
IPsec Lab Summary

Date: 2025-01-07 21:30:30

1. IKE main mode with pre-shared key authentication: configuration example

1.1 Reference configuration:

Topology: A---B

Device A

 sysname A
#
interface LoopBack0
 ip address 2.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy map1
#
 ip route-static 0.0.0.0 0 1.1.1.2
#
acl advanced 3001
 rule 0 permit ip source 2.1.1.1 0 destination 3.1.1.1 0
#
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
#
ipsec policy map1 10 isakmp
 transform-set tran1
 security acl 3001
 remote-address 1.1.1.2
 ike-profile profile1
#
ike profile profile1
 keychain keychain1
 local-identity address 1.1.1.1
 match remote identity address 1.1.1.2 255.255.255.0
#
ike keychain keychain1
 pre-shared-key address 1.1.1.2 255.255.255.255 key cipher admin@123
#

Device B

 sysname B
#
interface LoopBack0
 ip address 3.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.2 255.255.255.0
 ipsec apply policy map1
#
 ip route-static 0.0.0.0 0 1.1.1.1
#
acl advanced 3001
 rule 0 permit ip source 3.1.1.1 0 destination 2.1.1.1 0
#
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
#
ipsec policy map1 10 isakmp
 transform-set tran1
 security acl 3001
 remote-address 1.1.1.1
 ike-profile profile1
#
ike profile profile1
 keychain keychain1
 local-identity address 1.1.1.2
 match remote identity address 1.1.1.1 255.255.255.0
#
ike keychain keychain1
 pre-shared-key address 1.1.1.1 255.255.255.255 key cipher admin@123
#

Run ping -a 2.1.1.1 3.1.1.1 // interesting traffic triggers IKE/IPsec establishment

<A>display ike sa

    Connection-ID   Local               Remote              Flag      DOI

-------------------------------------------------------------------------

    1               1.1.1.1             1.1.1.2             RD        IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

<A>display ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1440

    Tunnel:

        local  address: 1.1.1.1

        remote address: 1.1.1.2

    Flow:

        sour addr: 2.1.1.1/255.255.255.255  port: 0  protocol: ip

        dest addr: 3.1.1.1/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 1208970218 (0x480f6bea)

      Connection ID: 4294967296

      Transform set: ESP-ENCRYPT-AES-CBC-128

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3341

      Max received sequence-number: 0

      Anti-replay check enable: N

      Anti-replay window size:

      UDP encapsulation used for NAT traversal: N

      Status: Active

    [Outbound ESP SAs]

      SPI: 2463401445 (0x92d485e5)

      Connection ID: 4294967297

      Transform set: ESP-ENCRYPT-AES-CBC-128

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3341

      Max sent sequence-number: 9

      UDP encapsulation used for NAT traversal: N

      Status: Active

1.2 Debug output:

Main mode message exchange: IKE main mode negotiation has two phases.

Phase 1 negotiates the IKE SA; phase 2, the quick mode phase, negotiates the IPsec SAs.

Phase 1 negotiation: in main mode, phase 1 consists of 6 messages.

1. Message 1: the initiator sends an IKE negotiation message to the responder. It carries the local IP address and peer IP address for the IKE negotiation and the proposed authentication and encryption algorithms.

2. Message 2: the responder's reply. It carries the local IP, the peer IP and the encryption and authentication algorithms requested in message 1 (there is a special note on this later).

3. Message 3: the initiator sends a DH negotiation message to the responder. It carries the DH random value (nonce) and the DH exchange value.

4. Message 4: the responder sends a DH response to the initiator. It carries the DH random value (nonce) and the DH exchange value.

5. Message 5: the initiator sends an identity negotiation message to the responder. It carries the hash of the IKE negotiation and the value encrypted with the pre-shared key.

6. Message 6: the responder sends an identity negotiation message to the initiator. It carries the hash of the IKE negotiation and the value encrypted with the pre-shared key.

At this point phase 1 is complete and the IKE phase-1 SA has been established.

Phase 2 negotiation: in main mode, phase 2 consists of 3 messages.

1. Message 1: the initiator sends a quick mode negotiation message to the responder. It carries the authentication and encryption methods of the IPsec security proposal and the subnet information of the data flow to be protected.

2. Message 2: the responder sends a quick mode negotiation message to the initiator. It carries the authentication and encryption methods of the IPsec security proposal and the subnet information of the data flow to be protected.

3. Message 3: a verification message. Data is encrypted with the negotiated key material to confirm that both ends can encrypt and decrypt correctly.

<A>ping -c 1 -a 2.1.1.1 3.1.1.1

Ping 3.1.1.1 (3.1.1.1) from 2.1.1.1: 56 data bytes, press CTRL+C to break

*Jan  5 15:10:40:760 2025 A IPSEC/7/EVENT:

Can't find block-flow node.

*Jan  5 15:10:40:761 2025 A IPSEC/7/PACKET:

Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 655360.

*Jan  5 15:10:40:761 2025 A IPSEC/7/ERROR:

The reason of dropping packet is no available IPsec tunnel.

*Jan  5 15:10:40:761 2025 A IPSEC/7/EVENT:

Sent SA-Acquire message : SP ID = 0

*Jan  5 15:10:40:761 2025 A IPSEC/7/EVENT:

Received negotiatiate SA message from IPsec kernel.

*Jan  5 15:10:40:761 2025 A IPSEC/7/EVENT:

 Got SA time-based soft lifetime settings when filling Sp data.

 Configured soft lifetime buffer          : 0 seconds.

 Configured global soft lifetime buffer   : 0 seconds.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: Received message from ipsec, message type is 0.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: Received SA acquire message from IPsec.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: Received SA acquire message from IPsec.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Set IPsec SA state to IKE_P2_STATE_INIT.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Obtained profile profile1.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Initiator created an SA for peer 1.1.1.2, local port 500, remote port 500.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Set IKE SA state to IKE_P1_STATE_INIT.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:761 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Begin Main mode exchange.

*Jan  5 15:10:40:762 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Found pre-shared key that matches address 1.1.1.2 in keychain keychain1.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Encryption algorithm is DES-CBC.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Hash algorithm is HMAC-SHA1.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  DH group 1.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Authentication method is Pre-shared key.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Lifetime type is in seconds.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Life duration is 86400.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct transform payload for transform 1.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Constructed SA payload.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NAT-T rfc3947 vendor ID payload.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NAT-T draft3 vendor ID payload.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NAT-T draft2 vendor ID payload.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NAT-T draft1 vendor ID payload.

*Jan  5 15:10:40:762 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending packet to 1.1.1.2 remote port 500, local port 500. // IKE packet 1; its header fields follow.

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500  // carries the local and peer addresses, port 500

  I-Cookie: 6897b8463b96e909 // local (initiator) cookie

  R-Cookie: 0000000000000000 // first packet from the initiator: the peer's cookie is not yet known

  next payload: SA // next payload is SA

  version: ISAKMP Version 1.0 // version v1

  exchange mode: Main // main mode

  flags:

  message ID: 0

  length: 164

*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending an IPv4 packet.

*Jan  5 15:10:40:762 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sent data to socket successfully.

*Jan  5 15:10:40:763 2025 A IKE/7/EVENT: Received packet successfully.

*Jan  5 15:10:40:763 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received packet from 1.1.1.2 source port 500 destination port 500. // IKE packet 2; its header fields follow.

*Jan  5 15:10:40:763 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db // cookie value returned by the peer

  next payload: SA

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags:

  message ID: 0

  length: 136

*Jan  5 15:10:40:764 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:764 2025 A IKE/7/EVENT: Phase1 process started.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Security Association Payload.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process SA payload.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Check ISAKMP transform 1.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Encryption algorithm is DES-CBC.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  HASH algorithm is HMAC-SHA1.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  DH group is 1.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Authentication method is Pre-shared key.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Lifetime type is 1.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Life duration is 86400.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Attributes is acceptable.

*Jan  5 15:10:40:764 2025 A IKE/7/EVENT: Oakley transform 1 is acceptable.

*Jan  5 15:10:40:764 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process vendor ID payload.

*Jan  5 15:10:40:764 2025 A IKE/7/EVENT: Vendor ID NAT-T rfc3947 is matched.

*Jan  5 15:10:40:764 2025 A IKE/7/EVENT: Vendor ID XAUTH Cisco Unity 1.0 is matched.

*Jan  5 15:10:40:764 2025 A IKE/7/EVENT: Vendor ID XAUTH draft6 is matched.

*Jan  5 15:10:40:770 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct KE payload.

*Jan  5 15:10:40:770 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NONCE payload.

*Jan  5 15:10:40:770 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NAT-D payload.

*Jan  5 15:10:40:770 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct DPD vendor ID payload.

*Jan  5 15:10:40:770 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.

*Jan  5 15:10:40:771 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending packet to 1.1.1.2 remote port 500, local port 500. // IKE packet 3; its header fields follow.

*Jan  5 15:10:40:771 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: KE  // next payload is KE (key exchange)

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags:

  message ID: 0

  length: 216

*Jan  5 15:10:40:771 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending an IPv4 packet.

*Jan  5 15:10:40:771 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sent data to socket successfully.

*Jan  5 15:10:40:787 2025 A IKE/7/EVENT: Received packet successfully.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received packet from 1.1.1.2 source port 500 destination port 500. // IKE packet 4; its header fields follow.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: KE

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags:

  message ID: 0

  length: 216

*Jan  5 15:10:40:787 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:787 2025 A IKE/7/EVENT: Phase1 process started.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Key Exchange Payload.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Nonce Payload.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP NAT-D Payload.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP NAT-D Payload.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process KE payload.

*Jan  5 15:10:40:787 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process NONCE payload.

*Jan  5 15:10:40:793 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received 2 NAT-D payload.

*Jan  5 15:10:40:793 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Local ID type: IPV4_ADDR (1).

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Local ID value: 1.1.1.1.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct ID payload.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

HASH:

 c3d5992e facdfd31 6688cf88 8d7271f8 a31c11d0

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct authentication by pre-shared-key.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct INITIAL-CONTACT payload.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Encrypt the packet.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process vendor ID payload.

*Jan  5 15:10:40:794 2025 A IKE/7/EVENT: Vendor ID DPD is matched.

*Jan  5 15:10:40:794 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending packet to 1.1.1.2 remote port 500, local port 500. // IKE packet 5; its header fields follow.

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: ID // next payload is ID (identification)

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: ENCRYPT

  message ID: 0

  length: 92

*Jan  5 15:10:40:794 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending an IPv4 packet.

*Jan  5 15:10:40:795 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sent data to socket successfully.

*Jan  5 15:10:40:796 2025 A IKE/7/EVENT: Received packet successfully.

*Jan  5 15:10:40:796 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received packet from 1.1.1.2 source port 500 destination port 500. // IKE packet 6; its header fields follow.

*Jan  5 15:10:40:796 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: ID

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: ENCRYPT

  message ID: 0

  length: 68

*Jan  5 15:10:40:796 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:796 2025 A IKE/7/EVENT: Phase1 process started.

*Jan  5 15:10:40:796 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Decrypt the packet.

*Jan  5 15:10:40:796 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Identification Payload.

*Jan  5 15:10:40:796 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Hash Payload.

*Jan  5 15:10:40:796 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process ID payload.

*Jan  5 15:10:40:797 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Peer ID type: IPV4_ADDR (1).

*Jan  5 15:10:40:797 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Peer ID value: address 1.1.1.2.

*Jan  5 15:10:40:797 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Verify HASH payload.

*Jan  5 15:10:40:797 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

HASH:

 df4ce143 5c8bf88d f0608074 7b543c26 e234a0e3

*Jan  5 15:10:40:797 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

HASH verification succeeded.

*Jan  5 15:10:40:797 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.

*Jan  5 15:10:40:797 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

The default soft lifetime 77760(seconds) was used for the IKE P1 SA.

*Jan  5 15:10:40:797 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Add tunnel, alloc new tunnel with ID [1].

*Jan  5 15:10:40:797 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:798 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Begin Quick mode exchange.

*Jan  5 15:10:40:798 2025 A IKE/7/EVENT: Received message from ipsec, message type is 9.

*Jan  5 15:10:40:798 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.

*Jan  5 15:10:40:798 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Set attributes according to phase 2 transform.

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Encapsulation mode is Tunnel.

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  in seconds

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Life duration is 3600.

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  in kilobytes

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Life duration is 1843200.

*Jan  5 15:10:40:798 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Key length is 128 bytes.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Transform ID is AES-CBC.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct transform 1.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct IPsec proposal 1.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct IPsec SA payload.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct NONCE payload.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct IPsec ID payload.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct IPsec ID payload.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct HASH(1) payload.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Encrypt the packet.

*Jan  5 15:10:40:799 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending packet to 1.1.1.2 remote port 500, local port 500. // IPsec (quick mode) packet 1; its header fields follow.

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: HASH // next payload is HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 507ac03f

  length: 156

*Jan  5 15:10:40:799 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending an IPv4 packet.

*Jan  5 15:10:40:800 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sent data to socket successfully.

*Jan  5 15:10:40:804 2025 A IKE/7/EVENT: Received packet successfully.

*Jan  5 15:10:40:804 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received packet from 1.1.1.2 source port 500 destination port 500. // IPsec (quick mode) packet 2; its header fields follow.

*Jan  5 15:10:40:804 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 507ac03f

  length: 156

*Jan  5 15:10:40:814 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:814 2025 A IKE/7/EVENT: Phase2 process started.

*Jan  5 15:10:40:814 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Decrypt the packet.

*Jan  5 15:10:40:814 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Hash Payload.

*Jan  5 15:10:40:814 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Security Association Payload.

*Jan  5 15:10:40:814 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Nonce Payload.

*Jan  5 15:10:40:814 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Identification Payload (IPsec DOI).

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Received ISAKMP Identification Payload (IPsec DOI).

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process HASH payload.

*Jan  5 15:10:40:815 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Validated HASH(2) successfully.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process IPsec SA payload.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Check IPsec proposal 1.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Parse transform 1.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Encapsulation mode is Tunnel.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Lifetime type is in seconds.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Life duration is 3600.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Lifetime type is in kilobytes.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Life duration is 1843200.

*Jan  5 15:10:40:815 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Key length is 128 bytes.

*Jan  5 15:10:40:816 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Transform ID is AES-CBC.

*Jan  5 15:10:40:816 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

The proposal is acceptable.

*Jan  5 15:10:40:816 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process IPsec ID payload.

*Jan  5 15:10:40:816 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Process IPsec ID payload.

*Jan  5 15:10:40:816 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Install IPsec SAs.

*Jan  5 15:10:40:816 2025 A IKE/7/EVENT:   Inbound flow: 3.1.1.1/32->2.1.1.1/32

*Jan  5 15:10:40:816 2025 A IKE/7/EVENT:   Outbound flow: 2.1.1.1/32->3.1.1.1/32

*Jan  5 15:10:40:816 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Lifetime in seconds: 3600

*Jan  5 15:10:40:816 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  Lifetime in kilobytes: 1843200

*Jan  5 15:10:40:816 2025 A IKE/7/EVENT:

  Protocol: 50

  Inbound  SPI: 0xbc5b3520

  Outbound SPI: 0x0d1ca3d8

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Can not find IPsec tunnel in same flow hash table, and will create a new one.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

IPsec tunnel successfully added in kernel.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

SA successfully added in kernel.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

SA successfully added in kernel.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

 Got default traffic-based lifetime settings for IPsec P2 SA  when filling ISAKMP SA data:

 Role                      : Initiator.

 Default soft lifetime     : 1509949440 bytes.

 Hard lifetime             : 1887436800 bytes.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

 Got traffic-based lifetime settings for IPsec P2 SA when filling ISAKMP SA data:

 Role                                        : Initiator.

 Configured soft lifetime buffer             : 0 bytes.

 Configured global soft lifetime buffer      : 0 bytes.

 Default soft lifetime                       : 1509949440 bytes.

 Hard lifetime after negotiation             : 1887436800 bytes.

 Actual soft lifetime                        : 1509949440 bytes.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Added tunnel to kernel successfully.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Sent add tunnel message to Slot:0 Cpu:0, message type is 0x13.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Save IPsec Tunnel to DBM, tunnelIndex 0, refreshCnt 0, createTime 1938

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Added an IPsec tunnel when adding ISAKMP SA: tunnel index = 0, tunnel sequence number = 3.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Added SA to kernel successfully.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Added ISAKMP SAs. Number of SAs added is 2.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

No.1 SA index: 0, sequence number: 3.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

No.2 SA index: 1, sequence number: 3.

*Jan  5 15:10:40:817 2025 A IPSEC/7/EVENT:

Added SA context to IKE.

*Jan  5 15:10:40:817 2025 A IKE/7/EVENT: Received message from ipsec, message type is 11.

*Jan  5 15:10:40:817 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.

*Jan  5 15:10:40:818 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:818 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Construct HASH(3) payload.

*Jan  5 15:10:40:818 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Encrypt the packet.

*Jan  5 15:10:40:818 2025 A IPSEC/7/EVENT:

Updated outbound SA of IPsec tunnel(SA index = 0, SPI = 0xd8a31c0d).

*Jan  5 15:10:40:818 2025 A IPSEC/7/EVENT:

Sent switch SA message to Slot:0 Cpu:0, message type is 0x1a.

*Jan  5 15:10:40:818 2025 A IPSEC/7/EVENT:

Switch SA and delete blockflow node. SA index : 1, SA Seq : 3.Block index : 0, Block seq : 3.

*Jan  5 15:10:40:818 2025 A IPSEC/7/EVENT:

Switched SA successfully.

*Jan  5 15:10:40:818 2025 A IKE/7/EVENT: Received message from ipsec, message type is 15.

*Jan  5 15:10:40:818 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_SA_SWITCH.

*Jan  5 15:10:40:818 2025 A IKE/7/EVENT: IKE thread 3061771216 processes a job.

*Jan  5 15:10:40:819 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

IPsec SA state changed from IKE_P2_STATE_SA_SWITCH to IKE_P2_STATE_ESTABLISHED.

*Jan  5 15:10:40:819 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending packet to 1.1.1.2 remote port 500, local port 500. // IPsec (quick mode) packet 3; its header fields follow.

*Jan  5 15:10:40:819 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

  I-Cookie: 6897b8463b96e909

  R-Cookie: 78a217240c0b75db

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 507ac03f

  length: 52

*Jan  5 15:10:40:819 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sending an IPv4 packet.

*Jan  5 15:10:40:819 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Sent data to socket successfully.

*Jan  5 15:10:40:819 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

 Got time-based lifetime settings for IKE P2 SA:

 Role                                 : Initiator.

 Configured soft lifetime buffer      : 0 seconds.

 Hard lifetime after negotiation      : 3600 seconds.

 Default soft lifetime                : 2700 seconds.

 Actual soft lifetime                 : 2700 seconds.

*Jan  5 15:10:40:824 2025 A IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500

Add P2 SA to triple successfully.

Request time out

--- Ping statistics for 3.1.1.1 ---

1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss

<A>

<A>%Jan  5 15:10:42:965 2025 A PING/6/PING_STATISTICS: Ping statistics for 3.1.1.1: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
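The header fields annotated in the debug output above (cookies, next payload, exchange mode, flags, message ID, length) can be extracted and checked mechanically. The Python below is an added example, not part of the original write-up or H3C's code: its sample log is constructed from the format shown above, and all function names are its own. The configuration above defines no ike proposal, and the debug shows the negotiation settled on DES-CBC, HMAC-SHA1 and DH group 1, which is exactly what the audit function flags.

```python
"""Parse H3C-style 'debugging ike' output into ISAKMP headers and audit the
exchange. Added example, not H3C code; the sample log below is constructed."""
import re

# Constructed excerpt: proposal lines, then headers of main-mode packets 1 and 6
# and quick-mode packet 1, in the layout the debug output prints them.
SAMPLE_DEBUG = """\
  Encryption algorithm is DES-CBC.
  Hash algorithm is HMAC-SHA1.
  DH group 1.
Sending packet to 1.1.1.2 remote port 500, local port 500. // ike packet 1
*Jan  5 15:10:40:762 2025 A IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 1.1.1.2/500
  I-Cookie: 6897b8463b96e909
  R-Cookie: 0000000000000000
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Main
  flags:
  message ID: 0
  length: 164
Received packet from 1.1.1.2 source port 500 destination port 500. // ike packet 6
  I-Cookie: 6897b8463b96e909
  R-Cookie: 78a217240c0b75db
  next payload: ID
  version: ISAKMP Version 1.0
  exchange mode: Main
  flags: ENCRYPT
  message ID: 0
  length: 68
Sending packet to 1.1.1.2 remote port 500, local port 500. // ipsec packet 1
  I-Cookie: 6897b8463b96e909
  R-Cookie: 78a217240c0b75db
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 507ac03f
  length: 156
"""

# Debug field name -> dict key; the "version" line is deliberately not mapped.
FIELDS = {"I-Cookie": "icookie", "R-Cookie": "rcookie", "next payload": "next_payload",
          "exchange mode": "exchange", "flags": "flags", "message ID": "message_id",
          "length": "length"}

def parse_packets(log):
    """Return one dict per header block that follows a Sending/Received line."""
    packets, current = [], None
    for raw in log.splitlines():
        line = raw.split("//")[0].strip()       # drop trailing "// ..." annotations
        if line.startswith("Sending packet to"):
            current = {"direction": "sent"}
        elif line.startswith("Received packet from"):
            current = {"direction": "received"}
        elif current is not None:
            key, _, value = line.partition(":")
            attr, value = FIELDS.get(key.strip()), value.strip()
            if attr == "flags":
                current[attr] = value.split()    # [] for packets 1-4, ["ENCRYPT"] after
            elif attr == "message_id":
                current[attr] = int(value, 16)   # printed as hex without 0x
            elif attr == "length":
                current[attr] = int(value)
                packets.append(current)          # length is the last header field
                current = None
            elif attr:
                current[attr] = value
    return packets

def check_exchange(packets):
    """Cookies fixed per SA, message ID 0 only in phase 1, no cleartext ID/quick mode."""
    findings = []
    for n, p in enumerate(packets, 1):
        if p["icookie"] != packets[0]["icookie"]:
            findings.append(f"packet {n}: initiator cookie changed")
        if (p["exchange"] == "Quick") != (p["message_id"] != 0):
            findings.append(f"packet {n}: message ID {p['message_id']:x} in {p['exchange']} mode")
        if (p["exchange"] == "Quick" or p["next_payload"] == "ID") and "ENCRYPT" not in p["flags"]:
            findings.append(f"packet {n}: {p['next_payload']} payload sent in cleartext")
    return findings

def phase1_attributes(log):
    """Negotiated phase-1 proposal from the 'algorithm is' and 'DH group' lines."""
    attrs = {}
    for line in log.splitlines():
        m = re.search(r"(Encryption|Hash|HASH) algorithm is (\S+)\.|DH group(?: is)? (\d+)\.", line)
        if m and m.group(3):
            attrs["dh_group"] = int(m.group(3))
        elif m:
            attrs[m.group(1).lower()] = m.group(2)   # "hash" covers both spellings
    return attrs

def weak_phase1(attrs):
    """Proposal values to reject: 64-bit block ciphers and DH groups under 2048 bits."""
    findings = []
    if attrs.get("encryption") in ("DES-CBC", "3DES-CBC"):
        findings.append(f"encryption {attrs['encryption']}")
    if attrs.get("dh_group", 99) < 14:
        findings.append(f"DH group {attrs['dh_group']}")
    return findings
```

Passing the complete debugging ike capture above instead of SAMPLE_DEBUG lists every packet header of the negotiation in order.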

2. IKE aggressive mode with NAT traversal: configuration example

2.1 Reference configuration:

Topology: A(0/0)---(0/0)B(0/1)---(0/0)C

Device A (sysname RTA)

 sysname RTA
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.252
 ipsec apply policy policy1
#
 ip route-static 0.0.0.0 0 1.1.1.2
#
acl advanced 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set transform1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy policy1 1 isakmp
 transform-set transform1
 security acl 3000
 remote-address 2.2.2.2
 ike-profile profile1
#
ike profile profile1
 keychain keychain1
 exchange-mode aggressive
 local-identity fqdn www.devicea.com
 match remote identity address 2.2.2.2 255.255.0.0
#
ike keychain keychain1
 pre-shared-key address 2.2.2.2 255.255.0.0 key cipher admin@123
#

Device C (sysname RTB)

 sysname RTB
#
interface LoopBack0
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 2.2.2.2 255.255.255.252
 ipsec apply policy policy1
#
 ip route-static 10.1.1.0 24 2.2.2.1
#
ipsec transform-set transform1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template template1 1
 transform-set transform1
 local-address 2.2.2.2
 ike-profile profile1
#
ipsec policy policy1 1 isakmp template template1
#
ike profile profile1
 keychain keychain1
 exchange-mode aggressive
 match remote identity fqdn www.devicea.com
#
ike keychain keychain1
 pre-shared-key hostname www.devicea.com key cipher admin@123
#

Device B configuration:

sysname NAT

#

interface GigabitEthernet0/0

 port link-mode route

 combo enable copper

 ip address 1.1.1.2 255.255.255.252

#

interface GigabitEthernet0/1

 port link-mode route

 combo enable copper

 ip address 2.2.2.1 255.255.255.252

 nat outbound

#

<RTA>display ike sa

    Connection-ID   Local               Remote              Flag      DOI

-------------------------------------------------------------------------

    2               1.1.1.1             2.2.2.2             RD        IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

<RTA>display ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

  -----------------------------

  IPsec policy: policy1

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1436

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.2

    Flow:

        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 1443389746 (0x56086132)

      Connection ID: 12884901889

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3545

      Max received sequence-number: 0

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: Y

      Status: Active

    [Outbound ESP SAs]

      SPI: 3650774992 (0xd99a67d0)

      Connection ID: 12884901888

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3545

      Max sent sequence-number: 0

      UDP encapsulation used for NAT traversal: Y // NAT traversal indicator

      Status: Active

Enable session statistics enable in system view on device B to see the packet counters; otherwise they read 0.

[NAT]display nat session verbose

Slot 0:

Initiator:

  Source      IP/port: 1.1.1.1/4500

  Destination IP/port: 2.2.2.2/4500

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

  Inbound interface: GigabitEthernet0/0

Responder:

  Source      IP/port: 2.2.2.2/4500

  Destination IP/port: 2.2.2.1/1024

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

  Inbound interface: GigabitEthernet0/1

State: UDP_READY

Application: GENERAL_UDP

Rule ID: -/-/-

Rule name:

Start time: 2025-01-05 15:58:48  TTL: 56s

Initiator->Responder:            8 packets       1037 bytes

Responder->Initiator:            7 packets       1008 bytes

2.2 Debug output:

IKE aggressive-mode negotiation has two phases: phase 1 negotiates the IKE SA, and phase 2 (quick mode) negotiates the IPsec SA.

Phase 1 negotiation: in aggressive mode, phase 1 consists of 3 messages.

1. First message: the initiator sends the IKE negotiation message to the responder; it carries the initiator's IP/name (identity), the proposed authentication and encryption algorithms, and the DH exchange data.

2. Second message: the responder's reply; it carries the responder's IP/name (identity), the encryption and authentication algorithms accepted from the first message, the DH exchange data, and the responder's authentication information.

3. Third message: the initiator sends its authentication information to the responder.

At this point phase 1 negotiation is complete and the phase 1 IKE SA is established.

Next is the phase 2 negotiation: quick mode consists of 3 messages.

1. First message: the initiator sends the quick-mode negotiation message to the responder; it carries the IPsec proposal (authentication and encryption methods) and the address ranges of the data flow to be protected.

2. Second message: the responder sends its quick-mode negotiation message to the initiator; it likewise carries the IPsec proposal (authentication and encryption methods) and the address ranges of the data flow to be protected.

3. Third message: a verification message; data is encrypted with the negotiated keying material to confirm that both ends can encrypt and decrypt correctly.
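The header dumps in the debug output below (I-Cookie, R-Cookie, exchange mode, flags, message ID, length) are the fixed ISAKMP header, and once the port floats to 4500 the same socket also carries NAT keepalives and ESP. As an added example (not part of the original post or of the device output), this Python code builds that header with the page's values, parses it back, and demultiplexes UDP/4500 datagrams as RFC 3948 requires; the datagrams are constructed, and only the header, not the payloads, is reproduced.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1), 28 bytes, network byte order:
# I-Cookie, R-Cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPT = 0x01
EXCHANGE_MODES = {2: "Identity Protection (Main)", 4: "Aggressive", 5: "Informational", 32: "Quick"}
NEXT_PAYLOADS = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID", 20: "NAT-D"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 is prefixed by 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948: the NAT keepalive is a single 0xFF byte


def build_isakmp_header(i_cookie_hex, r_cookie_hex, next_payload, exchange, flags, message_id, length):
    """Serialise the header only; version is fixed at 0x10 (ISAKMP 1.0) as in the page's dumps."""
    return ISAKMP_HEADER.pack(bytes.fromhex(i_cookie_hex), bytes.fromhex(r_cookie_hex),
                              next_payload, 0x10, exchange, flags, message_id, length)


def parse_isakmp_header(data):
    """Decode the header into the fields the device prints ('I-Cookie', 'exchange mode', ...)."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    i_cky, r_cky, npl, ver, exch, flags, mid, length = ISAKMP_HEADER.unpack_from(data)
    if length < ISAKMP_HEADER.size:
        raise ValueError("length field smaller than the header itself")
    return {
        "i_cookie": i_cky.hex(),
        "r_cookie": r_cky.hex(),                  # all zero only in the very first message
        "next_payload": NEXT_PAYLOADS.get(npl, str(npl)),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_mode": EXCHANGE_MODES.get(exch, str(exch)),
        "encrypted": bool(flags & FLAG_ENCRYPT),  # the 'flags: ENCRYPT' line in the dumps
        "message_id": f"{mid:08x}",               # 0 in phase 1; quick mode carries a fresh non-zero ID
        "length": length,
        "phase1": mid == 0,
    }


def classify_udp4500(payload):
    """Demultiplex one UDP/4500 datagram the way RFC 3948 requires (keepalive / IKE / ESP)."""
    if payload == NAT_KEEPALIVE:
        return ("NAT-KEEPALIVE", None)
    if payload.startswith(NON_ESP_MARKER):
        return ("IKE", parse_isakmp_header(payload[len(NON_ESP_MARKER):]))
    if len(payload) >= 8:                         # ESP header: SPI (4 bytes) + sequence number (4 bytes)
        spi, seq = struct.unpack_from("!II", payload)
        return ("ESP-in-UDP", {"spi": f"0x{spi:08x}", "sequence": seq})
    raise ValueError("unrecognised UDP/4500 payload")


def sample_datagrams():
    """Constructed datagrams carrying the header values shown in the page's debug output."""
    i_cky, r_zero, r_cky = "4a403cc6998232c9", "0000000000000000", "b1f9d249c1dbdc3b"
    return {
        # aggressive mode message 1 (UDP/500): SA first, responder cookie still zero, cleartext
        "aggr1_udp500": build_isakmp_header(i_cky, r_zero, 1, 4, 0, 0, 328),
        # aggressive mode message 3 after the port float: non-ESP marker + encrypted HASH
        "aggr3_udp4500": NON_ESP_MARKER + build_isakmp_header(i_cky, r_cky, 8, 4, FLAG_ENCRYPT, 0, 132),
        # quick mode message 1: exchange type 32, fresh message ID
        "quick1_udp4500": NON_ESP_MARKER + build_isakmp_header(i_cky, r_cky, 8, 32, FLAG_ENCRYPT, 0x17059AE9, 164),
        "keepalive_udp4500": NAT_KEEPALIVE,
        # ESP-in-UDP using the outbound SPI from 'display ipsec sa'; the ciphertext stand-in is zeros
        "esp_udp4500": struct.pack("!II", 0xD99A67D0, 1) + b"\x00" * 16,
    }


if __name__ == "__main__":
    for name, datagram in sample_datagrams().items():
        if name.endswith("4500"):
            print(name, *classify_udp4500(datagram))
        else:
            print(name, "IKE", parse_isakmp_header(datagram))
```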

<RTA>ping -c 1 -a  10.1.1.1 10.1.2.1

Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL+C to break

*Jan  5 15:59:33:862 2025 RTA IPSEC/7/EVENT:

Can't find block-flow node.

*Jan  5 15:59:33:863 2025 RTA IPSEC/7/PACKET:

Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.

*Jan  5 15:59:33:863 2025 RTA IPSEC/7/ERROR:

The reason of dropping packet is no available IPsec tunnel. // no usable IPsec tunnel yet; establishment starts below

*Jan  5 15:59:33:863 2025 RTA IPSEC/7/EVENT:

Sent SA-Acquire message : SP ID = 0

*Jan  5 15:59:33:863 2025 RTA IPSEC/7/EVENT:

Received negotiatiate SA message from IPsec kernel. // SA negotiation starts

*Jan  5 15:59:33:863 2025 RTA IPSEC/7/EVENT:

 Got SA time-based soft lifetime settings when filling Sp data.

 Configured soft lifetime buffer          : 0 seconds.

 Configured global soft lifetime buffer   : 0 seconds.

*Jan  5 15:59:33:863 2025 RTA IKE/7/EVENT: Received message from ipsec, message type is 0.

*Jan  5 15:59:33:863 2025 RTA IKE/7/EVENT: Received SA acquire message from IPsec.

*Jan  5 15:59:33:863 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:863 2025 RTA IKE/7/EVENT: Received SA acquire message from IPsec.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Set IPsec SA state to IKE_P2_STATE_INIT.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Obtained profile profile1.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Initiator created an SA for peer 2.2.2.2, local port 500, remote port 500.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Set IKE SA state to IKE_P1_STATE_INIT.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Begin Aggressive mode exchange. // aggressive-mode negotiation starts

*Jan  5 15:59:33:864 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Found pre-shared key that matches address 2.2.2.2 in keychain keychain1.

*Jan  5 15:59:33:864 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Encryption algorithm is DES-CBC.

*Jan  5 15:59:33:864 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Hash algorithm is HMAC-SHA1.

*Jan  5 15:59:33:864 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  DH group 1.

*Jan  5 15:59:33:864 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Authentication method is Pre-shared key.

*Jan  5 15:59:33:864 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Lifetime type is in seconds.

*Jan  5 15:59:33:865 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Life duration is 86400.

*Jan  5 15:59:33:865 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct transform payload for transform 1.

*Jan  5 15:59:33:865 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Constructed SA payload. // SA payload built from the attributes above

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct KE payload.

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct NONCE payload.

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Local ID type: FQDN (2). // in aggressive mode the address is not fixed, so the local end identifies itself by FQDN

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Local ID value: www.devicea.com.

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct ID payload.

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct DPD vendor ID payload.

*Jan  5 15:59:33:870 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct NAT-T rfc3947 vendor ID payload.

*Jan  5 15:59:33:871 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct NAT-T draft3 vendor ID payload.

*Jan  5 15:59:33:871 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct NAT-T draft2 vendor ID payload.

*Jan  5 15:59:33:871 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Construct NAT-T draft1 vendor ID payload.

*Jan  5 15:59:33:871 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.

*Jan  5 15:59:33:871 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Sending packet to 2.2.2.2 remote port 500, local port 500.  // IKE message 1

*Jan  5 15:59:33:871 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  I-Cookie: 4a403cc6998232c9

  R-Cookie: 0000000000000000

  next payload: SA

  version: ISAKMP Version 1.0

  exchange mode: Aggressive  // aggressive mode

  flags:

  message ID: 0

  length: 328

*Jan  5 15:59:33:871 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Sending an IPv4 packet.

*Jan  5 15:59:33:872 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Sent data to socket successfully.

*Jan  5 15:59:33:886 2025 RTA IKE/7/EVENT: Received packet successfully.

*Jan  5 15:59:33:886 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received packet from 2.2.2.2 source port 500 destination port 500.  // IKE message 2

*Jan  5 15:59:33:886 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  I-Cookie: 4a403cc6998232c9

  R-Cookie: b1f9d249c1dbdc3b

  next payload: SA

  version: ISAKMP Version 1.0

  exchange mode: Aggressive

  flags:

  message ID: 0

  length: 360

*Jan  5 15:59:33:887 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:887 2025 RTA IKE/7/EVENT: Phase1 process started.

*Jan  5 15:59:33:887 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Security Association Payload.

*Jan  5 15:59:33:887 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Key Exchange Payload.

*Jan  5 15:59:33:887 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Nonce Payload.

*Jan  5 15:59:33:887 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Identification Payload.

*Jan  5 15:59:33:887 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:59:33:887 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Vendor ID Payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP NAT-D Payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP NAT-D Payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received ISAKMP Hash Payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Process NONCE payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Process KE payload.

*Jan  5 15:59:33:888 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Process ID payload.

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Peer ID type: IPV4_ADDR (1).

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Peer ID value: address 2.2.2.2.

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Process SA payload.

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Check ISAKMP transform 1.

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Encryption algorithm is DES-CBC.

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  HASH algorithm is HMAC-SHA1.

*Jan  5 15:59:33:889 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  DH group is 1.

*Jan  5 15:59:33:890 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Authentication method is Pre-shared key.

*Jan  5 15:59:33:890 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Lifetime type is 1.

*Jan  5 15:59:33:890 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

  Life duration is 86400.

*Jan  5 15:59:33:890 2025 RTA IKE/7/EVENT: Found pre-shared key in keychain keychain1 matching address 2.2.2.2.

*Jan  5 15:59:33:890 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Attributes is acceptable.

*Jan  5 15:59:33:890 2025 RTA IKE/7/EVENT: Oakley transform 1 is acceptable.

*Jan  5 15:59:33:890 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Process vendor ID payload.

*Jan  5 15:59:33:890 2025 RTA IKE/7/EVENT: Vendor ID DPD is matched.

*Jan  5 15:59:33:891 2025 RTA IKE/7/EVENT: Vendor ID NAT-T rfc3947 is matched.

*Jan  5 15:59:33:891 2025 RTA IKE/7/EVENT: Vendor ID XAUTH Cisco Unity 1.0 is matched.

*Jan  5 15:59:33:891 2025 RTA IKE/7/EVENT: Vendor ID XAUTH draft6 is matched.

*Jan  5 15:59:33:891 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

Received 2 NAT-D payload.

*Jan  5 15:59:33:891 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/500

I am behind NAT.

*Jan  5 15:59:33:891 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Float port to local port 4500 and remote port 4500

*Jan  5 15:59:33:897 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Verify HASH payload.

*Jan  5 15:59:33:898 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

HASH:

 cc3cbb6f 07c5170e af6c6791 b0574006 e3c77e34

*Jan  5 15:59:33:898 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

HASH verification succeeded.

*Jan  5 15:59:33:898 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

HASH:

 e0f45c3e f1f64121 74aafe29 15e186c3 6a941bde

*Jan  5 15:59:33:898 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct authentication by pre-shared-key.

*Jan  5 15:59:33:898 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct NAT-D payload.

*Jan  5 15:59:33:899 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct INITIAL-CONTACT payload.

*Jan  5 15:59:33:899 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Encrypt the packet.

*Jan  5 15:59:33:899 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_ESTABLISHED.

*Jan  5 15:59:33:899 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending packet to 2.2.2.2 remote port 4500, local port 4500. // IKE message 3; NAT traversal detected, so the port changes to 4500

*Jan  5 15:59:33:899 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  I-Cookie: 4a403cc6998232c9

  R-Cookie: b1f9d249c1dbdc3b

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Aggressive

  flags: ENCRYPT

  message ID: 0

  length: 132

*Jan  5 15:59:33:899 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending an IPv4 packet.

*Jan  5 15:59:33:899 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sent data to socket successfully.

*Jan  5 15:59:33:900 2025 RTA IKE/7/NAT-KEEPALIVE: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending packet to 2.2.2.2 remote port 4500, local port 4500.

*Jan  5 15:59:33:900 2025 RTA IKE/7/NAT-KEEPALIVE: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending an IPv4 packet.

*Jan  5 15:59:33:900 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sent data to socket successfully.

*Jan  5 15:59:33:900 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

The default soft lifetime 77760(seconds) was used for the IKE P1 SA.

*Jan  5 15:59:33:900 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Add tunnel, alloc new tunnel with ID [1].

*Jan  5 15:59:33:901 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:901 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Begin Quick mode exchange.

*Jan  5 15:59:33:901 2025 RTA IKE/7/EVENT: Received message from ipsec, message type is 9.

*Jan  5 15:59:33:901 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.

*Jan  5 15:59:33:902 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Set attributes according to phase 2 transform.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Encapsulation mode is Tunnel-UDP.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  in seconds

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Life duration is 3600.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  in kilobytes

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Life duration is 1843200.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Authentication algorithm is HMAC-MD5.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Transform ID is 3DES-CBC.

*Jan  5 15:59:33:902 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct transform 1.

*Jan  5 15:59:33:903 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct IPsec proposal 1.

*Jan  5 15:59:33:903 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct IPsec SA payload.

*Jan  5 15:59:33:903 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct NONCE payload.

*Jan  5 15:59:33:903 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct IPsec ID payload.

*Jan  5 15:59:33:903 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct IPsec ID payload.

*Jan  5 15:59:33:904 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct HASH(1) payload.

*Jan  5 15:59:33:904 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Encrypt the packet.

*Jan  5 15:59:33:904 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.

*Jan  5 15:59:33:904 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending packet to 2.2.2.2 remote port 4500, local port 4500. // IPsec (quick mode) message 1

*Jan  5 15:59:33:904 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  I-Cookie: 4a403cc6998232c9

  R-Cookie: b1f9d249c1dbdc3b

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 17059ae9

  length: 164

*Jan  5 15:59:33:904 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending an IPv4 packet.

*Jan  5 15:59:33:905 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sent data to socket successfully.

*Jan  5 15:59:33:909 2025 RTA IKE/7/EVENT: Received Nat travel packet.

*Jan  5 15:59:33:909 2025 RTA IKE/7/EVENT: Received packet successfully.

*Jan  5 15:59:33:909 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Received packet from 2.2.2.2 source port 4500 destination port 4500. // IPsec (quick mode) message 2

*Jan  5 15:59:33:909 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  I-Cookie: 4a403cc6998232c9

  R-Cookie: b1f9d249c1dbdc3b

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 17059ae9

  length: 164

*Jan  5 15:59:33:909 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:910 2025 RTA IKE/7/EVENT: Phase2 process started.

*Jan  5 15:59:33:910 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Decrypt the packet.

*Jan  5 15:59:33:910 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Received ISAKMP Hash Payload.

*Jan  5 15:59:33:910 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Received ISAKMP Security Association Payload.

*Jan  5 15:59:33:910 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Received ISAKMP Nonce Payload.

*Jan  5 15:59:33:911 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Received ISAKMP Identification Payload (IPsec DOI).

*Jan  5 15:59:33:911 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Received ISAKMP Identification Payload (IPsec DOI).

*Jan  5 15:59:33:911 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Process HASH payload.

*Jan  5 15:59:33:911 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Validated HASH(2) successfully.

*Jan  5 15:59:33:911 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Process IPsec SA payload.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Check IPsec proposal 1.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Parse transform 1.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Encapsulation mode is Tunnel-UDP.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Lifetime type is in seconds.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Life duration is 3600.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Lifetime type is in kilobytes.

*Jan  5 15:59:33:912 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Life duration is 1843200.

*Jan  5 15:59:33:913 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Authentication algorithm is HMAC-MD5.

*Jan  5 15:59:33:913 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Transform ID is 3DES-CBC.

*Jan  5 15:59:33:913 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

The proposal is acceptable.

*Jan  5 15:59:33:913 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Process IPsec ID payload.

*Jan  5 15:59:33:913 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Process IPsec ID payload.

*Jan  5 15:59:33:913 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Install IPsec SAs.

*Jan  5 15:59:33:913 2025 RTA IKE/7/EVENT:   Inbound flow: 10.1.2.0/24->10.1.1.0/24

*Jan  5 15:59:33:913 2025 RTA IKE/7/EVENT:   Outbound flow: 10.1.1.0/24->10.1.2.0/24

*Jan  5 15:59:33:914 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Lifetime in seconds: 3600

*Jan  5 15:59:33:914 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  Lifetime in kilobytes: 1843200

*Jan  5 15:59:33:914 2025 RTA IKE/7/EVENT:

  Protocol: 50

  Inbound  SPI: 0x32610856

  Outbound SPI: 0xd0679ad9

*Jan  5 15:59:33:914 2025 RTA IPSEC/7/EVENT:

Can not find IPsec tunnel in same flow hash table, and will create a new one.

*Jan  5 15:59:33:914 2025 RTA IPSEC/7/EVENT:

IPsec tunnel successfully added in kernel.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

SA successfully added in kernel.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

SA successfully added in kernel.

*Jan  5 15:59:33:914 2025 RTA IPSEC/7/EVENT:

 Got default traffic-based lifetime settings for IPsec P2 SA  when filling ISAKMP SA data:

 Role                      : Initiator.

 Default soft lifetime     : 1509949440 bytes.

 Hard lifetime             : 1887436800 bytes.

*Jan  5 15:59:33:914 2025 RTA IPSEC/7/EVENT:

 Got traffic-based lifetime settings for IPsec P2 SA when filling ISAKMP SA data:

 Role                                        : Initiator.

 Configured soft lifetime buffer             : 0 bytes.

 Configured global soft lifetime buffer      : 0 bytes.

 Default soft lifetime                       : 1509949440 bytes.

 Hard lifetime after negotiation             : 1887436800 bytes.

 Actual soft lifetime                        : 1509949440 bytes.

*Jan  5 15:59:33:914 2025 RTA IPSEC/7/EVENT:

Added tunnel to kernel successfully.

*Jan  5 15:59:33:914 2025 RTA IPSEC/7/EVENT:

Sent add tunnel message to Slot:0 Cpu:0, message type is 0x13.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

Save IPsec Tunnel to DBM, tunnelIndex 0, refreshCnt 0, createTime 309

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

Added an IPsec tunnel when adding ISAKMP SA: tunnel index = 0, tunnel sequence number = 3.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

Added SA to kernel successfully.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

Added ISAKMP SAs. Number of SAs added is 2.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

No.1 SA index: 0, sequence number: 3.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

No.2 SA index: 1, sequence number: 3.

*Jan  5 15:59:33:915 2025 RTA IPSEC/7/EVENT:

Added SA context to IKE.

*Jan  5 15:59:33:915 2025 RTA IKE/7/EVENT: Received message from ipsec, message type is 11.

*Jan  5 15:59:33:915 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.

*Jan  5 15:59:33:915 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:915 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Construct HASH(3) payload.

*Jan  5 15:59:33:915 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Encrypt the packet.

*Jan  5 15:59:33:916 2025 RTA IPSEC/7/EVENT:

Updated outbound SA of IPsec tunnel(SA index = 0, SPI = 0xd99a67d0).

*Jan  5 15:59:33:916 2025 RTA IPSEC/7/EVENT:

Sent switch SA message to Slot:0 Cpu:0, message type is 0x1a.

*Jan  5 15:59:33:916 2025 RTA IPSEC/7/EVENT:

Switch SA and delete blockflow node. SA index : 1, SA Seq : 3.Block index : 0, Block seq : 3.

*Jan  5 15:59:33:916 2025 RTA IPSEC/7/EVENT:

Switched SA successfully.

*Jan  5 15:59:33:916 2025 RTA IKE/7/EVENT: Received message from ipsec, message type is 15.

*Jan  5 15:59:33:916 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_SA_SWITCH.

*Jan  5 15:59:33:916 2025 RTA IKE/7/EVENT: IKE thread 3063475152 processes a job.

*Jan  5 15:59:33:917 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

IPsec SA state changed from IKE_P2_STATE_SA_SWITCH to IKE_P2_STATE_ESTABLISHED.

*Jan  5 15:59:33:917 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending packet to 2.2.2.2 remote port 4500, local port 4500. // IPsec (quick mode) message 3

*Jan  5 15:59:33:917 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

  I-Cookie: 4a403cc6998232c9

  R-Cookie: b1f9d249c1dbdc3b

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 17059ae9

  length: 52

*Jan  5 15:59:33:917 2025 RTA IKE/7/PACKET: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sending an IPv4 packet.

*Jan  5 15:59:33:924 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Sent data to socket successfully.

*Jan  5 15:59:33:924 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

 Got time-based lifetime settings for IKE P2 SA:

 Role                                 : Initiator.

 Configured soft lifetime buffer      : 0 seconds.

 Hard lifetime after negotiation      : 3600 seconds.

 Default soft lifetime                : 2700 seconds.

 Actual soft lifetime                 : 2700 seconds.

*Jan  5 15:59:33:925 2025 RTA IKE/7/EVENT: vrf = 0, local = 1.1.1.1, remote = 2.2.2.2/4500

Add P2 SA to triple successfully.

Request time out

--- Ping statistics for 10.1.2.1 ---

1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss

<RTA>%Jan  5 15:59:36:075 2025 RTA PING/6/PING_STATISTICS: Ping statistics for 10.1.2.1: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
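The "Received 2 NAT-D payload", "I am behind NAT" and "Float port" lines above are the RFC 3947 NAT discovery check. As an added example that is neither the original post's nor the device's code, the following Python replays that check for the page's topology: each side hashes CKY-I | CKY-R | IP | Port with the negotiated phase-1 hash (the proposal uses HMAC-SHA1, so SHA-1), and a mismatch on either side reveals the NAT. The cookies and addresses are the page's; the NAT-translated source 2.2.2.1:1024 for the UDP/500 exchange is an assumption, since the page only shows that mapping for the UDP/4500 session.

```python
import hashlib
import ipaddress
import struct

# Cookies from the page's aggressive-mode debug output (I-Cookie / R-Cookie)
CKY_I = bytes.fromhex("4a403cc6998232c9")
CKY_R = bytes.fromhex("b1f9d249c1dbdc3b")


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 section 3.2: NAT-D value = HASH(CKY-I | CKY-R | IP | Port).
    HASH is the negotiated phase-1 hash; the page's proposal is HMAC-SHA1, hence plain SHA-1."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_as_seen, local):
    """RFC 3947 order: first the peer's address as this side sees it, then this side's own address."""
    return [nat_d_hash(cky_i, cky_r, *peer_as_seen), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, local, packet_src):
    """Evaluate the peer's NAT-D payloads; returns (local_behind_nat, peer_behind_nat).

    received   - the NAT-D hashes exactly as the peer sent them
    local      - (ip, port) this side believes it is using
    packet_src - (ip, port) the peer's packet actually arrived from
    """
    if len(received) < 2:
        raise ValueError("RFC 3947 requires at least two NAT-D payloads")
    # The peer hashed the address it saw us at; if that differs from our own, a NAT rewrote it.
    local_behind_nat = nat_d_hash(cky_i, cky_r, *local) != received[0]
    # None of the peer's own-address hashes matching the packet source means the peer is behind NAT.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *packet_src) not in received[1:]
    return local_behind_nat, peer_behind_nat


def ike_ports(local_behind_nat, peer_behind_nat):
    """Float to UDP/4500 as soon as a NAT is detected on either side (the 'Float port' line)."""
    return (4500, 4500) if (local_behind_nat or peer_behind_nat) else (500, 500)


def run_example():
    """Replay the page's topology: RTA (1.1.1.1) behind NAT device B, RTB at 2.2.2.2."""
    rta = ("1.1.1.1", 500)
    rtb = ("2.2.2.2", 500)
    # Source of RTA's packets as RTB sees them after B's 'nat outbound'.
    # Assumption: port 1024 is borrowed from the page's UDP/4500 session; the UDP/500 mapping is not shown.
    rta_translated = ("2.2.2.1", 1024)

    # Aggressive mode message 2 (RTB -> RTA) carries RTB's two NAT-D payloads
    rtb_nat_d = build_nat_d_payloads(CKY_I, CKY_R, peer_as_seen=rta_translated, local=rtb)
    rta_view = detect_nat(CKY_I, CKY_R, rtb_nat_d, local=rta, packet_src=rtb)

    # Aggressive mode message 3 (RTA -> RTB) carries RTA's NAT-D payloads
    rta_nat_d = build_nat_d_payloads(CKY_I, CKY_R, peer_as_seen=rtb, local=rta)
    rtb_view = detect_nat(CKY_I, CKY_R, rta_nat_d, local=rtb, packet_src=rta_translated)

    return {"RTA": rta_view, "RTB": rtb_view, "ports": ike_ports(*rta_view)}


if __name__ == "__main__":
    # RTA: (True, False) is the debug's "I am behind NAT"; RTB sees the mirror image (False, True)
    print(run_example())
```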

From: https://blog.csdn.net/2501_90154931/article/details/144946423
