IPsec VPN fails to establish in a 3G + NAT traversal scenario

Published: 2014-09-15  Views: 816  Downloads: 0
Problem description
A branch router could not establish an IPsec VPN with a headquarters intranet node router. The branch egress gateway is an AR207G running V2R2C02SPC300; its WAN side is a 3G cellular interface that obtains its IP address dynamically. The headquarters egress NAT gateway is a Cisco router, and the intranet node AR207 has the fixed private address 192.168.0.18. The customer required an IPsec VPN between the AR207G and the AR207; in live-network testing the IPsec tunnel failed to establish.
192.168.5.x/24 (private) --- AR207 (E0/0/0 192.168.0.18/24) --- Cisco NAT (85.18.98.67/30) ----- INTERNET ---- AR207G (dynamic) ---- (private) 192.168.20.x/24
Alarm information
Handling process
1. AR207G side: the 3G interface obtains its IP address dynamically, and the address changes after a reboot, an interface up/down event or similar. On the AR207 side the IP address is fixed but private, and it reaches the Internet through NAT on the Cisco device. The overall approach is that the fixed-IP side (AR207) uses an IPsec policy template together with NAT traversal.
2. AR207 side: the fixed-IP side uses aggressive mode and specifies the peer's public IP; the IPsec configuration uses aggressive mode with local ID type name, sets ike local-name and NAT traversal, and the ACL referenced by nat outbound must deny the traffic that goes through the IPsec tunnel.
3. Difficulty: determining the public IP of the AR207G's peer. In this scenario the AR207 has a fixed private IP, so a NAT server (static NAT) entry on the egress Cisco gateway can pin the AR207's public IP address, which resolves the tunnel establishment problem.
4. The configuration files are adjusted as follows:
AR207G:
#
ike local-name huawei2
#
acl name GGG 2000
description 2000
rule 1 deny source 192.168.20.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 3101
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer spub v1
exchange-mode aggressive
pre-shared-key simple huawei
ike-proposal 1
local-id-type name
remote-name huawei
nat traversal
remote-address 85.18.98.67
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer spub
proposal tran1
#
#
interface Cellular0/0/0
link-protocol ppp
ppp chap user card
ppp chap password simple card
ppp ipcp dns 8.8.8.8
ip address ppp-negotiate
dialer enable-circular
dialer-group 1
dialer timer idle 0
dialer number *99# autodial
ipsec policy map1
nat outbound 2000
#
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
ip route-static 192.168.5.0 255.255.255.0 85.18.98.67
#
Cisco NAT egress gateway: configure a static NAT or NAT server entry so that the internal AR207 (192.168.0.18/24) is always mapped to the public IP 85.18.98.67/30.
#
AR207:
#
ike local-name huawei
#
acl number 3101
rule 5 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer spub v1
exchange-mode aggressive
pre-shared-key simple huawei
ike-proposal 1
local-id-type name
remote-name huawei2
local-address 192.168.0.18
nat traversal
#
ipsec policy-template temp1 10
security acl 3101
ike-peer spub
proposal tran1
#
ipsec policy map1 10 isakmp template temp1
#
interface Ethernet0/0/0
undo portswitch
description 1_Internet_R_ethernet0/0/0
ip address 192.168.0.18 255.255.255.0
ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
Root cause
Reviewing the scenario and the configuration files showed that on the dynamically addressed AR207G the IPsec configuration used main mode; the local ID type was name but no ike local-name was set; the local address was the 3G interface IP held at that moment; the remote address was the AR207's fixed private address 192.168.0.18; and NAT traversal was not configured. Packets that should have entered the IPsec tunnel had already been NATed and could no longer match the security ACL. This was judged a serious configuration problem, and the configuration had to be adjusted to meet the customer's requirement.
Suggestions and summary
Before configuring an IPsec tunnel, understand the scenario fully: whether the IP addresses at both ends are fixed; whether they are public addresses (when NAT is involved, NAT traversal must be configured at both ends); whether IPsec and nat outbound are applied on the same interface; and then whether to use an ISAKMP policy or a policy template (in general, at the two ends of an IPsec tunnel the negotiation initiator configures the security policy with an ISAKMP policy and the responder configures it with a policy template).
