H3C MSR5006 and Cisco ASA 5506 IPsec VPN problem, urgent help needed

httpurl
Level 1
This post was last edited by httpurl on 2017-9-19 08:38
Our company's main router is an H3C MSR5006; it connects to the Suzhou office and the Hong Kong office over IPsec VPN so the LANs can reach each other. The office devices are Cisco ASA 5506-X. The problem: the company-Hong Kong VPN works and the Suzhou-Hong Kong VPN works, but the company-Suzhou VPN does not. In a ping test the H3C web page shows the tunnel established and packets being sent, but nothing received; on the Suzhou side the VPN shows packets received but none sent. I'd be grateful for any suggestions, because in my test environment everything works fine. Headache...
Environment: company (HQ) H3C MSR5006, G0/1 address A.A.A.A, VPN to Suzhou: failing
G0/2 address B.B.B.B, VPN to Hong Kong: working

Suzhou Cisco ASA5506, address S.S.S.S, VPN to HQ: failing
VPN to Hong Kong: working

Hong Kong Cisco ASA5506, address X.X.X.X, VPN to Suzhou: working
VPN to HQ: working
VPN tunnel status below: only HQ's packets appear; Suzhou shows no packets at all
1. HQ (tunnel status screenshot)
2. Suzhou (tunnel status screenshot)
All three are point-to-point IPsec VPNs. The full configs follow:
H3C MSR5006
 sysname H3C
#
 clock timezone #Web#8#01 add 08:00:00
#
 undo copyright-info enable
#
 l2tp enable
#
 firewall enable
 firewall fragments-inspect
#
 nat address-group 1 a.a.a.a
#
 domain default enable system
#
 dns proxy enable
 dns server 218.2.135.1
 dns server 61.147.37.1
 dns server 221.6.4.67
 dns server 8.8.8.8
 dns server 8.8.4.4
#
 telnet server enable
#
acl number 3003 name ipsec-danyang-HK                (Hong Kong)
 rule 1 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.16.0 0.0.3.255
 rule 2 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.32.0 0.0.3.255
 rule 3 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.48.0 0.0.3.255
 rule 4 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.96.0 0.0.3.255
 rule 5 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.112.0 0.0.3.255
 rule 6 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.48.0 0.0.3.255
 rule 7 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.64.0 0.0.3.255
 rule 8 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.96.0 0.0.3.255
 rule 9 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.16.0 0.0.3.255
 rule 10 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.32.0 0.0.3.255
 rule 11 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.112.0 0.0.3.255
#
acl number 3004 name ipsec-danyang-suzhou            (Suzhou)
 rule 1 permit ip source 192.168.116.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc 256
 dh group2
 authentication-algorithm md5
#
ike proposal 2
 encryption-algorithm aes-cbc 256
 dh group2
 authentication-algorithm md5
#
ike peer danyang
 proposal 1
 pre-shared-key cipher $c$3$+ZV+GT+4wp8f5neCQFIEQXy76qZvbs3ou7t3gw==
 remote-address x.x.x.x                              (Hong Kong)
 nat traversal
#
ike peer suzhou
 proposal 2
 pre-shared-key cipher $c$3$QyGjdpSUAigaFmqRHyHT9z6hIUTLJTh/
 remote-address s.s.s.s                              (Suzhou)
 nat traversal
#
ipsec proposal danyang
 esp encryption-algorithm aes 256
#
ipsec proposal suzhou
 esp encryption-algorithm aes 256
#
ipsec policy 1048577 1 isakmp                        (Suzhou)
 connection-name suzhou
 security acl 3004
 ike-peer suzhou
 proposal suzhou
 sa duration traffic-based 4608000
 sa duration time-based 28800
#
ipsec policy 1048578 1 isakmp                        (Hong Kong)
 connection-name danyang
 security acl 3003
 ike-peer danyang
 proposal danyang
 sa duration traffic-based 4608000
 sa duration time-based 28800
#
attack-defense policy 86 interface GigabitEthernet0/1    (flow control)
 signature-detect action drop-packet
 signature-detect fraggle enable
 signature-detect land enable
 signature-detect winnuke enable
 signature-detect tcp-flag enable
 signature-detect icmp-unreachable enable
 signature-detect icmp-redirect enable
 signature-detect tracert enable
 signature-detect smurf enable
 signature-detect source-route enable
 signature-detect route-record enable
 signature-detect large-icmp enable
 defense scan enable
 defense scan add-to-blacklist
 defense syn-flood enable
 defense syn-flood action drop-packet
 defense udp-flood enable
 defense udp-flood action drop-packet
 defense icmp-flood enable
 defense icmp-flood action drop-packet
#
attack-defense policy 87                             (flow control)
 signature-detect action drop-packet
 signature-detect fraggle enable
 signature-detect land enable
 signature-detect winnuke enable
 signature-detect tcp-flag enable
 signature-detect icmp-unreachable enable
 signature-detect icmp-redirect enable
 signature-detect tracert enable
 signature-detect smurf enable
 signature-detect source-route enable
 signature-detect route-record enable
 signature-detect large-icmp enable
 defense scan enable
 defense scan add-to-blacklist
 defense syn-flood enable
 defense syn-flood action drop-packet
 defense udp-flood enable
 defense udp-flood action drop-packet
 defense icmp-flood enable
 defense icmp-flood action drop-packet
#
interface GigabitEthernet0/1
 port link-mode route
 description it
 nat outbound
 ip address a.a.a.a 255.255.255.224                  (external address facing Suzhou)
 dar enable
 dar protocol-statistic flow-interval 10
 ipsec no-nat-process enable
 ipsec policy 1048577
 mirroring-group 1 mirroring-port both
 attack-defense apply policy 86
 flow-statistic enable inbound
 flow-statistic enable outbound
 ip flow-ordering external
#
interface GigabitEthernet0/2
 port link-mode route
 description liantong
 nat outbound
 ip address b.b.b.b 255.255.255.192                  (external address facing Hong Kong)
 dar enable
 dar protocol-statistic flow-interval 10
 ipsec no-nat-process enable
 ipsec policy 1048578
 mirroring-group 1 mirroring-port both
 attack-defense apply policy 87
 flow-statistic enable inbound
 flow-statistic enable outbound
 ip flow-ordering external
#

Suzhou Cisco ASA 5506
: Serial Number: JAD20220ELA
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
interface GigabitEthernet1/1                         (Suzhou external address)
 nameif OUTSIDE
 security-level 0
 ip address S.S.S.S
!
interface GigabitEthernet1/2                         (Suzhou internal address)
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name zennioptical.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET.IN-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
object network 192.168.116.10
 host 192.168.116.10
object network NETWORK_OBJ_192.168.1.0_24            (local LAN)
 subnet 192.168.1.0 255.255.255.0
object network 192.168.116.0
 subnet 192.168.116.0 255.255.255.0
object-group network NET-IP-RACKSPACE-HK             (Hong Kong LANs)
 network-object 172.25.112.0 255.255.252.0
 network-object 172.25.16.0 255.255.252.0
 network-object 172.25.32.0 255.255.252.0
 network-object 172.25.48.0 255.255.252.0
 network-object 172.25.64.0 255.255.252.0
 network-object 172.25.96.0 255.255.252.0
 network-object 172.24.16.0 255.255.252.0
 network-object 172.24.32.0 255.255.252.0
 network-object 172.24.48.0 255.255.252.0
 network-object 172.24.96.0 255.255.252.0
 network-object 172.24.112.0 255.255.252.0
object-group network net-danyang                     (HQ LAN)
 network-object object 192.168.116.0
access-list OUTSIDE remark ALLOWANCE FOR TRACEROUTE
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE remark IP SECTION BEGINS
access-list OUTSIDE remark -
access-list OUTSIDE extended permit ip host 2.2.2.2 any
access-list OUTSIDE extended permit ip 1.1.1.10 any
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE remark -
access-list OUTSIDE remark UDP SECTION BEGINS
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark TCP SECTION BEGINS
access-list OUTSIDE remark TCP SECTION BEGINS
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE_cryptomap extended permit ip object NET.IN-192.168.1.0-24 object-group NET-IP-RACKSPACE-HK
access-list OUTSIDE_cryptomap_1 extended permit ip object NET.IN-192.168.1.0-24 object-group net-danyang
pager lines 24
logging enable
logging asdm debugging
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! NAT rules
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static NET-IP-RACKSPACE-HK NET-IP-RACKSPACE-HK no-proxy-arp route-lookup    (Hong Kong)
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static net-danyang net-danyang no-proxy-arp route-lookup    (HQ)
!
object network NET.IN-192.168.1.0-24
 nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 3.3.3.3 1              (static default route to the Internet)
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
! management access from outside
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
http 1.1.1.10.0 255.255.255.0 OUTSIDE
http 1.1.1.1 255.255.255.255 OUTSIDE
http 1.1.1.1 255.255.255.224 OUTSIDE
snmp-server host OUTSIDE 1.1.1.1 community *****
snmp-server host OUTSIDE 1.1.1.1 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5

IKE negotiation:
Suzhou to Hong Kong uses ESP-AES-256-SHA with both IKEv1 and IKEv2 enabled
Suzhou to HQ uses ESP-AES-256-MD5, IKEv1 only
HQ to Hong Kong uses ESP-AES-256-MD5, IKEv1 only
In testing I tried the two tunnels with the same and with different IKE settings; the tunnel comes up either way, but Suzhou never sends packets back.

crypto ipsec security-association pmtu-aging infinite
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer x.x.x.x            (Hong Kong address)
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 2 set peer a.a.a.a            (HQ address)
crypto map OUTSIDE_map 2 set ikev1 transform-set ESP-AES-256-MD5
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 200
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck

dhcpd dns 3.3.3.3                                    (DNS is the ISP gateway)
!
dhcpd address 192.168.1.5-192.168.1.254 INSIDE
dhcpd enable INSIDE
!
group-policy GroupPolicy_xianggang internal
group-policy GroupPolicy_xianggang attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username guestmin password VNM4zYPEVwZEDQOd encrypted privilege 15
username joe password 9d0Zbb5vniFMEC2t encrypted privilege 15
username tan password wf7On0i5n41YhRUJ encrypted privilege 15
username davidsm password sRzlsSdAfQ.ImAFl encrypted privilege 15
username itadmin password AJi448PhOZIXFSyj encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l                  (Hong Kong tunnel)
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_xianggang
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group a.a.a.a type ipsec-l2l                  (HQ tunnel)
tunnel-group a.a.a.a general-attributes
 default-group-policy GroupPolicy1
tunnel-group a.a.a.a ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a647868a5d45d9af6bee841097a52f46
: end
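The symptom in the first post (the H3C counts packets sent and none received, the Suzhou ASA counts packets received and none sent) can be read straight off the SA counters of both gateways. The script below is an added example, not code from the original post: it parses the Suzhou ASA's `show crypto ipsec sa` output and classifies which leg of the tunnel is failing. The ASA excerpt is constructed in that command's format with made-up counts, and the H3C side's counts are passed in as plain integers because the post only shows them as a screenshot; the peer address `a.a.a.a` and the ACL name are the poster's placeholders.

```python
"""Read the IPsec SA counters at both ends and say which leg of a one-way tunnel
is broken. Added example for this thread, not from the original post. The ASA
excerpt is constructed in the format of 'show crypto ipsec sa' with made-up
counts; the H3C side's counts are passed in as plain integers because the post
shows them only as a screenshot."""
import re

ASA_SA_SAMPLE = """\
interface: OUTSIDE
    Crypto map tag: OUTSIDE_map, seq num: 2, local addr: S.S.S.S

      access-list OUTSIDE_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.116.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
      current_peer: a.a.a.a

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""


def parse_asa_sa(text):
    """One dict per crypto-map entry: peer, local/remote proxy IDs and the counters."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.search(r"Crypto map tag: (\S+), seq num: (\d+)", line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2))}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/", line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = re.search(r"current_peer: (\S+)", line)
        if m:
            cur["peer"] = m.group(1)
            continue
        # Only the counters that matter for direction: encaps/decaps and errors.
        for name, val in re.findall(r"#(pkts (?:encaps|decaps)|(?:send|recv) errors): (\d+)", line):
            cur[name.replace(" ", "_")] = int(val)
    return entries


def diagnose(enc, dec, peer_enc, peer_dec):
    """enc/dec are this gateway's encaps/decaps, peer_* the other gateway's.
    Each gateway's 'encaps' should show up as the other gateway's 'decaps'."""
    findings = []
    if enc == 0 and dec == 0 and peer_enc == 0 and peer_dec == 0:
        return ["no packet matched either crypto ACL: proxy IDs or routing into the tunnel"]
    if peer_enc and dec == 0:
        findings.append("peer encrypts but nothing decrypts here: packets lost in transit "
                        "(ESP/UDP 4500 filtered, NAT in the path) or SPI/SA mismatch")
    if enc and peer_dec == 0:
        findings.append("this side encrypts but the peer decrypts nothing: same checks, other direction")
    if dec and enc == 0:
        findings.append("decrypts but never encrypts a reply: the return traffic does not reach the "
                        "crypto map on this gateway (NAT rewriting the source first, missing route "
                        "back to the tunnel, or the host not answering)")
    return findings or ["two-way traffic, counters consistent"]


def triage(asa_text, h3c_enc, h3c_dec, peer):
    """Pick the ASA SA facing 'peer' and diagnose it against the H3C counters."""
    sa = next(e for e in parse_asa_sa(asa_text) if e.get("peer") == peer)
    return sa, diagnose(sa.get("pkts_encaps", 0), sa.get("pkts_decaps", 0), h3c_enc, h3c_dec)


if __name__ == "__main__":
    # Constructed H3C numbers: 57 sent toward Suzhou, 0 received (the poster's symptom).
    sa, findings = triage(ASA_SA_SAMPLE, 57, 0, "a.a.a.a")
    print(sa["local"], "<->", sa["remote"], "peer", sa["peer"])
    for f in findings:
        print("-", f)
```

For the counts in the thread the verdict is the third branch: the Suzhou ASA decrypts HQ's packets but never encrypts a reply, so the return traffic is not reaching its crypto map. That points at the Suzhou side (NAT, routing, or the host) rather than at the path between the gateways, which is where the replies in this thread look.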

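The poster's IKE note lists the phase-2 transform sets, but phase 1 has to match as well: the H3C `ike proposal` (AES-256, MD5, DH group 2, pre-shared key) can only be accepted by the ASA's `crypto ikev1 policy 200`, the one policy with `hash md5`. The script below is an added example, not code from the original post. It parses both sides' phase-1 settings, finds the first ASA policy a given H3C proposal matches, and flags the settings a security reviewer would question (MD5, DES/3DES, DH groups 1 and 2). The fragments are constructed from the configs quoted above; for attributes the H3C proposal leaves unset, Comware V5 defaults are assumed (DES, SHA, group 1, pre-shared key). IKE lifetimes are left out because a mismatch there does not block the match.

```python
"""Phase-1 (IKEv1) proposal matching between an H3C 'ike proposal' and the ASA's
'crypto ikev1 policy' list, plus weak-setting flags. Added example for this thread,
not from the original post. The fragments are constructed from the configs quoted
in the thread; attributes the H3C side leaves unset get Comware V5 defaults
(assumed: des-cbc, sha, group1, pre-share)."""

H3C_IKE = """
ike proposal 2
 encryption-algorithm aes-cbc 256
 dh group2
 authentication-algorithm md5
"""

ASA_IKE = """
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 200
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
"""

# Settings a reviewer would flag on either side.
WEAK = {"enc": {"des", "3des"}, "hash": {"md5"}, "group": {"group1", "group2"}}


def norm_enc(tokens):
    """Normalise both vendors' spellings: 'aes-cbc 256' / 'aes-256' -> aes-256, 'aes' -> aes-128."""
    alg = tokens[0].replace("-cbc", "")
    if alg == "aes":
        return "aes-" + (tokens[1] if len(tokens) > 1 else "128")
    return alg


def h3c_proposals(text):
    """'ike proposal N' blocks -> {N: {enc, hash, group, auth}} with defaults filled in."""
    props, cur = {}, None
    for ln in text.splitlines():
        t = ln.split()
        if not t:
            continue
        if t[:2] == ["ike", "proposal"]:
            cur = props.setdefault(int(t[2]), {"enc": "des", "hash": "sha",
                                               "group": "group1", "auth": "pre-share"})
        elif cur is not None:
            if t[0] == "encryption-algorithm":
                cur["enc"] = norm_enc(t[1:])
            elif t[0] == "authentication-algorithm":
                cur["hash"] = t[1]
            elif t[0] == "dh":
                cur["group"] = t[1]
            elif t[0] == "authentication-method":
                cur["auth"] = "rsa-sig" if t[1].startswith("rsa") else t[1]
    return props


def asa_ikev1_policies(text):
    """'crypto ikev1 policy N' blocks -> {N: {enc, hash, group, auth}}, ordered by priority."""
    pols, cur = {}, None
    for ln in text.splitlines():
        t = ln.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ikev1", "policy"]:
            cur = pols.setdefault(int(t[3]), {})
        elif cur is not None:
            if t[0] == "encryption":
                cur["enc"] = norm_enc(t[1:])
            elif t[0] == "hash":
                cur["hash"] = t[1]
            elif t[0] == "group":
                cur["group"] = "group" + t[1]
            elif t[0] == "authentication":
                cur["auth"] = t[1]
    return dict(sorted(pols.items()))


def first_match(proposal, policies):
    """The ASA walks its policies in ascending priority and takes the first full match."""
    for num, pol in policies.items():
        if all(pol.get(k) == proposal[k] for k in ("enc", "hash", "group", "auth")):
            return num
    return None


def weak_settings(params):
    """Weak settings in a fixed order: enc, hash, group."""
    return [f"{k}={params[k]}" for k in ("enc", "hash", "group") if params.get(k) in WEAK[k]]


def review(h3c_text=H3C_IKE, asa_text=ASA_IKE):
    props, pols = h3c_proposals(h3c_text), asa_ikev1_policies(asa_text)
    return {
        "matches": {n: first_match(p, pols) for n, p in props.items()},
        "weak_h3c": {n: weak_settings(p) for n, p in props.items()},
        "weak_asa": {n: weak_settings(p) for n, p in pols.items() if weak_settings(p)},
    }


if __name__ == "__main__":
    for section, result in review().items():
        print(section, result)
```

Two things fall out of running it against the posted configs: the HQ tunnel depends on policy 200 alone, so removing or renumbering that one policy would break phase 1 while leaving the Hong Kong tunnel up; and every ASA policy uses DH group 2, with DES and 3DES still offered to any peer that reaches the OUTSIDE interface. Which stronger options are available depends on what both platforms support, so check that before changing either side.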
21 replies

httpurl
Level 1
Quoting arvinjing, posted 2017-9-14 17:10:
object network NETWORK_OBJ_192.168.1.0_24 (local LAN)
subnet 192.168.1.0 255.255.255.0
Use this Objec ...

Then why does the tunnel to Hong Kong, which uses the same object for its IPsec VPN, work perfectly?

httpurl
Level 1
Quoting arvinjing, posted 2017-9-14 17:10:
object network NETWORK_OBJ_192.168.1.0_24 (local LAN)
subnet 192.168.1.0 255.255.255.0
Use this Objec ...

Because the LAN object used for Hong Kong is the same one as the PAT object, NET.IN-192.168.1.0-24

httpurl
Level 1
Tested with a spare device in the test environment: even when the object is created under the PAT rule and then referenced by the VPN, the VPN test works fine. Could this be a bug that occurs intermittently??
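
A check for the two things this thread turns on: that the proxy IDs (the H3C `security acl` and the ASA crypto-map ACL) mirror each other exactly, and that every pair in the crypto ACL is covered by an identity twice-NAT rule. The second matters because on the ASA NAT runs before the crypto map, so a source rewritten by `nat (INSIDE,OUTSIDE) dynamic interface` would no longer match the proxy ID, which is the object question raised in the replies. This is an added example, not code from the thread; the fragments are constructed from the Suzhou and HQ configs quoted in the first post (Hong Kong entries omitted), the H3C wildcard masks are assumed contiguous, and the object, ACL and rule names are the poster's.

```python
"""Cross-check the proxy IDs (crypto ACLs) and the NAT exemption of the HQ<->Suzhou
tunnel. Added example for this thread, not from the original post. The two fragments
are constructed from the configs quoted in the thread (Hong Kong entries left out);
H3C wildcard masks are assumed contiguous."""
import ipaddress
import re

H3C_ACL = """
acl number 3004 name ipsec-danyang-suzhou
 rule 1 permit ip source 192.168.116.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

ASA_CONF = """
object network NET.IN-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
object network 192.168.116.0
 subnet 192.168.116.0 255.255.255.0
object-group network net-danyang
 network-object object 192.168.116.0
access-list OUTSIDE_cryptomap_1 extended permit ip object NET.IN-192.168.1.0-24 object-group net-danyang
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static net-danyang net-danyang no-proxy-arp route-lookup
object network NET.IN-192.168.1.0-24
 nat (INSIDE,OUTSIDE) dynamic interface
"""


def wildcard_net(addr, wild):
    """H3C ACLs use inverse masks: 0.0.3.255 -> /22, 0 -> /32 (contiguous masks assumed)."""
    bits = int(ipaddress.IPv4Address("0.0.0.0" if wild == "0" else wild)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def h3c_pairs(text):
    """(source, destination) networks of every 'rule N permit ip ...' line."""
    rule = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
    return [(wildcard_net(s, sw), wildcard_net(d, dw)) for s, sw, d, dw in rule.findall(text)]


def asa_objects(lines):
    """Resolve 'object network' / 'object-group network' blocks to lists of networks."""
    objs, cur = {}, None
    for t in lines:
        if t[:2] in (["object", "network"], ["object-group", "network"]):
            cur = objs.setdefault(t[2], [])
        elif cur is not None and t[0] in ("subnet", "host", "network-object"):
            if t[1] == "object":                        # nested object reference
                cur.extend(objs[t[2]])
            elif "host" in t[:2]:
                cur.append(ipaddress.ip_network(f"{t[-1]}/32"))
            else:
                cur.append(ipaddress.ip_network(f"{t[-2]}/{t[-1]}", strict=False))
    return objs


def term(tokens, i):
    """Consume one address term of an ACE: any | host A | object X | object-group X | A M."""
    n = 1 if tokens[i] in ("any", "any4") else 2
    return tokens[i:i + n], i + n


def resolve(tk, objs):
    if tk[0] in ("object", "object-group"):
        return objs[tk[1]]
    if tk[0] == "host":
        return [ipaddress.ip_network(f"{tk[1]}/32")]
    if tk[0] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(f"{tk[0]}/{tk[1]}", strict=False)]


def asa_acl_pairs(lines, objs, name):
    """(source, destination) pairs of the named crypto ACL, object references expanded."""
    pairs = []
    for t in lines:
        if t[:2] == ["access-list", name] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = term(t, 5)
            dst, _ = term(t, i)
            pairs += [(s, d) for s in resolve(src, objs) for d in resolve(dst, objs)]
    return pairs


def asa_identity_nat(lines, objs):
    """Twice-NAT identity rules: 'nat (in,out) source static A A destination static B B'."""
    pairs = []
    for t in lines:
        if t[:1] == ["nat"] and t[2:4] == ["source", "static"] and t[4] == t[5] \
                and t[6:8] == ["destination", "static"] and t[8] == t[9]:
            pairs += [(s, d) for s in objs[t[4]] for d in objs[t[8]]]
    return pairs


def unmirrored(h3c, asa):
    """Proxy IDs must mirror each other: H3C (src,dst) <-> ASA (dst,src)."""
    return ([p for p in h3c if (p[1], p[0]) not in asa],
            [p for p in asa if (p[1], p[0]) not in h3c])


def not_exempted(asa_pairs, nat_pairs):
    """Crypto-ACL pairs no identity rule covers: the dynamic PAT would rewrite their
    source to the OUTSIDE address before the crypto map sees them."""
    return [(s, d) for s, d in asa_pairs
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat_pairs)]


def audit(h3c_text=H3C_ACL, asa_text=ASA_CONF, acl="OUTSIDE_cryptomap_1"):
    lines = [l.split() for l in asa_text.splitlines() if l.strip()]
    objs = asa_objects(lines)
    asa = asa_acl_pairs(lines, objs, acl)
    return {"unmirrored": unmirrored(h3c_pairs(h3c_text), asa),
            "not_exempted": not_exempted(asa, asa_identity_nat(lines, objs))}


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'OK'}")
```

Against the posted objects both lists come back empty, in line with the thread's conclusion that the configuration itself was sound. `audit()` takes alternative texts, so the same check can be rerun after editing either side, for instance to confirm that a new subnet added to the H3C ACL has its mirror entry and its identity NAT rule on the ASA.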

xuxianda7
Spotlight
The spare machine with the same config has no problem?

httpurl
Level 1
The problem was resolved after rebooting the device. The config was fine; probably a device bug.
Special thanks to arvinjing for patiently reviewing my config. Thank you!!

httpurl
Level 1
Quoting arvinjing, posted 2017-9-14 17:10:
object network NETWORK_OBJ_192.168.1.0_24 (local LAN)
subnet 192.168.1.0 255.255.255.0
Use this Objec ...

The problem was resolved after rebooting the device and everything is now normal; the overall config had no problem.
Special thanks to arvinjing for patiently reviewing my config and tracking down the problem.
Thank you!!!

Yanli Sun
Community Manager
Thanks for sharing the solution; glad your problem got resolved :)