问

HCL-模拟器-ipsec

IPSec VPN

2025-01-13提问

0关注
0收藏，877浏览

小白的逆袭

小白的逆袭二段

粉丝：0人关注：2人

问题描述：

华三模拟器在路由器和防火墙上做ipsec是不是无法建立隧道，我防火墙做了实验隧道无法建立。

最佳答案

Xcheng

Xcheng 九段

粉丝：132人关注：3人

肯定可以

检查配置或debug定位吧

如

回复Xcheng:

做了几次一共就遇到这么三个debug信息

小白的逆袭发表时间：2025-01-13 更多>>

debug只在报sp无法发现sa

小白的逆袭发表时间：2025-01-13

回复小白的逆袭:

那不就是配置问题么

Xcheng 发表时间：2025-01-13

回复小白的逆袭:

建议报个培训班系统性学习下吧，或查阅官网手册等权威资料进一步确认吧

Xcheng 发表时间：2025-01-13

回复Xcheng:

我在做一下试一下吧，跟着专家发的配置做的

小白的逆袭发表时间：2025-01-13

回复Xcheng:

<zongbu>*Jan 13 10:02:08:496 2025 zongbu IPSEC/7/EVENT: -COntext=1; Sent debug message to all nodes, message type is 0x3.

小白的逆袭发表时间：2025-01-13

回复小白的逆袭:

联系相关专家吧

Xcheng 发表时间：2025-01-13

回复小白的逆袭:

或仔细检查配置吧

Xcheng 发表时间：2025-01-13

回复Xcheng:

<zongbu>*Jan 13 10:11:47:911 2025 zongbu IKE/7/EVENT: -COntext=1; Sent config set message.

小白的逆袭发表时间：2025-01-13

回复Xcheng:

做了几次一共就遇到这么三个debug信息

小白的逆袭发表时间：2025-01-13

5 个回答

按时间按赞数

hedgeknight

hedgeknight 九段

粉丝：27人关注：4人

是的，模拟软件不比真机，很多功能是有限制的，还是建议用真机做实验。

无名之辈

无名之辈九段

粉丝：112人关注：0人

您好，可以的，进一步检查配置

我是用的中心节点对应多个下级节点的配置做的，debug只报一个错误就是SP无法发现SA

小白的逆袭发表时间：2025-01-13 更多>>

我是用的中心节点对应多个下级节点的配置做的，debug只报一个错误就是SP无法发现SA

小白的逆袭发表时间：2025-01-13

zhiliao_wjxmkq

zhiliao_wjxmkq 四段

粉丝：0人关注：0人

模拟器可以配置IPSec，配置完成后，可以使用终端相互ping一下，激发一下SA建立

回复小白的逆袭:

IPSec排查，主要看一下三个部分：公网路由（看看两端公网地址通不通，可以配个安全策略放行Ping），安全策略（放行IKE和IPSec相关的，Untrust到Local，Local到Untrust），IPSec和IKE的配置是否对称（重点检查一下，把两端的配置粘出来，仔细对比一下，包括ACL也对比一下）。

zhiliao_wjxmkq 发表时间：2025-01-13 更多>>

我配置了acl，按道理不用配置去往内网的路由，但是防火墙配置了去内网的路由，ping对端内网电脑才能建立第一阶段，但无法建立第二阶段

小白的逆袭发表时间：2025-01-13

回复小白的逆袭:

zhiliao_wjxmkq 发表时间：2025-01-13

小白的逆袭

小白的逆袭二段

粉丝：0人关注：2人

[BEGIN] 2025/1/13 10:43:04

[jiedian]
[jiedian]dis
[jiedian]display cu
[jiedian]display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname jiedian
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 198.76.26.2 255.255.255.0
nat outbound 3888
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 101.88.26.0 24 198.76.26.1
#
acl advanced 3888
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip
#
acl advanced 3999
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set jiedian
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy GE1//0/2 1 isakmp
transform-set jiedian
security acl 3999
local-address 198.76.26.2
remote-address 101.88.26.2
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 198.76.26.2
match remote identity address 101.88.26.2 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 101.88.26.2 255.255.255.0 key cipher $c$3$QNy6WhqcdyNofdwFdBAY3JCo5iCV39W2dg==
#
ip http enable
ip https enable
#
security-policy ip
rule 5 name any
action pass
#
return
[jiedian]

[jiedian]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

-----------------------------------------

[BEGIN] 2025/1/13 10:42:34
[zongbu]
[zongbu]dis
[zongbu]display cu
[zongbu]display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname zongbu
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 101.88.26.2 255.255.255.0
nat outbound 3888
ipsec apply policy GE1/0/2
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 198.76.26.0 24 101.88.26.1
#
acl advanced 3888
rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip
#
acl advanced 3999
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set zongbu
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy GE1/0/2 1 isakmp
transform-set zongbu
security acl 3999
local-address 101.88.26.2
remote-address 198.76.26.2
ike-profile 1
#
ike profile 1
keychain 1
local-identity address 101.88.26.2
match remote identity address 198.76.26.2 255.255.255.0
proposal 1
#
ike proposal 1
#
ike keychain 1
pre-shared-key address 198.76.26.2 255.255.255.0 key cipher $c$3$aFtWBHe8ZKCW1qzBxHpFJv6suidJUNXWHQ==
#
ip http enable
ip https enable
#
security-policy ip
rule 5 name any
action pass
#
return
[zongbu]
[zongbu]
[zongbu]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

