IPsec interesting-traffic (crypto ACL) mismatch

While running an IPsec VPN lab I hit the following errors in the debugs:

map_db_find_best did not find matching map
IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address X.X.X.X

After checking the configuration and several more attempts, the problem turned out to be the ACLs. The ACLs that define the interesting traffic on the two devices were not exact mirrors of each other but in a containment relationship: the range covered by ACL A was larger than the range defined by ACL B. An IPsec negotiation initiated from the A side cannot succeed and produces the errors above, while traffic from the B side negotiates the IPsec SA successfully and the data is encrypted. The asymmetry follows from how the responder handles the proxy IDs: A proposes its wider range, which B's narrower entry does not cover, so B finds no crypto map for it; B proposes the narrower range, which lies inside A's entry, so A accepts it.

The entries of the ACLs that define the interesting traffic for an IPsec VPN must mirror each other on the two peers for the IPsec negotiation to succeed. The Cisco documentation records exactly this:

This message appears in debugs if the access list for IPsec traffic does not match.

1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!
The access lists on each peer need to mirror each other (all entries need to be reversible). This example illustrates this point.

Peer A
access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
Peer B
access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255
access-list 150 permit ip host 172.21.114.123 host 15.15.15.1
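To make the mirror rule and the one-way failure concrete, here is an added Python example (not code from this post or from Cisco) that parses crypto ACL entries in the IOS syntax shown above, reports entries whose exact mirror is missing on the other peer, and simulates which side can bring up the SA. The responder rule it uses, that the initiator's proxy IDs must fall inside one of the responder's entries, is an assumption chosen to reproduce the behaviour described above rather than the documented IOS algorithm, and the 10.1.0.0/16 versus 10.2.1.0/24 pair is constructed sample input; the 172.21.x.x pair is the mirrored example quoted from the Cisco documentation.

```python
"""Crypto ACL mirror check and one-way negotiation simulation.

Added example, not code from the post or from Cisco.  The responder rule
(initiator proxy IDs must fall inside one responder ACL entry) is an
assumption that reproduces the behaviour the post describes.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)

# Only the "permit ip <src> <dst>" form used for crypto ACLs is handled.
ACE_RE = re.compile(
    r"^\s*access-list\s+\d+\s+permit\s+ip\s+"
    r"(host\s+\S+|any|\S+\s+\S+)\s+(host\s+\S+|any|\S+\s+\S+)\s*$"
)

# Mirrored pair quoted from the Cisco documentation in the post.
PEER_A_MIRRORED = """
access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
"""
PEER_B_MIRRORED = """
access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255
access-list 150 permit ip host 172.21.114.123 host 15.15.15.1
"""

# Constructed pair reproducing the post's failure: A's entry is a superset
# of the mirror of B's entry (/16 versus /24), not an exact mirror.
PEER_A_WIDE = "access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"
PEER_B_NARROW = "access-list 101 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255"


def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """Turn an IOS address spec (any / host X / X wildcard) into a network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    addr, wildcard = parts
    # An IOS wildcard mask is the bitwise inverse of the netmask; IPv4Network
    # rejects the result if the wildcard was not contiguous.
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse one ACL (one ACE per line) into (source, destination) pairs."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append((parse_addr(m.group(1)), parse_addr(m.group(2))))
    return aces


def unmirrored(acl: List[Ace], peer_acl: List[Ace]) -> List[Ace]:
    """Entries of acl whose exact mirror (dst, src) is missing on the peer."""
    peer = set(peer_acl)
    return [ace for ace in acl if (ace[1], ace[0]) not in peer]


def responder_match(proposal: Ace, responder_acl: List[Ace]) -> Optional[Ace]:
    """Responder-side lookup of a crypto map entry for the proposed proxy IDs.

    Assumption: accepted when the initiator's destination lies within the
    entry's source and the initiator's source within the entry's destination.
    """
    init_src, init_dst = proposal
    for resp_src, resp_dst in responder_acl:
        if init_dst.subnet_of(resp_src) and init_src.subnet_of(resp_dst):
            return (resp_src, resp_dst)
    return None


def initiate(initiator_acl: List[Ace], responder_acl: List[Ace],
             src_ip: str, dst_ip: str) -> Tuple[Optional[Ace], Optional[Ace]]:
    """Simulate a packet src_ip -> dst_ip triggering quick mode.

    Returns (proposed, accepted): proposed is the initiator entry the packet
    hit (None: not interesting, nothing is negotiated); accepted is the
    responder entry that matched (None: the responder rejects the proxy IDs,
    the situation behind the "no IPSEC cryptomap exists" debug).
    """
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in initiator_acl:
        if src in ace[0] and dst in ace[1]:
            return ace, responder_match(ace, responder_acl)
    return None, None


if __name__ == "__main__":
    a, b = parse_acl(PEER_A_WIDE), parse_acl(PEER_B_NARROW)
    print("unmirrored on A:", unmirrored(a, b))
    print("A initiates:", initiate(a, b, "10.1.1.10", "10.2.1.20"))
    print("B initiates:", initiate(b, a, "10.2.1.20", "10.1.1.10"))
```

Running it with the constructed pair shows the post's symptom: `unmirrored` flags A's /16 entry, a packet leaving A proposes that entry and B finds no matching map, while the same flow started from B proposes the /24 entry and A accepts it. The quick fix is the one the Cisco text states: make every entry on one peer the exact reverse of an entry on the other, so `unmirrored` returns an empty list in both directions.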
