问

IPSEC VPN建立不成功

IPSec VPN

2022-01-20提问

1关注
2收藏，1790浏览

zhiliao_Syjhb

zhiliao_Syjhb 二段

粉丝：0人关注：0人

问题描述：

F1000-C8150的防火墙和对端建IPSEC VPN，两边都是固定IP的，一直建立不起来，打开DEBUG信息，发现一直只有出去的加密数据，收不到inbound方向的解密数据，是不是对端没有问应，导致IPSEC VPN建立不起来

组网及组网描述：

附件下载： FW对接不成功配置2022.1.20.txt

最佳答案

远行的人

远行的人九段

粉丝：45人关注：5人

（1）IPSEC的建立第一步首先是公网能通；

（2）然后两边的配置需要高度的镜像。

看你的配置没啥问题，公网通了以后，debug ike all renote 139.159.222.86，对端出发我们一下，看看这个信息。

4 个回答

按时间按赞数

哎哟_脚滑

哎哟_脚滑八段

粉丝：5人关注：1人

有可能，协商是两端的事情，需要对端也看下

vlan划分50一次

vlan划分50一次九段

粉丝：22人关注：11人

估计对端没有回

叫我靓仔

叫我靓仔九段

粉丝：150人关注：1人

参考官网IPSEC排错点穴神功

http://www.h3c.com/cn/d_201411/921533_30005_0.htm

zhiliao_Syjhb

zhiliao_Syjhb 二段

粉丝：0人关注：0人

对端公网iP139.159.222.86是通的，下面是debug ike all renote 139.159.222.86内容和IKE SA、IPSEC SA两个阶段都有

<FW>debug ike all remote-address 139.159.222.86
This command is CPU intensive and might affect ongoing services. Are you sure you want to continue? [Y/N]:y
<FW>t d
The current terminal is enabled to display debugging logs.
<FW>t m
The current terminal is enabled to display logs.
<FW>sys
System View: return to User View with Ctrl+Z.
[FW]in en
Information center is enabled.
[FW]
[FW]
[FW]*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
--- Sent IPsec packet, pkt len : 60 ---
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Attent to match Mqc(0), ifIndex is 3, digest is 0, no result.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Attent to match Mqc(1), ifIndex is 3, digest is 0, no result.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Last dest lip is NULL.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Alloc IPsec cache: Global fs seq : 38, Private index : 0, Private seq : 5.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Add ip fastforward cache : ulDirtection = 2, ifIndexOut = 4
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Added IP fast forwarding entry.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 1.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Start to fill reply cache key, SrcAddr : 121.15.132.153, DstAddr : 139.159.222.86, SPI :189012751, SrcPort : 2884, DstPort : 6927.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Fill output IPsec packet reply cache key.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Find another sa, spi : 0x811eab44, SrcPort : 33054, DstPort : 43844.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 2.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 3.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:34:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:56:34:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 6f189c47
length: 92
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:56:34:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:34:900 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213461 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 472bf303
length: 92
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:56:34:901 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 4.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b7834f1b
length: 92
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:56:52:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:52:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213462 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 1e58e5e
length: 92
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:56:52:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 95c79343
length: 92
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:57:01:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:57:01:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213463 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: c441337c
length: 92
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:57:01:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b5f74967
length: 92
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:57:10:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:57:10:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213464 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 8161d5e3
length: 92
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:57:10:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

Sent data to socket successfully.

[FW]dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
5 139.159.222.86 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[FW] dis ips sa
^
% Unrecognized command found at '^' position.
[FW] dis ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/3
-------------------------------

-----------------------------
IPsec policy: policy
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group5
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 121.15.132.153
remote address: 139.159.222.86
Flow:
sour addr: 192.168.76.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.34.24.0/255.255.248.0 port: 0 protocol: ip

[Inbound ESP SAs]
SPI: 2166270788 (0x811eab44)
Connection ID: 73014444032
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA idle time: 3600
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/1394
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active

