The IPsec VPN suddenly stopped working today. Could the experts here please take a look? Many thanks!
1. Symptom description:
The local end is an H3C F1000-E-SI firewall, the peer is a Huawei firewall, and the negotiation mode is main mode. The IPsec VPN tunnel fails to establish, with this error: "Feb 28 10:40:30 2019 F1000-E-SI %%10IKE/4/IKE_PACKET_DROPPED(l): -DEV_TYPE=SECPATH-PN=210235A0F6H151000015-Src addr='<peer address>'-Dst addr='<local address>'-I_COOKIE=241e754dd2c74960-R_COOKIE=0000000000000000-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped."
2. Peer configuration
3. Local configuration
#
acl number 3002
description TO_VPN
rule 0 permit ip source 10.255.11.110 0 destination 192.168.20.128 0
#
ike proposal 1
authentication-algorithm md5
#
ike proposal 2
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
sa duration 28800
#
ike dpd weijiwei
time-out 10
#
ike peer weijiwei
pre-shared-key cipher $c$3$KSYr7WCDPkM1SC4Umi8yhT95TuFYMaIVLtpz+68=
remote-address <peer address>
dpd weijiwei
#
ipsec transform-set weijiwei
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy-template weijiwei 1
security acl 3002
ike-peer weijiwei
transform-set weijiwei
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy vpn 10 isakmp
security acl 3002
ike-peer weijiwei
transform-set weijiwei
#
4. debugging ike message output:
%Feb 28 15:05:13:497 2019 F1000-E-SI IKE/4/IKE_PACKET_DROPPED: -Src addr=<peer address>-Dst addr=<local address>-I_COOKIE=3f92f5d150234bf8-R_COOKIE=0000000000000000-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
*Feb 28 15:05:13:497 2019 F1000-E-SI IKE/7/DEBUG: received message:
*Feb 28 15:05:13:497 2019 F1000-E-SI IKE/7/DEBUG: ICOOKIE: 0x3f92f5d150234bf8
*Feb 28 15:05:13:497 2019 F1000-E-SI IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Feb 28 15:05:13:497 2019 F1000-E-SI IKE/7/DEBUG: NEXT_PAYLOAD: SA
*Feb 28 15:05:13:497 2019 F1000-E-SI IKE/7/DEBUG: VERSION: 16
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: EXCH_TYPE: MAIN
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: FLAGS: [ ]
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: LENGTH: 164
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload SA
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload VENDOR
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload VENDOR
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload VENDOR
*Feb 28 15:05:13:498 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload VENDOR
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: validate payload SA
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: DOI: 1
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: receive rfc3947 Protocol Vendor ID
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: receive draft-ietf-ipsec-nat-t-ike-02 Protocol Vendor ID
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: receive draft-ietf-ipsec-nat-t-ike-01 Protocol Vendor ID
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: receive DPD Protocol Vendor ID
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload PROPOSAL
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Feb 28 15:05:13:499 2019 F1000-E-SI IKE/7/DEBUG: validate payload PROPOSAL
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: NO: 1
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: PROTO: ISAKMP
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: SPI_SZ: 0
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: NTRANSFORMS: 1
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: validate payload TRANSFORM
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: NO: 0
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: ID: 1
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: Transform 0's attributes
*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute HASH_ALGORITHM : SHA
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1536
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: validate payload VENDOR
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: vendor ID seen
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: validate payload VENDOR
*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: vendor ID seen
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: validate payload VENDOR
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: vendor ID seen
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: validate payload VENDOR
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: vendor ID seen
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: negotiate sa: transform 0 proto 1 proposal 1 compatible
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: negotiate sa: proposal 1 failed
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: add payload to message: NOTIFY
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: DOI: IPSEC
*Feb 28 15:05:13:502 2019 F1000-E-SI IKE/7/DEBUG: PROTO: ISAKMP
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: SPI_SZ: 0
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: MSG_TYPE: NO_PROPOSAL_CHOSEN
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: send message:
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: ICOOKIE: 0x3f92f5d150234bf8
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: NEXT_PAYLOAD: NOTIFY
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: VERSION: 16
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: EXCH_TYPE: INFO
*Feb 28 15:05:13:503 2019 F1000-E-SI IKE/7/DEBUG: FLAGS: [ ]
*Feb 28 15:05:13:504 2019 F1000-E-SI IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Feb 28 15:05:13:504 2019 F1000-E-SI IKE/7/DEBUG: LENGTH: 44
*Feb 28 15:05:14:911 2019 F1000-E-SI IKE/7/DEBUG: received message:
*Feb 28 15:05:14:911 2019 F1000-E-SI IKE/7/DEBUG: ICOOKIE: 0xaf7adb79694eaa3b
*Feb 28 15:05:14:911 2019 F1000-E-SI IKE/7/DEBUG: RCOOKIE: 0x5229fb5aab7a6536
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: NEXT_PAYLOAD: HASH
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: VERSION: 16
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: EXCH_TYPE: INFO
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: FLAGS: [ ENC ]
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: MESSAGE_ID: 0x81000000
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: LENGTH: 84
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload HASH
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: parse payloads: payload NOTIFY
*Feb 28 15:05:14:912 2019 F1000-E-SI IKE/7/DEBUG: validate payload HASH
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: validate payload NOTIFY
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: DOI: IPSEC
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: PROTO: ISAKMP
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: SPI_SZ: 16
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: MSG_TYPE: DPD_REQUEST
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: got NOTIFY of type DPD_REQUEST
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: add payload to message: HASH
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: add payload to message: NOTIFY
*Feb 28 15:05:14:913 2019 F1000-E-SI IKE/7/DEBUG: DOI: IPSEC
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: PROTO: ISAKMP
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: SPI_SZ: 16
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: MSG_TYPE: DPD_RESPONSE
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: send message:
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: ICOOKIE: 0xaf7adb79694eaa3b
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: RCOOKIE: 0x5229fb5aab7a6536
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: NEXT_PAYLOAD: HASH
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: VERSION: 16
*Feb 28 15:05:14:914 2019 F1000-E-SI IKE/7/DEBUG: EXCH_TYPE: INFO
*Feb 28 15:05:14:915 2019 F1000-E-SI IKE/7/DEBUG: FLAGS: [ ENC ]
*Feb 28 15:05:14:915 2019 F1000-E-SI IKE/7/DEBUG: MESSAGE_ID: 0x81fed7ae
*Feb 28 15:05:14:915 2019 F1000-E-SI IKE/7/DEBUG: LENGTH: 84
5. Based on the debugging ike message output above, we changed the local ESP authentication algorithm to sha1; the fault persists.
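The debugging output above logs the peer's proposal attribute by attribute while the F1000-E-SI validates it, and PROTO: ISAKMP identifies that proposal as the phase-1 (IKE SA) proposal: in IKEv1 terms (RFC 2409 Appendix A) HASH_ALGORITHM SHA is SHA-1 and GROUP_DESCRIPTION MODP_1536 is DH group 5, and it is the ike proposal commands, not the ipsec transform-set, that are matched against it. The following Python script is an added example, not part of the original post and not an H3C tool: it parses those attribute lines, fills in the Comware V5 ike proposal defaults for every value the posted config leaves implicit (assumed defaults: des-cbc, sha, pre-share, group1, 86400 s), reports which hard attributes of each local proposal differ from the peer's, and renders a proposal block that would match. The sample log lines are copied from the post; the function names, the default values and the keyword mapping (for example dh group5 for MODP_1536) are the example's own assumptions.

```python
import re

# Constructed sample input: the attribute lines the F1000-E-SI logged while
# validating the peer's ISAKMP (phase-1) proposal; the values match the post.
PEER_DEBUG_LINES = [
    "*Feb 28 15:05:13:500 2019 F1000-E-SI IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : DES_CBC",
    "*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute HASH_ALGORITHM : SHA",
    "*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED",
    "*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1536",
    "*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS",
    "*Feb 28 15:05:13:501 2019 F1000-E-SI IKE/7/DEBUG: Attribute LIFE_DURATION : 86400",
]

ATTR_RE = re.compile(r"Attribute\s+(\w+)\s*:\s*(\S+)")

# IKEv1 attribute values (RFC 2409 Appendix A) mapped to the keywords of the
# Comware V5 "ike proposal" commands (mapping assumed). HASH SHA is SHA-1;
# MODP_1536 is DH group 5.
NORMALIZE = {
    ("ENCRYPTION_ALGORITHM", "DES_CBC"): ("encryption-algorithm", "des-cbc"),
    ("ENCRYPTION_ALGORITHM", "3DES_CBC"): ("encryption-algorithm", "3des-cbc"),
    ("HASH_ALGORITHM", "MD5"): ("authentication-algorithm", "md5"),
    ("HASH_ALGORITHM", "SHA"): ("authentication-algorithm", "sha"),
    ("AUTHENTICATION_METHOD", "PRE_SHARED"): ("authentication-method", "pre-share"),
    ("GROUP_DESCRIPTION", "MODP_768"): ("dh", "group1"),
    ("GROUP_DESCRIPTION", "MODP_1024"): ("dh", "group2"),
    ("GROUP_DESCRIPTION", "MODP_1536"): ("dh", "group5"),
}

# Assumed Comware V5 defaults for an ike proposal; the posted config relies on
# them for every attribute it does not set explicitly.
DEFAULTS = {
    "encryption-algorithm": "des-cbc",
    "authentication-algorithm": "sha",
    "authentication-method": "pre-share",
    "dh": "group1",
    "sa duration": 86400,
}

# The two proposals from the post, as the explicitly configured lines only.
LOCAL_PROPOSALS = {
    1: {"authentication-algorithm": "md5"},
    2: {"encryption-algorithm": "3des-cbc", "dh": "group2",
        "authentication-algorithm": "md5", "sa duration": 28800},
}

# Attributes that must be identical for a phase-1 proposal to be chosen. The
# lifetime is left out on the assumption that IKEv1 peers settle on the shorter
# value (RFC 2407 RESPONDER-LIFETIME) instead of rejecting the proposal.
HARD_ATTRS = ("encryption-algorithm", "authentication-algorithm",
              "authentication-method", "dh")


def parse_peer_proposal(lines):
    """Collect the peer's transform attributes into config-style keywords."""
    peer = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "LIFE_DURATION":
            peer["sa duration"] = int(value)
        elif (name, value) in NORMALIZE:
            key, keyword = NORMALIZE[(name, value)]
            peer[key] = keyword
        else:
            peer[name.lower()] = value  # unmapped value: keep it raw so it stays visible
    return peer


def compare(peer, local_proposals, defaults=DEFAULTS):
    """Per local proposal, the hard attributes that differ: {num: {attr: (local, peer)}}."""
    report = {}
    for num in sorted(local_proposals):
        local = {**defaults, **local_proposals[num]}
        report[num] = {a: (local[a], peer.get(a))
                       for a in HARD_ATTRS if local[a] != peer.get(a)}
    return report


def matching_proposals(peer, local_proposals, defaults=DEFAULTS):
    """Local proposal numbers the responder could choose; empty means NO_PROPOSAL_CHOSEN."""
    return [n for n, diff in compare(peer, local_proposals, defaults).items() if not diff]


def render_proposal(peer, number):
    """Render the peer's phase-1 parameters as an ike proposal block that would match."""
    return "\n".join([
        f"ike proposal {number}",
        f" encryption-algorithm {peer['encryption-algorithm']}",
        f" authentication-method {peer['authentication-method']}",
        f" authentication-algorithm {peer['authentication-algorithm']}",
        f" dh {peer['dh']}",
        f" sa duration {peer['sa duration']}",
    ])


if __name__ == "__main__":
    peer = parse_peer_proposal(PEER_DEBUG_LINES)
    for num, diff in compare(peer, LOCAL_PROPOSALS).items():
        for attr, (local, remote) in diff.items():
            print(f"ike proposal {num}: {attr} local={local} peer={remote}")
    if not matching_proposals(peer, LOCAL_PROPOSALS):
        print("no local ike proposal matches the peer; one that would:")
        print(render_proposal(peer, 3))
```

Run against the posted output, the script reports that proposal 1 differs in authentication-algorithm (md5 vs sha) and dh (group1 vs group5), and proposal 2 differs in encryption-algorithm, authentication-algorithm and dh as well, so no local proposal is selectable and the responder answers NO_PROPOSAL_CHOSEN exactly as the log shows. Changing the esp authentication-algorithm in the transform-set touches only the phase-2 parameters and is not consulted at this stage.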
From the peer's configuration screenshot, the authentication algorithms on both ends are the same, but from the debugging ike message output the peer appears to be using sha; yet after changing the local end to sha1 it still does not work.