ipsec *** 故障排除

最新推荐文章于 2022-05-17 16:21:36 发布

weixin_34202952

最新推荐文章于 2022-05-17 16:21:36 发布

阅读量704

点赞数

文章标签：游戏

原文链接：http://blog.51cto.com/ssk77/1206653

版权

闲来无事，做了一个ipsec ***的实验，结果没有想到，不但没有效果，反而出现了一个意想不到的结果，呵呵。。。这个不是重点，看看如何排除故障！！！

实验拓扑：

R3-R1-R5-R2-R4

接口的话从左到右，依次是e0/1 e0/1 e0/0 e0/0 e0/2 e0/2 e0/1 e0/1

一些基本的配置，这里就省略了，相信配置IP地址这个不是什么问题。

R3的e0/1:192.168.2.100 网关192.168.2.254

R1的e0/1：192.168.2.254 e0/0 10.1.1.1

R5的e0/0：10.1.1.5 e0/2: 20.1.1.5

R2的e0/2 20.1.1.2 e0/1 10.10.2.254

R4 e0/1 10.10.2.100 网关：10.10.2.254

这个实验需要注意的几点，ipsec ***和NAT的相关性问题还有就是感兴趣流，大家平时做实验都是写扩展列表，但是可能不会太注意到细节，如下所写：access-list 100 permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0 我注意到我身边的有些技术人员就会这样写，这样你在show running-config时，是无法看到正常的列表的。

R1的配置如下：

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 20.1.1.2
!
!
crypto ipsec transform-set ssk ah-md5-hmac esp-3des
!
crypto map ssk 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set ssk
match address 101（故障点1）
!
!
!
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map ssk
!
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex

ip route 0.0.0.0 0.0.0.0 10.1.1.5
!
!
ip nat inside source list 101 interface Ethernet0/0 overload
!

access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any (故障点2)

这里只贴出相关配置

ipsec ***基本设置配置完成后，发现第一阶段建立不起来，于是开启debug查看相关信息后，如下：

R2#
*Mar 1 01:25:32.659: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Mar 1 01:25:32.659: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
*Mar 1 01:25:32.659: ISAKMP: New peer created peer = 0x645C147C peer_handle = 0x80000004
*Mar 1 01:25:32.663: ISAKMP: Locking peer struct 0x645C147C, IKE refcount 1 for crypto_isakmp_process_block
*Mar 1 01:25:32.663: ISAKMP: local port 500, remote port 500
*Mar 1 01:25:32.663: insert sa successfully sa = 651B769C
*Mar 1 01:25:32.667: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:25:32.667: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 1 01:25:32.671: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 01:25:32.671: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:25:32.671: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 01:25:32.675: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 01:25:32.675: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:25:32.675: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:25:32.675: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 1 01:25:32.679: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.1.1.1
*Mar 1 01:25:32.683: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 01:25:32.683: ISAKMP : Scanning profiles for xauth ...
*Mar 1 01:25:32.683: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 01:25:32.683: ISAKMP: encryption 3DES-CBC
*Mar 1 01:25:32.683: ISAKMP: hash MD5
*Mar 1 01:25:32.687: ISAKMP: default group 2
*Mar 1 01:25:32.687: ISAKMP: auth pre-share
*Mar 1 01:25:32.687: ISAKMP: life type in seconds
*Mar 1 01:25:32.687: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 01:25:32.691: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 01:25:32.763: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:25:32.763: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 01:25:32.767: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar 1 01:25:32.767: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:25:32.767: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:25:32.767: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar 1 01:25:32.771: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:25:32.771: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

在此处大家只需要注意故障点1和2就可以了，因为做了NAT，所以要特别注意NAT的流量和ipsec的感兴趣流量是要分开的，于是match的地址一定不能被nat的流量匹配到。把流量分开后，ipsec ***成功建立。当然这只是其中一个问题，每个人碰到的问题都不会相同，希望大家有问题，一起交流，第一次写博文，有不足之处，希望大家批评指正，谢谢！！！