Basic IPsec VPN Lab

I. Lab Topology

[Topology diagram: 211119684.png]

II. Lab Principles

IKE overview: before IPsec can protect an IP packet, a security association (SA) must first be established. An SA can be created manually or established dynamically; the Internet Key Exchange (IKE) protocol is used to establish SAs dynamically.

The essence of IKE: through a series of data exchanges the two communicating parties end up computing a shared key, and even if a third party such as an attacker intercepts all of the data the two sides exchanged to compute that key, that is still not enough to compute the real key. The core technique behind this is the Diffie-Hellman (DH) exchange.


IKE uses ISAKMP in two phases.

Phase 1: establish the IKE security association
  (produces 1 IKE SA)

  Specifically: build a confidential and authenticated communication channel (the IKE SA) together with authenticated keying material, which gives the IKE traffic between the two parties confidentiality, message integrity and message-source authentication.

  (This must be completed before any other exchange, such as the phase 2 exchange or other message exchanges; those exchanges run under the protection of the security association established in phase 1.)

  How SKEYID is generated depends on which authentication method was negotiated. The authentication method determines which payloads are exchanged, and when.

  The authentication methods in common use today are:
  1) pre-shared keys
  2) digital signatures produced with the Digital Signature Algorithm (DSA)

Phase 2: using the security association just established, negotiate the specific security associations for IPsec.
  (produces 2 IPsec SAs)



Phase 1 has two exchange modes: main mode and aggressive mode.

Main mode consists of three exchanges using a total of 6 messages, at the end of which the IKE SA is established.

The three exchanges are:

1) Policy negotiation (policy): messages 1-2 (one out, one back)

2) DH and nonce exchange (DH): messages 3-4

3) Authentication of the peer (auth): messages 5-6

   First exchange: the two sides exchange cookies and SA payloads. The SA payload carries the parameters to be negotiated for the IKE SA, mainly the IKE hash type, the encryption algorithm, the authentication method and the lifetime of the IKE SA.

   After the first exchange: each side generates the DH value used to produce the DH shared secret.

   Second exchange: the key exchange (KE) payloads and the nonce payloads are exchanged.

   After the second exchange: all of the material needed to compute the keys has now been exchanged, so all of the keys can be computed, and the computed keys are used to protect the subsequent IKE messages.

   Third exchange: the identity payloads and the hash payloads are exchanged. The identity payload carries the initiator's identity, an IP address or a hostname. The hash payload carries the value obtained by hashing over the three sets of keys produced in the previous step.
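As an added illustration (not part of the original writeup) of how the material from the three exchanges above turns into keys, the Python below follows the formulas of RFC 2409 section 5: SKEYID is derived from the nonces and either the pre-shared key or the DH secret depending on the authentication method, then SKEYID_d, SKEYID_a and SKEYID_e are derived from it, and HASH_I is the authenticator carried in message 5. The DH group, cookies, nonces and SA payload bytes are constructed assumptions (the real group 2 prime is 1024 bits); HMAC-MD5 is used as the prf because the lab negotiates hash md5. Running it shows that a pre-shared key mismatch is only detected when the hash payload of messages 5-6 is checked, and that a signature-based SKEYID does not involve the PSK at all.

```python
import hmac
import hashlib

# Toy DH group, constructed for this example only. Real IKE group 2 (the lab's
# "group 2") is the 1024-bit MODP prime from RFC 2409; a 127-bit prime offers
# no security and is used here only so the arithmetic is quick to follow.
TOY_P = 2**127 - 1
TOY_G = 5
DH_LEN = 16  # bytes needed to encode any value below 2**127


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf = HMAC over the negotiated hash; the lab negotiates 'hash md5'."""
    return hmac.new(key, data, hashlib.md5).digest()


def dh_public(x: int) -> bytes:
    return pow(TOY_G, x, TOY_P).to_bytes(DH_LEN, "big")


def dh_shared(x: int, peer_public: bytes) -> bytes:
    return pow(int.from_bytes(peer_public, "big"), x, TOY_P).to_bytes(DH_LEN, "big")


def skeyid(method: str, psk: bytes, ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """RFC 2409 section 5: the SKEYID formula depends on the authentication method."""
    if method == "pre-share":
        return prf(psk, ni + nr)      # keyed by the pre-shared key
    if method == "rsa-sig":
        return prf(ni + nr, gxy)      # keyed by the nonces; the PSK plays no part
    raise ValueError(f"unsupported authentication method: {method}")


def derive_keys(sk: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> tuple:
    """SKEYID_d, SKEYID_a, SKEYID_e as defined in RFC 2409 section 5."""
    sk_d = prf(sk, gxy + cky_i + cky_r + b"\x00")
    sk_a = prf(sk, sk_d + gxy + cky_i + cky_r + b"\x01")
    sk_e = prf(sk, sk_a + gxy + cky_i + cky_r + b"\x02")
    return sk_d, sk_a, sk_e


def hash_i(sk, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I, the initiator's authenticator carried in main-mode message 5."""
    return prf(sk, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def run_main_mode(psk_initiator: bytes, psk_responder: bytes, method: str = "pre-share",
                  x_i: int = 0x2F3A9C1D5E7B, x_r: int = 0x9B8C7D6E5F4A) -> dict:
    """Simulate messages 3-6 of main mode between two peers holding the given PSKs."""
    # Cookies, nonces and the SA payload are constructed constants so the run is
    # reproducible; a real implementation draws cookies and nonces from a CSPRNG.
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    ni, nr = b"initiator-nonce!", b"responder-nonce!"
    sai_b = b"3des-md5-group2-" + method.encode() + b"-86400"
    # ID payload body: type ID_IPV4_ADDR(1), protocol 17, port 500, address 112.16.13.2 (R3)
    idii_b = bytes([1, 17, 1, 244]) + bytes([112, 16, 13, 2])

    # Messages 3-4: KE + nonce. Both sides derive the same g^xy.
    gx_i, gx_r = dh_public(x_i), dh_public(x_r)
    gxy_i, gxy_r = dh_shared(x_i, gx_r), dh_shared(x_r, gx_i)

    # Each side derives SKEYID from what it believes the PSK is.
    sk_i = skeyid(method, psk_initiator, ni, nr, gxy_i)
    sk_r = skeyid(method, psk_responder, ni, nr, gxy_r)

    # Message 5: the initiator sends HASH_I; the responder recomputes it with its own SKEYID.
    sent = hash_i(sk_i, gx_i, gx_r, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(sk_r, gx_i, gx_r, cky_i, cky_r, sai_b, idii_b)

    sk_d, sk_a, sk_e = derive_keys(sk_i, gxy_i, cky_i, cky_r)
    return {
        "dh_agrees": gxy_i == gxy_r,
        "authenticated": hmac.compare_digest(sent, expected),
        "skeyid_d": sk_d, "skeyid_a": sk_a, "skeyid_e": sk_e,  # returned for inspection only
    }


if __name__ == "__main__":
    print("matching PSK    -> authenticated:", run_main_mode(b"xb5", b"xb5")["authenticated"])
    print("mismatched PSK  -> authenticated:", run_main_mode(b"xb5", b"xb7")["authenticated"])
    print("rsa-sig, PSK ignored -> authenticated:",
          run_main_mode(b"xb5", b"xb7", "rsa-sig")["authenticated"])
```

Note that the DH part succeeds in every run: both peers agree on g^xy whatever their PSKs are, which is why a key mismatch in the lab shows up only after messages 3-4, when the hash payload of messages 5-6 fails to verify.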


Aggressive mode: 3 messages

Phase 2 has one exchange mode: quick mode

Lab 1:

1. IPsec architecture

Security protocols
 responsible for protecting the data
 AH/ESP

Modes of operation
 transport mode: end-to-end protection
 tunnel mode: site-to-site protection

Key management
 manually configured keys
 keys negotiated through IKE

2. IPsec SA

SA (Security Association)

Uniquely identified by the triple (SPI, destination IP address, security protocol identifier)

Determines how a packet is processed
 protocol, algorithm, key

Every IPsec SA is unidirectional

Established manually or negotiated by IKE

SPD (Security Policy Database)

SAD (Security Association Database)

3. Relationship between IKE and IPsec

IKE provides IPsec with automatic key negotiation and exchange and with SA establishment

The IPsec security protocols provide the actual security services

4. The two phases of IKE negotiation

Phase 1
 Establishes an IKE SA across the network, which protects the phase 2 negotiation
 Main Mode and Aggressive Mode (the latter is 积极模式 in Cisco's Chinese documentation and 野蛮模式 elsewhere)

Phase 2
 Negotiates the IPsec SAs under the protection of the IKE SA built in phase 1
 Quick Mode

Phase 1: IKE's 6 packets (main mode), producing 1 IKE SA

1-2: policy

3-4: DH

5-6: authentication

Phase 2: produces two IPsec SAs (quick mode)


R3(config-isakmp)#?    

ISAKMP commands:

 authentication  Set authentication method for protection suite

 default         Set a command to its defaults

 encryption      Set encryption algorithm for protection suite

 exit            Exit from ISAKMP protection suite configuration mode

 group           Set the Diffie-Hellman group

 hash            Set hash algorithm for protection suite

 lifetime        Set lifetime for ISAKMP security association

 no              Negate a command or set its defaults


R3(config)#crypto isakmp ide

R3(config)#crypto isakmp identity ?

 address   Use the IP address of the interface for the identity

 dn        Use the distinguished name of the router cert for the identity

 hostname  Use the hostname of the router for the identity


R3(config)#crypto map map3 ?

 <1-65535>       Sequence to insert into crypto map entry

 client          Specify client configuration settings

 isakmp          Specify isakmp configuration settings

 isakmp-profile  Specify isakmp profile to use

 local-address   Interface to use for local address for this crypto map

 redundancy      High availability options for this map



III. Lab Steps

While doing this lab I found out just how important routing is; most of the later problems came from routing not being set up properly.

R3:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

crypto isakmp identity address

crypto isakmp key xb5 address 112.16.15.2
crypto isakmp key xb7 address 112.16.17.2

crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel

access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 107 permit ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255

crypto map map3 10 ipsec-isakmp
 set peer 112.16.15.2
 set transform-set tf10
 match address 105
crypto map map3 20 ipsec-isakmp
 set peer 112.16.17.2
 set transform-set tf10
 match address 107

interface Serial0/0
 ip address 112.16.13.2 255.255.255.252
 crypto map map3

ip route 0.0.0.0 0.0.0.0 112.16.13.1  // very important!!! ensures reachability to the peers


R5:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

crypto isakmp identity address

crypto isakmp key xb5 address 112.16.13.2

crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel

access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255

crypto map map5 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 105

interface Serial0/0
 crypto map map5

ip route 0.0.0.0 0.0.0.0 112.16.15.1


R7:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

crypto isakmp identity address

crypto isakmp key xb7 address 112.16.13.2

crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel

access-list 107 permit ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255

crypto map map7 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 107

interface Serial0/0
 crypto map map7

ip route 0.0.0.0 0.0.0.0 112.16.17.1
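The three configurations above have to agree with each other in several places at once, and every mismatch produces a different failure during the lab. As an added example (not part of the original writeup), the Python below parses the lab's configurations, regenerated from a constructed template with the R5 and R7 Serial0/0 addresses filled in from the set peer lines (an assumption, since the writeup omits them), and checks each pair of routers for the things the tunnels depend on: a pre-shared key that is present and identical on both sides, matching ISAKMP policies and transform sets, a crypto ACL that is the mirror image of the peer's, and a crypto map actually applied to an interface. R5_BAD reproduces the transform-set mismatch the writeup ran into between R3 and R5.

```python
def parse_ios(text: str) -> dict:
    """Parse the subset of IOS configuration used in this lab (one submode level)."""
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}, "ifaces": {}}
    mode = None  # (kind, name) of the open submode, None at top level
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if raw.startswith(" ") and mode:
            kind, name = mode
            if kind == "policy":
                cfg["policies"][name][w[0]] = " ".join(w[1:])
            elif kind == "tset" and w[0] == "mode":
                cfg["tsets"][name]["mode"] = w[1]
            elif kind == "map" and w[0] in ("set", "match"):
                cfg["maps"][name][w[1]] = w[2]          # peer / transform-set / address
            elif kind == "iface" and w[:2] in (["ip", "address"], ["crypto", "map"]):
                cfg["ifaces"][name][w[1]] = w[2]        # address / map
            continue
        mode = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cfg["policies"][w[3]] = {}; mode = ("policy", w[3])
        elif w[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key <key> address <peer>
            cfg["keys"][w[5]] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = {"transforms": tuple(w[4:]), "mode": "tunnel"}; mode = ("tset", w[3])
        elif w[0] == "access-list":                     # access-list <n> permit ip <src> <wc> <dst> <wc>
            cfg["acls"].setdefault(w[1], set()).add((w[4], w[5], w[6], w[7]))
        elif w[:2] == ["crypto", "map"]:                 # crypto map <name> <seq> ipsec-isakmp
            cfg["maps"][(w[2], w[3])] = {}; mode = ("map", (w[2], w[3]))
        elif w[0] == "interface":
            cfg["ifaces"][w[1]] = {}; mode = ("iface", w[1])
    return cfg

def local_ip(cfg):
    """Address of the interface that carries the crypto map, i.e. the IKE endpoint."""
    for i in cfg["ifaces"].values():
        if "map" in i and "address" in i:
            return i["address"]

def check_pair(a, cfg_a, b, cfg_b) -> list:
    """Findings for every crypto-map entry on router a that points at router b."""
    out, ip_a, ip_b = [], local_ip(cfg_a), local_ip(cfg_b)
    for (mname, seq), e in cfg_a["maps"].items():
        if e.get("peer") != ip_b:
            continue
        where = f"{a} crypto map {mname} {seq} -> {b}"
        if not any(p in cfg_b["policies"].values() for p in cfg_a["policies"].values()):
            out.append(f"{where}: no isakmp policy in common")
        if ip_a not in cfg_b["keys"]:
            out.append(f"{where}: {b} has no 'crypto isakmp key ... address {ip_a}'")
        elif cfg_a["keys"].get(ip_b) != cfg_b["keys"][ip_a]:
            out.append(f"{where}: pre-shared keys differ")
        back = [x for x in cfg_b["maps"].values() if x.get("peer") == ip_a]
        if not back:
            out.append(f"{where}: {b} has no crypto map entry with 'set peer {ip_a}'")
            continue
        if cfg_a["tsets"].get(e.get("transform-set")) != cfg_b["tsets"].get(back[0].get("transform-set")):
            out.append(f"{where}: transform sets differ")
        mirror = {(d, dw, s, sw) for (s, sw, d, dw) in cfg_b["acls"].get(back[0].get("address"), ())}
        if cfg_a["acls"].get(e.get("address"), set()) != mirror:
            out.append(f"{where}: ACL {e.get('address')} is not the mirror of {b}'s crypto ACL")
        if not any(i.get("map") == mname for i in cfg_a["ifaces"].values()):
            out.append(f"{where}: crypto map {mname} is not applied to any interface")
    return out

def audit(routers: dict) -> dict:
    """Run check_pair over every ordered pair of routers; {router: [findings]}."""
    cfgs = {n: parse_ios(t) for n, t in routers.items()}
    return {a: [f for b in cfgs if b != a for f in check_pair(a, cfgs[a], b, cfgs[b])] for a in cfgs}

def lab_config(ip, map_name, peers, transforms="esp-3des esp-md5-hmac"):
    """Constructed template that regenerates the lab's configurations from a peer list."""
    lines = ["crypto isakmp policy 10", " encr 3des", " hash md5", " authentication pre-share", " group 2"]
    lines += [f"crypto isakmp key {p['key']} address {p['peer']}" for p in peers]
    lines += [f"crypto ipsec transform-set tf10 {transforms}", " mode tunnel"]
    for n, p in enumerate(peers):
        lines.append(f"access-list {p['acl']} permit ip {p['lan']} 0.0.0.255 {p['remote_lan']} 0.0.0.255")
        lines += [f"crypto map {map_name} {10 * (n + 1)} ipsec-isakmp", f" set peer {p['peer']}",
                  " set transform-set tf10", f" match address {p['acl']}"]
    lines += ["interface Serial0/0", f" ip address {ip} 255.255.255.252", f" crypto map {map_name}"]
    return "\n".join(lines) + "\n"

R3 = lab_config("112.16.13.2", "map3", [
    dict(peer="112.16.15.2", key="xb5", acl="105", lan="192.168.30.0", remote_lan="192.168.50.0"),
    dict(peer="112.16.17.2", key="xb7", acl="107", lan="192.168.30.0", remote_lan="192.168.70.0")])
R5_PEERS = [dict(peer="112.16.13.2", key="xb5", acl="105", lan="192.168.50.0", remote_lan="192.168.30.0")]
R5 = lab_config("112.16.15.2", "map5", R5_PEERS)
R7 = lab_config("112.16.17.2", "map7", [
    dict(peer="112.16.13.2", key="xb7", acl="107", lan="192.168.70.0", remote_lan="192.168.30.0")])
# The mismatch the writeup ran into, reconstructed: R5 offering a different transform set.
R5_BAD = lab_config("112.16.15.2", "map5", R5_PEERS, transforms="esp-des esp-md5-hmac")

if __name__ == "__main__":
    for name, findings in audit({"R3": R3, "R5": R5_BAD, "R7": R7}).items():
        print(name, findings or "OK")
```

The checker deliberately reports a transform-set mismatch from both ends (R3 -> R5 and R5 -> R3), because on the routers the symptom is the same whichever side initiates: phase 1 completes and quick mode fails. Routing is outside what a static config check can see, which is exactly why the writeup keeps coming back to it.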


Troubleshooting!

When phase 1 negotiation fails, check the following:

R3#sh crypto isakmp sa

dst             src             state          conn-id slot status

Is the crypto map applied to the interface?

Is there matching traffic to trigger the negotiation?

Is a pre-shared key configured for the peer, and is it identical on both sides?


It turned out there was no route to the peer; on R3 I added

ip route 0.0.0.0 0.0.0.0 112.16.13.1


and phase 1 then negotiated successfully.

R3#sh crypto isakmp sa

dst             src             state          conn-id slot status

112.16.17.2     112.16.13.2     QM_IDLE              2    0 ACTIVE


The result above only appears once traffic has been sent to trigger the negotiation!!

R3#ping 192.168.70.1 source 192.168.30.1


But the tunnel between R3 and R5 was still not triggered; it turned out the transform sets did not match, and after fixing that it came up. Yet with both phase 1 and phase 2 negotiated successfully, why was there still no communication?


When the SAs of both phases are established but traffic does not flow, the cause is usually a misconfigured ACL!

  After checking, the ACLs were fine; the real problem was routing: there was only the outbound route and no return route! The outbound route alone is enough to trigger both phases and build the SAs, but without the return route traffic cannot get back!!! (the default routes on R5 and R7 respectively:)

ip route 0.0.0.0 0.0.0.0 112.16.15.1

ip route 0.0.0.0 0.0.0.0 112.16.17.1


And then it worked:

R3#ping 192.168.50.1 source 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 304/570/672 ms

R3#ping 192.168.70.1 source 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 384/524/672 ms



R3#sh crypto isakmp sa

dst             src             state          conn-id slot status

112.16.17.2     112.16.13.2     QM_IDLE              2    0 ACTIVE

112.16.15.2     112.16.13.2     QM_IDLE              1    0 ACTIVE


R3#sh cry

R3#sh crypto ipsec sa


interface: Serial0/0

   Crypto map tag: map3, local addr 112.16.13.2


  protected vrf: (none)

  local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

  remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

  current_peer 112.16.15.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14

   #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 1, #recv errors 0


    local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.15.2

    path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

    current outbound spi: 0x2EA78F2B(782733099)


    inbound esp sas:

     spi: 0x8230FDE8(2184248808)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2001, flow_id: SW:1, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4389570/622)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:

     spi: 0x2EA78F2B(782733099)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2002, flow_id: SW:2, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4389569/621)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    outbound ah sas:


    outbound pcp sas:


  protected vrf: (none)

  local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

  remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)

  current_peer 112.16.17.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

   #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 2, #recv errors 0


    local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.17.2

    path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

    current outbound spi: 0x52EA15A0(1391072672)


    inbound esp sas:

     spi: 0x393C5104(960254212)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2003, flow_id: SW:3, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4511004/1896)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:

     spi: 0x52EA15A0(1391072672)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2004, flow_id: SW:4, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4511004/1896)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    outbound ah sas:


    outbound pcp sas:


R3#   sh cry session

Crypto session current status


Interface: Serial0/0

Session status: UP-ACTIVE    

Peer: 112.16.15.2 port 500

 IKE SA: local 112.16.13.2/500 remote 112.16.15.2/500 Active

 IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.50.0/255.255.255.0

       Active SAs: 2, origin: crypto map


Interface: Serial0/0

Session status: UP-ACTIVE    

Peer: 112.16.17.2 port 500

 IKE SA: local 112.16.13.2/500 remote 112.16.17.2/500 Active

 IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.70.0/255.255.255.0

       Active SAs: 2, origin: crypto map


R3#sh cry ipsec transform-set

Transform set tf10: { esp-3des esp-md5-hmac  }

  will negotiate = { Tunnel,  },


R3#sh cry isakmp key

Keyring               Hostname/Address                   Preshared Key


default               112.16.15.2                        xb5

                     112.16.17.2                        xb7



R3#clear crypto isakmp


R3#sh cry isakmp sa

dst             src             state          conn-id slot status

112.16.15.2     112.16.13.2     MM_NO_STATE          1    0 ACTIVE (deleted)



Only after a short while does it finally become empty.

(The phase 2 SAs disappear as soon as clear cry sa is entered; the command that clears everything is clear cry session.)

R3#sh cry isakmp sa // phase 1 cleared

dst             src             state          conn-id slot status



Once it is empty, test again:

R3#ping 192.168.50.1 so 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 212/325/404 ms


Communication is not delayed, because the phase 2 SA (the one toward 192.168.50.1, naturally) still exists:

R3#sh cry ipsec sa


interface: Serial0/0

   Crypto map tag: map3, local addr 112.16.13.2


  protected vrf: (none)

  local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

  remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

  current_peer 112.16.15.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

   #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 2, #recv errors 0


    local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.15.2

    path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

    current outbound spi: 0x53DE17B1(1407063985)


    inbound esp sas:

     spi: 0xEE98D751(4002994001)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2006, flow_id: SW:6, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4570748/3291)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:

     spi: 0x53DE17B1(1407063985)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2003, flow_id: SW:3, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4570748/3290)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    outbound ah sas:


    outbound pcp sas:


Only when the IPsec SAs are also cleared is there a delay:

R3# clea cry sa // clears phase 2


Recall how communication over the IPsec VPN tunnel works: if there is no IPsec SA, traffic triggers phase 1 to create the IKE SA; if one already exists, nothing is triggered and it is used directly.


Now look at the debug output from the first communication:

R3#de cry isakmp // phase 1 debug output

Crypto ISAKMP debugging is on

R3#de cry ipsec // phase 2 debug output

Crypto IPSEC debugging is on

R3#ping 192.168.50.1 so 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1


*Mar  1 00:05:24.167: IPSEC(sa_request): ,  // phase 2 SA lookup

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x3BE78437(1005028407), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 00:05:24.183: ISAKMP: received ke message (1/1)   // triggers phase 1

*Mar  1 00:05:24.187: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

*Mar  1 00:05:24.187: ISAKMP: Created a peer struct for 112.16.15.2, peer port 500

*Mar  1 00:05:24.191: ISAKMP: New peer created peer = 0x64FFBCA4 peer_handle = 0x80000003

*Mar  1 00:05:24.195: ISAKMP: Locking peer struct 0x64FFBCA4, IKE refcount 1 for isakmp_initiator

*Mar  1 00:05:24.195: ISAKMP: local port 500, remote port 500

*Mar  1 00:05:24.199: ISAKMP: set new node 0 to QM_IDLE      

*Mar  1 00:05:24.203: insert sa successfully sa = 64F9CAC8

*Mar  1 00:05:24.203: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

*Mar  1 00:05:24.207: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 112.16.15.2

*Mar  1 00:05:24.215: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

*Mar  1 00:05:24.215: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*Mar  1 00:05:24.219: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*Mar  1 00:05:24.223: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  1 00:05:24.227: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1


*Mar  1 00:05:24.227: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*Mar  1 00:05:24.231: ISAKMP:(0:0:N/A:0): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:05:24.775: ISAKMP (0:0): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Mar  1 00:05:24.783: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 00:05:24.787: ISAKMP:(0:0:N/A:0):.Old State = IKE_I_MM1  New State = IKE_I_MM2


*Mar  1 00:05:24.795: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Mar  1 00:05:24.799: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar  1 00:05:24.799: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 00:05:24.803: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar  1 00:05:24.807: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 112.16.15.2

*Mar  1 00:05:24.811: ISAKMP:(0:0:N/A:0): local preshared key found

*Mar  1 00:05:24.811: ISAKMP : Scanning profiles for xauth ...

*Mar  1 00:05:24.815: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Mar  1 00:05:24.819: ISAKMP:      encryption 3DES-CBC

*Mar  1 00:05:24.819: ISAKMP:      hash MD5

*Mar  1 00:05:24.819: ISAKMP:      default group 2

*Mar  1 00:05:24.823: ISAKMP:      auth pre-share

*Mar  1 00:05:24.823: ISAKMP:      life type in seconds

*Mar  1 00:05:24.827: ISAKMP:      life duration (VPI) of  0x0 0x1. 0x51 0x80

*Mar  1 00:05:24.831: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Mar  1 00:05:24.943: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:24.947: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 00:05:24.951: ISAKMP (0:134217730): vendor ID is NAT-T v7

*Mar  1 00:05:24.955: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 00:05:24.955: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2


*Mar  1 00:05:24.987: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar  1 00:05:24.995: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 00:05:24.995: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3


*Mar  1 00:05:25.515: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_SA_SETUP

*Mar  1 00:05:25.523: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*M!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 224/257/292 ms

R3#ar  1 00:05:25.523: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4


*Mar  1 00:05:25.535: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 112.16.15.2

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):SKEYID state generated

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): vendor ID is Unity

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): vendor ID is DPD

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): speaking to another IOS box!

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4


*Mar  1 00:05:

R3#25.691: ISAKMP:(0:2:SW:1):Send initial contact

*Mar  1 00:05:25.695: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar  1 00:05:25.699: ISAKMP (0:134217730): ID payload

       next-payload : 8

       type         : 1

       address      : 112.16.13.2

       protocol     : 17

       port         : 500

       length       : 12

*Mar  1 00:05:25.707: ISAKMP:(0:2:SW:1):Total payload length: 12

*Mar  1 00:05:25.715: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar  1 00:05:25.719: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 00:05:25.723: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5


*Mar  1 00:05:26.059: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Mar  1 00:05:26.067: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0

*Mar  1 00:05:26.071: ISAKMP (0:134217730): ID payload

       next-payload : 8

       type         : 1

R3#

       address      : 112.16.15.2

       protocol     : 17

       port         : 500

       length       : 12

*Mar  1 00:05:26.079: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles

*Mar  1 00:05:26.079: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0

*Mar  1 00:05:26.087: ISAKMP:(0:2:SW:1):SA authentication status:

       authenticated

*Mar  1 00:05:26.091: ISAKMP:(0:2:SW:1):SA has been authenticated with 112.16.15.2

*Mar  1 00:05:26.091: ISAKMP: Trying to insert a peer 112.16.13.2/112.16.15.2/500/,  and inserted successfully 64FFBCA4.

*Mar  1 00:05:26.099: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 00:05:26.099: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6


*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6


*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 00:05:2

R3#6.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE


*Mar  1 00:05:26.179: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of 81987909

*Mar  1 00:05:26.195: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) QM_IDLE      

*Mar  1 00:05:26.199: ISAKMP:(0:2:SW:1):Node 81987909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar  1 00:05:26.203: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Mar  1 00:05:26.207: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  1 00:05:26.211: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Mar  1 00:05:26.635: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) QM_IDLE      

*Mar  1 00:05:26.647: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 81987909

*Mar  1 00:05:26.651: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 81987909

*Mar  1 00:05:26.655: ISAKMP:(0:2:SW:1)

R3#:Checking IPSec proposal 1

*Mar  1 00:05:26.655: ISAKMP: transform 1, ESP_3DES

*Mar  1 00:05:26.659: ISAKMP:   attributes in transform:

*Mar  1 00:05:26.659: ISAKMP:      encaps is 1 (Tunnel)

*Mar  1 00:05:26.663: ISAKMP:      SA life type in seconds

*Mar  1 00:05:26.663: ISAKMP:      SA life duration (basic) of 3600

*Mar  1 00:05:26.667: ISAKMP:      SA life type in kilobytes

*Mar  1 00:05:26.667: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar  1 00:05:26.671: ISAKMP:      authenticator is HMAC-MD5

*Mar  1 00:05:26.675: ISAKMP:(0:2:SW:1):atts are acceptable.

*Mar  1 00:05:26.679: IPSEC(validate_proposal_request): proposal part #1,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x

R3#2

*Mar  1 00:05:26.691: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.50.0

       protocol     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:05:26.699: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 81987909

*Mar  1 00:05:26.703: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 81987909

*Mar  1 00:05:26.707: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 81987909

*Mar  1 00:05:26.719: ISAKMP: Locking peer struct 0x64FFBCA4, IPSEC refcount 1 for for stuff_ke

*Mar  1 00:05:26.723: ISAKMP:(0:2:SW:1): Creating IPSec SAs

*Mar  1 00:05:26.723:         inbound SA from 112.16.15.2 to 112.16.13.2 (f/i)  0/ 0

       (proxy 192.168.50.0 to 192.168.30.0)

*Mar  1 00:05:26.731:         has spi 0x3BE78437 and conn_id 0 and flags 2

*Mar  1 00:05:26.731:         lifetime of 3600 seconds

*Mar  1 00:05:26.735:         lifetime of 4608000 kilobytes

*Mar  1 00:05:26.735:         has client flags 0x0

*Mar  1 00:05:26.735:        

R3#outbound SA from 112.16.13.2 to 112.16.15.2 (f/i) 0/0

       (proxy 192.168.30.0 to 192.168.50.0)

*Mar  1 00:05:26.739:         has spi 1320439935 and conn_id 0 and flags A

*Mar  1 00:05:26.743:         lifetime of 3600 seconds

*Mar  1 00:05:26.743:         lifetime of 4608000 kilobytes

*Mar  1 00:05:26.747:         has client flags 0x0

*Mar  1 00:05:26.751: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) QM_IDLE      

*Mar  1 00:05:26.759: ISAKMP:(0:2:SW:1):deleting node 81987909 error FALSE reason "No Error"

*Mar  1 00:05:26.763: ISAKMP:(0:2:SW:1):Node 81987909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  1 00:05:26.763: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

*Mar  1 00:05:26.771: IPSEC(key_engine): got a queue event with 2 kei messages

*Mar  1 00:05:26.775: IPSEC(initialize_sas): ,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0

R3#(type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x3BE78437(1005028407), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:05:26.787: IPSEC(initialize_sas): ,

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x4EB4507F(1320439935), conn_id= 0, keysize= 0, flags= 0xA

*Mar  1 00:05:26.799: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.50.0

       protocol     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:05:26.803: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 112.16.15.2

*Mar  1 00:05:26.807: IPSec: Flow_switching Allocated flow for sibli

R3#ng 80000003

*Mar  1 00:05:26.811: IPSEC(policy_db_add_ident): src 192.168.30.0, dest 192.168.50.0, dest_port 0


*Mar  1 00:05:26.815: ISAKMP: Locking peer struct 0x64FFBCA4, IPSEC refcount 2 for from create_transforms

*Mar  1 00:05:26.819: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.13.2, sa_proto= 50,

   sa_spi= 0x3BE78437(1005028407),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003

*Mar  1 00:05:26.823: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.15.2, sa_proto= 50,

   sa_spi= 0x4EB4507F(1320439935),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004

*Mar  1 00:05:26.831: ISAKMP: Unlocking IPSEC struct 0x64FFBCA4 from create_transforms, count 1

R3#




R3#clear cry sa // clear the phase 2 SAs and keep only the phase 1 SA

R3#debug cry ipsec

R3# ping 192.168.70.1 so 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1


*Mar  1 00:28:20.959: IPSEC(sa_request): ,

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xE91C1B2B(3910933291), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 00:28:21.723: IPSEC(validate_proposal_request): proposal part #1,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:28:21.739: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.70.0

       protocol     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:28:.21.767: IPSEC(key_engine): got a queue event with 2 kei messages

*Mar  1 00:28:21.767: IPSEC(initialize_sas): ,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xE91C1B2B(3910933291), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:28:21.779: IPSEC(initialize_sas): ,

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xA698B6E1(2795026145), conn_id= 0, keysize= 0, flags= 0xA

*Mar  1 00:28:21.791: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.70.0

       protoco!!l     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:28:21.799: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 112.16.17.2

*Mar  1 00:28:21.799: IPSec: Flow_switching Allocated flow for sibling 80000006

*Mar  1 00:28:21.803: IPSEC(policy_db_add_ident): src 192.168.30.0, dest 192.168.70.0, dest_port 0


*Mar  1 00:28:21.807: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.13.2, sa_proto= 50,

   sa_spi= 0xE91C1B2B(3910933291),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003

*Mar  1 00:28:21.815: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.17.2, sa_proto= 50,

   sa_spi= 0xA698B6E1(2795026145),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 400/606/972 ms

R3#


Think about it: R3 must know the routes to the 192.168.50.0 and 192.168.70.0 subnets or it cannot communicate, and R5 and R7 must likewise know the route to 192.168.30.0. Why? Yet the intermediate router R1 does not need routes to any of these subnets. Why? Analyze the traffic flow.


Summary of the troubleshooting approach:

Phase 1 SA not established:

 Is the crypto map applied to the interface?

 Is there matching traffic to trigger the negotiation?

 Is a pre-shared key configured for the peer, and is it identical on both sides?

Phase 2 SA not established:

 Do the ACLs match?

 Are the security proposals consistent?

 Does the configured tunnel peer address match?

 Is the crypto map applied to the correct interface?

SAs of both phases established, but no communication:

  Usually caused by a misconfigured ACL; check that the ACL configuration meets the requirements.


Note: all of the above requires solid routing thinking. Routing is the foundation, and broken routing is one more of the cases to consider.
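The checklist above can be driven directly from what the router shows. As an added example (not part of the original writeup), the Python below parses the output of show crypto isakmp sa, the per-peer encaps/decaps counters of show crypto ipsec sa, and the "New State" lines of debug crypto isakmp, and maps the observed state of one peer onto the checklist items: no ISAKMP row at all, a row stuck before QM_IDLE (with MM_KEY_EXCH pointing at the pre-shared key, since that is where messages 5-6 are verified), QM_IDLE with no IPsec SA, or an IPsec SA that encapsulates but never decapsulates, which is the missing-return-route symptom from this lab. The sample outputs are constructed from the lab's own show commands; the R7 flow's decaps counter is set to 0 here (an assumption) to illustrate the one-way case.

```python
import re

# One row of 'show crypto isakmp sa': dst src state conn-id slot status
ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_isakmp_sa(output: str) -> list:
    """Rows of 'show crypto isakmp sa' as dicts; the header line does not match ROW."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            dst, src, state, conn, slot, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn), "status": status.strip()})
    return rows


def parse_ipsec_counters(output: str) -> list:
    """Per-peer encaps/decaps counters from 'show crypto ipsec sa'."""
    flows, cur = [], None
    for line in output.splitlines():
        if m := re.search(r"current_peer (\d+\.\d+\.\d+\.\d+)", line):
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0}
            flows.append(cur)
        elif cur and (m := re.search(r"#pkts (encaps|decaps): (\d+)", line)):
            cur[m.group(1)] = int(m.group(2))
    return flows


def last_ike_state(debug_output: str):
    """Last 'New State = ...' reached in 'debug crypto isakmp' output, or None."""
    states = re.findall(r"New State = (\S+)", debug_output)
    return states[-1] if states else None


def diagnose(isakmp_output: str, ipsec_output: str, peer: str) -> tuple:
    """Map the router's view of one peer onto the checklist: returns (code, advice)."""
    sas = [r for r in parse_isakmp_sa(isakmp_output) if peer in (r["dst"], r["src"])]
    if not sas:
        return ("NO_P1", "no phase 1 SA: is the crypto map on the interface, is matching "
                         "traffic being sent, and is there a route to the peer?")
    state = sas[-1]["state"]
    if state in ("MM_NO_STATE", "MM_SA_SETUP"):
        return ("P1_STUCK", f"phase 1 stopped at {state}: messages 1-4 not completed, "
                            "check reachability and that the isakmp policies match")
    if state == "MM_KEY_EXCH":
        return ("P1_AUTH", "phase 1 stopped at MM_KEY_EXCH: messages 5-6 (authentication) "
                           "failed, check that the pre-shared keys are identical")
    flows = [f for f in parse_ipsec_counters(ipsec_output) if f["peer"] == peer]
    if not flows:
        return ("NO_P2", "phase 1 is QM_IDLE but there is no IPsec SA: check the ACL, the "
                         "transform set, the peer address and the interface the map is on")
    if flows[0]["encaps"] and not flows[0]["decaps"]:
        return ("ONE_WAY", "both phases up but nothing is decrypted: packets go out and none "
                           "come back, check the ACL mirror and the return route on the far side")
    return ("OK", "both phases up and traffic flows in both directions")


# Sample outputs, constructed from the lab's show commands (R7 decaps set to 0 on purpose).
ISAKMP_UP = """\
dst             src             state          conn-id slot status
112.16.17.2     112.16.13.2     QM_IDLE              2    0 ACTIVE
112.16.15.2     112.16.13.2     QM_IDLE              1    0 ACTIVE
"""
ISAKMP_AUTH_FAIL = """\
dst             src             state          conn-id slot status
112.16.15.2     112.16.13.2     MM_KEY_EXCH          1    0 ACTIVE
"""
IPSEC_SA = """\
   current_peer 112.16.15.2 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
   current_peer 112.16.17.2 port 500
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
DEBUG = """\
*Mar  1 00:05:24.227: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 00:05:26.763: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

if __name__ == "__main__":
    for p in ("112.16.15.2", "112.16.17.2"):
        print(p, *diagnose(ISAKMP_UP, IPSEC_SA, p))
    print("112.16.15.2", *diagnose(ISAKMP_AUTH_FAIL, "", "112.16.15.2"))
    print("last debug state:", last_ike_state(DEBUG))
```

The encaps-without-decaps test is the one to keep in mind from this lab: both SAs show ACTIVE, the ping still fails, and the counters are what reveal that the far side never sends anything back.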