2 IKE
2.1 IKE debugging commands
2.1.1 debugging ike
【Syntax】
debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ]
undo debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet }
【Default】
All IKE debugging switches are disabled.
【Views】
User view
【Predefined user roles】
network-admin
【Parameters】
all: Specifies all IKE debugging switches.
dpd: Specifies the DPD debugging switch.
error: Specifies the error debugging switch.
event: Specifies the event debugging switch.
keepalive: Specifies the keepalive debugging switch.
nat-keepalive: Specifies the NAT keepalive debugging switch.
packet: Specifies the packet debugging switch.
remote-address: Filters debugging information by remote address.
local-address: Filters debugging information by local address.
ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
remote-port port-number: Filters debugging information by remote port number. port-number is the remote port number, in the range of 0 to 65535.
vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private-network address belongs. vpn-instance-name is the name of the MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private-network address does not belong to any VPN.
【Usage guidelines】
Use debugging ike to enable IKE debugging. Use undo debugging ike to disable IKE debugging.
Table 2-1 Output description for the debugging ike error command
Field | Description |
Failed to verify the peer signature. | Peer signature verification failed |
HASH payload is missing. | No HASH payload was found in the IKE packet |
Failed to verify the peer HASH. | Peer HASH verification failed |
Signature payload is missing. | No signature payload was found in the IKE packet |
Invalid SPI length (length) in DPD packet. | The SPI length in the DPD packet is invalid; the length is length |
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid; the I-Cookie value is I-Cookie |
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid; the R-Cookie value is R-Cookie |
The length (length) of DPD sequence number is invalid. | The length of the DPD sequence number is invalid; the length is length |
Invalid DPD sequence number (number). | The DPD sequence number is invalid; the sequence number is number |
DPD packet retransmission timed out. | Retransmission of the DPD packet timed out |
Invalid IPv4 address length (length). | The IPv4 address length is invalid; the length is length |
Invalid IPv6 address length (length). | The IPv6 address length is invalid; the length is length |
Invalid ID of IPv4 address type: ID-IPv4 | The ID of IPv4 address type is invalid; the ID value is ID-IPv4 |
Invalid ID of IPv6 address type: ID-IPv6 | The ID of IPv6 address type is invalid; the ID value is ID-IPv6 |
Invalid FQDN ID length (length). | The length of the FQDN-type ID is invalid; the length is length |
Invalid user FQDN ID length (length). | The length of the User FQDN-type ID is invalid; the length is length |
Failed to get DN because the certificate doesn't exist. | Failed to get the DN because the certificate does not exist |
Failed to get ID data for constructing ID payload. | Failed to get the ID data when constructing the ID payload |
Invalid ID payload with protocol protocol-number and port port-number. | The ID payload is invalid; the protocol number in the ID payload is protocol-number and the port number is port-number |
Invalid ID type (ID-type). | The ID type is invalid; the ID type value is ID-type |
Failed to find proposal proposal-number in profile profile-name. | Proposal proposal-number was not found in IKE profile profile-name |
Failed to verify HASH for informational exchange. | Failed to verify the HASH in the informational exchange packet |
Failed to construct delete payload. | Failed to construct the delete payload |
Invalid SPI length. | The SPI length is invalid |
Protocol ID (ID) in delete payload is invalid. | The protocol ID in the delete payload is invalid; the protocol number is ID |
KE payload doesn’t exist. | The KE payload does not exist |
Invalid KE payload length (length). | The KE payload length is invalid; the length is length |
Failed to construct notification payload for keepalive. | Failed to construct the notification payload when sending a keepalive packet |
Length (length) of the sequence number in keepalive packet is invalid. | The sequence number length in the keepalive packet is invalid; the length is length |
Length (length) of the HASH payload in keepalive packet is invalid. | The HASH payload length in the keepalive packet is invalid; the length is length |
Failed to calculate HASH for verification of keepalive packet. | The local end failed to calculate the HASH when verifying the keepalive packet |
Failed to add sequence number to keepalive packet. | Failed to add the sequence number when constructing the keepalive packet |
Failed to calculate HASH for keepalive. | Failed to calculate the HASH when constructing the keepalive packet |
Failed to float port. | Failed to float (switch) the port |
Length (length) of the nonce payload is invalid. | The nonce payload length is invalid; the length is length |
Failed to parse the certificate request payload. | Failed to parse the certificate request payload |
No available proposal. | No usable proposal was found |
Failed to get certificate. | Failed to get the certificate |
Failed to get private key. | Failed to get the private key |
Failed to construct ID payload. | Failed to construct the IPsec ID payload |
Failed to calculate hash-name. | Failed to calculate the HASH; the HASH name is hash-name |
Failed to validate hash-name. | Failed to validate the HASH; the HASH name is hash-name |
Failed to compute key material. | Failed to compute the key material |
Failed to install IPsec SA. | Failed to install the IPsec SA |
The nonce payload doesn't exist. | The nonce payload does not exist |
The KE payload doesn't exist. | The KE payload does not exist |
No valid DH group description in SA payload. | There is no valid DH group in the SA payload |
There are too many KE payloads. | There are too many KE payloads |
The length of the KE payload does't match the DH group description. | The KE payload length does not match the DH group description used for PFS |
Failed to construct NAT-OA payload. | Failed to construct the NAT-OA payload |
Failed to construct RESPONDER_LIFETIME payload. | Failed to construct the RESPONDER_LIFETIME payload |
Failed to construct KE payload. | Failed to construct the KE payload |
Failed to pad for encryption. | Padding before packet encryption failed |
Failed to send data. Reason: error-reason. | Failed to send the packet; the error reason is error-reason |
No enough space in the packet for Non-ESP marker. | The packet is too large; the Non-ESP marker cannot be added |
Failed to decrypt the packet. | Failed to decrypt the packet |
Non-zero message ID (Message-ID) in phase 1. | The message ID in phase 1 is not 0; its value is Message-ID |
I-Cookie must not be zero. | The I-Cookie cannot be 0 |
The first packet of phase 1 is invalid: Encryption bit is set. | The first packet of phase 1 is invalid: the encryption flag of the packet is set |
The first packet of phase 1 is invalid: Non-zero R-Cookie. | The first packet of phase 1 is invalid: the R-Cookie of the packet is not 0 |
Failed to parse phase 1 packet. Reason reason. | Failed to parse the phase 1 IKE packet; the reason is reason, which can be: · INVALID_PAYLOAD_TYPE: invalid payload type · DOI_NOT_SUPPORTED: unsupported DOI field · SITUATION_NOT_SUPPORTED: unsupported situation field · INVALID_COOKIE: invalid cookie · INVALID_MAJOR_VERSION: invalid major version · INVALID_MINOR_VERSION: invalid minor version · INVALID_EXCHANGE_TYPE: invalid exchange type · INVALID_FLAGS: invalid flags · INVALID_MESSAGE_ID: invalid message ID · INVALID_PROTOCOL_ID: invalid protocol ID · INVALID_SPI: invalid SPI · INVALID_TRANSFORM_ID: invalid transform ID · ATTRIBUTES_NOT_SUPPORTED: unsupported attributes · NO_PROPOSAL_CHOSEN: no matching proposal · BAD_PROPOSAL_SYNTAX: proposal syntax error · PAYLOAD_MALFORMED: malformed payload · INVALID_KEY_INFORMATION: invalid key information · INVALID_ID_INFORMATION: invalid ID information · INVALID_CERT_ENCODING: invalid certificate encoding · INVALID_CERTIFICATE: invalid certificate · CERT_TYPE_UNSUPPORTED: unsupported certificate type · INVALID_CERT_AUTHORITY: certificate authentication failed · INVALID_HASH_INFORMATION: invalid HASH · AUTHENTICATION_FAILED: authentication failed · INVALID_SIGNATURE: invalid signature · ADDRESS_NOTIFICATION: address notification · NOTIFY_SA_LIFETIME: SA lifetime notification · CERTIFICATE_UNAVAILABLE: certificate unavailable · UNSUPPORTED_EXCHANGE_TYPE: unsupported exchange type · UNEQUAL_PAYLOAD_LENGTHS: unequal payload lengths |
The packet is dropped because of not being encrypted | The packet is dropped because it is not encrypted |
Failed to parse informational exchange packet. Reason reason. | Failed to parse the informational exchange packet; the reason is reason, whose values are the same as above |
Failed to parse keepalive packet because of reason. | Failed to parse the keepalive packet; the reason is reason, whose values are the same as above |
Unsupported exchange type (type) in packet. | Unsupported exchange type type, whose values include: · None: nonexistent exchange type · Base: base exchange · Main: main mode exchange · AO: Authentication Only exchange · Aggressive: aggressive mode exchange · Info: informational exchange · Mode cfg: configuration mode exchange |
Invalid Non-ESP marker: marker. | Invalid Non-ESP marker: marker |
The received packet is too short, which is length bytes. | The received packet is too short; its length is length |
Failed to receive packet. | Failed to receive the packet |
Failed to bind UDP port port-number. Reason: reason. | Failed to bind the UDP port; the port number is port-number and the error reason is reason |
Failed to set UDP port port-number. Reason: reason. | Failed to set the UDP port; the port number is port-number and the error reason is reason |
Failed to add UDP port port-number to epoll. | Failed to add the UDP port to epoll; the port number is port-number |
Failed to initiate UDP port port-number. Error code: error-number. | Failed to initialize the UDP port; the port number is port-number and the error code is error-number |
byte-numberth byte of the structure struct-name must be 0. | Byte byte-number of structure struct-name must be 0 |
Field-name of struct-name has an unknown value: value. | Field field-name of structure struct-name has an invalid value: value |
field-name of struct-name has unknown members. | Field field-name of structure struct-name contains unknown members |
No enough bytes to get data2 from data1. | There is not enough space to hold data2 obtained from data1 |
No enough space in output packet for struct-name. | There is not enough space in the packet to hold structure struct-name |
No enough space to place length bytes of data-name in struct-name. | There is not enough space in structure struct-name to hold length bytes of data |
No enough space to place data-name in struct-name. | There is not enough space in structure struct-name to hold data data-name |
Failed to add the HASH payload. | Failed to add the HASH payload |
Ignored the certificate request of type type-id. | The certificate request is ignored; its type is type-id |
Failed to get the certificate and key by certificate request. | Failed to get the certificate and key according to the certificate request |
Failed to verify the peer certificate. Reason: error-string. | Failed to verify the peer certificate; the error reason is error-string |
Failed to find keychain keychain-name in profile profile-name. | Failed to find keychain keychain-name in IKE profile profile-name |
Failed to create IKE SA with core data. | Failed to create the phase 1 SA from core data |
Failed to create IPsec SA with core data. | Failed to create the phase 2 SA from core data |
Failed to receive smooth SA ACK from IPsec. | Failed to receive the SA smoothing ACK from IPsec |
Number of negotiating IKE SAs exceeded the limit. | The number of IKE SAs being negotiated exceeded the limit |
Number of established IKE SAs exceeded the limit. | The number of established IKE SAs exceeded the limit |
Attribute attribute-name is repeated. | The attribute is repeated; the attribute name is attribute-name |
Failed to construct situation. | Failed to construct the situation field |
Failed to construct proposal payload. | Failed to construct the proposal payload |
Failed to construct transform payload. | Failed to construct the transform payload |
Failed to construct attributes. | Failed to construct the attributes |
Unsupported DOI doi | Unsupported DOI doi |
Proposal payload must be the last payload in SA payload, but payload-name payload is found following proposal payload. | The proposal payload must be the last payload in the SA payload, but a payload-name payload follows the proposal payload |
Unexpected protocol ID (ID-type) found in proposal payload. | The protocol ID in the proposal payload is invalid; the protocol ID is ID-type |
Invalid SPI length (SPI-length) in proposal payload. | The SPI length in the proposal payload is invalid |
No transform payload in proposal payload. | There is no transform payload in the proposal payload |
Transform number is not monotonically increasing. | The transform numbers are not monotonically increasing |
Invalid transform ID: id. | Invalid transform ID: id |
No acceptable transform. | No acceptable transform |
Unexpected payload-name payload in proposal. | An unexpected payload-name payload appears in the proposal payload |
Only one transform is permitted in one proposal, but trans-count transforms are found. | Only one transform is allowed in the selected proposal payload, but trans-count were found |
Failed to parse the IKE SA payload. | Failed to parse the IKE SA payload |
Proposal payload has more transforms than specified in the proposal payload. | The proposal payload contains more transform payloads than the number specified in the proposal payload |
Proposal payload has fewer transforms than specified in the proposal payload. | The proposal payload contains fewer transform payloads than the number specified in the proposal payload |
Invalid next payload (payload-type) in transform payload. | The next payload field in the transform payload is invalid; the payload type is payload-type |
SA_LIFE_TYPE attribute must be in front of the SA_LIFE_DURATION attribute. | The SA_LIFE_TYPE attribute must precede the SA_LIFE_DURATION attribute |
Attribute attribute-type is repeated in IPsec transform trans-number. | Attribute attribute-type is repeated in the IPsec transform; the transform number is trans-number |
SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is repeated in the packet |
Unsupported IPsec attribute attribute. | Unsupported IPsec attribute attribute |
SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message. | The IPsec attribute SA_LIFE_TYPE in the packet is not followed by an SA_LIFE_DURATION attribute |
Encapsulation mode must be specified in IPsec transform. | The encapsulation mode must be specified in the IPsec transform |
AUTH_ALGORITHM attribute is missing in AH transform. | There is no AUTH_ALGORITHM attribute in the AH transform |
Transform ID (id) in transform trans-number doesn't match authentication algorithm auth-algo-name (auth-algo-value). | The transform ID in the transform does not match the authentication algorithm; the transform number is trans-number, the transform ID is id, and the authentication algorithm is auth-algo-name with value auth-algo-value |
Neither encryption algorithm nor authentication algorithm is specified in ESP proposal, which is not permitted. | The ESP proposal has neither an encryption algorithm nor an authentication algorithm, which is not allowed |
Unsupported ESP transform. | Unsupported ESP transform |
Unsupported ESP authentication algorithm. | Unsupported ESP authentication algorithm |
IPsec proposal with improper SPI size (size). | The SPI size in the IPsec proposal is incorrect; the SPI size is size |
IPsec proposal contains invalid SPI (SPI). | The SPI in the IPsec proposal is invalid; its value is SPI |
Failed to get SPI from IPsec proposal. | Failed to get the SPI from the IPsec proposal |
No transform in IPsec proposal. | There is no transform in the IPsec proposal |
SA payload contains more than one AH proposal with the same proposal number. | The SA payload contains multiple AH proposals with the same proposal number |
SA payload contains more than one ESP proposal with the same proposal number. | The SA payload contains multiple ESP proposals with the same proposal number |
Invalid next payload (payload-type-num) in proposal. | The next payload field in the proposal payload is invalid; its type value is payload-type-num |
Unsupported IPsec DOI situation (situation-num). | Unsupported IPsec DOI situation; its type value is situation-num |
Invalid IPsec proposal proposal-number. | Invalid IPsec proposal; the proposal number is proposal-number |
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA. | Failed to get the IPsec policy when renegotiating the IPsec SA; the IPsec SA is deleted |
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA. | Failed to get the IPsec policy as the phase 2 responder; the IPsec SA is deleted |
No HASH in notification payload. | There is no HASH in the notification payload |
Failed to send message to IPsec when getting SPI. | Failed to send a message to IPsec when getting the SPI |
Failed to send message to IPsec when adding SA. | Failed to send a message to IPsec when adding the SA |
Failed to send message to IPsec when deleting SA. | Failed to send a message to IPsec when deleting the SA |
Failed to send message to IPsec when getting SP. | Failed to send a message to IPsec when getting the SP |
Failed to send message to IPsec when adding DPD. | Failed to send a message to IPsec when adding DPD |
Failed to send message to IPsec when updating DPD. | Failed to send a message to IPsec when updating DPD |
Failed to send message to IPsec when deleting DPD. | Failed to send a message to IPsec when deleting DPD |
Failed to send message to IPsec when switching SA. | Failed to send a message to IPsec when switching the SA |
Failed to negotiate IKE SA. | Failed to negotiate the IKE SA |
Failed to negotiate IPsec SA. | Failed to negotiate the IPsec SA |
Errstring. Attribute attribute-name. | The error reason is errstring, and the related attribute name is attribute-name. errstring can be: · Unsupported encryption algorithm: enc-alg: unsupported encryption algorithm enc-alg · Unsupported HASH algorithm: hash-alg: unsupported HASH algorithm hash-alg · Unsupported authentication method: auth-meth: unsupported authentication method auth-meth · Unsupported DH group: group-name: unsupported DH group group-name · Unsupported lifetime type: lifetime-type: unsupported lifetime type lifetime-type · OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute.: the OAKLEY_LIFE_DURATION attribute is not preceded by an OAKLEY_LIFE_TYPE attribute · OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute: the OAKLEY_KEY_LENGTH attribute is not preceded by an OAKLEY_ENCRYPTION_ALGORITHM attribute · OAKLEY_KEY_LENGTH attribute not match OAKLEY_ENCRYPTION_ALGORITHM.: the OAKLEY_KEY_LENGTH attribute does not match the OAKLEY_ENCRYPTION_ALGORITHM attribute · Failed to get encryption algorithm: failed to get the encryption algorithm · Unsupported OAKLEY attribute attribute: unsupported OAKLEY attribute attribute |
Failed to match the proposal. | Failed to match the proposal |
Received invalid SPI message from IPsec, but no IKE SA exists. | An invalid SPI message was received from IPsec, but no IKE SA exists |
Failed to get subject name from certificate. | Failed to get the subject name from the certificate |
Failed to get local certificate. | Failed to get the local certificate |
Failed to send notification packet for deleting IPsec SA, because of no corresponding IKE SA. | Failed to send the notification packet for deleting the IPsec SA because no corresponding IKE SA was found |
Failed to construct certificate request payload. | Failed to construct the certificate request payload |
Unsupported attribute attribute-type. | Unsupported attribute; the attribute type is attribute-type |
Invalid major version(version). | The major version is invalid; the major version is version |
Constructed SA payload. | The SA payload was constructed |
Failed to get UDP socket. | Failed to get the UDP socket |
Failed to parse the Cert Request payload. | Failed to parse the certificate request payload |
No available proposal. | No usable security proposal |
Obtained profile ProfileName. | Obtained the security profile named ProfileName |
Deleted GDOI GM IKE SA. | The GDOI GM IKE SA was deleted |
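Several entries in Table 2-1 are checks on the fixed ISAKMP header of the first phase 1 packet (zero I-Cookie, non-zero R-Cookie, encryption bit set, non-zero message ID, bad major version, unsupported exchange type, packet too short). The following Python script is an added example, not H3C code, that implements those checks over the 28-byte RFC 2408 header layout (I-Cookie 8, R-Cookie 8, next payload 1, version 1, exchange type 1, flags 1, message ID 4, length 4) and returns the same error strings the table lists. The header builder and sample packets are constructed for the example; the restriction of the first packet to Main or Aggressive exchanges and the declared-length check are this example's own assumptions, not messages from the table.

```python
"""ISAKMP header validation modelled on the debugging ike error checks in Table 2-1.

Added example (not H3C code). Header layout follows RFC 2408:
I-Cookie(8) R-Cookie(8) next payload(1) version(1) exchange type(1) flags(1) message ID(4) length(4).
"""
import struct

ISAKMP_HEADER_LEN = 28
ISAKMP_HEADER_FMT = "!8s8sBBBBII"
FLAG_ENCRYPTION = 0x01        # RFC 2408 flags, bit 0: payloads following the header are encrypted
ZERO_COOKIE = bytes(8)

# Exchange type values from RFC 2408/2409 and the mode-config draft; names follow Table 2-1.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Main", 3: "AO", 4: "Aggressive", 5: "Info",
    6: "Mode cfg", 32: "Quick", 33: "New Group",
}


def parse_isakmp_header(data: bytes) -> dict:
    """Unpack the fixed header; raise ValueError when the datagram is shorter than the header."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError(f"The received packet is too short, which is {len(data)} bytes.")
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        ISAKMP_HEADER_FMT, data[:ISAKMP_HEADER_LEN])
    return {
        "icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
        "major_version": version >> 4, "minor_version": version & 0x0F,
        "exchange_type": exch, "flags": flags, "message_id": msg_id, "length": length,
    }


def check_first_phase1_packet(data: bytes) -> list:
    """Return the error strings a responder would log for the first phase 1 packet (empty = accepted)."""
    try:
        hdr = parse_isakmp_header(data)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    if hdr["icookie"] == ZERO_COOKIE:
        errors.append("I-Cookie must not be zero.")
    if hdr["major_version"] != 1:
        errors.append(f"Invalid major version({hdr['major_version']}).")
    exch_name = EXCHANGE_TYPES.get(hdr["exchange_type"])
    # Assumption of this example: a phase 1 negotiation opens with Main or Aggressive mode only.
    if exch_name not in ("Main", "Aggressive"):
        errors.append(f"Unsupported exchange type ({exch_name or hdr['exchange_type']}) in packet.")
    if hdr["flags"] & FLAG_ENCRYPTION:
        errors.append("The first packet of phase 1 is invalid: Encryption bit is set.")
    if hdr["rcookie"] != ZERO_COOKIE:
        errors.append("The first packet of phase 1 is invalid: Non-zero R-Cookie.")
    if hdr["message_id"] != 0:
        errors.append(f"Non-zero message ID (0x{hdr['message_id']:08x}) in phase 1.")
    # Added sanity check, not one of the table's messages: declared length must match what arrived.
    if hdr["length"] != len(data):
        errors.append(f"Declared length {hdr['length']} does not match received length {len(data)}.")
    return errors


def build_header(icookie, rcookie, exchange_type, flags, message_id, total_len, next_payload=1):
    """Constructed test input: a bare ISAKMP header (next payload 1 = SA, version 1.0) with no payloads."""
    return struct.pack(ISAKMP_HEADER_FMT, icookie, rcookie, next_payload, 0x10,
                       exchange_type, flags, message_id, total_len)


if __name__ == "__main__":
    good = build_header(bytes(range(1, 9)), ZERO_COOKIE, 2, 0, 0, ISAKMP_HEADER_LEN)
    bad = build_header(ZERO_COOKIE, b"\xff" * 8, 2, FLAG_ENCRYPTION, 0x1234, ISAKMP_HEADER_LEN)
    print("good:", check_first_phase1_packet(good))
    print("bad: ", check_first_phase1_packet(bad))
```

The checks run in the same order a responder applies them: length first (nothing else can be trusted before it), then the cookies and version, then the per-exchange constraints. A real capture can be fed in by reading the UDP payload of a port 500 datagram into `data`.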
Table 2-2 Output description for the debugging ike event command
Field | Description |
Signature verification succeeded. | Signature verification succeeded |
HASH verification succeeded. | HASH verification succeeded |
Delete IPsec SAs. | Delete the IPsec SAs |
Delete IKE SA with connection ID id. | Delete the IKE SA; the connection ID is id |
Update DPD configuration in IKE SA. | Update the DPD configuration in the phase 1 SA |
Notify IPsec to add DPD. | Notify IPsec to add DPD |
Notify IPsec to delete DPD. | Notify IPsec to delete DPD |
Notify IPsec to update DPD. | Notify IPsec to update DPD |
Process interface interface-type interface-num active event. | Process the interface activation event; the interface name is interface-type interface-num |
Process interface interface-name deactive event. | Process the interface deactivation event; the interface name is interface-type interface-num |
Process interface interface-name delete event. | Process the interface deletion event; the interface name is interface-type interface-num |
The board chassis chassis-num slot slot-num is inserted. | The board is inserted into slot slot-num of member device chassis-num |
Protocol/port in phase 1 ID payload is protocol-number/port-number, which is acceptable. | The protocol number/port number in the phase 1 ID payload is protocol-number/port-number, which is acceptable |
Begin to construct IPsec SA delete packet. | Begin to construct the phase 2 SA delete packet |
Delete IKE SA with connection ID id. | Delete the phase 1 SA; the connection ID is id |
Received IPsec SA delete packet. | Received the phase 2 SA delete packet |
Process delete payload. | Process the delete payload |
Ignore delete payload: packet not encrypted or IKE SA not established. | Ignore the delete payload: the packet is not encrypted or the phase 1 SA is not established |
Received SA acquire message from IPsec. | Received the SA acquire message from IPsec |
Received IPsec capability. | Received the IPsec capability |
Received smooth IPsec SA ACK. | Received the ACK for smoothing the IPsec SA |
IKE keepalive timed out. Delete IKE SA with connection ID id. | The IKE keepalive timer timed out; delete the phase 1 SA with connection ID id |
Reset IKE keepalive timeout timer. New time value is time | Reset the IKE keepalive timeout timer; the new time value is time |
I am behind NAT. | The local end is behind a NAT device |
Peer is behind NAT. | The peer is behind a NAT device |
No need to float port. | No need to float the port |
Float port to local port local-port and remote port remote-port | Float the port; the local port is local-port and the remote port is remote-port |
Sending DPD packet of type type with sequence number seq-no. | Sending a DPD packet of type type with sequence number seq-no |
Delete IKE SA by received notification. | Delete the phase 1 SA according to the received error notification packet |
INITIAL-CONTACT message is dropped because of not being encrypted. | The INITIAL-CONTACT message is not encrypted and is dropped |
Delete redundant SA. | Delete the redundant SA |
Length (length) of notification packet is invalid. | The notification packet length is invalid; the length is length |
Protocol-ID (ID) of notification packet is unsupported. | The protocol ID in the notification packet is unsupported: ID |
Notification notification-name is received. | Notification packet notification-name was received |
Inbound flow: dst-addr->src-addr | Inbound flow: destination address->source address |
Outbound flow: src-addr->dst-addr | Outbound flow: source address->destination address |
Validated hash-name successfully. | HASH validation succeeded; the HASH name is hash-name |
Getting IPsec message timed out. Delete IPsec SA. | Getting the IPsec message timed out; delete the phase 2 SA |
Protocol: protocol | The security protocol is protocol (AH or ESP) |
Inbound SPI: in-spi | The inbound SPI is in-spi |
Outbound SPI: out-spi | The outbound SPI is out-spi |
Install IPsec SAs. | Install the IPsec SAs |
Lifetime in seconds: seconds | The SA lifetime is seconds seconds |
Lifetime in kilobytes: bytes | The SA lifetime is bytes kilobytes |
Phase 2 Exchange chooses role: Local is initiator. | Phase 2 exchange role selection: the local end is the initiator |
Phase 2 Exchange chooses role: Local is responder. | Phase 2 exchange role selection: the local end is the responder |
Begin Quick mode exchange. | Begin the quick mode exchange |
No enough space to send packet. | There is not enough space to send the packet |
Retransmittion of phase 1 packet timed out. | Retransmission of the phase 1 packet timed out |
Ignore phase 1 packet retransmit timeout event. | Ignore the phase 1 packet retransmission timeout event |
Retransmittion of phase 2 packet timed out. | Retransmission of the phase 2 packet timed out |
Ignore phase 2 packet retransmit timeout event. | Ignore the phase 2 packet retransmission timeout event |
Phase 1 Exchange chooses role: Local is initiator. | Phase 1 exchange role selection: the local end is the initiator |
Phase 1 Exchange chooses role: Local is responder. | Phase 1 exchange role selection: the local end is the responder |
Phase 1 packet is malformed: Not starting with an SA payload. | The phase 1 packet is malformed: it does not start with an SA payload |
Phase2 packet is malformed: Not starting with an HASH payload. | The phase 2 packet is malformed: it does not start with a HASH payload |
Quick mode packet is received, but IKE SA does not exist. | A quick mode packet was received, but the phase 1 SA does not exist |
Quick mode packet is received, but IKE SA is incomplete. | A quick mode packet was received, but the phase 1 SA is incomplete |
Ignored delete SA payload because the IKE SA is not established. | The delete SA payload is ignored because the IKE SA is not established |
Ignored delete SA payload because the packet is not encrypted. | The delete SA payload is ignored because the packet is not encrypted |
Received informational exchange packet, but IKE SA is inexistent or incomplete. | An informational exchange packet was received, but the phase 1 SA does not exist or is incomplete |
Received keepalive packet, but IKE SA is not existed. | An IKE keepalive packet was received, but the phase 1 SA does not exist |
Received keepalive packet, but it is not encrypted. | An IKE keepalive packet was received, but it is not encrypted |
Received keepalive packet, but IKE SA is incomplete. | An IKE keepalive packet was received, but the phase 1 SA is incomplete |
Ignore NAT keepalive packet. | Ignore the NAT keepalive packet |
Initialize UDP port. | Initialize the UDP port |
PKI data had been changed. | The PKI data has changed |
Found pre-shared key that matches address address in keychain keychain-name. | A pre-shared key matching address address was found in keychain keychain-name |
Pre-shared key matching address address not found. | No pre-shared key matching address address was found |
Found keychain keychain-name in profile profile-name successfully. | Keychain keychain-name was found in IKE profile profile-name |
Get profile profile-name. | Get IKE profile profile-name |
Initiator created an SA for peer address, local port local-port, remote port remote-port. | The initiator created an SA; the peer address is address, the local port is local-port, and the remote port is remote-port |
Set IKE SA state to state-name. | Set the phase 1 SA state to state-name |
IKE SA state changed from state1 to state2. | The phase 1 SA state changed from state1 to state2 |
Set IPsec SA state to state-name. | Set the phase 2 SA state to state-name |
IPsec SA state changed from state1 to state2. | The phase 2 SA state changed from state1 to state2 |
Responder created an SA for peer address, local port local-port, remote port remote-port. | The responder created an SA; the peer address is address, the local port is local-port, and the remote port is remote-port |
Delete IPsec SA. | Delete the phase 2 SA |
Oakley transform trans-number is acceptable. | The Oakley transform is acceptable; the transform number is trans-number |
Begin mode mode exchange. | Begin the IKE negotiation in mode mode |
IKE SA not found. Initiate IKE SA negotiation. | No phase 1 SA exists; initiate phase 1 SA negotiation |
IKE SA is prepared for renegotiation. | The phase 1 SA is ready for renegotiation |
IKE SA is expired. | The phase 1 SA lifetime has expired |
Renegotiation has already started for this IKE SA. | Renegotiation of this IKE SA has already started |
IKE SA with connection ID connection-id has expired, and it will be deleted. | The phase 1 SA lifetime has expired and the SA will be deleted; the connection ID is connection-id |
IPsec SA is being negotiated. | The phase 2 SA is being negotiated |
IPsec SA has expired and will be deleted. | The lifetime has expired; delete the phase 2 SA |
IKE thread thread-id processes a job. | IKE thread thread-id processes a job |
IKE thread thread-id processes a CTL-Queue msg. | IKE thread thread-id processes a control queue message |
Vendor ID verdor-id is matched. | Vendor ID verdor-id is matched |
No vendor ID is matched. | No vendor ID is matched |
IKE SA is soft expired(Timer handle: %u, Icookie: %s), renegotiate IKE SA. | The time-based soft lifetime of the IKE SA expired; renegotiation will be initiated |
IKE SA is soft expired(Timer handle: %u, Icookie: %s), no need to renegotiate IKE SA. | The time-based soft lifetime of the IKE SA expired; no renegotiation is needed |
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), will be renegotiated. | The time-based soft lifetime of the IPsec SA expired; renegotiation will be initiated |
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), no need to renegotiate. | The time-based soft lifetime of the IPsec SA expired; no renegotiation is needed |
IPsec SA is traffic expired(SPI:%u), will be renegotiated. | The traffic-based soft lifetime of the IPsec SA expired; renegotiation will be initiated |
IPsec SA is traffic expired(SPI:%u), no need to renegotiate. | The traffic-based soft lifetime of the IPsec SA expired; no renegotiation is needed |
Succeed to set responder-only flag for P1SA. | The responder-only flag of the phase 1 SA was set successfully |
Succeed to set responder-only flag for P2SA. | The responder-only flag of the phase 2 SA was set successfully |
Table 2-3 Output description for the debugging ike packet command
Field | Description |
Construct authentication data by pre-shared key. | Construct the authentication data from the pre-shared key |
Verify HASH payload. | Verify the HASH payload |
Construct authentication data by private key. | Construct the authentication data from the private key |
Verify signature payload. | Verify the signature payload |
DPD packet with sequence number sequence-number is received. | A DPD packet was received; the sequence number is sequence-number |
Retransmit DPD packet. | Retransmit the DPD packet |
Peer ID value: address address. | Peer ID value: address address |
Peer ID value: FQDN fqdn. | Peer ID value: FQDN fqdn |
Peer ID value: User FQDN user-fqdn. | Peer ID value: User FQDN user-fqdn |
Peer ID value: DN DN-value | Peer ID value: DN; the DN content is DN-value |
Peer ID type: ID-type (value). | Peer ID type: ID-type; the type value is value |
Local ID type: ID-type (value). | Local ID type: ID-type; the type value is value |
Local ID value: ID-value. | Local ID value: ID-value |
Construct ID payload. | Construct the ID payload |
The profile profile-name is matched. | Profile profile-name is matched |
No profile is matched. | No profile is matched |
Process ID payload. | Process the ID payload |
Construct notification packet: notification-type. | Construct the notification packet: notification-type |
Construct delete payload. | Construct the delete payload |
The phase 1 delete packet is received. | The phase 1 delete packet was received |
The cookies' length (length) is invalid. | The cookie length length is invalid |
Construct KE payload. | Construct the KE payload |
Process KE payload. | Process the KE payload |
Send keepalive packet with sequence number sequence-number. | Send an IKE keepalive packet; the sequence number is sequence-number |
Process keepalive packet with sequence number sequence-number. | Process an IKE keepalive packet; the sequence number is sequence-number |
Construct NAT-D payload. | Construct the NAT-D payload |
Received count NAT-D payloads. | NAT-D payloads were received; the count is count |
Construct NONCE payload. | Construct the NONCE payload |
Process NONCE payload. | Process the NONCE payload |
Construct INITIAL-CONTACT payload. | Construct the INITIAL-CONTACT payload |
Construct SA payload. | Construct the SA payload |
Construct IPsec ID payload. | Construct the IPsec ID payload |
Process HASH payload. | Process the HASH payload |
Construct IPsec SA payload. | Construct the IPsec SA payload |
Construct HASH(3) payload. | Construct the HASH(3) payload |
Process IPsec ID payload. | Process the IPsec ID payload |
Construct NAT-OA payload. | Construct the NAT-OA payload |
Process NAT-OA payload: address. | Process the NAT-OA payload; the address is address |
Received count NAT-OA payloads. | NAT-OA payloads were received; the count is count |
Construct IPsec RESPONDER_LIFETIME payload. | Construct the IPsec RESPONDER_LIFETIME payload |
Construct HASH(1) payload. | Construct the HASH(1) payload |
Collision of phase 2 negotiation is found. | A phase 2 negotiation collision was found |
Construct HASH(2) payload. | Construct the HASH(2) payload |
I-Cookie: icookie R-Cookie: rcookie next payload: next-payload version: version exchange mode: mode flags: [flag] message ID: mid length: length | · Initiator cookie: icookie · Responder cookie: rcookie · Next payload: next-payload · ISAKMP version: version · Exchange mode: mode · Flags: flag · Message ID: mid · Packet length: length |
Encrypt the packet. | Encrypt the packet |
Received payload-name. | Received payload payload-name |
Sending packet to address, remote port remote-port, local port local-port. | Send the packet to address address; the remote port is remote-port and the local port is local-port |
Sending an IPv4 packet. | Send an IPv4 packet |
Sending an IPv6 packet. | Send an IPv6 packet |
Retransmit phase 1 packet. | Retransmit the phase 1 packet |
Retransmit phase 2 packet. | Retransmit the phase 2 packet |
Retransmit in response to duplicate packet. | Retransmit the corresponding response to a packet retransmitted by the peer |
Discard duplicate packet because of exhausted retransmission. | The local retransmission count has reached the maximum; the duplicate packet is no longer answered and is discarded |
Discard duplicate packet with no response. | Discard the duplicate packet sent by the peer without responding |
Collision of phase 1 negotiation is found. | A phase 1 negotiation collision was found |
Decrypt the packet. | Decrypt the packet |
Begin a new phase 1 negotiation as responder. | As the responder, begin a new phase 1 negotiation |
Parse informational exchange packet successfully. | Parsed the informational exchange packet successfully |
Received packet from address source port source-port destination port des-port. | Received a packet from address; the source port is source-port and the destination port is des-port |
Skipping length raw bytes of name1 to get name2. | Skip length bytes of payload name1 to get the next payload name2 |
Add certificate request payload subjectname. | Add the certificate request payload; the subject name is subjectname |
Construct certificate request payload. | Construct the certificate request payload |
Received certificate request payload that contains issuer name issuer-name. | Received a certificate request payload; the issuer name is issuer-name |
Process certificate request payload. | Process the certificate request payload |
The certificate request payload is empty. | The certificate request payload is empty |
Construct certificate payload. | Construct the certificate payload |
The profile profile-name is matched by remote certificate. | IKE profile profile-name was matched by the remote certificate |
Process certificate payload. | Process the certificate payload |
Encryption algorithm is enc-algo. | The encryption algorithm is enc-algo |
HASH algorithm is hash-algo. | The HASH algorithm is hash-algo |
Authentication method is auth-method. | The authentication method is auth-method |
DH group is group. | The DH group is group |
Lifetime type is type. | The lifetime type is type, where type can be: · in seconds: time-based lifetime · in kilobytes: traffic-based lifetime |
Life duration is value. | The lifetime is value |
Key length is length bytes. | The key length is length bytes |
Check ISAKMP transform trans-number. | Check the ISAKMP transform; the transform number is trans-number |
Attributes is acceptable. | The attributes are acceptable |
Construct transfrom payload for transform trans-number. | Construct the transform payload; the transform number is trans-number |
Encapsulation mode is mode. | The encapsulation mode is mode, where mode can be: · Tunnel: tunnel mode · Transport: transport mode · Tunnel-UDP: UDP-encapsulated tunnel mode · Transport-UDP: UDP-encapsulated transport mode |
Set attributes according to phase 2 transform. | Set the attributes according to the phase 2 transform |
Transform ID is id. | The transform ID is id |
Construct transform 1. | Construct transform 1 |
Construct IPsec proposal proposal-number. | Construct the IPsec proposal; the proposal number is proposal-number |
Parse transform trans-number. | Parse the transform; the transform number is trans-number |
The SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is repeated in the packet |
Number of key rounds is round. | The number of key rounds is round |
Process IPsec SA payload. | Process the IPsec SA payload |
The attributes are unacceptable. | The attributes are unacceptable |
Construct vid-name vendor ID payload. | Construct the vendor ID payload; the vendor ID name is vid-name |
Process vendor ID payload. | Process the vendor ID payload |
HASH:value | The HASH is value |
SKEYID:value | The SKEYID is value |
Extended Skeyid_e:value | The extended Skeyid_e is value |
Local generated new IV: value | The locally generated new IV is value |
SKEYID_a: value | SKEYID_a is value |
SKEYID_d: value | SKEYID_d is value |
SKEYID_e: value | SKEYID_e is value |
Encrypt IV: value | The encryption IV is value |
Encryption generated new IV: value | The new IV generated by encryption is value |
Decrypt IV: value | The decryption IV is value |
Remote new IV: value | The peer's new IV is value |
The proposal is acceptable. | The proposal is acceptable |
The proposal is unacceptable. | The proposal is unacceptable |
Table 2-4 Output description for the debugging ike dpd command
Field | Description |
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid; the I-Cookie value is I-Cookie |
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid; the R-Cookie value is R-Cookie |
DPD packet with sequence number seq-no is received. | A DPD packet with sequence number seq-no was received |
Retransmit DPD packet. | Retransmit the DPD packet |
Table 2-5 Output description for the debugging ike keepalive command
Field | Description |
Send keepalive packet with sequence number sequence number. | Send a keepalive packet with sequence number sequence number |
Sending packet to address,remote port remote-port,local port local-port. | Send the packet to address address; the remote port is remote-port and the local port is local-port |
Table 2-6 Output description for the debugging ike nat-keepalive command
Field | Description |
Sending packet to address,remote port remote-port,local port local-port. | Send the packet to address address; the remote port is remote-port and the local port is local-port |
【Examples】
# IKE-based IPsec policies are configured on two security gateways. If no matching IKE proposal is found during phase 1 IKE negotiation, the following debugging information is output after IKE error debugging is enabled.
<Sysname> debugging ike error
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; No acceptable transform.
// No acceptable transform
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; Failed to parse the IKE SA payload.
// Failed to parse the SA payload
# IKE-based IPsec policies are configured on two security gateways, with main mode as the phase 1 negotiation mode and pre-shared key authentication. When traffic triggers negotiation, the following debugging information is output after IKE event debugging is enabled.
<Sysname> debugging ike event
<Sysname> ping -c 1 192.168.222.5
PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break
*Aug 20 19:10:37:509 2012 Sysname IKE/7/EVENT: -MDC=1; Received SA acquire message from IPsec.
// Received the SA acquire message from IPsec
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IPsec SA state to IKE_P2_STATE_INIT.
// Set the phase 2 SA state to IKE_P2_STATE_INIT
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; No IKE SA found, initiate IKE SA negotiation.
// No phase 1 SA exists; initiate phase 1 SA negotiation
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Get profile profile1.
// Get profile profile1
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Initiator create a SA for peer 192.168.222.5, local port 500, remote port 500.
// The initiator created an SA; the peer address is 192.168.222.5, the local port is 500, and the remote port is 500
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IKE SA state to IKE_P1_STATE_INIT.
// Set the phase 1 SA state to IKE_P1_STATE_INIT
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.
// IKE thread 3083549648 processes a job
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Main mode exchange.
// Begin the main mode exchange
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; Found pre-shared key that matches address 192.168.222.5 in keychain keychain1.
// A pre-shared key matching address 192.168.222.5 was found in keychain keychain1
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
// The phase 1 SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3008052176 processes a job.
// IKE thread 3008052176 processes a job
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Oakley transform 1 is acceptable.
// Oakley transform 1 is acceptable
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID NAT-T rfc3947.
// Matched the vendor ID NAT-T rfc3947
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.
// The phase 1 SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:566 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.
// IKE thread 3083549648 processes a job
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID DPD.
// Matched the vendor ID DPD
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.
// The phase 1 SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.
// IKE thread 3075161040 processes a job
*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; Verify HASH successfully.
// HASH verification succeeded
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.
// The phase 1 SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.
// IKE thread 3075161040 processes a job
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Quick mode exchange.
// Begin the quick mode exchange
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
// The phase 2 SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3066772432 processes a job.
// IKE thread 3066772432 processes a job
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
// The phase 2 SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3033218000 processes a job.
// IKE thread 3033218000 processes a job
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Validate HASH(2) successfully.
// HASH(2) validation succeeded
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.
// Install the IPsec SAs
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; inbound flow: 192.168.222.5/32->192.168.222.71/32
// The inbound flow is 192.168.222.5/32->192.168.222.71/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; outbound flow: 192.168.222.71/32->192.168.222.5/32
// The outbound flow is 192.168.222.71/32->192.168.222.5/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime second: 3600
// The lifetime is 3600 seconds
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime kilobytes: 1843200
// The lifetime is 1843200 kilobytes
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; protocol: 51
inbound SPI: 54e4913
outbound SPI: 44213487
// 协议为51,入方向SPI为:54e4913,出方向SPI为:44213487
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.
// 二阶段SA状态从IKE_P2_STATE_SEND1到IKE_P2_STATE_SA_CREATED
*Aug 20 19:10:37:593 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE线程3087980192处理一个控制队列消息
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3041606608 processes a job.
// IKE线程3041606608处理一个job
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.
// 二阶段SA状态从IKE_P2_STATE_SA_CREATED到IKE_P2_STATE_ESTABLISHED
# IPsec policies of the IKE negotiation type are configured on two security gateways, with the phase 1 negotiation mode set to main mode and the authentication method set to pre-shared key. With the IKE packet debugging switch turned on, the following debugging information is output when traffic triggers the negotiation.
<Sysname> debugging ike packet
<Sysname> ping -c 1 192.168.222.5
PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.
// Encryption algorithm is 3DES-CBC
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Hash algorithm is HMAC-MD5.
// Hash algorithm is HMAC-MD5
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; DH group 1.
// DH group is 1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.
// Authentication method is pre-shared key
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.
// Lifetime is 86400
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform payload 1.
// Construct transform payload 1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct SA payload.
// Construct the SA payload
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T rfc3947 vendor ID payload.
// Construct the vendor ID payload for vendor ID NAT-T rfc3947
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft3 vendor ID payload.
// Construct the vendor ID payload for vendor ID NAT-T draft3
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft2 vendor ID payload.
// Construct the vendor ID payload for vendor ID NAT-T draft2
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft1 vendor ID payload.
// Construct the vendor ID payload for vendor ID NAT-T draft1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 local port 500, remote port 500.
// Send the packet to 192.168.222.5, local port 500, remote port 500
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 164
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 0000000000000000
// Next payload: SA
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 164
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 104
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: SA
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 104
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received IKE Security Association Payload.
// Received the SA payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.
// Received the vendor ID payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process SA payload.
// Process the SA payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Check ISAKMP transform 1.
// Check ISAKMP transform 1
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.
// Encryption algorithm is 3DES-CBC
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; HASH algorithm is HMAC-MD5.
// Hash algorithm is HMAC-MD5
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; DH group is 1.
// DH group is 1
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.
// Authentication method is pre-shared key
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.
// Lifetime is 86400
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Attribuites is acceptable.
// The attributes are acceptable
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.
// Process the vendor ID payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct KE payload.
// Construct the KE payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.
// Construct the NONCE payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-D payload.
// Construct the NAT-D payload
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Construct DPD vendor ID payload.
// Construct the DPD vendor ID payload
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 , remote port 500 ,local port 500.
// Send the packet to 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 208
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: KE
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 208
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 208
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: KE
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 208
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Key ExchangePayload.
// Received the ISAKMP Key Exchange payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.
// Received the ISAKMP Nonce payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.
// Received an ISAKMP NAT-D payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.
// Received an ISAKMP NAT-D payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.
// Received the ISAKMP Vendor ID payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process KE payload.
// Process the KE payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process NONCE payload.
// Process the NONCE payload
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID:
989e79e1 620ff603 a76bb9b9 7d88a19c
// SKEYID is 989e79e1 620ff603 a76bb9b9 7d88a19c
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_d:
6fd7bd8f faf8480a af6c4813 4011cadd
// SKEYID_d is 6fd7bd8f faf8480a af6c4813 4011cadd
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_a:
cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f
// SKEYID_a is cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_e:
795d3765 91083053 65cacc69 000ffe09
// SKEYID_e is 795d3765 91083053 65cacc69 000ffe09
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Extended SKEYID_e:
d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be
// Extended SKEYID_e is d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local generated new IV:
add7096a 4b961742
// Locally generated new IV is add7096a 4b961742
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Received 2 NAT-D payload.
// Received 2 NAT-D payloads
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID type: IPV4_ADDR.
// Local ID type is IPV4_ADDR
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID value: 192.168.222.71.
// Local ID value is 192.168.222.71
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct ID payload.
// Construct the ID payload
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Hash:
c5d733fa e6d1a6af ded56c05 de989aad
// HASH is c5d733fa e6d1a6af ded56c05 de989aad
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct authentication by pre-shared key.
// Generate the authentication data from the pre-shared key
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Construct INITIAL-CONTACT payload.
// Construct the INITIAL-CONTACT payload
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.
// Encrypt the packet
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
add7096a 4b961742
// Encryption IV is add7096a 4b961742
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption generated New IV: ae230a1d 7cb77287
// New IV generated during encryption is ae230a1d 7cb77287
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.
// Process the vendor ID payload
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send the packet to 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ENCRYPT]
message ID: 0
length: 92
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: ID
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ENCRYPT]
// Message ID: 0
// Length: 92
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5, source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1;
I-cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ENCRYPT]
message ID: 0
length: 60
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: ID
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ENCRYPT]
// Message ID: 0
// Length: 60
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.
// Decrypt the packet
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
ae230a1d 7cb77287
// Decryption IV is ae230a1d 7cb77287
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4c788f75 c7ad88ab
// New IV from the peer is 4c788f75 c7ad88ab
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload.
// Received the ISAKMP Identification payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.
// Received the ISAKMP Hash payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Process ID payload.
// Process the ID payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID type: IPV4_ADDR.
// Peer ID type is IPV4_ADDR
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID value: address 192.168.222.5.
// Peer ID value is 192.168.222.5
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Verify HASH payload.
// Verify the HASH payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; HASH:
f510f1f8 1d205e1c 9aa31c42 00b3ab9a
// HASH is f510f1f8 1d205e1c 9aa31c42 00b3ab9a
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Set attributes by phase 2 transform.
// Set the attributes from the phase 2 transform
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.
// Encapsulation mode is Tunnel
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in seconds
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.
// Lifetime is 3600
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in kilobytes
// Lifetime type is "Life type in kilobytes"
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.
// Lifetime is 1843200
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1
// Authentication algorithm is HMAC-SHA1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.
// Transform ID is HMAC-SHA1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform 1.
// Construct transform 1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec proposal 1.
// Construct IPsec proposal 1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec SA payload.
// Construct the IPsec SA payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.
// Construct the NONCE payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.
// Construct the IPsec ID payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.
// Construct the IPsec ID payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(1) payload.
// Construct the HASH(1) payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt packet.
// Encrypt the packet
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
836eddd9 ed30acf7
// Encryption IV is 836eddd9 ed30acf7
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
3b143591 5c647ff2
// New IV generated during encryption is 3b143591 5c647ff2
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send the packet to 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 156
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: HASH
// Version: ISAKMP Version 1.0
// Exchange mode: Quick
// Flags: [ENCRYPT]
// Message ID: 8a9c07c1
// Length: 156
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 156
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: HASH
// Version: ISAKMP Version 1.0
// Exchange mode: Quick
// Flags: [ENCRYPT]
// Message ID: 8a9c07c1
// Length: 156
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.
// Decrypt the packet
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
3b143591 5c647ff2
// Decryption IV is 3b143591 5c647ff2
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4914de5c 11d57f5c
// New IV from the peer is 4914de5c 11d57f5c
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.
// Received the ISAKMP Hash payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Security Association Payload.
// Received the ISAKMP Security Association payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.
// Received the ISAKMP Nonce payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).
// Received an ISAKMP Identification payload (IPsec DOI)
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).
// Received an ISAKMP Identification payload (IPsec DOI)
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process HASH payload.
// Process the HASH payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec SA payload.
// Process the IPsec SA payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Check IPsec proposal 1.
// Check IPsec proposal 1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Parse transform 1.
// Parse transform 1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.
// Encapsulation mode is Tunnel
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.
// Lifetime is 3600
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in kilobytes.
// Lifetime type is "Life type in kilobytes"
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.
// Lifetime is 1843200
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1.
// Authentication algorithm is HMAC-SHA1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.
// Transform ID is HMAC-SHA1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; The attributes are unacceptable.
// The attributes are acceptable
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.
// Process the IPsec ID payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.
// Process the IPsec ID payload
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(3) payload.
// Construct the HASH(3) payload
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.
// Encrypt the packet
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
4914de5c 11d57f5c
// Encryption IV is 4914de5c 11d57f5c
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
ecfa444e ed72ab05
// New IV generated during encryption is ecfa444e ed72ab05
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send the packet to 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 52
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: HASH
// Version: ISAKMP Version 1.0
// Exchange mode: Quick
// Flags: [ENCRYPT]
// Message ID: 8a9c07c1
// Length: 52
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
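As an added example that is not part of this command reference, the following Python script parses the ISAKMP header blocks that `debugging ike packet` prints (the nine headers above, re-embedded here as a constructed sample) and checks the sequence a healthy main-mode plus quick-mode negotiation must show: cleartext SA/SA/KE/KE messages, ENCRYPT set from message 5 onward, a zero R-Cookie only in the first message, and one non-zero quick-mode message ID. The findings list it returns tells you at which message a stalled or rejected negotiation stopped.

```python
"""Parse the ISAKMP header blocks printed by `debugging ike packet` and check the
main-mode / quick-mode sequence. Added example, not part of the command reference;
the sample trace is constructed from the output shown on this page."""
import re

STAMP = "*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;"
HDR_START = re.compile(r"^\*.* IKE/7/PACKET: -MDC=\d+;\s*$")
DIRECTION = re.compile(r"; (Sending packet to|Received packet from) ([^\s,]+)")
KV = re.compile(r"^([A-Za-z -]+?):\s*(.*)$")

def parse_headers(text):
    """One dict per header block: direction, peer, and the lower-cased fields
    (i-cookie, r-cookie, next payload, exchange mode, flags, message id, length)."""
    headers, direction, peer, lines, i = [], "?", "?", text.splitlines(), 0
    while i < len(lines):
        m = DIRECTION.search(lines[i])
        if m:  # the Sending/Received line precedes each header dump
            direction = "send" if m.group(1).startswith("Sending") else "recv"
            peer = m.group(2).rstrip(".")
        elif HDR_START.match(lines[i]):
            hdr, i = {"direction": direction, "peer": peer}, i + 1
            # field lines run until the next timestamped line or a // annotation
            while i < len(lines) and lines[i] and not lines[i].startswith(("*", "//")):
                if kv := KV.match(lines[i]):
                    hdr[kv.group(1).strip().lower()] = kv.group(2).strip()
                i += 1
            headers.append(hdr)
            continue
        i += 1
    return headers

def check_exchange(headers):
    """Findings for a trace; empty means a clean 6-message main mode followed
    by a 3-message quick mode, as on this page."""
    def enc(h):
        return "ENCRYPT" in h.get("flags", "")
    main, quick = ([h for h in headers if h.get("exchange mode") == m] for m in ("Main", "Quick"))
    findings = [f"msg {n}: I-Cookie changed mid-negotiation" for n, h in
                enumerate(headers, 1) if h.get("i-cookie") != headers[0].get("i-cookie")]
    # Main mode: msgs 1-4 cleartext (SA, SA, KE, KE), 5-6 carry ENCRYPT; the
    # R-Cookie is all zeros only in the initiator's first message.
    for n, (h, np) in enumerate(zip(main, ["SA", "SA", "KE", "KE", "ID", "ID"]), 1):
        if h.get("next payload") != np:
            findings.append(f"main mode msg {n}: next payload {h.get('next payload')}, expected {np}")
        if enc(h) != (n >= 5):
            findings.append(f"main mode msg {n}: ENCRYPT flag {'set' if enc(h) else 'missing'}")
        if (h.get("r-cookie") == "0" * 16) != (n == 1):
            findings.append(f"main mode msg {n}: unexpected R-Cookie {h.get('r-cookie')}")
    # Quick mode: every message encrypted, one non-zero message ID shared by all three
    ids = {h.get("message id") for h in quick}
    if quick and (len(ids) != 1 or "0" in ids):
        findings.append(f"quick mode message IDs inconsistent: {sorted(ids)}")
    findings += [f"quick mode msg {n}: ENCRYPT flag missing"
                 for n, h in enumerate(quick, 1) if not enc(h)]
    if len(main) != 6 or len(quick) != 3:
        findings.append(f"incomplete: {len(main)}/6 main mode, {len(quick)}/3 quick mode messages")
    return findings

def build_msg(direction, rcookie, next_payload, mode, flags, msg_id, length):
    """One send/receive block in the layout the device prints (constructed sample)."""
    head = ("Sending packet to 192.168.222.5 local port 500, remote port 500." if direction == "send"
            else "Received packet from 192.168.222.5 source port 500 destination port 500.")
    return "\n".join([f"{STAMP} {head}", STAMP, "I-Cookie: 3519bdda65bfeaaa", f"R-Cookie: {rcookie}",
                      f"next payload: {next_payload}", "version: ISAKMP Version 1.0",
                      f"exchange mode: {mode}", f"flags: {flags}", f"message ID: {msg_id}", f"length: {length}"])

R = "078711749a32520c"  # responder cookie from the trace above
SAMPLE_TRACE = "\n".join(build_msg(*m) for m in [
    ("send", "0" * 16, "SA", "Main", "[ ]", "0", 164), ("recv", R, "SA", "Main", "[ ]", "0", 104),
    ("send", R, "KE", "Main", "[ ]", "0", 208), ("recv", R, "KE", "Main", "[ ]", "0", 208),
    ("send", R, "ID", "Main", "[ENCRYPT]", "0", 92), ("recv", R, "ID", "Main", "[ENCRYPT]", "0", 60),
    ("send", R, "HASH", "Quick", "[ENCRYPT]", "8a9c07c1", 156),
    ("recv", R, "HASH", "Quick", "[ENCRYPT]", "8a9c07c1", 156),
    ("send", R, "HASH", "Quick", "[ENCRYPT]", "8a9c07c1", 52)])
```

Feed it the raw output of `debugging ike packet` captured from the terminal; the `//` annotation lines on this page are skipped automatically.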
3 IKEv2
3.1 IKEv2 debugging commands
3.1.1 debugging ikev2
【Command】
debugging ikev2 { { all | dpd | error | internal | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-name ] * ] } | pki }
undo debugging ikev2 { all | dpd | error | internal | nat-keepalive | packet | pki }
【Default】
IKEv2 debugging is disabled.
【View】
User view
【Default user role】
network-admin
【Parameters】
all: Specifies all IKEv2 debugging switches.
dpd: Specifies the IKEv2 DPD debugging switch.
error: Specifies the IKEv2 error debugging switch.
internal: Specifies the IKEv2 internal debugging switch.
nat-keepalive: Specifies the IKEv2 NAT keepalive debugging switch.
packet: Specifies the IKEv2 packet debugging switch.
pki: Specifies the IKEv2-related PKI debugging switch.
remote-address: Filters debugging information by remote address.
local-address: Filters debugging information by local address.
ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
remote-port port-number: Filters debugging information by remote port. port-number is the remote port number, in the range 0 to 65535.
vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private-network address members belong. vpn-instance-name is the name of the MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private-network address members do not belong to any VPN.
【Usage guidelines】
The debugging ikev2 command turns on the IKEv2 debugging switches. The undo debugging ikev2 command turns the IKEv2 debugging switches off.
Table 3-1 Output description for the debugging ikev2 error command
Field | Description |
Authorization failed. | IKEv2 failed to obtain AAA authorization attributes |
Failed to allocate PAM handle to user user-name. | IKEv2 failed to obtain an AAA PAM handle |
Invalid major version version. | The major version number in the IKEv2 packet is invalid |
The address pool overlaps with an existing address pool. | The address range of the newly configured local address pool conflicts with an existing local address pool |
Failed to compute ECDH shared key. | Failed to compute the ECDH shared key |
Received an invalid DH group. | The received IKEv2 packet carries an invalid or unsupported DH group number |
Required key length (keylen) over 255 times the length of the PRF output. | When computing keys, IKEv2 required a key length that exceeds 255 times the output length of the PRF algorithm |
Failed to compute keys. | Failed to compute the keys |
Failed to obtain hash algorithm. | Failed to obtain the hash algorithm from the crypto algorithm library |
Failed to obtain encryption algorithm. | Failed to obtain the encryption algorithm from crypto |
Failed to obtain private key. | Failed to obtain the DSA/RSA/EC private key |
Failed to obtain public key. | Failed to obtain the public key when signing the AUTH payload with a certificate |
Failed to compute local authentication data. | Failed to compute the local authentication data |
Failed to compute SKEYSEED. | Failed to compute the key seed |
Failed to compute keying material. | Failed to compute the keying material |
Failed to create IPsec keying material. | Failed to create the IPsec keying material |
Failed to verify peer's authentication data. | Failed to verify the peer's authentication data |
Invalid length (length) for hash-and-URL encoded certificate. | The length of the hash-and-URL encoded certificate is invalid |
A non-printable character exists in the URL of the hash-and-URL encoded certificate. Ignored the character and those that follow. | The URL in the hash-and-URL encoded certificate contains a non-printable character; that character and everything after it are ignored |
Invalid X509 digest length (length) in Certificate Request payload. | The X509 digest length in the Certificate Request payload is invalid |
Unsupported certificate request encoding type cert-encoding-type. | Unsupported certificate request encoding type |
No certificate exists in payload. | The payload contains no certificate |
Received an unsupported hash-and-URL encoded certificate. | Received a hash-and-URL encoded certificate from the peer, but the local end does not support that certificate format |
Failed to obtain a certificate from URL url. | Failed to obtain the certificate from the certificate server at the URL |
Unsupported certificate encoding type cert-encoding-type. | Unsupported certificate encoding type |
Failed to obtain certificate data. | Failed to obtain the authentication data |