IPsec IKEv1 Aggressive Mode Debug Analysis

Network topology

[Figure: network topology diagram (image-20240102113949000)]

IPsec debug analysis

FGT-SH initiates the negotiation and FGT-BJ is the responder; the debug is run on FGT-BJ. The debug output from FGT-BJ follows.


# diagnose debug application ike -1
# diagnose debug enable

Packet received from the peer: aggressive mode message 1
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=d281703dcfc7fc74/0000000000000000 len=720 vrf=0
ike 0: in D281703DCFC7FC7400000000000000000110040000000000000002D0040000B40000000100000001000000A8010100040300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0000002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0A00010453E290339EEA9422A4B4B1034821162393F25DC77AE0D24864206F06B8E7826733B2FD2DF5C70E86310C29F83A77057D630FF9F8C0CE6DBA3FB571D5D3960C9AAC7260FE6D8019E523508632E1423CF657A462DCA2F4EFB96268E48003194A77D9D85C6A864F1366B7FDA693D1798DFBADCDF3797116C551F260BC03DFA9B7ADF795EAD145DE2ADD68EDF20E87E67D8F2E90D3245D3A8ED9AB630134CA5F23158BFDA4A6DBC1E5F6C03FB6C3278A3209295A8C7558E93BBB66F115383B11CF7F4644608A5E448B53F4B2BC344706446445575684CD0850FE9D6B47A981BBAEDD24D60F8424618B0F45E34B8C20FF7A48AF12192B44EED4DF2F333533849321F505000024D612B8B99DFE002B24E032D5DA3AB863E9AC517913DE2F80658C3C0B3554A9190D00000C01000000C80101020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:d281703dcfc7fc74/0000000000000000:3: responder: aggressive mode get 1st message...
ike 0:d281703dcfc7fc74/0000000000000000:3: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:d281703dcfc7fc74/0000000000000000:3: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:d281703dcfc7fc74/0000000000000000:3: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:d281703dcfc7fc74/0000000000000000:3: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
ike 0:d281703dcfc7fc74/0000000000000000:3: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:d281703dcfc7fc74/0000000000000000:3: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:d281703dcfc7fc74/0000000000000000:3: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:d281703dcfc7fc74/0000000000000000:3: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:d281703dcfc7fc74/0000000000000000:3: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:d281703dcfc7fc74/0000000000000000:3: VID FORTIGATE 8299031757A36082C6A621DE00000000

The initiator uses its IP address as its identity (ID)
ike 0::3: peer identifier IPV4_ADDR 200.1.1.2
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.

The gateway VPN-to-SH has a matching proposal
ike 0: cache rebuild done
ike 0:d281703dcfc7fc74/0000000000000000:3: negotiation result
ike 0:d281703dcfc7fc74/0000000000000000:3: proposal id = 1:
ike 0:d281703dcfc7fc74/0000000000000000:3:   protocol id = ISAKMP:
ike 0:d281703dcfc7fc74/0000000000000000:3:      trans_id = KEY_IKE.
ike 0:d281703dcfc7fc74/0000000000000000:3:      encapsulation = IKE/none
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:d281703dcfc7fc74/0000000000000000:3: ISAKMP SA lifetime=86400
ike 0:d281703dcfc7fc74/0000000000000000:3: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH: created connection: 0x8291690 10 100.1.1.2->200.1.1.2:500.
ike 0:VPN-to-SH:3: DPD negotiated
ike 0:VPN-to-SH:3: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-to-SH:3: selected NAT-T version: RFC 3947
ike 0:VPN-to-SH:3: generate DH public value request queued
ike 0:VPN-to-SH:3: compute DH shared secret request queued
ike 0:VPN-to-SH:3: cookie d281703dcfc7fc74/d07504953e9d8606
ike 0:VPN-to-SH:3: ISAKMP SA d281703dcfc7fc74/d07504953e9d8606 key 16:9F8B9F21828B2667E9F48941FAE1411C
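The "ike 0: in" line above is the raw ISAKMP message as hex, and every field the debug prints afterwards (exchange type, peer ID, vendor IDs, the proposal that was matched) can be checked against those bytes. As an added example, not FortiGate code and not part of the original page, the following Python decodes that dump: the 28-byte ISAKMP header (cookies, exchange type, encryption flag, length), the generic payload chain, the SA transforms with their Oakley attributes, the ID payload and the Vendor IDs. It also handles the encrypted quick-mode message 3 from later in this log, where only the header is readable. Payload layouts follow RFC 2408/2409; the algorithm tables cover the values seen on this page plus a few common ones, and the VID name table is extendable from the "VID" lines in the log.

```python
"""Added example (not FortiGate code): decode the raw ISAKMP bytes that FortiGate prints on its
'ike 0: in <hex>' lines. Both hex dumps below are taken from the debug output above."""
import struct
from ipaddress import IPv4Address

EXCHANGE = {2: "Main", 4: "Aggressive", 5: "Informational", 32: "Quick"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID", 20: "NAT-D"}
ENC, HASH = {5: "3DES_CBC", 7: "AES_CBC"}, {1: "MD5", 2: "SHA1", 4: "SHA2_256"}
AUTH, GROUP = {1: "PRESHARED_KEY", 3: "RSA_SIG"}, {2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}
VID_NAMES = {"4A131C81070358455C5728F20E95452F": "RFC 3947", "AFCAD71368A1F1C96B8696FC77570100": "DPD",
             "4048B7D56EBCE88525E7DE7F00D6C2D3": "FRAGMENTATION", "8299031757A36082C6A621DE00000000": "FORTIGATE"}
FLAG_ENCRYPTED = 0x01

AGG_MSG1_HEX = (  # aggressive-mode message 1 (len=720), split at payload boundaries for readability
    "D281703DCFC7FC74" "0000000000000000" "01" "10" "04" "00" "00000000" "000002D0"  # ISAKMP header
    "040000B4" "00000001" "00000001" "000000A8" "01010004"                        # SA: DOI, SIT, proposal 1, 4 transforms
    "0300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E"
    "0300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E"
    "0300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E"
    "0000002807010000800B0001000C00040001518080010007800E010080030001800200028004000E"
    "0A000104"                                                                    # KE: 256-byte MODP2048 public value
    "53E290339EEA9422A4B4B1034821162393F25DC77AE0D24864206F06B8E7826733B2FD2DF5C70E86310C29F83A77057D630FF9F8C0CE6DBA3FB571D5D3960C9A"
    "AC7260FE6D8019E523508632E1423CF657A462DCA2F4EFB96268E48003194A77D9D85C6A864F1366B7FDA693D1798DFBADCDF3797116C551F260BC03DFA9B7AD"
    "F795EAD145DE2ADD68EDF20E87E67D8F2E90D3245D3A8ED9AB630134CA5F23158BFDA4A6DBC1E5F6C03FB6C3278A3209295A8C7558E93BBB66F115383B11CF7F"
    "4644608A5E448B53F4B2BC344706446445575684CD0850FE9D6B47A981BBAEDD24D60F8424618B0F45E34B8C20FF7A48AF12192B44EED4DF2F333533849321F5"
    "05000024" "D612B8B99DFE002B24E032D5DA3AB863E9AC517913DE2F80658C3C0B3554A919"    # NONCE
    "0D00000C" "01000000" "C8010102"                                              # ID: IPV4_ADDR 200.1.1.2
    "0D000014" "4A131C81070358455C5728F20E95452F" "0D000014" "7D9419A65310CA6F2C179D9215529D56"
    "0D000014" "CD60464335DF21F87CFDB2FC68B6A448" "0D000014" "90CB80913EBB696E086381B5EC427B1F"
    "0D000014" "16F6CA16E4A4066D83821A0F0AEAA862" "0D000014" "4485152D18B6BBCD0BE8A8469579DDCC"
    "0D000014" "AFCAD71368A1F1C96B8696FC77570100" "0D000014" "4048B7D56EBCE88525E7DE7F00D6C2D3"
    "0D000018" "4048B7D56EBCE88525E7DE7F00D6C2D3C0000000" "00000014" "8299031757A36082C6A621DE00000000"
)
QUICK_MSG3_HEX = ("D281703DCFC7FC74D07504953E9D86060810200103B7F8E60000004C"  # quick-mode message 3 (len=76), encrypted body
                  "BFE7E9BC7B60005BC3C8AB90CACB6C5412DACDAAE36B845C34C802177DAD5E1D0A243A6B8BA8770B920A75A6D68626C7")

def parse_header(raw):
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1); the length field must match the buffer."""
    icky, rcky, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} != buffer {len(raw)}")
    return {"icookie": icky.hex(), "rcookie": rcky.hex(), "first_payload": nxt, "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE.get(exch, exch), "encrypted": bool(flags & FLAG_ENCRYPTED), "msgid": msgid, "length": length}

def walk_payloads(raw, first):
    """Follow the generic payload chain: each payload starts with next(1) reserved(1) length(2)."""
    off, ptype, out = 28, first, []
    while ptype != 0:
        nxt, _res, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        out.append((PAYLOAD.get(ptype, ptype), raw[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    if off != len(raw):
        raise ValueError("trailing bytes after the last payload")
    return out

def parse_attributes(data):
    """Oakley attributes: TV form when the high bit is set, TLV form otherwise (RFC 2408 section 3.3)."""
    off, attrs = 0, {}
    while off < len(data):
        atype, aval = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:
            attrs[atype & 0x7FFF], off = aval, off + 4
        else:
            attrs[atype], off = int.from_bytes(data[off + 4:off + 4 + aval], "big"), off + 4 + aval
    return attrs

def parse_sa(body):
    """SA payload body: DOI(4) SIT(4), then proposals, each carrying its transforms."""
    transforms, off = [], 8
    while off < len(body):
        _n, _r, plen, _num, _proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _n, _r, tlen, tnum, _tid, _r2 = struct.unpack("!BBHBBH", body[toff:toff + 8])
            a = parse_attributes(body[toff + 8:toff + tlen])   # 1 enc, 2 hash, 3 auth, 4 group, 12 life, 14 key length
            transforms.append({"num": tnum, "enc": ENC.get(a.get(1)), "key_len": a.get(14), "hash": HASH.get(a.get(2)),
                               "auth": AUTH.get(a.get(3)), "group": GROUP.get(a.get(4)), "life": a.get(12)})
            toff += tlen
        off += plen
    return transforms

def summarize(hexdump):
    raw = bytes.fromhex(hexdump)
    s = {"header": parse_header(raw), "transforms": [], "peer_id": None, "vids": []}
    if s["header"]["encrypted"]:          # body is ciphertext; FortiGate shows it decrypted on its 'dec' line
        return s
    for name, body in walk_payloads(raw, s["header"]["first_payload"]):
        if name == "SA":
            s["transforms"] = parse_sa(body)
        elif name == "ID" and body[0] == 1:   # ID_IPV4_ADDR: type(1) protocol(1) port(2) address(4)
            s["peer_id"] = str(IPv4Address(body[4:8]))
        elif name == "VID":
            s["vids"].append(VID_NAMES.get(body.hex().upper(), body.hex().upper()))
    return s

if __name__ == "__main__":
    for dump in (AGG_MSG1_HEX, QUICK_MSG3_HEX):
        print(summarize(dump))
```

For message 1 the decoder returns exchange Aggressive, responder cookie all zeros, peer ID 200.1.1.2, ten Vendor IDs starting with RFC 3947 and ending with FORTIGATE, and four KEY_IKE transforms whose first entry (AES_CBC/128, SHA2_256, PRESHARED_KEY, MODP2048, lifetime 86400) is exactly the one the "negotiation result" block reports. The header length check is the first thing to look at when a peer's packet is rejected: a mismatch between the length field and the bytes received usually means fragmentation or an intermediate device rewriting the packet.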

Packet sent by the responder: aggressive mode message 2. The responder replies with all parameters of the selected proposal, its DH public value, and its identity (ID) for the initiator to verify.
ike 0:VPN-to-SH:3: out (hex dump omitted)
ike 0:VPN-to-SH:3: sent IKE msg (agg_r1send): 100.1.1.2:500->200.1.1.2:500, len=592, vrf=0, id=d281703dcfc7fc74/d07504953e9d8606


Packet received from the initiator: aggressive mode message 3, the initiator's confirmation that it can communicate with the responder
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=d281703dcfc7fc74/d07504953e9d8606 len=172 vrf=0
ike 0: in D281703DCFC7FC74D07504953E9D86060810040100000000000000AC07B95FFAA22F64125C7C69E4BE2CDAA9CF69581F048D1D9FF7526A143818E59F1D59314B926251FAF7B80060D7317500A859CB66E64DE016BFC7E1C9D52DE71246F25B9959A6CE700EF95E28746F045B41AAE04299D7F39A4C8C98BAB85AF3D842971CD2CDB280743677706CCD7A2D1D334D7F6A9CC59946388B50734290E8ECBBBFAA9E8198207007CADFB101184CBD
ike 0:VPN-to-SH:3: responder: aggressive mode get 2nd response...
ike 0:VPN-to-SH:3: dec D281703DCFC7FC74D07504953E9D86060810040100000000000000AC14000024D90A7BBC0962B9E6192FA19BDAFDD607B0FDFBC19A05A019F2259FC9D0EE6371140000244B1C68D360542FC9E16DC7867E8FC6CA8FC90FBDC591A2AC1F0B7B37CE0A6BA60B000024D3141A6A7D9320C4105437E65A9B4E60E653C68D9A71A5AFFC24B06A49CED2EE0000001C0000000101106002D281703DCFC7FC74D07504953E9D860628CB58CA69594207
ike 0:VPN-to-SH:3: received NAT-D payload type 20
ike 0:VPN-to-SH:3: received NAT-D payload type 20
ike 0:VPN-to-SH:3: received p1 notify type INITIAL-CONTACT

Pre-shared key authentication succeeded
ike 0:VPN-to-SH:3: PSK authentication succeeded
ike 0:VPN-to-SH:3: authentication OK
ike 0:VPN-to-SH:3: NAT not detected 


IKE SA established
ike 0:VPN-to-SH:3: established IKE SA d281703dcfc7fc74/d07504953e9d8606
ike 0:VPN-to-SH:3: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:VPN-to-SH:3: processing INITIAL-CONTACT
ike 0:VPN-to-SH: flushing 
ike 0:VPN-to-SH: flushed 
ike 0:VPN-to-SH:3: processed INITIAL-CONTACT
ike 0:VPN-to-SH: set oper up
ike 0:VPN-to-SH:3: no pending Quick-Mode negotiations


Packet received from the initiator: quick mode message 1
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Quick id=d281703dcfc7fc74/d07504953e9d8606:03b7f8e6 len=620 vrf=0
ike 0: in D281703DCFC7FC74D07504953E9D86060810200103B7F8E60000026C407ACC496B7A31B516DCEBFC25D4C6C668B271C7969F0B1785DF58417ED399C37BD28D42CC804C33CDE204D57588C4354E4A4A421804B7160B020EEF914F7BC2368EBD8EB6D322359574E37DEFA2C255E7BAE94FF245859DE7912F4A0C20F1594833582B0A40CE6D9D267ADE8CCDFB47F06B360CA48256F67D0834B6657C3A46C9DE785F0117A336F83810DF0F2F7CC2926BD5757F093C453BB0AB32ACE53DF72C096045C5C5E0D0FE3E79D2DE5108D2AE0AE916E364D152A131AC2E8C980EEC1CCA7BAD7175739A4B09FF95BA46C482D8149A9B3A7A2D0A1DDABEE65391070FEDB3497CF5436B0B9B8F9ED64F087CB601C6A871338BF756D28D8FA1B703D92BCC51643BF78BCF156DF38046951B9D71108FD12F8D1A9EAFED83291E95BE22C2CAB810A10E00AA9B82EB4789270EF1CC3AA442A946A21E7FFDCBD85336AD8C8773F231EB9669992CE37A8F9B069189103D59B587441485370D7260E8F61C1A94E9527C15FDEB26AE4D3AB69477F95892BB4429E0DBF2CA55A7543664A11BC2643ABE7008D97B0D6A12F3827E0F9F2FD98DB4A92B846D8D366702F77523EA5F4CA6D4B6621A267623758C9C401C1A9C7FA595EDC789D0EAACBAB88FF66E6532381135B859609595B877D7661FDAF1B684733451FC63FCED3C1911FE14EB3906267CC24ECE199CB0DF7405C7D4C9D838AB44A0FD78AE099670A5724CDA917FD2333912E8012FC9BD51D393517FA78184BC5351B2883ABA8F6AA876D1327D6E79ACD13A921C56EF904E29073200647A1DFA2228B0334AC8BF881814A612AF98637D691383A2D9FF3901FAF6ADF04FCEC55B
ike 0:VPN-to-SH:3:230: responder received first quick-mode message
ike 0:VPN-to-SH:3: dec (hex dump omitted)

Phase 2 has matching interesting traffic (selectors) and a matching proposal
ike 0:VPN-to-SH:3:230: peer proposal is: peer:0:192.168.1.0-192.168.1.255:0, me:0:192.168.0.0-192.168.0.255:0
ike 0:VPN-to-SH:3:VPN-to-SH:230: trying
ike 0:VPN-to-SH:3:VPN-to-SH:230: matched phase2
ike 0:VPN-to-SH:3:VPN-to-SH:230: autokey
ike 0:VPN-to-SH:3:VPN-to-SH:230: my proposal:
ike 0:VPN-to-SH:3:VPN-to-SH:230: proposal id = 1:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   PFS DH group = 14
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230: proposal id = 2:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   PFS DH group = 5
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230: incoming proposal:
ike 0:VPN-to-SH:3:VPN-to-SH:230: proposal id = 1:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   PFS DH group = 14
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=NULL
ike 0:VPN-to-SH:3:VPN-to-SH:230: negotiation result
ike 0:VPN-to-SH:3:VPN-to-SH:230: proposal id = 1:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   PFS DH group = 14
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230: set pfs=MODP2048
ike 0:VPN-to-SH:3:VPN-to-SH:230: using tunnel mode.
ike 0:VPN-to-SH:3:VPN-to-SH:230: generate DH public value request queued
ike 0:VPN-to-SH:3:VPN-to-SH:230: compute DH shared secret request queued
ike 0:VPN-to-SH:3:VPN-to-SH:230: replay protection enabled
ike 0:VPN-to-SH:3:VPN-to-SH:230: SA life soft seconds=42933.
ike 0:VPN-to-SH:3:VPN-to-SH:230: SA life hard seconds=43200.
ike 0:VPN-to-SH:3:VPN-to-SH:230: IPsec SA selectors #src=1 #dst=1
ike 0:VPN-to-SH:3:VPN-to-SH:230: src 0 4 0:192.168.0.0/255.255.255.0:0
ike 0:VPN-to-SH:3:VPN-to-SH:230: dst 0 4 0:192.168.1.0/255.255.255.0:0

IPsec SAs created for the IN (decrypt) and OUT (encrypt) directions
ike 0:VPN-to-SH:3:VPN-to-SH:230: add IPsec SA: SPIs=fe02f80a/db38e2b4
ike 0:VPN-to-SH:3:VPN-to-SH:230: IPsec SA dec spi fe02f80a key 16:EC236EB218FDFDB618A4F3F9365BC2A6 auth 20:87C419704D9037DF765191533D14EAD75985138F
ike 0:VPN-to-SH:3:VPN-to-SH:230: IPsec SA enc spi db38e2b4 key 16:DD0E65226AEB9DC29360DACD7874D604 auth 20:4E1E6ADE3A2BF7F38507D2FA5202121C9C8959D6
ike 0:VPN-to-SH:3:VPN-to-SH:230: added IPsec SA: SPIs=fe02f80a/db38e2b4

Tunnel UP
ike 0:VPN-to-SH:3:VPN-to-SH:230: sending SNMP tunnel UP trap
ike 0:VPN-to-SH:3: enc (hex dump omitted)


Packet sent by the responder: quick mode message 2, carrying the confirmed security parameters and authentication information
ike 0:VPN-to-SH:3: out (hex dump omitted)
ike 0:VPN-to-SH:3: sent IKE msg (quick_r1send): 100.1.1.2:500->200.1.1.2:500, len=444, vrf=0, id=d281703dcfc7fc74/d07504953e9d8606:03b7f8e6


Packet received from the initiator: quick mode message 3, the initiator's confirmation
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Quick id=d281703dcfc7fc74/d07504953e9d8606:03b7f8e6 len=76 vrf=0
ike 0: in D281703DCFC7FC74D07504953E9D86060810200103B7F8E60000004CBFE7E9BC7B60005BC3C8AB90CACB6C5412DACDAAE36B845C34C802177DAD5E1D0A243A6B8BA8770B920A75A6D68626C7
ike 0:VPN-to-SH:3: dec D281703DCFC7FC74D07504953E9D86060810200103B7F8E60000004C0000002421BD4F317C5DD58943C142AE4186BE1BBE36FBC91C8600E924DC42BD95107512E61AC8842070C9A16C994E0B
ike 0:VPN-to-SH:VPN-to-SH:230: send SA_DONE SPI 0xdb38e2b4
ike 0:VPN-to-SH: link is idle 10 100.1.1.2->200.1.1.2:0 dpd=1 seqno=e5 rr=0

# diagnose debug disable
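Reading a full "ike -1" capture by eye is slow, and the checks made in the annotations above (which exchange, which peer ID, which gateway matched, what was negotiated, whether PSK authentication and NAT detection passed, which selectors and SPIs were installed) are the ones worth automating. The following Python is added here as an example and is not FortiGate code: it reduces a capture to those facts in one pass, keeping proposal attributes only from a "negotiation result" block (the "my proposal" and "incoming proposal" dumps list candidates, not the outcome), and ends with two findings a reviewer would raise from this particular negotiation. SAMPLE_LOG is excerpted from the debug output above; the regexes and the finding texts are my own.

```python
"""Added example (not FortiGate code): extract the facts that matter from a
'diagnose debug application ike -1' capture and derive defender-oriented findings."""
import re

RE_EXCHANGE = re.compile(r"IKEv1 exchange=(\w+) id=([0-9a-f]{16})/([0-9a-f]{16})")
RE_PEER_ID = re.compile(r"peer identifier (\w+) (\S+)")
RE_SELECTORS = re.compile(r"peer proposal is: peer:\d+:([\d.]+-[\d.]+):\d+, me:\d+:([\d.]+-[\d.]+):\d+")
RE_ATTR = re.compile(r"type\s*=\s*(\w+), val=(\w+)(?:, key-len=(\d+))?")   # phase 1 and phase 2 spacing differ
RE_TRANS = re.compile(r"trans_id = (\w+) \(key_len = (\d+)\)")
RE_PFS = re.compile(r"PFS DH group = (\d+)")
RE_LIFE = re.compile(r"ISAKMP SA lifetime=(\d+)")
RE_SPIS = re.compile(r"added IPsec SA: SPIs=([0-9a-f]{8})/([0-9a-f]{8})")
SIMPLE = {  # one capture group each, stored under the key unchanged
    "gateway": re.compile(r"SA proposal chosen, matched gateway (\S+)"),
    "psk_auth": re.compile(r"PSK authentication (\w+)"),
    "nat": re.compile(r"NAT (not detected|detected)"),
    "ike_sa": re.compile(r"established IKE SA ([0-9a-f]{16}/[0-9a-f]{16})"),
}

SAMPLE_LOG = """\
ike 0: IKEv1 exchange=Aggressive id=d281703dcfc7fc74/0000000000000000 len=720 vrf=0
ike 0::3: peer identifier IPV4_ADDR 200.1.1.2
ike 0:d281703dcfc7fc74/0000000000000000:3: negotiation result
ike 0:d281703dcfc7fc74/0000000000000000:3:   protocol id = ISAKMP:
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:d281703dcfc7fc74/0000000000000000:3:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:d281703dcfc7fc74/0000000000000000:3: ISAKMP SA lifetime=86400
ike 0:d281703dcfc7fc74/0000000000000000:3: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH:3: PSK authentication succeeded
ike 0:VPN-to-SH:3: NAT not detected
ike 0:VPN-to-SH:3: established IKE SA d281703dcfc7fc74/d07504953e9d8606
ike 0: IKEv1 exchange=Quick id=d281703dcfc7fc74/d07504953e9d8606:03b7f8e6 len=620 vrf=0
ike 0:VPN-to-SH:3:230: peer proposal is: peer:0:192.168.1.0-192.168.1.255:0, me:0:192.168.0.0-192.168.0.255:0
ike 0:VPN-to-SH:3:VPN-to-SH:230: my proposal:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:3:VPN-to-SH:230: negotiation result
ike 0:VPN-to-SH:3:VPN-to-SH:230:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:3:VPN-to-SH:230:   PFS DH group = 14
ike 0:VPN-to-SH:3:VPN-to-SH:230:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:VPN-to-SH:3:VPN-to-SH:230:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:3:VPN-to-SH:230: added IPsec SA: SPIs=fe02f80a/db38e2b4
ike 0:VPN-to-SH:3:VPN-to-SH:230: sending SNMP tunnel UP trap
"""

def summarize_ike_debug(text):
    """Single pass over the lines; proposal attributes are recorded only inside a 'negotiation result' block."""
    s = {"exchanges": [], "peer_id": None, "selectors": None, "phase1": {}, "phase2": {}, "spis": None,
         "tunnel_up": False, "findings": [], **{k: None for k in SIMPLE}}
    section = phase = None
    for line in text.splitlines():
        if m := RE_EXCHANGE.search(line):
            s["exchanges"].append((m[1], m[2], m[3]))
        elif m := RE_PEER_ID.search(line):
            s["peer_id"] = (m[1], m[2])
        elif m := RE_SELECTORS.search(line):
            s["selectors"] = {"peer": m[1], "me": m[2]}
        elif "negotiation result" in line:
            section = "result"
        elif "proposal:" in line:            # 'my proposal:' / 'incoming proposal:' list candidates only
            section = "candidate"
        elif "protocol id = ISAKMP" in line:
            phase = "phase1"
        elif "protocol id = IPSEC_ESP" in line:
            phase = "phase2"
        elif section == "result" and phase and (m := RE_ATTR.search(line)):
            s[phase][m[1]] = m[2] + (f"-{m[3]}" if m[3] else "")
        elif section == "result" and phase and (m := RE_TRANS.search(line)):
            s[phase]["trans_id"] = f"{m[1]}-{m[2]}"
        elif section == "result" and phase and (m := RE_PFS.search(line)):
            s[phase]["pfs_group"] = int(m[1])
        elif m := RE_LIFE.search(line):
            s["phase1"]["lifetime"] = int(m[1])
        elif m := RE_SPIS.search(line):
            s["spis"] = {"inbound": m[1], "outbound": m[2]}   # FortiGate prints the dec (inbound) SPI first
        elif "sending SNMP tunnel UP trap" in line:
            s["tunnel_up"] = True
        else:
            for key, rx in SIMPLE.items():
                if m := rx.search(line):
                    s[key] = m[1]
    # Findings a reviewer would raise from this negotiation
    if any(e[0] == "Aggressive" for e in s["exchanges"]) and s["phase1"].get("AUTH_METHOD") == "PRESHARED_KEY":
        s["findings"].append("aggressive mode with PSK: the peer identity travels in the clear and the PSK-derived "
                             "hash is exposed to offline guessing; prefer main mode or IKEv2 and a long random PSK")
    if s["phase2"].get("AUTH_ALG") == "SHA1":
        s["findings"].append("phase 2 integrity negotiated as SHA1 (legacy); prefer SHA2_256 where both peers support it")
    return s

if __name__ == "__main__":
    for key, value in summarize_ike_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary reports the two exchanges (Aggressive, then Quick under the same cookies), peer ID 200.1.1.2, gateway VPN-to-SH, phase 1 AES_CBC-128/SHA2_256/PRESHARED_KEY/MODP2048 with an 86400 s lifetime, phase 2 ESP_AES_CBC-128 with SHA1 and PFS group 14, PSK authentication succeeded, no NAT, selectors 192.168.1.0-192.168.1.255 (peer) and 192.168.0.0-192.168.0.255 (me), SPIs fe02f80a/db38e2b4, and tunnel UP. On a failing tunnel the same fields show where the negotiation stopped: no "matched gateway" means no phase 1 proposal or peer ID matched, a "failed" PSK result means mismatched keys, and an empty phase 2 with selectors present means the interesting traffic or ESP proposal did not match.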

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-01-15 09:49:37
