实际NAT对IPSec ×××的影响

一、背景描述

 

在实际部署的IPSec ×××中经常会遇到由于NAT的问题，而导致IPSec ×××无法建立的问题，例如，一个公司的总部通过运营商连接分支机构，虽然在边界路由器都有固定的IP地址，而且双方可达，但是，可能出现的问题是，如果在分支机构边界路由器使用的IP地址是经过运营商时，被运营商做了一个NAT，那么建立IPSec ×××的时候将会出现问题，部署人员可能并没有考虑到运营商在中间有什么操作。

例如如下拓扑：

针对上面的拓扑配置，先保证各设备的可达性，然后在R1和R4上创建IPSec ×××，在R2做NAT，将12.1.1.0/24网段的地址翻译成23.1.1.0/24（范围先设置为100-200），先在这样的情况下去建立IPSec ×××。

二、查看debug信息

 

R1#debug  cry isakmp

Crypto ISAKMP debugging is on

R1#debug crypto ipsec

Crypto IPSEC debugging is on

R1#

R1#  

*Jun 15 21:34:51.731: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (N) NEW SA

*Jun 15 21:34:51.735: ISAKMP: Created a peer struct for 34.1.1.4, peer port 500

*Jun 15 21:34:51.735: ISAKMP: New peer created peer = 0x6B03E410 peer_handle = 0x80000002

*Jun 15 21:34:51.739: ISAKMP: Locking peer struct 0x6B03E410, refcount 1 for crypto_isakmp_process_block

*Jun 15 21:34:51.739: ISAKMP: local port 500, remote port 500

*Jun 15 21:34:51.743: ISAKMP:(0):insert sa successfully sa = 6B054290

*Jun 15 21:34:51.751: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 15 21:34:51.751: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

 

*Jun 15 21:34:51.759: ISAKMP:(0): processing SA payload. message ID = 0

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jun 15 21:34:51.759: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Jun 15 21:34:51.759: ISAKMP (0): vendor ID is NAT-T v7

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID is NAT-T v3

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID is NAT-T v2

*Jun 15 21:34:51.759: ISAKMP:(0):found peer pre-shared key matching 34.1.1.4

*Jun 15 21:34:51.759: ISAKMP:(0): local preshared key found

*Jun 15 21:34:51.759: ISAKMP : Scanning profiles for xauth ...

*Jun 15 21:34:51.759: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Jun 15 21:34:51.759: ISAKMP:      encryption 3DES-CBC

*Jun 15 21:34:51.759: ISAKMP:      hash MD5

*Jun 15 21:34:51.759: ISAKMP:     default group 2

*Jun 15 21:34:51.759: ISAKMP:      auth pre-share

*Jun 15 21:34:51.759: ISAKMP:      life type in seconds

*Jun 15 21:34:51.759: ISAKMP:      life duration (basic) of 28800

*Jun 15 21:34:51.759: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jun 15 21:34:51.759: ISAKMP:(0):Acceptable atts:actual life: 0

*Jun 15 21:34:51.759: ISAKMP:(0):Acceptable atts:life: 0

*Jun 15 21:34:51.759: ISAKMP:(0):Basic life_in_seconds:28800

*Jun 15 21:34:51.759: ISAKMP:(0):Returning Actual lifetime: 28800

*Jun 15 21:34:51.759: ISAKMP:(0)::Started lifetime timer: 28800.

