Example Analysis of USG Firewall ipsec traversing nat

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many people run into trouble the first time an IPsec peer sits behind a NAT device. This example walks through a working USG configuration for that case and the verification output, so that the usual causes of failure and their fixes can be seen in context.

Topology used throughout: FW1 has a public address (202.100.1.1 on GigabitEthernet0/0/2) and protects 10.1.1.0/24. FW2 protects 10.1.2.0/24 but sits behind AR1, which performs outbound NAT (the 172.16.1.0/24 segment is translated to 202.100.1.2). Because FW2's real address 172.16.1.1 is never visible to FW1, FW2 has to initiate, FW1 uses an IPsec policy template (it cannot name the remote address), and both peers enable nat traversal so that IKE detects the NAT and moves IKE and ESP into UDP port 4500.

AR1:

acl number 3001
 rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 2 permit ip source 10.1.2.0 0.0.0.255
 rule 3 permit ip source 172.16.1.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 202.100.1.2 255.255.255.0
 nat outbound 3001
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.2 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 172.16.1.1
#

FW1:

acl number 3001
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
#
ike peer 1
 pre-shared-key %$%$Kvy%6e6}DWp&azElXM;@VMD;%$%$
 ike-proposal 1
 nat traversal
#
ipsec proposal 1
#
ipsec policy-template temp 1
 security acl 3001
 ike-peer 1
 proposal 1
#
ipsec policy l2l 1 isakmp template temp
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 202.100.1.1 255.255.255.0
 ipsec policy l2l
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
#
ip service-set natt type object
 service 1 protocol udp destination-port 4500
#
ip service-set ike type object
 service 0 protocol udp destination-port 500
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy service service-set ike
  policy service service-set esp
  policy service service-set natt
  policy service service-set icmp
#
policy interzone trust untrust inbound
 policy 0
  action permit
  policy source 10.1.2.0 mask 24
  policy destination 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 10.1.1.0 mask 24
#

FW2:

acl number 3001
 rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
#
ike peer 1
 pre-shared-key %$%$a6XbSSWL%o`:;YS:d}~V|sj%$%$
 ike-proposal 1
 remote-address 202.100.1.1
 nat traversal
#
ipsec proposal 1
#
ipsec policy l2l 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface GigabitEthernet0/0/1
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 172.16.1.1 255.255.255.0
 ipsec policy l2l
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
#
ip service-set natt type object
 service 1 protocol udp destination-port 4500
#
ip service-set ike type object
 service 0 protocol udp destination-port 500
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy service service-set ike
  policy service service-set esp
  policy service service-set natt
  policy service service-set icmp
#
policy interzone trust untrust inbound
 policy 0
  action permit
  policy source 10.1.1.0 mask 24
  policy destination 10.1.2.0 mask 24
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 10.1.2.0 mask 24
#
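What the nat traversal keyword on both ike peers actually switches on is the standard IKEv2 NAT detection exchange (RFC 7296 section 2.23): each side puts SHA-1 hashes of the addresses and ports it believes it is using into IKE_SA_INIT, and the receiver rehashes the source and destination it really saw. A NAT rewrites only the outer IP/UDP header, so a mismatch on the source hash means the sender is translated, after which IKE moves to UDP 4500 and ESP is UDP-encapsulated. The script below is an added example, not Huawei code, and models only the responder-side check for the topology above: FW2 at 172.16.1.1 initiates, AR1 rewrites the source to 202.100.1.2 and a translated port (10244, the port FW1 later reports in display ike sa), FW1 at 202.100.1.1 evaluates the hashes. The SPI value is constructed.

```python
"""IKEv2 NAT detection as enabled by 'nat traversal' (RFC 7296 section 2.23).

Added example, not Huawei code. Models FW2 (172.16.1.1) initiating to FW1
(202.100.1.1) through AR1, whose NAT rewrites the outer source to
202.100.1.2 and a translated port. The SPI below is made up.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notify data: SHA-1(SPIi | SPIr | IP | Port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


@dataclass(frozen=True)
class IkeSaInit:
    """The parts of an IKE_SA_INIT request that matter for NAT detection."""
    spi_i: bytes
    spi_r: bytes
    nat_d_source: bytes       # hash of the address the sender believes it has
    nat_d_destination: bytes  # hash of the address the sender is talking to


def build_ike_sa_init(spi_i, src_ip, src_port, dst_ip, dst_port):
    spi_r = bytes(8)  # responder SPI is zero in the first request
    return IkeSaInit(
        spi_i, spi_r,
        nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    )


def responder_detects_nat(msg, observed_src_ip, observed_src_port, local_ip, local_port):
    """What the responder does on receipt: rehash the headers it actually saw.

    Returns (initiator_behind_nat, responder_behind_nat). The notify payloads
    travel unchanged through a NAT, only the outer IP/UDP header is rewritten,
    so each mismatch pins down which side is translated.
    """
    initiator_nat = nat_detection_hash(
        msg.spi_i, msg.spi_r, observed_src_ip, observed_src_port) != msg.nat_d_source
    responder_nat = nat_detection_hash(
        msg.spi_i, msg.spi_r, local_ip, local_port) != msg.nat_d_destination
    return initiator_nat, responder_nat


def choose_transport(initiator_nat, responder_nat):
    """UDP port for the rest of IKE and whether ESP gets UDP encapsulation (RFC 3948)."""
    if initiator_nat or responder_nat:
        return 4500, True
    return 500, False


def run(initiator_ip="172.16.1.1", nat_public_ip="202.100.1.2", nat_port=10244,
        responder_ip="202.100.1.1"):
    """Pass nat_public_ip=None to model the same peers without AR1 in the path."""
    spi_i = bytes.fromhex("0011223344556677")  # constructed SPI
    msg = build_ike_sa_init(spi_i, initiator_ip, 500, responder_ip, 500)
    # AR1's 'nat outbound' rewrites only the outer header; msg is carried as-is.
    seen_ip, seen_port = (nat_public_ip, nat_port) if nat_public_ip else (initiator_ip, 500)
    i_nat, r_nat = responder_detects_nat(msg, seen_ip, seen_port, responder_ip, 500)
    port, encap = choose_transport(i_nat, r_nat)
    return {"peer_seen_as": f"{seen_ip}:{seen_port}", "initiator_behind_nat": i_nat,
            "responder_behind_nat": r_nat, "ike_port": port, "udp_encapsulated_esp": encap}


if __name__ == "__main__":
    print(run())                    # through AR1: peer seen as 202.100.1.2:10244, port 4500
    print(run(nat_public_ip=None))  # no NAT in the path: stays on port 500, no encapsulation
```

This is why FW1's ike peer needs no remote-address and why the service-set natt (UDP 4500) must be permitted from untrust to local on both firewalls: once the responder concludes the initiator is translated, everything after IKE_SA_INIT, including the ESP traffic, arrives on 4500 from the NAT device's public address.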

[FW1] dis ike sa
15:49:39 2014-08-01
current ike sa number: 2
conn-id    peer                   flag    phase   vpn
40001      202.100.1.2:10244      RD      v2:2    public
2          202.100.1.2:10244      RD      v2:1    public

[FW1] dis ipsec sa brief
15:49:43 2014-08-01
current ipsec sa number: 2
current ipsec tunnel number: 1
Src Address     Dst Address     SPI          Protocol   Algorithm
202.100.1.2     202.100.1.1     268723444    ESP        E:DES;A:HMAC-MD5-96
202.100.1.1     202.100.1.2     3352737410   ESP        E:DES;A:HMAC-MD5-96

[FW1] display ipsec sa
15:51:44 2014-08-01
===============================
Interface: GigabitEthernet0/0/2
Path MTU: 1500
===============================
-------------------------------
IPsec policy name: "l2l"
Sequence number: 1
Mode: template
VPN: public
-------------------------------
Connection id: 40001
Rule number: 4294967295
Encapsulation mode: tunnel
Holding time: 0d 0h 20m 26s
Tunnel local: 202.100.1.1  tunnel remote: 202.100.1.2
Flow source: 10.1.1.0-10.1.1.255 0-65535 0
Flow destination: 10.1.2.0-10.1.2.255 0-65535 0

[inbound ESP SAs]
spi: 268723444 (0x100464f4)
VPN: public  said: 0  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436260/2374
max received sequence-number: 9
udp encapsulation used for nat traversal: Y

[outbound ESP SAs]
spi: 3352737410 (0xc7d6b682)
VPN: public  said: 1  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436260/2374
max sent sequence-number: 10
udp encapsulation used for nat traversal: Y
#

[FW1] display ipsec statistics

15:53:57 2014-08-01

The security packet statistics:

Input/output security packets: 76/9

Input/output security bytes: 540/540

Input/output dropped security packets: 67/0

The encrypt packet statistics

Send sae:9, recv sae:9, send err:0

Local cpu:9, other cpu:0, recv other cpu:0

Intact packet:9, first slice:0, after slice:0

The decrypt packet statistics

Send sae:9, recv sae:9, send err:0

Local cpu:9, other cpu:0, recv other cpu:0

Reass first slice:0, after slice:0, len err:0

Dropped security packet detail:

No enough memory: 0, too long: 0

Can't find SA: 67, wrong SA: 0

Authentication: 0, replay: 0

Front recheck: 0, after recheck: 0

Exceed byte limit: 0, exceed packet limit: 0

Change cpu enc: 0, dec change cpu: 0

Change datachan: 0, fib search: 0

Rcv enc (dec) form sae said err: 0,0

Port number error: 0

Send port: 0, output l3: 0, l2tp input: 0

Negotiate about packet statistics:

IP packet ok:0, err:0, drop:0

IP rcv other cpu to ike:0, drop:0

IKE packet inbound ok:3, err:0

IKE packet outbound ok:3, err:0

SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0

ModpCnt: 4, SaeSucc: 0, SoftwareSucc: 4
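The three display commands above are what you actually verify against, and the same fields are what to check in a script: the IKE peer shows a translated port (a NAT device's address, not the real peer), every ESP SA shows udp encapsulation Y, the negotiated proposal is acceptable, and the drop counters explain any loss. The following checker is an added example and not a Huawei tool; the sample text embedded in it is the page's own output retyped (column spacing may differ from a live device), and the field names it matches are the ones visible in that output.

```python
"""Audit the 'display ike sa' / 'display ipsec sa' / 'display ipsec statistics'
output of a USG NAT-traversal tunnel. Added example, not a Huawei tool; the
sample text is the page's output retyped."""
import re

IKE_SA_TEXT = """\
current ike sa number: 2
conn-id    peer                   flag    phase   vpn
40001      202.100.1.2:10244      RD      v2:2    public
2          202.100.1.2:10244      RD      v2:1    public
"""

IPSEC_SA_TEXT = """\
IPsec policy name: "l2l"
Mode: template
Tunnel local: 202.100.1.1  tunnel remote: 202.100.1.2
[inbound ESP SAs]
spi: 268723444 (0x100464f4)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
spi: 3352737410 (0xc7d6b682)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: Y
"""

STATS_TEXT = """\
Input/output dropped security packets: 67/0
Dropped security packet detail:
No enough memory: 0, too long: 0
Can't find SA: 67, wrong SA: 0
Authentication: 0, replay: 0
Negotiate about packet statistics:
"""

WEAK = {"DES", "3DES", "MD5"}  # what the empty default proposals negotiate; not acceptable today


def parse_ike_sa(text):
    pat = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(v\d:\d)\s+(\S+)", re.M)
    return [{"conn_id": int(m[1]), "peer_ip": m[2], "peer_port": int(m[3]),
             "flag": m[4], "phase": m[5], "vpn": m[6]} for m in pat.finditer(text)]


def parse_ipsec_sa(text):
    """One record per [inbound/outbound ESP SAs] section."""
    sas = []
    for m in re.finditer(r"\[(inbound|outbound) ESP SAs\](.*?)(?=\[(?:in|out)bound ESP SAs\]|\Z)",
                         text, re.S):
        body = m[2]
        spi = re.search(r"spi:\s*(\d+)", body, re.I)
        prop = re.search(r"proposal:\s*(.+)", body, re.I)
        enc = re.search(r"udp encapsulation used for nat traversal:\s*([YN])", body, re.I)
        sas.append({"direction": m[1], "spi": int(spi[1]), "proposal": prop[1].split(),
                    "udp_encap": bool(enc) and enc[1].upper() == "Y"})
    return sas


def parse_drop_reasons(text):
    """'Dropped security packet detail' block as {reason: count}, keys lower-cased."""
    sect = re.search(r"dropped security packet detail:(.*?)(?:negotiate about|\Z)", text, re.S | re.I)
    if not sect:
        return {}
    return {k.strip().lower(): int(v) for k, v in re.findall(r"([A-Za-z0-9' ()]+?):\s*(\d+)", sect[1])}


def audit(ike_rows, ipsec_sas, drops):
    """Returns (code, message) findings; an empty list means nothing to act on."""
    findings = []
    nat_peer = False
    for r in ike_rows:
        if r["peer_port"] != 500:  # a translated port: the peer sits behind a NAT device
            nat_peer = True
            findings.append(("NAT_PEER", f"conn {r['conn_id']}: peer {r['peer_ip']}:{r['peer_port']} "
                             "is a NAT device's translated address, not the real peer"))
    for sa in ipsec_sas:
        if nat_peer and not sa["udp_encap"]:
            findings.append(("NO_UDP_ENCAP", f"{sa['direction']} spi {sa['spi']}: ESP is not "
                             "UDP-encapsulated and will not pass a port-translating NAT"))
        for alg in sa["proposal"]:
            if set(alg.upper().split("-")) & WEAK:
                findings.append(("WEAK_ALG", f"{sa['direction']} spi {sa['spi']}: {alg} negotiated; "
                                 "configure an explicit AES/SHA-2 proposal on both peers"))
    missing = drops.get("can't find sa", 0)
    if missing:
        findings.append(("SA_MISS_DROPS", f"{missing} inbound packets dropped with no matching SA"))
    return findings


def audit_page_output():
    return audit(parse_ike_sa(IKE_SA_TEXT), parse_ipsec_sa(IPSEC_SA_TEXT), parse_drop_reasons(STATS_TEXT))


if __name__ == "__main__":
    for code, msg in audit_page_output():
        print(f"{code:14} {msg}")
```

Run against the output above it reports the translated peer 202.100.1.2:10244 on both IKE entries, DES and HMAC-MD5 on both ESP SAs, and the 67 packets dropped for want of an SA; it stays silent on UDP encapsulation because both SAs already show Y.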

What the output shows: FW1's IKE SA lists the peer as 202.100.1.2:10244, which is AR1's public address with a translated source port, not FW2's real address 172.16.1.1. The IPsec SAs are likewise built between 202.100.1.1 and 202.100.1.2, and both carry "udp encapsulation used for nat traversal: Y", so ESP is being carried inside UDP 4500 and survives the NAT. All 67 dropped packets in the statistics are counted under "Can't find SA": no matching SA existed for them when they arrived.

Two caveats before reusing this configuration. First, neither ike proposal 1 nor ipsec proposal 1 sets any algorithm, so the tunnel negotiated the defaults visible above, DES encryption with HMAC-MD5; configure an explicit AES and SHA-2 proposal on both peers instead. Second, because FW1's ike peer has no remote-address and its policy is a template, FW1 will answer any initiator that presents the right pre-shared key; that is unavoidable when the peer's address is hidden behind NAT, so use a strong pre-shared key and keep the local-untrust policy limited to IKE, NAT-T and ESP as shown.
