碼上快樂

相關內容    簡體    繁體

實際中可能遇到的NAT問題(IPsec)

本文轉載自   查看原文   2018-12-13 15:11   1112    IPSec VPN/ Secure VPN

一、背景介紹:
一般我們在實際網絡中不是IPSec VPN的時候,都是邊界設備連接Internet,然后兩個邊界設備通過Internet去實現互通,建立VPN,但是,有的運營商在分配IP地址的時候,給我們使用的地址可能會在運營商的設備上再完成一次NAT,這樣將會導致我們的IPSec VPN無法建立,我做了一個測試,簡單搭建的拓撲圖如下:

 


R1作為一個分支站點的邊界路由去,R2和R3是作為運營商的設備,R4是總部的一個邊界路由器,但是在R2上針對R1的12.1.1.0/24做了NAT。

二、基本配置:
R1:
R1#sho run int lo0
Building configuration...

Current configuration : 61 bytes
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
end

R1#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 12.1.1.1 255.255.255.0
 half-duplex
 crypto map cisco
end
R1#sho run | s ip route
ip route 0.0.0.0 0.0.0.0 12.1.1.2

R2:
R2#sho run int e0/0
Building configuration...

Current configuration : 115 bytes
!
interface Ethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
end

R2#sho run int e0/1
Building configuration...

Current configuration : 116 bytes
!
interface Ethernet0/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
end

R2#sho run | s ip route
ip route 0.0.0.0 0.0.0.0 23.1.1.3
R2#sho run | s ip nat
 ip nat inside
 ip nat outside
ip nat pool cisco 23.1.1.100 23.1.1.200 netmask 255.255.255.0
ip nat inside source list nat pool cisco

R3:
R3#sho run int e0/0
Building configuration...

Current configuration : 77 bytes
!
interface Ethernet0/0
 ip address 23.1.1.3 255.255.255.0
 half-duplex
end

R3#sho run int e0/1
Building configuration...

Current configuration : 77 bytes
!
interface Ethernet0/1
 ip address 34.1.1.3 255.255.255.0
 half-duplex
end

R3#sho run | s ip route
ip route 12.1.1.0 255.255.255.0 23.1.1.2
R4:
R4#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 34.1.1.4 255.255.255.0
 half-duplex
 crypto map cisco
end

R4#sho run int l0
Building configuration...

Current configuration : 61 bytes
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
end

R4#sho run | s ip route
ip route 0.0.0.0 0.0.0.0 34.1.1.3


如此實現R1和R4站點之間的可達性:
R1#ping 34.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/60/92 ms

三、在R1和R4配置IPSec VPN
R1:
R1#sho run | s crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 34.1.1.4
crypto ipsec transform-set Trans esp-3des esp-sha-hmac
 mode transport
crypto map cisco 10 ipsec-isakmp
 set peer 34.1.1.4
 set transform-set Trans
 set pfs group2
 match address vpn
 crypto map cisco
R1#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 12.1.1.1 255.255.255.0
 half-duplex
 crypto map cisco
End
R1#sho run | s ip access
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255

R4:
R4#sho run | s crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set Trans esp-3des esp-sha-hmac
 mode transport
crypto map cisco 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set Trans
 set pfs group2
 match address vpn
 crypto map cisco
R4#sho run int e0/0
Building configuration...

Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 34.1.1.4 255.255.255.0
 half-duplex
 crypto map cisco
end
R4#sh run | s ip access
ip access-list extended vpn
 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255

四、測試嘗試建立的IPSec VPN,從R4的內部流量到R1的內部流量(模擬為4.4.4.0/24到1.1.1.0/24)為觸發流量。
過程中開啟debug信息:
R1/R4#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on

DEBUG過程
R4#ping 1.1.1.1 so 4.4.4.4 re 100

R1上的debug:
R1#
//收到了R4發來的SA信息:
*Mar  1 00:43:58.955: ISAKMP (0:0): received packet from 34.1.1.4 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:43:58.955: ISAKMP: Created a peer struct for 34.1.1.4, peer port 500
*Mar  1 00:43:58.955: ISAKMP: New peer created peer = 0x646C2A90 peer_handle = 0x8000000C
*Mar  1 00:43:58.959: ISAKMP: Locking peer struct 0x646C2A90, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 00:43:58.959: ISAKMP: local port 500, remote port 500
*Mar  1 00:43:58.959: insert sa successfully sa = 643C4DB8
*Mar  1 00:43:58.963: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:43:58.963: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  1 00:43:58.967: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 00:43:58.967: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:43:58.971: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:43:58.971: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 00:43:58.971: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:43:58.971: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:43:58.975: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 00:43:58.979: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 34.1.1.4
*Mar  1 00:43:58.979: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 00:43:58.979: ISAKMP : Scanning profiles for xauth …
//開始檢查IKE第一階段的策略
*Mar  1 00:43:58.979: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:43:58.979: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:43:58.983: ISAKMP:      hash MD5
*Mar  1 00:43:58.983: ISAKMP:      default group 2
*Mar  1 00:43:58.983: ISAKMP:      auth pre-share
*Mar  1 00:43:58.983: ISAKMP:      life type in seconds
*Mar  1 00:43:58.983: ISAKMP:      life duration (basic) of 28800
*Mar  1 00:43:58.983: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:43:59.023: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:43:59.023: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1
//本端和對端繼續交互SA協商報文,但是發出沒有收到回復
*Mar  1 00:43:59.027: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Mar  1 00:43:59.031: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  1 00:43:59.031: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:43:59.031: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

