06

2024
08
14:02:16

h3c IPsec Debug (二) （ipsec 整个协商过程，用于学习和排错用很不错）

2 IKE

2.1 IKE调试命令

2.1.1 debugging ike

【命令】

debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ]

undo debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet }

【缺省情况】

IKE调试信息开关处于关闭状态。

【视图】

用户视图

【缺省用户角色】

network-admin

【参数】

all：表示所有IKE调试信息开关。

dpd：表示DPD调试信息开关。

error：表示错误调试信息开关。

event：表示事件调试信息开关。

keepalive：表示keepalive调试信息开关。

nat-keepalive：表示NAT keepalive调试信息开关。

packet：表示报文调试信息开关。

remote-address：根据对端地址过滤调试信息。

local-address：根据本端地址过滤调试信息。

ipv4-address：表示IPv4地址。

ipv6 ipv6-address：表示IPv6地址。

remote-port port-number：根据对端端口号过滤调试信息，port-number为对端端口号，取值范围0～65535。

vpn-instance vpn-instance-name：根据私网地址成员所属的VPN实例过滤调试信息。vpn-instance-name为MPLS L3VPN的VPN实例名称，为1～31个字符的字符串，区分大小写。如果未指定本参数，则表示私网地址成员不属于任何一个VPN。

【使用指导】

debugging ike 命令用来打开IKE调试开关。undo debugging ike命令用来关闭IKE调试信息开关。

表2-1 debugging ike error命令输出信息描述表

字段	描述
Failed to verify the peer signature.	对端签名验证失败
HASH payload is missing.	未在IKE报文中找到HASH载荷
Failed to verify the peer HASH.	对端HASH验证失败
Signature payload is missing.	未在IKE报文中找到签名载荷
Invalid SPI length (length) in DPD packet.	DPD报文中的SPI长度无效，长度为length
Invalid I-Cookie in DPD packet: I-Cookie	DPD报文中的I-Cookie无效，I-Cookie的值为I-Cookie
Invalid R-Cookie in DPD packet: R-Cookie	DPD报文：R-Cookie无效，R-Cookie的值为R-Cookie
The length (length) of DPD sequence number is invalid.	DPD序列号的长度无效，长度为length
Invalid DPD sequence number (number).	DPD序列号无效，序列号的值为number
DPD packet retransmission timed out.	DPD报文的重传已超时
Invalid IPv4 address length (length).	无效的IPv4地址长度，长度为length
Invalid IPv6 address length (length).	无效的IPv6地址长度，长度为length
Invalid ID of IPv4 address type: ID-IPv4	IPv4地址类型的身份无效，身份的值为ID-IPv4
Invalid ID of IPv6 address type: ID-IPv6	IPv6地址类型的身份无效，身份的值为ID-IPv6
Invalid FQDN ID length (length).	FQDN类型的身份长度无效，长度为length
Invalid user FQDN ID length (length).	User FQDN类型的长度身份无效，长度为length
Failed to get DN because the certificate doesn't exist.	获取DN失败，因为证书不存在
Failed to get ID data for constructing ID payload.	构造ID载荷时获取ID数据失败
Invalid ID payload with protocol protocol-number and port port-number.	无效的ID载荷，ID载荷中的协议号为protocol-number，端口号为port-number
Invalid ID type (ID-type).	身份类型无效，身份类型值为ID-type
Failed to find proposal proposal-number in profile profile-name.	在名称为profile-name的IKE profile中没有找到编号为proposal-number的proposal
Failed to verify HASH for informational exchange.	验证informational exchange报文中的HASH失败
Failed to construct delete payload.	构造delete载荷失败
Invalid SPI length.	SPI长度无效
Protocol ID (ID) in delete payload is invalid.	delete载荷中的协议ID无效，协议号为ID
KE payload doesn’t exist.	KE载荷不存在
Invalid KE payload length (length).	KE载荷的长度无效，长度为length
Failed to construct notification payload for keepalive.	发送keepalive报文时构造notification载荷失败
Length (length) of the sequence number in keepalive packet is invalid.	Keepalive报文中的序列号长度无效，长度为length
Length (length) of the HASH payload in keepalive packet is invalid.	Keepalive报文中的HASH载荷长度无效，长度为length
Failed to calculate HASH for verification of keepalive packet.	验证keepalive报文时，本端计算HASH失败
Failed to add sequence number to keepalive packet.	构造keepalive报文时，添加序列号失败
Failed to calculate HASH for keepalive.	构造keepalive报文时，计算HASH失败
Failed to float port.	切换端口失败
Length (length) of the nonce payload is invalid.	Nonce载荷的长度无效，长度为length
Failed to parse the certificate request payload.	解析证书请求载荷失败
No available proposal.	没有找到可用的proposal
Failed to get certificate.	获取证书失败
Failed to get private key.	获取私钥失败
Failed to construct ID payload.	构造IPsec身份载荷失败
Failed to calculate hash-name.	计算HASH失败，HASH名称为hash-name
Failed to validate hash-name.	验证HASH失败，HASH名称为hash-name
Failed to compute key material.	计算密钥材料失败
Failed to install IPsec SA.	安装IPsec SA失败
The nonce payload doesn't exist.	Nonce载荷不存在
The KE payload doesn't exist.	KE载荷不存在
No valid DH group description in SA payload.	SA载荷中没有有效的DH group
There are too many KE payloads.	KE载荷太多，
The length of the KE payload does't match the DH group description.	KE载荷的长度和用于PFS的DH group描述不匹配
Failed to construct NAT-OA payload.	构造NAT-OA载荷失败
Failed to construct RESPONDER_LIFETIME payload.	构造RESPONDER_LIFETIME载荷失败
Failed to construct KE payload.	构造KE载荷失败
Failed to pad for encryption.	加密报文前的填充失败
Failed to send data. Reason: error-reason.	发送报文失败，错误原因为error-reason
No enough space in the packet for Non-ESP marker.	报文超大，不能添加Non-ESP标记
Failed to decrypt the packet.	解密报文失败
Non-zero message ID (Message-ID) in phase 1.	一阶段的Message ID不为0，其值为Message-ID
I-Cookie must not be zero.	I-Cookie不能为0
The first packet of phase 1 is invalid: Encryption bit is set.	一阶段的第一条报文无效：报文的加密标识为已使能
The first packet of phase 1 is invalid: Non-zero R-Cookie.	一阶段的第一条报文无效：报文的R-Cookie不为0
Failed to parse phase 1 packet. Reason reason.	解析一阶段的IKE报文失败，原因为reason，可能的取值包括： · INVALID_PAYLOAD_TYPE：载荷类型无效 · DOI_NOT_SUPPORTED：不支持的DOI字段 · SITUATION_NOT_SUPPORTED：不支持的situation字段 · INVALID_COOKIE：cookie无效 · INVALID_MAJOR_VERSION：主版本号无效 · INVALID_MINOR_VERSION：次版本号无效 · INVALID_EXCHANGE_TYPE：交换类型无效 · INVALID_FLAGS：标识无效 · INVALID_MESSAGE_ID：message ID无效 · INVALID_PROTOCOL_ID：提议号无效 · INVALID_SPI：SPI无效 · INVALID_TRANSFORM_ID：transform ID无效 · ATTRIBUTES_NOT_SUPPORTED：不支持的属性 · NO_PROPOSAL_CHOSEN：没有匹配的提议 · BAD_PROPOSAL_SYNTAX：提议语法错误 · PAYLOAD_MALFORMED：载荷格式错误 · INVALID_KEY_INFORMATION：密钥信息无效 · INVALID_ID_INFORMATION：身份无效 · INVALID_CERT_ENCODING：证书编码无效 · INVALID_CERTIFICATE：证书无效 · CERT_TYPE_UNSUPPORTED：不支持的证书类型 · INVALID_CERT_AUTHORITY：证书认证失败 · INVALID_HASH_INFORMATION：HASH无效 · AUTHENTICATION_FAILED：认证失败 · INVALID_SIGNATURE：签名无效 · ADDRESS_NOTIFICATION：地址通知 · NOTIFY_SA_LIFETIME：SA生命周期通知 · CERTIFICATE_UNAVAILABLE：证书不可用 · UNSUPPORTED_EXCHANGE_TYPE：不支持的交换类型 · UNEQUAL_PAYLOAD_LENGTHS：载荷长度不相等
The packet is dropped because of not being encrypted	丢弃报文，因为报文没有加密
Failed to parse informational exchange packet. Reason reason.	解析informational exchange报文失败，原因是reason reason取值同上
Failed to parse keepalive packet because of reason.	解析keepalive报文失败，原因是reason reason取值同上
Unsupported exchange type (type) in packet.	不支持的交换类型type，取值包括： · None：不存在的交换类型 · Base：基础交换类型 · Main：主模式交换类型 · AO：Authenticaton Only交换类型 · Aggressive：野蛮模式交换类型 · Info：infomational exchange交换类型 · Mode cfg：配置模式交换类型
Invalid Non-ESP marker: marker.	无效的Non-ESP标识：marker
The received packet is too short, which is length bytes.	收到报文的长度太小，长度为length
Failed to receive packet.	接收报文失败
Failed to bind UDP port port-number. Reason: reason.	绑定UDP端口失败，端口号为port-number，错误原因为reason
Failed to set UDP port port-number. Reason: reason.	设置UDP端口失败，端口号为port-number，错误原因为reason
Failed to add UDP port port-number to epoll.	添加UDP端口到epoll失败，端口号为：port-number
Failed to initiate UDP port port-number. Error code: error-number.	初始化UDP端口失败，端口号为port-number，错误码为error-number
byte-numberth byte of the structure struct-name must be 0.	结构struct-name的第byte-number个字节必须为0
Field-name of struct-name has an unknown value: value.	结构struct-name的域field-name的值value无效
field-name of struct-name has unknown members.	结构struct-name的域field-name包含未知的成员
No enough bytes to get data2 from data1.	没有足够的空间来保存从数据data1中获取的数据data2
No enough space in output packet for struct-name.	报文中没有足够的空间用于保存结构struct-name
No enough space to place length bytes of data-name in struct-name.	结构struct-name中没有足够的空间用于保存length字节的数据
No enough space to place data-name in struct-name.	结构struct-name中没有足够的空间保存数据data-name
Failed to add the HASH payload.	添加HASH载荷失败
Ignored the certificate request of type type-id.	忽略证书请求，证书请求的类型为type-id
Failed to get the certificate and key by certificate request.	根据证书请求获取证书和密钥失败
Failed to verify the peer certificate. Reason: error-string.	验证对端证书失败，错误原因为error-string
Failed to find keychain keychain-name in profile profile-name.	在IKE profile profile-name中查找keychain keychain-name失败
Failed to create IKE SA with core data.	根据核心数据创建一阶段SA失败
Failed to create IPsec SA with core data.	根据核心数据创建二阶段SA失败
Failed to receive smooth SA ACK from IPsec.	从IPsec接收SA平滑处理的应答失败
Number of negotiating IKE SAs exceeded the limit.	正在协商的IKE SA的数目超出限制
Number of established IKE SAs exceeded the limit.	已经建立的IKE SA的数目超出限制
Attribute attribute-name is repeated.	属性重复，属性名称为attribute-name
Failed to construct situation.	构造situaton字段失败
Failed to construct proposal payload.	构造proposal载荷失败
Failed to construct transform payload.	构造transform载荷失败
Failed to construct attributes.	构造属性失败
Unsupported DOI doi	不支持的DOI doi
Proposal payload must be the last payload in SA payload, but payload-name payload is found following proposal payload.	proposal载荷必须是SA载荷中的最后一个载荷，但在proposal载荷之后还有payload-name载荷
Unexpected protocol ID (ID-type) found in proposal payload.	proposal载荷中的协议ID无效，协议ID号为ID-type
Invalid SPI length (SPI-length) in proposal payload.	proposal载荷中的SPI长度无效
No transform payload in proposal payload.	proposal载荷中没有transform载荷
Transform number is not monotonically increasing.	Transform号不是单调递增的
Invalid transform ID: id.	无效的transform ID：id
No acceptable transform.	没有可以接受的transform
Unexpected payload-name payload in proposal.	proposal载荷中有不期望出现的载荷payload-name
Only one transform is permitted in one proposal, but trans-count transforms are found.	在选中的proposal载荷中只允许有一个transform，但实际有trans-count个
Failed to parse the IKE SA payload.	解析IKE SA载荷失败
Proposal payload has more transforms than specified in the proposal payload.	proposal载荷中的transform载荷数量比proposal载荷中指定的数量多
Proposal payload has fewer transforms than specified in the proposal payload.	proposal载荷中的transform载荷数量比proposal载荷中指定的数量少
Invalid next payload (payload-type) in transform payload.	transform载荷中的next payload字段无效，载荷类型为payload-type
SA_LIFE_TYPE attribute must be in front of the SA_LIFE_DURATION attribute.	SA_LIFE_TYPE属性必须在SA_LIFE_DURATION属性前面
Attribute attribute-type is repeated in IPsec transform trans-number.	属性类型为的attribute-type属性在IPsec transform中重复，transform号为trans-number
SA_LIFE_TYPE attribute is repeated in packet.	属性SA_LIFE_TYPE在报文中重复
Unsupported IPsec attribute attribute.	不支持的IPsec属性attribute
SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message.	报文中的IPsec属性SA_LIFE_TYPE后面没有SA_LIFE_DURATION属性
Encapsulation mode must be specified in IPsec transform.	IPsec transform中必须指定封装模式
AUTH_ALGORITHM attribute is missing in AH transform.	在AH协议的transform中没有AUTH_ALGORITHM属性
Transform ID (id) in transform trans-number doesn't match authentication algorithm auth-algo-name (auth-algo-value).	transform中的transform ID和认证算法不匹配，transform号为trans-number，transform ID为id，认证算法为auth-algo-name，其值为auth-algo-value
Neither encryption algorithm nor authentication algorithm is specified in ESP proposal, which is not permitted.	ESP proposal中既没有加密算法也没有认证算法，这是不允许的
Unsupported ESP transform.	不支持的ESP transform
Unsupported ESP authentication algorithm.	不支持的ESP认证算法
IPsec proposal with improper SPI size (size).	IPsec proposal中的SPI大小错误，SPI大小为size
IPsec proposal contains invalid SPI (SPI).	IPsec proposal中的SPI无效，其值为SPI
Failed to get SPI from IPsec proposal.	从IPsec proposal中获取SPI失败
No transform in IPsec proposal.	IPsec proposal中没有transform
SA payload contains more than one AH proposal with the same proposal number.	SA载荷中有多个AH协议的proposal对应同一个proposal号
SA payload contains more than one ESP proposal with the same proposal number.	SA载荷中有多个ESP协议的proposal对应同一个proposal号
Invalid next payload (payload-type-num) in proposal.	Proposal载荷中的next payload字段无效，其类型值为payload-type-num
Unsupported IPsec DOI situation (situation-num).	不支持的IPsec DOI situation，其类型值为situation-num
Invalid IPsec proposal proposal-number.	无效的IPsec proposal，proposal号为proposal-number
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA.	在重协商IPsec SA时获取IPsec策略失败，删除 IPsec SA
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.	作为二阶段协商的响应方时，获取IPsec策略失败，删除IPsec SA
No HASH in notification payload.	在notification载荷中没有HASH
Failed to send message to IPsec when getting SPI.	获取SPI时向IPsec发消息失败
Failed to send message to IPsec when adding SA.	添加SA时向IPsec发消息失败
Failed to send message to IPsec when deleting SA.	删除SA时向IPsec发消息失败
Failed to send message to IPsec when getting SP.	获取SP时向IPsec发消息失败
Failed to send message to IPsec when adding DPD.	添加DPD时向IPsec发消息失败
Failed to send message to IPsec when updating DPD.	升级DPD时向IPsec发消息失败
Failed to send message to IPsec when deleting DPD.	删除DPD时向IPsec发消息失败
Failed to send message to IPsec when switching SA.	切换SA时向IPsec发消息失败
Failed to negotiate IKE SA.	协商IKE SA失败
Failed to negotiate IPsec SA.	协商IPsec SA失败
Errstring. Attribute attribute-name.	错误原因为errstring。相关的属性名称为attribute-name Errstring的内容包括： · Unsupported encryption algorithm: enc-alg：不支持的加密算法enc-alg · Unsupported HASH algorithm: hash-alg：不支持的HASH算法hash-alg · Unsupported authentication method: auth-meth：不支持的认证方法auth-meth · Unsupported DH group: group-name：不支持的DH group group-name · Unsupported lifetime type: lifetime-type：不支持的生命周期类型lifetime-type · OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute.：OAKLEY_LIFE_DURATION属性没有在OAKLEY_LIFE_TYPE属性之前 · OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute：OAKLEY_KEY_LENGTH属性没有在OAKLEY_ENCRYPTION_ALGORITHM属性之前 · OAKLEY_KEY_LENGTH attribute not match OAKLEY_ENCRYPTION_ALGORITHM.：OAKLEY_KEY_LENGTH属性和OAKLEY_ENCRYPTION_ALGORITHM属性不匹配 · Failed to get encryption algorithm：获取加密算法失败 · Unsupported OAKLEY attribute attribute：不支持的OAKLEY属性attribute
Failed to match the proposal.	匹配proposal失败
Received invalid SPI message from IPsec, but no IKE SA exists.	收到IPsec的invalid SPI消息，但是没有IKE SA
Failed to get subject name from certificate.	从证书中获取主题名失败
Failed to get local certificate.	获取本地证书失败
Failed to send notification packet for deleting IPsec SA, because of no corresponding IKE SA.	删除IPsec SA时发送notification报文失败，因为没有找到对应的IKE SA
Failed to construct certificate request payload.	构造证书请求载荷失败
Unsupported attribute attribute-type.	不支持的属性，属性类型为attribute-type
Invalid major version(version).	主版本号无效，主版本号为version
Constructed SA payload.	构造SA载荷
Failed to get UDP socket.	获取UDP socket失败
Failed to parse the Cert Request payload.	解析证书请求消息失败
No available proposal.	没有可用的安全提议
Obtained profile ProfileName.	获取到名为ProfileName的安全profile
Deleted GDOI GM IKE SA.	删除GDOI GM IKE SA

