关于×××在DEBUG过程中可能出现的问题

最近在调试DEBUG过程中看到本文章，觉得对于×××错误信息不熟的人来说非常有用，几部囊括了所有的×××的DEBUG错误提示信息，并且作者对其进行了一定说明，遂转发希望对更多的人有帮助。

原文地址：×××(IKEv1)實驗Troubleshooting系列一：L2L-×××作者：修羅雷禪

×××中的排錯，甭管是在工作中還是在LAB中，都是挺重要的。因此，我，人為的在L2L/Ez×××/DM×××/GET×××中加入些錯誤配置，并通過Debug來分析各種錯誤。此篇博文是介紹L2L×××的，在後續的博文中，我將給大家逐一展示其他類型×××中的Troubleshooting！

一，實驗拓撲：

二，配置：

R1：

R1#sh run | sec cry

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco address 202.100.1.2

crypto ipsec transform-set cisco esp-des esp-md5-hmac

crypto map cisco 10 ipsec-isakmp

set peer 202.100.1.2

set transform-set cisco

match address L2L×××

interface Loopback0

ip address 1.1.1.1 255.255.255.0

interface FastEthernet0/0

ip address 202.100.1.1 255.255.255.0

duplex auto

speed auto

crypto map cisco

ip route 0.0.0.0 0.0.0.0 202.100.1.2

ip access-list extended L2L×××

permit ip host 1.1.1.1 host 2.2.2.2

三，DEBUG展示：

1，配置完全正確情況下的debug：

發起方（R1)：

R1#debug cry ips

Crypto IPSEC debugging is on

R1#debug cry isa

Crypto ISAKMP debugging is on

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

*Mar 1 00:13:31.891: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2,（加密點）

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1), （感興趣流-ProxyID）

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), (協議類型/轉換集：加密方法，哈希類型）

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar 1 00:13:31.899: ISAKMP:(0): SA request profile is (NULL)

*Mar 1 00:13:31.899: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500

*Mar 1 00:13:31.899: ISAKMP: New peer created peer = 0x65F2D2E0 peer_handle = 0x80000002

*Mar 1 00:13:31.903: ISAKMP: Locking peer struct 0x65F2D2E0, refcount 1 for isakmp_initiator

*Mar 1 00:13:31.903: ISAKMP: local port 500, remote port 500

*Mar 1 00:13:31.903: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 00:13:31.923: insert sa successfully sa = 65FD96E8

*Mar 1 00:13:31.923: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Mar 1 00:13:31.923: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2

*Mar 1 00:13:31.927: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 1 00:13:31.927: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 1 00:13:31.927: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 1 00:13:31.931: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 1 00:13:31.931: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 00:13:31.931: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:13:31.931: ISAKMP:(0): beginning Main Mode exchange

*Mar 1 00:13:31.935: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 00:13:31.935: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:13:32.111: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_NO_STATE（第一二個包：策略）

*Mar 1 00:13:32.123: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:13:32.123: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*.!Mar 1 00:13:32.131: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 1 00:13:32.131: ISAKMP:(0): processing vendor id payload

*Mar 1 00:13:32.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:13:32.131: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:13:32.135: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2

*Mar 1 00:13:32.135: ISAKMP:(0): local preshared key found

*Mar 1 00:13:32.135: ISAKMP : Scanning profiles for xauth ...

*Mar 1 00:13:32.135: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 00:13:32.135: ISAKMP: encryption DES-CBC

*Mar 1 00:13:32.139: ISAKMP: hash SHA

*Mar 1 00:13:32.139: ISAKMP: default group 1

*Mar 1 00:13:32.139: ISAKMP: auth pre-share

*Mar 1 00:13:32.139: ISAKMP: life type in seconds

*Mar 1 00:13:32.139: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 00:13:32.143: ISAKMP:(0):atts are acceptable. Next payload is 0 （策略是可以被接受的/一致）

*Mar 1 00:13:32.143: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar 1 00:13:32.143: ISAKMP:(0):Acceptable atts:life: 0

*Mar 1 00:13:32.147: ISAKMP:(0):Fill atts in sa vpi_length:4

*Mar 1 00:13:32.147: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Mar 1 00:13:32.147: ISAKMP:(0):Returning Actual lifetime: 86400

*Mar 1 00:13:32.147: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar 1 00:13:32.215: ISAKMP:(0): processing vendor id payload

*Mar 1 00:13:32.215: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:13:32.215: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:13:32.215: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:13:32.215: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Mar 1 00:13:32.215: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar 1 00:13:32.215: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:13:32.219: ISAKMP:(0):Input = IKE_ME!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 72/104/128 ms SG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:13:32.219: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Mar 1 00:13:32.363: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP（第三四個包：DH/NONCE）

*Mar 1 00:13:32.367: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:13:32.367: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

*Mar 1 00:13:32.371: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 00:13:32.431: ISAKMP:(0): processing NONCE payload. message ID = 0（公共值和隨機數）

*Mar 1 00:13:32.431: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2

*Mar 1 00:13:32.435: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:13:32.435: ISAKMP:(1001): vendor ID is Unity

*Mar 1 00:13:32.439: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:13:32.439: ISAKMP:(1001): vendor ID is DPD

*Mar 1 00:13:32.439: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:13:32.443: ISAKMP:(1001): speaking to another IOS box!

*Ma

R1#r 1 00:13:32.443: ISAKMP:received payload type 20

*Mar 1 00:13:32.443: ISAKMP:received payload type 20

*Mar 1 00:13:32.443: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:13:32.447: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Mar 1 00:13:32.447: ISAKMP:(1001):Send initial contact

*Mar 1 00:13:32.447: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 00:13:32.447: ISAKMP (0:1001): ID payload

next-payload : 8

type : 1

address : 202.100.1.1

protocol : 17

port : 500

length : 12

*Mar 1 00:13:32.447: ISAKMP:(1001):Total payload length: 12

*Mar 1 00:13:32.447: ISAKMP:(1001): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar 1 00:13:32.447: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:13:32.451: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:13:32.451: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 1 00:13:32.551: ISAKMP (0:1001): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH（第五六個包：認證）

*Mar 1 00:13:32.555: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar 1 00:13:32.555: ISAKMP (0:1001): ID payload

next-payload : 8

type : 1

address : 202.100.1.2

protocol : 17

port : 500

length : 12

*Mar 1 00:13:32.555: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 00:13:32.559: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar 1 00:13:32.559: ISAKMP:(1001):SA authentication status: （認證狀態）

authenticated

*Mar 1 00:13:32.563: ISAKMP:(1001):SA has been authenticated with 202.100.1.2（認證對等體）

*Mar 1 00:13:32.563: ISAKMP: Trying to insert a peer 202.100.1.1/202.100.1.2/500/, and inserted successfully 65F2D2E0.

