remote address: 1.1.1.1
Flow: (the interesting traffic, i.e. the LAN subnets behind the two devices)
sour addr: 192.168.7.0/255.255.255.0 port: 0 protocol: ip dest addr: 192.168.5.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
(the following lines show the encryption and authentication algorithms used by the IPsec SA, and the SA lifetime)
SPI: 74172241 (0x046bc751) Connection ID: 12884901893
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600
By default, the time-based lifetime of an IPsec SA is 3600 seconds and the traffic-based lifetime is 1843200 kilobytes.
SA remaining duration (kilobytes/sec): 1843199/3408 Max received sequence-number: 9 Anti-replay check enable: Y Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y Status: Active
[Outbound ESP SAs]
SPI: 3758785220 (0xe00a82c4) Connection ID: 12884901892
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3408 Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: Y (NAT traversal is in use) Status: Active
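To make the SA output above easier to check in bulk (for example when collecting it from many gateways), here is an added Python example, not code from the page or from the firewall vendor, that parses the inbound/outbound ESP SA blocks and reports the things an operator looks for: both directions present, identical transform sets, Active status, remaining lifetime, anti-replay on the inbound SA, and legacy algorithms. The sample text is the page's own output with the commentary removed; the 300-second rekey threshold and the list of algorithms treated as legacy (DES, 3DES, MD5) are assumptions of local policy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "display ipsec sa" excerpt shown above, with the inline
# commentary removed so that only the device's own output lines remain.
SAMPLE_OUTPUT = """\
[Inbound ESP SAs]
SPI: 74172241 (0x046bc751) Connection ID: 12884901893
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3408 Max received sequence-number: 9 Anti-replay check enable: Y Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y Status: Active
[Outbound ESP SAs]
SPI: 3758785220 (0xe00a82c4) Connection ID: 12884901892
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3408 Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: Y Status: Active
"""

# Assumed local policy: algorithms that should be flagged when they still appear.
LEGACY_ALGORITHMS = r"\b(3DES|DES|MD5)\b"


@dataclass
class EspSa:
    direction: str                 # "inbound" or "outbound"
    spi: int
    transform_set: str             # e.g. "ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5"
    life_kb: int
    life_sec: int
    remain_kb: int
    remain_sec: int
    anti_replay: Optional[bool]    # None: field absent (the outbound SA prints none)
    nat_traversal: bool
    status: str


def _field(pattern: str, body: str, default=None):
    m = re.search(pattern, body)
    return m.group(1) if m else default


def parse_ipsec_sa(text: str) -> List[EspSa]:
    """Split the output at the [Inbound/Outbound ESP SAs] headers and read one SA per block."""
    parts = re.split(r"\[(Inbound|Outbound) ESP SAs\]", text)
    sas = []
    # re.split with a capturing group returns [preamble, dir1, body1, dir2, body2, ...]
    for direction, body in zip(parts[1::2], parts[2::2]):
        life = re.search(r"SA duration \(kilobytes/sec\): (\d+)/(\d+)", body)
        remain = re.search(r"SA remaining duration \(kilobytes/sec\): (\d+)/(\d+)", body)
        if not (life and remain):
            raise ValueError(f"{direction}: lifetime fields missing from output")
        anti = _field(r"Anti-replay check enable: ([YN])", body)
        sas.append(EspSa(
            direction=direction.lower(),
            spi=int(_field(r"SPI: (\d+)", body, "0")),
            transform_set=_field(r"Transform set: (ESP-\S+ ESP-\S+)", body, ""),
            life_kb=int(life.group(1)), life_sec=int(life.group(2)),
            remain_kb=int(remain.group(1)), remain_sec=int(remain.group(2)),
            anti_replay=None if anti is None else anti == "Y",
            nat_traversal=_field(r"NAT traversal: ([YN])", body) == "Y",
            status=_field(r"Status: (\w+)", body, "unknown"),
        ))
    return sas


def assess(sas: List[EspSa], min_remaining_sec: int = 300) -> List[str]:
    """Return human-readable findings; an empty list means the tunnel looks healthy."""
    findings = []
    by_dir = {sa.direction: sa for sa in sas}
    if {"inbound", "outbound"} - set(by_dir):
        findings.append("only one SA direction present: tunnel is not fully established")
    elif by_dir["inbound"].transform_set != by_dir["outbound"].transform_set:
        findings.append("inbound and outbound transform sets differ")
    for sa in sas:
        if sa.status != "Active":
            findings.append(f"{sa.direction}: status is {sa.status}")
        if sa.remain_sec < min_remaining_sec:
            findings.append(f"{sa.direction}: only {sa.remain_sec}s of lifetime left, rekey expected soon")
        if sa.direction == "inbound" and sa.anti_replay is False:
            findings.append("inbound: anti-replay check is disabled")
        legacy = sorted(set(re.findall(LEGACY_ALGORITHMS, sa.transform_set)))
        if legacy:
            findings.append(f"{sa.direction}: legacy algorithms in use: {', '.join(legacy)}")
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(sa)
    print(assess(parse_ipsec_sa(SAMPLE_OUTPUT)))
```

Run against the page's output, the only findings are the legacy 3DES/MD5 algorithms in both directions; a capture that contains just the inbound block (a half-established tunnel) is reported as such instead of being silently accepted.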
Key configuration points and notes:
1. The firewall must add its interfaces to security zones. Under the V7 firewall's default inter-zone rules all traffic is denied, so the following inter-zone policies must be permitted: LAN to WAN, WAN to LAN, Local to WAN, and WAN to Local.
2. Firewall A acts as the branch and must be able to ping firewall B's public IP; a NAT device sits between them. IKE aggressive mode enables NAT traversal by default. Firewall B, as the headquarters, uses an IPsec policy template to match the initiator.
3. The IKE and IPsec security proposals used by the two VPN gateways must be identical. The V7 firewall has no default IPsec security proposal parameters, so they must be configured. On V7 the output of the following command shows whether the parameters match:
dis ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
         method         algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
1        PRE-SHARED-KEY MD5            3DES-CBC   Group 1        86400
default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1        86400
Encapsulation mode: tunnel ESN: Disabled PFS:
Transform: ESP ESP protocol: Integrity: MD5 Encryption: 3DES-CBC
4. If IKE peer liveness detection is needed, keepalive or DPD can be enabled; it must be configured on both ends at the same time, with identical parameters.
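Points 3 and 4 both come down to comparing what the two gateways have configured. As an added example (not code from the page or from the firewall vendor), the Python below parses the `display ike proposal` table from each peer, finds the proposals they can actually agree on, and then diffs the IPsec transform-set and DPD settings field by field. Peer A's table is the page's own output; peer B's table, both peers' IPsec settings and the DPD values (interval and retry counts are hypothetical) are constructed so that the result shows a realistic mismatch: IKE only agrees on the weak default proposal, the IPsec integrity algorithm differs, and DPD is enabled on one side only.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples. Peer A's table is the "display ike proposal" output shown above;
# peer B's table, the IPsec transform-set settings and the DPD settings are invented
# (DPD interval/retry values are hypothetical) to show what a mismatch looks like.
PEER_A_IKE = """\
Priority Authentication Authentication Encryption Diffie-Hellman Duration
         method         algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
1        PRE-SHARED-KEY MD5            3DES-CBC   Group 1        86400
default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1        86400
"""
PEER_B_IKE = """\
Priority Authentication Authentication Encryption Diffie-Hellman Duration
         method         algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
10       PRE-SHARED-KEY SHA1           3DES-CBC   Group 2        86400
default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1        86400
"""
PEER_A_IPSEC = {"mode": "tunnel", "esn": "Disabled", "pfs": "", "protocol": "ESP",
                "integrity": "MD5", "encryption": "3DES-CBC"}
PEER_B_IPSEC = {"mode": "tunnel", "esn": "Disabled", "pfs": "", "protocol": "ESP",
                "integrity": "SHA1", "encryption": "3DES-CBC"}
PEER_A_DPD = {"enabled": True, "interval": 10, "retry": 5}   # hypothetical values
PEER_B_DPD = {"enabled": False}

# One proposal row: priority, auth method, auth alg, enc alg, "Group n", lifetime seconds.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(Group \d+)\s+(\d+)\s*$")
FIELDS = ("priority", "auth_method", "auth_alg", "enc_alg", "dh_group", "seconds")


def parse_ike_proposals(text: str) -> List[Dict[str, str]]:
    """Read the proposal rows; header and separator lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(dict(zip(FIELDS, m.groups())))
    return rows


def _algos(row: Dict[str, str]) -> Tuple[str, ...]:
    return (row["auth_method"], row["auth_alg"], row["enc_alg"], row["dh_group"])


def matching_ike_proposals(a, b):
    """Pairs of proposals that agree on authentication, encryption and DH group."""
    return [(ra, rb) for ra in a for rb in b if _algos(ra) == _algos(rb)]


def _diff(name, a, b):
    """Field-by-field differences between two settings dicts, as readable strings."""
    return [f"{name}: {k} A={a.get(k)} B={b.get(k)}"
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


def check_peers(a_ike, b_ike, a_ipsec, b_ipsec, a_dpd, b_dpd) -> List[str]:
    """Return every inconsistency found; an empty list means the peers agree."""
    findings = []
    pairs = matching_ike_proposals(parse_ike_proposals(a_ike), parse_ike_proposals(b_ike))
    if not pairs:
        findings.append("ike: no proposal in common, phase 1 cannot complete")
    for ra, rb in pairs:
        if ra["seconds"] != rb["seconds"]:
            findings.append(f"ike: lifetime differs on matching proposal A:{ra['priority']} B:{rb['priority']}")
    if pairs and all(ra["priority"] == "default" and rb["priority"] == "default" for ra, rb in pairs):
        findings.append("ike: peers only agree on the default proposal; the configured ones do not match")
    findings += _diff("ipsec", a_ipsec, b_ipsec)
    findings += _diff("dpd", a_dpd, b_dpd)
    return findings


if __name__ == "__main__":
    for line in check_peers(PEER_A_IKE, PEER_B_IKE, PEER_A_IPSEC, PEER_B_IPSEC, PEER_A_DPD, PEER_B_DPD):
        print(line)
```

The IKE comparison deliberately matches on algorithms and DH group rather than on priority, since the priority number is local to each gateway; the lifetime is checked separately on the pairs that do match, following the page's advice to keep the proposals identical. Running the same peer against itself returns no findings, which is the quick sanity check for the script.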