• 全部
  • 經驗案例
  • 典型配置
  • 技術公告
  • FAQ
  • 漏洞說明
  • 全部
  • 全部
  • 大數據引擎
  • 知了引擎
產品線
搜索
取消
案例類型
發布者
是否解決
是否官方
時間
搜索引擎
匹配模式
高級搜索

HCL-模擬器-ipsec

2025-01-13提問
  • 0關注
  • 0收藏,760瀏覽
粉絲:0人 關注:2人

問題描述:

華三模擬器在路由器和防火牆上做ipsec是不是無法建立隧道,我防火牆做了實驗隧道無法建立。

最佳答案

Xcheng 九段
粉絲:128人 關注:3人

肯定可以


檢查配置或debug定位吧


回複Xcheng:

做了幾次一共就遇到這麼三個debug信息

小白的逆襲 發表時間:2025-01-13 更多>>

debug隻在報sp無法發現sa

小白的逆襲 發表時間:2025-01-13

那不就是配置問題麼

Xcheng 發表時間:2025-01-13

建議報個培訓班係統性學習下吧,或查閱官網手冊等權威資料進一步確認吧

Xcheng 發表時間:2025-01-13
回複Xcheng:

我在做一下試一下吧,跟著專家發的配置做的

小白的逆襲 發表時間:2025-01-13
回複Xcheng:

<zongbu>*Jan 13 10:02:08:496 2025 zongbu IPSEC/7/EVENT: -COntext=1; Sent debug message to all nodes, message type is 0x3.

小白的逆襲 發表時間:2025-01-13

聯係相關專家吧

Xcheng 發表時間:2025-01-13

或仔細檢查配置吧

Xcheng 發表時間:2025-01-13
回複Xcheng:

<zongbu>*Jan 13 10:11:47:911 2025 zongbu IKE/7/EVENT: -COntext=1; Sent config set message.

小白的逆襲 發表時間:2025-01-13
回複Xcheng:

做了幾次一共就遇到這麼三個debug信息

小白的逆襲 發表時間:2025-01-13
5 個回答
粉絲:25人 關注:4人

是的,模擬軟件不比真機,很多功能是有限製的,還是建議用真機做實驗。

粉絲:104人 關注:0人

您好,可以的,進一步檢查配置

我是用的中心節點對應多個下級節點的配置做的,debug隻報一個錯誤就是SP無法發現SA

小白的逆襲 發表時間:2025-01-13 更多>>

我是用的中心節點對應多個下級節點的配置做的,debug隻報一個錯誤就是SP無法發現SA

小白的逆襲 發表時間:2025-01-13
粉絲:0人 關注:0人

模擬器可以配置IPSec,配置完成後,可以使用終端相互ping一下,激發一下SA建立

IPSec排查,主要看一下三個部分:公網路由(看看兩端公網地址通不通,可以配個安全策略放行Ping),安全策略(放行IKE和IPSec相關的,Untrust到Local,Local到Untrust),IPSec和IKE的配置是否對稱(重點檢查一下,把兩端的配置粘出來,仔細對比一下,包括ACL也對比一下)。

zhiliao_wjxmkq 發表時間:2025-01-13 更多>>

我配置了acl,按道理不用配置去往內網的路由,但是防火牆配置了去內網的路由,ping對端內網電腦才能建立第一階段,但無法建立第二階段

小白的逆襲 發表時間:2025-01-13

IPSec排查,主要看一下三個部分:公網路由(看看兩端公網地址通不通,可以配個安全策略放行Ping),安全策略(放行IKE和IPSec相關的,Untrust到Local,Local到Untrust),IPSec和IKE的配置是否對稱(重點檢查一下,把兩端的配置粘出來,仔細對比一下,包括ACL也對比一下)。

zhiliao_wjxmkq 發表時間:2025-01-13
粉絲:0人 關注:2人

​[BEGIN] 2025/1/13 10:43:04

[jiedian]
[jiedian]dis
[jiedian]display cu
[jiedian]display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname jiedian
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 198.76.26.2 255.255.255.0
nat outbound 3888
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 101.88.26.0 24 198.76.26.1
#
acl advanced 3888
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip
#
acl advanced 3999
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set jiedian
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy GE1//0/2 1 isakmp
transform-set jiedian
security acl 3999
local-address 198.76.26.2
remote-address 101.88.26.2
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 198.76.26.2
match remote identity address 101.88.26.2 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 101.88.26.2 255.255.255.0 key cipher $c$3$QNy6WhqcdyNofdwFdBAY3JCo5iCV39W2dg==
#
ip http enable
ip https enable
#
security-policy ip
rule 5 name any
action pass
#
return
[jiedian] 

