*Dec 4 04:47:48.455: ISAKMP:(0): SA request profile is (NULL)
*Dec 4 04:47:48.459: ISAKMP: Created a peer struct for 192.1.1.1, peer port 500
*Dec 4 04:47:48.459: ISAKMP: New peer created peer = 0x65D3BBB8 peer_handle = 0x80000005
*Dec 4 04:47:48.463: ISAKMP: Locking peer struct 0x65D3BBB8, refcount 1 for isakmp_initiator
*Dec 4 04:47:48.463: ISAKMP: local port 500, remote port 500
*Dec 4 04:47:48.467: ISAKMP: set new node 0 to QM_IDLE
*Dec 4 04:47:48.471: insert sa successfully sa = 65568BD8crypto_isadb_stuff_vrf_instance, isakmp_initiator: sa->f_vrf = 0 sa->i_vrf = 0 sa=0x65568BD8
*Dec 4 04:47:48.475: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 4 04:47:48.479: ISAKMP:(0):found peer pre-shared key matching 192.1.1.1
*Dec 4 04:47:48.479: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Dec 4 04:47:48.479: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Dec 4 04:47:48.479: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Dec 4 04:47:48.479: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 4 04:47:48.479: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Dec 4 04:47:48.479: ISAKMP:(0): beginning Main Mode exchange (the Main Mode exchange begins)
*Dec 4 04:47:48.479: ISAKMP:(0): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 4 04:47:48.491: ISAKMP (0:0): received packet from 192.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Main Mode packets 1 and 2: used to negotiate the peer address and the Phase 1 policy.
*Dec 4 04:47:48.491: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 4 04:47:48.491: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Dec 4 04:47:48.499: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 4 04:47:48.499: ISAKMP:(0): processing vendor id payload
*Dec 4 04:47:48.499: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 4 04:47:48.499: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 4 04:47:48.499: ISAKMP:(0):found peer pre-shared key matching 192.1.1.1
*Dec 4 04:47:48.499: ISAKMP:(0): local preshared key found
The pre-shared key has been found on both sides, but it has not yet been verified.
*Dec 4 04:47:48.499: ISAKMP : Scanning profiles for xauth ...
*Dec 4 04:47:48.499: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Dec 4 04:47:48.499: ISAKMP: encryption DES-CBC
*Dec 4 04:47:48.499: ISAKMP: hash SHA
*Dec 4 04:47:48.503: ISAKMP: default group 2
*Dec 4 04:47:48.503: ISAKMP: auth pre-share
*Dec 4 04:47:48.503: ISAKMP: life type in seconds
*Dec 4 04:47:48.503: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Dec 4 04:47:48.503: ISAKMP:(0):atts are acceptable. Next payload is 0 (Phase 1 policy matched)
*Dec 4 04:47:48.503: ISAKMP:(0): processing vendor id payload
*Dec 4 04:47:48.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 4 04:47:48.503: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 4 04:47:48.503: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 4 04:47:48.503: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Dec 4 04:47:48.503: ISAKMP:(0): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec 4 04:47:48.503: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 4 04:47:48.503: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Dec 4 04:47:48.523: ISAKMP (0:0): received packet from 192.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
These are packets 3 and 4, in which DH is used to distribute the encryption key and the HASH key. Remember that DH uses a public/private key pair to process the pre-shared symmetric key for redistribution. In practice no debug error messages have been seen from the DH algorithm, so there is nothing to check here.
*Dec 4 04:47:48.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 4 04:47:48.531: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Dec 4 04:47:48.535: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 4 04:47:48.559: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 4 04:47:48.559: ISAKMP:(0):found peer pre-shared key matching 192.1.1.1
*Dec 4 04:47:48.559: ISAKMP:(1003): processing vendor id payload
*Dec 4 04:47:48.559: ISAKMP:(1003): vendor ID is Unity
*Dec 4 04:47:48.559: ISAKMP:(1003): processing vendor id payload
*Dec 4 04:47:48.559: ISAKMP:(1003): vendor ID is DPD
*Dec 4 04:47:48.559: ISAKMP:(1003): processing vendor id payload
*Dec 4 04:47:48.559: ISAKMP:(1003): speaking to another IOS box!
*Dec 4 04:47:48.559: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 4 04:47:48.559: ISAKMP:(1003):Old State = IKE_I_MM4 New State = IKE_I_MM4
DH completes here, and the preparation for establishing the management connection is done. Device authentication takes place only after the secure management connection exists.
*Dec 4 04:47:48.559: ISAKMP:(1003):Send initial contact
*Dec 4 04:47:48.559: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 4 04:47:48.559: ISAKMP (0:1003): ID payload
next-payload : 8
type : 1
address : 192.1.1.3
protocol : 17
port : 500
length : 12
The local identity information is sent to the peer, which will run the HASH over it.
*Dec 4 04:47:48.559: ISAKMP:(1003):Total payload length: 12
*Dec 4 04:47:48.563: ISAKMP:(1003): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 4 04:47:48.563: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 4 04:47:48.563: ISAKMP:(1003):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Dec 4 04:47:48.571: ISAKMP (0:1003): received packet from 192.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Packets 5 and 6 are used to authenticate the devices; remember that device authentication is performed with the identity information plus the HASH key.
*Dec 4 04:47:48.571: ISAKMP:(1003): processing ID payload. message ID = 0
*Dec 4 04:47:48.571: ISAKMP (0:1003): ID payload
next-payload : 8
type : 1
address : 192.1.1.1
protocol : 17
port : 500
length : 12
The peer's identity information is received.
*Dec 4 04:47:48.571: ISAKMP:(0):: peer matches *none* of the profilescrypto_isadb_stuff_vrf_instance, crypto_isakmp_assign_profile: sa->f_vrf = 0 sa->i_vrf = 0 sa=0x65568BD8
*Dec 4 04:47:48.571: ISAKMP:(1003): processing HASH payload. message ID = 0
The peer's identity information is extracted and the HASH algorithm is run; "ID = 0" indicates that HASH processing found no error, and the peer's identity is verified successfully.
*Dec 4 04:47:48.571: ISAKMP:(1003):SA authentication status:
authenticated
Device authentication is complete.
*Dec 4 04:47:48.571: ISAKMP:(1003):SA has been authenticated with 192.1.1.1
*Dec 4 04:47:48.571: ISAKMP: Trying to insert a peer 192.1.1.3/192.1.1.1/500/, and inserted successfully 65D3BBB8.
*Dec 4 04:47:48.571: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 4 04:47:48.575: ISAKMP:(1003):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Dec 4 04:47:48.583: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 4 04:47:48.583: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Dec 4 04:47:48.583: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 4 04:47:48.583: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE (Phase 1 complete; moving to Phase 2)
scmIkeTunnelCreate ikeidx:3
*Dec 4 04:47:48.583: scmIkeTunnelCreated: Default context, vdi_ptr=gdi_ptr=1714916048/1714916048
*Dec 4 04:47:48.583: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 1301997138
Phase 2 uses Quick Mode.
*Dec 4 04:47:48.583: ISAKMP:(1003):QM Initiator gets spi
*Dec 4 04:47:48.583: ISAKMP:(1003): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Dec 4 04:47:48.587: ISAKMP:(1003):Node 1301997138, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Dec 4 04:47:48.587: ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Dec 4 04:47:48.587: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 4 04:47:48.587: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Dec 4 04:47:48.599: ISAKMP (0:1003): received packet from 192.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Dec 4 04:47:48.599: ISAKMP:(1003): processing HASH payload. message ID = 1301997138
*Dec 4 04:47:48.599: ISAKMP:(1003): processing SA payload. message ID = 1301997138
*Dec 4 04:47:48.599: ISAKMP:(1003):Checking IPSec proposal 1
*Dec 4 04:47:48.599: ISAKMP: transform 1, ESP_DES
*Dec 4 04:47:48.599: ISAKMP: attributes in transform:
*Dec 4 04:47:48.599: ISAKMP: encaps is 1 (Tunnel)
*Dec 4 04:47:48.599: ISAKMP: SA life type in seconds
*Dec 4 04:47:48.599: ISAKMP: SA life duration (basic) of 3600
*Dec 4 04:47:48.599: ISAKMP: SA life type in kilobytes
*Dec 4 04:47:48.599: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Dec 4 04:47:48.599: ISAKMP: authenticator is HMAC-SHA
*Dec 4 04:47:48.599: ISAKMP:(1003):atts are acceptable. (transform set matched)
*Dec 4 04:47:48.599: ISAKMP:(1003): processing NONCE payload. message ID = 1301997138
*Dec 4 04:47:48.599: ISAKMP:(1003): processing ID payload. message ID = 1301997138
*Dec 4 04:47:48.599: ISAKMP:(1003): processing ID payload. message ID = 1301997138
*Dec 4 04:47:48.599: ISAKMP:(1003): Creating IPSec SAs (creating the SAs)
*Dec 4 04:47:48.599: inbound SA from 192.1.1.1 to 192.1.1.3 (f/i) 0/ 0
(proxy 192.168.1.0 to 10.1.1.0)
*Dec 4 04:47:48.599: has spi 0x18879411 and conn_id 0
*Dec 4 04:47:48.599: lifetime of 3600 seconds
*Dec 4 04:47:48.599: lifetime of 4608000 kilobytes
*Dec 4 04:47:48.599: outbound SA from 192.1.1.3 to 192.1.1.1 (f/i) 0/0
(proxy 10.1.1.0 to 192.168.1.0)
Crypto ACL negotiation succeeded.
*Dec 4 04:47:48.599: has spi 0xDE9946A9 and conn_id 0
*Dec 4 04:47:48.599: lifetime of 3600 seconds
*Dec 4 04:47:48.599: lifetime of 4608000 kilobytes
*Dec 4 04:47:48.599: ISAKMP:(1003): sending packet to 192.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Dec 4 04:47:48.603: ISAKMP:(1003):deleting node 1301997138 error FALSE reason "No Error"
*Dec 4 04:47:48.603: ISAKMP:(1003):Node 1301997138, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 4 04:47:48.603: ISAKMP:(1003):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETEnotify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x66378AD0
scmIpSecTunnelCreated (IKE SA:3) (Phase 2 complete)
...new ipsidx:3
*Dec 4 04:47:48.603: scmIPSecTunnelCreated: Default context, vdi_ptr=gdi_ptr=1714916048/1714916048
*Dec 4 04:48:38.603: ISAKMP:(1003):purging node 1301997138
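Added example, not part of the original post: a small Python triage script that reads debug output in the format shown above, follows the Old State / New State transitions, the two "atts are acceptable" checks, the "SA authentication status:" line (whose verdict is printed on the following line) and the Phase 1 / Phase 2 completion markers, and flags the DES and DH group 2 attributes seen in this negotiation as weak by today's standards. The sample lines are constructed in the shape of the page's log, and the function and key names are my own.

```python
import re

# Constructed sample lines in the shape of the IOS debug output above (not a real capture)
SAMPLE_DEBUG = """\
*Dec 4 04:47:48.479: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Dec 4 04:47:48.499: ISAKMP: encryption DES-CBC
*Dec 4 04:47:48.503: ISAKMP: default group 2
*Dec 4 04:47:48.503: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 4 04:47:48.571: ISAKMP:(1003):SA authentication status:
authenticated
*Dec 4 04:47:48.583: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Dec 4 04:47:48.599: ISAKMP: transform 1, ESP_DES
*Dec 4 04:47:48.599: ISAKMP:(1003):atts are acceptable.
*Dec 4 04:47:48.603: ISAKMP:(1003):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETEnotify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x66378AD0
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
WEAK_ATTRS = {  # attribute strings as IOS prints them, and why a reviewer should flag them
    "encryption DES-CBC": "Phase 1 uses single DES",
    "hash MD5": "Phase 1 uses MD5",
    "default group 1": "DH group 1 (768-bit)",
    "default group 2": "DH group 2 (1024-bit)",
    "ESP_DES": "Phase 2 ESP uses single DES",
}

def analyze_isakmp_debug(text):
    """Walk the debug lines and summarise how far the IKEv1 negotiation got."""
    lines = [ln.strip() for ln in text.splitlines()]
    result = {"transitions": [], "phase1_policy_ok": False, "authenticated": False,
              "phase2_policy_ok": False, "phase1_complete": False, "phase2_complete": False, "weak": []}
    for i, line in enumerate(lines):
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            result["transitions"].append((old, new))
            result["phase1_complete"] |= new == "IKE_P1_COMPLETE"
            # IOS may fuse the next debug line onto the state name, so match the prefix only
            result["phase2_complete"] |= new.startswith("IKE_QM_PHASE2_COMPLETE")
            continue
        if "atts are acceptable" in line:
            # First acceptance is the Phase 1 policy; after P1 completes it is the Phase 2 transform set
            key = "phase2_policy_ok" if result["phase1_complete"] else "phase1_policy_ok"
            result[key] = True
        elif line.endswith("SA authentication status:"):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""  # verdict is on the next line
            result["authenticated"] = nxt == "authenticated"
        result["weak"] += [why for attr, why in WEAK_ATTRS.items() if attr in line]
    return result

def furthest_stage(s):
    """Name the last milestone reached, which is where troubleshooting should start."""
    for flag, name in (("phase2_complete", "phase2-complete"), ("phase1_complete", "phase1-complete"),
                       ("authenticated", "authenticated"), ("phase1_policy_ok", "phase1-policy-matched")):
        if s[flag]:
            return name
    return "no-phase1-policy-match"
```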
Reposted from: https://blog.51cto.com/xuhuihihi/293791
This article records in detail each stage of the Internet Key Exchange version 1 (IKEv1) protocol as it establishes a secure connection, including the Main Mode exchange, the DH key exchange and identity authentication, and shows how the debug output confirms that each stage completed successfully.