Sharing a router IPSec VPN troubleshooting case

2012-10-19 22:37

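Here is the situation: Beijing and Shanghai were connected by an IPSec VPN built between routers. Beijing had just brought up a new China Telecom line, and to make Shanghai-to-Beijing traffic faster, higher, stronger, it was decided to move the VPN onto Beijing's Telecom link, so the IP addresses were changed on both ends.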

  #

  ike peer peer

  pre-shared-key ****

  remote-address 219.143.x.x

  local-address 116.228.x.x

  #

  #

  ike peer peer

  pre-shared-key ****

  remote-address 116.228.x.x

  local-address 219.143.x.x

  #

With the changes in place:

  reset ipsec sa

  reset ike sa

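Sat and waited for the connection to come up: 1 minute... 2 minutes... 5 minutes... fuck... It looks like it cannot be established, so check the session state: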

  dis ike sa

  Total IKE phase-1 SAs: 0

  connection-id peer flag phase doi

  ----------------------------------------------------------

  38 219.143.x.x RD|ST 2 IPSEC

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

  dis ike sa

  total phase-1 SAs: 0

  connection-id peer flag phase doi

  ----------------------------------------------------------

  28599 116.228.x.x RD 2 IPSEC

  28598 RD 1 IPSEC

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

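The IKE SA actually failed to establish. I checked the configuration and everything was normal, which was very strange, so with no other option I turned on debugging.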

-----------Beijing router--------------

  terminal debugging

  Info: Current terminal debugging is on.

  terminal monitor

  Info: Current terminal monitor is on.

  debugging ike all 

  *Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: message send:

  *Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: ICOOKIE: 0xf348aed30c37f270

  *Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000

  *Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: NEXT_PAYLOAD: SA

  *Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: VERSION: 16

  *Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: EXCH_TYPE: ID_PROT

  *Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: FLAGS: [ ]

  *Oct 16 15:43:11:411 2012 MSR5040 IKE/7/DEBUG: MESSAGE_ID: 0x00000000

  *Oct 16 15:43:11:411 2012 MSR5040 IKE/7/DEBUG: LENGTH: 124

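The request message is correct and an SA has already been generated, so the problem should not be on the Beijing router. Check the Shanghai router.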
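As an added example (not part of the original post), the Python below parses the `debugging ike all` header lines shown above and reads them against the ISAKMP header in RFC 2408: VERSION 16 is 0x10 (version 1.0), ID_PROT is main mode, and an all-zero RCOOKIE marks the initiator's first packet. The function names and the unanswered-packet count are assumptions of this example.

```python
import re
from collections import Counter

# Debug lines copied from the Beijing router output on this page.
SAMPLE = """\
*Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: message send:
*Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: ICOOKIE: 0xf348aed30c37f270
*Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: NEXT_PAYLOAD: SA
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: VERSION: 16
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: EXCH_TYPE: ID_PROT
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG: FLAGS: [ ]
*Oct 16 15:43:11:411 2012 MSR5040 IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Oct 16 15:43:11:411 2012 MSR5040 IKE/7/DEBUG: LENGTH: 124
"""

DEBUG = re.compile(r"IKE/7/DEBUG:\s*([^:]+):\s*(.*?)\s*$")

def parse_messages(text):
    """Group debug lines into one header dict per 'message ...:' marker."""
    msgs = []
    for line in text.splitlines():
        if not (m := DEBUG.search(line)):
            continue
        key, val = m.group(1).strip(), m.group(2)
        if key.startswith("message") and not val:
            msgs.append({"direction": key.split()[-1]})
        elif msgs:
            msgs[-1][key] = val
    return msgs

def describe(h):
    """Interpret ISAKMP header fields (RFC 2408 section 3.1)."""
    ver = int(h["VERSION"])
    return {
        "version": f"{ver >> 4}.{ver & 0xF}",         # major.minor nibbles
        "first_packet": int(h["RCOOKIE"], 16) == 0,    # responder cookie not set yet
        "phase1": int(h["MESSAGE_ID"], 16) == 0,       # message ID is 0 in phase 1
        "main_mode": h["EXCH_TYPE"] == "ID_PROT",      # Identity Protection exchange
        "flags_clear": h["FLAGS"].strip("[] ") == "",  # no flag bits, so not encrypted
    }

def unanswered(msgs):
    """Count first packets per ICOOKIE that never saw a non-zero RCOOKIE."""
    answered = {m["ICOOKIE"] for m in msgs if int(m["RCOOKIE"], 16)}
    firsts = Counter(m["ICOOKIE"] for m in msgs if not int(m["RCOOKIE"], 16))
    return {c: n for c, n in firsts.items() if c not in answered}

if __name__ == "__main__":
    print(describe(parse_messages(SAMPLE)[0]), unanswered(parse_messages(SAMPLE)))
```

A count above 1 for the same ICOOKIE means the initiator is retransmitting its first main-mode packet without ever seeing a responder cookie.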

-----------Shanghai router--------------

  terminal debugging