表2-2 debugging ike event命令输出信息描述表

字段	描述
Signature verification succeeded.	验证签名成功
HASH verification succeeded.	验证HASH成功
Delete IPsec SAs.	删除IPsecSA
Delete IKE SA with connection ID id.	删除IKE SA，connection ID为id
Update DPD configuration in IKE SA.	更新一阶段SA中的DPD配置
Notify IPsec to add DPD.	通知IPsec添加DPD
Notify IPsec to delete DPD.	通知IPsec删除DPD
Notify IPsec to update DPD.	通知IPsec更新DPD
Process interface interface-type interface-num active event.	处理接口激活事件，接口名为interface-type interface-num
Process interface interface-name deactive event.	处理接口去激活事件，接口名为interface-type interface-num
Process interface interface-name delete event.	处理接口删除事件，接口名为interface-type interface-num
The board chassis chassis-num slot slot-num is inserted.	单板插入chassic-number号成员设备的slot-number号槽位中
Protocol/port in phase 1 ID payload is protocol-number/port-number, which is acceptable.	一阶段ID载荷中的协议号/端口号为protocol-number/port-number，它们是可接受的
Begin to construct IPsec SA delete packet.	开始构造二阶段SA delete报文
Delete IKE SA with connection ID id.	删除一阶段SA，connection ID为id
Received IPsec SA delete packet.	收到二阶段SA delete报文
Process delete payload.	处理delete载荷
Ignore delete payload: packet not encrypted or IKE SA not established.	忽略delete载荷：报文没有加密或者一阶段SA没有建立
Received SA acquire message from IPsec.	收到IPsec的SA请求消息
Received IPsec capability.	收到IPsec规格
Received smooth IPsec SA ACK.	收到平滑IPsec SA的应答
IKE keepalive timed out. Delete IKE SA with connection ID id.	IKE Keepalive定时器超时，删除一阶段SA，connection ID为id
Reset IKE keepalive timeout timer. New time value is time	重置IKE Keepalive超时定时器，新的时间值为time
I am behind NAT.	我在NAT设备之后
Peer is behind NAT.	对端在NAT设备之后
No need to float port.	不需要切换端口
Float port to local port local-port and remote port remote-port	切换端口，本端端口为local-port，对端端口为remote-port
Sending DPD packet of type type with sequence number seq-no.	发送type类型的DPD报文，序列号为seq-no
Delete IKE SA by received notification.	根据错误通知报文删除一阶段SA
INITIAL-CONTACT message is dropped because of not being encrypted.	INITIAL-CONTACT未加密，丢弃它
Delete redundant SA.	删除多余的SA
Length (length) of notification packet is invalid.	notification报文的长度无效，长度为length
Protocol-ID (ID) of notification packet is unsupported.	不支持notification报文中的协议号：ID
Notification notification-name is received.	收到通知报文notification-name
Inbound flow: dst-addr->src-addr	入方向流量：目的地址->源地址
Outbound flow: src-addr->dst-addr	出方向流量：源地址->目的地址
Validated hash-name successfully.	验证HASH成功，HASH名称为hash-name
Getting IPsec message timed out. Delete IPsec SA.	获取IPsec消息超时，删除二阶段SA
Protocol: protocol	安全协议为protocol（AH或ESP）
Inbound SPI: in-spi	入方向SPI值为in-spi
Outbound SPI: out-spi	出方向SPI值为out-spi
Install IPsec SAs.	下发IPsec SA
Lifetime in seconds: seconds	SA的生命周期为seconds秒
Lifetime in kilobytes: bytes	SA的生命周期为bytes字节
Phase 2 Exchange chooses role: Local is initiator.	二阶段协商选择角色：本端为发起方
Phase 2 Exchange chooses role: Local is responder.	二阶段协商选择角色：本端为响应方
Begin Quick mode exchange.	开始进行快速模式协商过程
No enough space to send packet.	没有足够的空间来发送报文
Retransmittion of phase 1 packet timed out.	重传一阶段报文超时
Ignore phase 1 packet retransmit timeout event.	忽略一阶段报文重传超时事件
Retransmittion of phase 2 packet timed out.	重传二阶段报文超时
Ignore phase 2 packet retransmit timeout event.	忽略二阶段报文重传超时事件
Phase 1 Exchange chooses role: Local is initiator.	一阶段协商选择角色：本端为发起方
Phase 1 Exchange chooses role: Local is responder.	一阶段协商选择角色：本端为响应方
Phase 1 packet is malformed: Not starting with an SA payload.	一阶段报文格式错误：没有以SA载荷开始
Phase2 packet is malformed: Not starting with an HASH payload.	二阶段报文格式错误：没有以HASH载荷开始
Quick mode packet is received, but IKE SA does not exist.	收到快速模式的报文，但一阶段SA不存在
Quick mode packet is received, but IKE SA is incomplete.	收到快速模式的报文，但一阶段SA不完整
Ignored delete SA payload because the IKE SA is not established.	忽略删除SA的报文，因为IKE SA不存在
Ignored delete SA payload because the packet is not encrypted.	忽略删除SA的报文，因为报文没有加密
Received informational exchange packet, but IKE SA is inexistent or incomplete.	收到information exchange报文，但是一阶段SA不存在或者不完整
Received keepalive packet, but IKE SA is not existed.	收到IKE keepaclive报文，但是一阶段SA不存在
Received keepalive packet, but it is not encrypted.	收到IKE keepaclive报文，但是它没有加密
Received keepalive packet, but IKE SA is incomplete.	收到IKE keepaclive报文，但是一阶段SA不完整
Ignore NAT keepalive packet.	忽略NAT keepalive报文
Initialize UDP port.	初始化UDP端口
PKI data had been changed.	PKI数据已经有所变化
Found pre-shared key that matches address address in keychain keychain-name.	在keychain keychain-name中找到了预共享密钥，该预共享密钥与地址address匹配
Pre-shared key matching address address not found.	根据地址address无法找到匹配的预共享密钥
Found keychain keychain-name in profile profile-name successfully.	成功在IKE profile profile-name中找到keychain keychain-name
Get profile profile-name.	获取IKE profile profile-name
Initiator created an SA for peer address, local port local-port, remote port remote-port.	发起方创建SA，对端地址为address，本端端口为local-port，对端端口为remote-port
Set IKE SA state to state-name.	设置一阶段SA状态为state-name
IKE SA state changed from state1 to state2.	一阶段SA状态从state1转换到state2
Set IPsec SA state to state-name.	设置二阶段SA状态为state-name
IPsec SA state changed from state1 to state2.	二阶段SA状态从state1转换到state2
Responder created an SA for peer address, local port local-port, remote port remote-port.	发起方创建SA，对端地址为address，本端端口为local-port，对端端口为remote-port
Delete IPsec SA.	删除二阶段SA
Oakley transform trans-number is acceptable.	Oakley transform是可接受的，transform号为trans-number
Begin mode mode exchange.	开始mode模式的IKE协商
IKE SA not found. Initiate IKE SA negotiation.	没有一阶段SA，发起一阶段SA的协商
IKE SA is prepared for renegotiation.	一阶段SA已经准备好进行重协商
IKE SA is expired.	一阶段SA生命周期到达
Renegotiation has already started for this IKE SA.	该IKE SA的重协商已经开始
IKE SA with connection ID connection-id has expired, and it will be deleted.	一阶段SA生命周期到达，将其删除，connection ID为connection-id
IPsec SA is being negotiated.	二阶段SA正在协商
IPsec SA has expired and will be deleted.	生命周期到达，删除二阶段SA
IKE thread thread-id processes a job.	IKE线程thread-id处理一个job
IKE thread thread-id processes a CTL-Queue msg.	IKE线程thread-id处理一个控制队列消息
Vendor ID verdor-id is matched.	匹配上vendor ID verdor-id
No vendor ID is matched.	没有匹配的verdor ID
IKE SA is soft expired(Timer handle: %u, Icookie: %s), renegotiate IKE SA.	IKE SA时间软超时，将发起重协商
IKE SA is soft expired(Timer handle: %u, Icookie: %s), no need to renegotiate IKE SA.	IKE SA时间软超时，无需发起重协商
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), will be renegotiated.	IPsec SA时间软超时，将发起重协商
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), no need to renegotiate.	IPsec SA时间软超时，无需发起重协商
IPsec SA is traffic expired(SPI:%u), will be renegotiated.	IPsec SA流量软超时，将发起重协商
IPsec SA is traffic expired(SPI:%u), no need to renegotiate.	IPsec SA流量软超时，无需发起重协商
Succeed to set responder-only flag for P1SA.	成功设置一阶段SA的responder-only标识
Succeed to set responder-only flag for P2SA.	成功设置二阶段SA的responder-only标识

