一、检查公网是否可达

操作步骤

1.执行命令行display current-configuration interface GigabitEthernet 1/0/1 ,检查接口是否允许ping访问。

[HUAWEI] display current-configuration interface GigabitEthernet 1/0/1
interface GigabitEthernet1/0/1
ip address 117.78.X.X 255.255.255.192
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
ipsec policy ipsec2352146053

2.在隧道两端进行ping测试。执行命令ping 117.78.X.X检查能否ping通。

[HUAWEI] ping 117.78.X.X
PING 117.78.X.X: 56 data bytes, press CTRL_C to break
Reply from 117.78.X.X: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 117.78.X.X: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 117.78.X.X: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 117.78.X.X: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 117.78.X.X: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 117.78.X.X ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss

  1. round-trip min/avg/max = 3/3/3 ms

二、查看IKE SA是否存在

操作步骤

1.执行命令display ike sa检查IKE SA是否协商成功。

[HUAWEI] display ike sa
IKE SA information :
Conn-ID Peer V.P.N Flag(s) Phase

----------------------------------------------------------------------------------------------

117440971 11.2.23.1:500 RD|S v1:1 //IKEv1 第一阶段协商
150995463 11.1.121.1:500 RD|ST|S v1:2 //IKEv1 第二阶段协商
Number of IKE SA : 2

----------------------------------------------------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

如果IKE SA的状态是RD状态,表示IKE协商成功,则查看步骤3。
如果IKE SA没有或者状态不正确,则继续按照下面的步骤排查。

2.检查出接口是否配置了ipsec策略,如果没有配置,则不会发起协商。

执行命令display current-configuration interface检查接口是否应用了ipsec策略

[HUAWEI] display current-configuration interface
interface GigabitEthernet1/0/1
ip address 117.78.X.X 255.255.255.192
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
ipsec policy ipsec2352146053 //出口需要应用ipsec策略,如果没有,请应用

3.检查ike的安全策略(到自身的安全策略和从自身发送的安全策略)是否放行。

执行命令display firewall session table verbose destination-port global 500确认有没有IKE的会话。

[HUAWEI] display firewall session table verbose destination-port global 500
Current Total Sessions : 1 General_UDP V.P.N:public --> public ID: a68f6683fb0101b01bc574eed08
Zone: untrust--> local TTL: 00:02:00 Left: 00:01:44
Recv Interface: GigabitEthernet1/0/2
Interface: GigabitEthernet1/0/1 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:10 bytes:4080 -->packets:20 bytes:8160
128.230.Y.Y:500-->117.78.X.X:500 PolicyName: sec_policy

如果存在会话,说明IKE的安全策略已经放行,否则需要单独配置ike的安全策略,在没有nat的场景下,放行UDP 500端口报文,在nat场景下需要放行UDP 500和4500 端口的报文。

[HUAWEI] ip service-set isakmp type object
[HUAWEI-object-service-set-isakmp] service 0 protocol udp destination-port 500
[HUAWEI-object-service-set-isakmp] service 1 protocol udp destination-port 4500
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name isakmp
[HUAWEI-policy-security-isakmp] service isakmp
[HUAWEI-policy-security-isakmp] action permit

4.防火墙做源NAT时,检查是否将IKE的报文排除。

执行display current-configuration configuration policy-nat命令检查NAT策略是否将IKE报文排除。

display current-configuration configuration policy-nat nat-policy
rule name ipsec_nonat source-zone
local destination-zone untrust
source-address 117.78.X.X 32
destination-address 128.230.Y.Y 32
action no-nat

如果NAT策略没有排除IKE报文,会导致本地发出的IKE协商数据也被NAT,端口出现变更导致第一阶段无法协商。

 说明:

检查NAT策略中,是否存在策略没有指定源区域(不指定代表所有)。如果存在,请指定具体的源区域,从而排除local区域;或者新建指定local区域的策略,并调整其顺序到最上面。

5.检查ike proposal两边的参数配置是否一致。

执行命令display ike proposal检查两边ike proposal参数是否一致。

[HUAWEI] display ike proposal
Number of IKE Proposals:1


IKE Proposal: 1
Authentication Method : PRE_SHARED
Authentication Algorithm : SHA2-256
Encryption Algorithm : AES-256
Diffie-Hellman Group : MODP-1024
SA Duration(Seconds) : 86400
Integrity Algorithm : HMAC-SHA2-256 // IKEv1不关心,IKEv2需要保持一致
Prf Algorithm : HMAC-SHA2-256 // IKEv1不关心,IKEv2需要保持一致


查看使用的ike proposal是否和对端配置的算法一致,如果不一致的话,进入到ike proposal试图进行修改。修改方法如下:

[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] authentication-algorithm sha2-256 sha1 md5
[HUAWEI-ike-proposal-1] integrity-algorithm aes-xcbc-96 hmac-sha2-256 hmac-sha1-96 hmac-md5-96

6.对端V.P.N网关在nat设备后的场景下,如果使用ip认证则需要配置remote-address auth-address为对端的接口地址。

[HUAWEI] ike peer 1
[HUAWEI-ike-peer-1] pre-shared-key %$%$rQZ4Fin'u#n@Fr!Au"J,R-$x%$%$
[HUAWEI-ike-peer-1] remote-address 117.78.x.y //映射前的公网地址
[HUAWEI-ike-peer-1] remote-address authentication-address 192.168.5.5 //映射后的私网地址

