2 IKE
2.1 IKE debugging commands
2.1.1 debugging ike
【Syntax】
debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ]
undo debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet }
【Default】
IKE debugging is disabled.
【Views】
User view
【Predefined user roles】
network-admin
【Parameters】
all: Enables all IKE debugging switches.
dpd: Enables DPD debugging.
error: Enables error debugging.
event: Enables event debugging.
keepalive: Enables keepalive debugging.
nat-keepalive: Enables NAT keepalive debugging.
packet: Enables packet debugging.
remote-address: Filters debugging information by peer address.
local-address: Filters debugging information by local address.
ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
remote-port port-number: Filters debugging information by peer port number. port-number is the peer port number, in the range of 0 to 65535.
vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private-network address belongs. vpn-instance-name is the name of an MPLS L3VPN VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private-network address does not belong to any VPN.
【Usage guidelines】
Use debugging ike to enable IKE debugging. Use undo debugging ike to disable IKE debugging.
Table 2-1 Output description for the debugging ike error command
Field | Description |
Failed to verify the peer signature. | Peer signature verification failed |
HASH payload is missing. | No HASH payload was found in the IKE packet |
Failed to verify the peer HASH. | Peer HASH verification failed |
Signature payload is missing. | No signature payload was found in the IKE packet |
Invalid SPI length (length) in DPD packet. | The SPI length in the DPD packet is invalid. length is the SPI length |
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid. I-Cookie is the I-Cookie value |
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid. R-Cookie is the R-Cookie value |
The length (length) of DPD sequence number is invalid. | The length of the DPD sequence number is invalid. length is the length |
Invalid DPD sequence number (number). | The DPD sequence number is invalid. number is the sequence number |
DPD packet retransmission timed out. | Retransmission of the DPD packet timed out |
Invalid IPv4 address length (length). | The IPv4 address length is invalid. length is the length |
Invalid IPv6 address length (length). | The IPv6 address length is invalid. length is the length |
Invalid ID of IPv4 address type: ID-IPv4 | The ID of the IPv4 address type is invalid. ID-IPv4 is the ID value |
Invalid ID of IPv6 address type: ID-IPv6 | The ID of the IPv6 address type is invalid. ID-IPv6 is the ID value |
Invalid FQDN ID length (length). | The length of the FQDN-type ID is invalid. length is the length |
Invalid user FQDN ID length (length). | The length of the User FQDN-type ID is invalid. length is the length |
Failed to get DN because the certificate doesn't exist. | Failed to obtain the DN because the certificate does not exist |
Failed to get ID data for constructing ID payload. | Failed to obtain the ID data when constructing the ID payload |
Invalid ID payload with protocol protocol-number and port port-number. | The ID payload is invalid. protocol-number is the protocol number and port-number is the port number in the ID payload |
Invalid ID type (ID-type). | The ID type is invalid. ID-type is the ID type value |
Failed to find proposal proposal-number in profile profile-name. | Proposal proposal-number was not found in IKE profile profile-name |
Failed to verify HASH for informational exchange. | HASH verification for the informational exchange packet failed |
Failed to construct delete payload. | Failed to construct the delete payload |
Invalid SPI length. | The SPI length is invalid |
Protocol ID (ID) in delete payload is invalid. | The protocol ID in the delete payload is invalid. ID is the protocol ID |
KE payload doesn’t exist. | The KE payload does not exist |
Invalid KE payload length (length). | The KE payload length is invalid. length is the length |
Failed to construct notification payload for keepalive. | Failed to construct the notification payload when sending a keepalive packet |
Length (length) of the sequence number in keepalive packet is invalid. | The sequence number length in the keepalive packet is invalid. length is the length |
Length (length) of the HASH payload in keepalive packet is invalid. | The HASH payload length in the keepalive packet is invalid. length is the length |
Failed to calculate HASH for verification of keepalive packet. | The local end failed to calculate the HASH when verifying the keepalive packet |
Failed to add sequence number to keepalive packet. | Failed to add the sequence number when constructing the keepalive packet |
Failed to calculate HASH for keepalive. | Failed to calculate the HASH when constructing the keepalive packet |
Failed to float port. | Port floating failed |
Length (length) of the nonce payload is invalid. | The nonce payload length is invalid. length is the length |
Failed to parse the certificate request payload. | Failed to parse the certificate request payload |
No available proposal. | No usable proposal was found |
Failed to get certificate. | Failed to obtain the certificate |
Failed to get private key. | Failed to obtain the private key |
Failed to construct ID payload. | Failed to construct the IPsec ID payload |
Failed to calculate hash-name. | HASH calculation failed. hash-name is the HASH name |
Failed to validate hash-name. | HASH verification failed. hash-name is the HASH name |
Failed to compute key material. | Failed to compute the key material |
Failed to install IPsec SA. | Failed to install the IPsec SA |
The nonce payload doesn't exist. | The nonce payload does not exist |
The KE payload doesn't exist. | The KE payload does not exist |
No valid DH group description in SA payload. | The SA payload contains no valid DH group |
There are too many KE payloads. | Too many KE payloads |
The length of the KE payload does't match the DH group description. | The KE payload length does not match the DH group description used for PFS |
Failed to construct NAT-OA payload. | Failed to construct the NAT-OA payload |
Failed to construct RESPONDER_LIFETIME payload. | Failed to construct the RESPONDER_LIFETIME payload |
Failed to construct KE payload. | Failed to construct the KE payload |
Failed to pad for encryption. | Padding before encryption failed |
Failed to send data. Reason: error-reason. | Failed to send the packet. error-reason is the error reason |
No enough space in the packet for Non-ESP marker. | The packet is too large for the Non-ESP marker to be added |
Failed to decrypt the packet. | Failed to decrypt the packet |
Non-zero message ID (Message-ID) in phase 1. | The phase 1 message ID is not 0. Message-ID is its value |
I-Cookie must not be zero. | The I-Cookie cannot be 0 |
The first packet of phase 1 is invalid: Encryption bit is set. | The first packet of phase 1 is invalid: the encryption flag of the packet is set |
The first packet of phase 1 is invalid: Non-zero R-Cookie. | The first packet of phase 1 is invalid: the R-Cookie of the packet is not 0 |
Failed to parse phase 1 packet. Reason reason. | Failed to parse the phase 1 IKE packet. reason is the reason, which can be: · INVALID_PAYLOAD_TYPE: Invalid payload type · DOI_NOT_SUPPORTED: Unsupported DOI field · SITUATION_NOT_SUPPORTED: Unsupported situation field · INVALID_COOKIE: Invalid cookie · INVALID_MAJOR_VERSION: Invalid major version · INVALID_MINOR_VERSION: Invalid minor version · INVALID_EXCHANGE_TYPE: Invalid exchange type · INVALID_FLAGS: Invalid flags · INVALID_MESSAGE_ID: Invalid message ID · INVALID_PROTOCOL_ID: Invalid proposal number · INVALID_SPI: Invalid SPI · INVALID_TRANSFORM_ID: Invalid transform ID · ATTRIBUTES_NOT_SUPPORTED: Unsupported attributes · NO_PROPOSAL_CHOSEN: No matching proposal · BAD_PROPOSAL_SYNTAX: Proposal syntax error · PAYLOAD_MALFORMED: Malformed payload · INVALID_KEY_INFORMATION: Invalid key information · INVALID_ID_INFORMATION: Invalid ID · INVALID_CERT_ENCODING: Invalid certificate encoding · INVALID_CERTIFICATE: Invalid certificate · CERT_TYPE_UNSUPPORTED: Unsupported certificate type · INVALID_CERT_AUTHORITY: Certificate authentication failed · INVALID_HASH_INFORMATION: Invalid HASH · AUTHENTICATION_FAILED: Authentication failed · INVALID_SIGNATURE: Invalid signature · ADDRESS_NOTIFICATION: Address notification · NOTIFY_SA_LIFETIME: SA lifetime notification · CERTIFICATE_UNAVAILABLE: Certificate unavailable · UNSUPPORTED_EXCHANGE_TYPE: Unsupported exchange type · UNEQUAL_PAYLOAD_LENGTHS: Unequal payload lengths |
The packet is dropped because of not being encrypted | The packet was dropped because it is not encrypted |
Failed to parse informational exchange packet. Reason reason. | Failed to parse the informational exchange packet. reason is the reason; its values are the same as above |
Failed to parse keepalive packet because of reason. | Failed to parse the keepalive packet. reason is the reason; its values are the same as above |
Unsupported exchange type (type) in packet. | The exchange type type is not supported. type can be: · None: Nonexistent exchange type · Base: Base exchange · Main: Main mode exchange · AO: Authentication Only exchange · Aggressive: Aggressive mode exchange · Info: Informational exchange · Mode cfg: Configuration mode exchange |
Invalid Non-ESP marker: marker. | The Non-ESP marker is invalid. marker is the marker value |
The received packet is too short, which is length bytes. | The received packet is too short. length is the packet length |
Failed to receive packet. | Failed to receive the packet |
Failed to bind UDP port port-number. Reason: reason. | Failed to bind the UDP port. port-number is the port number and reason is the error reason |
Failed to set UDP port port-number. Reason: reason. | Failed to set the UDP port. port-number is the port number and reason is the error reason |
Failed to add UDP port port-number to epoll. | Failed to add the UDP port to epoll. port-number is the port number |
Failed to initiate UDP port port-number. Error code: error-number. | Failed to initialize the UDP port. port-number is the port number and error-number is the error code |
byte-numberth byte of the structure struct-name must be 0. | Byte byte-number of structure struct-name must be 0 |
Field-name of struct-name has an unknown value: value. | The value value of field field-name in structure struct-name is invalid |
field-name of struct-name has unknown members. | Field field-name of structure struct-name contains unknown members |
No enough bytes to get data2 from data1. | Not enough space to hold data data2 obtained from data data1 |
No enough space in output packet for struct-name. | Not enough space in the packet to hold structure struct-name |
No enough space to place length bytes of data-name in struct-name. | Not enough space in structure struct-name to hold length bytes of data |
No enough space to place data-name in struct-name. | Not enough space in structure struct-name to hold data data-name |
Failed to add the HASH payload. | Failed to add the HASH payload |
Ignored the certificate request of type type-id. | The certificate request was ignored. type-id is the certificate request type |
Failed to get the certificate and key by certificate request. | Failed to obtain the certificate and key according to the certificate request |
Failed to verify the peer certificate. Reason: error-string. | Peer certificate verification failed. error-string is the error reason |
Failed to find keychain keychain-name in profile profile-name. | Keychain keychain-name was not found in IKE profile profile-name |
Failed to create IKE SA with core data. | Failed to create the phase 1 SA from the core data |
Failed to create IPsec SA with core data. | Failed to create the phase 2 SA from the core data |
Failed to receive smooth SA ACK from IPsec. | Failed to receive the SA smoothing ACK from IPsec |
Number of negotiating IKE SAs exceeded the limit. | The number of IKE SAs being negotiated exceeded the limit |
Number of established IKE SAs exceeded the limit. | The number of established IKE SAs exceeded the limit |
Attribute attribute-name is repeated. | The attribute is repeated. attribute-name is the attribute name |
Failed to construct situation. | Failed to construct the situation field |
Failed to construct proposal payload. | Failed to construct the proposal payload |
Failed to construct transform payload. | Failed to construct the transform payload |
Failed to construct attributes. | Failed to construct the attributes |
Unsupported DOI doi | Unsupported DOI doi |
Proposal payload must be the last payload in SA payload, but payload-name payload is found following proposal payload. | The proposal payload must be the last payload in the SA payload, but a payload-name payload follows the proposal payload |
Unexpected protocol ID (ID-type) found in proposal payload. | The protocol ID in the proposal payload is invalid. ID-type is the protocol ID |
Invalid SPI length (SPI-length) in proposal payload. | The SPI length in the proposal payload is invalid |
No transform payload in proposal payload. | The proposal payload contains no transform payload |
Transform number is not monotonically increasing. | The transform numbers are not monotonically increasing |
Invalid transform ID: id. | The transform ID id is invalid |
No acceptable transform. | No acceptable transform |
Unexpected payload-name payload in proposal. | The proposal payload contains an unexpected payload-name payload |
Only one transform is permitted in one proposal, but trans-count transforms are found. | Only one transform is allowed in the selected proposal payload, but trans-count transforms were found |
Failed to parse the IKE SA payload. | Failed to parse the IKE SA payload |
Proposal payload has more transforms than specified in the proposal payload. | The proposal payload contains more transform payloads than the number specified in the proposal payload |
Proposal payload has fewer transforms than specified in the proposal payload. | The proposal payload contains fewer transform payloads than the number specified in the proposal payload |
Invalid next payload (payload-type) in transform payload. | The next payload field in the transform payload is invalid. payload-type is the payload type |
SA_LIFE_TYPE attribute must be in front of the SA_LIFE_DURATION attribute. | The SA_LIFE_TYPE attribute must precede the SA_LIFE_DURATION attribute |
Attribute attribute-type is repeated in IPsec transform trans-number. | The attribute of type attribute-type is repeated in the IPsec transform. trans-number is the transform number |
SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is repeated in the packet |
Unsupported IPsec attribute attribute. | The IPsec attribute attribute is not supported |
SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message. | The SA_LIFE_TYPE IPsec attribute in the packet is not followed by an SA_LIFE_DURATION attribute |
Encapsulation mode must be specified in IPsec transform. | The encapsulation mode must be specified in the IPsec transform |
AUTH_ALGORITHM attribute is missing in AH transform. | The AH transform contains no AUTH_ALGORITHM attribute |
Transform ID (id) in transform trans-number doesn't match authentication algorithm auth-algo-name (auth-algo-value). | The transform ID does not match the authentication algorithm. trans-number is the transform number, id is the transform ID, auth-algo-name is the authentication algorithm, and auth-algo-value is its value |
Neither encryption algorithm nor authentication algorithm is specified in ESP proposal, which is not permitted. | The ESP proposal specifies neither an encryption algorithm nor an authentication algorithm, which is not allowed |
Unsupported ESP transform. | The ESP transform is not supported |
Unsupported ESP authentication algorithm. | The ESP authentication algorithm is not supported |
IPsec proposal with improper SPI size (size). | The SPI size in the IPsec proposal is incorrect. size is the SPI size |
IPsec proposal contains invalid SPI (SPI). | The SPI in the IPsec proposal is invalid. SPI is its value |
Failed to get SPI from IPsec proposal. | Failed to obtain the SPI from the IPsec proposal |
No transform in IPsec proposal. | The IPsec proposal contains no transform |
SA payload contains more than one AH proposal with the same proposal number. | The SA payload contains multiple AH proposals with the same proposal number |
SA payload contains more than one ESP proposal with the same proposal number. | The SA payload contains multiple ESP proposals with the same proposal number |
Invalid next payload (payload-type-num) in proposal. | The next payload field in the proposal payload is invalid. payload-type-num is the type value |
Unsupported IPsec DOI situation (situation-num). | The IPsec DOI situation is not supported. situation-num is the situation value |
Invalid IPsec proposal proposal-number. | The IPsec proposal is invalid. proposal-number is the proposal number |
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA. | Failed to obtain the IPsec policy when renegotiating the IPsec SA. The IPsec SA is deleted |
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA. | Failed to obtain the IPsec policy as the phase 2 responder. The IPsec SA is deleted |
No HASH in notification payload. | The notification payload contains no HASH |
Failed to send message to IPsec when getting SPI. | Failed to send a message to IPsec when obtaining the SPI |
Failed to send message to IPsec when adding SA. | Failed to send a message to IPsec when adding the SA |
Failed to send message to IPsec when deleting SA. | Failed to send a message to IPsec when deleting the SA |
Failed to send message to IPsec when getting SP. | Failed to send a message to IPsec when obtaining the SP |
Failed to send message to IPsec when adding DPD. | Failed to send a message to IPsec when adding DPD |
Failed to send message to IPsec when updating DPD. | Failed to send a message to IPsec when updating DPD |
Failed to send message to IPsec when deleting DPD. | Failed to send a message to IPsec when deleting DPD |
Failed to send message to IPsec when switching SA. | Failed to send a message to IPsec when switching the SA |
Failed to negotiate IKE SA. | IKE SA negotiation failed |
Failed to negotiate IPsec SA. | IPsec SA negotiation failed |
Errstring. Attribute attribute-name. | errstring is the error reason and attribute-name is the related attribute name. errstring can be: · Unsupported encryption algorithm: enc-alg: Unsupported encryption algorithm enc-alg · Unsupported HASH algorithm: hash-alg: Unsupported HASH algorithm hash-alg · Unsupported authentication method: auth-meth: Unsupported authentication method auth-meth · Unsupported DH group: group-name: Unsupported DH group group-name · Unsupported lifetime type: lifetime-type: Unsupported lifetime type lifetime-type · OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute.: The OAKLEY_LIFE_DURATION attribute is not preceded by an OAKLEY_LIFE_TYPE attribute · OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute: The OAKLEY_KEY_LENGTH attribute is not preceded by an OAKLEY_ENCRYPTION_ALGORITHM attribute · OAKLEY_KEY_LENGTH attribute not match OAKLEY_ENCRYPTION_ALGORITHM.: The OAKLEY_KEY_LENGTH attribute does not match the OAKLEY_ENCRYPTION_ALGORITHM attribute · Failed to get encryption algorithm: Failed to obtain the encryption algorithm · Unsupported OAKLEY attribute attribute: Unsupported OAKLEY attribute attribute |
Failed to match the proposal. | Proposal matching failed |
Received invalid SPI message from IPsec, but no IKE SA exists. | An invalid SPI message was received from IPsec, but no IKE SA exists |
Failed to get subject name from certificate. | Failed to obtain the subject name from the certificate |
Failed to get local certificate. | Failed to obtain the local certificate |
Failed to send notification packet for deleting IPsec SA, because of no corresponding IKE SA. | Failed to send the notification packet when deleting the IPsec SA, because no corresponding IKE SA was found |
Failed to construct certificate request payload. | Failed to construct the certificate request payload |
Unsupported attribute attribute-type. | The attribute is not supported. attribute-type is the attribute type |
Invalid major version(version). | The major version is invalid. version is the major version number |
Constructed SA payload. | The SA payload was constructed |
Failed to get UDP socket. | Failed to obtain the UDP socket |
Failed to parse the Cert Request payload. | Failed to parse the certificate request payload |
No available proposal. | No usable proposal |
Obtained profile ProfileName. | Profile ProfileName was obtained |
Deleted GDOI GM IKE SA. | The GDOI GM IKE SA was deleted |
Table 2-2 Output description for the debugging ike event command
Field | Description |
Signature verification succeeded. | Signature verification succeeded |
HASH verification succeeded. | HASH verification succeeded |
Delete IPsec SAs. | Delete the IPsec SAs |
Delete IKE SA with connection ID id. | Delete the IKE SA. id is the connection ID |
Update DPD configuration in IKE SA. | Update the DPD configuration in the phase 1 SA |
Notify IPsec to add DPD. | Notify IPsec to add DPD |
Notify IPsec to delete DPD. | Notify IPsec to delete DPD |
Notify IPsec to update DPD. | Notify IPsec to update DPD |
Process interface interface-type interface-num active event. | Process the interface activation event. interface-type interface-num is the interface name |
Process interface interface-name deactive event. | Process the interface deactivation event. interface-name is the interface name |
Process interface interface-name delete event. | Process the interface deletion event. interface-name is the interface name |
The board chassis chassis-num slot slot-num is inserted. | A card was inserted into slot slot-num of member device chassis-num |
Protocol/port in phase 1 ID payload is protocol-number/port-number, which is acceptable. | The protocol number/port number in the phase 1 ID payload is protocol-number/port-number, which is acceptable |
Begin to construct IPsec SA delete packet. | Begin constructing the phase 2 SA delete packet |
Delete IKE SA with connection ID id. | Delete the phase 1 SA. id is the connection ID |
Received IPsec SA delete packet. | Received a phase 2 SA delete packet |
Process delete payload. | Process the delete payload |
Ignore delete payload: packet not encrypted or IKE SA not established. | Ignore the delete payload: the packet is not encrypted or the phase 1 SA is not established |
Received SA acquire message from IPsec. | Received an SA acquire message from IPsec |
Received IPsec capability. | Received the IPsec capability |
Received smooth IPsec SA ACK. | Received the IPsec SA smoothing ACK |
IKE keepalive timed out. Delete IKE SA with connection ID id. | The IKE keepalive timer expired. Delete the phase 1 SA. id is the connection ID |
Reset IKE keepalive timeout timer. New time value is time | Reset the IKE keepalive timeout timer. time is the new timer value |
I am behind NAT. | The local end is behind a NAT device |
Peer is behind NAT. | The peer is behind a NAT device |
No need to float port. | No port floating is needed |
Float port to local port local-port and remote port remote-port | Float the ports. local-port is the local port and remote-port is the peer port |
Sending DPD packet of type type with sequence number seq-no. | Sending a DPD packet of type type. seq-no is the sequence number |
Delete IKE SA by received notification. | Delete the phase 1 SA according to the received error notification |
INITIAL-CONTACT message is dropped because of not being encrypted. | The INITIAL-CONTACT message is not encrypted and is dropped |
Delete redundant SA. | Delete the redundant SA |
Length (length) of notification packet is invalid. | The notification packet length is invalid. length is the length |
Protocol-ID (ID) of notification packet is unsupported. | The protocol ID ID in the notification packet is not supported |
Notification notification-name is received. | Received notification notification-name |
Inbound flow: dst-addr->src-addr | Inbound flow: destination address->source address |
Outbound flow: src-addr->dst-addr | Outbound flow: source address->destination address |
Validated hash-name successfully. | HASH verification succeeded. hash-name is the HASH name |
Getting IPsec message timed out. Delete IPsec SA. | Obtaining the IPsec message timed out. Delete the phase 2 SA |
Protocol: protocol | The security protocol is protocol (AH or ESP) |
Inbound SPI: in-spi | The inbound SPI is in-spi |
Outbound SPI: out-spi | The outbound SPI is out-spi |
Install IPsec SAs. | Install the IPsec SAs |
Lifetime in seconds: seconds | The SA lifetime is seconds seconds |
Lifetime in kilobytes: bytes | The SA lifetime is bytes kilobytes |
Phase 2 Exchange chooses role: Local is initiator. | Phase 2 negotiation role selection: the local end is the initiator |
Phase 2 Exchange chooses role: Local is responder. | Phase 2 negotiation role selection: the local end is the responder |
Begin Quick mode exchange. | Begin the quick mode exchange |
No enough space to send packet. | Not enough space to send the packet |
Retransmittion of phase 1 packet timed out. | Retransmission of the phase 1 packet timed out |
Ignore phase 1 packet retransmit timeout event. | Ignore the phase 1 packet retransmission timeout event |
Retransmittion of phase 2 packet timed out. | Retransmission of the phase 2 packet timed out |
Ignore phase 2 packet retransmit timeout event. | Ignore the phase 2 packet retransmission timeout event |
Phase 1 Exchange chooses role: Local is initiator. | Phase 1 negotiation role selection: the local end is the initiator |
Phase 1 Exchange chooses role: Local is responder. | Phase 1 negotiation role selection: the local end is the responder |
Phase 1 packet is malformed: Not starting with an SA payload. | The phase 1 packet is malformed: it does not start with an SA payload |
Phase2 packet is malformed: Not starting with an HASH payload. | The phase 2 packet is malformed: it does not start with a HASH payload |
Quick mode packet is received, but IKE SA does not exist. | A quick mode packet was received, but the phase 1 SA does not exist |
Quick mode packet is received, but IKE SA is incomplete. | A quick mode packet was received, but the phase 1 SA is incomplete |
Ignored delete SA payload because the IKE SA is not established. | The delete SA payload was ignored because the IKE SA does not exist |
Ignored delete SA payload because the packet is not encrypted. | The delete SA payload was ignored because the packet is not encrypted |
Received informational exchange packet, but IKE SA is inexistent or incomplete. | Received an informational exchange packet, but the phase 1 SA does not exist or is incomplete |
Received keepalive packet, but IKE SA is not existed. | Received an IKE keepalive packet, but the phase 1 SA does not exist |
Received keepalive packet, but it is not encrypted. | Received an IKE keepalive packet, but it is not encrypted |
Received keepalive packet, but IKE SA is incomplete. | Received an IKE keepalive packet, but the phase 1 SA is incomplete |
Ignore NAT keepalive packet. | Ignore the NAT keepalive packet |
Initialize UDP port. | Initialize the UDP port |
PKI data had been changed. | The PKI data has changed |
Found pre-shared key that matches address address in keychain keychain-name. | A pre-shared key matching address address was found in keychain keychain-name |
Pre-shared key matching address address not found. | No pre-shared key matching address address was found |
Found keychain keychain-name in profile profile-name successfully. | Keychain keychain-name was found in IKE profile profile-name |
Get profile profile-name. | Obtain IKE profile profile-name |
Initiator created an SA for peer address, local port local-port, remote port remote-port. | The initiator created an SA. address is the peer address, local-port is the local port, and remote-port is the peer port |
Set IKE SA state to state-name. | Set the phase 1 SA state to state-name |
IKE SA state changed from state1 to state2. | The phase 1 SA state changed from state1 to state2 |
Set IPsec SA state to state-name. | Set the phase 2 SA state to state-name |
IPsec SA state changed from state1 to state2. | The phase 2 SA state changed from state1 to state2 |
Responder created an SA for peer address, local port local-port, remote port remote-port. | The responder created an SA. address is the peer address, local-port is the local port, and remote-port is the peer port |
Delete IPsec SA. | Delete the phase 2 SA |
Oakley transform trans-number is acceptable. | The Oakley transform is acceptable. trans-number is the transform number |
Begin mode mode exchange. | Begin the IKE exchange in mode mode |
IKE SA not found. Initiate IKE SA negotiation. | No phase 1 SA exists. Initiate phase 1 SA negotiation |
IKE SA is prepared for renegotiation. | The phase 1 SA is ready for renegotiation |
IKE SA is expired. | The phase 1 SA lifetime has expired |
Renegotiation has already started for this IKE SA. | Renegotiation of this IKE SA has already started |
IKE SA with connection ID connection-id has expired, and it will be deleted. | The phase 1 SA lifetime has expired and the SA will be deleted. connection-id is the connection ID |
IPsec SA is being negotiated. | The phase 2 SA is being negotiated |
IPsec SA has expired and will be deleted. | The phase 2 SA lifetime has expired and the SA will be deleted |
IKE thread thread-id processes a job. | IKE thread thread-id processes a job |
IKE thread thread-id processes a CTL-Queue msg. | IKE thread thread-id processes a control queue message |
Vendor ID vendor-id is matched. | Vendor ID vendor-id was matched |
No vendor ID is matched. | No vendor ID was matched |
IKE SA is soft expired(Timer handle: %u, Icookie: %s), renegotiate IKE SA. | The IKE SA has soft-expired by time; renegotiation will be initiated |
IKE SA is soft expired(Timer handle: %u, Icookie: %s), no need to renegotiate IKE SA. | The IKE SA has soft-expired by time; no renegotiation is needed |
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), will be renegotiated. | The IPsec SA has soft-expired by time; renegotiation will be initiated |
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), no need to renegotiate. | The IPsec SA has soft-expired by time; no renegotiation is needed |
IPsec SA is traffic expired(SPI:%u), will be renegotiated. | The IPsec SA has soft-expired by traffic; renegotiation will be initiated |
IPsec SA is traffic expired(SPI:%u), no need to renegotiate. | The IPsec SA has soft-expired by traffic; no renegotiation is needed |
Succeed to set responder-only flag for P1SA. | The responder-only flag of the phase 1 SA was set |
Succeed to set responder-only flag for P2SA. | The responder-only flag of the phase 2 SA was set |
Table 2-3 Output description for the debugging ike packet command
Field | Description |
Construct authentication data by pre-shared key. | Generate the authentication data from the pre-shared key |
Verify HASH payload. | Verify the HASH payload |
Construct authentication data by private key. | Generate the authentication data from the private key |
Verify signature payload. | Verify the signature payload |
DPD packet with sequence number sequence-number is received. | Received a DPD packet. sequence-number is the sequence number |
Retransmit DPD packet. | Retransmit the DPD packet |
Peer ID value: address address. | Peer ID value: address address |
Peer ID value: FQDN fqdn. | Peer ID value: FQDN fqdn |
Peer ID value: User FQDN user-fqdn. | Peer ID value: User FQDN user-fqdn |
Peer ID value: DN DN-value | Peer ID value: DN. DN-value is the DN content |
Peer ID type: ID-type (value). | Peer ID type: ID-type. value is the type value |
Local ID type: ID-type (value). | Local ID type: ID-type. value is the type value |
Local ID value: ID-value. | Local ID value: ID-value |
Construct ID payload. | Construct the ID payload |
The profile profile-name is matched. | Profile profile-name was matched |
No profile is matched. | No profile was matched |
Process ID payload. | Process the ID payload |
Construct notification packet: notification-type. | Construct a notification packet of type notification-type |
Construct delete payload. | Construct the delete payload |
The phase 1 delete packet is received. | Received a phase 1 delete packet |
The cookies' length (length) is invalid. | The cookie length length is invalid |
Construct KE payload. | Construct the KE payload |
Process KE payload. | Process the KE payload |
Send keepalive packet with sequence number sequence-number. | Send an IKE keepalive packet. sequence-number is the sequence number |
Process keepalive packet with sequence number sequence-number. | Process an IKE keepalive packet. sequence-number is the sequence number |
Construct NAT-D payload. | Construct the NAT-D payload |
Received count NAT-D payloads. | Received count NAT-D payloads |
Construct NONCE payload. | Construct the NONCE payload |
Process NONCE payload. | Process the NONCE payload |
Construct INITIAL-CONTACT payload. | Construct the INITIAL-CONTACT payload |
Construct SA payload. | Construct the SA payload |
Construct IPsec ID payload. | Construct the IPsec ID payload |
Process HASH payload. | Process the HASH payload |
Construct IPsec SA payload. | Construct the IPsec SA payload |
Construct HASH(3) payload. | Construct the HASH(3) payload |
Process IPsec ID payload. | Process the IPsec ID payload |
Construct NAT-OA payload. | Construct the NAT-OA payload |
Process NAT-OA payload: address. | Process the NAT-OA payload. address is the address |
Received count NAT-OA payloads. | Received count NAT-OA payloads |
Construct IPsec RESPONDER_LIFETIME payload. | Construct the IPsec RESPONDER_LIFETIME payload |
Construct HASH(1) payload. | Construct the HASH(1) payload |
Collision of phase 2 negotiation is found. | A phase 2 negotiation collision was detected |
Construct HASH(2) payload. | Construct the HASH(2) payload |
I-Cookie: icookie R-Cookie: rcookie next payload: next-payload version: version exchange mode: mode flags: [flag] message ID: mid length: length | · Initiator cookie: icookie · Responder cookie: rcookie · Next payload: next-payload · ISAKMP version: version · Exchange mode: mode · Flags: flag · Message ID: mid · Packet length: length |
Encrypt the packet. | Encrypt the packet |
Received payload-name. | Received the payload-name payload |
Sending packet to address, remote port remote-port, local port local-port. | Send the packet to address address. remote-port is the peer port and local-port is the local port |
Sending an IPv4 packet. | Send an IPv4 packet |
Sending an IPv6 packet. | Send an IPv6 packet |
Retransmit phase 1 packet. | Retransmit the phase 1 packet |
Retransmit phase 2 packet. | Retransmit the phase 2 packet |
Retransmit in response to duplicate packet. | Retransmit the response to a packet retransmitted by the peer |
Discard duplicate packet because of exhausted retransmission. | The local end has reached the maximum retransmission count; the duplicate packet is no longer answered and is discarded |
Discard duplicate packet with no response. | Discard the duplicate packet from the peer without responding |
Collision of phase 1 negotiation is found. | A phase 1 negotiation collision was detected |
Decrypt the packet. | Decrypt the packet |
Begin a new phase 1 negotiation as responder. | Begin a new phase 1 negotiation as the responder |
Parse informational exchange packet successfully. | The informational exchange packet was parsed successfully |
Received packet from address source port source-port destination port des-port. | Received a packet from address. source-port is the source port and des-port is the destination port |
Skipping length raw bytes of name1 to get name2. | Skip length bytes of payload name1 to obtain the next payload name2 |
Add certificate request payload subjectname. | Add the certificate request payload. subjectname is the subject name |
Construct certificate request payload. | Construct the certificate request payload |
Received certificate request payload that contains issuer name issuer-name. | Received a certificate request payload. issuer-name is the issuer name |
Process certificate request payload. | Process the certificate request payload |
The certificate request payload is empty. | The certificate request payload is empty |
Construct certificate payload. | Construct the certificate payload |
The profile profile-name is matched by remote certificate. | IKE profile profile-name was matched by the peer certificate |
Process certificate payload. | Process the certificate payload |
Encryption algorithm is enc-algo. | The encryption algorithm is enc-algo |
HASH algorithm is hash-algo. | The HASH algorithm is hash-algo |
Authentication method is auth-method. | The authentication method is auth-method |
DH group is group. | The DH group is group |
Lifetime type is type. | The lifetime type is type, which can be: · in seconds: time-based lifetime · in kilobytes: traffic-based lifetime |
Life duration is value. | The lifetime is value |
Key length is length bytes. | The key length is length bytes |
Check ISAKMP transform trans-number. | Check the ISAKMP transform. trans-number is the transform number |
Attributes is acceptable. | The attributes are acceptable |
Construct transfrom payload for transform trans-number. | Construct the transform payload. trans-number is the transform number |
Encapsulation mode is mode. | The encapsulation mode is mode, which can be: · Tunnel: tunnel mode · Transport: transport mode · Tunnel-UDP: UDP-encapsulated tunnel mode · Transport-UDP: UDP-encapsulated transport mode |
Set attributes according to phase 2 transform. | Set the attributes according to the phase 2 transform |
Transform ID is id. | The transform ID is id |
Construct transform 1. | Construct transform 1 |
Construct IPsec proposal proposal-number. | Construct the IPsec proposal. proposal-number is the proposal number |
Parse transform trans-number. | Parse the transform. trans-number is the transform number |
The SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is repeated in the packet |
Number of key rounds is round. | The number of key rounds is round |
Process IPsec SA payload. | Process the IPsec SA payload |
The attributes are unacceptable. | The attributes are unacceptable |
Construct vid-name vendor ID payload. | Construct the vendor ID payload. vid-name is the vendor ID name |
Process vendor ID payload. | Process the vendor ID payload |
HASH:value | The HASH is value |
SKEYID:value | SKEYID is value |
Extended Skeyid_e:value | The extended SKEYID_e is value |
Local generated new IV: value | The locally generated new IV is value |
SKEYID_a: value | SKEYID_a is value |
SKEYID_d: value | SKEYID_d is value |
SKEYID_e: value | SKEYID_e is value |
Encrypt IV: value | The encryption IV is value |
Encryption generated new IV: value | The new IV generated by encryption is value |
Decrypt IV: value | The decryption IV is value |
Remote new IV: value | The peer's new IV is value |
The proposal is acceptable. | The proposal is acceptable |
The proposal is unacceptable. | The proposal is unacceptable |
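The header fields that the packet debugging prints (I-Cookie, R-Cookie, next payload, version, exchange mode, flags, message ID, length) and the header checks that appear in the error table (I-Cookie must not be zero, first packet of phase 1 with the encryption bit set or a non-zero R-Cookie, non-zero message ID in phase 1, invalid major version, unsupported exchange type, invalid Non-ESP marker, packet too short) can all be applied to a raw ISAKMP header before any payload is parsed. The following Python is an added example and not the device's code: the 28-byte header layout follows RFC 2408, the exchange type numbers follow RFC 2408/2409 (the values assumed for "Mode cfg" and "Quick" come from those specifications, not from this page), the length-mismatch message is this example's own wording, and the two sample packets are constructed inline.

```python
"""Parse an ISAKMP (IKEv1) header and apply the header sanity checks that the
debugging ike error table describes. Added example; not device code."""
import struct
from dataclasses import dataclass
from typing import List

ISAKMP_HDR_LEN = 28            # 8+8+1+1+1+1+4+4 bytes (RFC 2408, section 3.1)
NON_ESP_MARKER = b"\x00" * 4   # 4-byte prefix on UDP port 4500 (NAT-T, RFC 3948)
FLAG_ENCRYPTION = 0x01
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04

# Exchange type values with the names used in the debug output. The values
# 6 ("Mode cfg", config-mode draft) and 32 ("Quick", RFC 2409) are assumptions
# taken from those specifications rather than from this page.
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Main", 3: "AO", 4: "Aggressive",
                  5: "Info", 6: "Mode cfg", 32: "Quick"}
PHASE1_EXCHANGES = {2, 4}      # Main mode and Aggressive mode run in phase 1


@dataclass
class IsakmpHeader:
    i_cookie: bytes
    r_cookie: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int


def strip_non_esp_marker(datagram: bytes) -> bytes:
    """For UDP 4500 datagrams: verify and remove the 4-byte Non-ESP marker."""
    marker = datagram[:4]
    if marker != NON_ESP_MARKER:
        raise ValueError(f"Invalid Non-ESP marker: {marker.hex()}.")
    return datagram[4:]


def parse_header(data: bytes) -> IsakmpHeader:
    """Unpack the fixed header; the version octet carries the major/minor nibbles."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError(f"The received packet is too short, which is {len(data)} bytes.")
    (i_cookie, r_cookie, next_payload, version, exchange,
     flags, message_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    return IsakmpHeader(i_cookie, r_cookie, next_payload, version >> 4,
                        version & 0x0F, exchange, flags, message_id, length)


def validate_header(hdr: IsakmpHeader, datagram_len: int, new_negotiation: bool) -> List[str]:
    """Return the error-table messages that apply; an empty list means the header passed.
    new_negotiation is True when no IKE SA matches the cookie pair, i.e. the packet
    must be the first packet of a phase 1 exchange."""
    errors = []
    if hdr.i_cookie == bytes(8):
        errors.append("I-Cookie must not be zero.")
    if hdr.major != 1:
        errors.append(f"Invalid major version({hdr.major}).")
    if hdr.exchange not in EXCHANGE_TYPES:
        errors.append(f"Unsupported exchange type ({hdr.exchange}) in packet.")
    if hdr.exchange in PHASE1_EXCHANGES and hdr.message_id != 0:
        errors.append(f"Non-zero message ID (0x{hdr.message_id:08x}) in phase 1.")
    if new_negotiation and hdr.exchange in PHASE1_EXCHANGES:
        if hdr.flags & FLAG_ENCRYPTION:
            errors.append("The first packet of phase 1 is invalid: Encryption bit is set.")
        if hdr.r_cookie != bytes(8):
            errors.append("The first packet of phase 1 is invalid: Non-zero R-Cookie.")
    if hdr.length != datagram_len:   # wording of this check is the example's own
        errors.append(f"Header length {hdr.length} does not match datagram length {datagram_len}.")
    return errors


def describe_header(hdr: IsakmpHeader) -> str:
    """Render the header the way the debugging ike packet output lists it."""
    return (f"I-Cookie: {hdr.i_cookie.hex()} R-Cookie: {hdr.r_cookie.hex()} "
            f"next payload: {hdr.next_payload} version: {hdr.major}.{hdr.minor} "
            f"exchange mode: {EXCHANGE_TYPES.get(hdr.exchange, 'Unknown')} "
            f"flags: [{hdr.flags:#04x}] message ID: {hdr.message_id:#x} length: {hdr.length}")


def build_packet(i_cookie: bytes, r_cookie: bytes, exchange: int, flags: int = 0,
                 message_id: int = 0, next_payload: int = 1, body: bytes = b"") -> bytes:
    """Constructed test packet: a header followed by an opaque body (no real payloads)."""
    return struct.pack("!8s8sBBBBII", i_cookie, r_cookie, next_payload, 0x10,
                       exchange, flags, message_id, ISAKMP_HDR_LEN + len(body)) + body


# Constructed samples: a well-formed first main-mode packet and a malformed one.
GOOD_FIRST_MM = build_packet(bytes.fromhex("0123456789abcdef"), bytes(8), 2, body=b"\x00" * 40)
BAD_FIRST_MM = build_packet(bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210"),
                            2, flags=FLAG_ENCRYPTION, message_id=0x1234, body=b"\x00" * 40)


def check_packet(datagram: bytes, new_negotiation: bool = True) -> List[str]:
    """Parse plus validate in one call; raises ValueError for a truncated header."""
    hdr = parse_header(datagram)
    return validate_header(hdr, len(datagram), new_negotiation)


if __name__ == "__main__":
    for name, pkt in (("good", GOOD_FIRST_MM), ("bad", BAD_FIRST_MM)):
        print(name, describe_header(parse_header(pkt)))
        for err in check_packet(pkt):
            print("   ", err)
```

The responder applies the R-Cookie and encryption-bit checks only when it has no SA for the cookie pair; once an SA exists, later main-mode packets legitimately carry a non-zero R-Cookie and, from message 5 on, the encryption bit. Quick mode (phase 2) packets are exempt from the message-ID check because each phase 2 exchange is identified by a non-zero message ID.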
Table 2-4 Output description for the debugging ike dpd command
Field | Description |
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid. I-Cookie is the I-Cookie value |
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid. R-Cookie is the R-Cookie value |
DPD packet with sequence number seq-no is received. | Received a DPD packet with sequence number seq-no |
Retransmit DPD packet. | Retransmit the DPD packet |
Table 2-5 Output description for the debugging ike keepalive command
Field | Description |
Send keepalive packet with sequence number sequence number. | Send a keepalive packet with sequence number sequence number |
Sending packet to address,remote port remote-port,local port local-port. | Send the packet to address address. remote-port is the peer port and local-port is the local port |
Table 2-6 Output description for the debugging ike nat-keepalive command
Field | Description |
Sending packet to address,remote port remote-port,local port local-port. | Send the packet to address address. remote-port is the peer port and local-port is the local port |
【Examples】
# An IPsec policy that uses IKE negotiation is configured on two security gateways. If no matching IKE proposal is found during phase 1 IKE negotiation, enabling IKE error debugging produces the following debugging information.
<Sysname> debugging ike error
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; No acceptable transform.
// No acceptable transform
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; Failed to parse the IKE SA payload.
// Failed to parse the SA payload
# An IPsec policy that uses IKE negotiation is configured on two security gateways, with the phase 1 negotiation mode set to main mode and the authentication method set to pre-shared key. When traffic triggers negotiation, enabling IKE event debugging produces the following debugging information.
<Sysname> debugging ike event
<Sysname> ping -c 1 192.168.222.5
PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break
*Aug 20 19:10:37:509 2012 Sysname IKE/7/EVENT: -MDC=1; Received SA acquire message from IPsec.
// Received an SA acquire message from IPsec
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IPsec SA state to IKE_P2_STATE_INIT.
// Set the phase 2 SA state to IKE_P2_STATE_INIT
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; No IKE SA found, initiate IKE SA negotiation.
// No phase 1 SA exists; initiate phase 1 SA negotiation
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Get profile profile1.
// Obtain profile profile1
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Initiator create a SA for peer 192.168.222.5, local port 500, remote port 500.
// The initiator creates an SA; the peer address is 192.168.222.5, the local port is 500, and the peer port is 500
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IKE SA state to IKE_P1_STATE_INIT.
// Set the phase 1 SA state to IKE_P1_STATE_INIT
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.
// IKE thread 3083549648 processes a job
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Main mode exchange.
// Begin the main mode exchange
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; Found pre-shared key that matches address 192.168.222.5 in keychain keychain1.
// A pre-shared key matching address 192.168.222.5 was found in keychain keychain1
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
// The phase 1 SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3008052176 processes a job.
// IKE thread 3008052176 processes a job
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Oakley transform 1 is acceptable.
// Oakley transform 1 is acceptable
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID NAT-T rfc3947.
// Vendor ID NAT-T rfc3947 was matched
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.
// The phase 1 SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:566 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.
// IKE thread 3083549648 processes a job
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID DPD.
// Vendor ID DPD was matched
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.
// The phase 1 SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.
// IKE thread 3075161040 processes a job
*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; Verify HASH successfully.
// HASH verification succeeded
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.
// The phase 1 SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.
// IKE thread 3075161040 processes a job
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Quick mode exchange.
// Begin the quick mode exchange
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
// The phase 2 SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3066772432 processes a job.
// IKE thread 3066772432 processes a job
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
// The phase 2 SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3033218000 processes a job.
// IKE thread 3033218000 processes a job
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Validate HASH(2) successfully.
// HASH(2) verification succeeded
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.
// Install the IPsec SAs
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; inbound flow: 192.168.222.5/32->192.168.222.71/32
// Inbound flow: 192.168.222.5/32->192.168.222.71/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; outbound flow: 192.168.222.71/32->192.168.222.5/32
// Outbound flow: 192.168.222.71/32->192.168.222.5/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime second: 3600
// The lifetime is 3600 seconds
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime kilobytes: 1843200
// The lifetime is 1843200 kilobytes
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; protocol: 51
inbound SPI: 54e4913
outbound SPI: 44213487
// 协议为51,入方向SPI为:54e4913,出方向SPI为:44213487
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.
// 二阶段SA状态从IKE_P2_STATE_SEND1到IKE_P2_STATE_SA_CREATED
*Aug 20 19:10:37:593 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE线程3087980192处理一个控制队列消息
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3041606608 processes a job.
// IKE线程3041606608处理一个job
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.
// 二阶段SA状态从IKE_P2_STATE_SA_CREATED到IKE_P2_STATE_ESTABLISHED
# With IKE-negotiated IPsec policies configured on both security gateways, phase 1 set to main mode and pre-shared key authentication, enabling IKE packet debugging produces the following output when traffic triggers a negotiation.
<Sysname> debugging ike packet
<Sysname> ping -c 1 192.168.222.5
PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.
// Encryption algorithm is 3DES-CBC
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Hash algorithm is HMAC-MD5.
// Hash algorithm is HMAC-MD5
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; DH group 1.
// DH group is 1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.
// Authentication method is pre-shared key
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.
// Life duration is 86400
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform payload 1.
// Construct transform payload 1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct SA payload.
// Construct the SA payload
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T rfc3947 vendor ID payload.
// Construct a vendor ID payload for vendor ID NAT-T rfc3947
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft3 vendor ID payload.
// Construct a vendor ID payload for vendor ID NAT-T draft3
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft2 vendor ID payload.
// Construct a vendor ID payload for vendor ID NAT-T draft2
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft1 vendor ID payload.
// Construct a vendor ID payload for vendor ID NAT-T draft1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 local port 500, remote port 500.
// Send a packet to address 192.168.222.5 from local port 500 to remote port 500
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 164
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 0000000000000000
// Next payload is SA
// Version is ISAKMP Version 1.0
// Exchange mode is Main
// Flags are [ ]
// Message ID is 0
// Length is 164
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 104
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is SA
// Version is ISAKMP Version 1.0
// Exchange mode is Main
// Flags are [ ]
// Message ID is 0
// Length is 104
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received IKE Security Association Payload.
// Received the SA payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.
// Received a vendor ID payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process SA payload.
// Process the SA payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Check ISAKMP transform 1.
// Check ISAKMP transform 1
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.
// Encryption algorithm is 3DES-CBC
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; HASH algorithm is HMAC-MD5.
// Hash algorithm is HMAC-MD5
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; DH group is 1.
// DH group is 1
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.
// Authentication method is pre-shared key
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.
// Life duration is 86400
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Attribuites is acceptable.
// The attributes are acceptable
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.
// Process the vendor ID payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct KE payload.
// Construct the KE payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.
// Construct the NONCE payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-D payload.
// Construct the NAT-D payload
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Construct DPD vendor ID payload.
// Construct the DPD vendor ID payload
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 , remote port 500 ,local port 500.
// Send a packet to address 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 208
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is KE
// Version is ISAKMP Version 1.0
// Exchange mode is Main
// Flags are [ ]
// Message ID is 0
// Length is 208
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 208
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is KE
// Version is ISAKMP Version 1.0
// Exchange mode is Main
// Flags are [ ]
// Message ID is 0
// Length is 208
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Key ExchangePayload.
// Received the ISAKMP Key Exchange payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.
// Received the ISAKMP Nonce payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.
// Received an ISAKMP NAT-D payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.
// Received an ISAKMP NAT-D payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.
// Received an ISAKMP Vendor ID payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process KE payload.
// Process the KE payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process NONCE payload.
// Process the NONCE payload
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID:
989e79e1 620ff603 a76bb9b9 7d88a19c
// SKEYID is 989e79e1 620ff603 a76bb9b9 7d88a19c
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_d:
6fd7bd8f faf8480a af6c4813 4011cadd
// SKEYID_d is 6fd7bd8f faf8480a af6c4813 4011cadd
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_a:
cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f
// SKEYID_a is cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_e:
795d3765 91083053 65cacc69 000ffe09
// SKEYID_e is 795d3765 91083053 65cacc69 000ffe09
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Extended SKEYID_e:
d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be
// Extended SKEYID_e is d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local generated new IV:
add7096a 4b961742
// Locally generated new IV is add7096a 4b961742
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Received 2 NAT-D payload.
// Received 2 NAT-D payloads
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID type: IPV4_ADDR.
// Local ID type is IPV4_ADDR
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID value: 192.168.222.71.
// Local ID value is 192.168.222.71
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct ID payload.
// Construct the ID payload
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Hash:
c5d733fa e6d1a6af ded56c05 de989aad
// HASH is c5d733fa e6d1a6af ded56c05 de989aad
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct authentication by pre-shared key.
// Generate the authentication data from the pre-shared key
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Construct INITIAL-CONTACT payload.
// Construct the INITIAL-CONTACT payload
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.
// Encrypt the packet
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
add7096a 4b961742
// Encryption IV is add7096a 4b961742
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption generated New IV: ae230a1d 7cb77287
// New IV generated by encryption is ae230a1d 7cb77287
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.
// Process the vendor ID payload
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send a packet to address 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ENCRYPT]
message ID: 0
length: 92
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is ID
// Version is ISAKMP Version 1.0
// Exchange mode is Main
// Flags are [ENCRYPT]
// Message ID is 0
// Length is 92
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5, source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1;
I-cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ENCRYPT]
message ID: 0
length: 60
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is ID
// Version is ISAKMP Version 1.0
// Exchange mode is Main
// Flags are [ENCRYPT]
// Message ID is 0
// Length is 60
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.
// Decrypt the packet
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
ae230a1d 7cb77287
// Decryption IV is ae230a1d 7cb77287
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4c788f75 c7ad88ab
// New IV of the peer is 4c788f75 c7ad88ab
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload.
// Received the ISAKMP Identification payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.
// Received the ISAKMP Hash payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Process ID payload.
// Process the ID payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID type: IPV4_ADDR.
// Peer ID type is IPV4_ADDR
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID value: address 192.168.222.5.
// Peer ID value is 192.168.222.5
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Verify HASH payload.
// Verify the HASH payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; HASH:
f510f1f8 1d205e1c 9aa31c42 00b3ab9a
// HASH is f510f1f8 1d205e1c 9aa31c42 00b3ab9a
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Set attributes by phase 2 transform.
// Set the attributes according to the phase 2 transform
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.
// Encapsulation mode is Tunnel
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in seconds
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.
// Life duration is 3600
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in kilobytes
// Lifetime type is "Life type in kilobytes"
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.
// Life duration is 1843200
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1
// Authentication algorithm is HMAC-SHA1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.
// Transform ID is HMAC-SHA1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform 1.
// Construct transform 1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec proposal 1.
// Construct IPsec proposal 1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec SA payload.
// Construct the IPsec SA payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.
// Construct the NONCE payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.
// Construct an IPsec ID payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.
// Construct an IPsec ID payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(1) payload.
// Construct the HASH(1) payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt packet.
// Encrypt the packet
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
836eddd9 ed30acf7
// Encryption IV is 836eddd9 ed30acf7
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
3b143591 5c647ff2
// New IV generated by encryption is 3b143591 5c647ff2
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send a packet to address 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 156
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is HASH
// Version is ISAKMP Version 1.0
// Exchange mode is Quick
// Flags are [ENCRYPT]
// Message ID is 8a9c07c1
// Length is 156
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5, source port 500, destination port 500
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 156
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is HASH
// Version is ISAKMP Version 1.0
// Exchange mode is Quick
// Flags are [ENCRYPT]
// Message ID is 8a9c07c1
// Length is 156
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.
// Decrypt the packet
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
3b143591 5c647ff2
// Decryption IV is 3b143591 5c647ff2
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4914de5c 11d57f5c
// New IV of the peer is 4914de5c 11d57f5c
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.
// Received the ISAKMP Hash payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Security Association Payload.
// Received the ISAKMP Security Association payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.
// Received the ISAKMP Nonce payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).
// Received an ISAKMP Identification payload (IPsec DOI)
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).
// Received an ISAKMP Identification payload (IPsec DOI)
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process HASH payload.
// Process the HASH payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec SA payload.
// Process the IPsec SA payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Check IPsec proposal 1.
// Check IPsec proposal 1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Parse transform 1.
// Parse transform 1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.
// Encapsulation mode is Tunnel
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// Lifetime type is "Life type in seconds"
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.
// Life duration is 3600
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in kilobytes.
// Lifetime type is "Life type in kilobytes"
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.
// Life duration is 1843200
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1.
// Authentication algorithm is HMAC-SHA1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.
// Transform ID is HMAC-SHA1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; The attributes are unacceptable.
// The attributes are acceptable
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.
// Process an IPsec ID payload
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.
// Process an IPsec ID payload
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(3) payload.
// Construct the HASH(3) payload
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.
// Encrypt the packet
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
4914de5c 11d57f5c
// Encryption IV is 4914de5c 11d57f5c
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
ecfa444e ed72ab05
// New IV generated by encryption is ecfa444e ed72ab05
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send a packet to address 192.168.222.5, remote port 500, local port 500
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 52
// Initiator cookie is 3519bdda65bfeaaa
// Responder cookie is 078711749a32520c
// Next payload is HASH
// Version is ISAKMP Version 1.0
// Exchange mode is Quick
// Flags are [ENCRYPT]
// Message ID is 8a9c07c1
// Length is 52
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
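Every packet dump above prints the same eight fields, which are exactly the 28-byte ISAKMP header of RFC 2408 section 3.1: two 8-byte cookies, next payload type, version (major and minor nibbles), exchange type, flags, message ID and total length. The Python code below is an added example, not part of this manual or of the device software: it encodes those fields into the wire header and decodes a header back into the names and formatting the dump uses, rejecting input that is too short, has a major version other than 1, declares a length that does not fit the buffer, or sets reserved flag bits, which are the header checks a responder performs before touching any payload. Payload and exchange type numbers are the RFC 2408 and IPsec DOI values; the cookies, message IDs and lengths in the sample are those of the dumps above, and the zero-filled payload bytes are constructed filler.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: 8-byte initiator and responder cookies,
# next payload, version (major/minor nibbles), exchange type, flags, message ID,
# total message length. All integers are network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Code points from RFC 2408 (payload types) and the IPsec DOI (Quick mode = 32);
# only the types that occur in the dumps above are named.
NEXT_PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH",
                10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE = {2: "Main", 4: "Aggressive", 5: "Informational", 32: "Quick"}
FLAGS = {"ENCRYPT": 0x01, "COMMIT": 0x02, "AUTH_ONLY": 0x04}
KNOWN_FLAG_BITS = sum(FLAGS.values())


def build_header(icookie, rcookie, next_payload, exchange, flags, message_id, length):
    """Encode one header; cookies are 16 hex characters, names are as printed in the dump."""
    np_code = {v: k for k, v in NEXT_PAYLOAD.items()}[next_payload]
    ex_code = {v: k for k, v in EXCHANGE.items()}[exchange]
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    return ISAKMP_HEADER.pack(bytes.fromhex(icookie), bytes.fromhex(rcookie),
                              np_code, 0x10, ex_code, flag_bits, message_id, length)


def parse_header(data):
    """Decode and sanity-check the header at the start of data; raise ValueError if malformed."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError(f"packet too short for an ISAKMP header: {len(data)} bytes")
    ic, rc, np_code, version, ex_code, flag_bits, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major != 1:
        raise ValueError(f"unsupported ISAKMP major version {major}")
    if length < ISAKMP_HEADER.size or length > len(data):
        raise ValueError(f"declared length {length} does not fit the {len(data)}-byte buffer")
    if flag_bits & ~KNOWN_FLAG_BITS:
        raise ValueError(f"reserved flag bits set: 0x{flag_bits:02x}")
    set_flags = [name for name, bit in FLAGS.items() if flag_bits & bit]
    return {
        "I-Cookie": ic.hex(),
        "R-Cookie": rc.hex(),
        "next payload": NEXT_PAYLOAD.get(np_code, f"unknown({np_code})"),
        "version": f"ISAKMP Version {major}.{minor}",
        "exchange mode": EXCHANGE.get(ex_code, f"unknown({ex_code})"),
        "flags": "[" + (" ".join(set_flags) or " ") + "]",
        "message ID": format(msg_id, "x"),     # the dump prints it in hex
        "length": length,
    }


def format_dump(fields):
    """Render decoded fields in the layout used by the debugging ike packet output."""
    return "\n".join(f"{key}: {value}" for key, value in fields.items())


if __name__ == "__main__":
    # First main mode message from the dump above: the responder cookie is still zero.
    msg1 = build_header("3519bdda65bfeaaa", "0000000000000000", "SA", "Main", [], 0, 164)
    print(format_dump(parse_header(msg1 + bytes(164 - 28))))   # payload bytes are filler
```

Running the block prints the same eight lines as the first dump, which is a quick way to confirm that a capture-side decoder and the device agree on field order and formatting before comparing cookies across the two gateways.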
3 IKEv2
3.1 IKEv2 debugging commands
3.1.1 debugging ikev2
【Syntax】
debugging ikev2 { { all | dpd | error | internal | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ] | pki }
undo debugging ikev2 { all | dpd | error | internal | nat-keepalive | packet | pki }
【Default】
IKEv2 debugging is disabled.
【Views】
User view
【Predefined user roles】
network-admin
【Parameters】
all: Specifies all IKEv2 debugging.
dpd: Specifies IKEv2 DPD debugging.
error: Specifies IKEv2 error debugging.
internal: Specifies IKEv2 internal debugging.
nat-keepalive: Specifies IKEv2 NAT keepalive debugging.
packet: Specifies IKEv2 packet debugging.
pki: Specifies IKEv2-related PKI debugging.
remote-address: Filters debugging information by peer address.
local-address: Filters debugging information by local address.
ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
remote-port port-number: Filters debugging information by peer port number. The port-number argument is the peer port number, in the range of 0 to 65535.
vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private-address members belong. The vpn-instance-name argument is the name of an MPLS L3VPN VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private-address members do not belong to any VPN.
【Usage guidelines】
The debugging ikev2 command enables IKEv2 debugging. The undo debugging ikev2 command disables IKEv2 debugging.
Table 3-1 Output description for the debugging ikev2 error command
Field | Description |
Authorization failed. | IKEv2 failed to obtain AAA authorization attributes |
Failed to allocate PAM handle to user user-name. | IKEv2 failed to obtain an AAA PAM handle |
Invalid major version version. | The major version number in the IKEv2 packet is incorrect |
The address pool overlaps with an existing address pool. | The address range of the newly configured local address pool conflicts with an existing local address pool |
Failed to compute ECDH shared key. | Failed to compute the ECDH shared key |
Received an invalid DH group. | The received IKEv2 packet carries an incorrect or unsupported DH group number |
Required key length (keylen) over 255 times the length of the PRF output. | During IKEv2 key computation, the required key length exceeds 255 times the output length of the PRF algorithm |
Failed to compute keys. | Failed to compute keys |
Failed to obtain hash algorithm. | Failed to obtain the hash algorithm from the crypto algorithm library |
Failed to obtain encryption algorithm. | Failed to obtain the encryption algorithm from crypto |
Failed to obtain private key. | Failed to obtain the DSA/RSA/EC private key |
Failed to obtain public key. | Failed to obtain the public key when signing the AUTH payload with a certificate |
Failed to compute local authentication data. | Failed to compute the local authentication data |
Failed to compute SKEYSEED. | Failed to compute the key seed |
Failed to compute keying material. | Failed to compute keying material |
Failed to create IPsec keying material. | Failed to create IPsec keying material |
Failed to verify peer's authentication data. | Failed to verify the peer's authentication data |
Invalid length (length) for hash-and-URL encoded certificate. | The length of the hash-and-URL encoded certificate is invalid |
A non-printable character exists in the URL of the hash-and-URL encoded certificate. Ignored the character and those that follow. | The URL of the hash-and-URL encoded certificate contains a non-printable character; that character and everything after it are ignored |
Invalid X509 digest length (length) in Certificate Request payload. | The X509 digest length in the Certificate Request payload is invalid |
Unsupported certificate request encoding type cert-encoding-type. | Unsupported certificate request encoding type |
No certificate exists in payload. | The payload contains no certificate |
Received an unsupported hash-and-URL encoded certificate. | Received a hash-and-URL encoded certificate from the peer, but the local end does not support certificates in that format |
Failed to obtain a certificate from URL url. | Failed to obtain the certificate from the certificate server at the URL |
Unsupported certificate encoding type cert-encoding-type. | Unsupported certificate encoding type |
Failed to obtain certificate data. | Failed to obtain authentication data |
Failed to construct Certificate Request payload. | Failed to construct the Certificate Request payload |
Failed to obtain certificate and key pair. | Failed to obtain the certificate and key pair |
Failed to obtain certificate request. | Failed to obtain the certificate request |
Failed to construct USE_TRANSPORT notification. | Failed to construct the USE_TRANSPORT notification message |
Failed to find the Child SA for rekey. | The Child SA to be rekeyed was not found |
Lack of SA payload. | The packet lacks an SA payload |
Lack of TSi payload. | The packet lacks a TSi payload |
Lack of TSr payload. | The packet lacks a TSr payload |
Local and peer encapsulation modes not match. | The encapsulation modes of the two negotiating parties do not match |
Failed to parse TS payload. | Failed to parse the TS payload |
Failed to obtain IPsec policy for rekeying IKE SA. | Failed to obtain the IPsec policy when rekeying the IKE SA |
Failed to find IKE SA for rekey. | The IKE SA to be rekeyed was not found |
Lack of NONCE payload. | The IKEv2 packet lacks a nonce payload |
Failed to generate cookie. | Failed to generate a cookie |
Invalid payload attribute: type=attribute-type, length=attribute-len. | The payload attribute of type attribute-type and length attribute-len is invalid |
Failed to get address pool to assign internal address. | Failed to obtain an IPv4 address pool from AAA; no private address can be assigned |
The addresses in address pool pool-name were exhausted. | The address pool has run out of addresses |
Failed to assign an address from address pool pool-name to the peer. | Failed to assign an address from the address pool to the peer |
Failed to get IPv6 address pool to assign internal address. | Failed to obtain an IPv6 address pool from AAA; no private address can be assigned |
Failed to assign an address from address pool pool-name. | Failed to obtain an IP address from the address pool |
Configuration payload attribute attribute-name ignored: unsupported attribute. | The Configuration payload attribute is unsupported and is ignored |
Unsupported Configuration payload attribute attribute-name. | Unsupported Configuration payload attribute |
Failed to construct Configuration payload. | Failed to construct the Configuration payload |
Unsupported Configuration payload type. | Unsupported Configuration payload type |
Failed to construct Delete payload. | Failed to construct the Delete payload |
Failed to send add-DPD request. | Failed to send an add-DPD request to the IPsec process |
Failed to send delete-DPD request. | Failed to send a delete-DPD request to the IPsec process |
Failed to increase memory for packet generator. | Failed to enlarge the memory space while constructing the packet |
Encoding type encoding-type-name supports only 8-bit alignment. | The encoding-type-name encoding type requires the content added to the packet to be 8-bit aligned |
4-bit integers must be 4-bit aligned. | A 4-bit integer to be added must be 4-bit aligned |
Attribute format flag was not set. | The attribute format flag is not set |
Failed to generate a data block at bitpos bitpos. | Failed to generate a data block at bit position bitpos of the packet |
Invalid encoding type encoding-type in rule number. | The encoding type (encoding-type) in encoding rule number is invalid |
Failed to pad data encoded by rule number of type encoding-type. | Failed to pad the packet with data of encoding rule number and encoding type encoding-type |
Invalid ID type id-type was found during ID payload construction. | An unrecognized ID type was found while constructing the ID payload |
Unsupported ID type (id-type). | Unsupported ID type |
Failed to construct payload-type payload. | Failed to construct the payload |
Received AUTHENTICATION_FAILED notification. Destroyed IKE SA. | Received an authentication failure notification; the IKE SA is destroyed |
Profile profile-name does not exist. | The IKEv2 profile does not exist |
No keychain found in profile profile-name. | No keychain is configured in the profile |
No pre-shared key found. | No pre-shared key was found |
No pre-shared key found for local or peer. | No pre-shared key was found for the local end or the peer |
Failed to create Child SA while getting SPI. | The initiator failed to create the Child SA while obtaining the SPI (Security Parameter Index) |
Failed to find peer authentication method. | The peer authentication method was not found |
Failed to find local pre-shared key. | The local pre-shared key was not found |
No matching profile found. | No matching profile was found |
Profile profile-name does not exist. | The profile does not exist |
Peer authentication method was not specified in the profile. | No peer authentication method is configured in the profile |
Failed to find peer pre-shared key. | The peer pre-shared key was not found |
IPsec policy verification failed because peer ID does not match profile profile-name. | The peer's identity information does not match the profile, so the peer's IPsec policy verification failed |
Lack of IDr payload. | The packet lacks an IDr (responder ID) payload |
Peer ignored AUTH payload and proposed EAP, which was unsupported on local. | The peer omitted the AUTH payload and requested EAP authentication, which the local end does not support |
Lack of SA payload. | The packet lacks an SA payload |
Lack of KE payload. | The packet lacks a KE payload |
Lack of NONCE payload. | The packet lacks a NONCE payload |
Profile profile-name not found to construct AUTH exchange request. IKEv2 negotiation terminated. | The initiator could not find the corresponding profile when constructing the AUTH exchange request; IKEv2 negotiation is terminated |
Child SA not found. IKEv2 negotiation terminated. | The Child SA was not found; negotiation is terminated |
Failed to find Child SA. | Failed to find the Child SA |
Authentication failed. | Authentication failed |
Failed to create new Child SA. | Failed to create a new Child SA |
Failed to parse KE payload. | Failed to parse the KE payload |
Received an invalid DH group. | Received an unrecognized DH group number |
The peer's KE payload contained an incorrect DH group. | The peer's KE payload contains an incorrect DH group |
The local proposed DH group dh-group1 rather than DH group dh-group2. | The local end proposed DH group dh-group1 rather than DH group dh-group2 |
Failed to construct KE payload. | Failed to construct the KE payload |
Failed to parse KE payload. | Failed to parse the KE payload |
The peer's KE payload contained an incorrect DH group. | The peer's KE payload contains an incorrect DH group |
Failed to calculate DH public key. | Failed to compute the DH public key |
Failed to parse payload-type payload. | Failed to parse the payload |
Failed to parse packet due to lack of Encrypted payload. | The received IKEv2 negotiation packet carries no Encrypted payload; packet parsing failed |
Encrypted payload was not the last payload. | The Encrypted payload is not the last payload |
Invalid payload length. | Invalid payload length |
Number of received payload-type payloads exceeded the upper limit. | The number of payload-type payloads received exceeds the maximum |
Number of received payload-type payloads was smaller than the lower limit. | The number of payload-type payloads received is below the minimum |
Invalid message: exchange type=exchange-type, request flag=flag. | Invalid message; the exchange type is exchange-type and the request flag is flag (true or false) |
Invalid message. | Invalid message |
Failed to construct NAT-OA payload. | Failed to construct the NAT-OA payload |
Failed to parse NAT-OA payload. | Failed to parse the NAT-OA payload |
Failed to compute NAT-D. | Failed to compute NAT-D |
Unrecognized protocol (prototolID). | Unrecognized protocol number |
Invalid data length (data-length) for notify-type notification. | The notification data length for the notify-type notification is invalid |
Local did not accept the DH group proposed by peer. | The local end does not accept the DH group proposed by the peer |
Local does not support the DH group proposed by peer. | The local end does not support the DH group proposed by the peer |
Failed to construct NOTIFY payload. | Failed to construct the notification payload |
Received an unexpected message. | The received message is not one the local end expects |
Received message ID out of window. | The message ID of the received packet falls outside the message window maintained by the local end |
Received an invalid IKE SPI. | The received IKEv2 negotiation packet carries an invalid IKE SPI |
Failed to verify message header. | Failed to verify the message header |
Received a too small packet. | The received IKEv2 packet is too short |
Failed to create packet. | Failed to create the packet |
No message rules specified for exchange-type exchange. | No message rules exist for the exchange-type exchange |
Not enough memory for sending packet. | Not enough memory to send the IKEv2 packet |
Not enough space for Non-ESP marker in packet. | Not enough space in the packet to add the Non-ESP marker |
Not enough memory for rule number with encoding type type. | The packet parser has no memory left for message rule number with encoding type type |
Message not match the specified encoding rule and encoding type. | The message does not conform to the specified encoding rule and encoding type |
Failed to parse payload-type substructure payload. | Failed to parse the substructure payload |
Invalid length for payload-type substructure payload. | Invalid substructure payload length |
Failed to create payload. | Failed to create the payload |
Failed to parse payload-type payload. | Failed to parse the payload-type payload |
Unsupported transform type type. | Unsupported transform type |
Unsupported TS payload type. | Unsupported TS payload type |
Failed to create payload-type payload. | Failed to create the payload-type payload |
Failed to verify payload-type payload. | Failed to verify the payload |
Unrecognized critical payload. | An unrecognized critical payload was received |
Failed to verify certificate. | Certificate verification failed |
Incorrect length for SHA1 output. | The output length of the SHA1 algorithm is incorrect |
Profile profile-name does not exist. | The profile does not exist |
Keychain keychain-name does not exist. | The keychain does not exist |
Not enough space for processing cookie in request packet. | Not enough space in the request packet to process the cookie |
Ignored packets with outdated cookies. | Packets carrying outdated cookies are ignored |
Failed to send install-IPsec-SA request. | IKEv2 failed to send an IPsec SA installation request to IPsec |
Failed to send switch-IPsec-SA request. | IKEv2 failed to send an IPsec SA switch request to IPsec |
Message ID updated: local window left=local-window-left, local window expected=local-expected, peer window left=peer-window-left, peer window expected=peer-expected | The left edge of the local window is updated to local-window-left, the message ID of the next request the local end expects to receive is updated to local-expected, the left edge of the peer window is updated to peer-window-left, and the message ID of the next request the peer will send is updated to peer-expected |
Failed to move window: Received message ID was smaller than current value. | The message ID in the received IKEv2 packet is smaller than the current value; the window could not be moved |
Failed to create IKE SA with core data. | Failed to create the IKE SA from core data |
Failed to create Child SA with core data. | Failed to create the Child SA from core data |
Failed to find profile profile-name. | The IKEv2 profile was not found |
Failed to create IKE SA: not enough memory. | Insufficient memory; failed to create the IKE SA |
Failed to find profile profile-name. | Failed to find the IKEv2 profile |
Failed to create Child SA: not enough memory. | Insufficient memory; failed to create the Child SA |
Incorrect proposal order. | Incorrect IKEv2 proposal order |
Failed to verify payload-type payload. | Failed to verify the payload |
Inconsistent next payload type. | The next payload type is inconsistent with the protocol logic |
Invalid transform count. | The number of transforms declared in the packet does not match the number actually carried |
Failed to add encryption algorithm attribute. | Failed to add the encryption algorithm attribute |
Failed to add transforms to SA payload. | Failed to add transform payloads to the SA payload |
Failed to add ESP encryption algorithm attribute. | Failed to add the ESP encryption algorithm attribute |
Unsupported ESP encryption algorithm. | Unsupported ESP encryption algorithm |
Unsupported ESP authentication algorithm. | Unsupported ESP authentication algorithm |
Unsupported AH authentication algorithm. | Unsupported AH authentication algorithm |
Failed to find matching IKEv2 policy. | No matching IKEv2 policy was found |
Policy verification failed. | The IKEv2 policy in use was not found |
Failed to find matching IKEv2 proposal. | No matching IKEv2 proposal was found |
Failed to construct SA payload. | Failed to construct the SA payload |
Failed to find matching IKEv2 proposal. | No matching IKEv2 proposal was found |
Failed to add SA payload. | Failed to add the SA payload to the packet |
Failed to find encryption algorithm during payload encryption. | The encryption algorithm was not found when encrypting the payload |
Failed to decrypt payload: invalid payload length. | Payload decryption failed because the payload length is invalid |
Packet integrity verification failed. | The IKEv2 packet failed the integrity check |
Failed to encrypt payload. | Failed to encrypt the IKEv2 packet payload |
Failed to decrypt payload. | Failed to decrypt the IKEv2 packet payload |
Failed to parse payload-type payload. | Failed to parse the payload-type payload of the IKEv2 packet |
IPsec process (ipsec-status) timed out and Child SA was deleted. | IPsec processing timed out (the current IPsec processing state is ipsec-status); the created Child SA is deleted |
Failed to start timer for IPsec process (ipsec-status). | Failed to start the timer that waits for IPsec processing (the current IPsec processing state is ipsec-status) |
Responder did not use the Transport mode. | The responder could not match the transport encapsulation mode |
Child SA already exists. | The Child SA was found to already exist when creating it |
Lack of SA payload. | The SA payload is missing |
Failed to send IPsec policy request. | IKEv2 failed to send an IPsec policy request to IPsec |
Failed to parse payloads during Child SA establishment. | Failed to parse payloads while creating the Child SA |
Failed to send IPsec SPI request. | IKEv2 failed to send an IPsec SPI request to IPsec |
No matching IKE SA found. Ignored IPsec SA installation request. | The corresponding IKE SA was not found; the IPsec SA creation request is ignored |
Failed to find IKE SA during IPsec process (ipsec-status). | Failed to find the IKE SA during IPsec processing (state ipsec-status) |
Failed to send request to IPsec. Destroyed SA. | IKEv2 failed to send the request to IPsec; the SA is destroyed |
Failed to find IKE SA. | Failed to find the IKE SA |
[IPsec->IKE] | The IPsec module sends a message to the IKE module |
[IPsec->IKE] Failed to find Child SA after IKE obtained IPsec policy. | After IKE obtained the IPsec policy, the Child SA was not found |
[IPsec->IKE] Failed to process next status after IKE obtained IPsec policy. | After IKE obtained the IPsec policy, processing the next state failed |
[IPsec->IKE] Failed to find Child SA after IKE obtained IPsec SPI. | After IKE obtained the IPsec SPI, the Child SA was not found |
[IPsec->IKE] Failed to process next status after IKE obtained IPsec SPI. | After IKE obtained the IPsec SPI, processing the next state failed |
[IPsec->IKE] Failed to find Child SA after IPsec SA was installed. | After IKE completed the IPsec SA installation processing, the Child SA was not found |
[IPsec->IKE] Failed to process next status after IPsec SA was installed. | After IPsec installed the SA, IKEv2 failed to process the next state |
Failed to construct packet. | Failed to create the IKEv2 packet |
Invalid port range (start port start-port, end port end-port) in TSi/TSr payload. | The port range in the TSi or TSr payload is invalid (start port start-port, end port end-port) |
TSr protocol family tsr-family inconsistent with TSi protocol family tsi-family. | The TSr protocol family tsr-family is inconsistent with the TSi protocol family tsi-family |
TSr protocol range inconsistent with TSi protocol range. | The TSr protocol range is inconsistent with the TSi protocol range |
Failed to construct TSi payload. | 构造TSi载荷失败 |
Failed to construct TSr payload. | 构造TSr载荷失败 |
Table 3-2 Output description for the debugging ikev2 internal command
Field | Description |
[AAA->IKE] IKE obtained authorization data from AAA. | [Message from AAA to IKE] IKE obtained authorization data from AAA |
DH key computation succeeded. | The DH key was computed successfully |
Computed IPsec SA keying material. | Computed the IPsec SA keying material |
Computed SKEYSEED. | Computed SKEYSEED |
Verified peer authentication data. | Verified the peer's authentication data |
Peer authentication data passed verification. | The peer's authentication data passed verification |
Local authentication method is method-name. | The local authentication method is method-name |
Generated authentication data. | Generated the authentication data |
Constructed AUTH payload. | Constructed the AUTH payload |
Failed to construct AUTH payload. | Failed to construct the AUTH payload |
Constructed Certificate payload. | Constructed the Certificate payload |
Certificate subject name subject-name | The certificate subject name is subject-name |
Constructed Certificate Request payload. | Constructed the Certificate Request payload |
Certificate encoding type type | The certificate encoding type is type |
Processed Certificate payload. | Processed the Certificate payload |
Old Child SA has been replaced. Sent TEMPORARY_FAILURE notification to peer. | The Child SA had already been replaced during rekeying, so a TEMPORARY_FAILURE notification was sent to the peer |
IKE SA is busy. | The IKE SA state machine is busy |
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the IKE SA was being deleted. | (Tunnel ID tunnel-id) Received an IKE SA rekey packet from the peer while the IKE SA was being deleted |
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the IKE SA has a half-open Child SA. | (Tunnel ID tunnel-id) Received an IKE SA rekey packet from the peer, but a Child SA of this IKE SA is still being created or rekeyed |
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the Child SA was being deleted. | (Tunnel ID tunnel-id) Received an IKE SA rekey packet from the peer, but a Child SA of this IKE SA is being deleted |
Peer prefers encaps-mode mode. | The peer prefers the encaps-mode encapsulation mode |
Received an invalid KE payload. Retried negotiation. | Received an invalid KE payload and retried the negotiation |
IPv4 address assigned by peer: ipv4-addr | The IPv4 address pushed to the local end by the peer |
IPv6 address assigned by peer: ipv6-addr/ipv6-prefix | The IPv6 address pushed to the local end by the peer |
Subnet mask assigned by peer: mask | The IPv4 subnet mask pushed to the local end by the peer |
Constructed CP payload: cp-type. | Constructed a CP payload of type cp-type |
Processed CP payload: cp-type. | Processed a CP payload of type cp-type |
AAA authorization was not configured in profile profile-name. | AAA authorization is not configured in the IKEv2 profile profile-name |
[IKE->AAA] Sent an authorization request. | [Message from IKE to AAA] IKE sent an authorization request |
Constructed Delete payload. | Constructed the SA Delete payload |
Processed Delete payload. | Processed the SA Delete payload |
Constructed payload-type payload: id of type id-type. | Constructed an ID payload: payload type payload-type, ID type id-type, ID value id |
Processed ID payload. | Processed the ID payload |
Constructed empty payload for keepalive request. | Constructed an empty payload for the keepalive request |
Received keepalive response. | Received the keepalive response |
Peer did not accept the address assigned by local. | The peer did not accept the address assigned by the local end |
Peer accepted the address assigned by local. | The peer accepted the address assigned by the local end |
Selected profile profile-name. | Selected the IKEv2 profile profile-name |
Obtained pre-shared key from keychain keychain-name. | Obtained the pre-shared key from the keychain referenced by the IKEv2 profile |
Searched for a profile matching peer ID id of type id-type. | Searched for an IKEv2 profile matching the peer identity (ID type id-type, ID value id) |
Found matching profile profile-name. | Found the matching IKEv2 profile profile-name |
Profile verification passed. | The IKEv2 profile passed verification |
Received an INVALID_KE_PAYLOAD notification. Retried negotiation. | The initiator's DH group guess failed: it received an INVALID_KE_PAYLOAD notification from the peer and restarted the negotiation |
SA_INIT exchange completed. | The SA_INIT exchange has completed |
Constructed KE payload. | Constructed the KE payload |
Processed KE payload. | Processed the KE payload |
Computed DH public key by using dh-group. | Computed the DH public key using DH group dh-group |
Peer was behind NAT. | IKEv2 detected that the peer is behind a NAT device |
Local was behind NAT. | IKEv2 detected that the local end is behind a NAT device |
Constructed NAT-OAi payload. | Constructed the NAT-OAi payload |
Constructed NAT-OAr payload. | Constructed the NAT-OAr payload |
Processed NAT discovery notification. | Processed the NAT detection notification payload |
No NAT found. | No NAT device exists between the two IKEv2 negotiating ends |
Constructed NONCE payload. | Constructed the NONCE payload |
Peer did not accept DH group dh-group1 and proposed DH group dh-group2. | The peer rejected negotiation with DH group dh-group1 and proposed DH group dh-group2 instead |
Constructed NOTIFY payload: notify-type. | Constructed a NOTIFY payload of type notify-type |
Processed notification response for IKE SA. | Processed the notification payload in the response for the IKE SA |
Processed NOTIFY payload in AUTH exchange response. | Processed the NOTIFY payload in the AUTH exchange response |
Processed NOTIFY payload in Child SA exchange response. | Processed the NOTIFY payload in the Child SA exchange response |
Processed NOTIFY payload notify-type. | Processed a NOTIFY payload of type notify-type |
Searched for IKEv2 policy with VRF vrf and local address address. | Searched for an IKEv2 policy with local address address in VRF vrf |
Used default IKEv2 policy. | Used the default IKEv2 policy |
Obtained pre-shared key through hostname hostname. | Obtained the pre-shared key by host name hostname |
Matched peer name. | Matched the IKEv2 peer named name |
Obtained pre-shared key through address address. | Obtained the pre-shared key by address address |
Obtained pre-shared key through ID id of type id-type. | Obtained the pre-shared key by identity id of type id-type |
(Tunnel ID tunnel-id): (I) Current status status | (Tunnel ID tunnel-id) The initiator (I) is in state status |
(Tunnel ID tunnel-id): (R) Current status status | (Tunnel ID tunnel-id) The responder (R) is in state status |
(Tunnel ID tunnel-id): IKE SA received an incorrect request priority. | The IKE SA (tunnel ID tunnel-id) received a request with an incorrect priority |
Activated new request. | Activated a new request from the request queue |
(Tunnel ID: tunnel-id): Found no duplicate IKE SA. | (Tunnel ID tunnel-id) No duplicate IKE SA was found |
(Tunnel ID tunnel-id): Deleted negotiation context. | (Tunnel ID tunnel-id) Deleted the negotiation context |
Next request message ID outside of window. | The message ID of the next IKE request falls outside the message window |
Message ID exceeded the limit. Waiting for rekey… | The message ID has reached its maximum value; waiting for rekeying |
Reclaimed IPv4 address ipv4-addr. | Reclaimed an IPv4 address that IKEv2 had assigned |
Reclaimed IPv6 address ipv6-addr ipv6-prefix. | Reclaimed an IPv6 address that IKEv2 had assigned |
Deleted Child SA (message ID message-id). | Deleted the Child SA; the message ID associated with the Child SA is message-id |
Deleted Child SA (protocol protocol SPI spi). | Deleted the Child SA; its security protocol is protocol (AH or ESP) and its SPI is spi |
(Tunnel ID tunnel-id): Deleted IKE SA. | (Tunnel ID tunnel-id) Deleted the IKE SA |
(Tunnel ID tunnel-id): Found duplicate IKE SA. | (Tunnel ID tunnel-id) A duplicate IKE SA was found |
(Tunnel ID tunnel-id): Processed IKE SA rekey collision. | (Tunnel ID tunnel-id) Processed an IKE SA rekey collision |
Transform type id | Printed a Transform substructure: type type, ID id |
Transform type id attribute | Printed a Transform substructure: type type, ID id, attribute attribute |
Proposal number | Printed a Proposal substructure with number number |
Matched IKEv2 policy policy-name. | Matched the IKEv2 policy policy-name |
Constructed SA payload. | Constructed the SA payload |
Processed SA payload. | Processed the SA payload |
Used transport mode. | Negotiated in transport mode |
Used tunnel mode. | Negotiated in tunnel mode |
Processed TSi payload. | Processed the TSi payload |
Processed TSr payload. | Processed the TSr payload |
Constructed TSi payload. | Constructed the TSi payload |
Constructed TSr payload. | Constructed the TSr payload |
Table 3-3 Output description for the debugging ikev2 packet command
Field | Description |
Data ipv4-addr, length length | Data and length of an IPv4 CP payload attribute |
Data ipv6-addr/ipv6-prefix, length length | Data and length of an IPv6 CP payload attribute |
Attribute type type | CP payload attribute type. Possible values: · INTERNAL_IP4_ADDRESS · INTERNAL_IP4_NETMASK · INTERNAL_IP4_DNS · INTERNAL_IP4_NBNS · INTERNAL_ADDRESS_EXPIRY · INTERNAL_IP4_DHCP · APPLICATION_VERSION · INTERNAL_IP6_ADDRESS · INTERNAL_IP6_NETMASK · INTERNAL_IP6_DNS · INTERNAL_IP6_NBNS · INTERNAL_IP6_DHCP · INTERNAL_IP4_SUBNET · SUPPORTED_ATTRIBUTES · INTERNAL_IP6_SUBNET · MIP6_HOME_PREFIX · INTERNAL_IP6_LINK · INTERNAL_IP6_PREFIX · HOME_AGENT_ADDRESS · INTERNAL_IP4_SERVER · INTERNAL_IP6_SERVER · UNITY_BANNER · UNITY_SAVE_PASSWD · UNITY_DEF_DOMAIN · UNITY_SPLITDNS_NAME · UNITY_SPLIT_INCLUDE · UNITY_NATT_PORT · UNITY_LOCAL_LAN · UNITY_PFS · UNITY_FW_TYPE · UNITY_BACKUP_SERVERS · UNITY_DDNS_HOSTNAME |
Assigned IPv4 address ipv4-addr from pool pool-name. | Assigned the IPv4 address ipv4-addr from the address pool pool-name |
Assigned IPv6 address ipv6-addr/ipv6-prefix from pool pool-name. | Assigned the IPv6 address ipv6-addr/ipv6-prefix from the address pool pool-name |
Type type, length length | CP payload attribute: type type, length length |
Received keepalive packet. | Received an IKEv2 keepalive packet |
Responder received no AUTH request. | The responder did not receive an AUTH request |
Failed to construct ECDH public key. | Failed to construct the ECDH public key |
Unsupported DH group. | The DH group is not supported |
Parsed the last payload (Encrypted payload). | Parsed the last payload of the packet (the Encrypted payload) |
Payload content: | Payload content of the IKEv2 packet follows |
Processed INVALID_SPI notification. | Processed an INVALID_SPI notification |
Processed INVALID_SELECTORS notification. | Processed an INVALID_SELECTORS notification |
Request message ID was msgid. Expected IDs were from windowleft to windowright. | The message ID of the request is msgid; the local end accepts request message IDs in the window windowleft through windowright |
I-SPI=i-spi R-SPI=r-spi Message ID=message-id Exchange type=exchange-type Flags=flags Next payload=payload, length=length | IKEv2 header information: · I-SPI: initiator SPI · R-SPI: responder SPI · Message ID: message ID · Exchange type: exchange type · Flags: request/response and initiator flags · Next payload: type of the first payload in the message · length: total length of the IKEv2 message, header included |
Received packet from peer-addr: source port source-port, destination port dest-port. | Received a packet from the peer peer-addr with source port source-port and destination port dest-port |
Constructed an encrypted packet. | Constructed an encrypted packet |
Sent packet to address: peer port peer-port, local port local-port. | Sent a packet to address; the peer port is peer-port and the local port is local-port |
Sent an IPv4 packet. | Sent an IPv4 packet |
Sent an IPv6 packet. | Sent an IPv6 packet |
Current payload payload, length length, next payload next-payload | Packet payload: current payload payload, length length, next payload next-payload |
Current payload payload, length length, DH group dh-group, next payload next-payload | Packet payload: current payload payload, length length, DH group dh-group, next payload next-payload |
Current payload payload, length length, type type, next payload next-payload | Packet payload: current payload payload, length length, type type, next payload next-payload |
Current payload payload, length length, encoding type encoding-type, next payload next-payload | Packet payload: current payload payload, length length, encoding type encoding-type, next payload next-payload |
Current payload payload, length length, method method, next payload next-payload | Packet payload: current payload payload, length length, authentication method method, next payload next-payload |
Current payload payload, length length, type type, protocol protocol, SPI size size, next payload next-payload | Packet payload: current payload payload, length length, type type, protocol protocol, SPI size size, next payload next-payload |
Current payload payload, length length, type type, protocol protocol, SPI size size, SPI count spi-count, next payload next-payload | Packet payload: current payload payload, length length, type type, protocol protocol, SPI size size, spi-count SPIs carried, next payload next-payload |
Current payload payload, length length, selector count selector-count, next payload next-payload | Packet payload: current payload payload, length length, selector-count traffic selectors carried, next payload next-payload |
Last proposal number, length length | Proposal substructure: number is 0 for the last proposal and 2 when another proposal follows; the substructure length is length |
Proposal number, protocol protocol, SPI size size, transform count transform-count | Proposal substructure: proposal number number, protocol protocol, SPI size size, transform-count transforms carried |
Last transform value, length length | Transform substructure: value is 0 for the last transform and 3 when another transform follows; the substructure length is length |
Type type, transform ID transform-id | Transform substructure: type type, ID transform-id |
Key length length | Transform attribute: key length length |
TS type type, IP protocol protocol, length length | Traffic selector: type type, protected IP protocol protocol, length length |
Start port start-port, end port end-port | Traffic selector port range: start-port through end-port |
Start address start-addr, end address end-addr | Traffic selector address range: start-addr through end-addr |
Current payload payload, length length, ID type type, next payload next-payload | Packet payload: current payload payload, length length, ID type type, next payload next-payload |
Initiator received an INVALID_KE_PAYLOAD notification from responder who proposed DH group dh-group1. Initiator sent another INIT exchange request. | The initiator's DH group guess failed: it received an INVALID_KE_PAYLOAD notification from the responder, which proposed DH group dh-group1, and resent the INIT exchange request |
Retransmitted the packet. | Retransmitted the IKEv2 packet |
Retransmission timed out. | The maximum number of retransmissions was exceeded; IKEv2 packet retransmission timed out |
Packet carried the same cookie as the previous packet. | The packet carries the same cookie as the previous packet |
Packet carried a different cookie than the previous packet. | The cookie in the packet differs from the previous cookie |
Keepalive check timed out. | The IKEv2 keepalive check timed out |
Retransmitted the response. | Retransmitted the IKEv2 response |
Received a packet with cookie. | Received an IKEv2 packet that carries a cookie |
Received a packet without cookie. | Received an IKEv2 packet that carries no cookie |
Processed response with message ID msg-id. Requests with IDs from msgleft to msgright can be sent. | Processed the response with message ID msg-id; requests with message IDs msgleft through msgright can now be sent |
Sent response with message ID msg-id. Requests with IDs from msgleft to msgright can be accepted. | Sent the response with message ID msg-id; requests with message IDs msgleft through msgright can now be accepted |
Proposal proposal-number | The proposal number within the SA payload is proposal-number |
Encrypted payload passed integrity verification. | The IKEv2 Encrypted payload passed the integrity check |
Invalid TSr port range (start port start-port, end port end-port). | The TSr port range (start-port through end-port) is invalid |
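The message ID window messages in Tables 3-1 through 3-3 (window updated, received ID smaller than the current value, next request ID outside the window, ID limit reached and waiting for rekey, and the ranges reported after a response is processed or sent) all describe the bookkeeping RFC 7296 section 2.3 requires of each end of an IKE SA. The following Python class is an added illustration of that bookkeeping for one IKE SA; it is not code from the device or from this manual. The window size, the sets and counters, the exception names and the return values are the example's own choices, and the error strings are worded to match the table rows they correspond to.

```python
MAX_MESSAGE_ID = 0xFFFFFFFF


class WindowFull(Exception):
    """No free request ID: the peer has not yet answered the oldest outstanding request."""


class NeedRekey(Exception):
    """The 32-bit Message ID space is exhausted; only a new IKE SA can carry more requests."""


class MessageIdWindow:
    """Request/response Message ID bookkeeping for one IKE SA (RFC 7296 section 2.3).

    Each side numbers the requests it sends from 0 and accepts the peer's requests in a
    window of window_size IDs starting at the next ID it expects. Sent responses are kept so
    a retransmitted request can be answered again without being processed twice."""

    def __init__(self, window_size=1):
        self.window_size = window_size
        self.outstanding = set()   # local request IDs sent and not yet answered
        self.send_next = 0         # ID the next new local request will carry
        self.recv_expected = 0     # lowest peer request ID not yet answered
        self.pending = set()       # peer request IDs received and being processed
        self.retained = {}         # peer request ID -> response kept for retransmission

    @property
    def send_left(self):
        return min(self.outstanding) if self.outstanding else self.send_next

    def new_request(self):
        """Allocate the Message ID for a new outbound request."""
        if self.send_next >= MAX_MESSAGE_ID:
            raise NeedRekey("Message ID exceeded the limit. Waiting for rekey...")
        if self.send_next >= self.send_left + self.window_size:
            raise WindowFull("Next request message ID outside of window.")
        mid = self.send_next
        self.send_next += 1
        self.outstanding.add(mid)
        return mid

    def on_response(self, mid):
        """Peer answered request mid; returns the ID range that may now be sent."""
        if mid not in self.outstanding:
            raise ValueError("response with unexpected message ID %d" % mid)
        self.outstanding.discard(mid)
        return self.send_next, self.send_left + self.window_size - 1

    def on_request(self, mid):
        """Classify an inbound request as new, retransmitted or in progress; reject stale or out-of-window IDs."""
        if mid in self.retained:
            return "retransmit", self.retained[mid]
        if mid in self.pending:
            return "in_progress", None
        if mid < self.recv_expected:
            raise ValueError("Failed to move window: Received message ID was smaller than current value.")
        right = self.recv_expected + self.window_size - 1
        if mid > right:
            raise ValueError("Request message ID was %d. Expected IDs were from %d to %d."
                             % (mid, self.recv_expected, right))
        self.pending.add(mid)
        return "new", None

    def on_response_sent(self, mid, response):
        """Record the response to request mid; returns the ID range that can now be accepted."""
        if mid not in self.pending:
            raise ValueError("no pending request with message ID %d" % mid)
        self.pending.discard(mid)
        self.retained[mid] = response
        while self.recv_expected in self.retained:   # slide past every answered ID
            self.recv_expected += 1
        for old in [k for k in self.retained if k < self.recv_expected - self.window_size]:
            del self.retained[old]                   # keep only the last window_size responses
        return self.recv_expected, self.recv_expected + self.window_size - 1
```

With the default window of 1, the sequence matches the trace in the examples: after the response to message ID 0 is processed, exactly ID 1 may be sent, and a responder that has answered ID 0 accepts only ID 1 as a new request, answers ID 0 again from the retained copy, and rejects anything older or beyond the window.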
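Table 3-3 lists the header and per-payload fields that debugging ikev2 packet prints. The following Python parser is an added example, not the device's own code: it decodes the same fields from raw bytes, namely the 28-byte IKEv2 header, the next-payload chain with its length checks, the proposal and transform substructures with their 0/2 and 0/3 "last" octets, the KE group and the NOTIFY type, and then reports which offered transforms fall into a weak set. The SA_INIT request it parses is constructed inline to carry the same proposal and payload lengths as the trace in the examples below (SA 44, KE 104, NONCE 36, two NOTIFY 28, total 268); its DH public value and NAT-detection hashes are zero placeholders, the name tables cover only the IANA registry values the example needs, and the WEAK set is a policy choice for the example rather than anything this manual states. That set is worth a moment's attention: the suite in the sample trace (3DES-CBC, AUTH-HMAC-MD5-96, PRF-HMAC-MD5 and the 768-bit MODP group 1) is legacy and should not be used for new deployments; prefer AES, SHA-2 and at least a 2048-bit MODP or an elliptic-curve group.

```python
import struct

EXCHANGE = {34: "SA_INIT", 35: "AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {0: "NO_PAYLOAD", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "NONCE", 41: "NOTIFY", 42: "DELETE", 43: "VENDOR", 44: "TSi", 45: "TSr", 46: "ENCRYPTED", 47: "CP"}
PROTOCOL = {0: "NO PROTOCOL", 1: "IKE", 2: "AH", 3: "ESP"}
TRANSFORM = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "D-H", 5: "ESN"}
TRANSFORM_ID = {"ENCR": {3: "3DES-CBC", 12: "AES-CBC", 20: "AES-GCM-16"},
                "PRF": {1: "PRF-HMAC-MD5", 2: "PRF-HMAC-SHA1", 5: "PRF-HMAC-SHA2-256"},
                "INTEG": {1: "AUTH-HMAC-MD5-96", 2: "AUTH-HMAC-SHA1-96", 12: "AUTH-HMAC-SHA2-256-128"},
                "D-H": {1: "768-bit MODP/Group 1", 2: "1024-bit MODP/Group 2", 14: "2048-bit MODP/Group 14"}}
NOTIFY = {16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
          16389: "NAT_DETECTION_DESTINATION_IP", 16392: "HTTP_CERT_LOOKUP_SUPPORTED"}
# Policy choice for this example, not a list from the manual: transforms a reviewer should flag.
WEAK = {"3DES-CBC", "PRF-HMAC-MD5", "AUTH-HMAC-MD5-96", "768-bit MODP/Group 1", "1024-bit MODP/Group 2"}


def _unpack(fmt, buf, off):
    # Bounds-checked struct.unpack: a truncated packet raises ValueError instead of struct.error.
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ValueError("truncated at offset %d" % off)
    return struct.unpack(fmt, buf[off:off + size])


def parse_sa(body):
    # Proposal 'last' octet: 0 on the final proposal, 2 if another follows. Transform: 0 or 3.
    proposals, off = [], 0
    while off < len(body):
        last, _, plen, num, proto, spi_size, ntrans = _unpack("!BBHBBBB", body, off)
        if plen < 8 + spi_size or off + plen > len(body):
            raise ValueError("invalid proposal length %d" % plen)
        toff, transforms = off + 8 + spi_size, []
        for i in range(ntrans):
            tlast, _, tlen, ttype, _, tid = _unpack("!BBHBBH", body, toff)
            if tlast != (0 if i == ntrans - 1 else 3) or tlen < 8 or toff + tlen > off + plen:
                raise ValueError("Invalid transform count.")
            tname = TRANSFORM.get(ttype, str(ttype))
            t = {"type": tname, "id": TRANSFORM_ID.get(tname, {}).get(tid, str(tid))}
            for aoff in range(toff + 8, toff + tlen, 4):  # TV-format attributes only; 0x800E is Key Length
                atype, aval = _unpack("!HH", body, aoff)
                t["key_length" if atype == 0x800E else "attr_%04x" % atype] = aval
            transforms.append(t)
            toff += tlen
        if toff != off + plen or last != (0 if off + plen == len(body) else 2):
            raise ValueError("Incorrect proposal order.")
        proposals.append({"number": num, "protocol": PROTOCOL.get(proto, str(proto)),
                          "spi": body[off + 8:off + 8 + spi_size].hex(), "transforms": transforms})
        off += plen
    return proposals


def parse_packet(pkt):
    # 28-byte header, then follow the next-payload chain until NO_PAYLOAD (0).
    ispi, rspi, nxt, ver, exch, flags, mid, length = _unpack("!8s8sBBBBII", pkt, 0)
    if ver >> 4 != 2 or length != len(pkt):
        raise ValueError("bad major version %d or header length %d != %d" % (ver >> 4, length, len(pkt)))
    header = {"i_spi": ispi.hex(), "r_spi": rspi.hex(), "message_id": mid, "exchange": EXCHANGE.get(exch, str(exch)),
              "flags": ["RESPONSE" if flags & 0x20 else "REQUEST"] + (["INITIATOR"] if flags & 0x08 else []),
              "next_payload": PAYLOAD.get(nxt, str(nxt)), "length": length}
    payloads, off, ptype = [], 28, nxt
    while ptype != 0:
        nxt, _, plen = _unpack("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("invalid payload length %d at offset %d" % (plen, off))
        body = pkt[off + 4:off + plen]
        p = {"type": PAYLOAD.get(ptype, str(ptype)), "length": plen, "next": PAYLOAD.get(nxt, str(nxt))}
        if ptype == 33:
            p["proposals"] = parse_sa(body)
        elif ptype == 34:
            p["dh_group"] = TRANSFORM_ID["D-H"].get(_unpack("!HH", body, 0)[0], "unknown group")
        elif ptype == 41:
            proto, spi_size, ntype = _unpack("!BBH", body, 0)
            p.update(notify=NOTIFY.get(ntype, str(ntype)), protocol=PROTOCOL.get(proto, str(proto)), spi_size=spi_size)
        payloads.append(p)  # an Encrypted payload (46) is listed but not opened: that needs the SA keys
        off, ptype = off + plen, nxt
    if off != len(pkt):
        raise ValueError("Inconsistent next payload type: %d trailing bytes" % (len(pkt) - off))
    return {"header": header, "payloads": payloads}


def weak_transforms(parsed):
    # Transform names offered in any SA proposal that fall in WEAK.
    return {t["id"] for p in parsed["payloads"] if p["type"] == "SA"
            for prop in p["proposals"] for t in prop["transforms"] if t["id"] in WEAK}


def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _transform(last, ttype, tid):
    return struct.pack("!BBHBBH", last, 0, 8, ttype, 0, tid)


# Constructed SA_INIT request with the manual's proposal and payload lengths (SA 44, KE 104, NONCE 36,
# two NOTIFY 28, total 268). The DH public value and NAT-detection hashes are zero placeholders.
_transforms = _transform(3, 1, 3) + _transform(3, 3, 1) + _transform(3, 2, 1) + _transform(0, 4, 1)
_proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(_transforms), 1, 1, 0, 4) + _transforms
_body = (_payload(34, _proposal) + _payload(40, struct.pack("!HH", 1, 0) + bytes(96))
         + _payload(41, bytes(range(32))) + _payload(41, struct.pack("!BBH", 0, 0, 16388) + bytes(20))
         + _payload(0, struct.pack("!BBH", 0, 0, 16389) + bytes(20)))
SAMPLE_SA_INIT = struct.pack("!8s8sBBBBII", bytes.fromhex("e787e1a5584f87e6"), bytes(8),
                             33, 0x20, 34, 0x08, 0, 28 + len(_body)) + _body
```

parse_packet(SAMPLE_SA_INIT) yields the same chain the sample trace prints (SA 44 -> KE 104 -> NONCE 36 -> NOTIFY 28 -> NOTIFY 28, header length 268, flags REQUEST and INITIATOR), and weak_transforms() returns all four transforms of that proposal. Any inconsistency a peer could send, such as a payload length running past the packet, a transform whose "last" octet contradicts the declared count, or trailing bytes after the payload marked as last, is rejected with a ValueError rather than silently accepted, which is the behaviour the error rows in Table 3-1 describe.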
Table 3-4 Output description for the debugging ikev2 pki command
Field | Description |
Certificate verification through PKI domain domain-name succeeded. | The peer certificate was verified successfully using PKI domain domain-name |
Obtained CA certificate from PKI domain domain-name. | Obtained the CA certificate from PKI domain domain-name |
Obtained local certificate and key pair from PKI domain domain-name. | Obtained the local certificate and key pair from PKI domain domain-name |
The key pair did not meet the peer's requirement. Checked the next PKI domain. | The key pair does not meet the peer's requirement, so the next PKI domain was checked |
Obtained certificate request from cache. | Obtained the certificate request from the cache |
Obtained certificate request from cache in profile profile-name. | Obtained the certificate request from the cache of IKEv2 profile profile-name |
PKI data changed. | IKE-related PKI data changed |
Table 3-5 Output description for the debugging ikev2 ipsec command
Field | Description |
[IPsec->IKE] | IPsec sent a message to IKE |
[IKE->IPsec] | IKE sent a message to IPsec |
[IPsec->IKE] Received a smooth IPsec SA ACK. | IKE received the acknowledgment for the IPsec SA smoothing request |
[IKE->IPSEC] Sent add-DPD request. | IKE sent a request to IPsec to add DPD |
[IKE->IPsec] Sent delete-DPD request. | IKE sent a request to IPsec to delete DPD |
Protected flow: Inbound: DstIP1/Mask1->SrcIP1/Mask11 Outbound: SrcIP1/Mask11->DstIP1/Mask1 | Traffic protected by the Child SA: · Inbound: destination address DstIP1 with mask Mask1 -> source address SrcIP1 with mask Mask11 · Outbound: source address SrcIP1 with mask Mask11 -> destination address DstIP1 with mask Mask1 |
[IKE->IPsec] Sent install-IPsec-SA request. | IKE sent a request to IPsec to install the IPsec SA |
[IKE->IPsec] Sent switch-IPsec-SA request. | IKE sent a request to IPsec to switch the IPsec SA |
Traffic-based IPsec SA lifetime expired. | The traffic-based lifetime of the IPsec SA that belongs to the Child SA expired |
[IPsec->IKE] Received an invalid SPI, no matching IKE SA found. | IKE received an invalid-SPI message, and no corresponding IKE SA was found |
[IKE->IPsec] Sent IPsec policy request. | IKE sent a request to IPsec for the IPsec policy |
[IKE->IPsec] Sent IPsec SPI request. | IKE sent a request to IPsec for an IPsec SPI |
[IPsec->IKE] Received IPsec SA negotiation request. | IKE received a request from IPsec to negotiate an IPsec SA |
[IPsec->IKE] IPsec policy successfully obtained. | IPsec notified IKE that the IPsec policy was obtained |
[IPsec->IKE] IPsec SPI successfully obtained. | IPsec notified IKE that the IPsec SPI was obtained |
[IPsec->IKE] IPsec SA successfully installed. | IPsec notified IKE that the IPsec SA was installed |
Table 3-6 Output description for the debugging ikev2 timer command
Field | Description |
Responder started a timer of number sec, waiting for AUTH exchange request. | The responder started a number-second timer to wait for the initiator's AUTH exchange request |
(Tunnel ID tunnel-id): Sent NAT-keepalive packet. | The IKE SA (tunnel ID tunnel-id) sent a NAT keepalive packet |
Started hardtimer. | Started the hard-timeout timer |
Failed to create IKE SA timer. | Failed to create the IKE SA timer |
Failed to create Child SA timer. | Failed to create the Child SA timer |
(Tunnel ID tunnel-id): IKE SA soft lifetime expired and IKE SA was rekeyed. | (Tunnel ID tunnel-id) The IKE SA soft lifetime expired, and the IKE SA was rekeyed |
(Tunnel ID tunnel-id): IKE SA hard lifetime expired and IKE SA was deleted. | (Tunnel ID tunnel-id) The IKE SA hard lifetime expired, and the IKE SA was deleted |
(Tunnel ID tunnel-id): IKE SA lifetime timer (number sec) started. | (Tunnel ID tunnel-id) The IKE SA lifetime timer started with a timeout of number seconds |
Failed to start hardtimer. | Failed to start the hard-timeout timer |
Child SA soft lifetime expired. | The Child SA soft lifetime expired |
Child SA hard lifetime expired. | The Child SA hard lifetime expired |
Table 3-7 Output description for the debugging ikev2 dpd command
Field | Description |
Construct empty payload for liveness check request. | Constructed an empty payload for the liveness check request |
Received liveness check response. | Received the liveness check response |
Receive liveness check. | Received a liveness check packet |
Retransmit DPD packet. | Retransmitted the DPD packet |
Liveness check timeout. | The liveness check timed out |
Sending packet to address,remote port remote-port,local port local-port. | Sending a packet to address; the peer port is remote-port and the local port is local-port |
Sending an IPv4 packet. | Sending an IPv4 packet |
Sending an IPv6 packet. | Sending an IPv6 packet |
Table 3-8 Output description for the debugging ikev2 nat-keepalive command
Field | Description |
Sending packet to address,remote port remote-port,local port local-port. | Sending a packet to address; the peer port is remote-port and the local port is local-port |
Sending an IPv4 packet. | Sending an IPv4 packet |
Sending an IPv6 packet. | Sending an IPv6 packet |
【Examples】
# An IPsec policy that uses IKEv2 negotiation is configured on both security gateways, and the IKEv2 error debugging switch is enabled. If no matching IKEv2 proposal is found during IKE negotiation, the following debugging information is output.
<Sysname> debugging ikev2 error
*Nov 24 05:40:16:391 2014 Sysname IKEV2/7/ERROR: -MDC=1; No proposal matched.
// No acceptable proposal was found
# An IPsec policy that uses IKEv2 negotiation is configured on both security gateways, and the IKEv2 internal debugging switch is enabled. With pre-shared key authentication configured, the following debugging information is output when traffic triggers IKE negotiation.
<Sysname> debugging ikev2 internal
Ping 123.234.234.123 (123.234.234.123): 56 data bytes, press CTRL_C to break
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] Received an IPsec SA negotiation request.
// Received a request from IPsec to negotiate an SA
*Oct 20 09:13:57:413 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the request.
// IKE thread 3077876688 processes the negotiation request
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: IDLE
// Current state machine state: IDLE
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Chose profile fxm.
// Selected IKEv2 profile fxm
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Obtained pre-shared key from keychain fxm.
// Obtained the pre-shared key from keychain fxm, which is referenced by IKEv2 profile fxm
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Obtained pre-shared key through address 123.234.234.123.
// Obtained the pre-shared key by the peer address 123.234.234.123
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Matched peer test.
// Matched peer test under keychain fxm
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Searched for IKEv2 policy with VRF 0 and local address 123.234.234.124
// Searched for an IKEv2 policy matching VRF 0 and local address 123.234.234.124
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed SA payload.
// Constructed the SA payload
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Proposal 1
// Proposal substructure 1 of the SA payload
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform ENCR 3DES-CBC
// Transform substructure of the proposal: encryption algorithm 3DES
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform INTEG AUTH-HMAC-MD5-96
// Transform: integrity algorithm HMAC-MD5
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform PRF PRF-HMAC-MD5
// Transform: PRF algorithm HMAC-MD5
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform D-H 768-bit MODP/Group 1
// Transform: DH group 768-bit MODP/Group 1
*Oct 20 09:13:57:426 2014 Sysname IKEV2/7/FSM: -MDC=1; Computed DH public key by using 768-bit MODP/Group 1.
// Computed the DH public key using 768-bit MODP/Group 1
*Oct 20 09:13:57:426 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed KE payload.
// Constructed the KE payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NONCE payload.
// Constructed the NONCE payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NAT_DETECTION_SOURCE_IP.
// Constructed the NAT_DETECTION_SOURCE_IP notification payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NAT_DETECTION_DESTINATION_IP.
// Constructed the NAT_DETECTION_DESTINATION_IP notification payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: BUILD_INIT
// Current state machine state: BUILD_INIT
*Oct 20 09:13:57:446 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the INIT exchange response.
// IKE thread 3077876688 parses the INIT exchange response
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed response notification for IKE SA.
// Processed the notification in the response for the IKE SA
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed SA payload.
// Parsed and processed the SA payload
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed KE payload.
// Parsed and processed the KE payload
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed NAT discovery notification.
// Processed the NAT detection notification
*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/FSM: -MDC=1; DH key computation succeeded.
// DH key computation complete
*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/FSM: -MDC=1; Calculated SKEYSEED.
// Computed the key seed SKEYSEED
*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Sent IPsec SPI request.
// IKE requests an SPI from IPsec
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] IPsec SPI successfully obtained.
// Obtained the IPsec SPI successfully
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_INIT
// Current state machine state: PROC_INIT
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; SA_INIT exchange completed.
// SA_INIT exchange completed
*Oct 20 09:13:57:454 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the AUTH exchange request.
// IKE thread 3077876688 constructs the AUTH exchange request
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed IDi payload: 123.234.234.124 of type ID_IPV4_ADDR
// Constructed the IDi payload: type IPv4 address, value 123.234.234.124
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: INITIAL_CONTACT.
// Constructed the INITIAL_CONTACT notification payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Local authentication method is Pre-shared key.
// Local authentication method: pre-shared key
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Generated authentication data.
// Generated the authentication data
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed AUTH payload.
// Constructed the AUTH payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: ESP_TFC_PADDING_NOT_SUPPORTED.
// Constructed the ESP_TFC_PADDING_NOT_SUPPORTED notification payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NON_FIRST_FRAGMENTS_ALSO.
// Constructed the NON_FIRST_FRAGMENTS_ALSO notification payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: IKEV2_MESSAGE_ID_SYNC_SUPPORTED.
// Constructed the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notification payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed SA payload.
// Constructed the SA payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed TSi payload.
// Constructed the TSi payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed TSr payload.
// Constructed the TSr payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: BUILD_AUTH
// Current state machine state: BUILD_AUTH
*Oct 20 09:13:57:457 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the AUTH exchange response.
// IKE thread 3077876688 parses the AUTH exchange response from the responder
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed AUTH response notification.
// Processed the notification in the AUTH response
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed ID payload.
// Parsed the ID payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Verified peer policy.
// Verified the peer's IKEv2 policy
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Verified peer authentication data.
// Verified the peer's authentication data
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Peer authentication data passed verification.
// The peer's authentication data passed verification
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; AAA authorization was not configured in profile fxm.
// AAA authorization is not configured in profile fxm
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed NOTIFY payload IKEV2_MESSAGE_ID_SYNC_SUPPORTED.
// Processed the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notification payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_AUTH
// Current state machine state: PROC_AUTH (processing the AUTH exchange response)
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed response notification for Child SA.
// Processed the notification in the response for the Child SA
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed SA payload.
// Processed the SA payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed TSi payload.
// Processed the TSi payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed TSr payload.
// Processed the TSr payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Computed IPsec keying material.
// Computed the IPsec keying material
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Protected flow:
// Protected traffic follows
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Inbound: 123.234.234.123/32->123.234.234.124/32
// Inbound flow: 123.234.234.123/32->123.234.234.124/32
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Outbound: 123.234.234.124/32->123.234.234.123/32
// Outbound flow: 123.234.234.124/32->123.234.234.123/32
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Sent install IPsec sa request.
// IKE sent the install-IPsec-SA request to IPsec
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: ESTABLISHED
// Current state machine state: ESTABLISHED
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: CHILD_ESTABLISHED
// Current state machine state: CHILD_ESTABLISHED
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: READY
// Current state machine state: READY
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] Succeed to install IPsec SA.
// IPsec installed the SA successfully
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/TIMER: -MDC=1; (Tunnel ID 5): IKE SA lifetime timer (86400 sec) started.
// IKE SA lifetime timer started
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID: 5): No duplicate IKE SA found.
// No collision was detected during the negotiation
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): Deleted negotiation context.
// Deleted the negotiation context
*Oct 20 09:13:57:469 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed a job.
// IKE thread 3077876688 processes a job
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Send switch IPsec sa request.
// IKE sent the switch-SA request to IPsec
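A trace like the one above is long, and the questions a practitioner actually asks of it are short: which state did each tunnel reach, what did it offer, how long did the negotiation take, and did any ERROR line fire. The following Python summariser is an added example, not a tool shipped with the device. It applies regular expressions to lines in the format shown above (the line layout is assumed to be stable), attributes Transform and ERROR lines to the most recent tunnel whose state line was seen, which is correct for a single sequential negotiation like this trace but not when several tunnels negotiate at the same time, and compares an initiator's states against the sequence this trace shows. The success sample is excerpted from the trace above; the failed sample is constructed, combining two invented state lines for a tunnel 6 with the error line from the first example.

```python
import re
from datetime import datetime, timedelta

# Line shape: "*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; <message>" (assumed stable).
LOG_RE = re.compile(r"^\*(?P<mon>[A-Z][a-z]{2}) (?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d):(?P<ms>\d{3}) (?P<year>\d{4}) "
                    r"\S+ (?:IKEV2|IKE)/7/(?P<kind>\w+): -MDC=\d+; (?P<msg>.*)$")
STATE_RE = re.compile(r"\(Tunnel ID:? (?P<tid>\d+)\):?\s*\((?P<role>[IR])\) Current Status: (?P<state>\w+)")
TRANSFORM_RE = re.compile(r"^Transform (?P<type>ENCR|INTEG|PRF|D-H) (?P<id>.+)$")
# State sequence of a successful initiator negotiation, taken from the trace in the manual.
INITIATOR_PATH = ["IDLE", "BUILD_INIT", "PROC_INIT", "BUILD_AUTH", "PROC_AUTH",
                  "ESTABLISHED", "CHILD_ESTABLISHED", "READY"]


def _timestamp(m):
    base = datetime.strptime("%s %s %s %s" % (m["mon"], m["day"], m["hms"], m["year"]), "%b %d %H:%M:%S %Y")
    return base + timedelta(milliseconds=int(m["ms"]))


def summarize(lines):
    """Per tunnel: role, state sequence, transforms offered, elapsed time; plus the ERROR lines seen."""
    tunnels, errors, current = {}, [], None
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # prompts, ping output and "//" commentary are not log records
        msg = m["msg"]
        if m["kind"] == "ERROR":
            errors.append((current, msg))  # ERROR lines carry no tunnel ID: attributed to the last tunnel seen
            continue
        s = STATE_RE.search(msg)
        if s:
            current = int(s["tid"])
            t = tunnels.setdefault(current, {"role": s["role"], "states": [], "transforms": {}, "first": None})
            t["states"].append(s["state"])
            t["first"] = t["first"] or _timestamp(m)
            t["last"] = _timestamp(m)
            continue
        tm = TRANSFORM_RE.match(msg)
        if tm and current in tunnels:  # Transform lines follow the state line of the tunnel they belong to
            tunnels[current]["transforms"][tm["type"]] = tm["id"]
    for t in tunnels.values():
        t["complete"] = bool(t["states"]) and t["states"][-1] == "READY"
        t["missing"] = [s for s in INITIATOR_PATH if s not in t["states"]] if t["role"] == "I" else []
        t["duration_ms"] = int((t["last"] - t["first"]).total_seconds() * 1000)
    return tunnels, errors


# Excerpted from the internal-debug trace above (tunnel 5 negotiates successfully).
SUCCESS_TRACE = """
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: IDLE
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform ENCR 3DES-CBC
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform INTEG AUTH-HMAC-MD5-96
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform PRF PRF-HMAC-MD5
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform D-H 768-bit MODP/Group 1
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: BUILD_INIT
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_INIT
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: BUILD_AUTH
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_AUTH
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: ESTABLISHED
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: CHILD_ESTABLISHED
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: READY
""".strip().splitlines()

# Constructed: two invented state lines for tunnel 6, then the error line from the first example.
FAILED_TRACE = """
*Nov 24 05:40:16:301 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 6):(I) Current Status: IDLE
*Nov 24 05:40:16:320 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 6):(I) Current Status: BUILD_INIT
*Nov 24 05:40:16:391 2014 Sysname IKEV2/7/ERROR: -MDC=1; No proposal matched.
""".strip().splitlines()
```

For the excerpted trace, summarize() reports tunnel 5 as complete after all eight states in 56 ms with the four offered transforms; for the constructed failure it reports tunnel 6 stalled at BUILD_INIT, lists the states never reached, and pairs the error with that tunnel. Feeding it the whole of a captured debugging session rather than these excerpts requires nothing more than reading the file into a list of lines.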
# 在两个安全网关上配置了IKEv2协商类型的IPsec安全策略,若配置认证方法为预共享密钥认证,则当有流量触发协商时,打开IKEv2报文调试信息开关后将输出以下调试信息。
<Sysname> debugging ikev2 packet
Ping 123.234.234.123 (123.234.234.123): 56 data bytes, press CTRL_C to break
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// 打印载荷内容
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 44, Next payload: KE
// 当前SA载荷,载荷长度44,下一载荷为KE
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 40
// 当前proposal是SA载荷内唯一的proposal,载荷长度为40
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: IKE, SPI size: 0, Transform count: 4
// proposal编号为1,为IKE协议,SPI大小为0,包含4个Transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// 该Transform长度为8,不是最后一个Transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform类型为加密类型,3DES-CBC算法
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// 该Transform长度为8,不是最后一个Transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform类型为认证类型,AUTH-HMAC-MD5-96算法
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// 该Transform长度为8,不是最后一个Transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: PRF, Transform ID: PRF-HMAC-MD5
// Transform类型为Prf,为PRF-HMAC-MD5算法
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// 该Transform长度为8,为最后一个Transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: D-H, Transform ID: 768-bit MODP/Group 1
// Transform类型为DH算法,768-bit MODP/Group 1算法
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; KE, Length: 104, DH: 768-bit MODP/Group 1, Next payload: NONCE
// 当前载荷为KE,长度为104,采用768-bit MODP/Group 1算法,下一载荷为NONCE
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NONCE, Length: 36, Next payload: NOTIFY
// 当前载荷为NONCE,长度为36,下一载荷为NOTIFY
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_SOURCE_IP, Protocol: NO PROTOCOL, SPI size:0, Next payload: NOTIFY
// 当前载荷为NAT_DETECTION_SOURCE_IP通知载荷,长度为28,下一载荷为NOTIFY载荷
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_DESTINATION_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NO_PAYLOAD
// 当前载荷为NAT_DETECTION_DESTINATION_IP通知载荷,长度为28
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent packet to 123.234.234.123, Remote port 500, Local port 500.
// 向对端123.234.234.123发送报文,本端端口号为500,对端端口号为500
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: 0000000000000000
Message ID: 0
Exchange type: SA_INIT
Flags: REQUEST, INITIATOR
Next payload: SA, Length: 268
// 发起方SPI:e787e1a5584f87e6
// 响应方SPI:0000000000000000
// Message ID:0
// 交换类型:SA_INIT交换
// 标记:协商发起方,请求报文
// 下一个载荷:SA载荷,长度为268
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent an IPv4 packet.
// 发送IPv4报文
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Received packet from 123.234.234.123, Source port 500, Destination port 500.
// 收到对端123.234.234.123的IPv4报文,源端口号为500,目的端口号为500
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: e91e92c42120d7f0
Message ID: 0
Exchange type: SA_INIT
Flags: RESPONSE
Next payload: SA, Length: 276
// 发起方SPI:e787e1a5584f87e6
// 响应方SPI:e91e92c42120d7f0
// Message ID:0
// 交换类型:SA_INIT交换
// 标记:协商响应方
// 下一个载荷:SA载荷,长度为276
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// 打印载荷内容
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 44, Next payload: KE
// 当前载荷为SA载荷,长度44字节,下一载荷为KE
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 40
// SA载荷包含一个proposal子载荷,长度为40
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: IKE, SPI size: 0, Transform count: 4
// proposal 1,协议为IKE,SPI大小为0,包含4个Transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// 该Transform长度为8,不是最后一个Transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform类型为加密类型,3DES-CBC加密算法
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// 该Transform长度为8,不是最后一个Transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform类型为认证类型,AUTH-HMAC-MD5-96认证算法
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// 该Transform长度为8,不是最后一个Transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: PRF, Transform ID: PRF-HMAC-MD5
// Transform类型为Prf类型,为PRF-HMAC-MD5算法
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// 该Transform长度为8,是最后一个Transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: D-H, Transform ID: 768-bit MODP/Group 1
// Transform类型为DH类型,768-bit MODP/Group 1 算法
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; KE, Length: 104, DH: 768-bit MODP/Group 1, Next payload: NONCE
// 当前载荷为KE载荷,长度为104,采用768-bit MODP/Group 1算法,下一载荷为NONCE
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NONCE, Length: 36, Next payload: NOTIFY
// 当前载荷为NONCE载荷,长度为36,下一载荷为NOTIFY
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_SOURCE_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// 当前载荷为NAT_DETECTION_SOURCE_IP通知载荷,长度为28,下一载荷为NOTIFY载荷
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_DESTINATION_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// 当前载荷为NAT_DETECTION_DESTINATION_IP,长度28,下一载荷为NOTIFY载荷
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: HTTP_CERT_LOOKUP_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NO_PAYLOAD
// Current payload is an HTTP_CERT_LOOKUP_SUPPORTED notify payload, length 8; no payload follows
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Processed response with message ID 0, requests with IDs from 1 to 1 can be sent.
// Processed the INIT exchange response (message ID 0); the next request will use message ID 1
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Built packet for encryption.
// Building the packet that is to be encrypted
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// Dumping the payload content
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; IDi, Length: 12, Type: ID_IPV4_ADDR, Next payload: NOTIFY
// Current payload is IDi, length 12 bytes, type IPv4 address; next payload is NOTIFY
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: INITIAL_CONTACT, Protocol: NO PROTOCOL, SPI size: 0, Next payload: AUTH
// Current payload is an INITIAL_CONTACT notify payload, length 8; next payload is AUTH
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; AUTH, Length: 24, Method: Pre-shared key, Next payload: NOTIFY
// Current payload is AUTH, authentication method pre-shared key, length 24
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: ESP_TFC_PADDING_NOT_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload is an ESP_TFC_PADDING_NOT_SUPPORTED notify payload, length 8; next payload is NOTIFY
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: NON_FIRST_FRAGMENTS_ALSO, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload is a NON_FIRST_FRAGMENTS_ALSO notify payload, length 8; next payload is NOTIFY
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: IKEV2_MESSAGE_ID_SYNC_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: SA
// Current payload is an IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify payload, length 8; next payload is SA
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 40, Next payload: TSi
// Current payload is SA, length 40 bytes; next payload is TSi
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 36
// The SA payload carries one proposal, length 36
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: ESP, SPI size: 4, Transform count: 3
// Proposal 1, protocol ESP, SPI size 4, containing three transforms
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform is 8 bytes long and is not the last transform
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform type is integrity (INTEG); algorithm AUTH-HMAC-MD5-96
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform is 8 bytes long and is not the last transform
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform type is encryption (ENCR); algorithm 3DES-CBC
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// This transform is 8 bytes long and is the last transform
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ESN, Transform ID: NO ESN
// Transform type is ESN; value NO ESN (extended sequence numbers not used)
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSi, Length: 40, Selector count: 2, Next payload: TSr
// Current payload is TSi, containing 2 selectors; next payload is TSr
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 1, Length: 16
// Triggering-flow TSi: type TS_IPV4_ADDR_RANGE, protocol ICMP, length 16
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Triggering-flow TSi: start port 0, end port 65535
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124
// Triggering-flow TSi: address range 123.234.234.124 to 123.234.234.124
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// Configured-flow TSi: type TS_IPV4_ADDR_RANGE, protocol IPv4, length 16
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Configured-flow TSi: start port 0, end port 65535
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124
// Configured-flow TSi: address range 123.234.234.124 to 123.234.234.124
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSr, Length: 40, Selector count: 2, Next payload: NO_PAYLOAD
// Current payload is TSr, containing two selectors; no payload follows
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 1, Length: 16
// Triggering-flow TSr: type TS_IPV4_ADDR_RANGE, protocol ICMP, length 16
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Triggering-flow TSr: start port 0, end port 65535
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123
// Triggering-flow TSr: address range 123.234.234.123 to 123.234.234.123
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// Configured-flow TSr: type TS_IPV4_ADDR_RANGE, protocol IPv4, length 16
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Configured-flow TSr: start port 0, end port 65535
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123
// Configured-flow TSr: address range 123.234.234.123 to 123.234.234.123
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent packet to 123.234.234.123, Remote port 500, Local port 500.
// Sending the AUTH exchange request to the peer at 123.234.234.123; local port 500, remote port 500
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: e91e92c42120d7f0
Message ID: 1
Exchange type: AUTH
Flags: REQUEST, INITIATOR
Next payload: ENCRYPTED, Length: 244
// Initiator SPI: e787e1a5584f87e6
// Responder SPI: e91e92c42120d7f0
// Message ID: 1
// Exchange type: AUTH exchange
// Flags: initiator of the negotiation, request message
// Next payload: ENCRYPTED payload, length 244
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent an IPv4 packet.
// Sent an IPv4 packet
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Received packet from 123.234.234.123, Source port 500, Destination port 500.
// Received a packet from 123.234.234.123, source port 500, destination port 500
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: e91e92c42120d7f0
Message ID: 1
Exchange type: AUTH
Flags: RESPONSE
Next payload: ENCRYPTED, Length: 204
// Initiator SPI: e787e1a5584f87e6
// Responder SPI: e91e92c42120d7f0
// Message ID: 1
// Exchange type: AUTH exchange
// Flags: response message (sent by the responder)
// Next payload: ENCRYPTED payload, length 204
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// The payload content is dumped as follows
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload ENCRYPTED found.
// About to process the ENCRYPTED payload
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Integrity check passed.
// Integrity check passed
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; IDr, Length: 12, Type: ID_IPV4_ADDR, Next payload: AUTH
// Current payload is IDr, type IPv4 address, length 12; next payload is AUTH
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; AUTH, Length: 24, Method: Pre-shared key, Next payload: NOTIFY
// Current payload is AUTH, authentication method pre-shared key, length 24; next payload is NOTIFY
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: IKEV2_MESSAGE_ID_SYNC_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload is an IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify payload, length 8; next payload is NOTIFY
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: ESP_TFC_PADDING_NOT_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload is an ESP_TFC_PADDING_NOT_SUPPORTED notify payload, length 8; next payload is NOTIFY
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: NON_FIRST_FRAGMENTS_ALSO, Protocol: NO PROTOCOL, SPI size: 0, Next payload: SA
// Current payload is a NON_FIRST_FRAGMENTS_ALSO notify payload, length 8; next payload is SA
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 40, Next payload: TSi
// Current payload is SA, length 40; next payload is TSi
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 36
// The SA payload carries one proposal, length 36
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: ESP, SPI size: 4, Transform count: 3
// Proposal 1, protocol ESP, SPI size 4 bytes, containing 3 transforms
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform is 8 bytes long and is not the last transform
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform type is integrity (INTEG); algorithm AUTH-HMAC-MD5-96
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform is 8 bytes long and is not the last transform
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform type is encryption (ENCR); algorithm 3DES-CBC
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// This transform is 8 bytes long and is the last transform
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ESN, Transform ID: NO ESN
// Transform type is ESN; value NO ESN
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSi, Length: 24, Selector count: 1, Next payload: TSr
// Current payload is TSi, length 24, containing 1 selector; next payload is TSr
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// TSi type TS_IPV4_ADDR_RANGE, IP protocol 0, length 16
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// TSi start port 0, end port 65535
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124
// TSi address range 123.234.234.124 to 123.234.234.124
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSr, Length: 24, Selector count: 1, Next payload: NO_PAYLOAD
// Current payload is TSr, length 24, containing one selector; no payload follows
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// TSr type TS_IPV4_ADDR_RANGE, IP protocol 0, length 16
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// TSr port range 0 to 65535
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123
// TSr address range 123.234.234.123 to 123.234.234.123
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Processed response with message ID 1, requests with IDs from 2 to 2 can be sent.
// Processed the AUTH exchange response with message ID 1; the next request message's Message
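The trace above walks through the SA payload field by field: the "Last proposal" and "Last transform" flags, the proposal lengths 40 (IKE: 8-byte proposal header plus four 8-byte transforms) and 36 (ESP: header plus a 4-byte SPI plus three transforms), the SPI size and the transform count. As an added example that is not part of the H3C documentation, the Python below decodes an IKEv2 SA payload body using the RFC 7296 substructure layout, validates the length and "last" flags the trace annotates, rebuilds the two proposals from the trace (the ESP SPI value is a constructed placeholder, since the trace does not print it), and flags transforms that are weak by today's standards: 3DES-CBC, HMAC-MD5 and 768-bit MODP Group 1 all appear in this negotiation.

```python
"""Added example: decode an IKEv2 SA payload body (RFC 7296 s.3.3) into the
proposal/transform tree the debug output above prints, and flag weak transforms."""
import struct

PROTOCOL = {1: "IKE", 3: "ESP"}                                   # IANA protocol IDs
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "D-H", 5: "ESN"}
TRANSFORM_ID = {("ENCR", 3): "3DES-CBC", ("PRF", 1): "PRF-HMAC-MD5",
                ("INTEG", 1): "AUTH-HMAC-MD5-96", ("D-H", 1): "768-bit MODP/Group 1",
                ("ESN", 0): "NO ESN", ("ESN", 1): "ESN"}
WEAK = {"3DES-CBC", "PRF-HMAC-MD5", "AUTH-HMAC-MD5-96", "768-bit MODP/Group 1"}

def parse_sa_body(body):
    """Return [(proposal_num, protocol, spi, [(type, transform_id), ...]), ...]."""
    proposals, off = [], 0
    while off < len(body):
        # Proposal: last(1) reserved(1) length(2) num(1) protocol(1) spi_size(1) n_transforms(1)
        last, _, length, num, proto, spi_size, n_tr = struct.unpack_from("!BBHBBBB", body, off)
        if length < 8 + spi_size or off + length > len(body):
            raise ValueError("proposal length inconsistent with payload")
        spi, toff, transforms = body[off + 8:off + 8 + spi_size], off + 8 + spi_size, []
        for i in range(n_tr):
            # Transform: last(1) reserved(1) length(2) type(1) reserved(1) id(2) [attributes]
            tlast, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", body, toff)
            if tlast != (0 if i == n_tr - 1 else 3):  # "Last transform": 0x3 = more follow, 0 = last
                raise ValueError("transform 'last' flag disagrees with transform count")
            tname = TRANSFORM_TYPE.get(ttype, f"type-{ttype}")
            transforms.append((tname, TRANSFORM_ID.get((tname, tid), f"id-{tid}")))
            toff += tlen
        if toff != off + length or (last == 0) != (off + length == len(body)):
            raise ValueError("transforms do not fill proposal, or proposal 'last' flag wrong")
        proposals.append((num, PROTOCOL.get(proto, f"proto-{proto}"), spi, transforms))
        off += length
    return proposals

def audit(proposals):
    """Sorted names of negotiated transforms that are deprecated or weak today."""
    return sorted({n for *_, trs in proposals for _, n in trs if n in WEAK})

def build_proposal(num, proto, spi, transforms):
    """Encode one (last) proposal whose transforms carry no attributes (8 bytes each)."""
    tr = b"".join(struct.pack("!BBHBBH", 0 if i == len(transforms) - 1 else 3, 0, 8, t, 0, tid)
                  for i, (t, tid) in enumerate(transforms))
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(tr), num, proto, len(spi),
                       len(transforms)) + spi + tr

# Constructed inputs mirroring the trace: the IKE proposal (SPI size 0, 4 transforms -> 40 bytes)
# and the ESP proposal (SPI size 4, 3 transforms -> 36 bytes); the ESP SPI value is a placeholder.
IKE_PROPOSAL = build_proposal(1, 1, b"", [(1, 3), (3, 1), (2, 1), (4, 1)])
ESP_PROPOSAL = build_proposal(1, 3, bytes.fromhex("0a0b0c0d"), [(3, 1), (1, 3), (5, 0)])
```

Running `parse_sa_body` on either constant yields the same proposal, protocol, SPI size and transform list that the debug lines print, and `audit` lists every transform in this trace as weak except `NO ESN`.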