1 Network topology

- HQ and both branches each have a single link to the Internet; NAT gives each site Internet access and an IPsec VPN carries the traffic between the sites' internal networks.
- HQ uses a Ruijie router; branch 1 and branch 2 use H3C routers. Each branch builds its own IPsec tunnel to HQ (crypto map entries 1 and 2 on the Ruijie side). The loopbacks 192.168.1.1, 192.168.10.1 and 192.168.100.1 stand in for the three sites' internal networks.
- The lab negotiates IKEv1 main mode with 3DES, MD5, DH group 2 and the pre-shared keys 123 and 123456. All of these are deprecated and acceptable only in a lab; a production deployment should use AES, SHA-2, DH group 14 or higher, and a long random PSK or certificates.
2 Device configuration
2.1 HQ: R11 configuration
hostname R11
!
interface GigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback 0
ip address 192.168.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
2.2 HQ: zb-ruijie-R12 configuration (NAT and IPsec)
hostname zb-ruijie-R12
!
ip access-list extended 100 //IPsec interesting traffic (crypto ACL) for branch 1
10 permit ip host 192.168.1.1 host 192.168.10.1
!
ip access-list extended 110 //NAT ACL: deny the VPN flow so it is not translated, permit everything else
10 deny ip host 192.168.1.1 host 192.168.10.1
15 permit ip host 192.168.1.1 any
!
ip nat inside source list 110 interface GigabitEthernet 0/1 overload
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
hash md5
group 2
!
crypto isakmp keepalive 5 periodic
!
crypto isakmp key 0 123 address 203.1.1.2
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map 1 1 ipsec-isakmp
set peer 203.1.1.2
set transform-set 1
match address 100
!
interface GigabitEthernet 0/0
ip address 1.1.1.2 255.255.255.0
ip nat inside
!
interface GigabitEthernet 0/1
ip address 202.1.1.1 255.255.255.0
crypto map 1
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.1.1.2
ip route 192.168.1.1 255.255.255.255 1.1.1.1
!
2.3 ISP configuration
hostname ISP
!
interface GigabitEthernet 0/0
ip address 203.1.1.1 255.255.255.0
!
interface GigabitEthernet 0/1
ip address 202.1.1.2 255.255.255.0
!
interface GigabitEthernet 0/2
ip address 204.1.1.1 255.255.255.0
!
interface Loopback 0
ip address 8.8.8.8 255.255.255.255
!
2.4 Branch 1: fz1-h3c-R14 configuration (NAT and IPsec)
sysname fz1-h3c-R14
ip unreachables enable
ip ttl-expires enable
lldp global enable
interface GigabitEthernet1/0
port link-mode route
ip address 203.1.1.2 255.255.255.0
nat outbound 3000
ipsec apply policy 1
interface GigabitEthernet2/0
port link-mode route
ip address 2.2.2.2 255.255.255.0
ip route-static 0.0.0.0 0 203.1.1.1
ip route-static 192.168.10.1 32 2.2.2.1
acl advanced 3000
description NAT
rule 0 deny ip source 192.168.10.1 0 destination 192.168.1.1 0
rule 100 permit ip
acl advanced 3001
description ipsec
rule 0 permit ip source 192.168.10.1 0 destination 192.168.1.1 0
ike keychain 1
pre-shared-key address 202.1.1.1 255.255.255.255 key simple 123
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
ike profile 1
keychain 1
match remote identity address 202.1.1.1 255.255.255.255
proposal 1
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy 1 1 isakmp
transform-set 1
security acl 3001
remote-address 202.1.1.1
ike-profile 1
2.5 Branch 1: R15 configuration
hostname R15
!
interface GigabitEthernet 0/0
ip address 2.2.2.1 255.255.255.0
!
interface Loopback 0
ip address 192.168.10.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
2.6 Branch 2: fz2-h3c-R20 configuration (NAT and IPsec)
sysname fz2-h3c-R20
ip unreachables enable
ip ttl-expires enable
lldp global enable
interface GigabitEthernet1/0
port link-mode route
ip address 204.1.1.2 255.255.255.0
nat outbound 3000
ipsec apply policy 1
interface GigabitEthernet2/0
port link-mode route
ip address 3.3.3.2 255.255.255.0
ip route-static 0.0.0.0 0 204.1.1.1
ip route-static 192.168.100.1 32 3.3.3.1
acl advanced 3000
description NAT
rule 0 deny ip source 192.168.100.1 0 destination 192.168.1.1 0
rule 100 permit ip
acl advanced 3001
description ipsec
rule 0 permit ip source 192.168.100.1 0 destination 192.168.1.1 0
ike keychain 1
pre-shared-key address 202.1.1.1 255.255.255.255 key simple 123456
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
ike profile 1
keychain 1
match remote identity address 202.1.1.1 255.255.255.255
proposal 1
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy 1 1 isakmp
transform-set 1
security acl 3001
remote-address 202.1.1.1
ike-profile 1
2.7 Branch 2: R21 configuration
hostname R21
!
interface GigabitEthernet 0/0
ip address 3.3.3.1 255.255.255.0
!
interface Loopback 0
ip address 192.168.100.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 3.3.3.2
!
2.8 HQ: zb-ruijie-R12 additional configuration for branch 2 (NAT and IPsec)
hostname zb-ruijie-R12
!
ip access-list extended 101 //added: IPsec interesting traffic for branch 2
10 permit ip host 192.168.1.1 host 192.168.100.1
!
ip access-list extended 110 //existing NAT ACL: one rule added so the branch 2 flow is not translated
11 deny ip host 192.168.1.1 host 192.168.100.1
!
crypto isakmp policy 1 //if the IKE proposal is the same as for branch 1, nothing needs to be added; ignore this block
encryption 3des
authentication pre-share
hash md5
group 2
!
crypto isakmp keepalive 5 periodic
!
crypto isakmp key 0 123456 address 204.1.1.2
crypto ipsec transform-set 1 esp-3des esp-md5-hmac //if the IPsec transform set is the same as for branch 1, nothing needs to be added; ignore this line
!
crypto map 1 2 ipsec-isakmp
set peer 204.1.1.2
set transform-set 1
match address 101
!
interface GigabitEthernet 0/0 //unchanged, nothing to add
ip address 1.1.1.2 255.255.255.0
ip nat inside
!
interface GigabitEthernet 0/1
ip address 202.1.1.1 255.255.255.0
crypto map 1
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.1.1.2
ip route 192.168.1.1 255.255.255.255 1.1.1.1
!
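The configs above rely on two things that are easy to get wrong when a second branch is added: the HQ crypto ACL for each entry must be the exact mirror of the branch's security ACL, and every flow a crypto ACL selects must be denied in the same router's NAT ACL. The script below is an added example for this page (not Ruijie or H3C code): it transcribes the ACLs from sections 2.2 to 2.8 as data, checks both properties, and then classifies a few constructed packets the way the HQ router would. The order it assumes on the inside-to-outside path, NAT first and then the crypto map on the outside interface, is the reason the deny rules exist; the 202.1.1.1 translation address is HQ's outside interface.

```python
"""ACL consistency check for the NAT + IPsec configs in section 2 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr: str) -> IPv4Net:
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def acl_match(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First-match evaluation; None is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return None


# zb-ruijie-R12: crypto map 1 seq 1 -> ACL 100, seq 2 -> ACL 101, NAT list 110
HQ_CRYPTO: Dict[int, List[Rule]] = {
    1: [Rule("permit", host("192.168.1.1"), host("192.168.10.1"))],
    2: [Rule("permit", host("192.168.1.1"), host("192.168.100.1"))],
}
HQ_NAT = [
    Rule("deny", host("192.168.1.1"), host("192.168.10.1")),
    Rule("deny", host("192.168.1.1"), host("192.168.100.1")),
    Rule("permit", host("192.168.1.1"), ANY),
]
# fz1-h3c-R14: acl 3001 (security acl) and acl 3000 (nat outbound)
BR1_CRYPTO = [Rule("permit", host("192.168.10.1"), host("192.168.1.1"))]
BR1_NAT = [Rule("deny", host("192.168.10.1"), host("192.168.1.1")), Rule("permit", ANY, ANY)]
# fz2-h3c-R20: same shape for 192.168.100.1
BR2_CRYPTO = [Rule("permit", host("192.168.100.1"), host("192.168.1.1"))]
BR2_NAT = [Rule("deny", host("192.168.100.1"), host("192.168.1.1")), Rule("permit", ANY, ANY)]


def is_mirror(a: List[Rule], b: List[Rule]) -> bool:
    """True when b is a with src and dst swapped, rule for rule (IKEv1 quick mode needs this)."""
    return [(r.action, r.src, r.dst) for r in a] == [(r.action, r.dst, r.src) for r in b]


def nat_exempt(crypto: List[Rule], nat: List[Rule]) -> bool:
    """Every flow the crypto ACL selects must hit a deny in the NAT ACL.
    The lab rules are /32, so probing the network address is exhaustive."""
    return all(
        acl_match(nat, str(r.src.network_address), str(r.dst.network_address)) == "deny"
        for r in crypto if r.action == "permit")


def classify(crypto: Dict[int, List[Rule]], nat: List[Rule], src: str, dst: str,
             nat_global: str = "202.1.1.1") -> Tuple[bool, Optional[int]]:
    """Inside-to-outside path on the HQ router, assumed order: NAT first, then the
    crypto map on the outside interface sees the (possibly translated) packet.
    Returns (was_translated, crypto_map_seq_or_None); None means cleartext."""
    translated = acl_match(nat, src, dst) == "permit"
    if translated:
        src = nat_global
    for seq, acl in crypto.items():
        if acl_match(acl, src, dst) == "permit":
            return translated, seq
    return translated, None


def lab_is_consistent() -> bool:
    return (is_mirror(HQ_CRYPTO[1], BR1_CRYPTO) and is_mirror(HQ_CRYPTO[2], BR2_CRYPTO)
            and all(nat_exempt(c, HQ_NAT) for c in HQ_CRYPTO.values())
            and nat_exempt(BR1_CRYPTO, BR1_NAT) and nat_exempt(BR2_CRYPTO, BR2_NAT))


if __name__ == "__main__":
    print("consistent:", lab_is_consistent())
    print("to branch 1:", classify(HQ_CRYPTO, HQ_NAT, "192.168.1.1", "192.168.10.1"))
    print("to internet:", classify(HQ_CRYPTO, HQ_NAT, "192.168.1.1", "8.8.8.8"))
    # Without the deny rules the packet is translated to 202.1.1.1, no longer
    # matches ACL 100, and leaves the outside interface in cleartext.
    broken_nat = [r for r in HQ_NAT if r.action != "deny"]
    print("no exemption:", classify(HQ_CRYPTO, broken_nat, "192.168.1.1", "192.168.10.1"))
```

The last call is the failure mode worth remembering: a missing NAT deny does not produce an error, the traffic simply matches the overload rule, is translated, misses the crypto ACL and is forwarded to the ISP unencrypted.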
3 Service tests
3.1 HQ R11 tests
R11#ping 192.168.10.1 source 192.168.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.10.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms.
R11#
R11#
R11#ping 192.168.100.1 source 192.168.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.100.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms.
R11#
R11#traceroute 192.168.10.1 source 192.168.1.1
< press Ctrl+C to break >
Tracing the route to 192.168.10.1
1 1.1.1.2 1 msec <1 msec <1 msec
2 1.1.1.2 <1 msec <1 msec <1 msec
3 192.168.10.1 7 msec 5 msec 4 msec
R11#
R11#
R11#traceroute 192.168.100.1 source 192.168.1.1
< press Ctrl+C to break >
Tracing the route to 192.168.100.1
1 1.1.1.2 1 msec <1 msec <1 msec
2 1.1.1.2 <1 msec <1 msec <1 msec
3 192.168.100.1 14 msec 8 msec 5 msec
R11#
3.2 Branch 1 R15 tests
R15#ping 192.168.1.1 source 192.168.10.1
Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/13 ms.
R15#
R15#traceroute 192.168.1.1 source 192.168.10.1
< press Ctrl+C to break >
Tracing the route to 192.168.1.1
1 2.2.2.2 3 msec <1 msec <1 msec
2 * * *
3 192.168.1.1 10 msec 5 msec 3 msec
R15#
R15#
3.3 Branch 2 R21 tests
R21#ping 192.168.1.1 source 192.168.100.1
Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/24 ms.
R21#
R21#
R21#traceroute 192.168.1.1 source 192.168.100.1
< press Ctrl+C to break >
Tracing the route to 192.168.1.1
1 3.3.3.2 1 msec <1 msec <1 msec
2 * * *
3 192.168.1.1 14 msec 5 msec 3 msec
R21#
4 Device status
4.1 HQ zb-ruijie-R12: NAT and IPsec status
zb-ruijie-R12#show crypto isakmp sa
destination source state conn-id lifetime(second)
204.1.1.2 202.1.1.1 IKE_IDLE 1 86192
203.1.1.2 202.1.1.1 IKE_IDLE 3 85188
zb-ruijie-R12#show crypto ipsec sa
Crypto map tag:1
local ipv4 addr 202.1.1.1
media mtu 1500
==================================
sub_map type:static, seqno:1, id=1
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.10.1/0.0.0.0/0/0))
PERMIT
#pkts encaps: 20603, #pkts encrypt: 20603, #pkts digest 20603
#pkts decaps: 20603, #pkts decrypt: 20603, #pkts verify 20603
#send errors 0, #recv errors 0
pkts encaps errors:
#negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
pkts decypto errors:
#check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
#pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
Inbound esp sas:
spi:0xc857c37a (3361194874)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 1
sa timing: remaining key lifetime (k/sec): (1835795/2388)
zb-ruijie-R12#
zb-ruijie-R12#show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: Three key triple DES.
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds
zb-ruijie-R12# show crypto ipsec sa
Crypto map tag:1
local ipv4 addr 202.1.1.1
media mtu 1500
==================================
sub_map type:static, seqno:1, id=1
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.10.1/0.0.0.0/0/0))
PERMIT
#pkts encaps: 21042, #pkts encrypt: 21042, #pkts digest 21042
#pkts decaps: 21042, #pkts decrypt: 21042, #pkts verify 21042
#send errors 0, #recv errors 0
pkts encaps errors:
#negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
pkts decypto errors:
#check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
#pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
Inbound esp sas:
spi:0xc857c37a (3361194874)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 1
sa timing: remaining key lifetime (k/sec): (1835638/2342)
IV size: 0 bytes
Replay detection support:Y
Outbound esp sas:
spi:0x3870545e (946885726)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 1
sa timing: remaining key lifetime (k/sec): (1835638/2342)
IV size: 0 bytes
Replay detection support:Y
==================================
sub_map type:static, seqno:2, id=2
local ident (addr/mask/prot/port): (192.168.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (192.168.100.1/0.0.0.0/0/0))
PERMIT
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest 28
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify 28
#send errors 0, #recv errors 0
pkts encaps errors:
#negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
pkts decypto errors:
#check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
#pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
Inbound esp sas:
spi:0xeb3917f0 (3946387440)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 2
sa timing: remaining key lifetime (k/sec): (2103309/3346)
IV size: 0 bytes
Replay detection support:Y
Outbound esp sas:
spi:0xe11c4953 (3776727379)
transform: esp-3des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map 1 2
sa timing: remaining key lifetime (k/sec): (2103309/3346)
IV size: 0 bytes
Replay detection support:Y
zb-ruijie-R12#
zb-ruijie-R12#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.1.1.1:8192 192.168.1.1:8192 8.8.8.8 8.8.8.8
zb-ruijie-R12#
zb-ruijie-R12#
4.2 Branch 1 fz1-h3c-R14: NAT and IPsec status
<fz1-h3c-R14>dis ike sa
Connection-ID Local Remote Flag DOI
8 203.1.1.2 202.1.1.1/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>dis ike sa ?
> Redirect it to a file
>> Redirect it to a file in append mode
count Display the count of IKE SAs
verbose Detailed information
| Matching output
<cr>
<fz1-h3c-R14>dis ike sa v
<fz1-h3c-R14>dis ike sa verbose ?
> Redirect it to a file
>> Redirect it to a file in append mode
connection-id Specify SAs by connection ID
remote-address Specify IKE SAs by remote address
| Matching output
<cr>
<fz1-h3c-R14>dis ike sa verbose
Connection ID: 8
Outside VPN:
Inside VPN:
Profile: 1
Transmitting entity: Initiator
Initiator cookie: 14f1f68625eedb17
Responder cookie: d4da3116531f6709
Tcp encaps: Disabled
Local IP/port: 203.1.1.2/500
Local ID type: IPV4_ADDR
Local ID: 203.1.1.2
Remote IP/port: 202.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 202.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 84926
Exchange-mode: Main
Diffie-Hellman group: Group 2
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>dis ike sa co
<fz1-h3c-R14>dis ike sa count
Total: 1
Established: 1
Negotiating: 0
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>dis ipsec sa
Interface: GigabitEthernet1/0
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
Tunnel id: 1
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
IPsec over tcp: Disabled
IPsec over tcp mode: --
Tunnel:
local address/port: 203.1.1.2/500
remote address/port: 202.1.1.1/500
Flow:
sour addr: 192.168.10.1/255.255.255.255 port: 0 protocol: ip
dest addr: 192.168.1.1/255.255.255.255 port: 0 protocol: ip
Inbound ESP SAs
SPI: 946885726 (0x3870545e)
Connection ID: 12884901891
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1840151/2109
Max received sequence-number: 22951
Anti-replay check enable: Y
Anti-replay window size: 64
Encapsulation used for NAT traversal: N
Status: Active
Outbound ESP SAs
SPI: 3361194874 (0xc857c37a)
Connection ID: 12884901890
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1840152/2109
Max sent sequence-number: 22948
Encapsulation used for NAT traversal: N
Status: Active
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>dis ipsec sa ?
> Redirect it to a file
>> Redirect it to a file in append mode
brief Display brief information about all IPsec SAs
count Display SA count
interface Specify an interface
ipv6-policy Specify an IPv6 IPsec policy
policy Specify an IPv4 IPsec policy
profile Specify an IPsec profile
remote Specify a remote peer
| Matching output
<cr>
<fz1-h3c-R14>dis ipsec sa b
<fz1-h3c-R14>dis ipsec sa brief
Interface/Global Dst Address SPI Protocol Status
GE1/0 202.1.1.1 3361194874 ESP Active
GE1/0 203.1.1.2 946885726 ESP Active
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>dis ipsec sa brief co
<fz1-h3c-R14>dis ipsec sa co
<fz1-h3c-R14>dis ipsec sa count
Total IPsec SAs count: 2
<fz1-h3c-R14>
<fz1-h3c-R14>
<fz1-h3c-R14>dis acl all
Advanced IPv4 ACL 3000, 2 rules,
NAT
ACL's step is 5
rule 0 deny ip source 192.168.10.1 0 destination 192.168.1.1 0 (124 times matched)
rule 100 permit ip (3 times matched)
Advanced IPv4 ACL 3001, 1 rule,
ipsec
ACL's step is 5
rule 0 permit ip source 192.168.10.1 0 destination 192.168.1.1 0 (24406 times matched)
<fz1-h3c-R14>
4.3 Branch 2 fz2-h3c-R20: NAT and IPsec status
<fz2-h3c-R20>dis ike sa
Connection-ID Local Remote Flag DOI
1 204.1.1.2 202.1.1.1/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>dis ike sa ver
Connection ID: 1
Outside VPN:
Inside VPN:
Profile: 1
Transmitting entity: Responder
Initiator cookie: 59407f6e6930ac88
Responder cookie: bae88cdc37b2d216
Tcp encaps: Disabled
Local IP/port: 204.1.1.2/500
Local ID type: IPV4_ADDR
Local ID: 204.1.1.2
Remote IP/port: 202.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 202.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 85846
Exchange-mode: Main
Diffie-Hellman group: Group 2
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>dis ike sa co
<fz2-h3c-R20>dis ike sa count
Total: 1
Established: 1
Negotiating: 0
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>dis ipse sa
Interface: GigabitEthernet1/0
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1444
IPsec over tcp: Disabled
IPsec over tcp mode: --
Tunnel:
local address/port: 204.1.1.2/500
remote address/port: 202.1.1.1/500
Flow:
sour addr: 192.168.100.1/255.255.255.255 port: 0 protocol: ip
dest addr: 192.168.1.1/255.255.255.255 port: 0 protocol: ip
Inbound ESP SAs
SPI: 3776727379 (0xe11c4953)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843193/3036
Max received sequence-number: 49
Anti-replay check enable: Y
Anti-replay window size: 64
Encapsulation used for NAT traversal: N
Status: Active
Outbound ESP SAs
SPI: 3946387440 (0xeb3917f0)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843193/3036
Max sent sequence-number: 46
Encapsulation used for NAT traversal: N
Status: Active
<fz2-h3c-R20>
<fz2-h3c-R20>dis ipse sa brief
Interface/Global Dst Address SPI Protocol Status
GE1/0 202.1.1.1 3946387440 ESP Active
GE1/0 204.1.1.2 3776727379 ESP Active
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>dis ipse sa co
<fz2-h3c-R20>dis ipse sa count
Total IPsec SAs count: 2
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>
<fz2-h3c-R20>dis acl all
Advanced IPv4 ACL 3000, 2 rules,
NAT
ACL's step is 5
rule 0 deny ip source 192.168.100.1 0 destination 192.168.1.1 0
rule 100 permit ip
Advanced IPv4 ACL 3001, 1 rule,
ipsec
ACL's step is 5
rule 0 permit ip source 192.168.100.1 0 destination 192.168.1.1 0 (59 times matched)
<fz2-h3c-R20>
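An IPsec SA is unidirectional and identified by its SPI, so the SPI HQ reports as inbound for a crypto-map entry must be the one the branch reports as outbound towards HQ, and vice versa; comparing the two outputs above by hand is how the state in section 4 is confirmed. The script below is an added example (not vendor code) that does the comparison from the `show crypto ipsec sa` and `display ipsec sa brief` outputs: the sample strings are the relevant lines copied from sections 4.1 to 4.3, and a mismatch or a second SA in the same direction is what a stale SA left behind by a rekey or a one-sided reset looks like.

```python
"""Cross-check ESP SPIs between HQ (Ruijie) and each branch (H3C). Added example."""
import re
from typing import Dict

# Trimmed from zb-ruijie-R12 'show crypto ipsec sa' (section 4.1).
RUIJIE_SA = """\
sub_map type:static, seqno:1, id=1
remote ident (addr/mask/prot/port): (192.168.10.1/0.0.0.0/0/0))
Inbound esp sas:
spi:0xc857c37a (3361194874)
Outbound esp sas:
spi:0x3870545e (946885726)
sub_map type:static, seqno:2, id=2
remote ident (addr/mask/prot/port): (192.168.100.1/0.0.0.0/0/0))
Inbound esp sas:
spi:0xeb3917f0 (3946387440)
Outbound esp sas:
spi:0xe11c4953 (3776727379)
"""
# 'display ipsec sa brief' from fz1-h3c-R14 and fz2-h3c-R20 (sections 4.2, 4.3).
H3C_BR1 = """\
Interface/Global Dst Address SPI Protocol Status
GE1/0 202.1.1.1 3361194874 ESP Active
GE1/0 203.1.1.2 946885726 ESP Active
"""
H3C_BR2 = """\
Interface/Global Dst Address SPI Protocol Status
GE1/0 202.1.1.1 3946387440 ESP Active
GE1/0 204.1.1.2 3776727379 ESP Active
"""


def parse_ruijie(text: str) -> Dict[int, Dict[str, int]]:
    """seqno -> {'in': spi, 'out': spi} from the Ruijie output."""
    sas: Dict[int, Dict[str, int]] = {}
    seq, direction = None, None
    for line in text.splitlines():
        if m := re.search(r"seqno:(\d+)", line):
            seq = int(m.group(1))
            sas[seq] = {}
        elif line.startswith("Inbound esp sas"):
            direction = "in"
        elif line.startswith("Outbound esp sas"):
            direction = "out"
        elif m := re.search(r"spi:0x([0-9a-f]+)", line):
            assert seq is not None and direction is not None, "spi before seqno/direction"
            # Two SAs in the same direction for one entry means a stale one survived.
            assert direction not in sas[seq], f"duplicate {direction} SA in seq {seq}"
            sas[seq][direction] = int(m.group(1), 16)
    return sas


def parse_h3c_brief(text: str, local_ip: str) -> Dict[str, int]:
    """{'in': spi, 'out': spi}. In the brief table 'Dst Address' is the tunnel
    destination, so a row whose destination is our own address is the inbound SA."""
    sas: Dict[str, int] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        _, dst, spi, proto, status = line.split()
        if proto != "ESP" or status != "Active":
            continue
        sas["in" if dst == local_ip else "out"] = int(spi)
    return sas


def tunnel_matches(hq: Dict[int, Dict[str, int]], seq: int, branch: Dict[str, int]) -> bool:
    """HQ inbound must equal branch outbound and HQ outbound must equal branch inbound."""
    e = hq.get(seq, {})
    return e.get("in") == branch.get("out") and e.get("out") == branch.get("in")


if __name__ == "__main__":
    hq = parse_ruijie(RUIJIE_SA)
    print("branch 1 <-> seq 1:", tunnel_matches(hq, 1, parse_h3c_brief(H3C_BR1, "203.1.1.2")))
    print("branch 2 <-> seq 2:", tunnel_matches(hq, 2, parse_h3c_brief(H3C_BR2, "204.1.1.2")))
```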
5 Problems and fixes
5.1 Problem 1: IKE identity check failure on the Ruijie router
Messages logged on the Ruijie router while branch 1 tried to bring up the tunnel:
rujie-R12(config)# *Apr 3 14:16:57: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:02: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:10: %IPSEC-4-CHECK_ISAKMP_ID_FAILED: ID type is ID_IPV4_ADDR, peer address:203.1.1.2, but ID in packet is 202.1.1.1, isn't equal, current state:MM_SR2_WI3, MM_VERIFY.
rujie-R12(config)# *Apr 3 14:17:21: %IPSEC-4-ISAKMP_RETRANSMIT_FAILED: Local:202.1.1.1 Peer:203.1.1.2, responder send out main mode fourth packet, wait fifth packet failed, please check the network.
rujie-R12(config)# *Apr 3 14:17:27: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:17:45: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:18:00: %IPSEC-5-ISAKMP_NO_SA: IKE message from 203.1.1.2 has no SA and is not an initialization offer.
rujie-R12(config)# *Apr 3 14:18:28: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)# *Apr 3 14:18:33: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#
rujie-R12(config)#*Apr 3 14:18:40: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#sh ru*Apr 3 14:18:46: %IPSEC-5-RECV_NOTICE: Local:202.1.1.1 Peer:203.1.1.2, invalid id information.
rujie-R12(config)#sh ru*Apr 3 14:18:52: %IPSEC-4-ISAKMP_RETRANSMIT_FAILED: Local:202.1.1.1 Peer:203.1.1.2, initiator send out quick mode first packet, wait second packet failed, please check the configure of transform set and acl.
Cause and fix: the branch H3C ike profile originally contained local-identity address 202.1.1.1, which made the branch announce HQ's own address as its IKE identity:
ike profile 1
keychain 1
local-identity address 202.1.1.1
proposal 1
With ID type ID_IPV4_ADDR the Ruijie router requires the ID in the packet to equal the peer's source address (203.1.1.2), so main mode stopped at MM_VERIFY. Removing the local-identity line (the H3C then uses its own interface address 203.1.1.2 as identity, as the dis ike sa verbose output in 4.2 shows) and adding match remote identity address 202.1.1.1 255.255.255.255 resolved the problem:
ike profile 1
keychain 1
match remote identity address 202.1.1.1 255.255.255.255
proposal 1
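The check that failed above is simple but worth having in front of you when reading the log. The model below is an added example, not Ruijie or H3C code: the responder rule it implements is the one the log text states (with ID type ID_IPV4_ADDR, the ID the peer sends must equal the source address the pre-shared key was selected by), and the branch side is modelled from the two commands on this page, local-identity address overriding the default identity and match remote identity address constraining HQ's identity. A PSK mismatch is modelled as an explicit comparison; on a real device it shows up as a failure to process MM5/MM6. Class and function names are the example's own.

```python
"""Model of the IKEv1 main-mode identity check behind %IPSEC-4-CHECK_ISAKMP_ID_FAILED (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class IdPayload:
    id_type: str  # only "IPV4_ADDR" occurs in this lab
    value: str


@dataclass(frozen=True)
class IkeProfile:
    """H3C 'ike profile' plus the keychain entry it references."""
    name: str
    local_identity: Optional[str]                  # None -> default: sending interface address
    remote_match: Optional[ipaddress.IPv4Network]  # match remote identity address A M, or absent
    psk: str                                       # pre-shared-key address <peer> key simple ...


# zb-ruijie-R12: crypto isakmp key 0 <key> address <peer>
RUIJIE_KEYS: Dict[str, str] = {"203.1.1.2": "123", "204.1.1.2": "123456"}


def h3c_local_id(profile: IkeProfile, local_ip: str) -> IdPayload:
    """Identity the branch puts in MM5: local-identity if set, else its own address."""
    return IdPayload("IPV4_ADDR", profile.local_identity or local_ip)


def ruijie_verify(peer_ip: str, peer_id: IdPayload, peer_psk: str,
                  keys: Dict[str, str] = RUIJIE_KEYS) -> str:
    """Responder side. Returns 'ok' or the reason main mode stops at MM_VERIFY."""
    if peer_ip not in keys:
        # In main mode the PSK is selected by peer address before any ID is seen.
        return f"no pre-shared key configured for {peer_ip}"
    if peer_id.id_type != "IPV4_ADDR":
        return f"unsupported ID type {peer_id.id_type}"
    if peer_id.value != peer_ip:
        # The situation in the log: the H3C sent 202.1.1.1 (HQ's own address)
        # because of 'local-identity address 202.1.1.1'.
        return (f"ID type is ID_IPV4_ADDR, peer address:{peer_ip}, "
                f"but ID in packet is {peer_id.value}, isn't equal")
    if keys[peer_ip] != peer_psk:
        return "pre-shared key mismatch"
    return "ok"


def negotiate(profile: IkeProfile, branch_ip: str, hq_ip: str = "202.1.1.1") -> str:
    """One main-mode attempt from a branch to HQ under the given ike profile."""
    # MM5: the branch sends its ID; HQ verifies it against the peer address.
    result = ruijie_verify(branch_ip, h3c_local_id(profile, branch_ip), profile.psk)
    if result != "ok":
        return "ruijie: " + result
    # MM6: HQ sends its own ID; the branch checks it against 'match remote
    # identity address' when the profile has one (assumed behaviour).
    if profile.remote_match is not None and ipaddress.ip_address(hq_ip) not in profile.remote_match:
        return "h3c: remote identity does not match ike profile"
    return "ok"


HQ_MATCH = ipaddress.ip_network("202.1.1.1/32")
BROKEN = IkeProfile("1", "202.1.1.1", None, "123")  # ike profile 1 before the fix
FIXED = IkeProfile("1", None, HQ_MATCH, "123")      # ike profile 1 after the fix

if __name__ == "__main__":
    print("before:", negotiate(BROKEN, "203.1.1.2"))
    print("after: ", negotiate(FIXED, "203.1.1.2"))
```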