How does the IKEv1 main mode responder decide which proposal to pick in the second message?

1. About strongSwan
strongSwan is an open-source IPsec VPN server that already implements both IKEv1 and IKEv2. Its website provides corresponding examples, but a beginner may find them hard to follow. I was a complete novice when I started and was quite lost, and there was relatively little material online, so I have written up how to set up an IKEv1 VPN server, which I have tested successfully.
2. Install strongSwan
Install the build dependencies (with yum), then download, build and install strongSwan from source:
wget http://download.strongswan.org/strongswan.tar.gz
tar xzf strongswan.tar.gz
cd strongswan-*
./configure \
  --sysconfdir=/etc \
  --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap \
  --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 \
  --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
make && make install
3. strongSwan configuration files and their settings
The strongSwan configuration files live under /etc. The files that need to be modified are /etc/ipsec.conf, /etc/strongswan.conf, /etc/ipsec.secrets and /etc/strongswan.d/charon-logging.conf.
1) First edit the ipsec.conf configuration file as shown below:
conn android_xauth_psk
    keyexchange=ikev1
    fragmentation=yes
    keyingtries=3
    left=%defaultroute
    leftauth=psk
    right=%any
    rightsourceip=%config
    rightsubnet=0.0.0.0/0
    rightauth=psk
    rightauth2=xauth
conn android_xauth_psk: sits in the global section of the configuration file; the indented lines that follow are this VPN server's connection definition
keyexchange=ikev1: the key exchange protocol used is IKEv1
left=%defaultroute: the VPN server's own address is not fixed; %defaultroute takes it from the default route
leftauth=psk: the server side (left) uses a pre-shared key
rightauth=psk: the client side (right) uses a pre-shared key
right=%any: the client's IP address can be anything
rightsourceip=%config: the address pool assigned to clients; %config means any IPv4 address
rightsubnet=0.0.0.0/0: the client's subnet can be anything
rightauth2=xauth: client user authentication uses XAUTH
fragmentation=yes: support for reassembling fragmented packets from iOS
auto=: defines what happens to this connection when strongSwan starts. start brings it up immediately; route installs a route and brings the connection up as soon as traffic appears; add loads the connection type but does not start it; ignore treats it as if it did not exist. The default is ignore. route looks like the better choice, but the server side cannot pre-allocate virtual IPs, so servers generally use add, while a client's text configuration can choose.
2) Configure strongswan.conf
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2
            append = no
            flush_line = yes
        }
    }
}
Note: leave everything else unchanged.
Since strongSwan 5, both IKEv1 and IKEv2 are implemented by the IKEv2 daemon, charon.
duplicheck.enable = no: allows several devices to connect at the same time, so the duplicate check is switched off.
/var/log/strongswan.charon.log: configures the format of strongSwan's log file.
default = 2: the log level. The levels are -1, 0, 1, 2, 3, 4: -1 produces no log at all; 0 only reports connections being established and closed; 1 only outputs error messages; 2 outputs errors, warnings and debug information; 3 also prints the data carried over the connection; 4 also prints sensitive material such as keys. Normally 1 or 2 is fine.
append = no: whether, after strongSwan is restarted, logging continues in the previous log or a new log is created (the previous one is deleted). Because strongSwan logs a great deal, no is used here.
flush_line = yes: write each log line to disk as soon as it is produced, so that a sudden power loss does not lose data held in the disk cache.
3) Edit the ipsec.secrets configuration file
This file holds the secret shared between client and server and the user credentials:
: PSK 0sZ3l0MTIzNDU2
jianq : XAUTH "gyt123456"
Note: PSK is the pre-shared key; its format is 0s followed by base64-encoded data.
On the XAUTH line, the values to the left and right of XAUTH are the username and the user's login password (a string).
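The two ipsec.secrets lines above are the whole authentication material for this setup, so it is worth being able to read them back reliably. The following is an added example, not strongSwan code and not part of the original post: a small parser for the entry kinds used here (a PSK line and an XAUTH line) that decodes the 0s (base64) and 0x (hex) secret encodings described in the text, so that an operator can check the plain-text value a client must enter against the server file. The sample file content is constructed from the two lines above.

```python
"""Parser for the ipsec.secrets entries used in this tutorial.

Added example (not strongSwan code).  Handles ": PSK 0s<base64>" and
"user : XAUTH \"password\"" lines and decodes the 0s / 0x secret encodings.
"""
import base64
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<selectors> : <TYPE> <value>"; the colon must be followed by whitespace so that
# colons inside IPv6 selectors are not mistaken for the separator.
LINE_RE = re.compile(r"^(?P<left>.*?)\s*:\s+(?P<right>\S.*)$")


@dataclass
class Secret:
    selectors: List[str]  # IDs left of the colon; empty means "matches any peer"
    kind: str             # PSK, XAUTH, RSA, ...
    value: bytes          # decoded secret


def decode_secret(token: str) -> bytes:
    """0s-prefixed tokens are base64, 0x-prefixed tokens are hex, anything else is a literal."""
    if token.startswith("0s"):
        return base64.b64decode(token[2:], validate=True)
    if token.startswith("0x"):
        return bytes.fromhex(token[2:])
    return token.encode()


def parse_ipsec_secrets(text: str) -> List[Secret]:
    secrets: List[Secret] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include "):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed secrets line: {raw!r}")
        # shlex removes the quotes around the XAUTH password and drops trailing comments
        parts = shlex.split(m.group("right"), comments=True)
        if len(parts) < 2:
            raise ValueError(f"missing secret type or value: {raw!r}")
        secrets.append(Secret(m.group("left").split(), parts[0], decode_secret(parts[1])))
    return secrets


def client_psk(text: str) -> Optional[str]:
    """The plain-text PSK a client must type: the decoded value of the first PSK entry."""
    for s in parse_ipsec_secrets(text):
        if s.kind == "PSK":
            return s.value.decode()
    return None


def xauth_users(text: str) -> Dict[str, str]:
    """username -> password for every XAUTH entry."""
    return {s.selectors[0]: s.value.decode()
            for s in parse_ipsec_secrets(text) if s.kind == "XAUTH" and s.selectors}


# Constructed sample mirroring the two entries shown in the tutorial.
SAMPLE_SECRETS = """\
: PSK 0sZ3l0MTIzNDU2
jianq : XAUTH "gyt123456"
"""

if __name__ == "__main__":
    print("PSK to enter on the client:", client_psk(SAMPLE_SECRETS))
    print("XAUTH users:", xauth_users(SAMPLE_SECRETS))
```

Running it shows that 0sZ3l0MTIzNDU2 decodes to gyt123456, which is exactly the string the client section asks the user to type as the pre-shared key.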
Edit the /etc/strongswan.d/charon-logging.conf configuration file:
This file controls the debug output that is written.
Add the following inside the filelog scope:
flush_line = yes
ike_name = yes
time_format = %b %e %T
4) Edit the charon-logging.conf configuration file
charon {

    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {

        # <filename> is the full path to the log file.
        /var/log/strongswan.charon.log {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # If this option is enabled log entries are appended to the existing
            # file.
            append = yes

            # Default loglevel.
            default = 1

            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no
            flush_line = yes

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no
            ike_name = yes

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            # time_format =
            time_format = %b %e %T
        }
    }

    # Section to define syslog loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    syslog {

        # Identifier for use with openlog(3).
        # identifier =

        # <facility> is one of the supported syslog facilities, see LOGGER
        # CONFIGURATION in strongswan.conf(5).
        # <facility> {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # Default loglevel.
            # default = 1

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no
            ike_name = yes
        # }
    }
}
4. Adjust the firewall
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
After the above steps, start strongSwan.
Start strongSwan (for debugging): ipsec start
Check the status: ipsec statusall
5. Configure the clients
Android: select the IPSec type
iOS: select the type
Pre-shared key: enter the base64-decoded string of the value after PSK
Username and password: enter the values to the left and right of XAUTH
IOS IPSec and IKE Debugs - IKEv1 Main Mode Troubleshooting
Document ID: 113594
This document provides information to help you understand the debugs on Cisco IOS software when main mode and pre-shared keys (PSK) are used.
It also provides information on how to translate certain debug lines into configuration.
These topics are not discussed:
Traffic passing after the tunnel has been established
Basic concepts of IPSec or Internet Key Exchange (IKE)
IKE and IPSec debugs tend to be cryptic. Cisco Technical Assistance Center (TAC) engineers often use these debugs to understand where a problem with IPSec VPN tunnel establishment lies.
Main mode is typically used between LAN-to-LAN tunnels, or for remote access (EzVPN) when certificates are used for authentication.
These debugs are from a Cisco IOS device running software release 15.2(1)T.
Two main scenarios are described in this document:
IOS initiator side
IOS responder side
In this document, a VTI-based tunnel between two sites is set up over IPv6.
Refer to the debug command documentation before you use debug commands.
Debugs used
debug crypto isakmp
debug crypto ipsec
debug crypto kmi
IOS router configuration
R2 (initiator, 2001:DB8::2):
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address ipv6 ::/0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PRO
 set transform-set TRA
interface Tunnel23
 ip address 192.168.23.2 255.255.255.0
 ipv6 address FE80::23:2 link-local
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8::3
 tunnel protection ipsec profile PRO

R3 (responder, 2001:DB8::3):
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address ipv6 ::/0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PRO
 set transform-set TRA
interface Tunnel23
 ip address 192.168.23.3 255.255.255.0
 ipv6 address FE80::23:3 link-local
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv6
 tunnel destination 2001:DB8::2
 tunnel protection ipsec profile PRO
IOS responder side
Main Mode Message 1 (MM1)
The initial IKE proposal includes:
Diffie-Hellman (DH) group
*Sep 21 08:33:43.377: ISAKMP (0): received packet from 2001:DB8::2 dport 500 sport 500 Global (N) NEW SA
*Sep 21 08:33:43.377: ISAKMP: Created a peer struct for 2001:DB8::2, peer port 500
*Sep 21 08:33:43.377: ISAKMP: New peer created peer = 0x8E45588 peer_handle = 0x8000000A
*Sep 21 08:33:43.377: ISAKMP: Locking peer struct 0x8E45588, refcount 1 for crypto_isakmp_process_block
*Sep 21 08:33:43.377: ISAKMP: local port 500, remote port 500
*Sep 21 08:33:43.377: ISAKMP: (0):insert sa successfully sa = 6D12A00
*Sep 21 08:33:43.377: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.377: ISAKMP: (0): Old State = IKE_READY  New State = IKE_R_MM1
*Sep 21 08:33:43.377: ISAKMP: (0): processing SA payload. message ID = 0
*Sep 21 08:33:43.377: ISAKMP: (0):found peer pre-shared key matching 2001:DB8::2
*Sep 21 08:33:43.377: ISAKMP: (0): local preshared key found
*Sep 21 08:33:43.377: ISAKMP: Scanning profiles for xauth ...
*Sep 21 08:33:43.377: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 21 08:33:43.377: ISAKMP:      encryption DES-CBC
*Sep 21 08:33:43.377: ISAKMP:      hash SHA
*Sep 21 08:33:43.377: ISAKMP:      default group 1
*Sep 21 08:33:43.377: ISAKMP:      auth pre-share
*Sep 21 08:33:43.377: ISAKMP:      life type in seconds
*Sep 21 08:33:43.377: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Sep 21 08:33:43.377: ISAKMP: (0):atts are acceptable. Next payload is 0
*Sep 21 08:33:43.377: ISAKMP: (0):Acceptable atts:actual life: 0
*Sep 21 08:33:43.377: ISAKMP: (0):Acceptable atts:life: 0
*Sep 21 08:33:43.377: ISAKMP: (0):Fill atts in sa vpi_length:4
*Sep 21 08:33:43.377: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Sep 21 08:33:43.377: ISAKMP: (0):Returning Actual lifetime: 86400
*Sep 21 08:33:43.377: ISAKMP: (0):: Started lifetime timer: 86400.
*Sep 21 08:33:43.377: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.377: ISAKMP: (0): Old State = IKE_R_MM1  New State = IKE_R_MM1
Related configuration:
crypto isakmp policy 10
 authentication pre-share
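The MM1 debug above is the responder answering the question in this page's title: it checks the initiator's transform against its own policy ("Checking ISAKMP transform 1 against priority 10 policy ... atts are acceptable") and derives the lifetime from the VPI attribute. The following is an added example, not Cisco or strongSwan code and not taken from the page, that models that selection: policies are tried from the lowest priority number (most preferred) upward and, for each, the initiator's transforms in the order offered; the first transform whose encryption, hash, DH group and authentication method all match is the one answered in MM2. Lifetime is not a match criterion; the shorter of the two values is used (the page states this rule for the phase 2 lifetime; applying it to phase 1 here is an assumption). The defaults for a policy that configures only "authentication pre-share" (DES-CBC, SHA, group 1, 86400 s) are the attribute values printed in the debug.

```python
"""Responder-side ISAKMP policy matching for IKEv1 main mode (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry; unset fields use the defaults seen in the debug."""
    priority: int
    encryption: str = "DES-CBC"
    hash_alg: str = "SHA"
    group: int = 1
    auth: str = "pre-share"
    lifetime: int = 86400  # seconds


@dataclass(frozen=True)
class Transform:
    """One transform from the initiator's SA payload in MM1."""
    number: int
    encryption: str
    hash_alg: str
    group: int
    auth: str
    lifetime: int  # seconds


def vpi_to_seconds(octets: Iterable[int]) -> int:
    """Decode a variable-length 'life duration (VPI)' attribute, e.g. 0x0 0x1 0x51 0x80 -> 86400."""
    return int.from_bytes(bytes(octets), "big")


def select_transform(
    policies: Iterable[IsakmpPolicy], transforms: Iterable[Transform]
) -> Optional[Tuple[IsakmpPolicy, Transform, int]]:
    """Return (matching policy, chosen transform, negotiated lifetime), or None if nothing matches."""
    offered = list(transforms)
    for policy in sorted(policies, key=lambda p: p.priority):  # lowest number first
        for t in offered:  # initiator's order within the SA payload
            if (t.encryption, t.hash_alg, t.group, t.auth) == (
                policy.encryption, policy.hash_alg, policy.group, policy.auth
            ):
                # lifetime is not compared; the shorter value wins (assumption for phase 1)
                return policy, t, min(policy.lifetime, t.lifetime)
    return None


# Constructed inputs mirroring the debug: R3 has only 'crypto isakmp policy 10' with
# 'authentication pre-share', and R2 offers one transform carrying the same defaults.
R3_POLICIES = [IsakmpPolicy(priority=10)]
R2_TRANSFORMS = [
    Transform(1, "DES-CBC", "SHA", 1, "pre-share", vpi_to_seconds([0x0, 0x1, 0x51, 0x80])),
]


def negotiate_page_example() -> Optional[Tuple[IsakmpPolicy, Transform, int]]:
    """The exchange shown in the MM1 debug: transform 1 matches policy 10, lifetime 86400."""
    return select_transform(R3_POLICIES, R2_TRANSFORMS)


def negotiate_mismatch() -> Optional[Tuple[IsakmpPolicy, Transform, int]]:
    """An initiator offering only AES-256/SHA/group 2 against the default-only responder: no match."""
    return select_transform(R3_POLICIES, [Transform(1, "AES-CBC-256", "SHA", 2, "pre-share", 86400)])


if __name__ == "__main__":
    policy, transform, life = negotiate_page_example()
    print(f"transform {transform.number} matched policy {policy.priority}, lifetime {life}s")
    print("mismatch case:", negotiate_mismatch())
```

When a proposal fails every policy, the responder has nothing to answer with in MM2, which is why a negotiation that never leaves the MM1/MM2 states points at the ISAKMP policies on the two peers rather than at keys or identities.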
Main Mode Message 2 (MM2) - Sending our reply
*Sep 21 08:33:43.377: ISAKMP: (0): sending packet to 2001:DB8::2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Sep 21 08:33:43.377: ISAKMP: (0): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.377: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 08:33:43.377: ISAKMP: (0): Old State = IKE_R_MM1  New State = IKE_R_MM2
Main Mode Message 3 (MM3)
Network Address Translation (NAT) discovery
First part of the DH exchange
*Sep 21 08:33:43.381: ISAKMP (0): received packet from 2001:DB8::2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Sep 21 08:33:43.381: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.381: ISAKMP: (0): Old State = IKE_R_MM2  New State = IKE_R_MM3
*Sep 21 08:33:43.381: ISAKMP: (0): processing KE payload. message ID = 0
*Sep 21 08:33:43.393: ISAKMP: (0): processing NONCE payload. message ID = 0
*Sep 21 08:33:43.393: ISAKMP: (0):found peer pre-shared key matching 2001:DB8::2
*Sep 21 08:33:43.393: ISAKMP: (1011): processing vendor id payload
*Sep 21 08:33:43.393: ISAKMP: (1011): vendor ID is DPD
*Sep 21 08:33:43.393: ISAKMP: (1011): processing vendor id payload
*Sep 21 08:33:43.393: ISAKMP: (1011): speaking to another IOS box!
*Sep 21 08:33:43.393: ISAKMP: (1011): processing vendor id payload
*Sep 21 08:33:43.393: ISAKMP: (1011): vendor ID seems Unity/DPD but major 0 mismatch
*Sep 21 08:33:43.393: ISAKMP: (1011): vendor ID is XAUTH
*Sep 21 08:33:43.393: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.393: ISAKMP: (1011): Old State = IKE_R_MM3  New State =
Main Mode Message 4 (MM4)
NAT detection payloads
Continuation of the DH exchange
*Sep 21 08:33:43.405: ISAKMP: (1011): sending packet to 2001:DB8::2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 08:33:43.405: ISAKMP: (1011): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.405: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 08:33:43.405: ISAKMP: (1011): Old State = IKE_R_MM3  New State =
Main Mode Message 5 (MM5) - The initiator sends its identity
Local identity information
*Sep 21 08:33:43.425: ISAKMP (1011): received packet from 2001:DB8::2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 08:33:43.425: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM4  New State = IKE_R_MM5
*Sep 21 08:33:43.425: ISAKMP: (1011): processing ID payload. message ID = 0
*Sep 21 08:33:43.425: ISAKMP (1011): ID payload
        next-payload : 8
        type         : 5
        address      : 2001:DB8::2
        protocol     : 17
        port         : 500
        length       : 24
*Sep 21 08:33:43.425: ISAKMP: (0):: peer matches *none* of the profiles
*Sep 21 08:33:43.425: ISAKMP: (1011): processing HASH payload. message ID = 0
*Sep 21 08:33:43.425: ISAKMP: (1011): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x6D12A00
*Sep 21 08:33:43.425: ISAKMP: (1011): SA authentication status: authenticated
*Sep 21 08:33:43.425: ISAKMP: (1011): SA has been authenticated with 2001:DB8::2
*Sep 21 08:33:43.425: ISAKMP: (1011): SA authentication status: authenticated
*Sep 21 08:33:43.425: ISAKMP: (1011): Process initial contact, bring down existing phase 1 and 2 SA's with local 2001:DB8::3 remote 2001:DB8::2 remote port 500
*Sep 21 08:33:43.425: ISAKMP: Trying to insert a peer 2001:DB8::3/2001:DB8::2/500/,  and inserted successfully 8E45588.
*Sep 21 08:33:43.425: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM5  New State =
Main Mode Message 6 (MM6) - The responder sends its identity. Phase 1 is complete.
Remote identity sent by the peer
Final decision on tunnel group selection
*Sep 21 08:33:43.425: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 21 08:33:43.425: ISAKMP: (1011): SA is doing pre-shared key authentication using id type ID_IPV6_ADDR
*Sep 21 08:33:43.425: ISAKMP (1011): ID payload
        next-payload : 8
        type         : 5
        address      : 2001:DB8::3
        protocol     : 17
        port         : 500
        length       : 24
*Sep 21 08:33:43.425: ISAKMP: (1011):Total payload length: 24
*Sep 21 08:33:43.425: ISAKMP: (1011): sending packet to 2001:DB8::2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 08:33:43.425: ISAKMP: (1011): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.425: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Related configuration:
crypto isakmp identity ...
Quick Mode Message 1 (QM1)
*Sep 21 08:33:43.433: ISAKMP (1011): received packet from 2001:DB8::2 dport 500 sport 500 Global (R) QM_IDLE
*Sep 21 08:33:43.433: ISAKMP: set new node  to QM_IDLE
*Sep 21 08:33:43.433: ISAKMP: (1011): processing HASH payload. message ID =
*Sep 21 08:33:43.433: ISAKMP: (1011): processing SA payload. message ID =
*Sep 21 08:33:43.433: ISAKMP: (1011):Checking IPSec proposal 1
*Sep 21 08:33:43.433: ISAKMP: transform 1, ESP_AES
*Sep 21 08:33:43.433: ISAKMP:   attributes in transform:
*Sep 21 08:33:43.433: ISAKMP:      encaps is 1 (Tunnel)
*Sep 21 08:33:43.433: ISAKMP:      SA life type in seconds
*Sep 21 08:33:43.433: ISAKMP:      SA life duration (basic) of 3600
*Sep 21 08:33:43.433: ISAKMP:      SA life type in kilobytes
*Sep 21 08:33:43.433: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Sep 21 08:33:43.433: ISAKMP:      authenticator is HMAC-SHA
*Sep 21 08:33:43.433: ISAKMP:      key length is 128
*Sep 21 08:33:43.433: ISAKMP: (1011):atts are acceptable.
*Sep 21 08:33:43.433: IPSEC(validate_proposal_request): proposal part #1
*Sep 21 08:33:43.433: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2001:DB8::3:0, remote= 2001:DB8::2:0,
    local_proxy= ::/0/256/0,
    remote_proxy= ::/0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 21 08:33:43.433: ISAKMP: (1011): processing NONCE payload. message ID =
*Sep 21 08:33:43.433: ISAKMP: (1011): processing ID payload. message ID =
*Sep 21 08:33:43.433: ISAKMP: (1011): processing ID payload. message ID =
*Sep 21 08:33:43.433: ISAKMP: (1011):QM Responder gets spi
*Sep 21 08:33:43.433: ISAKMP: (1011):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 21 08:33:43.433: ISAKMP: (1011): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Related configuration:
tunnel mode ipsec ipv6
Quick Mode Message 2 (QM2)
The remote end sends its parameters
The shorter of the two offered phase 2 lifetimes is chosen
*Sep 21 08:33:43.433: ISAKMP: (1011): sending packet to 2001:DB8::2 my_port 500 peer_port 500 (R) QM_IDLE
*Sep 21 08:33:43.433: ISAKMP: (1011): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.433: ISAKMP: (1011):Node , Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Sep 21 08:33:43.433: ISAKMP: (1011): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Sep 21 08:33:43.437: IPSEC(key_engine): got a queue event with 1 KMI message(s)
R3(config-if)#
*Sep 21 08:33:43.437: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel23-head-0
*Sep 21 08:33:43.437: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2001:DB8::2
*Sep 21 08:33:43.437: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2001:DB8::3, sa_proto= 50,
    sa_spi= 0x221A91),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 305
    sa_lifetime(k/sec)= (2)
*Sep 21 08:33:43.437: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2001:DB8::2, sa_proto= 50,
    sa_spi= 0x45F16A9A(),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 306
    sa_lifetime(k/sec)= (2)
Related configuration:
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PRO
 set transform-set TRA
interface tunnel23
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile PRO
Quick Mode Message 3 (QM3) - Phase 2 should complete and the tunnel interface comes up
*Sep 21 08:33:43.437: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel23, changed state to up
*Sep 21 08:33:43.437: ISAKMP (1011): received packet from 2001:DB8::2 dport 500 sport 500 Global (R) QM_IDLE
*Sep 21 08:33:43.437: ISAKMP: (1011): deleting node  error FALSE reason "QM done (await)"
*Sep 21 08:33:43.437: ISAKMP: (1011):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 21 08:33:43.437: ISAKMP: (1011): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Sep 21 08:33:43.437: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 21 08:33:43.437: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IOS router - initiator
Main Mode Message 1 (MM1) - Initial contact
Vendor ID (VID)
IKE security association (SA)
IPSec has created a template for the SAs
*Sep 21 08:33:43.245: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep 21 08:33:43.245: IPSEC(sa ident sadb root initialize created IPv6 ACL %s) : Tunnel23-head-0-65537-Tunnel23-head-0-ACL-6-IPSECV6-ACL
*Sep 21 08:33:43.245: IPSEC(recalculate_mtu) : reset sadb_root 79E82A8 mtu to 1500
*Sep 21 08:33:43.245: IPSEC(adjust_mtu) : adjusting ident ip mtu from 1460 to 1500,
  (identity) local= 2001:DB8::2:0, remote= 2001:DB8::3:0,
    local_proxy= ::/0/256/0,
    remote_proxy= ::/0/256/0
*Sep 21 08:33:43.245: IPSEC(adjust_mtu): adjusting path mtu from 1460 to 1500,
  (identity) local= 2001:DB8::2:0, remote= 2001:DB8::3:0,
    local_proxy= ::/0/256/0,
    remote_proxy= ::/0/256/0
*Sep 21 08:33:43.245: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2001:DB8::2:500, remote= 2001:DB8::3:500,
    local_proxy= ::/0/256/0,
    remote_proxy= ::/0/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 21 08:33:43.245: ISAKMP: (0): SA request profile is (NULL)
*Sep 21 08:33:43.245: ISAKMP: Created a peer struct for 2001:DB8::3, peer port 500
*Sep 21 08:33:43.245: ISAKMP: New peer created peer = 0x9344BE8 peer_handle = 0x
*Sep 21 08:33:43.245: ISAKMP: Locking peer struct 0x9344BE8, refcount 1 for isakmp_initiator
*Sep 21 08:33:43.245: ISAKMP: local port 500, remote port 500
*Sep 21 08:33:43.245: ISAKMP: set new node 0 to QM_IDLE
*Sep 21 08:33:43.245: ISAKMP: (0):insert sa successfully sa = 944C840
*Sep 21 08:33:43.245: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Sep 21 08:33:43.245: ISAKMP: (0):found peer pre-shared key matching 2001:DB8::3
*Sep 21 08:33:43.245: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 21 08:33:43.245: ISAKMP: (0): Old State = IKE_READY  New State = IKE_I_MM1
*Sep 21 08:33:43.245: ISAKMP: (0): beginning Main Mode exchange
*Sep 21 08:33:43.245: ISAKMP: (0): sending packet to 2001:DB8::3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 21 08:33:43.245: ISAKMP: (0): Sending an IKE IPv6 Packet.
Related configuration:
crypto isakmp policy 10
 authentication pre-share
Main Mode Message 2 (MM2) - Reply to the initial contact
The peer has selected the Internet Security Association and Key Management Protocol (ISAKMP) policy to use
*Sep 21 08:33:43.249: ISAKMP (0): received packet from 2001:DB8::3 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 21 08:33:43.249: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.249: ISAKMP: (0): Old State = IKE_I_MM1  New State = IKE_I_MM2
*Sep 21 08:33:43.249: ISAKMP: (0): processing SA payload. message ID = 0
*Sep 21 08:33:43.249: ISAKMP: (0):found peer pre-shared key matching 2001:DB8::3
*Sep 21 08:33:43.249: ISAKMP: (0): local preshared key found
*Sep 21 08:33:43.249: ISAKMP : Scanning profiles for xauth ...
*Sep 21 08:33:43.249: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 21 08:33:43.249: ISAKMP:      encryption DES-CBC
*Sep 21 08:33:43.249: ISAKMP:      hash SHA
*Sep 21 08:33:43.249: ISAKMP:      default group 1
*Sep 21 08:33:43.249: ISAKMP:      auth pre-share
*Sep 21 08:33:43.249: ISAKMP:      life type in seconds
*Sep 21 08:33:43.249: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Sep 21 08:33:43.249: ISAKMP: (0):atts are acceptable. Next payload is 0
*Sep 21 08:33:43.249: ISAKMP: (0):Acceptable atts:actual life: 0
*Sep 21 08:33:43.249: ISAKMP: (0):Acceptable atts:life: 0
*Sep 21 08:33:43.249: ISAKMP: (0):Fill atts in sa vpi_length:4
*Sep 21 08:33:43.249: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Sep 21 08:33:43.249: ISAKMP: (0):Returning Actual lifetime: 86400
*Sep 21 08:33:43.249: ISAKMP: (0):: Started lifetime timer: 86400.
*Sep 21 08:33:43.249: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.249: ISAKMP: (0): Old State = IKE_I_MM2  New State =
Main Mode Message 3 (MM3) - NAT discovery and Diffie-Hellman exchange
NAT discovery payloads and hashes
DH exchange begins
Dead Peer Detection (DPD) support
*Sep 21 08:33:43.249: ISAKMP: (0): sending packet to 2001:DB8::3 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 21 08:33:43.249: ISAKMP: (0): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.249: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 08:33:43.249: ISAKMP: (0): Old State = IKE_I_MM2  New State = IKE_I_MM3
Main Mode Message 4 (MM4) - NAT discovery and Diffie-Hellman exchange
NAT discovery payloads
DH exchange
Additional VIDs (DPD, Unity support)
Recognition that it is speaking to another IOS device
*Sep 21 08:33:43.273: ISAKMP (0): received packet from 2001:DB8::3 dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 21 08:33:43.273: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.273: ISAKMP: (0): Old State = IKE_I_MM3  New State = IKE_I_MM4
*Sep 21 08:33:43.273: ISAKMP: (0): processing KE payload. message ID = 0
*Sep 21 08:33:43.281: ISAKMP: (0): processing NONCE payload. message ID = 0
*Sep 21 08:33:43.281: ISAKMP: (0):found peer pre-shared key matching 2001:DB8::3
*Sep 21 08:33:43.281: ISAKMP: (1011): processing vendor id payload
*Sep 21 08:33:43.281: ISAKMP: (1011): vendor ID is Unity
*Sep 21 08:33:43.281: ISAKMP: (1011): processing vendor id payload
*Sep 21 08:33:43.281: ISAKMP: (1011): vendor ID is DPD
*Sep 21 08:33:43.281: ISAKMP: (1011): processing vendor id payload
*Sep 21 08:33:43.281: ISAKMP: (1011): speaking to another IOS box!
*Sep 21 08:33:43.281: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.281: ISAKMP: (1011): Old State = IKE_I_MM4  New State =
Main Mode Message 5 (MM5) - Sending the identity
Remote peer identity (ID)
*Sep 21 08:33:43.293: ISAKMP: (1011): Send initial contact
*Sep 21 08:33:43.293: ISAKMP: (1011): SA is doing pre-shared key authentication using id type ID_IPV6_ADDR
*Sep 21 08:33:43.293: ISAKMP (1011): ID payload
        next-payload : 8
        type         : 5
        address      : 2001:DB8::2
        protocol     : 17
        port         : 500
        length       : 24
*Sep 21 08:33:43.293: ISAKMP: (1011):Total payload length: 24
*Sep 21 08:33:43.293: ISAKMP: (1011): sending packet to 2001:DB8::3 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 08:33:43.293: ISAKMP: (1011): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.293: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 08:33:43.293: ISAKMP: (1011): Old State = IKE_I_MM4  New State =
Related configuration:
crypto isakmp identity ...
Main Mode Message 6 (MM6) - Remote peer identity, phase 1 established
The rekey period begins
Remote identity (an address in this case)
The decision lands on a profile
*Sep 21 08:33:43.297: ISAKMP (1011): received packet from 2001:DB8::3 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 08:33:43.297: ISAKMP: (1011): processing ID payload. message ID = 0
*Sep 21 08:33:43.297: ISAKMP (1011): ID payload
        next-payload : 8
        type         : 5
        address      : 2001:DB8::3
        protocol     : 17
        port         : 500
        length       : 24
*Sep 21 08:33:43.297: ISAKMP: (0):: peer matches *none* of the profiles
*Sep 21 08:33:43.297: ISAKMP: (1011): processing HASH payload. message ID = 0
*Sep 21 08:33:43.297: ISAKMP: (1011): SA authentication status: authenticated
*Sep 21 08:33:43.297: ISAKMP: (1011): SA has been authenticated with 2001:DB8::3
*Sep 21 08:33:43.297: ISAKMP: Trying to insert a peer 2001:DB8::2/2001:DB8::3/500/,  and inserted successfully 9344BE8.
*Sep 21 08:33:43.297: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 08:33:43.297: ISAKMP: (1011): Old State = IKE_I_MM5  New State = IKE_I_MM6
*Sep 21 08:33:43.297: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 08:33:43.297: ISAKMP: (1011): Old State = IKE_I_MM6  New State = IKE_I_MM6
*Sep 21 08:33:43.301: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 08:33:43.301: ISAKMP: (1011): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Related configuration:
crypto isakmp identity ...
Quick Mode Message 1 (QM1) - The peer starts phase 2
Remote and local proxy IDs
*Sep 21 08:33:43.301: ISAKMP: (1011):beginning Quick Mode exchange, M-ID of
*Sep 21 08:33:43.301: ISAKMP: (1011):QM Initiator gets spi
*Sep 21 08:33:43.301: ISAKMP: (1011): sending packet to 2001:DB8::3 my_port 500 peer_port 500 (I) QM_IDLE
*Sep 21 08:33:43.301: ISAKMP: (1011): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.301: ISAKMP: (1011):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Sep 21 08:33:43.301: ISAKMP: (1011): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Sep 21 08:33:43.301: ISAKMP: (1011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 21 08:33:43.301: ISAKMP: (1011): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Related configuration:
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PRO
 set transform-set TRA
Quick Mode Message 2 (QM2)
Confirmation of the proxy identities
Perfect Forward Secrecy (PFS) settings
*Sep 21 08:33:43.305: ISAKMP (1011): received packet from 2001:DB8::3 dport 500 sport 500 Global (I) QM_IDLE
*Sep 21 08:33:43.305: ISAKMP: (1011): processing HASH payload. message ID =
*Sep 21 08:33:43.305: ISAKMP: (1011): processing SA payload. message ID =
*Sep 21 08:33:43.305: ISAKMP: (1011):Checking IPSec proposal 1
*Sep 21 08:33:43.305: ISAKMP: transform 1, ESP_AES
*Sep 21 08:33:43.305: ISAKMP:   attributes in transform:
*Sep 21 08:33:43.305: ISAKMP:      encaps is 1 (Tunnel)
*Sep 21 08:33:43.305: ISAKMP:      SA life type in seconds
*Sep 21 08:33:43.305: ISAKMP:      SA life duration (basic) of 3600
*Sep 21 08:33:43.305: ISAKMP:      SA life type in kilobytes
*Sep 21 08:33:43.305: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Sep 21 08:33:43.305: ISAKMP:      authenticator is HMAC-SHA
*Sep 21 08:33:43.305: ISAKMP:      key length is 128
*Sep 21 08:33:43.305: ISAKMP: (1011):atts are acceptable.
*Sep 21 08:33:43.305: IPSEC(validate_proposal_request): proposal part #1
*Sep 21 08:33:43.305: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2001:DB8::2:0, remote= 2001:DB8::3:0,
    local_proxy= ::/0/256/0,
    remote_proxy= ::/0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 21 08:33:43.305: ISAKMP: (1011): processing NONCE payload. message ID =
*Sep 21 08:33:43.305: ISAKMP: (1011): processing ID payload. message ID =
*Sep 21 08:33:43.305: ISAKMP: (1011): processing ID payload. message ID =
Related configuration:
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PRO
 set transform-set TRA
interface tunnel23
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile PRO
Quick Mode Message 3 (QM3) - Phase 2 established
The Security Parameter Index (SPI) is set for passing traffic
*Sep 21 08:33:43.305: ISAKMP: (1011): Sending an IKE IPv6 Packet.
*Sep 21 08:33:43.305: ISAKMP: (1011): deleting node  error FALSE reason "No Error"
*Sep 21 08:33:43.305: ISAKMP: (1011):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 21 08:33:43.305: ISAKMP: (1011): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Sep 21 08:33:43.305: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 21 08:33:43.305: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel23-head-0
*Sep 21 08:33:43.305: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2001:DB8::3
*Sep 21 08:33:43.305: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2001:DB8::2, sa_proto= 50,
    sa_spi= 0x45F16A9A(),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 305
    sa_lifetime(k/sec)= (9)
*Sep 21 08:33:43.305: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2001:DB8::3, sa_proto= 50,
    sa_spi= 0x221A91),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 306
    sa_lifetime(k/sec)= (9)
R2(config-if)#
*Sep 21 08:33:43.309: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel23, changed state to up

sh crypto ipsec sa

interface: Tunnel23
    Crypto map tag: Tunnel23-head-0, local addr 2001:DB8::2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (::/0/0/0)
   remote ident (addr/mask/prot/port): (::/0/0/0)
   current_peer 2001:DB8::3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2001:DB8::2, remote crypto endpt.: 2001:DB8::3
     path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb Ethernet0/0
     current outbound spi: 0x221A91)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x45F16A9A()
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 305, flow_id: SW:305, sibling_flags , crypto map: Tunnel23-head-0
        sa timing: remaining key lifetime (k/sec): (8)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x221A91)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 306, flow_id: SW:306, sibling_flags , crypto map: Tunnel23-head-0
        sa timing: remaining key lifetime (k/sec): (8)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

R2(config-if)#do ping fe80::23:3
Output Interface: tunnel23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::23:3, timeout is 2 seconds:
Packet sent with a source address of FE80::23:2%Tunnel23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/20 ms
R2(config-if)#do sh crypto ipsec sa | i caps|ident
   local  ident (addr/mask/prot/port): (::/0/0/0)
   remote ident (addr/mask/prot/port): (::/0/0/0)
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
The tunnel is up and traffic is passing.
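The walkthrough above follows the negotiation by the "Old State = X  New State = Y" lines, and a stalled tunnel is diagnosed by seeing which state was reached last. The following is an added example, not Cisco code and not taken from the page: it parses those state lines out of "debug crypto isakmp" output, reports the last state and whether phase 1 and phase 2 completed, and maps the final state to what the corresponding message carries (policy proposal in MM1/MM2, DH and NAT discovery in MM3/MM4, identity and authentication in MM5/MM6, IPsec proposal in quick mode) so that the part of the configuration to compare is obvious. The sample debug text is constructed from the responder-side lines above; the state value that the page's MM3 -> MM4 line is missing is filled in as IKE_R_MM4 in the sample only.

```python
"""Summarise an IKEv1 negotiation from 'debug crypto isakmp' output (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Matches e.g. "ISAKMP: (1011): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE"
STATE_RE = re.compile(r"ISAKMP:\s*\((\d+)\):\s*Old State = (\S+)\s+New State = (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")


def stage_hint(state: str) -> str:
    """What the exchange is doing at this state, and what to compare if it stops here."""
    if state == "IKE_P1_COMPLETE":
        return "Phase 1 complete; quick mode not yet finished"
    if state == "IKE_QM_PHASE2_COMPLETE":
        return "Phase 2 complete; IPsec SAs installed"
    if state.endswith(("MM1", "MM2")):
        return ("MM1/MM2: ISAKMP policy proposal; compare 'crypto isakmp policy' "
                "(encryption, hash, DH group, authentication) on both peers")
    if state.endswith(("MM3", "MM4")):
        return ("MM3/MM4: Diffie-Hellman key exchange, nonces, NAT discovery and vendor IDs; "
                "check UDP 500/4500 reachability and NAT traversal")
    if state.endswith(("MM5", "MM6")):
        return ("MM5/MM6: identities and authentication; check the pre-shared key, "
                "'crypto isakmp identity' and peer address/ID matching")
    if "QM" in state:
        return ("Quick mode: IPsec proposal and proxy IDs; compare the transform set, "
                "mode and protected traffic definitions")
    return "unknown state"


def parse_transitions(debug_text: str) -> List[Tuple[str, str, str]]:
    """Return (sa_id, old_state, new_state) for every state-change line, in order."""
    found = []
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            found.append(m.groups())
    return found


def diagnose(debug_text: str) -> Dict[str, object]:
    """Last state reached, completion flags, authenticated peer and a stage hint."""
    transitions = parse_transitions(debug_text)
    states = [new for _, _, new in transitions]
    last: Optional[str] = states[-1] if states else None
    auth = AUTH_RE.search(debug_text)
    return {
        "last_state": last,
        "phase1_complete": "IKE_P1_COMPLETE" in states,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in states,
        "authenticated_peer": auth.group(1) if auth else None,
        "hint": stage_hint(last) if last else "no ISAKMP state transitions found",
    }


# Constructed sample: state lines from the responder-side debug above.
SAMPLE_OK = """\
*Sep 21 08:33:43.377: ISAKMP: (0): Old State = IKE_READY  New State = IKE_R_MM1
*Sep 21 08:33:43.377: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 21 08:33:43.377: ISAKMP: (0):atts are acceptable. Next payload is 0
*Sep 21 08:33:43.377: ISAKMP: (0): Old State = IKE_R_MM1  New State = IKE_R_MM1
*Sep 21 08:33:43.377: ISAKMP: (0): Old State = IKE_R_MM1  New State = IKE_R_MM2
*Sep 21 08:33:43.381: ISAKMP: (0): Old State = IKE_R_MM2  New State = IKE_R_MM3
*Sep 21 08:33:43.405: ISAKMP: (1011): Old State = IKE_R_MM3  New State = IKE_R_MM4
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM4  New State = IKE_R_MM5
*Sep 21 08:33:43.425: ISAKMP: (1011): SA has been authenticated with 2001:DB8::2
*Sep 21 08:33:43.425: ISAKMP: (1011): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Sep 21 08:33:43.433: ISAKMP: (1011): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Sep 21 08:33:43.433: ISAKMP: (1011): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Sep 21 08:33:43.437: ISAKMP: (1011): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed failure case: the same exchange cut off after MM3, i.e. the DH/nonce
# message was received but the negotiation never progressed to MM4.
SAMPLE_STUCK = "\n".join(SAMPLE_OK.splitlines()[:6])

if __name__ == "__main__":
    print(diagnose(SAMPLE_OK))
    print(diagnose(SAMPLE_STUCK))
```

The SA identifier in parentheses changes from (0) to (1011) part-way through main mode, as it does in the debug above, so the parser keeps the transitions in file order rather than grouping by identifier.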
The standards and references contain a great deal of useful information.
Marcin Latosiewicz, Jay Young, and Atri Basu, Cisco TAC Engineers.