USG2130BSR: IPSec negotiation succeeds but service traffic does not pass

Published: 2014-09-11  Views: 1553  Downloads: 0
Problem description
Two USG2130BSR devices establish an IPSec tunnel over the public Internet. The negotiation succeeds, but service traffic does not pass through the tunnel.
Network topology:

USG2130BSR---------Internet--------------USG2130BSR
58.209.118.10                            222.73.189.92

Version: USG2100 V100R005C00SPC700
Alarm information
Troubleshooting process
1. Check the IPSec information. The tunnel has been established successfully.
[USG-A]dis ike sa
19:09:19  2013/01/07
current ike sa number: 2
  ---------------------------------------------------------------------
  connection-id  peer                    vpn   flag          phase   doi
  ------------------------------------------------------------------------
    0x49         222.73.189.92           0     RD          v1:2    IPSEC
    0x48         222.73.189.92           0     RD          v1:1    IPSEC
The peer address of the tunnel is the configured peer, 222.73.189.92.
2. Check the session for the IPSec negotiation packets (the negotiation packets are IKE, carried in UDP with destination port 500).
[USG-A]dis firewall  session table  verbose  destination-port 500
19:11:51  2013/01/07
Current Total Sessions : 1
  udp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:50
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:2 bytes:576   -->packets:6 bytes:920
  222.73.189.92:500-->58.209.118.10:500
This session shows that the intermediate link does not apply NAT to the peer address 222.73.189.92: the IKE packets arrive with their original source address.

3. Check the ESP session, i.e. the IPSec service packets.
[USG-A]dis firewall  session tabl verbose  destination global  58.209.118.10
esp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:10:00  Left: 00:09:47
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:5461 bytes:806880
  122.225.10.249:0-->58.209.118.10:0
The source address of the ESP packets has become 122.225.10.249. When the IPSec configuration is removed, this session disappears; once IPSec negotiation succeeds again, the session reappears. This shows that these packets do in fact originate from 222.73.189.92.

4. From the information above, an intermediate device rewrites the source IP of the ESP packets to 122.225.10.249, so the two sides cannot communicate. The local end has a public address itself and needs no address translation.
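The checks in steps 2 and 3 can be automated: parse the two `display firewall session table verbose` outputs, take the peer seen in the UDP/500 (IKE) session, and compare it with the source address of the ESP session toward the same local address. The script below is an added example, not Huawei code; the session text is a constructed sample modelled on the outputs above, and the verdict names are my own.

```python
import re

# Constructed sample, modelled on the two session-table outputs in this article.
SAMPLE = """\
  udp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:50
  <--packets:2 bytes:576   -->packets:6 bytes:920
  222.73.189.92:500-->58.209.118.10:500
  esp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:10:00  Left: 00:09:47
  <--packets:0 bytes:0   -->packets:5461 bytes:806880
  122.225.10.249:0-->58.209.118.10:0
"""

# First line of an entry, the packet counters, and the src:port-->dst:port line.
PROTO_RE = re.compile(r"^\s*(udp|tcp|esp|ah|icmp)\s+VPN:", re.I)
PKT_RE = re.compile(r"<--packets:(\d+).*-->packets:(\d+)")
FLOW_RE = re.compile(r"^\s*([\d.]+):(\d+)-->([\d.]+):(\d+)\s*$")

def parse_sessions(text):
    """Split 'display firewall session table verbose' output into per-session dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            cur = {"proto": m.group(1).lower(), "rev_pkts": 0, "fwd_pkts": 0}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := PKT_RE.search(line):
            cur["rev_pkts"], cur["fwd_pkts"] = int(m.group(1)), int(m.group(2))
        elif m := FLOW_RE.match(line):
            cur["src"], cur["dst"], cur["dport"] = m.group(1), m.group(3), int(m.group(4))
    return sessions

def diagnose(text, local_ip):
    """Compare the IKE peer (UDP/500) with the ESP source seen for the same local address."""
    sess = parse_sessions(text)
    ike = [s for s in sess if s["proto"] == "udp" and s.get("dst") == local_ip and s.get("dport") == 500]
    esp = [s for s in sess if s["proto"] == "esp" and s.get("dst") == local_ip]
    if not ike or not esp:
        return {"verdict": "missing_ike_or_esp"}
    peer, e = ike[0]["src"], esp[0]
    result = {"ike_peer": peer, "esp_src": e["src"]}
    if e["src"] != peer:
        # IKE arrived un-NATed, so NAT-T was never negotiated, yet ESP comes from
        # another address: a middlebox rewrites ESP only, exactly the case above.
        result["verdict"] = "esp_src_rewritten"
    elif e["fwd_pkts"] > 0 and e["rev_pkts"] == 0:
        result["verdict"] = "one_way_esp"   # addresses agree but nothing flows back
    else:
        result["verdict"] = "ok"
    return result
```

Feed the output of both commands concatenated, with the local public address as `local_ip`; an `esp_src_rewritten` verdict points at the path, not at the IPSec configuration.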

Root cause
Service packet transmission problem.
Suggestions and summary
For ESP packets to traverse NAT, the RFC requires that the negotiation packets also pass through the NAT; otherwise the two IPSec endpoints cannot detect whether a NAT device sits in the path.
The negotiation principle is shown in the figure below: only the negotiation packets can detect whether a NAT device is present in the path.