Router1#debug crypto ipsec<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
Router1#debug crypto isakmp
Router1#
Get acquire: <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />10.32.1.0/0.0.0.255 -> 10.32.2.0/0.0.0.255 , prot 0, port 0/0
Get acquire: negotiate source 192.168.33.40 -> dest 192.168.33.39
Acqurire negociate with 192.168.33.39
(33) sending packet to 192.168.33.39 (I) MM_SI1_WR1, MM_SA_SETUP
sendout main I1, and wait R1
Receive IKE message packet.
(33) received packet from 192.168.33.39, (I) MM_SI1_WR1, MM_SA_SETUP
Exchange type : 0x2<sa> <vendor ID>
main mode r1 process
(33) Checking ISAKMP transform 1 against priority 10 policy
encryption DES-CBC
hash MD5
auth pre-share
default group 1
life type in seconds
life duration 1200 orginal:1200
(33) atts are acceptable
0x1 0x0 d=0xaf 0xca 0xd7 0x13 0x68 0xa1 0xf1 0xc9 0x6b 0x86 0x96 0xfc 0x77 0x57
dpd's vendor id is detected.
(33) sending packet to 192.168.33.39 (I) MM_SI2_WR2, MM_KEY_EXCH
IKE message packet process over.
Receive IKE message packet.
(33) received packet from 192.168.33.39, (I) MM_SI2_WR2, MM_KEY_EXCH
Exchange type : 0x2<key> <nonce>
main mode process R2:(33) processing NONCE payload.
(33)main mode process R2:SKEYID state generated
(33) sending packet to 192.168.33.39 (I) MM_SI3_WR3, MM_VERIFY
IKE message packet process over.
Receive IKE message packet.
(33) received packet from 192.168.33.39, (I) MM_SI3_WR3, MM_VERIFY
Exchange type : 0x5<hash> <notify>
Receive notify: ipsec responder lifetime.
information exhange: processing NOTIFY payload. message ID = 156391
Process isakmp notify payload end.
IKE message packet process over.
Receive IKE message packet.
(33) received packet from 192.168.33.39, (I) MM_SI3_WR3, MM_VERIFY
Exchange type : 0x2<id> <hash>
(33) (auth pre-share) processing ID payload. message ID = 0
(33) (auth pre-share) processing HASH payload. message ID = 0
(33) (auth pre-share) SA has been authenticated with 192.168.33.39
(main mode)(33) (I)Phase_1 negotiate complete!
++++++++++++++Fill quick sa's dpd_mode(0).
(33) Beginning Quick Mode exchange, M-ID of 1914599138
(33)(quick mode) sending packet to 192.168.33.39 (I) QM_SI1_WR1
IKE message packet process over.
Receive IKE message packet.
find phase 2 quick sa!
(33) (1914599138)received packet from 192.168.33.39, (I) QM_SI1_WR1
Exchange type : 0x20<hash> <sa> <nonce> <id>
599138 mode)(isakmp_id---33) process r1:processing SA payload. message ID = 1914
set->lifebak_sec=3600
(quick_mode)(I)phase 2 sa established,begining to update sab!
(33) Creating IPSec SAs-esp.
inbound SA has spi 432034025
protocol esp, DES_CBC
auth MD5
fill esp in success!
outbound SA has spi 937737430
protocol esp, DES_CBC
auth MD5
fill esp out success!
lifetime of 3600 seconds, soft 3570 seconds
lifetime of 4607000 kilobytes, soft 256 kilobytes
+++++++++++++Fill sab' dpd_mode(0)
add first sab into salink.
life_seconds=3600
life_back_seconds=3600
(quick mode)(isakmp_id---33) sending packet to 192.168.33.39 (I) QM_IDLE
(quick mode)(isakmp_id---33)process r1:Phase_2 negotiate complete!
ike's tunnel (number=1)established.
IKE message packet process over.
crypto card irq: process switch pk tx
crypto card irq: fast switch pk rx
IPSec input: packet already decapulated, src=10.32.2.1, dst=10.32.1.1
crypto card irq: process switch pk tx
crypto card irq: fast switch pk rx
IPSec input: packet already decapulated, src=10.32.2.1, dst=10.32.1.1
crypto card irq: process switch pk tx
crypto card irq: fast switch pk rx
IPSec input: packet already decapulated, src=10.32.2.1, dst=10.32.1.1
crypto card irq: process switch pk tx
crypto card irq: fast switch pk rx
IPSec input: packet already decapulated, src=10.32.2.1, dst=10.32.1.1
转载于:https://blog.51cto.com/hj0822/123296
3867
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
