IPsec VPN tunnel: one end encrypts but the other shows no decrypted packets; the tunnel interface addresses cannot ping each other

Posted on 2018-7-12 11:50:36
Network topology: see the attachment.
Site A configuration:
version 12.4
no service password-encryption
!
hostname IPV6-2821-CNBJPEK12-01
enable secret 5 $1$p3WY$E.P83ia7N/Bx.YE9J87eV/
!
no aaa new-model
clock timezone UTC 8
!
ip cef
!
no ip domain lookup
ip domain name lenovo.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
!         
voice-card 0
no dspfarm
!
crypto pki token default removal timeout 0
!
username lenovo password 0 lenovo,!
!
ip ssh version 2
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel0
ip address 9.9.9.2 255.255.255.252
ip tcp adjust-mss 1300
ip ospf mtu-ignore
load-interval 30
tunnel source 10.103.2.134
tunnel destination 10.128.220.107
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
description To-COS-12804-CNBJPEK12-01-10GE3/0/10
ip address 10.103.2.134 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description To-Dis-12708-CNBJPEK12-01-XGE1/0/6
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 9.9.9.2 0.0.0.0 area 0
!         
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 10.103.2.133 name Internal-mgmt
!
Site B configuration:
version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname apnewhkxscs_csr1000v-1
!
aaa session-id common
clock timezone UTC 8 0
!
ip name-server 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9F8JLPHZJYI
license accept end user agreement
license boot level security
!
username lenovo privilege 15 password 7 151E0E020B3C246869
!
redundancy
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0        
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel6
ip address 9.9.9.1 255.255.255.252
ip tcp adjust-mss 1300
ip ospf mtu-ignore
load-interval 30
tunnel source 10.128.220.107
tunnel mode ipsec ipv4
tunnel destination 10.103.2.134
tunnel protection ipsec profile P1
!
interface GigabitEthernet1
ip address 10.128.220.107 255.255.255.240
ip tcp adjust-mss 1200
negotiation auto
!
router ospf 1
router-id 10.128.220.107
network 9.9.9.1 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.128.220.147 name internet
ip route 10.0.0.0 255.0.0.0 10.128.220.110
ip route 10.103.2.134 255.255.255.255 10.128.220.110

Test:
IPV6-2821-CNBJPEK12-01#ping 10.128.220.107 source 10.103.2.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.220.107, timeout is 2 seconds:
Packet sent with a source address of 10.103.2.134
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/52 ms

ISAKMP SA:

IPV6-2821-CNBJPEK12-01#sh crypto isakmp sa
dst             src             state          conn-id slot status
10.128.220.107  10.103.2.134    QM_IDLE              2    0 ACTIVE

Site A:
IPsec SA:
IPV6-2821-CNBJPEK12-01#SH CRYpto IPsec SA
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.103.2.134
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.128.220.107 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.103.2.134, remote crypto endpt.: 10.128.220.107
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x87C7164F(2277971535)
     inbound esp sas:
      spi: 0x83B90367(2209940327)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4585833/2350)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x91268ACF(2435222223)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4426620/2352)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xF2142416(4061406230)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4585832/2348)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x87C7164F(2277971535)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4426604/2350)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

Site B:
apnewhkxscs_csr1000v-1#sh crypto ipsec sa peer 10.103.2.134
interface: Tunnel6
    Crypto map tag: Tunnel6-head-0, local addr 10.128.220.107
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.103.2.134 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.128.220.107, remote crypto endpt.: 10.103.2.134
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x91268ACF(2435222223)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xF2142416(4061406230)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2875, flow_id: CSR:875, sibling_flags FFFFFFFF80000048, crypto map: Tunnel6-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2243)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x87C7164F(2277971535)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2877, flow_id: CSR:877, sibling_flags FFFFFFFF80004048, crypto map: Tunnel6-head-0
        sa timing: remaining key lifetime (k/sec): (4607985/2244)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x83B90367(2209940327)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2876, flow_id: CSR:876, sibling_flags FFFFFFFF80000048, crypto map: Tunnel6-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2243)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x91268ACF(2435222223)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2878, flow_id: CSR:878, sibling_flags FFFFFFFF80004048, crypto map: Tunnel6-head-0
        sa timing: remaining key lifetime (k/sec): (4607988/2244)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)


Problem:
Site A only shows encrypted packets, while site B shows both encrypted and decrypted packets. The tunnel interface addresses cannot ping each other:
IPV6-2821-CNBJPEK12-01#ping 9.9.9.1 SOurce 9.9.9.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 9.9.9.2
.....
Success rate is 0 percent (0/5)

Site A shows no neighbor:
IPV6-2821-CNBJPEK12-01#sh ip os neighbor

Site B has a neighbor entry, in state INIT:
apnewhkxscs_csr1000v-1#sh ip os neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.103.2.134      0   INIT/  -        00:00:31    9.9.9.2         Tunnel6

The IOS version has been ruled out: another site running the same version 12.4 as site A establishes an adjacency with site B and learns routes normally.
Please help analyze this.



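The counters in the question already point at one direction. A shows 125 packets encapsulated and 0 decapsulated; B shows 134 decapsulated (A's traffic arrives and decrypts at B) and 150 encapsulated (B is answering), yet A never decrypts anything and reports no recv errors, so B's ESP is not even reaching A's crypto engine. The OSPF table agrees: B lists A as INIT, which means B hears A's hellos but A never hears B's. The script below, an added example for this thread and not code from any of the posts, automates that reading: it parses the counter and SPI lines of `show crypto ipsec sa` from both peers, verifies that the SPIs pair up (each outbound SPI on one side is an inbound SPI on the other, so an SA mismatch is ruled out first), and then names the failing direction. The sample outputs are constructed from the values shown in the thread; the function and regex names are mine.

```python
"""Localise one-way loss on an IPsec tunnel from `show crypto ipsec sa` on both peers.

Checks two things: (1) SPI pairing, so both crypto engines agree on the SAs,
and (2) packet accounting, #pkts encaps on the sender versus #pkts decaps on
the receiver. Zero decaps with zero recv errors on the receiver means the ESP
never reached its crypto engine (path loss, or a drop inside the receiver
before IPsec), not a decryption failure.
"""
import re
from dataclasses import dataclass, field

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
RECV_ERR_RE = re.compile(r"#recv errors\s*(\d+)")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")  # per-SA lines only


@dataclass
class SaCounters:
    encaps: int = 0
    decaps: int = 0
    recv_errors: int = 0
    inbound_spis: set = field(default_factory=set)
    outbound_spis: set = field(default_factory=set)


def parse_ipsec_sa(text: str) -> SaCounters:
    """Sum the per-peer counters and collect SPIs by direction."""
    c = SaCounters()
    direction = None
    for line in text.splitlines():
        if m := ENCAPS_RE.search(line):
            c.encaps += int(m.group(1))
        elif m := DECAPS_RE.search(line):
            c.decaps += int(m.group(1))
        elif m := RECV_ERR_RE.search(line):
            c.recv_errors += int(m.group(1))
        elif "inbound esp sas" in line:
            direction = "in"
        elif "outbound esp sas" in line:
            direction = "out"
        elif (m := SPI_RE.match(line)) and direction:
            spis = c.inbound_spis if direction == "in" else c.outbound_spis
            spis.add(int(m.group(1), 16))
    return c


def diagnose(a: SaCounters, b: SaCounters) -> dict:
    """Compare A's sends with B's receives and vice versa; name the failing direction."""
    spi_ok = (a.outbound_spis == b.inbound_spis
              and b.outbound_spis == a.inbound_spis)
    # Snapshots are taken at different moments, so a receiver may be slightly
    # ahead of the sender; only a positive deficit counts as loss.
    a_to_b_lost = max(a.encaps - b.decaps, 0)
    b_to_a_lost = max(b.encaps - a.decaps, 0)
    if not spi_ok:
        verdict = "SA mismatch: SPIs do not pair up between the peers"
    elif b_to_a_lost and a.decaps == 0 and a.recv_errors == 0:
        verdict = ("B->A: B encrypted packets A never decrypted, with no recv "
                   "errors on A; ESP is not reaching A's crypto engine. "
                   "Count ESP on A's ingress interface next")
    elif a_to_b_lost and b.decaps == 0 and b.recv_errors == 0:
        verdict = ("A->B: A encrypted packets B never decrypted, with no recv "
                   "errors on B; count ESP on B's ingress interface next")
    elif a_to_b_lost or b_to_a_lost:
        verdict = "partial loss: re-sample both sides together before concluding"
    else:
        verdict = "both directions encrypt and decrypt; look above IPsec"
    return {"spi_ok": spi_ok, "a_to_b_lost": a_to_b_lost,
            "b_to_a_lost": b_to_a_lost, "verdict": verdict}


# Constructed from the counters and SPIs shown for each side in the thread.
SITE_A = """\
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x87C7164F(2277971535)
     inbound esp sas:
      spi: 0x83B90367(2209940327)
      spi: 0x91268ACF(2435222223)
     outbound esp sas:
      spi: 0xF2142416(4061406230)
      spi: 0x87C7164F(2277971535)
"""
SITE_B = """\
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xF2142416(4061406230)
      spi: 0x87C7164F(2277971535)
     outbound esp sas:
      spi: 0x83B90367(2209940327)
      spi: 0x91268ACF(2435222223)
"""

if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SITE_A), parse_ipsec_sa(SITE_B)))
```

Run against the two outputs in the question it reports `spi_ok` true, no loss A to B, and 150 packets lost B to A, which is the same conclusion the accepted answer reaches by eye. Checking the SPI pairing first matters: if the SPIs did not line up, A would be receiving ESP it cannot map to an SA, and the right fix would be to clear and rebuild the SAs rather than to chase the path.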

Best answer, posted 2018-7-12 11:50:37:
The two ends run different versions; check whether some policy defaults differ.
But in your case, A to B has both encryption and decryption. The return traffic is encrypted by B but not decrypted by A, so A is probably not receiving it.
Capture on the A side and see whether any ESP packets from B arrive...
Original poster, posted 2018-7-12 18:58:12
maguanghua2013 wrote on 2018-7-12 16:34:
The two ends run different versions; check whether some policy defaults differ.
But in your case, A to B has both encryption and decryption. The return traffic is encrypted by B ...

Another site is also on version 12.4 and seems to run fine.
I also tested with a capture.
On the B side, the ESP packets B sends to A are matched:
10.128.220.107:
ip access-list extended test
permit esp host 10.128.220.107 host 10.103.2.134 log
permit ip any any

interface GigabitEthernet1
ip address 10.128.220.107 255.255.255.240
ip access-group test out

apnewhkxscs_csr1000v-1#sh access-lists
Extended IP access list test
    10 permit esp host 10.128.220.107 host 10.103.2.134 log (5 matches)
    20 permit ip any any (81632 matches)
--------
On the A side: --- no ESP packets from B are received:
10.103.2.134:
ip access-list extended test
permit esp host 10.128.220.107 host 10.103.2.134
permit ip any any

interface GigabitEthernet0/0
ip address 10.103.2.134 255.255.255.252
ip access-group test in

IPV6-2821-CNBJPEK12-01#sh access-lists   
Extended IP access list test
    10 permit esp host 10.128.220.107 host 10.103.2.134
    20 permit ip any any (399 matches)
I don't know whether they are dropped somewhere along the path or on A itself; there is no firewall on the path.
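The ACL counters above localise the loss one hop further than the SA counters can: B's egress ACL counted 5 ESP packets to A, A's ingress ACL on Gi0/0 counted none, so the packets are gone somewhere between B's outside interface and A's inbound ACL check. Since an IOS inbound ACL is evaluated on every packet that enters the interface, including packets addressed to the router itself, a zero count there means the packets were never presented to the forwarding path at all; a non-zero count combined with zero decaps would instead point inside the receiver. The script below, an added example for this thread and not code from any of the posts, parses `show access-lists` from both ends (IOS prints "(N matches)" only for entries that have hits, so a missing suffix is zero), combines them with the receiver's decaps counter, and prints which of those three cases applies. Sample outputs are constructed from the counts shown in the thread; the function and regex names are mine. One caveat, assumed rather than tested here: the approach only works while the peers exchange raw ESP, as they do here (no NAT on the path); behind NAT the tunnel runs over UDP/4500 and a `permit esp` entry never matches, so a matching `permit udp ... eq 4500` entry would be needed.

```python
"""Localise where ESP packets vanish using interface ACL hit counters.

Parses IOS `show access-lists` output from the sender's egress ACL and the
receiver's ingress ACL and, together with the receiver's #pkts decaps value,
places the loss in one of three zones: the path (sent but never counted on
ingress), the receiver after its inbound ACL (counted but never decrypted),
or nowhere at the IPsec layer (counted and decrypted).
"""
import re

# "10 permit esp host A host B log (5 matches)"; the matches suffix is absent
# when the entry has never been hit.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def acl_hits(text: str) -> dict:
    """Map sequence number -> (protocol, rest of the rule, hit count)."""
    hits = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            seq, _action, proto, rest, count = m.groups()
            hits[int(seq)] = (proto, rest.strip(), int(count or 0))
    return hits


def esp_hits(acl: dict) -> int:
    """Total hits on entries that match protocol esp (raw ESP, no NAT-T)."""
    return sum(n for proto, _rule, n in acl.values() if proto == "esp")


def localise(sender_egress: str, receiver_ingress: str, receiver_decaps: int) -> dict:
    sent = esp_hits(acl_hits(sender_egress))
    arrived = esp_hits(acl_hits(receiver_ingress))
    if sent == 0:
        where = "sender emitted no ESP: check its SA, routing to the peer and the ACL placement"
    elif arrived == 0:
        where = ("lost between sender egress and receiver inbound ACL: the path, "
                 "or the receiver discarding frames before ACL evaluation")
    elif receiver_decaps == 0:
        where = "ESP reached the receiver's interface but was never decrypted: dropped inside the receiver"
    else:
        where = "ESP arrives and is decrypted; the fault is above IPsec"
    return {"sent": sent, "arrived": arrived, "where": where}


# Constructed from the two `show access-lists` outputs shown in the thread.
B_EGRESS = """\
Extended IP access list test
    10 permit esp host 10.128.220.107 host 10.103.2.134 log (5 matches)
    20 permit ip any any (81632 matches)
"""
A_INGRESS = """\
Extended IP access list test
    10 permit esp host 10.128.220.107 host 10.103.2.134
    20 permit ip any any (399 matches)
"""

if __name__ == "__main__":
    # A's "#pkts decaps: 0" from its `show crypto ipsec sa` output.
    print(localise(B_EGRESS, A_INGRESS, receiver_decaps=0))
```

The practical step after a "lost between" verdict is to move the ingress ACL one hop upstream of A (on the next-hop 10.103.2.133 side, if it is manageable) and repeat, until the counters stop agreeing; the hop where the ESP is last seen is where to look. Keep the `log` keyword on the ESP entry only while testing, since logged ACL hits are rate-limited and punted on IOS.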
Original poster, posted 2018-7-13 10:45:46
maguanghua2013 wrote on 2018-7-12 16:34:
The two ends run different versions; check whether some policy defaults differ.
But in your case, A to B has both encryption and decryption. The return traffic is encrypted by B ...

Many thanks for the support. I have now replaced the site A router with an identical device, upgraded to the same 12.4 version; the tunnel to site B comes up normally and OSPF runs without problems. (PS: site A was originally using a reused R2821; we now suspect a fault in the device itself, dropping the packets internally or not processing them.)