取消
显示结果 
搜索替代 
您的意思是: 
cancel
6465
查看次数
0
有帮助
3
回复

ipsec vpn隧道,一端加密,一端无解密包,隧道口地址ping不通

jia-yupeng
Level 1
Level 1
网络拓扑见附件:113204gd9nd3cmwiiccx26.png
siteA配置:
version 12.4
no service password-encryption
!
hostname IPV6-2821-CNBJPEK12-01
enable secret 5 $1$p3WY$E.P83ia7N/Bx.YE9J87eV/
!
no aaa new-model
clock timezone UTC 8
!
ip cef
!
no ip domain lookup
ip domain name lenovo.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
!
voice-card 0
no dspfarm
!
crypto pki token default removal timeout 0
!
username lenovo password 0 lenovo,!
!
ip ssh version 2
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel0
ip address 9.9.9.2 255.255.255.252
ip tcp adjust-mss 1300
ip ospf mtu-ignore
load-interval 30
tunnel source 10.103.2.134
tunnel destination 10.128.220.107
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
description To-COS-12804-CNBJPEK12-01-10GE3/0/10
ip address 10.103.2.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description To-Dis-12708-CNBJPEK12-01-XGE1/0/6
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 9.9.9.2 0.0.0.0 area 0
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 10.103.2.133 name Internal-mgmt
!
siteB配置:
version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname apnewhkxscs_csr1000v-1
!
aaa session-id common
clock timezone UTC 8 0
!
ip name-server 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9F8JLPHZJYI
license accept end user agreement
license boot level security
!
username lenovo privilege 15 password 7 151E0E020B3C246869
!
redundancy
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel6
ip address 9.9.9.1 255.255.255.252
ip tcp adjust-mss 1300
ip ospf mtu-ignore
load-interval 30
tunnel source 10.128.220.107
tunnel mode ipsec ipv4
tunnel destination 10.103.2.134
tunnel protection ipsec profile P1
!
interface GigabitEthernet1
ip address 10.128.220.107 255.255.255.240
ip tcp adjust-mss 1200
negotiation auto
!
router ospf 1
router-id 10.128.220.107
network 9.9.9.1 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.128.220.147 name internet
ip route 10.0.0.0 255.0.0.0 10.128.220.110
ip route 10.103.2.134 255.255.255.255 10.128.220.110
测试:
IPV6-2821-CNBJPEK12-01#ping 10.128.220.107 source 10.103.2.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.220.107, timeout is 2 seconds:
Packet sent with a source address of 10.103.2.134
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/52 ms
isdkmp sa:
IPV6-2821-CNBJPEK12-01#sh crypto isakmp sa
dst src state conn-id slot status
10.128.220.107 10.103.2.134 QM_IDLE 2 0 ACTIVE
siteA:
ipsec sa:
IPV6-2821-CNBJPEK12-01#SH CRYpto IPsec SA
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.103.2.134
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.128.220.107 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.103.2.134, remote crypto endpt.: 10.128.220.107
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x87C7164F(2277971535)
inbound esp sas:
spi: 0x83B90367(2209940327)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4585833/2350)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x91268ACF(2435222223)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4426620/2352)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0xF2142416(4061406230)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4585832/2348)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x87C7164F(2277971535)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4426604/2350)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
siteB:
apnewhkxscs_csr1000v-1#sh crypto ipsec sa peer 10.103.2.134
interface: Tunnel6
Crypto map tag: Tunnel6-head-0, local addr 10.128.220.107
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.103.2.134 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.128.220.107, remote crypto endpt.: 10.103.2.134
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x91268ACF(2435222223)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF2142416(4061406230)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2875, flow_id: CSR:875, sibling_flags FFFFFFFF80000048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2243)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x87C7164F(2277971535)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2877, flow_id: CSR:877, sibling_flags FFFFFFFF80004048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4607985/2244)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x83B90367(2209940327)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2876, flow_id: CSR:876, sibling_flags FFFFFFFF80000048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2243)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x91268ACF(2435222223)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2878, flow_id: CSR:878, sibling_flags FFFFFFFF80004048, crypto map: Tunnel6-head-0
sa timing: remaining key lifetime (k/sec): (4607988/2244)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
问题:
site A只有加密的包,site B加密解密都有,隧道口地址ping不到,
IPV6-2821-CNBJPEK12-01#ping 9.9.9.1 SOurce 9.9.9.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 9.9.9.2
.....
Success rate is 0 percent (0/5)
site A无邻居表象
IPV6-2821-CNBJPEK12-01#sh ip os neighbor
siteB有邻居表项,状态为init
apnewhkxscs_csr1000v-1#sh ip os neighbor
Neighbor ID Pri State Dead Time Address Interface
10.103.2.134 0 INIT/ - 00:00:31 9.9.9.2 Tunnel6
排除iOS版本影响,有别的site跟siteA一样的版本12.4,可以正常和site B建立邻居,学习路由,
请帮忙分析下。
1 个已接受解答

已接受的解答

Mansur
Spotlight
Spotlight
两边版本不一样,是不是某些策略的默认配置不一样,检查下。
不过你这个A到B有加密和解密。返回的数据B加密了,A没解密,应该是没收到吧
在A端抓包看看有没有B发来的esp数据包。。。

在原帖中查看解决方案

3 条回复3

Mansur
Spotlight
Spotlight
两边版本不一样,是不是某些策略的默认配置不一样,检查下。
不过你这个A到B有加密和解密。返回的数据B加密了,A没解密,应该是没收到吧
在A端抓包看看有没有B发来的esp数据包。。。

jia-yupeng
Level 1
Level 1
maguanghua2013 发表于 2018-7-12 16:34
两边版本不一样,是不是某些策略的默认配置不一样,检查下。
不过你这个A到B有加密和解密。返回的数据B加 ...

有别的site也是12.4版本,运行似乎没问题,
另外抓包测试了
在B侧可以匹配到B发给A的esp包:
10.128.220.107:
ip access-list extended test
permit esp host 10.128.220.107 host 10.103.2.134 log
permit ip any any
interface GigabitEthernet1
ip address 10.128.220.107 255.255.255.240
ip access-group test out
apnewhkxscs_csr1000v-1#sh access-lists
Extended IP access list test
10 permit esp host 10.128.220.107 host 10.103.2.134 log (5 matches)
20 permit ip any any (81632 matches)
--------
在A侧:---没有收到B发过来的esp报文,
10.103.2.134:
ip access-list extended test
permit esp host 10.128.220.107 host 10.103.2.134
permit ip any any
interface GigabitEthernet0/0
ip address 10.103.2.134 255.255.255.252
ip access-group test in
IPV6-2821-CNBJPEK12-01#sh access-lists
Extended IP access list test
10 permit esp host 10.128.220.107 host 10.103.2.134
20 permit ip any any (399 matches)
不知道是丢在中间路径了还是A自身,中间路径没有FW。

jia-yupeng
Level 1
Level 1
maguanghua2013 发表于 2018-7-12 16:34
两边版本不一样,是不是某些策略的默认配置不一样,检查下。
不过你这个A到B有加密和解密。返回的数据B加 ...

多谢楼主支持,现在在siteA换了台同样设备,版本升级为12.4同样版本,和siteB之间正常建立隧道,运行ospf没有问题。(ps:siteA原来使用的是利旧的R2821,现在怀疑可能是设备自身问题,把数据包丢在自身或者没处理)
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区:









快捷链接