实际中可能遇到的NAT问题(IPsec)

最新推荐文章于 2021-07-29 08:00:00 发布
最新推荐文章于 2021-07-29 08:00:00 发布
阅读量586 收藏
点赞数
文章标签: 游戏
原文链接:http://www.cnblogs.com/MomentsLee/p/10114166.html
版权

一、背景介绍:
一般我们在实际网络中不是IPSec VPN的时候,都是边界设备连接Internet,然后两个边界设备通过Internet去实现互通,建立VPN,但是,有的运营商在分配IP地址的时候,给我们使用的地址可能会在运营商的设备上再完成一次NAT,这样将会导致我们的IPSec VPN无法建立,我做了一个测试,简单搭建的拓扑图如下:

 


R1作为一个分支站点的边界路由去,R2和R3是作为运营商的设备,R4是总部的一个边界路由器,但是在R2上针对R1的12.1.1.0/24做了NAT。

二、基本配置:
R1:
R1#sho run int lo0
Building configuration...

Current configuration : 61 bytes
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
end

R1#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 12.1.1.1 255.255.255.0
 half-duplex
 crypto map cisco
end
R1#sho run | s ip route
ip route 0.0.0.0 0.0.0.0 12.1.1.2

R2:
R2#sho run int e0/0
Building configuration...

Current configuration : 115 bytes
!
interface Ethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
end

R2#sho run int e0/1
Building configuration...

Current configuration : 116 bytes
!
interface Ethernet0/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
end

R2#sho run | s ip route
ip route 0.0.0.0 0.0.0.0 23.1.1.3
R2#sho run | s ip nat
 ip nat inside
 ip nat outside
ip nat pool cisco 23.1.1.100 23.1.1.200 netmask 255.255.255.0
ip nat inside source list nat pool cisco

R3:
R3#sho run int e0/0
Building configuration...

Current configuration : 77 bytes
!
interface Ethernet0/0
 ip address 23.1.1.3 255.255.255.0
 half-duplex
end

R3#sho run int e0/1
Building configuration...

Current configuration : 77 bytes
!
interface Ethernet0/1
 ip address 34.1.1.3 255.255.255.0
 half-duplex
end

R3#sho run | s ip route
ip route 12.1.1.0 255.255.255.0 23.1.1.2
R4:
R4#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 34.1.1.4 255.255.255.0
 half-duplex
 crypto map cisco
end

R4#sho run int l0
Building configuration...

Current configuration : 61 bytes
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
end

R4#sho run | s ip route
ip route 0.0.0.0 0.0.0.0 34.1.1.3


如此实现R1和R4站点之间的可达性:
R1#ping 34.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/60/92 ms

三、在R1和R4配置IPSec VPN
R1:
R1#sho run | s crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 34.1.1.4
crypto ipsec transform-set Trans esp-3des esp-sha-hmac
 mode transport
crypto map cisco 10 ipsec-isakmp
 set peer 34.1.1.4
 set transform-set Trans
 set pfs group2
 match address vpn
 crypto map cisco
R1#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 12.1.1.1 255.255.255.0
 half-duplex
 crypto map cisco
End
R1#sho run | s ip access
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255

R4:
R4#sho run | s crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set Trans esp-3des esp-sha-hmac
 mode transport
crypto map cisco 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set Trans
 set pfs group2
 match address vpn
 crypto map cisco
R4#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 34.1.1.4 255.255.255.0
 half-duplex
 crypto map cisco
end
R4#sh run | s ip access
ip access-list extended vpn
 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255

四、测试尝试建立的IPSec VPN,从R4的内部流量到R1的内部流量(模拟为4.4.4.0/24到1.1.1.0/24)为触发流量。
过程中开启debug信息:
R1/R4#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on