*Mar 1 00:13:32.563: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:13:32.567: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6

R1#

*Mar 1 00:13:32.571: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:13:32.571: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 1 00:13:32.579: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:13:32.579: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Mar 1 00:13:32.583: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 2080605730

*Mar 1 00:13:32.587: ISAKMP:(1001):QM Initiator gets spi

*Mar 1 00:13:32.591: ISAKMP:(1001): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE

*Mar 1 00:13:32.591: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:13:32.595: ISAKMP:(1001):Node 2080605730, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar 1 00:13:32.595: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

*Mar 1 00:13:32.595: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 1 00:13:32.595: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 1 00:13:32.783: ISAKMP (0:1001): received packet from 202.100.1.2 dport 500 sport 500 Global (I) QM_IDLE （第七八個包)

*Mar 1 00:13:32.787: ISAKMP:(1001): processing HASH payload. message ID = 2080605730

*Mar 1 00:13:32.787: ISAKMP:(1001): processing SA payload. message ID = 2080605730

*Mar 1 00:13:32.787: ISAKMP:(1001):Checking IPSec proposal 1（校驗提議）

*Mar 1 00:13:32.791: ISAKMP: transform 1, ESP_DES

*Mar 1 00:13:32.791: ISAKMP: attributes in transform:

*Mar 1 00:13:32.791: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 00:13:32.791: ISAKMP: SA life type in seconds

*Mar 1 00:13:32.791: ISAKMP: SA life duration (basic) of 3600

*Mar 1 00:13:32.791: ISAKMP: SA life type in kilobytes

*Mar 1 00:13:32.795: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 00:13:32.795: ISAKMP: authenticator is HMAC-MD5

*Mar 1 00:13:32.795: ISAKMP:(1001):atts are acceptable. （被接受）

*Mar 1 00:13:32.799: IPSEC(validate_proposal_request): proposal part #1

*Mar 1 00:13:32.799: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar 1 00:13:32.803: Crypto mapdb : proxy_match

src addr : 1.1.1.1

dst addr : 2.2.2.2

protocol : 0

src port : 0

dst port : 0

*Mar 1 00:13:32.803: ISAKMP:(1001): processing NONCE payload. message ID = 2080605730

*Mar 1 00:13:32.807: ISAKMP:(1001): processing ID payload. message ID = 2080605730

*Mar 1 00:13:32.815: ISAKMP:(1001): Creating IPSec SAs

*Mar 1 00:13:32.815: inbound SA from 202.100.1.2 to 202.100.1.1 (f/i) 0/ 0

(proxy 2.2.2.2 to 1.1.1.1)

*Mar 1 00:13:32.815: has spi 0x84D750DA and conn_id 0

*Mar 1 00:13:32.815: lifetime of 3600 seconds

*Mar 1 00:13:32.819: lifetime of 4608000 kilobytes

*Mar 1 00:13:32.819: outbound SA from 202.100.1.1 to 202.100.1.2 (f/i) 0/0

(proxy 1.1.1.1 to 2.2.2.2)

*Mar 1 00:13:32.819: has spi 0x8E9C20F and conn_id 0

*Mar 1 00:13:32.819: lifetime of 3600 seconds

*Mar 1 00:13:32.819: lifetime of 4608000 kilobytes

*Mar 1 00:13:32.823: ISAKMP:(1001): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE（第九個包）

*Mar 1 00:13:32.823: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:13:32.827: ISAKMP:(1001):deleting node 2080605730 error FALSE reason "No Error"

*Mar 1 00:13:32.827: ISAKMP:(1001):Node 2080605730, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 1 00:13:32.827: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE

*Mar 1 00:13:32.831: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar 1 00:13:32.835: Crypto mapdb : proxy_match

src addr : 1.1.1.1

dst addr : 2.2.2.2

protocol : 0

src port : 0

dst port : 0

*Mar 1 00:13:32.835: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 202.100.1.2

*Mar 1 00:13:32.839: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0

*Mar 1 00:13:32.839: IPSEC(create_sa): sa created,

(sa) sa_dest= 202.100.1.1, sa_proto= 50,

sa_spi= 0x84D750DA(2228703450),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1

*Mar 1 00:13:32.843: IPSEC(create_sa): sa created,

(sa) sa_dest= 202.100.1.2, sa_proto= 50,

sa_spi= 0x8E9C20F(149537295),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2

*Mar 1 00:13:32.843: IPSEC(update_current_outbound_sa): updated peer 202.100.1.2 current outbound sa to SPI 8E9C20F

2，在R1設備上修改第一階段（Phase1)加密方式為3DES后，debug展示：

發起方（R1)：

R1#sh run | sec cry

crypto isakmp policy 10

encr 3des

authentication pre-share

R1#debug cry ips

Crypto IPSEC debugging is on

R1#debug cry isa

Crypto ISAKMP debugging is on

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

*Mar 1 02:10:44.591: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar 1 02:10:44.599: ISAKMP:(0): SA request profile is (NULL)

*Mar 1 02:10:44.599: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500

*Mar 1 02:10:44.603: ISAKMP: New peer created peer = 0x663FED30 peer_handle = 0x80000006

*Mar 1 02:10:44.603: ISAKMP: Locking peer struct 0x663FED30, refcount 1 for isakmp_initiator

*Mar 1 02:10:44.603: ISAKMP: local port 500, remote port 500

*Mar 1 02:10:44.603: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 02:10:44.607: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 66D4ED78

*Mar 1 02:10:44.607: ISAKMP:(0):Can not start Aggres.sive mode, trying Main mode.

*Mar 1 02:10:44.607: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2

*Mar 1 02:10:44.611: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 1 02:10:44.611: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 1 02:10:44.611: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 1 02:10:44.615: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 1 02:10:44.615: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 02:10:44.615: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 02:10:44.615: ISAKMP:(0): beginning Main Mode exchange

*Mar 1 02:10:44.619: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 02:10:44.619: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 02:10:44.763: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_NO_STATE （第一二個包）

*Mar 1 02:10:44.763: ISAKMP:(0):Notify has no hash. Rejected.

*Mar 1 02:10:44.767: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1

*Mar 1 02:10:44.767: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Mar 1 02:10:44.767: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1

*Mar 1 02:10:44.767: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 202.100.1.2....

Success rate is 0 percent (0/5)(嘗試5次失敗）

*Mar 1 02:10:54.619: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Mar 1 02:10:54.619: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar 1 02:10:54.619: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Mar 1 02:10:54.623: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 02:10:54.623: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 02:11:04.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Mar 1 02:11:04.623: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar 1 02:11:04.623: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Mar 1 02:11:04.627: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 02:11:04.627: ISAKMP:(0):Sending an IKE IPv4 Packet.

接收方debug：

R2#debug cry ips

Crypto IPSEC debugging is on

R2#debug cry isa

Crypto ISAKMP debugging is on

R2#

*Mar 1 02:10:37.911: ISAKMP (0:0): received packet from 202.100.1.1 dport 500 sport 500 Global (N) NEW SA（第一个包）

*Mar 1 02:10:37.943: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 02:10:37.943: ISAKMP: encryption 3DES-CBC

*Mar 1 02:10:37.943: ISAKMP: hash SHA

*Mar 1 02:10:37.943: ISAKMP: default group 1

*Mar 1 02:10:37.943: ISAKMP: auth pre-share

*Mar 1 02:10:37.947: ISAKMP: life type in seconds

*Mar 1 02:10:37.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 02:10:37.947: ISAKMP:(0):Encryption algorithm offered does not match policy!（在接受方，提示加密算法不匹配

*Mar 1 02:10:37.947: ISAKMP:(0):atts are not acceptable. Next payload is 0 P1策略沒有被接受）

*Mar 1 02:10:37.951: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy

*Mar 1 02:10:37.951: ISAKMP: encryption 3DES-CBC

*Mar 1 02:10:37.951: ISAKMP: hash SHA

*Mar 1 02:10:37.951: ISAKMP: default group 1

*Mar 1 02:10:37.951: ISAKMP: auth pre-share

*Mar 1 02:10:37.955: ISAKMP: life type in seconds

*Mar 1 02:10:37.955: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 02:10:37.955: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Mar 1 02:10:37.959: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Mar 1 02:10:37.959: ISAKMP:(0)

R2#:no offers accepted!

*Mar 1 02:10:37.959: ISAKMP:(0): phase 1 SA policy not acceptable! (local 202.100.1.2 remote 202.100.1.1)

*Mar 1 02:10:37.959: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*Mar 1 02:10:37.963: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE（第二个包）

*Mar 1 02:10:37.963: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 02:10:37.963: ISAKMP:(0):peer does not do paranoid keepalives.

R2#

3，在R1設備上修改第一階段（Phase1)哈希方式為MD5后，debug展示：

說明：因為在發送方（R1)上的debug信息和（2）一致，所以我們只看下接收方

接收方debug:

R2#debu cry isa

Crypto ISAKMP debugging is on

R2#debu cry ips

Crypto IPSEC debugging is on

Jul 6 07:49:51.222: ISAKMP (0:0): received packet from 202.100.1.1 dport 500 sport 500 Global (N) NEW SA（第一個包）

Jul 6 07:49:51.250: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

Jul 6 07:49:51.254: ISAKMP: encryption DES-CBC

Jul 6 07:49:51.254: ISAKMP: hash MD5

Jul 6 07:49:51.254: ISAKMP: default group 1

Jul 6 07:49:51.254: ISAKMP: auth pre-share

Jul 6 07:49:51.254: ISAKMP: life type in seconds

Jul 6 07:49:51.254: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Jul 6 07:49:51.258: ISAKMP:(0):Hash algorithm offered does not match policy!(Hash 算法不匹配）

Jul 6 07:49:51.258: ISAKMP:(0):atts are not acceptable. Next payload is 0 （不被接受）

Jul 6 07:49:51.258: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy

Jul 6 07:49:51.262: ISAKMP: encryption DES-CBC

Jul 6 07:49:51.262: ISAKMP: hash MD5

Jul 6 07:49:51.262: ISAKMP: default group 1

Jul 6 07:49:51.262: ISAKMP: auth pre-share

Jul 6 07:49:51.262: ISAKMP: life type in seconds

Jul 6 07:49:51.262: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Jul 6 07:49:51.266: ISAKMP:(0):Hash algorithm offered does not match policy!

Jul 6 07:49:51.266: ISAKMP:(0):atts are not acceptable. Next payload is 0

Jul 6 07:49:51.266: ISAKMP:(0):no offers accepted!

Jul 6 07:49:51.270: ISAKMP:(0): phase 1 SA policy not acceptable! (local 202.100.1.2 remote 202.100.1.1) （第一階段SA策略沒有接受）

Jul 6 07:49:51.270: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

Jul 6 07:49:51.270: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE（第二個包）

Jul 6 07:49:51.274: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul 6 07:49:51.274: ISAKMP:(0):peer does not do paranoid keepalives.

4，在R1設備上修改第一階段（Phase1)認證方式為證書（簽名）后，debug展示：

發起方R1上debug：

R1#debu cry isa

Crypto ISAKMP debugging is on

R1#debu cry ips

Crypto IPSEC debugging is on

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

Jul 6 08:11:42.867: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Jul 6 08:11:42.875: ISAKMP:(0): SA request profile is (NULL)

Jul 6 08:11:42.875: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500

Jul 6 08:11:42.875: ISAKMP: New peer created peer = 0x663C537C peer_handle = 0x80000007

Jul 6 08:11:42.879: ISAKMP: Locking peer struct 0x663C537C, refcount 1 for isakmp_initiator

Jul 6 08:11:42.879: ISAKMP: local port 500, remote port 500

Jul 6 08:11:42.879: ISAKMP: set new node 0 to QM_IDLE

Jul 6 08:11:42.883: insert sa successfully sa = 65FDA2D4

Jul 6 08:11:42.883: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Jul 6 08:11:42.883: ISAKMP:(0):found peer pre-shared key matching 202.100.1.2

Jul 6 08:11:42.887: ISAKMP:(0):incorrect policy settings. Unable to initiate. （錯誤的策略設置，不能夠繼續初始化）

Jul 6 08:11:42.887: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Jul 6 08:11:42.887: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

說明：因為在本地沒有找到證書，所以進程直接被停止，壓根就沒發包的機會（P1的第一個包），所以在接收設備（R2）上是看不到debug信息的。

5，在R1設備上修改第二階段（Phase2)轉換集ESP加密方式為3DES后，debug展示：

發起方（R1）：

R1#

Jul 6 08:35:45.307: ISAKMP:(1003):QM Initiator gets spi

Jul 6 08:35:45.311: ISAKMP:(1003): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Jul 6 08:35:45.315: ISAKMP:(1003):Sending an IKE IPv4 Packet.

Jul 6 08:35:45.315: ISAKMP:(1003):Node 1740635024, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Jul 6 08:35:45.319: ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Jul 6 08:35:45.319: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Jul 6 08:35:45.319: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jul 6 08:35:45.491: ISAKMP (0:1003): received packet from 202.100.1.2 dport 500 .sport 500 Global (I) QM_IDLE(第七八個包）

Jul 6 08:35:45.491: ISAKMP: set new node -1323774801 to QM_IDLE

Jul 6 08:35:45.495: ISAKMP:(1003): processing HASH payload. message ID = -1323774801

Jul 6 08:35:45.495: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1609483186, message ID = -1323774801, sa = 65FDA2D4

Jul 6 08:36:14.515: ISAKMP: set new node 0 to QM_IDLE

Jul 6 08:36:14.519: SA has outstanding requests(local 101.253.164.56 port 500, remote 101.253.164.28 port 500) ？？？？？？

Jul 6 08:36:14.519: ISAKMP:(1003): sitting IDLE. Starting QM immediately (QM_IDLE )

接收方（R2)debug：

R2#debu cry ips

Crypto IPSEC debugging is on

R2#debu cry isa

Crypto ISAKMP debugging is on

R2#

Jul 6 08:35:45.398: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:

{esp-3des esp-md5-hmac } （轉換集設置不一致）

Jul 6 08:35:45.402: ISAKMP:(1003): IPSec policy invalidated proposal with error 256

Jul 6 08:35:45.402: ISAKMP:(1003): phase 2 SA policy not acceptable! (local 202.100.1.2 remote 202.100.1.1) （P2的SA策略沒有被接受）

Jul 6 08:35:45.402: ISAKMP: set new node -1323774801 to QM_IDLE

Jul 6 08:35:45.406: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1714556128, message ID = -1323774801

6，在R1設備上修改第二階段（Phase2)感興趣流后（map下調用），debug展示：

A计划：

發起方=问题方（R1）：

R1#debu cry ips

Crypto IPSEC debugging is on

R1#debu cry isa

Crypto ISAKMP debugging is on

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

Jul 6 10:13:43.643: ISAKMP:(1003):purging node 250103541....

Success rate is 0 percent (0/5)

Jul 6 10:13:53.643: ISAKMP:(1003):purging SA., sa=65FDA2D4, delme=65FDA2D4

接收方（R2）：

R2#debu cry ips

Crypto IPSEC debugging is on

R2#debu cry isa

Crypto ISAKMP debugging is on

Jul 6 10:34:40.071: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 1

B计划：

发起方≠问题方（R2)：

R2#ping 1.1.1.1 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

Jul 6 12:15:58.826: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.2, remote= 202.100.1.1,

local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Jul 6 12:15:58.834: ISAKMP: set new node 0 to QM_IDLE

Jul 6 12:15:58.834: SA has outstanding requests (local 102.44.26.132 port 500, remote 102.44.26.160 port 500)

Jul 6 12:15:58.838: ISAKMP:(1005): sitting IDLE. Starting QM immediately (QM_IDLE )

Jul 6 12:15:58.838: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of -172520988

Jul 6 12:15:58.842: ISAKMP:(1005):QM Initiator gets spi

Jul 6 12:15:58.846: ISAKMP:(1005): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) QM_IDLE

Jul 6 12:15:58.846: ISAKMP:(1005):Sending an IKE IPv4 Packet.

Jul 6 12:15:58.846: ISAKMP:(1005):Node -172520988, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Jul 6 12:15:58.850: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Jul 6 12:15:59.014: ISAKMP (0:1005): received packet from 202.100.1.1 dport 500 sport 500 Global (R) QM_IDLE

Jul 6 12:15:59.018: ISAKMP: set new node 394346355 to QM_IDLE

Jul 6 12:15:59.018: ISAKMP:(1005): processing HASH payload. message ID = 394346355

Jul 6 12:15:59.022: ISAKMP:(1005): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 4118868689, message ID = 394346355, sa = 662C193C

Success rate is 0 percent (0/5)

Jul 6 12:16:28.838: ISAKMP:(1005): sitting IDLE. Starting QM immediately (QM_IDLE )

Jul 6 12:16:28.838: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of 751565303

Jul 6 12:16:28.842: ISA

R2#KMP:(1005):QM Initiator gets spi

Jul 6 12:16:28.846: ISAKMP:(1005): sending packet to 202.100.1.1 my_port 500 peer_port 500 (R) QM_IDLE

Jul 6 12:16:28.846: ISAKMP:(1005):Sending an IKE IPv4 Packet.

Jul 6 12:16:28.850: ISAKMP:(1005):Node 751565303, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Jul 6 12:16:28.850: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Jul 6 12:16:29.002: ISAKMP (0:1005): received packet from 202.100.1.1 dport 500 sport 500 Global (R) QM_IDLE（第二阶段过不了）

接收方（R1)：

R1#

Jul 6 12:15:58.914: ISAKMP (0:1005): received packet from 202.100.1.2 dport 500 sport 500 Global (I) QM_IDLE

Jul 6 12:15:58.914: ISAKMP: set new node -172520988 to QM_IDLE

Jul 6 12:15:58.918: ISAKMP:(1005): processing HASH payload. message ID = -172520988

Jul 6 12:15:58.918: ISAKMP:(1005): processing SA payload. message ID = -172520988

Jul 6 12:15:58.922: ISAKMP:(1005):Checking IPSec proposal 1

Jul 6 12:15:58.922: ISAKMP: transform 1, ESP_DES

Jul 6 12:15:58.922: ISAKMP: attributes in transform:

Jul 6 12:15:58.922: ISAKMP: encaps is 1 (Tunnel)

Jul 6 12:15:58.922: ISAKMP: SA life type in seconds

Jul 6 12:15:58.922: ISAKMP: SA life duration (basic) of 3600

Jul 6 12:15:58.926: ISAKMP: SA life type in kilobytes

Jul 6 12:15:58.926: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

Jul 6 12:15:58.926: ISAKMP: authenticator is HMAC-MD5

Jul 6 12:15:58.926: ISAKMP:(1005):atts are acceptable.

Jul 6 12:15:58.930: IPSEC

R1#(validate_proposal_request): proposal part #1

Jul 6 12:15:58.930: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Jul 6 12:15:58.934: Crypto mapdb : proxy_match

src addr : 1.1.1.1

dst addr : 2.2.2.2

protocol : 0

src port : 0

dst port : 0

Jul 6 12:15:58.934: Crypto mapdb : proxy_match

src addr : 1.1.1.1

dst addr : 2.2.2.2

protocol : 0

src port : 0

dst port : 0

Jul 6 12:15:58.938: map_db_find_best did not find matching map

Jul 6 12:15:58.938: IPSEC(ipsec_process_proposal): proxy identities not supported（感兴趣流身份不被支持/不匹配）

Jul 6 12:15:58.938: ISAKMP:(1005): IPSec policy invalidated proposal with error 32

Jul 6 12:15:58.938: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 202.100.1.1 remote 202.100.1.2)

Jul 6 12:15:58.942: ISAKMP: set new node 394346355 to QM_IDLE

Jul 6 12:15:58.942: ISAKMP:(1005):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1714555744, message ID = 394346355

Jul 6 12:15:58.946: ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Jul 6 12:15:58.946: ISAKMP:(1005):Sending an IKE IPv4 Packet.

Jul 6 12:15:58.950: ISAKMP:(1005):purging node 394346355

Jul 6 12:15:58.950: ISAKMP:(1005):deleting node -172520988 error TRUE reason "QM rejected"

Jul 6 12:15:58.950: ISAKMP:(1005):Node -172520988, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Jul 6 12:15:58.954: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_READY

R1#

7，在R1設備上修改MAP下set peer（和cry isa key 0 cisco add 202.100.1.2加密點不一致），debug展示：

發起方=问题方（R1）：

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

Jul 6 11:13:17.947: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 2.2.2.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Jul 6 11:13:17.955: ISAKMP:(0): SA request profile is (NULL)

Jul 6 11:13:17.959: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500

Jul 6 11:13:17.959: ISAKMP: New peer created peer = 0x663C537C peer_handle = 0x8000000B

Jul 6 11:13:17.959: ISAKMP: Locking peer struct 0x663C537C, refcount 1 for isakmp_initiator

Jul 6 11:13:17.959: ISAKMP: local port 500, remote port 500

Jul 6 11:13:17.963: ISAKMP: set new node 0 to QM_IDLE

Jul 6 11:13:17.963: insert sa successfully sa = 661B5C78

Jul 6 11:13:17.963: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Jul 6 11:13:17.967: ISAKMP:(0):No pre-shared key with 2.2.2.2!

Jul 6 11:13:17.967: ISAKMP:(0): No Cert or pre-shared address key.（提示加密点有问题）

Jul 6 11:13:17.967: ISAKMP:(0): construct_initial_message: Can not start Main mode

Jul 6 11:13:17.967: ISAKMP: Unlocking peer struct 0x663C537C for isadb_unlock_peer_delete_sa(), count 0

Jul 6 11:13:17.971: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 663C537C

Jul 6 11:13:17.971: ISAKMP:(0):purging SA., sa=661B5C78, delme=661B5C78

Jul 6 11:13:17.971: ISAKMP:(0):purging node 134193081

Jul 6 11:13:17.975: ISAKMP: Error while processing SA request: Failed to initialize SA

Jul 6 11:13:17.975: ISAKMP: Error while processing KMI message 0, error 2.

Jul 6 11:13:17.979: IPSEC(key_engine): got a queue event with 1 KMI message(s).....

Success rate is 0 percent (0/5)

說明：由於pre-share address（key)不一致，导致发送方无法初始化IPsec ×××的主模式，因此，接收方收不到任何包。

8，在R2設備上修改MAP下set peer（和cry isa key 0 cisco add 202.100.1.1加密點不一致），debug展示：

发起方≠问题方（R1）：（P1是可以搞定的，就不展示了，我们从P2开始）（现象不明显）

R1#ping 2.2.2.2 so 1.1.1.1

Jul 6 11:25:59.483: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of 890913439

Jul 6 11:25:59.483: ISAKMP:(1005):QM Initiator gets spi

Jul 6 11:25:59.487: ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE

Jul 6 11:25:59.487: ISAKMP:(1005):Sending an IKE IPv4 Packet.

Jul 6 11:25:59.491: ISAKMP:(1005):Node 890913439, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Jul 6 11:25:59.491: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Jul 6 11:25:59.495: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Jul 6 11:25:59.495: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jul 6 11:25:59.647: ISAKMP (0:1005): received packet from 202.100.1.2 dport 500 spo.rt 500 Global (I) QM_IDLE

Jul 6 11:25:59.651: ISAKMP: set new node 456611425 to QM_IDLE

Jul 6 11:25:59.651: ISAKMP:(1005): processing HASH payload. message ID = 456611425

Jul 6 11:25:59.655: ISAKMP:(1005): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1640454669, message ID = 456611425, sa = 661B5C78

Jul 6 11:25:59.655: ISAKMP:(1005): deleting spi 1640454669 message ID = 890913439

Jul 6 11:25:59.655: ISAKMP:(1005):deleting node 890913439 error TRUE reason "Delete Larval"

Jul 6 11:25:59.659: ISAKMP:(1005):deleting node 456611425 error FALSE reason "Informational (in) state 1"

Jul 6 11:25:59.659: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Jul 6 11:25:59.659: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Success rate is 0 percent (0/5)

Jul 6 11:26:28.811: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1)

Jul 6 11:26:28.815: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Jul 6 11:26:28.819: ISAKMP: set new node 0 to QM_IDLE

Jul 6 11:26:28.819: SA has outstanding requests (local 102.27.93.220 port 500, remote 102.27.93.192 port 500) ????????

Jul 6 11:26:28.823: ISAKMP:(1005): sitting IDLE. Starting QM immediately (QM_IDLE )

Jul 6 11:26:28.823: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of -64501258

Jul 6 11:26:28.827: ISAKMP:(1005):QM Initiator gets spi

Jul 6 11:26:28.831: ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) QM_IDLE（第二阶段过不去）

Jul 6 11:26:28.831: ISAKMP:(1005):Sending an IKE IPv4 Packet.

9，在R1設備上修改cry isa key 0 cisco add 2.2.2.2加密點和MAP下set peer不一致），debug展示：

發起方=问题方（R1）：（和7的结果一样）

————————————————————————

发起方≠问题方（R2）：

R2#ping 1.1.1.1 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

Jul 6 13:26:21.258: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 202.100.1.1.....

Success rate is 0 percent (0/5)

注意：我们现在在R1上看下debug信息：

问题方（R1）：

R1#

Jul 6 13:26:21.138: ISAKMP (0:0): received packet from 202.100.1.2 dport 500 sport 500 Global (N) NEW SA

Jul 6 13:26:21.138: ISAKMP: Created a peer struct for 202.100.1.2, peer port 500

Jul 6 13:26:21.142: ISAKMP: New peer created peer = 0x663C537C peer_handle = 0x80000015

Jul 6 13:26:21.142: ISAKMP: Locking peer struct 0x663C537C, refcount 1 for crypto_isakmp_process_block

Jul 6 13:26:21.142: ISAKMP: local port 500, remote port 500

Jul 6 13:26:21.146: insert sa successfully sa = 65FDA2D4

Jul 6 13:26:21.146: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Jul 6 13:26:21.146: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Jul 6 13:26:21.154: ISAKMP:(0): processing SA payload. message ID = 0

Jul 6 13:26:21.154: ISAKMP:(0): processing vendor id payload

Jul 6 13:26:21.158: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Jul 6 13:26:21.158: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

Jul 6 13:26:21.158: ISAKMP:(0): processing vendor id payload

Jul 6 13:26:21.158: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Jul 6 13:26:21.158: ISAKMP (0:0): vendor ID is NAT-T v7

Jul 6 13:26:21.162: ISAKMP:(0): processing vendor id payload

Jul 6 13:26:21.162: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Jul 6 13:26:21.162: ISAKMP:(0): vendor ID is NAT-T v3

Jul 6 13:26:21.162: ISAKMP:(0): processing vendor id payload

Jul 6 13:26:21.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Jul 6 13:26:21.166: ISAKMP:(0): vendor ID is NAT-T v2

Jul 6 13:26:21.166: ISAKMP:(0):No pre-shared key with 202.100.1.2!(不匹配對等體加密點/沒有對等體的預共享密鈅）

Jul 6 13:26:21.166: ISAKMP : Scanning profiles for xauth ...

Jul 6 13:26:21.170: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

Jul 6 13:26:21.170: ISAKMP: encryption DES-CBC

Jul 6 13:26:21.170: ISAKMP: hash SHA

Jul 6 13:26:21.170: ISAKMP: default group 1

Jul 6 13:26:21.170: ISAKMP: auth pre-share

Jul 6 13:26:21.170: ISAKMP: life type in seconds

Jul 6 13:26:21.174: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Jul 6 13:26:21.174: ISAKMP:(0):Preshared authentication offered but does not match policy!

Jul 6 13:26:21.174: ISAKMP:(0):atts are not acceptable. Next payload is 0

Jul 6 13:26:21.178: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy

Jul 6 13:26:21.178: ISAKMP: encryption DES-CBC

Jul 6 13:26:21.178: ISAKMP: hash SHA

Jul 6 13:26:21.178: ISAKMP: default group 1

Jul 6 13:26:21.178: ISAKMP: auth pre-share

Jul 6 13:26:21.178: ISAKMP: life type in seconds

Jul 6 13:26:21.182: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Jul 6 13:26:21.182: ISAKMP:(0):Authentication method offered does not match policy!

Jul 6 13:26:21.182: ISAKMP:(0):atts are not acceptable. Next payload is 0

Jul 6 13:26:21.186: ISAKMP:(0):no offers accepted!

Jul 6 13:26:21.186: ISAKMP:(0): phase 1 SA policy not acceptable! (local 202.100.1.1 remote 202.100.1.2)

Jul 6 13:26:21.186: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

Jul 6 13:26:21.190: ISAKMP:(0): sending packet to 202.100.1.2 my_port 500 peer_port 500 (R) MM_NO_STATE

Jul 6 13:26:21.190: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul 6 13:26:21.190: ISAKMP:(0):peer does not do paranoid keepalives.

10，在R1設備的感興趣進出的接口（F0/0）上不調用cry map后，debug展示：

發起方=问题方（R1）：

R1#debu cry isa

Crypto ISAKMP debugging is on

R1#debu cry ips

Crypto IPSEC debugging is on

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.....

Success rate is 0 percent (0/5)

R1#

*Mar 1 00:11:11.899: ISAKMP:(1001):purging SA., sa=65CBF5EC, delme=65CBF5EC

沒反應

接收方（R2）：

R2#

*Mar 1 00:10:32.935: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 1

R2#

*Mar 1 00:10:58.555: ISAKMP:(1001):purging node -1368574511

*Mar 1 00:10:58.555: ISAKMP:(1001):purging node -1488994873

說明：

通過下圖講述CRY MAP對密文或明文流量的處理

是否感興趣流是否加密有無map oution

N/A 是有解密

是否有 drop

是否沒有 forward

N/A 是沒有解密

————————————————————————————————————————————

发起方≠问题方（R2）：

R2#ping 1.1.1.1 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

*Mar 1 00:15:14.983: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.2, remote= 202.100.1.1,

local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar 1 00:15:14.991: ISAKMP:(0): SA request profile is (NULL)

*Mar 1 00:15:14.991: ISAKMP: Created a peer struct for 202.100.1.1, peer port 500

*Mar 1 00:15:14.995: ISAKMP: New peer created peer = 0x66C81378 peer_handle = 0x80000003

*Mar 1 00:15:14.995: ISAKMP: Locking peer struct 0x66C81378, refcount 1 for isakmp_initiator

*Mar 1 00:15:14.995: ISAKMP: local port 500, remote port 500

*Mar 1 00:15:14.995: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 00:15:14.999: insert sa successfully sa = 66232F58

*Mar 1 00:15:14.999: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Mar 1 00:15:14.999: ISAKMP:(0):found peer pre-shared key matching 202.100.1.1

*Mar 1 00:15:15.003: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 1 00:15:15.003: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 1 00:15:15.003: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 1 00:15:15.007: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 1 00:15:15.007: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 00:15:15.007: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:15:15.007: ISAKMP:(0): beginning Main Mode exchange

*Mar 1 00:15:15.011: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE（第一個包）

*Mar 1 00:15:15.011: ISAKMP:(0):Sending an IKE IPv4 Packet......

