IPsec VPN basic lab
I. Lab topology
II. Lab principles
IKE overview: before IPsec can protect an IP packet, a security association (SA) must exist. An SA can be created manually or established dynamically; Internet Key Exchange (IKE) is the protocol used to establish SAs dynamically.
The essence of IKE: through a series of data exchanges the two communicating parties end up computing a shared key, and even if a third party (an eavesdropper) intercepts all of the exchanged data that the two sides used to compute that key, the intercepted data is not enough to compute the real key. The core technique is the Diffie-Hellman (DH) exchange.
IKE uses two ISAKMP phases.
Phase 1: establish the IKE security association
(produces 1 IKE SA)
Specifically: establish a confidential, authenticated communication channel (the IKE SA) together with authenticated keys, providing confidentiality, message integrity and message-origin authentication for the IKE traffic between the two parties.
(Phase 1 must complete before any other exchange, such as the phase 2 exchange or informational message exchanges; those other exchanges run under the protection of the security association established in phase 1.)
How SKEYID is generated depends on which authentication method was negotiated. The authentication method determines which payloads are exchanged, and when.
The authentication methods in common use today are:
1) pre-shared keys
2) digital signatures produced with the Digital Signature Algorithm (DSA)
Phase 2: use the established security association to negotiate the specific security associations for IPsec.
(produces 2 IPsec SAs)
The phase 1 exchange has two modes: main mode and aggressive mode.
Main mode consists of three exchanges, six messages in total, at the end of which the IKE SA is established.
The three exchanges are:
1) policy negotiation (policy): messages 1-2 (one out, one back)
2) DH and nonce exchange (DH): messages 3-4
3) mutual authentication (authentication): messages 5-6
First exchange: the two sides exchange cookies and SA payloads. The SA payload carries the parameters to be negotiated for the IKE SA, chiefly the IKE hash type, encryption algorithm, authentication method and the lifetime of the IKE SA.
After the first exchange: each side generates the DH value used to produce the DH shared secret.
Second exchange: the key-exchange payloads and the nonce payloads are exchanged.
After the second exchange: all of the material needed to compute the keys has been exchanged, so all keys can now be computed and used to protect the subsequent IKE messages.
Third exchange: the identification payloads and the hash payloads are exchanged. The identification payload carries the initiator's identity, an IP address or a hostname. The hash payload carries the value obtained by hashing the three sets of keys produced in the previous step.
Aggressive mode: 3 messages.
The phase 2 exchange has one mode: quick mode.
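The following is an added example, not code from the lab notes above: it models in one process what the six main-mode messages feed into, using the formulas of RFC 2409 sections 5 and 5.4 for pre-shared-key authentication (SKEYID = prf(pre-shared-key, Ni_b | Nr_b), the three derived keys, and HASH_I from message 5). The DH group is Oakley group 2 and the prf is HMAC-MD5, matching the lab's "group 2" / "hash md5" policy; the SA payload body and ID payload bytes are constructed stand-ins, and the pre-shared keys xb5 / xb7 are the lab's. Running it with the same key on both peers verifies HASH_I; running it with different keys shows why a phase 1 negotiation with mismatched pre-shared keys can never authenticate, even though the DH shared secret itself agrees.

```python
"""
IKEv1 phase 1 (main mode, pre-shared key) key derivation, modelled in-process.
Added example; not code from the original lab. Formulas follow RFC 2409
sections 5 and 5.4; the group is Oakley group 2 (RFC 2409 section 6.2) and
the prf is HMAC-MD5, matching the lab's "group 2" / "hash md5" policy.
The SA payload body and the ID payload bytes are constructed stand-ins.
"""
import hashlib
import hmac
import secrets

# Oakley group 2: 1024-bit MODP prime, generator 2 (RFC 2409 section 6.2).
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated 'hash md5' makes the prf HMAC-MD5 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.md5).digest()


def be(n: int) -> bytes:
    """Big-endian encoding of a DH value, as it travels in the KE payload."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Peer:
    """One IKE endpoint: its cookie, nonce and private DH exponent."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)      # CKY-I or CKY-R (messages 1-2)
        self.nonce = secrets.token_bytes(16)      # Ni_b or Nr_b (messages 3-4)
        self.x = secrets.randbelow(GROUP2_PRIME - 2) + 1
        self.gx = pow(GROUP2_GENERATOR, self.x, GROUP2_PRIME)   # KE payload (messages 3-4)

    def derive(self, initiator: bool, peer_gx: int, peer_cookie: bytes, peer_nonce: bytes) -> dict:
        """After messages 3-4: g^xy, SKEYID and the three keys derived from it."""
        gxy = be(pow(peer_gx, self.x, GROUP2_PRIME))
        cky_i, cky_r = (self.cookie, peer_cookie) if initiator else (peer_cookie, self.cookie)
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # IPsec key material
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE authentication
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a,
                "SKEYID_e": skeyid_e, "CKY_I": cky_i, "CKY_R": cky_r}


def hash_i(keys: dict, gx_i: int, gx_r: int, sa_i_body: bytes, id_i_body: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)  (message 5)."""
    return prf(keys["SKEYID"],
               be(gx_i) + be(gx_r) + keys["CKY_I"] + keys["CKY_R"] + sa_i_body + id_i_body)


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the exchange between two in-process peers; report whether message 5 verifies."""
    init, resp = Peer(psk_initiator), Peer(psk_responder)
    sa_i_body = b"3DES-CBC|MD5|group2|pre-share|86400"   # constructed stand-in for the SA payload body
    # ID payload fields as in the lab's debug output: ID_IPV4_ADDR, protocol 17, port 500, 112.16.13.2
    id_i_body = bytes([1, 17]) + (500).to_bytes(2, "big") + bytes([112, 16, 13, 2])
    k_init = init.derive(True, resp.gx, resp.cookie, resp.nonce)
    k_resp = resp.derive(False, init.gx, init.cookie, init.nonce)
    sent = hash_i(k_init, init.gx, resp.gx, sa_i_body, id_i_body)       # initiator builds HASH_I
    expected = hash_i(k_resp, init.gx, resp.gx, sa_i_body, id_i_body)   # responder recomputes it
    return {
        "skeyid_match": k_init["SKEYID"] == k_resp["SKEYID"],
        "authenticated": hmac.compare_digest(sent, expected),
    }


if __name__ == "__main__":
    print("same PSK on both peers:   ", main_mode(b"xb5", b"xb5"))
    print("different PSK on one peer:", main_mode(b"xb5", b"xb7"))
```

The point the lab's troubleshooting list makes ("is a pre-shared key configured for the peer, and does it match?") is visible in the second call: the two sides compute the same g^xy, but SKEYID, and therefore every key derived from it and the HASH payload of messages 5-6, differ, so the responder cannot verify the initiator.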
Lab 1:
1. IPsec architecture
   Security protocols: responsible for protecting the data
      AH / ESP
   Working modes
      Transport mode: end-to-end protection
      Tunnel mode: site-to-site protection
   Key management
      Manually configured keys
      Keys negotiated through IKE
2. IPsec SA
   SA (Security Association)
      Uniquely identified by the triple (SPI, destination IP address, security protocol identifier)
      Determines how a packet is processed: protocol, algorithm, key
      Each IPsec SA is unidirectional
      Established manually or generated by IKE negotiation
   SPD (Security Policy Database)
   SAD (Security Association Database)
3. Relationship between IKE and IPsec
   IKE provides IPsec with automatic key negotiation and exchange and with SA establishment
   The IPsec security protocols provide the actual security services
4. The two phases of IKE negotiation
   Phase 1
      Establishes an IKE SA on the network that protects the phase 2 negotiation
      Main Mode and Aggressive Mode
   Phase 2
      Completes the IPsec SA negotiation under the protection of the IKE SA built in phase 1
      Quick Mode
Phase 1: IKE's six packets (main mode) produce one IKE SA
   1-2: policy
   3-4: DH
   5-6: authentication
Phase 2: produces two IPsec SAs (quick mode)
R3(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
R3(config)#crypto isakmp ide
R3(config)#crypto isakmp identity ?
address Use the IP address of the interface for the identity
dn Use the distinguished name of the router cert for the identity
hostname Use the hostname of the router for the identity
R3(config)#crypto map map3 ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
III. Lab steps
While doing this lab I found out how important routing is: most of the later problems came from routing not being set up properly.
R3:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp key xb5 address 112.16.15.2
crypto isakmp key xb7 address 112.16.17.2
crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel
access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 107 permit ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255
crypto map map3 10 ipsec-isakmp
 set peer 112.16.15.2
 set transform-set tf10
 match address 105
crypto map map3 20 ipsec-isakmp
 set peer 112.16.17.2
 set transform-set tf10
 match address 107
interface Serial0/0
 ip address 112.16.13.2 255.255.255.252
 crypto map map3
ip route 0.0.0.0 0.0.0.0 112.16.13.1   // very important!!! this is what gives reachability to the peers
R5:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp key xb5 address 112.16.13.2
crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto map map5 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 105
interface Serial0/0
 crypto map map5
ip route 0.0.0.0 0.0.0.0 112.16.15.1
R7:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp key xb7 address 112.16.13.2
crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel
access-list 107 permit ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto map map7 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 107
interface Serial0/0
 crypto map map7
ip route 0.0.0.0 0.0.0.0 112.16.17.1
Troubleshooting:
When the phase 1 negotiation fails, check the following:
R3#sh crypto isakmp sa
dst src state conn-id slot status
- Is the security policy (crypto map) applied on the interface?
- Is there matching traffic to trigger the negotiation?
- Is a pre-shared key configured for the peer, and do the two keys match?
It turned out there was no route to the peer. After adding the following on R3
ip route 0.0.0.0 0.0.0.0 112.16.13.1
the phase 1 negotiation succeeded.
R3#sh crypto isakmp sa
dst src state conn-id slot status
112.16.17.2 112.16.13.2 QM_IDLE 2 0 ACTIVE
The result above only appears once traffic has passed through to trigger the negotiation!!
R3#ping 192.168.70.1 source 192.168.30.1
The tunnel between R3 and R5, however, still was not triggered successfully; the transform sets did not match, and once that was changed it came up. But with both phase 1 and phase 2 negotiated successfully, why was there still no communication?
When the SAs of both phases are established but traffic does not pass, the cause is usually an ACL misconfiguration!
After checking, the ACLs turned out to be fine; the real cause was routing: there was a route out, but no route back! A route in the outbound direction is enough to trigger both phases and build the SAs; the missing return route is what broke the traffic!!!
ip route 0.0.0.0 0.0.0.0 112.16.15.1
ip route 0.0.0.0 0.0.0.0 112.16.17.1
With those added, the pings succeed.
R3#ping 192.168.50.1 source 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 304/570/672 ms
R3#ping 192.168.70.1 source 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 384/524/672 ms
R3#sh crypto isakmp sa
dst src state conn-id slot status
112.16.17.2 112.16.13.2 QM_IDLE 2 0 ACTIVE
112.16.15.2 112.16.13.2 QM_IDLE 1 0 ACTIVE
R3#sh cry
R3#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: map3, local addr 112.16.13.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer 112.16.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.15.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x2EA78F2B(782733099)
inbound esp sas:
spi: 0x8230FDE8(2184248808)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: map3
sa timing: remaining key lifetime (k/sec): (4389570/622)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2EA78F2B(782733099)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: map3
sa timing: remaining key lifetime (k/sec): (4389569/621)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
current_peer 112.16.17.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.17.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x52EA15A0(1391072672)
inbound esp sas:
spi: 0x393C5104(960254212)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: map3
sa timing: remaining key lifetime (k/sec): (4511004/1896)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x52EA15A0(1391072672)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: map3
sa timing: remaining key lifetime (k/sec): (4511004/1896)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3# sh cry session
Crypto session current status
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 112.16.15.2 port 500
IKE SA: local 112.16.13.2/500 remote 112.16.15.2/500 Active
IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 2, origin: crypto map
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 112.16.17.2 port 500
IKE SA: local 112.16.13.2/500 remote 112.16.17.2/500 Active
IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.70.0/255.255.255.0
Active SAs: 2, origin: crypto map
R3#sh cry ipsec transform-set
Transform set tf10: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
R3#sh cry isakmp key
Keyring Hostname/Address Preshared Key
default 112.16.15.2 xb5
112.16.17.2 xb7
R3#clear crypto isakmp
R3#sh cry isakmp sa
dst src state conn-id slot status
112.16.15.2 112.16.13.2 MM_NO_STATE 1 0 ACTIVE (deleted)
Only after a short while does the table become empty.
(The phase 2 SAs disappear as soon as clear cry sa is entered; the command that clears everything is clear cry session.)
R3#sh cry isakmp sa // phase 1 has been cleared
dst src state conn-id slot status
Once the table is empty, test again:
R3#ping 192.168.50.1 so 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/325/404 ms
Communication is not delayed, because the phase 2 SA (the one toward 192.168.50.1, of course) is still there:
R3#sh cry ipsec sa
interface: Serial0/0
Crypto map tag: map3, local addr 112.16.13.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer 112.16.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.15.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x53DE17B1(1407063985)
inbound esp sas:
spi: 0xEE98D751(4002994001)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: map3
sa timing: remaining key lifetime (k/sec): (4570748/3291)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x53DE17B1(1407063985)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: map3
sa timing: remaining key lifetime (k/sec): (4570748/3290)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Only once the IPsec SAs have been cleared as well does the delay appear:
R3# clea cry sa // clears phase 2
Recall the communication flow of an IPsec VPN tunnel:
If there is no IPsec SA, phase 1 is triggered to create an IKE SA; if one already exists, nothing is triggered and the existing SA is used directly.
Now look at the debug output of the first communication:
R3#de cry isakmp // show phase 1 debug output
Crypto ISAKMP debugging is on
R3#de cry ipsec // show phase 2 debug output
Crypto IPSEC debugging is on
R3#ping 192.168.50.1 so 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
*Mar 1 00:05:24.167: IPSEC(sa_request): , // phase 2 SA lookup
(key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.15.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3BE78437(1005028407), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:05:24.183: ISAKMP: received ke message (1/1) // triggers phase 1
*Mar 1 00:05:24.187: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 1 00:05:24.187: ISAKMP: Created a peer struct for 112.16.15.2, peer port 500
*Mar 1 00:05:24.191: ISAKMP: New peer created peer = 0x64FFBCA4 peer_handle = 0x80000003
*Mar 1 00:05:24.195: ISAKMP: Locking peer struct 0x64FFBCA4, IKE refcount 1 for isakmp_initiator
*Mar 1 00:05:24.195: ISAKMP: local port 500, remote port 500
*Mar 1 00:05:24.199: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:05:24.203: insert sa successfully sa = 64F9CAC8
*Mar 1 00:05:24.203: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:05:24.207: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 112.16.15.2
*Mar 1 00:05:24.215: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 00:05:24.215: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 00:05:24.219: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 00:05:24.223: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:05:24.227: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:05:24.227: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 1 00:05:24.231: ISAKMP:(0:0:N/A:0): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:05:24.775: ISAKMP (0:0): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:05:24.783: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:05:24.787: ISAKMP:(0:0:N/A:0):.Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:05:24.795: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 00:05:24.799: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 00:05:24.799: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:05:24.803: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 00:05:24.807: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 112.16.15.2
*Mar 1 00:05:24.811: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 00:05:24.811: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:05:24.815: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:05:24.819: ISAKMP: encryption 3DES-CBC
*Mar 1 00:05:24.819: ISAKMP: hash MD5
*Mar 1 00:05:24.819: ISAKMP: default group 2
*Mar 1 00:05:24.823: ISAKMP: auth pre-share
*Mar 1 00:05:24.823: ISAKMP: life type in seconds
*Mar 1 00:05:24.827: ISAKMP: life duration (VPI) of 0x0 0x1. 0x51 0x80
*Mar 1 00:05:24.831: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 00:05:24.943: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar 1 00:05:24.947: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:05:24.951: ISAKMP (0:134217730): vendor ID is NAT-T v7
*Mar 1 00:05:24.955: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:05:24.955: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:05:24.987: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 00:05:24.995: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:05:24.995: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:05:25.515: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 00:05:25.523: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*M!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 224/257/292 ms
R3#ar 1 00:05:25.523: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:05:25.535: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 112.16.15.2
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1):SKEYID state generated
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): vendor ID is Unity
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): vendor ID is DPD
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1): speaking to another IOS box!
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:05:25.691: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:05:
R3#25.691: ISAKMP:(0:2:SW:1):Send initial contact
*Mar 1 00:05:25.695: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 00:05:25.699: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 112.16.13.2
protocol : 17
port : 500
length : 12
*Mar 1 00:05:25.707: ISAKMP:(0:2:SW:1):Total payload length: 12
*Mar 1 00:05:25.715: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:05:25.719: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:05:25.723: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:05:26.059: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:05:26.067: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
*Mar 1 00:05:26.071: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
R3#
address : 112.16.15.2
protocol : 17
port : 500
length : 12
*Mar 1 00:05:26.079: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
*Mar 1 00:05:26.079: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
*Mar 1 00:05:26.087: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
*Mar 1 00:05:26.091: ISAKMP:(0:2:SW:1):SA has been authenticated with 112.16.15.2
*Mar 1 00:05:26.091: ISAKMP: Trying to insert a peer 112.16.13.2/112.16.15.2/500/, and inserted successfully 64FFBCA4.
*Mar 1 00:05:26.099: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:05:26.099: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:05:26.175: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:05:26.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 00:05:26.175: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:05:2
R3#6.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:05:26.179: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of 81987909
*Mar 1 00:05:26.195: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:05:26.199: ISAKMP:(0:2:SW:1):Node 81987909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 00:05:26.203: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:05:26.207: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 00:05:26.211: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:05:26.635: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 00:05:26.647: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 81987909
*Mar 1 00:05:26.651: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 81987909
*Mar 1 00:05:26.655: ISAKMP:(0:2:SW:1)
R3#:Checking IPSec proposal 1
*Mar 1 00:05:26.655: ISAKMP: transform 1, ESP_3DES
*Mar 1 00:05:26.659: ISAKMP: attributes in transform:
*Mar 1 00:05:26.659: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 00:05:26.663: ISAKMP: SA life type in seconds
*Mar 1 00:05:26.663: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:05:26.667: ISAKMP: SA life type in kilobytes
*Mar 1 00:05:26.667: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:05:26.671: ISAKMP: authenticator is HMAC-MD5
*Mar 1 00:05:26.675: ISAKMP:(0:2:SW:1):atts are acceptable.
*Mar 1 00:05:26.679: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.15.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x
R3#2
*Mar 1 00:05:26.691: Crypto mapdb : proxy_match
src addr : 192.168.30.0
dst addr : 192.168.50.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 00:05:26.699: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 81987909
*Mar 1 00:05:26.703: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 81987909
*Mar 1 00:05:26.707: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 81987909
*Mar 1 00:05:26.719: ISAKMP: Locking peer struct 0x64FFBCA4, IPSEC refcount 1 for for stuff_ke
*Mar 1 00:05:26.723: ISAKMP:(0:2:SW:1): Creating IPSec SAs
*Mar 1 00:05:26.723: inbound SA from 112.16.15.2 to 112.16.13.2 (f/i) 0/ 0
(proxy 192.168.50.0 to 192.168.30.0)
*Mar 1 00:05:26.731: has spi 0x3BE78437 and conn_id 0 and flags 2
*Mar 1 00:05:26.731: lifetime of 3600 seconds
*Mar 1 00:05:26.735: lifetime of 4608000 kilobytes
*Mar 1 00:05:26.735: has client flags 0x0
*Mar 1 00:05:26.735:
R3#outbound SA from 112.16.13.2 to 112.16.15.2 (f/i) 0/0
(proxy 192.168.30.0 to 192.168.50.0)
*Mar 1 00:05:26.739: has spi 1320439935 and conn_id 0 and flags A
*Mar 1 00:05:26.743: lifetime of 3600 seconds
*Mar 1 00:05:26.743: lifetime of 4608000 kilobytes
*Mar 1 00:05:26.747: has client flags 0x0
*Mar 1 00:05:26.751: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:05:26.759: ISAKMP:(0:2:SW:1):deleting node 81987909 error FALSE reason "No Error"
*Mar 1 00:05:26.763: ISAKMP:(0:2:SW:1):Node 81987909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:05:26.763: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:05:26.771: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar 1 00:05:26.775: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.15.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0
R3#(type=4),
remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3BE78437(1005028407), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:05:26.787: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.15.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x4EB4507F(1320439935), conn_id= 0, keysize= 0, flags= 0xA
*Mar 1 00:05:26.799: Crypto mapdb : proxy_match
src addr : 192.168.30.0
dst addr : 192.168.50.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 00:05:26.803: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 112.16.15.2
*Mar 1 00:05:26.807: IPSec: Flow_switching Allocated flow for sibli
R3#ng 80000003
*Mar 1 00:05:26.811: IPSEC(policy_db_add_ident): src 192.168.30.0, dest 192.168.50.0, dest_port 0
*Mar 1 00:05:26.815: ISAKMP: Locking peer struct 0x64FFBCA4, IPSEC refcount 2 for from create_transforms
*Mar 1 00:05:26.819: IPSEC(create_sa): sa created,
(sa) sa_dest= 112.16.13.2, sa_proto= 50,
sa_spi= 0x3BE78437(1005028407),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003
*Mar 1 00:05:26.823: IPSEC(create_sa): sa created,
(sa) sa_dest= 112.16.15.2, sa_proto= 50,
sa_spi= 0x4EB4507F(1320439935),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
*Mar 1 00:05:26.831: ISAKMP: Unlocking IPSEC struct 0x64FFBCA4 from create_transforms, count 1
R3#
R3#clear cry sa // clears the phase 2 SAs, keeping only the phase 1 SA
R3#debug cry ipsec
R3# ping 192.168.70.1 so 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
*Mar 1 00:28:20.959: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.17.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xE91C1B2B(3910933291), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:28:21.723: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.17.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:28:21.739: Crypto mapdb : proxy_match
src addr : 192.168.30.0
dst addr : 192.168.70.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 00:28:.21.767: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar 1 00:28:21.767: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.17.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xE91C1B2B(3910933291), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:28:21.779: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.17.2,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xA698B6E1(2795026145), conn_id= 0, keysize= 0, flags= 0xA
*Mar 1 00:28:21.791: Crypto mapdb : proxy_match
src addr : 192.168.30.0
dst addr : 192.168.70.0
protoco!!l : 0
src port : 0
dst port : 0
*Mar 1 00:28:21.799: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 112.16.17.2
*Mar 1 00:28:21.799: IPSec: Flow_switching Allocated flow for sibling 80000006
*Mar 1 00:28:21.803: IPSEC(policy_db_add_ident): src 192.168.30.0, dest 192.168.70.0, dest_port 0
*Mar 1 00:28:21.807: IPSEC(create_sa): sa created,
(sa) sa_dest= 112.16.13.2, sa_proto= 50,
sa_spi= 0xE91C1B2B(3910933291),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003
*Mar 1 00:28:21.815: IPSEC(create_sa): sa created,
(sa) sa_dest= 112.16.17.2, sa_proto= 50,
sa_spi= 0xA698B6E1(2795026145),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 400/606/972 ms
R3#
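The two debug captures above are long and, as the interleaved ping output shows, hard to read on a console. The following added example (not part of the lab notes) walks "debug crypto isakmp" / "debug crypto ipsec" output in order and reports how far the negotiation got, using the lab's pairing of main-mode messages (1-2 policy, 3-4 DH, 5-6 authentication) to turn the last initiator state into a troubleshooting hint: an odd initiator state means our message went out and the peer's reply never arrived. The sample lines are constructed from the shapes seen in the captures above; the peer address and timestamps are placeholders.

```python
"""
Summarise ISAKMP/IPsec debug output into "how far did phase 1 / phase 2 get".
Added example; not code from the original lab. Sample log lines are constructed
after the shapes of the lab's captures (addresses and times are placeholders).
"""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
CREATE_SA_RE = re.compile(r"IPSEC\(create_sa\): sa created")

# Initiator states after *sending* a main-mode message (MM1, MM3, MM5) or the first
# quick-mode message (QM1); stalling there means the peer's reply never came.
WAITING_HINT = {
    "IKE_I_MM1": "message 1 sent, no reply: check reachability to the peer, "
                 "that the crypto map is applied on the interface, and the peer address",
    "IKE_I_MM3": "message 3 sent, no reply: the DH/nonce exchange did not complete",
    "IKE_I_MM5": "message 5 sent, no reply: the peer could not authenticate us "
                 "(is the pre-shared key consistent on both sides?)",
    "IKE_QM_I_QM1": "quick mode message 1 sent, no reply: check ACL mirroring, "
                    "the transform set and the peer address",
}


def summarize(log: str) -> dict:
    """Walk the debug output in order and report the furthest state reached."""
    result = {"p1_state": None, "p2_state": None, "authenticated_with": None,
              "phase1_complete": False, "phase2_complete": False,
              "ipsec_sas": 0, "hint": None}
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            new_state = m[2]
            if new_state.startswith("IKE_QM_"):      # quick-mode (phase 2) state machine
                result["p2_state"] = new_state
            else:                                     # main-mode (phase 1) state machine
                result["p1_state"] = new_state
            if new_state == "IKE_P1_COMPLETE":
                result["phase1_complete"] = True
            elif new_state == "IKE_QM_PHASE2_COMPLETE":
                result["phase2_complete"] = True
        elif m := AUTH_RE.search(line):
            result["authenticated_with"] = m[1]
        elif CREATE_SA_RE.search(line):               # one line per IPsec SA (inbound + outbound)
            result["ipsec_sas"] += 1
    if not result["phase1_complete"]:
        result["hint"] = WAITING_HINT.get(result["p1_state"],
                                          "phase 1 never started: was the negotiation triggered by matching traffic?")
    elif not result["phase2_complete"]:
        result["hint"] = WAITING_HINT.get(result["p2_state"], "phase 2 incomplete; see p2_state")
    return result


# Constructed sample: a complete main-mode + quick-mode run, as an initiator would log it.
FULL_LOG = """\
*Mar  1 00:05:24.227: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:05:24.787: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 00:05:24.995: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 00:05:25.523: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 00:05:25.723: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 00:05:26.091: ISAKMP:(0:2:SW:1):SA has been authenticated with 112.16.15.2
*Mar  1 00:05:26.099: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 00:05:26.203: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:05:26.763: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 00:05:26.819: IPSEC(create_sa): sa created,
*Mar  1 00:05:26.823: IPSEC(create_sa): sa created,
"""

# Constructed sample: the same run cut off after message 5 went out and nothing came back.
STALLED_LOG = "\n".join(FULL_LOG.splitlines()[:5])

if __name__ == "__main__":
    print("complete:", summarize(FULL_LOG))
    print("stalled: ", summarize(STALLED_LOG))
```

The hints are the same checks the lab's troubleshooting list gives; the parser only tells you which pair of messages to start from, which is the information the raw debug output buries.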
Think about it: R3 needs to know the routes to the 192.168.50.0 and 192.168.70.0 networks, otherwise communication fails, and R5 and R7 likewise must know the route to 192.168.30.0. Why? Meanwhile the intermediate router R1 does not need routes for those networks. Why? Analyze the traffic flow.
Troubleshooting summary:
The phase 1 SA is not established:
- Is the security policy (crypto map) applied on the interface?
- Is there matching traffic to trigger the negotiation?
- Is a pre-shared key configured for the peer, and do the two keys match?
The phase 2 SA is not established:
- Do the ACLs match (mirror each other)?
- Are the security proposals (transform sets) consistent?
- Does the configured tunnel peer address match?
- Is the crypto map applied to the correct interface?
The SAs of both phases are established, but traffic does not pass:
- This is usually caused by an ACL misconfiguration; check that the ACLs are configured as required.
Note: all of the above presupposes sound routing. Routing is the foundation, and a routing problem is itself one of the cases in which the tunnel does not pass traffic.
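Most items on this checklist can be verified by comparing the two peers' configurations before any traffic is sent. The following added example (not the lab's own code) parses constructed IOS-style configuration text modelled on the R3 and R5 configs above and reports the mismatches the checklist asks about: a pre-shared key that is missing or different, transform sets that do not match (the R3-R5 problem described in the lab), ACLs that are not mirrored, crypto map entries that do not point at each other, and a crypto map never applied to an interface. The interface address on R5 and the deliberately wrong esp-des transform set are constructed for the example; phase 1 policy comparison is left out to keep the example short.

```python
"""
Consistency checker for crypto-map style IPsec configuration between two peers.
Added example; not code from the original lab. The configuration text below is
constructed after the lab's R3 / R5 configs (R5's interface address and its
wrong transform set are invented for the example).
"""
import re


def parse_config(text: str) -> dict:
    """Pull the tunnel-relevant pieces out of an IOS-style configuration."""
    site = {"address": None, "psk": {}, "tsets": {}, "acls": {}, "entries": [], "applied": set()}
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            site["psk"][m[2]] = m[1]                       # peer address -> pre-shared key
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            site["tsets"][m[1]] = frozenset(m[2].split())  # name -> set of transforms
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            site["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry = {"map": m[1], "seq": m[2]}             # start of a crypto map entry
            site["entries"].append(entry)
        elif entry and (m := re.match(r"set peer (\S+)", line)):
            entry["peer"] = m[1]
        elif entry and (m := re.match(r"set transform-set (\S+)", line)):
            entry["tset"] = m[1]
        elif entry and (m := re.match(r"match address (\d+)", line)):
            entry["acl"] = m[1]
        elif line.startswith("interface "):
            entry = None                                   # leaving crypto map configuration
        elif m := re.match(r"ip address (\S+) \S+", line):
            site["address"] = m[1]                         # the tunnel endpoint address
        elif m := re.match(r"crypto map (\S+)$", line):
            site["applied"].add(m[1])                      # crypto map bound to an interface
    return site


def check_pair(a_name: str, a: dict, b_name: str, b: dict) -> list:
    """Return the findings for the tunnel between a and b; an empty list means consistent."""
    findings = []
    ea = [e for e in a["entries"] if e.get("peer") == b["address"]]
    eb = [e for e in b["entries"] if e.get("peer") == a["address"]]
    if not ea or not eb:
        return [f"{a_name}<->{b_name}: crypto map entries do not point at each other's address"]
    ea, eb = ea[0], eb[0]
    for name, site, entry in ((a_name, a, ea), (b_name, b, eb)):
        if entry["map"] not in site["applied"]:
            findings.append(f"{name}: crypto map {entry['map']} is not applied to any interface")
    ka, kb = a["psk"].get(b["address"]), b["psk"].get(a["address"])
    if ka is None or kb is None or ka != kb:
        findings.append(f"{a_name}<->{b_name}: pre-shared key missing or different")
    ta, tb = a["tsets"].get(ea.get("tset")), b["tsets"].get(eb.get("tset"))
    if ta != tb:
        findings.append(f"{a_name}<->{b_name}: transform sets differ "
                        f"({sorted(ta or [])} vs {sorted(tb or [])})")
    # The peer's ACL must describe the same flows with source and destination swapped.
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in b["acls"].get(eb.get("acl"), [])}
    for ace in a["acls"].get(ea.get("acl"), []):
        if ace not in mirrored:
            findings.append(f"{a_name}<->{b_name}: ACL entry {ace} on {a_name} is not mirrored on {b_name}")
    return findings


R3_CONFIG = """
crypto isakmp key xb5 address 112.16.15.2
crypto isakmp key xb7 address 112.16.17.2
crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
crypto map map3 10 ipsec-isakmp
 set peer 112.16.15.2
 set transform-set tf10
 match address 105
interface Serial0/0
 ip address 112.16.13.2 255.255.255.252
 crypto map map3
"""

# R5 with the transform-set mismatch the lab ran into (esp-des instead of esp-3des).
R5_MISMATCHED = """
crypto isakmp key xb5 address 112.16.13.2
crypto ipsec transform-set tf10 esp-des esp-md5-hmac
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto map map5 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 105
interface Serial0/0
 ip address 112.16.15.2 255.255.255.252
 crypto map map5
"""
R5_FIXED = R5_MISMATCHED.replace("esp-des esp-md5-hmac", "esp-3des esp-md5-hmac")


def audit(r5_text: str) -> list:
    """Check the R3-R5 tunnel for a given R5 configuration."""
    return check_pair("R3", parse_config(R3_CONFIG), "R5", parse_config(r5_text))


if __name__ == "__main__":
    for label, text in (("mismatched", R5_MISMATCHED), ("fixed", R5_FIXED)):
        print(label + ":", audit(text) or ["consistent"])
```

The checker does not replace the routing check at the end of the summary: both configurations can be perfectly consistent and the tunnel will still not pass traffic if the return route is missing, which is exactly the situation described in the lab.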