Ruijie HQ with two H3C branches: heterogeneous IPsec interconnection

1 Network topology

  1. HQ and both branches each have a single link to the Internet; intranet reachability between sites is provided by NAT plus an IPsec VPN.
  2. HQ runs a Ruijie router; branch 1 and branch 2 run H3C routers. The IPsec VPN encrypts the site-to-site traffic.

2 Device configuration

2.1 HQ: R11 configuration

hostname R11
!
interface GigabitEthernet 0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback 0
 ip address 192.168.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!

2.2 HQ: zb-ruijie-R12 configuration (NAT and IPsec)

hostname zb-ruijie-R12
!
ip access-list extended 100   // IPsec interesting traffic
 10 permit ip host 192.168.1.1 host 192.168.10.1
!
ip access-list extended 110   // NAT configuration
 10 deny ip host 192.168.1.1 host 192.168.10.1
 15 permit ip host 192.168.1.1 any
!
ip nat inside source list 110 interface GigabitEthernet 0/1 overload
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp keepalive 5 periodic
!
crypto isakmp key 0 123 address 203.1.1.2
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map 1 1 ipsec-isakmp
 set peer 203.1.1.2
 set transform-set 1
 match address 100
!
interface GigabitEthernet 0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet 0/1
 ip address 202.1.1.1 255.255.255.0
 crypto map 1
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.1.1.2
ip route 192.168.1.1 255.255.255.255 1.1.1.1
!

2.3 ISP configuration

hostname ISP
!
interface GigabitEthernet 0/0
 ip address 203.1.1.1 255.255.255.0
!
interface GigabitEthernet 0/1
 ip address 202.1.1.2 255.255.255.0
!
interface GigabitEthernet 0/2
 ip address 204.1.1.1 255.255.255.0
!
interface Loopback 0
 ip address 8.8.8.8 255.255.255.255
!

2.4 Branch 1: fz1-h3c-R14 configuration (NAT and IPsec)

sysname fz1-h3c-R14
ip unreachables enable
ip ttl-expires enable
lldp global enable

interface GigabitEthernet1/0
 port link-mode route
 ip address 203.1.1.2 255.255.255.0
 nat outbound 3000
 ipsec apply policy 1

interface GigabitEthernet2/0
 port link-mode route
 ip address 2.2.2.2 255.255.255.0

ip route-static 0.0.0.0 0 203.1.1.1
ip route-static 192.168.10.1 32 2.2.2.1

acl advanced 3000
 description NAT
 rule 0 deny ip source 192.168.10.1 0 destination 192.168.1.1 0
 rule 100 permit ip

acl advanced 3001
 description ipsec
 rule 0 permit ip source 192.168.10.1 0 destination 192.168.1.1 0

ike keychain 1
 pre-shared-key address 202.1.1.1 255.255.255.255 key simple 123

ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5

ike profile 1
 keychain 1
 match remote identity address 202.1.1.1 255.255.255.255
 proposal 1

ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5

ipsec policy 1 1 isakmp
 transform-set 1
 security acl 3001
 remote-address 202.1.1.1
 ike-profile 1

2.5 Branch 1: R15 configuration

hostname R15
!
interface GigabitEthernet 0/0
 ip address 2.2.2.1 255.255.255.0
!
interface Loopback 0
 ip address 192.168.10.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!

2.6 Branch 2: fz2-h3c-R20 configuration (NAT and IPsec)

sysname fz2-h3c-R20
ip unreachables enable
ip ttl-expires enable
lldp global enable

interface GigabitEthernet1/0
 port link-mode route
 ip address 204.1.1.2 255.255.255.0
 nat outbound 3000
 ipsec apply policy 1

interface GigabitEthernet2/0
 port link-mode route
 ip address 3.3.3.2 255.255.255.0

ip route-static 0.0.0.0 0 204.1.1.1
ip route-static 192.168.100.1 32 3.3.3.1

acl advanced 3000
 description NAT
 rule 0 deny ip source 192.168.100.1 0 destination 192.168.1.1 0
 rule 100 permit ip

acl advanced 3001
 description ipsec
 rule 0 permit ip source 192.168.100.1 0 destination 192.168.1.1 0

ike keychain 1
 pre-shared-key address 202.1.1.1 255.255.255.255 key simple 123456

ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5

ike profile 1
 keychain 1
 match remote identity address 202.1.1.1 255.255.255.255
 proposal 1

ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5

ipsec policy 1 1 isakmp
 transform-set 1
 security acl 3001
 remote-address 202.1.1.1
 ike-profile 1

2.7 Branch 2: R21 configuration

hostname R21
!
interface GigabitEthernet 0/0
 ip address 3.3.3.1 255.255.255.0
!
interface Loopback 0
 ip address 192.168.100.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 3.3.3.2
!

2.8 HQ: zb-ruijie-R12 additions for branch 2 (NAT and IPsec)

hostname zb-ruijie-R12
!
ip access-list extended 101   // new: IPsec interesting traffic for branch 2
 10 permit ip host 192.168.1.1 host 192.168.100.1
!
ip access-list extended 110   // rule added to the existing NAT ACL
 11 deny ip host 192.168.1.1 host 192.168.100.1
!
crypto isakmp policy 1   // no change needed if the IKE algorithms are the same; skip this block
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp keepalive 5 periodic
!
crypto isakmp key 0 123456 address 204.1.1.2
crypto ipsec transform-set 1 esp-3des esp-md5-hmac   // no change needed if the IPsec algorithms are the same; skip this line
!
crypto map 1 2 ipsec-isakmp
 set peer 204.1.1.2
 set transform-set 1
 match address 101
!
interface GigabitEthernet 0/0   // unchanged; nothing to add
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet 0/1
 ip address 202.1.1.1 255.255.255.0
 crypto map 1
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.1.1.2
ip route 192.168.1.1 255.255.255.255 1.1.1.1
!
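The two ACLs at each site do complementary jobs: the interesting-traffic ACL (Ruijie 100/101, H3C 3001) selects what enters the tunnel, and the NAT ACL (Ruijie 110, H3C 3000) must deny exactly those flows so they are not translated before the crypto map or ipsec policy sees them. The script below is an added example, not configuration or code from the original write-up or from either vendor. It parses both vendors' ACL syntax as it appears on this page, checks each site's NAT exemption, checks that each branch's interesting traffic is the mirror image of the HQ entry, and also runs the check against ACL 110 as it stood before section 2.8 to show the gap that rule 11 closes.

```python
"""Cross-check the IPsec interesting-traffic ACLs and the NAT-exemption ACLs
of the HQ Ruijie router and the two H3C branch routers.

Added example, not part of the original write-up. The ACL lines are copied
from the configurations above; the parser and checks are this editor's own
and are not a Ruijie or H3C feature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

    def mirrored(self) -> Flow:
        return Flow(self.dst, self.src)


# Ruijie (Cisco-style) extended ACL entry: "<seq> permit|deny ip host A host B"
RUIJIE_RULE = re.compile(r"^\s*\d+\s+(permit|deny)\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")
# H3C Comware advanced ACL entry: "rule N permit|deny ip source A 0 destination B 0"
H3C_RULE = re.compile(
    r"^\s*rule\s+\d+\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+0\s+destination\s+(\S+)\s+0")


def parse_flows(acl_text: str, action: str) -> set[Flow]:
    """Host-to-host flows with the given action, in either vendor's syntax.
    Only /32 host entries are recognised, which is all this lab uses."""
    flows = set()
    for line in acl_text.splitlines():
        m = RUIJIE_RULE.match(line) or H3C_RULE.match(line)
        if m and m.group(1) == action:
            flows.add(Flow(m.group(2), m.group(3)))
    return flows


def check_nat_exemption(ipsec_acl: str, nat_acl: str) -> list[str]:
    """Every IPsec flow must be denied in the NAT ACL. Otherwise the router
    translates the source first, the packet no longer matches the crypto map
    or ipsec policy, and it is forwarded as ordinary NATed Internet traffic."""
    denied = parse_flows(nat_acl, "deny")
    return [f"NAT exemption missing for {f.src} -> {f.dst}"
            for f in sorted(parse_flows(ipsec_acl, "permit"), key=str)
            if f not in denied]


def check_mirror(hq_acl: str, branch_acl: str) -> list[str]:
    """The branch's interesting traffic must be the exact mirror of the HQ's,
    or IKE phase 2 fails on the proxy-ID comparison."""
    hq = parse_flows(hq_acl, "permit")
    branch = {f.mirrored() for f in parse_flows(branch_acl, "permit")}
    problems = [f"HQ flow {f.src} -> {f.dst} has no mirror on the branch"
                for f in sorted(hq - branch, key=str)]
    problems += [f"Branch flow {f.dst} -> {f.src} has no mirror at HQ"
                 for f in sorted(branch - hq, key=str)]
    return problems


# ACL text copied from the configurations on this page.
HQ_IPSEC_100 = "10 permit ip host 192.168.1.1 host 192.168.10.1"
HQ_IPSEC_101 = "10 permit ip host 192.168.1.1 host 192.168.100.1"
HQ_NAT_110_BEFORE = """10 deny ip host 192.168.1.1 host 192.168.10.1
15 permit ip host 192.168.1.1 any"""
HQ_NAT_110 = """10 deny ip host 192.168.1.1 host 192.168.10.1
11 deny ip host 192.168.1.1 host 192.168.100.1
15 permit ip host 192.168.1.1 any"""
R14_IPSEC_3001 = "rule 0 permit ip source 192.168.10.1 0 destination 192.168.1.1 0"
R14_NAT_3000 = """rule 0 deny ip source 192.168.10.1 0 destination 192.168.1.1 0
rule 100 permit ip"""
R20_IPSEC_3001 = "rule 0 permit ip source 192.168.100.1 0 destination 192.168.1.1 0"
R20_NAT_3000 = """rule 0 deny ip source 192.168.100.1 0 destination 192.168.1.1 0
rule 100 permit ip"""


def run_checks() -> dict[str, list[str]]:
    """All five checks for the final configuration; every list should be empty."""
    return {
        "hq": check_nat_exemption(HQ_IPSEC_100 + "\n" + HQ_IPSEC_101, HQ_NAT_110),
        "fz1": check_nat_exemption(R14_IPSEC_3001, R14_NAT_3000),
        "fz2": check_nat_exemption(R20_IPSEC_3001, R20_NAT_3000),
        "hq-fz1": check_mirror(HQ_IPSEC_100, R14_IPSEC_3001),
        "hq-fz2": check_mirror(HQ_IPSEC_101, R20_IPSEC_3001),
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
    # HQ NAT ACL as it stood before section 2.8: branch 2 traffic would be NATed.
    print("before 2.8:", check_nat_exemption(HQ_IPSEC_101, HQ_NAT_110_BEFORE))
```

The H3C `display acl all` counters in section 4 are the runtime view of the same relationship: ACL 3000 rule 0 (the deny) is hit once per tunnelled packet before ACL 3001 matches it for encryption, while rule 100 is hit only by traffic that genuinely leaves via NAT.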

3 Connectivity tests

3.1 HQ R11 connectivity test

R11#ping 192.168.10.1 source 192.168.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.10.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms.
R11#
R11#ping 192.168.100.1 source 192.168.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.100.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms.
R11#
R11#traceroute 192.168.10.1 source 192.168.1.1
< press Ctrl+C to break >
Tracing the route to 192.168.10.1
1 1.1.1.2 1 msec <1 msec <1 msec
2 1.1.1.2 <1 msec <1 msec <1 msec
3 192.168.10.1 7 msec 5 msec 4 msec
R11#
R11#traceroute 192.168.100.1 source 192.168.1.1
< press Ctrl+C to break >
Tracing the route to 192.168.100.1
1 1.1.1.2 1 msec <1 msec <1 msec
2 1.1.1.2 <1 msec <1 msec <1 msec
3 192.168.100.1 14 msec 8 msec 5 msec
R11#

3.2 Branch 1 R15 connectivity test

R15#ping 192.168.1.1 source 192.168.10.1
Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/13 ms.
R15#
R15#traceroute 192.168.1.1 source 192.168.10.1
< press Ctrl+C to break >
Tracing the route to 192.168.1.1
1 2.2.2.2 3 msec <1 msec <1 msec
2 * * *
3 192.168.1.1 10 msec 5 msec 3 msec
R15#

3.3 Branch 2 R21 connectivity test

R21#ping 192.168.1.1 source 192.168.100.1
Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/24 ms.
R21#
R21#traceroute 192.168.1.1 source 192.168.100.1
< press Ctrl+C to break >
Tracing the route to 192.168.1.1
1 3.3.3.2 1 msec <1 msec <1 msec
2 * * *
3 192.168.1.1 14 msec 5 msec 3 msec
R21#

4 Device status

4.1 HQ zb-ruijie-R12: NAT and IPsec status

zb-ruijie-R12#show crypto isakmp sa
destination source state conn-id lifetime(second)
204.1.1.2 202.1.1.1 IKE_IDLE 1 86192
203.1.1.2 202.1.1.1 IKE_IDLE 3 85188
zb-ruijie-R12#show crypto ipsec sa
Crypto map tag:1
local ipv4 addr 202.1.1.1
media mtu 1500
==================================
sub_map type:static, seqno:1, id=1
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.10.1/0.0.0.0/0/0))
PERMIT
#pkts encaps: 20603, #pkts encrypt: 20603, #pkts digest 20603
#pkts decaps: 20603, #pkts decrypt: 20603, #pkts verify 20603
#send errors 0, #recv errors 0
pkts encaps errors:
#negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
pkts decypto errors:
#check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
#pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
Inbound esp sas:
spi:0xc857c37a (3361194874)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 1
sa timing: remaining key lifetime (k/sec): (1835795/2388)
zb-ruijie-R12#
zb-ruijie-R12#show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: Three key triple DES.
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds
zb-ruijie-R12# show crypto ipsec sa
Crypto map tag:1
local ipv4 addr 202.1.1.1
media mtu 1500
==================================
sub_map type:static, seqno:1, id=1
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.10.1/0.0.0.0/0/0))
PERMIT
#pkts encaps: 21042, #pkts encrypt: 21042, #pkts digest 21042
#pkts decaps: 21042, #pkts decrypt: 21042, #pkts verify 21042
#send errors 0, #recv errors 0
pkts encaps errors:
#negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
pkts decypto errors:
#check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
#pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
Inbound esp sas:
spi:0xc857c37a (3361194874)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 1
sa timing: remaining key lifetime (k/sec): (1835638/2342)
IV size: 0 bytes
Replay detection support:Y
Outbound esp sas:
spi:0x3870545e (946885726)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 1
sa timing: remaining key lifetime (k/sec): (1835638/2342)
IV size: 0 bytes
Replay detection support:Y
==================================
sub_map type:static, seqno:2, id=2
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.100.1/0.0.0.0/0/0))
PERMIT
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest 28
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify 28
#send errors 0, #recv errors 0
pkts encaps errors:
#negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
pkts decypto errors:
#check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
#pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
Inbound esp sas:
spi:0xeb3917f0 (3946387440)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 2
sa timing: remaining key lifetime (k/sec): (2103309/3346)
IV size: 0 bytes
Replay detection support:Y
Outbound esp sas:
spi:0xe11c4953 (3776727379)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 2
sa timing: remaining key lifetime (k/sec): (2103309/3346)
IV size: 0 bytes
Replay detection support:Y
zb-ruijie-R12#
zb-ruijie-R12#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.1.1.1:8192 192.168.1.1:8192 8.8.8.8 8.8.8.8
zb-ruijie-R12#

4.2 Branch 1 fz1-h3c-R14: NAT and IPsec status

<fz1-h3c-R14>dis ike sa
Connection-ID Local Remote Flag DOI
8 203.1.1.2 202.1.1.1/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<fz1-h3c-R14>
<fz1-h3c-R14>dis ike sa ?
> Redirect it to a file
>> Redirect it to a file in append mode
count Display the count of IKE SAs
verbose Detailed information
| Matching output
<cr>
<fz1-h3c-R14>dis ike sa verbose ?
> Redirect it to a file
>> Redirect it to a file in append mode
connection-id Specify SAs by connection ID
remote-address Specify IKE SAs by remote address
| Matching output
<cr>
<fz1-h3c-R14>dis ike sa verbose
Connection ID: 8
Outside VPN:
Inside VPN:
Profile: 1
Transmitting entity: Initiator
Initiator cookie: 14f1f68625eedb17
Responder cookie: d4da3116531f6709
Tcp encaps: Disabled
Local IP/port: 203.1.1.2/500
Local ID type: IPV4_ADDR
Local ID: 203.1.1.2
Remote IP/port: 202.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 202.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 84926
Exchange-mode: Main
Diffie-Hellman group: Group 2
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
<fz1-h3c-R14>
<fz1-h3c-R14>dis ike sa count
Total: 1
Established: 1
Negotiating: 0
<fz1-h3c-R14>
<fz1-h3c-R14>dis ipsec sa
Interface: GigabitEthernet1/0
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
Tunnel id: 1
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
IPsec over tcp: Disabled
IPsec over tcp mode: --
Tunnel:
local address/port: 203.1.1.2/500
remote address/port: 202.1.1.1/500
Flow:
sour addr: 192.168.10.1/255.255.255.255 port: 0 protocol: ip
dest addr: 192.168.1.1/255.255.255.255 port: 0 protocol: ip
Inbound ESP SAs
SPI: 946885726 (0x3870545e)
Connection ID: 12884901891
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1840151/2109
Max received sequence-number: 22951
Anti-replay check enable: Y
Anti-replay window size: 64
Encapsulation used for NAT traversal: N
Status: Active
Outbound ESP SAs
SPI: 3361194874 (0xc857c37a)
Connection ID: 12884901890
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1840152/2109
Max sent sequence-number: 22948
Encapsulation used for NAT traversal: N
Status: Active
<fz1-h3c-R14>
<fz1-h3c-R14>dis ipsec sa ?
> Redirect it to a file
>> Redirect it to a file in append mode
brief Display brief information about all IPsec SAs
count Display SA count
interface Specify an interface
ipv6-policy Specify an IPv6 IPsec policy
policy Specify an IPv4 IPsec policy
profile Specify an IPsec profile
remote Specify a remote peer
| Matching output
<cr>
<fz1-h3c-R14>dis ipsec sa brief
Interface/Global Dst Address SPI Protocol Status
GE1/0 202.1.1.1 3361194874 ESP Active
GE1/0 203.1.1.2 946885726 ESP Active
<fz1-h3c-R14>
<fz1-h3c-R14>dis ipsec sa count
Total IPsec SAs count: 2
<fz1-h3c-R14>
<fz1-h3c-R14>dis acl all
Advanced IPv4 ACL 3000, 2 rules,
NAT
ACL's step is 5
rule 0 deny ip source 192.168.10.1 0 destination 192.168.1.1 0 (124 times matched)
rule 100 permit ip (3 times matched)
Advanced IPv4 ACL 3001, 1 rule,
ipsec
ACL's step is 5
rule 0 permit ip source 192.168.10.1 0 destination 192.168.1.1 0 (24406 times matched)
<fz1-h3c-R14>

4.3 Branch 2 fz2-h3c-R20: NAT and IPsec status

<fz2-h3c-R20>dis ike sa
Connection-ID Local Remote Flag DOI
1 204.1.1.2 202.1.1.1/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<fz2-h3c-R20>
<fz2-h3c-R20>dis ike sa ver
Connection ID: 1
Outside VPN:
Inside VPN:
Profile: 1
Transmitting entity: Responder
Initiator cookie: 59407f6e6930ac88
Responder cookie: bae88cdc37b2d216
Tcp encaps: Disabled
Local IP/port: 204.1.1.2/500
Local ID type: IPV4_ADDR
Local ID: 204.1.1.2
Remote IP/port: 202.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 202.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 85846
Exchange-mode: Main
Diffie-Hellman group: Group 2
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
<fz2-h3c-R20>
<fz2-h3c-R20>dis ike sa count
Total: 1
Established: 1
Negotiating: 0
<fz2-h3c-R20>
<fz2-h3c-R20>dis ipse sa
Interface: GigabitEthernet1/0
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1444
IPsec over tcp: Disabled
IPsec over tcp mode: --
Tunnel:
local address/port: 204.1.1.2/500
remote address/port: 202.1.1.1/500
Flow:
sour addr: 192.168.100.1/255.255.255.255 port: 0 protocol: ip
dest addr: 192.168.1.1/255.255.255.255 port: 0 protocol: ip
Inbound ESP SAs
SPI: 3776727379 (0xe11c4953)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843193/3036
Max received sequence-number: 49
Anti-replay check enable: Y
Anti-replay window size: 64
Encapsulation used for NAT traversal: N
Status: Active
Outbound ESP SAs
SPI: 3946387440 (0xeb3917f0)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843193/3036
Max sent sequence-number: 46
Encapsulation used for NAT traversal: N
Status: Active
<fz2-h3c-R20>
<fz2-h3c-R20>dis ipse sa brief
Interface/Global Dst Address SPI Protocol Status
GE1/0 202.1.1.1 3946387440 ESP Active
GE1/0 204.1.1.2 3776727379 ESP Active
<fz2-h3c-R20>
<fz2-h3c-R20>dis ipse sa count
Total IPsec SAs count: 2
<fz2-h3c-R20>
<fz2-h3c-R20>dis acl all
Advanced IPv4 ACL 3000, 2 rules,
NAT
ACL's step is 5
rule 0 deny ip source 192.168.100.1 0 destination 192.168.1.1 0
rule 100 permit ip
Advanced IPv4 ACL 3001, 1 rule,
ipsec
ACL's step is 5
rule 0 permit ip source 192.168.100.1 0 destination 192.168.1.1 0 (59 times matched)
<fz2-h3c-R20>
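A quick way to confirm that each pair of ESP SAs in the outputs above really belongs to the same tunnel is to cross-check SPIs: the Ruijie inbound SPI must be the H3C outbound SPI and vice versa (0xc857c37a / 0x3870545e for branch 1, 0xeb3917f0 / 0xe11c4953 for branch 2). The script below is an added example, not part of the original write-up or any vendor tool. It parses abridged copies of the Ruijie `show crypto ipsec sa` and H3C `display ipsec sa` output from this page, pairs each Ruijie sub_map with its branch by the remote ident, and reports any mismatch.

```python
"""Confirm that both ends of each tunnel share the same ESP SA pair by
cross-checking SPIs between the Ruijie 'show crypto ipsec sa' output and the
H3C 'display ipsec sa' output.

Added example, not part of the original write-up. The sample outputs are
abridged copies of the captures above; the parsers are this editor's own and
handle just the two formats shown on this page.
"""
from __future__ import annotations

import re

# Ruijie prints "spi:0xc857c37a (3361194874)", H3C prints "SPI: 946885726 (0x3870545e)".
SPI_RE = re.compile(r"spi:\s*(0x[0-9a-f]+)|SPI:\s*\d+\s+\((0x[0-9a-f]+)\)", re.I)


def parse_esp_spis(output: str) -> dict[str, int]:
    """Return {'inbound': spi, 'outbound': spi} for one SA pair. Both vendors
    print a direction header followed, a line later, by the SPI."""
    direction, spis = None, {}
    for line in output.splitlines():
        low = line.strip().lower()
        if low.startswith("inbound esp sa"):
            direction = "inbound"
        elif low.startswith("outbound esp sa"):
            direction = "outbound"
        elif direction:
            m = SPI_RE.search(line)
            if m:
                spis[direction] = int(m.group(1) or m.group(2), 16)
                direction = None
    return spis


def parse_ruijie_submaps(output: str) -> dict[str, dict[str, int]]:
    """Split the Ruijie output at its '=====' separators into one sub_map per
    peer, keyed by the remote ident host (the branch's inside address)."""
    result = {}
    for section in re.split(r"^=+\s*$", output, flags=re.M)[1:]:
        m = re.search(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/", section)
        if m:
            result[m.group(1)] = parse_esp_spis(section)
    return result


def _fmt(spi: int | None) -> str:
    return "missing" if spi is None else f"{spi:#010x}"


def check_tunnel(hq: dict[str, int], branch: dict[str, int]) -> list[str]:
    """HQ inbound must equal branch outbound and vice versa."""
    problems = []
    if hq.get("inbound") != branch.get("outbound"):
        problems.append(f"HQ inbound SPI {_fmt(hq.get('inbound'))} != "
                        f"branch outbound {_fmt(branch.get('outbound'))}")
    if hq.get("outbound") != branch.get("inbound"):
        problems.append(f"HQ outbound SPI {_fmt(hq.get('outbound'))} != "
                        f"branch inbound {_fmt(branch.get('inbound'))}")
    return problems


# Abridged from the captures in sections 4.1 to 4.3.
R12_SHOW_CRYPTO_IPSEC_SA = """Crypto map tag:1
local ipv4 addr 202.1.1.1
==================================
sub_map type:static, seqno:1, id=1
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.10.1/0.0.0.0/0/0))
Inbound esp sas:
spi:0xc857c37a (3361194874)
transform: esp-3des esp-md5-hmac
Outbound esp sas:
spi:0x3870545e (946885726)
transform: esp-3des esp-md5-hmac
==================================
sub_map type:static, seqno:2, id=2
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.100.1/0.0.0.0/0/0))
Inbound esp sas:
spi:0xeb3917f0 (3946387440)
Outbound esp sas:
spi:0xe11c4953 (3776727379)
"""
R14_DISPLAY_IPSEC_SA = """Interface: GigabitEthernet1/0
IPsec policy: 1
Inbound ESP SAs
SPI: 946885726 (0x3870545e)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
Outbound ESP SAs
SPI: 3361194874 (0xc857c37a)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
"""
R20_DISPLAY_IPSEC_SA = """Interface: GigabitEthernet1/0
IPsec policy: 1
Inbound ESP SAs
SPI: 3776727379 (0xe11c4953)
Outbound ESP SAs
SPI: 3946387440 (0xeb3917f0)
"""


def run_checks() -> dict[str, list[str]]:
    """Compare each HQ sub_map with its branch; empty lists mean the SAs match."""
    hq = parse_ruijie_submaps(R12_SHOW_CRYPTO_IPSEC_SA)
    return {
        "fz1": check_tunnel(hq["192.168.10.1"], parse_esp_spis(R14_DISPLAY_IPSEC_SA)),
        "fz2": check_tunnel(hq["192.168.100.1"], parse_esp_spis(R20_DISPLAY_IPSEC_SA)),
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "SPIs match" if not problems else problems)
```

The same SPIs appear in decimal in `display ipsec sa brief`, where the row whose Dst Address is 202.1.1.1 is the branch's outbound SA. Both outputs also print the negotiated transform (3DES-CBC with MD5) and the IKE SA shows DH group 2; the check above confirms only that the two sides agree on these legacy algorithms.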

5 Problems and solutions

5.1 Problem 1: errors on the Ruijie router

IPsec log messages on the Ruijie router and their resolution:

rujie-R12(config)# *Apr 3 14:16:57: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:02: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:10: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:21: %IPSEC-4-ISAKMP_RETRANSMIT_FAILED: Local:202.1.1.1 Peer:203.1.1.2, responder send out main mode fourth packet, wait fifth packet failed, please check the network.
rujie-R12(config)# *Apr 3 14:17:27: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:17:45: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:18:00: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:18:28: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)# *Apr 3 14:18:33: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#
rujie-R12(config)#*Apr 3 14:18:40: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#sh ru*Apr 3 14:18:46: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#sh ru*Apr 3 14:18:52: %IPSEC-4-ISAKMP_RETRANSMIT_FAILED: Local:202.1.1.1 Peer:203.1.1.2, initiator send out quick mode first packet, wait second packet failed, please check the configure of transform set and acl.

Solution:

The ike profile on the branch originally carried a local-identity of 202.1.1.1, which is the HQ address rather than the branch's own. That is exactly the "ID in packet is 202.1.1.1" that the Ruijie side rejects in the log above:

ike profile 1
 keychain 1
 local-identity address 202.1.1.1
 proposal 1

Resolved after changing it to match remote identity address 202.1.1.1 255.255.255.255:

ike profile 1
 keychain 1
 match remote identity address 202.1.1.1 255.255.255.255
 proposal 1
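The log burst above is an identity mismatch: the peer at 203.1.1.2 presents 202.1.1.1, HQ's own address, as its IKE ID, main mode never completes, and the later ISAKMP_NO_SA and RECV_NOTICE messages are the fallout. The script below is an added example, not part of the original write-up or a Ruijie tool. It parses the log lines copied from this page, counts messages per mnemonic, and turns the ID failure into the finding that matches the fix applied on the H3C side; the local address 202.1.1.1 is taken from the configuration above and passed in as a parameter.

```python
"""Classify the Ruijie IKE log messages from section 5.1 and point at the
cause of the CHECK_ISAKMP_ID_FAILED messages.

Added example, not part of the original write-up. The log lines are copied
from the page; the parsing and the diagnosis rule are this editor's own.
"""
from __future__ import annotations

import re
from collections import Counter

# "%IPSEC-<severity>-<mnemonic>: <text>", wherever it sits on the line: the
# captures above have the CLI prompt and half-typed commands in front of it.
SYSLOG_RE = re.compile(r"%IPSEC-(\d)-([A-Z_]+):\s*(.*?)\s*$")
ID_FAIL_RE = re.compile(r"peer address:(\S+), but ID in packet is (\S+),")
LOCAL_PEER_RE = re.compile(r"Local:(\S+) Peer:(\S+),")
FROM_RE = re.compile(r"IKE message from (\S+) ")


def parse_line(line: str) -> dict[str, str] | None:
    """Return severity, mnemonic, peer and (for ID failures) the offered ID."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    severity, mnemonic, text = m.groups()
    event = {"severity": severity, "mnemonic": mnemonic, "text": text}
    if mm := ID_FAIL_RE.search(text):
        event["peer"], event["offered_id"] = mm.groups()
    elif mm := LOCAL_PEER_RE.search(text):
        event["local"], event["peer"] = mm.groups()
    elif mm := FROM_RE.search(text):
        event["peer"] = mm.group(1)
    return event


def summarize(log: str, local_address: str) -> dict:
    """Count messages per mnemonic and turn ID failures into findings.
    local_address is this router's own IKE address (202.1.1.1 in this lab)."""
    events = [e for e in map(parse_line, log.splitlines()) if e]
    findings = set()
    for e in events:
        if e["mnemonic"] != "CHECK_ISAKMP_ID_FAILED":
            continue
        if e["offered_id"] == local_address:
            # The peer presents OUR address as ITS identity: the remote side's
            # local identity is misconfigured (the H3C local-identity case above).
            findings.add(f"peer {e['peer']} identifies itself with our own address "
                         f"{local_address}: its local IKE identity is misconfigured")
        else:
            findings.add(f"peer {e['peer']} identifies itself as {e['offered_id']}: "
                         "the address-based identity check on this side does not match")
    return {
        "counts": dict(Counter(e["mnemonic"] for e in events)),
        "peers": sorted({e["peer"] for e in events if "peer" in e}),
        "findings": sorted(findings),
    }


# Copied from the capture in section 5.1, prompt noise included on purpose.
R12_LOG = """rujie-R12(config)# *Apr 3 14:16:57: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:02: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:10: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:21: %IPSEC-4-ISAKMP_RETRANSMIT_FAILED: Local:202.1.1.1 Peer:203.1.1.2, responder send out main mode fourth packet, wait fifth packet failed, please check the network.
rujie-R12(config)# *Apr 3 14:17:27: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:17:45: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:18:00: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:18:28: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)# *Apr 3 14:18:33: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#
rujie-R12(config)#*Apr 3 14:18:40: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#sh ru*Apr 3 14:18:46: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#sh ru*Apr 3 14:18:52: %IPSEC-4-ISAKMP_RETRANSMIT_FAILED: Local:202.1.1.1 Peer:203.1.1.2, initiator send out quick mode first packet, wait second packet failed, please check the configure of transform set and acl.
"""


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(R12_LOG, "202.1.1.1"))
```

The last RETRANSMIT_FAILED line is worth reading separately: it is a quick mode (phase 2) timeout with the router's own hint about transform set and ACL, so once the identity fix lets main mode complete, the checks from sections 2 and 4 (mirrored interesting-traffic ACLs, matching transform) are what to verify next.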