F1060 和ER5100 建立ipsec 失败问题处理经验案例

当前F1060 和ER5100 建立ipsec，两端公网地址都是固定的，采用的主模式，公网地址都是互通的，但是ipsec 无法正常建立，查看ER 侧有出现报错信息，同时收集F1060 侧的debug 信息，发现ike sa 协商失败，具体配置见附件：

debug 信息：

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Begin a new phase 1 negotiation as responder.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Security Association Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Process vendor ID payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Process SA payload.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Check ISAKMP transform 0.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;   Lifetime type is 1.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;   Life duration is 28800.

*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;   Encryption algorithm is 3DES-CBC.

*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;   HASH algorithm is HMAC-MD5.

*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;   Authentication method is Pre-shared key.

*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;   DH group is 2.

*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Construct notification packet: NO_PROPOSAL_CHOSEN.

*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Sending packet to 120.192.73.229 remote port 500, local port 500.

*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;

  I-Cookie: 7fd32a83d02660b4

  R-Cookie: 0000000000000000

  next payload: NOTIFY

  version: ISAKMP Version 1.0

  exchange mode: Info

  flags:

  message ID: 0

  length: 56

ER侧报错信息：

通过查看两端配置，发现各参数基本一样，但是唯一的就是ike sa 和ipsec sa的存活时间不一样，建议客户修改两边参数，达到两端一致。

ER侧：

F1060 侧：

ike proposal 65535

 dh group2

 authentication-algorithm md5          //默认时间是86400s

1. 可以在F1060 侧把时间改为28800

2. 可以在ER5100 改为默认的86400

在配置ipsec 的时候，不仅要注意加密认证参数要一致，时间和dh 组也要保持一致，特别是在和其他厂家或者其他不同型号的设备的时候。