//本端沒有收到回復,繼續重傳5次,刪除准備協商的SA
*Mar  1 00:44:08.971: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:08.975: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:08.975: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:09.475: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:09.475: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:44:09.475: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:09.475: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:18.979: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:18.983: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:18.983: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:19.483: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:19.483: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:44:19.483: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:19.483: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:28.967: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:28.967: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:28.967: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:29.471: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:29.471: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 00:44:29.471: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:29.471: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:39.019: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:39.019: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:39.019: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:39.523: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:39.523: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 00:44:39.523: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:39.523: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:48.987: ISAKMP (0:134217729): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:44:48.987: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
*Mar  1 00:44:48.987: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
*Mar  1 00:44:49.491: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:49.491: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:44:49.491: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP
*Mar  1 00:44:49.491: ISAKMP:(0:1:SW:1): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
R1#
*Mar  1 00:44:59.495: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Mar  1 00:44:59.495: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Mar  1 00:44:59.495: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 34.1.1.4)
*Mar  1 00:44:59.499: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 34.1.1.4)
*Mar  1 00:44:59.503: ISAKMP: Unlocking IKE struct 0x646C2A90 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:44:59.503: ISAKMP: Deleting peer node by peer_reap for 34.1.1.4: 646C2A90
*Mar  1 00:44:59.507: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
R1#
*Mar  1 00:44:59.507: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_DEST_SA
//開始重復上述過程
*Mar  1 00:44:59.507: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:45:00.971: ISAKMP (0:0): received packet from 34.1.1.4 dport 500 sport 500 Global (N) NEW SA

R4上的debug:
//發出SA協商報文,開始嘗試建立第一階段
*Mar  1 00:43:54.987: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x924045A9(2453685673), conn_id= 0, keysize= 0, flags= 0x400F
*Mar  1 00:43:54.991: ISAKMP: received ke message (1/1)
*Mar  1 00:43:54.995: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 00:43:54.995: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Mar  1 00:43:54.995: ISAKMP: New peer created peer = 0x649A497C peer_handle = 0x8000000C
*Mar  1 00:43:54.995: ISAKMP: Locking peer struct 0x649A497C, IKE refcount 1 for isakmp_initiator
*Mar  1 00:43:54.999: ISAKMP: local port 500, remote port 500
*Mar  1 00:43:54.999: ISAKMP: set new node 0 to QM_IDLE      
*Mar  1 00:43:54.999: insert sa successfully sa = 64278AD0
*Mar  1 00:43:55.003: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:43:55.003: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 12.1.1.1
*Mar  1 00:43:55.003: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:43:55.007: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
//向對端12.1.1.1發起協商,但是回復的是NAT之后的地址23.1.1.100。本端認為協商出錯
*Mar  1 00:43:55.011: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 00:43:55.011: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:43:55.131: ISAKMP (0:0): received p.acket from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:43:55.135: %CRYPTO-4-IKMP_NO_SA: IKE message from 23.1.1.100      has no SA and is not an initialization offer....
*Mar  1 00:44:05.011: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:05.011: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:44:05.011: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:05.015: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:05.595: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:15.015: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:15.015: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:44:15.015: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:15.019: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:15.591: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:24.987: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4)
*Mar  1 00:44:24.991: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x393ADF7B(960159611), conn_id= 0, keysize= 0, flags= 0x400F
*Mar  1 00:44:24.995: ISAKMP: received ke message (1/1)
*Mar  1 00:44:24.995: ISAKMP: set new node 0 to QM_IDLE      
*Mar  1 00:44:24.999: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 34.1.1.4, remote 12.1.1.1)
*Mar  1 00:44:25.019: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:25.019: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 00:44:25.019: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:25.019: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:25.575: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:35.023: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:35.023: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 00:44:35.023: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:35.027: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:35.659: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:45.027: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:44:45.027: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:44:45.027: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:44:45.031: ISAKMP:(0:0:N/A:0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:44:45.599: ISAKMP (0:0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....
*Mar  1 00:44:54.991: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 34.1.1.4, remote= 12.1.1.1,
    local_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4)
*Mar  1 00:44:54.995: ISAKMP: received ke message (3/1)
*Mar  1 00:44:54.995: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
//重傳5次后,刪除准備協商的SA
*Mar  1 00:44:54.999: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 12.1.1.1)
*Mar  1 00:44:55.003: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 12.1.1.1)
*Mar  1 00:44:55.003: ISAKMP: Unlocking IKE struct 0x649A497C for isadb_mark_sa_deleted(), count 0
*Mar  1 00:44:55.003: ISAKMP: Deleting peer node by peer_reap for 12.1.1.1: 649A497C
*Mar  1 00:44:55.007: ISAKMP:(0:0:N/A:0):deleting node 210980541 error FALSE reason "IKE deleted"
*Mar  1 00:44:55.007: ISAKMP:(0:0:N/A:0):deleting node -132879272 error FALSE reason "IKE deleted"
*Mar  1 00:44:55.007: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:44:55.011: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

五、解決方法:
R4(config)#no crypto isakmp key 0 cisco address 12.1.1.1
R4(config)#crypto isakmp key 0 cisco address 23.1.1.100 255.255.255.0
R4(config)#crypto map cisco 10 ipsec-isakmp
R4(config-crypto-map)#no set peer 12.1.1.1
R4(config-crypto-map)#set peer 23.1.1.100



免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 html5中video在安卓與ios實際應用中遇到的問題及解決 selenium(11):元素定位實際遇到的各種問題(持續更新) tqdm中遇到的問題 videojs中遇到的問題 虛擬機中ubuntu不能聯網問題的解決——NAT方式 CentOS 7.7版本中NAT上網問題 python+selenium頁面自動化 元素定位實際遇到的各種問題(持續更新) redis性能優化——生產中實際遇到的問題排查總結 echarts 使用中遇到的問題 antd使用中遇到的問題
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM