IPsec IKEv2 Debug Analysis

Network topology

The topology diagram is not reproduced here. As read from the debug output below, FGT-SH (200.1.1.2, LAN 192.168.1.0/24) is the IKE initiator and FGT-BJ (100.1.1.2, LAN 192.168.0.0/24) is the responder; the phase 1 gateway configured on FGT-BJ is named VPN-to-SH.

IPsec Debug Analysis

  1. FGT-SH initiates the negotiation and the debug is captured on FGT-BJ. Below is the debug output from FGT-BJ.

    diagnose debug application ike -1
    diagnose debug enable
    
  2. Packet received from the initiator: the first message of the SA_INIT exchange.

    ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
    ike 0: IKEv2 exchange=SA_INIT id=0640897749c18520/0000000000000000 len=632
    ike 0: in 0640897749C185200000000000000000212022080000000000000278220000F002000034010100050300000C0100000C800E00800300000802000005030000080300000C0300000804000005000000080400000E02000034020100050300000C0100000C800E01000300000802000005030000080300000C0300000804000005000000080400000E0200002C030100040300000C01000014800E008003000008020000050300000804000005000000080400000E0200002C040100040300000C01000014800E010003000008020000060300000804000005000000080400000E0000002C050100040300000C0100001C800E010003000008020000050300000804000005000000080400000E28000108000E0000D7B68B7EF380848D233FF08CD57789166A356E53E982392A157953AE8939C833D28C94436514956B08E168503B92D5B09E97FBA36CBCC3B3CBCB5DC9640C6E6F073FFC88B01DC668D8AF3B61AC2D46B71524B91ECD8CE68F1529986A43BB2E357CFDEE972FFBFCB2B5BC92A38BE6B9E8BEB47A923216AA3753346BB764CF7760E526B1FD010A8FB51E7B1BB7F80782D53B8C6690852F4D03969CE4CFE8F2252360A4F5672A5C76BA16E45053259BF8E0A154E9BFF1709B7A72ECF15ED1936E512288D639935CF8096D9F4B8527444CE4C13657F6B751371B6E183B688870C466D5E439DD1AA319306DBC2C6F5EDC76A1F4EF5223F306E09B3F990FDFF6675B1D290000242941FAF7F9BCFBFA6A308624D8327BB7BDBA4C72BAAA79E27F5FE76580056BE82900001C000040046248FDD09A0E5B87EFEE4EBE51267EFAA176C9692900001C00004005B85DCDB85885019864A547D5DB8E60946F538368000000080000402E
    
  3. The gateway VPN-to-SH has a matching proposal.

    ike 0:0640897749c18520/0000000000000000:8: responder received SA_INIT msg
    ike 0:0640897749c18520/0000000000000000:8: received notify type NAT_DETECTION_SOURCE_IP
    ike 0:0640897749c18520/0000000000000000:8: received notify type NAT_DETECTION_DESTINATION_IP
    ike 0:0640897749c18520/0000000000000000:8: received notify type FRAGMENTATION_SUPPORTED
    ike 0:0640897749c18520/0000000000000000:8: incoming proposal:
    ike 0:0640897749c18520/0000000000000000:8: proposal id = 1:
    ike 0:0640897749c18520/0000000000000000:8:   protocol = IKEv2:
    ike 0:0640897749c18520/0000000000000000:8:      encapsulation = IKEv2/none
    ike 0:0640897749c18520/0000000000000000:8:         type=ENCR, val=AES_CBC (key_len = 128)
    ike 0:0640897749c18520/0000000000000000:8:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike 0:0640897749c18520/0000000000000000:8:         type=PRF, val=PRF_HMAC_SHA2_256
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP2048.
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP1536.
    ike 0:0640897749c18520/0000000000000000:8: proposal id = 2:
    ike 0:0640897749c18520/0000000000000000:8:   protocol = IKEv2:
    ike 0:0640897749c18520/0000000000000000:8:      encapsulation = IKEv2/none
    ike 0:0640897749c18520/0000000000000000:8:         type=ENCR, val=AES_CBC (key_len = 256)
    ike 0:0640897749c18520/0000000000000000:8:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike 0:0640897749c18520/0000000000000000:8:         type=PRF, val=PRF_HMAC_SHA2_256
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP2048.
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP1536.
    ike 0:0640897749c18520/0000000000000000:8: proposal id = 3:
    ike 0:0640897749c18520/0000000000000000:8:   protocol = IKEv2:
    ike 0:0640897749c18520/0000000000000000:8:      encapsulation = IKEv2/none
    ike 0:0640897749c18520/0000000000000000:8:         type=ENCR, val=AES_GCM_16 (key_len = 128)
    ike 0:0640897749c18520/0000000000000000:8:         type=PRF, val=PRF_HMAC_SHA2_256
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP2048.
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP1536.
    ike 0:0640897749c18520/0000000000000000:8: proposal id = 4:
    ike 0:0640897749c18520/0000000000000000:8:   protocol = IKEv2:
    ike 0:0640897749c18520/0000000000000000:8:      encapsulation = IKEv2/none
    ike 0:0640897749c18520/0000000000000000:8:         type=ENCR, val=AES_GCM_16 (key_len = 256)
    ike 0:0640897749c18520/0000000000000000:8:         type=PRF, val=PRF_HMAC_SHA2_384
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP2048.
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP1536.
    ike 0:0640897749c18520/0000000000000000:8: proposal id = 5:
    ike 0:0640897749c18520/0000000000000000:8:   protocol = IKEv2:
    ike 0:0640897749c18520/0000000000000000:8:      encapsulation = IKEv2/none
    ike 0:0640897749c18520/0000000000000000:8:         type=ENCR, val=CHACHA20_POLY1305 (key_len = 256)
    ike 0:0640897749c18520/0000000000000000:8:         type=PRF, val=PRF_HMAC_SHA2_256
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP2048.
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP1536.
    ike 0:0640897749c18520/0000000000000000:8: matched proposal id 1
    ike 0:0640897749c18520/0000000000000000:8: proposal id = 1:
    ike 0:0640897749c18520/0000000000000000:8:   protocol = IKEv2:
    ike 0:0640897749c18520/0000000000000000:8:      encapsulation = IKEv2/none
    ike 0:0640897749c18520/0000000000000000:8:         type=ENCR, val=AES_CBC (key_len = 128)
    ike 0:0640897749c18520/0000000000000000:8:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike 0:0640897749c18520/0000000000000000:8:         type=PRF, val=PRF_HMAC_SHA2_256
    ike 0:0640897749c18520/0000000000000000:8:         type=DH_GROUP, val=MODP2048.
    ike 0:0640897749c18520/0000000000000000:8: lifetime=86400
    ike 0:0640897749c18520/0000000000000000:8: SA proposal chosen, matched gateway VPN-to-SH
    ike 0:VPN-to-SH: created connection: 0x829cec0 10 100.1.1.2->200.1.1.2:500.
    ike 0:VPN-to-SH:8: processing notify type NAT_DETECTION_SOURCE_IP
    ike 0:VPN-to-SH:8: processing NAT-D payload
    ike 0:VPN-to-SH:8: NAT not detected 
    ike 0:VPN-to-SH:8: process NAT-D
    ike 0:VPN-to-SH:8: processing notify type NAT_DETECTION_DESTINATION_IP
    ike 0:VPN-to-SH:8: processing NAT-D payload
    ike 0:VPN-to-SH:8: NAT not detected 
    ike 0:VPN-to-SH:8: process NAT-D
    ike 0:VPN-to-SH:8: processing notify type FRAGMENTATION_SUPPORTED
    ike 0:VPN-to-SH:8: responder preparing SA_INIT msg
    ike 0:VPN-to-SH:8: generate DH public value request queued
    ike 0:VPN-to-SH:8: responder preparing SA_INIT msg
    ike 0:VPN-to-SH:8: compute DH shared secret request queued
    ike 0:VPN-to-SH:8: responder preparing SA_INIT msg
    
  4. Packet sent by the responder: the second message of the SA_INIT exchange, carrying the selected proposal and the nonce.

    ike 0:VPN-to-SH:8: out 0640897749C1852079D668275E8FAB852120222000000000000001A8220000300000002C010100040300000C0100000C800E00800300000802000005030000080300000C000000080400000E28000108000E000032F9A820F465C00102EAE1056B3A4DF6DE5B01C6A412F62CFF70E4A8C0657841624ADE35189F3859E91FA1D4EB8AD2079B2672CAE23B4EB3483F687782E7DD184617255D9D3CF5987140EFB5E4CE13CC8791F17848D159153FDEE42249BA69969FD50497EE35CECBD972655A69B5B754395D7CEB23D3594484A61E9D73DBA6DB2F174C96C4378F68BDDE672F8D58DDABC40414048E78E9B443A4A61D4FF49F286E19EE15FF0F4F1BF1FA65E247EAEAB3F3E8DA4DDB4629B4117A26D001F31511C33FDDB6B6FCA71459CE367717A6A31C45AFC519A1FBC4F7785D60831FF06B926E1B03FB978B4D668E4CF129FA9334E6D3CE4B4C42653AEB779F484257A57F6F29000014C40061FEA012E49F9283F72CE763FF882900001C000040046697454FC958F7F6395BF1C4E736670A949CC29F2900001C00004005BF5FEB5E231B18D249058CB0FACC069964298451000000080000402E
    ike 0:VPN-to-SH:8: sent IKE msg (SA_INIT_RESPONSE): 100.1.1.2:500->200.1.1.2:500, len=424, vrf=0,
    
  5. The IKE SA and its session keys are generated. Note that the debug prints the IKE SA keys (SK_e/SK_a) in clear, and step 9 does the same for the ESP keys, so captured debug output must be handled as secret material.

    id=0640897749c18520/79d668275e8fab85
    ike 0:VPN-to-SH:8: IKE SA 0640897749c18520/79d668275e8fab85 SK_ei 16:45B41A6D8E1483FD7AFBE6FAC7AD5404
    ike 0:VPN-to-SH:8: IKE SA 0640897749c18520/79d668275e8fab85 SK_er 16:A49B75CD8B161C9B2BF811E347C84897
    ike 0:VPN-to-SH:8: IKE SA 0640897749c18520/79d668275e8fab85 SK_ai 32:9C8219F27844C989B0FBF7DDF69965A779FF2871503BCCA63B8915E0556E0729
    ike 0:VPN-to-SH:8: IKE SA 0640897749c18520/79d668275e8fab85 SK_ar 32:C3B60A61FC4AA1C9660568AC39CC2957AC01101FAB71C1D44AFCA83A2303E14F
    
  6. Packet received from the initiator: the first message of the IKE_AUTH exchange.

    ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
    ike 0: IKEv2 exchange=AUTH id=0640897749c18520/79d668275e8fab85:00000001 len=448
    ike 0: in ...
    ike 0:VPN-to-SH:8: dec ...
    ike 0:VPN-to-SH:8: responder received AUTH msg
    ike 0:VPN-to-SH:8: processing notify type INITIAL_CONTACT
    ike 0:VPN-to-SH:8: processing notify type MESSAGE_ID_SYNC_SUPPORTED
    
  7. The initiator uses its IP address as its identifier; authentication succeeds.

    ike 0:VPN-to-SH:8: peer identifier IPV4_ADDR 200.1.1.2
    ike 0:VPN-to-SH:8: auth verify done
    ike 0:VPN-to-SH:8: responder AUTH continuation
    ike 0:VPN-to-SH:8: authentication succeeded
    ike 0:VPN-to-SH:8: responder creating new child
    
  8. A matching proposal and matching interesting traffic (traffic selectors) are found.

    ike 0:VPN-to-SH:8:423: peer proposal:
    ike 0:VPN-to-SH:8:423: TSi_0 0:192.168.1.0-192.168.1.255:0
    ike 0:VPN-to-SH:8:423: TSr_0 0:192.168.0.0-192.168.0.255:0
    ike 0:VPN-to-SH:8:VPN-to-SH:423: comparing selectors
    ike 0:VPN-to-SH:8:VPN-to-SH:423: matched by rfc-rule-2
    ike 0:VPN-to-SH:8:VPN-to-SH:423: phase2 matched by subset
    ike 0:VPN-to-SH:8:VPN-to-SH:423: accepted proposal:
    ike 0:VPN-to-SH:8:VPN-to-SH:423: TSi_0 0:192.168.1.0-192.168.1.255:0
    ike 0:VPN-to-SH:8:VPN-to-SH:423: TSr_0 0:192.168.0.0-192.168.0.255:0
    ike 0:VPN-to-SH:8:VPN-to-SH:423: autokey
    ike 0:VPN-to-SH:8:VPN-to-SH:423: incoming child SA proposal:
    ike 0:VPN-to-SH:8:VPN-to-SH:423: proposal id = 1:
    ike 0:VPN-to-SH:8:VPN-to-SH:423:   protocol = ESP:
    ike 0:VPN-to-SH:8:VPN-to-SH:423:      encapsulation = TUNNEL
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         type=ENCR, val=AES_CBC (key_len = 128)
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         type=INTEGR, val=SHA
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         type=ESN, val=NO
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         PFS is disabled
    ike 0:VPN-to-SH:8:VPN-to-SH:423: matched proposal id 1
    ike 0:VPN-to-SH:8:VPN-to-SH:423: proposal id = 1:
    ike 0:VPN-to-SH:8:VPN-to-SH:423:   protocol = ESP:
    ike 0:VPN-to-SH:8:VPN-to-SH:423:      encapsulation = TUNNEL
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         type=ENCR, val=AES_CBC (key_len = 128)
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         type=INTEGR, val=SHA
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         type=ESN, val=NO
    ike 0:VPN-to-SH:8:VPN-to-SH:423:         PFS is disabled
    ike 0:VPN-to-SH:8:VPN-to-SH:423: lifetime=43200
    ike 0:VPN-to-SH:8: responder preparing AUTH msg
    ike 0:VPN-to-SH:8: established IKE SA 0640897749c18520/79d668275e8fab85
    ike 0:VPN-to-SH:8: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
    ike 0:VPN-to-SH:8: processing INITIAL-CONTACT
    ike 0:VPN-to-SH: flushing 
    ike 0:VPN-to-SH: flushed 
    ike 0:VPN-to-SH:8: processed INITIAL-CONTACT
    ike 0:VPN-to-SH: set oper up
    ike 0:VPN-to-SH:8:VPN-to-SH:423: replay protection enabled
    ike 0:VPN-to-SH:8:VPN-to-SH:423: set sa life soft seconds=42930.
    ike 0:VPN-to-SH:8:VPN-to-SH:423: set sa life hard seconds=43200.
    ike 0:VPN-to-SH:8:VPN-to-SH:423: IPsec SA selectors #src=1 #dst=1
    ike 0:VPN-to-SH:8:VPN-to-SH:423: src 0 7 0:192.168.0.0-192.168.0.255:0
    ike 0:VPN-to-SH:8:VPN-to-SH:423: dst 0 7 0:192.168.1.0-192.168.1.255:0
    ike 0:VPN-to-SH:8:VPN-to-SH:423: add IPsec SA: SPIs=fe02f80f/db38e2b9
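
The "comparing selectors ... phase2 matched by subset" lines in step 8 are the responder checking the peer's TSi/TSr against its own phase 2 selectors and narrowing them to the overlap, as RFC 7296 section 2.9 describes. The following is an added example, not FortiOS code: a Python narrowing routine fed with the selectors from this log (peer TSi 192.168.1.0/24, TSr 192.168.0.0/24, local src 192.168.0.0/24, dst 192.168.1.0/24). Only the RFC intersection is implemented; FortiOS's own matching rules (the "rfc-rule-2" label) are not reproduced. Selector tuples use the log's "proto:addr:port" convention with 0 meaning any.

```python
"""Responder-side traffic selector narrowing (RFC 7296 section 2.9)."""
import ipaddress

# A selector is (network, proto, port_lo, port_hi); proto 0 = any, ports 0-65535 = any,
# mirroring the log's "0:192.168.0.0-192.168.0.255:0" notation.


def _bounds(net):
    """First and last address of a CIDR network as integers."""
    n = ipaddress.ip_network(net, strict=False)
    return int(n.network_address), int(n.broadcast_address)


def intersect(a, b):
    """Overlap of two selectors as (start-end, proto, port_lo, port_hi), or None if disjoint."""
    (a_net, a_proto, a_lo, a_hi), (b_net, b_proto, b_lo, b_hi) = a, b
    if a_proto and b_proto and a_proto != b_proto:
        return None  # two different concrete protocols never overlap
    (a1, a2), (b1, b2) = _bounds(a_net), _bounds(b_net)
    start, end = max(a1, b1), min(a2, b2)
    lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
    if start > end or lo > hi:
        return None
    return (f"{ipaddress.ip_address(start)}-{ipaddress.ip_address(end)}",
            a_proto or b_proto, lo, hi)


def _as_range(sel):
    """Normalise a CIDR selector to the range form intersect() returns."""
    return intersect(sel, sel)


def narrow(peer_tsi, peer_tsr, local_src, local_dst):
    """Responder view of the peer's TSi/TSr: TSi describes the peer's side of the tunnel,
    so it is matched against our remote (dst) selector; TSr against our local (src)
    selector. Returns the narrowed pair and whether the peer's proposal was shrunk,
    or None, which the responder answers with TS_UNACCEPTABLE."""
    tsi, tsr = intersect(peer_tsi, local_dst), intersect(peer_tsr, local_src)
    if tsi is None or tsr is None:
        return None
    narrowed = tsi != _as_range(peer_tsi) or tsr != _as_range(peer_tsr)
    return {"TSi": tsi, "TSr": tsr, "narrowed": narrowed}


# Selectors taken from the debug output above (constructed test input for this example).
PEER_TSI = ("192.168.1.0/24", 0, 0, 65535)
PEER_TSR = ("192.168.0.0/24", 0, 0, 65535)
LOCAL_SRC = ("192.168.0.0/24", 0, 0, 65535)
LOCAL_DST = ("192.168.1.0/24", 0, 0, 65535)

if __name__ == "__main__":
    print(narrow(PEER_TSI, PEER_TSR, LOCAL_SRC, LOCAL_DST))
    # peer offers its whole /16: the responder narrows it to the /24 it is configured for
    print(narrow(("192.168.0.0/16", 0, 0, 65535), PEER_TSR, LOCAL_SRC, LOCAL_DST))
    print(narrow(("10.0.0.0/8", 0, 0, 65535), PEER_TSR, LOCAL_SRC, LOCAL_DST))
```

With this log's selectors the peer's proposal is already a subset of the local policy, so the result is returned unchanged; a broader peer proposal (e.g. 192.168.0.0/16) is narrowed to the configured /24, and a disjoint one (10.0.0.0/8) yields None, which is the case that shows up as a TS_UNACCEPTABLE notify on the initiator.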
    
  9. IPsec SAs are generated for the IN (decrypt) and OUT (encrypt) directions.

    ike 0:VPN-to-SH:8:VPN-to-SH:423: IPsec SA dec spi fe02f80f key 16:81DC7F6F04EF90B86ACD5DE389290829 auth 20:6ED062D0343F9A3905CB3DF496846DDE03A3F5ED
    ike 0:VPN-to-SH:8:VPN-to-SH:423: IPsec SA enc spi db38e2b9 key 16:7AC6134E6A36AE792428800B79CC2DC2 auth 20:50EEC2F6F23A0AC711679F61DC3EE6928FC967B9
    ike 0:VPN-to-SH:8:VPN-to-SH:423: added IPsec SA: SPIs=fe02f80f/db38e2b9
    
  10. The tunnel comes up.

    ike 0:VPN-to-SH:8:VPN-to-SH:423: sending SNMP tunnel UP trap
    ike 0:VPN-to-SH:8: enc 2700000C01000000640101022900002802000000C55D3BB2AD28F1C48AD025D070255A48E114948725D28D20941363F40BBCAFA621000008000040242C00002C0000002801030403FE02F80F0300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFFC0A80100C0A801FF0000001801000000070000100000FFFFC0A80000C0A800FF0706050403020107
    
  11. Packet sent by the responder: the second message of the IKE_AUTH exchange, carrying the responder's identity, the traffic selectors, and the selected proposal.

    ike 0:VPN-to-SH:8: out 0640897749C1852079D668275E8FAB852E20232000000001000000E0240000C44AD9A518699109640D1EA67962E73585E17D1269A94910B3672BAAB5706F353F950D18963DB076624C38DCF0C3D3CDF8D3EC991CF4CEE93D0EFA461E9E23C9362FD0F06B42E6251BDB1C2064DC0E17A8E99FE31AF55CB0E5A6786EA694DADE5CBBFA5037A0297F77F38B19891910F33430D50350FAD2A716BF45BD0493A7F2DD0E2A3FC09074C464DC2DA2EFCB7CE00D94D4822D8C81C5A15841DEB46B7017E379643FF00BA34247C836CC8F32565A082E1226E3ABB10379865E18FBACC661FF
    ike 0:VPN-to-SH:8: sent IKE msg (AUTH_RESPONSE): 100.1.1.2:500->200.1.1.2:500, len=224, vrf=0, id=0640897749c18520/79d668275e8fab85:00000001
    ike 0:VPN-to-SH: link is idle 10 100.1.1.2->200.1.1.2:0 dpd=1 seqno=16d rr=0
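
The "in" dump in step 2 and the "enc" dump in step 10 are raw IKEv2 wire format, and everything the log prints in steps 3, 8 and 11 (exchange type, proposals and transforms, IDr, notify types, traffic selectors, the ESP SPI) can be read straight out of them. The following is an added example, not FortiOS code: a small RFC 7296 decoder in Python with registry values taken from IANA's IKEv2 parameters. It embeds the SA_INIT request dump cut after the SA payload (the KE, nonce and notify payloads that follow are not needed here) and the complete "enc" plaintext of the IKE_AUTH reply. One assumption is labelled in the code: the first payload type of the decrypted body is carried in the SK payload header, which the dump omits, so it is taken to be IDr, as a responder's IKE_AUTH message begins with IDr.

```python
"""Decode the IKEv2 (RFC 7296) wire format behind the 'in' and 'enc' hex dumps above."""
import struct
import ipaddress

# Registry values from RFC 7296 / IANA "IKEv2 Parameters" (only the ones this log uses).
EXCHANGE = {34: "SA_INIT", 35: "AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH", 40: "Nonce",
           41: "N", 44: "TSi", 45: "TSr", 46: "SK"}
PROTOCOL = {1: "IKEv2", 2: "AH", 3: "ESP"}
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEGR", 4: "DH_GROUP", 5: "ESN"}
TRANSFORM_ID = {1: {12: "AES_CBC", 20: "AES_GCM_16", 28: "CHACHA20_POLY1305"},
                2: {5: "PRF_HMAC_SHA2_256", 6: "PRF_HMAC_SHA2_384"},
                3: {2: "AUTH_HMAC_SHA1_96", 12: "AUTH_HMAC_SHA2_256_128"},
                4: {5: "MODP1536", 14: "MODP2048"}, 5: {0: "NO", 1: "YES"}}
NOTIFY = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
          16420: "MESSAGE_ID_SYNC_SUPPORTED", 16430: "FRAGMENTATION_SUPPORTED"}


def parse_header(msg):
    """Fixed 28-byte IKE header; flag bit 0x08 marks a message sent by the initiator."""
    spi_i, spi_r, nxt, ver, exch, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, exch),
            "initiator": bool(flags & 0x08), "msg_id": mid, "length": length}


def walk_payloads(data, first, offset=0):
    """Follow the Next Payload chain from `offset`. Every length is bounds-checked before
    slicing, so a truncated or malformed message raises instead of being misparsed.
    Bytes after the last payload (CBC padding in an 'enc' dump) are ignored."""
    out, cur = [], first
    while cur != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        out.append((PAYLOAD.get(cur, cur), data[offset + 4:offset + plen]))
        cur, offset = nxt, offset + plen
    return out


def parse_sa(body):
    """SA payload -> proposals, each with its (type, id, key_len) transforms in wire order."""
    proposals, off = [], 0
    while off + 8 <= len(body):
        more, _, plen, num, proto, spi_len, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_len, []
        for _ in range(ntrans):
            _m, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            key_len = None
            if tlen >= 12:  # a TV attribute follows; 0x800E is Key Length in bits
                attr, val = struct.unpack("!HH", body[toff + 8:toff + 12])
                key_len = val if attr == 0x800E else None
            transforms.append((TRANSFORM_TYPE.get(ttype, ttype),
                               TRANSFORM_ID.get(ttype, {}).get(tid, tid), key_len))
            toff += tlen
        proposals.append({"id": num, "protocol": PROTOCOL.get(proto, proto),
                          "spi": body[off + 8:off + 8 + spi_len].hex(), "transforms": transforms})
        off += plen
        if more == 0:  # 0 = last proposal, 2 = more follow
            break
    return proposals


def parse_ts(body):
    """TSi/TSr payload -> [(start-end, proto, port_lo, port_hi)]; IPv4 ranges only."""
    sels, off = [], 4
    for _ in range(body[0]):
        ts_type, proto, tlen, plo, phi = struct.unpack("!BBHHH", body[off:off + 8])
        if ts_type != 7:
            raise ValueError("only TS_IPV4_ADDR_RANGE is handled here")
        start = ipaddress.ip_address(body[off + 8:off + 12])
        end = ipaddress.ip_address(body[off + 12:off + 16])
        sels.append((f"{start}-{end}", proto, plo, phi))
        off += tlen
    return sels


# Samples copied from the debug output above (constructed test data for this example).
# SA_INIT request ('in' line), cut after the SA payload: 268 of its 632 bytes.
SA_INIT_HEAD = bytes.fromhex(
    "0640897749C185200000000000000000212022080000000000000278220000F0"
    "02000034010100050300000C0100000C800E00800300000802000005030000080300000C0300000804000005000000080400000E"
    "02000034020100050300000C0100000C800E01000300000802000005030000080300000C0300000804000005000000080400000E"
    "0200002C030100040300000C01000014800E008003000008020000050300000804000005000000080400000E"
    "0200002C040100040300000C01000014800E010003000008020000060300000804000005000000080400000E"
    "0000002C050100040300000C0100001C800E010003000008020000050300000804000005000000080400000E")
# Plaintext of the responder's IKE_AUTH reply ('enc' line). Assumption: its first payload is
# IDr (36); that type is carried in the SK payload header, which the dump does not include.
AUTH_PLAIN = bytes.fromhex(
    "2700000C01000000640101022900002802000000C55D3BB2AD28F1C48AD025D070255A48E114948725D28D20"
    "941363F40BBCAFA621000008000040242C00002C0000002801030403FE02F80F0300000C0100000C800E0080"
    "030000080300000200000008050000002D00001801000000070000100000FFFFC0A80100C0A801FF"
    "0000001801000000070000100000FFFFC0A80000C0A800FF0706050403020107")


def describe_auth_response(plain=AUTH_PLAIN):
    """Decode the decrypted IKE_AUTH reply into the view the log prints in steps 8 and 11."""
    seen = {"N": []}
    for name, body in walk_payloads(plain, first=36):
        if name == "IDr":  # ID type 1 = IPV4_ADDR
            seen["IDr"] = str(ipaddress.ip_address(body[4:8])) if body[0] == 1 else body[4:].hex()
        elif name == "AUTH":
            seen["AUTH_method"] = body[0]  # 2 = shared key message integrity code
        elif name == "N":
            seen["N"].append(NOTIFY.get(struct.unpack("!BBH", body[:4])[2], "unknown"))
        elif name == "SA":
            seen["SA"] = parse_sa(body)
        elif name in ("TSi", "TSr"):
            seen[name] = parse_ts(body)
    return seen
```

Running parse_header on SA_INIT_HEAD gives SPIi 0640897749c18520, SPIr all zero, exchange SA_INIT with the initiator flag set and length 632, exactly the values in the step 2 log line; parse_sa on the SA payload returns the five proposals of step 3 in wire order (the responder prints MODP2048 before MODP1536, the wire carries them the other way round). walk_payloads on the truncated SA_INIT sample raises ValueError when it reaches the KE payload, which is the bounds check any parser of untrusted IKE input has to make before indexing. For the "enc" line, describe_auth_response yields IDr 100.1.1.2, the MESSAGE_ID_SYNC_SUPPORTED notify, the ESP proposal with SPI fe02f80f (the "dec spi" of step 9), AES_CBC-128 / HMAC_SHA1_96 / no ESN, and the two traffic selectors of step 8; the trailing 0706050403020107 is the CBC padding plus pad-length byte, which the walker skips.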
    
  12. Disable debugging.

    diagnose debug disable
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
Page revised: 2024-01-15 09:49:52
