问

ipsec1对多,只有一个能ping通.竞争占用隧道.如何解决

IPSec VPN

2019-11-04提问

0关注
1收藏，788浏览

zhiliao_5XnQJ

zhiliao_5XnQJ 零段

粉丝：0人关注：0人

问题描述：

总部使用MSR3610,建立ipsec模板. 野蛮模式.

分支单位有多个使用msr810,4G路由器.除了Vlan-interface1的ip地址不同外,其他ipsec的配置数据都相同.

每个分支单位都可以单独成功建立ipsec,并能ping通总部的内部网络.

所有分支单位全部接入ipsec后,dis ike sa 能发现所有对等体.dis ipsec tunnel 可以看到全部隧道.

问题来了. 这些分支单位只有一个能ping通.谁优先接入隧道谁就能ping通.其他后接入隧道的就无法ping通.

在总部使用reset ipsec sa后, 原先不能ping的,就能ping了.也仅仅是一个. 本来可以ping的,就不能ping了.

就像是竞争的方式独占隧道.

这种问题如何解决.

组网及组网描述：

//////////////////////总部配置////////////////////////////////////

#互联网接口
interface GigabitEthernet0/0
port link-mode route
ip address 123.123.123.123 255.255.255.0
tcp mss 1280
ipsec apply policy ipsec1
#内部网络接口
interface GigabitEthernet0/3
port link-mode route
combo enable copper
ip address 172.168.1.1 255.255.255.0
#
#
ip route-static 0.0.0.0 0 123.123.123.121
#
acl advanced 3000
rule 0 permit ip destination 172.169.0.0 0.0.255.255
#
ipsec transform-set ipsec1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template ipsec1 65535
transform-set ipsec1
security acl 3000
ike-profile ipsec1
sa duration time-based 3600
sa duration traffic-based 1843200
#
ipsec policy ipsec1 65535 isakmp template ipsec1
#
ike identity fqdn zongbu
#
ike profile ipsec1
keychain ipsec1
exchange-mode aggressive
local-identity fqdn zongbu
match remote identity fqdn RTA
proposal 65535
#
ike proposal 65535
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain ipsec1
pre-shared-key hostname RTA key simple 123456
#

///////////////////////以下是分支机构配置//////////////////////////////
vlan 1
#
dhcp server ip-pool lan1
gateway-list 172.169.1.1
network 172.169.1.0 mask 255.255.255.0
address range 172.169.1.2 172.169.1.254
dns-list 172.169.1.1
###有多个分支机构,分别是172.169.x.y

#
apn-profile profile69
apn static 3gnet
#
controller Cellular0/0
#
controller Cellular1/0
description Single_Line1-UNICOM
eth-channel 0
#

interface Vlan-interface1
ip address 172.169.1.1 255.255.255.0
###有多个分支机构,分别是172.169.x.1####
#
interface Eth-channel1/0:0
dialer circular enable
dialer-group 89
dialer timer autodial 5
dialer number *99# autodial
ip address cellular-alloc
apn-profile apply profile69
ipsec apply policy RTA
#

ip route-static 0.0.0.0 0 Eth-channel1/0:0

#
acl advanced 3000
rule 0 permit ip source 172.169.0.0 0.0.255.255 destination 172.168.0.0 0.0.255.255

ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy RTA 1 isakmp
transform-set 1
security acl 3000
remote-address 123.123.123.123
ike-profile RTA
sa duration time-based 3600
sa duration traffic-based 1843200
#
ike identity fqdn RTA
#
ike profile RTA
keychain RTA
exchange-mode aggressive
local-identity fqdn RTA
match remote identity fqdn zongbu
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain RTA
pre-shared-key address 123.123.123.123 255.255.255.255 key simple 123456
#

2 个回答

按时间按赞数

小白白

小白白四段

粉丝：6人关注：0人

你有多个分支，应该创建多个ipsec sa吧，你所有的分支都用这一个？

怎么修改呢?我尝试match remote identity fqdn RTA1,match remote identity fqdn RTA2,match remote identity fqdn RTA3.pre-shared-key hostname RTA1 pre-shared-key hostname RTA2,pre-shared-key hostname RTA 3.问题依旧.

zhiliao_5XnQJ 发表时间：2019-11-04

每个创建一个新的ipsec sa

小白白发表时间：2019-11-04