HQ ------ Branch
After the aggressive-mode IPsec tunnel between HQ and the branch came up, a ping from the branch sourced from its Loopback 0 address to the HQ Loopback 0 address succeeds, but a ping from HQ sourced from its Loopback 0 address to the branch Loopback 0 address fails.
Check the IPsec SAs on both ends of the tunnel:
HQ public-facing interface:
-----------------------------
IPsec policy: Reth1
Sequence number: 100
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1436
Tunnel:
local address: 122.144.xx.xx
remote address: 118.254.xx.xx
Flow:
sour addr: 172.16.xx.xx/255.255.255.255 port: 0 protocol: ip
dest addr: 172.4.xx.xx/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1787016117 (0x6a83b3b5)
Connection ID: 12884901891
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3019
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
SPI: 3528705820 (0xd253c71c)
Connection ID: 12884901890
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3019
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: Y
Status: Active
Branch dialer interface with IPsec applied:
-----------------------------
IPsec policy: HY-IPSEC-IDC
Sequence number: 100
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1406
Tunnel:
local address: 100.70.xx.xx // this address is NATed again on the public side; the real address is 118.254.xx.xx
remote address: 122.144.xx.xx
Flow:
sour addr: 172.4.xx.xx/255.255.255.255 port: 0 protocol: ip
dest addr: 172.16.xx.xx/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3528705820 (0xd253c71c)
Connection ID: 12884901891
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2005
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
SPI: 1787016117 (0x6a83b3b5)
Connection ID: 12884901890
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2005
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: Y
Status: Active
IPsec SA negotiation is normal, and the SPIs match up: each side's inbound SPI is the other side's outbound SPI.
Checking the security policies, both Untrust–Local and Local–Untrust are permitted.
Check the interface configurations:
HQ:
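The SPI and flow-selector check described above can be automated. The following is an added example, not part of the original case: it parses excerpts in the shape of the two `display ipsec sa` outputs and confirms that the inbound SPI on one side equals the outbound SPI on the other and that the flow selectors are mirror images. The excerpts are constructed from the page's values, with the masked `xx` octets replaced by made-up addresses (172.16.1.1 and 172.4.1.1).

```python
import re

# Constructed excerpts modelled on the two "display ipsec sa" outputs in the case.
# Masked octets (xx) are replaced with made-up values; the SPIs are the page's own.
HQ_SA = """\
Flow:
sour addr: 172.16.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 172.4.1.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1787016117 (0x6a83b3b5)
Status: Active
[Outbound ESP SAs]
SPI: 3528705820 (0xd253c71c)
Status: Active
"""

BRANCH_SA = """\
Flow:
sour addr: 172.4.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 172.16.1.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3528705820 (0xd253c71c)
Status: Active
[Outbound ESP SAs]
SPI: 1787016117 (0x6a83b3b5)
Status: Active
"""


def parse_sa(text):
    """Extract flow selectors and the inbound/outbound SPI from an SA excerpt."""
    src = re.search(r"sour addr:\s*(\S+)", text).group(1)
    dst = re.search(r"dest addr:\s*(\S+)", text).group(1)
    spis = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if header:
            section = header.group(1).lower()
            continue
        spi = re.match(r"SPI:\s*(\d+)", line)
        if spi and section:
            spis[section] = int(spi.group(1))
    return {"src": src, "dst": dst, "in_spi": spis["inbound"], "out_spi": spis["outbound"]}


def check_mirror(a, b):
    """Return a list of mismatches; empty means the two SA views agree.

    A healthy pair has each side's inbound SPI equal to the peer's outbound SPI,
    and flow selectors that are mirror images (src/dst swapped).
    """
    problems = []
    if a["in_spi"] != b["out_spi"]:
        problems.append(f"inbound SPI {a['in_spi']} != peer outbound SPI {b['out_spi']}")
    if a["out_spi"] != b["in_spi"]:
        problems.append(f"outbound SPI {a['out_spi']} != peer inbound SPI {b['in_spi']}")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("flow selectors are not mirror images")
    return problems


if __name__ == "__main__":
    issues = check_mirror(parse_sa(HQ_SA), parse_sa(BRANCH_SA))
    print("SA pair consistent" if not issues else issues)
```

With the page's values the check passes, which is exactly why the author moved on from the SA stage to NAT and policy: the tunnel itself is fine.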
#
interface Reth1
ip address 122.144.xx.xx 255.255.255.192
member interface GigabitEthernet1/0/2 priority 2
member interface GigabitEthernet2/0/2 priority 1
nat server protocol tcp global 122.144.xx.xx 80 inside 172.16.xx.xx 80
nat server protocol tcp global 122.144.xx.xx 443 inside 172.16.xx.xx 443
nat server protocol tcp global current-interface 3333 inside 172.16.xx.xx 21
ipsec apply policy Reth1
gateway 122.144.xx.xx
#
Branch:
#
interface Dialer1
mtu 1492
ppp chap password cipher $c$3$jULx7kYUmc+Vxf+R6eRWZgnR3gTw1v8g9Sk=
ppp chap user xxxx
ppp pap local-user xxxx password cipher $c$3$hYUYvvN7EkX1lPbGwaGsAp2Tw2uKuupL0C4=
dialer bundle enable
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound 3004 // the interesting traffic is already denied in this ACL
ipsec apply policy HY-IPSEC-IDC
#
Nothing abnormal in the interface configurations either.
After pinging from HQ towards the branch, dis ipsec statistics shows that no IPsec encapsulation was triggered at all:
IPsec packet statistics:
Received/sent packets: 0/0
Received/sent bytes: 0/0
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
Looking at the private-network session next, the Responder's destination address is the public interface address 122.144.xx.xx, which shows the ping was NATed before it ever reached IPsec.
Initiator:
Source IP/port: 172.16.xx.xx/10620
Destination IP/port: 172.4.xx.xx/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: InLoopBack0
Source security zone: Local
Responder:
Source IP/port: 172.4.xx.xx/1
Destination IP/port: 122.144.xx.xx/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Reth1
Source security zone: Untrust
State: ICMP_REQUEST
Application: ICMP
Rule ID: 2
Rule name: Localy_2_IPv4
Start time: 2019-10-10 20:11:58 TTL: 23s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 0 packets 0 bytes
The HQ configuration contains a nat policy; the ping traffic matched it and was translated on the way out.
#
nat policy
rule name tointernet
outbound-interface Reth1
action easy-ip
#
Deleting the nat policy and instead configuring nat outbound with an ACL on the interface, with the interesting traffic denied first, resolved the problem.
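The root cause is an ordering problem: on the HQ firewall the NAT policy rewrites the source address before the IPsec policy matches the flow, so the packet no longer fits the host-to-host selector and leaves in the clear. The following model is an added example, not part of the original case and not vendor code: it walks one packet through NAT and then the IPsec flow match, once under the `easy-ip` nat policy from the page and once under an ACL-based `nat outbound` that denies the interesting traffic, the way the branch's ACL 3004 already does. The addresses are constructed stand-ins for the masked `xx` octets, and the ACL contents are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses standing in for the masked (xx) octets in the case.
HQ_LOOPBACK = "172.16.1.1"      # HQ Loopback 0
BRANCH_LOOPBACK = "172.4.1.1"   # branch Loopback 0
HQ_PUBLIC = "122.144.1.1"       # HQ Reth1 address (easy-ip translates to this)

# IPsec flow selector as shown in the HQ SA: host-to-host between the loopbacks.
IPSEC_FLOW = (ipaddress.ip_network(f"{HQ_LOOPBACK}/32"),
              ipaddress.ip_network(f"{BRANCH_LOOPBACK}/32"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in(addr, net):
    return ipaddress.ip_address(addr) in net


def ipsec_selects(pkt):
    """True when the packet, as the IPsec policy sees it, matches the SA flow."""
    return _in(pkt.src, IPSEC_FLOW[0]) and _in(pkt.dst, IPSEC_FLOW[1])


def nat_policy_easy_ip(pkt):
    """Model of the page's 'nat policy / outbound-interface Reth1 / action easy-ip':
    every packet leaving Reth1 gets the interface address as its source."""
    return Packet(HQ_PUBLIC, pkt.dst)


def nat_outbound_acl(rules):
    """Model of 'nat outbound <acl>': only packets matched by a permit rule are
    translated; a deny match or no match leaves the packet untouched.
    rules is an ordered list of (action, src_net, dst_net)."""
    nets = [(act, ipaddress.ip_network(s), ipaddress.ip_network(d)) for act, s, d in rules]

    def translate(pkt):
        for action, src_net, dst_net in nets:
            if _in(pkt.src, src_net) and _in(pkt.dst, dst_net):
                return Packet(HQ_PUBLIC, pkt.dst) if action == "permit" else pkt
        return pkt  # no rule matched: not translated

    return translate


def egress(pkt, nat):
    """Outbound order observed in the case: NAT runs before the IPsec policy.
    Returns (packet after NAT, whether it was selected for IPsec encapsulation)."""
    after_nat = nat(pkt)
    return after_nat, ipsec_selects(after_nat)


# Assumed contents of the corrected ACL: deny the interesting traffic first,
# then permit the rest of the internal range to the Internet.
FIXED_ACL = [
    ("deny",   f"{HQ_LOOPBACK}/32", f"{BRANCH_LOOPBACK}/32"),
    ("permit", "172.16.0.0/16",     "0.0.0.0/0"),
]

if __name__ == "__main__":
    ping = Packet(HQ_LOOPBACK, BRANCH_LOOPBACK)
    print("nat policy easy-ip  :", egress(ping, nat_policy_easy_ip))
    print("nat outbound + deny :", egress(ping, nat_outbound_acl(FIXED_ACL)))
```

Under the easy-ip policy the ping leaves with source 122.144.x.x and is never encapsulated, matching the zero counters in `dis ipsec statistics` and the Responder destination seen in the session table; with the deny rule in front, the source survives NAT and the IPsec selector matches, while ordinary Internet-bound traffic is still translated.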