DEBUG过程
R4#ping 1.1.1.1 so 4.4.4.4 re 100

R1上的debug:
R1#
//收到了R4发来的SA信息:
*Mar  1 00:43:58.955: ISAKMP (0:0): received packet from 34.1.1.4 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:43:58.955: ISAKMP: Created a peer struct for 34.1.1.4, peer port 500
*Mar  1 00:43:58.955: ISAKMP: New peer created peer = 0x646C2A90 peer_handle = 0x8000000C
*Mar  1 00:43:58.959: ISAKMP: Locking peer struct 0x646C2A90, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 00:43:58.959: ISAKMP: local port 500, remote port 500
*Mar  1 00:43:58.959: insert sa successfully sa = 643C4DB8
*Mar  1 00:43:58.963: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:43:58.963: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  1 00:43:58.967: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 00:43:58.967: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:43:58.971: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:43:58.971: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 00:43:58.971: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:43:58.971: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 00:43:58.979: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 34.1.1.4
*Mar  1 00:43:58.979: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 00:43:58.979: ISAKMP : Scanning profiles for xauth …
//开始检查IKE第一阶段的策略
*Mar  1 00:43:58.979: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:43:58.979: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:43:58.983: ISAKMP:      hash MD5
*Mar  1 00:43:58.983: ISAKMP:      default group 2
*Mar  1 00:43:58.983: ISAKMP:      auth pre-share
*Mar  1 00:43:58.983: ISAKMP:      life type in seconds
*Mar  1 00:43:58.983: ISAKMP:      life duration (basic) of 28800
*Mar  1 00:43:58.983: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:43:59.023: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1
//本端和对端继续交互SA协商报文,但是发出没有收到回复
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Mar  1 00:43:59.031: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  1 00:43:59.031: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:43:59.031: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

//本端没有收到回复,继续重传5次,删除准备协商的SA
*Mar  1 00:44:08.971: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:08.975: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:08.975: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:09.475: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:09.475: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:44:09.475: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:09.475: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:18.979: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:18.983: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:18.983: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:19.483: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:19.483: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:44:19.483: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:19.483: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:28.967: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:28.967: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:28.967: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:29.471: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:29.471: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 00:44:29.471: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:29.471: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:39.019: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:39.019: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:39.019: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:39.523: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:39.523: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 00:44:39.523: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:39.523: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:48.987: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:48.987: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:48.987: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:49.491: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:49.491: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:44:49.491: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:49.491: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:59.495: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:59.495: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Mar  1 00:44:59.495: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 34.1.1.4)
*Mar  1 00:44:59.499: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 34.1.1.4)
*Mar  1 00:44:59.503: ISAKMP: Unlocking IKE struct 0x646C2A90 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:44:59.503: ISAKMP: Deleting peer node by peer_reap for 34.1.1.4: 646C2A90
*Mar  1 00:44:59.507: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
R1#
*Mar  1 00:44:59.507: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_DEST_SA
//开始重复上述过程
*Mar  1 00:44:59.507: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:45:00.971: ISAKMP (0:0): received packet from 34.1.1.4 dport 500 sport 500 Global (N) NEW SA

R4上的debug:
//发出SA协商报文,开始尝试建立第一阶段
*Mar  1 00:43:54.987: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x924045A9(2453685673), conn_id= 0, keysize= 0, flags= 0x400F
*Mar  1 00:43:54.991: ISAKMP: received ke message (1/1)
*Mar  1 00:43:54.995: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 00:43:54.995: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Mar  1 00:43:54.995: ISAKMP: New peer created peer = 0x649A497C peer_handle = 0x8000000C
*Mar  1 00:43:54.995: ISAKMP: Locking peer struct 0x649A497C, IKE refcount 1 for isakmp_initiator
*Mar  1 00:43:54.999: ISAKMP: local port 500, remote port 500
*Mar  1 00:43:54.999: ISAKMP: set new node 0 to QM_IDLE      
*Mar  1 00:43:54.999: insert sa successfully sa = 64278AD0
*Mar  1 00:43:55.003: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:43:55.003: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 12.1.1.1
*Mar  1 00:43:55.003: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
//向对端12.1.1.1发起协商,但是回复的是NAT之后的地址23.1.1.100。本端认为协商出错
*Mar  1 00:43:55.011: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 00:43:55.011: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:43:55.131: ISAKMP (0:0): received p.acket from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:43:55.135: %CRYPTO-4-IKMP_NO_SA: IKE message from 23.1.1.100      has no SA and is not an initialization offer....
*Mar  1 00:44:05.011: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:05.011: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:44:05.011: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:05.015: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:05.595: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:15.015: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:15.015: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:44:15.015: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:15.019: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:15.591: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:24.987: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4)
*Mar  1 00:44:24.991: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x393ADF7B(960159611), conn_id= 0, keysize= 0, flags= 0x400F
*Mar  1 00:44:24.995: ISAKMP: received ke message (1/1)
*Mar  1 00:44:24.995: ISAKMP: set new node 0 to QM_IDLE      
*Mar  1 00:44:24.999: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 34.1.1.4, remote 12.1.1.1)
*Mar  1 00:44:25.019: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:25.019: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 00:44:25.019: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:25.019: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:25.575: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:35.023: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:35.023: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 00:44:35.023: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:35.027: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:35.659: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:45.027: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:45.027: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:44:45.027: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:45.031: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:45.599: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:54.991: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4)
*Mar  1 00:44:54.995: ISAKMP: received ke message (3/1)
*Mar  1 00:44:54.995: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
//重传5次后,删除准备协商的SA
*Mar  1 00:44:54.999: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 12.1.1.1)
*Mar  1 00:44:55.003: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 12.1.1.1)
*Mar  1 00:44:55.003: ISAKMP: Unlocking IKE struct 0x649A497C for isadb_mark_sa_deleted(), count 0
*Mar  1 00:44:55.003: ISAKMP: Deleting peer node by peer_reap for 12.1.1.1: 649A497C
*Mar  1 00:44:55.007: ISAKMP:(0:0:N/A:0):deleting node 210980541 error FALSE reason "IKE deleted"
*Mar  1 00:44:55.007: ISAKMP:(0:0:N/A:0):deleting node -132879272 error FALSE reason "IKE deleted"
*Mar  1 00:44:55.007: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:44:55.011: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

