ACL error prevents L2TP over IPsec from coming up

Published: 2013-06-26  Views: 478  Downloads: 0
Problem description
A customer has a USG2100. A remote PC needs to reach the intranet over L2TP over IPsec, but dialling in with the VPN client software fails.
Alarm information
None.
Handling process
1 Check the IKE SA during the dial-up attempt:
<USG2100>dis ike sa
20:54:36  2013/06/19
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40051      <unnamed>               NONE          v1:2  public
40050      2.2.2.2:12485              RD            v1:1  public

Phase 2 does not come up.

2 Enable debugging ipsec error:

2013-06-19 20:54:21 USG2100 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
*0.46319980 USG2100 IKE/7/DEBUG:Get IPsec policy: get IPsec policy failed
*0.46319980 USG2100 IKE/7/DEBUG:validate_prop: no IPsec policy found
*0.46319980 USG2100 IKE/7/DEBUG:dropped message from 2.2.2.2 due to notification type INVALID_ID_INFORMATION

The debug output reports an ACL mismatch.

3 Check the ACL configuration:
[USG2100]dis acl all
20:55:09  2013/06/19
Total nonempty acl number is 1

Advanced ACL 3000, 1 rule,not binding with vpn-instance
Acl's step is 5
rule 10 permit udp destination-port eq 1701 (0 times matched)

After the ACL rule is changed to match source port 1701 instead of destination port 1701,
the dial-up succeeds.

[USG2100] dis ike sa
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40053      2.2.2.2:12485         RD            v1:2  public
40052      2.2.2.2:12485         RD            v1:1  public
The sessions are as follows:
udp  VPN:public --> public
Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:38
Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
<--packets:4 bytes:1452   -->packets:4 bytes:1228
2.2.2.2:13681-->1.1.1.1:500

udp  VPN:public --> public
Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:54
Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
<--packets:5 bytes:564   -->packets:139 bytes:23430
2.2.2.2:12485-->1.1.1.1:4500
                         
l2tp  VPN:public --> public
Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:41
Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
<--packets:36 bytes:1947   -->packets:118 bytes:13012
192.168.253.12:60966-->1.1.1.1:1701
Root cause
Configuration error.
Suggestions and summary
In the Client-Initialized L2TP over IPsec scenario, the PC's source port is random (60966 in the session above). The IPsec security ACL is matched against the returning packets, whose source port is 1701 and whose destination port is the PC's random port; a rule keyed on destination port 1701 therefore never matches, which is exactly what the "security acl mismatch" warning reported.
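As an added illustration that is not part of the original case, the following Python snippet models how the security ACL selects the L2TP flow and reproduces both the mismatch and the fix. The packet addresses and ports come from the session table above; the ACL model (protocol and ports only), the `matches` helper, and the assumption that the ACL is evaluated against the gateway-to-client direction are this example's own simplifications, not USG code. The rule forms in the comments, `rule 10 permit udp destination-port eq 1701` (as shown in the case) and `rule 10 permit udp source-port eq 1701` (the corrected form), are written in the case's own ACL syntax.

```python
# Added example (not from the original case): a small model of how the
# USG's IPsec security ACL selects the L2TP flow, reproducing the mismatch
# and the fix described in the case. The packet values below are taken from
# the session output in the case; the ACL model itself is a simplification
# (only protocol and ports are checked) and is this example's own assumption.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    """Simplified 'rule <id> permit <proto> [source-port eq N] [destination-port eq N]'."""
    rule_id: int
    proto: str
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.source_port is not None and pkt.src_port != self.source_port:
            return False
        if self.destination_port is not None and pkt.dst_port != self.destination_port:
            return False
        return True


def reverse(pkt: Packet) -> Packet:
    """The return packet of a flow: gateway -> client, addresses and ports swapped."""
    return Packet(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def first_match(rules: List[AclRule], pkt: Packet) -> Optional[int]:
    """Id of the first permit rule that matches the packet, or None (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.rule_id
    return None


def protected_by_ipsec(rules: List[AclRule], client_pkt: Packet) -> bool:
    """Assumption (as the case states): the security ACL is evaluated against the
    packets the gateway sends back to the client, i.e. the reversed flow."""
    return first_match(rules, reverse(client_pkt)) is not None


# Flow seen in the case's session table: the PC picks a random source port.
CLIENT_TO_GW = Packet("udp", "192.168.253.12", 60966, "1.1.1.1", 1701)

# Original rule from the case: 'rule 10 permit udp destination-port eq 1701'
WRONG_ACL = [AclRule(10, "udp", destination_port=1701)]
# Corrected rule: 'rule 10 permit udp source-port eq 1701'
FIXED_ACL = [AclRule(10, "udp", source_port=1701)]


def survey_random_ports(rules: List[AclRule], ports: List[int]) -> int:
    """Count how many candidate client source ports the ACL protects; a correct
    rule must cover every one of them, since the client port is not predictable."""
    return sum(
        protected_by_ipsec(rules, Packet("udp", "192.168.253.12", p, "1.1.1.1", 1701))
        for p in ports
    )


if __name__ == "__main__":
    print("wrong ACL protects flow:", protected_by_ipsec(WRONG_ACL, CLIENT_TO_GW))  # False
    print("fixed ACL protects flow:", protected_by_ipsec(FIXED_ACL, CLIENT_TO_GW))  # True
    # The wrong rule looks plausible only because it matches the client->gateway direction.
    print("wrong ACL matches client->gw:", first_match(WRONG_ACL, CLIENT_TO_GW))  # 10
```

The last line of the script shows why the original rule is easy to write by mistake: it does match the packet the PC sends, but that is not the direction the security ACL is checked against, so phase 2 negotiation fails with the INVALID_ID_INFORMATION notification seen in the debug output.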

END