[jiedian]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

-----------------------------------------

[BEGIN] 2025/1/13 10:42:34
[zongbu]
[zongbu]dis
[zongbu]display cu
[zongbu]display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname zongbu
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 101.88.26.2 255.255.255.0
nat outbound 3888
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 198.76.26.0 24 101.88.26.1
#
acl advanced 3888
rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip
#
acl advanced 3999
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set zongbu
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy GE1/0/2 1 isakmp
transform-set zongbu
security acl 3999
local-address 101.88.26.2
remote-address 198.76.26.2
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 101.88.26.2
match remote identity address 198.76.26.2 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 198.76.26.2 255.255.255.0 key cipher $c$3$aFtWBHe8ZKCW1qzBxHpFJv6suidJUNXWHQ==
#
ip http enable
ip https enable
#
security-policy ip
rule 5 name any
action pass
#
return
[zongbu]
[zongbu]
[zongbu]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

[END] 2025/1/13 10:42:45

[END] 2025/1/13 10:43:14


[zongbu]display current-configuration | in static
ip route-static 192.168.20.0 24 101.88.26.1
ip route-static 198.76.26.0 24 101.88.26.1


[jiedian]display current-configuration | in static
ip route-static 101.88.26.0 24 198.76.26.1
ip route-static 192.168.10.0 24 192.76.26.1

-----------------------------------


[zongbu]*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/PACKET: -COntext=1;
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/ERROR: -COntext=1;
The reason of dropping packet is no available IPsec tunnel.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Sent SA-Acquire message : SP ID = 0
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Received negotiate SA message from IPsec kernel.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Got SA time-based soft lifetime settings when filling Sp data.
Configured soft lifetime buffer : 0 seconds.
Configured global soft lifetime buffer : 0 seconds.
*Jan 13 10:47:31:733 2025 zongbu IPSEC/7/EVENT: -COntext=1;
The SA doesn't exist in kernel.
*Jan 13 10:47:31:733 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Remote address no need to change, SP index=0.

[zongbu]di
[zongbu]dis
[zongbu]display ike sa
[zongbu]display ike sa
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
ID Profile Remote Flag Remote-Type Remote-ID
--------------------------------------------------------------------------------
3 1 198.76.26.2 RD IPV4_ADDR 198.76.26.2
[zongbu]dis
[zongbu]display ips
[zongbu]display ipsec sa
[zongbu]display ipsec sa 

---------------------------------------

[jiedian]*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 164
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Begin a new phase 1 negotiation as responder.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Responder created an SA for peer 101.88.26.2, local port 500, remote port 500.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Security Association Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process vendor ID payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Vendor ID NAT-T rfc3947 is matched.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process SA payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Check ISAKMP transform 1.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encryption algorithm is DES-CBC.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH algorithm is HMAC-SHA1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
DH group is 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Authentication method is Pre-shared key.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Lifetime type is 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Life duration is 86400.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Get pre-shared key by IKE profile .
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Found pre-shared key that matches address 101.88.26.2 in keychain 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Attributes is acceptable.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; Oakley transform 1 is acceptable.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Constructed SA payload
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NAT-T rfc3947 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct XAUTH draft6 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 136
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 216
*Jan 13 10:47:30:845 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Key Exchange Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Nonce Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP NAT-D Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP NAT-D Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process KE payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process NONCE payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received 2 NAT-D payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process vendor ID payload.
*Jan 13 10:47:30:846 2025 jiedian IKE/7/EVENT: -COntext=1; Vendor ID DPD is matched.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct KE payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NONCE payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NAT-D payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct DPD vendor ID payload.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 216
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 92
*Jan 13 10:47:30:854 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Decrypt the packet.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Hash Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Notification Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process ID payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Peer ID type: IPV4_ADDR (1).
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Peer ID value: address 101.88.26.2.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Update the profile with Remote identity.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
The profile 1 is matched.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Found keychain 1 in profile 1 successfully.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Verify HASH payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH:
c7e6ab57 d7541f2c 61a66e60 8ed9ef5a 1148f77d
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH verification succeeded.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Notification IPSEC_INITIAL_CONTACT is received.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Local ID type: IPV4_ADDR (1).
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Local ID value: 198.76.26.2.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct ID payload.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH:
a797f0d6 851d0253 c2b0f1b0 8a85d7bc d9b058b5
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct authentication by pre-shared-key.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encrypt the packet.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_SEND4 to IKE_P1_STATE_ESTABLISHED.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1;
Address 198.76.26.2 is not VirtualAddr
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
The default soft lifetime 82080(seconds) was used for the IKE P1 SA.
*Jan 13 10:47:30:857 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Add tunnel, alloc new tunnel with ID [1].
*Jan 13 10:47:30:857 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 620d80a0
length: 172
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; Phase2 process started.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Decrypt the packet.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Hash Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Security Association Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Nonce Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process HASH payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Validated HASH(1) successfully.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process IPsec ID payload.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process IPsec ID payload.
*Jan 13 10:47:30:861 2025 jiedian IPSEC/7/EVENT: -COntext=1;
Could not find tunnel, ike profile name is 1.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; Received message from ipsec, message type is 10.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/ERROR: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/ERROR: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Failed to negotiate IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; Delete IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send delete SA to IPsec, the reason is negotiate fail.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encrypt the packet.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct notification packet: INVALID_ID_INFORMATION.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: ebf3f95a
length: 68
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.

