IPsec ××× Basic Lab

I. Lab Topology

II. Lab Principles

IKE overview: before IPsec can protect an IP packet, a security association (SA) must exist. An SA can be created manually or established dynamically; Internet Key Exchange (IKE) is the protocol used to establish SAs dynamically.

The essence of IKE: through a series of data exchanges, the two communicating parties each end up computing a shared key, and even if a third party such as *** intercepts all of the data the two sides exchanged to compute that key, it is still not enough to compute the real key. The core technique is the Diffie-Hellman (DH) exchange.

IKE uses ISAKMP in two phases.

Phase 1: establish the IKE security association
  (produces 1 IKE SA)

  Specifically: set up a confidential and authenticated communication channel (the IKE SA) together with authenticated keys, which provide confidentiality, message integrity and data-origin authentication for the IKE traffic between the two sides.

  (This must be completed before any other exchange, such as the phase 2 exchange or informational exchanges; those exchanges run under the protection of the SA established in phase 1.)

  How SKEYID is generated depends on which authentication method was negotiated. The authentication method determines how payloads are exchanged and when.

  The authentication methods in common use today are:
  1) pre-shared key
  2) a digital signature produced with the Digital Signature Algorithm (DSA)

Phase 2: use the SA established in phase 1 to negotiate the specific SAs for IPsec.
  (produces 2 IPsec SAs)

Phase 1 has two exchange modes: main mode and aggressive mode.

Main mode consists of three exchanges using 6 messages in total, at the end of which the IKE SA is established.
These three exchanges are:
1) policy negotiation   (policy)          messages 1-2 (one out, one back)
2) DH and nonce exchange (DH)             messages 3-4
3) authentication of the peer (authentication) messages 5-6

  First exchange: the two sides exchange their cookies and SA payloads. The SA payload carries the parameters to be negotiated for the IKE SA, mainly the IKE hash type, the encryption algorithm, the authentication method and the lifetime of the IKE SA.

  After the first exchange: each side generates the DH value used to produce the DH shared secret.

  Second exchange: the key exchange payloads and the nonce payloads are exchanged.

  After the second exchange: all the material needed to compute the keys has now been exchanged, so every key can be computed, and the computed keys are used to protect the subsequent IKE messages.

  Third exchange: the identification payloads and hash payloads are exchanged. The identification payload carries the initiator's identity, an IP address or a hostname. The hash payload carries a hash computed over the three sets of keys produced in the previous step.

Aggressive mode: 3 messages.

Phase 2 has a single exchange mode: quick mode.
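The phase 1 computation described above, carried through with the lab's own policy (pre-shared key, hash md5, group 2), as an added example that is not the lab's code: after messages 3-4 both sides derive SKEYID and the three keys from it, and the HASH payloads of messages 5-6 only verify when both sides hold the same pre-shared key. Cookies, nonces and DH exponents are generated randomly here, and `sa_b` is a constructed stand-in for the SA payload bytes; the key derivation follows RFC 2409.

```python
"""IKEv1 phase 1 key derivation for the lab's policy (pre-shared key, hash md5,
group 2), modelled on RFC 2409. Added example, not the lab's own code: cookies,
nonces and DH exponents are random, and sa_b is a constructed stand-in for the
SA payload bytes carried in messages 1-2."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, "Second Oakley Group" (IOS 'group 2'), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 'prf': HMAC keyed with the negotiated hash (md5 in this lab)."""
    return hmac.new(key, data, hashlib.md5).digest()


def i2b(x: int) -> bytes:
    """Big-endian encoding of a group-2 DH value (128 bytes)."""
    return x.to_bytes(128, "big")


class Peer:
    """One IKE endpoint: its configured PSK, ID_IPV4_ADDR identity, cookie, DH pair, nonce."""

    def __init__(self, psk: str, ident: str):
        self.psk = psk.encode()
        self.id_b = ident.encode()
        self.cookie = secrets.token_bytes(8)            # ISAKMP cookie, messages 1-2
        self.x = secrets.randbelow(GROUP2_P - 2) + 1    # private DH exponent
        self.gx = pow(GROUP2_G, self.x, GROUP2_P)       # KE payload, messages 3-4
        self.nonce = secrets.token_bytes(16)            # NONCE payload, messages 3-4

    def derive(self, peer_gx: int, cky_i: bytes, cky_r: bytes, ni: bytes, nr: bytes) -> dict:
        """All key material is in hand once messages 3-4 are done (RFC 2409 section 5.4)."""
        gxy = i2b(pow(peer_gx, self.x, GROUP2_P))        # DH shared secret g^xy
        skeyid = prf(self.psk, ni + nr)                   # pre-shared-key form of SKEYID
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # feeds IPsec SA keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # IKE integrity key
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # IKE encryption key
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def session_keys(i: Peer, r: Peer) -> tuple:
    """Both sides derive their key set from the exchanged cookies, KE and NONCE payloads."""
    ki = i.derive(r.gx, i.cookie, r.cookie, i.nonce, r.nonce)
    kr = r.derive(i.gx, i.cookie, r.cookie, i.nonce, r.nonce)
    return ki, kr


def main_mode(i: Peer, r: Peer, sa_b: bytes = b"3des/md5/pre-share/group2/86400") -> bool:
    """Messages 5-6: each side sends ID + HASH; True if both hashes verify on the other side."""
    ki, kr = session_keys(i, r)
    # HASH_I / HASH_R bind the DH values, cookies, proposal and identity to SKEYID,
    # which only a holder of the same PSK can compute, so a PSK mismatch fails here.
    hash_i = prf(ki["SKEYID"], i2b(i.gx) + i2b(r.gx) + i.cookie + r.cookie + sa_b + i.id_b)
    hash_i_check = prf(kr["SKEYID"], i2b(i.gx) + i2b(r.gx) + i.cookie + r.cookie + sa_b + i.id_b)
    hash_r = prf(kr["SKEYID"], i2b(r.gx) + i2b(i.gx) + r.cookie + i.cookie + sa_b + r.id_b)
    hash_r_check = prf(ki["SKEYID"], i2b(r.gx) + i2b(i.gx) + r.cookie + i.cookie + sa_b + r.id_b)
    return hmac.compare_digest(hash_i, hash_i_check) and hmac.compare_digest(hash_r, hash_r_check)


def run_lab(psk_r3: str, psk_r5: str) -> bool:
    """R3 (112.16.13.2) initiates to R5 (112.16.15.2) with the key each side has configured."""
    return main_mode(Peer(psk_r3, "112.16.13.2"), Peer(psk_r5, "112.16.15.2"))


if __name__ == "__main__":
    print("matching keys xb5/xb5 authenticate:", run_lab("xb5", "xb5"))
    print("mismatched keys xb5/xb7 authenticate:", run_lab("xb5", "xb7"))
```

On a real router the mismatch shows up slightly earlier, because message 5 is already encrypted under SKEYID_e and cannot be decrypted by a peer with a different PSK; the outcome is the same failed phase 1.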

Lab 1:

1. IPsec architecture

Security protocols
 responsible for protecting the data
 AH/ESP

Modes of operation
 transport mode: end-to-end protection
 tunnel mode: site-to-site protection

Key management
 manually configured keys
 keys negotiated through IKE

2. IPsec SA

SA (Security Association)
Uniquely identified by the triple (SPI, destination IP address, security protocol identifier)
Determines how a packet is processed
 protocol, algorithm, key
Every IPsec SA is unidirectional
Established manually or generated by IKE negotiation
SPD (Security Policy Database)
SAD (Security Association Database)

3. Relationship between IKE and IPsec

IKE provides IPsec with automatic key negotiation and SA establishment
The IPsec security protocols provide the actual security services

4. The two phases of IKE negotiation

Phase 1
 Establishes an IKE SA on the network, which protects the phase 2 negotiation
 Main Mode and Aggressive Mode (Cisco calls the latter 積極模式)

Phase 2
 Negotiates the IPsec SAs under the protection of the IKE SA built in phase 1
 Quick Mode

Phase 1: the 6 IKE packets (main mode) produce 1 IKE SA
1-2: policy
3-4: DH
5-6: authentication

Phase 2: produces two IPsec SAs (quick mode)


R3(config-isakmp)#?    

ISAKMP commands:

 authentication  Set authentication method for protection suite

 default         Set a command to its defaults

 encryption      Set encryption algorithm for protection suite

 exit            Exit from ISAKMP protection suite configuration mode

 group           Set the Diffie-Hellman group

 hash            Set hash algorithm for protection suite

 lifetime        Set lifetime for ISAKMP security association

 no              Negate a command or set its defaults


R3(config)#crypto isakmp ide

R3(config)#crypto isakmp identity ?

 address   Use the IP address of the interface for the identity

 dn        Use the distinguished name of the router cert for the identity

 hostname  Use the hostname of the router for the identity


R3(config)#crypto map map3 ?

 <1-65535>       Sequence to insert into crypto map entry

 client          Specify client configuration settings

 isakmp          Specify isakmp configuration settings

 isakmp-profile  Specify isakmp profile to use

 local-address   Interface to use for local address for this crypto map

 redundancy      High availability options for this map



III. Lab Steps

Doing this lab, I found out how important routing is: most of the later problems were caused by routing not being set up properly.

R3:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address

crypto isakmp key xb5 address 112.16.15.2
crypto isakmp key xb7 address 112.16.17.2

crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel

access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 107 permit ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255

crypto map map3 10 ipsec-isakmp
 set peer 112.16.15.2
 set transform-set tf10
 match address 105
crypto map map3 20 ipsec-isakmp
 set peer 112.16.17.2
 set transform-set tf10
 match address 107

interface Serial0/0
 ip address 112.16.13.2 255.255.255.252
 crypto map map3

ip route 0.0.0.0 0.0.0.0 112.16.13.1  // very important!!! ensures reachability


R5:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address

crypto isakmp key xb5 address 112.16.13.2

crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel

access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255

crypto map map5 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 105

interface Serial0/0
 crypto map map5

ip route 0.0.0.0 0.0.0.0 112.16.15.1


R7:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address

crypto isakmp key xb7 address 112.16.13.2

crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
 mode tunnel

access-list 107 permit ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255

crypto map map7 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 107

interface Serial0/0
 crypto map map7

ip route 0.0.0.0 0.0.0.0 112.16.17.1


Troubleshooting!:

When the phase 1 negotiation fails, work through the following:

R3#sh crypto isakmp sa

dst             src             state          conn-id slot status

Is the security policy applied to the interface?
Is there matching traffic to trigger it?
Is a pre-shared key configured for the peer, and do the keys on both sides match?

It turned out there was no route to the peer, so on R3 I added

ip route 0.0.0.0 0.0.0.0 112.16.13.1

and the phase 1 negotiation then succeeded:

R3#sh crypto isakmp sa

dst             src             state          conn-id slot status

112.16.17.2     112.16.13.2     QM_IDLE              2    0 ACTIVE

The result above only appears once traffic passes through to trigger it!!

R3#ping 192.168.70.1 source 192.168.30.1

But between R3 and R5 nothing was triggered; the transform sets turned out to be inconsistent, and after changing them it worked. But with both phase 1 and phase 2 negotiated successfully, why was communication still impossible?

When the SAs of both phases are established but there is no communication, the cause is usually an incorrectly configured ACL!

After checking, the ACL turned out to be fine; what I found was that the routing was incomplete: there was a route out, but no route back! A route in the outbound direction is enough to trigger both phases and build the SAs, but the missing return route breaks communication!!!

ip route 0.0.0.0 0.0.0.0 112.16.15.1

ip route 0.0.0.0 0.0.0.0 112.16.17.1

After that it worked:

R3#ping 192.168.50.1 source 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 304/570/672 ms

R3#ping 192.168.70.1 source 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 384/524/672 ms



R3#sh crypto isakmp sa

dst             src             state          conn-id slot status

112.16.17.2     112.16.13.2     QM_IDLE              2    0 ACTIVE

112.16.15.2     112.16.13.2     QM_IDLE              1    0 ACTIVE


R3#sh cry

R3#sh crypto ipsec sa


interface: Serial0/0

   Crypto map tag: map3, local addr 112.16.13.2


  protected vrf: (none)

  local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

  remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

  current_peer 112.16.15.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14

   #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 1, #recv errors 0


    local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.15.2

    path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

    current outbound spi: 0x2EA78F2B(782733099)


    inbound esp sas:

     spi: 0x8230FDE8(2184248808)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2001, flow_id: SW:1, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4389570/622)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:

     spi: 0x2EA78F2B(782733099)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2002, flow_id: SW:2, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4389569/621)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    outbound ah sas:


    outbound pcp sas:


  protected vrf: (none)

  local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

  remote ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)

  current_peer 112.16.17.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

   #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 2, #recv errors 0


    local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.17.2

    path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

    current outbound spi: 0x52EA15A0(1391072672)


    inbound esp sas:

     spi: 0x393C5104(960254212)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2003, flow_id: SW:3, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4511004/1896)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:

     spi: 0x52EA15A0(1391072672)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2004, flow_id: SW:4, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4511004/1896)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    outbound ah sas:


    outbound pcp sas:


R3#   sh cry session

Crypto session current status


Interface: Serial0/0

Session status: UP-ACTIVE    

Peer: 112.16.15.2 port 500

 IKE SA: local 112.16.13.2/500 remote 112.16.15.2/500 Active

 IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.50.0/255.255.255.0

       Active SAs: 2, origin: crypto map


Interface: Serial0/0

Session status: UP-ACTIVE    

Peer: 112.16.17.2 port 500

 IKE SA: local 112.16.13.2/500 remote 112.16.17.2/500 Active

 IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.70.0/255.255.255.0

       Active SAs: 2, origin: crypto map


R3#sh cry ipsec transform-set

Transform set tf10: { esp-3des esp-md5-hmac  }

  will negotiate = { Tunnel,  },


R3#sh cry isakmp key

Keyring               Hostname/Address                   Preshared Key


default               112.16.15.2                        xb5

                     112.16.17.2                        xb7



R3#clear crypto isakmp


R3#sh cry isakmp sa

dst             src             state          conn-id slot status

112.16.15.2     112.16.13.2     MM_NO_STATE          1    0 ACTIVE (deleted)



Only after a short while is the table empty.

(The phase 2 SAs are gone the moment `clear cry sa` is entered; the command that clears everything is `clear cry session`.)

R3#sh cry isakmp sa // phase 1 cleared

dst             src             state          conn-id slot status

Once it is empty, test again:

R3#ping 192.168.50.1 so 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 212/325/404 ms


Communication is not delayed, because the phase 2 SA (the one toward 192.168.50.1, of course) still exists:

R3#sh cry ipsec sa


interface: Serial0/0

   Crypto map tag: map3, local addr 112.16.13.2


  protected vrf: (none)

  local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

  remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

  current_peer 112.16.15.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

   #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 2, #recv errors 0


    local crypto endpt.: 112.16.13.2, remote crypto endpt.: 112.16.15.2

    path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

    current outbound spi: 0x53DE17B1(1407063985)


    inbound esp sas:

     spi: 0xEE98D751(4002994001)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2006, flow_id: SW:6, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4570748/3291)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:

     spi: 0x53DE17B1(1407063985)

       transform: esp-3des esp-md5-hmac ,

       in use settings ={Tunnel, }

       conn id: 2003, flow_id: SW:3, crypto map: map3

       sa timing: remaining key lifetime (k/sec): (4570748/3290)

       IV size: 8 bytes

       replay detection support: Y

       Status: ACTIVE


    outbound ah sas:


    outbound pcp sas:


Only when the IPsec SA has also been cleared is there a delay.

R3# clea cry sa // clears phase 2

Recall how communication through the IPsec ××× tunnel proceeds:

If there is no IPsec SA, phase 1 is triggered to create the IKE SA; if one exists, nothing is triggered and it is used directly.

Now look at the debug output from the first communication:

R3#de cry isakmp // phase 1 debug output

Crypto ISAKMP debugging is on

R3#de cry ipsec // phase 2 debug output

Crypto IPSEC debugging is on

R3#ping 192.168.50.1 so 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1


*Mar  1 00:05:24.167: IPSEC(sa_request): ,  // phase 2 SA lookup

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x3BE78437(1005028407), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 00:05:24.183: ISAKMP: received ke message (1/1)   // phase 1 triggered

*Mar  1 00:05:24.187: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

*Mar  1 00:05:24.187: ISAKMP: Created a peer struct for 112.16.15.2, peer port 500

*Mar  1 00:05:24.191: ISAKMP: New peer created peer = 0x64FFBCA4 peer_handle = 0x80000003

*Mar  1 00:05:24.195: ISAKMP: Locking peer struct 0x64FFBCA4, IKE refcount 1 for isakmp_initiator

*Mar  1 00:05:24.195: ISAKMP: local port 500, remote port 500

*Mar  1 00:05:24.199: ISAKMP: set new node 0 to QM_IDLE      

*Mar  1 00:05:24.203: insert sa successfully sa = 64F9CAC8

*Mar  1 00:05:24.203: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

*Mar  1 00:05:24.207: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 112.16.15.2

*Mar  1 00:05:24.215: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

*Mar  1 00:05:24.215: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*Mar  1 00:05:24.219: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*Mar  1 00:05:24.223: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  1 00:05:24.227: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1


*Mar  1 00:05:24.227: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*Mar  1 00:05:24.231: ISAKMP:(0:0:N/A:0): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:05:24.775: ISAKMP (0:0): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Mar  1 00:05:24.783: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 00:05:24.787: ISAKMP:(0:0:N/A:0):.Old State = IKE_I_MM1  New State = IKE_I_MM2


*Mar  1 00:05:24.795: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Mar  1 00:05:24.799: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar  1 00:05:24.799: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 00:05:24.803: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar  1 00:05:24.807: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 112.16.15.2

*Mar  1 00:05:24.811: ISAKMP:(0:0:N/A:0): local preshared key found

*Mar  1 00:05:24.811: ISAKMP : Scanning profiles for xauth ...

*Mar  1 00:05:24.815: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Mar  1 00:05:24.819: ISAKMP:      encryption 3DES-CBC

*Mar  1 00:05:24.819: ISAKMP:      hash MD5

*Mar  1 00:05:24.819: ISAKMP:      default group 2

*Mar  1 00:05:24.823: ISAKMP:      auth pre-share

*Mar  1 00:05:24.823: ISAKMP:      life type in seconds

*Mar  1 00:05:24.827: ISAKMP:      life duration (VPI) of  0x0 0x1. 0x51 0x80

*Mar  1 00:05:24.831: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Mar  1 00:05:24.943: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:24.947: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 00:05:24.951: ISAKMP (0:134217730): vendor ID is NAT-T v7

*Mar  1 00:05:24.955: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 00:05:24.955: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2


*Mar  1 00:05:24.987: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar  1 00:05:24.995: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 00:05:24.995: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3


*Mar  1 00:05:25.515: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_SA_SETUP

*Mar  1 00:05:25.523: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*M!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 224/257/292 ms

R3#ar  1 00:05:25.523: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4


*Mar  1 00:05:25.535: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 112.16.15.2

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):SKEYID state generated

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): vendor ID is Unity

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): vendor ID is DPD

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): processing vendor id payload

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1): speaking to another IOS box!

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 00:05:25.691: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4


*Mar  1 00:05:

R3#25.691: ISAKMP:(0:2:SW:1):Send initial contact

*Mar  1 00:05:25.695: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar  1 00:05:25.699: ISAKMP (0:134217730): ID payload

       next-payload : 8

       type         : 1

       address      : 112.16.13.2

       protocol     : 17

       port         : 500

       length       : 12

*Mar  1 00:05:25.707: ISAKMP:(0:2:SW:1):Total payload length: 12

*Mar  1 00:05:25.715: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar  1 00:05:25.719: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 00:05:25.723: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5


*Mar  1 00:05:26.059: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Mar  1 00:05:26.067: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0

*Mar  1 00:05:26.071: ISAKMP (0:134217730): ID payload

       next-payload : 8

       type         : 1

R3#

       address      : 112.16.15.2

       protocol     : 17

       port         : 500

       length       : 12

*Mar  1 00:05:26.079: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles

*Mar  1 00:05:26.079: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0

*Mar  1 00:05:26.087: ISAKMP:(0:2:SW:1):SA authentication status:

       authenticated

*Mar  1 00:05:26.091: ISAKMP:(0:2:SW:1):SA has been authenticated with 112.16.15.2

*Mar  1 00:05:26.091: ISAKMP: Trying to insert a peer 112.16.13.2/112.16.15.2/500/,  and inserted successfully 64FFBCA4.

*Mar  1 00:05:26.099: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 00:05:26.099: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6


*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6


*Mar  1 00:05:26.175: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 00:05:2

R3#6.175: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE


*Mar  1 00:05:26.179: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of 81987909

*Mar  1 00:05:26.195: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) QM_IDLE      

*Mar  1 00:05:26.199: ISAKMP:(0:2:SW:1):Node 81987909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar  1 00:05:26.203: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Mar  1 00:05:26.207: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  1 00:05:26.211: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Mar  1 00:05:26.635: ISAKMP (0:134217730): received packet from 112.16.15.2 dport 500 sport 500 Global (I) QM_IDLE      

*Mar  1 00:05:26.647: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 81987909

*Mar  1 00:05:26.651: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 81987909

*Mar  1 00:05:26.655: ISAKMP:(0:2:SW:1)

R3#:Checking IPSec proposal 1

*Mar  1 00:05:26.655: ISAKMP: transform 1, ESP_3DES

*Mar  1 00:05:26.659: ISAKMP:   attributes in transform:

*Mar  1 00:05:26.659: ISAKMP:      encaps is 1 (Tunnel)

*Mar  1 00:05:26.663: ISAKMP:      SA life type in seconds

*Mar  1 00:05:26.663: ISAKMP:      SA life duration (basic) of 3600

*Mar  1 00:05:26.667: ISAKMP:      SA life type in kilobytes

*Mar  1 00:05:26.667: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar  1 00:05:26.671: ISAKMP:      authenticator is HMAC-MD5

*Mar  1 00:05:26.675: ISAKMP:(0:2:SW:1):atts are acceptable.

*Mar  1 00:05:26.679: IPSEC(validate_proposal_request): proposal part #1,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x

R3#2

*Mar  1 00:05:26.691: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.50.0

       protocol     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:05:26.699: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 81987909

*Mar  1 00:05:26.703: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 81987909

*Mar  1 00:05:26.707: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 81987909

*Mar  1 00:05:26.719: ISAKMP: Locking peer struct 0x64FFBCA4, IPSEC refcount 1 for for stuff_ke

*Mar  1 00:05:26.723: ISAKMP:(0:2:SW:1): Creating IPSec SAs

*Mar  1 00:05:26.723:         inbound SA from 112.16.15.2 to 112.16.13.2 (f/i)  0/ 0

       (proxy 192.168.50.0 to 192.168.30.0)

*Mar  1 00:05:26.731:         has spi 0x3BE78437 and conn_id 0 and flags 2

*Mar  1 00:05:26.731:         lifetime of 3600 seconds

*Mar  1 00:05:26.735:         lifetime of 4608000 kilobytes

*Mar  1 00:05:26.735:         has client flags 0x0

*Mar  1 00:05:26.735:        

R3#outbound SA from 112.16.13.2 to 112.16.15.2 (f/i) 0/0

       (proxy 192.168.30.0 to 192.168.50.0)

*Mar  1 00:05:26.739:         has spi 1320439935 and conn_id 0 and flags A

*Mar  1 00:05:26.743:         lifetime of 3600 seconds

*Mar  1 00:05:26.743:         lifetime of 4608000 kilobytes

*Mar  1 00:05:26.747:         has client flags 0x0

*Mar  1 00:05:26.751: ISAKMP:(0:2:SW:1): sending packet to 112.16.15.2 my_port 500 peer_port 500 (I) QM_IDLE      

*Mar  1 00:05:26.759: ISAKMP:(0:2:SW:1):deleting node 81987909 error FALSE reason "No Error"

*Mar  1 00:05:26.763: ISAKMP:(0:2:SW:1):Node 81987909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  1 00:05:26.763: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

*Mar  1 00:05:26.771: IPSEC(key_engine): got a queue event with 2 kei messages

*Mar  1 00:05:26.775: IPSEC(initialize_sas): ,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0

R3#(type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x3BE78437(1005028407), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:05:26.787: IPSEC(initialize_sas): ,

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.15.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x4EB4507F(1320439935), conn_id= 0, keysize= 0, flags= 0xA

*Mar  1 00:05:26.799: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.50.0

       protocol     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:05:26.803: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 112.16.15.2

*Mar  1 00:05:26.807: IPSec: Flow_switching Allocated flow for sibli

R3#ng 80000003

*Mar  1 00:05:26.811: IPSEC(policy_db_add_ident): src 192.168.30.0, dest 192.168.50.0, dest_port 0


*Mar  1 00:05:26.815: ISAKMP: Locking peer struct 0x64FFBCA4, IPSEC refcount 2 for from create_transforms

*Mar  1 00:05:26.819: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.13.2, sa_proto= 50,

   sa_spi= 0x3BE78437(1005028407),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003

*Mar  1 00:05:26.823: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.15.2, sa_proto= 50,

   sa_spi= 0x4EB4507F(1320439935),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004

*Mar  1 00:05:26.831: ISAKMP: Unlocking IPSEC struct 0x64FFBCA4 from create_transforms, count 1

R3#




R3#clear cry sa // clears the phase 2 SAs, keeping only the phase 1 SA

R3#debug cry ipsec

R3# ping 192.168.70.1 so 192.168.30.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1


*Mar  1 00:28:20.959: IPSEC(sa_request): ,

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xE91C1B2B(3910933291), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 00:28:21.723: IPSEC(validate_proposal_request): proposal part #1,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:28:21.739: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.70.0

       protocol     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:28:.21.767: IPSEC(key_engine): got a queue event with 2 kei messages

*Mar  1 00:28:21.767: IPSEC(initialize_sas): ,

 (key eng. msg.) INBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xE91C1B2B(3910933291), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:28:21.779: IPSEC(initialize_sas): ,

 (key eng. msg.) OUTBOUND local= 112.16.13.2, remote= 112.16.17.2,

   local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),

   remote_proxy= 192.168.70.0/255.255.255.0/0/0 (type=4),

   protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xA698B6E1(2795026145), conn_id= 0, keysize= 0, flags= 0xA

*Mar  1 00:28:21.791: Crypto mapdb : proxy_match

       src addr     : 192.168.30.0

       dst addr     : 192.168.70.0

       protoco!!l     : 0

       src port     : 0

       dst port     : 0

*Mar  1 00:28:21.799: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 112.16.17.2

*Mar  1 00:28:21.799: IPSec: Flow_switching Allocated flow for sibling 80000006

*Mar  1 00:28:21.803: IPSEC(policy_db_add_ident): src 192.168.30.0, dest 192.168.70.0, dest_port 0


*Mar  1 00:28:21.807: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.13.2, sa_proto= 50,

   sa_spi= 0xE91C1B2B(3910933291),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003

*Mar  1 00:28:21.815: IPSEC(create_sa): sa created,

 (sa) sa_dest= 112.16.17.2, sa_proto= 50,

   sa_spi= 0xA698B6E1(2795026145),

   sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 400/606/972 ms

R3#


Something to think about: R3 must know the routes to the 192.168.50.0 and 192.168.70.0 networks or it cannot communicate, and R5 and R7 must likewise know the route to 192.168.30.0. Why? Yet the router in the middle, R1, does not need routes to any of these networks. Why? Analyse the traffic flow.


Summary of the troubleshooting approach:

Phase 1 SA not established:
 Is the security policy applied to the interface?
 Is there matching traffic to trigger it?
 Is a pre-shared key configured for the peer, and do the keys on both sides match?

Phase 2 SA not established:
 Do the ACLs match?
 Are the security proposals consistent?
 Does the configured tunnel peer address match?
 Is it applied to the correct interface?

SAs of both phases established, but no communication:
 Usually caused by an incorrectly configured ACL; check that the ACL configuration meets the requirements.

Note: all of the above presupposes a solid grasp of routing. Routing is the foundation, and a broken route is one of the possible causes.
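The checklist above, turned into a check a defender can run on two routers' running-config excerpts, as an added example that is not the lab's code: it parses the lab's R3 and R5 configs and reports a mismatched pre-shared key, differing transform sets (the R3-R5 failure seen earlier), a `set peer` that points nowhere, or crypto ACLs that are not mirror images. Routing, the lab's main lesson, is not covered. R5's WAN address does not appear in its own snippet, so 112.16.15.2 is assumed from R3's `set peer`.

```python
"""Peer-consistency check for two IOS crypto-map endpoints, following the lab's
troubleshooting checklist: PSK configured for the peer and equal on both sides,
identical transform sets, 'set peer' pointing at the other side's WAN address,
and crypto ACLs that mirror each other. Added example, not the lab's own code.
Configs below are the lab's R3 and R5; R5's WAN address is absent from its
snippet and is assumed to be 112.16.15.2 (taken from R3's 'set peer')."""
from dataclasses import dataclass, field

R3_CFG = """
crypto isakmp key xb5 address 112.16.15.2
crypto isakmp key xb7 address 112.16.17.2
crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 107 permit ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255
crypto map map3 10 ipsec-isakmp
 set peer 112.16.15.2
 set transform-set tf10
 match address 105
crypto map map3 20 ipsec-isakmp
 set peer 112.16.17.2
 set transform-set tf10
 match address 107
"""

R5_CFG = """
crypto isakmp key xb5 address 112.16.13.2
crypto ipsec transform-set tf10 esp-3des esp-md5-hmac
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto map map5 10 ipsec-isakmp
 set peer 112.16.13.2
 set transform-set tf10
 match address 105
"""


@dataclass
class Router:
    wan: str                                   # address the peer names in 'set peer'
    psk: dict = field(default_factory=dict)    # peer address -> pre-shared key
    tsets: dict = field(default_factory=dict)  # transform-set name -> transforms
    acls: dict = field(default_factory=dict)   # ACL number -> [(src, wc, dst, wc), ...]
    maps: list = field(default_factory=list)   # crypto map entries: peer / tset / acl


def parse(cfg: str, wan: str) -> Router:
    """Pull the IPsec-relevant lines out of a running-config excerpt."""
    rt, cur = Router(wan), None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "key"]:
            rt.psk[t[5]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            rt.tsets[t[3]] = tuple(t[4:])
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rt.acls.setdefault(t[1], []).append(tuple(t[4:8]))
        elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
            cur = {}                           # the indented lines that follow belong here
            rt.maps.append(cur)
        elif cur is not None and t[:2] == ["set", "peer"]:
            cur["peer"] = t[2]
        elif cur is not None and t[:2] == ["set", "transform-set"]:
            cur["tset"] = t[2]
        elif cur is not None and t[:2] == ["match", "address"]:
            cur["acl"] = t[2]
    return rt


def check_pair(a: Router, b: Router) -> list:
    """Findings for the a<->b tunnel; an empty list means the checklist passes."""
    ma = next((m for m in a.maps if m.get("peer") == b.wan), None)
    mb = next((m for m in b.maps if m.get("peer") == a.wan), None)
    if ma is None or mb is None:
        return ["no crypto map entry pointing at the other side's WAN address"]
    findings = []
    if b.wan not in a.psk or a.wan not in b.psk:
        findings.append("pre-shared key not configured for the peer address")
    elif a.psk[b.wan] != b.psk[a.wan]:
        findings.append("pre-shared keys differ")
    if a.tsets.get(ma.get("tset")) != b.tsets.get(mb.get("tset")):
        findings.append("transform sets differ (phase 2 proposal mismatch)")
    # The crypto ACL on b must be the mirror image of the crypto ACL on a.
    mirror = {(d, dw, s, sw) for (s, sw, d, dw) in a.acls.get(ma.get("acl"), [])}
    if mirror != set(b.acls.get(mb.get("acl"), [])):
        findings.append("crypto ACLs are not mirror images")
    return findings
```

`check_pair(parse(R3_CFG, "112.16.13.2"), parse(R5_CFG, "112.16.15.2"))` returns an empty list for the lab's final configs; feed it the pre-fix R5 transform set and it reports the phase 2 proposal mismatch.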