 

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jun 15 21:34:51.759: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Jun 15 21:34:51.759: ISAKMP (0): vendor ID is NAT-T v7

R1#

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID is NAT-T v3

*Jun 15 21:34:51.759: ISAKMP:(0): processing vendor id payload

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Jun 15 21:34:51.759: ISAKMP:(0): vendor ID is NAT-T v2

*Jun 15 21:34:51.759: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 15 21:34:51.759: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

 

*Jun 15 21:34:51.759: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jun 15 21:34:51.759: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 15 21:34:51.759: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:34:51.759: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 15 21:34:51.763: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

 

R1#

*Jun 15 21:35:01.711: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jun 15 21:35:01.715: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet. >>>这是因为对端一致在ping产生感兴趣流导致

*Jun 15 21:35:01.715: ISAKMP:(0): retransmitting due to retransmit phase 1  >>>>即便只ping一个包，在没有收到对端的SA时，也会重传5次！

*Jun 15 21:35:02.215: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Jun 15 21:35:02.215: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Jun 15 21:35:02.219: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

*Jun 15 21:35:02.219: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 15 21:35:02.219: ISAKMP:(0):Sending an IKE IPv4 Packet.

R1#

*Jun 15 21:35:11.723: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jun 15 21:35:11.723: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

*Jun 15 21:35:11.727: ISAKMP:(0): retransmitting due to retransmit phase 1

*Jun 15 21:35:12.227: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Jun 15 21:35:12.227: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Jun 15 21:35:12.231: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

*Jun 15 21:35:12.231: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 15 21:35:12.231: ISAKMP:(0):Sending an IKE IPv4 Packet.

R1#

*Jun 15 21:35:21.759: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jun 15 21:35:21.763: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

*Jun 15 21:35:21.763: ISAKMP:(0): retransmitting due to retransmit phase 1

*Jun 15 21:35:22.263: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Jun 15 21:35:22.263: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jun 15 21:35:22.267: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

*Jun 15 21:35:22.267: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 15 21:35:22.267: ISAKMP:(0):Sending an IKE IPv4 Packet.

R1#

*Jun 15 21:35:31.763: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jun 15 21:35:31.763: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

*Jun 15 21:35:31.767: ISAKMP:(0): retransmitting due to retransmit phase 1

*Jun 15 21:35:32.267: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Jun 15 21:35:32.267: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Jun 15 21:35:32.271: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

*Jun 15 21:35:32.271: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 15 21:35:32.271: ISAKMP:(0):Sending an IKE IPv4 Packet.

R1#

*Jun 15 21:35:41.791: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jun 15 21:35:41.791: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

*Jun 15 21:35:41.795: ISAKMP:(0): retransmitting due to retransmit phase 1

*Jun 15 21:35:42.295: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Jun 15 21:35:42.295: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Jun 15 21:35:42.295: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

*Jun 15 21:35:42.295: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jun 15 21:35:42.295: ISAKMP:(0):Sending an IKE IPv4 Packet.

R1#

*Jun 15 21:35:52.295: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Jun 15 21:35:52.295: ISAKMP:(0):peer does not do paranoid keepalives.

 

*Jun 15 21:35:52.299: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 34.1.1.4)

*Jun 15 21:35:52.307: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 34.1.1.4)

*Jun 15 21:35:52.307: ISAKMP: Unlocking peer struct 0x6B03E410 for isadb_mark_sa_deleted(), count 0

*Jun 15 21:35:52.311: ISAKMP: Deleting peer node by peer_reap for 34.1.1.4: 6B03E410

*Jun 15 21:35:52.319: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jun 15 21:35:52.319: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

 

*Jun 15 21:35:52.323: IPSEC(key_engine): got a queue event with 1 KMI message(s)

 

R4#ping 1.1.1.1 so 4.4.4.4 re 20

Type escape sequence to abort.

Sending 20, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 4.4.4.4

 

*Jun 15 21:34:51.603: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 34.1.1.4:500, remote= 12.1.1.1:500,

    local_proxy= 4.4.4.0/255.255.255.0/256/0,

    remote_proxy= 1.1.1.0/255.255.255.0/256/0,

    protocol= ESP, transform= esp-3des esp-sha256-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jun 15 21:34:51.615: ISAKMP:(0): SA request profile is (NULL)

*Jun 15 21:34:51.619: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500

*Jun 15 21:34:51.619: ISAKMP: New peer created peer = 0x6B0639F8 peer_handle = 0x80000002