表2-3 debugging ike packet命令输出信息描述表

字段	描述
Construct authentication data by pre-shared key.	根据预共享密钥生成认证数据
Verify HASH payload.	验证HASH载荷
Construct authentication data by private key.	根据私钥生成认证数据
Verify signature payload.	验证签名载荷
DPD packet with sequence number sequence-number is received.	收到DPD报文，序列号为：sequence-number
Retransmit DPD packet.	重传DPD报文
Peer ID value: address address.	对端ID值：地址address
Peer ID value: FQDN fqdn.	对端ID值：FQDN fqdn
Peer ID value: User FQDN user-fqdn.	对端ID值：User FQDN user-fqdn
Peer ID value: DN DN-value	对端ID值：DN，DN的内容为DN-value
Peer ID type: ID-type (value).	对端ID类型：ID-type，类型的值为value
Local ID type: ID-type (value).	本端ID类型：ID-type，类型的值为value
Local ID value: ID-value.	本端ID值：ID-value
Construct ID payload.	构造ID载荷
The profile profile-name is matched.	匹配到profile为profile-name
No profile is matched.	没有匹配到profile
Process ID payload.	处理ID载荷
Construct notification packet: notification-type.	构造notification报文：notification-type
Construct delete payload.	构造delete载荷
The phase 1 delete packet is received.	收到一阶段delete报文
The cookies' length (length) is invalid.	Cookies的长度length无效
Construct KE payload.	构造KE载荷
Process KE payload.	处理KE载荷
Send keepalive packet with sequence number sequence-number.	发送IKE keepalive报文，序列号为sequence-number
Process keepalive packet with sequence number sequence-number.	处理IKE keepalive报文，序列号为sequence-number
Construct NAT-D payload.	构造NAT-D载荷
Received count NAT-D payloads.	收到NAT-D载荷，数量为count
Construct NONCE payload.	构造NONCE载荷
Process NONCE payload.	处理NONCE载荷
Construct INITIAL-CONTACT payload.	构造INITIAL-CONTACT载荷
Construct SA payload.	构造SA载荷
Construct IPsec ID payload.	构造IPsec ID载荷
Process HASH payload.	处理HASH载荷
Construct IPsec SA payload.	构造IPsec SA载荷
Construct HASH(3) payload.	构造HASH(3)载荷
Process IPsec ID payload.	处理IPsec ID载荷
Construct NAT-OA payload.	构造NAT-OA载荷
Process NAT-OA payload: address.	处理NAT-OA载荷，地址为address
Received count NAT-OA payloads.	收到NAT-OA载荷，数量为count
Construct IPsec RESPONDER_LIFETIME payload.	构造IPsec RESPONDER_LIFETIME载荷
Construct HASH(1) payload.	构造HASH(1)载荷
Collision of phase 2 negotiation is found.	二阶段协商发生碰撞
Construct HASH(2) payload.	构造HASH(2)载荷
I-Cookie: icookie R-Cookie: rcookie next payload: next-payload version: version exchange mode: mode flags: [flag] message ID: mid length: length	· 发起方cookie：icookie · 响应方cookie：rcookie · 下一个载荷：next-payload · ISAKMP版本：version · 协商模式：mode · 标识为：flag · Message ID：mid · 报文长度：length
Encrypt the packet.	对报文进行加密
Received payload-name.	收到载荷payload-name
Sending packet to address, remote port remote-port, local port local-port.	发送报文到地址address，对端端口号为remote-port，本端端口号为local-port
Sending an IPv4 packet.	发送一个IPv4报文
Sending an IPv6 packet.	发送一个IPv6报文
Retransmit phase 1 packet.	重传一阶段报文
Retransmit phase 2 packet.	重传二阶段报文
Retransmit in response to duplicate packet.	针对对端重发的报文，重传对应的响应报文
Discard duplicate packet because of exhausted retransmission.	本端重传次数已达到最大，不再响应该重复的报文，将其丢弃
Discard duplicate packet with no response.	丢弃对端重复发送的报文，不进行响应
Collision of phase 1 negotiation is found.	一阶段协商发生碰撞
Decrypt the packet.	对报文进行解密
Begin a new phase 1 negotiation as responder.	作为响应方，开始加入一个新的一阶段协商过程
Parse informational exchange packet successfully.	成功解析informational exchange报文
Received packet from address source port source-port destination port des-port.	收到的来自address的报文，源端口为source-port，目的端口为des-port
Skipping length raw bytes of name1 to get name2.	跳过载荷name1的length字节，去获取下一个载荷name2
Add certificate request payload subjectname.	添加证书请求载荷，主题名为subjectname
Construct certificate request payload.	构造证书请求载荷
Received certificate request payload that contains issuer name issuer-name.	收到证书请求载荷，签发者名为issuer-name
Process certificate request payload.	处理证书请求载荷
The certificate request payload is empty.	证书请求载荷是空的
Construct certificate payload.	构造证书载荷
The profile profile-name is matched by remote certificate.	通过对端证书匹配到一个IKE profile profile-name
Process certificate payload.	处理证书载荷
Encryption algorithm is enc-algo.	加密算法为enc-algo
HASH algorithm is hash-algo.	HASH算法为hash-algo
Authentication method is auth-method.	认证方法为auth-method
DH group is group.	DH group为group
Lifetime type is type.	生命周期类型为type，type值为： · in seconds：时间生命周期 · in kilobytes：字节生命周期
Life duration is value.	生命周期为value
Key length is length bytes.	密钥长度为length字节
Check ISAKMP transform trans-number.	检查ISAKMP transform，transform号为trans-number
Attributes is acceptable.	属性是可接受的
Construct transfrom payload for transform trans-number.	构造transform载荷，transform号为trans-number
Encapsulation mode is mode.	封装模式为mode，mode取值包括： · Tunnel：隧道模式 · Transport：传输模式 · Tunnel-UDP：UDP封装的隧道模式 · Transport-UDP：UDP封装的传输模式
Set attributes according to phase 2 transform.	根据二阶段transform设置属性
Transform ID is id.	Transform ID为id
Construct transform 1.	构造transform 1
Construct IPsec proposal proposal-number.	构造IPsec proposal，proposal号为proposal-number
Parse transform trans-number.	解析transform，transform号为trans-number
The SA_LIFE_TYPE attribute is repeated in packet.	SA_LIFE_TYPE属性在报文中重复
Number of key rounds is round.	密钥轮数为round
Process IPsec SA payload.	处理IPsec SA载荷
The attributes are unacceptable.	属性不可接受
Construct vid-name vendor ID payload.	构造vendor id载荷，vendor ID名称为vid-name
Process vendor ID payload.	处理vendor ID载荷
HASH:value	HASH为value
SKEYID:value	SKEYID为value
Extended Skeyid_e:value	扩展的Skeyid_e为value
Local generated new IV: value	本地新生成的IV为value
SKEYID_a: value	SKEYID_a为value
SKEYID_d: value	SKEYID_d为value
SKEYID_e: value	SKEYID_e为value
Encrypt IV: value	加密IV为value
Encryption generated new IV: value	加密新生成的IV为value
Decrypt IV: value	解密IV为value
Remote new IV: value	对端新IV为value
The proposal is acceptable.	提议是可以接受的
The proposal is unacceptable.	提议是不能接受的

表2-4 debugging ike dpd命令输出信息描述表

字段	描述
Invalid I-Cookie in DPD packet: I-Cookie	DPD报文中的I-Cookie无效，I-Cookie的值为I-Cookie
Invalid R-Cookie in DPD packet: R-Cookie	DPD报文中的R-Cookie无效，R-Cookie的值为R-Cookie
DPD packet with sequence number seq-no is received.	收到序列号为seq-no的DPD报文
Retransmit DPD packet.	重传DPD报文

表2-5 debugging ike keepalive命令输出信息描述表

字段	描述
Send keepalive packet with sequence number sequence number.	发送序号为sequence number的keepalive报文。
Sending packet to address,remote port remote-port,local port local-port.	发送报文到地址address，对端端口号为remote-port，本端端口号为local-port

表2-6 debugging ike nat-keepalive命令输出信息描述表

字段	描述
Sending packet to address,remote port remote-port,local port local-port.	发送报文到地址address，对端端口号为remote-port，本端端口号为local-port

【举例】

#在两个安全网关上配置了IKE协商类型的IPsec策略，在一阶段IKE协商过程中，若未找到匹配的IKE proposal，则打开IKE错误调试信息开关后将输出以下调试信息。

<Sysname> debugging ike error

*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; No acceptable transform.

// 没有可以接受的transform

*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; Failed to parse the IKE SA payload.

// 解析SA载荷失败

#在两个安全网关上配置了IKE协商类型的IPsec策略，若配置一阶段协商模式为主模式，认证方法为预共享密钥认证，则当有流量触发协商时，打开IKE事件调试信息开关后将输出以下调试信息。

<Sysname> debugging ike event

<Sysname> ping -c 1 192.168.222.5

PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break

*Aug 20 19:10:37:509 2012 Sysname IKE/7/EVENT: -MDC=1; Received SA acquire message from IPsec.

// 收到IPsec的SA请求消息

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IPsec SA state to IKE_P2_STA

TE_INIT.

// 设置二阶段SA状态为IKE_P2_STATE_INIT

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; No IKE SA found, initiate IKE SA negotiation.

// 没有一阶段SA，发起一阶段SA的协商

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Get profile profile1.

// 获取profile profile1

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Initiator create a SA for peer 192.168.222.5, local port 500, remote port 500.

// 发起方创建SA，对端地址为192.168.222.5，本端端口为500，对端端口为500

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IKE SA state to IKE_P1_STATE_INIT.

// 设置一阶段SA状态为IKE_P1_STATE_INIT

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.

// IKE线程3083549648处理一个job

*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Main mode exchange.

// 开始主模式协商

*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; Found pre-shared key that matches address 192.168.222.5 in keychain keychain1.

// 在keychain keychain1中找到了预共享密钥，预共享密钥匹配地址192.168.222.5

*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.

// 一阶段SA状态从IKE_P1_STATE_INIT到IKE_P1_STATE_SEND1

*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3008052176 processes a job.

// IKE线程3008052176处理一个job

*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Oakley transform 1 is acceptable.

// Oakley transform是可接受的，transform号为1

*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID NAT-T rfc3947.

// 匹配上vendor ID NAT-T rfc3947

*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.

// 一阶段SA状态从IKE_P1_STATE_SEND1到IKE_P1_STATE_SEND3

*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:566 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.

// IKE线程3083549648处理一个job

*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID DPD.

// 匹配上vendor ID DPD

*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.

// 一阶段SA状态从IKE_P1_STATE_SEND3到IKE_P1_STATE_SEND5

*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.

// IKE线程3075161040处理一个job

*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; Verify HASH successfully.

// 验证HASH成功

*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.

// 一阶段SA状态从IKE_P1_STATE_SEND5到IKE_P1_STATE_ESTABLISHED

*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 process

es a job.

// IKE线程3075161040处理一个job

*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Quick mode exchange.

// 开始快速模式协商

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.

// 二阶段SA状态从IKE_P2_STATE_INIT到IKE_P2_STATE_GETSPI

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3066772432 processes a job.

// IKE线程3066772432处理一个job

*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.

// 二阶段SA状态从IKE_P2_STATE_GETSPI到IKE_P2_STATE_SEND1

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3033218000 processes a job.

// IKE线程3033218000处理一个job

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Validate HASH(2) successfully.

// 验证HASH(2)成功

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.

// 下发IPsecSA

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; inbound flow: 192.168.222.5/32->192.168.222.71/32

// 入流量为192.168.222.5/32->192.168.222.71/32

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; outbound flow: 192.168.222.

71/32->192.168.222.5/32

// 出流量为192.168.222.71/32->192.168.222.5/32

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime second: 3600

// 生命周期为3600秒

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime kilobytes: 1843200

// 生命周期为1843200字节

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; protocol: 51

inbound SPI: 54e4913

outbound SPI: 44213487

// 协议为51，入方向SPI为：54e4913，出方向SPI为：44213487

*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.

// 二阶段SA状态从IKE_P2_STATE_SEND1到IKE_P2_STATE_SA_CREATED

*Aug 20 19:10:37:593 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.

// IKE线程3087980192处理一个控制队列消息

*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3041606608 processes a job.

// IKE线程3041606608处理一个job

*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.

// 二阶段SA状态从IKE_P2_STATE_SA_CREATED到IKE_P2_STATE_ESTABLISHED

#在两个安全网关上配置了IKE协商类型的IPsec策略，若配置一阶段协商模式为主模式，认证方法为预共享密钥认证，则当有流量触发协商时，打开IKE报文调试信息开关后将输出以下调试信息。

<Sysname> debugging ike packet

<Sysname> ping -c 1 192.168.222.5

PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.

// 加密算法为3DES-CBC

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Hash algorithm is HMAC-MD5.

// HASH算法为HMAC-MD5

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; DH group 1.

// DH group为1

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.

// 认证方法为Pre-shared key

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.

// 生命周期类型为Life type in seconds

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.

// 生命周期为86400

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform payload 1.

// 构造transform载荷，transform号为1

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct SA payload.

// 构造SA载荷

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T rfc3947 vendor ID payload.

// 构造vendor id载荷，vendor ID名称为NAT-T rfc3947

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft3 vendor ID payload.

// 构造vendor id载荷，vendor ID名称为NAT-T draft3

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft2 vendor ID payload.

// 构造vendor id载荷，vendor ID名称为NAT-T draft2

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft1 vendor ID payload.

// 构造vendor id载荷，vendor ID名称为NAT-T draft1

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 local port 500, remote port 500.

// 发送报文到地址192.168.222.5，本端端口号为500，对端端口号为500

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 0000000000000000

next payload: SA

version: ISAKMP Version 1.0

exchange mode: Main

flags: [ ]

message ID: 0

length: 164

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：0000000000000000

// 下一个载荷为：SA

// 版本为：ISAKMP Version 1.0

// 协商模式为：Main

// 标识为：[ ]

// Message ID为：0

// 长度为：164

*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// 发送一个IPv4报文

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.

