MSR3610 as headquarters establishing aggressive-mode IPsec VPNs with multiple MSR2011 branch devices
Device information: MSR3610 running R0707P19; MSR2011 running 2207P02
Problem description: An MSR3610 acts as the headquarters device and builds aggressive-mode IPsec VPNs with multiple MSR2011 branch devices. One branch tunnel does not come up. NAT traversal is configured on the MSR2011 side. The branch side shows an IKE SA but no IPsec SA, and the headquarters side shows no IKE SA at all.
Headquarters configuration:
ipsec transform-set 1
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec policy-template zongbu 2
transform-set 1
local-address 60.28.52.XX
remote-address hbfenbu1
ike-profile 2
#
ipsec policy vanguard 1 isakmp template zongbu
#
ike identity fqdn hbcenter
#
ike profile 2
keychain 2
local-identity address 60.28.52.XX
match remote identity fqdn hbfenbu1
proposal 1
#
ike proposal 1
#
ike keychain 2
pre-shared-key hostname hbfenbu1 key cipher $c$3$V5sVOrjKJEpq7NrcneqocOzpXvH58H+kTFDs
#
Branch configuration:
ike proposal 1
#
ike peer hbfenbu1
exchange-mode aggressive
pre-shared-key simple hbcenter
id-type name
remote-name hbcenter
remote-address 60.28.52.XX
local-name hbfenbu1
nat traversal
#
ipsec proposal 1
#
ipsec policy hbfenbu1 1 isakmp
security acl 3002
ike-peer hbfenbu1
proposal 1
[MSR20]dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
4708 60.28.52.XX RD|ST 1 IPSEC
[MSR20]dis ipsec sa
[MSR20]
Running debug ike all on the headquarters device during the negotiation shows that the carrier network in between (a similar problem has been seen before) translates the source address of the third phase-1 packet, the first one sent on UDP port 4500, to a different public address (114.250.82.XX). As a result, during phase 2 the headquarters side (the MSR3610) still sends its phase-2 replies to the original address (123.118.61.XX), so the phase-2 negotiation never completes. This is visible in the debug output: the quick-mode packet is received from 123.118.61.XX, while the phase-2 process is started with remote = 114.250.82.XX/4500, so the two halves of the negotiation are bound to different peer addresses.
*Sep 18 01:57:10:284 2020 H3C12345 IKE/7/PACKET: vrf = 0, local = 60.28.52.XX, remote = 123.118.61.XX/4500
Received packet from 123.118.61.XX source port 4500 destination port 4500.
*Sep 18 01:57:10:284 2020 H3C12345 IKE/7/PACKET: vrf = 0, local = 60.28.52.XX, remote = 123.118.61.XX/4500
I-COOKIE: 5c46f48afd838c70
R-COOKIE: bb2beba2aade1138
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 9100d3e9
length: 172
*Sep 18 01:57:10:284 2020 H3C12345 IKE/7/EVENT: IKE thread 1099234726576 processes a job.
*Sep 18 01:57:10:285 2020 H3C12345 IKE/7/EVENT: Phase2 process started.
*Sep 18 01:57:10:285 2020 H3C12345 IKE/7/EVENT: vrf = 0, local = 60.28.52.XX, remote = 114.250.82.XX/4500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Sep 18 01:57:10:285 2020 H3C12345 IKE/7/PACKET: vrf = 0, local = 60.28.52.XX, remote = 114.250.82.XX/4500
Decrypt the packet.
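The mismatch above can be checked mechanically rather than by reading the trace by eye. The following script is an added example, not part of the original case note and not an H3C tool: it parses debug ike all style lines in order, records the source endpoint of the last received packet, and reports when the phase-2 process is bound to a different remote address than the one the quick-mode packet came from, or when more than one peer address appears on UDP 4500 within the same negotiation. The two traces embedded in it are constructed to mirror the format of the page's debug output, using RFC 5737 documentation addresses in place of the masked real ones; the function and variable names are the example's own.

```python
"""Correlate peer endpoints across an IKEv1 NAT-T negotiation from debug output.

Added example, not part of the original case note or H3C's own tooling.
It parses 'debug ike all' style lines in order, records the source endpoint
of the last received packet, and checks whether the phase-2 process is bound
to that same remote address. A carrier NAT that re-maps the UDP/4500 flow
mid-negotiation shows up as two different remote addresses on port 4500.
"""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

RECV_RE = re.compile(r"Received packet from (\d+\.\d+\.\d+\.\d+) source port (\d+)")
REMOTE_RE = re.compile(r"remote = (\d+\.\d+\.\d+\.\d+)/(\d+)")
PHASE2_RE = re.compile(r"Phase2 process started")

# Constructed traces that mirror the page's debug format; the addresses are
# RFC 5737 documentation ranges standing in for the masked ones on the page.
FAULTY_TRACE = """\
*Sep 18 01:57:10:284 2020 H3C12345 IKE/7/PACKET: vrf = 0, local = 192.0.2.1, remote = 198.51.100.10/4500
Received packet from 198.51.100.10 source port 4500 destination port 4500.
*Sep 18 01:57:10:284 2020 H3C12345 IKE/7/PACKET: vrf = 0, local = 192.0.2.1, remote = 198.51.100.10/4500
exchange mode: Quick
*Sep 18 01:57:10:285 2020 H3C12345 IKE/7/EVENT: Phase2 process started.
*Sep 18 01:57:10:285 2020 H3C12345 IKE/7/EVENT: vrf = 0, local = 192.0.2.1, remote = 203.0.113.20/4500
Set IPsec SA state to IKE_P2_STATE_INIT.
"""

HEALTHY_TRACE = """\
*Sep 18 02:10:00:100 2020 H3C12345 IKE/7/PACKET: vrf = 0, local = 192.0.2.1, remote = 198.51.100.10/4500
Received packet from 198.51.100.10 source port 4500 destination port 4500.
*Sep 18 02:10:00:101 2020 H3C12345 IKE/7/EVENT: Phase2 process started.
*Sep 18 02:10:00:101 2020 H3C12345 IKE/7/EVENT: vrf = 0, local = 192.0.2.1, remote = 198.51.100.10/4500
Set IPsec SA state to IKE_P2_STATE_INIT.
"""


def analyze_ike_debug(text: str) -> Dict[str, object]:
    """Walk the lines in order and return what the trace says about the peer."""
    received_from: Optional[Endpoint] = None
    phase2_remote: Optional[Endpoint] = None
    awaiting_phase2_binding = False
    addresses_on_4500: set = set()

    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            received_from = (m.group(1), int(m.group(2)))
            continue
        if PHASE2_RE.search(line):
            awaiting_phase2_binding = True
            continue
        m = REMOTE_RE.search(line)
        if m:
            endpoint: Endpoint = (m.group(1), int(m.group(2)))
            if endpoint[1] == 4500:
                addresses_on_4500.add(endpoint[0])
            # The first 'remote =' after 'Phase2 process started' is the endpoint
            # the router attaches the IPsec SA negotiation to.
            if awaiting_phase2_binding and phase2_remote is None:
                phase2_remote = endpoint
                awaiting_phase2_binding = False

    mismatch = (received_from is not None and phase2_remote is not None
                and received_from[0] != phase2_remote[0])
    return {
        "received_from": received_from,
        "phase2_remote": phase2_remote,
        "addresses_on_4500": sorted(addresses_on_4500),
        "peer_address_changed": mismatch or len(addresses_on_4500) > 1,
    }


def verdict(result: Dict[str, object]) -> str:
    """One-line summary suitable for a ticket or a log alert."""
    if result["peer_address_changed"]:
        return ("peer public address changed on UDP/4500 mid-negotiation: "
                f"seen {result['addresses_on_4500']}; quick mode arrived from "
                f"{result['received_from']} but phase 2 is bound to {result['phase2_remote']}")
    return "peer address stable across the negotiation"


if __name__ == "__main__":
    for name, trace in (("faulty", FAULTY_TRACE), ("healthy", HEALTHY_TRACE)):
        print(f"{name}: {verdict(analyze_ike_debug(trace))}")
```

Feed it the raw debug capture from the headquarters router; a result with peer_address_changed set to True and two entries in addresses_on_4500 is the signature of the carrier re-mapping the UDP 4500 flow, as opposed to a simple pre-shared-key or proposal mismatch, which leaves the peer address stable.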
Version R0809P28 tolerates this carrier behaviour, in which the public address of the IKE flow on port 4500 changes while traversing NAT. Upgrading the MSR36 device to R0809P28 resolves the problem. Separately from this fault, the transform set in the headquarters configuration uses des-cbc with md5, and the branch stores its key with pre-shared-key simple (plaintext in the configuration); neither causes the negotiation failure described here, but both are weak choices that should be replaced (AES and a SHA-2 integrity algorithm, and a cipher-stored key) when these tunnels are next revisited.