*Jun 15 21:34:51.623: ISAKMP: Locking peer struct 0x6B0639F8, refcount 1 for isakmp_initiator

*Jun 15 21:34:51.623: ISAKMP: local port 500, remote port 500

*Jun 15 21:34:51.627: ISAKMP: set new node 0 to QM_IDLE     

*Jun 15 21:34:51.639: ISAKMP:(0):insert sa successfully sa = 6B062F1C

*Jun 15 21:34:51.643: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jun 15 21:34:51.643: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1

*Jun 15 21:34:51.647: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jun 15 21:34:51.647: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jun 15 21:34:51.651: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jun 15 21:34:51.651: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jun 15 21:34:51.651: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jun 15 21:34:51.651: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

 

*Jun 15 21:34:51.651: ISAKMP:(0): beginning Main Mode exchange

*Jun 15 21:34:51.651: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:34:51.651: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:34:51.783: ISAKMP (0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA

*Jun 15 21:34:51.783: %CRYPTO-4-IKMP_NO_SA: IKE message from 23.1.1.100 has no SA and is not an initialization offer.....

*Jun 15 21:35:01.651: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Jun 15 21:35:01.651: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Jun 15 21:35:01.655: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Jun 15 21:35:01.655: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:35:01.655: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:35:02.259: ISAKMP (0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....

*Jun 15 21:35:11.655: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Jun 15 21:35:11.655: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Jun 15 21:35:11.659: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Jun 15 21:35:11.659: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:35:11.659: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:35:12.247: ISAKMP (0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....

*Jun 15 21:35:21.603: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 34.1.1.4:0, remote= 12.1.1.1:0,

    local_proxy= 4.4.4.0/255.255.255.0/256/0,

    remote_proxy= 1.1.1.0/255.255.255.0/256/0

*Jun 15 21:35:21.607: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 34.1.1.4:500, remote= 12.1.1.1:500,

    local_proxy= 4.4.4.0/255.255.255.0/256/0,

    remote_proxy= 1.1.1.0/255.255.255.0/256/0,

    protocol= ESP, transform= esp-3des esp-sha256-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jun 15 21:35:21.623: ISAKMP: set new node 0 to QM_IDLE     

*Jun 15 21:35:21.627: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 34.1.1.4, remote 12.1.1.1)

*Jun 15 21:35:21.627: ISAKMP: Error while processing SA request: Failed to initialize SA

*Jun 15 21:35:21.631: ISAKMP: Error while processing KMI message 0, error 2.

*Jun 15 21:35:21.663: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Jun 15 21:35:21.663: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jun 15 21:35:21.667: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Jun 15 21:35:21.667: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:35:21.667: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:35:22.315: ISAKMP (0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA.....

Success rate is 0 percent (0/20)

R4#

*Jun 15 21:35:31.671: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Jun 15 21:35:31.671: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Jun 15 21:35:31.675: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Jun 15 21:35:31.675: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:35:31.675: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:35:32.287: ISAKMP (0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA

R4#

*Jun 15 21:35:41.679: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Jun 15 21:35:41.679: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Jun 15 21:35:41.683: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Jun 15 21:35:41.683: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:35:41.683: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:35:42.347: ISAKMP (0): received packet from 23.1.1.100 dport 500 sport 500 Global (N) NEW SA

R4#

*Jun 15 21:35:51.607: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 34.1.1.4:0, remote= 12.1.1.1:0,

    local_proxy= 4.4.4.0/255.255.255.0/256/0,

    remote_proxy= 1.1.1.0/255.255.255.0/256/0

*Jun 15 21:35:51.687: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Jun 15 21:35:51.687: ISAKMP:(0):peer does not do paranoid keepalives.