222.5 source port 500 destination port 500.

// 收到的192.168.222.5报文，源端口为500，目的端口为500

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: SA

version: ISAKMP Version 1.0

exchange mode: Main

flags: [ ]

message ID: 0

length: 104

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：SA

// 版本为：ISAKMP Version 1.0

// 协商模式为：Main

// 标识为：[ ]

// Message ID为：0

// 长度为：104

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received IKE Security Association Payload.

// 收到SA载荷

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.

// 收到Vendor ID载荷

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process SA payload.

// 处理SA载荷

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Check ISAKMP transform 1.

检查ISAKMP transform，transform号为1

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.

// 加密算法为3DES-CBC

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; HASH algorithm is HMAC-MD5.

// HASH算法为HMAC-MD5

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; DH group is 1.

// DH group为1

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.

// 认证方法为Pre-shared key

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.

// 生命周期类型为Life type in seconds

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.

// 生命周期为86400

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Attribuites is acceptable.

// 属性是可接受的

*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.

// 处理vendor ID载荷

*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct KE payload.

// 构造IKE载荷

*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.

// 构造NONCE载荷

*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-D payload.

// 构造NAT-D载荷

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Construct DPD vendor ID payload.

// 构造DPD vendor ID载荷

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.22

2.5 , remote port 500 ,local port 500.

// 发送报文到地址192.168.222.5，对端端口号为500，本端端口号为500

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: KE

version: ISAKMP Version 1.0

exchange mode: Main

flags: [ ]

message ID: 0

length: 208

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：KE

// 版本为：ISAKMP Version 1.0

// 协商模式为：Main

// 标识为：[ ]

// Message ID为：0

// 长度为：208

*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// 发送一个IPv4报文

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.

// 收到的192.168.222.5报文，源端口为500，目的端口为500

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: KE

version: ISAKMP Version 1.0

exchange mode: Main

flags: [ ]

message ID: 0

length: 208

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：KE

// 版本为：ISAKMP Version 1.0

// 协商模式为：Main

// 标识为：[ ]

// Message ID为：0

// 长度为：208

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Key ExchangePayload.

// 收到ISAKMP Key Exchange载荷

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.

// 收到ISAKMP Nonce载荷

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.

// 收到ISAKMP NAT-D载荷

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.

// 收到ISAKMP NAT-D载荷

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.

// 收到ISAKMP Vendor ID载荷

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process KE payload.

// 处理KE载荷

*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process NONCE payload.

// 处理NONCE载荷

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID:

989e79e1 620ff603 a76bb9b9 7d88a19c

// SKEYID为989e79e1 620ff603 a76bb9b9 7d88a19c

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_d:

6fd7bd8f faf8480a af6c4813 4011cadd

// SKEYID_d为6fd7bd8f faf8480a af6c4813 4011cadd

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_a:

cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f

// SKEYID_a为cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_e:

795d3765 91083053 65cacc69 000ffe09

// SKEYID_e为795d3765 91083053 65cacc69 000ffe09

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Extended SKEYID_e:

d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be

// 扩展的SKEYID_e为d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local generated new IV:

add7096a 4b961742

// 本地新生成的IV为add7096a 4b961742

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Received 2 NAT-D payload.

// 收到NAT-D载荷，数量为2

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID type: IPV4_ADDR.

// 本地ID类型为：IPV4_ADDR

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID value: 192.168.222.

71.

// 本端ID值为：192.168.222.71

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct ID payload.

// 构造ID载荷

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Hash:

c5d733fa e6d1a6af ded56c05 de989aad

// HASH为c5d733fa e6d1a6af ded56c05 de989aad

*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct authentication by pre-shared key.

// 根据预共享密钥生成认证数据

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Construct INITIAL-CONTACT payload.

// 构造INITIAL-CONTACT载荷

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.

// 加密报文

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:

add7096a 4b961742

// 加密IV为add7096a 4b961742

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption generated New IV: ae230a1d 7cb77287

// 加密时新生成的IV为ae230a1d 7cb77287

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.

// 处理vendor ID载荷

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.

// 发送报文到地址192.168.222.5，对端端口号为500，本端端口号为500

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: ID

version: ISAKMP Version 1.0

exchange mode: Main

flags: [ENCRYPT]

message ID: 0

length: 92

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：ID

// 版本为：ISAKMP Version 1.0

// 协商模式为：Main

// 标识为：[ENCRYPT]

// Message ID为：0

// 长度为：92

*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// 发送一个IPv4报文

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.

222.5, source port 500 destination port 500.

// 收到的192.168.222.5报文，源端口为500，目的端口为500

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1;

I-cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: ID

version: ISAKMP Version 1.0

exchange mode: Main

flags: [ENCRYPT]

message ID: 0

length: 60

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：ID

// 版本为：ISAKMP Version 1.0

// 协商模式为：Main

// 标识为：[ENCRYPT]

// Message ID为：0

// 长度为：60

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.

// 解密报文

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:

ae230a1d 7cb77287

// 解密IV为ae230a1d 7cb77287

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:

4c788f75 c7ad88ab

// 对端新IV为4c788f75 c7ad88ab

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload.

// 收到ISAKMP Identification载荷

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.

// 收到ISAKMP Hash载荷

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Process ID payload.

// 处理ID载荷

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID type: IPV4_ADDR.

// 对端ID类型为IPV4_ADDR

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID value: address 192.168.222.5.

// 对端ID值为192.168.222.5

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Verify HASH payload.

// 验证HASH载荷

*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; HASH:

f510f1f8 1d205e1c 9aa31c42 00b3ab9a

// HASH为f510f1f8 1d205e1c 9aa31c42 00b3ab9a

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Set attributes by phase 2 transform.

// 根据二阶段transform设置属性

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.

// 封装模式为Tunnel

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in seconds

// 生命周期类型为Life type in seconds

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.

// 生命周期为3600

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in kilobytes

// 生命周期类型为Life type in kilobytes

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.

// 生命周期为1843200

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1

// 认证算法为HMAC-SHA1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.

// Transform ID为HMAC-SHA1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform 1.

// 构造transform 1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec proposal 1.

// 构造IPsec proposal，proposal号为1

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec SA payload.

// 构造IPsec SA载荷

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.

// 构造NONCE载荷

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.

// 构造IPsec ID载荷

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.

// 构造IPsec ID载荷

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(1) payload.

// 构造HASH(1)载荷

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt packet.

// 加密报文

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:

836eddd9 ed30acf7

// 加密IV为836eddd9 ed30acf7

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:

3b143591 5c647ff2

// 加密时新生成的IV为3b143591 5c647ff2

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.22

2.5, remote port 500, local port 500.

// 发送报文到地址192.168.222.5，对端端口号为500，本端端口号为500

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: HASH

version: ISAKMP Version 1.0

exchange mode: Quick

flags: [ENCRYPT]

message ID: 8a9c07c1

length: 156

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：HASH

// 版本为：ISAKMP Version 1.0

// 协商模式为：Quick

// 标识为：[ENCRYPT]

// Message ID为：8a9c07c1

// 长度为：156

*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// 发送一个IPv4报文

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.

// 收到的192.168.222.5报文，源端口为500，目的端口为500

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: HASH

version: ISAKMP Version 1.0

exchange mode: Quick

flags: [ENCRYPT]

message ID: 8a9c07c1

length: 156

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：HASH

// 版本为：ISAKMP Version 1.0

// 协商模式为：Quick

// 标识为：[ENCRYPT]

// Message ID为：8a9c07c1

// 长度为：156

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.

// 加密报文

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:

3b143591 5c647ff2

// 解密IV为3b143591 5c647ff2

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:

4914de5c 11d57f5c

// 对端新IV为4914de5c 11d57f5c

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.

// 收到ISAKMP Hash 载荷

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Security Asso

ciation Payload.

// 收到ISAKMP Security Association载荷

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.

// 收到ISAKMP Nonce载荷

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).

// 收到ISAKMP Identificatio载荷(IPsec DOI)

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).

// 收到ISAKMP Identificatio载荷(IPsec DOI)

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process HASH payload.

// 处理HASH载荷

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec SA payload.

// 处理IPsec SA载荷

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Check IPsec proposal 1.

// 检查IPsec proposal，proposal号为1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Parse transform 1.

// 解析transform，transform号为1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.

// 封装模式为Tunnel

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.

// 生命周期类型为Life type in seconds

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.

// 生命周期为3600

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in kilobytes.

// 生命周期类型为Life type in kilobytes

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.

// 生命周期为1843200

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1.

// 认证算法为HMAC-SHA1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.

// Transform ID为HMAC-SHA1

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; The attributes are unacceptable.

// 属性是可接受的

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.

// 处理IPsec ID载荷

*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.

// 处理IPsec ID载荷

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(3) payload.

// 构造HASH(3)载荷

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.

// 加密报文

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:

4914de5c 11d57f5c

// 加密IV为4914de5c 11d57f5c

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:

ecfa444e ed72ab05

// 加密时新生成的IV为ecfa444e ed72ab05

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.

// 发送报文到地址192.168.222.5，对端端口号为500，本端端口号为500

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1;

I-Cookie: 3519bdda65bfeaaa

R-Cookie: 078711749a32520c

next payload: HASH

version: ISAKMP Version 1.0

exchange mode: Quick

flags: [ENCRYPT]

message ID: 8a9c07c1

length: 52

// 发起方cookie为：3519bdda65bfeaaa

// 响应方cookie为：078711749a32520c

// 下一个载荷为：HASH

// 版本为：ISAKMP Version 1.0

// 协商模式为：Quick

// 标识为：[ENCRYPT]

// Message ID为：8a9c07c1

// 长度为：52

*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.

// 发送一个IPv4报文

3 IKEv2

3.1 IKEv2调试命令

3.1.1 debugging ikev2

【命令】

debugging ikev2 { { all | dpd | error | internal | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-name ] * ] } | pki }

undo debugging ikev2 { all | dpd | error | internal | nat-keepalive | packet | pki }

