网络工程 - 瞻博网络到 Cisco IPSec 基于策略的 VPN - 吾爱随笔录

我正在尝试在 Cisco 设备和瞻博网络 SSG 设备之间设置站点到站点 VPN。我在具有路由接口的 L3 模式下设置了瞻博网络。出于某种原因，它没有通过第 1 阶段。我可以很好地 ping 另一端的公共 IP。以下是第 1 阶段未建立的一个可能原因：

  **** pak processing end.
## 2014-06-25 01:58:36 : IKE<y.y.y.y> re-trans timer expired, msg retry (6) (0001/0)
## 2014-06-25 01:58:36 : IKE<y.y.y.y> Initiator sending IPv4 IP y.y.y.y/port 500
## 2014-06-25 01:58:36 : IKE<y.y.y.y> Send Phase 1 packet (len=160)
****** 22134.0: <Self/self> packet received [188]******
  ipid = 58582(e4d6), @03c2ada4
flow_self_vector2: send pack with current vid =0, enc_size:0
  handle raw/no_session packet.
  send no session packet
  flow_if_ip_send_fwd: switch vectors: packet src x.x.x.x, dst  y.y.y.y

**** jump to packet:x.x.x.x->y.y.y.y
  skipping pre-frag 
  no more encapping needed
  send out through normal path.
  flow_ip_send: e4d6:x.x.x.x->y.y.y.y,17 => ethernet0/9(188) flag 0x8000890, vlan 0
  no l2info for packet.
  no route for packet
  search route to (null, 0.0.0.0->y.y.y.y) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/9
  [ Dest] 7.route y.y.y.y->x.x.x.gw, to ethernet0/9
  route to x.x.x.gw
  arp entry found for x.x.x.gw mac 00000c07ac00
  packet send out to 00000c07ac00 through ethernet0/9
  **** pak processing end.
****** 22136.0: <Self/self> packet received [44]******
  ipid = 58585(e4d9), @03bb8814
flow_self_vector2: send pack with current vid =0, enc_size:0
  handle raw/no_session packet.
  send no session packet
  flow_if_ip_send_fwd: switch vectors: packet src x.x.x.x, dst  y.y.y.y

**** jump to packet:x.x.x.x->y.y.y.y
  skipping pre-frag 
  going into tunnel 40000003.
  flow_encrypt: pipeline.
enqueue to IKE: timems 22128004, Q 1, saidx 1: spi:0 too soon
  packet dropped, SA inactive

xxxx 是 Juniper 的接口 IP，yyyy 是 Cisco 的接口 IP。xxxgw 是设备上的默认路由指向的网关地址。

这是命令的输出get ike cookie：

SSG140-> get ike cookie

IKEv1 SA -- Active: 0, Dead: 0, Total 1

0001/0000, x.x.x.x:500->y.y.y.y:500, NONE/grp0/NULL/NULL, xchg(2) (vpn_gateway/grp-1/usr-1)
resent-tmr 39 lifetime 28800 lt-recv 0 nxt_rekey 28790 cert-expire 0
initiator, err cnt 2, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat              : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

p2_tasks:

task_type = 0x3
p2 sa id = 0x3 (index 0x1)
app_sa_flags = 0x5000a0
p2 spi = 0x0


IKEv2 SA -- Active: 0, Dead: 0, Total 0

Cisco TAC 代表表示，他们的设备正在正常发送数据包，但未从瞻博网络设备接收任何数据包。从上面的输出来看，从 Juniper 到 Cisco 的数据包似乎被丢弃了。

这是思科配置：

name c.c.c.c MAP_110_SIAS_PEER
 crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 crypto isakmp enable OUTSIDE
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
pre-shared-key xxxxxxx
 access-list MAP_110_TRU_SIAS extended permit ip 162.137.0.0 255.255.0.0 10.1.19.0 255.255.255.0 
access-list MAP_110_TRU_SIAS extended permit ip 10.0.0.0 255.0.0.0 10.1.19.0 255.255.255.0 
access-list MAP_110_TRU_SIAS extended permit ip 206.70.0.0 255.255.192.0 10.1.19.0 255.255.255.0
 crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 crypto map MAP-OUTSIDE 110 set peer MAP_110_TRU_SIAS
 crypto map MAP-OUTSIDE 110 match address MAP_110_TRU_SIAS
 crypto map MAP-OUTSIDE 110 set transform-set AES-SHA
 crypto map MAP-OUTSIDE 110 set security-association lifetime kilobytes 10000
 crypto map MAP-OUTSIDE interface OUTSIDE
 route outside 10.1.19.0 255.255.255.192 MAP_110_SIAS_PEER
route outside MAP_110_SIAS_PEER 255.255.255.255 d.d.d.d 
 access-list ACL-INSIDE-NONAT extended permit ip 10.0.0.0 255.0.0.0 10.1.19.0 255.255.255.0 
access-list ACL-INSIDE-NONAT extended permit ip 206.70.0.0 255.255.192.0 10.1.19.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 162.137.0.0 255.255.0.0 10.1.19.0 255.255.255.0 
  nat (INSIDE) 0 access-list ACL-INSIDE-NONAT