
IPSEC VPN fails to establish

Asked 2022-01-20

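Problem description:

An F1000-C8150 firewall is building an IPsec VPN with a peer. Both sides have fixed IPs, but the tunnel never comes up. With debugging turned on, I only ever see outbound encrypted data and never receive any data to decrypt in the inbound direction. Is the peer not responding, and is that why the IPsec VPN cannot be established?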


Best answer


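(1) The first step in establishing IPsec is that the public network must be reachable;

(2) Then the configurations on both sides need to closely mirror each other.

Your configuration looks fine. Once the public network is reachable, run debug ike all remote 139.159.222.86, have the peer trigger traffic toward us, and look at that output.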

4 answers

Possibly. Negotiation involves both ends, so the peer side needs to be checked as well.


The peer probably did not reply.


See the IPsec troubleshooting guide "IPSEC排错点穴神功" on the official website:

http://www.h3c.com/cn/d_201411/921533_30005_0.htm




The peer's public IP 139.159.222.86 is reachable. Below is the output of debug ike all remote 139.159.222.86; both phases, IKE SA and IPsec SA, are present.

<FW>debug ike all remote-address 139.159.222.86
This command is CPU intensive and might affect ongoing services. Are you sure you want to continue? [Y/N]:y
<FW>t d
The current terminal is enabled to display debugging logs.
<FW>t m
The current terminal is enabled to display logs.
<FW>sys
System View: return to User View with Ctrl+Z.
[FW]in en
Information center is enabled.
[FW]
[FW]
[FW]*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
--- Sent IPsec packet, pkt len : 60 ---
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Attent to match Mqc(0), ifIndex is 3, digest is 0, no result.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Attent to match Mqc(1), ifIndex is 3, digest is 0, no result.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Last dest lip is NULL.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Alloc IPsec cache: Global fs seq : 38, Private index : 0, Private seq : 5.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Add ip fastforward cache : ulDirtection = 2, ifIndexOut = 4
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Added IP fast forwarding entry.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 1.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Start to fill reply cache key, SrcAddr : 121.15.132.153, DstAddr : 139.159.222.86, SPI :189012751, SrcPort : 2884, DstPort : 6927.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Fill output IPsec packet reply cache key.
*Jan 20 12:56:13:557 2022 FW IPSEC/7/EVENT:
Find another sa, spi : 0x811eab44, SrcPort : 33054, DstPort : 43844.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 2.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 3.
*Jan 20 12:56:23:319 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:34:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:56:34:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 6f189c47
length: 92
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:56:34:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:34:900 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213461 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 472bf303
length: 92
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:56:34:901 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
FS Check : fs sequence num in IPsec fast cache is 38, current fs sequence num is 38
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
FS Check : No Change. Tunnel index = 0, Tunnel seq = 5.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
--- Sent packet by IPsec fast forwarding ---
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: src IP = 192.168.76.1, dst IP = 10.34.26.39, SPI = 189012751.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: AES-CBC-128.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 4.
*Jan 20 12:56:42:891 2022 FW IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b7834f1b
length: 92
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:56:52:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:56:52:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:52:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213462 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 1e58e5e
length: 92
*Jan 20 12:56:52:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:56:52:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 95c79343
length: 92
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:57:01:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:57:01:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:57:01:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213463 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: c441337c
length: 92
*Jan 20 12:57:01:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:57:01:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sent data to socket successfully.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received packet from 139.159.222.86 source port 500 destination port 500.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b5f74967
length: 92
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Decrypt the packet.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Hash Payload.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Received ISAKMP Notification Payload.
*Jan 20 12:57:10:899 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Parse informational exchange packet successfully.
*Jan 20 12:57:10:899 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:57:10:899 2022 FW IKE/7/DPD: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
DPD packet with sequence number 566213464 is received, COOKIEs(i/r) aa48ab8ffa1876b8/6bbaf0edf8b1830e.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Encrypt the packet.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending packet to 139.159.222.86 remote port 500, local port 500.
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

I-COOKIE: aa48ab8ffa1876b8
R-COOKIE: 6bbaf0edf8b1830e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 8161d5e3
length: 92
*Jan 20 12:57:10:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Sending an IPv4 packet.
*Jan 20 12:57:10:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500

Sent data to socket successfully.



[FW]dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
5 139.159.222.86 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[FW] dis ips sa
^
% Unrecognized command found at '^' position.
[FW] dis ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/3
-------------------------------

-----------------------------
IPsec policy: policy
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group5
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: 121.15.132.153
remote address: 139.159.222.86
Flow:
sour addr: 192.168.76.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.34.24.0/255.255.248.0 port: 0 protocol: ip

[Inbound ESP SAs]
SPI: 2166270788 (0x811eab44)
Connection ID: 73014444032
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA idle time: 3600
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/1394
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active

[Outbound ESP SAs]
SPI: 189012751 (0x0b441b0f)
Connection ID: 73014444033
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA idle time: 3600
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/1394
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N

Status: Active

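If both phases are present, then it is not an IPsec problem. Have the peer trigger traffic toward us, and on our side look at the inner-layer session to see whether it arrived. If it did not arrive, the problem is on the peer side; if it did, check whether our internal host replied to the ping, and then look at the IPsec counters. This is actually easy to troubleshoot, but hard to explain clearly by typing; I suggest calling the 400 hotline.

远行的人, posted 2022-01-20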
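The check discussed in this thread, as an added example (not part of the original posts and not H3C tooling): a Python script that reads `display ike sa`, `display ipsec sa` and debug output in the format posted above and classifies the tunnel state from the SA flags, DPD exchange and sequence counters. The function names and verdict strings are hypothetical; the sample is abridged from the poster's output.

```python
import re

# Abridged from the debug/display output posted above (same values, fewer lines).
SAMPLE = """\
*Jan 20 12:56:13:557 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 1.
*Jan 20 12:56:18:317 2022 FW IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 2.
*Jan 20 12:56:34:900 2022 FW IKE/7/EVENT: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Notification R_U_THERE is received.
*Jan 20 12:56:34:900 2022 FW IKE/7/PACKET: vrf = 0, local = 121.15.132.153, remote = 139.159.222.86/500
Construct notification packet: R_U_THERE_ACK.
[FW]dis ike sa
    5    139.159.222.86    RD    IPsec
[FW] dis ipsec sa
  [Inbound ESP SAs]
    SPI: 2166270788 (0x811eab44)
    Max received sequence-number: 0
    Status: Active
  [Outbound ESP SAs]
    SPI: 189012751 (0x0b441b0f)
    Max sent sequence-number: 4
    Status: Active
"""

IKE_SA_ROW = re.compile(
    r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+IPsec\s*$", re.M)
SA_HEADER = re.compile(r"\[(Inbound|Outbound) ESP SAs\]")
SA_FIELDS = {
    "spi": re.compile(r"SPI: (\d+)"),
    "max_seq": re.compile(r"Max (?:received|sent) sequence-number: (\d+)"),
    "status": re.compile(r"Status: (\w+)"),
}
OUT_SN = re.compile(r"Encryption succeeded, anti-replay SN is (\d+)")


def ready_ike_peers(text):
    """Peers whose IKE SA row carries the RD (READY) flag."""
    return [peer for peer, flags in IKE_SA_ROW.findall(text)
            if "RD" in flags.split("|")]


def parse_ipsec_sa(text):
    """Collect SPI, sequence counter and status per direction (one tunnel assumed)."""
    sas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SA_HEADER.match(line)
        if header:
            current = sas.setdefault(header.group(1).lower(), {})
            continue
        if current is None:
            continue  # debug lines before the SA listing are not SA fields
        for name, pattern in SA_FIELDS.items():
            m = pattern.match(line)
            if m:
                current[name] = m.group(1) if name == "status" else int(m.group(1))
    return sas


def diagnose(text):
    """Classify the tunnel from control-plane state and ESP sequence counters."""
    sas = parse_ipsec_sa(text)
    inbound, outbound = sas.get("inbound", {}), sas.get("outbound", {})
    debug_sns = [int(n) for n in OUT_SN.findall(text)]
    sent = max([outbound.get("max_seq", 0)] + debug_sns)
    received = inbound.get("max_seq", 0)
    report = {
        "ike_peers": ready_ike_peers(text),
        # DPD request seen and answered: the IKE channel (UDP 500) works both ways.
        "dpd_alive": "R_U_THERE is received" in text and "R_U_THERE_ACK" in text,
        "sent": sent,
        "received": received,
    }
    if not report["ike_peers"]:
        verdict = "ike-sa-not-ready"       # phase 1 has not completed
    elif inbound.get("status") != "Active" or outbound.get("status") != "Active":
        verdict = "ipsec-sa-not-active"    # phase 2 has not completed
    elif sent and not received:
        # Both phases are up and we encrypt, but no ESP packet has been accepted
        # on the inbound SA. With NAT traversal off, ESP is IP protocol 50, so a
        # working UDP 500 exchange does not show that ESP gets through.
        verdict = "one-way-outbound"
    elif received and not sent:
        verdict = "one-way-inbound"
    elif not sent and not received:
        verdict = "idle"
    else:
        verdict = "bidirectional"
    report["verdict"] = verdict
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On this sample the verdict is `one-way-outbound`: negotiation succeeded on both phases, so the next place to look is whether the peer sends ESP back and whether it arrives, as the replies above suggest.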