 说明:

配置修改后,执行reset ike sa 、reset ipsec sa命令重新发起协商,重置协商参数。

三、检查IPSec SA是否存在

操作步骤

1.执行命令行display ipsec sa,检测IPSec SA是否协商成功。

[HUAWEI] display ipsec sa ipsec sa
information:

Interface: GigabitEthernet1/0/1

IPSec policy name: "a1"
Sequence number : 5
Acl group : 3104
Acl rule : 1
Mode : ISAKMP

Connection ID : 117560206
Encapsulation mode: Tunnel
Tunnel local : 117.78.X.X
Tunnel remote : 128.230.Y.Y
Flow source : 100.1.4.1/255.255.255.255 0/0
Flow destination : 111.1.4.1/255.255.255.255 0/0

[Outbound ESP SAs]
SPI: 1401510577 (0x53895ab1)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 81528788/2953
Max sent sequence-number: 21184512
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0

[Inbound ESP SAs]
SPI: 3622191503 (0xd7e6418f)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 83886080/2953
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024

如果IPSec SA不存在,则检查两端的ipsec proposal配置。

2.执行命令display ipsec proposal检查两边ipsec proposal参数是否一致。
**
[HUAWEI] display ipsec proposal
Number of proposals: 1
IPSec proposal name: prop23521460281
Encapsulation mode: Auto
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256 Encryption AES-256

如果两边不一致,则进入ipsec proposal试图,修改相关的算法。

[HUAWEI] ipsec proposal prop23521460281
[HUAWEI-ipsec-proposal-prop23521460281] encapsulation-mode auto
[HUAWEI-ipsec-proposal-prop23521460281] esp authentication-algorithm sha1

确认下两边是否都配置了pfs算法且算法一致。

3.执行命令display ipsec policy检查两边pfs算法是否一致。

[HUAWEI] display ipsec policy
===========================================
IPSec policy group: "a10" Using interface: GigabitEthernet1/0/1 ===========================================
Sequence number: 1 Policy
Alias: a10-1 Security data flow: 3010
Peer name : ike23521460281
Perfect forward secrecy: None //是否配置了pfs算法,NONE代表没有配置。
Tunnel local: binding-interface
Proposal name: prop23521460281
IPSec SA local duration(time based): 3600 seconds
IPSec SA local duration(traffic based): 83886080 kilobytes
SA trigger mode: Traffic-based
Route inject: None
Policy state: Enable
Anti-replay: -
Anti-replay window size: -
Fragment before-encryption: Disable
Respond-only: Disable
Policy status : Active
Smart-link profile: -
Smart-link using interface: -

如果需要配置,则进入ipsec策略试图配置pfs算法。

[HUAWEI] ipsec policy 1 1 isakmp
[HUAWEI-ipsec-policy-1] pfs dh-group2

[HUAWEI]

检查两边的ACL是否配置镜像。

4.执行命令display acl xxx命令检查两边ACL是否配置成镜像。

[HUAWEI] ipsec policy1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-1-1] display this
ipsec policy 1 1 isakmp
security acl 3010
ike-peer peer1
proposal 1
[HUAWEI] display acl 3010
Advanced ACL 3010, 1 rule,not binding with v.p.n-instance
Acl's step is 5
rule 5 permit ip source 100.1.4.1 0.0.0.255 destination 111.1.4.1 0.0.0.255 //源和目的是否和对端正好相反

四、收集信息并寻求技术支持

如果上述步骤未能解决问题,请先按如下步骤收集相关信息,然后寻求技术支持。

收集故障相关信息

1.收集上述步骤的操作结果,并记录到文件中。
2.在用户视图下采集ike的debug信息。
debugging ike all //ikev1协商时搜集的debug
debugging ikev2 all //ikev2协商时搜集的debug
terminal moniter
terminal debugging

采集结束后执行undo debugging all命令。

3.一键式收集设备的所有诊断信息并导出文件。

a.在诊断视图下,执行display diagnostic-information file-name命令,采集设备诊断信息并保存为文件。

system-view
[HUAWEI] diagnose
[HUAWEI-diagnose] display diagnostic-information dia-info.txt
Now saving the diagnostic information to the device 100%
Info: The diagnostic information was saved to the device successfully

 说明:

生成的文本文件的缺省保存路径为flash:/,您可以在用户视图下使用dir命令可以确认文件是否正确生成。

b.当诊断信息文件生成之后,您可以通过FTP、SFTP等方式将其从设备上导出,详细操作可参考文件系统。

 说明:

您也可以直接执行display diagnostic-information命令,并通过终端日志存盘方式获取设备诊断信息文件,详细操作可参见设备诊断信息文件获取指导。

4.收集设备的日志和告警信息并导出文件。
a.在用户视图下,执行save logfile all命令,将缓冲区的日志和告警信息保存为文件。
save logfile all
Info: Save logfile successfully.
Info: Save diagnostic logfile successfully.
b.当日志信息文件生成之后,您可以通过FTP、SFTP等方式将其从设备上导出,详细操作可参考文件系统。

 说明:

您也可以直接执行display logbuffer和display trapbuffer命令查看设备的日志和告警信息,并通过终端日志存盘方式获取日志和告警信息文件,操作方法与设备诊断信息文件的获取方式相同,可参见设备诊断信息文件获取指导。

5.对端设备的配置。