 

*Jun 15 21:35:51.691: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.1.1.1)

*Jun 15 21:35:51.711: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.1.1.1)

R4#

*Jun 15 21:35:51.715: ISAKMP: Unlocking peer struct 0x6B0639F8 for isadb_mark_sa_deleted(), count 0

*Jun 15 21:35:51.719: ISAKMP: Deleting peer node by peer_reap for 12.1.1.1: 6B0639F8

*Jun 15 21:35:51.723: ISAKMP:(0):deleting node -797028350 error FALSE reason "IKE deleted"

*Jun 15 21:35:51.727: ISAKMP:(0):deleting node 676799932 error FALSE reason "IKE deleted"

*Jun 15 21:35:51.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jun 15 21:35:51.727: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

*Jun 15 21:35:51.735: IPSEC(key_engine): got a queue event with 1 KMI message(s)

R4#

*Jun 15 21:36:41.723: ISAKMP:(0):purging node -797028350

*Jun 15 21:36:41.727: ISAKMP:(0):purging node 676799932

R4#

*Jun 15 21:36:51.727: ISAKMP:(0):purging SA., sa=6B062F1C, delme=6B062F1C

 

分析一下如果流量是从R1到R4，那么R1会向R4发起协商，R4收到的会是源为23.1.1.100的发来的SA协商报文，它和本地比较，发现本地没有该Peer的策略，那么会拒绝，效果如下：

R4#

*Jun 15 21:59:23.991: ISAKMP:(0):No pre-shared key with 23.1.1.100!

*Jun 15 21:59:23.991: ISAKMP : Scanning profiles for xauth ...

*Jun 15 21:59:23.991: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Jun 15 21:59:23.991: ISAKMP:      encryption 3DES-CBC

*Jun 15 21:59:23.991: ISAKMP:      hash MD5

*Jun 15 21:59:23.991: ISAKMP:      default group 2

*Jun 15 21:59:23.991: ISAKMP:      auth pre-share

*Jun 15 21:59:23.991: ISAKMP:      life type in seconds

*Jun 15 21:59:23.991: ISAKMP:      life duration (basic) of 28800

*Jun 15 21:59:23.991: ISAKMP:(0):Preshared authentication offered but does not match policy!

*Jun 15 21:59:23.991: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Jun 15 21:59:23.991: ISAKMP:(0):no offers accepted!

*Jun 15 21:59:23.991: ISAKMP:(0): phase 1 SA policy not acceptable! (local 34.1.1.4 remote 23.1.1.100)

*Jun 15 21:59:23.991: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*Jun 15 21:59:23.991: ISAKMP:(0): Failed to construct AG informational message.

*Jun 15 21:59:23.991: ISAKMP:(0): sending packet to 23.1.1.100 my_port 500 peer_port 500 (R) MM_NO_STATE

*Jun 15 21:59:23.991: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:59:23.991: ISAKMP:(0):peer does not do paranoid keepalives.

*Jun 15 21:59:23.995: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STA

 

而R1则会收到由于R4没有对应的Peer的策略的信息告知没有hash，拒绝建立×××，具体情况如下：

R1#

*Jun 15 21:59:23.947: ISAKMP:(0): beginning Main Mode exchange

*Jun 15 21:59:23.947: ISAKMP:(0): sending packet to 34.1.1.4 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 15 21:59:23.947: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 15 21:59:24.075: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (I) MM_NO_STATE

*Jun 15 21:59:24.079: ISAKMP:(0):Notify has no hash. Rejected.

最终还是重传5次而删除准备协商起来的SA。

三、解决方法

 

将R4的Peer设置为NAT翻译后的地址，这里是23.1.1.100/24

R4(config)#no crypto isakmp key 0 cisco address 12.1.1.1

R4(config)#crypto isakmp key 0 cisco address 23.1.1.100

R4(config)#crypto map cisco 10 ipsec-isakmp

R4(config-crypto-map)#no set peer 12.1.1.1

R4(config-crypto-map)#set peer 23.1.1.100

四、测试效果

 

发一个包触发一下流量

R1#ping 4.4.4.4 so 1.1.1.1 re 1

 

