IPsec VPN problem with CA-based authentication
1. Environment
(fa0/1:192.168.0.212)RR5(fa0/0:10.2.1.1)-------(fa0/0:10.2.1.3)RR7(fa0/1:192.168.0.213)
RR5 is configured as the CA server.
The 10.x addresses are the outside interfaces, over which the VPN tunnel runs; the 192.x addresses are the inside interfaces, simulating each router's internal network.
2. Problem
Both routers obtain their certificates from the CA server without trouble.
During IPsec VPN negotiation, the IKE exchange fails.
3. Configuration and debug output
RR5:
Current configuration : 5616 bytes
!
! Last configuration change at 16:45:51 CST Fri Jan 4 2008
! NVRAM config last updated at 16:36:51 CST Fri Jan 4 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RR5
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
memory-size iomem 5
clock timezone CST 8
ip cef
!
!          
!
!
no ip domain lookup
ip domain name sys.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki server sys
database archive pem password 7 08701E1D5D4C53404A
grant auto
cdp-url http://192.168.0.212
!
crypto pki trustpoint sys
revocation-check crl
rsakeypair sys
!
crypto pki trustpoint sys1
enrollment url http://192.168.0.212:80
serial-number none
fqdn RR5.sys.com
ip-address none
password
revocation-check crl
rsakeypair RR5.sys.com
auto-enroll
!
!
crypto pki certificate chain sys
certificate ca 01
  quit
crypto pki certificate chain sys1
certificate 02
  quit
certificate ca 01
  quit
username sys privilege 15 password 0 sys
!
!  
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
!
crypto map SDM_CMAP_1 1 ipsec-isakmp  
description Tunnel to10.2.1.3
set peer 10.2.1.3
set transform-set ESP-3DES-SHA  
match address 100
!
!
!
!          
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 192.168.0.212 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.1.0 0.0.0.255
no cdp advertise-v2
!
!          
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 35791 0
timeout login response 300
line aux 0
line vty 0 4
exec-timeout 35791 0
timeout login response 300
login local
transport input ssh
line vty 5 15
exec-timeout 35791 0
timeout login response 300
login local
transport input ssh
!
ntp clock-period 17179838
ntp server 202.112.10.60 source FastEthernet0/1
!
end

RR5 RSA:
Key name: RR5.sys.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D72073 4C8D41FE  
  3C6A68EF 6946DB60 EAF69320 1FC5CA14 A93C7D22 66E36BE4 5596AD1D 3982A2ED  
  C3EE9516 EEB48465 259C3D01 F33729C1 64CC6B33 190AB8B9 8B020301 0001
% Key pair was generated at: 16:33:25 CST Jan 4 2008
Key name: sys
Usage: General Purpose Key
Key is exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C381C6  
  FB5821BA D991F5B2 F6C81822 3D2662EC 3A05C404 7AF7452F 2F161082 BA3064CC  
  85F6434C ECBDA7AA BDBB1E31 F45E5D3F 3FD54A20 64C6F654 B4407519 496C4460  
  F3C444C2 CE0244FC E4890CC3 5AEFC56E 97616263 51290C2D A4A80106 989C1937  
  150F2976 59D28B41 A57B5A4A 9102A956 DADCC8EA AA8F5D1A 62ACBD30 83020301 0001
% Key pair was generated at: 16:38:04 CST Jan 4 2008
Key name: RR5.sys.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DEDC3E 27DF78B7  
  C910701A 6AB96579 B58EF440 4166CCB2 3A841B6B ADB8463B 990BAB13 1A93B48C  
  494AE68C 3EEB2252 C0202EEE 3A33E7C9 F9F5D5F8 4FF5DB34 4BF5CEF4 51DC768D  
  5B363758 25AA86B7 6014C940 518150E0 79205D83 980706BB 59020301 0001

RR7:
Current configuration : 4115 bytes
!
! Last configuration change at 16:49:42 CST Fri Jan 4 2008
! NVRAM config last updated at 16:36:45 CST Fri Jan 4 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RR7
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
clock timezone CST 8
ip cef
!
!
!          
!
no ip domain lookup
ip domain name sys.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint sys1
enrollment url http://192.168.0.212:80
serial-number none
fqdn RR7.sys.com
ip-address none
password
revocation-check crl
rsakeypair RR7.sys.com.server
auto-enroll
!
!
crypto pki certificate chain sys1
certificate 03
  quit
certificate ca 01
  quit
username sys privilege 15 password 0 sys
!
!          
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
!
crypto map SDM_CMAP_1 1 ipsec-isakmp  
description Tunnel to10.2.1.1
set peer 10.2.1.1
set transform-set ESP-3DES-SHA  
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 10.2.1.3 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!          
interface FastEthernet0/1
ip address 192.168.0.213 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.1.0 0.0.0.255
no cdp advertise-v2
!
!
!
!
control-plane
!
!
!          
!
!
!
!
!
!
!
line con 0
exec-timeout 35791 0
timeout login response 300
line aux 0
line vty 0 4
exec-timeout 35791 0
timeout login response 300
login local
transport input ssh
line vty 5 15
exec-timeout 35791 0
timeout login response 300
login local
transport input ssh
!
ntp clock-period 17179866
!
end

RR7 RSA:
Key name: RR7.sys.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D5305A 709071D7  
  544B8CD7 ADE9D306 F5E59763 0AEFB0CF 6A3E7482 143806BB C7E04B14 CFD60844  
  5D8D524B 8D6FC6F4 00ECFF14 7F60734D D4FFA4E3 F6CFDAC8 AB020301 0001
% Key pair was generated at: 16:43:26 CST Jan 4 2008
Key name: RR7.sys.com.server
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00ECD432 5C38691A  
  2E3D1696 9A9563FC 65A08D11 CD2BED0C 8A83522A 7D1E8294 4BD3731A 457C6805  
  AE2DFA26 ABB34B10 7191FB75 81BAAB75 60B64F21 0E4E380A 71020301 0001
DEBUG (one ICMP echo, RR5 -> RR7):
RR5:
RR5#ping 10.2.1.3 re 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.2.1.3, timeout is 2 seconds:

Jan  4 09:03:24.653: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.2.1.1, remote= 10.2.1.3,  
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),  
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),  
    lifedur= 3600s and 4608000kb,  
    spi= 0xF8A42403(4171506691), conn_id= 0, keysize= 0, flags= 0x400A
Jan  4 09:03:24.669: ISAKMP: received ke message (1/1)
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan  4 09:03:24.669: ISAKMP: Created a peer struct for 10.2.1.3, peer port 500
Jan  4 09:03:24.669: ISAKMP: New peer created peer = 0x656EF148 peer_handle = 0x80000003
Jan  4 09:03:24.669: ISAKMP: Locking peer struct 0x656EF148, IKE refcount 1 for isakmp_initiator
Jan  4 09:03:24.669: ISAKMP: local port 500, remote port 500
Jan  4 09:03:24.669: ISAKMP: set new node 0 to QM_IDLE      
Jan  4 09:03:24.669: insert sa successfully sa = 65E0B1E0
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.2.1.3!
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan  4 09:03:24.669: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Jan  4 09:03:24.673: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan  4 09:03:24.677: ISAKMP:(0:0:N/A:0): sending packet to 10.2.1.3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan  4 09:03:24.769: ISAKMP (0:0): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_NO_STATE
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Success rate is 0 percent (0/1)
RR5#
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jan  4 09:03:24.777: ISAKMP (0:0): vendor ID is NAT-T v7
Jan  4 09:03:24.777: ISAKMP : Scanning profiles for xauth ...
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jan  4 09:03:24.777: ISAKMP:      encryption 3DES-CBC
Jan  4 09:03:24.777: ISAKMP:      hash SHA
Jan  4 09:03:24.777: ISAKMP:      default group 2
Jan  4 09:03:24.777: ISAKMP:      auth RSA sig
Jan  4 09:03:24.777: ISAKMP:      life type in seconds
Jan  4 09:03:24.777: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80  
Jan  4 09:03:24.777: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jan  4 09:03:24.809: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan  4 09:03:24.809: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jan  4 09:03:24.809: ISAKMP (0:134217729): vendor ID is NAT-T v7
Jan  4 09:03:24.809: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan  4 09:03:24.809: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jan  4 09:03:24.817: ISAKMP (0:134217729): constructing CERT_REQ for issuer cn=sys
Jan  4 09:03:24.821: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan  4 09:03:24.825: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan  4 09:03:24.825: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jan  4 09:03:24.909: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan  4 09:03:24.917: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan  4 09:03:24.921: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jan  4 09:03:24.929: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1):SKEYID state generated
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): processing CERT_REQ payload. message ID = 0
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): peer wants a CT_X509_SIGNATURE cert
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): peer want cert issued by  
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): Choosing trustpoint sys1 as issuer
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): vendor ID is Unity
Jan  4 09:03:24.965: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan  4 09:03:24.969: ISAKMP:(0:1:SW:1): vendor ID is DPD
Jan  4 09:03:24.973: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan  4 09:03:24.977: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Jan  4 09:03:24.977: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan  4 09:03:24.981: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jan  4 09:03:24.981: ISAKMP:(0:1:SW:1):Send initial contact
Jan  4 09:03:24.997: ISAKMP:(0:1:SW:1):My ID configured as IPv4 Addr, but Addr not in Cert!
Jan  4 09:03:25.001: ISAKMP:(0:1:SW:1):Using FQDN as My ID
Jan  4 09:03:25.005: ISAKMP:(0:1:SW:1):SA is doing RSA signature authentication using id type ID_FQDN
Jan  4 09:03:25.005: ISAKMP (0:134217729): ID payload  
        next-payload : 6
        type         : 2  
        FQDN name    : RR5.sys.com  
        protocol     : 17  
        port         : 500  
        length       : 19
Jan  4 09:03:25.013: ISAKMP:(0:1:SW:1):Total payload length: 19
Jan  4 09:03:25.025: ISAKMP (0:134217729): constructing CERT payload for hostname=RR5.sys.com
Jan  4 09:03:25.025: ISAKMP:(0:1:SW:1): using the sys1 trustpoint's keypair to sign
Jan  4 09:03:25.121: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan  4 09:03:25.121: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan  4 09:03:25.125: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jan  4 09:03:25.193: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan  4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan  4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan  4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan  4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan  4 09:03:25.197: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 10.2.1.3 to 10.2.1.1.
Jan  4 09:03:54.653: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.2.1.1, remote= 10.2.1.3,  
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),  
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
Jan  4 09:03:54.661: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.2.1.1, remote= 10.2.1.3,  
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),  
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),  
    lifedur= 3600s and 4608000kb,  
    spi= 0x27F80664(670565988), conn_id= 0, keysize= 0, flags= 0x400A
Jan  4 09:03:54.669: ISAKMP: received ke message (1/1)
Jan  4 09:03:54.669: ISAKMP: set new node 0 to QM_IDLE      
Jan  4 09:03:54.669: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 10.2.1.1, remote 10.2.1.3)
Jan  4 09:04:24.661: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.2.1.1, remote= 10.2.1.3,  
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),  
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
Jan  4 09:04:24.673: ISAKMP: received ke message (3/1)
Jan  4 09:04:24.673: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

Jan  4 09:04:24.677: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.2.1.3)
Jan  4 09:04:24.685: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.2.1.3)  
Jan  4 09:04:24.685: ISAKMP: Unlocking IKE struct 0x656EF148 for isadb_mark_sa_deleted(), count 0
Jan  4 09:04:24.685: ISAKMP: Deleting peer node by peer_reap for 10.2.1.3: 656EF148
Jan  4 09:04:24.685: ISAKMP:(0:1:SW:1):deleting node -1691002163 error FALSE reason "IKE deleted"
Jan  4 09:04:24.685: ISAKMP:(0:1:SW:1):deleting node -1683647828 error FALSE reason "IKE deleted"
Jan  4 09:04:24.685: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan  4 09:04:24.685: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Jan  4 09:04:24.685: IPSEC(key_engine): got a queue event with 1 kei messages


RR7:
.Jan  4 09:03:24.687: ISAKMP (0:0): received packet from 10.2.1.1 dport 500 sport 500 Global (N) NEW SA
.Jan  4 09:03:24.691: ISAKMP: Created a peer struct for 10.2.1.1, peer port 500
.Jan  4 09:03:24.695: ISAKMP: New peer created peer = 0x64E84168 peer_handle = 0x80000003
.Jan  4 09:03:24.695: ISAKMP: Locking peer struct 0x64E84168, IKE refcount 1 for crypto_isakmp_process_block
.Jan  4 09:03:24.695: ISAKMP: local port 500, remote port 500
.Jan  4 09:03:24.695: insert sa successfully sa = 64E82B2C
.Jan  4 09:03:24.695: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan  4 09:03:24.699: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

.Jan  4 09:03:24.707: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
.Jan  4 09:03:24.707: ISAKMP:(0:0:N/A:0): processing vendor id payload
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
.Jan  4 09:03:24.711: ISAKMP (0:0): vendor ID is NAT-T v7
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): processing vendor id payload
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): processing vendor id payload
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
.Jan  4 09:03:24.711: ISAKMP : Scanning profiles for xauth ...
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
.Jan  4 09:03:24.711: ISAKMP:      encryption 3DES-CBC
.Jan  4 09:03:24.711: ISAKMP:      hash SHA
.Jan  4 09:03:24.711: ISAKMP:      default group 2
.Jan  4 09:03:24.711: ISAKMP:      auth RSA sig
.Jan  4 09:03:24.711: ISAKMP:      life type in seconds
.Jan  4 09:03:24.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80  
.Jan  4 09:03:24.711: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
.Jan  4 09:03:24.743: ISAKMP (0:134217729): vendor ID is NAT-T v7
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Jan  4 09:03:24.743: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

.Jan  4 09:03:24.747: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
.Jan  4 09:03:24.751: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
.Jan  4 09:03:24.755: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Jan  4 09:03:24.759: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

.Jan  4 09:03:24.815: ISAKMP (0:134217729): received packet from 10.2.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
.Jan  4 09:03:24.819: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan  4 09:03:24.819: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3

.Jan  4 09:03:24.819: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
.Jan  4 09:03:24.867: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
.Jan  4 09:03:24.867: ISAKMP:(0:1:SW:1):SKEYID state generated
.Jan  4 09:03:24.867: ISAKMP:(0:1:SW:1): processing CERT_REQ payload. message ID = 0
.Jan  4 09:03:24.867: ISAKMP:(0:1:SW:1): peer wants a CT_X509_SIGNATURE cert
.Jan  4 09:03:24.867: ISAKMP:(0:1:SW:1): peer want cert issued by  
.Jan  4 09:03:24.871: ISAKMP:(0:1:SW:1): Choosing trustpoint sys1 as issuer
.Jan  4 09:03:24.875: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan  4 09:03:24.879: ISAKMP:(0:1:SW:1): vendor ID is Unity
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1): vendor ID is DPD
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1): speaking to another IOS box!
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3

.Jan  4 09:03:24.883: ISAKMP (0:134217729): constructing CERT_REQ for issuer cn=sys
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

.Jan  4 09:03:25.127: ISAKMP (0:134217729): received packet from 10.2.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
.Jan  4 09:03:25.135: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan  4 09:03:25.139: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

.Jan  4 09:03:25.147: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
.Jan  4 09:03:25.147: ISAKMP (0:134217729): ID payload  
        next-payload : 6
        type         : 2  
        FQDN name    : RR5.sys.com  
        protocol     : 17  
        port         : 500  
        length       : 19
.Jan  4 09:03:25.147: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
.Jan  4 09:03:25.147: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
.Jan  4 09:03:25.147: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
.Jan  4 09:03:25.147: ISAKMP:(0:1:SW:1): peer's pubkey isn't cached
.Jan  4 09:03:25.179: CRYPTO_PKI: Poll CRL - unrecognized URI in FULLNAME URI
.Jan  4 09:03:25.179: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.2.1.1        is bad: certificate invalid
.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4

.Jan  4 09:04:39.695: ISAKMP: quick mode timer expired.
.Jan  4 09:04:39.699: ISAKMP:(0:1:SW:1):src 10.2.1.1 dst 10.2.1.3, SA is not authenticated
.Jan  4 09:04:39.699: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

.Jan  4 09:04:39.703: ISAKMP:(0:1:SW:1):deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 10.2.1.1)
.Jan  4 09:04:39.711: ISAKMP:(0:1:SW:1):deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 10.2.1.1)  
.Jan  4 09:04:39.711: ISAKMP: Unlocking IKE struct 0x64E84168 for isadb_mark_sa_deleted(), count 0
.Jan  4 09:04:39.711: ISAKMP: Deleting peer node by peer_reap for 10.2.1.1: 64E84168
.Jan  4 09:04:39.711: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Jan  4 09:04:39.711: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_DEST_SA

.Jan  4 09:04:39.711: IPSEC(key_engine): got a queue event with 1 kei messages

The cause is still unknown, but what is certain is that the exchange fails halfway through the key exchange.
I asked on many forums without result, so I am posting it here to come back to later.
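In the RR7 debug above, the certificate from 10.2.1.1 is reported invalid immediately after "CRYPTO_PKI: Poll CRL - unrecognized URI in FULLNAME URI", and the responder drops from IKE_R_MM5 back to IKE_R_MM4 on IKE_PROCESS_ERROR; both trustpoints are configured with `revocation-check crl`, under which a CRL that cannot be retrieved makes the peer certificate fail validation. The following Python triage script is an added example (not from the original post and not Cisco code): it parses debug lines in the format shown above and reports the furthest main-mode state reached, any step backwards with the event that caused it, and the PKI errors and SA delete reason; its sample input is constructed from the RR7 debug above.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' / 'debug crypto pki' output.
Added example for this post (not Cisco code): tracks IKE main-mode state
transitions and surfaces the PKI error that precedes a phase 1 failure."""
import re
from typing import Any, Dict, Optional

# Constructed sample: lines in the same form as the RR7 debug in the post,
# cut down to the transitions and errors that matter for triage.
SAMPLE_RR7 = """\
.Jan  4 09:03:24.695: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan  4 09:03:24.699: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1
.Jan  4 09:03:24.759: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2
.Jan  4 09:03:24.819: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3
.Jan  4 09:03:24.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4
.Jan  4 09:03:25.139: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5
.Jan  4 09:03:25.179: CRYPTO_PKI: Poll CRL - unrecognized URI in FULLNAME URI
.Jan  4 09:03:25.179: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.2.1.1        is bad: certificate invalid
.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
.Jan  4 09:03:25.179: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4
.Jan  4 09:04:39.703: ISAKMP:(0:1:SW:1):deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 10.2.1.1)
.Jan  4 09:04:39.711: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_DEST_SA
"""

# Timestamped line (the leading '.' means the clock is not NTP-synchronised).
LINE_RE = re.compile(r"^\.?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
INPUT_RE = re.compile(r"Input = (?P<src>\S+), (?P<event>\S+)")
CRL_RE = re.compile(r"CRYPTO_PKI: Poll CRL - (?P<why>.+)")
INVAL_RE = re.compile(r"%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (?P<peer>\S+)\s+is bad: (?P<why>.+)")
DELETE_RE = re.compile(r'deleting SA reason "(?P<why>[^"]+)"')
MM_RE = re.compile(r"^IKE_(?P<role>[IR])_MM(?P<n>\d)$")


def mm_rank(state: str) -> int:
    """Order main-mode states so progress and regressions can be compared:
    IKE_READY is 0, IKE_{I,R}_MMn is n, IKE_P1_COMPLETE is 7, anything else -1."""
    if state == "IKE_READY":
        return 0
    if state == "IKE_P1_COMPLETE":
        return 7
    m = MM_RE.match(state)
    return int(m.group("n")) if m else -1


def triage(debug_text: str) -> Dict[str, Any]:
    """Walk the debug lines once and collect the facts that explain a failure."""
    result: Dict[str, Any] = {
        "transitions": [],     # (timestamp, old_state, new_state)
        "furthest_state": "IKE_READY",
        "regressions": [],     # (timestamp, old_state, new_state, last_input_event)
        "crl_errors": [],      # text after 'Poll CRL - '
        "invalid_certs": [],   # (peer, reason)
        "delete_reasons": [],  # quoted reason from 'deleting SA reason'
    }
    best_rank = 0
    last_input: Optional[str] = None
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # payload dumps and blank lines carry no timestamp
        ts, msg = m.group("ts"), m.group("msg")
        if im := INPUT_RE.search(msg):
            last_input = im.group("event")  # remembered for the next transition
        elif sm := STATE_RE.search(msg):
            old, new = sm.group("old"), sm.group("new")
            result["transitions"].append((ts, old, new))
            if mm_rank(new) > best_rank:
                best_rank, result["furthest_state"] = mm_rank(new), new
            if 0 <= mm_rank(new) < mm_rank(old):  # fell back a step: an error path
                result["regressions"].append((ts, old, new, last_input))
        elif cm := CRL_RE.search(msg):
            result["crl_errors"].append(cm.group("why").strip())
        elif vm := INVAL_RE.search(msg):
            result["invalid_certs"].append((vm.group("peer"), vm.group("why").strip()))
        elif dm := DELETE_RE.search(msg):
            result["delete_reasons"].append(dm.group("why"))
    return result


def summarize(result: Dict[str, Any]) -> str:
    """Short human-readable reading of a triage result."""
    lines = [f"furthest main-mode state: {result['furthest_state']}"]
    for ts, old, new, event in result["regressions"]:
        lines.append(f"{ts}: fell back {old} -> {new} after {event}")
    for why in result["crl_errors"]:
        lines.append(f"CRL poll failed: {why}")
    for peer, why in result["invalid_certs"]:
        lines.append(f"certificate from {peer} rejected: {why}")
    for why in result["delete_reasons"]:
        lines.append(f"SA deleted: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_RR7)))
```

Run it against a full `debug crypto isakmp` capture from either side; the initiator side (RR5) shows no PKI error of its own, only the phase 1 delete it receives from the peer, which is why the responder's log is the one to read.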

Reposted from: https://blog.51cto.com/netwalk/66970
