Eudemon1000E to Cisco PIX IPSec interconnection: only some of the data flows can pass

Published: 2013-09-30  Views: 221  Downloads: 0
Problem description
The network topology is shown in Figure 1. After the Eudemon and the Cisco PIX establish an IPSec VPN, terminals in the 10.196.226.0/28 segment can reach only one terminal on the peer intranet at a time; for example, while 10.175.20.25 is reachable, none of the other terminals can be reached.
Alarm information
Handling procedure
Step 1 Split ACL 3501 into several ACLs, each containing a single rule, and reference them from multiple IPSec sub-policies. This resolved the problem.
The modified ACL and IPSec policy configuration is as follows:
acl number 3501
rule 5 permit ip source 10.215.11.184 0 destination 10.50.244.86 0
acl number 3601
rule 5 permit ip source 10.215.11.184 0 destination 10.175.20.25 0
acl number 3701
rule 5 permit ip source 10.215.11.184 0 destination 10.175.20.35 0
acl number 3801
rule 5 permit ip source 10.215.11.184 0 destination 10.175.4.170 0
acl number 3901
rule 5 permit ip source 10.215.11.184 0 destination 10.175.4.110 0

ipsec policy huawei 40 isakmp
security acl 3501
ike-peer mobilink
proposal shades
sa duration time-based 3600
#
ipsec policy huawei 70 isakmp
security acl 3601
ike-peer mobilink
proposal shades
sa duration time-based 3600
#
ipsec policy huawei 80 isakmp
security acl 3701
ike-peer mobilink
proposal shades
sa duration time-based 3600
#
ipsec policy huawei 90 isakmp
security acl 3801
ike-peer mobilink
proposal shades
sa duration time-based 3600
#
ipsec policy huawei 100 isakmp
security acl 3901
ike-peer mobilink
proposal shades
sa duration time-based 3600
Root cause
On some Eudemon products a single ACL, even one containing several rules, corresponds to one IPSec tunnel and one pair of SAs, whereas a Cisco access-list may also hold multiple rules but each rule there corresponds to its own IPSec tunnel and pair of SAs. As a result, when the ACL contains multiple rules, only the data flow matching the rule that initiated the negotiation passes; the flows matching the other rules are all blocked.
It was confirmed that the Eudemon-to-PIX connection uses the sub-policy ipsec policy huawei 40 isakmp, and that the referenced ACL 3501 is configured with multiple rules. The configuration is as follows:
nat address-group 2 10.215.11.184 10.215.11.184
#
acl number 3005
rule 5 permit ip source 10.196.226.0 0.0.0.15 destination 10.50.244.86 0
rule 10 permit ip source 10.196.226.0 0.0.0.15 destination 10.175.20.25 0
rule 15 permit ip source 10.196.226.0 0.0.0.15 destination 10.175.20.35 0
rule 20 permit ip source 10.196.226.0 0.0.0.15 destination 10.175.4.170 0
rule 25 permit ip source 10.196.226.0 0.0.0.15 destination 10.175.4.110 0
#
firewall interzone trust untrust
nat outbound 3005 address-group 2
#
First, sessions from an internal segment to the five servers on the peer side are NATed to the single address 10.215.11.184 (because the 10.196.226.0 segment already exists on the peer side);
acl number 3501
rule 5 permit ip source 10.215.11.184 0 destination 10.50.244.86 0
rule 10 permit ip source 10.215.11.184 0 destination 10.175.20.25 0
rule 15 permit ip source 10.215.11.184 0 destination 10.175.20.35 0
rule 20 permit ip source 10.215.11.184 0 destination 10.175.4.170 0
rule 25 permit ip source 10.215.11.184 0 destination 10.175.4.110 0
#
then the NAT-translated addresses are protected with the IPSec VPN.

ike peer mobilink
pre-shared-key hu@w31114r
ike-proposal 30
remote-address 221.132.117.34
nat traversal
#
ipsec proposal shades
esp authentication-algorithm sha1
#
ipsec policy huawei 40 isakmp
security acl 3501
ike-peer mobilink
proposal shades
sa duration time-based 3600
#
interface Ethernet2/0/1
ip address 124.109.53.154 255.255.255.252
undo ip fast-forwarding qff
ipsec policy huawei
#
Suggestions and summary
When a Eudemon device interconnects over IPSec with a Cisco or other third-party device and the traffic to be encrypted must be defined with multiple rules, configure it as multiple sub-policies, with each referenced ACL containing a single rule.
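As an added example (not from the original case and not a Huawei tool), the following Python flags IPSec sub-policies whose security ACL carries more than one rule, the mismatch described under Root cause, and generates the one-rule-per-ACL, one-ACL-per-sub-policy split applied in Step 1. The sample configuration, the ACL-number and sequence-number steps, and renumbering each split rule to 5 are assumptions.

```python
import re
# Constructed sample in the style of the page's failing config: one sub-policy whose ACL has several rules.
SAMPLE_CONFIG = """\
acl number 3501
 rule 5 permit ip source 10.215.11.184 0 destination 10.50.244.86 0
 rule 10 permit ip source 10.215.11.184 0 destination 10.175.20.25 0
 rule 15 permit ip source 10.215.11.184 0 destination 10.175.20.35 0
#
ipsec policy huawei 40 isakmp
 security acl 3501
 ike-peer mobilink
 proposal shades
 sa duration time-based 3600
"""

def parse(config):
    """-> ({acl_number: [rule lines]}, [(policy_name, seq, [body lines])])."""
    acls, policies, section = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"acl number (\d+)", line):
            section, acls[m[1]] = ("acl", m[1]), []
        elif m := re.fullmatch(r"ipsec policy (\S+) (\d+) isakmp", line):
            section = ("policy", len(policies))
            policies.append((m[1], int(m[2]), []))
        elif line in ("", "#"):                      # block terminator
            section = None
        elif section and section[0] == "acl" and line.startswith("rule "):
            acls[section[1]].append(line)
        elif section and section[0] == "policy":
            policies[section[1]][2].append(line)
    return acls, policies
def acl_of(body):                                    # ACL number a sub-policy references
    return next((b.split()[2] for b in body if b.startswith("security acl ")), None)
def multi_rule_policies(config):                     # the failure mode on this page
    acls, policies = parse(config)
    return [(n, s, a, len(acls[a])) for n, s, b in policies
            if (a := acl_of(b)) and len(acls.get(a, [])) > 1]
def split_policy(config, acl_step=100, seq_step=10):
    """One single-rule ACL plus one sub-policy per original rule (the page's fix).
    acl_step/seq_step are assumptions; choose numbers that are free on the device."""
    (acls, policies), out = parse(config), []
    for name, seq, body in policies:
        rules = acls.get(acl_of(body) or "", [])
        for i, rule in enumerate(rules if len(rules) > 1 else []):   # leave single-rule ACLs alone
            new_acl = str(int(acl_of(body)) + i * acl_step)
            out += [f"acl number {new_acl}", " rule 5 " + rule.split(None, 2)[2], "#",
                    f"ipsec policy {name} {seq + i * seq_step} isakmp"]
            out += [" " + (f"security acl {new_acl}" if b.startswith("security acl ") else b)
                    for b in body] + ["#"]
    return out
```

Running multi_rule_policies over the generated lines returns an empty list, which is the check to repeat after editing a real device's configuration.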
