Thursday, July 30, 2009

Simple Differences Between IPSec and SSL VPN

0 comments

IPSec protects IP packets and protocols between networks or between hosts;

SSL VPN protects users' access to services and applications on the network;




......

Tuesday, July 14, 2009

A Few Basic VPN Concepts

0 comments

Common ways of implementing a VPN:
1. GRE
2. IPSec
3. PPTP
4. L2TP
5. MPLS
6. SSL

A puzzling question: if encryption is already in use, why is packet authentication still needed?

First, once a message has been decrypted you need to verify that what you decrypted is what was actually sent, not spoofed traffic. Second, an attacker can exploit this step by sending spoofed packets to your device, causing it to burn CPU cycles decrypting them.
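The two reasons above can be seen in a few lines of code. The following Python is an added illustration, not part of the original post and not IPsec's ESP format: it is a minimal encrypt-then-MAC construction built only from the standard library (HMAC-SHA256 in counter mode as the keystream, a separate HMAC-SHA256 tag over nonce || ciphertext for integrity). The receiver checks the tag before decrypting, so a tampered or spoofed packet is dropped without any decryption work, while a receiver that only decrypts turns a tampered packet into plausible-looking garbage. The keys, message and nonce in the demo are constructed values.

```python
"""Added illustration: authenticate a received packet before spending CPU on decrypting it.

Not IPsec ESP; a minimal encrypt-then-MAC scheme using only the Python standard library.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(enc_key, nonce || counter) blocks (PRF in counter mode)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt, then tag: packet = nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


class Receiver:
    """Receiving side; counts how often the (comparatively expensive) decryption step actually runs."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.decrypt_calls = 0
        self.rejected = 0

    def open(self, packet: bytes) -> Optional[bytes]:
        """Verify the tag first; only an authentic packet reaches the decryption step."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            self.rejected += 1
            return None
        nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            self.rejected += 1
            return None                              # dropped: no CPU spent on decryption
        self.decrypt_calls += 1
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))

    def open_without_check(self, packet: bytes) -> bytes:
        """A receiver that only decrypts: tampered bytes come out as garbage that looks like a real message."""
        nonce, ciphertext = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))


def demo(enc_key: bytes, mac_key: bytes, message: bytes, nonce: bytes) -> dict:
    """Run one genuine, one bit-flipped and one spoofed packet through a receiver (constructed inputs)."""
    rx = Receiver(enc_key, mac_key)
    genuine = seal(enc_key, mac_key, message, nonce)
    tampered = bytearray(genuine)
    tampered[NONCE_LEN] ^= 0x01          # one ciphertext bit flipped in transit
    spoofed = bytes(len(genuine))        # constructed packet from a sender who lacks mac_key
    return {
        "genuine": rx.open(genuine),
        "tampered": rx.open(bytes(tampered)),
        "tampered_decrypted_blindly": rx.open_without_check(bytes(tampered)),
        "spoofed": rx.open(spoofed),
        "decrypt_calls": rx.decrypt_calls,
        "rejected": rx.rejected,
    }


if __name__ == "__main__":
    for key, value in demo(b"\x01" * 32, b"\x02" * 32, b"payroll: transfer 100", b"\x00" * NONCE_LEN).items():
        print(f"{key}: {value!r}")
```

The bit-flipped packet decrypts "successfully" in `open_without_check` to a message differing in one character, which is exactly the case the first sentence warns about; with the tag check in place both it and the spoofed packet are rejected while `decrypt_calls` stays at one.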



......

Monday, July 13, 2009

A VPN Fault: Description and Troubleshooting Example

0 comments

Topology:
Router HostA E0/0-------E0/0 Router CompanyA E0/1--------E0/1 Router P E0/0--------- E0/0 Router CompanyB E0/1 ------ E0/1 Router HostB

HostA's configuration:
HostA>en
HostA#show run
Building configuration...

Current configuration : 931 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HostA
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip domain lookup


no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/1
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

HostA#


CompanyA's configuration:

CompanyA#show run
Building configuration...

Current configuration : 1236 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompanyA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.2.1
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto map vpn_map 100 ipsec-isakmp
set peer 1.1.2.1
set transform-set vpn
match address 100
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 1.1.1.1 255.255.255.0
half-duplex
crypto map vpn_map
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

CompanyA#

P's configuration:

P#show run
Building configuration...

Current configuration : 808 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 1.1.2.2 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 1.1.1.2 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

P#
CompanyB's configuration:
CompanyB#show run
Building configuration...

Current configuration : 1235 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompanyB
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto map vpn_map 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set vpn
match address 100
!
!
!
!
interface Ethernet0/0
ip address 1.1.2.1 255.255.255.0
half-duplex
crypto map vpn_map
!
interface Ethernet0/1
ip address 172.16.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.2.2
!
!
!
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

CompanyB#

Router HostB's configuration:
HostB#show run
Building configuration...

Current configuration : 919 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HostB
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip domain lookup
!
!
no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
half-duplex
!
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 172.16.1.1
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login
!
!
end

HostB#


Debug output:



CompanyA#
*Mar 1 01:45:08.703: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 01:45:08.707: ISAKMP: set new node -1210591783 to QM_IDLE
*Mar 1 01:45:08.711: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1210591783
*Mar 1 01:45:08.711: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1210591783
*Mar 1 01:45:08.711: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar 1 01:45:08.711: ISAKMP: transform 1, ESP_3DES
*Mar 1 01:45:08.711: ISAKMP: attributes in transform:
*Mar 1 01:45:08.711: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 01:45:08.715: ISAKMP: SA life type in seconds
*Mar 1 01:45:08.715: ISAKMP: SA life duration (basic) of 3600
*Mar 1 01:45:08.715: ISAKMP: SA life type in kilobytes
*Mar 1 01:45:08.715: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 01:45:08.715: ISAKMP: authenticator is HMAC-MD5
*Mar 1 01:45:08.719: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 1 01:45:08.719: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:45:08.723: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1
*Mar 1 01:45:08.723: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Mar 1 01:45:08.723: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 1.1.2.1)
*Mar 1 01:45:08.723: ISAKMP: set new node -1225072254 to QM_IDLE
*Mar 1 01:45:08.727: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 28, message ID = -1225072254
*Mar 1 01:45:08.731: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 01:45:08.731: ISAKMP:(0:1:SW:1):purging node -1225072254
*Mar 1 01:45:08.731: ISAKMP:(0:1:SW:1):deleting node -1210591783 error TRUE reason "QM rejected"
*Mar 1 01:45:08.735: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1210591783: state = IKE_QM_READY
*Mar 1 01:45:08.735: ISAKMP:(0:1:SW:1):Node -1210591783, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 01:45:08.735: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 1 01:45:08.735: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.2.1

The problem begins at this line:
*Mar 1 01:45:08.723: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1

Resolution:
CompanyA's original configuration:
CompanyA(config)#do show access-list
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 any

CompanyA's changed configuration:
CompanyA#show access-lists
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

CompanyB's original configuration:

CompanyB#show access-lists
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 any (5 matches)

CompanyB's changed configuration:

CompanyB#show access-lists
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (25 matches)
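The rejected debug line above is the Quick Mode proxy-identity check failing on the responder: CompanyB's crypto ACL "172.16.1.0/24 to any" makes it propose remote_proxy 172.16.1.0/24 and local_proxy 0.0.0.0/0 (its "any" destination is CompanyA's local side), and 0.0.0.0/0 does not fit inside CompanyA's entry "192.168.1.0/24 to any". The following Python is an added example, not part of the original post and not Cisco IOS code, that models that check with the access lists shown here. It converts IOS wildcard entries to prefixes, derives the proposal an initiator's entry produces as seen from the responder, and accepts only a proposal that falls inside one of the responder's entries. The rule that a narrower proposal is accepted but a wider one is rejected is my simplified model of IOS behaviour; it agrees with the debug lines on this page but omits protocol and port matching.

```python
"""Added model of the IKEv1 Quick Mode proxy-identity check, built from the page's access lists."""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source, destination) of one crypto ACL permit entry


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Convert an IOS 'address wildcard' pair to a prefix; the wildcard must be contiguous."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one 'show access-lists' line, e.g.
    '10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (25 matches)'."""
    tokens = re.sub(r"\(\d+ matches\)", "", line).split()
    if "permit" not in tokens:
        raise ValueError(f"not a permit entry: {line!r}")
    i = tokens.index("permit") + 2  # skip the protocol keyword ('ip')
    nets: List[Net] = []
    for _ in range(2):  # source, then destination
        if tokens[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.IPv4Network(f"{tokens[i + 1]}/32"))
            i += 2
        else:
            nets.append(wildcard_to_network(tokens[i], tokens[i + 1]))
            i += 2
    return nets[0], nets[1]


def parse_proxy(field: str) -> Net:
    """Parse a debug proxy identity 'addr/mask/proto/port' such as '0.0.0.0/0.0.0.0/0/0'
    (protocol and port are ignored in this simplified model)."""
    addr, mask = field.split("/")[:2]
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def proposed_ids_from_peer_acl(peer_ace: Ace) -> Tuple[Net, Net]:
    """The initiator's proposal as the responder sees it: the peer's source becomes our
    remote_proxy and the peer's destination becomes our local_proxy."""
    peer_src, peer_dst = peer_ace
    return peer_dst, peer_src  # (local_proxy, remote_proxy)


def find_matching_ace(aces: List[Ace], local_proxy: Net, remote_proxy: Net) -> Optional[Ace]:
    """Assumed responder rule: the proposed local proxy must lie inside an entry's source and the
    proposed remote proxy inside its destination. A proposal wider than every entry matches nothing."""
    for src, dst in aces:
        if local_proxy.subnet_of(src) and remote_proxy.subnet_of(dst):
            return src, dst
    return None


# Access lists as shown on the page, before and after the fix.
COMPANY_A_BEFORE = ["10 permit ip 192.168.1.0 0.0.0.255 any"]
COMPANY_B_BEFORE = ["10 permit ip 172.16.1.0 0.0.0.255 any (5 matches)"]
COMPANY_A_AFTER = ["10 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255"]
COMPANY_B_AFTER = ["10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (25 matches)"]


def responder_accepts(responder_acl: List[str], initiator_acl: List[str]) -> bool:
    """Simulate the initiator proposing its first entry to the responder."""
    aces = [parse_ace(line) for line in responder_acl]
    local_proxy, remote_proxy = proposed_ids_from_peer_acl(parse_ace(initiator_acl[0]))
    return find_matching_ace(aces, local_proxy, remote_proxy) is not None


if __name__ == "__main__":
    lp, rp = proposed_ids_from_peer_acl(parse_ace(COMPANY_B_BEFORE[0]))
    print(f"CompanyB proposes local_proxy={lp} remote_proxy={rp}")
    print("CompanyA accepts before fix:", responder_accepts(COMPANY_A_BEFORE, COMPANY_B_BEFORE))
    print("CompanyA accepts after fix: ", responder_accepts(COMPANY_A_AFTER, COMPANY_B_AFTER))
```

Running it reproduces the page's two outcomes: the original lists produce the 0.0.0.0/0 local proxy printed in the failing debug and are rejected, the mirror-image lists are accepted. The model also accepts a proposal narrower than the responder's entry, which is why only the wider "any" side broke the tunnel here.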

The VPN came up successfully; the debug output follows:
CompanyA#
*Mar 1 01:50:33.495: ISAKMP (0:0): received packet from 1.1.2.1 dport 500 sport 500 Global (N) NEW SA
*Mar 1 01:50:33.495: ISAKMP: Created a peer struct for 1.1.2.1, peer port 500
*Mar 1 01:50:33.495: ISAKMP: Locking peer struct 0x64AA4FC8, IKE refcount 1 for crypto_isakmp_process_block
*Mar 1 01:50:33.495: ISAKMP: local port 500, remote port 500
*Mar 1 01:50:33.499: insert sa successfully sa = 64D88378
*Mar 1 01:50:33.499: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:50:33.499: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar 1 01:50:33.503: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 1 01:50:33.507: ISAKMP: Looking for a matching key for 1.1.2.1 in default : success
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.2.1
*Mar 1 01:50:33.507: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 01:50:33.507: ISAKMP : Scanning profiles for xauth ...
*Mar 1 01:50:33.511: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 01:50:33.511: ISAKMP: encryption 3DES-CBC
*Mar 1 01:50:33.511: ISAKMP: hash MD5
*Mar 1 01:50:33.511: ISAKMP: default group 2
*Mar 1 01:50:33.511: ISAKMP: auth pre-share
*Mar 1 01:50:33.511: ISAKMP: life type in seconds
*Mar 1 01:50:33.511: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 01:50:33.515: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 01:50:33.579: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.579: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-03 ID
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:50:33.583: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 1 01:50:33.851: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 1 01:50:33.855: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:50:33.855: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 1 01:50:33.859: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar 1 01:50:33.931: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar 1 01:50:33.935: ISAKMP: Looking for a matching key for 1.1.2.1 in default : success
*Mar 1 01:50:33.935: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 1.1.2.1
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.939: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar 1 01:50:33.943: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 01:50:33.943: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar 1 01:50:33.943: ISAKMP:received payload type 17
*Mar 1 01:50:33.943: ISAKMP:received payload type 17
*Mar 1 01:50:33.947: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:50:33.947: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 1 01:50:33.951: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 1 01:50:33.951: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:50:33.951: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 1 01:50:34.379: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 1 01:50:34.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:50:34.379: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 1 01:50:34.383: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar 1 01:50:34.383: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 1.1.2.1
protocol : 17
port : 500
length : 12
*Mar 1 01:50:34.387: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar 1 01:50:34.387: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar 1 01:50:34.387: ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64D88378
*Mar 1 01:50:34.391: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
*Mar 1 01:50:34.391: ISAKMP:(0:1:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 1.1.1.1 remote 1.1.2.1 remote port 500
*Mar 1 01:50:34.391: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
*Mar 1 01:50:34.395: ISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.2.1
*Mar 1 01:50:34.395: ISAKMP: Trying to insert a peer 1.1.1.1/1.1.2.1/500/, and inserted successfully.
*Mar 1 01:50:34.395: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:50:34.395: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 1 01:50:34.399: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 01:50:34.399: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 01:50:34.399: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
*Mar 1 01:50:34.403: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar 1 01:50:34.407: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 1 01:50:34.407: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:50:34.407: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Mar 1 01:50:34.411: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 01:50:34.411: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 1 01:50:34.667: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 01:50:34.671: ISAKMP: set new node -1328570287 to QM_IDLE
*Mar 1 01:50:34.675: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1328570287
*Mar 1 01:50:34.675: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1328570287
*Mar 1 01:50:34.675: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar 1 01:50:34.675: ISAKMP: transform 1, ESP_3DES
*Mar 1 01:50:34.675: ISAKMP: attributes in transform:
*Mar 1 01:50:34.675: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 01:50:34.679: ISAKMP: SA life type in seconds
*Mar 1 01:50:34.679: ISAKMP: SA life duration (basic) of 3600
*Mar 1 01:50:34.679: ISAKMP: SA life type in kilobytes
*Mar 1 01:50:34.679: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 01:50:34.679: ISAKMP: authenticator is HMAC-MD5
*Mar 1 01:50:34.683: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 1 01:50:34.683: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:50:34.687: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 172.16.1.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 01:50:34.687: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = -1328570287
*Mar 1 01:50:34.687: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -1328570287
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -1328570287
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1): asking for 1 spis from ipsec
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1):Node -1328570287, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 01:50:34.691: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Mar 1 01:50:34.695: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 01:50:34.695: IPSEC(spi_response): getting spi 2443743009 for SA
from 1.1.1.1 to 1.1.2.1 for prot 3
*Mar 1 01:50:34.695: ISAKMP: received ke message (2/1)
*Mar 1 01:50:34.943: IPSec: Flow_switching Allocated flow for flow_id 134217729
*Mar 1 01:50:34.947: IPSec: Flow_switching Allocated flow for flow_id 134217730
*Mar 1 01:50:34.951: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 1.1.2.1:500 Id: 1.1.2.1
*Mar 1 01:50:34.951: ISAKMP: Locking peer struct 0x64AA4FC8, IPSEC refcount 1 for for stuff_ke
*Mar 1 01:50:34.951: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Mar 1 01:50:34.951: inbound SA from 1.1.2.1 to 1.1.1.1 (f/i) 0/ 0
(proxy 172.16.1.0 to 192.168.1.0)
*Mar 1 01:50:34.951: has spi 0x91A88F21 and conn_id 2000 and flags 2
*Mar 1 01:50:34.951: lifetime of 3600 seconds
*Mar 1 01:50:34.951: lifetime of 4608000 kilobytes
*Mar 1 01:50:34.951: has client flags 0x0
*Mar 1 01:50:34.951: outbound SA from 1.1.1.1 to 1.1.2.1 (f/i) 0/0
(proxy 192.168.1.0 to 172.16.1.0)
*Mar 1 01:50:34.951: has spi -1119953576 and conn_id 2001 and flags A
*Mar 1 01:50:34.951: lifetime of 3600 seconds
*Mar 1 01:50:34.951: lifetime of 4608000 kilobytes
*Mar 1 01:50:34.951: has client flags 0x0
*Mar 1 01:50:34.951: ISAKMP:(0:1:SW:1): sending packet to 1.1.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 01:50:34.951: ISAKMP:(0:1:SW:1):Node -1328570287, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar 1 01:50:34.955: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Mar 1 01:50:34.955: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar 1 01:50:34.955: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x91A88F21(2443743009), conn_id= 134219728, keysize= 0, flags= 0x2
*Mar 1 01:50:34.959: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 1.1.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xBD3EDD58(3175013720), conn_id= 134219729, keysize= 0, flags= 0xA
*Mar 1 01:50:34.963: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 172.16.1.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 01:50:34.963: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 1.1.2.1
*Mar 1 01:50:34.963: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 172.16.1.0, dest_port 0

*Mar 1 01:50:34.967: IPSEC(create_sa): sa created,
(sa) sa_dest= 1.1.1.1, sa_prot= 50,
sa_spi= 0x91A88F21(2443743009),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 134219728
*Mar 1 01:50:34.967: IPSEC(create_sa): sa created,
(sa) sa_dest= 1.1.2.1, sa_prot= 50,
sa_spi= 0xBD3EDD58(3175013720),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 134219729
*Mar 1 01:50:35.223: ISAKMP (0:134217729): received packet from 1.1.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 01:50:35.223: ISAKMP:(0:1:SW:1):deleting node -1328570287 error FALSE reason "QM done (await)"
*Mar 1 01:50:35.227: ISAKMP:(0:1:SW:1):Node -1328570287, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 01:50:35.227: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 01:50:35.227: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 01:50:35.227: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar 1 01:50:35.231: IPSEC(key_engine_enable_outbound): enable SA with spi 3175013720/50 for 1.1.2.1
CompanyA#


I have not yet worked out the deeper principle behind this fix; I'll keep working on it.


......