USG5120 firewall: IPsec VPN between a USG5120 whose private address is mapped to a public address and a peer USG5120 fails to establish

Published: 2015-11-13
Problem description

As shown in the figure, FW1 and FW3 have public addresses, while FW2 sits in a private network. FW1 needs to establish an IPsec VPN with FW2, so UDP ports 500 and 4500 of FW2 are mapped onto the public egress interface of FW3. The configuration is as follows:

FW1:

acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

#
ike proposal 1
#
ike peer 1
exchange-mode aggressive
pre-shared-key %$%$4ae<>"*#PP]FO@L1.)K#d[RI%$%$
ike-proposal 1
undo version 2
remote-address 1.1.1.2
#
ipsec proposal 1
#
ipsec policy map1 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 2.2.2.1 255.255.255.0
ipsec policy map1
#

FW2:

acl number 3001
rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#
ike proposal 1
#
ike peer 1
exchange-mode aggressive
pre-shared-key %$%$3Iv)'a6vEAabe,(+hPmNd4+"%$%$
ike-proposal 1
undo version 2
#
ipsec proposal 1
#
ipsec policy-template 1 1
security acl 3001
ike-peer 1
proposal 1
#
ipsec policy map1 1 isakmp template 1
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
ip address 1.1.2.1 255.255.255.0
ipsec policy map1

FW3:

#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 1.1.1.2 255.255.255.0

#

nat server 0 protocol udp global interface GigabitEthernet0/0/1 500 inside 1.1.2.1 500

nat server 0 protocol udp global interface GigabitEthernet0/0/1 4500 inside 1.1.2.1 4500


Connectivity between FW1 and FW3 is normal, and both connectivity and the port mapping between FW2 and FW3 are normal, but IPsec VPN phase 1 cannot be established.

Alarm information
%2015-11-13 15:04:30 SRG %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 1.1.2.1,please check "remote-address" and "exchange-mode" in ike peer configuration.
Handling process

1. From the configuration, FW1 should be establishing IKE with the IP address of FW3's external interface, but the alarm reports that IKE is being established with FW2's egress address (a private address).

2. The session information is as follows:

FW1:

udp  VPN:public --> public
  Zone: local--> untrust  TTL: 00:02:00  Left: 00:01:57
  Interface: GigabitEthernet0/0/1  NextHop: 2.2.2.2  MAC: 00-e0-fc-58-24-3b
  <--packets:1 bytes:376   -->packets:1 bytes:304
  2.2.2.1:500-->1.1.1.2:500

FW2:
udp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:58
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:4 bytes:1504   -->packets:1 bytes:304
  2.2.2.1:500-->1.1.2.1:500
Negotiation sessions on UDP port 500 exist in both directions, but there is no session on UDP port 4500, even though NAT traversal is enabled on both ends.

3. Packet capture:

The capture shows that the remote-address requested by FW1 is 1.1.1.2, but the ID in the reply packet is 1.1.2.1, so the negotiation fails.

Root cause

The remote-address configured on FW1 can only be a public IP address, so with local-id-type ip the ID FW1 expects is the address it sent the request to. After the packet is mapped through FW3 and reaches FW2, however, FW2 builds the ID in its reply from its own private interface address, which is not the address FW1 requested, so IKE establishment fails.

Solution

Change the local-id-type of the ike peer to fqdn. The ike peer configuration is as follows:

FW1:

ike local-name fw1
#
ike peer 1
exchange-mode aggressive
pre-shared-key %$%$4ae<>"*#PP]FO@L1.)K#d[RI%$%$
ike-proposal 1
undo version 2
local-id-type fqdn
remote-id fw2
remote-address 1.1.1.2

FW2:

ike local-name fw2
#
ike peer 1
exchange-mode aggressive
pre-shared-key %$%$4ae<>"*#PP]FO@L1.)K#d[RI%$%$
ike-proposal 1
undo version 2
local-id-type fqdn
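To make the root cause concrete, the following Python model (an added example, not Huawei code or anything from the original article) replays the FW1 -> FW3 -> FW2 exchange as a pure ID check. The NAT table is constructed from FW3's two nat server lines, the class fields mirror the ike peer commands used on the page, and the matching rule (an IP-type ID is compared with remote-address, an FQDN ID with remote-id) is an assumption modelled on the alarm text, not the device's actual implementation. Running it shows the failure with local-id-type ip and success with fqdn.

```python
"""Model of the IKEv1 phase-1 ID mismatch behind FW3's destination NAT.

Hypothetical simulation: FW1 initiates to the public address 1.1.1.2,
FW3's nat server forwards UDP/500 to FW2 at 1.1.2.1, and FW2 answers
with an ID payload built from its own local identity.  The outer source
address of the reply is rewritten back by FW3, but the ID payload inside
the IKE message is not, so FW1 compares it against its ike peer config.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IkePeer:
    """Subset of a Huawei 'ike peer' view relevant to phase-1 peer matching."""
    exchange_mode: str                  # "aggressive" on both sides in this case
    local_id_type: str = "ip"           # "ip" (default) or "fqdn"
    remote_address: Optional[str] = None
    remote_id: Optional[str] = None


@dataclass
class Firewall:
    name: str
    wan_ip: str                         # address of the interface carrying the ipsec policy
    peer: IkePeer
    local_name: Optional[str] = None    # value of 'ike local-name'

    def local_id(self) -> Tuple[str, str]:
        """ID payload this firewall places in its own IKE messages.

        With local-id-type ip the ID is the interface address (for FW2 the
        private 1.1.2.1); with fqdn it is the configured local-name.
        """
        if self.peer.local_id_type == "fqdn":
            if not self.local_name:
                raise ValueError(f"{self.name}: local-id-type fqdn requires 'ike local-name'")
            return ("fqdn", self.local_name)
        return ("ip", self.wan_ip)


# Constructed from FW3's two 'nat server' lines: (global address, UDP port) -> inside address.
NatTable = Dict[Tuple[str, int], str]
FW3_NAT_SERVER: NatTable = {("1.1.1.2", 500): "1.1.2.1", ("1.1.1.2", 4500): "1.1.2.1"}


def nat_forward(nat: NatTable, dst_ip: str, dst_port: int) -> str:
    """Destination NAT applied by FW3 to an inbound packet; unmapped flows pass unchanged."""
    return nat.get((dst_ip, dst_port), dst_ip)


def match_peer(initiator: Firewall, responder_id: Tuple[str, str]) -> Tuple[bool, str]:
    """Initiator-side lookup of an ike peer matching the responder's ID payload.

    Assumed rule: an IP ID is compared with 'remote-address', an FQDN ID
    with 'remote-id'.  The failure text mirrors the alarm on the page.
    """
    id_type, id_value = responder_id
    peer = initiator.peer
    expected = peer.remote_address if id_type == "ip" else peer.remote_id
    if id_value == expected:
        return True, f"{initiator.name}: phase1 peer {id_value} matched ike peer configuration"
    return False, (
        f"{initiator.name}: phase1: cannot find matching ike peer configuration for peer "
        f"{id_value},please check \"remote-address\" and \"exchange-mode\" in ike peer configuration."
    )


def negotiate(initiator: Firewall, responder: Firewall, nat: NatTable) -> Tuple[bool, str]:
    """Aggressive-mode messages 1 and 2 through the NAT device, reduced to the ID check."""
    if initiator.peer.exchange_mode != responder.peer.exchange_mode:
        return False, "exchange-mode mismatch"
    # Message 1: FW1 sends to its configured remote-address; FW3 forwards UDP/500 inside.
    dst = initiator.peer.remote_address
    if dst is None or nat_forward(nat, dst, 500) != responder.wan_ip:
        return False, f"{initiator.name}: no path to responder via {dst}"
    # Message 2: the outer source is rewritten back to 1.1.1.2 by FW3, but the
    # ID payload still carries whatever FW2 derived from its local identity.
    return match_peer(initiator, responder.local_id())


def scenario(local_id_type: str) -> Tuple[bool, str]:
    """Run the FW1 -> FW3 -> FW2 negotiation with the given local-id-type on both peers."""
    fw1 = Firewall("FW1", "2.2.2.1",
                   IkePeer("aggressive", local_id_type, remote_address="1.1.1.2",
                           remote_id="fw2" if local_id_type == "fqdn" else None),
                   local_name="fw1")
    fw2 = Firewall("FW2", "1.1.2.1",
                   IkePeer("aggressive", local_id_type),   # policy-template: no remote-address
                   local_name="fw2")                       # must equal FW1's remote-id
    return negotiate(fw1, fw2, FW3_NAT_SERVER)


if __name__ == "__main__":
    for id_type in ("ip", "fqdn"):
        ok, msg = scenario(id_type)
        print(f"local-id-type {id_type}: {'OK  ' if ok else 'FAIL'} {msg}")
```

The model also makes the operational check explicit: FW2's `ike local-name` must equal the `remote-id` configured on FW1, otherwise the FQDN comparison fails in exactly the same way the IP comparison did.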


END