ipsec 无法建立的问题
- 0关注
- 1收藏,1216浏览
问题描述:
ike协商无法成功,一端是msr5040另一端是secpath F1000,以下是ping测试的调试信息:
secpath:
H3C Comware Software Comware software, Version 3.40, Release 1661
msr:
H3C Comware Platform Software Comware Software, Version 5.20, Release 2105P22, Standard
X、Y代表真实IP
<H3C-5040>
*May 17 12:58:26:921 2019 H3C-5040 IKE/7/DEBUG: Connection name is X.X.X.X,Y.Y.Y.Y,500,0;#a,10-10
*May 17 12:58:26:921 2019 H3C-5040 IKE/7/DEBUG: Check connection: SA for X.X.X.X,Y.Y.Y.Y,500,0;#a,10-10 missing
*May 17 12:58:26:921 2019 H3C-5040 IKE/7/DEBUG: exchange lookup : name = X.X.X.X,Y.Y.Y.Y,500,0;#a,10-10 phase = 2
*May 17 12:58:26:921 2019 H3C-5040 IKE/7/DEBUG: exchange lookup : name = X.X.X.X,Y.Y.Y.Y,500,0; phase = 1
*May 17 12:58:26:921 2019 H3C-5040 IKE/7/DEBUG: exchange create(i): 903a650
*May 17 12:58:26:921 2019 H3C-5040 IKE/7/DEBUG: message add payload SA
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: DOI: 1
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: message add payload PROPOSAL
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: NO: 1
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: PROTO: ISAKMP
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: SPI_SZ: 0
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: NTRANSFORMS: 2
*May 17 12:58:26:922 2019 H3C-5040 IKE/7/DEBUG: message add payload TRANSFOR
M
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: NO: 0
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: ID: 1
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: Transform 0's attributes
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: Attribute ENCRYPTION_ALGOR
ITHM : DES_CBC
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: Attribute HASH_ALGORITHM :
MD5
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: Attribute AUTHENTICATION_M
ETHOD : PRE_SHARED
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: Attribute GROUP_DESCRIPTIO
N : MODP_1024
*May 17 12:58:26:923 2019 H3C-5040 IKE/7/DEBUG: Attribute LIFE_TYPE : SECO
NDS
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute LIFE_DURATION :
86400
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: message add payload TRANSFOR
M
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: NO: 1
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: ID: 1
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Transform 1's attributes
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute ENCRYPTION_ALGOR
ITHM : DES_CBC
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute HASH_ALGORITHM :
SHA
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute AUTHENTICATION_M
ETHOD : PRE_SHARED
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute GROUP_DESCRIPTIO
N : MODP_768
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute LIFE_TYPE : SECO
NDS
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: Attribute LIFE_DURATION :
86400
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: initiator send SA message
*May 17 12:58:26:924 2019 H3C-5040 IKE/7/DEBUG: send VID: initiator not supp
ort nat traversal
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: initiator send SA VID
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: exchange validate: checking
for required SA
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: message send:
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: ICOOKIE: 0xfc029e46b97b328
4
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: RCOOKIE: 0x000000000000000
0
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: NEXT_PAYLOAD: SA
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: VERSION: 16
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: EXCH_TYPE: ID_PROT
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: FLAGS: [ ]
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: LENGTH: 120
*May 17 12:58:26:925 2019 H3C-5040 IKE/7/DEBUG: exchange run(i): finished st
ep 0, advancing...
*May 17 12:58:37:921 2019 H3C-5040 IKE/7/DEBUG: message send:
*May 17 12:58:37:921 2019 H3C-5040 IKE/7/DEBUG: ICOOKIE: 0xfc029e46b97b328
4
*May 17 12:58:37:921 2019 H3C-5040 IKE/7/DEBUG: RCOOKIE: 0x000000000000000
0
*May 17 12:58:37:922 2019 H3C-5040 IKE/7/DEBUG: NEXT_PAYLOAD: SA
*May 17 12:58:37:922 2019 H3C-5040 IKE/7/DEBUG: VERSION: 16
*May 17 12:58:37:922 2019 H3C-5040 IKE/7/DEBUG: EXCH_TYPE: ID_PROT
*May 17 12:58:37:922 2019 H3C-5040 IKE/7/DEBUG: FLAGS: [ ]
*May 17 12:58:37:922 2019 H3C-5040 IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*May 17 12:58:37:922 2019 H3C-5040 IKE/7/DEBUG: LENGTH: 120
<H3C-5040>dis ike sa
total phase-1 SAs: 0
connection-id peer flag phase doi
----------------------------------------------------------
10 <unnamed> NONE 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
- 2019-05-17提问
- 举报
-
(0)
最佳答案
画个表,把两端的参数一一对应起来,看看哪里不适配,参照下面的案例检查下配置:
http://www.h3c.com/cn/d_201809/1112592_30005_0.htm#_Toc524421155
- 2019-05-17回答
- 评论(1)
- 举报
-
(0)
已核对过,参数都一致,debg ike error没有信息输出debg ipsec error会有如下输出:*May 17 14:15:04:890 2019 H3C-5040 IPSEC/7/DBG: IPsec_ERROR: Do IPsec: non-existant TDB!
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
已核对过,参数都一致,debg ike error没有信息输出debg ipsec error会有如下输出:*May 17 14:15:04:890 2019 H3C-5040 IPSEC/7/DBG: IPsec_ERROR: Do IPsec: non-existant TDB!