https://support.huawei.com/enterprise/zh/knowledge/EKB1000927946
Problem description
1. Version: V100R001C30SPC600
2. Network overview: one headquarters site with one PC subnet behind it and two branches, each with one PC subnet behind it. IPsec VPN tunnels run between headquarters and each branch, and the branch side builds its tunnel with a template policy. Traffic between the two branches also has to be carried, which requires a point-to-point tunnel between the branches.
3. Network topology diagram
Alarm information
No alarm information
Handling process
1. Check the current IKE SAs and IPsec SAs on the branch device:
<spook1>dis ike sa
Ike sa information :
Conn-ID Peer VPN Flag(s) Phase
----------------------------------------------------------------------------------------------
2 202.100.1.10 RD|A v1:2
1 202.100.1.10 RD|A v1:1
9 202.100.3.10 NEG|A v1:1
Number of SA entries : 3
Number of SA entries of all cpu : 3
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
#
<spook1>dis ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/0
===============================
-----------------------------
IPSec policy name: "1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.100.2.10
Tunnel remote : 202.100.1.10
Flow source : 192.168.2.0/255.255.255.0 0/0
Flow destination : 192.168.1.0/255.255.255.0 0/0
[Outbound ESP SAs]
SPI: 3966996463 (0xec738fef)
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/995
Max sent sequence-number: 16
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/kilobytes): 15/0
[Inbound ESP SAs]
SPI: 2798864871 (0xa6d349e7)
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/995
Max received sequence-number: 15
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/kilobytes): 14/0
Anti-replay : Enable
Anti-replay window size: 1024
The VPN tunnel between the branch and headquarters is up (flags RD|A, phase 1 and phase 2 SAs present), while the branch-to-branch tunnel is still negotiating its phase 1 SA (flag NEG).
2. Enable debugging on the branch; the output is as follows:
<spook1>
Oct 9 2017 03:19:41.520.1 spook1 IPSEC/7/IPSEC-DEBUG:IPSEC_INFO 20:4898 IPSec Info: handle adp message,id 0, Spi 0,remote address 0.
<spook1>
Oct 9 2017 03:19:41.520.2 spook1 IPSEC/7/IPSEC-DEBUG:IPSEC_INFO 20:4994 IPSec Info: handle adp outbound sa miss:remote address 33728704,local address 33794240,usSourcePort 60098,usDestPort 8
<spook1>
Oct 9 2017 03:19:41.520.3 spook1 IPSEC/7/IPSEC-DEBUG:IPSEC_INFO 20:4645 IPSec Info: handle sa miss,flow source 33728704,flow dest 33794240, source port 60098,dest port 8.
<spook1>
Oct 9 2017 03:19:41.520.4 spook1 IPSEC/7/IPSEC-DEBUG:IPSEC_INFO 20:1430 IKE is negotiating SA for IPsec policy: 1-20
3. Move the point-to-point IPsec VPN policy for the branch-to-branch tunnel ahead of the template policy, giving it a lower sequence number:
Configuration script:
ipsec policy 1 5 isakmp
security acl 3001
ike-peer 2
proposal 2
ipsec policy 1 10 isakmp template 2
#
After this change the branch-to-branch VPN tunnel is established successfully, and the tunnel between the branch and headquarters remains up.
The IKE SAs now show:
<spook1>dis ike sa
Ike sa information :
Conn-ID Peer VPN Flag(s) Phase
----------------------------------------------------------------------------------------------
13 202.100.3.10 RD|ST|A v1:2
12 202.100.3.10 RD|ST|A v1:1
11 202.100.1.10 RD|A v1:2
1 202.100.1.10 RD|A v1:1
Root cause
1. When the firewall already has an IPsec VPN tunnel built with a template policy and a point-to-point tunnel is added afterwards, the point-to-point isakmp policy must not be given a later (higher) sequence number than the template policy; otherwise the point-to-point tunnel cannot be established.
Solution
1. When the firewall already has an IPsec VPN tunnel built with a template policy and a point-to-point tunnel is added afterwards, the point-to-point isakmp policy must be given an earlier (lower) sequence number than the template policy.
Recommendations and summary
1. Understand the network topology and the order in which the different kinds of IPsec VPN policy are evaluated. On a live device with a single egress interface that uses both template-based and point-to-point tunnels, the point-to-point isakmp policy must be placed before the template policy; with that ordering both kinds of tunnel come up normally.
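As an added example, not part of the Huawei article, the script below turns the root cause and the troubleshooting step into two checks an operator can run offline: it lints a policy group for point-to-point isakmp entries whose sequence number is higher than a template entry in the same group (the misordering that stalled the branch-to-branch tunnel), and it extracts peers whose IKE SA carries the NEG flag from `display ike sa` output. It assumes, as the article's root cause states, that entries in a policy group are evaluated in ascending sequence order and that a template entry matches any peer; the configuration and IKE SA samples are constructed to mirror the article's before and after states (the debug line names policy 1-20 as the stalled entry, so the "before" sample puts the point-to-point entry at sequence 20).

```python
"""Added example (not from the Huawei KB article): lint IPsec policy ordering
and pull peers stuck in IKE negotiation out of `display ike sa` output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Matches the two policy forms used on the page:
#   ipsec policy <group> <seq> isakmp
#   ipsec policy <group> <seq> isakmp template <name>
POLICY_RE = re.compile(r"^\s*ipsec policy (\S+) (\d+) isakmp(?: template (\S+))?\s*$")


@dataclass
class PolicyEntry:
    group: str
    seq: int
    template: Optional[str]  # None for a point-to-point entry


def parse_policies(config: str) -> List[PolicyEntry]:
    """Extract ipsec policy entries from configuration text."""
    entries = []
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            entries.append(PolicyEntry(m.group(1), int(m.group(2)), m.group(3)))
    return entries


def find_shadowed_entries(entries: List[PolicyEntry]) -> List[Tuple[PolicyEntry, PolicyEntry]]:
    """Return (point-to-point entry, template entry) pairs where the point-to-point
    entry has a higher sequence number than a template entry in the same group.
    Assumption: entries are tried in ascending sequence order and a template
    entry matches any peer, so the point-to-point entry is never reached."""
    by_group: Dict[str, List[PolicyEntry]] = {}
    for e in entries:
        by_group.setdefault(e.group, []).append(e)
    problems = []
    for items in by_group.values():
        first_template = None
        for e in sorted(items, key=lambda p: p.seq):
            if e.template is not None:
                if first_template is None:
                    first_template = e
            elif first_template is not None:
                problems.append((e, first_template))
    return problems


def negotiating_peers(ike_sa_output: str) -> Set[str]:
    """Return peer addresses whose IKE SA row carries the NEG flag.

    Rows look like '9 202.100.3.10 NEG|A v1:1'. The VPN column is blank in the
    article's output, so fields are read from both ends of the row."""
    peers = set()
    for line in ike_sa_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, separator and summary lines
        if "NEG" in parts[-2].split("|"):
            peers.add(parts[1])
    return peers


# Constructed sample of the article's "before" state: the template entry (seq 10)
# precedes the branch-to-branch point-to-point entry (seq 20).
CONFIG_BEFORE = """\
ipsec policy 1 10 isakmp template 2
ipsec policy 1 20 isakmp
 security acl 3001
 ike-peer 2
 proposal 2
"""

# Constructed sample of the article's fix: the point-to-point entry moves to seq 5.
CONFIG_AFTER = """\
ipsec policy 1 5 isakmp
 security acl 3001
 ike-peer 2
 proposal 2
ipsec policy 1 10 isakmp template 2
"""

# Constructed excerpt of the "before" display ike sa output.
IKE_SA_BEFORE = """\
Conn-ID Peer VPN Flag(s) Phase
----------------------------------------------------------------------------------------------
2 202.100.1.10 RD|A v1:2
1 202.100.1.10 RD|A v1:1
9 202.100.3.10 NEG|A v1:1
"""

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for p2p, tmpl in find_shadowed_entries(parse_policies(cfg)):
            print(f"{name}: policy {p2p.group} seq {p2p.seq} is shadowed by template seq {tmpl.seq}")
    print("peers still negotiating:", negotiating_peers(IKE_SA_BEFORE))
```

Running it reports the seq 20 entry as shadowed in the "before" configuration, nothing for the "after" configuration, and 202.100.3.10 as the peer still negotiating, which is exactly the picture the article's `display ike sa` output gave before the fix. The lint keys only on the policy group and sequence numbers, so it can be run over a saved configuration before a point-to-point policy is added to a device that already uses a template.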