USG6300 V100R001C30SPC600: IPsec VPN is established but no traffic passes

Published: 2017-02-13  Views: 238  Downloads: 0
Problem Description

Version Information

USG6300 V100R001C30SPC600

Network Overview

An IPsec VPN is set up between a USG6300 and an AR2200 across the carrier network.

Network Topology


Fault Symptom

An IPsec VPN is set up between the USG6300 and the AR2200. Both the IKE SA and the IPsec SA come up normally on both sides, but data cannot be forwarded through the tunnel.

Troubleshooting Process

1. Check the IPsec packet statistics. The USG6300 sends the data successfully (10 output security packets, 0 dropped), but the AR2200 side reports every received packet as an authentication failure (AuthFail count: 10).

USG6300

<FW1>Display ipsec statistic

05:44:11  2000/04/02

the security packet statistics:

input/output security packets: 0/10

input/output security bytes: 0/840

input/output dropped security packets: 0/0

the encrypt packet statistics

send sae:10, recv sae:10, send err:0

local cpu:10, other cpu:0, recv other cpu:0

intact packet:2, first slice:0, after slice:0

       ……


AR2200

[R3]Display ipsec statistic esp

……

AuthFail count            : 10

……

PktInSAMissDrop count     : 0


2. Check the IKE and IPsec parameters on both ends. Both peers propose pre-shared-key authentication, SHA2-256 integrity, AES-256 encryption and DH group MODP-1024 for IKE, and ESP with SHA2-256 HMAC and AES-256 for IPsec, so the proposals match on paper.

<FW1>Display ike proposal

……

 3        PRE_SHARED     SHA2-256       256-AES    MODP_1024      86400   

 

<FW1>Display ipsec proposal

……

IPsec proposal name: r3

encapsulation mode: tunnel

transform: esp-new

ESP protocol: authentication sha2-256-hmac-128, encryption 256-aes

 

[R3]Display ike proposal

……

IKE Proposal: 1

Authentication method      : pre-shared

Authentication algorithm   : SHA2-256

Encryption algorithm       : AES-CBC-256

DH group                   : MODP-1024

SA duration                : 86400

PRF                        : PRF-HMAC-SHA

 

[R3]Display ipsec proposal

……

IPSec proposal name: fw1                           

Encapsulation mode: Tunnel                           

Transform         : esp-new

ESP protocol      : Authentication SHA2-HMAC-256                            

Encryption     AES-256

Root Cause

The SHA2 algorithm implementations on the AR2200 (V2R5C00SPC500) and the USG6300 (V1R1C30SPC600) are incompatible, so data encrypted by the USG6300 fails authentication on the AR2200 side.
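The case records the symptom (matching SHA2-256 proposals, yet every ESP packet fails the integrity check) without naming which detail of the SHA2 implementations differs. The example below is added here and is not part of the original case or of either product's code; it assumes, as an illustration, that the two peers truncate the HMAC-SHA-256 integrity check value (ICV) to different lengths (RFC 4868 specifies 128 bits, while some older implementations used 96 bits) and shows how that alone produces an AuthFail counter equal to the packet count, exactly as seen on the AR2200.

```python
import hmac
import hashlib

# Constructed shared key standing in for the ESP authentication key negotiated by IKE.
SHARED_KEY = b"constructed-esp-auth-key"


def esp_icv(key: bytes, authenticated: bytes, icv_len: int) -> bytes:
    """ESP-style ICV: HMAC-SHA-256 over the authenticated data, truncated to icv_len bytes.

    icv_len=16 is HMAC-SHA-256-128 (RFC 4868); icv_len=12 is the 96-bit variant
    used by some older implementations.  Simplified: no SPI/sequence fields.
    """
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]


def build_packet(key: bytes, payload: bytes, icv_len: int) -> bytes:
    """Sender appends the ICV it computes with its own truncation length."""
    return payload + esp_icv(key, payload, icv_len)


def verify_packet(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver strips the ICV length *it* expects and recomputes over the rest."""
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, body, icv_len))


def simulate(sender_icv_len: int, receiver_icv_len: int, count: int = 10) -> dict:
    """Send `count` packets and tally the receiver's AuthOK / AuthFail counters."""
    counters = {"AuthOK": 0, "AuthFail": 0}
    for i in range(count):
        payload = b"constructed ESP header + encrypted payload #%d" % i
        pkt = build_packet(SHARED_KEY, payload, sender_icv_len)
        ok = verify_packet(SHARED_KEY, pkt, receiver_icv_len)
        counters["AuthOK" if ok else "AuthFail"] += 1
    return counters


if __name__ == "__main__":
    # Matching variants: every packet verifies.
    print("128/128:", simulate(16, 16))
    # Mismatched variants: same key, same hash, but every packet fails -> AuthFail count: 10
    print("128/96 :", simulate(16, 12))
```

Confirming which HMAC-SHA-256 variant each peer actually implements is what decides whether the SHA-2 proposal can be kept rather than falling back to sha1 as this case does.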

Solution

Change the IKE and IPsec authentication algorithm on both the USG6300 and the AR2200 ends to sha1.

The configuration is as follows:

USG6300

ike proposal 3

authentication-algorithm sha1

#

ipsec proposal r3

 esp authentication-algorithm sha1

 

AR2200

ipsec proposal fw1

 esp authentication-algorithm sha1

#

ike proposal 1

authentication-algorithm sha1

END