最佳答案
您好,可以的,進一步檢查配置
(0)
我是用的中心節點對應多個下級節點的配置做的,debug隻報一個錯誤就是SP無法發現SA
我是用的中心節點對應多個下級節點的配置做的,debug隻報一個錯誤就是SP無法發現SA
模擬器可以配置IPSec,配置完成後,可以使用終端相互ping一下,激發一下SA建立
(0)
IPSec排查,主要看一下三個部分:公網路由(看看兩端公網地址通不通,可以配個安全策略放行Ping),安全策略(放行IKE和IPSec相關的,Untrust到Local,Local到Untrust),IPSec和IKE的配置是否對稱(重點檢查一下,把兩端的配置粘出來,仔細對比一下,包括ACL也對比一下)。
我配置了acl,按道理不用配置去往內網的路由,但是防火牆配置了去內網的路由,ping對端內網電腦才能建立第一階段,但無法建立第二階段
IPSec排查,主要看一下三個部分:公網路由(看看兩端公網地址通不通,可以配個安全策略放行Ping),安全策略(放行IKE和IPSec相關的,Untrust到Local,Local到Untrust),IPSec和IKE的配置是否對稱(重點檢查一下,把兩端的配置粘出來,仔細對比一下,包括ACL也對比一下)。
[BEGIN] 2025/1/13 10:43:04
[jiedian]
[jiedian]dis
[jiedian]display cu
[jiedian]display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname jiedian
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 198.76.26.2 255.255.255.0
nat outbound 3888
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 101.88.26.0 24 198.76.26.1
#
acl advanced 3888
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip
#
acl advanced 3999
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set jiedian
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy GE1//0/2 1 isakmp
transform-set jiedian
security acl 3999
local-address 198.76.26.2
remote-address 101.88.26.2
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 198.76.26.2
match remote identity address 101.88.26.2 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 101.88.26.2 255.255.255.0 key cipher $c$3$QNy6WhqcdyNofdwFdBAY3JCo5iCV39W2dg==
#
ip http enable
ip https enable
#
security-policy ip
rule 5 name any
action pass
#
return
[jiedian]
[jiedian]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
-----------------------------------------
[BEGIN] 2025/1/13 10:42:34
[zongbu]
[zongbu]dis
[zongbu]display cu
[zongbu]display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname zongbu
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 101.88.26.2 255.255.255.0
nat outbound 3888
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 198.76.26.0 24 101.88.26.1
#
acl advanced 3888
rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip
#
acl advanced 3999
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set zongbu
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy GE1/0/2 1 isakmp
transform-set zongbu
security acl 3999
local-address 101.88.26.2
remote-address 198.76.26.2
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 101.88.26.2
match remote identity address 198.76.26.2 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 198.76.26.2 255.255.255.0 key cipher $c$3$aFtWBHe8ZKCW1qzBxHpFJv6suidJUNXWHQ==
#
ip http enable
ip https enable
#
security-policy ip
rule 5 name any
action pass
#
return
[zongbu]
[zongbu]
[zongbu]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
[END] 2025/1/13 10:42:45
[END] 2025/1/13 10:43:14
[zongbu]display current-configuration | in static
ip route-static 192.168.20.0 24 101.88.26.1
ip route-static 198.76.26.0 24 101.88.26.1
[jiedian]display current-configuration | in static
ip route-static 101.88.26.0 24 198.76.26.1
ip route-static 192.168.10.0 24 192.76.26.1
-----------------------------------
[zongbu]*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/PACKET: -COntext=1;
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/ERROR: -COntext=1;
The reason of dropping packet is no available IPsec tunnel.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Sent SA-Acquire message : SP ID = 0
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Received negotiate SA message from IPsec kernel.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Got SA time-based soft lifetime settings when filling Sp data.
Configured soft lifetime buffer : 0 seconds.
Configured global soft lifetime buffer : 0 seconds.
*Jan 13 10:47:31:733 2025 zongbu IPSEC/7/EVENT: -COntext=1;
The SA doesn't exist in kernel.
*Jan 13 10:47:31:733 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Remote address no need to change, SP index=0.
