Resolving an IPsec VPN tunnel that comes up but passes no traffic after configuring IPsec VPN on a USG5500

Published: 2014-05-29  Views: 332  Downloads: 0
Problem description
At a customer site, an IPsec VPN was configured on a USG5500 firewall. After configuration the tunnel could be established, but the addresses at the two ends that were meant to traverse the IPsec VPN could not reach each other.

Alarm information
The IPsec VPN interesting flow was configured with no nat, but the traffic was still NAT-translated:

display firewall session table  verbose  source inside 10.0.203.100
14:32:34  2014/05/19
Current Total Sessions : 3
  icmp  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:20  Left: 00:00:18
  Interface: GigabitEthernet0/0/1  NextHop: 218.104.49.129  MAC: 00-00-00-00-00-00
  <--packets:19 bytes:1140   -->packets:19 bytes:1140
  10.0.203.100:1[10.200.60.1:1]-->10.151.10.10:2048 
Handling process
A careful check of the configuration showed that in the intra-zone NAT policy, the address pool reference had the no-pat parameter appended:
policy 6
  action source-nat
  policy service service-set ip
  policy source 10.0.200.0 mask 22
  policy destination 10.151.10.0 mask 24
  address-group 10 (ccpm) no-pat

Looking at the session table, this flow did match the NAT policy:

icmp  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:20  Left: 00:00:20
  Interface: GigabitEthernet0/0/1  NextHop: 218.104.49.129  MAC: 00-00-00-00-00-00
  <--packets:5 bytes:300   -->packets:5 bytes:300
  10.0.203.100:1[10.200.60.1:1]-->10.151.10.10:2048

// According to the configuration this session is supposed to be NATed, so it is correct in itself. But because it hit a NAT policy of the no-pat form, a server-map entry was generated, and that server-map entry directly caused the flow below to be NATed as well, because server-map entries are matched before NAT policies.

  icmp  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:20  Left: 00:00:16
  Interface: GigabitEthernet0/0/1  NextHop: 218.104.49.129  MAC: 00-12-d9-a1-3d-80
  <--packets:0 bytes:0   -->packets:1 bytes:60
  10.0.203.100:1[10.200.60.1:1]-->172.16.250.5:2048

// This flow was configured not to be NATed, but because it hit the server-map it was NATed too.
With no-pat configured intra-zone, the USG allocates a public IP to 10.0.203.100 and at the same time creates a server-map entry; every subsequent packet sent from that private IP hits the server-map entry and is translated to that public address. This translation is a one-to-one mapping.

Checking the server-map table shows that it is being hit:

<wxhx-usg5310>display firewall  server-map
16:54:58  2014/05/19
server-map item(s)
------------------------------------------------------------------------------
No-Pat, 10.0.203.100[10.200.60.1] -> ANY, Zone: ---
   Protocol: ANY(Appro: ---), Left-Time: 00:12:00, Addr-Pool: 10
   VPN: public -> public

No-Pat Reverse, ANY -> 10.200.60.1[10.0.203.100], Zone: untrust2
   Protocol: ANY(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

  address-group 10 (ccpm) no-pat

After removing the no-pat parameter from the end of this command, the problem was resolved.

Root cause

The session table showed that the address was still translated even though no-nat was configured.
The initial suspicion was therefore that the configuration still contained something that triggered NAT translation:

  icmp  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:20  Left: 00:00:18
  Interface: GigabitEthernet0/0/1  NextHop: 218.104.49.129  MAC: 00-00-00-00-00-00
  <--packets:19 bytes:1140   -->packets:19 bytes:1140
  10.0.203.100:1[10.200.60.1:1]-->10.151.10.10:2048

Recommendations and summary
The server-map table has higher priority than NAT translation, and NAT in turn has higher priority than the IPsec VPN interesting flow. When configuring IPsec VPN, therefore, consider the possibility that the interesting-flow addresses also match a server-map entry.
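Added example, not part of the original case: a Python check that parses the 5-tuple lines of `display firewall session table verbose` output like the ones quoted above and flags sessions whose destination lies in the IPsec interesting flow but whose source was translated, which is exactly the symptom this case shows. The sample lines and the 172.16.250.0/24 destination prefix are constructed assumptions; replace the prefix with the real interesting-flow ACL.

```python
import ipaddress
import re

# Constructed sample input: the 5-tuple lines from the case's session table, plus one
# un-NATed host added here for contrast. The "[nat_src:nat_port]" bracket is present
# only when the session was source-NATed.
SESSION_TABLE = """\
  10.0.203.100:1[10.200.60.1:1]-->10.151.10.10:2048
  10.0.203.100:1[10.200.60.1:1]-->172.16.250.5:2048
  10.0.203.101:1-->172.16.250.6:2048
"""

# Assumed IPsec interesting-flow destination prefix; the case only shows one host
# (172.16.250.5), so this /24 is a placeholder for the real ACL destinations.
IPSEC_DESTINATIONS = [ipaddress.ip_network("172.16.250.0/24")]

# Matches src:port[nat_src:nat_port]-->dst:port; the bracket group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_sessions(text):
    """Return one dict per 5-tuple line; nat_src is None when no translation happened."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions.append({"src": m["src"], "nat_src": m["nat_src"], "dst": m["dst"]})
    return sessions


def nated_ipsec_sessions(text, ipsec_dsts=IPSEC_DESTINATIONS):
    """Sessions that should enter the tunnel but were source-NATed first.

    NAT policy and server-map entries are applied before the IPsec policy, so a
    translated source no longer matches the interesting-flow ACL and the packet
    is routed in the clear instead of being encapsulated.
    """
    hits = []
    for s in parse_sessions(text):
        dst = ipaddress.ip_address(s["dst"])
        if s["nat_src"] and any(dst in net for net in ipsec_dsts):
            hits.append((s["src"], s["nat_src"], s["dst"]))
    return hits


if __name__ == "__main__":
    for src, nat_src, dst in nated_ipsec_sessions(SESSION_TABLE):
        print(f"NATed IPsec traffic: {src} -> {nat_src} to {dst}; check NAT policy and server-map")
```

When the check reports a hit for a source that is covered by a no-nat rule, look for a No-Pat server-map entry for that host, as in the `display firewall server-map` output above.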

END