【缺省情况】

IKEv2的调试信息开关处于关闭状态。

【视图】

用户视图

【缺省用户角色】

network-admin

【参数】

all：表示IKEv2所有调试信息开关。

dpd：表示IKEv2 DPD调试信息开关。

error：表示IKEv2错误调试信息开关。

internal：表示IKEv2内部调试信息开关。

nat-keepalive：表示IKEv2 NAT keepalive调试信息开关。

packet：表示IKEv2报文调试信息开关。

pki：表示IKEv2相关的PKI调试信息开关。

remote-address：根据对端地址过滤调试信息。

local-address：根据本端地址过滤调试信息。

ipv4-address：表示IPv4地址。

ipv6 ipv6-address：表示IPv6地址。

remote-port port-number：根据对端端口过滤调试信息，port-number为对端端口号，取值范围0～65535。

【使用指导】

debugging ikev2命令用来打开IKEv2调试信息开关。undo debugging ikev2命令用来关闭IKEv2调试信息开关。

表3-1 debugging ikev2 error命令输出信息描述表

字段	描述
Authorization failed.	IKEv2获取AAA授权属性失败
Failed to allocate PAM handle to user user-name.	IKEv2获取AAA PAM句柄失败
Invalid major version version.	IKEv2报文中主版本号错误
The address pool overlaps with an existing address pool.	新配置的本地地址池地址范围和已有本地地址池冲突
Failed to compute ECDH shared key.	计算ECDH共享密钥失败
Received an invalid DH group.	收到的IKEv2报文中携带错误的或不支持的DH号
Required key length (keylen) over 255 times the length of the PRF output.	IKEv2计算密钥时，要求的密钥长度超过了PRF算法输出长度的255倍
Failed to compute keys.	计算密钥失败
Failed to obtain hash algorithm.	从加密算法库中获取Hash算法失败
Failed to obtain encryption algorithm.	从crypto获取加密算法失败
Failed to obtain private key.	获取DSA/ESA/EC私钥失败
Failed to obtain public key.	证书方式签名AUTH载荷时，获取公钥失败
Failed to compute local authentication data.	计算本端的认证数据失败
Failed to compute SKEYSEED.	计算密钥种子失败
Failed to compute keying material.	计算密钥材料失败
Failed to create IPsec keying material.	创建IPsec密钥材料失败
Failed to verify peer's authentication data.	验证对端的认证数据失败
Invalid length (length) for hash-and-URL encoded certificate.	hash-and-url编码方式的证书长度非法
A non-printable character exists in the URL of the hash-and-URL encoded certificate. Ignored the character and those that follow.	Hash-and-url编码方式的证书里的URL中有不可打印的字符，忽略掉该字符和它之后的内容
Invalid X509 digest length (length) in Certificate Request payload.	证书请求载荷中X509摘要长度非法
Unsupported certificate request encoding type cert-encoding-type.	不支持的证书请求编码方式
No certificate exists in payload.	载荷中没有证书
Received an unsupported hash-and-URL encoded certificate.	接收到对端的hash-and-url编码格式证书，但是本端不支持该格式证书
Failed to obtain a certificate from URL url.	从URL地址对应的证书服务器获取证书失败
Unsupported certificate encoding type cert-encoding-type.	不支持的证书编码方式
Failed to obtain certificate data.	获取认证数据失败
Failed to construct Certificate Request payload.	构造证书请求载荷失败
Failed to obtain certificate and key pair.	获取证书和密钥对失败
Failed to obtain certificate request.	获取证书请求失败
Failed to construct USE_TRANSPORT notification.	构造USE_TRANSPORT通知消息失败
Failed to find the Child SA for rekey.	找不到需要重协商的Child SA
Lack of SA payload.	报文中缺少SA载荷
Lack of TSi payload.	报文中缺少TSi载荷
Lack of TSr payload.	报文中缺少TSr载荷
Local and peer encapsulation modes not match.	协商双方的封装模式不匹配
Failed to parse TS payload.	解析TS载荷失败
Failed to obtain IPsec policy for rekeying IKE SA.	重协商IKE SA时，获取IPsec策略失败
Failed to find IKE SA for rekey.	找不到需要重协商的IKE SA
Lack of NONCE payload.	IKEv2报文中缺少nonce载荷
Failed to generate cookie.	生成cookie失败
Invalid payload attribute: type=attribute-type, length=attribute-len.	长度为attribute-len，类型为attribute-type的载荷属性非法
Failed to get address pool to assign internal address.	从AAA获取IPv4地址池失败，无法分配私网地址
The addresses in address pool pool-name were exhausted.	地址池地址资源耗尽
Failed to assign an address from address pool pool-name to the peer.	从地址池中为对端分配地址失败
Failed to get IPv6 address pool to assign internal address.	从AAA获取IPv6地址池失败，无法分配私网地址
Failed to assign an address from address pool pool-name.	从地址池获取IP地址失败
Configuration payload attribute attribute-name ignored: unsupported attribute.	不支持的配置载荷属性，将其忽略
Unsupported Configuration payload attribute attribute-name.	不支持的配置载荷属性
Failed to construct Configuration payload.	构造配置载荷失败
Unsupported Configuration payload type.	不支持的配置载荷类型
Failed to construct Delete payload.	构造删除载荷失败
Failed to send add-DPD request.	向IPsec进程发送添加DPD请求失败
Failed to send delete-DPD request.	向IPsec进程发送删除DPD请求失败
Failed to increase memory for packet generator.	构造报文时增大内存空间失败
Encoding type encoding-type-name supports only 8-bit alignment.	encoding-type-name编码类型要求报文中添加的内容必须8比特对齐
4-bit integers must be 4-bit aligned.	要添加的4比特整数内容必须是4比特对齐
Attribute format flag was not set.	未设置属性格式标记
Failed to generate a data block at bitpos bitpos.	在报文的bitpos位置处生成数据块失败
Invalid encoding type encoding-type in rule number.	该编码规则（编号为number）中的编码类型（类型为encoding-type）不合法
Failed to pad data encoded by rule number of type encoding-type.	向报文中填充number 编码规则encoding-type编码类型的数据失败
Invalid ID type id-type was found during ID payload construction.	构造ID载荷时发现不可识别的身份类型
Unsupported ID type (id-type).	不支持的身份类型
Failed to construct payload-type payload.	构造载荷失败
Received AUTHENTICATION_FAILED notification. Destroyed IKE SA.	收到认证失败通知报文，销毁IKE SA
Profile profile-name does not exist.	IKEv2 profile不存在
No keychain found in profile profile-name.	profile下没有配置keychain
No pre-shared key found.	没有找到预共享密钥
No pre-shared key found for local or peer.	没有找到本端或对端的预共享密钥
Failed to create Child SA while getting SPI.	发起方获取SPI（安全参数索引）时创建Child SA失败
Failed to find peer authentication method.	没有找到对端的认证方式
Failed to find local pre-shared key.	没有找到本端预共享密钥
No matching profile found.	没有找到匹配的proile
Profile profile-name does not exist.	profile不存在
Peer authentication method was not specified in the profile.	Profile中没有配置对端的认证方式
Failed to find peer pre-shared key.	没有找到对端预共享密钥
IPsec policy verification failed because peer ID does not match profile profile-name.	对端的身份信息匹配profile失败，因此对端的安全策略验证失败
Lack of IDr payload.	报文中缺少响应方ID载荷
Peer ignored AUTH payload and proposed EAP, which was unsupported on local.	对端忽略AUTH载荷，期望使用EAP认证方式，但是本端不支持
Lack of SA payload.	报文中缺少SA载荷
Lack of KE payload.	报文中缺少KE载荷
Lack of NONCE payload.	报文中缺少NONCE载荷
Profile profile-name not found to construct AUTH exchange request. IKEv2 negotiation terminated.	发起方构造AUTH交换请求报文时找不到对应的profile，终止IKEv2协商
Child SA not found. IKEv2 negotiation terminated.	找不到Child SA，终止协商
Failed to find Child SA.	查找Child SA失败
Authentication failed.	认证失败
Failed to create new Child SA.	新建Child SA失败
Failed to parse KE payload.	解析KE载荷失败
Received an invalid DH group.	收到一个不可识别的DH号
The peer's KE payload contained an incorrect DH group.	对端的KE载荷中包含了错误的DH group
The local proposed DH group dh-group1 rather than DH group dh-group2.	本端提议使用dh-group1，而不是dh-group2
Failed to construct KE payload.	构造KE载荷失败
Failed to parse KE payload.	解析KE载荷失败
The peer's KE payload contained an incorrect DH group.	对端的KE载荷中包含错误的DH组
Failed to calculate DH public key.	计算DH公钥失败
Failed to parse payload-type payload.	解析载荷失败
Failed to parse packet due to lack of Encrypted payload.	收到的IKEv2协商报文中没有加密载荷，解析报文失败
Encrypted payload was not the last payload.	加密载荷不是最后一个载荷
Invalid payload length.	载荷长度非法
Number of received payload-type payloads exceeded the upper limit.	本端收到payload-type类型的载荷数目超过最大值
Number of received payload-type payloads was smaller than the lower limit.	payload-type类型载荷出现的次数少于最小值
Invalid message: exchange type=exchange-type, request flag=flag.	非法消息，交换类型为exchange-type，请求报文标记为flag（flag取值为true或者false）
Invalid message.	非法的消息
Failed to construct NAT-OA payload.	构造NAT-OA载荷失败
Failed to parse NAT-OA payload.	解析NAT-OA载荷失败
Failed to compute NAT-D.	计算NAT-D失败
Unrecognized protocol (prototolID).	不识别的协议号
Invalid data length (data-length) for notify-type notification.	notify-type类型的通知数据长度非法
Local did not accept the DH group proposed by peer.	本端不接受对端提议的DH号
Local does not support the DH group proposed by peer.	本端不支持对端提议的DH号
Failed to construct NOTIFY payload.	构造通知载荷失败
Received an unexpected message.	收到的消息不是本端期望接收的
Received message ID out of window.	收到的报文的消息ID落在本端维护的消息窗口外
Received an invalid IKE SPI.	收到的IKEv2协商报文中携带非法的IKE SPI
Failed to verify message header.	验证消息头失败
Received a too small packet.	收到的IKEv2报文长度太短
Failed to create packet.	创建报文失败
No message rules specified for exchange-type exchange.	没有exchange-type类型的消息规则
Not enough memory for sending packet.	没有足够的空间发送IKEv2报文
Not enough space for Non-ESP marker in packet.	报文中没有足够的空间添加Non-ESP标记
Not enough memory for rule number with encoding type type.	报文解析器中没有足够的内存空间给指定编码类型（type）的消息规则（编号为number）
Message not match the specified encoding rule and encoding type.	不符合指定编码规则和编码类型的消息
Failed to parse payload-type substructure payload.	解析子结构载荷失败
Invalid length for payload-type substructure payload.	子结构载荷长度非法
Failed to create payload.	创建载荷失败
Failed to parse payload-type payload.	解析payload-type类型的载荷失败
Unsupported transform type type.	不支持的提议类型
Unsupported TS payload type.	不支持的TS载荷类型
Failed to create payload-type payload.	创建payload-type类型的载荷失败
Failed to verify payload-type payload.	验证载荷失败
Unrecognized critical payload.	不可识别的一个关键载荷
Failed to verify certificate.	验证证书失败
Incorrect length for SHA1 output.	SHA1算法计算输出的数据长度错误
Profile profile-name does not exist.	Profile不存在
Keychain keychain-name does not exist.	Keychain不存在
Not enough space for processing cookie in request packet.	请求报文中没有足够的空间处理cookie
Ignored packets with outdated cookies.	忽略了携带过期cookie的报文
Failed to send install-IPsec-SA request.	IKEv2向IPsec发送添加IPsec SA的请求失败
Failed to send switch-IPsec-SA request.	IKEv2向IPsec发送切换IPsec SA的请求失败
Message ID updated: local window left=local-window-left, local window expected=local-expected, peer window left=peer-window-left, peer window expected=peer-expected	将本端窗口最左侧值更新为Local-window-left，将本端下次期待收到请求的Message ID更新为Local-expected 将对端窗口最左侧值更新为Remote-window-left，将对端下次要发送的Messge ID更新为Remote-expected
Failed to move window: Received message ID was smaller than current value.	收到的IKEv2报文中的Message ID比当前值小，移动窗口失败
Failed to create IKE SA with core data.	根据核心数据创建IKE SA失败
Failed to create Child SA with core data.	根据核心数据创建Child SA失败
Failed to find profile profile-name.	找不到IKEv2 profile
Failed to create IKE SA: not enough memory.	内存不足，创建IKE SA失败
Failed to find profile profile-name.	查找IKEv2 profile失败
Failed to create Child SA: not enough memory.	内存不足，创建Child SA失败
Incorrect proposal order.	错误的IKEv2提议顺序
Failed to verify payload-type payload.	验证载荷失败
Inconsistent next payload type.	不合协议逻辑的下一载荷类型
Invalid transform count.	报文中的提议个数与实际携带的提议个数不符
Failed to add encryption algorithm attribute.	添加加密算法属性失败
Failed to add transforms to SA payload.	向SA载荷中添加提议载荷失败
Failed to add ESP encryption algorithm attribute.	添加ESP加密算法属性失败
Unsupported ESP encryption algorithm.	不支持的ESP加密算法
Unsupported ESP authentication algorithm.	不支持的ESP认证算法
Unsupported AH authentication algorithm.	不支持的AH认证算法
Failed to find matching IKEv2 policy.	没有找到相匹配的IKEv2策略
Policy verification failed.	没有找到已使用的IKEv2策略
Failed to find matching IKEv2 proposal.	没有找到匹配的IKEv2提议
Failed to construct SA payload.	构造SA载荷失败
Failed to find matching IKEv2 proposal.	没有找到匹配的IKEv2提议
Failed to add SA payload.	向报文中添加SA载荷失败
Failed to find encryption algorithm during payload encryption.	加密载荷时找不到加密算法
Failed to decrypt payload: invalid payload length.	因为载荷长度非法，解密载荷失败
Packet integrity verification failed.	IKEv2报文未通过完整性检查
Failed to encrypt payload.	加密IKEv2报文载荷失败
Failed to decrypt payload.	解密IKEv2报文载荷失败
Failed to parse payload-type payload.	解析IKEv2报文payload-type载荷失败
IPsec process (ipsec-status) timed out and Child SA was deleted.	IPsec处理超时（当前的IPsec处理状态为ipsec-state），删除创建的Child SA
Failed to start timer for IPsec process (ipsec-status).	启动等待IPsec处理的定时器失败（当前的IPsec处理状态为ipsec-state）
Responder did not use the Transport mode.	响应方无法匹配transport封装模式
Child SA already exists.	创建Child SA时发现该Child SA已经存在
Lack of SA payload.	缺少SA载荷
Failed to send IPsec policy request.	IKEv2向IPsec发送获取IPsec策略的请求失败
Failed to parse payloads during Child SA establishment.	创建Child SA过程中解析载荷失败
Failed to send IPsec SPI request.	IKEv2向IPsec发送获取IPsec SPI的请求失败
No matching IKE SA found. Ignored IPsec SA installation request.	找不到对应的IKE SA，忽略创建IPsec SA的请求
Failed to find IKE SA during IPsec process (ipsec-status).	进行IPsec处理（状态为ipsec-state）时查找IKE SA失败
Failed to send request to IPsec. Destroyed SA.	IKEv2向IPsec发送请求失败，销毁SA
Failed to find IKE SA.	查找IKE SA失败
[IPsec->IKE]	IPsec模块向IKE模块发送消息
[IPsec->IKE] Failed to find Child SA after IKE obtained IPsec policy.	IKE获取到IPsec策略后，查找不到Child SA
[IPsec->IKE] Failed to process next status after IKE obtained IPsec policy.	IKE获取到IPsec策略后，处理下一个状态失败
[IPsec->IKE] Failed to find Child SA after IKE obtained IPsec SPI.	IKE获取到IPsec SPI后，查找Child SA失败
[IPsec->IKE] Failed to process next status after IKE obtained IPsec SPI.	IKE获取到IPsec SPI后，处理下一个状态失败
[IPsec->IKE] Failed to find Child SA after IPsec SA was installed.	IKE完成添加IPsec SA处理后，查找Child SA失败
[IPsec->IKE] Failed to process next status after IPsec SA was installed.	IPsec添加SA后，IKEv2处理下一状态失败
Failed to construct packet.	创建IKEv2报文失败
Invalid port range (start port start-port, end port end-port) in TSi/TSr payload.	TSi或者TSr中的端口号范围非法（开始端口号为start-port ，结束端口号为end-port）
TSr protocol family tsr-family inconsistent with TSi protocol family tsi-family.	TSr的协议簇Tsr-family和TSi的协议簇Tsi-family不一致
TSr protocol range inconsistent with TSi protocol range.	TSr的协议范围和Tsi的协议范围不一致
Failed to construct TSi payload.	构造TSi载荷失败
Failed to construct TSr payload.	构造TSr载荷失败

