Omitted.
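Screenshots of the ACG IPsec VPN configuration:
Peer device parameters:
Public IP: 118.26.68.210
Private network: 192.168.1.0/24
After configuration, the IKE SA was in the connected state while the IPsec SA stayed in the connecting state, and the private networks could not reach each other.
We enabled ipsec-vpn debugging on the ACG to analyze why the connection failed to establish: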
H3C# debug ipsec-vpn error
H3C# clear log debug
H3C# display log debug
<2021-10-24 15:10:27> IKE-ERROR:notification INVALID-ID-INFORMATION received in informational exchange.
<2021-10-24 15:10:28> IKE-ERROR:invalid flag 0x08.
<2021-10-24 15:10:32> IKE-ERROR:notification INVALID-ID-INFORMATION received in informational exchange.
<2021-10-24 15:10:37> IKE-ERROR:notification INVALID-ID-INFORMATION received in informational exchange.
<2021-10-24 15:10:42> IKE-ERROR:phase2 negotiation failed due to time up. 82d3621b0d26e8bf:56c8674a05c2dba3:c657e830
<2021-10-24 15:10:43> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:43> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:43> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:43> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:47> IKE-ERROR:notification INVALID-ID-INFORMATION received in informational exchange.
<2021-10-24 15:10:48> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:48> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:48> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:48> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:50> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:50> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:52> IKE-ERROR:notification INVALID-ID-INFORMATION received in informational exchange.
<2021-10-24 15:10:54> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:54> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:55> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:55> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:55> IKE-ERROR:failed to get proposal for responder.
<2021-10-24 15:10:55> IKE-ERROR:failed to pre-process ph2 packet (side: 1, status: 1).
<2021-10-24 15:10:57> IKE-ERROR:notification INVALID-ID-INFORMATION received in informational exchange.
H3C#
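The debug output contains the INVALID-ID-INFORMATION field, which may be caused by a mismatch in the private-network traffic.
An on-site check of the Huawei device's ACL showed that it did not permit the private-network traffic, so the traffic could not be matched and the ACG IPsec VPN stayed in the connecting state. After the ACL on the Huawei device was modified, the connection came up normally.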
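The check that resolved this case, comparing the private-network pairs protected on each side, can be done offline before a change window. The following is an added example, not part of the original case or any H3C or Huawei tooling: it assumes the peer must carry an exact mirror of each local selector (typical for IKEv1 phase 2), and every address except 192.168.1.0/24 is a constructed sample value.

```python
import ipaddress

def selector(src, dst):
    """Normalize a (source, destination) pair into ip_network objects."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))

def check_mirror(local_selectors, peer_acl):
    """Classify how the peer's IPsec ACL covers each local selector.

    Status per local selector:
      'match'   - the peer has the exact mirror (src/dst swapped)
      'partial' - the peer has an overlapping but different rule
      'missing' - the peer permits nothing for this traffic
    """
    results = []
    for src, dst in local_selectors:
        status = "missing"
        for p_src, p_dst in peer_acl:
            if (p_src, p_dst) == (dst, src):
                status = "match"
                break
            if p_src.overlaps(dst) and p_dst.overlaps(src):
                status = "partial"
        results.append(((src, dst), status))
    return results

# Constructed sample data. 192.168.1.0/24 is the peer private network from
# the case; 10.10.0.0/24 is an assumed ACG-side private network.
ACG_SELECTORS = [selector("10.10.0.0/24", "192.168.1.0/24")]
# Peer ACL that does not permit the private traffic (the failing state).
PEER_ACL_BEFORE = [selector("192.168.1.0/24", "172.16.0.0/16")]
# Peer ACL with a wider, non-identical rule: also not an exact mirror.
PEER_ACL_PARTIAL = [selector("192.168.0.0/16", "10.10.0.0/24")]
# Peer ACL after adding the mirrored rule.
PEER_ACL_AFTER = PEER_ACL_BEFORE + [selector("192.168.1.0/24", "10.10.0.0/24")]

def statuses(peer_acl):
    """Return only the status strings for the sample ACG selectors."""
    return [status for _, status in check_mirror(ACG_SELECTORS, peer_acl)]

if __name__ == "__main__":
    for name, acl in [("before", PEER_ACL_BEFORE),
                      ("partial", PEER_ACL_PARTIAL),
                      ("after", PEER_ACL_AFTER)]:
        for (src, dst), status in check_mirror(ACG_SELECTORS, acl):
            print(f"{name}: {src} -> {dst}: {status}")
```

Anything other than `match` is a candidate explanation for an IKE SA that is up while the IPsec SA never completes.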