1. Customer configuration: only the VPN-relevant configuration is listed below; the customer's pre-shared key and public IP addresses have been hidden.

site1:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address x.x.x.x
crypto ipsec transform-set tran-r1 esp-3des esp-md5-hmac
 mode tunnel
crypto map map-1 40 ipsec-isakmp
 set peer x.x.x.x
 set transform-set tran-r1
 match address vpn-103
interface GigabitEthernet0/0/0
 ip address Y.Y.Y.Y 255.255.255.240
 ip nat outside
 negotiation auto
 crypto map map-1
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 113.208.yy.yy
ip access-list extended NAT
 deny ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any
ip access-list extended vpn-103
 permit ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255

site2:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address Y.Y.Y.Y
crypto ipsec transform-set tran-r1 esp-3des esp-md5-hmac
 mode tunnel
crypto map map-1 40 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set tran-r1
 match address vpn-103
interface GigabitEthernet0/0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 negotiation auto
 crypto map map-1
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip access-list extended NAT
 deny ip 192.168.72.0 0.0.3.255 172.17.1.0 0.0.0.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any
ip access-list extended vpn-103
 permit ip 192.168.72.0 0.0.3.255 172.17.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 222.190.xx.xx

The customer has deployed a typical L2L (LAN-to-LAN) VPN, about as simple as a VPN gets; the only thing that needs attention is the NAT exemption for each side's interesting traffic on the router. Both ISRs are configured with the same encryption algorithms, the pre-shared key and the interesting-traffic ACLs mirror each other as they should, and the interesting traffic is exempted from NAT, so nothing looks wrong in the configuration. Next, the debugs.
2. Debug output: the VPN negotiation is initiated by site2 and debug output is collected on both sides.

site1:
debug crypto condition peer ipv4 X.X.X.X
debug crypto isakmp
Crypto ISAKMP debugging is on
chuangxin-router#
Aug 7 09:37:10.026 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (N) NEW SA
Aug 7 09:37:10.026 UTC: ISAKMP: (0):Created a peer struct for X.X.X.X, peer port 516
Aug 7 09:37:10.026 UTC: ISAKMP: (0):New peer created peer = 0x7F4CE1EB4978 peer_handle = 0x80001808
Aug 7 09:37:10.026 UTC: ISAKMP: (0):Locking peer struct 0x7F4CE1EB4978, refcount 1 for crypto_isakmp_process_block
Aug 7 09:37:10.026 UTC: ISAKMP: (0):local port 500, remote port 516
Aug 7 09:37:10.026 UTC: ISAKMP: (0):insert sa successfully sa = 7F4CE1FA28D0
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing SA payload. message ID = 0
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T v7
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T v3
Aug 7 09:37:10.027 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Aug 7 09:37:10.027 UTC: ISAKMP: (0):vendor ID is NAT-T v2
Aug 7 09:37:10.027 UTC: ISAKMP: (0):found peer pre-shared key matching X.X.X.X
Aug 7 09:37:10.027 UTC: ISAKMP: (0):local preshared key found
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Aug 7 09:37:10.027 UTC: ISAKMP: (0): encryption 3DES-CBC
Aug 7 09:37:10.028 UTC: ISAKMP: (0): hash MD5
Aug 7 09:37:10.028 UTC: ISAKMP: (0): default group 2
Aug 7 09:37:10.028 UTC: ISAKMP: (0): auth pre-share
Aug 7 09:37:10.028 UTC: ISAKMP: (0): life type in seconds
Aug 7 09:37:10.028 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 7 09:37:10.028 UTC: ISAKMP: (0):atts are acceptable. Next payload is 0
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:actual life: 86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:life: 0
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Fill atts in sa vpi_length:4
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Returning Actual lifetime: 86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Started lifetime timer: 86400.
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID is NAT-T v7
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Aug 7 09:37:10.028 UTC: ISAKMP: (0):vendor ID is NAT-T v3
Aug 7 09:37:10.028 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 09:37:10.029 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Aug 7 09:37:10.029 UTC: ISAKMP: (0):vendor ID is NAT-T v2
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Aug 7 09:37:10.029 UTC: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Aug 7 09:37:10.029 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 7 09:37:10.029 UTC: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Aug 7 09:37:20.027 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:20.027 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:20.027 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:20.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:20.528 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 7 09:37:20.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:20.528 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:20.528 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:30.028 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:30.028 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:30.028 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:30.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:30.528 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 7 09:37:30.528 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:30.528 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:30.528 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:40.028 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:40.028 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:40.028 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:40.534 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:40.534 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 7 09:37:40.534 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:40.534 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:40.534 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:37:48.906: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:002 TS:00004575368831271461 %CERM_DP-4-DP_TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Aug 7 09:37:50.028 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:37:50.029 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:37:50.029 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:37:50.529 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:37:50.529 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 7 09:37:50.529 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:37:50.529 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:37:50.529 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:38:00.030 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (R) MM_SA_SETUP
Aug 7 09:38:00.030 UTC: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Aug 7 09:38:00.030 UTC: ISAKMP: (0):retransmitting due to retransmit phase 1
Aug 7 09:38:00.531 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:38:00.532 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 7 09:38:00.532 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Aug 7 09:38:00.532 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP
Aug 7 09:38:00.532 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 09:38:10.532 UTC: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Aug 7 09:38:10.532 UTC: ISAKMP: (0):peer does not do paranoid keepalives.
Aug 7 09:38:10.532 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
Aug 7 09:38:10.532 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Deleting the unauthenticated sa
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Unlocking peer struct 0x7F4CE1EB4978 for isadb_mark_sa_deleted(), count 0
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Deleting the peer struct for unauthenticated sa
Aug 7 09:38:10.532 UTC: ISAKMP: (0):Deleting peer node by peer_reap for X.X.X.X: 7F4CE1EB4978
Aug 7 09:38:10.533 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 7 09:38:10.533 UTC: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_DEST_SA

site2:
debug crypto condition peer ipv4 Y.Y.Y.Y
debug crypto isakmp
Crypto ISAKMP debugging is on
*Aug 7 09:38:29.282: ISAKMP: (0):Created a peer struct for Y.Y.Y.Y, peer port 500
*Aug 7 09:38:29.282: ISAKMP: (0):New peer created peer = 0x80007FCC369E4098 peer_handle = 0x8000000080000256
*Aug 7 09:38:29.282: ISAKMP: (0):Locking peer struct 0x80007FCC369E4098, refcount 1 for isakmp_initiator
*Aug 7 09:38:29.282: ISAKMP: (0):local port 500, remote port 500
*Aug 7 09:38:29.282: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 7 09:38:29.283: ISAKMP: (0):insert sa successfully sa = 80007FCC369E32F0
*Aug 7 09:38:29.283: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Aug 7 09:38:29.283: ISAKMP: (0):found peer pre-shared key matching Y.Y.Y.Y
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Aug 7 09:38:29.283: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Aug 7 09:38:29.283: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 7 09:38:29.283: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Aug 7 09:38:29.283: ISAKMP: (0):beginning Main Mode exchange
*Aug 7 09:38:29.283: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:29.283: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:38:39.284: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:38:39.284: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 7 09:38:39.284: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:38:39.284: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:39.284: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:38:49.285: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:38:49.285: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Aug 7 09:38:49.285: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:38:49.285: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:49.285: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:38:59.283: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 7 09:38:59.283: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local X.X.X.X, remote Y.Y.Y.Y)
*Aug 7 09:38:59.283: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Aug 7 09:38:59.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:38:59.286: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Aug 7 09:38:59.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:38:59.286: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:38:59.286: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:39:09.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:39:09.286: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Aug 7 09:39:09.286: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:39:09.286: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:39:09.286: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:39:19.287: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:39:19.287: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 7 09:39:19.287: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 7 09:39:19.287: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 7 09:39:19.287: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 7 09:39:29.288: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 7 09:39:29.288: ISAKMP: (0):peer does not do paranoid keepalives.
*Aug 7 09:39:29.288: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer Y.Y.Y.Y)
*Aug 7 09:39:29.288: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer Y.Y.Y.Y)
*Aug 7 09:39:29.288: ISAKMP: (0):Unlocking peer struct 0x80007FCC369E4098 for isadb_mark_sa_deleted(), count 0
*Aug 7 09:39:29.288: ISAKMP: (0):Deleting peer node by peer_reap for Y.Y.Y.Y: 80007FCC369E4098
*Aug 7 09:39:29.289: ISAKMP: (0):deleting node 1173895836 error FALSE reason "IKE deleted"
*Aug 7 09:39:29.290: ISAKMP: (0):deleting node 4132299765 error FALSE reason "IKE deleted"
*Aug 7 09:39:29.290: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 7 09:39:29.290: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

As the output shows, the ISAKMP negotiation on both sides got no further than the first two packets (main mode phase 1 has six packets): each 4331 completed only the first ISAKMP exchange and then started retransmitting. This means the IKE initiator never received the third packet; after five failed retransmissions the IKE negotiation was declared failed.

Aug 7 09:37:10.027 UTC: ISAKMP: (0):local preshared key found
Aug 7 09:37:10.027 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Aug 7 09:37:10.027 UTC: ISAKMP: (0): encryption 3DES-CBC
Aug 7 09:37:10.028 UTC: ISAKMP: (0): hash MD5
Aug 7 09:37:10.028 UTC: ISAKMP: (0): default group 2
Aug 7 09:37:10.028 UTC: ISAKMP: (0): auth pre-share
Aug 7 09:37:10.028 UTC: ISAKMP: (0): life type in seconds
Aug 7 09:37:10.028 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 7 09:37:10.028 UTC: ISAKMP: (0):atts are acceptable. Next payload is 0
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:actual life: 86400
Aug 7 09:37:10.028 UTC: ISAKMP: (0):Acceptable atts:life: 0

From this excerpt we can see that the phase 1 policies match, so an IKE failure caused by mismatched algorithms can be ruled out. The only thing left is to capture packets and analyse them.

3. The packet captures reveal an anomaly:

site1 capture:
site2 capture:

The ISAKMP packets sent by site2 to site1 have destination port UDP 500 but source port UDP 512, while the packets site1 returns to site2 have source port UDP 516 and destination port UDP 512. IKE negotiation packets should use UDP 500 (or 4500) as both source and destination port; because site1's replies carry source port 516 and destination port 512, site2 naturally does not respond to these ISAKMP replies, and the IKE negotiation fails. This port anomaly is the root cause of the routers' failed negotiation.

After some research we found that the abnormal ISAKMP ports are caused by the NAT configured by the customer. Looking at the NAT translation entries on the router, we see an entry like the following, where the original UDP 500 has been translated to UDP 512:

#sh ip nat translations udp
Pro  Inside global          Inside local           Outside local           Outside global
udp  61.247.237.xx:512      61.247.237.xx:500      115.111.137.yy:500      115.111.137.yy:500

Now look at the NAT configuration on both sides:

site1:
ip access-list extended NAT
 deny ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any

site2:
ip access-list extended NAT
 deny ip 192.168.72.0 0.0.3.255 172.17.1.0 0.0.0.255
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any
 permit ip any any

Clearly the ISAKMP packets on both sides are caught by "permit ip any any" and their source port is translated.

Solution: exempt the ISAKMP packets from NAT on both routers by adding deny entries.

site1:
ip access-list extended NAT
 deny udp host Y.Y.Y.Y any eq 500
 deny udp host Y.Y.Y.Y any eq 4500

site2:
ip access-list extended NAT
 deny udp host X.X.X.X any eq 500
 deny udp host X.X.X.X any eq 4500
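The triage the article does by eye in sections 2 and 3 can be scripted. This added example (not part of the original post) scans "debug crypto isakmp" output for the two tell-tale signs seen here: IKE packets on a UDP port other than 500/4500, and a phase 1 SA that dies by retransmission before MM3. The sample lines are trimmed from the article's site1 and site2 debugs, with the author's X.X.X.X / Y.Y.Y.Y placeholders kept as-is.

```python
import re

# Patterns for the IOS 'debug crypto isakmp' lines that matter for this failure mode
RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) \S+ \((\w)\) (\S+)")
SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((\w)\) (\S+)")
RETRANS = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
DEATH = re.compile(r'deleting SA reason "Death by retransmission P1"')
IKE_PORTS = {500, 4500}          # the only UDP ports IKE / NAT-T should ever use

def triage_isakmp_debug(lines):
    """Summarise one router's debug: role (I/R), last state seen on the wire, retransmit
    count, death-by-retransmission flag, and every IKE packet on a port outside 500/4500."""
    s = {"role": None, "last_state": None, "retransmits": 0,
         "died_by_retransmission": False, "odd_ports": set()}
    for line in lines:
        if m := RECV.search(line):
            peer, dport, sport, role, state = m.groups()
            ports, direction = (int(dport), int(sport)), "recv"
        elif m := SEND.search(line):
            peer, my_port, peer_port, role, state = m.groups()
            ports, direction = (int(my_port), int(peer_port)), "send"
        elif m := RETRANS.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            continue
        else:
            s["died_by_retransmission"] |= bool(DEATH.search(line))
            continue
        s["role"], s["last_state"] = role, state
        s["odd_ports"].update((direction, peer, p) for p in ports if p not in IKE_PORTS)
    s["odd_ports"] = sorted(s["odd_ports"])
    return s

def verdict(s):
    if s["odd_ports"]:
        return "IKE seen on non-500/4500 UDP ports: a NAT/PAT device on the path is rewriting ISAKMP"
    if s["died_by_retransmission"] and s["last_state"] in ("MM_NO_STATE", "MM_SA_SETUP"):
        return "phase 1 died before MM3: the peer's reply never arrived, check the return path"
    return "no phase-1 transport anomaly found"

# Constructed samples: representative lines trimmed from the article's site1 and site2 debugs
SITE1_LINES = [
    "Aug 7 09:37:10.026 UTC: ISAKMP-PAK: (0):received packet from X.X.X.X dport 500 sport 516 Global (N) NEW SA",
    "Aug 7 09:37:10.029 UTC: ISAKMP-PAK: (0):sending packet to X.X.X.X my_port 500 peer_port 516 (R) MM_SA_SETUP",
    "Aug 7 09:38:00.532 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1",
    'Aug 7 09:38:10.532 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)',
]
SITE2_LINES = [
    "*Aug 7 09:38:29.283: ISAKMP-PAK: (0):sending packet to Y.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE",
    "*Aug 7 09:39:19.287: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1",
    '*Aug 7 09:39:29.288: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer Y.Y.Y.Y)',
]

if __name__ == "__main__":
    for name, lines in (("site1", SITE1_LINES), ("site2", SITE2_LINES)):
        print(name, verdict(triage_isakmp_debug(lines)))
```

Run against the full debugs, site1 reports the stray port 516 immediately, while site2, which only ever sees its own outgoing packets on 500, reports the generic "reply never arrived" symptom, which is why the capture was needed to close the case.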
Recommendation: newer Cisco IOS releases no longer accept "permit ip any any" in the NAT source ACL, but older IOS releases still allow it. I hope this post helps other network engineers who run into the same problem.
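To see exactly why "permit ip any any" in the NAT ACL catches the router's own ISAKMP traffic, and why the deny entries from the solution stop it, here is an added example (not from the original post) that evaluates a Cisco-style extended ACL with wildcard-mask semantics against a flow. The WAN addresses 192.0.2.1 and 198.51.100.1 are constructed stand-ins for the hidden Y.Y.Y.Y and X.X.X.X; everything else is the customer's site1 ACL as shown above.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}   # names IOS accepts after 'eq'

def _addr(t):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'; return (matcher, rest)."""
    if t[0] == "any":
        return (lambda ip: True), t[1:]
    if t[0] == "host":
        h = int(ipaddress.IPv4Address(t[1]))
        return (lambda ip: int(ip) == h), t[2:]
    net, wc = int(ipaddress.IPv4Address(t[0])), int(ipaddress.IPv4Address(t[1]))
    care = 0xFFFFFFFF ^ wc        # wildcard 1-bits are "don't care", so compare the rest
    return (lambda ip: (int(ip) & care) == (net & care)), t[2:]

def _port(t):
    if t and t[0] == "eq":
        return PORT_NAMES.get(t[1]) or int(t[1]), t[2:]
    return None, t                # no 'eq' qualifier: any port

def parse_ace(ace):
    t = ace.split()
    action, proto = t[0], t[1]
    src, t = _addr(t[2:])
    sport, t = _port(t)
    dst, t = _addr(t)
    dport, t = _port(t)
    return action, proto, src, sport, dst, dport

def nat_decision(aces, proto, src, sport, dst, dport):
    """Evaluate a NAT ACL the way IOS does: top-down, first match wins, implicit deny.
    In a NAT ACL 'permit' means translate and 'deny' means leave the packet alone."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, fs, sp, fd, dp in map(parse_ace, aces):
        if p in ("ip", proto) and fs(s) and fd(d) \
                and sp in (None, sport) and dp in (None, dport):
            return "translate" if action == "permit" else "exempt"
    return "exempt"

# Constructed stand-ins for the article's hidden addresses: Y.Y.Y.Y (site1 WAN), X.X.X.X (site2 WAN)
SITE1_WAN, SITE2_WAN = "192.0.2.1", "198.51.100.1"
ORIGINAL = [                      # the customer's site1 NAT ACL from the article
    "deny ip 172.17.1.0 0.0.0.255 192.168.72.0 0.0.3.255",
    "permit udp any any eq domain",
    "permit udp any eq domain any",
    "permit icmp any any",
    "permit ip any any",
]
# The fix: IKE exemptions placed ABOVE the catch-all (use sequence numbers when editing a live
# named ACL; an ACE typed without one is appended after 'permit ip any any' and never matches)
FIXED = ORIGINAL[:1] + [f"deny udp host {SITE1_WAN} any eq 500",
                        f"deny udp host {SITE1_WAN} any eq 4500"] + ORIGINAL[1:]

if __name__ == "__main__":
    ike = ("udp", SITE1_WAN, 500, SITE2_WAN, 500)    # site1's own ISAKMP packet toward site2
    print("original:", nat_decision(ORIGINAL, *ike), "| fixed:", nat_decision(FIXED, *ike))
```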