*Jan 15 14:40:25:561 2025 F1000-C8150 IKE/7/ERROR: vrf = 0, local = 116.128.224.66, remote = 140.207.7.56/500
Can't find IKE SA.
*Jan 15 14:40:22:559 2025 F1000-C8150 IKE/7/ERROR: 2th byte of the structure ISAKMP Identification Payload must be 0.
*Jan 15 14:40:22:559 2025 F1000-C8150 IKE/7/ERROR: vrf = 0, local = 116.128.224.66, remote = 140.207.7.56/500
Failed to parse phase 1 packet. Reason INVALID_PAYLOAD_TYPE.
*Jan 15 14:40:22:560 2025 F1000-C8150 IKE/7/ERROR: vrf = 0, local = 116.128.224.66, remote = 140.207.7.56/500
Failed to negotiate IKE SA.
The local IKE configuration is as follows:
ike profile nsyh
keychain nsyh
local-identity address 116.128.224.66
match remote identity address 140.207.7.56
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group2
authentication-algorithm sha256
#
#
ike keychain nsyh
match local address 116.128.224.66
pre-shared-key address 140.207.7.56 key c ******
#
The peer configuration is shown in the figure.
Check your port 500. Is this a firewall? Has the firewall policy been set to permit it?
(0)
It has been permitted.
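From the log information provided, the problem occurs in Phase 1 of the IKE (Internet Key Exchange) protocol: the two sides fail to establish a secure session. The main errors in the log, with their possible causes and solutions, are as follows:
Cause:
Solution:
Cause:
Solution: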
display current-configuration | include ike
Make sure the protocol versions match:
ike version 1
Cause:
Solution:
ike proposal <proposal_name>
authentication-method pre-share
encryption-algorithm aes-cbc-128
hash-algorithm sha1
dh-group 2
sa-duration 86400
Cause:
Solution:
system-view
ike peer <peer_name>
pre-shared-key cipher <key>
Check the local IKE configuration
system-view
ike proposal 1
authentication-method pre-share
encryption-algorithm aes-cbc-256
hash-algorithm sha2-256
dh-group 14
sa-duration 86400
quit
ike peer peer1
remote-address 140.207.7.56
ike-proposal 1
pre-shared-key cipher your_psk
quit
View the current IKE SA status
display ike sa
Check network connectivity
Use ping or traceroute to check network connectivity.
Enable debug logging
debugging ike all
If the problem is still not resolved, it is recommended to provide both sides' configurations for further analysis.
(0)
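As an added example, not part of the original thread or of any H3C code: a minimal Python check of the kind the second log error refers to, parsing an IKEv1 Identification payload and rejecting it when the RESERVED octet of the generic payload header (RFC 2408) is non-zero. It assumes the device's "2th byte" means that octet; the helper names and both sample payloads are constructed for illustration.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1   # ID type from the IPsec DOI (RFC 2407)
NEXT_HASH = 8      # ISAKMP payload type HASH, which follows ID in main mode

class PayloadError(ValueError):
    """Raised when the buffer is not a well-formed Identification payload."""

def parse_id_payload(buf: bytes) -> dict:
    """Parse a generic payload header plus the ID header and ID data."""
    if len(buf) < 8:
        raise PayloadError("truncated: need 4-byte generic and 4-byte ID header")
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    # Second octet of every ISAKMP payload header is RESERVED and must be 0.
    if reserved != 0:
        raise PayloadError(f"RESERVED byte is 0x{reserved:02x}, must be 0")
    if length < 8 or length > len(buf):
        raise PayloadError(f"length {length} does not fit buffer of {len(buf)}")
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise PayloadError("ID_IPV4_ADDR must carry exactly 4 bytes")
        identity = str(ipaddress.IPv4Address(data))
    else:
        identity = data.hex()
    return {"next_payload": next_payload, "id_type": id_type,
            "protocol": proto, "port": port, "identity": identity}

def build_ipv4_id(addr: str, next_payload: int = NEXT_HASH) -> bytes:
    """Hypothetical helper: build a well-formed ID_IPV4_ADDR payload."""
    body = struct.pack("!BBH", ID_IPV4_ADDR, 0, 0) + ipaddress.IPv4Address(addr).packed
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def check(buf: bytes) -> str:
    """Return the parsed identity, or the reason the payload was rejected."""
    try:
        return parse_id_payload(buf)["identity"]
    except PayloadError as exc:
        return f"rejected: {exc}"

# Constructed sample: the identity the profile expects from the peer.
GOOD = build_ipv4_id("140.207.7.56")
# Constructed sample: arbitrary bytes standing in for a payload that is not valid ISAKMP.
BAD = bytes.fromhex("9c4e1b7a03d2f8615a0c77e2")

if __name__ == "__main__":
    print(check(GOOD))
    print(check(BAD))
```

The identity parsed from a well-formed payload is the value that `match remote identity address` in the IKE profile is compared against.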