Success rate is 0 percent (0/5)

*Mar 1 00:15:25.011: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Mar 1 00:15:25.011: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1（對等體沒有回包，重傳5次）

*Mar 1 00:15:25.011: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Mar 1 00:15:25.015: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 00:15:25.015: ISAKMP:(0):Sending an IKE IPv4 Packet.

R2#

*Mar 1 00:15:35.015: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Mar 1 00:15:35.015: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar 1 00:15:35.015: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Mar 1 00:15:35.019: ISAKMP:(0): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 00:15:35.019: ISAKMP:(0):Sending an IKE IPv4 Packet.

R2#

*Mar 1 00:15:44.983: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 202.100.1.2, remote= 202.100.1.1,

local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)

*Mar 1 00:15:44.987: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 202.100.1.2, remote= 202.100.1.1,

local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar 1 00:15:44.991: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 00:15:44.995: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 202.100.1.2, remote 202.100.1.1)

*Mar 1 00:15:44.995: ISAKMP: Error while processing SA request: Failed to initialize SA

*Mar 1 00:15:44.995: ISAKMP: Error while processing KMI message 0, error 2.

接收方=问题方（R1）：

依然沒有任何反應

通過下圖講述CRY MAP對密文或明文流量的處理

是否感興趣流是否加密有無map oution

N/A 是有解密

是否有 drop

是否沒有 forward

N/A 是沒有解密

11，在R1設備上修改路由（沒有去往對等體的感興趣流路由），debug展示：

發起方=问题方（R1）：

完全沒反應

接收方（R2）：

完全沒反應

——————————————————————————————————————————

发起方≠问题方（R2）：

R2#sh cry en conn ac

Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address

7 Fa0/0 IPsec DES+MD5 0 0 202.100.1.2

8 Fa0/0 IPsec DES+MD5 40 202.100.1.2

1004 Fa0/0 IKE SHA+DES 0 0 202.100.1.2

R2#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

202.100.1.1 202.100.1.2 QM_IDLE 1004 0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh cry ips sa

interface: FastEthernet0/0

Crypto map tag: cisco, local addr 202.100.1.2

protected vrf: (none)

local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

current_peer 202.100.1.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 202.100.1.2, remote crypto endpt.: 202.100.1.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xAE7F8174(2927591796)

inbound esp sas:

spi: 0xBB653B0B(3143973643)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 7, flow_id: SW:7, crypto map: cisco

sa timing: remaining key lifetime (k/sec): (4387303/3568)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xAE7F8174(2927591796)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 8, flow_id: SW:8, crypto map: cisco

sa timing: remaining key lifetime (k/sec): (4387302/3566)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R2#

接收方=问题方（R1）：

R1#sh cry en conn ac

Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address

7 Fa0/0 IPsec DES+MD5 0 4 202.100.1.1

8 Fa0/0 IPsec DES+MD5 0 0 202.100.1.1

1004 Fa0/0 IKE SHA+DES 0 0 202.100.1.1

R1#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

202.100.1.1 202.100.1.2 QM_IDLE 1004 0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cry ips sa

interface: FastEthernet0/0

Crypto map tag: cisco, local addr 202.100.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)

current_peer 202.100.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.1.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xBB653B0B(3143973643)

inbound esp sas:

spi: 0xAE7F8174(2927591796)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 7, flow_id: SW:7, crypto map: cisco

sa timing: remaining key lifetime (k/sec): (4592567/3463)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xBB653B0B(3143973643)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 8, flow_id: SW:8, crypto map: cisco

sa timing: remaining key lifetime (k/sec): (4592568/3462)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

12，在R1設備上修改MAP調用的接口（從F0/0換到Lo0接口），debug展示：

發起方=问题方（R1）：

完全沒反應

接收方（R2）：

完全沒反應

————————————————————————————————————————

发起方≠问题方（R2）：

*Mar 1 01:10:06.291: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of 1810455244

*Mar 1 01:10:06.295: ISAKMP:(1005):QM Initiator gets spi

*Mar 1 01:10:06.299: ISAKMP:(1005): sending packet to 202.100.1.1 my_port 500 peer_port 500 (I) QM_IDLE

*Mar 1 01:10:06.299: ISAKMP:(1005):Sending an IKE IPv4 Packet.

*Mar 1 01:10:06.303: ISAKMP:(1005):Node 1810455244, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar 1 01:10:06.303: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

*Mar 1 01:10:06.303: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 1 01:10:06.303: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_.P1_COMPLETE

*Mar 1 01:10:06.447: ISAKMP (0:1005): received packet from 202.100.1.1 dport 500 sport 500 Global (I) QM_IDLE（第七八個包過不去）

*Mar 1 01:10:06.451: ISAKMP: set new node -450797985 to QM_IDLE

*Mar 1 01:10:06.455: ISAKMP:(1005): processing HASH payload. message ID = -450797985

*Mar 1 01:10:06.455: ISAKMP:(1005): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 3865644607, message ID = -450797985, sa = 66232F58

*Mar 1 01:10:06.455: ISAKMP:(1005): deleting spi 3865644607 message ID = 1810455244

*Mar 1 01:10:06.455: ISAKMP:(1005):deleting node 1810455244 error TRUE reason "Delete Larval"

*Mar 1 01:10:06.459: ISAKMP:(1005):deleting node -450797985 error FALSE reason "Informational (in) state 1"

*Mar 1 01:10:06.459: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Mar 1 01:10:06.459: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Success rate is 0 percent (0/5)

R2#sh cry en conn ac

Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address

1005 Fa0/0 IKE SHA+DES 0 0 202.100.1.2

R2#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

202.100.1.1 202.100.1.2 QM_IDLE 1005 0 ACTIVE

IPv6 Crypto ISAKMP SA

接收方=问题方（R1）：

*Mar 1 01:10:09.739: ISAKMP (0:1005): received packet from 202.100.1.2 dport 500 sport 500 Global (R) QM_IDLE

*Mar 1 01:10:09.739: ISAKMP: set new node 1810455244 to QM_IDLE

*Mar 1 01:10:09.743: ISAKMP:(1005): processing HASH payload. message ID = 1810455244

*Mar 1 01:10:09.743: ISAKMP:(1005): processing SA payload. message ID = 1810455244

*Mar 1 01:10:09.743: ISAKMP:(1005):Checking IPSec proposal 1

*Mar 1 01:10:09.747: ISAKMP: transform 1, ESP_DES

*Mar 1 01:10:09.747: ISAKMP: attributes in transform:

*Mar 1 01:10:09.747: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 01:10:09.747: ISAKMP: SA life type in seconds

*Mar 1 01:10:09.747: ISAKMP: SA life duration (basic) of 3600

*Mar 1 01:10:09.751: ISAKMP: SA life type in kilobytes

*Mar 1 01:10:09.751: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 01:10:09.751: ISAKMP: authenticator is HMAC-MD5

*Mar 1 01:10:09.751:

R1# ISAKMP:(1005):atts are acceptable.

