IPSec VPN Principles and Basic Configuration Example
https://blog.csdn.net/weixin_44907813/article/details/102941603
Firewall and router configuration are in fact very similar; see the link above for the router side. A firewall configuration example follows further down.
I. Troubleshooting on the router
1. show crypto isakmp sa
R1: show crypto isakmp sa # shows the state and details of the management connection (the ISAKMP SA, IKE phase 1); the data connection (the IPsec SAs, phase 2) is shown by show crypto ipsec sa instead
MM_NO_STATE: initial state of the ISAKMP SA; an SA whose management-connection setup failed also stays in this state
MM_SA_SETUP: the peers have successfully negotiated an ISAKMP policy (main-mode messages 1 and 2)
MM_KEY_EXCH: the peers have derived the shared secret with Diffie-Hellman (messages 3 and 4), but have not yet authenticated each other
MM_KEY_AUTH: the peers have authenticated each other (messages 5 and 6); the SA then moves on to QM_IDLE
QM_IDLE: the management connection is established and idle; it is now used for the phase 2 (quick mode) negotiation that builds the data connection
2. debug crypto isakmp
R1: debug crypto isakmp # traces the management-connection (phase 1) negotiation; run it on the responder as well as the initiator, and switch it off again with no debug crypto isakmp once you are done
Failure case one: the encryption algorithms on the two ends do not match
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy # the peer's proposal is compared against the local policies, starting with priority 1 (the lowest number is tried first)
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 # 0x15180 = 86400 seconds; the DES-CBC / DH group 1 offer shown here is the old IOS default policy and is only acceptable in a lab
ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy! # the encryption algorithm in the proposal is not the one in local policy 1
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
…… # the attribute set is rejected; the remaining local policies are tried the same way
ISAKMP:(0:0:N/A:0):no offers accepted! # no local policy matched the proposal
……
received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE # the responder never leaves MM_NO_STATE; fix it by making encryption, hash, DH group and authentication method agree in crypto isakmp policy on both peers
Failure case two: the pre-shared keys on the two ends do not match
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
…… # the policies match; the key exchange and peer authentication follow
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed
# With pre-shared keys, the keys that encrypt main-mode messages 5 and 6 are derived from the shared secret, so if the two ends hold different keys the ID payload decrypts to garbage, the sanity check fails, and the SA stays in MM_KEY_EXCH. Check crypto isakmp key on both peers: the same key, and a peer address that actually matches the other end.
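To make the two signatures above mechanically recognisable, here is an added example (my own code, not part of the original post and not a Cisco tool) that classifies a debug crypto isakmp transcript: it extracts the peer's transform offer, decodes the VPI lifetime bytes, records the last main-mode state seen and maps the rejection messages to a cause, using the state table from section 1. The two transcripts are constructed from the lines quoted above; the "offered does not match policy" pattern is written generically so that the hash, DH-group and authentication-method variants of the same IOS message are classified too, and the list of transforms flagged as obsolete is my own choice.

```python
"""Classify a `debug crypto isakmp` transcript: which main-mode state the
responder stalled in, what the peer offered, and why it was rejected."""
import re

# Main-mode states as listed above, with what a stall in each one usually means.
STATE_HINTS = {
    "MM_NO_STATE": "phase 1 never got going: compare crypto isakmp policy on both peers",
    "MM_SA_SETUP": "policy agreed, waiting for the DH exchange (main-mode messages 3 and 4)",
    "MM_KEY_EXCH": "DH done but peer not authenticated: check the pre-shared key or certificate",
    "MM_KEY_AUTH": "peer authenticated, about to enter QM_IDLE",
    "QM_IDLE": "phase 1 is up: if traffic still fails, look at phase 2 (debug crypto ipsec)",
}

ATTR_RE = re.compile(r"^ISAKMP:\s+(default group|encryption|hash|auth)\s+(\S+)")
LIFE_RE = re.compile(r"^ISAKMP:\s+life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
STATE_RE = re.compile(r"received packet from (\S+) .*Global \((I|R)\) (\w+)")
# "Encryption algorithm offered does not match policy!" and its siblings.
MISMATCH_RE = re.compile(r"([A-Za-z][A-Za-z\- ]*?) offered does not match policy")
# With a wrong pre-shared key the encrypted ID payload (main-mode message 5)
# decrypts to garbage, which IOS reports as a malformed ID payload.
BAD_ID_RE = re.compile(r"reserved not zero on ID payload|IKMP_BAD_MESSAGE")


def parse_offer(lines):
    """Collect the transform attributes the peer proposed."""
    offer = {}
    for line in lines:
        m = ATTR_RE.match(line)
        if m:
            key = "group" if m.group(1) == "default group" else m.group(1)
            offer[key] = m.group(2)
            continue
        m = LIFE_RE.match(line)
        if m:
            # Lifetime is printed as big-endian bytes: 0x0 0x1 0x51 0x80 -> 0x15180 = 86400 s
            raw = bytes(int(b, 16) for b in m.group(1).split())
            offer["lifetime"] = int.from_bytes(raw, "big")
    return offer


def diagnose(debug_output):
    """Return peer, role, last main-mode state, the offer, the failure causes and a hint."""
    lines = [ln.strip() for ln in debug_output.splitlines() if ln.strip()]
    offer = parse_offer(lines)
    peer = role = last_state = None
    failures = []
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            peer, role, last_state = m.groups()
        m = MISMATCH_RE.search(line)
        if m:
            failures.append(m.group(1).lower() + " mismatch")
        elif BAD_ID_RE.search(line):
            failures.append("psk mismatch (ID payload undecryptable)")
    # Obsolete transforms are worth flagging even when they are not the cause (my own list).
    weak = []
    if offer.get("encryption") in ("DES-CBC", "3DES-CBC"):
        weak.append("encryption " + offer["encryption"])
    if offer.get("group") in ("1", "2"):
        weak.append("DH group " + offer["group"])
    if offer.get("hash") == "MD5":
        weak.append("hash MD5")
    return {
        "peer": peer,
        "role": role,
        "last_state": last_state,
        "offer": offer,
        "failures": list(dict.fromkeys(failures)),  # de-duplicate, keep order
        "weak": weak,
        "hint": STATE_HINTS.get(last_state, "no main-mode state seen in this output"),
    }


# Constructed sample input: the two transcripts quoted above, reduced to the lines that matter.
OFFER = """ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
"""
CASE_ONE = OFFER + """ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
ISAKMP:(0:0:N/A:0):no offers accepted!
received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE
"""
CASE_TWO = OFFER + """ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed
"""

if __name__ == "__main__":
    for name, text in (("case one", CASE_ONE), ("case two", CASE_TWO)):
        print(name, diagnose(text))
```

Feed it the output of terminal monitor or a saved log; case one comes back stalled in MM_NO_STATE with an encryption-algorithm mismatch, case two in MM_KEY_EXCH with a pre-shared-key mismatch, and both flag DES-CBC and DH group 1 as obsolete even though they are not what broke the tunnel.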
II. Differences between firewalls and routers:
I