[jiedian]


粉絲:32人 關注:11人

你的配置99%都是對的,加一下去業務段的路由就好了。。。。。。

不加路由的話,ping的時候流量無法被引導到出接口那裏,也就匹配不上ipsec policy了。


還有一個ipsec policy GE1//0/2 1 isakmp我估計是編輯文本的時候出錯了吧,多了個“/”。


兩邊都要加一下路由。

第一次ping的時候可能會丟一個包,用於觸發協商,後續就不再丟包了。

可以了

小白的逆襲 發表時間:2025-01-16 更多>>

好的我再試試

小白的逆襲 發表時間:2025-01-14

加業務網段我也不行,能不您的配置發一下嗎

小白的逆襲 發表時間:2025-01-14

能把

小白的逆襲 發表時間:2025-01-14

我用的就是你的配置,直接複製進去然後加了條路由。

奇怪的流量 發表時間:2025-01-15

那就奇怪了我默認路由按道理不用加明細,就是建立不起來ike和ipsec sa

小白的逆襲 發表時間:2025-01-16

可以了

小白的逆襲 發表時間:2025-01-16

編輯答案

你正在編輯答案

如果你要對問題或其他回答進行點評或詢問,請使用評論功能。

分享擴散:

提出建議

    +

親~登錄後才可以操作哦!

確定

親~檢測到您登陸的賬號未在http://hclhub.h3c.com進行注冊

注冊後可訪問此模塊

跳轉hclhub

你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作

舉報

×

侵犯我的權益 >
對根叔社區有害的內容 >
辱罵、歧視、挑釁等(不友善)

侵犯我的權益

×

泄露了我的隱私 >
侵犯了我企業的權益 >
抄襲了我的內容 >
誹謗我 >
辱罵、歧視、挑釁等(不友善)
騷擾我

泄露了我的隱私

×

您好,當您發現根叔知了上有泄漏您隱私的內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到pub.zhiliao@h3c.com 郵箱,我們會盡快處理。
  • 1. 您認為哪些內容泄露了您的隱私?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
  • 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)

侵犯了我企業的權益

×

您好,當您發現根叔知了上有關於您企業的造謠與誹謗、商業侵權等內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到 pub.zhiliao@h3c.com 郵箱,我們會在審核後盡快給您答複。
  • 1. 您舉報的內容是什麼?(請在郵件中列出您舉報的內容和鏈接地址)
  • 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
  • 3. 是哪家企業?(營業執照,單位登記證明等證件)
  • 4. 您與該企業的關係是?(您是企業法人或被授權人,需提供企業委托授權書)
我們認為知名企業應該坦然接受公眾討論,對於答案中不準確的部分,我們歡迎您以正式或非正式身份在根叔知了上進行澄清。

抄襲了我的內容

×

原文鏈接或出處

誹謗我

×

您好,當您發現根叔知了上有誹謗您的內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到pub.zhiliao@h3c.com 郵箱,我們會盡快處理。
  • 1. 您舉報的內容以及侵犯了您什麼權益?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
  • 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
我們認為知名企業應該坦然接受公眾討論,對於答案中不準確的部分,我們歡迎您以正式或非正式身份在根叔知了上進行澄清。

對根叔社區有害的內容

×

垃圾廣告信息
色情、暴力、血腥等違反法律法規的內容
政治敏感
不規範轉載 >
辱罵、歧視、挑釁等(不友善)
騷擾我
誘導投票

不規範轉載

×

舉報說明