模拟器上完全按照手册做的野蛮模式ipsecvpn,问题到底出在哪了?debug看不懂
- 0关注
- 1收藏,2560浏览
问题描述:
<r2>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
10 5.5.5.2 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<r2>dis ipsec sa
<r2>dis cu
#
version 7.1.075, Alpha 7571
#
sysname r2
#
ospf 20
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
#
ip unreachables enable
ip ttl-expires enable
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 2.2.2.1 255.255.255.0
ipsec apply policy r2
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
idle-timeout 35000 0
#
line vty 0 63
user-role network-operator
#
acl advanced 3003
rule 10 permit ip source 1.1.1.0 0.0.0.255 destination 3.1.1.0 0.0.0.255
#
acl advanced 3004
rule 5 permit ip source 1.1.1.2 0 destination 4.1.1.0 0.0.0.255
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
ipsec transform-set left
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ipsec transform-set r2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec transform-set right
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
#
ipsec policy-template left 1
transform-set left
local-address 2.2.2.1
ike-profile left
#
ipsec policy-template r2 1
transform-set r2
local-address 2.2.2.1
ike-profile r2
#
ipsec policy left 1 isakmp template left
#
ipsec policy pp 2 isakmp
transform-set right
security acl 3004
local-address 2.2.2.1
remote-address 2.2.2.3
ike-profile right
#
ipsec policy r2 1 isakmp template r2
#
ipsec policy right 10 isakmp
transform-set right
security acl 3004
local-address 2.2.2.1
remote-address 2.2.2.3
ike-profile right
#
ike profile left
keychain left
exchange-mode aggressive
match remote identity address 2.2.2.2 255.255.255.0
#
ike profile r2
keychain r2
exchange-mode aggressive
match remote identity fqdn r2
#
ike profile right
keychain right
match remote identity address 2.2.2.3 255.255.255.0
#
ike keychain left
pre-shared-key address 2.2.2.2 255.255.255.0 key cipher $c$3$OgQBFD1d0PBkl0+5xC03i7UXgUYtZ7Wf2A==
#
ike keychain r2
pre-shared-key address 5.5.5.2 255.255.255.0 key cipher $c$3$CuxNcQerJYgN+psGATVnlOGgXDlkge4Q3Q==
#
ike keychain right
pre-shared-key address 2.2.2.3 255.255.255.0 key cipher $c$3$KcgbIHraifNAmPwWJ/wobP2OwGMiFeigog==
#
return
<r2>
----------------------------------------------------------------------------------------
Can't find block-flow node.
*Sep 3 11:27:10:487 2019 H3C IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Sep 3 11:27:10:487 2019 H3C IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Sep 3 11:27:10:488 2019 H3C IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Sep 3 11:27:10:488 2019 H3C IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Sep 3 11:27:10:492 2019 H3C IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Sep 3 11:27:10:492 2019 H3C IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Sep 3 11:27:12:689 2019 H3C IPSEC/7/EVENT:
Can't find block-flow node.
*Sep 3 11:27:12:689 2019 H3C IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Sep 3 11:27:12:689 2019 H3C IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Sep 3 11:27:12:689 2019 H3C IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Sep 3 11:27:12:689 2019 H3C IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Sep 3 11:27:12:693 2019 H3C IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Sep 3 11:27:12:693 2019 H3C IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Sep 3 11:27:14:886 2019 H3C IPSEC/7/EVENT:
Can't find block-flow node.
*Sep 3 11:27:14:886 2019 H3C IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Sep 3 11:27:14:886 2019 H3C IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Sep 3 11:27:14:886 2019 H3C IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Sep 3 11:27:14:886 2019 H3C IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Sep 3 11:27:14:891 2019 H3C IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Sep 3 11:27:14:891 2019 H3C IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Sep 3 11:27:17:077 2019 H3C IPSEC/7/EVENT:
Can't find block-flow node.
*Sep 3 11:27:17:077 2019 H3C IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Sep 3 11:27:17:077 2019 H3C IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Sep 3 11:27:17:077 2019 H3C IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Sep 3 11:27:17:077 2019 H3C IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Sep 3 11:27:17:081 2019 H3C IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Sep 3 11:27:17:081 2019 H3C IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Sep 3 11:27:19:279 2019 H3C IPSEC/7/EVENT:
Can't find block-flow node.
*Sep 3 11:27:19:279 2019 H3C IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Sep 3 11:27:19:279 2019 H3C IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Sep 3 11:27:19:280 2019 H3C IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Sep 3 11:27:19:280 2019 H3C IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Sep 3 11:27:19:284 2019 H3C IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Sep 3 11:27:19:284 2019 H3C IPSEC/7/EVENT:
The SA doesn't exist in kernel.
<H3C>dis cu
#
version 7.1.075, Alpha 7571
#
sysname H3C
#
ospf 1
area 0.0.0.0
network 5.5.5.0 0.0.0.255
network 6.1.1.0 0.0.0.255
#
ip unreachables enable
ip ttl-expires enable
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 5.5.5.2 255.255.255.0
ipsec apply policy r2
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 6.1.1.1 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
idle-timeout 35000 0
#
line vty 0 63
user-role network-operator
#
acl advanced 3006
rule 10 permit ip source 6.1.1.0 0.0.0.255 destination 1.1.1.2 0
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
ipsec transform-set r2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy r2 1 isakmp
transform-set r2
security acl 3006
remote-address 2.2.2.1
ike-profile r2
#
ike profile r2
keychain r2
exchange-mode aggressive
local-identity fqdn r2
match remote identity address 2.2.2.1 255.255.255.0
#
ike keychain r2
pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $c$3$GlefgIgUroKHsxLU8NTwga1nrylXp3eG5w==
#
return
<H3C>
- 2019-09-03提问
- 举报
-
(0)
ike sa有吗?ipsec sa有吗?做的ispec野蛮模式nat穿越?两端的acl都不匹配
- 2019-09-03回答
- 评论(1)
- 举报
-
(0)
ike sa有了,ipsec sa没有。手册上的我看nat外面的设备上就没做acl
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
ike sa有了,ipsec sa没有。手册上的我看nat外面的设备上就没做acl