shozhang (Cisco Employee)
Last edited by shozhang on 2019-8-14 12:02
Yesterday I handled a customer VPN case. Both ends were Cisco ISR4431 routers building an L2L IPsec VPN between public addresses, and the Phase 1 SA never negotiated successfully. Debugs and packet captures eventually showed that the customer's overly broad NAT configuration was breaking the IKE negotiation. The mechanism and the troubleshooting steps follow.

1. Customer configuration: only the VPN-relevant parts are listed below; the pre-shared key is omitted from the "crypto isakmp key" lines and the public IP addresses are redacted.
site1:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address x.x.x.x
crypto ipsec transform-set tran-r1 esp-3des esp-md5-hmac
 mode tunnel
crypto map map-1 40 ipsec-isakmp
 set peer x.x.x.x
 set transform-set tran-r1
 match address vpn-103
interface GigabitEthernet0/0/0
 ip address Y.Y.Y.Y 255.255.255.240
 ip nat outside
 negotiation auto
 crypto map map-1
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 113.208.yy.yy
ip access-list extended NAT
 deny ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any
ip access-list extended vpn-103
 permit ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255
site2:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address Y.Y.Y.Y
crypto ipsec transform-set tran-r1 esp-3des esp-md5-hmac
 mode tunnel
crypto map map-1 40 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set tran-r1
 match address vpn-103
interface GigabitEthernet0/0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 negotiation auto
 crypto map map-1
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip access-list extended NAT
 deny ip 192.168.72.0 0.0.3.255 172.17.1.0 0.0.0.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any
ip access-list extended vpn-103
 permit ip 192.168.72.0 0.0.3.255 172.17.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 222.190.xx.xx
This is a textbook L2L VPN, about as simple as it gets; the one thing that needs attention is the NAT exemption for each side's interesting traffic. The ISAKMP policy and transform set are identical on both ISRs, the pre-shared key and the interesting-traffic ACLs mirror each other as they should, and the interesting traffic is exempted from NAT. Nothing in the configuration looks wrong, so the next step is debugging.
2. Debug output: site2 initiates the VPN negotiation; debugs were collected on both sides.
site1:
debug crypto condition peer ipv4 X.X.X.X
debug crypto isakmp
Crypto ISAKMP debugging is on
chuangxin-router#
Aug 7 09:37:10.026 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (N) NEW SA
Aug 7 09:37:10.026 UTC: ISAKMP: (0):Created a peer struct for X.X.X.X, peer port 516
Aug 7 09:37:10.026 UTC: ISAKMP: (0):New peer created peer = 0x7F4CE1EB4978 peer_handle = 0x80001808
Aug 7 09:37:10.026 UTC: ISAKMP: (0):Locking peer struct 0x7F4CE1EB4978, refcount 1 for crypto_isakmp_process_block
Aug 7 09:37:10.026 UTC: ISAKMP: (0):local port 500, remote port 516
Aug 7 09:37:10.026 UTC: ISAKMP: (0):insert sa successfully sa = 7F4CE1FA28D0
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing SA payload. message ID = 0
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T v7
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T v3
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T v2
Aug 7 09:37:10.027 UTC: ISAKMP: (0):found peer pre-shared key matching X.X.X.X
Aug 7 09:37:10.027 UTC: ISAKMP: (0):local preshared key found
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Aug 7 09:37:10.027 UTC: ISAKMP: (0): encryption 3DES-CBC
Aug 7 09:37:10.028 UTC: ISAKMP: (0): hash MD5
Aug 7 09:37:10.028 UTC: ISAKMP: (0): default group 2
Aug 7 09:37:10.028 UTC: ISAKMP: (0): auth pre-share
Aug 7 09:37:10.028 UTC: ISAKMP: (0): life type in seconds
Aug 7 09:37:10.028 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 7 09:37:10.028 UTC: ISAKMP: (0):atts are acceptable. Next payload is 0
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:actual life: 86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:life: 0
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Fill atts in sa vpi_length:4
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Returning Actual lifetime: 86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Started lifetime timer: 86400.
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID is NAT-T v7
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID is NAT-T v3
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.029 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Aug 7 09:37:10.029 UTC: ISAKMP: (0):vendor ID is NAT-T v2
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Aug 7 09:37:10.029 UTC: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Aug 7 09:37:10.029 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Aug 7 09:37:20.027 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:20.027 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:20.027 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:20.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:20.528 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 7 09:37:20.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:20.528 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:20.528 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:30.028 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:30.028 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:30.028 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:30.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:30.528 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 7 09:37:30.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:30.528 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:30.528 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:40.028 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:40.028 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:40.028 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:40.534 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:40.534 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 7 09:37:40.534 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:40.534 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:40.534 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:48.906: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:002 TS:00004575368831271461 %CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Aug 7 09:37:50.028 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:50.029 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:50.029 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:50.529 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:50.529 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 7 09:37:50.529 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:50.529 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:50.529 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:38:00.030 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:38:00.030 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:38:00.030 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:38:00.531 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:38:00.532 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 7 09:38:00.532 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:38:00.532 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:38:00.532 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:38:10.532 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:38:10.532 UTC: ISAKMP: (0):peer does not do paranoid keepalives.
Aug 7 09:38:10.532 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
Aug 7 09:38:10.532 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Deleting the unauthenticated sa
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Unlocking peer struct 0x7F4CE1EB4978 for isadb_mark_sa_deleted(), count 0
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Deleting the peer struct for unauthenticated sa
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Deleting peer node by peer_reap for X.X.X.X: 7F4CE1EB4978
Aug 7 09:38:10.533 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 7 09:38:10.533 UTC: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
site2:
debug crypto condition peer ipv4 Y.Y.Y.Y
debug crypto isakmp
Crypto ISAKMP debugging is on
*Aug 7 09:38:29.282: ISAKMP: (0):Created a peer struct for Y.Y.Y.Y, peer port 500
*Aug 7 09:38:29.282: ISAKMP: (0):New peer created peer = 0x80007FCC369E4098 peer_handle = 0x8000000080000256
*Aug 7 09:38:29.282: ISAKMP: (0):Locking peer struct 0x80007FCC369E4098, refcount 1 for isakmp_initiator
*Aug 7 09:38:29.282: ISAKMP: (0):local port 500, remote port 500
*Aug 7 09:38:29.282: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 7 09:38:29.283: ISAKMP: (0):insert sa successfully sa = 80007FCC369E32F0
*Aug 7 09:38:29.283: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Aug 7 09:38:29.283: ISAKMP: (0):found peer pre-shared key matching Y.Y.Y.Y
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Aug 7 09:38:29.283: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 7 09:38:29.283: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Aug 7 09:38:29.283: ISAKMP: (0):beginning Main Mode exchange
*Aug 7 09:38:29.283: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:29.283: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:38:39.284: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:38:39.284: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 7 09:38:39.284: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:38:39.284: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:39.284: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:38:49.285: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:38:49.285: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Aug 7 09:38:49.285: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:38:49.285: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:49.285: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:38:59.283: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 7 09:38:59.283: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local X.X.X.X, remote Y.Y.Y.Y)
*Aug 7 09:38:59.283: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Aug 7 09:38:59.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:38:59.286: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Aug 7 09:38:59.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:38:59.286: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:59.286: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:39:09.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:39:09.286: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Aug 7 09:39:09.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:39:09.286: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:39:09.286: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:39:19.287: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:39:19.287: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 7 09:39:19.287: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:39:19.287: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:39:19.287: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:39:29.288: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:39:29.288: ISAKMP: (0):peer does not do paranoid keepalives.
*Aug 7 09:39:29.288: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer Y.Y.Y.Y)
*Aug 7 09:39:29.288: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer Y.Y.Y.Y)
*Aug 7 09:39:29.288: ISAKMP: (0):Unlocking peer struct 0x80007FCC369E4098 for isadb_mark_sa_deleted(), count 0
*Aug 7 09:39:29.288: ISAKMP: (0):Deleting peer node by peer_reap for Y.Y.Y.Y: 80007FCC369E4098
*Aug 7 09:39:29.289: ISAKMP: (0):deleting node 1173895836 error FALSE reason "IKE deleted"
*Aug 7 09:39:29.290: ISAKMP: (0):deleting node 4132299765 error FALSE reason "IKE deleted"
*Aug 7 09:39:29.290: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 7 09:39:29.290: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Both debugs show that only the first two Main Mode messages were ever exchanged (Phase 1 Main Mode is a six-message exchange). site2, the initiator, never left IKE_I_MM1: it sent MM1 and then retransmitted it five times in MM_NO_STATE. site1, the responder, accepted MM1, moved to IKE_R_MM2 and sent its MM_SA_SETUP reply (message 2), then kept receiving duplicate MM1s and retransmitting message 2. In other words, the initiator never received the responder's reply, message 3 was never sent, and after five retransmissions each router deleted its SA with "Death by retransmission P1". Note the asymmetry in the ports: site2 logs "my_port 500 peer_port 500", while site1 sees the very same packets arrive with "sport 516". The initiator's debug is written before its packet is translated, so a rewritten source port only becomes visible at the responder or in a capture. The %CERM_DP-4-DP_TX_BW_LIMIT line in the site1 output is the crypto throughput cap of the securityk9 license being reached and is a separate matter from this negotiation failure. The responder's proposal check is worth a second look:
Aug 7 09:37:10.027 UTC: ISAKMP: (0):local preshared key found
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Aug 7 09:37:10.027 UTC: ISAKMP: (0): encryption 3DES-CBC
Aug 7 09:37:10.028 UTC: ISAKMP: (0): hash MD5
Aug 7 09:37:10.028 UTC: ISAKMP: (0): default group 2
Aug 7 09:37:10.028 UTC: ISAKMP: (0): auth pre-share
Aug 7 09:37:10.028 UTC: ISAKMP: (0): life type in seconds
Aug 7 09:37:10.028 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 7 09:37:10.028 UTC: ISAKMP: (0):atts are acceptable. Next payload is 0
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:actual life: 86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:life: 0
This shows the Phase 1 attributes match, so a policy mismatch is ruled out as the cause. The only option left was to capture packets and look at them.
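Turning the two observations above (peer port other than 500/4500 at the responder, and "Death by retransmission P1" with the initiator stuck in MM_NO_STATE) into a check, as an added example that is not part of the original post: the script below parses "debug crypto isakmp" lines and reports the failure signature. The sample lines are excerpted from the site1 and site2 output above; the regexes follow the message formats visible there, and the finding strings are my own wording, not IOS messages.

```python
"""Pull the Phase 1 failure signature out of IOS `debug crypto isakmp` output.

Added example, not code from the original post. Sample lines are excerpted
from the site1 (responder) and site2 (initiator) debugs; the parsing and the
diagnosis rules are new here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

IKE_PORTS = {500, 4500}  # the only ports IKE / NAT-T should ever use

# Message formats as they appear in the debug output above.
RX_RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
RX_SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RX_ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RX_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')


@dataclass
class Phase1Summary:
    peer: Optional[str] = None
    role: Optional[str] = None          # "I" initiator or "R" responder
    last_state: Optional[str] = None    # e.g. MM_NO_STATE, MM_SA_SETUP
    delete_reason: Optional[str] = None
    peer_ports_seen: Set[int] = field(default_factory=set)
    max_attempt: int = 0


def summarize(lines: List[str]) -> Phase1Summary:
    """Walk the debug once and record what matters for a stuck Phase 1."""
    s = Phase1Summary()
    for line in lines:
        if m := (RX_RECV.search(line) or RX_SEND.search(line)):
            s.peer = m.group(1)
            s.peer_ports_seen.add(int(m.group(3)))   # peer's port as this router sees it
        elif m := RX_ATTEMPT.search(line):
            s.max_attempt = max(s.max_attempt, int(m.group(1)))
        elif m := RX_DELETE.search(line):
            s.delete_reason, s.role, s.last_state = m.groups()
    return s


def diagnose(s: Phase1Summary) -> List[str]:
    """Turn the summary into findings an engineer can act on."""
    findings = []
    odd_ports = sorted(p for p in s.peer_ports_seen if p not in IKE_PORTS)
    if odd_ports:
        findings.append(f"peer on port(s) {odd_ports} instead of 500/4500: "
                        "IKE is being PAT-translated somewhere in the path")
    if s.delete_reason and "retransmission P1" in s.delete_reason:
        if s.role == "I" and s.last_state == "MM_NO_STATE":
            findings.append("initiator never received MM2: no reply from the responder reached UDP 500")
        elif s.role == "R":
            findings.append("responder kept retransmitting MM2 and never saw MM3: its reply is not reaching the initiator")
    return findings


# Excerpts from the debugs above (responder first, then initiator).
SITE1_RESPONDER = [
    "Aug 7 09:37:10.026 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (N) NEW SA",
    "Aug 7 09:37:10.029 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP",
    "Aug 7 09:37:20.528 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1",
    "Aug 7 09:38:00.532 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1",
    'Aug 7 09:38:10.532 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)',
]
SITE2_INITIATOR = [
    "*Aug 7 09:38:29.283: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE",
    "*Aug 7 09:39:19.287: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1",
    '*Aug 7 09:39:29.288: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer Y.Y.Y.Y)',
]

if __name__ == "__main__":
    for name, lines in (("site1", SITE1_RESPONDER), ("site2", SITE2_INITIATOR)):
        for finding in diagnose(summarize(lines)):
            print(f"{name}: {finding}")
```

Running it over a full debug capture is the same call. The point it makes is that the initiator's own debug looks perfectly normal (my_port 500, peer_port 500) because ISAKMP logs the packet before NAT rewrites it; the translated port is only visible on the responder side or in a capture, so a responder-side debug is the one that exposes a PAT in the path.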

3. The packet captures reveal the anomaly:
site1: [packet capture screenshot]
site2: [packet capture screenshot]
The ISAKMP packets site2 sends to site1 have destination port UDP 500 but source port UDP 512, and site1's replies have source port UDP 516 and destination port UDP 512. IKE packets are supposed to use UDP 500 (or UDP 4500 once NAT-T is in use) as both source and destination port. Because site1 replies from port 516 toward port 512, site2 never recognises the reply as belonging to its own exchange, so the negotiation fails; this port anomaly is the root cause. The exact translated ports vary from attempt to attempt (the site1 debug above saw the peer on port 516, the capture saw 512), since PAT allocates a port per translation entry.
Some research showed that the ISAKMP port anomaly is caused by the customer's NAT configuration. Looking at the NAT translations on the router shows an entry similar to the following, in which the original UDP 500 has been translated to UDP 512:
#sh ip nat translations udp
Pro  Inside global          Inside local           Outside local          Outside global
udp  61.247.237.xx:512      61.247.237.xx:500      115.111.137.yy:500     115.111.137.yy:500
Now look at the NAT configuration on both sides:
site1:
ip access-list extended NAT
 deny ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any
site2:
ip access-list extended NAT
 deny ip 192.168.72.0 0.0.3.255 172.17.1.0 0.0.0.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any
Clearly the ISAKMP packets on both sides fall through to "permit ip any any" and get their source port translated. Note what the PAT entry records: inside local is the router's own interface address on port 500, inside global is the same address on port 512, and the peer (outside) side is recorded as port 500. A reply that comes back from the peer on any port other than 500 matches no entry, is not translated back to port 500, and is never delivered to the ISAKMP process listening on UDP 500.
Solution:
Exempt the ISAKMP packets from NAT on each router by adding deny entries to the NAT ACL. The source in each entry is the router's own public address, because the packets being translated are the router's own IKE packets; the destination ports are UDP 500 and, for NAT-T, UDP 4500. The deny entries must sit above "permit ip any any": a named ACL appends a new entry at the end unless it is given a sequence number, and an entry placed after "permit ip any any" is never reached. Check the resulting order with "show ip access-lists NAT", and if a stale translation for port 500 is still present, clear it with "clear ip nat translation *" before retrying the tunnel.
site1:
ip access-list extended NAT
 deny udp host Y.Y.Y.Y any eq 500
 deny udp host Y.Y.Y.Y any eq 4500
site2:
ip access-list extended NAT
 deny udp host X.X.X.X any eq 500
 deny udp host X.X.X.X any eq 4500

Recommendation: newer Cisco IOS releases no longer accept a "permit ip any any" statement in a NAT source list, whereas older releases still allow it. I hope this post helps network engineers who run into the same problem.
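To see why the original ACL translates the router's IKE packets and why the position of the fix matters, here is an added example (not code from the original post) that models Cisco extended-ACL first-match evaluation: wildcard masks, the "host" and "any" keywords, and "eq" port matches. The ACL lines are the ones from the post; the addresses 192.0.2.1 (standing in for site1's Y.Y.Y.Y) and 198.51.100.1 (for site2's x.x.x.x) are documentation addresses I chose. In a NAT source list a "permit" match means translate and a "deny" match, or the implicit deny at the end, means exempt.

```python
"""Cisco extended-ACL first-match evaluation applied to a NAT source list.

Added example, not code from the original post. ACL text is taken from the
post; 192.0.2.1 / 198.51.100.1 are placeholders for the redacted Y.Y.Y.Y / x.x.x.x.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}
ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: int
    src_wild: int
    sport: Optional[int]
    dst: int
    dst_wild: int
    dport: Optional[int]
    text: str


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port|name>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, src_wild, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, dst_wild, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(t[0], t[1], src, src_wild, sport, dst, dst_wild, dport, line)


def _hit(ip: str, net: int, wild: int) -> bool:
    """Wildcard-mask compare: a set bit in the wildcard means 'don't care'."""
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def first_match(acl: List[str], flow: Flow) -> Ace:
    """Return the first ACE the flow matches, or the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace.proto not in ("ip", flow.proto):
            continue
        if not _hit(flow.src, ace.src, ace.src_wild) or not _hit(flow.dst, ace.dst, ace.dst_wild):
            continue
        if ace.sport is not None and ace.sport != flow.sport:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace
    return Ace("deny", "ip", 0, ALL_ONES, None, 0, ALL_ONES, None, "implicit deny")


def nat_translates(acl: List[str], flow: Flow) -> bool:
    """In a NAT source list, permit == translate and deny == exempt."""
    return first_match(acl, flow).action == "permit"


ORIGINAL_NAT_ACL = [  # site1's list from the post
    "deny ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255",
    "permit udp any any eq domain",
    "permit udp any eq domain any",
    "permit icmp any any",
    "permit ip any any",
]
EXEMPTIONS = ["deny udp host 192.0.2.1 any eq 500", "deny udp host 192.0.2.1 any eq 4500"]
FIXED_NAT_ACL = EXEMPTIONS + ORIGINAL_NAT_ACL      # entered with a sequence number below 10
APPENDED_NAT_ACL = ORIGINAL_NAT_ACL + EXEMPTIONS   # typed without a sequence number: appended last

IKE_FLOW = Flow("udp", "192.0.2.1", 500, "198.51.100.1", 500)       # router-originated IKE to the peer
NATT_FLOW = Flow("udp", "192.0.2.1", 4500, "198.51.100.1", 4500)    # same once NAT-T floats to 4500
LAN_FLOW = Flow("tcp", "172.17.1.10", 40000, "192.168.73.5", 445)   # interesting traffic, already exempt

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_NAT_ACL), ("fixed", FIXED_NAT_ACL), ("appended", APPENDED_NAT_ACL)):
        print(f"{name:9s} IKE to peer matches: {first_match(acl, IKE_FLOW).text}")
```

APPENDED_NAT_ACL shows the trap: typing the two deny lines into the existing named ACL without a sequence number places them after "permit ip any any", so they never match and the IKE packet is still translated. Give them a sequence number (for example "5 deny udp host Y.Y.Y.Y any eq 500") or rebuild the list with the exemptions first, and confirm with "show ip access-lists NAT".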

Comments
xiaocqu (Spotlight):
Solid material, thanks for sharing.
raxing (Cisco Employee):
For NAT cases on the IOS-XE platform, check the ACL first; if it is "permit ip any any", change it right away ;P
one-time (Level 13):
Thanks for sharing.
YilinChen (Spotlight):
Since both ends are Cisco routers, I would suggest configuring an SVTI-type IPsec VPN instead; it is much more flexible and convenient.
shozhang (Cisco Employee):
YilinChen wrote on 2019-8-13 15:33:
Since both ends are Cisco routers, I would suggest configuring an SVTI-type IPsec VPN instead; it is much more flexible and convenient.

SVTI can run into this problem as well.