06 2024 08 14:02:16

H3C IPsec Debug (Part 2) (the whole IPsec negotiation process; very useful for learning and troubleshooting)

IKE

2.1 IKE debugging commands

2.1.1 debugging ike

[Syntax]

debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ]

undo debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet }

[Default]

IKE debugging is disabled.

[Views]

User view

[Default user role]

network-admin

[Parameters]

all: Enables all IKE debugging switches.

dpd: Enables DPD debugging.

error: Enables error debugging.

event: Enables event debugging.

keepalive: Enables keepalive debugging.

nat-keepalive: Enables NAT keepalive debugging.

packet: Enables packet debugging.

remote-address: Filters debugging output by remote (peer) address.

local-address: Filters debugging output by local address.

ipv4-address: An IPv4 address.

ipv6 ipv6-address: An IPv6 address.

remote-port port-number: Filters debugging output by remote port number. port-number is the peer's port, in the range 0 to 65535.

vpn-instance vpn-instance-name: Filters debugging output by the VPN instance to which the private-network address members belong. vpn-instance-name is the name of an MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private-network address members do not belong to any VPN.

[Usage guidelines]

Use debugging ike to enable IKE debugging. Use undo debugging ike to disable IKE debugging.

Debugging output is only displayed on a terminal that has monitoring and debugging display enabled (terminal monitor and terminal debugging). On a gateway with many peers, narrow the output with remote-address (plus local-address, remote-port or vpn-instance as needed) instead of enabling all, and run undo debugging ike all when you are done.

Handle captured debug sessions as secrets: the packet switch prints SKEYID, SKEYID_a, SKEYID_d, SKEYID_e and the encryption and decryption IVs of the IKE SA (see Table 2-3), which is enough to decrypt the captured negotiation and derive the IPsec keys, so a saved debug log must be protected like the pre-shared key or private key itself.

The output fields of each switch are described in Tables 2-1 through 2-6 below.

Table 2-1 Output fields of the debugging ike error command

Field | Description
Failed to verify the peer signature. | Verification of the peer's signature failed.
HASH payload is missing. | No HASH payload was found in the IKE packet.
Failed to verify the peer HASH. | Verification of the peer's HASH failed.
Signature payload is missing. | No signature payload was found in the IKE packet.
Invalid SPI length (length) in DPD packet. | The SPI length in the DPD packet is invalid; the length is length.
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid; its value is I-Cookie.
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid; its value is R-Cookie.
The length (length) of DPD sequence number is invalid. | The length of the DPD sequence number is invalid; the length is length.
Invalid DPD sequence number (number). | The DPD sequence number is invalid; its value is number.
DPD packet retransmission timed out. | Retransmission of the DPD packet timed out.
Invalid IPv4 address length (length). | The IPv4 address length is invalid; the length is length.
Invalid IPv6 address length (length). | The IPv6 address length is invalid; the length is length.
Invalid ID of IPv4 address type: ID-IPv4 | The identity of IPv4 address type is invalid; its value is ID-IPv4.
Invalid ID of IPv6 address type: ID-IPv6 | The identity of IPv6 address type is invalid; its value is ID-IPv6.
Invalid FQDN ID length (length). | The length of the FQDN-type identity is invalid; the length is length.
Invalid user FQDN ID length (length). | The length of the user-FQDN-type identity is invalid; the length is length.
Failed to get DN because the certificate doesn't exist. | Failed to obtain the DN because the certificate does not exist.
Failed to get ID data for constructing ID payload. | Failed to obtain the ID data needed to construct the ID payload.
Invalid ID payload with protocol protocol-number and port port-number. | The ID payload is invalid; its protocol number is protocol-number and its port number is port-number.
Invalid ID type (ID-type). | The identity type is invalid; the type value is ID-type.
Failed to find proposal proposal-number in profile profile-name. | Proposal proposal-number was not found in IKE profile profile-name.
Failed to verify HASH for informational exchange. | Verification of the HASH in the informational exchange packet failed.
Failed to construct delete payload. | Failed to construct the delete payload.
Invalid SPI length. | The SPI length is invalid.
Protocol ID (ID) in delete payload is invalid. | The protocol ID in the delete payload is invalid; the protocol number is ID.
KE payload doesn't exist. | The KE payload does not exist.
Invalid KE payload length (length). | The KE payload length is invalid; the length is length.
Failed to construct notification payload for keepalive. | Failed to construct the notification payload when sending a keepalive packet.
Length (length) of the sequence number in keepalive packet is invalid. | The sequence number length in the keepalive packet is invalid; the length is length.
Length (length) of the HASH payload in keepalive packet is invalid. | The HASH payload length in the keepalive packet is invalid; the length is length.
Failed to calculate HASH for verification of keepalive packet. | The local end failed to calculate the HASH while verifying a keepalive packet.
Failed to add sequence number to keepalive packet. | Failed to add the sequence number while constructing a keepalive packet.
Failed to calculate HASH for keepalive. | Failed to calculate the HASH while constructing a keepalive packet.
Failed to float port. | Port floating (switching the UDP port) failed.
Length (length) of the nonce payload is invalid. | The nonce payload length is invalid; the length is length.
Failed to parse the certificate request payload. | Failed to parse the certificate request payload.
No available proposal. | No usable proposal was found.
Failed to get certificate. | Failed to obtain the certificate.
Failed to get private key. | Failed to obtain the private key.
Failed to construct ID payload. | Failed to construct the IPsec identity payload.
Failed to calculate hash-name. | HASH calculation failed; the HASH name is hash-name.
Failed to validate hash-name. | HASH verification failed; the HASH name is hash-name.
Failed to compute key material. | Key material computation failed.
Failed to install IPsec SA. | Failed to install the IPsec SA.
The nonce payload doesn't exist. | The nonce payload does not exist.
The KE payload doesn't exist. | The KE payload does not exist.
No valid DH group description in SA payload. | The SA payload contains no valid DH group.
There are too many KE payloads. | Too many KE payloads.
The length of the KE payload does't match the DH group description. | The KE payload length does not match the DH group description used for PFS.
Failed to construct NAT-OA payload. | Failed to construct the NAT-OA payload.
Failed to construct RESPONDER_LIFETIME payload. | Failed to construct the RESPONDER_LIFETIME payload.
Failed to construct KE payload. | Failed to construct the KE payload.
Failed to pad for encryption. | Padding the packet before encryption failed.
Failed to send data. Reason: error-reason. | Failed to send the packet; the error reason is error-reason.
No enough space in the packet for Non-ESP marker. | The packet is too large to add the Non-ESP marker.
Failed to decrypt the packet. | Packet decryption failed.
Non-zero message ID (Message-ID) in phase 1. | The phase 1 message ID is not 0; its value is Message-ID.
I-Cookie must not be zero. | The I-Cookie must not be 0.
The first packet of phase 1 is invalid: Encryption bit is set. | The first phase 1 packet is invalid: its encryption flag is set.
The first packet of phase 1 is invalid: Non-zero R-Cookie. | The first phase 1 packet is invalid: its R-Cookie is not 0.
Failed to parse phase 1 packet. Reason reason. | Failed to parse the phase 1 IKE packet; the reason is reason, one of the following:

·     INVALID_PAYLOAD_TYPE: invalid payload type

·     DOI_NOT_SUPPORTED: unsupported DOI field

·     SITUATION_NOT_SUPPORTED: unsupported situation field

·     INVALID_COOKIE: invalid cookie

·     INVALID_MAJOR_VERSION: invalid major version number

·     INVALID_MINOR_VERSION: invalid minor version number

·     INVALID_EXCHANGE_TYPE: invalid exchange type

·     INVALID_FLAGS: invalid flags

·     INVALID_MESSAGE_ID: invalid message ID

·     INVALID_PROTOCOL_ID: invalid protocol ID

·     INVALID_SPI: invalid SPI

·     INVALID_TRANSFORM_ID: invalid transform ID

·     ATTRIBUTES_NOT_SUPPORTED: unsupported attributes

·     NO_PROPOSAL_CHOSEN: no matching proposal

·     BAD_PROPOSAL_SYNTAX: proposal syntax error

·     PAYLOAD_MALFORMED: malformed payload

·     INVALID_KEY_INFORMATION: invalid key information

·     INVALID_ID_INFORMATION: invalid identity

·     INVALID_CERT_ENCODING: invalid certificate encoding

·     INVALID_CERTIFICATE: invalid certificate

·     CERT_TYPE_UNSUPPORTED: unsupported certificate type

·     INVALID_CERT_AUTHORITY: invalid certificate authority

·     INVALID_HASH_INFORMATION: invalid HASH

·     AUTHENTICATION_FAILED: authentication failed

·     INVALID_SIGNATURE: invalid signature

·     ADDRESS_NOTIFICATION: address notification

·     NOTIFY_SA_LIFETIME: SA lifetime notification

·     CERTIFICATE_UNAVAILABLE: certificate unavailable

·     UNSUPPORTED_EXCHANGE_TYPE: unsupported exchange type

·     UNEQUAL_PAYLOAD_LENGTHS: payload lengths do not match

The packet is dropped because of not being encrypted | The packet was dropped because it is not encrypted.
Failed to parse informational exchange packet. Reason reason. | Failed to parse the informational exchange packet; the reason is reason (same values as above).
Failed to parse keepalive packet because of reason. | Failed to parse the keepalive packet; the reason is reason (same values as above).
Unsupported exchange type (type) in packet. | Unsupported exchange type type, one of the following:

·     None: nonexistent exchange type

·     Base: base exchange

·     Main: main mode exchange

·     AO: authentication-only exchange

·     Aggressive: aggressive mode exchange

·     Info: informational exchange

·     Mode cfg: mode configuration exchange

Invalid Non-ESP marker: marker. | The Non-ESP marker is invalid; its value is marker.
The received packet is too short, which is length bytes. | The received packet is too short; its length is length bytes.
Failed to receive packet. | Failed to receive the packet.
Failed to bind UDP port port-number. Reason: reason. | Failed to bind UDP port port-number; the error reason is reason.
Failed to set UDP port port-number. Reason: reason. | Failed to set UDP port port-number; the error reason is reason.
Failed to add UDP port port-number to epoll. | Failed to add UDP port port-number to epoll.
Failed to initiate UDP port port-number. Error code: error-number. | Failed to initialize UDP port port-number; the error code is error-number.
byte-numberth byte of the structure struct-name must be 0. | Byte byte-number of structure struct-name must be 0.
Field-name of struct-name has an unknown value: value. | Field field-name of structure struct-name has an invalid value value.
field-name of struct-name has unknown members. | Field field-name of structure struct-name contains unknown members.
No enough bytes to get data2 from data1. | Not enough bytes to read data2 from data1.
No enough space in output packet for struct-name. | Not enough space in the output packet for structure struct-name.
No enough space to place length bytes of data-name in struct-name. | Not enough space in structure struct-name for length bytes of data-name.
No enough space to place data-name in struct-name. | Not enough space in structure struct-name for data-name.
Failed to add the HASH payload. | Failed to add the HASH payload.
Ignored the certificate request of type type-id. | The certificate request was ignored; its type is type-id.
Failed to get the certificate and key by certificate request. | Failed to obtain the certificate and key according to the certificate request.
Failed to verify the peer certificate. Reason: error-string. | Verification of the peer certificate failed; the error reason is error-string.
Failed to find keychain keychain-name in profile profile-name. | Keychain keychain-name was not found in IKE profile profile-name.
Failed to create IKE SA with core data. | Failed to create the phase 1 SA from core data.
Failed to create IPsec SA with core data. | Failed to create the phase 2 SA from core data.
Failed to receive smooth SA ACK from IPsec. | Failed to receive the SA smoothing acknowledgment from IPsec.
Number of negotiating IKE SAs exceeded the limit. | The number of IKE SAs being negotiated exceeded the limit.
Number of established IKE SAs exceeded the limit. | The number of established IKE SAs exceeded the limit.
Attribute attribute-name is repeated. | Attribute attribute-name is duplicated.
Failed to construct situation. | Failed to construct the situation field.
Failed to construct proposal payload. | Failed to construct the proposal payload.
Failed to construct transform payload. | Failed to construct the transform payload.
Failed to construct attributes. | Failed to construct the attributes.
Unsupported DOI doi | Unsupported DOI doi.
Proposal payload must be the last payload in SA payload, but payload-name payload is found following proposal payload. | The proposal payload must be the last payload in the SA payload, but a payload-name payload follows it.
Unexpected protocol ID (ID-type) found in proposal payload. | The protocol ID in the proposal payload is invalid; its value is ID-type.
Invalid SPI length (SPI-length) in proposal payload. | The SPI length in the proposal payload is invalid; it is SPI-length.
No transform payload in proposal payload. | The proposal payload contains no transform payload.
Transform number is not monotonically increasing. | Transform numbers are not monotonically increasing.
Invalid transform ID: id. | Invalid transform ID id.
No acceptable transform. | No acceptable transform was found.
Unexpected payload-name payload in proposal. | An unexpected payload-name payload appears in the proposal payload.
Only one transform is permitted in one proposal, but trans-count transforms are found. | Only one transform is allowed in the selected proposal payload, but trans-count were found.
Failed to parse the IKE SA payload. | Failed to parse the IKE SA payload.
Proposal payload has more transforms than specified in the proposal payload. | The proposal payload contains more transform payloads than the number it specifies.
Proposal payload has fewer transforms than specified in the proposal payload. | The proposal payload contains fewer transform payloads than the number it specifies.
Invalid next payload (payload-type) in transform payload. | The next payload field in the transform payload is invalid; the payload type is payload-type.
SA_LIFE_TYPE attribute must be in front of the SA_LIFE_DURATION attribute. | The SA_LIFE_TYPE attribute must precede the SA_LIFE_DURATION attribute.
Attribute attribute-type is repeated in IPsec transform trans-number. | An attribute of type attribute-type is duplicated in IPsec transform trans-number.
SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is duplicated in the packet.
Unsupported IPsec attribute attribute. | Unsupported IPsec attribute attribute.
SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message. | The SA_LIFE_TYPE IPsec attribute in the message is not followed by an SA_LIFE_DURATION attribute.
Encapsulation mode must be specified in IPsec transform. | The encapsulation mode must be specified in the IPsec transform.
AUTH_ALGORITHM attribute is missing in AH transform. | The AH transform has no AUTH_ALGORITHM attribute.
Transform ID (id) in transform trans-number doesn't match authentication algorithm auth-algo-name (auth-algo-value). | The transform ID does not match the authentication algorithm: the transform number is trans-number, the transform ID is id, and the authentication algorithm is auth-algo-name with value auth-algo-value.
Neither encryption algorithm nor authentication algorithm is specified in ESP proposal, which is not permitted. | The ESP proposal specifies neither an encryption algorithm nor an authentication algorithm, which is not allowed.
Unsupported ESP transform. | Unsupported ESP transform.
Unsupported ESP authentication algorithm. | Unsupported ESP authentication algorithm.
IPsec proposal with improper SPI size (size). | The SPI size in the IPsec proposal is wrong; the size is size.
IPsec proposal contains invalid SPI (SPI). | The SPI in the IPsec proposal is invalid; its value is SPI.
Failed to get SPI from IPsec proposal. | Failed to obtain the SPI from the IPsec proposal.
No transform in IPsec proposal. | The IPsec proposal contains no transform.
SA payload contains more than one AH proposal with the same proposal number. | The SA payload contains multiple AH proposals with the same proposal number.
SA payload contains more than one ESP proposal with the same proposal number. | The SA payload contains multiple ESP proposals with the same proposal number.
Invalid next payload (payload-type-num) in proposal. | The next payload field in the proposal payload is invalid; its type value is payload-type-num.
Unsupported IPsec DOI situation (situation-num). | Unsupported IPsec DOI situation; its value is situation-num.
Invalid IPsec proposal proposal-number. | The IPsec proposal is invalid; the proposal number is proposal-number.
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA. | Failed to obtain the IPsec policy while renegotiating the IPsec SA; the IPsec SA is deleted.
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA. | Failed to obtain the IPsec policy as the phase 2 responder; the IPsec SA is deleted.
No HASH in notification payload. | The notification payload contains no HASH.
Failed to send message to IPsec when getting SPI. | Failed to send a message to IPsec while obtaining the SPI.
Failed to send message to IPsec when adding SA. | Failed to send a message to IPsec while adding the SA.
Failed to send message to IPsec when deleting SA. | Failed to send a message to IPsec while deleting the SA.
Failed to send message to IPsec when getting SP. | Failed to send a message to IPsec while obtaining the SP.
Failed to send message to IPsec when adding DPD. | Failed to send a message to IPsec while adding DPD.
Failed to send message to IPsec when updating DPD. | Failed to send a message to IPsec while updating DPD.
Failed to send message to IPsec when deleting DPD. | Failed to send a message to IPsec while deleting DPD.
Failed to send message to IPsec when switching SA. | Failed to send a message to IPsec while switching the SA.
Failed to negotiate IKE SA. | IKE SA negotiation failed.
Failed to negotiate IPsec SA. | IPsec SA negotiation failed.
Errstring. Attribute attribute-name. | The error reason is errstring; the related attribute is attribute-name. errstring is one of the following:

·     Unsupported encryption algorithm: enc-alg: unsupported encryption algorithm enc-alg

·     Unsupported HASH algorithm: hash-alg: unsupported HASH algorithm hash-alg

·     Unsupported authentication method: auth-meth: unsupported authentication method auth-meth

·     Unsupported DH group: group-name: unsupported DH group group-name

·     Unsupported lifetime type: lifetime-type: unsupported lifetime type lifetime-type

·     OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute.: the OAKLEY_LIFE_DURATION attribute is not preceded by an OAKLEY_LIFE_TYPE attribute

·     OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute: the OAKLEY_KEY_LENGTH attribute is not preceded by an OAKLEY_ENCRYPTION_ALGORITHM attribute

·     OAKLEY_KEY_LENGTH attribute not match OAKLEY_ENCRYPTION_ALGORITHM.: the OAKLEY_KEY_LENGTH attribute does not match the OAKLEY_ENCRYPTION_ALGORITHM attribute

·     Failed to get encryption algorithm: failed to obtain the encryption algorithm

·     Unsupported OAKLEY attribute attribute: unsupported OAKLEY attribute attribute

Failed to match the proposal. | Proposal matching failed.
Received invalid SPI message from IPsec, but no IKE SA exists. | An invalid-SPI message was received from IPsec, but no IKE SA exists.
Failed to get subject name from certificate. | Failed to obtain the subject name from the certificate.
Failed to get local certificate. | Failed to obtain the local certificate.
Failed to send notification packet for deleting IPsec SA, because of no corresponding IKE SA. | Failed to send the notification packet when deleting the IPsec SA because no corresponding IKE SA was found.
Failed to construct certificate request payload. | Failed to construct the certificate request payload.
Unsupported attribute attribute-type. | Unsupported attribute; the attribute type is attribute-type.
Invalid major version(version). | The major version number is invalid; its value is version.
Constructed SA payload. | The SA payload was constructed.
Failed to get UDP socket. | Failed to obtain the UDP socket.
Failed to parse the Cert Request payload. | Failed to parse the certificate request payload.
No available proposal. | No usable security proposal was found.
Obtained profile ProfileName. | IKE profile ProfileName was obtained.
Deleted GDOI GM IKE SA. | The GDOI GM IKE SA was deleted.

 

Table 2-2 Output fields of the debugging ike event command

Field | Description
Signature verification succeeded. | Signature verification succeeded.
HASH verification succeeded. | HASH verification succeeded.
Delete IPsec SAs. | Delete the IPsec SAs.
Delete IKE SA with connection ID id. | Delete the phase 1 (IKE) SA whose connection ID is id.
Update DPD configuration in IKE SA. | Update the DPD configuration in the phase 1 SA.
Notify IPsec to add DPD. | Notify IPsec to add DPD.
Notify IPsec to delete DPD. | Notify IPsec to delete DPD.
Notify IPsec to update DPD. | Notify IPsec to update DPD.
Process interface interface-type interface-num active event. | Process the activation (up) event of interface interface-type interface-num.
Process interface interface-name deactive event. | Process the deactivation event of interface interface-type interface-num.
Process interface interface-name delete event. | Process the deletion event of interface interface-type interface-num.
The board chassis chassis-num slot slot-num is inserted. | A board was inserted into slot slot-num of member device chassis-num.
Protocol/port in phase 1 ID payload is protocol-number/port-number, which is acceptable. | The protocol/port in the phase 1 ID payload is protocol-number/port-number, which is acceptable.
Begin to construct IPsec SA delete packet. | Begin constructing the phase 2 SA delete packet.
Received IPsec SA delete packet. | A phase 2 SA delete packet was received.
Process delete payload. | Process the delete payload.
Ignore delete payload: packet not encrypted or IKE SA not established. | The delete payload is ignored: the packet is not encrypted or the phase 1 SA is not established.
Received SA acquire message from IPsec. | An SA acquire message was received from IPsec.
Received IPsec capability. | The IPsec capability (specifications) was received.
Received smooth IPsec SA ACK. | The IPsec SA smoothing acknowledgment was received.
IKE keepalive timed out. Delete IKE SA with connection ID id. | The IKE keepalive timer expired; the phase 1 SA with connection ID id is deleted.
Reset IKE keepalive timeout timer. New time value is time | The IKE keepalive timeout timer was reset; the new value is time.
I am behind NAT. | The local end is behind a NAT device.
Peer is behind NAT. | The peer is behind a NAT device.
No need to float port. | No port floating is needed.
Float port to local port local-port and remote port remote-port | Float the ports to local port local-port and remote port remote-port.
Sending DPD packet of type type with sequence number seq-no. | Sending a DPD packet of type type with sequence number seq-no.
Delete IKE SA by received notification. | Delete the phase 1 SA according to the received error notification.
INITIAL-CONTACT message is dropped because of not being encrypted. | The INITIAL-CONTACT message was dropped because it is not encrypted.
Delete redundant SA. | Delete the redundant SA.
Length (length) of notification packet is invalid. | The notification packet length is invalid; the length is length.
Protocol-ID (ID) of notification packet is unsupported. | The protocol ID in the notification packet is unsupported; its value is ID.
Notification notification-name is received. | Notification notification-name was received.
Inbound flow: dst-addr->src-addr | Inbound flow: destination address -> source address.
Outbound flow: src-addr->dst-addr | Outbound flow: source address -> destination address.
Validated hash-name successfully. | HASH verification succeeded; the HASH name is hash-name.
Getting IPsec message timed out. Delete IPsec SA. | Waiting for the IPsec message timed out; the phase 2 SA is deleted.
Protocol: protocol | The security protocol is protocol (AH or ESP).
Inbound SPI: in-spi | The inbound SPI is in-spi.
Outbound SPI: out-spi | The outbound SPI is out-spi.
Install IPsec SAs. | Install the IPsec SAs.
Lifetime in seconds: seconds | The SA lifetime is seconds seconds.
Lifetime in kilobytes: bytes | The SA lifetime is bytes kilobytes.
Phase 2 Exchange chooses role: Local is initiator. | Phase 2 exchange role selection: the local end is the initiator.
Phase 2 Exchange chooses role: Local is responder. | Phase 2 exchange role selection: the local end is the responder.
Begin Quick mode exchange. | Begin the quick mode exchange.
No enough space to send packet. | Not enough space to send the packet.
Retransmittion of phase 1 packet timed out. | Retransmission of the phase 1 packet timed out.
Ignore phase 1 packet retransmit timeout event. | The phase 1 packet retransmission timeout event is ignored.
Retransmittion of  phase 2 packet timed out. | Retransmission of the phase 2 packet timed out.
Ignore phase 2 packet retransmit timeout event. | The phase 2 packet retransmission timeout event is ignored.
Phase 1 Exchange chooses role: Local is initiator. | Phase 1 exchange role selection: the local end is the initiator.
Phase 1 Exchange chooses role: Local is responder. | Phase 1 exchange role selection: the local end is the responder.
Phase 1 packet is malformed: Not starting with an SA payload. | The phase 1 packet is malformed: it does not start with an SA payload.
Phase2 packet is malformed: Not starting with an HASH payload. | The phase 2 packet is malformed: it does not start with a HASH payload.
Quick mode packet is received, but IKE SA does not exist. | A quick mode packet was received, but no phase 1 SA exists.
Quick mode packet is received, but IKE SA is incomplete. | A quick mode packet was received, but the phase 1 SA is incomplete.
Ignored delete SA payload because the IKE SA is not established. | The delete SA payload was ignored because the IKE SA does not exist.
Ignored delete SA payload because the packet is not encrypted. | The delete SA payload was ignored because the packet is not encrypted.
Received informational exchange packet, but IKE SA is inexistent or incomplete. | An informational exchange packet was received, but the phase 1 SA does not exist or is incomplete.
Received keepalive packet, but IKE SA is not existed. | An IKE keepalive packet was received, but no phase 1 SA exists.
Received keepalive packet, but it is not encrypted. | An IKE keepalive packet was received, but it is not encrypted.
Received keepalive packet, but IKE SA is incomplete. | An IKE keepalive packet was received, but the phase 1 SA is incomplete.
Ignore NAT keepalive packet. | The NAT keepalive packet is ignored.
Initialize UDP port. | Initialize the UDP port.
PKI data had been changed. | The PKI data has changed.
Found pre-shared key that matches address address in keychain keychain-name. | A pre-shared key matching address address was found in keychain keychain-name.
Pre-shared key matching address address not found. | No pre-shared key matching address address was found.
Found keychain keychain-name in profile profile-name successfully. | Keychain keychain-name was found in IKE profile profile-name.
Get profile profile-name. | IKE profile profile-name was obtained.
Initiator created an SA for peer address, local port local-port, remote port remote-port. | The initiator created an SA for peer address with local port local-port and remote port remote-port.
Set IKE SA state to state-name. | Set the phase 1 SA state to state-name.
IKE SA state changed from state1 to state2. | The phase 1 SA state changed from state1 to state2.
Set IPsec SA state to state-name. | Set the phase 2 SA state to state-name.
IPsec SA state changed from state1 to state2. | The phase 2 SA state changed from state1 to state2.
Responder created an SA for peer address, local port local-port, remote port remote-port. | The responder created an SA for peer address with local port local-port and remote port remote-port.
Delete IPsec SA. | Delete the phase 2 SA.
Oakley transform trans-number is acceptable. | Oakley transform trans-number is acceptable.
Begin mode mode exchange. | Begin the IKE exchange in mode mode.
IKE SA not found. Initiate IKE SA negotiation. | No phase 1 SA exists; phase 1 SA negotiation is initiated.
IKE SA is prepared for renegotiation. | The phase 1 SA is ready for renegotiation.
IKE SA is expired. | The phase 1 SA lifetime has expired.
Renegotiation has already started for this IKE SA. | Renegotiation of this IKE SA has already started.
IKE SA with connection ID connection-id has expired, and it will be deleted. | The phase 1 SA with connection ID connection-id has expired and will be deleted.
IPsec SA is being negotiated. | The phase 2 SA is being negotiated.
IPsec SA has expired and will be deleted. | The phase 2 SA lifetime has expired; the SA is deleted.
IKE thread thread-id processes a job. | IKE thread thread-id is processing a job.
IKE thread thread-id processes a CTL-Queue msg. | IKE thread thread-id is processing a control-queue message.
Vendor ID vendor-id is matched. | Vendor ID vendor-id matched.
No vendor ID is matched. | No vendor ID matched.
IKE SA is soft expired(Timer handle: %u, Icookie: %s), renegotiate IKE SA. | The IKE SA's time-based soft lifetime has expired; renegotiation will be initiated.
IKE SA is soft expired(Timer handle: %u, Icookie: %s), no need to renegotiate IKE SA. | The IKE SA's time-based soft lifetime has expired; no renegotiation is needed.
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), will be renegotiated. | The IPsec SA's time-based soft lifetime has expired; renegotiation will be initiated.
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), no need to renegotiate. | The IPsec SA's time-based soft lifetime has expired; no renegotiation is needed.
IPsec SA is traffic expired(SPI:%u), will be renegotiated. | The IPsec SA's traffic-based soft lifetime has expired; renegotiation will be initiated.
IPsec SA is traffic expired(SPI:%u), no need to renegotiate. | The IPsec SA's traffic-based soft lifetime has expired; no renegotiation is needed.
Succeed to set responder-only flag for P1SA. | The responder-only flag was set on the phase 1 SA.
Succeed to set responder-only flag for P2SA. | The responder-only flag was set on the phase 2 SA.

 

Table 2-3 Output fields of the debugging ike packet command

Field | Description
Construct authentication data by pre-shared key. | Generate the authentication data from the pre-shared key.
Verify HASH payload. | Verify the HASH payload.
Construct authentication data by private key. | Generate the authentication data with the private key.
Verify signature payload. | Verify the signature payload.
DPD packet with sequence number sequence-number is received. | A DPD packet with sequence number sequence-number was received.
Retransmit DPD packet. | Retransmit the DPD packet.
Peer ID value: address address. | Peer ID value: address address.
Peer ID value: FQDN fqdn. | Peer ID value: FQDN fqdn.
Peer ID value: User FQDN user-fqdn. | Peer ID value: user FQDN user-fqdn.
Peer ID value: DN DN-value | Peer ID value: DN; the DN content is DN-value.
Peer ID type: ID-type (value). | Peer ID type: ID-type; the type value is value.
Local ID type: ID-type (value). | Local ID type: ID-type; the type value is value.
Local ID value: ID-value. | Local ID value: ID-value.
Construct ID payload. | Construct the ID payload.
The profile profile-name is matched. | IKE profile profile-name matched.
No profile is matched. | No IKE profile matched.
Process ID payload. | Process the ID payload.
Construct notification packet: notification-type. | Construct a notification packet of type notification-type.
Construct delete payload. | Construct the delete payload.
The phase 1 delete packet is received. | A phase 1 delete packet was received.
The cookies' length (length) is invalid. | The cookie length length is invalid.
Construct KE payload. | Construct the KE payload.
Process KE payload. | Process the KE payload.
Send keepalive packet with sequence number sequence-number. | Send an IKE keepalive packet with sequence number sequence-number.
Process keepalive packet with sequence number sequence-number. | Process the IKE keepalive packet with sequence number sequence-number.
Construct NAT-D payload. | Construct the NAT-D payload.
Received count NAT-D payloads. | count NAT-D payloads were received.
Construct NONCE payload. | Construct the NONCE payload.
Process NONCE payload. | Process the NONCE payload.
Construct INITIAL-CONTACT payload. | Construct the INITIAL-CONTACT payload.
Construct SA payload. | Construct the SA payload.
Construct IPsec ID payload. | Construct the IPsec ID payload.
Process HASH payload. | Process the HASH payload.
Construct IPsec SA payload. | Construct the IPsec SA payload.
Construct HASH(3) payload. | Construct the HASH(3) payload.
Process IPsec ID payload. | Process the IPsec ID payload.
Construct NAT-OA payload. | Construct the NAT-OA payload.
Process NAT-OA payload: address. | Process the NAT-OA payload; the address is address.
Received count NAT-OA payloads. | count NAT-OA payloads were received.
Construct IPsec RESPONDER_LIFETIME payload. | Construct the IPsec RESPONDER_LIFETIME payload.
Construct HASH(1) payload. | Construct the HASH(1) payload.
Collision of phase 2 negotiation is found. | A phase 2 negotiation collision was detected.
Construct HASH(2) payload. | Construct the HASH(2) payload.
I-Cookie: icookie / R-Cookie: rcookie / next payload: next-payload / version: version / exchange mode: mode / flags: [flag] / message ID: mid / length: length | The ISAKMP header of the packet:

·     Initiator cookie: icookie

·     Responder cookie: rcookie

·     Next payload: next-payload

·     ISAKMP version: version

·     Exchange mode: mode

·     Flags: flag

·     Message ID: mid

·     Packet length: length

Encrypt the packet. | Encrypt the packet.
Received payload-name. | Payload payload-name was received.
Sending packet to address, remote port remote-port, local port local-port. | Sending a packet to address with remote port remote-port and local port local-port.
Sending an IPv4 packet. | Sending an IPv4 packet.
Sending an IPv6 packet. | Sending an IPv6 packet.
Retransmit phase 1 packet. | Retransmit the phase 1 packet.
Retransmit phase 2 packet. | Retransmit the phase 2 packet.
Retransmit in response to duplicate packet. | Retransmit the corresponding response to a packet the peer resent.
Discard duplicate packet because of exhausted retransmission. | The local end has reached its maximum retransmission count; the duplicate packet is discarded without a response.
Discard duplicate packet with no response. | The duplicate packet sent by the peer is discarded without a response.
Collision of phase 1 negotiation is found. | A phase 1 negotiation collision was detected.
Decrypt the packet. | Decrypt the packet.
Begin a new phase 1 negotiation as responder. | Join a new phase 1 negotiation as the responder.
Parse informational exchange packet successfully. | The informational exchange packet was parsed successfully.
Received packet from address source port source-port destination port des-port. | A packet was received from address with source port source-port and destination port des-port.
Skipping length raw bytes of name1 to get name2. | Skip length bytes of payload name1 to reach the next payload name2.
Add certificate request payload subjectname. | Add a certificate request payload; the subject name is subjectname.
Construct certificate request payload. | Construct the certificate request payload.
Received certificate request payload that contains issuer name issuer-name. | A certificate request payload was received; the issuer name is issuer-name.
Process certificate request payload. | Process the certificate request payload.
The certificate request payload is empty. | The certificate request payload is empty.
Construct certificate payload. | Construct the certificate payload.
The profile profile-name is matched by remote certificate. | IKE profile profile-name matched through the peer certificate.
Process certificate payload. | Process the certificate payload.
Encryption algorithm is enc-algo. | The encryption algorithm is enc-algo.
HASH algorithm is hash-algo. | The HASH algorithm is hash-algo.
Authentication method is auth-method. | The authentication method is auth-method.
DH group is group. | The DH group is group.
Lifetime type is type. | The lifetime type is type, one of the following:

·     in seconds: time-based lifetime

·     in kilobytes: traffic-based lifetime

Life duration is value. | The lifetime is value.
Key length is length bytes. | The key length is length bytes.
Check ISAKMP transform trans-number. | Check ISAKMP transform trans-number.
Attributes is acceptable. | The attributes are acceptable.
Construct transfrom payload for transform trans-number. | Construct the transform payload for transform trans-number.
Encapsulation mode is mode. | The encapsulation mode is mode, one of the following:

·     Tunnel: tunnel mode

·     Transport: transport mode

·     Tunnel-UDP: UDP-encapsulated tunnel mode

·     Transport-UDP: UDP-encapsulated transport mode

Set attributes according to phase 2 transform. | Set the attributes according to the phase 2 transform.
Transform ID is id. | The transform ID is id.
Construct transform 1. | Construct transform 1.
Construct IPsec proposal proposal-number. | Construct IPsec proposal proposal-number.
Parse transform trans-number. | Parse transform trans-number.
The SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is duplicated in the packet.
Number of key rounds is round. | The number of key rounds is round.
Process IPsec SA payload. | Process the IPsec SA payload.
The attributes are unacceptable. | The attributes are not acceptable.
Construct vid-name vendor ID payload. | Construct the vendor ID payload; the vendor ID name is vid-name.
Process vendor ID payload. | Process the vendor ID payload.
HASH:value | The HASH is value.
SKEYID:value | SKEYID is value.
Extended Skeyid_e:value | The extended SKEYID_e is value.
Local generated new IV: value | The locally generated new IV is value.
SKEYID_a: value | SKEYID_a is value.
SKEYID_d: value | SKEYID_d is value.
SKEYID_e: value | SKEYID_e is value.
Encrypt IV: value | The encryption IV is value.
Encryption generated new IV: value | The new IV produced by encryption is value.
Decrypt IV: value | The decryption IV is value.
Remote new IV: value | The peer's new IV is value.
The proposal is acceptable. | The proposal is acceptable.
The proposal is unacceptable. | The proposal is not acceptable.
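The ISAKMP header fields that the packet debug prints (I-Cookie, R-Cookie, next payload, version, exchange mode, flags, message ID, length, Table 2-3) and the first-packet checks behind several rows of Table 2-1 (non-zero I-Cookie, zero R-Cookie and zero message ID in phase 1, encryption bit clear, SA payload first, Non-ESP marker on UDP 4500, packet too short, unequal lengths), as a small Python parser. This is an added example and not H3C code: the header layout follows RFC 2408 and the Non-ESP marker RFC 3948; the function names, the two constructed sample packets and the error strings (worded to mirror the table rows so that they can be matched against real debug output) are this example's own.

```python
import struct

ISAKMP_HDR_LEN = 28                  # fixed ISAKMP header, RFC 2408 section 3.1
NON_ESP_MARKER = b"\x00" * 4         # four zero bytes ahead of IKE on UDP 4500, RFC 3948
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04   # RFC 2408 flag bits

# Exchange types (RFC 2408 / RFC 2409); 6 is the config-mode transaction
# exchange that the debug output calls "Mode cfg"
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Main", 3: "AO", 4: "Aggressive",
                  5: "Info", 6: "Mode cfg", 32: "Quick", 33: "New Group"}
PAYLOAD_SA = 1                       # next-payload value of the SA payload, RFC 2408


def parse_isakmp_header(datagram: bytes, dst_port: int = 500) -> dict:
    """Strip the Non-ESP marker when the datagram arrived on UDP 4500 and
    unpack the 28-byte ISAKMP header.  Raises ValueError with a message
    that mirrors the matching debugging ike error row."""
    body = datagram
    if dst_port == 4500:
        if body[:4] != NON_ESP_MARKER:
            raise ValueError(f"Invalid Non-ESP marker: {body[:4].hex()}")
        body = body[4:]
    if len(body) < ISAKMP_HDR_LEN:
        raise ValueError(f"The received packet is too short, which is {len(datagram)} bytes.")
    icookie, rcookie, nxt, ver, xchg, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", body[:ISAKMP_HDR_LEN])
    return {"i_cookie": icookie, "r_cookie": rcookie, "next_payload": nxt,
            "major": ver >> 4, "minor": ver & 0x0F, "exchange": xchg,
            "flags": flags, "message_id": mid, "length": length, "payload": body}


def check_phase1_first_packet(hdr: dict) -> list:
    """Sanity checks for the first message of a phase 1 exchange (main or
    aggressive mode, message 1).  Returns the list of error strings; an
    empty list means the header is acceptable."""
    errors = []
    if hdr["i_cookie"] == b"\x00" * 8:
        errors.append("I-Cookie must not be zero.")
    if hdr["r_cookie"] != b"\x00" * 8:
        errors.append("The first packet of phase 1 is invalid: Non-zero R-Cookie.")
    if hdr["flags"] & FLAG_ENCRYPTION:
        errors.append("The first packet of phase 1 is invalid: Encryption bit is set.")
    if hdr["message_id"] != 0:
        errors.append(f"Non-zero message ID (0x{hdr['message_id']:08x}) in phase 1.")
    if hdr["major"] != 1:
        errors.append(f"Invalid major version({hdr['major']}).")
    xchg = EXCHANGE_TYPES.get(hdr["exchange"])
    if xchg not in ("Main", "Aggressive"):
        errors.append(f"Unsupported exchange type ({xchg or hdr['exchange']}) in packet.")
    if hdr["next_payload"] != PAYLOAD_SA:
        errors.append("Phase 1 packet is malformed: Not starting with an SA payload.")
    if hdr["length"] != len(hdr["payload"]):     # header length vs. bytes actually received
        errors.append("Failed to parse phase 1 packet. Reason UNEQUAL_PAYLOAD_LENGTHS.")
    return errors


def build_header(i_cookie, r_cookie, next_payload, exchange, flags, message_id, body=b""):
    """Constructed test input: an ISAKMP header (version 1.0) over `body`."""
    return struct.pack("!8s8sBBBBII", i_cookie, r_cookie, next_payload, 0x10,
                       exchange, flags, message_id, ISAKMP_HDR_LEN + len(body)) + body


# Constructed samples: a well-formed main mode message 1 (SA payload first,
# R-Cookie and message ID zero, nothing encrypted), and the same header with
# the mistakes that Table 2-1 reports on.
ICOOKIE = bytes.fromhex("0123456789abcdef")
GOOD_MM1 = build_header(ICOOKIE, b"\x00" * 8, PAYLOAD_SA, 2, 0, 0, b"\x00" * 8)
BAD_MM1 = build_header(ICOOKIE, bytes.fromhex("fedcba9876543210"), 8, 2,
                       FLAG_ENCRYPTION, 0x1234, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_MM1), ("bad", BAD_MM1)):
        hdr = parse_isakmp_header(pkt)
        print(name, EXCHANGE_TYPES[hdr["exchange"]], check_phase1_first_packet(hdr) or "OK")
```

The length check is the cheap one a parser must do before touching any payload: the header's length field is attacker-controlled and, unlike the cookie and flag checks, a mismatch here is what the UNEQUAL_PAYLOAD_LENGTHS and "too short" rows of Table 2-1 are protecting against.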

 

Table 2-4 Output fields of the debugging ike dpd command

Field | Description
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid; its value is I-Cookie.
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid; its value is R-Cookie.
DPD packet with sequence number seq-no is received. | A DPD packet with sequence number seq-no was received.
Retransmit DPD packet. | Retransmit the DPD packet.

 

Table 2-5 Output fields of the debugging ike keepalive command

Field | Description
Send keepalive packet with sequence number sequence number. | Send a keepalive packet with sequence number sequence number.
Sending packet to address,remote port remote-port,local port local-port. | Sending a packet to address with remote port remote-port and local port local-port.

 

Table 2-6 Output fields of the debugging ike nat-keepalive command

Field | Description
Sending packet to address,remote port remote-port,local port local-port. | Sending a packet to address with remote port remote-port and local port local-port.

 

【举例】

#在两个安全网关上配置了IKE协商类型的IPsec策略,在一阶段IKE协商过程中,若未找到匹配的IKE proposal,则打开IKE错误调试信息开关后将输出以下调试信息。

<Sysname> debugging ike error

*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; No acceptable transform.

// 没有可以接受的transform

*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; Failed to parse the IKE SA payload.

// 解析SA载荷失败

#在两个安全网关上配置了IKE协商类型的IPsec策略,若配置一阶段协商模式为主模式,认证方法为预共享密钥认证,则当有流量触发协商时,打开IKE事件调试信息开关后将输出以下调试信息。

<Sysname> debugging ike event

<Sysname> ping -c 1 192.168.222.5

PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break

*Aug 20 19:10:37:509 2012 Sysname IKE/7/EVENT: -MDC=1; Received SA acquire message from IPsec.

// 收到IPsec的SA请求消息

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IPsec SA state to IKE_P2_STA

TE_INIT.

// 设置二阶段SA状态为IKE_P2_STATE_INIT

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; No IKE SA found, initiate IKE SA negotiation.

// 没有一阶段SA,发起一阶段SA的协商

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Get profile profile1.

// 获取profile profile1

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Initiator create a SA for peer 192.168.222.5, local port 500, remote port 500.

// 发起方创建SA,对端地址为192.168.222.5,本端端口为500,对端端口为500

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IKE SA state to IKE_P1_STATE_INIT.

// 设置一阶段SA状态为IKE_P1_STATE_INIT

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.

// IKE线程3083549648处理一个job

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Main mode exchange.

// 开始主模式协商

*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; Found pre-shared key that matches address 192.168.222.5 in keychain keychain1.

// 在keychain keychain1中找到了预共享密钥,预共享密钥匹配地址192.168.222.5

*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.

 

// 一阶段SA状态从IKE_P1_STATE_INIT到IKE_P1_STATE_SEND1

*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3008052176 processes a job.

// IKE线程3008052176处理一个job

*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Oakley transform 1 is acceptable.

// Oakley transform是可接受的,transform号为1

*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID NAT-T rfc3947.

// 匹配上vendor ID NAT-T rfc3947

*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.

// 一阶段SA状态从IKE_P1_STATE_SEND1到IKE_P1_STATE_SEND3

*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:566 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.

// IKE线程3083549648处理一个job

*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID DPD.

// 匹配上vendor ID DPD

*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.

// 一阶段SA状态从IKE_P1_STATE_SEND3到IKE_P1_STATE_SEND5

*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.

// IKE线程3075161040处理一个job

*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; Verify HASH successfully.

// 验证HASH成功

*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.

// 一阶段SA状态从IKE_P1_STATE_SEND5到IKE_P1_STATE_ESTABLISHED

*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 process

es a job.

// IKE线程3075161040处理一个job

*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Quick mode exchange.

// Begin the quick mode exchange

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE thread 3087980192 processes a control-queue message

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.

// Phase 2 SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE thread 3087980192 processes a control-queue message

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3066772432 processes a job.

// IKE thread 3066772432 processes a job

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.

// Phase 2 SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE thread 3087980192 processes a control-queue message

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3033218000 processes a job.

// IKE thread 3033218000 processes a job

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Validate HASH(2) successfully.

// HASH(2) validated successfully

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.

// Install the IPsec SAs

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   inbound flow: 192.168.222.5/32->192.168.222.71/32

// Inbound flow: 192.168.222.5/32->192.168.222.71/32

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   outbound flow: 192.168.222.71/32->192.168.222.5/32

// Outbound flow: 192.168.222.71/32->192.168.222.5/32

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   Lifetime second: 3600

// Lifetime: 3600 seconds

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   Lifetime kilobytes: 1843200

// Lifetime: 1843200 kilobytes

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   protocol: 51

  inbound SPI: 54e4913

   outbound SPI: 44213487

// Protocol 51; inbound SPI 54e4913; outbound SPI 44213487

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.

// Phase 2 SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED

*Aug 20 19:10:37:593 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE thread 3087980192 processes a control-queue message

*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3041606608 processes a job.

// IKE thread 3041606608 processes a job

*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.

// Phase 2 SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED
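When a negotiation stalls, the useful question is which state transition never happened. The following is an added example (not H3C code and not part of the original output) that reconstructs the phase 1 and phase 2 state sequences, the matched vendor IDs and the installed IPsec SA from `debugging ike event` lines such as those above, and reports any transition whose starting state is not the previous ending state (missing lines or a re-created SA). The sample lines are copied from the output above with the extraction line wraps re-joined; the function and field names are this example's own assumptions.

```python
"""Reconstruct the IKE state machine from "debugging ike event" output.

Added example, not H3C code. It tracks phase 1 / phase 2 transitions,
checks that each transition starts where the previous one ended and
collects the IPsec SA that "Install IPsec SAs" reports.
"""
import re

PREFIX = re.compile(r"^\*\S+ \d+ [\d:]+ \d{4} \S+ IKE/7/EVENT: -MDC=\d+;\s*(?P<msg>.*)$")
TRANSITION = re.compile(r"^(IKE|IPsec) SA state changed from (\S+) to (\S+)\.$")
VENDOR = re.compile(r"^Match the vendor ID (.+)\.$")
FLOW = re.compile(r"^(inbound|outbound) flow: (\S+)->(\S+)$")
LIFETIME = re.compile(r"^Lifetime (second|kilobytes): (\d+)$")
PROTO = re.compile(r"^protocol: (\d+)$")
SPI = re.compile(r"^(inbound|outbound) SPI: ([0-9a-f]+)$")


def summarize_ike_events(lines):
    """Return phase 1/2 state sequences, vendor IDs, installed SA details and gaps."""
    res = {"phase1": [], "phase2": [], "vendor_ids": [], "sa": {}, "gaps": []}
    for raw in lines:
        m = PREFIX.match(raw)
        # Continuation lines (the SPI lines) carry no prefix; use them as-is.
        text = (m.group("msg") if m else raw).strip()
        if t := TRANSITION.match(text):
            key = "phase1" if t.group(1) == "IKE" else "phase2"
            seq = res[key]
            # A "from" state that is not the last "to" state means lines are
            # missing or the SA was re-created: record it as a gap.
            if seq and seq[-1] != t.group(2):
                res["gaps"].append((key, seq[-1], t.group(2)))
            if not seq or seq[-1] != t.group(2):
                seq.append(t.group(2))
            seq.append(t.group(3))
        elif v := VENDOR.match(text):
            res["vendor_ids"].append(v.group(1))
        elif f := FLOW.match(text):
            res["sa"][f.group(1) + "_flow"] = (f.group(2), f.group(3))
        elif lt := LIFETIME.match(text):
            res["sa"]["lifetime_" + lt.group(1)] = int(lt.group(2))
        elif p := PROTO.match(text):
            res["sa"]["protocol"] = int(p.group(1))
        elif s := SPI.match(text):
            res["sa"][s.group(1) + "_spi"] = s.group(2)
    res["p1_established"] = res["phase1"][-1:] == ["IKE_P1_STATE_ESTABLISHED"]
    res["p2_established"] = res["phase2"][-1:] == ["IKE_P2_STATE_ESTABLISHED"]
    return res


# Sample copied from the page's event output (abbreviated; line wraps re-joined).
SAMPLE = """\
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID NAT-T rfc3947.
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID DPD.
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   inbound flow: 192.168.222.5/32->192.168.222.71/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   outbound flow: 192.168.222.71/32->192.168.222.5/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   Lifetime second: 3600
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   Lifetime kilobytes: 1843200
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1;   protocol: 51
  inbound SPI: 54e4913
   outbound SPI: 44213487
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.
"""


def run_sample():
    return summarize_ike_events(SAMPLE.splitlines())


if __name__ == "__main__":
    print(run_sample())
```

On a capture from a failing tunnel the last entry of `phase1` or `phase2` is the state the device was waiting in; an entry in `gaps` means the capture is incomplete or the SA was torn down and rebuilt in between.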

 

# With an IKE-negotiated IPsec policy configured on both security gateways, the phase 1 negotiation mode set to main mode and the authentication method set to pre-shared key, the following debugging information is output when the IKE packet debugging switch is on and traffic triggers the negotiation.

<Sysname> debugging ike packet

<Sysname> ping -c 1  192.168.222.5

PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Encryption algorithm is 3DES-CBC.

// Encryption algorithm: 3DES-CBC

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Hash algorithm is HMAC-MD5.

// Hash algorithm: HMAC-MD5

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   DH group 1.

// DH group: 1

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Authentication method is Pre-shared key.

// Authentication method: pre-shared key

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Lifetime type is Life type in seconds.

// Lifetime type: life type in seconds

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 86400.

// Life duration: 86400

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform payload 1.

// Construct the transform payload; transform number 1

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct SA payload.

// Construct the SA payload

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T rfc3947 vendor ID payload.

// Construct the vendor ID payload; vendor ID name NAT-T rfc3947

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft3 vendor ID payload.

// Construct the vendor ID payload; vendor ID name NAT-T draft3

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft2 vendor ID payload.

// Construct the vendor ID payload; vendor ID name NAT-T draft2

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft1 vendor ID payload.

// Construct the vendor ID payload; vendor ID name NAT-T draft1

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 local port 500, remote port 500.

// Send the packet to 192.168.222.5, local port 500, remote port 500

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 0000000000000000

  next payload: SA

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: [ ]

  message ID: 0

  length: 164

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 0000000000000000

// Next payload: SA

// Version: ISAKMP Version 1.0

// Exchange mode: Main

// Flags: [ ]

// Message ID: 0

// Length: 164

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// Send an IPv4 packet

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.

// Received a packet from 192.168.222.5, source port 500, destination port 500

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: SA

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: [ ]

  message ID: 0

  length: 104

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: SA

// Version: ISAKMP Version 1.0

// Exchange mode: Main

// Flags: [ ]

// Message ID: 0

// Length: 104

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received IKE Security Association Payload.

// Received the SA payload

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.

// Received the vendor ID payload

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process SA payload.

// Process the SA payload

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Check ISAKMP transform 1.

// Check the ISAKMP transform; transform number 1

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;   Encryption algorithm is 3DES-CBC.

// Encryption algorithm: 3DES-CBC

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;   HASH algorithm is HMAC-MD5.

// Hash algorithm: HMAC-MD5

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;   DH group is 1.

// DH group: 1

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;   Authentication method is Pre-shared key.

// Authentication method: pre-shared key

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;   Lifetime type is Life type in seconds.

// Lifetime type: life type in seconds

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 86400.

// Life duration: 86400

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Attribuites is acceptable.

// The attributes are acceptable

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.

// Process the vendor ID payload

*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct KE payload.

// Construct the KE payload

*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.

// Construct the NONCE payload

*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-D payload.

// Construct the NAT-D payload

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Construct DPD vendor ID payload.

// Construct the DPD vendor ID payload

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 , remote port 500 ,local port 500.

// Send the packet to 192.168.222.5, remote port 500, local port 500

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: KE

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: [ ]

  message ID: 0

  length: 208

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: KE

// Version: ISAKMP Version 1.0

// Exchange mode: Main

// Flags: [ ]

// Message ID: 0

// Length: 208

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// Send an IPv4 packet

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.

// Received a packet from 192.168.222.5, source port 500, destination port 500

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: KE

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: [ ]

  message ID: 0

  length: 208

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: KE

// Version: ISAKMP Version 1.0

// Exchange mode: Main

// Flags: [ ]

// Message ID: 0

// Length: 208

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Key ExchangePayload.

// Received the ISAKMP Key Exchange payload

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.

// Received the ISAKMP Nonce payload

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.

// Received the ISAKMP NAT-D payload

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.

// Received the ISAKMP NAT-D payload

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.

// Received the ISAKMP vendor ID payload

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process KE payload.

// Process the KE payload

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process NONCE payload.

// Process the NONCE payload

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID:

 989e79e1 620ff603 a76bb9b9 7d88a19c

// SKEYID: 989e79e1 620ff603 a76bb9b9 7d88a19c

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_d:

 6fd7bd8f faf8480a af6c4813 4011cadd

// SKEYID_d: 6fd7bd8f faf8480a af6c4813 4011cadd

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_a:

 cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f

// SKEYID_a: cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_e:

 795d3765 91083053 65cacc69 000ffe09

// SKEYID_e: 795d3765 91083053 65cacc69 000ffe09

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Extended SKEYID_e:

 d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be

// Extended SKEYID_e: d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local generated new IV:

 add7096a 4b961742

// Locally generated new IV: add7096a 4b961742

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Received 2 NAT-D payload.

// Received NAT-D payloads; count 2

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID type: IPV4_ADDR.

// Local ID type: IPV4_ADDR

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID value: 192.168.222.71.

// Local ID value: 192.168.222.71

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct ID payload.

// Construct the ID payload

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Hash:

 c5d733fa e6d1a6af ded56c05 de989aad

// HASH: c5d733fa e6d1a6af ded56c05 de989aad

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct authentication by pre-shared key.

// Generate the authentication data from the pre-shared key

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Construct INITIAL-CONTACT payload.

// Construct the INITIAL-CONTACT payload

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.

// Encrypt the packet

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:

 add7096a 4b961742

// Encryption IV: add7096a 4b961742

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption generated New IV: ae230a1d 7cb77287

// New IV generated by encryption: ae230a1d 7cb77287

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.

// Process the vendor ID payload

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.

// Send the packet to 192.168.222.5, remote port 500, local port 500

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: ID

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: [ENCRYPT]

  message ID: 0

  length: 92

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: ID

// Version: ISAKMP Version 1.0

// Exchange mode: Main

// Flags: [ENCRYPT]

// Message ID: 0

// Length: 92

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// Send an IPv4 packet

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5, source port 500 destination port 500.

// Received a packet from 192.168.222.5, source port 500, destination port 500

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: ID

  version: ISAKMP Version 1.0

  exchange mode: Main

  flags: [ENCRYPT]

  message ID: 0

  length: 60

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: ID

// Version: ISAKMP Version 1.0

// Exchange mode: Main

// Flags: [ENCRYPT]

// Message ID: 0

// Length: 60

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.

// Decrypt the packet

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:

 ae230a1d 7cb77287

// Decryption IV: ae230a1d 7cb77287

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:

 4c788f75 c7ad88ab

// Remote new IV: 4c788f75 c7ad88ab

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload.

// Received the ISAKMP Identification payload

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.

// Received the ISAKMP Hash payload

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Process ID payload.

// Process the ID payload

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID type: IPV4_ADDR.

// Peer ID type: IPV4_ADDR

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID value: address 192.168.222.5.

// Peer ID value: 192.168.222.5

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Verify HASH payload.

// Verify the HASH payload

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; HASH:

 f510f1f8 1d205e1c 9aa31c42 00b3ab9a

// HASH: f510f1f8 1d205e1c 9aa31c42 00b3ab9a

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Set attributes by phase 2 transform.

// Set the attributes according to the phase 2 transform

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Encapsulation mode is Tunnel.

// Encapsulation mode: Tunnel

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Life type in seconds

// Lifetime type: life type in seconds

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 3600.

// Life duration: 3600

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Life type in kilobytes

// Lifetime type: life type in kilobytes

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 1843200.

// Life duration: 1843200

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Authentication algorithm is HMAC-SHA1

// Authentication algorithm: HMAC-SHA1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Transform ID is HMAC-SHA1.

// Transform ID: HMAC-SHA1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform 1.

// Construct transform 1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec proposal 1.

// Construct the IPsec proposal; proposal number 1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec SA payload.

// Construct the IPsec SA payload

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.

// Construct the NONCE payload

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.

// Construct the IPsec ID payload

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.

// Construct the IPsec ID payload

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(1) payload.

// Construct the HASH(1) payload

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt packet.

// Encrypt the packet

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:

 836eddd9 ed30acf7

// Encryption IV: 836eddd9 ed30acf7

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:

 3b143591 5c647ff2

// New IV generated by encryption: 3b143591 5c647ff2

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.

// Send the packet to 192.168.222.5, remote port 500, local port 500

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: [ENCRYPT]

  message ID: 8a9c07c1

  length: 156

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: HASH

// Version: ISAKMP Version 1.0

// Exchange mode: Quick

// Flags: [ENCRYPT]

// Message ID: 8a9c07c1

// Length: 156

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// Send an IPv4 packet

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.

// Received a packet from 192.168.222.5, source port 500, destination port 500

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: [ENCRYPT]

  message ID: 8a9c07c1

  length: 156

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: HASH

// Version: ISAKMP Version 1.0

// Exchange mode: Quick

// Flags: [ENCRYPT]

// Message ID: 8a9c07c1

// Length: 156

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.

// Decrypt the packet

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:

 3b143591 5c647ff2

// Decryption IV: 3b143591 5c647ff2

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:

 4914de5c 11d57f5c

// Remote new IV: 4914de5c 11d57f5c

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.

// Received the ISAKMP Hash payload

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Security Association Payload.

// Received the ISAKMP Security Association payload

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.

// Received the ISAKMP Nonce payload

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).

// Received the ISAKMP Identification payload (IPsec DOI)

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).

// Received the ISAKMP Identification payload (IPsec DOI)

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process HASH payload.

// Process the HASH payload

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec SA payload.

// Process the IPsec SA payload

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Check IPsec proposal 1.

// Check the IPsec proposal; proposal number 1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Parse transform 1.

// Parse the transform; transform number 1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Encapsulation mode is Tunnel.

// Encapsulation mode: Tunnel

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Lifetime type is Life type in seconds.

// Lifetime type: life type in seconds

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 3600.

// Life duration: 3600

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Lifetime type is Life type in kilobytes.

// Lifetime type: life type in kilobytes

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 1843200.

// Life duration: 1843200

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Authentication algorithm is HMAC-SHA1.

// Authentication algorithm: HMAC-SHA1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;   Transform ID is HMAC-SHA1.

// Transform ID: HMAC-SHA1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; The attributes are unacceptable.

// The attributes are acceptable

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.

// Process the IPsec ID payload

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.

// Process the IPsec ID payload

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(3) payload.

// Construct the HASH(3) payload

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.

// Encrypt the packet

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:

 4914de5c 11d57f5c

// Encryption IV: 4914de5c 11d57f5c

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:

 ecfa444e ed72ab05

// New IV generated by encryption: ecfa444e ed72ab05

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.

// Send the packet to 192.168.222.5, remote port 500, local port 500

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1;

  I-Cookie: 3519bdda65bfeaaa

  R-Cookie: 078711749a32520c

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: [ENCRYPT]

  message ID: 8a9c07c1

  length: 52

// Initiator cookie: 3519bdda65bfeaaa

// Responder cookie: 078711749a32520c

// Next payload: HASH

// Version: ISAKMP Version 1.0

// Exchange mode: Quick

// Flags: [ENCRYPT]

// Message ID: 8a9c07c1

// Length: 52

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// Send an IPv4 packet
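The packet debugging output above shows everything a reviewer needs to judge a tunnel: the ISAKMP header of each message (exchange mode, whether the ENCRYPT flag is set, the message ID that separates the quick-mode exchange from main mode) and the proposed phase 1 and phase 2 attributes. The following is an added example (not H3C code and not part of the original output) that parses those header dumps and attribute lines, groups messages by exchange mode, and flags phase 1 choices that fall below a modern baseline (3DES-CBC, HMAC-MD5 and DH group 1 in this capture). The sample lines are copied from the output above with line wraps re-joined; the WEAK table is this example's own policy and every function name is its own assumption.

```python
"""Audit H3C "debugging ike packet" output. Added example, not H3C code.

Parses ISAKMP header dumps and transform attribute lines, groups the
messages by exchange and flags weak phase 1 algorithms.
"""
import re

PREFIX = re.compile(r"^\*\S+ \d+ [\d:]+ \d{4} \S+ IKE/7/PACKET: -MDC=\d+;\s*(?P<msg>.*)$")
DIRECTION = re.compile(r"^(Sending packet to|Received packet from) ([0-9a-fA-F.:]+)")
HEADER_FIELD = re.compile(r"^\s*(I-Cookie|R-Cookie|next payload|version|exchange mode|flags|"
                          r"message ID|length): (.+)$", re.IGNORECASE)
ATTR = re.compile(r"^\s*(Encryption algorithm|Hash algorithm|Authentication algorithm|"
                  r"Authentication method|Encapsulation mode|Transform ID) is (.+?)\.?$",
                  re.IGNORECASE)
DH = re.compile(r"^\s*DH group (?:is )?(\d+)\.?$")
LIFE = re.compile(r"^\s*Life duration is (\d+)\.?$")
# Phase 1 choices below a modern baseline (this example's own policy, not H3C's).
WEAK = {"3DES-CBC": "64-bit block cipher", "HMAC-MD5": "MD5-based integrity",
        "DH group 1": "768-bit MODP"}


def parse_packet_debug(lines):
    """Return header dumps plus the phase 1 / phase 2 attributes in log order."""
    out = {"headers": [], "phase1": [], "phase2": []}
    phase, hdr = "phase1", None
    for raw in lines:
        m = PREFIX.match(raw)
        text = m.group("msg") if m else raw.rstrip()   # header fields carry no prefix
        if "phase 2" in text or text.startswith("Parse transform"):
            phase = "phase2"                      # later attributes describe the IPsec SA
        if d := DIRECTION.match(text):            # a header dump follows this line
            hdr = {"dir": "out" if d.group(1).startswith("Sending") else "in",
                   "peer": d.group(2)}
        elif (h := HEADER_FIELD.match(text)) and hdr is not None:
            hdr[h.group(1).lower().replace(" ", "_")] = h.group(2).strip()
            if h.group(1).lower() == "length":    # last field of every header dump
                out["headers"].append(hdr)
                hdr = None
        elif a := ATTR.match(text):
            out[phase].append((a.group(1).lower(), a.group(2)))
        elif g := DH.match(text):
            out[phase].append(("dh group", g.group(1)))
        elif lf := LIFE.match(text):
            out[phase].append(("life duration", int(lf.group(1))))
    return out


def audit(parsed):
    """Weak phase 1 choices, plus how many messages of each exchange were encrypted."""
    weak = []
    for name, value in parsed["phase1"]:
        item = f"DH group {value}" if name == "dh group" else value
        if item in WEAK and item not in weak:
            weak.append(item)
    exchanges = {}
    for h in parsed["headers"]:
        e = exchanges.setdefault(h["exchange_mode"], {"messages": 0, "encrypted": 0})
        e["messages"] += 1
        e["encrypted"] += "ENCRYPT" in h["flags"]
    return {"weak": weak, "exchanges": exchanges}


# Sample copied from the page's packet output, abbreviated to two header dumps.
SAMPLE = """\
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Encryption algorithm is 3DES-CBC.
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Hash algorithm is HMAC-MD5.
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   DH group 1.
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;   Authentication method is Pre-shared key.
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 local port 500, remote port 500.
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;
  I-Cookie: 3519bdda65bfeaaa
  R-Cookie: 0000000000000000
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Main
  flags: [ ]
  message ID: 0
  length: 164
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Set attributes by phase 2 transform.
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Encapsulation mode is Tunnel.
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;   Life duration is 3600.
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;
  I-Cookie: 3519bdda65bfeaaa
  R-Cookie: 078711749a32520c
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: [ENCRYPT]
  message ID: 8a9c07c1
  length: 156
"""


def run_sample():
    parsed = parse_packet_debug(SAMPLE.splitlines())
    return parsed, audit(parsed)
```

Run against a full capture, the `exchanges` summary should show six Main messages of which the last two are encrypted and three Quick messages all encrypted; anything else means a message was lost or the peers fell back to a different exchange. The `weak` list is the part worth acting on: the Main-mode attributes a peer proposes are visible in this output before anything is encrypted, so a weak proposal here is a configuration to fix, not a log line to ignore.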

IKEv2

3.1  IKEv2 debugging commands

3.1.1  debugging ikev2

【Syntax】

debugging ikev2 { { all | dpd | error | internal | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ] | pki }

undo debugging ikev2 { all | dpd | error | internal | nat-keepalive | packet | pki }

【Default】

IKEv2 debugging is disabled.

【Views】

User view

【Predefined user roles】

network-admin

【Parameters】

all: Specifies all IKEv2 debugging switches.

dpd: Specifies the IKEv2 DPD debugging switch.

error: Specifies the IKEv2 error debugging switch.

internal: Specifies the IKEv2 internal debugging switch.

nat-keepalive: Specifies the IKEv2 NAT keepalive debugging switch.

packet: Specifies the IKEv2 packet debugging switch.

pki: Specifies the IKEv2-related PKI debugging switch.

remote-address: Filters debugging information by peer address.

local-address: Filters debugging information by local address.

ipv4-address: Specifies an IPv4 address.

ipv6 ipv6-address: Specifies an IPv6 address.

remote-port port-number: Filters debugging information by peer port. port-number is the peer port number, in the range 0 to 65535.

vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private-network address members belong. vpn-instance-name is the name of the MPLS L3VPN VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private-network address members do not belong to any VPN.

【Usage guidelines】

Use debugging ikev2 to enable IKEv2 debugging. Use undo debugging ikev2 to disable IKEv2 debugging.

Table 3-1 Output description for the debugging ikev2 error command

Field

Description

Authorization failed.

IKEv2 failed to obtain AAA authorization attributes

Failed to allocate PAM handle to user user-name.

IKEv2 failed to obtain an AAA PAM handle

Invalid major version version.

The major version number in the IKEv2 packet is wrong

The address pool overlaps with an existing address pool.

The address range of the newly configured local address pool conflicts with an existing local address pool

Failed to compute ECDH shared key.

Failed to compute the ECDH shared key

Received an invalid DH group.

The received IKEv2 packet carries a wrong or unsupported DH group number

Required key length (keylen) over 255 times the length of the PRF output.

While IKEv2 was computing keys, the required key length exceeded 255 times the output length of the PRF algorithm

Failed to compute keys.

Failed to compute keys

Failed to obtain hash algorithm.

Failed to obtain the hash algorithm from the crypto algorithm library

Failed to obtain encryption algorithm.

Failed to obtain the encryption algorithm from the crypto library

Failed to obtain private key.

Failed to obtain the DSA/RSA/EC private key

Failed to obtain public key.

Failed to obtain the public key while signing the AUTH payload with a certificate

Failed to compute local authentication data.

Failed to compute the local authentication data

Failed to compute SKEYSEED.

Failed to compute the key seed

Failed to compute keying material.

Failed to compute keying material

Failed to create IPsec keying material.

Failed to create IPsec keying material

Failed to verify peer's authentication data.

Failed to verify the peer's authentication data

Invalid length (length) for hash-and-URL encoded certificate.

The length of the hash-and-URL encoded certificate is invalid

A non-printable character exists in the URL of the hash-and-URL encoded certificate. Ignored the character and those that follow.

The URL in the hash-and-URL encoded certificate contains a non-printable character; that character and everything after it are ignored

Invalid X509 digest length (length) in Certificate Request payload.

The X509 digest length in the Certificate Request payload is invalid

Unsupported certificate request encoding type cert-encoding-type.

Unsupported certificate request encoding type

No certificate exists in payload.

The payload contains no certificate

Received an unsupported hash-and-URL encoded certificate.

Received a hash-and-URL encoded certificate from the peer, but the local end does not support that certificate format

Failed to obtain a certificate from URL url.

Failed to obtain the certificate from the certificate server at the URL

Unsupported certificate encoding type cert-encoding-type.

Unsupported certificate encoding type

Failed to obtain certificate data.

Failed to obtain certificate data