五、解决方法:
R4(config)#no crypto isakmp key 0 cisco address 12.1.1.1
R4(config)#crypto isakmp key 0 cisco address 23.1.1.100 255.255.255.0
R4(config)#crypto map cisco 10 ipsec-isakmp
R4(config-crypto-map)#no set peer 12.1.1.1
R4(config-crypto-map)#set peer 23.1.1.100


转载于:https://www.cnblogs.com/MomentsLee/p/10114166.html

weixin_30265103
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
IPSec穿越NAT报文
04-16
IPSec报文穿越NAT的报文。
***_ha_高可用_设备备份
weixin_33957648的博客
07-27 298
Client的配置(Client是标准的lan to lan 的配置 peer是HSRP的虚拟的IP)hostname client!crypto isakmp policy 10authentication pre-sharecrypto isakmp key 123 address 200.100.2.100crypto isakmp keepalive 1...
实际NATIPSec ×××的影响
weixin_34295316的博客
06-16 653
一、背景描述在实际部署的IPSec ×××经常会遇到由于NAT问题,而导致IPSec ×××无法建立的问题,例如,一个公司的总部通过运营商连接分支机构,虽然在边界路由器都有固定的IP地址,而且双方可达,但是,可能出现的问题是,如果在分支机构边界路由器使用的IP地址是经过运营商时,被运营商做了一个NAT,那么建立IPSec ×××的时候将会出现问题,部署人员可能并没有考虑...
IPSec实验
小蔡的博客
01-15 7656
#本节介绍如何使用华为路由器,建立IPSec VPN,来保障俩个站点之间通信的安全 1.拓扑图 2.步骤 2.1 在r4和r5上配置静态路由,指定对端的路由 2.2 使用高级IP acl 指定进行保护的流量(指定流量的源地址和目的IP地址) 2.3 创建IPSec安全提议并指定IPSec使用的各项参数 2.4 创建IKE安全提议,并指定IKE使用的各项参数 2.5 创建IKE对等体。并在其引用配置的安全提议 2.6 创建IPSec安全策略,并在其引用ACL,IPSec安全提议和IKE对等体 2.7建
解决了一个困扰了我一个礼拜的网络问题:EasyConnect总是断,两种解决方法。
热门推荐
v-space的博客
06-06 6万+
1.问题描述 无线和有线经常隔十几秒就断。 2.解决历程 首先以为是无线问题。因此买了网线,结果还是一样的问题。 然后觉得是自己笔记本电脑的问题。使用腾讯电脑管家网络修复工具,在连接无线时,经常显示出IP出错,而且修复不了,提示让我检查路由器或网卡驱动;然后采用windows自带网络修复,报错701,按照如下思路修改后成功解决。 (1)首先保证下图以太网3那个不要随便禁用(即使未识别) (2)我的电脑【右键】->属性->设备管理器->网络适配器->WAN Miniport(IP)
easycwmp解读(1.1)-基本配置/etc/config/easycwmp
guiyuan_yelang的专栏
06-12 2489
文件路径: 源码:ext/openwrt/config/easycwmpd 设备路径: /etc/config/easycwmp 源码内容 # easycwmp uci configuration config local option enable '0' #开关-是否启动easycwmpd进程 option interface eth0 #TR069协议报文接收,发送的网卡-一般是WAN口 option port 7547 #本机监听acs Get操作的接口 option ubus_s
IPSEC穿越NAT典型配置指导
最新发布
09-14
IPSEC穿越NAT典型配置指导
IPsec nat穿越技术
12-06
