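Phase 2 between headquarters and the branch won't come up. How do I read the debugging output to tell whether something is wrong? Where can I get the debugging information translated so I can see exactly what it means? We are using main mode, 3DES, MD5, DH1.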
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:341 2023 H3C IKE/7/DEBUG: received message:
*Dec 22 15:28:43:392 2023 H3C IKE/7/DEBUG: ICOOKIE: 0x1d8da5014431721e
*Dec 22 15:28:43:392 2023 H3C IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Dec 22 15:28:43:492 2023 H3C IKE/7/DEBUG: NEXT_PAYLOAD: SA
*Dec 22 15:28:43:592 2023 H3C IKE/7/DEBUG: VERSION: 16
*Dec 22 15:28:43:642 2023 H3C IKE/7/DEBUG: EXCH_TYPE: MAIN
*Dec 22 15:28:43:743 2023 H3C IKE/7/DEBUG: FLAGS: [ ]
*Dec 22 15:28:43:843 2023 H3C IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Dec 22 15:28:43:893 2023 H3C IKE/7/DEBUG: LENGTH: 284
*Dec 22 15:28:43:993 2023 H3C IKE/7/DEBUG: exchange lookup all list from COOKIE: iCOOKIE 1d8da5014431721e
*Dec 22 15:28:44:044 2023 H3C IKE/7/DEBUG: parse payloads: payload SA
*Dec 22 15:28:44:144 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:194 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:244 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
%Dec 22 15:28:44:344 2023 H3C IKE/4/IKE_PACKET_DROPPED: -Src addr=*.*.*.*-Dst addr=*.*.*.*-I_COOKIE=d9b4c92fa1613e71-R_COOKIE=0000000000000000-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
*Dec 22 15:28:44:395 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:445 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:495 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:646 2023 H3C IKE/7/DEBUG: validate payload SA
*Dec 22 15:28:44:696 2023 H3C IKE/7/DEBUG: DOI: 1
*Dec 22 15:28:44:796 2023 H3C IKE/7/DEBUG: unsupported Vendor ID(HEX):
*Dec 22 15:28:44:846 2023 H3C IKE/7/DEBUG: 4f454578 616c467b 5f6f606d 0d000014
*Dec 22 15:28:44:946 2023 H3C IKE/7/DEBUG: receive DPD Protocol Vendor ID
*Dec 22 15:28:45:147 2023 H3C IKE/7/DEBUG: receive rfc3947 Protocol Vendor ID
*Dec 22 15:28:45:247 2023 H3C IKE/7/DEBUG: receive draft-ietf-ipsec-nat-t-ike-03 Protocol Vendor ID
*Dec 22 15:28:45:297 2023 H3C IKE/7/DEBUG: unsupported Vendor ID(HEX):
*Dec 22 15:28:45:397 2023 H3C IKE/7/DEBUG: cd604643 35df21f8 7cfdb2fc 68b6a448
*Dec 22 15:28:45:447 2023 H3C IKE/7/DEBUG: receive draft-ietf-ipsec-nat-t-ike-01 Protocol Vendor ID
*Dec 22 15:28:45:498 2023 H3C IKE/7/DEBUG: Find IKE peer by address.
IfIndex:0x00100005.
local addr:*.*.*.*, remote addr:*.*.*.*.
*Dec 22 15:28:45:598 2023 H3C IKE/7/DEBUG: P1 responder exchange setup Main mode: IKE peer name:1
*Dec 22 15:28:45:698 2023 H3C IKE/7/DEBUG: P1 responder exchange setup: Connection name is *.*.*.*,*.*.*.*,500,,0,0,0
*Dec 22 15:28:45:748 2023 H3C IKE/7/DEBUG: exchange setup(R): 9ee2c00
*Dec 22 15:28:45:849 2023 H3C IKE/7/DEBUG: parse payloads: payload PROPOSAL
*Dec 22 15:28:45:949 2023 H3C IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Dec 22 15:28:46:049 2023 H3C IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Dec 22 15:28:46:099 2023 H3C IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Dec 22 15:28:46:250 2023 H3C IKE/7/DEBUG: validate payload PROPOSAL
*Dec 22 15:28:46:400 2023 H3C IKE/7/DEBUG: NO: 0
*Dec 22 15:28:46:500 2023 H3C IKE/7/DEBUG: PROTO: ISAKMP
*Dec 22 15:28:46:600 2023 H3C IKE/7/DEBUG: SPI_SZ: 0
*Dec 22 15:28:46:701 2023 H3C IKE/7/DEBUG: NTRANSFORMS: 3
*Dec 22 15:28:46:751 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:46:851 2023 H3C IKE/7/DEBUG: NO: 0
*Dec 22 15:28:46:951 2023 H3C IKE/7/DEBUG: ID: 1
*Dec 22 15:28:47:001 2023 H3C IKE/7/DEBUG: Transform 0's attributes
*Dec 22 15:28:47:102 2023 H3C IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Dec 22 15:28:47:152 2023 H3C IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Dec 22 15:28:47:202 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:47:252 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:47:352 2023 H3C IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Dec 22 15:28:47:403 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1536
*Dec 22 15:28:47:453 2023 H3C IKE/7/DEBUG: Attribute KEY_LENGTH : AES_CBC_128
*Dec 22 15:28:47:503 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:47:603 2023 H3C IKE/7/DEBUG: NO: 1
*Dec 22 15:28:47:654 2023 H3C IKE/7/DEBUG: ID: 1o
*Dec 22 15:28:47:854 2023 H3C IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Dec 22 15:28:47:904 2023 H3C IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Dec 22 15:28:48:006 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:48:106 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:48:207 2023 H3C IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Dec 22 15:28:48:257 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1024
*Dec 22 15:28:48:307 2023 H3C IKE/7/DEBUG: Attribute KEY_LENGTH : AES_CBC_128
*Dec 22 15:28:48:357 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:48:357 2023 H3C IKE/7/DEBUG: NO: 2
*Dec 22 15:28:48:458 2023 H3C IKE/7/DEBUG: ID: 1
*Dec 22 15:28:48:508 2023 H3C IKE/7/DEBUG: Transform 2's attributes
*Dec 22 15:28:48:608 2023 H3C IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Dec 22 15:28:48:708 2023 H3C IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Dec 22 15:28:48:809 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:48:909 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:48:959 2023 H3C IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Dec 22 15:28:49:059 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_768
*Dec 22 15:28:49:110 2023 H3C IKE/7/DEBUG: Attribute KEY_LENGTH : AES_CBC_128
*Dec 22 15:28:49:160 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:210 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:310 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:411 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:461 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:561 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:662 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:762 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:813 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:914 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:964 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:50:014 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:50:115 2023 H3C IKE/7/DEBUG: exchange check: checking for required SA
*Dec 22 15:28:50:165 2023 H3C IKE/7/DEBUG: negotiate sa: transform 0 proto 1 proposal 0 compatible
*Dec 22 15:28:50:215 2023 H3C IKE/7/DEBUG: negotiate sa: proposal 0 failed
*Dec 22 15:28:50:315 2023 H3C IKE/7/DEBUG: negotiate sa: transform 1 proto 1 proposal 0 compatible
*Dec 22 15:28:50:366 2023 H3C IKE/7/DEBUG: negotiate sa: proposal 0 failed
*Dec 22 15:28:50:416 2023 H3C IKE/7/DEBUG: negotiate sa: transform 2 proto 1 proposal 0 compatible
*Dec 22 15:28:50:516 2023 H3C IKE/7/DEBUG: negotiate sa: proposal 0 failed
*Dec 22 15:28:50:566 2023 H3C IKE/7/DEBUG: dropped message from *.*.*.* due to notification type NO_PROPOSAL_CHOSEN
*Dec 22 15:28:50:616 2023 H3C IKE/7/DEBUG: exchange setup(I): 9ee4140
*Dec 22 15:28:50:717 2023 H3C IKE/7/DEBUG: add payload to message: NOTIFY
*Dec 22 15:28:50:817 2023 H3C IKE/7/DEBUG: DOI: IPSEC
*Dec 22 15:28:50:918 2023 H3C IKE/7/DEBUG: PROTO: ISAKMP
*Dec 22 15:28:51:018 2023 H3C IKE/7/DEBUG: SPI_SZ: 0
*Dec 22 15:28:51:068 2023 H3C IKE/7/DEBUG: MSG_TYPE: NO_PROPOSAL_CHOSEN
*Dec 22 15:28:51:169 2023 H3C IKE/7/DEBUG: exchange check: checking for required INFO
*Dec 22 15:28:51:269 2023 H3C IKE/7/DEBUG: send message:
*Dec 22 15:28:51:419 2023 H3C IKE/7/DEBUG: ICOOKIE: 0x1d8da5014431721e
*Dec 22 15:28:51:469 2023 H3C IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Dec 22 15:28:51:569 2023 H3C IKE/7/DEBUG: NEXT_PAYLOAD: NOTIFY
*Dec 22 15:28:51:620 2023 H3C IKE/7/DEBUG: VERSION: 16
*Dec 22 15:28:51:670 2023 H3C IKE/7/DEBUG: EXCH_TYPE: INFO
*Dec 22 15:28:51:720 2023 H3C IKE/7/DEBUG: FLAGS: [ ]
*Dec 22 15:28:51:820 2023 H3C IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Dec 22 15:28:51:921 2023 H3C IKE/7/DEBUG: LENGTH: 44
*Dec 22 15:28:51:971 2023 H3C IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Dec 22 15:28:52:021 2023 H3C IKE/7/DEBUG: exchange state machine: Failed to handle received message.
*Dec 22 15:28:52:121 2023 H3C IKE/7/DEBUG: exchange release: freeing exchange 9ee2c00
*Dec 22 15:28:52:171 2023 H3C IPSEC/7/DBG:
%Dec 22 15:28:53:877 2023 H3C IKE/4/IKE_PACKET_DROPPED: -Src addr=*.*.*.*-Dst addr=*.*.*.*-I_COOKIE=d9b4c92fa1613e71-R_COOKIE=0000000000000000-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
(0)
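Added example, not part of the original thread: a small parser for the IKE debug output above that collects each offered transform and reports which attributes differ from a local proposal. It assumes the asker's stated 3DES, MD5, DH1 describe this device's IKE proposal (DH group 1 is MODP_768); the spelling `3DES_CBC` and the trimmed `SAMPLE_LOG` are constructed for the example.

```python
import re

# Constructed sample: lines trimmed from the debug output in the question.
SAMPLE_LOG = """\
*Dec 22 15:28:46:250 2023 H3C IKE/7/DEBUG: validate payload PROPOSAL
*Dec 22 15:28:46:400 2023 H3C IKE/7/DEBUG: NO: 0
*Dec 22 15:28:46:751 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:46:851 2023 H3C IKE/7/DEBUG: NO: 0
*Dec 22 15:28:47:202 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:47:252 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:47:403 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1536
*Dec 22 15:28:48:357 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:48:357 2023 H3C IKE/7/DEBUG: NO: 2
*Dec 22 15:28:48:809 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:48:909 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:49:059 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_768
*Dec 22 15:28:49:160 2023 H3C IKE/7/DEBUG: validate payload VENDOR
"""
# Assumption: the asker's stated 3DES / MD5 / DH1 is this device's IKE proposal.
# "3DES_CBC" is an assumed spelling; DH group 1 is MODP_768.
LOCAL = {"ENCRYPTION_ALGORITHM": "3DES_CBC", "HASH_ALGORITHM": "MD5",
         "GROUP_DESCRIPTION": "MODP_768"}
BODY = re.compile(r"IKE/7/DEBUG:\s*(.*\S)")
ATTR = re.compile(r"Attribute (\w+) : (\S+)")
NUM = re.compile(r"NO:\s*(\d+)")

def offered_transforms(log):
    """Return {transform number: {attribute: value}} for each TRANSFORM payload."""
    transforms, current = {}, None
    for raw in log.splitlines():
        m = BODY.search(raw)
        if not m:
            continue
        body = m.group(1)
        if body.startswith("validate payload"):
            # Any new payload closes the previous transform; only TRANSFORM opens one.
            current = {} if body.endswith("TRANSFORM") else None
        elif current is not None and (n := NUM.match(body)):
            transforms[int(n.group(1))] = current
        elif current is not None and (a := ATTR.match(body)):
            current[a.group(1)] = a.group(2)
    return transforms

def mismatches(log, local):
    """Per offered transform: {attribute: (offered, local)} where they differ."""
    return {n: {k: (t.get(k), v) for k, v in local.items() if t.get(k) != v}
            for n, t in offered_transforms(log).items()}
```

An empty dictionary for any transform number in `mismatches(SAMPLE_LOG, LOCAL)` would mean that transform matches the local values on all three compared attributes.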
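Best answer
Based on the logs you provided, I found the following possible causes:
If none of the above resolves your problem, you can try some debugging commands to troubleshoot IPsec, for example show crypto isakmp sa, show crypto ipsec sa, debug crypto isakmp, debug crypto ipsec, and so on [5]. These commands let you see more information about the IKE SA, such as the SPI, transform, key lifetime, etc.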
(0)
How is your NAT configured?
The message "ipsec nat bypass is not enable." is probably caused by a problem with the NAT configuration.
(0)
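There is no NAT configured on the outbound interface.
Hello, please note:
IPsec VPN troubleshooting:
1. Check connectivity between the public addresses.
2. Check that the ipsec acl is configured correctly (the ACLs on the two ends should mirror each other).
3. Check that the ike keychain/ike profile negotiation parameters are configured correctly (working mode, keychain, identity, local/remote tunnel address or tunnel name; NAT traversal is adaptive on V7).
4. Check that the ipsec proposal (V5 platform) / ipsec transform-set (V7 platform) parameters are the same on both ends (encapsulation mode, security protocol, authentication algorithm, encryption algorithm).
5. Check that the device has an ipsec policy created and that the negotiation parameters are loaded into it (acl, ike profile, ipsec transform-set, peer tunnel IP).
6. Check that the ipsec policy is applied to the correct interface.
IPsec troubleshooting commands:
1. disp ipsec policy
2. disp acl
3. dis cu conf ike-profile
4. dis cu conf ike-keychain
5. display ike proposal
6. display ipsec transform-set
7. disp ike sa (verbose)
8. disp ipsec sa
9. reset ipsec sa
10. reset ike sa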
(0)
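I have now enabled NAT traversal, and the ACL is fine. At the branch I have only written one specific route, for the dedicated line to headquarters; this interface has no default route and no NAT configuration.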