人工智能uu

这个屌丝很懒，什么也没留下！

热门标签

观察IPSEC+IKE协商过程（H3C)

作者：人工智能uu | 2024-06-28 06:53:51

踩

ike notify 37

【组网情况】

R1--Serial0/6/0 --------------------------Serial0/6/0 ----R2

【需求】

用R2的Loop0口Ping R1的loop0口，在R2上debugging ike all debugging ipsec all 查看相关信息。

ping 的过程中会检查是否有IKE SA 没有则会建立，然后再建立IPSEC SA，整个过程如下

【配置】

用的是模拟器，但是对比过真机，基本无差别

ike peer peer1

pre-shared-key cipher PMEfbsX04vk=

remote-address 202.38.160.2

ipsec proposal tran1

esp authentication-algorithm sha1

ipsec policy map1 10 isakmp

security acl 3001

ike-peer peer1

proposal tran1

acl number 3001

rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

interface Serial0/6/0

link-protocol ppp

ip address 202.38.160.1 255.255.255.0

ipsec policy map1

interface LoopBack0

ip address 10.1.1.1 255.255.255.255

ip route-static 0.0.0.0 0.0.0.0 202.38.160.2

ike peer peer1

pre-shared-key cipher PMEfbsX04vk=

remote-address 202.38.160.1

ike peer peer2

pre-shared-key cipher qEozRmgSioU=

remote-address 202.38.160.1

ipsec proposal tran1

esp authentication-algorithm sha1

ipsec policy map1 10 isakmp

security acl 3001

ike-peer peer1

proposal tran1

acl number 3001

rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

interface Serial0/6/0

link-protocol ppp

ip address 202.38.160.2 255.255.255.0

ipsec policy map1

interface LoopBack0

ip address 10.1.2.1 255.255.255.255

ip route-static 0.0.0.0 0.0.0.0 202.38.160.1

【debugging信息】

<R2>ping -a 10.1.2.1 10.1.1.1

PING 10.1.1.1: 56 data bytes, press CTRL_C to break

*Mar 14 22:34:17:844 2013 R2 IPSEC/7/DBG:Set Local Address 202.38.160.2

*Mar 14 22:34:17:844 2013 R2 IPSEC/7/DBG:IPSec drop packet! Notify IKE to negotiate SA for IPsec policy: map1-10

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:transport reference: transport 654ca60 now has 2 references

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:transport reference: transport 654c7e0 now has 2 references

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:release transport: transport 654ca60 had 2 references

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:release transport: transport 654c7e0 had 2 references

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:Read message: message:

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:02060000 80000000 00000000 00000000 00000000 00000000 06000500 00000000

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:10020000 ca26a002 00000000 00000000 06000600 00000000 10020000 ca26a001

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:00000000 00000000 06000a00 06000000 00000000 0a010200 ffffff00 00000000

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:06000b00 06000000 00000000 0a010100 ffffff00 00000000 03000e00 00000000

*Mar 14 22:34:17:844 2013 R2 IKE/7/DEBUG:00000000 05001700 00000a00 00000000 6d617031 00000000 04001800 00000000

*Mar 14 22:34:17:859 2013 R2 IKE/7/DEBUG:00000000 00000000 56001900 00000000 36353544 32303000 9e220000 00000000

*Mar 14 22:34:17:859 2013 R2 IKE/7/DEBUG:00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 5

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 6

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 10

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 11

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 14

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 23

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 24

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Add message: type 25

*Mar 14 22:34:17:875 2013 R2 IKE/7/DEBUG:Connection name is 202.38.160.1,202.38.160.2,,map1,10-655D200,0

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:exchange lookup by name: name 202.38.160.1,202.38.160.2 phase 1

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:add transport: adding 658edc0

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:exchange lookup by name: name 202.38.160.1,202.38.160.2 phase 1

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:exchange create(i): 6570ad0 at 7368s

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:transport reference: transport 658edc0 now has 1 references

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:message alloc: allocated 6571070

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:create sa: sa 65702f0 phase 1 added to exchange 6570ad0

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:exchange validate: checking for required SA

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG:message_send: message 6571070 发送ike协商的消息1

*Mar 14 22:34:17:891 2013 R2 IKE/7/DEBUG: ICOOKIE: 0x4b006e3cec204045 发起方cookie，发起sa创建、sa通知或sa删除的实体的cookie

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000 响应方cookie，响应sa创建、sa通知或sa删除的实体的cookie

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: NEXT_PAYLOAD: SA 下一个有效载荷为安全关联

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: VERSION: 16 版本

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: EXCH_TYPE: ID_PROT ike交换类型为Identity Protection

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: FLAGS: [ ] 标志为空，表示数据没有进行加密

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: MESSAGE_ID: 0x00000000 报文id

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG: LENGTH: 84 报文长度，即整个报文的长度，单位为字节

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG:message dump: iovec 0:

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG:4b006e3c ec204045 00000000 00000000 01100200 00000000 00000054

*Mar 14 22:34:17:906 2013 R2 IKE/7/DEBUG:message dump: iovec 1:

*Mar 14 22:34:17:922 2013 R2 IKE/7/DEBUG:00000038 00000001 00000001

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:message dump: iovec 2:

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:0000002c 01010001

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:message dump: iovec 3:

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:00000024 00010000 80010001 80020002 80030001 80040001 800b0001 000c0004

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:00015180

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:exchange run(i): finished step 0, advancing...

