MS36-20 IPsec peering problem
Problem description:
When two V7 routers are peered over IPSEC, running dis ipsec sa shows two identical SAs for the same ipsec policy node. Why is that?
<H3C>dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 1.119.54.82
remote address: 211.102.210.122
Flow:
sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1112980996 (0x4256be04)
Connection ID: 3371549327360
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/149
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4087633032 (0xf3a45488)
Connection ID: 3165390897166
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/149
Max sent sequence-number: 12
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 5
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 1.119.54.82
remote address: 211.102.210.122
Flow:
sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.102.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3205575571 (0xbf113393)
Connection ID: 1842540969986
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2995
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4087633033 (0xf3a45489)
Connection ID: 3921305141258
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2995
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 1.119.54.82
remote address: 211.102.210.122
Flow:
sour addr: 192.168.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1469134788 (0x579137c4)
Connection ID: 1584842932244
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3149
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4087633034 (0xf3a4548a)
Connection ID: 622770257941
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3149
Max sent sequence-number: 3
UDP encapsulation used for NAT traversal: N
Status: Active
Also, even with both the IKE SA and the IPsec SA established, there is still an error message: *May 19 20:31:12:968
Best answer (accepted), by 风干工程师肉干要不要:
The first SA's lifetime is almost up, with only 149 seconds remaining, so it looks like a new SA has been renegotiated; the second SA still has 3149 seconds left, which means it was established only a short time ago.
For the second question, the detailed debug output needs to be looked at. It looks like another node is sending a setup request to this end that is not getting through.
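To make the reasoning in the accepted answer repeatable, here is a small checker (added here, not from the thread or from H3C) that parses dis ipsec sa output like the one above, groups entries by policy, sequence number and flow, and separates a rekey overlap (one SA about to expire beside one that is fresh) from a genuine duplicate. The 300-second cut-off and the trimmed sample text are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: entries 1 and 3 of the question's output, trimmed to the fields read here.
SAMPLE = """\
IPsec policy: map1
Sequence number: 10
    sour addr: 192.168.4.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip
    SA remaining duration (kilobytes/sec): 1843200/149
    SA remaining duration (kilobytes/sec): 1843199/149
IPsec policy: map1
Sequence number: 10
    sour addr: 192.168.4.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip
    SA remaining duration (kilobytes/sec): 1843200/3149
"""
FIELD = re.compile(r"^\s*(IPsec policy|Sequence number|sour addr|dest addr"
                   r"|SA remaining duration \(kilobytes/sec\)):\s*(\S+)")

def parse_sa_entries(text):
    """One dict per policy entry; 'remaining' = fewest seconds left among its SAs."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "IPsec policy":
            entries.append({"policy": val, "remaining": float("inf")})
        elif key.startswith("SA remaining"):
            secs = int(val.split("/")[1])  # seconds half of "kilobytes/sec"
            entries[-1]["remaining"] = min(entries[-1]["remaining"], secs)
        else:
            entries[-1][key] = val
    return entries

def classify_duplicates(entries, rekey_window=300):
    """Group by (policy, seq, src, dst); label groups with more than one entry.
    rekey_window (seconds) is an assumed cut-off between an expiring and a fresh SA."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["policy"], e["Sequence number"], e["sour addr"], e["dest addr"])].append(e)
    report = {}
    for key, ents in groups.items():
        if len(ents) > 1:
            expiring = any(e["remaining"] <= rekey_window for e in ents)
            fresh = any(e["remaining"] > rekey_window for e in ents)
            kind = "rekey-overlap" if expiring and fresh else "unexpected-duplicate"
            report[key] = (kind, sorted(e["remaining"] for e in ents))
    return report
```

A "rekey-overlap" result is the normal situation the answer describes; an "unexpected-duplicate" (two SAs for one flow with no expiring one) is worth a closer look at the IKE debug output.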
First: if both exist at the same time, will that affect IPsec? Second: indeed, the debug output does contain *May 19 20:31:14:978