[END] 2025/1/13 10:42:45

[END] 2025/1/13 10:43:14

[zongbu]display current-configuration | in static
ip route-static 192.168.20.0 24 101.88.26.1
ip route-static 198.76.26.0 24 101.88.26.1

[jiedian]display current-configuration | in static
ip route-static 101.88.26.0 24 198.76.26.1
ip route-static 192.168.10.0 24 192.76.26.1

-----------------------------------

[zongbu]*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/PACKET: -COntext=1;
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/ERROR: -COntext=1;
The reason of dropping packet is no available IPsec tunnel.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Sent SA-Acquire message : SP ID = 0
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Received negotiate SA message from IPsec kernel.
*Jan 13 10:47:31:710 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Got SA time-based soft lifetime settings when filling Sp data.
Configured soft lifetime buffer : 0 seconds.
Configured global soft lifetime buffer : 0 seconds.
*Jan 13 10:47:31:733 2025 zongbu IPSEC/7/EVENT: -COntext=1;
The SA doesn't exist in kernel.
*Jan 13 10:47:31:733 2025 zongbu IPSEC/7/EVENT: -COntext=1;
Remote address no need to change, SP index=0.

[zongbu]di
[zongbu]dis
[zongbu]display ike sa
[zongbu]display ike sa
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
ID Profile Remote Flag Remote-Type Remote-ID
--------------------------------------------------------------------------------
3 1 198.76.26.2 RD IPV4_ADDR 198.76.26.2
[zongbu]dis
[zongbu]display ips
[zongbu]display ipsec sa
[zongbu]display ipsec sa

---------------------------------------

[jiedian]*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 164
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Begin a new phase 1 negotiation as responder.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Responder created an SA for peer 101.88.26.2, local port 500, remote port 500.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Security Association Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process vendor ID payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/EVENT: -COntext=1; Vendor ID NAT-T rfc3947 is matched.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process SA payload.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Check ISAKMP transform 1.
*Jan 13 10:47:30:841 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encryption algorithm is DES-CBC.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH algorithm is HMAC-SHA1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
DH group is 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Authentication method is Pre-shared key.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Lifetime type is 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Life duration is 86400.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Get pre-shared key by IKE profile .
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Found pre-shared key that matches address 101.88.26.2 in keychain 1.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Attributes is acceptable.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; Oakley transform 1 is acceptable.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Constructed SA payload
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NAT-T rfc3947 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct XAUTH draft6 vendor ID payload.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 136
*Jan 13 10:47:30:842 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:842 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 216
*Jan 13 10:47:30:845 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Key Exchange Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Nonce Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP NAT-D Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP NAT-D Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Vendor ID Payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process KE payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process NONCE payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received 2 NAT-D payload.
*Jan 13 10:47:30:845 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process vendor ID payload.
*Jan 13 10:47:30:846 2025 jiedian IKE/7/EVENT: -COntext=1; Vendor ID DPD is matched.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct KE payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NONCE payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct NAT-D payload.
*Jan 13 10:47:30:848 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct DPD vendor ID payload.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 216
*Jan 13 10:47:30:850 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:851 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 92
*Jan 13 10:47:30:854 2025 jiedian IKE/7/EVENT: -COntext=1; Phase1 process started.
*Jan 13 10:47:30:854 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Decrypt the packet.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Hash Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Notification Payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process ID payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Peer ID type: IPV4_ADDR (1).
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Peer ID value: address 101.88.26.2.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Update the profile with Remote identity.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
The profile 1 is matched.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Found keychain 1 in profile 1 successfully.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Verify HASH payload.
*Jan 13 10:47:30:855 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH:
c7e6ab57 d7541f2c 61a66e60 8ed9ef5a 1148f77d
*Jan 13 10:47:30:855 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH verification succeeded.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Notification IPSEC_INITIAL_CONTACT is received.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Local ID type: IPV4_ADDR (1).
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Local ID value: 198.76.26.2.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct ID payload.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
HASH:
a797f0d6 851d0253 c2b0f1b0 8a85d7bc d9b058b5
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct authentication by pre-shared-key.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encrypt the packet.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IKE SA state changed from IKE_P1_STATE_SEND4 to IKE_P1_STATE_ESTABLISHED.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Jan 13 10:47:30:856 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1;
Address 198.76.26.2 is not VirtualAddr
*Jan 13 10:47:30:856 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
The default soft lifetime 82080(seconds) was used for the IKE P1 SA.
*Jan 13 10:47:30:857 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Add tunnel, alloc new tunnel with ID [1].
*Jan 13 10:47:30:857 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/EVENT: -COntext=1; Received packet successfully.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received packet from 101.88.26.2 source port 500 destination port 500.
*Jan 13 10:47:30:858 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 620d80a0
length: 172
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; Phase2 process started.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Decrypt the packet.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Hash Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Security Association Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Nonce Payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process HASH payload.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Validated HASH(1) successfully.
*Jan 13 10:47:30:860 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process IPsec ID payload.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Process IPsec ID payload.
*Jan 13 10:47:30:861 2025 jiedian IPSEC/7/EVENT: -COntext=1;
Could not find tunnel, ike profile name is 1.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; IKE thread 3048594384 ErrCode 0 processes a job.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; Received message from ipsec, message type is 10.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/ERROR: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/ERROR: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Failed to negotiate IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; Delete IPsec SA.
*Jan 13 10:47:30:861 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send delete SA to IPsec, the reason is negotiate fail.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Encrypt the packet.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Construct notification packet: INVALID_ID_INFORMATION.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending packet to 101.88.26.2 remote port 500, local port 500, out-interface 0.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500

