Thursday, July 30, 2009

Simple differences between IPSec and SSL VPN


IPSec protects IP packets and protocols between networks or hosts;

SSL VPN protects user access to services and applications on the network;





Tuesday, July 14, 2009

Some basic VPN concepts


Common VPN implementation methods:
1. GRE
2. IPSec
3. PPTP
4. L2TP
5. MPLS
6. SSL

A puzzling question: if encryption is already in use, why is packet authentication still needed?

First, after decrypting the data you need to verify that what you decrypted is what was actually sent, and not spoofed traffic. Second, an attacker can exploit this process by sending spoofed packets to your device, causing it to burn CPU cycles decrypting them.
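Added illustration, not from the original post: a simplified ESP-style receiver in Python that checks the HMAC-MD5 integrity value before decrypting, compared with one that decrypts first, counting how many decryptions a batch of forged packets forces on each. The stream cipher is a toy stand-in for 3DES-CBC and both keys are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys; a real SA derives these during IKE phase 2.
ENC_KEY = b"constructed-stand-in-for-3des-key"
AUTH_KEY = b"constructed-hmac-md5-key"
ICV_LEN = 12  # esp-md5-hmac truncates HMAC-MD5 to 96 bits

decrypt_calls = 0  # how many decryptions the receiver has performed

def keystream_xor(key, nonce, data):
    """Toy SHA-256 counter-mode stream cipher standing in for ESP's 3DES-CBC.
    Deterministic and reversible, which is all the demo needs; not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def esp_encrypt(spi, seq, payload):
    """Build SPI | seq | nonce | ciphertext | ICV, with the ICV computed over
    everything before it, as ESP does."""
    nonce = os.urandom(8)
    body = struct.pack(">II", spi, seq) + nonce + keystream_xor(ENC_KEY, nonce, payload)
    icv = hmac.new(AUTH_KEY, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv

def esp_receive(packet, verify_first=True):
    """Receiver. With verify_first the ICV is checked before any decryption, so a
    forged packet costs one HMAC; without it the decryption work is spent first."""
    global decrypt_calls
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.md5).digest()[:ICV_LEN]
    authentic = hmac.compare_digest(icv, expected)
    if verify_first and not authentic:
        return None
    spi, seq = struct.unpack(">II", body[:8])
    decrypt_calls += 1
    plaintext = keystream_xor(ENC_KEY, body[8:16], body[16:])
    if not authentic:  # decrypt-first design: the forgery is noticed only after the work
        return None
    return spi, seq, plaintext

def spoof_cost(n_forged, verify_first):
    """Decryptions that n_forged packets with bad ICVs force on the receiver."""
    global decrypt_calls
    decrypt_calls = 0
    for seq in range(n_forged):
        forged = esp_encrypt(0x1C, seq, b"junk")[:-ICV_LEN] + os.urandom(ICV_LEN)
        esp_receive(forged, verify_first)
    return decrypt_calls
```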




Monday, July 13, 2009

A VPN fault description and troubleshooting example


Topology:
Router HostA E0/0-------E0/0 Router CompanyA E0/1--------E0/1 Router P E0/0--------- E0/0 Router CompanyB E0/1 ------ E0/1 Router HostB

HostA's configuration:
HostA>en
HostA#show run
Building configuration...

Current configuration : 931 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HostA
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip domain lookup
!
!
no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/1
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

HostA#


CompanyA's configuration:

CompanyA#show run
Building configuration...

Current configuration : 1236 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompanyA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.2.1
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto map vpn_map 100 ipsec-isakmp
set peer 1.1.2.1
set transform-set vpn
match address 100
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 1.1.1.1 255.255.255.0
half-duplex
crypto map vpn_map
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

CompanyA#

P's configuration:

P#show run
Building configuration...

Current configuration : 808 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 1.1.2.2 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 1.1.1.2 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

P#
CompanyB's configuration:
CompanyB#show run
Building configuration...

Current configuration : 1235 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompanyB
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto map vpn_map 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set vpn
match address 100
!
!
!
!
interface Ethernet0/0
ip address 1.1.2.1 255.255.255.0
half-duplex
crypto map vpn_map
!
interface Ethernet0/1
ip address 172.16.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.2.2
!
!
!
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

CompanyB#

Router HostB's configuration:
HostB#show run
Building configuration...

Current configuration : 919 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HostB
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip domain lookup
!
!
no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
half-duplex
!
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 172.16.1.1
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

HostB#


Debug output:



CompanyA#
*Mar 1 01:45:08.703: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 01:45:08.707: ISAKMP: set new node -1210591783 to QM_IDLE
*Mar 1 01:45:08.711: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1210591783
*Mar 1 01:45:08.711: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1210591783
*Mar 1 01:45:08.711: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar 1 01:45:08.711: ISAKMP: transform 1, ESP_3DES
*Mar 1 01:45:08.711: ISAKMP: attributes in transform:
*Mar 1 01:45:08.711: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 01:45:08.715: ISAKMP: SA life type in seconds
*Mar 1 01:45:08.715: ISAKMP: SA life duration (basic) of 3600
*Mar 1 01:45:08.715: ISAKMP: SA life type in kilobytes
*Mar 1 01:45:08.715: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 01:45:08.715: ISAKMP: authenticator is HMAC-MD5
*Mar 1 01:45:08.719: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 1 01:45:08.719: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:45:08.723: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1
*Mar 1 01:45:08.723: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Mar 1 01:45:08.723: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 1.1.2.1)
*Mar 1 01:45:08.723: ISAKMP: set new node -1225072254 to QM_IDLE
*Mar 1 01:45:08.727: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 28, message ID = -1225072254
*Mar 1 01:45:08.731: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 01:45:08.731: ISAKMP:(0:1:SW:1):purging node -1225072254
*Mar 1 01:45:08.731: ISAKMP:(0:1:SW:1):deleting node -1210591783 error TRUE reason "QM rejected"
*Mar 1 01:45:08.735: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1210591783: state = IKE_QM_READY
*Mar 1 01:45:08.735: ISAKMP:(0:1:SW:1):Node -1210591783, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 01:45:08.735: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 1 01:45:08.735: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.2.1

The problem starts at this line:
*Mar 1 01:45:08.723: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1

Resolution:
CompanyA's original configuration:
CompanyA(config)#do show access-list
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 any

CompanyA's changed configuration:
CompanyA#show access-lists
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

CompanyB's original configuration:

CompanyB#show access-lists
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 any (5 matches)

CompanyB's changed configuration:

CompanyB#show access-lists
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (25 matches)

The VPN came up successfully; the debug output is as follows:
CompanyA#
*Mar 1 01:50:33.495: ISAKMP (0:0): received packet from 1.1.2.1 dport 500 sport 500 Global (N) NEW SA
*Mar 1 01:50:33.495: ISAKMP: Created a peer struct for 1.1.2.1, peer port 500
*Mar 1 01:50:33.495: ISAKMP: Locking peer struct 0x64AA4FC8, IKE refcount 1 for crypto_isakmp_process_block
*Mar 1 01:50:33.495: ISAKMP: local port 500, remote port 500
*Mar 1 01:50:33.499: insert sa successfully sa = 64D88378
*Mar 1 01:50:33.499: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:50:33.499: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 1 01:50:33.507: ISAKMP: Looking for a matching key for 1.1.2.1 in default : success
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.2.1
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 01:50:33.507: ISAKMP : Scanning profiles for xauth ...
*Mar 1 01:50:33.511: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 01:50:33.511: ISAKMP: encryption 3DES-CBC
*Mar 1 01:50:33.511: ISAKMP: hash MD5
*Mar 1 01:50:33.511: ISAKMP: default group 2
*Mar 1 01:50:33.511: ISAKMP: auth pre-share
*Mar 1 01:50:33.511: ISAKMP: life type in seconds
*Mar 1 01:50:33.511: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 01:50:33.515: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 01:50:33.579: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.579: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-03 ID
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 1 01:50:33.851: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 1 01:50:33.855: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:50:33.855: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 1 01:50:33.859: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar 1 01:50:33.931: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar 1 01:50:33.935: ISAKMP: Looking for a matching key for 1.1.2.1 in default : success
*Mar 1 01:50:33.935: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 1.1.2.1
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar 1 01:50:33.943: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.943: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar 1 01:50:33.943: ISAKMP:received payload type 17
*Mar 1 01:50:33.943: ISAKMP:received payload type 17
*Mar 1 01:50:33.947: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:50:33.947: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 1 01:50:33.951: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 1 01:50:33.951: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:50:33.951: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 1 01:50:34.379: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 1 01:50:34.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:50:34.379: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 1 01:50:34.383: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar 1 01:50:34.383: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 1.1.2.1
protocol : 17
port : 500
length : 12
*Mar 1 01:50:34.387: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar 1 01:50:34.387: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar 1 01:50:34.387: ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64D88378
*Mar 1 01:50:34.391: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
*Mar 1 01:50:34.391: ISAKMP:(0:1:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 1.1.1.1 remote 1.1.2.1 remote port 500
*Mar 1 01:50:34.391: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
*Mar 1 01:50:34.395: ISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.2.1
*Mar 1 01:50:34.395: ISAKMP: Trying to insert a peer 1.1.1.1/1.1.2.1/500/, and inserted successfully.
*Mar 1 01:50:34.395: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:50:34.395: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 1 01:50:34.399: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 01:50:34.399: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 01:50:34.399: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
*Mar 1 01:50:34.403: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar 1 01:50:34.407: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 1 01:50:34.407: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:50:34.407: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Mar 1 01:50:34.411: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 01:50:34.411: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 1 01:50:34.667: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 01:50:34.671: ISAKMP: set new node -1328570287 to QM_IDLE
*Mar 1 01:50:34.675: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1328570287
*Mar 1 01:50:34.675: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1328570287
*Mar 1 01:50:34.675: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar 1 01:50:34.675: ISAKMP: transform 1, ESP_3DES
*Mar 1 01:50:34.675: ISAKMP: attributes in transform:
*Mar 1 01:50:34.675: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 01:50:34.679: ISAKMP: SA life type in seconds
*Mar 1 01:50:34.679: ISAKMP: SA life duration (basic) of 3600
*Mar 1 01:50:34.679: ISAKMP: SA life type in kilobytes
*Mar 1 01:50:34.679: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 01:50:34.679: ISAKMP: authenticator is HMAC-MD5
*Mar 1 01:50:34.683: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 1 01:50:34.683: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:50:34.687: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 172.16.1.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 01:50:34.687: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = -1328570287
*Mar 1 01:50:34.687: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -1328570287
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -1328570287
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1): asking for 1 spis from ipsec
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1):Node -1328570287, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Mar 1 01:50:34.695: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 01:50:34.695: IPSEC(spi_response): getting spi 2443743009 for SA
from 1.1.1.1 to 1.1.2.1 for prot 3
*Mar 1 01:50:34.695: ISAKMP: received ke message (2/1)
*Mar 1 01:50:34.943: IPSec: Flow_switching Allocated flow for flow_id 134217729
*Mar 1 01:50:34.947: IPSec: Flow_switching Allocated flow for flow_id 134217730
*Mar 1 01:50:34.951: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 1.1.2.1:500 Id: 1.1.2.1
*Mar 1 01:50:34.951: ISAKMP: Locking peer struct 0x64AA4FC8, IPSEC refcount 1 for for stuff_ke
*Mar 1 01:50:34.951: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Mar 1 01:50:34.951: inbound SA from 1.1.2.1 to 1.1.1.1 (f/i) 0/ 0
(proxy 172.16.1.0 to 192.168.1.0)
*Mar 1 01:50:34.951: has spi 0x91A88F21 and conn_id 2000 and flags 2
*Mar 1 01:50:34.951: lifetime of 3600 seconds
*Mar 1 01:50:34.951: lifetime of 4608000 kilobytes
*Mar 1 01:50:34.951: has client flags 0x0
*Mar 1 01:50:34.951: outbound SA from 1.1.1.1 to 1.1.2.1 (f/i) 0/0
(proxy 192.168.1.0 to 172.16.1.0)
*Mar 1 01:50:34.951: has spi -1119953576 and conn_id 2001 and flags A
*Mar 1 01:50:34.951: lifetime of 3600 seconds
*Mar 1 01:50:34.951: lifetime of 4608000 kilobytes
*Mar 1 01:50:34.951: has client flags 0x0
*Mar 1 01:50:34.951: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 01:50:34.951: ISAKMP:(0:1:SW:1):Node -1328570287, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar 1 01:50:34.955: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Mar 1 01:50:34.955: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar 1 01:50:34.955: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x91A88F21(2443743009), conn_id= 134219728, keysize= 0, flags= 0x2
*Mar 1 01:50:34.959: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xBD3EDD58(3175013720), conn_id= 134219729, keysize= 0, flags= 0xA
*Mar 1 01:50:34.963: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 172.16.1.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 01:50:34.963: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 1.1.2.1
*Mar 1 01:50:34.963: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 172.16.1.0, dest_port 0

*Mar 1 01:50:34.967: IPSEC(create_sa): sa created,
(sa) sa_dest= 1.1.1.1, sa_prot= 50,
sa_spi= 0x91A88F21(2443743009),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 134219728
*Mar 1 01:50:34.967: IPSEC(create_sa): sa created,
(sa) sa_dest= 1.1.2.1, sa_prot= 50,
sa_spi= 0xBD3EDD58(3175013720),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 134219729
*Mar 1 01:50:35.223: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 01:50:35.223: ISAKMP:(0:1:SW:1):deleting node -1328570287 error FALSE reason "QM done (await)"
*Mar 1 01:50:35.227: ISAKMP:(0:1:SW:1):Node -1328570287, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 01:50:35.227: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 01:50:35.227: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 01:50:35.227: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar 1 01:50:35.231: IPSEC(key_engine_enable_outbound): enable SA with spi 3175013720/50 for 1.1.2.1
CompanyA#


I have not yet figured out the deeper principle behind this fix; I will keep working on it.
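The failing debug trace shows what went wrong: CompanyB's crypto ACL destination of "any" is proposed to CompanyA as local_proxy 0.0.0.0/0, and CompanyA's own crypto ACL (192.168.1.0/24 to any) has no entry covering that, hence "no IPSEC cryptomap exists"; once both ACLs are narrowed to mirror images, the proxy_match succeeds. The following added Python script (not from the original post) models that check on the ACL lines from the post; its rule that a responder accepts an equal or narrower proposal is a simplifying assumption about IOS behaviour.

```python
import ipaddress

# Crypto ACL entries exactly as the post's "show access-lists" output shows them
# (sequence numbers and match counters stripped).
COMPANY_A_BEFORE = "permit ip 192.168.1.0 0.0.0.255 any"
COMPANY_B_BEFORE = "permit ip 172.16.1.0 0.0.0.255 any"
COMPANY_A_AFTER = "permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255"
COMPANY_B_AFTER = "permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255"

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_ace(line):
    """Parse 'permit ip <src> <wildcard> <dst> <wildcard>' (either side may be 'any')."""
    toks = line.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are modelled here")
    toks, nets = toks[2:], []
    while toks:
        if toks[0] == "any":
            nets.append(ANY)
            toks = toks[1:]
        else:
            addr, wild = toks[0], toks[1]
            # Cisco wildcard: 0 bits must match, so inverting it yields the netmask
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            toks = toks[2:]
    if len(nets) != 2:
        raise ValueError("expected a source and a destination")
    return nets[0], nets[1]

def proposed_proxies(initiator_ace):
    """Quick Mode identities the initiator sends: its ACE source becomes the
    responder's remote_proxy and its ACE destination the responder's local_proxy."""
    src, dst = parse_ace(initiator_ace)
    return {"local_proxy": dst, "remote_proxy": src}

def responder_accepts(responder_ace, proposal):
    """Model of validate_proposal_request: the responder needs a crypto map entry
    whose source covers local_proxy and whose destination covers remote_proxy.
    (Assumption: an equal or narrower proposal is accepted.)"""
    src, dst = parse_ace(responder_ace)
    return (proposal["local_proxy"].subnet_of(src)
            and proposal["remote_proxy"].subnet_of(dst))

def tunnel_can_form(ace_a, ace_b):
    """Either side may initiate, so the proposal must be accepted in both directions."""
    return (responder_accepts(ace_a, proposed_proxies(ace_b))
            and responder_accepts(ace_b, proposed_proxies(ace_a)))

def diagnose(responder_ace, initiator_ace):
    """One-line verdict in the spirit of the two debug traces in the post."""
    p = proposed_proxies(initiator_ace)
    if responder_accepts(responder_ace, p):
        return f"proxy_match src {p['local_proxy']} dst {p['remote_proxy']}: accepted"
    return (f"no IPSEC cryptomap matches local_proxy={p['local_proxy']} "
            f"remote_proxy={p['remote_proxy']}: PROPOSAL_NOT_CHOSEN")

if __name__ == "__main__":
    print(diagnose(COMPANY_A_BEFORE, COMPANY_B_BEFORE))  # the failing trace
    print(diagnose(COMPANY_A_AFTER, COMPANY_B_AFTER))    # after both ACLs were narrowed
```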



Tuesday, June 23, 2009

An example of resolving a VLAN interface that stays down


Here is what happened: I entered the command int vlan 99 directly, then added the IP address; I configured INT VLAN 100 the same way, and SHOW IP INT BRI showed the VLAN interfaces stuck in the DOWN state:

Interface   IP-Address    OK? Method Status   Protocol
Vlan1       unassigned    YES NVRAM  up       up
Vlan99      10.10.99.1    YES manual down     down
Vlan100     10.10.100.1   YES manual down     down

First, I suspected routing was not enabled, so I entered the command ip routing; that did not fix it.
Second, SHOW VLAN BRI did not show VLAN 99 or VLAN 100; I created VLAN 99 and VLAN 100, and the problem was solved!

I had run into this problem before and remembered the fix: on the same switch, assigning a port to the VLAN resolves it. But this was a core switch, so it took nearly thirty minutes to sort out. Frustrating.


Friday, June 5, 2009

RF


Radio frequency, abbreviated RF. RF refers to radio-frequency current, short for a high-frequency alternating electromagnetic wave. Alternating current that changes fewer than 1000 times per second is called low-frequency current; current that changes more than 10000 times per second is called high-frequency current, and RF is such a high-frequency current.



A Cisco high-end router troubleshooting example


Symptoms and handling
  An organization used a Cisco 7513 router as its WAN backbone router, in a standard configuration, running IOS version 11.1. One day the line protocol on the router's 2M trunk uplink was found to be down, cutting off the network connected to it. Checking all running parameters with "show running-config" revealed no errors;
  checking the serial ports with "show interfaces serial" showed that some ports were up while their line protocol was down, and all the ports in this condition were on the same serial board (board A); the other modules were working normally. All physical lines were checked and found normal, ruling out a line fault. In any case, it is unlikely that the serial ports on a single board would all develop line faults at the same time. At this point it could be tentatively concluded that board A had a problem. After entering global configuration mode, attempts to enter interface configuration mode for the serial ports on board A failed: every "interface serial <port number>" returned an error, while the same command entered interface configuration mode for the other serial ports without trouble. This pointed to some kind of software fault in IOS itself. After restarting the router with the reload command, the system entered ROM monitor mode with the prompt "rommon>"; entering "boot" started the router, but the fault persisted and every configuration statement for board A's serial ports produced an error.

  Powering the router off and back on showed the following: the router's AC (or DC) OK LED was green, meaning the power subsystem was working normally; the fans were spinning and the output error LED was off, meaning the cooling subsystem was working normally; the Route Switch Processor (RSP) LED was green, which also indicated normal system operation. The Enable LED on each interface was green, showing that the RSP had completed initializing the interface processors. But all of board A's LEDs flashed once and went out. After running "reset" and then booting the system with "boot", all the configuration statements for board A's serial ports had disappeared.
  Further inspection of board A showed it was a VIP2 with only one four-port serial daughter module installed in its two slots, so board A had only four serial ports (expandable to 8), three of them in use and one spare. Normally the LEDs of the three ports in use should be lit and the unused port's LED should be yellow, but none of the four port LEDs were lit. After the system started, "show version" showed that the system had found board A and identified it as a VIP2, but with no detailed information. To narrow the fault further, board A was moved to a different slot; the fault persisted. Installed in another, healthy router, it worked perfectly.

   These steps narrowed the fault down to the router's configuration parameters. Running "show version" again, the last line of output showed the configuration register value was 0x0. After changing it to 0x2102, rebooting the router, and copying the backup configuration from the TFTP server into running-config, the router returned to normal operation, resolving a fault that looked like damaged hardware interfaces but was in fact a mis-set software parameter.


Wednesday, May 20, 2009

blogspot is unreachable again


Only reachable through a proxy; ridiculous. Noting it here for the record...

Getting over the wall isn't my style; better to keep things natural!

