攻城狮论坛

Author: bbj
Views: 9310 | Replies: 108

[Help] About VPN DEBUG messages

bbj [Lv2 Novice] posted on 2013-8-24 22:37:45
While testing VPN debugging I ran into a problem: the tunnel is established successfully, but I cannot ping the peer's internal IP. While debugging the tunnel setup I found that the fourth packet differs from a normal connection setup:
Aug 25 07:13:22.699: ISAKMP (0): received packet from 58.*.*.*dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 25 07:13:22.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 25 07:13:22.699: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Aug 25 07:13:22.699: ISAKMP:(0): processing KE payload. message ID = 0
Aug 25 07:13:22.727: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 25 07:13:22.731: ISAKMP:(0):found peer pre-shared key matching 58.*.*.*
Aug 25 07:13:22.731: ISAKMP:(2002): processing vendor id payload
Aug 25 07:13:22.731: ISAKMP:(2002): vendor ID is Unity
Aug 25 07:13:22.731: ISAKMP:(2002): processing vendor id payload
Aug 25 07:13:22.731: ISAKMP:(2002): vendor ID is DPD
Aug 25 07:13:22.731: ISAKMP:(2002): processing vendor id payload
Aug 25 07:13:22.731: ISAKMP:(2002): speaking to another IOS box!
Aug 25 07:13:22.731: ISAKMP:received payload type 20
Aug 25 07:13:22.731: ISAKMP (2002): His hash no match - this node outside NAT
Aug 25 07:13:22.731: ISAKMP:received payload type 20
Aug 25 07:13:22.731: ISAKMP (2002): No NAT Found for self or peer
Aug 25 07:13:22.731: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 25 07:13:22.731: ISAKMP:(2002):Old State = IKE_I_MM4 New State = IKE_I_MM4
Aug 25 07:13:22.731: ISAKMP:(2002):Send initial contact
Aug 25 07:13:22.731: ISAKMP:(2002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 25 07:13:22.731: ISAKMP (2002): ID payload
Because this is a company internal network, I have masked the IPs. The output shows "Aug 25 07:13:22.731: ISAKMP (2002): His hash no match - this node outside NAT" and "Aug 25 07:13:22.731: ISAKMP (2002): No NAT Found for self or peer".
Could an expert please explain what is wrong with my configuration? By the way, I have already checked the HASH algorithm; it is the same on both ends.

412man [Lv3 Apprentice] posted on 2013-8-24 22:47:42
Hoping everyone can help bump this so it doesn't sink. This problem seems fairly uncommon.

apexchu [Lv2 Novice] posted on 2013-8-24 22:53:29
HASH no match
this node outside nat

How did you configure it? With only this ERROR MESSAGE I can't quite tell. Did you only set up IPSEC? What about the ACLs on both ends, do they permit the traffic?

newsuner [Lv4 Rising] posted on 2013-8-24 22:55:30
sunlyc posted on 2013-8-27 14:13
HASH no match
this node outside nat

crypto isakmp enable
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 group 2
 hash md5
 lifetime 86400

crypto isakmp nat keepalive 20

ip access-list extended CScore_VPN
 5 permit ip 10.23.54.32 0.0.0.3 10.0.0.0 0.0.255.255
 10 permit ip 10.23.54.32 0.0.0.3 10.1.0.0 0.0.255.255
 15 permit ip 10.23.54.32 0.0.0.3 10.36.0.0 0.0.255.255
 20 permit ip 10.23.54.32 0.0.0.3 10.37.0.0 0.0.255.255
 25 permit ip 10.23.54.32 0.0.0.3 10.76.0.0 0.0.255.255
 30 permit ip 10.23.54.32 0.0.0.3 10.34.132.0 0.0.3.255
 35 permit ip 10.23.54.32 0.0.0.3 10.23.8.0 0.0.7.255
 40 permit ip 10.23.54.32 0.0.0.3 10.23.16.0 0.0.3.255
 45 permit ip 10.23.54.32 0.0.0.3 10.23.48.0 0.0.128.255

crypto isakmp key <known-good pre-shared key> address <peer IP>
crypto ipsec transform-set VPN esp-des  esp-md5-hmac
 mode tunnel
 ex
crypto ipsec security-association lifetime seconds 86400

crypto map CS_VPN 100 ipsec-isakmp
 match address CScore_VPN
 set peer  <peer IP>
 set transform-set VPN
 set security-association lifetime seconds 86400
 set pfs group2
 reverse-route

interface dia10
 crypto map CS_VPN

阿靈 [Lv3 Apprentice] posted on 2013-8-24 22:58:32
Some additional DEBUG output:
Aug 27 11:42:37.475:         inbound SA from 58.*.*.*to 118.*.*.* (f/i)  0/ 0
        (proxy 10.23.8.0 to 10.23.54.32)
Aug 27 11:42:37.475:         has spi 0xCC7B952A and conn_id 0
Aug 27 11:42:37.475:         lifetime of 86400 seconds
Aug 27 11:42:37.475:         lifetime of 4608000 kilobytes
Aug 27 11:42:37.475:         outbound SA from 118.*.*.* to 58.*.*.*(f/i) 0/0
        (proxy 10.23.54.32 to 10.23.8.0)
Aug 27 11:42:37.475:         has spi  0x4BB72C8F and conn_id 0
Aug 27 11:42:37.475:         lifetime of 86400 seconds
Aug 27 11:42:37.475:         lifetime of 4608000 kilobytes
Aug 27 11:42:37.475: ISAKMP:(2001): sending packet to 58.*.*.*my_port 500 peer_port 500 (I) QM_IDLE
Aug 27 11:42:37.475: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Aug 27 11:42:37.475: ISAKMP:(2001):deleting node 1853074095 error FALSE reason "No Error"
Aug 27 11:42:37.475: ISAKMP:(2001):Node 1853074095, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 27 11:42:37.475: ISAKMP:(2001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Aug 27 11:42:37.475: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 27 11:42:37.475: Crypto mapdb : proxy_match
        src addr     : 10.23.54.32
        dst addr     : 10.23.8.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Aug 27 11:42:37.475: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 58.20.43.227
Aug 27 11:42:37.475: IPSEC(rte_mgr): VPN Route Event create SA based on crypto ACL in real time for 58.20.43.227
Aug 27 11:42:37.475:  IPSEC(rte_mgr): Route add Peer 58.*.*.*, Destination 10.23.8.0, Nexthop 0.0.0.0, RT type 1
Aug 27 11:42:37.475: IPSEC(rte_mgr): VPN Route Refcount 1 Dialer10
Aug 27 11:42:37.479: IPSEC(rte_mgr): VPN Route Added 10.23.8.0 255.255.248.0 via 58.*.*.*in IP DEFAULT TABLE with tag 0 distance 1
Aug 27 11:42:37.479: IPSEC(policy_db_add_ident): src 10.23.54.32, dest 10.23.8.0, dest_port 0

Aug 27 11:42:37.479: IPSEC(create_sa): sa created,
  (sa) sa_dest= 118.*.*.*, sa_proto= 50,
    sa_spi= 0xCC7B952A(3430651178),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4434691/86400)
Aug 27 11:42:37.479: IPSEC(create_sa): sa created,
  (sa) sa_dest= 58.20.43.227, sa_proto= 50,
    sa_spi= 0x4BB72C8F(1270295695),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4434691/86400)
Aug 27 11:42:37.479: IPSEC(update_current_outbound_sa): get enable SA peer 58.*.*.*current outbound sa to SPI 4BB72C8F
Aug 27 11:42:37.479: IPSEC(update_current_outbound_sa): updated peer 58.*.*.*current outbound sa to SPI 4BB72C8F
Aug 27 11:42:38.799: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       475159008 ...
Aug 27 11:42:38.799: ISAKMP (2001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Aug 27 11:42:38.799: ISAKMP (2001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Aug 27 11:42:38.799: ISAKMP:(2001): retransmitting phase 2 475159008 QM_IDLE
Aug 27 11:42:38.799: ISAKMP:(2001): sending packet to 58.*.*.*my_port 500 peer_port 500 (I) QM_IDLE
Aug 27 11:42:38.799: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Aug 27 11:42:39.483: ISAKMP (2001): received packet from 58.*.*.*dport 500 sport 500 Global (I) QM_IDLE
Aug 27 11:42:39.487: ISAKMP:(2001): processing HASH payload. message ID = 475159008
Aug 27 11:42:39.487: ISAKMP:(2001): processing SA payload. message ID = 475159008
Aug 27 11:42:39.487: ISAKMP:(2001):Checking IPSec proposal 1
Aug 27 11:42:39.487: ISAKMP: transform 1, ESP_DES
Aug 27 11:42:39.487: ISAKMP:   attributes in transform:
Aug 27 11:42:39.487: ISAKMP:      encaps is 1 (Tunnel)
Aug 27 11:42:39.487: ISAKMP:      SA life type in seconds
Aug 27 11:42:39.487: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
Aug 27 11:42:39.487: ISAKMP:      SA life type in kilobytes
Aug 27 11:42:39.487: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Aug 27 11:42:39.487: ISAKMP:      authenticator is HMAC-MD5
Aug 27 11:42:39.487: ISAKMP:      group is 2
Aug 27 11:42:39.487: ISAKMP:(2001):atts are acceptable.
Aug 27 11:42:39.487: IPSEC(validate_proposal_request): proposal part #1
Aug 27 11:42:39.487: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 118.*.*.*:0, remote= 58.20.43.227:0,
    local_proxy= 10.23.54.32/255.255.255.252/0/0 (type=4),
    remote_proxy= 10.23.8.0/255.255.248.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 27 11:42:39.487: Crypto mapdb : proxy_match
        src addr     : 10.23.54.32
        dst addr     : 10.23.8.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Aug 27 11:42:39.487: ISAKMP:(2001): processing NONCE payload. message ID = 475159008
Aug 27 11:42:39.487: ISAKMP:(2001): processing KE payload. message ID = 475159008
Aug 27 11:42:39.515: ISAKMP:(2001): processing ID payload. message ID = 475159008
Aug 27 11:42:39.515: ISAKMP:(2001): processing ID payload. message ID = 475159008
Aug 27 11:42:39.515: ISAKMP:(2001): Creating IPSec SAs
Aug 27 11:42:39.515:         inbound SA from 58.*.*.*to 118.*.*.* (f/i)  0/ 0
        (proxy 10.23.8.0 to 10.23.54.32)
Aug 27 11:42:39.515:         has spi 0xBABB1470 and conn_id 0
Aug 27 11:42:39.515:         lifetime of 86400 seconds
Aug 27 11:42:39.515:         lifetime of 4608000 kilobytes
Aug 27 11:42:39.515:         outbound SA from 118.*.*.* to 58.*.*.*(f/i) 0/0
        (proxy 10.23.54.32 to 10.23.8.0)
Aug 27 11:42:39.515:         has spi  0xB6B88103 and conn_id 0
Aug 27 11:42:39.515:         lifetime of 86400 seconds
Aug 27 11:42:39.515:         lifetime of 4608000 kilobytes
Aug 27 11:42:39.515: ISAKMP:(2001): sending packet to 58.*.*.*my_port 500 peer_port 500 (I) QM_IDLE
Aug 27 11:42:39.519: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Aug 27 11:42:39.519: ISAKMP:(2001):deleting node 475159008 error FALSE reason "No Error"
Aug 27 11:42:39.519: ISAKMP:(2001):Node 475159008, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 27 11:42:39.519: ISAKMP:(2001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Aug 27 11:42:39.519: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 27 11:42:39.519: Crypto mapdb : proxy_match
        src addr     : 10.23.54.32
        dst addr     : 10.23.8.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Aug 27 11:42:39.519: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 58.20.43.227
Aug 27 11:42:39.519: IPSEC(rte_mgr): VPN Route Event create SA based on crypto ACL in real time for 58.20.43.227
Aug 27 11:42:39.519:  IPSEC(rte_mgr): Route add Peer 58.*.*.*, Destination 10.23.8.0, Nexthop 0.0.0.0, RT type 1
Aug 27 11:42:39.519: IPSEC(rte_mgr):Search route found ID 1
Aug 27 11:42:39.519: IPSEC(rte_mgr): VPN Route Refcount 2 58.*.*.*on Dialer10
Aug 27 11:42:39.519: IPSEC(create_sa): sa created,
  (sa) sa_dest= 118.*.*.*, sa_proto= 50,
    sa_spi= 0xBABB1470(3132822640),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
    sa_lifetime(k/sec)= (4558678/86400)
Aug 27 11:42:39.519: IPSEC(create_sa): sa created,
  (sa) sa_dest= 58.20.43.227, sa_proto= 50,
    sa_spi= 0xB6B88103(3065544963),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
    sa_lifetime(k/sec)= (4558678/86400)
Aug 27 11:42:39.519: IPSEC(update_current_outbound_sa): get enable SA peer 58.*.*.*current outbound sa to SPI B6B88103
Aug 27 11:42:39.519: IPSEC(update_current_outbound_sa): updated peer 58.*.*.*current outbound sa to SPI B6B88103
Aug 27 11:42:39.519: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=4BB72C8F
Aug 27 11:42:39.519: IPSEC(early_age_out_sibling): sibling outbound SPI 4BB72C8F expiring in 30 seconds due to it's a duplicate SA bundle.
Router(config-if)#
Aug 27 11:43:02.435: ISAKMP (2001): received packet from 58.*.*.*dport 500 sport 500 Global (I) QM_IDLE
Aug 27 11:43:02.435: ISAKMP: set new node -917327660 to QM_IDLE
Aug 27 11:43:02.435: ISAKMP:(2001): processing HASH payload. message ID = 3377639636
Aug 27 11:43:02.435: ISAKMP:(2001): processing DELETE payload. message ID = 3377639636
Aug 27 11:43:02.435: ISAKMP:(2001):peer does not do paranoid keepalives.

Aug 27 11:43:02.435: ISAKMP:(2001):deleting node -917327660 error FALSE reason "Informational (in) state 1"
Aug 27 11:43:02.435: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 27 11:43:02.435: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Aug 27 11:43:04.519: ISAKMP: set new node 804935725 to QM_IDLE
Aug 27 11:43:04.519: ISAKMP:(2001): sending packet to 58.*.*.*my_port 500 peer_port 500 (I) QM_IDLE
Aug 27 11:43:04.519: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Aug 27 11:43:04.519: ISAKMP:(2001):purging node 804935725
Aug 27 11:43:04.519: ISAKMP:(2001):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Aug 27 11:43:04.519: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 27 11:43:07.435: ISAKMP (2001): received packet from 58.*.*.*dport 500 sport 500 Global (I) QM_IDLE
Aug 27 11:43:07.435: ISAKMP: set new node -492395739 to QM_IDLE
Aug 27 11:43:07.435: ISAKMP:(2001): processing HASH payload. message ID = 3802571557
Aug 27 11:43:07.435: ISAKMP:(2001): processing DELETE payload. message ID = 3802571557
Aug 27 11:43:07.435: ISAKMP:(2001):peer does not do paranoid keepalives.

Aug 27 11:43:07.435: ISAKMP:(2001):deleting node -492395739 error FALSE reason "Informational (in) state 1"
Aug 27 11:43:07.439: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 27 11:43:07.439: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Aug 27 11:43:07.439: IPSEC(key_engine_delete_sas): delete SA with spi 0x4BB72C8F proto 50 for 58.20.43.227
Aug 27 11:43:07.439: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 118.*.*.*, sa_proto= 50,
    sa_spi= 0xCC7B952A(3430651178),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4434691/86400),
  (identity) local= 118.*.*.*:0, remote= 58.20.43.227:0,
    local_proxy= 10.23.54.32/255.255.255.252/0/0 (type=4),
    remote_proxy= 10.23.8.0/255.255.248.0/0/0 (type=4)
Aug 27 11:43:07.439: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 58.20.43.227, sa_proto= 50,
    sa_spi= 0x4BB72C8F(1270295695),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4434691/86400),
  (identity) local= 118.*.*.*:0, remote= 58.20.43.227:0,
    local_proxy= 10.23.54.32/255.255.255.252/0/0 (type=4),
    remote_proxy= 10.23.8.0/255.255.248.0/0/0 (type=4)
Aug 27 11:43:07.439:  IPSEC(rte_mgr): Delete Route found ID 1
Aug 27 11:43:07.439: IPSEC(rte_mgr): VPN Route Refcount 1 Dialer10
Router(config-if)#
Aug 27 11:43:27.475: ISAKMP:(2001):purging node 1853074095
Aug 27 11:43:29.519: ISAKMP:(2001):purging node 475159008
Aug 27 11:43:52.435: ISAKMP:(2001):purging node -917327660
Aug 27 11:43:57.435: ISAKMP:(2001):purging node -492395739
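
Added example, not part of the original thread: a Python script that tracks the IPsec SA lifecycle in IOS crypto debug text like the output above, reporting which SPIs are created and deleted, how many phase 2 retransmits and duplicate-bundle events occur, and whether obsolete transforms were negotiated. The function name summarize and the abridged sample are assumptions of this example.

```python
import re

# Abridged from the debug output posted above (SPIs as posted; address lines omitted).
SAMPLE_LOG = """\
Aug 27 11:42:37.475: ISAKMP:(2001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Aug 27 11:42:37.479: IPSEC(create_sa): sa created,
    sa_spi= 0xCC7B952A(3430651178),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1
Aug 27 11:42:37.479: IPSEC(create_sa): sa created,
    sa_spi= 0x4BB72C8F(1270295695),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
Aug 27 11:42:38.799: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       475159008 ...
Aug 27 11:42:39.519: ISAKMP:(2001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Aug 27 11:42:39.519: IPSEC(create_sa): sa created,
    sa_spi= 0xBABB1470(3132822640),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
Aug 27 11:42:39.519: IPSEC(create_sa): sa created,
    sa_spi= 0xB6B88103(3065544963),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
Aug 27 11:42:39.519: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=4BB72C8F
Aug 27 11:43:07.439: IPSEC(delete_sa): deleting SA,
    sa_spi= 0xCC7B952A(3430651178),
Aug 27 11:43:07.439: IPSEC(delete_sa): deleting SA,
    sa_spi= 0x4BB72C8F(1270295695),
"""

EVENT = re.compile(r"IPSEC\((create_sa|delete_sa)\)")
SPI = re.compile(r"sa_spi= 0x([0-9A-Fa-f]+)")
TRANS = re.compile(r"sa_trans= (.*?) ,")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
WEAK = {"esp-des", "esp-md5-hmac"}  # DES and HMAC-MD5: obsolete for ESP

def summarize(log):
    """Track IPsec SA lifecycle events in IOS crypto debug text."""
    live, deleted, weak, transitions = [], [], set(), []
    retransmits = duplicates = 0
    pending = None  # create/delete header still waiting for its sa_spi line
    for line in log.splitlines():
        if m := EVENT.search(line):
            pending = m.group(1)
        elif (m := SPI.search(line)) and pending:
            spi = m.group(1).upper()
            if pending == "create_sa":
                live.append(spi)
            else:
                if spi in live:  # log may start after the SA was created
                    live.remove(spi)
                deleted.append(spi)
            pending = None
        elif m := TRANS.search(line):
            weak |= WEAK & set(m.group(1).split())
        elif m := STATE.search(line):
            transitions.append(m.groups())
        elif "retransmitting phase 2" in line:
            retransmits += 1
        elif "found duplicated fresh SA bundle" in line:
            duplicates += 1
    return {"live": live, "deleted": deleted, "weak": sorted(weak),
            "transitions": transitions, "retransmits": retransmits,
            "duplicates": duplicates}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the first SA pair ends up deleted after the duplicate-bundle event while the second pair stays in the live list.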

fanxu [Lv3 Apprentice] posted on 2013-8-24 22:59:25
What caused the problem? Please share, brother; I happen to be playing with this lately too.

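sss777 [Lv3 Apprentice] posted on 2013-8-24 23:00:07
odeson posted on 2013-8-30 15:29
What caused the problem? Please share, brother; I happen to be playing with this lately too.

I suggest you read a book; its coverage of VPN is very good and very detailed, especially the part on IPSEC VPN (at least that is the only part I have read so far). This is the web version.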

isslee [Lv8 Proficient] posted on 2014-3-27 23:13:10
Haven't finished reading~~~~~~ bumping first, good comrade

bele [VIP@Diamond] posted on 2014-3-29 17:48:44
Good threads are hard to find; bumped, thanks.

ayayay [Lv8 Proficient] posted on 2014-3-31 15:18:07
Don't know what to say...... just thanks.