IPsec VPN problem with CA (certificate) authentication
Copyright notice: original work. Reposting is permitted, but the original source must be given as a hyperlink together with the author information and this notice; otherwise legal action will be taken. http://netwalk.blog.51cto.com/173717/66970
1. Environment
(fa0/1:192.168.0.212)RR5(fa0/0:10.2.1.1)-------(fa0/0:10.2.1.3)RR7(fa0/1:192.168.0.213)
RR5 is configured as the CA server.
The 10.x addresses are the outside interfaces, between which the VPN tunnel runs; the 192.x addresses are the inside interfaces and stand in for each router's internal network.

2. Problem
Both routers obtain their certificates from the CA server without trouble. When the IPsec VPN is brought up, the IKE exchange fails.

3. Configuration and debug output
RR5:
Current configuration : 5616 bytes
!
! Last configuration change at 16:45:51 CST Fri Jan 4 2008
! NVRAM config last updated at 16:36:51 CST Fri Jan 4 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RR5
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
memory-size iomem 5
clock timezone CST 8
ip cef
!
no ip domain lookup
ip domain name sys.com
!
crypto pki server sys
 database archive pem password 7 08701E1D5D4C53404A
 grant auto
 cdp-url http://192.168.0.212
!
crypto pki trustpoint sys
 revocation-check crl
 rsakeypair sys
!
crypto pki trustpoint sys1
 enrollment url http://192.168.0.212:80
 serial-number none
 fqdn RR5.sys.com
 ip-address none
 password
 revocation-check crl
 rsakeypair RR5.sys.com
 auto-enroll
!
crypto pki certificate chain sys
 certificate ca 01
  308201F5 3082015E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0E310C30 0A060355 04031303 73797330 1E170D30 38303130 34303833 3333325A
  170D3131 30313033 30383333 33325A30 0E310C30 0A060355 04031303 73797330
  819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 C381C6FB
  5821BAD9 91F5B2F6 C818223D 2662EC3A 05C4047A F7452F2F 161082BA 3064CC85
  F6434CEC BDA7AABD BB1E31F4 5E5D3F3F D54A2064 C6F654B4 40751949 6C4460F3
  C444C2CE 0244FCE4 890CC35A EFC56E97 61626351 290C2DA4 A8010698 9C193715
  0F297659 D28B41A5 7B5A4A91 02A956DA DCC8EAAA 8F5D1A62 ACBD3083 02030100
  01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF
  04040302 0186301F 0603551D 23041830 168014E8 647D867C 2B0570F3 A9B74DA5
  687FF550 CE477230 1D060355 1D0E0416 0414E864 7D867C2B 0570F3A9 B74DA568
  7FF550CE 4772300D 06092A86 4886F70D 01010405 00038181 004571EF 7A855DDC
  30061D85 7B03ED0F 20BC4B94 6E4BE588 F165D030 56A1A12F CB85C7C6 7F39EC2E
  44021504 35C3AE49 C13B65F5 4580ED2F A5C38E59 C71AFC18 7A0ECBD2 F7AF71C1
  DC608917 B675BBC5 6428EFDE 6EDD6A13 05597A6E FF3DC9F3 F38FB619 0838CD3F
  92BC7EC3 E30D3586 CB3FB38C D810AD94 C7BECFB2 D98D2217 43
  quit
crypto pki certificate chain sys1
 certificate 02
  308201D2 3082013B A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  0E310C30 0A060355 04031303 73797330 1E170D30 38303130 34303833 3835345A
  170D3039 30313033 30383338 35345A30 1C311A30 1806092A 864886F7 0D010902
  160B5252 352E7379 732E636F 6D305C30 0D06092A 864886F7 0D010101 0500034B
  00304802 4100D720 734C8D41 FE3C6A68 EF6946DB 60EAF693 201FC5CA 14A93C7D
  2266E36B E45596AD 1D3982A2 EDC3EE95 16EEB484 65259C3D 01F33729 C164CC6B
  33190AB8 B98B0203 010001A3 76307430 25060355 1D1F041E 301C301A A018A016
  86146874 74703A2F 2F313932 2E313638 2E302E32 3132300B 0603551D 0F040403
  0205A030 1F060355 1D230418 30168014 E8647D86 7C2B0570 F3A9B74D A5687FF5
  50CE4772 301D0603 551D0E04 16041480 43458F97 109EFD97 15C262C1 0FC6B0D8
  E23F5E30 0D06092A 864886F7 0D010104 05000381 81008ED0 8E41CAEE EE2185CA
  320D5D28 6894DE8B B49A8622 CCCA3063 D313E3BB F2B56F6A 926219A9 624486C9
  E7CDC4F5 504DB1EB 37864782 E783D13B 60FC16C8 3BBEFF89 2ADBEA99 0FD9FF06
  D5148A52 7B6FC37A 0B61F551 CEFFFABE 5CCC47CC 7DE3D912 EC4A975D F78F3611
  6404CB77 F3FD1E47 D2ACBF6F 8532E36F 45968AC2 BC44
  quit
 certificate ca 01
  308201F5 3082015E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0E310C30 0A060355 04031303 73797330 1E170D30 38303130 34303833 3333325A
  170D3131 30313033 30383333 33325A30 0E310C30 0A060355 04031303 73797330
  819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 C381C6FB
  5821BAD9 91F5B2F6 C818223D 2662EC3A 05C4047A F7452F2F 161082BA 3064CC85
  F6434CEC BDA7AABD BB1E31F4 5E5D3F3F D54A2064 C6F654B4 40751949 6C4460F3
  C444C2CE 0244FCE4 890CC35A EFC56E97 61626351 290C2DA4 A8010698 9C193715
  0F297659 D28B41A5 7B5A4A91 02A956DA DCC8EAAA 8F5D1A62 ACBD3083 02030100
  01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF
  04040302 0186301F 0603551D 23041830 168014E8 647D867C 2B0570F3 A9B74DA5
  687FF550 CE477230 1D060355 1D0E0416 0414E864 7D867C2B 0570F3A9 B74DA568
  7FF550CE 4772300D 06092A86 4886F70D 01010405 00038181 004571EF 7A855DDC
  30061D85 7B03ED0F 20BC4B94 6E4BE588 F165D030 56A1A12F CB85C7C6 7F39EC2E
  44021504 35C3AE49 C13B65F5 4580ED2F A5C38E59 C71AFC18 7A0ECBD2 F7AF71C1
  DC608917 B675BBC5 6428EFDE 6EDD6A13 05597A6E FF3DC9F3 F38FB619 0838CD3F
  92BC7EC3 E30D3586 CB3FB38C D810AD94 C7BECFB2 D98D2217 43
  quit
username sys privilege 15 password 0 sys
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.2.1.3
 set peer 10.2.1.3
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 ip address 192.168.0.212 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.1.0 0.0.0.255
no cdp advertise-v2
!
control-plane
!
line con 0
 exec-timeout 35791 0
 timeout login response 300
line aux 0
line vty 0 4
 exec-timeout 35791 0
 timeout login response 300
 login local
 transport input ssh
line vty 5 15
 exec-timeout 35791 0
 timeout login response 300
 login local
 transport input ssh
!
ntp clock-period 17179838
ntp server 202.112.10.60 source FastEthernet0/1
!
end

RR5 RSA:
Key name: RR5.sys.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D72073 4C8D41FE
  3C6A68EF 6946DB60 EAF69320 1FC5CA14 A93C7D22 66E36BE4 5596AD1D 3982A2ED
  C3EE9516 EEB48465 259C3D01 F33729C1 64CC6B33 190AB8B9 8B020301 0001
% Key pair was generated at: 16:33:25 CST Jan 4 2008
Key name: sys
Usage: General Purpose Key
Key is exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C381C6
  FB5821BA D991F5B2 F6C81822 3D2662EC 3A05C404 7AF7452F 2F161082 BA3064CC
  85F6434C ECBDA7AA BDBB1E31 F45E5D3F 3FD54A20 64C6F654 B4407519 496C4460
  F3C444C2 CE0244FC E4890CC3 5AEFC56E 97616263 51290C2D A4A80106 989C1937
  150F2976 59D28B41 A57B5A4A 9102A956 DADCC8EA AA8F5D1A 62ACBD30 83020301
  0001
% Key pair was generated at: 16:38:04 CST Jan 4 2008
Key name: RR5.sys.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DEDC3E 27DF78B7
  C910701A 6AB96579 B58EF440 4166CCB2 3A841B6B ADB8463B 990BAB13 1A93B48C
  494AE68C 3EEB2252 C0202EEE 3A33E7C9 F9F5D5F8 4FF5DB34 4BF5CEF4 51DC768D
  5B363758 25AA86B7 6014C940 518150E0 79205D83 980706BB 59020301 0001

RR7:
Current configuration : 4115 bytes
!
! Last configuration change at 16:49:42 CST Fri Jan 4 2008
! NVRAM config last updated at 16:36:45 CST Fri Jan 4 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RR7
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
clock timezone CST 8
ip cef
!
no ip domain lookup
ip domain name sys.com
!
crypto pki trustpoint sys1
 enrollment url http://192.168.0.212:80
 serial-number none
 fqdn RR7.sys.com
 ip-address none
 password
 revocation-check crl
 rsakeypair RR7.sys.com.server
 auto-enroll
!
crypto pki certificate chain sys1
 certificate 03
  308201D2 3082013B A0030201 02020103 300D0609 2A864886 F70D0101 04050030
  0E310C30 0A060355 04031303 73797330 1E170D30 38303130 34303834 3332375A
  170D3039 30313033 30383433 32375A30 1C311A30 1806092A 864886F7 0D010902
  160B5252 372E7379 732E636F 6D305C30 0D06092A 864886F7 0D010101 0500034B
  00304802 4100ECD4 325C3869 1A2E3D16 969A9563 FC65A08D 11CD2BED 0C8A8352
  2A7D1E82 944BD373 1A457C68 05AE2DFA 26ABB34B 107191FB 7581BAAB 7560B64F
  210E4E38 0A710203 010001A3 76307430 25060355 1D1F041E 301C301A A018A016
  86146874 74703A2F 2F313932 2E313638 2E302E32 3132300B 0603551D 0F040403
  0205A030 1F060355 1D230418 30168014 E8647D86 7C2B0570 F3A9B74D A5687FF5
  50CE4772 301D0603 551D0E04 16041455 C9FBBF6A CAE04089 9EC2349F D8086AE5
  3379CF30 0D06092A 864886F7 0D010104 05000381 810059C4 334A9AB3 D2AA7769
  1493106C 6921EF7F 9E9AFD1D FE2CF5C6 515D1AA6 2F61FF72 D443C62A 59F113B9
  C1A782A7 E3C6A229 82286962 B2E1B9BC AB40EA8B 4C671B30 9226A122 2D4E427A
  5DD6569B 99B8F3D7 F3EACECB B738B477 9B5BAA95 1C6DACF7 C52A2DD9 A668CCDC
  F5EE1D03 68828778 102A736C 10E11CC9 D8F972F9 73B5
  quit
 certificate ca 01
  308201F5 3082015E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0E310C30 0A060355 04031303 73797330 1E170D30 38303130 34303833 3333325A
  170D3131 30313033 30383333 33325A30 0E310C30 0A060355 04031303 73797330
  819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 C381C6FB
  5821BAD9 91F5B2F6 C818223D 2662EC3A 05C4047A F7452F2F 161082BA 3064CC85
  F6434CEC BDA7AABD BB1E31F4 5E5D3F3F D54A2064 C6F654B4 40751949 6C4460F3
  C444C2CE 0244FCE4 890CC35A EFC56E97 61626351 290C2DA4 A8010698 9C193715
  0F297659 D28B41A5 7B5A4A91 02A956DA DCC8EAAA 8F5D1A62 ACBD3083 02030100
  01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF
  04040302 0186301F 0603551D 23041830 168014E8 647D867C 2B0570F3 A9B74DA5
  687FF550 CE477230 1D060355 1D0E0416 0414E864 7D867C2B 0570F3A9 B74DA568
  7FF550CE 4772300D 06092A86 4886F70D 01010405 00038181 004571EF 7A855DDC
  30061D85 7B03ED0F 20BC4B94 6E4BE588 F165D030 56A1A12F CB85C7C6 7F39EC2E
  44021504 35C3AE49 C13B65F5 4580ED2F A5C38E59 C71AFC18 7A0ECBD2 F7AF71C1
  DC608917 B675BBC5 6428EFDE 6EDD6A13 05597A6E FF3DC9F3 F38FB619 0838CD3F
  92BC7EC3 E30D3586 CB3FB38C D810AD94 C7BECFB2 D98D2217 43
  quit
username sys privilege 15 password 0 sys
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.2.1.1
 set peer 10.2.1.1
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 ip address 10.2.1.3 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 ip address 192.168.0.213 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.1.0 0.0.0.255
no cdp advertise-v2
!
control-plane
!
line con 0
 exec-timeout 35791 0
 timeout login response 300
line aux 0
line vty 0 4
 exec-timeout 35791 0
 timeout login response 300
 login local
 transport input ssh
line vty 5 15
 exec-timeout 35791 0
 timeout login response 300
 login local
 transport input ssh
!
ntp clock-period 17179866
!
end

RR7 RSA:
Key name: RR7.sys.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D5305A 709071D7
  544B8CD7 ADE9D306 F5E59763 0AEFB0CF 6A3E7482 143806BB C7E04B14 CFD60844
  5D8D524B 8D6FC6F4 00ECFF14 7F60734D D4FFA4E3 F6CFDAC8 AB020301 0001
% Key pair was generated at: 16:43:26 CST Jan 4 2008
Key name: RR7.sys.com.server
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00ECD432 5C38691A
  2E3D1696 9A9563FC 65A08D11 CD2BED0C 8A83522A 7D1E8294 4BD3731A 457C6805
  AE2DFA26 ABB34B10 7191FB75 81BAAB75 60B64F21 0E4E380A 71020301 0001

DEBUG (one ICMP echo, RR5 -> RR7):
RR5:
RR5#ping 10.2.1.3 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.2.1.3, timeout is 2 seconds:
Jan 4 09:03:24.653: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.2.1.1, remote= 10.2.1.3,
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xF8A42403(4171506691), conn_id= 0, keysize= 0, flags= 0x400A
Jan 4 09:03:24.669: ISAKMP: received ke message (1/1)
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 4 09:03:24.669: ISAKMP: Created a peer struct for 10.2.1.3, peer port 500
Jan 4 09:03:24.669: ISAKMP: New peer created peer = 0x656EF148 peer_handle = 0x80000003
Jan 4 09:03:24.669: ISAKMP: Locking peer struct 0x656EF148, IKE refcount 1 for isakmp_initiator
Jan 4 09:03:24.669: ISAKMP: local port 500, remote port 500
Jan 4 09:03:24.669: ISAKMP: set new node 0 to QM_IDLE
Jan 4 09:03:24.669: insert sa successfully sa = 65E0B1E0
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.2.1.3!
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 4 09:03:24.669: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Jan 4 09:03:24.673: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 4 09:03:24.677: ISAKMP:(0:0:N/A:0): sending packet to 10.2.1.3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 4 09:03:24.769: ISAKMP (0:0): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Success rate is 0 percent (0/1)
RR5#
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 4 09:03:24.777: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 4 09:03:24.777: ISAKMP : Scanning profiles for xauth ...
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jan 4 09:03:24.777: ISAKMP:      encryption 3DES-CBC
Jan 4 09:03:24.777: ISAKMP:      hash SHA
Jan 4 09:03:24.777: ISAKMP:      default group 2
Jan 4 09:03:24.777: ISAKMP:      auth RSA sig
Jan 4 09:03:24.777: ISAKMP:      life type in seconds
Jan 4 09:03:24.777: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jan 4 09:03:24.777: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jan 4 09:03:24.809: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 4 09:03:24.809: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jan 4 09:03:24.809: ISAKMP (0:134217729): vendor ID is NAT-T v7
Jan 4 09:03:24.809: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 4 09:03:24.809: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jan 4 09:03:24.817: ISAKMP (0:134217729): constructing CERT_REQ for issuer cn=sys
Jan 4 09:03:24.821: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 4 09:03:24.825: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 4 09:03:24.825: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jan 4 09:03:24.909: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 4 09:03:24.917: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 4 09:03:24.921: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jan 4 09:03:24.929: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1):SKEYID state generated
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): processing CERT_REQ payload. message ID = 0
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): peer wants a CT_X509_SIGNATURE cert
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): peer want cert issued by
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): Choosing trustpoint sys1 as issuer
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): vendor ID is Unity
Jan 4 09:03:24.965: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 4 09:03:24.969: ISAKMP:(0:1:SW:1): vendor ID is DPD
Jan 4 09:03:24.973: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 4 09:03:24.977: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Jan 4 09:03:24.977: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 4 09:03:24.981: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jan 4 09:03:24.981: ISAKMP:(0:1:SW:1):Send initial contact
Jan 4 09:03:24.997: ISAKMP:(0:1:SW:1):My ID configured as IPv4 Addr, but Addr not in Cert!
Jan 4 09:03:25.001: ISAKMP:(0:1:SW:1):Using FQDN as My ID
Jan 4 09:03:25.005: ISAKMP:(0:1:SW:1):SA is doing RSA signature authentication using id type ID_FQDN
Jan 4 09:03:25.005: ISAKMP (0:134217729): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : RR5.sys.com
        protocol     : 17
        port         : 500
        length       : 19
Jan 4 09:03:25.013: ISAKMP:(0:1:SW:1):Total payload length: 19
Jan 4 09:03:25.025: ISAKMP (0:134217729): constructing CERT payload for hostname=RR5.sys.com
Jan 4 09:03:25.025: ISAKMP:(0:1:SW:1): using the sys1 trustpoint's keypair to sign
Jan 4 09:03:25.121: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan 4 09:03:25.121: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 4 09:03:25.125: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jan 4 09:03:25.193: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 4 09:03:25.197: ISAKMP (0:134217729): received packet from 10.2.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 4 09:03:25.197: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 10.2.1.3 to 10.2.1.1.
Jan 4 09:03:54.653: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.2.1.1, remote= 10.2.1.3,
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
Jan 4 09:03:54.661: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.2.1.1, remote= 10.2.1.3,
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x27F80664(670565988), conn_id= 0, keysize= 0, flags= 0x400A
Jan 4 09:03:54.669: ISAKMP: received ke message (1/1)
Jan 4 09:03:54.669: ISAKMP: set new node 0 to QM_IDLE
Jan 4 09:03:54.669: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 10.2.1.1, remote 10.2.1.3)
Jan 4 09:04:24.661: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.2.1.1, remote= 10.2.1.3,
    local_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
Jan 4 09:04:24.673: ISAKMP: received ke message (3/1)
Jan 4 09:04:24.673: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
Jan 4 09:04:24.677: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.2.1.3)
Jan 4 09:04:24.685: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.2.1.3)
Jan 4 09:04:24.685: ISAKMP: Unlocking IKE struct 0x656EF148 for isadb_mark_sa_deleted(), count 0
Jan 4 09:04:24.685: ISAKMP: Deleting peer node by peer_reap for 10.2.1.3: 656EF148
Jan 4 09:04:24.685: ISAKMP:(0:1:SW:1):deleting node -1691002163 error FALSE reason "IKE deleted"
Jan 4 09:04:24.685: ISAKMP:(0:1:SW:1):deleting node -1683647828 error FALSE reason "IKE deleted"
Jan 4 09:04:24.685: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 4 09:04:24.685: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jan 4 09:04:24.685: IPSEC(key_engine): got a queue event with 1 kei messages

RR7:
.Jan 4 09:03:24.687: ISAKMP (0:0): received packet from 10.2.1.1 dport 500 sport 500 Global (N) NEW SA
.Jan 4 09:03:24.691: ISAKMP: Created a peer struct for 10.2.1.1, peer port 500
.Jan 4 09:03:24.695: ISAKMP: New peer created peer = 0x64E84168 peer_handle = 0x80000003
.Jan 4 09:03:24.695: ISAKMP: Locking peer struct 0x64E84168, IKE refcount 1 for crypto_isakmp_process_block
.Jan 4 09:03:24.695: ISAKMP: local port 500, remote port 500
.Jan 4 09:03:24.695: insert sa successfully sa = 64E82B2C
.Jan 4 09:03:24.695: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan 4 09:03:24.699: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
.Jan 4 09:03:24.707: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
.Jan 4 09:03:24.707: ISAKMP:(0:0:N/A:0): processing vendor id payload
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
.Jan 4 09:03:24.711: ISAKMP (0:0): vendor ID is NAT-T v7
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): processing vendor id payload
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): processing vendor id payload
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
.Jan 4 09:03:24.711: ISAKMP : Scanning profiles for xauth ...
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
.Jan 4 09:03:24.711: ISAKMP:      encryption 3DES-CBC
.Jan 4 09:03:24.711: ISAKMP:      hash SHA
.Jan 4 09:03:24.711: ISAKMP:      default group 2
.Jan 4 09:03:24.711: ISAKMP:      auth RSA sig
.Jan 4 09:03:24.711: ISAKMP:      life type in seconds
.Jan 4 09:03:24.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Jan 4 09:03:24.711: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
.Jan 4 09:03:24.743: ISAKMP (0:134217729): vendor ID is NAT-T v7
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
.Jan 4 09:03:24.747: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
.Jan 4 09:03:24.751: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
.Jan 4 09:03:24.755: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Jan 4 09:03:24.759: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
.Jan 4 09:03:24.815: ISAKMP (0:134217729): received packet from 10.2.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
.Jan 4 09:03:24.819: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan 4 09:03:24.819: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
.Jan 4 09:03:24.819: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
.Jan 4 09:03:24.867: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
.Jan 4 09:03:24.867: ISAKMP:(0:1:SW:1):SKEYID state generated
.Jan 4 09:03:24.867: ISAKMP:(0:1:SW:1): processing CERT_REQ payload. message ID = 0
.Jan 4 09:03:24.867: ISAKMP:(0:1:SW:1): peer wants a CT_X509_SIGNATURE cert
.Jan 4 09:03:24.867: ISAKMP:(0:1:SW:1): peer want cert issued by
.Jan 4 09:03:24.871: ISAKMP:(0:1:SW:1): Choosing trustpoint sys1 as issuer
.Jan 4 09:03:24.875: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan 4 09:03:24.879: ISAKMP:(0:1:SW:1): vendor ID is Unity
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1): vendor ID is DPD
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1): processing vendor id payload
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1): speaking to another IOS box!
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
.Jan 4 09:03:24.883: ISAKMP (0:134217729): constructing CERT_REQ for issuer cn=sys
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
.Jan 4 09:03:25.127: ISAKMP (0:134217729): received packet from 10.2.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
.Jan 4 09:03:25.135: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan 4 09:03:25.139: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
.Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
.Jan 4 09:03:25.147: ISAKMP (0:134217729): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : RR5.sys.com
        protocol     : 17
        port         : 500
        length       : 19
.Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
.Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
.Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
.Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1): peer's pubkey isn't cached
.Jan 4 09:03:25.179: CRYPTO_PKI: Poll CRL - unrecognized URI in FULLNAME URI
.Jan 4 09:03:25.179: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.2.1.1 is bad: certificate invalid
.Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
.Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1): sending packet to 10.2.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
.Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
.Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
.Jan 4 09:04:39.695: ISAKMP: quick mode timer expired.
.Jan 4 09:04:39.699: ISAKMP:(0:1:SW:1):src 10.2.1.1 dst 10.2.1.3, SA is not authenticated
.Jan 4 09:04:39.699: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
.Jan 4 09:04:39.703: ISAKMP:(0:1:SW:1):deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 10.2.1.1)
.Jan 4 09:04:39.711: ISAKMP:(0:1:SW:1):deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 10.2.1.1)
.Jan 4 09:04:39.711: ISAKMP: Unlocking IKE struct 0x64E84168 for isadb_mark_sa_deleted(), count 0
.Jan 4 09:04:39.711: ISAKMP: Deleting peer node by peer_reap for 10.2.1.1: 64E84168
.Jan 4 09:04:39.711: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Jan 4 09:04:39.711: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA
.Jan 4 09:04:39.711: IPSEC(key_engine): got a queue event with 1 kei messages

The cause of the problem is still unknown, but what is certain is that the key exchange fails partway through.
I asked on a lot of forums without result, so I'm posting it here to come back to later.

This post is from the “水煮豆豆_网络爬爬” blog on 51CTO.
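What the RR7 trace rejects is visible in the lines above: `%CRYPTO-5-IKMP_INVAL_CERT ... certificate invalid` is logged immediately after `CRYPTO_PKI: Poll CRL - unrecognized URI in FULLNAME URI`, both trustpoints carry `revocation-check crl`, and the CA server's `cdp-url` is `http://192.168.0.212` with no path. The script below is an added example, not part of the original post: it walks the DER of RR5's identity certificate (`certificate 02` from the RR5 config, hex copied verbatim) using only the standard library and extracts the CRL Distribution Point URI that RR7 is handed, plus the RSA modulus size (both identity certificates on the page carry 512-bit keys; the CA key is 1024-bit). The `has_path` helper and the `/sys.crl` path in its usage are my own illustration, not something the page configures.

```python
"""Added example (not from the original post): decode the CRL Distribution
Point and RSA key size from the RR5 identity certificate shown on the page.
Standard library only."""
from urllib.parse import urlparse

# 'certificate 02' from 'crypto pki certificate chain sys1' on RR5, copied from the page.
RR5_CERT_02 = bytes.fromhex("""
308201D2 3082013B A0030201 02020102 300D0609 2A864886 F70D0101 04050030
0E310C30 0A060355 04031303 73797330 1E170D30 38303130 34303833 3835345A
170D3039 30313033 30383338 35345A30 1C311A30 1806092A 864886F7 0D010902
160B5252 352E7379 732E636F 6D305C30 0D06092A 864886F7 0D010101 0500034B
00304802 4100D720 734C8D41 FE3C6A68 EF6946DB 60EAF693 201FC5CA 14A93C7D
2266E36B E45596AD 1D3982A2 EDC3EE95 16EEB484 65259C3D 01F33729 C164CC6B
33190AB8 B98B0203 010001A3 76307430 25060355 1D1F041E 301C301A A018A016
86146874 74703A2F 2F313932 2E313638 2E302E32 3132300B 0603551D 0F040403
0205A030 1F060355 1D230418 30168014 E8647D86 7C2B0570 F3A9B74D A5687FF5
50CE4772 301D0603 551D0E04 16041480 43458F97 109EFD97 15C262C1 0FC6B0D8
E23F5E30 0D06092A 864886F7 0D010104 05000381 81008ED0 8E41CAEE EE2185CA
320D5D28 6894DE8B B49A8622 CCCA3063 D313E3BB F2B56F6A 926219A9 624486C9
E7CDC4F5 504DB1EB 37864782 E783D13B 60FC16C8 3BBEFF89 2ADBEA99 0FD9FF06
D5148A52 7B6FC37A 0B61F551 CEFFFABE 5CCC47CC 7DE3D912 EC4A975D F78F3611
6404CB77 F3FD1E47 D2ACBF6F 8532E36F 45968AC2 BC44
""")

OID_CRL_DISTRIBUTION_POINTS = bytes.fromhex("551D1F")   # 2.5.29.31, DER-encoded


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield the (tag, value) pairs packed inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        yield tag, body


def tbs_fields(cert_der):
    """tbsCertificate fields with the optional [0] version dropped:
    serial, sigalg, issuer, validity, subject, spki, [extensions]."""
    _, certificate, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(certificate)
    fields = list(children(tbs))
    return fields[1:] if fields[0][0] == 0xA0 else fields


def uris_in(value):
    """Collect every [6] uniformResourceIdentifier GeneralName below this value."""
    found = []
    for tag, body in children(value):
        if tag == 0x86:                   # context-specific primitive tag 6: IA5String URI
            found.append(body.decode("ascii"))
        elif tag & 0x20:                  # constructed: recurse
            found.extend(uris_in(body))
    return found


def crl_dp_uris(cert_der):
    """URIs in the CRL Distribution Points extension, or [] if absent."""
    for tag, body in tbs_fields(cert_der):
        if tag != 0xA3:                   # [3] EXPLICIT Extensions
            continue
        _, extensions, _ = read_tlv(body)
        for _, ext in children(extensions):
            parts = list(children(ext))   # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == OID_CRL_DISTRIBUTION_POINTS:
                return uris_in(parts[-1][1])
    return []


def rsa_modulus_bits(cert_der):
    """Bit length of the RSA modulus in subjectPublicKeyInfo."""
    spki = tbs_fields(cert_der)[5][1]
    _, bit_string = list(children(spki))[1]
    _, rsa_key, _ = read_tlv(bit_string[1:])   # skip the unused-bits octet
    _, modulus = next(children(rsa_key))
    return int.from_bytes(modulus, "big").bit_length()


def has_path(uri):
    """True when the URI names a resource rather than only a host (assumed
    check for reading 'Poll CRL' errors; a CDP is meant to point at a CRL)."""
    return urlparse(uri).path not in ("", "/")


if __name__ == "__main__":
    for uri in crl_dp_uris(RR5_CERT_02):
        print(f"CDP URI: {uri}  has path: {has_path(uri)}")
    print(f"RSA modulus: {rsa_modulus_bits(RR5_CERT_02)} bits")
```

Run as a script it prints the host-only CDP URI and the 512-bit modulus. The URI is the first thing to compare against the `cdp-url` line when a `Poll CRL` error appears in a trace, since the peer fetches the CRL from whatever the CA stamped into the certificate; the key size is a separate finding, but 512-bit RSA is far below anything a current deployment should accept, regardless of the IKE failure.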
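Reading the responder trace by eye means following the IKE state machine across ninety lines. As an added example (not from the original post), the function below runs over a constructed subset of the RR7 lines above and reports the main-mode transitions, the PKI error, the syslog message that rejected the certificate and the reason the SA was torn down, so the failure point is explicit: the responder reaches IKE_R_MM5, steps back to IKE_R_MM4 on IKE_PROCESS_ERROR, and the SA dies on the quick-mode timer while still unauthenticated.

```python
"""Added example (not from the original post): triage one IKEv1 main-mode
negotiation from IOS 'debug crypto isakmp' / 'debug crypto pki' output."""
import re

# Constructed subset of the RR7 (responder) lines quoted on the page, in log order,
# with the leading '.' of the unsynchronised-clock timestamp removed.
RR7_DEBUG = """\
Jan 4 09:03:24.699: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Jan 4 09:03:24.743: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jan 4 09:03:24.759: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
Jan 4 09:03:24.819: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
Jan 4 09:03:24.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Jan 4 09:03:25.139: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
Jan 4 09:03:25.147: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
Jan 4 09:03:25.179: CRYPTO_PKI: Poll CRL - unrecognized URI in FULLNAME URI
Jan 4 09:03:25.179: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.2.1.1 is bad: certificate invalid
Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jan 4 09:03:25.179: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Jan 4 09:04:39.695: ISAKMP: quick mode timer expired.
Jan 4 09:04:39.699: ISAKMP:(0:1:SW:1):src 10.2.1.1 dst 10.2.1.3, SA is not authenticated
Jan 4 09:04:39.703: ISAKMP:(0:1:SW:1):deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 10.2.1.1)
Jan 4 09:04:39.711: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PKI_RE = re.compile(r"CRYPTO_PKI: (.*)")
SYSLOG_RE = re.compile(r"(%CRYPTO-\d-\w+): (.*)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


def mm_level(state):
    """Main-mode step number of an IKE state name (IKE_R_MM5 -> 5), else None."""
    m = re.search(r"_MM(\d)$", state)
    return int(m.group(1)) if m else None


def triage(text):
    """Summarise one IKE negotiation from IOS debug text."""
    transitions, pki_errors, syslog, delete_reason = [], [], [], None
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            if m.group(1) != m.group(2):          # IOS also logs no-op transitions; drop them
                transitions.append((m.group(1), m.group(2)))
        elif m := PKI_RE.search(line):
            pki_errors.append(m.group(1))
        elif m := SYSLOG_RE.search(line):
            syslog.append((m.group(1), m.group(2)))
        elif m := DELETE_RE.search(line):
            delete_reason = delete_reason or m.group(1)   # keep the first reason logged
    # A step backwards in main mode means the authentication exchange was discarded.
    regressed = any(
        mm_level(a) is not None and mm_level(b) is not None and mm_level(b) < mm_level(a)
        for a, b in transitions
    )
    return {
        "transitions": transitions,
        "last_state": transitions[-1][1] if transitions else None,
        "auth_regressed": regressed,
        "pki_errors": pki_errors,
        "cert_rejected": any(name == "%CRYPTO-5-IKMP_INVAL_CERT" for name, _ in syslog),
        "delete_reason": delete_reason,
    }


if __name__ == "__main__":
    for key, value in triage(RR7_DEBUG).items():
        print(f"{key}: {value}")
```

The same function runs unchanged over the initiator side: on RR5 the furthest state is IKE_I_MM5 and the delete reason is "P1 delete notify (in)", which is the responder's tear-down arriving as a notify, so the side that actually made the decision is always the one whose trace carries the `%CRYPTO` message.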