*Mar 1 01:10:09.755: IPSEC(validate_proposal_request): proposal part #1

*Mar 1 01:10:09.755: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 202.100.1.1, remote= 202.100.1.2,

local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar 1 01:10:09.759: IPSEC(ipsec_process_proposal): invalid local address 202.100.1.1

*Mar 1 01:10:09.759: ISAKMP:(1005): IPSec policy invalidated proposal with error 8

*Mar 1 01:10:09.763: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 202.100.1.1 remote 202.100.1.2)（第二階段策略沒有接受）

*Mar 1 01:10:09.763: ISAKMP: set new node -450797985 to QM_IDLE

*Mar 1 01:10:09.763: ISAKMP:(1005):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1714555744, message ID = -450797985

*Mar 1 01:10:09.767:

R1# ISAKMP:(1005): sending packet to 202.100.1.2 my_port 500 peer_port 500 (R) QM_IDLE

*Mar 1 01:10:09.767: ISAKMP:(1005):Sending an IKE IPv4 Packet.

*Mar 1 01:10:09.771: ISAKMP:(1005):purging node -450797985

*Mar 1 01:10:09.771: ISAKMP:(1005):deleting node 1810455244 error TRUE reason "QM rejected"（快速模式拒絕）

*Mar 1 01:10:09.771: ISAKMP:(1005):Node 1810455244, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 1 01:10:09.775: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_READY

R1#

*Mar 1 01:11:29.111: ISAKMP:(1005):purging node -1664783517

R1#sh cry en conn ac

Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address

1005 Fa0/0 IKE SHA+DES 0 0 202.100.1.1

R1#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

202.100.1.1 202.100.1.2 QM_IDLE 1005 0 ACTIVE

IPv6 Crypto ISAKMP SA

13，在R1設備上修改預共享密鈅，debug信息：

發起方=问题方（R1）：

R1#

*Mar 1 00:44:18.423: ISAKMP:(1002): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar 1 00:44:18.423: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Mar 1 00:44:18.423: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP.LETE

*Mar 1 00:44:18.427: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 1 00:44:19.531: ISAKMP (0:1002): received packet from 202.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Mar 1 00:44:19.531: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.（第五六個包不過，嘗試5次失敗）

*Mar 1 00:44:19.531: ISAKMP:(1002): retransmitting due to retransmit phase 1

*Mar 1 00:44:20.035: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH...

*Mar 1 00:44:20.035: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar 1 00:44:20.035: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH

*Mar 1 00:44:20.039: ISAKMP:(1002): sending packet to 202.100.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar 1 00:44:20.039: ISAKMP:(1002):Sending an IKE IPv4 Packet...

接收方≠问题方（R2）：

R2#

*Mar 1 00:44:15.595: ISAKMP (0:1002): received packet from 202.100.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Mar 1 00:44:15.595: ISAKMP: reserved not zero on ID payload!

*Mar 1 00:44:15.599: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 202.100.1.1 failed its sanity check or is malformed

*Mar 1 00:44:15.599: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

*Mar 1 00:44:16.599: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH...

转载于:https://blog.51cto.com/7492110/1281004

关于×××在DEBUG过程中可能出现的问题相关推荐

在Windows Server 2008 R2下搭建jsp环境（四）-在测试的过程中可能出现的问题
环境基本部署好了之后,便开始测试,一定要让他经得起"考验",他才会值得你的信赖.Tomcat服务器部署成功的的验证方法(默认端口的情况下): 1.loacalhost:8080 2 ...
单元测试debug过程中，显示variables are not available
注:我的代码是多线程异步执行的单元测试,代码在进行debug调试时,执行到某一行代码突然就显示variables are not available,多次尝试,始终是会在某一行代码处出现上述的情况. ...
【小罗的hdlbits刷题笔记4】从lemming4中的有限状态机debug过程中的一些感悟
心累,debug过程就是很烦,先说一下结论:设置变量时一定要注意位宽,否则会出现截位导致输出结果出现bug 废话不多说,先上问题 *Although Lemmings can walk, fall, ...
Debug过程中保存function的测试数据到SE37
转载链接:link 在Debug ABAP程序过程中,能将输入Function的测试数据保存到SE37,这样就可以直接在SE37中测试function,而不用再次debug整个程序. 方法如下: 1, ...
动态域名解析服务器离线会引起什么_动态域名解析过程中可能出现的问题及解决方案...
动态域名在企业中应用非常广泛,金万维动态域名作为一款平稳运行10余年的软件,已是被业界所熟知.该系统由两部分构成,一部分是客户端,运行在用户的主机上:另一部分是服务器,由金万维负责运行. 谓动态域名解 ...
Opencv3编程入门学习笔记（四）之split通道分离Debug过程中0xC0000005内存访问冲突问题
这是笔者学习<Opencv3编程入门>的第四篇博客,这篇博客主要是解决在Windows系统下VS 2013中Debug含有split分离通道色彩函数时报出的0xC0000005内存访问冲突 ...
YOLOV5使用过程中可能出现的问题及解决方法
我尝试过YOLOV5 v5.0 和 YOLOV5 v6.0,都出现了一些问题 (小声嘀咕:我刚开始搜索报错原因得到是github社区上作者的回答,结果把它他提供的解决方法都试了一遍,一点作用没有,最后 ...
Wampserver64 安装过程中可能出现的错误并解决
文章目录 1.这里要结束电脑管家或者安全软件,因为这些软件会阻止一下权限的访问. 2.这里要注意安装的路径不要出现中文否者无法启动 3.Wampserver64 由于找不到MSVCR110.dl,无 ...
MPC之SPDZ开源库安装过程中可能出现的错误
第一个错误: 执行 Scripts/tldr.sh 时出现:cp: cannot stat 'bin/Linux-avx2/*': No such file or directory 错误原因:你下的 ...

关于×××在DEBUG过程中可能出现的问题

关于×××在DEBUG过程中可能出现的问题相关推荐

最新文章

热门文章