IPsec VPN Troubleshooting Notes

Topology

Main configuration:

FW1

isakmp peer tofw2
  isakmp-proposal psk-md5-3des-g2
  pre-share hillstone
  peer 202.90.21.1
  local-id fqdn sandun
  peer-id fqdn wuxi
  nat-traversal
  dpd interval 10 retry 3
  interface ethernet0/0
exit

tunnel ipsec tofw2 auto
  isakmp-peer tofw2
  ipsec-proposal esp-md5-3des-g2
  auto-connect
  accept-all-proxy-id
exit

interface ethernet0/0
  zone  trust
  ip address 183.129.161.1 255.255.255.252
  ip address 121.52.255.74 255.255.255.192 secondary
  manage ping
  no reverse-route
exit

interface tunnel1
  zone  VPNHub
  ip address 192.168.255.1 255.255.255.252
  description tofw2
  manage ping
  tunnel ipsec tofw2
  no reverse-route
exit

ip vrouter trust-vr
  ip route 0.0.0.0/0 183.129.161.2
exit

rule id 1
  action permit
  src-addr Any
  dst-addr Any
  service Any
exit

FW2

isakmp peer tofw1
  isakmp-proposal psk-md5-3des-g2
  pre-share hillstone
  peer 183.129.161.1
  local-id fqdn wuxi
  peer-id fqdn sandun
  nat-traversal
  dpd interval 10 retry 3
  interface loopback1
exit

tunnel ipsec tofw1 auto
  isakmp-peer tofw1
  ipsec-proposal esp-md5-3des-g2
  auto-connect
  accept-all-proxy-id
exit

interface ethernet0/0
  zone  untrust
  ip address 192.168.110.2 255.255.255.252
  manage ping
exit
interface loopback1
  zone  trust
  ip address 202.90.21.1 255.255.255.255
  manage ping
exit
interface tunnel1
  zone  untrust
  ip address 192.168.255.2 255.255.255.252
  description tofw1
  manage ping
  tunnel ipsec tofw1
  no reverse-route
exit

ip vrouter trust-vr
  ip route 0.0.0.0/0 192.168.110.1
exit

rule id 1
  action permit
  src-addr Any
  dst-addr Any
  service Any
exit


Symptom: the tunnel interface cannot be pinged

FW1's debug output shows nothing abnormal; FW2's debug output is as follows

2018-11-26 11:45:19, DEBUG@FLOW: core 0 (sys up 0x14429d ms): From self packet, 0000.2400.0000->0000.2400.0000, size 98, type 0x800, vid 0, interface tunnel1
Start l3 forward
Packet: 192.168.255.2 -> 192.168.255.1, id: 806, ip size 84, prot: 1(ICMP)
ad_vector_for_fast_flow: zonename untrust, proto_flag[1] 7, proto 1
dp_prepare_pak_lookup srcip: 192.168.255.2, dstip: 192.168.255.1, src-port:54540, dst-port:1, prot 1
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
Dataplane first create session from self packet
-----------------First path creating new session-----------------
session is self type
dp_sess_sm_transtion: Do session state machine transtion, id 4, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:1 port:1
Identified as app PING (prot=1). timeout 6.
--------VR:trust-vr start--------
192.168.255.2:54540->192.168.255.1:1
Get nexthop if_id: 36, flags: 0, nexthop: 192.168.255.1
Connection route.
--------VR:trust-vr end--------
Start policy lookup.
session is self type
crt_sess->flow0_io_cpuid 0
flow0 src 192.168.255.2 --> dst 192.168.255.1 with nexthop 192.168.255.1 ifindex 36
flow1 src 192.168.255.1 --> dst 192.168.255.2 nexthop not lookup or invalid
flow0 tunnel, id=1, cpuid=0, local cpuid=0
flow0's next hop: unknown flow1's next hop: 192.168.255.1
crt_sess->revs_rres.gw: unknown, crt_sess->forw_rres.gw unknown
Calculate flow1 hash, srcip: 192.168.255.1, dstip: 192.168.255.2, lports: 1d50c, prot: 1, token: 2
in flow_first profile_merge
------sess:4,app :104 init in first proc
Application 104 hasn't been registered, don't need do ALG
APP inited for application PING
crt_sess policy_flag is 0000, session flag1 is 0000
PING: create session: atomic bit 0
dp_sess_sm_transtion: Do session state machine transtion, id 4, state: 1, event: 3!
The following session is installed
session: id 4, prot 1, flag0 0,flag1 0, created 1327, life 600
  flow0(if id: 36 flow id: 8 flag: 40200c98):192.168.255.2:54540
->192.168.255.1:1
  flow1(if id: 36 flow id: 9 flag: 880): 192.168.255.1:1
->192.168.255.2:54540
Session installed successfully
-----------------------First path over---------------------
Found the session 4
session: id 4, prot 1, flag0 0,flag1 0, created 1327, life 600
  flow0(if id: 36 flow id: 8 flag: 40200c98):192.168.255.2:54540
->192.168.255.1:1
  flow1(if id: 36 flow id: 9 flag: 890): 192.168.255.1:1
->192.168.255.2:54540
dp_app_proc: 0x0x2aaaab956500 
dp_app_proc: ICMP or fragment packet or need skip app proc, just forward it 
ICMP after translation: data1 cd5, data2 100 
Dropped: Route to 183.129.161.171 out interface zone is not the same with tunnel's.

From this we can tell that the drop happens because the packet's outgoing interface is not the same as the interface on which the tunnel is established (the zones do not match).

The following adjustment is needed on FW2

Change the configuration:

interface ethernet0/0
zone "untrust"
ip address 192.168.110.2 255.255.255.252
mirror enable tx
manage ping
exit
interface loopback1
zone "trust"
ip address 202.90.21.193 255.255.255.255
manage ping
exit


to:

interface ethernet0/0
zone "untrust"
ip address 202.90.21.193 255.255.255.255
ip address 192.168.110.2 255.255.255.252 secondary
manage ssh
manage ping
manage snmp
manage https
exit


Notes:

  1. When pinging the FW2 tunnel interface address from FW1, the debug filter must not be set to the tunnel interface address, because at that point the packets FW2 receives are encapsulated and carry the IP addresses of the two tunnel negotiation endpoints.


  2. The loopback1 address must not be added as a secondary IP on the egress interface ethernet0/0; traffic would still fail. The loopback1 address must become the primary IP of e0/0, and the original primary IP becomes the secondary IP. Since forwarding is decided by the gateway, this change has no impact on traffic.
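As an added example (not part of the original note), the following script reproduces the check behind the drop message "out interface zone is not the same with tunnel's": it parses a minimal Hillstone-style configuration, finds the interface the ISAKMP peer is actually reached through (connected route first, then the default gateway) and compares its zone with the zone of the interface the ISAKMP peer is bound to. The two config excerpts are constructed from the note's FW2 values; binding the ISAKMP peer to ethernet0/0 once loopback1 is removed is an assumption, since the note does not show that line.

```python
import ipaddress
import re

def parse_config(text):
    ifaces, peers, gw, block, name = {}, {}, None, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "exit":
            block = None
        elif block == "if":
            if m := re.match(r'zone\s+"?(\w+)"?', line):
                ifaces[name]["zone"] = m[1]
            elif m := re.match(r"ip address (\S+) (\S+)", line):  # primary or secondary
                ifaces[name]["nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif block == "peer":
            if m := re.match(r"peer (\S+)", line):  # 'peer-id ...' does not match
                peers[name]["peer"] = ipaddress.ip_address(m[1])
            elif m := re.match(r"interface (\S+)", line):  # interface the ISAKMP peer is bound to
                peers[name]["interface"] = m[1]
        elif m := re.match(r"interface (\S+)", line):
            block, name, ifaces[m[1]] = "if", m[1], {"zone": None, "nets": []}
        elif m := re.match(r"isakmp peer (\S+)", line):
            block, name, peers[m[1]] = "peer", m[1], {"peer": None, "interface": None}
        elif m := re.match(r"ip route 0\.0\.0\.0/0 (\S+)", line):
            gw = ipaddress.ip_address(m[1])
    return ifaces, peers, gw

def check_tunnel_zone(text):
    ifaces, peers, gw = parse_config(text)
    out = {}
    for name, p in peers.items():
        egress = None
        for target in [t for t in (p["peer"], gw) if t]:  # connected route first, then default gateway
            hits = [(n.prefixlen, i) for i, d in ifaces.items() for n in d["nets"] if target in n]
            if hits:
                egress = max(hits)[1]  # longest prefix wins
                break
        bound_zone = ifaces.get(p["interface"], {}).get("zone")
        egress_zone = ifaces[egress]["zone"] if egress else None
        out[name] = {"bound_zone": bound_zone, "egress": egress, "egress_zone": egress_zone,
                     "ok": egress_zone is not None and bound_zone == egress_zone}
    return out

# Constructed FW2 excerpts (values from the note); 'interface ethernet0/0' under the peer in FW2_AFTER is an assumption.
FW2_BEFORE = ("isakmp peer tofw1\n peer 183.129.161.1\n interface loopback1\nexit\n"
              "interface ethernet0/0\n zone untrust\n ip address 192.168.110.2 255.255.255.252\nexit\n"
              "interface loopback1\n zone trust\n ip address 202.90.21.193 255.255.255.255\nexit\n"
              "ip vrouter trust-vr\n ip route 0.0.0.0/0 192.168.110.1\nexit\n")
FW2_AFTER = ("isakmp peer tofw1\n peer 183.129.161.1\n interface ethernet0/0\nexit\n"
             "interface ethernet0/0\n zone untrust\n ip address 202.90.21.193 255.255.255.255\n"
             " ip address 192.168.110.2 255.255.255.252 secondary\nexit\nip vrouter trust-vr\n ip route 0.0.0.0/0 192.168.110.1\nexit\n")
```

Running check_tunnel_zone on FW2_BEFORE reports the bound zone trust against the egress zone untrust, which is exactly the mismatch the debug line shows; the script only models this zone condition, not the primary-versus-secondary IP requirement from note 2.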

Reposted from www.cnblogs.com/itechnology/p/10022926.html