FAQ: USG6300 IPsec VPN peering negotiation fails

Published: 2015-05-20
Problem description

The IPsec VPN tunnel between the USG6300 and the SVN2230 fails to negotiate.

USG6300 peering parameters:

<USG6300>display ike proposal 
17:54:08  2015/04/25
priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
10       PRE_SHARED     MD5            3DES_CBC   MODP_1024      86400   
default  PRE_SHARED     SHA2-512       256-AES    MODP_1024      86400 
 
<USG6300>dis ike peer
17:54:15  2015/04/25

---------------------------
IKE peer: hl
   Exchange mode: main on phase 1
   Pre-shared key:
   Local certificate file name: 
   Peer certificate file name: 
   Proposal: 
   Local ID type: IP
   Local ID:
   remote ip:
   VPN instance: root
   Authentic IP address:
   IP address pool:
   Remote ID type: IP
   Peer name:
   Peer domain name:
   Eap-auth domain:
   VPN instance bound to the SA: root
   NAT traversal: enable
   SA soft timeout buffer time:
---------------------------

                                         
---------------------------
IKE peer: jttzjt
   Exchange mode: main on phase 1
   Pre-shared key: %$%$I*t#;"-WvYvM8sT:l}s332)}%$%$
   Local certificate file name: 
   Peer certificate file name: 
   undo version 2
   Proposal: 10
   Local ID type: IP
   Local ID:
   remote ip: 183.63.251.173
   VPN instance: root
   Authentic IP address:
   IP address pool:
   Remote ID type: IP
   Peer name:
   Peer domain name:
   Eap-auth domain:
   VPN instance bound to the SA: root
   NAT traversal: enable
   SA soft timeout buffer time:
   Applied to 1 policy: vpn-10-isakmp

<USG6300>dis ipsec proposal
17:54:44  2015/04/25

  IPsec proposal name: jttzjt
    encapsulation mode: tunnel
    transform: esp-new
    ESP protocol: authentication md5-hmac-96, encryption 3des
---------------------------

<USG6300>dis ipsec policy
17:54:33  2015/04/25

===========================================
IPsec Policy Group: "vpn"
Using interface: {GigabitEthernet0/0/1}
===========================================

  -----------------------------
  IPsec policy name: "vpn"
  sequence number: 10
  mode: isakmp
  state: active
  -----------------------------
    security data flow : 3000
    ike-peer name:  jttzjt
    perfect forward secrecy: None
    proposal name:  jttzjt
    IPsec sa local duration(time based): 3600 seconds
    sa soft-duration time-based buffer: 0 seconds
    sa soft-duration traffic-based buffer: 0 kilobytes
    IPsec sa local duration(traffic based): 1843200 kilobytes
    IPSec sa anti-replay: use global
    IPSec sa anti-replay window-size: use global

SVN2230 peering parameters:

[SVN2230]dis display ike proposal
17:59:58  2015/04/25
priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------   
10       PRE_SHARED     MD5            3DES_CBC   MODP_1024      86400   
default  PRE_SHARED     SHA1           DES_CBC    MODP_768       86400   
[SVN2230]dis ike peer name hl
18:00:05  2015/04/25

---------------------------
IKE Peer: hl
   exchange mode: main on phase 1
   pre-shared-key: %$%$vFTxV^EB0JuS7<Nl0.K&Xd[R%$%$
   certificate domain name: 
   certificate file name: 
   undo version 2
   proposal: 10
   local id type: ip
   peer ip address: 202.104.69.18
   vpn:
   authentic ip address:
   ip pool:
   peer name:
   peer domain name:
   sa binding vpn:
   nat traversal: disable
   applied to 1 policy: map-80-isakmp
---------------------------


[SVN2230]dis ipsec proposal name hl
18:00:47  2015/04/25

  IPsec proposal name: hl
    encapsulation mode: tunnel
    transform: esp-new
    ESP protocol: authentication md5-hmac-96, encryption 3des

[SVN2230]dis ipsec policy name map 80
18:00:26  2015/04/25

  -----------------------------
  IPsec policy name: "map"
  sequence number: 80
  mode: isakmp
  -----------------------------
    security data flow : 3180
    ike-peer name:  hl
    perfect forward secrecy: None
    proposal name:  hl
    IPsec sa local duration(time based): 3600 seconds
    IPsec sa local duration(traffic based): 1843200 kilobytes

Checking both ends shows that the IPsec-related parameters are completely consistent.

Solution

Check the session table for port 500:

<USG6300>dis firewall session table destination-port 500
17:56:12  2015/04/25
Current Total Sessions : 1
  udp  VPN:public --> public 202.104.69.18:500[202.104.69.18:2070]-->183.63.251.173:500

<USG6300>display firewall session table source-port 500
17:56:21  2015/04/25
Current Total Sessions : 1
  udp  VPN:public --> public 202.104.69.18:500[202.104.69.18:2070]-->183.63.251.173:500
<USG6300>

The source port of the IKE negotiation packets leaving the USG6300 is being NAT-translated: the bracketed post-NAT tuple in the session table shows UDP source port 500 rewritten to 2070.

Check the NAT configuration on the USG6300:
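To make the session-table check above repeatable, the following added example (not from the original page or from Huawei) parses USG-style session-table lines and flags IKE sessions whose source port was rewritten by NAT; the sample lines are constructed, the first one copied from the output above.

```python
import re

# Session-table line as the USG6300 prints it (see the output above); the
# bracketed address:port is the post-NAT source tuple, present only when the
# session was translated.
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)
IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T UDP ports

# Constructed sample: line 1 is the session from this page, line 2 a healthy
# untranslated IKE session, line 3 a translated DNS session that must be ignored.
SAMPLE_LINES = [
    "Current Total Sessions : 3",
    "  udp  VPN:public --> public 202.104.69.18:500[202.104.69.18:2070]-->183.63.251.173:500",
    "  udp  VPN:public --> public 202.104.69.18:500-->198.51.100.7:500",
    "  udp  VPN:public --> public 192.0.2.10:53121[202.104.69.18:2081]-->198.51.100.53:53",
]

def parse_session(line):
    """Return a dict of the session fields, or None for header/other lines."""
    m = SESSION_RE.match(line)
    if not m:
        return None
    s = m.groupdict()
    for key in ("src_port", "dst_port", "nat_port"):
        if s[key] is not None:
            s[key] = int(s[key])
    return s

def translated_ike_sessions(lines):
    """IKE (UDP 500/4500) sessions whose source port was rewritten by NAT.

    Each hit is (src_ip, src_port, nat_port, dst_ip). A peer without NAT
    traversal expects IKE from UDP 500, so a hit here explains a stuck phase 1.
    """
    hits = []
    for line in lines:
        s = parse_session(line)
        if s is None or s["proto"] != "udp" or s["nat_port"] is None:
            continue
        if s["src_port"] in IKE_PORTS and s["nat_port"] != s["src_port"]:
            hits.append((s["src_ip"], s["src_port"], s["nat_port"], s["dst_ip"]))
    return hits

if __name__ == "__main__":
    for src, sport, nport, dst in translated_ike_sessions(SAMPLE_LINES):
        print("IKE source port %d translated to %d on %s -> %s" % (sport, nport, src, dst))
```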

nat-policy
rule name vpn
  source-zone trust
  destination-zone untrust
  destination-address address-set jttzjtvpn
  destination-address address-set gztzjt
  action no-nat
rule name GuideNat1429929532299
  egress-interface GigabitEthernet0/0/1    // this rule translates the source port of IKE negotiation packets sent out of GigabitEthernet0/0/1
  action nat easy-ip


Recommended change to the NAT policy rule:

rule name GuideNat1429929532299
  source-zone trust
  destination-zone untrust
  action nat easy-ip
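To show why the change works, the following added example (not Huawei code) models the nat-policy above as a first-match rule list and evaluates the firewall's own IKE packet against it before and after the edit. It assumes top-down first-match evaluation, no translation when no rule matches, and that device-originated IKE traffic comes from the "local" zone; the destination address-set membership of the IKE packet is also an assumption.

```python
# Added example (not Huawei code): minimal first-match model of the nat-policy
# on this page. Assumptions: rules evaluated top-down, first match wins, an
# unmatched packet is not translated, and traffic the firewall itself
# originates (the IKE packets from 202.104.69.18) comes from the "local" zone.
BEFORE = [
    {"name": "vpn", "source-zone": "trust", "destination-zone": "untrust",
     "destination-address": {"jttzjtvpn", "gztzjt"}, "action": "no-nat"},
    {"name": "GuideNat1429929532299",
     "egress-interface": "GigabitEthernet0/0/1", "action": "nat easy-ip"},
]
AFTER = [
    BEFORE[0],
    {"name": "GuideNat1429929532299", "source-zone": "trust",
     "destination-zone": "untrust", "action": "nat easy-ip"},
]

def rule_matches(rule, pkt):
    """A rule matches when every condition it specifies equals the packet's."""
    for key in ("source-zone", "destination-zone", "egress-interface"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "destination-address" in rule and \
            pkt.get("destination-address-set") not in rule["destination-address"]:
        return False
    return True

def nat_action(policy, pkt):
    """Return (rule name, action) of the first matching rule, or (None, 'no-nat')."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule["name"], rule["action"]
    return None, "no-nat"   # no rule matched: the packet leaves untranslated

# Constructed packets: the IKE packet the USG6300 itself sends to the SVN2230,
# and an ordinary LAN host reaching the Internet through the same interface.
IKE_PKT = {"source-zone": "local", "destination-zone": "untrust",
           "egress-interface": "GigabitEthernet0/0/1",
           "destination-address-set": "jttzjtvpn"}   # assumed set membership
LAN_PKT = {"source-zone": "trust", "destination-zone": "untrust",
           "egress-interface": "GigabitEthernet0/0/1",
           "destination-address-set": None}

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, "IKE:", nat_action(policy, IKE_PKT),
              "LAN:", nat_action(policy, LAN_PKT))
```

Before the change the IKE packet falls through the trust-only no-nat rule and hits the interface-based easy-ip rule; after it, the easy-ip rule also requires source-zone trust, so the local-zone IKE packet matches nothing and keeps UDP source port 500 while LAN traffic is still translated.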

END