[zongbu]di
[zongbu]dis
[zongbu]display ike sa
[zongbu]display ike sa
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
ID Profile Remote Flag Remote-Type Remote-ID
--------------------------------------------------------------------------------
3 1 198.76.26.2 RD IPV4_ADDR 198.76.26.2
[zongbu]dis
[zongbu]display ips
[zongbu]display ipsec sa
[zongbu]display ipsec sa
---------------------------------------
[jiedian]*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 164
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Begin a new phase 1 negotiation as responder.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Responder created an SA for peer 101.88.26.2, local port 500, remote port 500.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Security Association Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process vendor ID payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Vendor ID NAT-T rfc3947 is matched.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process SA payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Check ISAKMP transform 1.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encryption algorithm is DES-CBC.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH algorithm is HMAC-SHA1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
DH group is 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Authentication method is Pre-shared key.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Lifetime type is 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Life duration is 86400.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Get pre-shared key by IKE profile .
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Found pre-shared key that matches address 101.88.26.2 in keychain 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Attributes is acceptable.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; Oakley transform 1 is acceptable.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Constructed SA payload
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NAT-T rfc3947 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct XAUTH draft6 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 136
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 216
*Jan 13 10:47:30:845 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Key Exchange Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Nonce Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP NAT-D Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP NAT-D Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process KE payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process NONCE payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received 2 NAT-D payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process vendor ID payload.
*Jan 13 10:47:30:846 2025 jiedian IKE/7/EVENT: -COntext=1; Vendor ID DPD is matched.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct KE payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NONCE payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NAT-D payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct DPD vendor ID payload.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 216
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 92
*Jan 13 10:47:30:854 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Decrypt the packet.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Hash Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Notification Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process ID payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Peer ID type: IPV4_ADDR (1).
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Peer ID value: address 101.88.26.2.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Update the profile with Remote identity.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
The profile 1 is matched.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Found keychain 1 in profile 1 successfully.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Verify HASH payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH:
c7e6ab57 d7541f2c 61a66e60 8ed9ef5a 1148f77d
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH verification succeeded.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Notification IPSEC_INITIAL_CONTACT is received.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Local ID type: IPV4_ADDR (1).
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Local ID value: 198.76.26.2.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct ID payload.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH:
a797f0d6 851d0253 c2b0f1b0 8a85d7bc d9b058b5
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct authentication by pre-shared-key.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encrypt the packet.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_SEND4 to IKE_P1_STATE_ESTABLISHED.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1;
Address 198.76.26.2 is not VirtualAddr
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
The default soft lifetime 82080(seconds) was used for the IKE P1 SA.
*Jan 13 10:47:30:857 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Add tunnel, alloc new tunnel with ID [1].
*Jan 13 10:47:30:857 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 620d80a0
length: 172
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; Phase2 process started.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Decrypt the packet.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Hash Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Security Association Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Nonce Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process HASH payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Validated HASH(1) successfully.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process IPsec ID payload.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process IPsec ID payload.
*Jan 13 10:47:30:861 2025 jiedian IPSEC/7/EVENT: -COntext=1;
Could not find tunnel, ike profile name is 1.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; Received message from ipsec, message type is 10.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/ERROR: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/ERROR: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Failed to negotiate IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; Delete IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send delete SA to IPsec, the reason is negotiate fail.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encrypt the packet.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct notification packet: INVALID_ID_INFORMATION.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: ebf3f95a
length: 68
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
[jiedian]
(0)
你的配置99%都是對的,加一下去業務段的路由就好了。。。。。。
不加路由的話,ping的時候流量無法被引導到出接口那裏,也就匹配不上ipsec policy了。
還有一個ipsec policy GE1//0/2 1 isakmp我估計是編輯文本的時候出錯了吧,多了個“/”。
兩邊都要加一下路由。
第一次ping的時候可能會丟一個包,用於觸發協商,後續就不再丟包了。
(0)
可以了
親~登錄後才可以操作哦!
確定你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作
舉報
×
侵犯我的權益
×
侵犯了我企業的權益
×
抄襲了我的內容
×
原文鏈接或出處
誹謗我
×
對根叔社區有害的內容
×
不規範轉載
×
舉報說明
做了幾次一共就遇到這麼三個debug信息