An F1060 and an ER5100 are being set up for IPsec. Both ends have fixed public addresses, main mode is used, and the public addresses are reachable from each other, but the IPsec tunnel cannot be established. An error message appears on the ER side, and debug information collected on the F1060 side shows that the IKE SA negotiation fails. The detailed configuration is in the attachment.
Debug information:
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Begin a new phase 1 negotiation as responder.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Security Association Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Received ISAKMP Vendor ID Payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Process vendor ID payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Process SA payload.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Check ISAKMP transform 0.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Lifetime type is 1.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Life duration is 28800.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Encryption algorithm is 3DES-CBC.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; HASH algorithm is HMAC-MD5.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Authentication method is Pre-shared key.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; DH group is 2.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Construct notification packet: NO_PROPOSAL_CHOSEN.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Sending packet to 120.192.73.229 remote port 500, local port 500.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1;
I-Cookie: 7fd32a83d02660b4
R-Cookie: 0000000000000000
next payload: NOTIFY
version: ISAKMP Version 1.0
exchange mode: Info
flags:
message ID: 0
length: 56
Error message on the ER side:
Comparing the configurations at both ends shows that the parameters are essentially the same; the only difference is the IKE SA and IPsec SA lifetimes. The customer was advised to change the parameters so that both ends match.
ER side:
F1060 side:
ike proposal 65535
dh group2
authentication-algorithm md5 //default lifetime is 86400s
1. Change the lifetime on the F1060 side to 28800.
2. Or change the ER5100 to the default 86400.
When configuring IPsec, it is not enough for the encryption and authentication parameters to match; the lifetime and DH group must also be consistent at both ends, especially when interworking with devices from other vendors or with different device models.
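As an added example (not part of the original case), a small Python script that pulls the peer's ISAKMP transform attributes out of the F1060 debug lines above and diffs them against the local IKE proposal. The peer lines are copied from the debug output; the local proposal values (3DES / MD5 / PSK / group 2 with the default 86400 s lifetime) are an assumption based on the configuration comment.

```python
import re

# Constructed excerpt of the F1060 debug output quoted in the case (attribute lines copied verbatim).
DEBUG_LINES = """\
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Check ISAKMP transform 0.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Lifetime type is 1.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Life duration is 28800.
*Mar 24 16:06:43:996 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Encryption algorithm is 3DES-CBC.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; HASH algorithm is HMAC-MD5.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Authentication method is Pre-shared key.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; DH group is 2.
*Mar 24 16:06:43:997 2016 yz-xbh-nw-fw-f1060 IKE/7/PACKET: -Context=1; Construct notification packet: NO_PROPOSAL_CHOSEN.
"""

# Assumed local "ike proposal 65535" on the F1060: only the lifetime (default 86400 s) differs from the peer.
LOCAL_PROPOSAL = {
    "Life duration": "86400",
    "Encryption algorithm": "3DES-CBC",
    "HASH algorithm": "HMAC-MD5",
    "Authentication method": "Pre-shared key",
    "DH group": "2",
}

# Matches the "<attribute> is <value>." tail of each IKE/7/PACKET debug line.
ATTR_RE = re.compile(
    r"; (Life duration|Encryption algorithm|HASH algorithm|Authentication method|DH group) is ([^.]+)\.$"
)


def parse_peer_transform(debug_text):
    """Return the attributes of the peer's ISAKMP transform as a dict."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def compare_proposals(debug_text, local):
    """Return (rejected, mismatches): whether the responder sent NO_PROPOSAL_CHOSEN,
    and a list of (attribute, peer value, local value) for every attribute that differs."""
    peer = parse_peer_transform(debug_text)
    rejected = "NO_PROPOSAL_CHOSEN" in debug_text
    mismatches = [(k, peer.get(k), v) for k, v in local.items() if peer.get(k) != v]
    return rejected, mismatches


if __name__ == "__main__":
    print(compare_proposals(DEBUG_LINES, LOCAL_PROPOSAL))
```

Run against the case's debug output, the only reported mismatch is the lifetime (peer 28800 vs local 86400), which is exactly the parameter the case tells the customer to align.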