表3-2 debugging ikev2 internal命令输出信息描述表

字段	描述
[AAA->IKE] IKE obtained authorization data from AAA.	[AAA向IKE发送消息] IKE从AAA获取授权数据
DH key computation succeeded.	计算DH key成功
Computed IPsec SA keying material.	计算IPsec SA密钥材料
Computed SKEYSEED.	计算SKEYSEED
Verified peer authentication data.	验证对端的认证数据
Peer authentication data passed verification.	对端认证数据验证通过
Local authentication method is method-name.	本端的认证方式为method-name
Generated authentication data.	生成认证数据
Constructed AUTH payload.	构造AUTH载荷
Failed to construct AUTH payload.	构造AUTH载荷失败
Constructed Certificate payload.	构造证书载荷
Certificate subject name subject-name	证书主体名为subject-name
Constructed Certificate Request payload.	构造证书请求载荷
Certificate encoding type type	证书编码方式为type
Processed Certificate payload.	处理证书载荷
Old Child SA has been replaced. Sent TEMPORARY_FAILURE notification to peer.	重协商时Child SA已被替换，向对端发送TEMPORARY_FAILURE通知
IKE SA is busy.	当前IKE SA状态机繁忙
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the IKE SA was being deleted.	（Tunnel ID为tunnel-id）在删除IKE SA的过程中收到对端发送的重协商报文
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the IKE SA has a half-open Child SA.	（Tunnel ID为tunnel-id）收到对端的IKE SA重协商报文，但是正在新建或者重协商该IKE SA的Child SA
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the Child SA was being deleted.	（Tunnel ID为tunnel-id）收到对端的IKE SA重协商报文，但是正在删除该IKE SA的Child SA
Peer prefers encaps-mode mode.	对端倾向使用encaps-mode封装模式
Received an invalid KE payload. Retried negotiation.	收到非法KE载荷，尝试重协商
IPv4 address assigned by peer: ipv4-addr	对端推送给本端的IPv4地址
IPv6 address assigned by peer: ipv6-addr/ipv6-prefix	对端推送给本端的IPv6地址
Subnet mask assigned by peer: mask	对端推送给本端的IPv4子网掩码
Constructed CP payload: cp-type.	构造cp-type类型的CP载荷
Processed CP payload: cp-type.	处理cp-type类型的CP载荷
AAA authorization was not configured in profile profile-name.	IKEv2 profile下没有配置AAA授权
[IKE->AAA] Sent an authorization request.	[IKE向AAA发送消息] IKE发送授权请求
Constructed Delete payload.	构造SA删除载荷
Processed Delete payload.	处理SA删除载荷
Constructed payload-type payload: id of type id-type.	构造ID载荷：载荷类型为payload-type，ID类型为id-type，ID内容为id
Processed ID payload.	处理ID载荷
Constructed empty payload for keepalive request.	为保活检查请求报文构造空载荷
Received keepalive response.	收到保活检查回应报文
Peer did not accept the address assigned by local.	对端不接受本端分配的地址
Peer accepted the address assigned by local.	对端接受本端分配的地址
Selected profile profile-name.	选择了IKEv2 profile profile-name
Obtained pre-shared key from keychain keychain-name.	从IKEv2 profile下引用的keychain中获取预共享密钥
Searched for a profile matching peer ID id of type id-type.	根据对端的身份信息（ID类型为id-type，ID内容为id）查找IKEv2 profile
Found matching profile profile-name.	查找到匹配的IKEv2 profile
Profile verification passed.	验证IKEv2 profile成功
Received an INVALID_KE_PAYLOAD notification. Retried negotiation.	发起方DH猜想失败，收到对端的INVALID_KE_PAYLOAD通知消息，尝试再次发起协商
SA_INIT exchange completed.	SA_INIT交换结束
Constructed KE payload.	构造KE载荷
Processed KE payload.	处理KE载荷
Computed DH public key by using dh-group.	使用DH组dh-group计算DH公钥
Peer was behind NAT.	IKEv2发现对端在NAT设备之后
Local was behind NAT.	IKEv2发现本端在NAT设备之后
Constructed NAT-OAi payload.	构造NAT-OAi载荷
Constructed NAT-OAr payload.	构造NAT-Oar载荷
Processed NAT discovery notification.	处理发现NAT通知载荷
No NAT found.	IKEv2协商双方之间不存在NAT设备
Constructed NONCE payload.	构造NONCE载荷
Peer did not accept DH group dh-group1 and proposed DH group dh-group2.	对端不接受采用DH组dh-group1进行协商，对端提议使用DH组dh-group2进行协商
Constructed NOTIFY payload: notify-type.	构造notify-type类型的通知载荷
Processed notification response for IKE SA.	处理IKE SA通知响应载荷
Processed NOTIFY payload in AUTH exchange response.	处理AUTH交互中的回应报文中的通知载荷
Processed NOTIFY payload in Child SA exchange response.	处理Child SA交互中的回应报文中的通知载荷
Processed NOTIFY payload notify-type.	处理notify-type类型的通知载荷
Searched for IKEv2 policy with VRF vrf and local address address.	查找本端地址为address、VRF为vrf的IKEv2策略
Used default IKEv2 policy.	使用缺省的IKEv2策略
Obtained pre-shared key through hostname hostname.	通过hostname获取预共享密钥
Matched peer name.	匹配到IKEv2 Peer（名称为name）
Obtained pre-shared key through address address.	通过地址address获取预共享密钥
Obtained pre-shared key through ID id of type id-type.	通过id-type类型的身份id获取预共享密钥
(Tunnel ID tunnel-id): (I) Current status status	（隧道ID为tunnel-id）发起方当前状态
(Tunnel ID tunnel-id): (R) Current status status	（隧道ID为tunnel-id）响应方(R)当前状态
(Tunnel ID tunnel-id): IKE SA received an incorrect request priority.	IKE SA（隧道ID为tunnel-id）收到一个错误的请求等级
Activated new request.	从请求队列中激活新的请求
(Tunnel ID: tunnel-id): Found no duplicate IKE SA.	（隧道ID为tunnel-id）没有发现重复的IKE SA
(Tunnel ID tunnel-id): Deleted negotiation context.	（隧道ID为tunnel-id）删除协商上下文
Next request message ID outside of window.	下一条IKE请求的消息ID位于消息窗口外
Message ID exceeded the limit. Waiting for rekey…	消息ID到达最大值，等待重协商
Reclaimed IPv4 address ipv4-addr.	回收IKEv2分配出去的IPv4地址
Reclaimed IPv6 address ipv6-addr ipv6-prefix.	回收IKEv2分配出去的IPv6地址
Deleted Child SA (message ID messge-id).	删除Child SA，Child SA对应的消息ID为messge-id
Deleted Child SA (protocol protocol SPI spi).	删除Child SA，Child SA对应的安全协议为protocol，SPI为spi Protocol的取值包括AH和ESP．
(Tunnel ID tunnel-id): Deleted IKE SA.	（隧道ID为tunnel-id）删除IKE SA
(Tunnel ID tunnel-id)): Found duplicate IKE SA.	（隧道ID为tunnel-id）发现重复的IKE SA
(Tunnel ID tunnel-id): Processed IKE SA rekey collision.	处理IKE SA的协商碰撞
Transform type id	打印Transform载荷：类型为type，ID为id
Transform type id attribute	打印Transform载荷：类型为type，ID为id，属性为attribute
Proposal number	打印propsal载荷
Matched IKEv2 policy policy-name.	匹配到IKEv2策略policy-name
Constructed SA payload.	构造SA载荷
Processed SA payload.	处理SA载荷
Used transport mode.	使用传输模式协商
Used tunnel mode.	使用隧道模式协商
Processed TSi payload.	处理TSi载荷
Processed TSr payload.	处理TSr载荷
Constructed TSi payload.	构造TSi载荷
Constructed TSr payload.	构造TSr载荷

表3-3 debugging ikev2 packet命令输出信息描述表

字段	描述
Data ipv4-addr, length length	IPv4 CP载荷数据和长度
Data ipv6-addr/ipv6-prefix, length length	IPv6 CP载荷数据和长度
Attribute type type	CP载荷属性类型，可能的取值为： · INTERNAL_IP4_ADDRESS · INTERNAL_IP4_NETMASK · INTERNAL_IP4_DNS · INTERNAL_IP4_NBNS · INTERNAL_ADDRESS_EXPIRY · INTERNAL_IP4_DHCP · APPLICATION_VERSION · INTERNAL_IP6_ADDRESS · INTERNAL_IP6_NETMASK · INTERNAL_IP6_DNS · INTERNAL_IP6_NBNS · INTERNAL_IP6_DHCP · INTERNAL_IP4_SUBNET · SUPPORTED_ATTRIBUTES · INTERNAL_IP6_SUBNET · MIP6_HOME_PREFIX · INTERNAL_IP6_LINK · INTERNAL_IP6_PREFIX · HOME_AGENT_ADDRESS · INTERNAL_IP4_SERVER · INTERNAL_IP6_SERVER · UNITY_BANNER · UNITY_SAVE_PASSWD · UNITY_DEF_DOMAIN · UNITY_SPLITDNS_NAME · UNITY_SPLIT_INCLUDE · UNITY_NATT_PORT · UNITY_LOCAL_LAN · UNITY_PFS · UNITY_FW_TYPE · UNITY_BACKUP_SERVERS · UNITY_DDNS_HOSTNAME
Assigned IPv4 address ipv4-addr from pool pool-name.	从地址池pool-name中分配IPv4地址
Assigned IPv6 address ipv6-addr/ipv6-prefix from pool pool-name.	从地址池pool-name中分配IPv6地址
Type type, length length	CP载荷属性，类型为type，长度为length
Received keepalive packet.	收到IKEv2保活检查报文
Responder received no AUTH request.	响应方没有收到AUTH请求报文
Failed to construct ECDH public key.	构造ECDH公钥失败
Unsupported DH group.	不支持的DH号
Parsed the last payload (Encrypted payload).	解析报文最后一个载荷（加密载荷）
Payload content:	报文载荷内容
Processed INVALID_SPI notification.	处理非法SPI的通知
Processed INVALID_SELECTORS notification.	处理非法selector的通知
Request message ID was msgid. Expected IDs were from windowleft to windowright.	请求报文的消息ID为msgid，本端能够接收的报文消息ID窗口范围为(windowleft～windowright)
I-SPI=i-spi R-SPI=r-spi Message ID=messge-id Exchange type=exchange-type Flags=flags Next payload=payload, length=length	IKEv2报文头信息，具体包含： · I-SPI：发起方SPI · R-SP：响应方SPI · Message ID：消息ID · Exchange type：交换类型 · Flags：请求方/响应方的标识 · Next payload：下一载荷的类型和长度
Received packet from peer-addr: source port source-port, destination port dest-port.	收到来自peer-addr的对端报文源端口号为source-port，目的端口号为dest-port
Constructed an encrypted packet.	创建了一个被加密的报文
Payload content:	IKEv2报文载荷内容
Sent packet to address: peer port peer-port, local port local-port.	发送报文到地址address，对端端口号为remote-port，本端端口号为local-port
Sent an IPv4 packet.	发送一个IPv4报文
Sent an IPv6 packet.	发送一个IPv6报文
Current payload payload, length length, next payload next-payload	报文载荷：当前载荷为payload，长度为length，下一载荷为next-payload
Current payload payload, length length, DH group dh-group, next payload next-payload	报文载荷：当前载荷为payload，长度为length，DH算法为dh-group，下一载荷为next-payload
Current payload payload, length length, type type, next payload next-payload	报文载荷：当前载荷为payload，长度为length，类型为type，下一载荷为next-payload
Current payload payload, length length, encoding type encoding-type, next payload next-payload	报文载荷：当前载荷为payload，长度为length，编码方式为encoding-type，下一载荷为next-payload
Current payload payload, length length, method method, next payload next-payload	报文载荷：当前载荷为payload，长度为length，认证方式为method，下一载荷为next-payload
Current payload payload, length length, type type, protocol protocol, SPI size size, next payload next-payload	报文载荷：当前载荷为payload，类型为type，长度为length，协议为protocol，SPI大小为size，下一载荷为next-payload
Current payload payload, length length, type type, protocol protocol, SPI size size, SPI count spi-count, next payload next-payload	报文载荷：当前载荷为payload，类型为type，长度为length，协议为protocol，SPI大小为size，包含的SPI数目为spi-number，下一载荷为next-payload
Current payload payload, length length, selector count selector-count, next payload next-payload	报文载荷：当前载荷为payload，长度为length，包含的Selector数目为number，下一载荷为next-payload
Last proposal number, length length	proposal载荷：number为0表示为最后一个proposal载荷，为2表示此proposal载荷之后还有其他的proposal载荷，载荷长度为length
Proposal number, protocol protocol, SPI size size, transform count transform-count	proposal载荷：当前载荷编号为number，协议为protocol，SPI大小为size，包含的Transform数目为count
Last transform value, length length	Transform载荷，value为0表示是最后一个Transform，为3表示该Transform载荷后还有其他的Transform载荷，载荷长度为length
Type type, transform ID transform-id	Transform载荷，类型为type，ID为transform-id
Key length length	Transform载荷的属性：key长度为length
TS type type, IP protocol protocol, length length	TS载荷类型为type，保护的协议为protocol，载荷长度为length
Start port start-port, end port end-port	TS载荷的端口号范围为start-port到end-port
Start address start-addr, end address end-addr	TS载荷的地址范围为start-addr到end-addr
Type type, length length	CP载荷属性，类型为type，长度为length
Current payload payload, length length, ID type type, next payload next-payload	当前载荷为payload，长度为length，ID类型为type，下一载荷为next-payload
Initiator received an INVALID_KE_PAYLOAD notification from responder who proposed DH group dh-group1. Initiator sent another INIT exchange request.	发起方DH猜想失败，收到响应方的IKEV2_INVALID_KE_PAYLOAD通知载荷，响应方希望使用dh-group1进行协商，发起方重新发送init请求报文
Retransmitted the packet.	重传IKEv2报文
Retransmission timed out.	超过最大重传次数，IKEv2报文重传超时
Packet carried the same cookie as the previous packet.	报文中携带和之前相同的cooike
Packet carried a different cookie than the previous packet.	报文中携带的cooike和之前的cooike不相等
Keepalive check timed out.	IKEv2保活检查超时
Retransmitted the response.	重传IKEv2响应报文
Received a packet with cookie.	收到携带cookie的IKEv2报文
Received a packet without cookie.	收到不携带cookie的IKEv2报文
Processed response with message ID msg-id. Requests with IDs from msgleft to msgright can be sent.	处理消息ID为msg-id的响应报文，能够发送的请求报文的消息ID范围为msgleft到msgright
Sent response with message ID msg-id. Requests with IDs from msgleft to msgright can be accepted.	发送消息ID为msg-id的回应报文，能够接收的请求报文消息ID范围为msgleft到msgright
Proposal proposal-number	SA载荷内的proposal编号为proposal-number
Encrypted payload passed integrity verification.	对IKEv2加密载荷的完整性检查通过
Invalid TSr port range (start port start-port, end port end-port).	TSr端口号范围（start-port～end-port）不合法