[Outbound ESP SAs]
SPI: 189012751 (0x0b441b0f)
Connection ID: 73014444033
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA idle time: 3600
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/1394
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N

Status: ActiveZ.
[FW]in en
Information center is enabled.
[FW]
[FW]
[FW]*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
--- Sent IPsec packet, pkt len : 60 ---
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Attent to match Mqc(0), ifIndex is 3, digest is 0, no result.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Attent to match Mqc(1), ifIndex is 3, digest is 0, no result.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Last dest lip is NULL.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Alloc IPsec cache: Global fs seq : 38, Private index : 0, Private seq : 5.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Add ip fastforward cache : ulDirtection = 2, ifIndexOut = 4
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Added IP fast forwarding entry.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 1.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Start to fill reply cache key, SrcAddr : 121.15.132.153, DstAddr : 139.159.222.86, SPI :189012751, SrcPort : 2884, DstPort : 6927.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Fill output IPsec packet reply cache key.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Find another sa, spi : 0x811eab44, SrcPort : 33054, DstPort : 43844.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 2.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 3.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:34:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:56:34:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 6f189c47
length: 92
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:56:34:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:34:900 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213461 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 472bf303
length: 92
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:56:34:901 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 4.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b7834f1b
length: 92
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:56:52:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:52:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213462 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 1e58e5e
length: 92
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:56:52:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 95c79343
length: 92
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:57:01:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:57:01:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213463 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: c441337c
length: 92
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:57:01:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b5f74967
length: 92
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:57:10:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:57:10:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213464 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 8161d5e3
length: 92
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:57:10:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

Sent data to socket successfully.

两阶段的都有的话，就不是ipsec的问题了。对端触发一下我们，我们这边看内层的会话，看看收到没有，没收到那就是对端问题，收到的话，看我们的内端有没有回ping，再看看ipsec的计数。这个过程其实很好排查，但是打字数不清楚，建议400

远行的人发表时间：2022-01-20

编辑答案

分享扩散:

➤

网站相关: 关于我们; 服务条款; 帮助中心; 经验与权限; 积分规则

联系我们: 联系我们; 建议反馈

常用链接: 知了APP下载; 标杆的神器下载

关注我们: H3C官网; 新华三服务公众号; 安仔远程运维服务; 新华三商城

内容许可: 除特别说明外，用户内容均可采用知识共享署名-相同方式共享3.0中国大陆许可协议进行许可

本图标版权归新华三集团所有，仅限本社区使用，切勿用做商业目的，违者必究

浙ICP备09064986号-1 浙公网安备 33010802004416号

✖

亲~登录后才可以操作哦!

确定

✖

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

✖

你的邮箱还未认证，请认证邮箱或绑定手机后进行当前操作

✖

侵犯我的权益 >

对根叔社区有害的内容 >

辱骂、歧视、挑衅等（不友善）

侵犯我的权益

泄露了我的隐私 >

侵犯了我企业的权益 >

抄袭了我的内容 >

诽谤我 >

辱骂、歧视、挑衅等（不友善）

骚扰我

泄露了我的隐私

您好，当您发现根叔知了上有泄漏您隐私的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您认为哪些内容泄露了您的隐私？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

侵犯了我企业的权益

您好，当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱，我们会在审核后尽快给您答复。

1. 您举报的内容是什么？（请在邮件中列出您举报的内容和链接地址）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）
3. 是哪家企业？（营业执照，单位登记证明等证件）
4. 您与该企业的关系是？（您是企业法人或被授权人，需提供企业委托授权书）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

原文链接或出处

诽谤我

您好，当您发现根叔知了上有诽谤您的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您举报的内容以及侵犯了您什么权益？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

垃圾广告信息

色情、暴力、血腥等违反法律法规的内容

政治敏感

不规范转载 >

辱骂、歧视、挑衅等（不友善）

骚扰我

诱导投票

不规范转载

举报说明

产品线		搜索取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式	默认策略匹配全词匹配整句

IPSEC VPN建立不成功

问题描述：

组网及组网描述：

编辑答案

提出建议