Hillstone (山石网科) IPsec VPN: common faults and debug troubleshooting notes, final edition

Hi everyone.

I expect some of you opened this thinking "this guy is at it with Hillstone again". Guilty, but this time I have brought some troubleshooting notes, which I hope will help when you hit a problem during the usual configuration steps and do not know where to start.

Honestly, Hillstone is good to work with. Try it if you do not believe me!!

Enough talk. Let's get to it.

Here is an IPsec topology I drew on the spot, so you have something to look at; otherwise a thousand of you will be muttering "no picture, no talk".

(Ignore the wretched watermark.) None of that matters: today's subject is the two firewalls. The diagram (omitted) shows a route-based IPsec VPN on a tunnel interface, but this article also walks through the common mistakes of policy-based VPN alongside route-based VPN, so read carefully.

In everyday enterprise networking, the need to build a VPN comes up constantly. The basic case is a single site-to-site tunnel; a step up is a full mesh of site-to-site IPsec tunnels between all sites, which is a lot of work but secure, and it avoids the hub-and-spoke dependency on one central site (less work, but a big latent risk).

Everyone knows IPsec VPN negotiation has two phases. What does each one negot iate? Phase 1 (IKE/ISAKMP, main or aggressive mode) authenticates the two peers, here with a pre-shared key, and builds the encrypted control channel; Phase 2 (quick mode) negotiates the IPsec SAs themselves: the ESP transform, the proxy IDs, the optional PFS group and the lifetimes. Keep that split in mind, because it tells you which debug output to read; the rest is in any textbook (:!!!!

Now straight to the problems you may run into in an IPsec configuration:

  1. Wrong public-facing (egress) interface selected, as in the screenshot below (omitted). This one deserves the whip!!
  2. Characters in the pre-shared key that are easy to confuse (1 and I, l and 1, capital O and 0, and the like), so that when the key goes through the project e-mail thread the far end types it in wrong. That mistake should cost you a pay cut!!! Generate the key randomly and long, from an alphabet without look-alike glyphs, and hand it over through a channel other than the one that carries the rest of the configuration.
  3. Phase 1 connection type mis-selected by a slip of the hand. This rarely happens for real, but I often change it on purpose and let the new people on the team troubleshoot it; excellent training, honestly.
  4. Algorithm mismatch! I will not bother with examples: straight to a pay cut.
    PS: I once watched a company spend two days failing to bring a VPN up. When I went over and checked, the algorithms on the two sides differed, and the supervisor fired the ops engineer on the spot. It made me very nervous, and I have been careful about slips ever since!!
    Figure: (omitted)
  5. Phase 2 auto-connect not ticked! With some other vendors' devices, leaving this unticked causes problems.
  6. Phase 2 proxy IDs missing or wrong. If the peer is also a Hillstone, ticking auto is enough; with any other device you must fill in the proxy IDs.

    Remember: the proxy ID is not where interesting traffic is defined later on; it is one of the Phase 2 negotiation parameters (the IDci/IDcr selectors that quick mode exchanges, which must match what the peer proposes). Many entry-level "players" never get this straight, so pay particular attention. It follows that the policy which permits the traffic also has to confine the interesting traffic in both directions; write those policies strictly, otherwise what you have is any to any!!

  7. Phase 1 and Phase 2 are both up, yet the two LANs still cannot talk!

    Now check: has the route pointing at the tunnel interface been written? Is there a no-NAT rule so the VPN traffic is exempt from SNAT? For a route-based VPN, do the policies permit the right direction? For a policy-based VPN, is the security connection direction set correctly?
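
As an added example for item 2 (not from the original post, and not Hillstone code): a small Python helper that generates a pre-shared key from an alphabet with no look-alike glyphs and vets a key somebody mailed you before it goes into the second firewall. The alphabet, the 32-character default and the 128-bit floor are this example's choices, not Hillstone requirements.

```python
"""Generate and vet IKE pre-shared keys so the 1/I/l and O/0 confusion from item 2
cannot bite when the key travels through e-mail. Added example for this post, not
StoneOS code; the alphabet, the 32-character default and the 128-bit floor are choices
made for this example, not Hillstone requirements."""
import math
import secrets
import string

CONFUSABLE = set("0Oo1Il|")                       # glyphs that look alike in most fonts
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in CONFUSABLE)


def generate_psk(length=32):
    """Uniform draw from the unambiguous alphabet using the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(psk):
    """Upper-bound entropy if every character were drawn uniformly from the classes present."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in psk))
    return len(psk) * math.log2(pool) if pool else 0.0


def vet_psk(psk, min_bits=128):
    """Problems a reviewer should raise before the key is pasted into both firewalls."""
    problems = []
    bad = sorted(set(psk) & CONFUSABLE)
    if bad:
        problems.append("confusable characters: " + " ".join(bad))
    if any(ch.isspace() for ch in psk):
        problems.append("contains whitespace, which copy/paste and web forms silently trim")
    bits = entropy_bits(psk)
    if bits < min_bits:
        problems.append(f"at most {bits:.0f} bits of entropy, want >= {min_bits}")
    return problems
```

Run vet_psk() on whatever arrives by e-mail before you type it in; an empty list means the key is safe to transcribe, and anything else is worth a phone call to the far end before the Phase 1 debug session starts.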

Keep reading. The common configuration mistakes and the approach are outlined above; now for the troubleshooting itself. (Reader: "All this build-up before you get to the point, thumbs down!!")

Thanks for waiting. Below, for each of the failures above, I show how to read the Hillstone CLI debug vpn output and the troubleshooting lessons I have drawn from it. One reading aid for the excerpts: the module tag after each timestamp appears as "[email protected]" because the page's e-mail obfuscation mangled it; it carries no information, so read past it to the message.

An appetizer first, to whet the appetite.

Customer: (omitted; a network engineer has to take confidentiality seriously, it is a matter of professional ethics)
Scenario: the L2TP VPN dials up fine, but the client cannot ping an internal server.

SSH into the Hillstone shell and run the debug commands (syntax as follows):

debug dp filter src-ip 10.91.0.15 proto icmp [this is the virtual address the L2TP client was assigned]

debug dp filter dst-ip 10.10.0.1 proto icmp

debug dp basic

debug dp drop

debug self

A05-qujun-Fw[DBG](config)# clear logg debug

A05-qujun-Fw[DBG](config)# show logg debug

2015-12-17 11:23:53, [email protected]: core 1 (sys up 0x1aa53c70a ms): Finish decap

Packet: 10.91.0.15 -> 10.9.1.1, id: 96, ip size 60, prot: 1(ICMP)

dp_prepare_pak_lookup srcip: 10.91.0.15, dstip: 10.9.1.1,prot 1

No session found, try to create session

-----------------First path creating new session-----------------

--------VR:trust-vr start--------

10.91.0.15:1->10.9.1.1:20876

NAT: ICMP protocol type/code 0800

No DNAT matches, skip DNAT

Get nexthop if_id: 9, flags: 22, nexthop: 103.20.248.1

Interface route

NAT: ICMP protocol type/code 0800

Matched source NAT: snat rule id:2

Matched source NAT: source port1->port22589

--------VR:trust-vr end--------

begin lookup predefine prot:1 port:20876

Identified as app PING (prot=1). timeout 6.

Pak src zone L2TP, dst zone untrust, prot 1, dst-port 20876.

No policy matches, default ===DENY===  [no policy matched, so the firewall dropped it. Before blaming the policy, look a few lines up: the zone pair is L2TP -> untrust and an SNAT rule matched, so this packet was following the default route towards the Internet, not heading for the LAN. Think about why]

Dropped: Can't find policy/policy denied. Abort!!

deny session:flow0 src 10.91.0.15 --> dst 10.9.1.1 Deny session installed successfully

-----------------------First path over (session not created)

Droppped: failed to create session, drop the packet

A careful look showed I had pinged the wrong address (10.9.1.1 instead of the server at 10.10.1.1). After fixing that and running the debug again, the traffic was forwarded normally. Er, the whip for me.

A05-qujun-Fw[DBG](config)# show log debug

2015-12-17 11:32:39, [email protected]: core 1 (sys up 0x1aa5bce54 ms): Finish decap

Packet: 10.91.0.15 -> 10.10.1.1, id: 100, ip size 60, prot: 1(ICMP)

dp_prepare_pak_lookup srcip: 10.91.0.15, dstip: 10.10.1.1,prot 1

No session found, try to create session

-----------------First path creating new session-----------------

--------VR:trust-vr start--------

10.91.0.15:1->10.10.1.1:20879

NAT: ICMP protocol type/code 0800

No DNAT matches, skip DNAT

Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254

Interface route

NAT: ICMP protocol type/code 0800

No SNAT matches, or out of pool, skip SNAT

--------VR:trust-vr end--------

begin lookup predefine prot:1 port:20879

Identified as app PING (prot=1). timeout 6.

Pak src zone L2TP, dst zone dmz, prot 1, dst-port 20879.

Policy 6 matches, ===PERMIT===[matched; from here on it is simply forwarded, nothing more to say]

flow0 src 10.91.0.15 --> dst 10.10.1.1 with nexthop 10.10.0.254 ifindex 13

flow1 tunnel, id=153

flow1 src 10.10.1.1 --> dst 10.91.0.15 nexthop not lookup or invalid

flow0's next hop: 0.0.0.0 flow1's next hop: 10.10.0.254

······(省略)

VPN fault debug main dish ①: VPN braised pork (pre-shared key mismatch) [watch the bracketed notes; public addresses redacted as x.x.x.x]

A05-qujun-Fw[DBG]# show log debug

2015-12-17 11:58:46, [email protected]: phase2 negotiation failed due to time up waiting for phase1.

2015-12-17 11:58:46, [email protected]: delete phase 2 handler.

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Resend phase1 packet d082f40cfa318a5c:481f7e4f1262f27a

2015-12-17 11:58:47, [email protected]:

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: ++++++++Phase 1 main mode third msg receive START+++++++

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Begin decryption ...

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: IV was saved for next processing:

2015-12-17 11:58:47, [email protected]: a73f0fe2 1742d5fe

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: with key:

2015-12-17 11:58:47, [email protected]: 7439a7fe b79997b9

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Decrypted payload by IV:

2015-12-17 11:58:47, [email protected]: 2bebedc2 c51b4e96

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Skip to trim padding

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Decrypted packet:

2015-12-17 11:58:47, [email protected]: d082f40c fa318a5c 481f7e4f 1262f27a 05100201 00000000 00000044 ba09b8b5

94a49bc2 2534d628 de147031 88bfe620 843272ae eac0e720 3e332165 099a3bab

4edd1f7c

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Decrypt packet sucessful!

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: ===============Receive===============

2015-12-17 11:58:47, [email protected]: ISAKMP Header Format:

2015-12-17 11:58:47, [email protected]: Initiator Cookie:3498243084 4197550684

2015-12-17 11:58:47, [email protected]: Responder Cookie:1210023503 308474490

2015-12-17 11:58:47, [email protected]: Next Payload Type:5

2015-12-17 11:58:47, [email protected]: Exchange Type:2

2015-12-17 11:58:47, [email protected]: Flags:1

2015-12-17 11:58:47, [email protected]: Message ID:0

2015-12-17 11:58:47, [email protected]: Length:68

2015-12-17 11:58:47, [email protected]: Payload Generic Header:

2015-12-17 11:58:47, [email protected]: Next Payload Type:186

2015-12-17 11:58:47, [email protected]: Length:47285

2015-12-17 11:58:47, [email protected]: Content:

2015-12-17 11:58:47, [email protected]: <Identification Payload>

2015-12-17 11:58:47, [email protected]: ================================

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: DUMP of above packet:

2015-12-17 11:58:47, [email protected]: d082f40c fa318a5c 481f7e4f 1262f27a 05100201 00000000 00000044 ba09b8b5

94a49bc2 2534d628 de147031 88bfe620 843272ae eac0e720 3e332165 099a3bab

4edd1f7c

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: Invalid payload or failed to malloc buffer(pre-share key may mismatch).[the pre-shared key is wrong. In main mode the keys that decrypt message 5 are derived from the PSK, so a mismatch does not show up as an authentication error, it shows up as garbage: a Next Payload Type of 186 and a payload Length of 47285 inside a 68-byte message are impossible values. Supervisors, act as you see fit: dock the pay, fetch the whip]

2015-12-17 11:58:47, [email protected]: [x.x.x.x]: ++++++++Phase 1 main mode third msg receive END+++++++

VPN fault debug main dish ②: VPN cold tomato salad (policy-based VPN, policy not hit) [watch the bracketed notes]

A05-qujun-Fw[DBG]# show log debug

2015-12-17 12:12:28, [email protected]: core 1 (sys up 0x1aa8040d9 ms): Finish decap

Packet: 10.234.1.10 -> 10.10.1.1, id: 14819, ip size 60, prot: 1(ICMP)

dp_prepare_pak_lookup srcip: 10.234.1.10, dstip: 10.10.1.1,prot 1

No session found, try to create session

-----------------First path creating new session-----------------

--------VR:trust-vr start--------

10.234.1.10:1->10.10.1.1:24882

NAT: ICMP protocol type/code 0800

No DNAT matches, skip DNAT

Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254

Interface route

Found the reverse route for force or prefer revs-route setting

NAT: ICMP protocol type/code 0800

No SNAT matches, or out of pool, skip SNAT

--------VR:trust-vr end--------

begin lookup predefine prot:1 port:24882

Identified as app PING (prot=1). timeout 6.

Pak src zone untrust, dst zone dmz, prot 1, dst-port 24882.[the traffic itself is right: it was decapsulated from the tunnel and is heading untrust -> dmz]

No policy matches, default ===DENY===[no policy matched. Ask whether the policy-based VPN's policy sits at the top of the rule base; if another policy above it catches the traffic first, the device drops it right here]

Dropped: Can't find policy/policy denied. Abort!!

deny session:flow0 src 10.234.1.10 --> dst 10.10.1.1 Deny session installed successfully

-----------------------First path over (session not created)

Droppped: failed to create session, drop the packet
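
The appetizer trace and main dish ② are the same exercise: read the first-path output of debug dp and decide whether the packet was denied because it resolved to the wrong zone or because no policy covered the right zone pair. The Python below, an added example and not StoneOS code, does that reading for the three traces quoted above (trimmed to the decisive lines, constructed from this post's excerpts). The regexes follow the line shapes in these excerpts; other StoneOS releases may print differently, so treat them as an assumption.

```python
"""Triage the first-path traces that 'debug dp' prints when a new session is created:
pull out route, NAT, zone pair and policy verdict, then say which item of the checklist
above is the likely culprit. Added example for this post, not StoneOS code; the regexes
match the line shapes in the excerpts quoted here and are an assumption elsewhere."""
import re

# Constructed samples: the three traces quoted in this post, trimmed to the lines that matter
TRACE_L2TP_WRONG_DST = """Packet: 10.91.0.15 -> 10.9.1.1, id: 96, ip size 60, prot: 1(ICMP)
No DNAT matches, skip DNAT
Get nexthop if_id: 9, flags: 22, nexthop: 103.20.248.1
Matched source NAT: snat rule id:2
Identified as app PING (prot=1). timeout 6.
Pak src zone L2TP, dst zone untrust, prot 1, dst-port 20876.
No policy matches, default ===DENY===
Dropped: Can't find policy/policy denied. Abort!!"""
TRACE_L2TP_OK = """Packet: 10.91.0.15 -> 10.10.1.1, id: 100, ip size 60, prot: 1(ICMP)
No DNAT matches, skip DNAT
Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254
No SNAT matches, or out of pool, skip SNAT
Identified as app PING (prot=1). timeout 6.
Pak src zone L2TP, dst zone dmz, prot 1, dst-port 20879.
Policy 6 matches, ===PERMIT==="""
TRACE_POLICY_VPN = """Packet: 10.234.1.10 -> 10.10.1.1, id: 14819, ip size 60, prot: 1(ICMP)
Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254
No SNAT matches, or out of pool, skip SNAT
Identified as app PING (prot=1). timeout 6.
Pak src zone untrust, dst zone dmz, prot 1, dst-port 24882.
No policy matches, default ===DENY==="""

PATTERNS = [
    re.compile(r"Packet: (?P<src>\S+) -> (?P<dst>\S+), .*prot: \d+\((?P<proto>\w+)\)"),
    re.compile(r"Get nexthop if_id: (?P<out_if>\d+), .*nexthop: (?P<nexthop>\S+)"),
    re.compile(r"Matched source NAT: snat rule id:(?P<snat_rule>\d+)"),
    re.compile(r"Identified as app (?P<app>\S+)"),
    re.compile(r"Pak src zone (?P<src_zone>\S+), dst zone (?P<dst_zone>\S+),"),
    re.compile(r"Policy (?P<policy>\d+) matches, ===PERMIT==="),
    re.compile(r"No policy matches, default ===(?P<default_action>DENY)==="),
]


def parse_trace(text):
    """Reduce one first-path trace to a flat dict of the fields the verdict depends on."""
    fields = {}
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                fields.update(m.groupdict())
    if fields.get("policy"):
        fields["verdict"] = "PERMIT"
    elif fields.get("default_action") == "DENY":
        fields["verdict"] = "DENY"
    else:
        fields["verdict"] = "INCOMPLETE"
    return fields


def explain(fields, lan_zone):
    """Map a parsed trace onto the checklist. lan_zone is the zone the far-end LAN should
    resolve to (dmz in this post); the caller has to know that, the trace does not."""
    if fields["verdict"] == "PERMIT":
        return (f"forwarded by policy {fields['policy']} via {fields['nexthop']} "
                f"(if_id {fields['out_if']}); if the reply fails, check the return route and SNAT exempt")
    if fields["verdict"] != "DENY":
        return "trace incomplete: widen the debug dp filter or re-run with debug dp drop"
    if fields.get("dst_zone") != lan_zone:
        why = (f"{fields.get('dst', '?')} resolved to zone {fields.get('dst_zone')} not {lan_zone}: "
               "wrong destination address or missing tunnel route")
        if fields.get("snat_rule"):
            why += (f"; SNAT rule {fields['snat_rule']} matched, so a permitting policy would have "
                    "sent this to the Internet NATed and unencrypted, not into the VPN")
        return why
    return (f"no policy permits {fields.get('src_zone')} -> {fields.get('dst_zone')} "
            f"{fields.get('app', 'traffic')}: add it, or move the VPN policy above whatever shadows it")
```

The point the explain() branch makes for the appetizer is worth remembering: when a packet meant for the far LAN matches SNAT and resolves to untrust, an any-to-any policy would not have made the VPN work, it would have sent the traffic to the Internet in the clear.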

VPN fault debug main dish ③: VPN garlic crayfish (Phase 1 proposal mismatch) [watch the bracketed notes; public addresses redacted as x.x.x.x]

A05-qujun-Fw[DBG]# show log debug

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Peer Main mode, try to find rmconf by IP and local if.

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Peer IP: x.x.x.x

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Local IP: 103.20.248.96

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Rmconf flag 80010121.

2015-12-17 21:40:38, [email protected]: 00020000 671577dc 00000000 00000000

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Get rmconf sucessful

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Begin to negotiate with found rmconf, name To WX-51IDC

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: respond new phase 1 negotiation: 103.20.248.96:500<=>x.x.x.x:500

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: begin Identity Protection mode.

2015-12-17 21:40:38, [email protected]:

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: ++++++++Phase 1 main mode first msg receive START.++++++++

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: ===============Receive===============

2015-12-17 21:40:38, [email protected]: ISAKMP Header Format:

2015-12-17 21:40:38, [email protected]: Initiator Cookie:307148809 2169817196

2015-12-17 21:40:38, [email protected]: Responder Cookie:0 0

2015-12-17 21:40:38, [email protected]: Next Payload Type:1

2015-12-17 21:40:38, [email protected]: Exchange Type:2

2015-12-17 21:40:38, [email protected]: Flags:0

2015-12-17 21:40:38, [email protected]: Message ID:0

2015-12-17 21:40:38, [email protected]: Length:124

2015-12-17 21:40:38, [email protected]: Payload Generic Header:

2015-12-17 21:40:38, [email protected]: Next Payload Type:13

2015-12-17 21:40:38, [email protected]: Length:56

2015-12-17 21:40:38, [email protected]: Content:

2015-12-17 21:40:38, [email protected]: <SA Info>

2015-12-17 21:40:38, [email protected]: Payload Generic Header:

2015-12-17 21:40:38, [email protected]: Next Payload Type:13

2015-12-17 21:40:38, [email protected]: Length:20

2015-12-17 21:40:38, [email protected]: Content:

2015-12-17 21:40:38, [email protected]: <Vender ID Payload>

2015-12-17 21:40:38, [email protected]: Vendor ID:

2015-12-17 21:40:38, [email protected]: Payload Generic Header:

2015-12-17 21:40:38, [email protected]: Next Payload Type:0

2015-12-17 21:40:38, [email protected]: Length:20

2015-12-17 21:40:38, [email protected]: Content:

2015-12-17 21:40:38, [email protected]: <Vender ID Payload>

2015-12-17 21:40:38, [email protected]: Vendor ID:

2015-12-17 21:40:38, [email protected]: ================================

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Dump of above packet:

2015-12-17 21:40:38, [email protected]: 124eb809 8154c86c 00000000 00000000 01100200 00000000 0000007c 0d000038

00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004

00015180 80010005 80030001 80020001 80040002 0d000014 afcad713 68a1f1c9

6b8696fc 77570100 00000014 36665412 e8c59732 317454ee efef85b6

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: phase 1 (main mode): remote supports DPD

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Compared: DB:Peer[local (DB) and peer negotiation parameters compared side by side]

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: (lifetime = 86400:86400)

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: (lifebyte = 0:0)

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: enctype = DES-CBC:3DES-CBC[oops, the encryption algorithm is wrong: DES here, 3DES on the peer]

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: (encklen = 0:0)

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: hashtype = MD5:MD5

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: authmethod = pre-shared key:pre-shared key

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: dh_group = 1024-bit MODP group:1024-bit MODP group

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = DES-CBC:3DES-CBC

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: No suitable proposal found[no acceptable proposal; nothing more to say, fetch the whip!!!!]

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Phase 1 (main mode): failed to get valid proposal!

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: ++++++++Phase 1 main mode first msg receive END.++++++++

2015-12-17 21:40:38, [email protected]:

2015-12-17 21:40:38, [email protected]: [x.x.x.x]: Failed to process packet.

I then went carefully through the configuration on both sides, as in the screenshots below:

SITE-A and SITE-B Phase 1 configuration (show output, screenshots omitted):

which confirmed that the Phase 1 settings did indeed differ. One more thing while you are in there: DES, 3DES, MD5 and DH group 2 (1024-bit MODP) are all weak by current standards, so when you align the two sides, move them both to AES, SHA-2 and DH group 14 or stronger rather than settling on the DES this log shows.

VPN fault debug main dish ④: VPN grandma's pickles (Phase 2 PFS mismatch) [watch the bracketed notes; public addresses redacted as x.x.x.x]

A05-qujun-Fw[DBG]# show logg debug

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Receive Information.

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Begin decryption ...

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: IV was saved for next processing:

2015-12-17 21:50:22, [email protected]: bb648cbe 7dd114ad

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: with key:

2015-12-17 21:50:22, [email protected]: b13ee2ad 40c39cef

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Decrypted payload by IV:

2015-12-17 21:50:22, [email protected]: 9d8257e5 0e680b7d

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Skip to trim padding

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Decrypted packet:

2015-12-17 21:50:22, [email protected]: eef157b3 3b0f4a19 78058009 563e7e36 08100501 b05744e5 00000054 0b000014

709932fd 98e3b39c d23093f8 05f564f0 00000020 00000001 01108d28 eef157b3

3b0f4a19 78058009 563e7e36 00000041 0a51ae03

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Decrypt packet sucessful!

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Hash validated.

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: DPD R-U-There received

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Begin encryption ...

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: Encrypted successful!

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: received a valid R-U-THERE, ACK sent

2015-12-17 21:50:22, [email protected]: [x.x.x.x]: notification message 36136:36136, doi=1 proto_id=1 spi=eef157b33b0f4a19 78058009563e7

e36 (size=16).

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: DPD monitoring....

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Begin encryption ...

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Encrypted successful!

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: DPD R-U-There sent (0)

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: rescheduling send_r_u (10).

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Receive Information.

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Begin decryption ...

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: IV was saved for next processing:

2015-12-17 21:50:23, [email protected]: 29503bf1 0657c560

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: with key:

2015-12-17 21:50:23, [email protected]: b13ee2ad 40c39cef

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Decrypted payload by IV:

2015-12-17 21:50:23, [email protected]: ff76dc93 093f62f7

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Skip to trim padding

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Decrypted packet:

2015-12-17 21:50:23, [email protected]: eef157b3 3b0f4a19 78058009 563e7e36 08100501 fe48cae7 00000054 0b000014

120e019f 66e1fad1 1f9c2401 6ba98b8b 00000020 00000001 01108d29 eef157b3

3b0f4a19 78058009 563e7e36 00000771 fc7fdf03

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Decrypt packet sucessful!

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: Hash validated.

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: DPD R-U-There-Ack received

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: received an R-U-THERE-ACK

2015-12-17 21:50:23, [email protected]: [x.x.x.x]: notification message 36137:36137, doi=1 proto_id=1 spi=eef157b33b0f4a19 78058009563e7

(·············省略部分协商输出日志)

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: phase 2 (quick mode) : received IDci2:

2015-12-17 21:50:26, [email protected]: 04000000 0aea0100 ffffff00

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: phase 2 (quick mode) : received IDcr2:

2015-12-17 21:50:26, [email protected]: 04000000 0a0a0000 ffff0000

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: phase 2 (quick mode) : Begin to HASH(1) validate ...

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Phase 2 (quick mode) : HASH(1) matched.

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: phase2 handler negotiating already exists, ignore phase2 negotiation request

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Detect double p2handle, Kill p for it's responder.

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: get a src address from ID payload 10.234.1.0:0 prefixlen=24 ul_proto=255

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: get dst address from ID payload 10.10.0.0:0 prefixlen=16 ul_proto=255

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Suitable SP found:10.234.1.0:0/24[ 10.10.0.0:0/16[ proto=any dir=in

2015-12-17 21:50:26, [email protected]: [x.x.x.x]:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)

2015-12-17 21:50:26, [email protected]: [x.x.x.x]:   (trns_id=DES encklen=0 authtype=hmac-md5)

2015-12-17 21:50:26, [email protected]: life duration was in TLV.

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Begin compare proposals

2015-12-17 21:50:26, [email protected]: prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=DES

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Begin to compare my and peer's proposal ...

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Peer's single bundle:

2015-12-17 21:50:26, [email protected]: [x.x.x.x]:  (proto_id=ESP spisize=4 spi=4d804926 spi_p=00000000 encmode=Tunnel reqid=0:0)

2015-12-17 21:50:26, [email protected]: [x.x.x.x]:   (trns_id=DES encklen=0 authtype=hmac-md5)

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: My single bundle:

2015-12-17 21:50:26, [email protected]: [x.x.x.x]:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)

2015-12-17 21:50:26, [email protected]: [x.x.x.x]:   (trns_id=DES encklen=0 authtype=hmac-md5)

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: pfs group mismatched: my:2 peer:0[Phase 2 PFS group mismatch: PFS group 2 is configured here and none on the peer; one side was filled in wrong!!]

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: Not matched

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: No suitable proposals found.

2015-12-17 21:50:26, [email protected]: [x.x.x.x]: ++++++++Phase 2 (quick mode) first msg receive END.++++++++

Likewise, I looked at the Phase 2 configuration on the Hillstone CLI (show output, screenshots omitted). The IDci2/IDcr2 dumps above are the peer's proxy IDs as they travel on the wire: 04000000 0aea0100 ffffff00 is ID type 4 (IPv4 subnet) 10.234.1.0 with mask 255.255.255.0, and 04000000 0a0a0000 ffff0000 is 10.10.0.0 with mask 255.255.0.0, which is exactly what the "get a src address from ID payload" and "get dst address from ID payload" lines then print.

PS: the left-hand side may also have the proxy ID missing; watch for that.
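
Main dishes ①, ③ and ④ all print raw ISAKMP hex, and you can check the firewall's reading of it yourself. The Python below, an added example and not StoneOS code, decodes the dumps quoted above: the 68-byte message 5 from ① runs into a payload whose length (47285) cannot fit, which is what a wrong pre-shared key looks like after decryption; the first message from ③ yields the peer's proposal (3DES-CBC, MD5, pre-shared key, 1024-bit MODP, 86400 s) and, compared with an assumed local proposal standing in for the "DB" column, reproduces "enctype = DES-CBC:3DES-CBC"; the informational message from ④ decodes to notification 36136 (R-U-THERE); and the quick-mode IDci/IDcr bytes decode to the proxy IDs 10.234.1.0/24 and 10.10.0.0/16. LOCAL_PROPOSAL is the only assumption; everything else comes from the bytes on this page.

```python
"""Decode the ISAKMP (IKEv1) hex dumps that 'debug' printed above and replay the
'Compared: DB:Peer' proposal check. Added example for this post, not StoneOS code;
the dumps are copied from the debug output quoted above."""
import ipaddress
import struct

PAYLOAD = {1: "SA", 5: "ID", 8: "HASH", 11: "NOTIFY", 13: "VENDOR_ID"}
ATTR = {1: ("enctype", {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}),
        2: ("hashtype", {1: "MD5", 2: "SHA"}),
        3: ("authmethod", {1: "pre-shared key", 3: "RSA signature"}),
        4: ("dh_group", {1: "768-bit MODP", 2: "1024-bit MODP", 14: "2048-bit MODP"}),
        11: ("lifetype", {1: "seconds", 2: "kilobytes"}), 12: ("lifetime", None)}
NOTIFY = {36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}
# Assumed stand-in for this firewall's own phase-1 proposal (the 'DB' column in main dish 3)
LOCAL_PROPOSAL = {"enctype": "DES-CBC", "hashtype": "MD5", "authmethod": "pre-shared key", "dh_group": "1024-bit MODP"}

MM5_BAD_PSK = """d082f40c fa318a5c 481f7e4f 1262f27a 05100201 00000000 00000044 ba09b8b5
94a49bc2 2534d628 de147031 88bfe620 843272ae eac0e720 3e332165 099a3bab 4edd1f7c"""
MM1_PEER = """124eb809 8154c86c 00000000 00000000 01100200 00000000 0000007c 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010005 80030001 80020001 80040002 0d000014 afcad713 68a1f1c9
6b8696fc 77570100 00000014 36665412 e8c59732 317454ee efef85b6"""
DPD_INFO = """eef157b3 3b0f4a19 78058009 563e7e36 08100501 b05744e5 00000054 0b000014
709932fd 98e3b39c d23093f8 05f564f0 00000020 00000001 01108d28 eef157b3
3b0f4a19 78058009 563e7e36 00000041 0a51ae03"""
QM_IDCI, QM_IDCR = "04000000 0aea0100 ffffff00", "04000000 0a0a0000 ffff0000"


def unhex(dump):
    return bytes.fromhex("".join(dump.split()))


def parse_header(msg):  # 28-byte ISAKMP header (RFC 2408 3.1); flags bit 0 = body encrypted
    ic, rc, np, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "next_payload": np, "version": ver,
            "exchange": xchg, "msgid": msgid, "length": length, "encrypted": bool(flags & 1)}


def parse_attributes(data):
    """Transform attributes: type bit 15 set = TV (16-bit value), clear = TLV (length, value)."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, val = struct.unpack("!HH", data[i:i + 4])
        i += 4
        if not atype & 0x8000:
            val, i = int.from_bytes(data[i:i + val], "big"), i + val
        name, table = ATTR.get(atype & 0x7FFF, (f"attr{atype & 0x7FFF}", None))
        attrs[name] = table.get(val, val) if table else val
    return attrs


def parse_sa(body):
    """SA payload: DOI and situation, then one proposal and its transforms (RFC 2408 3.4-3.6)."""
    _, _, _plen, pnum, proto, spisz, ntrns = struct.unpack("!BBHBBBB", body[8:16])
    off, transforms = 16 + spisz, []
    for _ in range(ntrns):
        _, _, tlen, tnum, tid = struct.unpack("!BBHBB", body[off:off + 6])
        transforms.append({"trns": tnum, "trns_id": tid, **parse_attributes(body[off + 8:off + tlen])})
        off += tlen
    return {"proposal": pnum, "proto": proto, "transforms": transforms}


def parse_id(body):  # ID payload: the proxy ID / traffic selector quick mode negotiates (RFC 2407 4.6.2)
    idtype, proto, port = struct.unpack("!BBH", body[:4])
    addr = str(ipaddress.IPv4Address(body[4:8]))
    if idtype == 4:  # ID_IPV4_ADDR_SUBNET carries address + mask
        addr = str(ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(body[8:12])))))
    return {"selector": addr, "ul_proto": proto or "any", "port": port or "any"}


def walk(msg):
    """Follow the payload chain; valid=False when a length runs past the message, i.e. the
    garbage a wrong pre-shared key leaves after 'decrypting' message 5 in main dish 1."""
    hdr = parse_header(msg)
    payloads, np, off = [], hdr["next_payload"], 28
    while np:
        if off + 4 > len(msg):
            return hdr, payloads, False
        nnp, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        p = {"type": PAYLOAD.get(np, np), "length": plen}
        if plen < 4 or off + plen > len(msg):
            payloads.append({**p, "bad": True})
            return hdr, payloads, False
        body = msg[off + 4:off + plen]
        if np == 1:
            p.update(parse_sa(body))
        elif np == 5:
            p.update(parse_id(body))
        elif np == 11:  # notify type follows DOI(4), protocol(1), SPI size(1)
            p["notify"] = NOTIFY.get(struct.unpack("!H", body[6:8])[0], "unknown")
        payloads.append(p)
        np, off = nnp, off + plen
    return hdr, payloads, True


def compare_proposal(local, peer_sa):  # mismatches in the log's 'name = DB:Peer' shape
    return [f"{k} = {mine}:{t.get(k)}" for t in peer_sa["transforms"]
            for k, mine in local.items() if t.get(k) != mine]


def diagnose(dump):
    """One-line verdict in the spirit of the bracketed notes in this post."""
    hdr, payloads, valid = walk(unhex(dump))
    if not valid and hdr["encrypted"]:
        return "garbage after decryption: pre-shared key mismatch"
    sa = next((p for p in payloads if p["type"] == "SA"), None)
    bad = compare_proposal(LOCAL_PROPOSAL, sa) if sa else []
    return ("No suitable proposal: " + "; ".join(bad) if bad
            else "ok: " + ", ".join(str(p.get("notify") or p["type"]) for p in payloads))
```

Two things this decoding makes concrete. First, a PSK mismatch in main mode never produces an explicit "bad key" message on the responder, only unparseable bytes, so the impossible lengths are the signature to look for. Second, the "Compared: DB:Peer" lines are a plain attribute-by-attribute comparison of the peer's transform against the local one, which is why a single differing attribute is enough for "No suitable proposal found".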

VPN fault debug main dish ⑤: VPN sizzling-plate squid (connection type) [watch the bracketed notes; public addresses redacted as x.x.x.x]

A05-qujun-Fw[DBG]# show logging debug

2015-12-17 22:06:27, [email protected]: cookie: -1, 0, -1, 0, 0

2015-12-17 22:06:27, [email protected]: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:27, [email protected]: Sa index : 307

2015-12-17 22:06:27, [email protected]: Fpmsg_send_and_recv return ok

2015-12-17 22:06:27, [email protected]: 4505, 1170652208, 2096965600, 4637893, 4136288.

2015-12-17 22:06:27, [email protected]: dp's lifesize is 04613972

2015-12-17 22:06:27, [email protected]: SA 307 's lifesize is 4505

2015-12-17 22:06:27, [email protected]: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:27, [email protected]: Sa index : 202

2015-12-17 22:06:27, [email protected]: Fpmsg_send_and_recv return ok

2015-12-17 22:06:27, [email protected]: 0, 96232, 118944, 1241, 1712.

2015-12-17 22:06:27, [email protected]: dp's lifesize is 00

2015-12-17 22:06:27, [email protected]: SA 202 's lifesize is 0

2015-12-17 22:06:28, [email protected]: cookie: -1, 0, -1, 0, 0

2015-12-17 22:06:28, [email protected]: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:28, [email protected]: Sa index : 307

2015-12-17 22:06:28, [email protected]: Fpmsg_send_and_recv return ok

2015-12-17 22:06:28, [email protected]: 4506, 1170653088, 2096965840, 4637902, 4136293.

2015-12-17 22:06:28, [email protected]: dp's lifesize is 04615152

2015-12-17 22:06:28, [email protected]: SA 307 's lifesize is 4506

2015-12-17 22:06:28, [email protected]: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:28, [email protected]: Sa index : 202

2015-12-17 22:06:28, [email protected]: Fpmsg_send_and_recv return ok

2015-12-17 22:06:28, [email protected]: 0, 96232, 118944, 1241, 1712.

2015-12-17 22:06:28, [email protected]: dp's lifesize is 00

2015-12-17 22:06:28, [email protected]: SA 202 's lifesize is 0

2015-12-17 22:06:57, [email protected]: [x.x.x.x]: IKE daemon start ike negotiation as initiator,with this sa index:202[SA 202 has never carried a byte (lifesize 0): this end keeps trying to initiate for it, but the next two lines say there is no peer address or the tunnel is responder-only. The security connection type does not match what the two sides need; in short, still a configuration error!!!]

2015-12-17 22:06:57, [email protected]: [x.x.x.x]: Peer address not found or responder only connection-type

2015-12-17 22:06:57, [email protected]: [x.x.x.x]: Can not start negotiation as initiator

2015-12-17 22:07:23, [email protected]: cookie: -1, 0, -1, 0, 0

2015-12-17 22:07:23, [email protected]: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:07:23, [email protected]: Sa index : 307

2015-12-17 22:07:23, [email protected]: Fpmsg_send_and_recv return ok

2015-12-17 22:07:23, [email protected]: 4555, 1170690240, 2096975856, 4638273, 4136501.

2015-12-17 22:07:23, [email protected]: dp's lifesize is 04664816

2015-12-17 22:07:23, [email protected]: SA 307 's lifesize is 4555

2015-12-17 22:07:23, [email protected]: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:07:23, [email protected]: Sa index : 202

2015-12-17 22:07:23, [email protected]: Fpmsg_send_and_recv return ok

2015-12-17 22:07:23, [email protected]: 0, 96232, 118944, 1241, 1712.

2015-12-17 22:07:23, [email protected]: dp's lifesize is 00

2015-12-17 22:07:23, [email protected]: SA 202 's lifesize is 0

For this last error I will not show the configuration side by side; the list of common mistakes above already shows the security connection type option to correct, so scroll back up.

That is it for today. Honestly this article is just an amateur showing off in front of the experts; read it critically. I am not after likes, only progress we can share!

Make learning part of every day,

from a network engineer at a tier-2 carrier

Time: 2024-10-10 07:43:20
