IPsec VPN between an AR3260 and a Topsec (天融信) firewall: phase 2 fails

Published: 2015-05-11   Views: 254   Downloads: 0
Problem description

Symptom: an AR3260 connected to the public network is establishing an IPsec VPN with a Topsec firewall at the other end. IKE phase 1 comes up, but phase 2 does not.


AR3260 side configuration:

acl number 3001

 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.20.0 0.0.0.255
#
ipsec proposal 11
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike peer 11 v1
 pre-shared-key cipher %$%$yP1y#x}bc*^a|wVEa9cD,.2n%$%$
 ike-proposal 1
 remote-address 60.247.X.115
#
ipsec policy 1 1 isakmp
 security acl 3001
 ike-peer 11
 proposal 11


Topsec firewall configuration:




In the red-circled part of the figure below, the Topsec side has been changed to 192.168.3.228/32.



Troubleshooting process

1. Check the IPsec negotiation status:

<YaoJan-AR3260>display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
     6111    60.247.X.115   0     RD                     1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

 

<YaoJan-AR3260>display ipsec sa
 No Security Associations established.

 

Phase 2 negotiation has failed: the IKE SA is listed only in phase 1 (flag RD), and no IPsec SA exists.

 

2. Check the configuration on both ends and compare them. The ACLs on the two ends do not match. After correcting the ACL so that the two ends mirror each other, check the negotiation status again:

 

[YaoJan-AR3260]display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
     6119    60.247.X.115   0     RD|ST                  2
     6117    60.247.X.115   0     RD                     1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

 

[YaoJan-AR3260]display ipsec sa

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "1"
  Sequence number  : 1
  Acl Group        : 3001
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 6119
    Encapsulation mode: Tunnel
    Tunnel local      : 121.28.X.105
    Tunnel remote     : 60.247.X.115
    Flow source       : 192.168.3.228/255.255.255.255 0/0
    Flow destination  : 172.16.20.0/255.255.255.0 0/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs]
      SPI: 1823851704 (0x6cb5c4b8)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436800/3586
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 3901785363 (0xe8908513)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436800/3586
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

Root cause

The ACLs on the two ends of the IPsec VPN do not match: the address ranges are inconsistent. The AR3260 proposed 192.168.0.0/16 -> 172.16.20.0/24 as the protected traffic, while the Topsec side was configured with 192.168.3.228/32 as the remote network, so the phase 2 (quick mode) traffic selectors were not mirror images of each other and no IPsec SA could be negotiated.

Solution

Modify the ACL configuration on the AR3260:

acl number 3001
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.20.0 0.0.0.255

Change it to:

acl number 3001
 rule 5 permit ip source 192.168.3.228 0 destination 172.16.20.0 0.0.0.255

Recommendations and summary

When configuring the IPsec ACLs, check the source and destination addresses, including the wildcard masks, on both ends: the local end's source/destination must be exactly the remote end's destination/source. Overlapping ranges are not enough; a /16 on one side and a /32 on the other fails phase 2 even though phase 1 succeeds, which is exactly the symptom seen here. Note also that the 3des/md5 algorithms in the IKE and IPsec proposals above are legacy choices; where both peers support it, use AES encryption and a SHA-2 authentication algorithm instead.
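The mirror check described in the root cause and in the recommendation above can be done before bringing the tunnel up. The following script is an added example, not code from the original case or from Huawei or Topsec: it parses Huawei VRP-style `rule ... permit ip source A W destination B W` lines (W is an inverse/wildcard mask), converts each to a CIDR network, and reports every local selector that the remote end does not mirror exactly. The Topsec side is represented as explicit (source, destination) networks constructed from the case text (local 172.16.20.0/24, remote 192.168.3.228/32), since the Topsec GUI does not emit VRP syntax; the ACL texts are the before/after ACLs from this page.

```python
"""Pre-flight check for IKEv1 phase 2 (quick mode) traffic selectors.

Added example, not code from the original case or from Huawei/Topsec.
Parses Huawei VRP-style ACL rules and checks that the two peers' selectors
are exact mirrors of each other, which quick mode requires before an IPsec
SA can be built.
"""
from __future__ import annotations

import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+permit\s+ip"
    r"\s+source\s+(?P<src>\S+)\s+(?P<src_wc>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a VRP address plus wildcard (inverse mask) into a network.

    VRP wildcards: "0" means exact host (/32), 0.0.0.255 means /24,
    0.0.255.255 means /16. A wildcard whose set bits are not a contiguous
    run at the low end has no CIDR equivalent, so it is rejected rather
    than silently approximated.
    """
    wc_int = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if wc_int & (wc_int + 1):  # true unless wc_int is of the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    prefix_len = 32 - wc_int.bit_length()
    return ipaddress.IPv4Network((addr, prefix_len), strict=False)


def parse_acl(config: str) -> list:
    """Return (source, destination) selector pairs from a VRP ACL config block."""
    return [
        (wildcard_to_network(m["src"], m["src_wc"]),
         wildcard_to_network(m["dst"], m["dst_wc"]))
        for m in RULE_RE.finditer(config)
    ]


def check_mirror(local_pairs: list, remote_pairs: list) -> list:
    """Report every local selector the remote end does not mirror exactly.

    Quick mode compares the initiator's proposed (src, dst) with the
    responder's (dst, src); overlapping but unequal ranges are a mismatch.
    """
    remote_mirrored = {(dst, src) for src, dst in remote_pairs}
    return [
        f"local {src} -> {dst} has no mirror on the remote end"
        for src, dst in local_pairs
        if (src, dst) not in remote_mirrored
    ]


# AR3260 ACL before and after the fix (copied from the case above).
AR_ACL_BEFORE = """\
acl number 3001
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.20.0 0.0.0.255
"""
AR_ACL_AFTER = """\
acl number 3001
 rule 5 permit ip source 192.168.3.228 0 destination 172.16.20.0 0.0.0.255
"""

# Topsec side as (source, destination) from the firewall's point of view.
# Constructed from the case text (local 172.16.20.0/24, remote 192.168.3.228/32);
# this is an assumption, not output of the Topsec device.
TOPSEC_SELECTORS = [
    (ipaddress.IPv4Network("172.16.20.0/24"), ipaddress.IPv4Network("192.168.3.228/32")),
]


def diagnose(ar_acl: str) -> list:
    """Compare an AR-side ACL against the constructed Topsec selectors."""
    return check_mirror(parse_acl(ar_acl), TOPSEC_SELECTORS)


if __name__ == "__main__":
    for label, acl in (("before", AR_ACL_BEFORE), ("after", AR_ACL_AFTER)):
        problems = diagnose(acl)
        print(f"{label}: {'OK, selectors mirror' if not problems else problems}")
```

Run it as-is and the "before" ACL is reported as having no mirror while the "after" ACL passes. The check is deliberately strict (exact equality after converting both sides to CIDR), because that is what a quick mode responder applies; an ACL that merely overlaps the peer's selector will leave you with exactly the phase-1-only `display ike sa` output shown in this case.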

END