表3-4 debugging ikev2 pki命令输出信息描述表

字段	描述
Certificate verification through PKI domain domain-name succeeded.	使用PKI域domain-name验证对端证书成功
Obtained CA certificate from PKI domain domain-name.	从PKI域domain-name中获取CA证书
Obtained local certificate and key pair from PKI domain domain-name.	从PKI域domain-name中获取本地证书和密钥对
The key pair did not meet the peer's requirement. Checked the next PKI domain.	密钥对不符合对端要求，查找下一个PKI域
Obtained certificate request from cache.	从缓存中获取证书请求
Obtained certificate request from cache in profile profile-name.	从IKEv2 profile profile-name下的缓存中获取证书请求
PKI data changed.	与IKE相关的PKI数据发生变化

表3-5 debugging ikev2 ipsec命令输出信息描述表

字段	描述
[IPsec->IKE]	IPsec向IKE发送消息
[IKE->IPsec]	IKE向IPsec发送消息
[IPsec->IKE] Received a smooth IPsec SA ACK.	IKE收到了平滑IPsec SA的回应消息
[IKE->IPSEC] Sent add-DPD request.	IKE向IPsec发送添加DPD的请求
[IKE->IPsec] Sent delete-DPD request.	IKE向IPsec发送删除DPD的请求
Protected flow: Inbound: DstIP1/Mask1->SrcIP1/Mask11 Outbound: SrcIP1/Mask11->DstIP1/Mask1	Child SA保护的流信息如下： · 入方向：目的地址为DstIP1，掩码为Mask1-->源地址为SrcIP1，掩码为Mask11 · 出方向：源地址为SrcIP1，掩码为Mask11-->目的地址为DstIP1，掩码为Mask1
[IKE->IPsec] Sent install-IPsec-SA request.	IKE向IPsec发送添加IPsec SA请的求
[IKE->IPsec] Sent switch-IPsec-SA request.	IKE向IPsec发送切换IPsec SA的请求
Traffic-based IPsec SA lifetime expired.	Child SA对应的IPsec SA流量生命周期超时
[IPsec->IKE] Received an invalid SPI, no matching IKE SA found.	IKE收到了一个SPI非法的消息，且查找不到对应的IKE SA
[IKE->IPsec] Sent IPsec policy request.	IKE向IPsec发送获取IPsec策略的请求
[IKE->IPsec] Sent IPsec SPI request.	IKE向IPsec发送获取IPsec SPI的请求
[IPsec->IKE] Received IPsec SA negotiation request.	IKE收到IPsec的协商SA的请求
[IPsec->IKE] IPsec policy successfully obtained.	IPsec通知IKE成功获取了IPsec策略
[IPsec->IKE] IPsec SPI successfully obtained.	IPsec通知IKE成功获取了IPsec SPI
[IPsec->IKE] IPsec SA successfully installed.	IPsec通知IKE成功添加了IPsec SA

表3-6 debugging ikev2 timer命令输出信息描述表

字段	描述
Responder started a timer of number sec, waiting for AUTH exchange request.	响应方启动number秒的等待定时器，等待接收发起方的AUTH交换请求报文
(Tunnel ID tunnel-id): Sent NAT-keepalive packet.	IKE SA（隧道ID为tunnel-id）发送NAT keepalive报文
Started hardtimer.	启动硬超时定时器
Failed to create IKE SA timer.	创建IKE SA定时器失败
Failed to create Child SA timer.	创建Child SA定时器失败
(Tunnel ID tunnel-id): IKE SA soft lifetime expired and IKE SA was rekeyed.	（隧道ID为tunnel-id）IKE SA软生命周期超时，重协商IKE SA
(Tunnel ID tunnel-id): IKE SA hard lifetime expired and IKE SA was deleted.	（隧道ID为tunnel-id）IKE SA硬生命周期超时，删除IKE SA
(Tunnel ID tunnel-id): IKE SA lifetime timer (number sec) started.	（隧道ID为tunnel-id）IKE SA生命周期定时器启动，定时器超时时间为number秒
Failed to start hardtimer.	启动硬超时定时器失败
Child SA soft lifetime expired.	Child SA的软生命周期超时
Child SA hard lifetime expired.	Child SA的硬生命周期超时

表3-7 debugging ikev2 dpd命令输出信息描述表

字段	描述
Construct empty payload for liveness check request.	为保活检查请求报文构造空载荷
Received liveness check response.	收到保活检查回应报文
Receive liveness check.	收到保活检查报文
Retransmit DPD packet.	重传DPD报文
Liveness check timeout.	保活检查超时
Sending packet to address,remote port remote-port,local port local-port.	发送报文到地址address，对端端口号为remote-port，本端端口号为local-port
Sending an IPv4 packet.	发送IPv4报文
Sending an IPv6 packet.	发送IPv6报文

表3-8 debugging ikev2 nat-keepalive命令输出信息描述表

字段	描述
Sending packet to address,remote port remote-port,local port local-port.	发送报文到地址address，对端端口号为remote-port，本端端口号为local-port
Sending an IPv4 packet.	发送IPv4报文
Sending an IPv6 packet.	发送IPv6报文

【举例】

# 在两个安全网关上配置了IKEv2协商类型的IPsec安全策略，且打开IKEv2错误调试信息开关。在IKE协商过程中，若未找到匹配的IKEv2 proposal，将输出以下调试信息。

<Sysname> debugging ikev2 error

*Nov 24 05:40:16:391 2014 Sysname IKEV2/7/ERROR: -MDC=1; No proposal matched.

// 没有可以接受的提议

# 在两个安全网关上配置了IKEv2协商类型的IPsec安全策略，且打开IKEv2内部调试信息开关。若配置认证方法为预共享密钥认证，则当有流量触发IKE协商时，将输出以下调试信息。

<Sysname> debugging ikev2 internal

Ping 123.234.234.123 (123.234.234.123): 56 data bytes, press CTRL_C to break

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] Received an IPsec SA

negotiation request.

// 收到IPsec协商SA请求消息

*Oct 20 09:13:57:413 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the request.

// IKE线程3077876688处理协商请求

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: IDLE

// 当前的状态机状态：IDLE

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Chose profile fxm.

// 选择了IKEv2 profile：fxm

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Obtained pre-shared key from keychain fxm.

// 从IKEv2 profile fxm引用的keychain fxm中获取预共享密钥

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Obtained pre-shared key through address 123.234.234.123.

// 通过对端地址123.234.234.123获取预共享密钥

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Matched peer test.

// 匹配到keychain fxm下的Peer test

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Searched for IKEv2 policy with VRF 0 and local address 123.234.234.124

// 查找与vrf 0、本端地址123.234.234.124匹配的IKEv2策略

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed SA payload.

// 构造SA载荷

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Proposal 1

// SA子载荷proposal 1

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform ENCR 3DES-CBC

// proposal子载荷Transform加密算法为3DES

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform INTEG AUTH-HMAC-MD5-96

// Transform认证算法为HMAC-MD5

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform PRF PRF-HMAC-MD5

// Transform prf算法为HMAC-MD5

*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform D-H 768-bit MODP/Group 1

// Transform DH算法为768-bit MODP/Group 1

*Oct 20 09:13:57:426 2014 Sysname IKEV2/7/FSM: -MDC=1; Computed DH public key by using 768-bit MODP/Group 1.

// 使用768-bit MODP/Group 1计算DH公钥

*Oct 20 09:13:57:426 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed KE payload.

// 构造KE载荷

*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NONCE payload.

// 构造NONCE载荷

*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NAT_DETECTION_SOURCE_IP.

// 构造NAT_DETECTION_SOURCE_IP通知载荷

*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NAT_DETECTION_DESTINATION_IP.

// 构造NAT_DETECTION_DESTINATION_IP通知载荷

*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: BUILD_INIT

// 当前的状态机状态：BUILD_INIT

*Oct 20 09:13:57:446 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the INIT exchange response.

// IKE线程3077876688处理解析init交互响应报文

*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed response notification for IKE SA.

// 处理IKE SA的响应通知消息

*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed SA payload.

// 解析处理SA载荷

*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed KE payload.

// 解析处理KE载荷

*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed NAT discovery notification.

// 处理NAT-D通知

*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/FSM: -MDC=1; DH key computation succeeded.

// DH密钥计算完成

*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/FSM: -MDC=1; Calculated SKEYSEED.

// 计算密钥种子

*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Sent IPsec SPI request.

// IKE向IPsec获取SPI

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] IPsec SPI successfully obtained.

// 成功获取IPsec SPI

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_INIT

// 当前状态机状态：PROC_INIT

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; SA_INIT exchange completed.

// SA INIT交换完成

*Oct 20 09:13:57:454 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the AUTH exchange request.

// IKE线程3077876688处理构造AUTH交换请求报文

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed IDi payload: 123.234.234.124 of type ID_IPV4_ADDR

// 构造IDi载荷，类型为IPv4地址，地址为123.234.234.124

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: INITIAL_CONTACT.

// 构造 INITIAL_CONTACT 通知载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Local authentication method is Pre-shared key.

// 本端的认证方式为预共享密钥

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Generated authentication data.

// 构造认证数据

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed AUTH payload.

// 构造AUTH载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: ESP_TFC_PADDING_NOT_SUPPORTED.

// 构造ESP_TFC_PADDING_NOT_SUPPORTED通知载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NON_FIRST_FRAGMENTS_ALSO.

// 构造NON_FIRST_FRAGMENTS_ALSO通知载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: IKEV2_MESSAGE_ID_SYNC_SUPPORTED.

// 构造IKEV2_MESSAGE_ID_SYNC_SUPPORTED通知载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed SA payload.

// 构造SA载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed TSi payload.

// 构造TSi载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed TSr payload.

// 构造TSr载荷

*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: BUILD_AUTH

// 当前状态机状态：BUILD_AUTH

*Oct 20 09:13:57:457 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the AUTH exchange response.

// IKE线程3077876688处理解析AUTH交换响应方报文

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed AUTH response notification.

// 处理AUTH响应通知

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed ID payload.

// 解析ID载荷

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Verified peer policy.

// 验证对端的IKEv2策略

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Verified peer authentication data.

// 验证对端的认证数据

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Peer authentication data passed verification.

// 对端认证数据验证通过

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; AAA authorization was not configured in profile fxm.

// profile fxm中没有配置AAA授权

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed NOTIFY payload IKEV2_MESSAGE_ID_SYNC_SUPPORTED.

// 处理IKEV2_MESSAGE_ID_SYNC_SUPPORTED通知载荷

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_AUTH

// 当前状态机状态：处理AUTH交换响应报文

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed response notification for Child SA.

// 处理Child SA的响应通知载荷

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed SA payload.

// 处理SA载荷

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed TSi payload.

// 处理TSi载荷

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed TSr payload.

// 处理TSr载荷

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Computed IPsec keying material.

// 计算IPsec密钥材料

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Protected flow:

// 保护的流信息

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Inbound: 123.234.234.123/32->123.234.234.124/32

// 入方向流信息：123.234.234.123/32->123.234.234.124/32

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Outbound: 123.234.234.124/32->123.234.234.123/32

// 出方向流信息：123.234.234.124/32->123.234.234.123/32

*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Sent install IPsec sa request.

// IKE向IPsec发送添加IPsec SA请求

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: ESTABLISHED

// 当前状态机状态：ESTABLISHED

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: CHILD_ESTABLISHED

// 当前状态机状态：CHILD_ESTABLISHED

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: READY

// 当前状态机状态：READY

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] Succeed to install IPsec SA.

// IPsec添加SA成功

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/TIMER: -MDC=1; (Tunnel ID 5): IKE SA lifetime timer (86400 sec) started.

// IKE SA生命周期定时器启动

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID: 5): No duplicate IKE SA found.

// 协商过程中没有发现碰撞

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): Deleted negotiation context.

// 删除协商上下文

*Oct 20 09:13:57:469 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed a job.

// IKE线程3077876688处理一个任务

*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Send switch IPs

ec sa request.

