Frequent IPsec tunnel interruptions between an AR1220 router and a Cisco ASA5525

Published: 2016-06-06  Views: 475  Downloads: 0
Problem description

1. The ASA5525 firewall is connected directly to the carrier, with a public address on its interface. The AR1220 router obtains its IP address by dial-up and connects to the Cisco ASA5525 firewall using an IPsec policy template; the IPsec tunnel is interrupted frequently. Manually clearing and restarting the IPsec process on the AR1220 does not bring the IPsec tunnel to the ASA5525 back up; the AR1220 router has to be rebooted several times before the IPsec tunnel with the ASA5525 firewall is re-established.

2. The topology is shown in the figure below:



Alarm information

1. `display ike sa` shows that the IKE SA was not negotiated successfully: the Phase 1 entry carries no flags (no RD/READY).

<AR1220-S-172>dis ike sa  

    Conn-ID  Peer            VPN   Flag(s)                Phase  

  ---------------------------------------------------------------

    21450    125.71.204.20   0                            1     

       

  Flag Description:

  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

Handling process
1. Check the IPsec configuration on the AR1220
(1) ACL
acl number 3001
 description ipsec-vpn
 rule 5 permit ip source 10.56.172.0 0.0.0.255 destination 40.0.0.0 0.0.0.255
 rule 10 permit ip source 10.56.172.0 0.0.0.255 destination 192.168.123.0 0.0.0.255
 rule 15 permit ip source 10.56.172.0 0.0.0.255 destination 172.25.0.0 0.0.255.255
 rule 20 permit ip source 10.56.172.0 0.0.0.255 destination 172.24.0.0 0.0.255.255
 rule 25 permit ip source 10.56.172.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 30 permit ip source 10.56.172.0 0.0.0.255 destination 172.100.11.0 0.0.0.3
(2) IPsec SA security proposal
ipsec proposal yc-huawei
 esp encryption-algorithm 3des
(3) IKE SA security proposal
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
(4) IKE peer configuration
ike peer yc-huawei v1
 pre-shared-key cipher %@%@iFU7W[[20$Yc"6@VR>uF,QPh%@%@
 ike-proposal 1
 nat traversal
 remote-address 125.71.204.20
(5) IPsec policy
ipsec policy yc-huawei 1 isakmp
 security acl 3001
 ike-peer yc-huawei
 proposal yc-huawei
 route inject dynamic
(6) Apply the IPsec policy to the dial-up interface
interface Dialer1
 ipsec policy yc-huawei

Routing configuration:
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 10.56.172.0 255.255.255.0 10.56.172.254 (next hop is the interconnect address of the switch)
ip route-static 40.0.0.0 255.255.255.0 125.71.204.20 (next hop is the firewall's public address)
ip route-static 40.0.172.0 255.255.255.0 10.56.172.254 (next hop is the interconnect address of the switch)
ip route-static 172.2.6.0 255.255.255.0 125.71.204.20 (next hop is the firewall's public address)
ip route-static 172.16.0.0 255.255.0.0 125.71.204.20 (next hop is the firewall's public address)
ip route-static 172.24.0.0 255.255.0.0 125.71.204.20 (next hop is the firewall's public address)
ip route-static 172.25.0.0 255.255.0.0 125.71.204.20 (next hop is the firewall's public address)
ip route-static 172.100.11.0 255.255.255.252 125.71.204.20 (next hop is the firewall's public address)
ip route-static 192.168.123.0 255.255.255.0 125.71.204.20 (next hop is the firewall's public address)
2. Delete the specific routes whose next hop is the firewall's public address, keeping only the default route that points to the dial-up interface
undo ip route-static 40.0.0.0 255.255.255.0 125.71.204.20
undo ip route-static 172.2.6.0 255.255.255.0 125.71.204.20
undo ip route-static 172.16.0.0 255.255.0.0 125.71.204.20
undo ip route-static 172.24.0.0 255.255.0.0 125.71.204.20
undo ip route-static 172.25.0.0 255.255.0.0 125.71.204.20
undo ip route-static 172.100.11.0 255.255.255.252 125.71.204.20
undo ip route-static 192.168.123.0 255.255.255.0 125.71.204.20
3. Restart the IPsec process
4. Check the IKE SA and IPsec SA information: both the IKE SA and the IPsec SA are now negotiated successfully
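As an added example (not part of the original case), a small Python check that reads the AR1220 configuration fragments above and lists the static routes this case removed: those whose next hop is the IKE peer's public address, marking which of them also cover a subnet selected by the IPsec ACL. It also confirms the recommended end state, a default route via the dialer interface. The embedded sample configuration is constructed from the fragments on this page, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample built from this case's AR1220 fragments (ACL, IKE peer, static routes).
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit ip source 10.56.172.0 0.0.0.255 destination 40.0.0.0 0.0.0.255
 rule 10 permit ip source 10.56.172.0 0.0.0.255 destination 192.168.123.0 0.0.0.255
 rule 30 permit ip source 10.56.172.0 0.0.0.255 destination 172.100.11.0 0.0.0.3
ike peer yc-huawei v1
 remote-address 125.71.204.20
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 10.56.172.0 255.255.255.0 10.56.172.254
ip route-static 40.0.0.0 255.255.255.0 125.71.204.20
ip route-static 172.2.6.0 255.255.255.0 125.71.204.20
ip route-static 172.100.11.0 255.255.255.252 125.71.204.20
ip route-static 192.168.123.0 255.255.255.0 125.71.204.20
"""
RULE_RE = re.compile(r"^\s*rule\s+\d+\s+permit\s+ip\s+source\s+\S+\s+\S+\s+destination\s+(\S+)\s+(\S+)", re.M)
PEER_RE = re.compile(r"^\s*remote-address\s+(\S+)", re.M)
ROUTE_RE = re.compile(r"^\s*ip route-static\s+(\S+)\s+(\S+)\s+(\S+)", re.M)

def wildcard_to_network(addr, wildcard):
    """ACL wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.0.3 -> /30."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def find_peer_nexthop_routes(config):
    """Return (undo command, covers_protected) for every static route whose next hop is
    an IKE peer's public address; covers_protected is True when the route destination
    overlaps a subnet selected by the IPsec ACL (the routes this case had to remove)."""
    peers = set(PEER_RE.findall(config))
    protected = [wildcard_to_network(a, w) for a, w in RULE_RE.findall(config)]
    findings = []
    for dst, mask, nexthop in ROUTE_RE.findall(config):
        if nexthop not in peers:
            continue  # routes via the LAN gateway or the dialer interface are expected
        net = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
        covers = any(net.overlaps(p) for p in protected)
        findings.append((f"undo ip route-static {dst} {mask} {nexthop}", covers))
    return findings

def has_default_via_dialer(config):
    """Recommended state from this case: the default route points at the dialer interface."""
    return any(dst == "0.0.0.0" and nh.lower().startswith("dialer")
               for dst, _, nh in ROUTE_RE.findall(config))

if __name__ == "__main__":
    for undo_cmd, covers in find_peer_nexthop_routes(SAMPLE_CONFIG):
        print(f"{undo_cmd}  # overlaps an IPsec ACL destination: {covers}")
```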

Solution

When configuring IPsec, it is recommended to use a default route pointing to the dial-up outbound interface.

Suggestions and summary

When configuring IPsec on a device that obtains its IP address dynamically, use a default route pointing to the dial-up outbound interface on which the address is obtained.

END