How are fa0/5-11 connected in Cisco PT?

Cisco Routing: 11 Lab Projects, Full Record + Explanations + Key Points (.doc, 56 pages)
The labs are based on Dynamips-0.2.6-Rc4 | unzip-c3620-i-mz.122-37.bin | unzip-c3640-js-mz.124-10 with NM-16ESW. Lab platform: dual Xeon 3.0, 4G ECC; CPU at about 40% once running stably.

Lab 1: Implement RIPv2 within P1
Lab 2: Implement RIPv2-based equal-cost load balancing within P1
Lab 3: RIPv2 key-chain lab within P1
Lab 4: Implement IGRP unequal-cost load balancing within P2
Lab 5: Implement RIPv2 over Frame Relay across the whole area + key authentication
Lab 6: Implement EIGRP routing + FR + unequal-cost load balancing + verification across the whole area
Lab 7: Basic OSPF configuration [configured within the P1 area] + DR/BDR examination
Lab 8: Single-area OSPF in an NBMA environment + verification
Lab 9: Multi-area OSPF
Lab 10: Simple route redistribution, stub area, totally stubby area, NSSA area, Virtual-Link
Lab 11: Passive interfaces, routing update filtering, policy routing, one-way route redistribution with AD/metric changes, two-way route redistribution

P1 configuration
P1R1-P1R2 192.168.1.1 - 192.168.1.2 /24
Lo0 configured on P1R1: 200.200.200.200 /24
P1R1-P1R3 192.168.2.1 - 192.168.2.2 /24
P1R3-P1R4 192.168.3.1 - 192.168.3.2 /24
P1R2-P1R4 192.168.4.1 - 192.168.4.2 /24
P1R1-BBR1 - 10.0.0.2 /8
P1R2-BBR1 - 10.0.0.3 /8

P2 configuration
P2R1-P2R2 172.16.1.1 - 172.16.1.2 /16
Lo0 configured on P2R1: 100.100.100.100 /8
P2R1-P2R3 172.17.1.1 - 172.17.1.2 /16
P2R3-P2R4 172.18.1.1 - 172.18.1.2 /16
P2R2-P2R4 172.19.1.1 - 172.19.1.2 /16
P2R1-BBR2 - 11.0.0.2 /8
P2R2-BBR2 - 11.0.0.3 /8

BBR configuration
BBR1-BBR2 219.146.241.1 - 219.146.241.2 /24
BBR1 s0/0.1 - s0/0.2 10.0.0.1
BBR2 s0/0.1 - s0/0.2 11.0.0.1
BBR2-SW1 219.146.242.1 - 219.146.242.2
BBR1-SW2 219.146.243.1 - 219.146.243.2
SW1-SW2 219.146.244.1 - 219.146.244.2

SR configuration
SR1-SW1 101.0.0.1 - 101.0.0.2
SR2-SW1 102.0.0.1 - 102.0.0.2
SR3-SW2 103.0.0.1 - 103.0.0.2
SR4-SW2 104.0.0.1 - 104.0.0.2
SR1: lo0 105.0.0.1 Lo1 106.0.0.1
SR2: lo0 107.0.0.1 Lo1 108.0.0.1
Lab 1: Implement RIPv2 within P1
[P1R1]
router rip
ver 2
net 192.168.1.0
net 192.168.2.0
net 200.2
chenliqni's BLOG
51CTO recommended blog post
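I recently came across this article while debugging and found it very useful for anyone unfamiliar with VPN error messages. It covers almost all of the VPN debug error messages, and the author explains them to some extent, so I am reposting it in the hope that it helps more people.

Troubleshooting VPNs is quite important, whether at work or in the lab. So I deliberately added some misconfigurations to L2L/EzVPN/DMVPN/GETVPN setups and used debug output to analyse each kind of error. This post covers L2L VPN; in later posts I will walk through troubleshooting for the other VPN types one by one.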
I. Topology:

II. Configuration:

R1:
R1#sh run | sec cry
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.2
 set transform-set cisco
 match address L2LVPN
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.100.1.2
!
ip access-list extended L2LVPN
 permit ip host 1.1.1.1 host 2.2.2.2

III. Debug output:

1. Debug output with a fully correct configuration:

Initiator (R1):
R1#debug cry ips
Crypto IPSEC debugging is on
R1#debug cry isa
Crypto ISAKMP debugging is on
R1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
*Mar  1 00:13:31.891: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2, (crypto endpoints)
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1), (interesting traffic / proxy ID)
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel), (protocol type / transform set: encryption method, hash type)
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 00:13:31.899: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 00:13:31.899: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500
*Mar  1 00:13:31.899: ISAKMP: New peer created peer = 0x65F2D2E0 peer_handle = 0x
*Mar  1 00:13:31.903: ISAKMP: Locking peer struct 0x65F2D2E0, refcount 1 for isakmp_initiator
*Mar  1 00:13:31.903: ISAKMP: local port 500, remote port 500
*Mar  1 00:13:31.903: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:13:31.923: insert sa successfully sa = 65FD96E8
*Mar  1 00:13:31.923: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:13:31.923: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2
*Mar  1 00:13:31.927: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  1 00:13:31.927: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 00:13:31.927: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 00:13:31.931: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 00:13:31.931: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:13:31.931: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:13:31.931: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 00:13:31.935: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:13:31.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:13:32.111: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_NO_STATE (packets 1 and 2: policy)
*Mar  1 00:13:32.123: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:13:32.123: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*.!Mar  1 00:13:32.131: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 00:13:32.131: ISAKMP:(0): processing vendor id payload
*Mar  1 00:13:32.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar  1 00:13:32.131: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar  1 00:13:32.135: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2
*Mar  1 00:13:32.135: ISAKMP:(0): local preshared key found
*Mar  1 00:13:32.135: ISAKMP : Scanning profiles for xauth ...
*Mar  1 00:13:32.135: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:13:32.135: ISAKMP:  encryption DES-CBC
*Mar  1 00:13:32.139: ISAKMP:  hash SHA
*Mar  1 00:13:32.139: ISAKMP:  default group 1
*Mar  1 00:13:32.139: ISAKMP:  auth pre-share
*Mar  1 00:13:32.139: ISAKMP:  life type in seconds
*Mar  1 00:13:32.139: ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:13:32.143: ISAKMP:(0):atts are acceptable. Next payload is 0 (the policy is acceptable / matches)
*Mar  1 00:13:32.143: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  1 00:13:32.143: ISAKMP:(0):Acceptable atts:life: 0
*Mar  1 00:13:32.147: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  1 00:13:32.147: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  1 00:13:32.147: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  1 00:13:32.147: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar  1 00:13:32.215: ISAKMP:(0): processing vendor id payload
*Mar  1 00:13:32.215: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar  1 00:13:32.215: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar  1 00:13:32.215: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:13:32.215: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 00:13:32.215: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 00:13:32.215: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:13:32.219: ISAKMP:(0):Input = IKE_ME!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 72/104/128 ms
SG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:13:32.219: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 00:13:32.363: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP (packets 3 and 4: DH/NONCE)
*Mar  1 00:13:32.367: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:13:32.367: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 00:13:32.371: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 00:13:32.431: ISAKMP:(0): processing NONCE payload. message ID = 0 (public value and nonce)
*Mar  1 00:13:32.431: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2
*Mar  1 00:13:32.435: ISAKMP:(1001): processing vendor id payload
*Mar  1 00:13:32.435: ISAKMP:(1001): vendor ID is Unity
*Mar  1 00:13:32.439: ISAKMP:(1001): processing vendor id payload
*Mar  1 00:13:32.439: ISAKMP:(1001): vendor ID is DPD
*Mar  1 00:13:32.439: ISAKMP:(1001): processing vendor id payload
*Mar  1 00:13:32.443: ISAKMP:(1001): speaking to another IOS box!
*MaR1#r  1 00:13:32.443: ISAKMP:received payload type 20
*Mar  1 00:13:32.443: ISAKMP:received payload type 20
*Mar  1 00:13:32.443: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:13:32.447: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 00:13:32.447: ISAKMP:(1001):Send initial contact
*Mar  1 00:13:32.447: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:13:32.447: ISAKMP (0:1001): ID payload
    next-payload : 8
    type   : 1
    address  : 202.100.1.1
    protocol   : 17
    port   : 500
    length   : 12
*Mar  1 00:13:32.447: ISAKMP:(1001):Total payload length: 12
*Mar  1 00:13:32.447: ISAKMP:(1001): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:13:32.447: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 00:13:32.451: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:13:32.451: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 00:13:32.551: ISAKMP (0:1001): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH (packets 5 and 6: authentication)
*Mar  1 00:13:32.555: ISAKMP:(1001): processing ID payload. message ID = 0
*Mar  1 00:13:32.555: ISAKMP (0:1001): ID payload
    next-payload : 8
    type   : 1
    address  : 202.100.1.2
    protocol   : 17
    port   : 500
    length   : 12
*Mar  1 00:13:32.555: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 00:13:32.559: ISAKMP:(1001): processing HASH payload. message ID = 0
*Mar  1 00:13:32.559: ISAKMP:(1001):SA authentication status: (authentication status)
    authenticated
*Mar  1 00:13:32.563: ISAKMP:(1001):SA has been authenticated with 202.100.1.2 (peer authenticated)
*Mar  1 00:13:32.563: ISAKMP: Trying to insert a peer 202.100.1.1/202.100.1.2/500/,  and inserted successfully 65F2D2E0.
*Mar  1 00:13:32.563: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:13:32.567: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
R1#
*Mar  1 00:13:32.571: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:13:32.571: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Mar  1 00:13:32.579: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:13:32.579: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 00:13:32.583: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of
*Mar  1 00:13:32.587: ISAKMP:(1001):QM Initiator gets spi
*Mar  1 00:13:32.591: ISAKMP:(1001): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:13:32.591: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 00:13:32.595: ISAKMP:(1001):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 00:13:32.595: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:13:32.595: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 00:13:32.595: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  1 00:13:32.783: ISAKMP (0:1001): received packet from 202.100.1.2 dport 500 sport 500 Global (I) QM_IDLE (packets 7 and 8)
*Mar  1 00:13:32.787: ISAKMP:(1001): processing HASH payload. message ID =
*Mar  1 00:13:32.787: ISAKMP:(1001): processing SA payload. message ID =
*Mar  1 00:13:32.787: ISAKMP:(1001):Checking IPSec proposal 1 (validating the proposal)
*Mar  1 00:13:32.791: ISAKMP: transform 1, ESP_DES
*Mar  1 00:13:32.791: ISAKMP:   attributes in transform:
*Mar  1 00:13:32.791: ISAKMP:  encaps is 1 (Tunnel)
*Mar  1 00:13:32.791: ISAKMP:  SA life type in seconds
*Mar  1 00:13:32.791: ISAKMP:  SA life duration (basic) of 3600
*Mar  1 00:13:32.791: ISAKMP:  SA life type in kilobytes
*Mar  1 00:13:32.795: ISAKMP:  SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 00:13:32.795: ISAKMP:  authenticator is HMAC-MD5
*Mar  1 00:13:32.795: ISAKMP:(1001):atts are acceptable. (accepted)
*Mar  1 00:13:32.799: IPSEC(validate_proposal_request): proposal part #1
*Mar  1 00:13:32.799: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.1.1, remote= 202.100.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 00:13:32.803: Crypto mapdb : proxy_match
    src addr   : 1.1.1.1
    dst addr   : 2.2.2.2
    protocol   : 0
    src port   : 0
    dst port   : 0
*Mar  1 00:13:32.803: ISAKMP:(1001): processing NONCE payload. message ID =
*Mar  1 00:13:32.807: ISAKMP:(1001): processing ID payload. message ID =
*Mar  1 00:13:32.807: ISAKMP:(1001): processing ID payload. message ID =
*Mar  1 00:13:32.815: ISAKMP:(1001): Creating IPSec SAs
*Mar  1 00:13:32.815:   inbound SA from 202.100.1.2 to 202.100.1.1 (f/i)  0/ 0 (proxy 2.2.2.2 to 1.1.1.1)
*Mar  1 00:13:32.815:   has spi 0x84D750DA and conn_id 0
*Mar  1 00:13:32.815:   lifetime of 3600 seconds
*Mar  1 00:13:32.819:   lifetime of 4608000 kilobytes
*Mar  1 00:13:32.819:   outbound SA from 202.100.1.1 to 202.100.1.2 (f/i) 0/0 (proxy 1.1.1.1 to 2.2.2.2)
*Mar  1 00:13:32.819:   has spi  0x8E9C20F and conn_id 0
*Mar  1 00:13:32.819:   lifetime of 3600 seconds
*Mar  1 00:13:32.819:   lifetime of 4608000 kilobytes
*Mar  1 00:13:32.823: ISAKMP:(1001): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE (packet 9)
*Mar  1 00:13:32.823: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 00:13:32.827: ISAKMP:(1001):deleting node  error FALSE reason  No Error
*Mar  1 00:13:32.827: ISAKMP:(1001):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 00:13:32.827: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 00:13:32.831: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 00:13:32.835: Crypto mapdb : proxy_match
    src addr   : 1.1.1.1
    dst addr   : 2.2.2.2
    protocol   : 0
    src port   : 0
    dst port   : 0
*Mar  1 00:13:32.835: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 202.100.1.2
*Mar  1 00:13:32.839: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0
*Mar  1 00:13:32.839: IPSEC(create_sa): sa created,
  (sa) sa_dest= 202.100.1.1, sa_proto= 50,
    sa_spi= 0x84D750DA(),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1
*Mar  1 00:13:32.843: IPSEC(create_sa): sa created,
  (sa) sa_dest= 202.100.1.2, sa_proto= 50,
    sa_spi= 0x8E9C20F(),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
*Mar  1 00:13:32.843: IPSEC(update_current_outbound_sa): updated peer 202.100.1.2 current outbound sa to SPI 8E9C20F

2. Debug output after changing the Phase 1 encryption method to 3DES on R1:

Initiator (R1):
R1#sh run | sec cry
crypto isakmp policy 10
 encr 3des
 authentication pre-share
R1#debug cry ips
Crypto IPSEC debugging is on
R1#debug cry isa
Crypto ISAKMP debugging is on
R1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
*Mar  1 02:10:44.591: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 02:10:44.599: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 02:10:44.599: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500
*Mar  1 02:10:44.603: ISAKMP: New peer created peer = 0x663FED30 peer_handle = 0x
*Mar  1 02:10:44.603: ISAKMP: Locking peer struct 0x663FED30, refcount 1 for isakmp_initiator
*Mar  1 02:10:44.603: ISAKMP: local port 500, remote port 500
*Mar  1 02:10:44.603: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 02:10:44.607: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 66D4ED78
*Mar  1 02:10:44.607: ISAKMP:(0):Can not start Aggres.sive mode, trying Main mode.
*Mar  1 02:10:44.607: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2
*Mar  1 02:10:44.611: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  1 02:10:44.611: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 02:10:44.611: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 02:10:44.615: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 02:10:44.615: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 02:10:44.615: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 02:10:44.615: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 02:10:44.619: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:10:44.619: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 02:10:44.763: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_NO_STATE (packets 1 and 2)
*Mar  1 02:10:44.763: ISAKMP:(0):Notify has no hash. Rejected.
*Mar  1 02:10:44.767: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Mar  1 02:10:44.767: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 02:10:44.767: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
*Mar  1 02:10:44.767: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 202.100.1.2
....
Success rate is 0 percent (0/5) (5 consecutive failures)
*Mar  1 02:10:54.619: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:10:54.619: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 02:10:54.619: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:10:54.623: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:10:54.623: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 02:11:04.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:11:04.623: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 02:11:04.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:11:04.627: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:11:04.627: ISAKMP:(0):Sending an IKE IPv4 Packet.

Responder debug:
R2#debug cry ips
Crypto IPSEC debugging is on
R2#debug cry isa
Crypto ISAKMP debugging is on
R2#
*Mar  1 02:10:37.911: ISAKMP (0:0): received packet from 202.100.1.1 dport 500 sport 500 Global (N) NEW SA (first packet)
*Mar  1 02:10:37.943: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 02:10:37.943: ISAKMP:  encryption 3DES-CBC
*Mar  1 02:10:37.943: ISAKMP:  hash SHA
*Mar  1 02:10:37.943: ISAKMP:  default group 1
*Mar  1 02:10:37.943: ISAKMP:  auth pre-share
*Mar  1 02:10:37.947: ISAKMP:  life type in seconds
*Mar  1 02:10:37.947: ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 02:10:37.947: ISAKMP:(0):Encryption algorithm offered does not match policy! (the responder reports that the encryption algorithm does not match)
*Mar  1 02:10:37.947: ISAKMP:(0):atts are not acceptable. Next payload is 0 (the Phase 1 policy was not accepted)
*Mar  1 02:10:37.951: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Mar  1 02:10:37.951: ISAKMP:  encryption 3DES-CBC
*Mar  1 02:10:37.951: ISAKMP:  hash SHA
*Mar  1 02:10:37.951: ISAKMP:  default group 1
*Mar  1 02:10:37.951: ISAKMP:  auth pre-share
*Mar  1 02:10:37.955: ISAKMP:  life type in seconds
*Mar  1 02:10:37.955: ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 02:10:37.955: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 02:10:37.959: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 02:10:37.959: ISAKMP:(0)R2#:no offers accepted!
*Mar  1 02:10:37.959: ISAKMP:(0): phase 1 SA policy not acceptable! (local 202.100.1.2 remote 202.100.1.1)
*Mar  1 02:10:37.959: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  1 02:10:37.963: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE (second packet)
*Mar  1 02:10:37.963: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 02:10:37.963: ISAKMP:(0):peer does not do paranoid keepalives.
R2#

3. Debug output after changing the Phase 1 hash method to MD5 on R1:

Note: the debug output on the sender (R1) is the same as in (2), so we only look at the responder.

Responder debug:
R2#debu cry isa
Crypto ISAKMP debugging is on
R2#debu cry ips
Crypto IPSEC debugging is on
Jul  6 07:49:51.222: ISAKMP (0:0): received packet from 202.100.1.1 dport 500 sport 500 Global (N) NEW SA (first packet)
Jul  6 07:49:51.250: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul  6 07:49:51.254: ISAKMP:  encryption DES-CBC
Jul  6 07:49:51.254: ISAKMP:  hash MD5
Jul  6 07:49:51.254: ISAKMP:  default group 1
Jul  6 07:49:51.254: ISAKMP:  auth pre-share
Jul  6 07:49:51.254: ISAKMP:  life type in seconds
Jul  6 07:49:51.254: ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
Jul  6 07:49:51.258: ISAKMP:(0):Hash algorithm offered does not match policy! (hash algorithm mismatch)
Jul  6 07:49:51.258: ISAKMP:(0):atts are not acceptable. Next payload is 0 (not accepted)
Jul  6 07:49:51.258: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jul  6 07:49:51.262: ISAKMP:  encryption DES-CBC
Jul  6 07:49:51.262: ISAKMP:  hash MD5
Jul  6 07:49:51.262: ISAKMP:  default group 1
Jul  6 07:49:51.262: ISAKMP:  auth pre-share
Jul  6 07:49:51.262: ISAKMP:  life type in seconds
Jul  6 07:49:51.262: ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
Jul  6 07:49:51.266: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul  6 07:49:51.266: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul  6 07:49:51.266: ISAKMP:(0):no offers accepted!
Jul  6 07:49:51.270: ISAKMP:(0): phase 1 SA policy not acceptable! (local 202.100.1.2 remote 202.100.1.1) (the Phase 1 SA policy was not accepted)
Jul  6 07:49:51.270: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jul  6 07:49:51.270: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE (second packet)
Jul  6 07:49:51.274: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul  6 07:49:51.274: ISAKMP:(0):peer does not do paranoid keepalives.

4. Debug output after changing the Phase 1 authentication method to certificates (signatures) on R1:

Debug on the initiator, R1:
R1#debu cry isa
Crypto ISAKMP debugging is on
R1#debu cry ips
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
Jul  6 08:11:42.867: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul  6 08:11:42.875: ISAKMP:(0): SA request profile is (NULL)
Jul  6 08:11:42.875: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500
Jul  6 08:11:42.875: ISAKMP: New peer created peer = 0x663C537C peer_handle = 0x
Jul  6 08:11:42.879: ISAKMP: Locking peer struct 0x663C537C, refcount 1 for isakmp_initiator
Jul  6 08:11:42.879: ISAKMP: local port 500, remote port 500
Jul  6 08:11:42.879: ISAKMP: set new node 0 to QM_IDLE
Jul  6 08:11:42.883: insert sa successfully sa = 65FDA2D4
Jul  6 08:11:42.883: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul  6 08:11:42.883: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2
Jul  6 08:11:42.887: ISAKMP:(0):incorrect policy settings. Unable to initiate. (incorrect policy settings; initiation cannot continue)
Jul  6 08:11:42.887: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul  6 08:11:42.887: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Note: because no certificate is found locally, the process is stopped immediately and never gets the chance to send a packet (the first Phase 1 packet), so no debug output appears on the receiving device (R2).

5. Debug output after changing the Phase 2 transform set ESP encryption method to 3DES on R1:

Initiator (R1):
R1#
Jul  6 08:35:45.307: ISAKMP:(1003):QM Initiator gets spi
Jul  6 08:35:45.311: ISAKMP:(1003): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Jul  6 08:35:45.315: ISAKMP:(1003):Sending an IKE IPv4 Packet.
Jul  6 08:35:45.315: ISAKMP:(1003):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul  6 08:35:45.319: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jul  6 08:35:45.319: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul  6 08:35:45.319: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jul  6 08:35:45.491: ISAKMP (0:1003): received packet from 202.100.1.2 dport 500 .sport 500 Global (I) QM_IDLE (packets 7 and 8)
Jul  6 08:35:45.491: ISAKMP: set new node - to QM_IDLE
Jul  6 08:35:45.495: ISAKMP:(1003): processing HASH payload. message ID = -
Jul  6 08:35:45.495: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = -, sa = 65FDA2D4
Jul  6 08:36:14.515: ISAKMP: set new node 0 to QM_IDLE
Jul  6 08:36:14.519: SA has outstanding requests(local 101.253.164.56 port 500, remote 101.253.164.28 port 500)   ??????
Jul  6 08:36:14.519: ISAKMP:(1003): sitting IDLE. Starting QM immediately (QM_IDLE  )

Responder (R2) debug:
R2#debu cry ips
Crypto IPSEC debugging is on
R2#debu cry isa
Crypto ISAKMP debugging is on
R2#
Jul  6 08:35:45.398: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac } (transform set settings do not match)
Jul  6 08:35:45.402: ISAKMP:(1003): IPSec policy invalidated proposal with error 256
Jul  6 08:35:45.402: ISAKMP:(1003): phase 2 SA policy not acceptable! (local 202.100.1.2 remote 202.100.1.1) (the Phase 2 SA policy was not accepted)
Jul  6 08:35:45.402: ISAKMP: set new node - to QM_IDLE
Jul  6 08:35:45.406: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = -

6. Debug output after changing the Phase 2 interesting traffic on R1 (the ACL referenced under the crypto map):

Case A: initiator = misconfigured side (R1):
R1#debu cry ips
Crypto IPSEC debugging is on
R1#debu cry isa
Crypto ISAKMP debugging is on
R1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.
Jul  6 10:13:43.643: ISAKMP:(1003):purging node
....
Success rate is 0 percent (0/5)
Jul  6 10:13:53.643: ISAKMP:(1003):purging SA., sa=65FDA2D4, delme=65FDA2D4

Responder (R2):
R2#debu cry ips
Crypto IPSEC debugging is on
R2#debu cry isa
Crypto ISAKMP debugging is on
Jul  6 10:34:40.071: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 1

Case B: initiator ≠ misconfigured side (R2):
R2#ping 1.1.1.1 so 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Jul  6 12:15:58.826: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.2, remote= 202.100.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul  6 12:15:58.834: ISAKMP: set new node 0 to QM_IDLE
Jul  6 12:15:58.834: SA has outstanding requests  (local 102.44.26.132 port 500, remote 102.44.26.160 port 500)
Jul  6 12:15:58.838: ISAKMP:(1005): sitting IDLE. Starting QM immediately (QM_IDLE  )
Jul  6 12:15:58.838: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of -
Jul  6 12:15:58.842: ISAKMP:(1005):QM Initiator gets spi
Jul  6 12:15:58.846: ISAKMP:(1005): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) QM_IDLE
Jul  6 12:15:58.846: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul  6 12:15:58.846: ISAKMP:(1005):Node -, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul  6 12:15:58.850: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jul  6 12:15:59.014: ISAKMP (0:1005): received packet from 202.100.1.1 dport 500 sport 500 Global (R) QM_IDLE
Jul  6 12:15:59.018: ISAKMP: set new node  to QM_IDLE
Jul  6 12:15:59.018: ISAKMP:(1005): processing HASH payload. message ID =
Jul  6 12:15:59.022: ISAKMP:(1005): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = , sa = 662C193C
Success rate is 0 percent (0/5)
Jul  6 12:16:28.838: ISAKMP:(1005): sitting IDLE. Starting QM immediately (QM_IDLE  )
Jul  6 12:16:28.838: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of
Jul  6 12:16:28.842: ISAR2#KMP:(1005):QM Initiator gets spi
Jul  6 12:16:28.846: ISAKMP:(1005): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) QM_IDLE
Jul  6 12:16:28.846: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul  6 12:16:28.850: ISAKMP:(1005):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul  6 12:16:28.850: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jul  6 12:16:29.002: ISAKMP (0:1005): received packet from 202.100.1.1 dport 500 sport 500 Global (R) QM_IDLE (Phase 2 cannot complete)

Responder (R1):
R1#
Jul  6 12:15:58.914: ISAKMP (0:1005): received packet from 202.100.1.2 dport 500 sport 500 Global (I) QM_IDLE
Jul  6 12:15:58.914: ISAKMP: set new node - to QM_IDLE
Jul  6 12:15:58.918: ISAKMP:(1005): processing HASH payload. message ID = -
Jul  6 12:15:58.918: ISAKMP:(1005): processing SA payload. message ID = -
Jul  6 12:15:58.922: ISAKMP:(1005):Checking IPSec proposal 1
Jul  6 12:15:58.922: ISAKMP: transform 1, ESP_DES
Jul  6 12:15:58.922: ISAKMP:   attributes in transform:
Jul  6 12:15:58.922: ISAKMP:  encaps is 1 (Tunnel)
Jul  6 12:15:58.922: ISAKMP:  SA life type in seconds
Jul  6 12:15:58.922: ISAKMP:  SA life duration (basic) of 3600
Jul  6 12:15:58.926: ISAKMP:  SA life type in kilobytes
Jul  6 12:15:58.926: ISAKMP:  SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jul  6 12:15:58.926: ISAKMP:  authenticator is HMAC-MD5
Jul  6 12:15:58.926: ISAKMP:(1005):atts are acceptable.
Jul  6 12:15:58.930: IPSECR1#(validate_proposal_request): proposal part #1
Jul  6 12:15:58.930: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.1.1, remote= 202.100.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul  6 12:15:58.934: Crypto mapdb : proxy_match
    src addr   : 1.1.1.1
    dst addr   : 2.2.2.2
    protocol   : 0
    src port   : 0
    dst port   : 0
Jul  6 12:15:58.934: Crypto mapdb : proxy_match
    src addr   : 1.1.1.1
    dst addr   : 2.2.2.2
    protocol   : 0
    src port   : 0
    dst port   : 0
Jul  6 12:15:58.938: map_db_find_best did not find matching map
Jul  6 12:15:58.938: IPSEC(ipsec_process_proposal): proxy identities not supported (interesting-traffic identities not supported / do not match)
Jul  6 12:15:58.938: ISAKMP:(1005): IPSec policy invalidated proposal with error 32
Jul  6 12:15:58.938: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 202.100.1.1 remote 202.100.1.2)
Jul  6 12:15:58.942: ISAKMP: set new node  to QM_IDLE
Jul  6 12:15:58.942: ISAKMP:(1005):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID =
Jul  6 12:15:58.946: ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Jul  6 12:15:58.946: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul  6 12:15:58.950: ISAKMP:(1005):purging node
Jul  6 12:15:58.950: ISAKMP:(1005):deleting node - error TRUE reason  QM rejected
Jul  6 12:15:58.950: ISAKMP:(1005):Node -, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jul  6 12:15:58.954: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_READY
R1#

7. Debug output after changing set peer under the crypto map on R1 (so that it no longer matches the crypto endpoint in cry isa key 0 cisco add 202.100.1.2):

Initiator = misconfigured side (R1):
R1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
Jul  6 11:13:17.947: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 2.2.2.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul  6 11:13:17.955: ISAKMP:(0): SA request profile is (NULL)
Jul  6 11:13:17.959: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Jul  6 11:13:17.959: ISAKMP: New peer created peer = 0x663C537C peer_handle = 0x8000000B
Jul  6 11:13:17.959: ISAKMP: Locking peer struct 0x663C537C, refcount 1 for isakmp_initiator
Jul  6 11:13:17.959: ISAKMP: local port 500, remote port 500
Jul  6 11:13:17.963: ISAKMP: set new node 0 to QM_IDLE
Jul  6 11:13:17.963: insert sa successfully sa = 661B5C78
Jul  6 11:13:17.963: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul  6 11:13:17.967: ISAKMP:(0):No pre-shared key with 2.2.2.2!
Jul  6 11:13:17.967: ISAKMP:(0): No Cert or pre-shared address key. (indicates a problem with the crypto endpoint)
Jul  6 11:13:17.967: ISAKMP:(0): construct_initial_message: Can not start Main mode
Jul  6 11:13:17.967: ISAKMP: Unlocking peer struct 0x663C537C for isadb_unlock_peer_delete_sa(), count 0
Jul  6 11:13:17.971: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 663C537C
Jul  6 11:13:17.971: ISAKMP:(0):purging SA., sa=661B5C78, delme=661B5C78
Jul  6 11:13:17.971: ISAKMP:(0):purging node
Jul  6 11:13:17.975: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul  6 11:13:17.975: ISAKMP: Error while processing KMI message 0, error 2.
Jul  6 11:13:17.979: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.....
Success rate is 0 percent (0/5)

Note: because the pre-share address (key) does not match, the sender cannot initiate IPsec VPN Main Mode, so the responder receives no packets at all.

8. Debug output after changing set peer under the crypto map on R2 (so that it no longer matches the crypto endpoint in cry isa key 0 cisco add ….1.1):

Initiator ≠ misconfigured side (R1): (Phase 1 completes fine, so it is not shown; we start from Phase 2) (the symptom is not obvious)
R1#ping 2.2.2.2 so 1.1.1.1
Jul  6 11:25:59.483: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of
Jul  6 11:25:59.483: ISAKMP:(1005):QM Initiator gets spi
Jul  6 11:25:59.487: ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Jul  6 11:25:59.487: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul  6 11:25:59.491: ISAKMP:(1005):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul  6 11:25:59.491: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jul  6 11:25:59.495: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul  6 11:25:59.495: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jul  6 11:25:59.647: ISAKMP (0:1005): received packet from 202.100.1.2 dport 500 spo.rt 500 Global (I) QM_IDLE
Jul  6 11:25:59.651: ISAKMP: set new node  to QM_IDLE
Jul  6 11:25:59.651: ISAKMP:(1005): processing HASH payload. message ID =
Jul  6 11:25:59.655: ISAKMP:(1005): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = , sa = 661B5C78
Jul  6 11:25:59.655: ISAKMP:(1005): deleting spi  message ID =
Jul  6 11:25:59.655: ISAKMP:(1005):deleting node  error TRUE reason  Delete Larval
Jul  6 11:25:59.659: ISAKMP:(1005):deleting node  error FALSE reason  Informational (in) state 1
Jul  6 11:25:59.659: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul  6 11:25:59.659: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New Stat
e&=&IKE_P1_COMPLETE&Success&rate&is&0&percent&(0/5)Jul&&6&11:26:28.811:&IPSEC(key_engine):&request&timer&fired:&count&=&1,&(identity)&local=&202.100.1.1,&remote=&202.100.1.2,&&local_proxy=&1.1.1.1/255.255.255.255/0/0&(type=1),&&remote_proxy=&2.2.2.2/255.255.255.255/0/0&(type=1)Jul&&6&11:26:28.815:&IPSEC(sa_request):&,&(key&eng.&msg.)&OUTBOUND&local=&202.100.1.1,&remote=&202.100.1.2,&&local_proxy=&1.1.1.1/255.255.255.255/0/0&(type=1),&&remote_proxy=&2.2.2.2/255.255.255.255/0/0&(type=1),&protocol=&ESP,&transform=&esp-des&esp-md5-hmac&&(Tunnel),&&lifedur=&3600s&and&4608000kb,&&spi=&0x0(0),&conn_id=&0,&keysize=&0,&flags=&0x0Jul&&6&11:26:28.819:&ISAKMP:&set&new&node&0&to&QM_IDLE&&Jul&&6&11:26:28.819:&SA&has&outstanding&requests&&(local&102.27.93.220&port&500,&remote&102.27.93.192&port&500)&????????Jul&&6&11:26:28.823:&ISAKMP:(1005):&sitting&IDLE.&Starting&QM&immediately&(QM_IDLE&&)Jul&&6&11:26:28.823:&ISAKMP:(1005):beginning&Quick&Mode&exchange,&M-ID&of&-Jul&&6&11:26:28.827:&ISAKMP:(1005):QM&Initiator&gets&spiJul&&6&11:26:28.831:&ISAKMP:(1005):&sending&packet&to&202.100.1.2&my_port&500&peer_port&500&(I)&QM_IDLE(第二阶段过不去)&&Jul&&6&11:26:28.831:&ISAKMP:(1005):Sending&an&IKE&IPv4&Packet.9,在R1O渖闲薷cry&isa&key&0&cisco&add&<span 
style="color:#ff.2.2加密c和MAP下set&peer不一致),debug展示:l起方=问题方(R1):(和7的结果一样)――――――――――――――――――――――――发起方≠问题方(R2):R2#ping&1.1.1.1&so&2.2.2.2Type&escape&sequence&to&abort.Sending&5,&100-byte&ICMP&Echos&to&1.1.1.1,&timeout&is&2&seconds:Packet&sent&with&a&source&address&of&2.2.2.2&Jul&&6&13:26:21.258:&%CRYPTO-6-IKMP_MODE_FAILURE:&Processing&of&Informational&mode&failed&with&peer&at&202.100.1.1.....Success&rate&is&0&percent&(0/5)注意:我们现在在R1上看下debug信息:问题方(R1):R1#Jul&&6&13:26:21.138:&ISAKMP&(0:0):&received&packet&from&202.100.1.2&dport&500&sport&500&Global&(N)&NEW&SAJul&&6&13:26:21.138:&ISAKMP:&Created&a&peer&struct&for&202.100.1.2,&peer&port&500Jul&&6&13:26:21.142:&ISAKMP:&New&peer&created&peer&=&0x663C537C&peer_handle&=&0xJul&&6&13:26:21.142:&ISAKMP:&Locking&peer&struct&0x663C537C,&refcount&1&for&crypto_isakmp_process_blockJul&&6&13:26:21.142:&ISAKMP:&local&port&500,&remote&port&500Jul&&6&13:26:21.146:&insert&sa&successfully&sa&=&65FDA2D4Jul&&6&13:26:21.146:&ISAKMP:(0):Input&=&IKE_MESG_FROM_PEER,&IKE_MM_EXCHJul&&6&13:26:21.146:&ISAKMP:(0):Old&State&=&IKE_READY&&New&State&=&IKE_R_MM1&Jul&&6&13:26:21.154:&ISAKMP:(0):&processing&SA&payload.&message&ID&=&0Jul&&6&13:26:21.154:&ISAKMP:(0):&processing&vendor&id&payloadJul&&6&13:26:21.158:&ISAKMP:(0):&vendor&ID&seems&Unity/DPD&but&major&69&mismatchJul&&6&13:26:21.158:&ISAKMP&(0:0):&vendor&ID&is&NAT-T&RFC&3947Jul&&6&13:26:21.158:&ISAKMP:(0):&processing&vendor&id&payloadJul&&6&13:26:21.158:&ISAKMP:(0):&vendor&ID&seems&Unity/DPD&but&major&245&mismatchJul&&6&13:26:21.158:&ISAKMP&(0:0):&vendor&ID&is&NAT-T&v7Jul&&6&13:26:21.162:&ISAKMP:(0):&processing&vendor&id&payloadJul&&6&13:26:21.162:&ISAKMP:(0):&vendor&ID&seems&Unity/DPD&but&major&157&mismatchJul&&6&13:26:21.162:&ISAKMP:(0):&vendor&ID&is&NAT-T&v3Jul&&6&13:26:21.162:&ISAKMP:(0):&processing&vendor&id&payloadJul&&6&13:26:21.166:&ISAKMP:(0):&vendor&ID&seems&Unity/DPD&but&major&123&mismatchJul&&6&13:26:21.166:&ISAKMP:(0):&vendor&ID&is&NAT-T&v2Jul&&6&13:26:21.166:&ISAKMP:(0):No&pre-shared&key&
with&202.100.1.2!(不匹配Φ润w加密c/]有Φ润w的A共享密_)Jul&&6&13:26:21.166:&ISAKMP&:&Scanning&profiles&for&xauth&...Jul&&6&13:26:21.170:&ISAKMP:(0):Checking&ISAKMP&transform&1&against&priority&10&policyJul&&6&13:26:21.170:&ISAKMP:&&encryption&DES-CBCJul&&6&13:26:21.170:&ISAKMP:&&hash&SHAJul&&6&13:26:21.170:&ISAKMP:&&default&group&1Jul&&6&13:26:21.170:&ISAKMP:&&auth&pre-shareJul&&6&13:26:21.170:&ISAKMP:&&&life&type&in&secondsJul&&6&13:26:21.174:&ISAKMP:&&life&duration&(VPI)&of&&0x0&0x1&0x51&0x80&Jul&&6&13:26:21.174:&ISAKMP:(0):Preshared&authentication&offered&but&does&not&match&policy!Jul&&6&13:26:21.174:&ISAKMP:(0):atts&are&not&acceptable.&Next&payload&is&0Jul&&6&13:26:21.178:&ISAKMP:(0):Checking&ISAKMP&transform&1&against&priority&65535&policyJul&&6&13:26:21.178:&ISAKMP:&&encryption&DES-CBCJul&&6&13:26:21.178:&ISAKMP:&&hash&SHAJul&&6&13:26:21.178:&ISAKMP:&&default&group&1Jul&&6&13:26:21.178:&ISAKMP:&&auth&pre-shareJul&&6&13:26:21.178:&ISAKMP:&&life&type&in&secondsJul&&6&13:26:21.182:&ISAKMP:&&life&duration&(VPI)&of&&0x0&0x1&0x51&0x80&Jul&&6&13:26:21.182:&ISAKMP:(0):Authentication&method&offered&does&not&match&policy!&&Jul&&6&13:26:21.182:&ISAKMP:(0):atts&are&not&acceptable.&Next&payload&is&0Jul&&6&13:26:21.186:&ISAKMP:(0):no&offers&accepted!Jul&&6&13:26:21.186:&ISAKMP:(0):&phase&1&SA&policy&not&acceptable!&(local&202.100.1.1&remote&202.100.1.2)&Jul&&6&13:26:21.186:&ISAKMP&(0:0):&incrementing&error&counter&on&sa,&attempt&1&of&5:&construct_fail_ag_initJul&&6&13:26:21.190:&ISAKMP:(0):&sending&packet&to&202.100.1.2&my_port&500&peer_port&500&(R)&MM_NO_STATEJul&&6&13:26:21.190:&ISAKMP:(0):Sending&an&IKE&IPv4&Packet.Jul&&6&13:26:21.190:&ISAKMP:(0):peer&does&not&do&paranoid&keepalives.10,在R1O涞母信d趣M出的接口(F0/0)上不{用cry&map后,debug展示:l起方=问题方(R1):R1#debu&cry&isaCrypto&ISAKMP&debugging&is&onR1#debu&cry&ipsCrypto&IPSEC&debugging&is&onR1#ping&2.2.2.2&so&1.1.1.1Type&escape&sequence&to&abort.Sending&5,&100-byte&ICMP&Echos&to&2.2.2.2,&timeout&is&2&seconds:Packet&sent&with&a&source&address&of&1.1.1.1&
.....
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:11:11.899: ISAKMP:(1001):purging SA., sa=65CBF5EC, delme=65CBF5EC

No response.

Receiver (R2):

R2#
*Mar  1 00:10:32.935: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 1
R2#
*Mar  1 00:10:58.555: ISAKMP:(1001):purging node -
*Mar  1 00:10:58.555: ISAKMP:(1001):purging node -

Explanation: the table below describes how a crypto map handles encrypted or cleartext traffic.

Interesting traffic?   Encrypted?   Crypto map present?   Action
N/A                    yes          yes                   decrypt
yes                    no           yes                   drop
yes                    no           no                    forward
N/A                    yes          no                    decrypt

--------------------------------------------

Initiator ≠ faulty side (R2):

R2#ping 1.1.1.1 so 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
*Mar  1 00:15:14.983: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.2, remote= 202.100.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 00:15:14.991: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 00:15:14.991: ISAKMP: Created a peer struct for 202.100.1.1, peer port 500
*Mar  1 00:15:14.995: ISAKMP: New peer created peer = 0x66C81378 peer_handle = 0x
*Mar  1 00:15:14.995: ISAKMP: Locking peer struct 0x66C81378, refcount 1 for isakmp_initiator
*Mar  1 00:15:14.995: ISAKMP: local port 500, remote port 500
*Mar  1 00:15:14.995: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:15:14.999: insert sa successfully sa = 66232F58
*Mar  1 00:15:14.999: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:15:14.999: ISAKMP:(0):found peer pre-shared key matching 202.100.1.1
*Mar  1 00:15:15.003: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  1 00:15:15.003: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 00:15:15.003: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 00:15:15.007: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 00:15:15.007: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:15:15.007: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:15:15.007: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 00:15:15.011: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE (first packet)
*Mar  1 00:15:15.011: ISAKMP:(0):Sending an IKE IPv4 Packet.
.....
Success rate is 0 percent (0/5)
*Mar  1 00:15:25.011: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:15:25.011: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1 (the peer sends no reply; retransmitted 5 times)
*Mar  1 00:15:25.011: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:15:25.015: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:15:25.015: ISAKMP:(0):Sending an IKE IPv4 Packet.
R2#
*Mar  1 00:15:35.015: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:15:35.015: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:15:35.015: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:15:35.019: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:15:35.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
R2#
*Mar  1 00:15:44.983: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 202.100.1.2, remote= 202.100.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
*Mar  1 00:15:44.987: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.2, remote= 202.100.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 00:15:44.991: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:15:44.995: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 202.100.1.2, remote 202.100.1.1)
*Mar  1 00:15:44.995: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 00:15:44.995: ISAKMP: Error while processing KMI message 0, error 2.

Receiver = faulty side (R1): still no response at all.

The table below describes how a crypto map handles encrypted or cleartext traffic.

Interesting traffic?   Encrypted?   Crypto map present?   Action
N/A                    yes          yes                   decrypt
yes                    no           yes                   drop
yes                    no           no                    forward
N/A                    yes          no                    decrypt

11. On R1, change the routing (no route toward the peer for the interesting traffic); debug output:

Initiator = faulty side (R1): no response at all.

Receiver (R2): no response at all.

------------------------------------------

Initiator ≠ faulty side (R2):

R2#sh cry en conn ac
Crypto Engine Connections
   ID Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
    7 Fa0/0      IPsec  DES+MD5          0        0  202.100.1.2
    8 Fa0/0      IPsec  DES+MD5          4        0  202.100.1.2
 1004 Fa0/0      IKE    SHA+DES          0        0  202.100.1.2

R2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
202.100.1.1     202.100.1.2     QM_IDLE       1004     0  ACTIVE
IPv6 Crypto ISAKMP SA

R2#sh cry ips sa
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 202.100.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 202.100.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 202.100.1.2, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xAE7F796)
     inbound esp sas:
      spi: 0xBB653B0B()
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (8)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xAE7F796)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (6)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
R2#

Receiver = faulty side (R1):

R1#sh cry en conn ac
Crypto Engine Connections
   ID Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
    7 Fa0/0      IPsec  DES+MD5          0        4  202.100.1.1
    8 Fa0/0      IPsec  DES+MD5          0        0  202.100.1.1
 1004 Fa0/0      IKE    SHA+DES          0        0  202.100.1.1

R1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
202.100.1.1     202.100.1.2     QM_IDLE       1004     0  ACTIVE
IPv6 Crypto ISAKMP SA

R1#sh cry ips sa
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 202.100.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 202.100.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB653B0B()
     inbound esp sas:
      spi: 0xAE7F796)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (3)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xBB653B0B()
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (2)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

12. On R1, change the interface the crypto map is applied to (moved from F0/0 to the Lo0 interface); debug output:

Initiator = faulty side (R1): no response at all.

Receiver (R2): no response at all.

----------------------------------------

Initiator ≠ faulty side (R2):

*Mar  1 01:10:06.291: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of
*Mar  1 01:10:06.295: ISAKMP:(1005):QM Initiator gets spi
*Mar  1 01:10:06.299: ISAKMP:(1005): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:10:06.299: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:10:06.303: ISAKMP:(1005):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:10:06.303: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:10:06.303: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:10:06.303: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  1 01:10:06.447: ISAKMP (0:1005): received packet from 202.100.1.1 dport 500 sport 500 Global (I) QM_IDLE (packets 7 and 8 do not get through)
*Mar  1 01:10:06.451: ISAKMP: set new node - to QM_IDLE
*Mar  1 01:10:06.455: ISAKMP:(1005): processing HASH payload. message ID = -
*Mar  1 01:10:06.455: ISAKMP:(1005): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = -, sa = 66232F58
*Mar  1 01:10:06.455: ISAKMP:(1005): deleting spi  message ID =
*Mar  1 01:10:06.455: ISAKMP:(1005):deleting node  error TRUE reason  Delete Larval
*Mar  1 01:10:06.459: ISAKMP:(1005):deleting node - error FALSE reason  Informational (in) state 1
*Mar  1 01:10:06.459: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 01:10:06.459: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
.
Success rate is 0 percent (0/5)

R2#sh cry en conn ac
Crypto Engine Connections
   ID Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
 1005 Fa0/0      IKE    SHA+DES          0        0  202.100.1.2

R2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
202.100.1.1     202.100.1.2     QM_IDLE       1005     0  ACTIVE
IPv6 Crypto ISAKMP SA

Receiver = faulty side (R1):

*Mar  1 01:10:09.739: ISAKMP (0:1005): received packet from 202.100.1.2 dport 500 sport 500 Global (R) QM_IDLE
*Mar  1 01:10:09.739: ISAKMP: set new node  to QM_IDLE
*Mar  1 01:10:09.743: ISAKMP:(1005): processing HASH payload. message ID =
*Mar  1 01:10:09.743: ISAKMP:(1005): processing SA payload. message ID =
*Mar  1 01:10:09.743: ISAKMP:(1005):Checking IPSec proposal 1
*Mar  1 01:10:09.747: ISAKMP: transform 1, ESP_DES
*Mar  1 01:10:09.747: ISAKMP:   attributes in transform:
*Mar  1 01:10:09.747: ISAKMP:  encaps is 1 (Tunnel)
*Mar  1 01:10:09.747: ISAKMP:  SA life type in seconds
*Mar  1 01:10:09.747: ISAKMP:  SA life duration (basic) of 3600
*Mar  1 01:10:09.751: ISAKMP:  SA life type in kilobytes
*Mar  1 01:10:09.751: ISAKMP:  SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:10:09.751: ISAKMP:  authenticator is HMAC-MD5
*Mar  1 01:10:09.751:R1# ISAKMP:(1005):atts are acceptable.
*Mar  1 01:10:09.755: IPSEC(validate_proposal_request): proposal part #1
*Mar  1 01:10:09.755: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.1.1, remote= 202.100.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 01:10:09.759: IPSEC(ipsec_process_proposal): invalid local address 202.100.1.1
*Mar  1 01:10:09.759: ISAKMP:(1005): IPSec policy invalidated proposal with error 8
*Mar  1 01:10:09.763: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 202.100.1.1 remote 202.100.1.2) (the phase 2 policy was not accepted)
*Mar  1 01:10:09.763: ISAKMP: set new node - to QM_IDLE
*Mar  1 01:10:09.763: ISAKMP:(1005):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = -
*Mar  1 01:10:09.767:R1# ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (R) QM_IDLE
*Mar  1 01:10:09.767: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:10:09.771: ISAKMP:(1005):purging node -
*Mar  1 01:10:09.771: ISAKMP:(1005):deleting node  error TRUE reason  QM rejected (quick mode rejected)
*Mar  1 01:10:09.771: ISAKMP:(1005):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:10:09.775: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_READY
R1#
*Mar  1 01:11:29.111: ISAKMP:(1005):purging node -

R1#sh cry en conn ac
Crypto Engine Connections
   ID Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
 1005 Fa0/0      IKE    SHA+DES          0        0  202.100.1.1

R1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  slot  status
202.100.1.1     202.100.1.2     QM_IDLE       1005     0  ACTIVE
IPv6 Crypto ISAKMP SA

13. On R1, change the pre-shared key; debug output:

Initiator = faulty side (R1):

R1#
*Mar  1 00:44:18.423: ISAKMP:(1002): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:44:18.423: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  1 00:44:18.423: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:44:18.427: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 00:44:19.531: ISAKMP (0:1002): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:44:19.531: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet. (packets 5 and 6 do not get through; 5 attempts fail)
*Mar  1 00:44:19.531: ISAKMP:(1002): retransmitting due to retransmit phase 1
*Mar  1 00:44:20.035: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 00:44:20.035: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:44:20.035: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 00:44:20.039: ISAKMP:(1002): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:44:20.039: ISAKMP:(1002):Sending an IKE IPv4 Packet.
..

Receiver ≠ faulty side (R2):

R2#
*Mar  1 00:44:15.595: ISAKMP (0:1002): received packet from 202.100.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar  1 00:44:15.595: ISAKMP: reserved not zero on ID payload!
*Mar  1 00:44:15.599: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 202.100.1.1 failed its sanity check or is malformed
*Mar  1 00:44:15.599: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Mar  1 00:44:16.599: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH...
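The debug signatures that separate scenarios 7 to 13 can be matched mechanically when triaging a capture from either router. The script below is an added example, not part of the original post: the function name, the signature table and its cause labels are assumptions drawn only from the lab scenarios above, and the sample lines are abridged from the output shown for scenarios 12 and 13.

```python
import re

# Signature -> (IKE phase, misconfiguration that produced it in this lab).
# The mapping is an assumption built from scenarios 7-13 of the write-up only.
SIGNATURES = [
    (r"No pre-shared key with (?P<addr>[\d.]+)!", "phase 1",
     "ISAKMP key address and crypto map set peer disagree (scenarios 7, 9)"),
    (r"retransmitting phase 1 MM_NO_STATE", "phase 1",
     "peer never answers the first Main Mode packet (scenario 10)"),
    (r"retransmitting phase 1 MM_KEY_EXCH", "phase 1",
     "pre-shared key values differ (scenario 13)"),
    (r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (?P<addr>[\d.]+)", "phase 1",
     "pre-shared key values differ (scenario 13)"),
    (r"invalid local address (?P<addr>[\d.]+)", "phase 2",
     "crypto map applied to the wrong local interface (scenario 12)"),
    (r"processing NOTIFY PROPOSAL_NOT_CHOSEN", "phase 2",
     "peer rejected Quick Mode; read the peer's debug (scenarios 8, 12)"),
    (r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC", "data plane",
     "sender has no crypto map on its egress interface (scenario 10)"),
]
COMPILED = [(re.compile(p), phase, cause) for p, phase, cause in SIGNATURES]

# Optional "R1#" prompt, optional "*", then an IOS timestamp such as "Mar  1 00:44:15.599".
LINE = re.compile(
    r"^(?:\S+#)?\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s*(?P<msg>.*)$")

def triage(log_text):
    """Return one finding per distinct cause, in order of first appearance."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, ping output, wrapped continuation lines
        for pattern, phase, cause in COMPILED:
            hit = pattern.search(m.group("msg"))
            if not hit:
                continue
            f = findings.setdefault(cause, {
                "phase": phase, "cause": cause, "count": 0, "addrs": set(),
                "first_seen": " ".join(m.group("ts").split())})
            f["count"] += 1
            if hit.groupdict().get("addr"):
                f["addrs"].add(hit.group("addr"))
    return list(findings.values())

# Sample input, abridged from the debug output shown above.
SAMPLES = {
    "R1, scenario 12": """\
*Mar  1 01:10:09.751:R1# ISAKMP:(1005):atts are acceptable.
*Mar  1 01:10:09.759: IPSEC(ipsec_process_proposal): invalid local address 202.100.1.1
*Mar  1 01:10:09.763: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 202.100.1.1 remote 202.100.1.2)
*Mar  1 01:10:09.763: ISAKMP:(1005):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3""",
    "R2, scenario 13": """\
R2#*Mar  1 00:44:15.595: ISAKMP: reserved not zero on ID payload!
*Mar  1 00:44:15.599: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 202.100.1.1 failed its sanity check or is malformed
*Mar  1 00:44:16.599: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH...""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for f in triage(text):
            print(f"{name}: [{f['phase']}] {f['cause']} "
                  f"x{f['count']} since {f['first_seen']} {sorted(f['addrs'])}")
```

Only the side that logs `processing NOTIFY PROPOSAL_NOT_CHOSEN` is told to look at its peer; the side that sends the notify is the one whose log names the local reason, as in scenario 12.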