IPsec nat穿越技术,学习研究提升自己的能力
IPSec NAT-T技术
08-16
IPSec NAT-T技术,通过出口网络设备连接IPSec的各种情况及处理方法
IPSec穿越NAT的原理.pdf
09-30
IPSec穿越NAT的原理.pdf
ASA 实现 IPSec 虚拟专用网(内附故障排查)
看清所以看轻
11-09 2827
IPSec虚拟专用网原理及基础配置实例:https://blog.csdn.net/weixin_44907813/article/details/102941603 其实,防火墙和路由器的配置非常相似,可以参考上方传送门,下方会介绍一个防火墙的配置实例 一、路由器的故障诊断排查 1、show crypto isakmp sa R1:show crypto isakmp sa ...
关于×××在DEBUG过程可能出现的问题
weixin_34008933的博客
08-22 1548
最近在调试DEBUG过程看到本文章,觉得对于×××错误信息不熟的人来说非常有用,几部囊括了所有的×××的DEBUG错误提示信息,并且作者对其进行了一定说明,遂转发希望对更多的人有帮助。原文地址:×××(IKEv1)實驗Troubleshooting系列一:L2L-×××作者:修羅雷禪×××的排錯,甭管是在工作還是在LAB,都是挺重要的。因此,我,人...
配置基于路由的ipsec 隧道
搬砖小胖子
08-06 4029
设备名称 接口 IP地址 内网地址 备注 BJ_AR2240 Tunnel0/0/1 169.254.2.1/30 192.168.0.0/16 VPN接口 WQ_AR2240 Tunnel0/0/1 169.254.2.2/30 172.20.0.0/16 VPN接口 说明: 与基于模板的ipsec vpn不同的是,基于路由的ipsec vpn没有acl 感兴趣流的限制,...
IPSec的高可用性技术
weixin_30266885的博客
12-14 510
IPSec VPN的高可用性技术:①、DPD(Dead Peer Detection)对等体检测 ——旨在检查有问题IPSec VPN网络,并快速的切换到备用网关②、RRI(Reverse Route Injection)反向路由注入 ——解决高可用性的路由问题 ****************DPD*****...
自定义EventSource(一)EventCounter
dotNET跨平台
07-29 366
之前的Counters都是系统内置的,我们只需在进程外,或进程内采集,然后交给专门的展示指标工具即可。本篇说一下自定义EventSource,来采集自己业务,或自己产品的指标收集方式。...
IPSec ××× 设备 链路 冗余备份实验【实践闯未来】!
weixin_34008933的博客
03-15 297
实践闯未来!本人FJXSUNMIT,初来报道,互相学习研究CISCO技术! IPSec ××× 设备链路冗余实验:(上为拓扑图) 基本实验配置: R1: R1#sh run hostname R1 no ip domain lookup ! crypto isakmp policy 10 authentication pre-share ...
2个Offer纠结
iteye_20876的博客
03-11 245
呵呵,屏蔽的*内容
Block Site
more time
09-04 3295
Block Site出于各种各样的原因,有时我们需要屏蔽一些网站。 本文提供 3 种途径来实现这个功能。1 Google Chrome 插件 blocksitehttps://chrome.google.com/webstore/detail/block-site/eiimnmioipafcokbfikbljfdeojpcgbh安装之后只需要在一个网站上右键就可以block了,进入选项还有更多高级
思科nat的设置可能遇到问题
06-12
2. 重叠的IP地址:如果您在内部网络和外部网络之间使用了相同的IP地址,NAT可能遇到问题。这可能会导致数据包在网络丢失或被路由到错误的位置。 3. 防火墙问题:如果您正在使用防火墙来保护您的网络,您需要...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值