第一阶段的SA协商成功

IPSec ×××会话建立成功

查看show crypto engine connection active

在建立IPSec ×××的过程中，本端会意识到自己是NAT inside，然后以UDP 4500发起IKE报文

 

*Jun 15 22:22:11.479: ISAKMP (0): received packet from 34.1.1.4 dport 500 sport 500 Global (I) MM_SA_SETUP

*Jun 15 22:22:11.487: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 15 22:22:11.487: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

 

*Jun 15 22:22:11.495: ISAKMP:(0): processing KE payload. message ID = 0

*Jun 15 22:22:11.543: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jun 15 22:22:11.543: ISAKMP:(0):found peer pre-shared key matching 34.1.1.4

*Jun 15 22:22:11.543: ISAKMP:(1002): processing vendor id payload

*Jun 15 22:22:11.543: ISAKMP:(1002): vendor ID is Unity

*Jun 15 22:22:11.547: ISAKMP:(1002): processing vendor id payload

*Jun 15 22:22:11.547: ISAKMP:(1002): vendor ID is DPD

*Jun 15 22:22:11.551: ISAKMP:(1002): processing vendor id payload

*Jun 15 22:22:11.551: ISAKMP:(1002): speaking to another IOS box!

*Jun 15 22:22:11.555: ISAKMP:received payload type 20

*Jun 15 22:22:11.555: ISAKMP (1002): NAT found, both nodes inside NAT

*Jun 15 22:22:11.555: ISAKMP:received payload type 20

*Jun 15 22:22:11.555: ISAKMP (1002): My hash no match -  this node inside NAT

*Jun 15 22:22:11.555: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 15 22:22:11.555: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4

 

*Jun 15 22:22:11.555: ISAKMP:(1002):Send initial contact

*Jun 15 22:22:11.555: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jun 15 22:22:11.555: ISAKMP (1002): ID payload

        next-payload : 8

        type         : 1

        address      : 12.1.1.1

        protocol     : 17

        port         : 0

        length       : 12

*Jun 15 22:22:11.555: ISAKMP:(1002):Total payload length: 12

*Jun 15 22:22:11.555: ISAKMP:(1002): sending packet to 34.1.1.4 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Jun 15 22:22:11.555: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Jun 15 22:22:11.555: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 15 22:22:11.559: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5

 

*Jun 15 22:22:11.651: ISAKMP (1002): received packet from 34.1.1.4 dport 4500 sport 4500 Global (I) MM_KEY_EXCH

*Jun 15 22:22:11.655: ISAKMP:(1002): processing ID payload. message ID = 0

*Jun 15 22:22:11.659: ISAKMP (1002): ID payload

        next-payload : 8

        type  

R1#      : 1

        address      : 34.1.1.4

        protocol     : 17

        port         : 0

        length       : 12

*Jun 15 22:22:11.663: ISAKMP:(0):: peer matches *none* of the profiles

*Jun 15 22:22:11.663: ISAKMP:(1002): processing HASH payload. message ID = 0

*Jun 15 22:22:11.667: ISAKMP:(1002):SA authentication status:

        authenticated

*Jun 15 22:22:11.667: ISAKMP:(1002):SA has been authenticated with 34.1.1.4

*Jun 15 22:22:11.671: ISAKMP:(1002):Setting UDP ENC peer struct 0x6AF764AC sa= 0x6B08E61C

*Jun 15 22:22:11.671: ISAKMP: Trying to insert a peer 12.1.1.1/34.1.1.4/4500/,  and inserted successfully 6B08F0F8.

*Jun 15 22:22:11.675: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 15 22:22:11.675: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6

 

*Jun 15 22:22:11.683: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 15 22:22:11.683: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6

 

*Jun 15 22:22:11.683: ISAKMP:(1002):Input = IKE_MESG

R1#_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 15 22:22:11.683: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

后续就以UDP 4500端口去进行QM了。