IPsec IKEv1 Main Mode Debug Analysis

Network topology

[Network topology diagram: image not included on this page]

IPsec debug analysis

FGT-SH initiates the negotiation and the debug is run on FGT-BJ; the output below is from FGT-BJ.

# diagnose debug application ike -1
# diagnose debug  enable

Packet received from the initiator: main mode message 1
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=2f013665b867de80/0000000000000000 len=572 vrf=0
ike 0: in [hex dump omitted]
ike 0:2f013665b867de80/0000000000000000:2: responder: main mode get 1st message...               
ike 0:2f013665b867de80/0000000000000000:2: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:2f013665b867de80/0000000000000000:2: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:2f013665b867de80/0000000000000000:2: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:2f013665b867de80/0000000000000000:2: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:2f013665b867de80/0000000000000000:2: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:2f013665b867de80/0000000000000000:2: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:2f013665b867de80/0000000000000000:2: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:2f013665b867de80/0000000000000000:2: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:2f013665b867de80/0000000000000000:2: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:2f013665b867de80/0000000000000000:2: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.
ike 0: cache rebuild done

VPN-to-SH has a matching proposal
ike 0:2f013665b867de80/0000000000000000:2: negotiation result
ike 0:2f013665b867de80/0000000000000000:2: proposal id = 1:
ike 0:2f013665b867de80/0000000000000000:2:   protocol id = ISAKMP:
ike 0:2f013665b867de80/0000000000000000:2:      trans_id = KEY_IKE.
ike 0:2f013665b867de80/0000000000000000:2:      encapsulation = IKE/none
ike 0:2f013665b867de80/0000000000000000:2:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:2f013665b867de80/0000000000000000:2:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:2f013665b867de80/0000000000000000:2:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:2f013665b867de80/0000000000000000:2:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:2f013665b867de80/0000000000000000:2: ISAKMP SA lifetime=86400
ike 0:2f013665b867de80/0000000000000000:2: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH: created connection: 0x8272220 10 100.1.1.2->200.1.1.2:500.
ike 0:VPN-to-SH:2: DPD negotiated
ike 0:VPN-to-SH:2: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-to-SH:2: selected NAT-T version: RFC 3947
ike 0:VPN-to-SH:2: cookie 2f013665b867de80/4878dfc8fee0cc14

Packet sent by the responder: main mode message 2, returning the selected proposal
ike 0:VPN-to-SH:2: out 2F013665B867DE804878DFC8FEE0CC140110020000000000000000C00D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-to-SH:2: sent IKE msg (ident_r1send): 100.1.1.2:500->200.1.1.2:500, len=192, vrf=0, id=2f013665b867de80/4878dfc8fee0cc14



Packet received from the initiator: main mode message 3, DH key exchange
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=2f013665b867de80/4878dfc8fee0cc14 len=380 vrf=0
ike 0: in [hex dump omitted]
ike 0:VPN-to-SH:2: responder:main mode get 2nd message...
ike 0:VPN-to-SH:2: received NAT-D payload type 20
ike 0:VPN-to-SH:2: received NAT-D payload type 20
ike 0:VPN-to-SH:2: NAT not detected 
ike 0:VPN-to-SH:2: generate DH public value request queued
ike 0:VPN-to-SH:2: compute DH shared secret request queued

Packet sent by the responder: main mode message 4, DH key exchange
ike 0:VPN-to-SH:2: out [hex dump omitted]
ike 0:VPN-to-SH:2: sent IKE msg (ident_r2send): 100.1.1.2:500->200.1.1.2:500, len=380, vrf=0, id=2f013665b867de80/4878dfc8fee0cc14
ike 0:VPN-to-SH:2: ISAKMP SA 2f013665b867de80/4878dfc8fee0cc14 key 16:161F81D2B495911EF63B98D14AD53392



Packet received from the initiator: main mode message 5
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=2f013665b867de80/4878dfc8fee0cc14 len=108 vrf=0
ike 0: in 2F013665B867DE804878DFC8FEE0CC1405100201000000000000006C300DBBB94A52BF9EBD32DAD36637AF3D01E12599D17FA31C11C0E84769FF94BBB2E2B495567DA5BC9742A711CE425345CA3172FC40E6F780C6D7B5BA7C1335289E087ADE06F7BE1D7049A827E902B778
ike 0:VPN-to-SH:2: responder: main mode get 3rd message...
ike 0:VPN-to-SH:2: dec 2F013665B867DE804878DFC8FEE0CC1405100201000000000000006C0800000C01000000C80101020B00002428BFF5F8227E569BC4138008FEFD2446057302EEE6662B5CED771411A71FFB930000001C00000001011060022F013665B867DE804878DFC8FEE0CC14FE5CDC03
ike 0:VPN-to-SH:2: received p1 notify type INITIAL-CONTACT

Main mode uses the IPv4 address as the identity (ID); pre-shared key authentication succeeded
ike 0:VPN-to-SH:2: peer identifier IPV4_ADDR 200.1.1.2
ike 0:VPN-to-SH:2: PSK authentication succeeded
ike 0:VPN-to-SH:2: authentication OK
ike 0:VPN-to-SH:2: enc 2F013665B867DE804878DFC8FEE0CC1405100201000000000000004C0800000C0100000064010102000000241328931A3FDD6ABABDF48A93D4C3937D6151EA202121C6FAEAE55698A6F85A57
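To see what the hex "out" and "dec" lines above actually carry, here is an added Python parser (written for this page, not Fortinet code) that walks the ISAKMP header and payload chain of three messages copied verbatim from the debug output: the cleartext main mode message 2 the responder sent (its "out" line), message 5 as it arrived (the "in" line, where only the header is readable because the encryption flag is set), and the same message 5 after decryption (the "dec" line). Payload and Oakley attribute numbers follow RFC 2408 and RFC 2409; the name tables only cover the values seen here. The SA transform in message 2 decodes to exactly the negotiation result printed above (AES_CBC-128, SHA2_256, PRESHARED_KEY, MODP2048, lifetime 86400), and the decrypted message 5 yields the ID payload IPV4_ADDR 200.1.1.2 and the INITIAL-CONTACT notification that the debug reports.

```python
"""Parse the ISAKMP header and payload chain of the IKEv1 messages shown in the debug above."""
import struct
from ipaddress import IPv4Address

# Message bytes copied from the debug lines on this page (hex exactly as FortiGate prints it):
# - MM2_OUT: cleartext main mode message 2 sent by this responder ("out" line, len=192)
# - MM5_IN:  main mode message 5 as received, still encrypted ("in" line, len=108)
# - MM5_DEC: the same message 5 after decryption ("dec" line)
MM2_OUT = bytes.fromhex("2F013665B867DE804878DFC8FEE0CC140110020000000000000000C00D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000")
MM5_IN = bytes.fromhex("2F013665B867DE804878DFC8FEE0CC1405100201000000000000006C300DBBB94A52BF9EBD32DAD36637AF3D01E12599D17FA31C11C0E84769FF94BBB2E2B495567DA5BC9742A711CE425345CA3172FC40E6F780C6D7B5BA7C1335289E087ADE06F7BE1D7049A827E902B778")
MM5_DEC = bytes.fromhex("2F013665B867DE804878DFC8FEE0CC1405100201000000000000006C0800000C01000000C80101020B00002428BFF5F8227E569BC4138008FEFD2446057302EEE6662B5CED771411A71FFB930000001C00000001011060022F013665B867DE804878DFC8FEE0CC14FE5CDC03")

EXCHANGE = {2: "Identity Protection", 32: "Quick"}
PAYLOAD = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
           9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE", 13: "VID", 20: "NAT-D"}
ID_TYPE = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET", 11: "KEY_ID"}
NOTIFY = {24578: "INITIAL-CONTACT"}
OAKLEY_ATTR = {1: "ENCRYPT_ALG", 2: "HASH_ALG", 3: "AUTH_METHOD", 4: "GROUP",
               11: "LIFE_TYPE", 12: "LIFE_DURATION", 14: "KEY_LEN"}
OAKLEY_VAL = {"ENCRYPT_ALG": {1: "DES_CBC", 5: "3DES_CBC", 7: "AES_CBC"},
              "HASH_ALG": {1: "MD5", 2: "SHA1", 4: "SHA2_256"},
              "AUTH_METHOD": {1: "PRESHARED_KEY", 3: "RSA_SIG"},
              "GROUP": {2: "MODP1024", 5: "MODP1536", 14: "MODP2048"},
              "LIFE_TYPE": {1: "seconds", 2: "kilobytes"}}


def parse_header(msg):
    """28-byte ISAKMP header; the declared length must match the buffer we were handed."""
    ic, rc, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError(f"header says {length} bytes, buffer has {len(msg)}")
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "next": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, exch),
            "encrypted": bool(flags & 0x01), "msgid": msgid, "length": length}


def walk_payloads(msg):
    """Yield (payload name, body) following the next-payload chain; stops at next-payload 0,
    so trailing cipher padding after the last payload of a decrypted dump is ignored."""
    nxt, off = parse_header(msg)["next"], 28
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError(f"payload header runs past the end at offset {off}")
        following, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        yield PAYLOAD.get(nxt, nxt), msg[off + 4:off + plen]
        nxt, off = following, off + plen


def decode_sa(body):
    """ISAKMP (phase 1) SA payload: DOI, situation, one proposal, its transforms and attributes."""
    doi, situation = struct.unpack("!II", body[:8])
    _, _, _, prop_no, proto, spi_size, n_trans = struct.unpack("!BBHBBBB", body[8:16])
    off, transforms = 16 + spi_size, []
    for _ in range(n_trans):
        _, _, t_len, t_no, t_id = struct.unpack("!BBHBB", body[off:off + 6])
        attrs, a = {}, off + 8                       # 2 reserved bytes follow the transform id
        while a < off + t_len:
            a_type, v = struct.unpack("!HH", body[a:a + 4])
            name = OAKLEY_ATTR.get(a_type & 0x7FFF, a_type & 0x7FFF)
            if a_type & 0x8000:                      # TV form: v is the value itself
                val, a = v, a + 4
            else:                                    # TLV form: v is the length of the value
                val, a = int.from_bytes(body[a + 4:a + 4 + v], "big"), a + 4 + v
            attrs[name] = OAKLEY_VAL.get(name, {}).get(val, val)
        transforms.append({"transform": t_no, "transform_id": t_id, "attrs": attrs})
        off += t_len
    return {"doi": doi, "situation": situation, "proposal": prop_no, "protocol": proto,
            "transforms": transforms}


def decode_id(body):
    """Identification payload: ID type, protocol, port, then the identity data."""
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    data = str(IPv4Address(body[4:])) if id_type == 1 else body[4:].hex()
    return {"type": ID_TYPE.get(id_type, id_type), "protocol": proto, "port": port, "data": data}


def decode_notify(body):
    """Notification payload: DOI, protocol, SPI size, notify type, then the SPI (here both cookies)."""
    doi, proto, spi_size, n_type = struct.unpack("!IBBH", body[:8])
    return {"doi": doi, "protocol": proto, "type": NOTIFY.get(n_type, n_type),
            "spi": body[8:8 + spi_size].hex()}


def summarize(msg, decrypted=False):
    """Header plus decoded payloads; with the encryption flag set and no decryption, only the
    header is meaningful and payloads is None."""
    out = parse_header(msg)
    if out["encrypted"] and not decrypted:
        out["payloads"] = None
        return out
    decoders = {"SA": decode_sa, "ID": decode_id, "NOTIFY": decode_notify,
                "VID": lambda b: b.hex().upper()}
    out["payloads"] = [(name, decoders.get(name, lambda b: f"{len(b)} bytes")(body))
                       for name, body in walk_payloads(msg)]
    return out


if __name__ == "__main__":
    for label, msg, dec in (("MM2 out", MM2_OUT, False), ("MM5 in", MM5_IN, False), ("MM5 dec", MM5_DEC, True)):
        print(label, summarize(msg, dec))
```

Note the declared length of the decrypted message 5 (0x6C = 108) covers 4 bytes of cipher padding after the INITIAL-CONTACT payload, which is why the walker follows the next-payload chain instead of consuming the buffer to its declared end; the raw "in" copy of the same message parses to a header with the encryption bit set and is otherwise opaque.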

Packet sent by the responder: main mode message 6, confirming identity and authentication data
ike 0:VPN-to-SH:2: out 2F013665B867DE804878DFC8FEE0CC1405100201000000000000005C74BC93E1AB30646D580EC9F228CEAFA928ADC9EC53A454D6C7E3FA36CB5BFCF1EEE6F13590EC2BFDA2299E25C9815B2AF528D0E8A6F441D22D4D5B70F98E3BA8
ike 0:VPN-to-SH:2: sent IKE msg (ident_r3send): 100.1.1.2:500->200.1.1.2:500, len=92, vrf=0, id=2f013665b867de80/4878dfc8fee0cc14

Phase 1 established successfully; the IKE SA is created
ike 0:VPN-to-SH:2: established IKE SA 2f013665b867de80/4878dfc8fee0cc14
ike 0:VPN-to-SH:2: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:VPN-to-SH:2: processing INITIAL-CONTACT
ike 0:VPN-to-SH: flushing 
ike 0:VPN-to-SH: flushed 
ike 0:VPN-to-SH:2: processed INITIAL-CONTACT
ike 0:VPN-to-SH: set oper up
ike 0:VPN-to-SH:2: no pending Quick-Mode negotiations


Packet received from the initiator: quick mode message 1
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Quick id=2f013665b867de80/4878dfc8fee0cc14:31008365 len=620 vrf=0
ike 0: in [hex dump omitted]
ike 0:VPN-to-SH:2:0: responder received first quick-mode message
ike 0:VPN-to-SH:2: dec [hex dump omitted]

Phase 2 has matching interesting traffic (selectors) and a matching proposal
ike 0:VPN-to-SH:2:0: peer proposal is: peer:0:192.168.1.0-192.168.1.255:0, me:0:192.168.0.0-192.168.0.255:0
ike 0:VPN-to-SH:2:VPN-to-SH:0: trying
ike 0:VPN-to-SH:2:VPN-to-SH:0: matched phase2
ike 0:VPN-to-SH:2:VPN-to-SH:0: autokey
ike 0:VPN-to-SH:2:VPN-to-SH:0: my proposal:
ike 0:VPN-to-SH:2:VPN-to-SH:0: proposal id = 1:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   PFS DH group = 14
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0: proposal id = 2:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   PFS DH group = 5
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0: incoming proposal:
ike 0:VPN-to-SH:2:VPN-to-SH:0: proposal id = 1:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   PFS DH group = 14
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:2:VPN-to-SH:0: negotiation result
ike 0:VPN-to-SH:2:VPN-to-SH:0: proposal id = 1:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   PFS DH group = 14
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0: set pfs=MODP2048
ike 0:VPN-to-SH:2:VPN-to-SH:0: using tunnel mode.
ike 0:VPN-to-SH:2:VPN-to-SH:0: generate DH public value request queued
ike 0:VPN-to-SH:2:VPN-to-SH:0: compute DH shared secret request queued
ike 0:VPN-to-SH:2:VPN-to-SH:0: replay protection enabled
ike 0:VPN-to-SH:2:VPN-to-SH:0: SA life soft seconds=42929.
ike 0:VPN-to-SH:2:VPN-to-SH:0: SA life hard seconds=43200.
ike 0:VPN-to-SH:2:VPN-to-SH:0: IPsec SA selectors #src=1 #dst=1
ike 0:VPN-to-SH:2:VPN-to-SH:0: src 0 4 0:192.168.0.0/255.255.255.0:0
ike 0:VPN-to-SH:2:VPN-to-SH:0: dst 0 4 0:192.168.1.0/255.255.255.0:0


IPsec SAs are created for the inbound and outbound directions
ike 0:VPN-to-SH:2:VPN-to-SH:0: add IPsec SA: SPIs=fe02f809/db38e2b3
ike 0:VPN-to-SH:2:VPN-to-SH:0: IPsec SA dec spi fe02f809 key 16:95A30E49CBCB4EFCBAA65C8CA9B0074C auth 20:C5E5A450DABB70B398CD151C67D3B30E2BC938EA
ike 0:VPN-to-SH:2:VPN-to-SH:0: IPsec SA enc spi db38e2b3 key 16:A4DDB950CCE7BAD17A48AAB32F61514A auth 20:10B16B53C56103A2036BF5308EB3DB30885DB220
ike 0:VPN-to-SH:2:VPN-to-SH:0: added IPsec SA: SPIs=fe02f809/db38e2b3

Tunnel UP
ike 0:VPN-to-SH:2:VPN-to-SH:0: sending SNMP tunnel UP trap
ike 0:VPN-to-SH:2: enc [hex dump omitted]

Packet sent by the responder: quick mode message 2, returning the confirmed security parameters and authentication data
ike 0:VPN-to-SH:2: out [hex dump omitted]
ike 0:VPN-to-SH:2: sent IKE msg (quick_r1send): 100.1.1.2:500->200.1.1.2:500, len=444, vrf=0, id=2f013665b867de80/4878dfc8fee0cc14:31008365

Packet received from the initiator: quick mode message 3, the initiator's confirmation
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Quick id=2f013665b867de80/4878dfc8fee0cc14:31008365 len=76 vrf=0
ike 0: in 2F013665B867DE804878DFC8FEE0CC1408102001310083650000004CC37A67EFDA1D1385BAD16B7F1462D26C8510BEA49AD6681DA24219B2C2B9B3CF5EC6577F1AE0051F2DBEC65F7BB65CD7
ike 0:VPN-to-SH:2: dec 2F013665B867DE804878DFC8FEE0CC1408102001310083650000004C000000249C86B516C45350E8D2254EE877DBFB8CF7B461D3454C9FD93BCEFB177035802712E75AF0009C454FDB097C0B
ike 0:VPN-to-SH:VPN-to-SH:0: send SA_DONE SPI 0xdb38e2b3
ike 0:VPN-to-SH: link is idle 10 100.1.1.2->200.1.1.2:0 dpd=1 seqno=1 rr=0


# diagnose debug  disable
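As an added example (written for this page, not a Fortinet tool), the script below turns a capture like the one above into a short summary: the phase 1 and phase 2 algorithms actually chosen (read from the two "negotiation result" blocks), the peer identity, NAT detection result, SPIs, selectors and whether the tunnel came up. It also scrubs the keying material that "diagnose debug application ike -1" prints in the clear (the ISAKMP SA key and the IPsec SA enc/auth keys), which matters before a capture is attached to a ticket, and flags legacy choices against an assumed review policy (POLICY is this example's assumption, not anything the page states). The sample lines are a subset copied from this page's output; on them the only finding is that the negotiated ESP integrity algorithm is SHA1, since proposal 1 listed it first.

```python
"""Summarise a FortiGate 'diagnose debug application ike -1' capture and scrub the keys it prints."""
import re

# Constructed sample: responder-side lines copied from the debug output on this page (subset).
SAMPLE = """\
ike 0:2f013665b867de80/0000000000000000:2: negotiation result
ike 0:2f013665b867de80/0000000000000000:2:   protocol id = ISAKMP:
ike 0:2f013665b867de80/0000000000000000:2:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:2f013665b867de80/0000000000000000:2:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:2f013665b867de80/0000000000000000:2:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:2f013665b867de80/0000000000000000:2:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:2f013665b867de80/0000000000000000:2: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH:2: NAT not detected 
ike 0:VPN-to-SH:2: ISAKMP SA 2f013665b867de80/4878dfc8fee0cc14 key 16:161F81D2B495911EF63B98D14AD53392
ike 0:VPN-to-SH:2: peer identifier IPV4_ADDR 200.1.1.2
ike 0:VPN-to-SH:2: PSK authentication succeeded
ike 0:VPN-to-SH:2: established IKE SA 2f013665b867de80/4878dfc8fee0cc14
ike 0:VPN-to-SH:2:VPN-to-SH:0: negotiation result
ike 0:VPN-to-SH:2:VPN-to-SH:0:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:2:VPN-to-SH:0:   PFS DH group = 14
ike 0:VPN-to-SH:2:VPN-to-SH:0:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:2:VPN-to-SH:0:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:2:VPN-to-SH:0:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:2:VPN-to-SH:0: set pfs=MODP2048
ike 0:VPN-to-SH:2:VPN-to-SH:0: src 0 4 0:192.168.0.0/255.255.255.0:0
ike 0:VPN-to-SH:2:VPN-to-SH:0: dst 0 4 0:192.168.1.0/255.255.255.0:0
ike 0:VPN-to-SH:2:VPN-to-SH:0: add IPsec SA: SPIs=fe02f809/db38e2b3
ike 0:VPN-to-SH:2:VPN-to-SH:0: IPsec SA dec spi fe02f809 key 16:95A30E49CBCB4EFCBAA65C8CA9B0074C auth 20:C5E5A450DABB70B398CD151C67D3B30E2BC938EA
ike 0:VPN-to-SH:2:VPN-to-SH:0: sending SNMP tunnel UP trap
"""

# "ike 0:<cookies or tunnel>:<serial>:... " prefix; group 1 is the message text with padding stripped
PREFIX = re.compile(r"^ike \d+(?::[^\s:]+)*:\s*(.*?)\s*$")
PROPOSAL_LINE = re.compile(r"^(proposal id|protocol id|PFS DH group|trans_id|encapsulation|type\s*=)")
KEY_MATERIAL = re.compile(r"\b(key|auth) (\d+):[0-9A-Fa-f]+")
FACTS = [  # (field, regex over the message text); one group stores a str, several a tuple
    ("nat", r"^(NAT (?:not )?detected.*)$"),
    ("gateway", r"matched gateway (\S+)"),
    ("peer_id", r"^peer identifier (\w+) (\S+)"),
    ("auth", r"^(\w+) authentication succeeded"),
    ("ike_sa", r"^established IKE SA (\S+)"),
    ("src", r"^src \d+ \d+ \d+:([\d.]+/[\d.]+):\d+$"),
    ("dst", r"^dst \d+ \d+ \d+:([\d.]+/[\d.]+):\d+$"),
    ("spis", r"^add IPsec SA: SPIs=(\w+)/(\w+)"),
    ("tunnel_up", r"^(sending SNMP tunnel UP trap)$"),
]
# Assumed review policy, not from the page: legacy integrity/hash algorithms and small MODP groups.
POLICY = {"weak_hash": {"MD5", "SHA1"}, "weak_groups": {1, 2, 5}}


def redact(text):
    """The debug prints live IKE and ESP keys; blank them before a capture leaves the device."""
    return KEY_MATERIAL.sub(r"\1 \2:<redacted>", text)


def _proposal_field(block, c):
    """Store one line of a 'negotiation result' block."""
    if m := re.match(r"protocol id = (\w+)", c):
        block["protocol"] = m.group(1)
    elif m := re.match(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?", c):   # phase 1 attributes
        block[m.group(1)] = m.group(2) + (f"-{m.group(3)}" if m.group(3) else "")
    elif m := re.match(r"PFS DH group = (\d+)", c):
        block["pfs_group"] = int(m.group(1))
    elif m := re.match(r"trans_id = (\w+) \(key_len = (\d+)\)", c):        # phase 2 ESP transform
        block["esp_transform"] = f"{m.group(1)}-{m.group(2)}"
    elif m := re.match(r"type = AUTH_ALG, val=(\w+)", c):
        block["esp_auth"] = m.group(1)


def summarize_debug(text):
    """Chosen phase 1 / phase 2 parameters plus the milestone facts, keyed as in FACTS."""
    s = {"phase1": {}, "phase2": {}, "facts": {}}
    block = None   # the 'negotiation result' block currently being read, if any
    for raw in text.splitlines():
        if not (m := PREFIX.match(raw)):
            continue
        c = m.group(1)
        if c == "negotiation result":
            block = {}
            continue
        if block is not None and PROPOSAL_LINE.match(c):
            _proposal_field(block, c)
            continue
        if block is not None:   # first non-proposal line ends the block; file it by protocol
            s["phase1" if block.get("protocol") == "ISAKMP" else "phase2"].update(block)
            block = None
        for field, rx in FACTS:
            if fm := re.search(rx, c):
                s["facts"][field] = fm.group(1) if len(fm.groups()) == 1 else fm.groups()
    return s


def audit(s):
    """Findings against POLICY; an empty list means nothing to report."""
    p1, p2, f = s["phase1"], s["phase2"], s["facts"]
    checks = [
        (p1.get("OAKLEY_HASH_ALG") in POLICY["weak_hash"], f"phase1 hash {p1.get('OAKLEY_HASH_ALG')} is legacy"),
        (p2.get("esp_auth") in POLICY["weak_hash"], f"phase2 ESP integrity {p2.get('esp_auth')} is legacy"),
        (p2.get("pfs_group") in POLICY["weak_groups"], f"phase2 PFS group {p2.get('pfs_group')} is too small"),
        ("auth" not in f or "tunnel_up" not in f, "negotiation did not complete (no auth success / tunnel UP)"),
    ]
    return [msg for hit, msg in checks if hit]


if __name__ == "__main__":
    summary = summarize_debug(SAMPLE)
    print(summary["phase1"], summary["phase2"], summary["facts"], audit(summary), redact(SAMPLE), sep="\n")
```

The parser only reads the "negotiation result" blocks, so the long "my proposal" and "incoming proposal" listings (which include the weaker group 5 alternatives the responder is willing to accept) do not affect the summary; to review what is configured rather than what was chosen, the same line regexes can be applied to those blocks as well.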

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-01-15 09:49:44