// IKE向IPsec发送切换SA请求

# 在两个安全网关上配置了IKEv2协商类型的IPsec安全策略，若配置认证方法为预共享密钥认证，则当有流量触发协商时，打开IKEv2报文调试信息开关后将输出以下调试信息。

<Sysname> debugging ikev2 packet

Ping 123.234.234.123 (123.234.234.123): 56 data bytes, press CTRL_C to break

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:

// 打印载荷内容

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 44, Next payload: KE

// 当前SA载荷，载荷长度44，下一载荷为KE

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 40

// 当前proposal是SA载荷内唯一的proposal，载荷长度为40

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: IKE, SPI size: 0, Transform count: 4

// proposal编号为1，为IKE协议，SPI大小为0，包含4个Transform

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC

// Transform类型为加密类型，3DES-CBC算法

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96

// Transform类型为认证类型，AUTH-HMAC-MD5-96算法

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: PRF, Transform ID: PRF-HMAC-MD5

// Transform类型为Prf，为PRF-HMAC-MD5算法

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8

// 该Transform长度为8，为最后一个Transform

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: D-H, Transform ID: 768-bit MODP/Group 1

// Transform类型为DH算法，768-bit MODP/Group 1算法

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; KE, Length: 104, DH: 768-bit MODP/Group 1, Next payload: NONCE

// 当前载荷为KE，长度为104，采用768-bit MODP/Group 1算法，下一载荷为NONCE

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NONCE, Length: 36, Next payload: NOTIFY

// 当前载荷为NONCE，长度为36，下一载荷为NOTIFY

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_SOURCE_IP, Protocol: NO PROTOCOL, SPI size:0, Next payload: NOTIFY

// 当前载荷为NAT_DETECTION_SOURCE_IP通知载荷，长度为28，下一载荷为NOTIFY载荷

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_DESTINATION_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NO_PAYLOAD

// 当前载荷为NAT_DETECTION_DESTINATION_IP通知载荷，长度为28

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent packet to 123.234.234.123, Remote port 500, Local port 500.

// 向对端123.234.234.123发送报文，本端端口号为500，对端端口号为500

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1;

I-SPI: e787e1a5584f87e6

R-SPI: 0000000000000000

Message ID: 0

Exchange type: SA_INIT

Flags: REQUEST, INITIATOR

Next payload: SA, Length: 268

// 发起方SPI：e787e1a5584f87e6

// 响应方SPI：0000000000000000

// Message ID：0

// 交换类型：SA_INIT交换

// 标记：协商发起方，请求报文

// 下一个载荷：SA载荷，长度为268

*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent an IPv4 packet.

// 发送IPv4报文

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Received packet from 123.234.234.123, Source port 500, Destination port 500.

// 收到对端123.234.234.123的IPv4报文，源端口号为500，目的端口号为500

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1;

I-SPI: e787e1a5584f87e6

R-SPI: e91e92c42120d7f0

Message ID: 0

Exchange type: SA_INIT

Flags: RESPONSE

Next payload: SA, Length: 276

// 发起方SPI：e787e1a5584f87e6

// 响应方SPI：e91e92c42120d7f0

// Message ID：0

// 交换类型：SA_INIT交换

// 标记：协商响应方

// 下一个载荷：SA载荷，长度为276

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:

// 打印载荷内容

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 44, Next payload: KE

// 当前载荷为SA载荷，长度44字节，下一载荷为KE

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 40

// SA载荷包含一个proposal子载荷，长度为40

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: IKE, SPI size: 0, Transform count: 4

// proposal 1，协议为IKE，SPI大小为0，包含4个Transform

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC

// Transform类型为加密类型，3DES-CBC加密算法

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96

// Transform类型为认证类型，AUTH-HMAC-MD5-96认证算法

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: PRF, Transform ID: PRF-HMAC-MD5

// Transform类型为Prf类型，为PRF-HMAC-MD5算法

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8

// 该Transform长度为8，是最后一个Transform

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: D-H, Transform ID: 768-bit MODP/Group 1

// Transform类型为DH类型，768-bit MODP/Group 1 算法

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; KE, Length: 104, DH: 768-bit MODP/Group 1, Next payload: NONCE

// 当前载荷为KE载荷，长度为104，采用768-bit MODP/Group 1算法，下一载荷为NONCE

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NONCE, Length: 36, Next payload: NOTIFY

// 当前载荷为NONCE载荷，长度为36，下一载荷为NOTIFY

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_SOURCE_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY

// 当前载荷为NAT_DETECTION_SOURCE_IP通知载荷，长度为28，下一载荷为NOTIFY载荷

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_DESTINATION_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY

// 当前载荷为NAT_DETECTION_DESTINATION_IP，长度28，下一载荷为NOTIFY载荷

*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: HTTP_CERT_LOOKUP_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NO_PAYLOAD

// 当前载荷为HTTP_CERT_LOOKUP_SUPPORTED通知载荷，长度为8

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Processed response with message ID 0, requests with IDs from 1 to 1 can be sent.

// 处理INIT交互响应报文（messge id=0）,下一条请求报文的message id为1

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Built packet for encryption.

// 创建需要加密的报文

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:

// 打印报文内容

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; IDi, Length: 12, Type: ID_IPV4_ADDR, Next payload: NOTIFY

// 当前载荷为IDi，长度为12字节，类型为IPv4地址类型，下一载荷为NOTIFY

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: INITIAL_CONTACT, Protocol: NO PROTOCOL, SPI size: 0, Next payload: AUTH

// 当前载荷为INITIAL_CONTACT通知载荷，长度为8，下一载荷为AUTH载荷

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; AUTH, Length: 24, Method: Pre-shared key, Next payload: NOTIFY

// 当前载荷为AUTH载荷，认证方式为预共享密钥，长度为24

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: ESP_TFC_PADDING_NOT_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY

// 当前载荷为ESP_TFC_PADDING_NOT_SUPPORTED通知载荷，长度为8，下一载荷为NOTIFY

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: NON_FIRST_FRAGMENTS_ALSO, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY

// 当前载荷为NON_FIRST_FRAGMENTS_ALSO通知载荷，长度为8，下一载荷为NOTIFY

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: IKEV2_MESSAGE_ID_SYNC_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: SA

// 当前载荷为IKEV2_MESSAGE_ID_SYNC_SUPPORTED通知载荷，长度为8，下一载荷为SA

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 40, Next payload: TSi

// 当前载荷为SA，长度为40字节，下一载荷为TSi

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 36

// SA载荷包含一个proposal，长度为36

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: ESP, SPI size: 4, Transform count: 3

// proposal协议为ESP，SPI长度为4，包含三个Transform

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96

// Transform类型为认证类型，AUTH-HMAC-MD5-96算法

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC

// Transform类型为加密类型，为3DES-CBC算法

*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8

// 该Transform长度为8，为最后一个Transform

*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ESN, Transform ID: NO ESN

// Transform类型为ESN类型，为NO_ESN

*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSi, Length: 40, Selector count: 2, Next payload: TSr

// 当前载荷为TSi载荷，包含2个Selecotr，下一载荷为TSr

*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 1, Length: 16

// 触发流TSi类型为TS_IPV4_ADDR_RANGE，协议为ICMP，长度为16

*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535

// 触发流TSi开始端口号为0，结束端口号为65535

*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124

// 触发流TSi IP地址范围为123.234.234.124到123.234.234.124

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16

// 配置流TSi 类型为 TS_IPV4_ADDR_RANGE，协议为IPv4协议，长度为16

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535

// 配置流TSi开始端口号为0，结束端口号为65535

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124

// 配置流TSi地址范围为123.234.234.124到123.234.234.124

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSr, Length: 40, Selector count: 2, Next payload: NO_PAYLOAD

// 当前载荷为TSr载荷，包含两个Selector

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 1, Length: 16

// 触发流TSr类型为TS_IPV4_ADDR_RANGE，协议为ICMP，长度为16

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535

// 触发流TSr开始端口号为0，结束端口号为0

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123

// 触发流TSr地址范围为123.234.234.123到123.234.234.123

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16

// 配置流TSr类型为TS_IPV4_ADDR_RAN GE，协议类型为IPv4，长度为16

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535

// 配置流TSr开始端口号为0，结束端口号为0

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123

// 配置流TSr的地址范围为123.234.234.123到123.234.234.123

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent packet to 123.234.234.123, Remote port 500, Local port 500.

// 向对端发送AUTH交换请求报文，对端地址为123.234.234.123，本端端口号为500，对端端口号为500

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1;

I-SPI: e787e1a5584f87e6

R-SPI: e91e92c42120d7f0

Message ID: 1

Exchange type: AUTH

Flags: REQUEST, INITIATOR

Next payload: ENCRYPTED, Length: 244

// 发起方SPI：e787e1a5584f87e6

// 响应方SPI：e91e92c42120d7f0

// Message ID：1

// 交换类型：AUTH交换

// 标记：协商发起方，请求报文

// 下一个载荷：加密载荷，长度为244

*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent an IPv4 packet.

// 收到一个IPv4报文

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Received packet from 123.234.234.123, Source port 500, Destination port 500.

// 收到来自123.234.234.123的报文，源端口号为500，目的端口号为500

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1;

I-SPI: e787e1a5584f87e6

R-SPI: e91e92c42120d7f0

Message ID: 1

Exchange type: AUTH

Flags: RESPONSE

Next payload: ENCRYPTED, Length: 204

// 发起方SPI：e787e1a5584f87e6

// 响应方SPI：e91e92c42120d7f0

// Messge ID：1

// 交换类型：AUTH交换

// 标记：响应方

// 下一载荷加密载荷，长度204

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:

// 打印报文内容如下

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload ENCRYPTED found.

// 准备处理加密载荷

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Integrity check passed.

// 认证检查通过

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; IDr, Length: 12, Type: ID_IPV4_ADDR, Next payload: AUTH

// 当前载荷为IDr载荷，类型为IPv4地址，长度为12，下一载荷为AUTH

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; AUTH, Length: 24, Method: Pre-shared key, Next payload: NOTIFY

// 当前载荷为AUTH，采用的认证方式为预共享密钥，长度为24，下一载荷为 NOTIFY

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: IKEV2_MESSAGE_ID_SYNC_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY

// 当前载荷为IKEV2_MESSAGE_ID_SYNC_SUPPORTED通知载荷，长度为8，下一载荷为NOTIFY

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: ESP_TFC_PADDING_NOT_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY

// 当前载荷为 ESP_TFC_PADDING_NOT_SUPPORTED通知载荷，长度为8，下一载荷为 NOTIFY

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: NON_FIRST_FRAGMENTS_ALSO, Protocol: NO PROTOCOL, SPI size: 0, Next payload: SA

// 当前载荷为NON_FIRST_FRAGMENTS_ALSO通知载荷，长度为8，下一载荷为SA载荷

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 40, Next payload: TSi

// 当前载荷为SA载荷，长度为40，下一载荷为TSi载荷

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 36

// SA载荷包含一个proposal，长度为36

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: ESP, SPI size: 4, Transform count: 3

// proposal 1，协议类型为ESP，SPI大小为4字节，包含3个Transform

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96

// Transform 类型为认证类型， AUTH-HMAC-MD5-96算法

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8

// 该Transform长度为8，不是最后一个Transform

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC

// Transform类型为加密类型，3DES-CBC算法

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8

// 该Transform长度为8，为最后一个Transform

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ESN, Transform ID: NO ESN

// Transform类型为ESN，NO ESN

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSi, Length: 24, Selector count: 1, Next payload: TSr

// 当前载荷为TSi载荷，长度为24，包含1个Selector，下一载荷为TSr

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16

// TSi类型为TS_IPV4_ADDR_RANGE，协议为ICMP，长度为16

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535

// TSi开始端口号为0，结束端口号为65535

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124

// TSi IP地址范围为23.234.234.124到123.234.234.124

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSr, Length: 24, Selector count: 1, Next payload: NO_PAYLOAD

// 当前为TSr载荷，长度为24，包含一个Selector

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16

// TSr的类型为TS_IPV4_ADDR_RANGE 协议为ICMP，长度为16

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535

// TSr的端口号范围为0到65535

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123

// TSr的IP地址范围为123.234.234.123 到 123.234.234.123

*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Processed response with message ID 1, requests with IDs from 2 to 2 can be sent.

// 处理Messge ID为1的AUTH交互响应报文，下一次请求报文的Message

推荐本站淘宝优惠价购买喜欢的宝贝:

本文链接：https://sg.hqyman.cn/post/7440.html 非本站原创文章欢迎转载，原创文章需保留本站地址！

分享到：

打赏

休息一下~~

作者:hqy | 分类:技术文章 | 浏览:467 | 评论:0

发表评论:

◎欢迎参与讨论，请在这里发表您的看法、交流您的观点。

« 2025年3月 »
一	二	三	四	五	六	日
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

控制面板: 您好，欢迎到访网站！
登录后台查看权限
个人中心修改密码

随心随性: 不经一番寒彻骨，怎得梅花扑鼻香。

网站分类

搜索

最新留言

文章归档

网站收藏

一个和谐有爱的空间

友情链接

HQY 一个和谐有爱的空间

HQY

06

2024
08
14:02:16

h3c IPsec Debug (二) （ipsec 整个协商过程，用于学习和排错用很不错）

2 IKE

2.1 IKE调试命令

2.1.1 debugging ike

3 IKEv2

3.1 IKEv2调试命令

3.1.1 debugging ikev2

发表评论:

HQY 一个和谐有爱的空间

HQY

06

20240814:02:16

h3c IPsec Debug (二) （ipsec 整个协商过程，用于学习和排错用很不错）

2 IKE

2.1 IKE调试命令

2.1.1 debugging ike

3 IKEv2

3.1 IKEv2调试命令

3.1.1 debugging ikev2

发表评论:

2024
08
14:02:16