I-COOKIE: 4707425c9220ea98
R-COOKIE: 324b0840145c5e8e
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: ebf3f95a
length: 68
*Jan 13 10:47:30:862 2025 jiedian IKE/7/PACKET: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sending an IPv4 packet.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Send udp packet by socket 44 SrcPort 500 ifIndex 0.
*Jan 13 10:47:30:862 2025 jiedian IKE/7/EVENT: -COntext=1; vrf = 0, local = 198.76.26.2, remote = 101.88.26.2/500
Sent data to socket successfully.

[jiedian]

奇怪的流量

奇怪的流量九段

粉丝：32人关注：11人

你的配置99%都是对的，加一下去业务段的路由就好了。。。。。。

不加路由的话，ping的时候流量无法被引导到出接口那里，也就匹配不上ipsec policy了。

还有一个ipsec policy GE1//0/2 1 isakmp我估计是编辑文本的时候出错了吧，多了个“/”。

两边都要加一下路由。

第一次ping的时候可能会丢一个包，用于触发协商，后续就不再丢包了。

可以了

小白的逆袭发表时间：2025-01-16 更多>>

好的我再试试

小白的逆袭发表时间：2025-01-14

加业务网段我也不行，能不您的配置发一下吗

小白的逆袭发表时间：2025-01-14

能把

小白的逆袭发表时间：2025-01-14

回复小白的逆袭:

我用的就是你的配置，直接复制进去然后加了条路由。

奇怪的流量发表时间：2025-01-15

回复奇怪的流量:

那就奇怪了我默认路由按道理不用加明细，就是建立不起来ike和ipsec sa

小白的逆袭发表时间：2025-01-16

可以了

小白的逆袭发表时间：2025-01-16

编辑答案

分享扩散:

➤

网站相关: 关于我们; 服务条款; 隐私政策; 帮助中心; 经验与权限; 积分规则

联系我们: 联系我们; 建议反馈

常用链接: 标杆的神器下载

关注我们: H3C官网; 新华三服务公众号; 安仔远程运维服务; 新华三商城

内容许可: 除特别说明外，用户内容均可采用知识共享署名-相同方式共享3.0中国大陆许可协议进行许可

本图标版权归新华三集团所有，仅限本社区使用，切勿用做商业目的，违者必究

浙ICP备09064986号-1 浙公网安备 33010802004416号

✖

亲~登录后才可以操作哦!

确定

✖

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

✖

你的邮箱还未认证，请认证邮箱或绑定手机后进行当前操作

✖

侵犯我的权益 >

对根叔社区有害的内容 >

辱骂、歧视、挑衅等（不友善）

侵犯我的权益

泄露了我的隐私 >

侵犯了我企业的权益 >

抄袭了我的内容 >

诽谤我 >

辱骂、歧视、挑衅等（不友善）

骚扰我

泄露了我的隐私

您好，当您发现根叔知了上有泄漏您隐私的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您认为哪些内容泄露了您的隐私？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

侵犯了我企业的权益

您好，当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱，我们会在审核后尽快给您答复。

1. 您举报的内容是什么？（请在邮件中列出您举报的内容和链接地址）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）
3. 是哪家企业？（营业执照，单位登记证明等证件）
4. 您与该企业的关系是？（您是企业法人或被授权人，需提供企业委托授权书）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

原文链接或出处

诽谤我

您好，当您发现根叔知了上有诽谤您的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您举报的内容以及侵犯了您什么权益？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

垃圾广告信息

色情、暴力、血腥等违反法律法规的内容

政治敏感

不规范转载 >

辱骂、歧视、挑衅等（不友善）

骚扰我

诱导投票

不规范转载

举报说明

产品线		搜索取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式	默认策略匹配全词匹配整句

HCL-模拟器-ipsec

问题描述：

编辑答案

提出建议