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:transport reference: transport 658edc0 now has 2 references

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:transport reference: transport 654ca60 now has 2 references

*Mar 14 22:34:17:937 2013 R2 IKE/7/DEBUG:transport reference: transport 654c7e0 now has 2 references

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:transport 658edc0 sending message 6571070 0 times.

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:transport send messages: message 6571070 scheduled for retranslate 1 in 11 seconds

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:release transport: transport 658edc0 had 2 references

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:release transport: transport 654ca60 had 2 references

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:release transport: transport 654c7e0 had 2 references

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:add transport: adding 658e460

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:transport reference: transport 658e460 now has 1 references

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:message alloc: allocated 6570410

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG:message_recv: message 6570410 接收ike协商的消息2

*Mar 14 22:34:17:953 2013 R2 IKE/7/DEBUG: ICOOKIE: 0x4b006e3cec204045

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: RCOOKIE: 0x3d4bd616a7e6da0c 对端的COOKIE有了！与消息1中进行对比

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: NEXT_PAYLOAD: SA

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: VERSION: 16

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: EXCH_TYPE: ID_PROT

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: FLAGS: [ ]

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: MESSAGE_ID: 0x00000000

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: LENGTH: 84

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:message dump: iovec 0:

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:4b006e3c ec204045 3d4bd616 a7e6da0c 01100200 00000000 00000054 00000038

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:00000001 00000001 0000002c 01010001 00000024 00010000 80010001 80020002

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:80030001 80040001 800b0001 000c0004 00015180

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:exchange lookup from cookie: icookie 4b006e3cec204045

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: checking 202.38.160.1,202.38.160.2 && 1...

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG: found exchange 202.38.160.1,202.38.160.2 && 1... 建立交换

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:transport reference: transport 658e460 now has 2 references

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:check message duplicate: last_received 0x0

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:message free: freeing 6571070

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:release transport: transport 658edc0 had 1 references

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:release transport:: freeing 658edc0

*Mar 14 22:34:17:969 2013 R2 IKE/7/DEBUG:message parse payloads: payload SA 处理安全关联载荷

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG:validate payload SA of message 6570410

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG: DOI: 1 解释域的值为1，表明ISAKMP SA在第二阶段用于IPSec

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG:message parse payloads: payload PROPOSAL 处理PROPOSAL载荷

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG:message parse payloads: payload TRANSFORM 处理TRANSFORM载荷

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG:validate payload PROPOSAL of message 6570410

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG: NO: 1

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG: PROTO: ISAKMP

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG: SPI_SZ: 0

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG: NTRANSFORMS: 1

*Mar 14 22:34:18:00 2013 R2 IKE/7/DEBUG:validate payload TRANSFORM of message 6570410

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: NO: 0

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: ID: 1

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Transform 0's attributes

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : DES_CBC ike安全提议加密算法为DES_CBC

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Attribute HASH_ALGORITHM : SHA ike安全提议验证算法为SHA

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED 鉴定方式为预共享密钥

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_768

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS 生存周期

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG: Attribute LIFE_DURATION : 86400

*Mar 14 22:34:18:16 2013 R2 IKE/7/DEBUG:exchange validate: checking for required SA

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:add transform sa: proto 65a0a00 no 1 proto 1 chosen 656ada0 sa 65702f0 id 1

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:ipsec_decode_transform: transform 0 chosen

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:get group: returning 65a09a0 of group 1

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:exchange run(i): finished step 1, advancing...

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:transport reference: transport 658e460 now has 3 references

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:message alloc: allocated 6571070

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:ipsec: g^xi:

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:25f3a7ab 01ce602e 0f84b326 c3227a9e f18c4999 36595bb4 6e358a94 3ef8c8b3

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:9797409e 33c0911d cd583d3c 9a15ab60 15b7d2b1 1206ff05 282bd4ca 984e78dc

*Mar 14 22:34:18:31 2013 R2 IKE/7/DEBUG:16c3a06e a5f4e31c 92192e7c f32857dd eaa9e295 7153ad55 cb78b090 b0658cd3

*Mar 14 22:34:18:47 2013 R2 IKE/7/DEBUG:exchange : NONCE_i: 通过DH算法得出临时值Ni,响应方的临时值为Nr

*Mar 14 22:34:18:47 2013 R2 IKE/7/DEBUG:7c5d34e5 1977cabb 82c2d0ea 538159bb </

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/人工智能uu/article/detail/765165