Resolving an IPsec VPN that fails to come up between a USG firewall and a Galaxy Wind DS705

Published: 2013-02-17  Views: 231  Downloads: 2
Problem description
   The customer runs an IPsec VPN between a USG firewall and a third-party Galaxy Wind DS705 Internet behaviour management device. The basic parameters are configured on both sides, but the phase 1 tunnel cannot be established.
   Comparing the basic settings of the USG and the DS705, the displayed parameters match completely. The auto-neg parameter was added to the IPsec policy applied on the interface so that the link triggers IPsec VPN establishment automatically. A ping test between the two sides' internal addresses (ping -a 192.168.0.254 192.168.5.1) fails, and the tunnel stays in negotiation.

Alarm information
The tunnel stays in negotiation and never comes up.

[USG2100-ike-peer-to-dk] disp ike sa

12:10:18  2013/02/16

current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40002   219.149.222.54          NEG           v2:2  public
2          219.149.222.54          NEG           v2:1  public
Handling process
Key USG configuration:

The customer's initial ACL was:

acl number 3000
rule 0 permit ip source 192.168.0.0 0.255.255.255  destination 192.168.0.0 0.255.255.255
The interesting traffic at both ends is the 192.168.0.0 subnet to the 192.168.5.0 subnet, each with a 24-bit mask. The customer's ACL selects a far wider range than the interesting traffic (a 0.255.255.255 wildcard matches the whole 192.0.0.0/8 block).
Changed to:
acl number 3000
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255


IKE phase configuration

ike proposal 100
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
integrity-algorithm hmac-md5-96
// This command must be added to force the integrity algorithm used in the IKE proposal to HMAC-MD5-96.

#
ike peer to-dk
exchange-mode aggressive  // Main mode was configured originally and would not negotiate; changed to aggressive mode
pre-shared-key %$%$DV$M(n}y:KdpF]$deqm2I.%y%$%$
ike-proposal 100
undo version 2                   // Negotiation with the default version 2 failed; changed to version 1.
remote-address 219.149.222.54
#
ipsec proposal to-dk
esp encryption-algorithm 3des
#
ipsec policy todk 1 isakmp
security acl 3000
ike-peer to-dk
proposal to-dk
sa duration time-based 115200
#
interface Dialer0
link-protocol ppp
ppp chap user n0431xyz10550410
ppp chap password cipher %$%$.`fYAc*GlJn\w<OGXc##IJA8%$%$
ppp pap local-user n0431xyz10550410 password cipher %$%$[J$sYvgbC)->Nk91O+&7I@7.%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user n0431xyz10550410
dialer bundle 1
ipsec policy todk auto-neg
ddns apply policy 3322

policy interzone trust untrust inbound
policy 0
  action permit
  policy logging
  policy destination address-set webserver
#
nat-policy interzone trust untrust outbound
policy 1                                
  action source-nat
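As an added example (not part of the original case, and not Huawei or Galaxy Wind code), the following Python script checks a USG-style configuration fragment for the two faults found here: an ACL whose wildcard mask selects far more than the intended /24 subnets, and IKE phase 1 settings that differ from what the peer expects. The before/after config fragments are constructed to mirror the lines above; the peer's required IKE parameters are an assumption inferred from the final working configuration, since the DS705 configuration itself is not reproduced on the page.

```python
"""Added example: validate interesting-traffic ACL scope and IKE phase-1
parameters in a Huawei USG-style config fragment (not vendor code)."""
import ipaddress
import re

# Intended interesting traffic from the case: local 192.168.0.0/24 to remote 192.168.5.0/24.
INTENDED = (ipaddress.ip_network("192.168.0.0/24"),
            ipaddress.ip_network("192.168.5.0/24"))

# Phase-1 parameters the DS705 side accepts. Assumption: inferred from the
# settings the case ended up with; the DS705's own config is not on the page.
PEER_IKE = {
    "version": "1",
    "exchange-mode": "aggressive",
    "encryption-algorithm": "3des-cbc",
    "authentication-algorithm": "md5",
    "dh": "group2",
    "integrity-algorithm": "hmac-md5-96",
}

# Constructed config fragments mirroring the page's before/after USG lines.
BEFORE = """\
acl number 3000
rule 0 permit ip source 192.168.0.0 0.255.255.255 destination 192.168.0.0 0.255.255.255
#
ike proposal 100
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer to-dk
ike-proposal 100
"""

AFTER = """\
acl number 3000
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
#
ike proposal 100
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
integrity-algorithm hmac-md5-96
#
ike peer to-dk
exchange-mode aggressive  // was main mode
ike-proposal 100
undo version 2            // was IKEv2
"""

ACL_RE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                    r"\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """Turn 'address wildcard' into an ip_network. In a wildcard, 1-bits are
    don't-care bits, so the subnet mask is the bitwise complement."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, prefix), strict=False)


def check_acl(config_text):
    """Classify each ACL rule as exact, too-broad or no-match against INTENDED."""
    findings = []
    for m in ACL_RE.finditer(config_text):
        src = wildcard_to_network(m.group(1), m.group(2))
        dst = wildcard_to_network(m.group(3), m.group(4))
        if (src, dst) == INTENDED:
            status = "exact"
        elif INTENDED[0].subnet_of(src) and INTENDED[1].subnet_of(dst):
            status = "too-broad"   # would also select unrelated traffic
        else:
            status = "no-match"    # does not cover the intended flows
        findings.append((str(src), str(dst), status))
    return findings


def extract_ike(config_text):
    """Pull phase-1 settings from the 'ike proposal' and 'ike peer' blocks.
    Defaults (version 2, main mode) are those the case reports for the USG."""
    settings = {"version": "2", "exchange-mode": "main"}
    for raw in config_text.splitlines():
        line = raw.split("//")[0].strip()   # drop trailing comments
        if line.startswith("undo version 2"):
            settings["version"] = "1"
        elif line.startswith("exchange-mode "):
            settings["exchange-mode"] = line.split()[1]
        elif line.startswith("dh "):
            settings["dh"] = line.split()[1]
        else:
            for key in ("encryption-algorithm", "authentication-algorithm",
                        "integrity-algorithm"):
                if line.startswith(key + " "):
                    settings[key] = line.split()[1]
    return settings


def ike_mismatches(config_text):
    """Return {parameter: (local, peer)} for every phase-1 value that differs."""
    local = extract_ike(config_text)
    return {k: (local.get(k), v) for k, v in PEER_IKE.items() if local.get(k) != v}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "ACL:", check_acl(cfg), "IKE mismatches:", ike_mismatches(cfg))
```

Running it reports the initial ACL as too-broad (both selectors collapse to 192.0.0.0/8) together with three phase 1 mismatches, and a clean result for the corrected fragment. A parameter reported as None means the config never sets it explicitly, which is exactly the integrity-algorithm gap this case hit.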

Galaxy Wind DS705 configuration:
After changing the parameters, the tunnel comes up:

[USG2100]      disp ike sa
08:38:37  2013/02/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40094      219.149.222.54          RD            v1:2  public
40093      219.149.222.54          RD            v1:1  public

Pinging between the internal networks now succeeds; problem resolved.

[USG2100]ping -a 192.168.0.254 192.168.5.1
08:38:52  2013/02/17
  PING 192.168.5.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.5.1: bytes=56 Sequence=1 ttl=64 time=50 ms
    Reply from 192.168.5.1: bytes=56 Sequence=2 ttl=64 time=40 ms
    Reply from 192.168.5.1: bytes=56 Sequence=3 ttl=64 time=40 ms
    Reply from 192.168.5.1: bytes=56 Sequence=4 ttl=64 time=40 ms
    Reply from 192.168.5.1: bytes=56 Sequence=5 ttl=64 time=40 ms
Root cause
1. The ACL was misconfigured.

2. The interesting-traffic addresses were not excluded.

3. The default parameters on the USG and the third-party device do not match.

Recommendations and summary

END