When setting up IPsec between two V7 routers, dis ipsec sa shows two identical SAs for the same ipsec policy node. Why is that?
<H3C>dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 1.119.54.82
remote address: 211.102.210.122
Flow:
sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1112980996 (0x4256be04)
Connection ID: 3371549327360
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/149
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4087633032 (0xf3a45488)
Connection ID: 3165390897166
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/149
Max sent sequence-number: 12
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 5
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 1.119.54.82
remote address: 211.102.210.122
Flow:
sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.102.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3205575571 (0xbf113393)
Connection ID: 1842540969986
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2995
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4087633033 (0xf3a45489)
Connection ID: 3921305141258
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2995
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 1.119.54.82
remote address: 211.102.210.122
Flow:
sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1469134788 (0x579137c4)
Connection ID: 1584842932244
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3149
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4087633034 (0xf3a4548a)
Connection ID: 622770257941
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3149
Max sent sequence-number: 3
UDP encapsulation used for NAT traversal: N
Status: Active
Also, even with both the IKE SA and the IPsec SA established, the following errors are still logged: *May 19 20:31:12:968 2017 H3C IKE/7/ERROR: No acceptable transform.
*May 19 20:31:12:968 2017 H3C IKE/7/ERROR: Failed to parse the IKE SA payload.
(0)
Best answer
The first SA's lifetime is almost up, with only 149 seconds remaining, so it looks like a new SA was renegotiated; the second SA still has 3149 seconds remaining, which means it was established only recently.
For the second question you need to look at the detailed debug output. It looks like some other node is sending a setup request to this end and the request is not getting through.
(0)
First: does having both SAs present affect IPsec? Second: indeed, the debug output contains the following: *May 19 20:31:14:978 2017 H3C IKE/7/PACKET: Construct notification packet: NO_PROPOSAL_CHOSEN. *May 19 20:31:14:978 2017 H3C IKE/7/PACKET: Sending packet to 211.102.210.122 remote port 500, local port 500. But how do you explain a negotiation toward 211.102.210.122? That peer is not configured in either the keychain or the policy.
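As an added example, not from the original post or from H3C, the following Python script performs the two checks that the thread discusses: it parses display ipsec sa output, groups SA pairs by flow, and tells a rekey in progress (same tunnel id, older pair near expiry) apart from a genuine duplicate; and it pairs each IKE notification in the debug output with the peer it is sent to and says whether that peer already owns an active SA on this router. The sample input is a constructed, abridged copy of the SA output and the debug lines quoted above; the 300-second near-expiry threshold and all function names are assumptions.

```python
import re
from collections import defaultdict


def sa_block(tunnel_id, dst, in_spi, out_spi, remaining_sec):
    """Constructed sample: one abridged 'display ipsec sa' entry, keeping only the
    fields the analysis needs (values copied from the output quoted in the post)."""
    return (f"IPsec policy: map1\nSequence number: 10\nTunnel id: {tunnel_id}\n"
            f"local address: 1.119.54.82\nremote address: 211.102.210.122\n"
            f"sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip\n"
            f"dest addr: {dst} port: 0 protocol: ip\n"
            f"[Inbound ESP SAs]\nSPI: {in_spi}\n"
            f"SA remaining duration (kilobytes/sec): 1843200/{remaining_sec}\n"
            f"[Outbound ESP SAs]\nSPI: {out_spi}\n"
            f"SA remaining duration (kilobytes/sec): 1843200/{remaining_sec}\n")


SA_OUTPUT = "".join([
    sa_block(3, "192.168.2.0/255.255.255.0", 1112980996, 4087633032, 149),
    sa_block(5, "192.168.102.0/255.255.255.0", 3205575571, 4087633033, 2995),
    sa_block(3, "192.168.2.0/255.255.255.0", 1469134788, 4087633034, 3149),
])

# Constructed sample: the IKE debug lines quoted in the post.
IKE_DEBUG = """\
*May 19 20:31:12:968 2017 H3C IKE/7/ERROR: No acceptable transform.
*May 19 20:31:12:968 2017 H3C IKE/7/ERROR: Failed to parse the IKE SA payload.
*May 19 20:31:14:978 2017 H3C IKE/7/PACKET: Construct notification packet: NO_PROPOSAL_CHOSEN.
*May 19 20:31:14:978 2017 H3C IKE/7/PACKET: Sending packet to 211.102.210.122 remote port 500, local port 500.
"""


def parse_ipsec_sa(text):
    """Turn 'display ipsec sa' output into one dict per 'IPsec policy:' entry."""
    entries, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPsec policy:"):
            cur = {"policy": line.split(":", 1)[1].strip(), "inbound": {}, "outbound": {}}
            entries.append(cur)
            side = None
        elif cur is None:
            continue
        elif line.startswith("Sequence number:"):
            cur["seq"] = int(line.split(":", 1)[1])
        elif line.startswith("Tunnel id:"):
            cur["tunnel_id"] = int(line.split(":", 1)[1])
        elif line.startswith("local address:"):
            cur["local"] = line.split(":", 1)[1].strip()
        elif line.startswith("remote address:"):
            cur["remote"] = line.split(":", 1)[1].strip()
        elif line.startswith("sour addr:") or line.startswith("dest addr:"):
            cur["src" if line.startswith("sour") else "dst"] = line.split()[2]
        elif line.startswith("[Inbound ESP SAs]"):
            side = "inbound"
        elif line.startswith("[Outbound ESP SAs]"):
            side = "outbound"
        elif side and line.startswith("SPI:"):
            cur[side]["spi"] = int(line.split()[1])
        elif side and line.startswith("SA remaining duration"):
            cur[side]["remaining_sec"] = int(line.rsplit("/", 1)[1])
    return entries


def classify_sas(entries, near_expiry_sec=300):
    """Group entries by flow. Two SA pairs for one flow on the same tunnel id, where the
    older pair is close to expiry, is a rekey in progress; anything else is flagged."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["policy"], e["seq"], e["local"], e["remote"], e["src"], e["dst"])].append(e)
    report = {}
    for key, sas in groups.items():
        sas.sort(key=lambda e: e["outbound"]["remaining_sec"])  # oldest pair first
        old = sas[0]
        if len(sas) == 1:
            verdict = "single"
        elif len({e["tunnel_id"] for e in sas}) == 1 and old["outbound"]["remaining_sec"] <= near_expiry_sec:
            verdict = "rekey-in-progress"
        else:
            verdict = "unexpected-duplicate"
        report[key[-1]] = {"verdict": verdict,
                           "out_spis": [e["outbound"]["spi"] for e in sas],
                           "remaining_sec": [e["outbound"]["remaining_sec"] for e in sas]}
    return report


NOTIFY_RE = re.compile(r"Construct notification packet: (\w+)")
SEND_RE = re.compile(r"Sending packet to (\d+(?:\.\d+){3}) remote port (\d+)")


def correlate_ike_errors(debug_text, entries):
    """Pair each IKE notification with the peer it is sent to and record whether that
    peer already owns an active IPsec SA on this router."""
    peers_with_sa = {e["remote"] for e in entries}
    findings, pending = [], None
    for line in debug_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = SEND_RE.search(line)
        if m and pending:
            findings.append({"notify": pending, "peer": m.group(1), "port": int(m.group(2)),
                             "peer_has_active_sa": m.group(1) in peers_with_sa})
            pending = None
    return findings


if __name__ == "__main__":
    sas = parse_ipsec_sa(SA_OUTPUT)
    for dst, info in classify_sas(sas).items():
        print(dst, info)
    for finding in correlate_ike_errors(IKE_DEBUG, sas):
        print(finding)
```

On the sample above, the flow to 192.168.2.0/24 is reported as rekey-in-progress (tunnel id 3, outbound SPIs 0xf3a45488 with 149 s left and 0xf3a4548a with 3149 s left), while the flow to 192.168.102.0/24 is a single SA pair for a different destination, not a duplicate. The IKE check reports that the NO_PROPOSAL_CHOSEN notification goes to 211.102.210.122, which is the remote address of every SA in the output, so the rejected proposal is arriving from the peer the tunnel is already up with; the next step is to compare the IKE proposals and the full debug on both ends, as the answer suggests.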