IPsec communication failure

Published: 2014-11-23   Views: 192   Downloads: 0
Problem description
As shown in the figure below, the symptoms are: the PCs cannot reach each other; a ping from the inside address of firewall FW1 to the inside address of firewall FW2 succeeds; neither FW1 nor FW2 can reach the peer's private network.

Troubleshooting process
1. Check whether the IKE SA is up:
[firewall]display ike sa
19:49:07  2014/11/23
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40001      12.1.1.3                RD|ST         v2:2  public
1          12.1.1.3                RD|ST         v2:1  public

2. Check whether the IPsec SA is up:
[firewall]display ipsec sa
19:49:40  2014/11/23
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "fw1"
  sequence number: 10
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40001
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 28m 12s
    tunnel local : 11.1.1.1    tunnel remote: 12.1.1.3
    flow      source: 192.168.1.0-192.168.1.255 0-65535 0
    flow destination: 172.16.1.0-172.16.1.255 0-65535 0

    [inbound ESP SAs]
      spi: 938898288 (0x37f67370)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887408000/1908
      max received sequence-number: 476
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2579017962 (0x99b8b0ea)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887407940/1908
      max sent sequence-number: 478
      udp encapsulation used for nat traversal: N

3. With both IKE and IPsec SAs confirmed up, check the session table for the interesting traffic:
[firewall]display firewall session table verbose source inside 192.168.1.10 destination global 172.16.1.10
19:50:52  2014/11/23
Current Total Sessions : 29
  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:00
  Interface: GigabitEthernet0/0/1  NextHop: 11.1.1.2  MAC: 4c-1f-cc-df-62-28
  <--packets:0 bytes:0   -->packets:1 bytes:60
  192.168.1.10:6602[11.1.1.1:3204]-->172.16.1.10:2048
The session entry shows that the interesting traffic from the inside network is being NAT-translated: the source 192.168.1.10 is rewritten to 11.1.1.1 (the outbound interface address shown in brackets), so the packet no longer matches the IPsec flow 192.168.1.0/24 -> 172.16.1.0/24.

4. Check the NAT policy:
[firewall]display nat-policy all 
nat-policy interzone trust untrust outbound
policy 0 (1274 times matched)
  action source-nat
  policy service service-set ip
  policy source any
  policy destination any
  easy-ip GigabitEthernet0/0/1
The NAT policy's source and destination are both "any", so it covers the interesting traffic; the interesting traffic must therefore be excluded from the NAT policy.

5. Create a new policy that exempts the interesting traffic from NAT (it must be evaluated before the catch-all source-nat policy, as in the output below where policy 1 is listed before policy 0):
[firewall]display nat-policy interzone trust untrust outbound
19:58:04  2014/11/23
nat-policy interzone trust untrust outbound
policy 1 (56 times matched)
  action no-nat
  policy service service-set ip
  policy source 192.168.1.0 0.0.0.255
  policy destination 172.16.1.0 0.0.0.255


policy 0 (1485 times matched)
  action source-nat
  policy service service-set ip
  policy source any
  policy destination any
  easy-ip GigabitEthernet0/0/1
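The following is an added illustration, not configuration or code from the page: a small Python model of the firewall's top-down, first-match interzone NAT policy evaluation using the page's addresses and IPsec flow selector. It shows why the catch-all easy-ip policy alone breaks the tunnel, why the no-nat policy fixes it, and (an assumed edge case beyond the page) why the exemption must be ordered before the catch-all rule. The easy-ip egress address 11.1.1.1 is taken from the session entry; policy names, the NatPolicy class and check() are constructed here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the trust -> untrust outbound NAT policy list.
# Policies are evaluated top-down; the first match decides the action.
@dataclass
class NatPolicy:
    name: str
    source: ipaddress.IPv4Network       # "any" is modelled as 0.0.0.0/0
    destination: ipaddress.IPv4Network  # wildcard 0.0.0.255 == /24
    action: str                         # "no-nat" or "source-nat"

EGRESS_IP = ipaddress.IPv4Address("11.1.1.1")  # easy-ip uses the outbound interface address

# IPsec flow selector from 'display ipsec sa' (policy fw1, rule number 5)
IPSEC_SRC = ipaddress.IPv4Network("192.168.1.0/24")
IPSEC_DST = ipaddress.IPv4Network("172.16.1.0/24")

def apply_nat(policies, src, dst):
    """Return (source after NAT, matched policy name); first matching policy wins."""
    for p in policies:
        if src in p.source and dst in p.destination:
            if p.action == "source-nat":
                return EGRESS_IP, p.name
            return src, p.name          # no-nat: address left untouched
    return src, None                     # nothing matched: no translation

def matches_ipsec_flow(src, dst):
    return src in IPSEC_SRC and dst in IPSEC_DST

def check(policies, src="192.168.1.10", dst="172.16.1.10"):
    """Does the packet still match the IPsec selector after NAT?
    Returns (matches, post-NAT source, matched policy name)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nat_src, name = apply_nat(policies, s, d)
    return matches_ipsec_flow(nat_src, d), str(nat_src), name

ANY = ipaddress.IPv4Network("0.0.0.0/0")
POLICY0 = NatPolicy("policy 0", ANY, ANY, "source-nat")        # easy-ip catch-all
POLICY1 = NatPolicy("policy 1", IPSEC_SRC, IPSEC_DST, "no-nat")  # exemption

BROKEN = [POLICY0]                # step 4: interesting traffic gets translated
FIXED = [POLICY1, POLICY0]        # step 5: exemption evaluated first
WRONG_ORDER = [POLICY0, POLICY1]  # assumed edge case: exemption never reached

if __name__ == "__main__":
    for label, pol in [("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]:
        print(label, check(pol))
```

Internet-bound traffic from the same inside subnet still hits policy 0 in the fixed list, so ordinary NAT keeps working.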


Root cause
The interesting traffic between the private networks was NAT-translated before IPsec processing, so even with the IPsec tunnel established, the private-network PCs could not communicate.
Solution
Create a new NAT policy that exempts the interesting traffic from NAT.
Suggestions and summary
When IPsec VPN is required, do not enable NAT on the interface (nat enable); configure NAT in the interzone NAT policy instead, and exempt the interesting traffic from NAT there.
