H3C CR16000-F Router Debugging Command Reference-R826X-6W100, 12-Security
https://www.h3c.com/cn/d_202205/1616066_30005_0.htm
1 IPsec
1.1 IPsec debugging commands
1.1.1 debugging ipsec
Use debugging ipsec to enable IPsec debugging.
Use undo debugging ipsec to disable IPsec debugging.
【Syntax】
debugging ipsec { all | error | event | packet [ { policy | ipv6-policy } policy-name [ seq-number ] | profile profile-name | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-number | remote { ipv4-address | ipv6 ipv6-address } ] }
undo debugging ipsec { all | error | event | packet }
【Default】
IPsec debugging is disabled.
【Views】
User view
【Predefined user roles】
network-admin
【Parameters】
all: Specifies all IPsec debugging switches.
error: Specifies the IPsec error debugging switch.
event: Specifies the IPsec event debugging switch.
packet: Specifies the IPsec packet debugging switch.
policy: Specifies an IPsec policy.
ipv6-policy: Specifies an IPv6 IPsec policy.
policy-name: Specifies the name of the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies the sequence number of an IPsec policy entry, in the range of 1 to 6553.
profile profile-name: Specifies an IPsec profile. The profile-name argument is the name of the IPsec profile, a case-insensitive string of 1 to 63 characters.
spi: Specifies an SA by its SPI triplet (SPI, security protocol, and IPsec tunnel peer address).
ipv4-address: Specifies the IPv4 address of the IPsec tunnel peer.
ipv6 ipv6-address: Specifies the IPv6 address of the IPsec tunnel peer.
ah: Specifies the AH protocol.
esp: Specifies the ESP protocol.
spi-number: Specifies the SPI number, in the range of 256 to 4294967295.
remote: Specifies the IP address of the IPsec tunnel peer.
ipv4-address: Specifies the IPv4 address of the IPsec tunnel peer.
ipv6 ipv6-address: Specifies the IPv6 address of the IPsec tunnel peer.
【Usage guidelines】
Table 1-1 Output description for the debugging ipsec error command

| Field | Description |
| --- | --- |
| Failed to allocate memory. | Failed to allocate memory. |
| Failed to set an IPv6 header variable to 0. | An error occurred while zeroing the mutable fields of the IPv6 header. |
| Failed to add SP entry in kernel. | Failed to add an SP (Security Policy) entry in the kernel. |
| Failed to find SP entry in kernel. | Failed to find the SP entry in the kernel. |
| The SP doesn't exist in kernel. | The SP does not exist in the kernel. |
| The IPsec tunnel doesn't exist in kernel. | The IPsec tunnel does not exist in the kernel. |
| The DPD doesn't exist in kernel. | The DPD (Dead Peer Detection) entry does not exist in the kernel. |
| Failed to require CCFJOB structure. | Failed to request a CCF JOB structure. |
| Failed to encrypt CCF. | CCF encryption failed. |
| The SA doesn't exist. | The SA does not exist. |
| Failed to decrypt CCF. | CCF decryption failed. |
| Failed to create CCF session. | Failed to create a CCF session. |
| The packet hash values don’t match. | The hash value of the decapsulated packet does not match. |
| No SA in IPsec tunnel. | The IPsec tunnel has no SA. |
| Can't find next SA in AH-ESP mode. | In AH-ESP mode, the next SA cannot be found. |
| IPsec tunnel has been deleted or updated when fast forwarding is performed. | The IPsec tunnel was deleted or updated during fast forwarding. |
| Packet should have been encrypted by IPsec. | The packet should have been protected by IPsec. |
| SA has been deleted or updated when fast forwarding is performed. | The SA was deleted or updated during fast forwarding. |
| In transport mode, SA address doesn’t match packet address. | In transport mode, the addresses in the packet do not match those in the SA. |
| The packet is too big: size = size. | The packet is too big; its size is size. |
| Failed to add outer IP header. | Failed to add the outer IP header. |
| The packet is not an IPsec packet. | The packet is not an IPsec packet. |
| Can't find SP. | The SP cannot be found. |
| Can't find SA by SP. | No SA matching the SP can be found. |
| Failed to add node to invalid SPI hash table. | Failed to add a node to the invalid-SPI hash table. |
| Failed to add SA to IPsec tunnel. | Failed to add the SA to the IPsec tunnel. |
| Failed to connect to the IPsec daemon. | Failed to connect to the IPsec user-space daemon. |
| The block-flow-table doesn't exist. | The block-flow table does not exist. |
| The ACL mode is wrong. | The ACL mode is wrong. |
| Received replayed packet. | A replayed packet was received. |
| Can’t find SA when processing ICMP too big packet: SPI = spi. | The SA cannot be found while processing an ICMP too-big packet; the SPI value is spi. |
| No SA in IPsec tunnel. | The IPsec tunnel has no SA at all. |
| Invalid IPsec profile index. | Invalid IPsec profile index. |
| Failed to get IPsec profile name. | Failed to get the IPsec profile name. |
| After decryption, source address check failed. | The source address check failed after decapsulation. |
| Failed to create lipc socket. | Failed to create the lipc socket. |
| The SP already exists. | The SP already exists. |
| Failed to add SP in kernel. | Failed to add the SP in the kernel. |
| Failed to add profile SP in kernel | Failed to add the profile SP in the kernel. |
| Failed to add SA in kernel. | Failed to add the SA in the kernel. |
| Failed to delete SA in kernel. | Failed to delete the SA from the kernel. |
| Failed to add IPsec tunnel in kernel. | Failed to add the IPsec tunnel in the kernel. |
| Failed to delete tunnel in kernel. | Failed to delete the IPsec tunnel from the kernel. |
| Failed to add DPD in kernel. | Failed to add the DPD entry in the kernel. |
| Failed to delete DPD in kernel. | Failed to delete the DPD entry from the kernel. |
| The SP entry doesn't exist in kernel. | The SP entry does not exist in the kernel. |
| Number of SAs exceeded the limit. | The number of SAs exceeded the upper limit. |
| Failed to create IPsec IF-CB. | Failed to create the IPsec interface control block. |
| Failed to set IPsec IF-CB to interface (ifIndex = ifindex) | Failed to set the IPsec interface control block on the interface; the interface index is ifindex. |
| Failed to change the aging timer for block-flow-table. | Failed to change the aging time of the block-flow table. |
| Failed to create policy/template. | Failed to create the policy/template from the command line. |
| Failed to create policy/template group. | Failed to create the policy group/template group from the command line. |
| Failed to initialize policy hash table. | Failed to initialize the policy hash table. |
| Failed to recover policy/template. | Failed to recover the policy/template. |
| Failed to recover policy/template group. | Failed to recover the policy group/template group. |
| Failed to recover transform reference. | Failed to recover the references to the transform set. |
| Failed to save policy/template/profile info to DBM. | Failed to save policy/template/profile information to the DBM. |
| Failed to delete policy/template/profile info from DBM. | Failed to delete policy/template/profile information from the DBM. |
| Failed to save system configuration to DBM. | Failed to save the system configuration to the DBM. |
| Failed to save transform configuration to DBM. | Failed to save the transform set configuration to the DBM. |
| Failed to get system configuration from DBM. | Failed to read the system configuration from the DBM. |
| Failed to save source interface configuration to DBM. | Failed to save the source interface configuration to the DBM. |
| Failed to save interface configuration to DBM. | Failed to save the interface configuration to the DBM. |
| Failed to get interface name by ifIndex. | Failed to get the interface name by interface index. |
| Failed to start IPsec daemon. | Failed to start the IPsec process. |
| Failed to alloc SP index. | Failed to allocate an SP index. |
| Failed to malloc SP. | Failed to allocate SP resources. |
| Failed to malloc SP entry. | Failed to allocate SP entry resources. |
| Failed to update kernel SP entry. | Failed to update the SP entry in the kernel. |
| Failed to find SP entry. | Failed to find the SP entry. |
| Failed to add SP to array. | Failed to add the SP to the array. |
| Failed to find template group. | Failed to find the template group. |
| Failed to add policy SP to kernel | Failed to add the policy SP to the kernel. |
| Failed to find policy SP. | Failed to find the policy SP. |
| Failed to add profile SP to kernel. | Failed to add the profile SP to the kernel. |
| Failed to get SP when filling ISAKMP SA data. | Failed to get the SP when filling ISAKMP SA data. |
| Failed to get DPD when filling ISAKMP SA data. | Failed to get the DPD entry when filling ISAKMP SA data. |
| Failed to add IPsec tunnel when adding manual SA. | Failed to add the IPsec tunnel when adding a manual SA. |
| Failed to add IPsec tunnel during ISSU update process. | Failed to add the IPsec tunnel during an ISSU upgrade. |
| Failed to add SA when adding manual SA. | Failed to add the SA when adding a manual SA. |
| Failed to fill SA when adding ISAKMP SA. | Failed to fill the SA when adding an ISAKMP SA. |
| Failed to add IPsec tunnel when adding ISAKMP SA. | Failed to add the IPsec tunnel when adding an ISAKMP SA. |
| Failed to add timer when adding ISAKMP SA. | Failed to add the timer when adding an ISAKMP SA. |
| Failed to alloc SPI. | Failed to allocate an SPI. |
| Failed to alloc new SPI for ISAKMP SA. | Failed to allocate a new SPI for the ISAKMP SA. |
| Failed to alloc larva SA index when adding larva SA. | Failed to allocate a larval SA index when adding a larval SA. |
| Failed to add larval SA. | Failed to add the larval SA. |
| Failed to alloc SA index. | Failed to allocate an SA index. |
| Failed to alloc ISAKMP SA index. | Failed to allocate an index for the ISAKMP SA. |
| Failed to alloc manual SA index. | Failed to allocate an index for the manual SA. |
| Failed to add SA. | Failed to add the SA. |
| Failed to add SA to kernel. | Failed to add the SA to the kernel. |
| Failed to add SA to kernel during ISSU update process. | Failed to add the SA to the kernel during an ISSU upgrade. |
| Failed to alloc DPD Index. | Failed to allocate a DPD index. |
| Failed to add DPD timer. | Failed to add the DPD timer. |
| Failed to add DPD to kernel. | Failed to add the DPD entry to the kernel. |
| Failed to add DPD timer during smooth processing with IKE. | Failed to add the DPD timer during smooth processing with IKE. |
| Failed to add DPD to kernel during smooth processing with IKE. | Failed to add DPD data to the kernel during smooth processing with IKE. |
| The same outbound profile SA has existed. SPI: spi Protocol: protocol. | The same outbound profile SA (an SA generated by an IPsec profile) already exists. The SPI value is spi and the protocol type is protocol. |
| The same outbound policy SA has existed. SPI: spi, Remote address: remote-addr, Protocol: protocol. | The same outbound policy SA (an SA generated by an IPsec policy) already exists. The SPI value is spi, the peer address is remote-addr, and the protocol type is protocol. |
| Failed to generate static route. | Failed to generate route information when creating the IPsec tunnel. |
| Failed to add static route. | The routing module failed to add the static route when creating the IPsec tunnel. |
| Failed to delete static route. | The routing module failed to delete the static route when deleting the IPsec tunnel. |
| Failed to notify route module of starting to smooth IPv4 static routes. | Failed to notify the routing module to start smoothing IPv4 routes during route smoothing with the routing module. |
| Failed to notify route module of starting to smooth IPv6 static routes. | Failed to notify the routing module to start smoothing IPv6 routes during route smoothing with the routing module. |
| Failed to subscribe service events. | Failed to subscribe to service events. |
| Failed to set IPsec fragmentation before encryption configuration to kernel. | Failed to set the IPsec pre-encryption fragmentation function in the kernel. |
| Can't find IPsec policy when setting group name. | Failed to find the IPsec policy when setting the GDOI group name. |
| Failed to create GDOI SA entry. | Failed to create a GDOI SA entry. |
| Failed to allocate GDOI IPsec SA index. | Failed to request a GDOI IPsec SA index resource. |
| Failed to find GDOI SP SA entry. | Failed to find the GDOI SP SA entry. |
| Failed to get SP when comparing decrypted packets with ACL. | Failed to find the SP when matching the decapsulated packet against the ACL. |
| Failed to pre-fragment packet. Dropped the packet. | Failed to pre-fragment the packet; the packet was dropped. |
| Can't find shared source SP entry. | The SP entry of the shared source interface cannot be found. |
| Inbound IPsec processing: source address=src-addr, destination address=des-addr, protocol=pro. Packet was dropped according to IPsec policy policyname(sequence number: seqnum). | Inbound IPsec processing: the source address is src-addr, the destination address is des-addr, and the protocol is pro. The packet was dropped according to the match result of the IPsec policy (sequence number seqnum). |
| Failed to get IF CB: ifIndex=index. | Failed to get the interface control block; the interface index is index. |
| Inbound IPsec processing: Failed to check packet by ACL. | Inbound IPsec processing: the packet failed the ACL check. |
| Inbound IPsec fast processing: SPI not match. | Inbound IPsec fast processing: the SPI does not match the fast-forwarding table. |
| Failed to Convert Buf To Mbuf. Dropped packet. | Failed to convert the fast-forwarding BUF to a slow-forwarding MBUF; the packet was dropped. |
| Inbound IPsec fast processing: Failed to check packet by ACL. | Inbound IPsec fast processing: the packet failed the ACL check. |
| Failed to get Packet Info. | Failed to get packet information. |
| Inbound IPsec fast GDOI processing: Failed to check packet. | Inbound IPsec GDOI fast processing: failed to check the packet. |
| Output IPsec fast processing: Max loopCount exceeded. | Outbound IPsec fast processing: the local loopback count of the packet exceeded the maximum. |
| Output IPsec fast processing: Failed to get IPsec cache data. | Outbound IPsec fast processing: failed to get IPsec fast-forwarding table data. |
| Inbound AH processing: Dropped packet matching GDOI SA (SPI: spi). | Inbound AH processing: the packet matched a GDOI SA (SPI spi) and was dropped. |
| Failed to add IPsec SA in kernel: invalid IPsec SA index. | Failed to add the IPsec SA in the kernel because the IPsec SA index is invalid. |
| Failed to add IPsec SA to array hash in kernel. | Failed to add the IPsec SA to the hash queue in the kernel. |
| Failed to add IPsec SA to outbound hash in kernel. | Failed to add the IPsec SA to the outbound hash queue in the kernel. |
| Failed to add IPsec SA to inbound hash in kernel. | Failed to add the IPsec SA to the inbound hash queue in the kernel. |
| Failed to get packet information. | Failed to get information about the decapsulated packet. |
| No SA in GDOI flow. | No SA can be found to protect the GDOI flow. |
| Failed to add outbound SA (index: index) for GDOI flow. | Failed to set the outbound SA protecting the GDOI flow. |
| Failed to add flow to HIPAC. | Failed to add the flow to the flow table. |
| Failed to alloc memory in kernel. | Failed to allocate memory in the kernel. |
| Failed to add GDOI flow to array hash table in kernel. | Failed to add the GDOI flow to the hash table in the kernel. |
| Failed to add GDOI flow in kernel. | Failed to add the GDOI flow in the kernel. |
| Failed to find IPsec SA with index index when switching SA in kernel. | Failed to find the IPsec SA by index index when switching SAs in the kernel. |
| Can't find policy/template when setting security ACL. | Failed to find the IPsec policy/template when setting the security ACL. |
| Failed to add GDOI flow to SP. | Failed to add GDOI flow information to the SP. |
| Failed to add IPsec SA when adding GDOI SA to SP. | Failed to add the IPsec SA while adding the GDOI SA to the SP. |
| Failed to find GDOI SP when adding GDOI SA to SP. | Failed to find the GDOI SP while adding the GDOI SA to the SP. |
| Failed to find IPsec SP when adding GDOI SA to SP. | Failed to find the IPsec SP while adding the GDOI SA to the SP. |
| Failed to send message of dereference GDOI group to GM. | Failed to send the message that the IPsec policy dereferences the GDOI group to the GM. |
| Failed to send message of reference GDOI group to GM. | Failed to send the message that the IPsec policy references the GDOI group to the GM. |
| Failed to add download resource to GDOI SP. | Failed to add the flow and IPsec resources downloaded from the KS to the GDOI SP. |
| Failed to add GDOI SP index. | Failed to add a GDOI SP index. |
| Failed to create GDOI SP. | Failed to create the GDOI SP. |
| Failed to get GDOI group. | Failed to get the GDOI group. |
| Failed to find GDOI SA entry to set current SPI(spi). | Failed to find the GDOI SA entry when setting SPI spi as the current SPI. |
| Failed to set outbound IPsec SA (index: index) to kernel. | Failed to set the outbound IPsec SA with index index in the kernel. |
| Failed to find GDOI IPsec SA index with SPI spi to set outbound IPsec SA. | Failed to find the index of the GDOI IPsec SA with SPI spi when setting the outbound IPsec SA. |
| Failed to add all GDOI SA entries to SP. | Failed to add all GDOI SA entries to the SP. |
| Failed to add IPsec SA index to GDOI SP SA entry. | Failed to add the IPsec SA index to the GDOI SP SA entry. |
| Failed to create GDOI SP flow. | Failed to create the GDOI SP flow. |
| Failed to find IPsec GDOI SP when clearing ACL check flag. | Failed to find the IPsec GDOI SP when clearing the ACL check flag. |
| Failed to find IPsec GDOI SP when setting ACL check flag. | Failed to find the IPsec GDOI SP when setting the ACL check flag. |
| Failed to find GDOI SP when display GDOI SA. | Failed to find the GDOI SP when displaying GDOI SAs. |
| Failed to find SP SA Entry when display GDOI SA. | Failed to find the SP SA entry when displaying GDOI SAs. |
| Failed to get packet information. | Failed to get information about the decrypted packet. |
| No IPv6 SA in GDOI Flow. | The GDOI flow has no IPv6 SA. |
| Failed to add GDOI IPsec SA in kernel. | Failed to add the GDOI IPsec SA in the kernel. |
| Failed to delete GDOI IPsec SA in kernel. | Failed to delete the GDOI IPsec SA in the kernel. |
| Failed to switch GDOI IPsec SA (index: index) in kernel. | Failed to switch the GDOI IPsec SA (index index) in the kernel. |
| Failed to find IPsec SA with index (index) when updating SA in kernel. | Failed to find the IPsec SA (index index) when updating the SA in the kernel. |
| Failed to allocate asynchronous encryption data memory. | Failed to request memory for asynchronous encryption data. |
| Failed to allocate asynchronous data. | Failed to request memory for asynchronous data. |
| Failed to match ACL by packet information. | Failed to match the packet information against the ACL. |
| Inbound AH processing: Dropped packet matching GDOI SA (SPI: spi). | Inbound AH processing: a packet matching the GDOI SA with SPI spi was received and dropped. |
| Inbound AH IPv6 processing: Dropped packet matching GDOI SA (SPI: spi). | Inbound AH IPv6 processing: a packet matching the GDOI SA with SPI spi was received and dropped. |
| Inbound AH IPv6 processing: Received invalid packet (SPI: spi). Dropped the packet. | Inbound AH IPv6 processing: a packet matching the GDOI SA with SPI spi was received and dropped. |
| Inbound IPsec ESP processing: Authentication failed. | Inbound IPsec ESP processing: authentication failed. |
| Inbound IPsec ESP processing: Received invalid SPI spi. | Inbound IPsec ESP processing: an invalid SPI value spi was received. |
| Inbound IPsec processing: Failed to process QoS before decapsulation. | Inbound IPsec processing: QoS processing before decapsulation failed. |
| Failed to set IPsec fragmentation configuration to kernel. | Failed to set the IPsec post-encryption fragmentation switch in the kernel. |
| Failed to install IKE. | Failed to initialize IKE. |
| Invalid length of synchronization update SA. | The length of the SA to be synchronously updated is invalid. |
| Processing GDOI synchronization message of switching SA (index: index): Failed to find outbound SA. | Processing the GDOI synchronization message for switching the SA with index index: failed to find the outbound SA. |
| Processing GDOI synchronization message of switching SA (index: index): Failed to find GDOI SP SA entry. | Processing the GDOI synchronization message for switching the SA with index index: failed to find the GDOI SP SA entry. |
| Processing GDOI synchronization message of switching SA (index: index): Failed to send sync message to kernel. | Processing the GDOI synchronization message for switching the SA with index index: failed to send the synchronization message to the kernel. |
| Invalid length of sync SA. | The length of the SA to be synchronized is invalid. |
| Failed to add SA to backup card. | Failed to add the SA to the standby MPU. |
| Failed to add local SA to backup card. | Failed to add the local SA to the standby MPU. |
| Invalid length of sync GDOI flow. | The length of the GDOI flow to be synchronized is invalid. |
| Failed to add GDOI flow.to backup card. | Failed to add the GDOI flow during synchronization. |
| Failed to allocate memory to sync GDOI SP SA entry. | Failed to request memory for the GDOI SP SA entry to be synchronized. |
| Failed to create synchronization GDOI SP SA entry. | Failed to create the GDOI SP SA entry to be synchronized. |
| Failed to add synchronization GDOI flow. | Failed to add the GDOI flow during synchronization. |
| Failed to find GDOI SP SA entry to update SA (SPI: spi). | Failed to find the GDOI SP SA entry when updating the IPsec SA with SPI spi. |
| Failed to find outbound IPsec SA index with SPI spi to update IPsec SA. | Failed to find the index of the outbound IPsec SA with SPI spi when updating the IPsec SA. |
| Failed to update inbound and outbound IPsec SAs. | Failed to update a pair of IPsec SAs. |
| Failed to get IPsec SA indexes to update inbound and outbound IPsec SAs. | Failed to get the indexes of a pair of IPsec SAs when updating IPsec SAs. |
| Failed to send IPsec SA (index: index) update message to kernel. | Failed to send the update message for the IPsec SA with index index to the kernel. |
| Updating GDOI IPsec SA: Failed to find outbound IPsec SA with index(index). | Updating the GDOI IPsec SA: failed to get the outbound IPsec SA by index index. |
| Updating outbound GDOI IPsec SA: Unsupported protocol(PROTO) . | Updating the outbound GDOI IPsec SA: unsupported protocol type PROTO. |
| Updating GDOI IPsec SA: Failed to find inbound IPsec SA with index(index). | Updating the GDOI IPsec SA: failed to find the inbound IPsec SA by index index. |
| Updating inbound GDOI IPsec SA: Unsupported protocol protocol-type. | Updating the inbound GDOI IPsec SA: unsupported protocol type protocol-type. |
| Smooth processiong: Failed to smooth GDOI SP flow of group (name: GroupName). | Smooth processing: failed to create the GDOI security policy flow. |
| Smooth processiong:Failed to find GDOI SP SA entry to add IPsec GDOI SA. | Smooth processing: the corresponding GDOI security policy entry cannot be found when adding the IPsec GDOI SA. |
| Smooth processiong: Failed to add IPsec GDOI SA by GDOI SA entry. | Smooth processing: failed to add the IPsec GDOI SA by GDOI SA entry. |
| Smooth processiong: Failed to add GDOI SA to SP. | Smooth processing: failed to add the GDOI SA to the security policy. |
| Smooth processiong: Failed to create GDOI SP flow | Smooth processing: failed to create the GDOI security policy flow. |
| Smooth processiong: Failed to create GDOI SP SA entry. | Smooth processing: failed to create the GDOI security policy SA entry. |
| Failed to set GDOI outbound IPsec SA(index: index) to kernel. | Failed to deliver the outbound GDOI IPsec SA with index index to the kernel. |
| Restoring GDOI SP SA entry: Failed to allocate GDOI SP SA entry. | Restoring the GDOI security policy SA entry: failed to request memory for the GDOI security policy SA entry. |
| Failed to restore GDOI IPsec SA index. | Failed to restore the GDOI IPsec SA index. |
| Failed to cache GDOI SP SA entry when smoothing GDOI flow. | Failed to cache the GDOI security policy SA entry when smoothing the GDOI flow. |
| Failed to rebuild group (name: GroupName) GDOI SP flow. | Failed to rebuild the GDOI security policy flow of the group named GroupName. |
| Failed to allocate GDOI SP SA entry. | Failed to request memory for the GDOI security policy SA entry. |
| Failed to add GDOI SP SA entry. | Failed to add the GDOI security policy SA entry. |
| Failed to allocate GDOI SP flow. | Failed to request memory for the GDOI security policy flow. |
| Failed to allocate GDOI SP. | Failed to request memory for the GDOI security policy. |
| Failed to create GDOI SP SA entry: not enough resources. | Insufficient memory; failed to create the GDOI security policy SA entry. |
| Failed to create GDOI IPsec SA index: not enough resources. | Insufficient memory; failed to create the GDOI IPsec SA index. |
| Failed to create GDOI SP: not enough resources. | Insufficient memory; failed to create the GDOI security policy. |
| Failed to allocate GDOI SP SA entry index. | Failed to request a GDOI security policy SA entry index. |
| Failed to add IPsec GDOI SA by GDOI SA entry. | Failed to add the IPsec GDOI SA by GDOI SA entry. |
| Smooth processiong: Failed to add no-context data to SP because resources were short. | Smooth processing: insufficient memory; failed to deliver the cached no-context data to the interface. |
| Smooth processiong: Failed to add no-context IPsec GDOI SA by GDOI SA entry. | Smooth processing: failed to add the no-context GDOI SA recorded in the security policy SA entry. |
| Smooth processiong: Failed to find GDOI SA when adding no-context GDOI SA | Smooth processing: failed to find the GDOI SA when adding the no-context GDOI SA. |
| Smooth processiong: Failed to add IPsec GDOI SA when adding no-context GDOI SA | Smooth processing: failed to add the IPsec GDOI SA when adding the no-context GDOI SA. |
| Smooth processiong: Failed to add IPsec SA index when adding no-context GDOI SA | Smooth processing: failed to add the IPsec SA index when adding the no-context GDOI SA. |
| Failed to add GDOI flow to kernel. | Failed to add the GDOI flow to the kernel. |
| Failed to find entry to add GDOI SP SA. | The entry cannot be found when adding the GDOI security policy SA. |
| Failed to add GDOI update download data to SP: not enough resources. | Insufficient memory; failed to add the GDOI update data to the security policy. |
| Failed to add GDOI download data to SP: not enough resources. | Insufficient memory; failed to add the data downloaded by GDOI to the security policy. |
| Failed to update GDOI IPsec SA to kernel. | Failed to update the GDOI IPsec SA in the kernel. |
| Smooth processing: Failed to add GDOI SA entry. | Smooth processing: failed to add the GDOI SA entry. |
| Smooth processing: Failed to add GDOI IPsec SA. | Smooth processing: failed to add the GDOI IPsec SA. |
| Smooth processing: Failed to add GDOI IPsec SA to kernel. | Smooth processing: failed to add the GDOI IPsec SA to the kernel. |
| Smooth processing: Failed to add GDOI SA(SPI: spi). | Smooth processing: failed to add the GDOI SA with SPI spi. |
| Smooth processing: Failed to add GDOI IPsec SA because resources were short. | Smooth processing: insufficient memory; failed to add the GDOI IPsec SA. |
| Smooth processing: Failed to add GDOI IPsec SA because context was invalid. | Smooth processing: invalid context; failed to add the GDOI IPsec SA. |
| Failed to allocate GDOI SA entry. | Failed to request memory for the GDOI SA entry. |
| Failed to find SA entry to create GDOI SA. | Failed to find the SA entry when adding the GDOI SA. |
| Failed to allocate GDOI SA. | Failed to request memory for the GDOI SA. |
| Failed to find SA entry to create GDOI SA update data. | Failed to find the SA entry when creating the GDOI SA update data. |
| Failed to allocate GDOI SA update data. | Failed to request memory for the GDOI SA update data. |
| Failed to add GDOI IPsec SA to kernel. | Failed to add the GDOI IPsec SA to the kernel. |
| Failed to add GDOI IPsec SA. | Failed to add the GDOI IPsec SA. |
| Failed to add GDOI IPsec SA: not enough resources. | Insufficient memory; failed to add the GDOI IPsec SA. |
| Restoring GDOI SP SA Entry: Failed to find GDOI SP. | Restoring the GDOI security policy SA entry: failed to find the GDOI security policy. |
| Processing group(name: GroupName) smooth end message: Failed to find GDOI group. | Processing the GDOI group smooth-end message: failed to get the GDOI group. |
| Processing group(name: GroupName) smooth end message: Failed to add download resource to all interfaces. | Processing the GDOI group smooth-end message: failed to deliver the resources to all interfaces. |
| Processing group(name: GroupName) smooth begin message: Failed to find GDOI group. | Processing the GDOI group smooth-begin message: failed to get the GDOI group. |
| Processing group(name: GroupName) smooth TEK message: Failed to find GDOI group. | Processing the GDOI group smooth-TEK message: failed to get the GDOI group. |
| Processing group(name: GroupName) smooth TEK message: Failed to add GDOI SA(SPI: spi). | Processing the GDOI group smooth-TEK message: failed to add the GDOI SA with SPI spi. |
| Processing group(name: GroupName) smooth flow message: Failed to find GDOI group. | Processing the GDOI group smooth-flow message: failed to get the GDOI group. |
| Processing group(name: GroupName) smooth flow message: Failed to add GDOI flow(rule num). | Processing the GDOI group smooth-flow message: failed to add the GDOI flow with ACL rule number num. |
| Failed to reference GDOI group: not enough resources. | Insufficient memory; failed to reference the GDOI group. |
| IPsec policy SPName family (SPFamily ) and GDOI GM group GroupName family (GroupFamily) not match. | The IPsec protocol family of policy SPName is SPFamily, which does not match the protocol family GroupFamily of the GDOI GM group named GroupName. |
| Processing group(name: GroupName) delete-all message: Failed to find GDOI group. | Processing the GDOI group delete-all message: failed to get the GDOI group. |
| Processing group(name: GroupName) batch-update-TEK message: Failed to find GDOI group. | Processing the GDOI group batch-update-TEK message: failed to get the GDOI group. |
| Processing group(name: GroupName) batch-update-TEK message: Failed to find GDOI SA(SPI: spi). | Processing the GDOI group batch-update-TEK message: failed to get the GDOI SA with SPI spi. |
| Processing group(name: GroupName) batch-sync-flow message: Failed to find GDOI group. | Processing the GDOI group batch-sync-flow message: failed to get the GDOI group. |
| Processing group(name: GroupName) batch-sync-flow message: Failed to synchronize GDOI flow | Processing the GDOI group batch-sync-flow message: failed to synchronize the GDOI flow. |
| Processing group(name: GroupName) batch-set-outbound-TEK message: Failed to find GDOI group. | Processing the GDOI group batch-set-outbound-TEK message: failed to get the GDOI group. |
| Processing group(name: GroupName) batch-set-outbound-TEK message: Failed to set outbound SA(SPI: spi). | Processing the GDOI group batch-set-outbound-TEK message: failed to set the outbound SA with SPI spi. |
| Processing group(name: GroupName) batch-update end message: Stop processing: not enough resources. | Processing the GDOI group batch-update-end message: insufficient memory; processing stopped. |
| Processing group(name: GroupName) batch-update end message: Failed to find GDOI group. | Processing the GDOI group batch-update-end message: failed to find the GDOI group. |
| Processing group(name: GroupName) batch-update end message: Failed to add download resource to all interfaces. | Processing the GDOI group batch-update-end message: failed to add the downloaded data to all interfaces. |
| Processing group(name: GroupName) batch-delete-TEK-SPI message: Failed to find GDOI group. | Processing the GDOI group batch-delete-TEK-SPI message: failed to find the GDOI group. |
| Processing group(name: GroupName) batch-delete-TEK-flow message: Failed to find GDOI group. | Processing the GDOI group batch-delete-TEK-flow message: failed to find the GDOI group. |
| Processing group(name: GroupName) batch-delete-TEK-flow message: Failed to cache GDOI flow(rule rule). | Processing the GDOI group batch-delete-TEK-flow message: failed to cache the GDOI flow with rule number rule. |
| Processing group(name: GroupName) batch-update begin message: Stop processing: not enough resources. | Processing the GDOI group batch-update-begin message: insufficient memory; processing stopped. |
| Processing group(name: GroupName) batch-update begin message: Failed to find GDOI group. | Processing the GDOI group batch-update-begin message: failed to find the GDOI group. |
| Processing group(name: GroupName) batch-add-TEK message: Processing stopped because resources were short | Processing the GDOI group batch-add-TEK message: insufficient memory; processing stopped. |
| Processing group(name: GroupName) batch-add-TEK message: Failed to find GDOI group. | Processing the GDOI group batch-add-TEK message: failed to find the GDOI group. |
| Processing group(name: GroupName) batch-add-TEK message: Failed to Cached GDOI SA(SPI: spi). | Processing the GDOI group batch-add-TEK message: failed to cache the GDOI SA with SPI spi. |
| Processing group(name: GroupName) batch-add-flow message: Stop processing: not enough resources. | Processing the GDOI group batch-add-flow message: insufficient memory; processing stopped. |
| Processing group(name: GroupName) batch-add-flow message: Failed to find GDOI group. | Processing the GDOI group batch-add-flow message: failed to get the GDOI group. |
| Processing group(name: GroupName) batch-add-flow message: Failed to add GDOI flow(rule rule). | Processing the GDOI group batch-add-flow message: failed to add the GDOI flow with rule number rule. |
| Smooth processing: Failed to find IPsec SP when adding GDOI group(name: GroupName) smooth data to SP. | Smooth processing: failed to find the IPsec security policy when adding GDOI group data to the interface. |
| Smooth processing: Failed to find GDOI SP when adding GDOI group(name: GroupName) smooth data to SP. | Smooth processing: failed to find the GDOI security policy when adding GDOI group data to the interface. |
| Smooth processing:Failed to add smooth data to SP when adding GDOI group(name: GroupName) smooth data to SP. | Smooth processing: failed to add the smooth data when adding GDOI group data to the interface. |
| Failed to find GDOI group (name: GroupName) when recovering GDOI SP. | Failed to find the GDOI group named GroupName when recovering the GDOI security policy. |
| Failed to recover GDOI SP(index: index). | Failed to recover the GDOI security policy with index index. |
| Failed to add SA to IF: not enough resources. | Insufficient memory; failed to add the SA to the interface. |
| Failed to find SA entry when adding GDOI SA to SP. | Failed to find the SA entry when adding the GDOI SA to the security policy. |
| Failed to find IPsec SP when adding GDOI SA to SP. | Failed to find the IPsec security policy when adding the GDOI SA to the security policy. |
| Failed to find GDOI SP when adding GDOI SA to SP. | Failed to find the GDOI security policy when adding the GDOI SA to the security policy. |
| Failed to add IPsec SA when adding GDOI SA to SP. | Failed to add the IPsec SA when adding the GDOI SA to the security policy. |
| Failed to Set outbound IPsec SA (index: index) to kernel. | Failed to deliver the outbound IPsec SA with index index to the kernel. |
| Failed to find GDOI SP when adding SA. | Failed to find the GDOI security policy when adding the SA. |
| Failed to find group GroupName when adding SA. | Failed to find the group named GroupName when adding the SA. |
| Failed to add download resource to GDOI SP. | Failed to add the downloaded data to the GDOI security policy. |
| Failed to cache GDOI flow(rule num) to be deleted. | Failed to cache the to-be-deleted GDOI flow with ACL rule number num. |
| Failed to cache GDOI SA (SPI: spi). | Failed to cache the GDOI SA with SPI spi. |
| Failed to create SP index: not enough resources. | Insufficient memory; failed to create the security policy index. |
| Failed to allocate GDOI group index. | Failed to request memory for the GDOI group index. |
| Failed to allocate GDOI group: not enough resources. | Insufficient memory; failed to request memory for the GDOI group. |
| Failed to allocate GDOI group. | Failed to request memory for the GDOI group. |
| Smooth processing: Failed to find IPsec SP when adding no-context data of GDOI group group-name to SP. | Smooth processing: failed to find the IPsec security policy when adding the no-context data of the GDOI group to the security policy. |
| Smooth processing:Failed to find GDOI SP when adding no-context data of GDOI group group-name to SP. | Smooth processing: failed to find the GDOI security policy when adding the no-context data of the GDOI group to the security policy. |
| Smooth processing:Failed to add smooth data to SP when adding no-context data of GDOI group group-name to SP. | Smooth processing: failed to add the smooth data to the security policy when adding the no-context data of the GDOI group to the security policy. |
| Smooth processing: Failed to find IPsec SP when adding GDOI group(name: GroupName) update data to SP. | Smooth processing: failed to find the IPsec security policy when adding the GDOI group update data to the security policy. |
| Smooth processing: Failed to find GDOI SP when adding GDOI group(name: GroupName) update data to SP. | Smooth processing: failed to find the GDOI security policy when adding the GDOI group update data to the security policy. |
| Smooth processing: Failed to add update data to SP when adding GDOI group(name: GroupName) update data to SP. | Smooth processing: failed to add the update data to the security policy when adding the GDOI group update data to the security policy. |
| Smooth processing: Failed to add smooth data when adding GDOI group(name: GroupName) download data to SP. | Smooth processing: failed to add the smooth data when adding the data downloaded by the GDOI group to the security policy. |
| Smooth processing: Failed to create GDOI flow. | Smooth processing: failed to create the GDOI flow. |
| Smooth processing: Failed to add GDOI flow. | Smooth processing: failed to add the GDOI flow. |
| Failed to create GDOI flow. | Failed to create the GDOI flow. |
| Failed to allocate flow: not enough resources. | Insufficient memory; failed to request memory for the flow. |
| Processing check group(name: GroupName) reference message: No interface referenced this group. | Processing the check-group-reference message for the group named GroupName: no interface references this group. |
| Processing check group(name: GroupName) reference message: Failed to send message. | Processing the check-group-reference message for the group named GroupName: failed to send the message. |
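A defender-side triage of debugging ipsec error output, added here as an example and not part of the H3C reference: it matches the Table 1-1 messages that point at replay, failed ESP authentication, invalid SPIs or policy/ACL drops, and extracts the values the manual shows as placeholders (spi, src-addr, seqnum). The sample lines and their timestamp/hostname prefix are constructed; the device's real prefix format is not taken from this page.

```python
"""Triage `debugging ipsec error` output for security-relevant events.

Added example (not H3C code). Message templates are the Table 1-1 fields;
the log prefix used in the constructed sample below is an assumption, not
the device's own output format.
"""
import re
from collections import Counter

# Table 1-1 templates whose description points at tampering, replay or a
# policy/ACL mismatch. The manual's placeholders (spi, src-addr, seqnum ...)
# become named capture groups. Patterns are searched, not start-anchored, so
# whatever timestamp/module prefix precedes the message is ignored.
PATTERNS = {
    "replay": re.compile(r"Received replayed packet\.$"),
    "esp_auth_failed": re.compile(
        r"Inbound IPsec ESP processing: Authentication failed\.$"),
    "invalid_spi": re.compile(
        r"Inbound IPsec ESP processing: Received invalid SPI (?P<spi>\S+)\.$"),
    "acl_check_failed": re.compile(
        r"Inbound IPsec (?:fast )?processing: Failed to check packet by ACL\.$"),
    "src_addr_check_failed": re.compile(
        r"After decryption, source address check failed\.$"),
    "hash_mismatch": re.compile(r"The packet hash values don.t match\.$"),
    "transport_addr_mismatch": re.compile(
        r"In transport mode, SA address doesn.t match packet address\.$"),
    "policy_drop": re.compile(
        r"Inbound IPsec processing: source address=(?P<src>\S+), "
        r"destination address=(?P<dst>\S+), protocol=(?P<proto>\S+)\. "
        r"Packet was dropped according to IPsec policy (?P<policy>\S+?)"
        r"\(sequence number: (?P<seq>\d+)\)\.$"),
}


def classify(line):
    """Return (category, fields) for a security-relevant message, else None."""
    for category, pattern in PATTERNS.items():
        match = pattern.search(line.rstrip())
        if match:
            return category, match.groupdict()
    return None


def summarize(debug_output):
    """Count each security-relevant category; other error lines are ignored."""
    counts = Counter()
    for line in debug_output.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return counts


def policy_drops(debug_output):
    """(policy, seq, src, dst, proto) for every packet an IPsec policy dropped."""
    drops = []
    for line in debug_output.splitlines():
        hit = classify(line)
        if hit and hit[0] == "policy_drop":
            f = hit[1]
            drops.append((f["policy"], int(f["seq"]), f["src"], f["dst"], f["proto"]))
    return drops


def integrity_alert(debug_output, threshold):
    """True when replay, ESP authentication and invalid-SPI failures together
    reach `threshold`: a peer holding stale SAs, or traffic altered in transit."""
    counts = summarize(debug_output)
    suspicious = counts["replay"] + counts["esp_auth_failed"] + counts["invalid_spi"]
    return suspicious >= threshold


# Constructed sample. The "<date> <host>" prefix is an assumption; the message
# bodies follow the Table 1-1 templates with example values filled in.
SAMPLE_DEBUG_OUTPUT = """\
2022-05-10 10:01:02 RouterA Received replayed packet.
2022-05-10 10:01:02 RouterA Inbound IPsec ESP processing: Authentication failed.
2022-05-10 10:01:03 RouterA Inbound IPsec ESP processing: Received invalid SPI 0x1f3a.
2022-05-10 10:01:03 RouterA Inbound IPsec processing: source address=10.1.1.2, destination address=10.2.2.2, protocol=17. Packet was dropped according to IPsec policy map1(sequence number: 10).
2022-05-10 10:01:04 RouterA Received replayed packet.
2022-05-10 10:01:04 RouterA Inbound IPsec fast processing: Failed to check packet by ACL.
2022-05-10 10:01:05 RouterA Failed to allocate memory.
2022-05-10 10:01:05 RouterA After decryption, source address check failed.
"""

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_DEBUG_OUTPUT).items()):
        print(f"{category:24s} {n}")
    for drop in policy_drops(SAMPLE_DEBUG_OUTPUT):
        print("policy drop:", drop)
    print("integrity alert:", integrity_alert(SAMPLE_DEBUG_OUTPUT, 3))
```

Resource errors such as "Failed to allocate memory." are deliberately left out of the counts; they belong to capacity monitoring rather than to integrity triage.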
Table 1-2 Output description for the debugging ipsec event command

| Field | Description |
| --- | --- |
| The IPsec IF-CB(ifIndex = ifindex) will be deleted in kernel. | The IPsec interface control block (interface index ifindex) in the kernel is about to be deleted. |
| Can't find block-flow-table. | The block-flow table cannot be found. |
| Can't find an IPsec tunnel to match the flow. | No IPsec tunnel matching the flow can be found. |
| IPsec daemon successfully connected. | Successfully connected to the IPsec user-space daemon. |
| IPsec daemon disconnected. | Disconnected from the user-space daemon. |
| Sent SA-Acquire message: SP ID = ID. | Sent an SA negotiation request; the ID of the corresponding SP is ID. |
| Sent SA-Expire message: SP ID = SPID, tunnel ID = TNLID. | Sent an SA renegotiation request; the ID of the corresponding SP is SPID and the tunnel ID is TNLID. |
| Sent Invalid-SPI message: SPI = spi. | Sent an Invalid-SPI message; the SPI value is spi. |
| Sent DPD-Request message: DPD ID = DPDID | Sent a DPD detection request message; the DPD ID is DPDID. |
| Updated outbound SA of IPsec tunnel: SA ID = saindex. | Updated the outbound SA of the IPsec tunnel; the SA index is saindex. |
| Received an interface event message for interface interface-type interface-num, event: event. | Received an interface event message; the interface name is interface-type interface-num and the interface event is event. |
| Received interface network layer event message. | Received an interface network layer event message. |
| Received an event message for slot slot-id, event: event. | Received a card event message; the slot number is slot-number and the message type is event. |
| Received an ACL message for ACL acl-number, event: event. | Received an ACL message; the ACL number is acl-number and the message type is event. |
| Received an address message for interface interface-type interface-num, event: event. | Received an address message; the interface name is interface-type interface-num and the message type is event. |
| Sent notify message to kernel: slot slot-id, event: event. | Sent a notify message to the kernel; the slot number is slot-number and the message type is event. |
| Sent msg to kernel. | Sent message msg to the kernel. msg is the message type and can be one of the following: add SP entry (adds an SP entry); update SP entry (updates an SP entry); delete SP entry (deletes an SP entry); add source-if SP entry (adds a source-interface SP entry); delete source-if SP entry (deletes a source-interface SP entry); add SP (adds an SP); update SP (updates an SP); delete SP (deletes an SP); add profile SP (adds a profile SP); delete profile SP (deletes a profile SP); update profile SP (updates a profile SP). |
| Added SA to kernel successfully . | Added the SA to the kernel successfully. |
| SA successfully added in kernel. | The kernel added the SA successfully. |
| SA successfully deleted in kernel. | Deleted the SA from the kernel successfully. |
| Added outbound SA to IPsec tunnel(SA ID = sa-index) | Added an outbound SA to the IPsec tunnel (SA index sa-index). |
| Added tunnel to kernel successfully. | Added the IPsec tunnel to the kernel successfully. |
| IPsec tunnel successfully added in kernel. | The kernel added the IPsec tunnel successfully. |
| IPsec tunnel successfully deleted in kernel. | Deleted the IPsec tunnel from the kernel successfully. |
| IPsec tunnel successfully added to list. | Added the IPsec tunnel to the list successfully. |
| IPsec tunnel added to aggregation-hash | Added the IPsec tunnel to the aggregation hash table successfully. |
| Added SP entry. | Added an SP entry. |
| Added SP by policy. | Added an SP according to the policy. |
| SP entry successfully added in kernel. | The kernel added the SP entry successfully. |
| SP successfully added in kernel. | The kernel added the SP successfully. |
| Added policy SA by manual SP, SP index: index, SP sequence number: sp-seq. | Added a policy SA according to the manual SP successfully; the SP index is sp-index and the SP sequence number is sp-seq. |
| Successfully added an IPsec tunnel during ISSU update process. | Added an IPsec tunnel successfully during an ISSU upgrade. |
| Added an IPsec tunnel when adding manual SA: tunnel index = tunnel-id, tunnel sequence number = tunnel_seq. | Added an IPsec tunnel successfully while adding a manual SA. The IPsec tunnel index is tunnel-id and the IPsec tunnel sequence number is tunnel_seq. |
| Added manual SAs. Number of SAs added is number. | Added manual SAs successfully. The number of SAs added is number. |
| No. ordinal-number SA: index = sa-id, sequence number = sa-seq. | The index of the ordinal-number-th SA is sa-id and its sequence number is sa-seq. |
| Added SA context to SP. | Added the SA contents to the SP successfully. |
| Added an IPsec tunnel when adding ISAKMP SA: tunnel index = tunnel-id, tunnel sequence number = tunnel_seq. | Added an IPsec tunnel successfully while adding an ISAKMP SA. The IPsec tunnel index is tunnel-id and the IPsec tunnel sequence number is tunnel_seq. |
| Added ISAKMP SAs. Number of SAs added is number. No. ordinal-number SA: index = sa-id, sequence number = sa-seq. | Added ISAKMP SAs successfully. The number of SAs added is number; the index of the ordinal-number-th SA is sa-id and its sequence number is sa-seq. |
| Added SA context to IKE. | Sent the SA contents to IKE. |
| Timer successfully added when adding ISAKMP SA. | Added the timer successfully when adding an ISAKMP SA. |
| Started to smoothly process SA with IKE. | Started smoothing SAs with IKE. |
| Finished smooth processing SA with IKE. | Finished smoothing SAs with IKE. |
| Started to smoothly process IPsec tunnel with IKE. | Started smoothing IPsec tunnels with IKE. |
| Finished smooth processing IPsec tunnel with IKE. | Finished smoothing IPsec tunnels with IKE. |
| Started to smoothly process DPD with IKE. | Started smoothing DPD with IKE. |
| Finished smooth processing DPD with IKE. | Finished smoothing DPD with IKE. |
| Sent msg message to slot:slot-id, message type is type-id. | Sent message msg to the card in slot slot-id; the message ID is type-id. The message types and their type IDs are as follows: debug (3); anti-replay check (4); decryption check, that is, the post-decapsulation check (5); log switch (6); idle (7); global df-bit, the global DF bit setting (8); df-bit, the interface DF bit setting (9); all global configuration (10); add SP entry (11); update SP entry (12); delete SP entry (13); add SP (14); update SP (15); delete SP (16); add profile SP (17); update profile SP (18); delete profile SP (19); add tunnel (20); delete tunnel (21); add SA (22); delete SA (23); update MTU (24); switch SA (25); delete block-flow table (26); add DPD (27); update DPD (28); delete DPD (29); update DPD index of SA (30); reset statistics (31); idle report (32); smooth start (32); smooth end (34). |
| Adding route: Dest/Mask: ip-address/mask-length, Next hop: ip-address , Source vpn instance: vpn-name, Destination vpn instance: vpn-name, Tag: tag-value, Preference: preference-num | A static route is about to be added when creating the IPsec tunnel. Dest/Mask is the destination IP address/mask length; Next hop is the next-hop IP address; Source vpn instance is the VPN to which the route's destination address belongs; Destination vpn instance is the VPN to which the route's next-hop address belongs; Tag is the route tag; Preference is the route preference. |
| Deleting route: Dest/Mask: ip-address/mask-length, Next hop: ip-address, Source vpn instance: vpn-name, Destination vpn instance: vpn-name, Tag: tag-value, Preference: preference-num | A static route is about to be deleted when deleting the IPsec tunnel. |
| Successfully added a static route. | The routing module added the static route successfully when creating the IPsec tunnel. |
| Only increased the reference count of the static route but didn't add it. | When creating the IPsec tunnel, the same static route was found to have already been added to the routing module, so the routing module was not asked to add it again and only the reference count of the route was increased. |
| Successfully deleted a static route. | The routing module deleted the static route successfully when deleting the IPsec tunnel. |
| Only reduced the reference count of the static route but didn't delete it. | When deleting the IPsec tunnel, two or more IPsec tunnels were found to map to the same static route, so the routing module was not asked to delete it and only the reference count of the route was decreased. |
| Started to smoothly process the IPv4 static routes. | Started smoothing the IPv4 static routes. |
| Started to smoothly process the IPv6 static routes. | Started smoothing the IPv6 static routes. |
| Finished smooth processing of the IPv4 static routes. | Finished smoothing the IPv4 static routes. |
| Finished smooth processing of the IPv6 static routes. | Finished smoothing the IPv6 static routes. |
| Successfully subscribed service events. | Subscribed to all service events successfully. |
| Received a service event: the status of IPv4 route service is up. | Received an IPv4 route service up event. |
| Received a service event: the status of IPv4route service is down. | Received an IPv4 route service down event. |
| Received a service event: the status of IPv6 route service is up. | Received an IPv6 route service up event. |
| Received a service event: the status of IPv6 route service is down. | Received an IPv6 route service down event. |
| Deleted GDOI SA with SPI spi successfully. | Deleted the GDOI SA with SPI spi successfully. |
| GDOI SA(SPI: %u) already existed. | The GDOI SA with SPI spi already exists. |
| Added GDOI IPsec SA (SPI=spi, index=index, sequence number=seq-num) successfully. | Added the GDOI IPsec SA successfully (SPI spi, index index, sequence number seq-num). |
| Created GDOI SA entry successfully. | Created the GDOI SA entry successfully. |
| Created GDOI SP SA entry successfully. | Created the GDOI SP SA entry successfully. |
| | Added the GDOI flow information to the kernel successfully. |
| Deleted GDOI SP flow successfully. | Deleted the GDOI SP flow information successfully. |
| Deleted GDOI SP SA entry successfully. | Deleted the GDOI SP SA entry successfully. |
| Found GDOI SA: SPI=spi, SrcPort=src-port, DstPort=dst-port. | Found the GDOI IPsec SA (SPI spi, source port src-port, destination port dst-port). |
| GDOI flow has been updated. | The GDOI flow was updated. |
| Added outbound SA(index: index) to GDOI flow successfully. | Added the outbound SA (index index) to the GDOI flow successfully. |
| Deleted outbound SA(index: index) from GDOI flow. | Deleted the SA with index index that protects the GDOI flow. |
| Added flow to HIPAC successfully. | Added the GDOI flow to the flow table successfully. |
| Deleted GDOI flow successfully in kernel. | Deleted the GDOI flow in the kernel successfully. |
| Added GDOI IPsec SA successfully in kernel. | Added the GDOI IPsec SA in the kernel successfully. |
| Added GDOI flow successfully in kernel. | Added the GDOI flow in the kernel successfully. |
| Failed to find IPsec SA with index index when deleting SA in kernel. | Failed to find the IPsec SA by IPsec SA index index when deleting the SA in the kernel. |
| Deleted GDOI SA successfully in kernel. | Deleted the GDOI SA in the kernel successfully. |
| Switched GDOI SA(index: index) successfully in kernel. | Switched the GDOI SA (index index) in the kernel successfully. |
| Added GDOI IPsec SA to kernel successfully. | Added the GDOI IPsec SA to the kernel successfully. |
| Set GDOI outbound IPsec SA(index: index) to kernel successfully. | Set the outbound GDOI IPsec SA with index index in the kernel successfully. |
| Created GDOI SP SA entry successfully. | Created the GDOI SP SA entry successfully. |
| GDOI IPv6 flow has been updated. | The GDOI IPv6 flow was updated successfully. |
| Deleted GDOI IPsec SA successfully in kernel. | Deleted the GDOI IPsec SA in the kernel successfully. |
| Switched GDOI IPsec SA(index: index) successfully in kernel. | Switched the GDOI IPsec SA with index index in the kernel successfully. |
| IPsec tunnel has been updated. | The IPsec tunnel was updated successfully. |
Created GDOI flow successfully. | 创建GDOI流成功 |
Smooth processing: Added GDOI flow successfully. | 平滑处理:添加GDOI流成功 |
Deleted GDOI group(name: GroupName) successfully. | 删除组名为GroupName的GDOI组成功 |
Restored GDOI group(name: GroupName) successfully. | 恢复组名为GroupName的GDOI组成功 |
Restored GDOI SP(index: index) successfully. | 恢复索引为index的GDOI安全策略成功 |
Cached GDOI SA(SPI: spi) successfully. | 恢复索引为index的GDOI安全策略成功 |
Started to smoothly process GDOI group with IKE. | 开始和IKE模块平滑GDOI组数据 |
Checked GDOI group after smooth with IKE. | 和IKE模块平滑后,检查GDOI组 |
Processing group(name: GroupName) batch-add-flow message: Added GDOI flow(rule num) successfully | 处理GDOI组的批量添加流信息:添加ACL规则编号为num的GDOI流成功 |
Processing group(name: GroupName) batch-add-flow message: GDOI flow(rule num) already exist. | 处理GDOI组的批量添加流信息:ACL规则编号为num的GDOI流已经存在 |
Processing group(name: GroupName) batch-sync-flow message:Synchronize GDOI flow successfully. | 处理GDOI组的批量同步流信息:同步GDOI流成功 |
Processing group(name: GroupName) batch-delete-TEK-flow message: Cached GDOI flow(rule num) successfully. | 处理GDOI组的批量删除TEK流信息:缓存ACL规则编号为num的GDOI流成功 |
Processing group(name: GroupName) add-TEK message: Cached GDOI SA(SPI: spi) successfully. | 处理GDOI组的添加TEK信息:缓存SPI为spi的GDOI SA成功 |
Processing group(name: GroupName) add-TEK message: GDOI SA(SPI: spi) already exist. | 处理GDOI组的添加TEK信息:SPI为spi的GDOI SA已经存在 |
Processing group(name: GroupName) delete-all message: Deleted all GDOI flow and SA successfully. | 处理GDOI组的删除所有数据信息:删除所有GDOI流和SA成功 |
Processing group(name: GroupName) smooth-flow message: Added GDOI flow(rule num) successfully. | 处理GDOI组的平滑流信息:添加ACL规则编号为num的GDOI流成功 |
Processing group(name: GroupName) smooth-flow message: GDOI flow(rule num) already exist. | 处理GDOI组的平滑流信息:ACL规则编号为num的GDOI流已经存在 |
Processing group(name: GroupName) smooth-TEK message: Added GDOI SA(SPI: spi) successfully. | 处理GDOI组的平滑TEK信息:添加SPI为spi的GDOI SA成功 |
Processing group(name: GroupName) smooth-TEK message: GDOI SA(SPI: spi) already exist. | 处理GDOI组的平滑TEK信息:SPI为spi的GDOI SA已经存在 |
Updated GDOI IPsec SA to kernel successfully. | 向内核更新GDOI IPsec SA成功 |
Smooth processing: Added GDOI IPsec SA (SPI=spi, index=index, sequence number=seq-num) successfully. | 平滑处理:添加GDOI类型的IPsec SA成功(SPI为spi,索引为index,序列号为seq-num) |
Started to smoothly process GDOI SA with IKE. | 开始和IKE模块平滑GDOI SA |
Finished smooth processing GDOI SA with IKE. | 结束和IKE模块平滑GDOI SA |
Smooth processing: Added GDOI SA entry successfully. | 平滑处理:创建GDOI SA表项成功 |
Restored GDOI SP SA entry successfully. | 恢复GDOI安全策略SA数据成功 |
Rebuilt group(name: GroupName) GDOI SP flow successfully. | 重建组名为GroupName的组的GDOI安全策略流成功 |
Set GDOI outbound IPsec SA(index: index) to kernel successfully. | 下发GDOI出方向索引为index的IPsec SA到内核成功 |
Smooth processing: Created GDOI SP SA entry successfully. | 平滑处理:添加GDOI安全策略SA表项成功 |
Smooth processing: Added no context smooth GDOI SP SA entry successfully. | 平滑处理:添加无上下文的GDOI安全策略SA成功 |
Started to smoothly process GDOI SP flow with IKE. | 开始和IKE模块平滑GDOI安全策略流 |
Finished smooth processing GDOI SP flow with IKE. | 和IKE模块平滑GDOI安全策略流结束 |
Started to smoothly process GDOI IPsec SA with IKE. | 开始和IKE模块平滑GDOI IPsec SA |
Finished smooth processing GDOI IPsec SA with IKE. | 和IKE模块平滑GDOI IPsec SA结束 |
Added synchronization GDOI flow to kernel successfully. | 下发同步GDOI流信息到内核成功 |
Deleted synchronization GDOI SP SA entry successfully. | 删除同步GDOI安全策略SA表项成功 |
Created synchronization GDOI SP SA entry successfully. | 创建同步GDOI安全策略SA表项成功 |
Added sync GDOI flow successfully. | 添加同步的GDOI流成功 |
Deleted sync GDOI flow successfully.. | 删除同步的GDOI流成功 |
Added sync SA successfully. | 添加同步SA成功 |
Processing GDOI synchronization message of switching SA(index: index): Switched SA successfully. | 处理切换索引为index的GDOI同步消息:切换SA成功 |
Deleted sync SA (SPI: spi) successfully. | 删除同步的SPI为spi的SA成功 |
Processing check group(name: GroupName) reference message successfully. | 处理检查名为GroupName组的检查组引用信息时,发送消息成功 |
Table 1-3 Output description for the debugging ipsec packet command
Field | Description |
Packet will be sent to CCF for sync-encryption. | The packet will be sent to the CCF for synchronous encryption |
Packet will be sent to CCF for sync-decryption | The packet will be sent to the CCF for synchronous decryption |
Packet will be sent to CCF for asyn-encryption. | The packet will be sent to the CCF for asynchronous encryption |
Packet will be sent to CCF for asyn-decryption. | The packet will be sent to the CCF for asynchronous decryption |
Found SA with SPI spi. | Found the SA with SPI spi |
Packet matches SP spid. | The packet matches the SP whose ID is spid |
Packet has been encrypted by SA whose SPI is spi. | The packet was encrypted by the SA with SPI spi |
Packet has been decrypted by SA whose SPI is spi. | The packet was decrypted by the SA with SPI spi |
ESP auth algorithm: auth, ESP encp algorithm: encp. | The ESP authentication algorithm is auth and the ESP encryption algorithm is encp |
AH auth algorithm: auth | The AH authentication algorithm is auth |
Src : src Dst : dst SPI : spi | The packet's source address is src, its destination address is dst, and its SPI is spi |
Received IPsec(AH) packet | An AH packet was received in the inbound direction |
Received IPsec(ESP) packet | An ESP packet was received in the inbound direction |
Received IPSec packet from fast forwarding | An IPsec packet was received in the inbound direction through fast forwarding |
Sent routing protocol packet by IPsec | A routing protocol packet was sent through IPsec |
Sent IPsec packet | A packet was sent through IPsec |
Sent packet by IPsec fast forwarding | A packet was sent through IPsec fast forwarding |
Added IP fast forwarding entry. | Added a fast forwarding entry |
Added IPv6 fast forwarding entry. | Added an IPv6 fast forwarding entry |
Failed to find SA by SP. | No SA corresponding to the SP was found |
The packet is too big, mtu = mtu, packet len = len. | The packet is too big: the MTU is mtu and the packet length is len |
The reason of dropping packet is reason. | The packet was dropped for reason reason, which can be one of the following: · Packet too long: the packet is too long · Invalid SPI: invalid SPI · No available SA: no SA was found · No available IPsec tunnel: no IPsec tunnel was found · Encryption failed: encryption failed · Decryption failed: decryption failed · Loop too many times: the packet looped through the local device too many times · ACL check failed: the ACL check failed · Address does not match with SA: the packet's addresses do not match the addresses in the SA · Anti-replay sequence number reached the max: the anti-replay sequence number reached its maximum value · The encapsulation mode does not match: the encapsulation mode does not match · Receive a ESP dummy packet: an ESP keepalive (dummy) packet was received · Memory alloc failed: memory allocation failed · Packet length wrong: incorrect packet length · Replayed packet: replayed packet · Authentication failed: authentication failed · Security protocol set of SA does not match: the SA's security protocol combination does not match the peer's |
Inbound IPsec AH processing: Authentication succeeded. | Inbound IPsec AH processing: authentication succeeded |
Outbound IPsec AH processing: Authentication finished, anti-replay SN is sn. | Outbound IPsec AH processing: authentication finished; the anti-replay sequence number is sn |
Inbound IPsec ESP processing: Decryption succeeded. | Inbound IPsec ESP processing: decryption succeeded |
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is sn. | Outbound IPsec ESP processing: encryption succeeded; the anti-replay sequence number is sn |
Outbound IPsec processing: Sent packet back to IP forwarding. | Outbound IPsec processing: the packet was sent back to IP forwarding |
Inbound IPsec processing: Sent packet back to IP forwarding. | Inbound IPsec processing: the packet was sent back to IP forwarding |
Outbound IPsec processing: Sent packet back to IP forwarding for following process. | Outbound IPsec processing: the packet was returned to forwarding for subsequent service processing |
IPsec processing: Tunnel mode | Tunnel mode is used |
IPsec processing: Transport mode | Transport mode is used |
Started outbound processing after CCF processing. | Outbound processing started after CCF processing |
Started inbound processing after CCF processing. | Inbound processing started after CCF processing |
Restored the original IP header during AH processing | The original IP header was restored during AH processing |
Updated IV during ESP processing. | The IV was updated during ESP processing |
Started outbound fast forwarding after CCF processing. | Outbound fast forwarding started after CCF processing |
Started inbound fast forwarding after CCF processing. | Inbound fast forwarding started after CCF processing |
Failed to find SA by SP. | Failed to find the SA by SP |
Outbound IPsec processing: Packet encapsulated successfully. | Outbound IPsec processing: the packet was encapsulated successfully |
IPsec output processing for relay packet: flag=flag, data length=length | Outbound IPsec processing of a packet relayed between cards: the packet flag is flag and the data length is length |
Received a UDP fragment: src port=src-port, dst port=dst-port. | Received a UDP fragment (source port src-port, destination port dst-port) |
Inbound IPsec GDOI processing: Sent packet back to IP forwarding. | Inbound IPsec GDOI processing: the packet was sent back to IP forwarding |
Received IPsec(ESP) packet: packet length=length | Received an ESP-encapsulated IPsec packet; the packet length is length |
Failed to find SA by SA index. | Failed to find the SA by SA index |
Packet oversize: MTU=mtu, packet length=length. | The packet is too big: the MTU is mtu and the packet length is length |
Sent packet by GDOI fast forwarding | Sent the packet according to the GDOI fast forwarding table |
Outbound GDOI ESP forwarding processing: Encryption succeeded. | Outbound GDOI ESP forwarding processing: encapsulation succeeded |
--- Sent GDOI packet --- | Sent a GDOI packet |
--- Sent IPv6 GDOI packet by IPsec fast forwarding --- | Sent an IPv6 GDOI packet through IPsec fast forwarding |
--- Sent IPsec packet --- | Sent an IPsec packet |
--- Sent IPv6 packet by IPsec fast forwarding --- | Sent an IPv6 packet through IPsec fast forwarding |
Failed to prepare IPv6 packet | Failed to prepare the IPv6 packet |
MBUF relay sent to node LipNode. | The message was relayed to the card numbered LipNode |
FS MBUF relay sent to node LipNode. | The fast forwarding message was relayed to the card numbered LipNode |
Adding svti tunnel fast-forwarding cache. | Adding an SVTI tunnel fast forwarding cache entry |
Adding advpn/gre tunnel fast-forwarding cache. | Adding an ADVPN/GRE tunnel fast forwarding cache entry |
Failed to get SP: IPsec smooth not end. | Failed to get the SP: IPsec smooth processing has not finished |
Failed to get SP: IPsec process not running. | Failed to get the SP: the IPsec process is not running |
Failed to find SP by index and sequence number. | Failed to find the SP by index and sequence number |
Failed to get SP: Creating SA timed out. | SA creation timed out while getting the SP |
Failed to get SP by interface: Target node not online. | While getting the SP by a regular interface, the target interface card is not online |
Failed to get interface when getting SP by mGRE. | Failed to get the interface while getting the SP in mGRE mode |
Failed to get SP by mGRE: Invalid interface type. | Failed to get the SP in mGRE mode: invalid interface type |
Failed to get SP by mGRE: No tunnel protection configuration. | Failed to get the SP in mGRE mode: the tunnel protection configuration is missing |
Failed to get SP by mGRE: profile profile not found. | Failed to get the SP in mGRE mode: profile profile was not found |
Failed to get SP by mGRE: wrong profile type. | Failed to get the SP in mGRE mode: incorrect profile type |
Failed to find profile SP by profile profile when getting SP by mgre. | While getting the SP in mGRE mode, failed to find the SP by profile profile |
Failed to get SP by mGRE: SP type not ISAKMP. | Failed to get the SP in mGRE mode: the SP is not an IKE-negotiated SP |
Failed to get SP by mGRE. | Failed to get the SP in mGRE mode |
Failed to get SP by SVTI: invalid interface type. | Failed to get the SP in SVTI mode: invalid interface type |
Failed to get SP by SVTI: no tunnel protection configuration. | Failed to get the SP in SVTI mode: the tunnel protection configuration is missing |
Failed to get SP by SVTI: profile profile not found. | Failed to get the SP in SVTI mode: profile profile was not found |
Failed to get SP by SVTI: wrong type of profile profile. | Failed to get the SP in SVTI mode: profile profile has an incorrect type |
Failed to find profile SP by profile profile when getting SP by svti. | While getting the SP in SVTI mode, failed to find the SP by profile profile |
Failed to get SP by SVTI: SP type not ISAKMP. | Failed to get the SP in SVTI mode: the SP is not an IKE-negotiated SP |
Failed to match SVTI flow: IKE profile not match. | Failed to match the SVTI flow: the IKE profile does not match |
Failed to match SVTI flow: flow not match with ACL. | Failed to match the SVTI flow: the flow does not match the ACL |
Failed to get interface data when getting SP by L3 interface. | Failed to get interface data while getting the SP by Layer 3 interface |
Failed to get SP by L3 interface: no SP entry found by key. | Failed to get the SP by Layer 3 interface: no SP entry was found by the SP entry key |
Failed to get SP by L3 interface: no source interface SP entry found by key. | Failed to get the SP by Layer 3 interface: no SP entry was found by the SP entry key of the shared source interface |
Failed to match SP when getting SP by L3 interface: SP's mode not ISAKMP. | While getting the SP by Layer 3 interface, failed to match the SP: the SP is not an IKE-negotiated SP |
Failed to match SP when getting SP by L3 interface: SP negotiation not complete. | While getting the SP by Layer 3 interface, failed to match the SP: SP negotiation has not completed |
Rejected peer's request of any flow: SP's mode was ISAKMP template and no ACL was specified. | The SP uses an IKE template and no ACL is configured, so a request for any flow does not trigger negotiation |
Failed to match SP when getting SP by L3 interface: Could not find policy by SP. | While getting the SP by Layer 3 interface, failed to match the SP: no policy was found by the SP |
Failed to match profile: IKE profile was profile1 while IPsec used profile profile2. | Failed to match the profiles: the IKE profile is profile1 while IPsec uses profile profile2 |
Failed to match flow: ACL not match. | Failed to match the flow: the ACL does not match |
Failed to match flow: renegotiation SP's index or sequence number changed. | Failed to match the flow: the index or sequence number of the renegotiated SP has changed |
SP SP-ID is not complete. | SP SP-ID is incomplete |
Failed to get SP (SP ID=SP-ID): Local address not match (SP's address=address1, phase 2 policy's address=address2). | While getting SP SP-ID, the local address does not match: the SP carries address1 and the phase 2 policy carries address2 |
Failed to get SP (SP ID=SP-ID): Remote address not exist (hostname=hostname). | While getting the SP, the remote address does not exist |
Failed to get SP (SP ID=SP-ID): Remote address not match (SP's address=address1, phase 2 policy's address=address2). | While getting the SP, the remote address does not match |
Failed to match SP when getting SP by L3 interface: no transform-set in SP. | While getting the SP by Layer 3 interface, failed to match the SP: the SP has no transform set |
Failed to create larval SA when getting SP by L3 interface. | Failed to create the larval SA while getting the SP by Layer 3 interface |
Failed to get SP matching ACL. | Failed to get the SP that matches the ACL |
【Examples】
# The device already holds the maximum number of SPs. Configure a manual IPsec policy named mypolicy and enable IPsec error debugging. When policy mypolicy is applied to interface GigabitEthernet3/1/1, the following IPsec error debugging information is output.
<Sysname> debugging ipsec error
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] ipsec policy mypolicy
*Jul 14 16:45:16:157 2012 Sysname IPSEC/7/ERROR: -MDC=1;
Failed to alloc SP index.
// Failed to allocate an SP index
# Configure a manual IPsec policy named mypolicy on the device and enable IPsec event debugging. When policy mypolicy is applied to interface GigabitEthernet3/1/1, an SP and SAs are created and the following IPsec event debugging information is output.
<Sysname> debugging ipsec event
*Jul 18 15:28:55:020 2012 Sysname IPSEC/7/event:
SP entry successfully added in kernel.
// The kernel added the SP entry successfully
*Jul 18 15:28:55:020 2012 Sysname IPSEC/7/ERROR:
Sent add SP entry message to kernel.
// Sent the add-SP-entry message to the kernel
*Jul 18 15:28:55:020 2012 Sysname IPSEC/7/ERROR:
Added SP entry.
// Added the SP entry
*Jul 18 15:28:55:022 2012 Sysname IPSEC/7/event:
SP successfully added in kernel.
// The kernel added the SP successfully
*Jul 18 15:28:55:022 2012 Sysname IPSEC/7/ERROR:
Sent add SP message to kernel.
// Sent the add-SP message to the kernel
*Jul 18 15:28:55:023 2012 Sysname IPSEC/7/ERROR:
Added SP by policy.
// Added the SP according to the policy
*Jul 18 15:28:55:024 2012 Sysname IPSEC/7/ERROR:
Added policy SA by manual SP, SP index is 0, SP sequence number is 2.
// Added the policy SA according to the manual SP successfully; the SP index is 0 and the SP sequence number is 2
*Jul 18 15:28:55:026 2012 Sysname IPSEC/7/event:
IPsec tunnel added to aggregation-hash.
// Added the IPsec tunnel to the aggregation hash table successfully
*Jul 18 15:28:55:026 2012 Sysname IPSEC/7/event:
IPsec tunnel successfully added in kernel.
// The kernel added the IPsec tunnel successfully
*Jul 18 15:28:55:026 2012 Sysname IPSEC/7/ERROR:
Added tunnel to kernel successfully.
// Added the IPsec tunnel to the kernel successfully
*Jul 18 15:28:55:026 2012 HP IPSEC/7/ERROR:
Added an IPsec tunnel when adding manual SA: tunnel index = 0, tunnel sequence number = 2.
// Added an IPsec tunnel while adding the manual SA; the tunnel index is 0 and the tunnel sequence number is 2
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel added the SA successfully
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel added the SA successfully
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
Added outbound SA to IPsec tunnel(SA ID = 1).
// Added the outbound SA to the IPsec tunnel successfully (SA ID 1)
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel added the SA successfully
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel added the SA successfully
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/ERROR:
Added SA to kernel successfully.
// Added the SA to the kernel successfully
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/ERROR:
Added manual SAs. Number of SAs added is 4.
// Added the manual SAs successfully; the number of SAs added is 4
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/ERROR:
No.1 SA: index = 3, sequence number = 2.
*Jul 18 15:28:55:028 2012 Sysname IPSEC/7/ERROR:
No.2 SA: index = 2, sequence number = 2.
*Jul 18 15:28:55:028 2012 Sysname IPSEC/7/ERROR:
No.3 SA: index = 1, sequence number = 2.
*Jul 18 15:28:55:028 2012 Sysname IPSEC/7/ERROR:
No.4 SA: index = 0, sequence number = 2.
// The first SA has index 3 and sequence number 2
// The second SA has index 2 and sequence number 2
// The third SA has index 1 and sequence number 2
// The fourth SA has index 0 and sequence number 2
*Jul 18 15:28:55:029 2012 Sysname IPSEC/7/ERROR:
Added SA context to SP.
// Added the SA context to the SP successfully
# Configure a manual IPsec policy on the device, apply it to interface GigabitEthernet3/1/1, and enable IPsec packet debugging. When the local device pings the peer, the following IPsec packet debugging information is output.
<Sysname> debugging ipsec packet
<Sysname> ping -c 1 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes, press CTRL_C to break
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
--- Sent IPsec packet ---
// Sent an IPsec-processed packet in the outbound direction
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Added IP fast forwarding entry.
// Added a fast forwarding entry
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: Src : 10.10.10.1 Dst : 10.10.10.2 SPI : 1114
// Outbound IPsec processing: source address 10.10.10.1, destination address 10.10.10.2, SPI 1114
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: DES-CBC.
// Outbound IPsec processing: the ESP authentication algorithm is SHA1 and the ESP encryption algorithm is DES-CBC
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Packet will be sent to CCF for sync-encryption.
// The packet will be sent to the CCF for synchronous encryption
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 0.
// Outbound IPsec ESP processing: encryption finished; the anti-replay sequence number is 0
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: AH auth algorithm: MD5.
// Outbound IPsec processing: the AH authentication algorithm is MD5
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Packet will be sent to CCF for sync-encryption.
// The packet will be sent to the CCF for synchronous encryption
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec AH processing: Authentication finished, anti-replay SN is 0.
// Outbound IPsec AH processing: authentication finished; the anti-replay sequence number is 0
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: Sent packet back to IP forwarding.
// Outbound IPsec processing: the packet was sent back to IP forwarding
# Configure an IPsec policy on the device that uses an asynchronous encryption card, and enable IPsec packet debugging. When the local device pings the peer, the following IPsec packet debugging information is output.
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Started outbound processing after CCF processing.
// Outbound processing started after CCF processing
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Started inbound processing after CCF processing.
// Inbound processing started after CCF processing
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Restored the original IP header during AH processing.
// The original IP header was restored during AH processing
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Updated IV during ESP processing.
// The IV was updated during ESP processing
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Started outbound fast forwarding after CCF processing.
// Outbound fast forwarding started after CCF processing
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Started inbound fast forwarding after CCF processing.
// Inbound fast forwarding started after CCF processing
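The packet debugging output above pairs a header line (timestamp, device name, IPSEC/7/packet, MDC and slot context) with a one-line message, and Table 1-3 lists the drop reasons that message can carry. The following parser is an added example written for this page; it is not H3C code. It assumes only the two-line format shown in the examples and the message texts from Table 1-3, and the sample output it parses is constructed here (the two replay drops and the authentication failure do not appear in the original examples). A defender collecting this output can use the tally to tell a misconfiguration (MTU, missing SA) from integrity or replay problems on the tunnel.

```python
"""Parse H3C 'debugging ipsec packet' output and tally packet-drop reasons.

Added example for this reference page, not H3C code. The header and message
formats are taken from the examples above; the sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Header line: "*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;"
# The context part after the colon is optional (the event examples omit it).
HEADER_RE = re.compile(
    r"^\*(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z]+)/(?P<sev>\d)/(?P<kind>\w+):\s*(?P<ctx>.*?);?$"
)
# Message templates from Table 1-3 that carry fields worth extracting.
DROP_RE = re.compile(r"The reason of dropping packet is (?P<reason>.+?)\.?$")
SPI_RE = re.compile(r"Src : (?P<src>\S+) Dst : (?P<dst>\S+) SPI : (?P<spi>\d+)")

# Drop reasons from Table 1-3 that indicate integrity or replay problems rather
# than sizing or configuration issues; these are the ones worth alerting on.
INTEGRITY_REASONS = {
    "Replayed packet", "Authentication failed", "Decryption failed",
    "Invalid SPI", "Address does not match with SA",
}


@dataclass
class DebugRecord:
    timestamp: str
    host: str
    kind: str                 # error / event / packet
    message: str
    drop_reason: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    spi: Optional[int] = None


def parse_debug_output(text: str) -> List[DebugRecord]:
    """Pair each header line with the message line that follows it."""
    records: List[DebugRecord] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        if pending is None:
            continue  # prompt or ping banner before any header: not debug output
        rec = DebugRecord(pending["ts"], pending["host"], pending["kind"], line)
        d = DROP_RE.search(line)
        if d:
            rec.drop_reason = d.group("reason").strip()
        s = SPI_RE.search(line)
        if s:
            rec.src, rec.dst, rec.spi = s.group("src"), s.group("dst"), int(s.group("spi"))
        records.append(rec)
        pending = None
    return records


def drop_reason_counts(records: List[DebugRecord]) -> Counter:
    return Counter(r.drop_reason for r in records if r.drop_reason)


def integrity_alerts(records: List[DebugRecord], threshold: int = 2) -> dict:
    """Drop reasons from INTEGRITY_REASONS seen at least `threshold` times."""
    counts = drop_reason_counts(records)
    return {reason: n for reason, n in counts.items()
            if reason in INTEGRITY_REASONS and n >= threshold}


# Constructed sample output in the format of the examples above.
SAMPLE_OUTPUT = """\
<Sysname> ping -c 1 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes, press CTRL_C to break
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
--- Sent IPsec packet ---
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: Src : 10.10.10.1 Dst : 10.10.10.2 SPI : 1114
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 0.
*Jul 14 16:55:11:002 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
The reason of dropping packet is Replayed packet.
*Jul 14 16:55:11:003 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
The reason of dropping packet is Replayed packet.
*Jul 14 16:55:11:004 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
The reason of dropping packet is Authentication failed.
*Jul 14 16:55:11:005 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
The packet is too big, mtu = 1500, packet len = 1540.
"""

if __name__ == "__main__":
    recs = parse_debug_output(SAMPLE_OUTPUT)
    print(drop_reason_counts(recs))
    print(integrity_alerts(recs))
```

The threshold is deliberately a parameter: a single replay drop is routine on a lossy link with reordering, while a run of them on one SA, or any authentication failure, is what an operator should look at together with the SPI and peer addresses captured from the preceding "Src/Dst/SPI" line.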
2 IKE
2.1 IKE debugging commands
2.1.1 debugging ike
【Syntax】
debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ]
undo debugging ike { all | dpd | error | event | keepalive | nat-keepalive | packet }
【Default】
IKE debugging is disabled.
【Views】
User view
【Predefined user roles】
network-admin
【Parameters】
all: Specifies all IKE debugging.
dpd: Specifies DPD debugging.
error: Specifies error debugging.
event: Specifies event debugging.
keepalive: Specifies keepalive debugging.
nat-keepalive: Specifies NAT keepalive debugging.
packet: Specifies packet debugging.
remote-address: Filters debugging information by remote address.
local-address: Filters debugging information by local address.
ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
remote-port port-number: Filters debugging information by remote port number. port-number is the remote port number, in the range of 0 to 65535.
vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private network address member belongs. vpn-instance-name is the name of an MPLS L3VPN VPN instance, a case-sensitive string of 1 to 31 characters. If you do not specify this parameter, the private network address member does not belong to any VPN.
【Usage guidelines】
Use debugging ike to enable IKE debugging. Use undo debugging ike to disable IKE debugging.
Table 2-1 Output description for the debugging ike error command
Field | Description |
Failed to verify the peer signature. | 对端签名验证失败 |
HASH payload is missing. | 未在IKE报文中找到HASH载荷 |
Failed to verify the peer HASH. | 对端HASH验证失败 |
Signature payload is missing. | 未在IKE报文中找到签名载荷 |
Invalid SPI length (length) in DPD packet. | DPD报文中的SPI长度无效,长度为length |
Invalid I-Cookie in DPD packet: I-Cookie | DPD报文中的I-Cookie无效,I-Cookie的值为I-Cookie |
Invalid R-Cookie in DPD packet: R-Cookie | DPD报文:R-Cookie无效,R-Cookie的值为R-Cookie |
The length (length) of DPD sequence number is invalid. | DPD序列号的长度无效,长度为length |
Invalid DPD sequence number (number). | DPD序列号无效,序列号的值为number |
DPD packet retransmission timed out. | DPD报文的重传已超时 |
Invalid IPv4 address length (length). | 无效的IPv4地址长度,长度为length |
Invalid IPv6 address length (length). | 无效的IPv6地址长度,长度为length |
Invalid ID of IPv4 address type: ID-IPv4 | IPv4地址类型的身份无效,身份的值为ID-IPv4 |
Invalid ID of IPv6 address type: ID-IPv6 | IPv6地址类型的身份无效,身份的值为ID-IPv6 |
Invalid FQDN ID length (length). | FQDN类型的身份长度无效,长度为length |
Invalid user FQDN ID length (length). | User FQDN类型的长度身份无效,长度为length |
Failed to get DN because the certificate doesn't exist. | 获取DN失败,因为证书不存在 |
Failed to get ID data for constructing ID payload. | 构造ID载荷时获取ID数据失败 |
Invalid ID payload with protocol protocol-number and port port-number. | 无效的ID载荷,ID载荷中的协议号为protocol-number,端口号为port-number |
Invalid ID type (ID-type). | 身份类型无效,身份类型值为ID-type |
Failed to find proposal proposal-number in profile profile-name. | 在名称为profile-name的IKE profile中没有找到编号为proposal-number的proposal |
Failed to verify HASH for informational exchange. | 验证informational exchange报文中的HASH失败 |
Failed to construct delete payload. | 构造delete载荷失败 |
Invalid SPI length. | SPI长度无效 |
Protocol ID (ID) in delete payload is invalid. | delete载荷中的协议ID无效,协议号为ID |
KE payload doesn’t exist. | KE载荷不存在 |
Invalid KE payload length (length). | KE载荷的长度无效,长度为length |
Failed to construct notification payload for keepalive. | 发送keepalive报文时构造notification载荷失败 |
Length (length) of the sequence number in keepalive packet is invalid. | Keepalive报文中的序列号长度无效,长度为length |
Length (length) of the HASH payload in keepalive packet is invalid. | Keepalive报文中的HASH载荷长度无效,长度为length |
Failed to calculate HASH for verification of keepalive packet. | 验证keepalive报文时,本端计算HASH失败 |
Failed to add sequence number to keepalive packet. | 构造keepalive报文时,添加序列号失败 |
Failed to calculate HASH for keepalive. | 构造keepalive报文时,计算HASH失败 |
Failed to float port. | 切换端口失败 |
Length (length) of the nonce payload is invalid. | Nonce载荷的长度无效,长度为length |
Failed to parse the certificate request payload. | 解析证书请求载荷失败 |
No available proposal. | 没有找到可用的proposal |
Failed to get certificate. | 获取证书失败 |
Failed to get private key. | 获取私钥失败 |
Failed to construct ID payload. | 构造IPsec身份载荷失败 |
Failed to calculate hash-name. | 计算HASH失败,HASH名称为hash-name |
Failed to validate hash-name. | 验证HASH失败,HASH名称为hash-name |
Failed to compute key material. | 计算密钥材料失败 |
Failed to install IPsec SA. | 安装IPsec SA失败 |
The nonce payload doesn't exist. | Nonce载荷不存在 |
The KE payload doesn't exist. | KE载荷不存在 |
No valid DH group description in SA payload. | SA载荷中没有有效的DH group |
There are too many KE payloads. | KE载荷太多, |
The length of the KE payload does't match the DH group description. | KE载荷的长度和用于PFS的DH group描述不匹配 |
Failed to construct NAT-OA payload. | 构造NAT-OA载荷失败 |
Failed to construct RESPONDER_LIFETIME payload. | 构造RESPONDER_LIFETIME载荷失败 |
Failed to construct KE payload. | 构造KE载荷失败 |
Failed to pad for encryption. | 加密报文前的填充失败 |
Failed to send data. Reason: error-reason. | 发送报文失败,错误原因为error-reason |
No enough space in the packet for Non-ESP marker. | 报文超大,不能添加Non-ESP标记 |
Failed to decrypt the packet. | 解密报文失败 |
Non-zero message ID (Message-ID) in phase 1. | 一阶段的Message ID不为0,其值为Message-ID |
I-Cookie must not be zero. | I-Cookie不能为0 |
The first packet of phase 1 is invalid: Encryption bit is set. | 一阶段的第一条报文无效:报文的加密标识为已使能 |
The first packet of phase 1 is invalid: Non-zero R-Cookie. | 一阶段的第一条报文无效:报文的R-Cookie不为0 |
Failed to parse phase 1 packet. Reason reason. | 解析一阶段的IKE报文失败,原因为reason,可能的取值包括: · INVALID_PAYLOAD_TYPE:载荷类型无效 · DOI_NOT_SUPPORTED:不支持的DOI字段 · SITUATION_NOT_SUPPORTED:不支持的situation字段 · INVALID_COOKIE:cookie无效 · INVALID_MAJOR_VERSION:主版本号无效 · INVALID_MINOR_VERSION:次版本号无效 · INVALID_EXCHANGE_TYPE:交换类型无效 · INVALID_FLAGS:标识无效 · INVALID_MESSAGE_ID:message ID无效 · INVALID_PROTOCOL_ID:提议号无效 · INVALID_SPI:SPI无效 · INVALID_TRANSFORM_ID:transform ID无效 · ATTRIBUTES_NOT_SUPPORTED:不支持的属性 · NO_PROPOSAL_CHOSEN:没有匹配的提议 · BAD_PROPOSAL_SYNTAX:提议语法错误 · PAYLOAD_MALFORMED:载荷格式错误 · INVALID_KEY_INFORMATION:密钥信息无效 · INVALID_ID_INFORMATION:身份无效 · INVALID_CERT_ENCODING:证书编码无效 · INVALID_CERTIFICATE:证书无效 · CERT_TYPE_UNSUPPORTED:不支持的证书类型 · INVALID_CERT_AUTHORITY:证书认证失败 · INVALID_HASH_INFORMATION:HASH无效 · AUTHENTICATION_FAILED:认证失败 · INVALID_SIGNATURE:签名无效 · ADDRESS_NOTIFICATION:地址通知 · NOTIFY_SA_LIFETIME:SA生命周期通知 · CERTIFICATE_UNAVAILABLE:证书不可用 · UNSUPPORTED_EXCHANGE_TYPE:不支持的交换类型 · UNEQUAL_PAYLOAD_LENGTHS:载荷长度不相等 |
The packet is dropped because of not being encrypted | 丢弃报文,因为报文没有加密 |
Failed to parse informational exchange packet. Reason reason. | 解析informational exchange报文失败,原因是reason reason取值同上 |
Failed to parse keepalive packet because of reason. | 解析keepalive报文失败,原因是reason reason取值同上 |
Unsupported exchange type (type) in packet. | 不支持的交换类型type,取值包括: · None:不存在的交换类型 · Base:基础交换类型 · Main:主模式交换类型 · AO:Authenticaton Only交换类型 · Aggressive:野蛮模式交换类型 · Info:infomational exchange交换类型 · Mode cfg:配置模式交换类型 |
Invalid Non-ESP marker: marker. | 无效的Non-ESP标识:marker |
The received packet is too short, which is length bytes. | 收到报文的长度太小,长度为length |
Failed to receive packet. | 接收报文失败 |
Failed to bind UDP port port-number. Reason: reason. | 绑定UDP端口失败,端口号为port-number,错误原因为reason |
Failed to set UDP port port-number. Reason: reason. | 设置UDP端口失败,端口号为port-number,错误原因为reason |
Failed to add UDP port port-number to epoll. | 添加UDP端口到epoll失败,端口号为:port-number |
Failed to initiate UDP port port-number. Error code: error-number. | 初始化UDP端口失败,端口号为port-number,错误码为error-number |
byte-numberth byte of the structure struct-name must be 0. | 结构struct-name的第byte-number个字节必须为0 |
Field-name of struct-name has an unknown value: value. | 结构struct-name的域field-name的值value无效 |
field-name of struct-name has unknown members. | 结构struct-name的域field-name包含未知的成员 |
No enough bytes to get data2 from data1. | 没有足够的空间来保存从数据data1中获取的数据data2 |
No enough space in output packet for struct-name. | 报文中没有足够的空间用于保存结构struct-name |
No enough space to place length bytes of data-name in struct-name. | 结构struct-name中没有足够的空间用于保存length字节的数据 |
No enough space to place data-name in struct-name. | 结构struct-name中没有足够的空间保存数据data-name |
Failed to add the HASH payload. | 添加HASH载荷失败 |
Ignored the certificate request of type type-id. | 忽略证书请求,证书请求的类型为type-id |
Failed to get the certificate and key by certificate request. | 根据证书请求获取证书和密钥失败 |
Failed to verify the peer certificate. Reason: error-string. | 验证对端证书失败,错误原因为error-string |
Failed to find keychain keychain-name in profile profile-name. | 在IKE profile profile-name中查找keychain keychain-name失败 |
Failed to create IKE SA with core data. | 根据核心数据创建一阶段SA失败 |
Failed to create IPsec SA with core data. | 根据核心数据创建二阶段SA失败 |
Failed to receive smooth SA ACK from IPsec. | 从IPsec接收SA平滑处理的应答失败 |
Number of negotiating IKE SAs exceeded the limit. | 正在协商的IKE SA的数目超出限制 |
Number of established IKE SAs exceeded the limit. | 已经建立的IKE SA的数目超出限制 |
Attribute attribute-name is repeated. | 属性重复,属性名称为attribute-name |
Failed to construct situation. | 构造situaton字段失败 |
Failed to construct proposal payload. | 构造proposal载荷失败 |
Failed to construct transform payload. | 构造transform载荷失败 |
Failed to construct attributes. | 构造属性失败 |
Unsupported DOI doi | 不支持的DOI doi |
Proposal payload must be the last payload in SA payload, but payload-name payload is found following proposal payload. | proposal载荷必须是SA载荷中的最后一个载荷,但在proposal载荷之后还有payload-name载荷 |
Unexpected protocol ID (ID-type) found in proposal payload. | proposal载荷中的协议ID无效,协议ID号为ID-type |
Invalid SPI length (SPI-length) in proposal payload. | proposal载荷中的SPI长度无效 |
No transform payload in proposal payload. | proposal载荷中没有transform载荷 |
Transform number is not monotonically increasing. | Transform号不是单调递增的 |
Invalid transform ID: id. | 无效的transform ID:id |
No acceptable transform. | 没有可以接受的transform |
Unexpected payload-name payload in proposal. | proposal载荷中有不期望出现的载荷payload-name |
Only one transform is permitted in one proposal, but trans-count transforms are found. | 在选中的proposal载荷中只允许有一个transform,但实际有trans-count个 |
Failed to parse the IKE SA payload. | 解析IKE SA载荷失败 |
Proposal payload has more transforms than specified in the proposal payload. | proposal载荷中的transform载荷数量比proposal载荷中指定的数量多 |
Proposal payload has fewer transforms than specified in the proposal payload. | proposal载荷中的transform载荷数量比proposal载荷中指定的数量少 |
Invalid next payload (payload-type) in transform payload. | transform载荷中的next payload字段无效,载荷类型为payload-type |
SA_LIFE_TYPE attribute must be in front of the SA_LIFE_DURATION attribute. | SA_LIFE_TYPE属性必须在SA_LIFE_DURATION属性前面 |
Attribute attribute-type is repeated in IPsec transform trans-number. | 属性类型为的attribute-type属性在IPsec transform中重复,transform号为trans-number |
SA_LIFE_TYPE attribute is repeated in packet. | 属性SA_LIFE_TYPE在报文中重复 |
Unsupported IPsec attribute attribute. | 不支持的IPsec属性attribute |
SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message. | 报文中的IPsec属性SA_LIFE_TYPE后面没有SA_LIFE_DURATION属性 |
Encapsulation mode must be specified in IPsec transform. | IPsec transform中必须指定封装模式 |
AUTH_ALGORITHM attribute is missing in AH transform. | 在AH协议的transform中没有AUTH_ALGORITHM属性 |
Transform ID (id) in transform trans-number doesn't match authentication algorithm auth-algo-name (auth-algo-value). | The transform ID in the transform does not match the authentication algorithm; the transform number is trans-number, the transform ID is id, and the authentication algorithm is auth-algo-name with value auth-algo-value |
Neither encryption algorithm nor authentication algorithm is specified in ESP proposal, which is not permitted. | The ESP proposal contains neither an encryption algorithm nor an authentication algorithm, which is not permitted |
Unsupported ESP transform. | Unsupported ESP transform |
Unsupported ESP authentication algorithm. | Unsupported ESP authentication algorithm |
IPsec proposal with improper SPI size (size). | The SPI size in the IPsec proposal is wrong; the SPI size is size |
IPsec proposal contains invalid SPI (SPI). | The SPI in the IPsec proposal is invalid; its value is SPI |
Failed to get SPI from IPsec proposal. | Failed to get the SPI from the IPsec proposal |
No transform in IPsec proposal. | The IPsec proposal contains no transform |
SA payload contains more than one AH proposal with the same proposal number. | The SA payload contains multiple AH proposals with the same proposal number |
SA payload contains more than one ESP proposal with the same proposal number. | The SA payload contains multiple ESP proposals with the same proposal number |
Invalid next payload (payload-type-num) in proposal. | The next payload field in the proposal payload is invalid; its type value is payload-type-num |
Unsupported IPsec DOI situation (situation-num). | Unsupported IPsec DOI situation; its type value is situation-num |
Invalid IPsec proposal proposal-number. | Invalid IPsec proposal; the proposal number is proposal-number |
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA. | Failed to get the IPsec policy when renegotiating the IPsec SA; delete the IPsec SA |
Failed to get IPsec policy for phase 2 responder. Delete IPsec SA. | Failed to get the IPsec policy as the phase 2 responder; delete the IPsec SA |
No HASH in notification payload. | The notification payload contains no HASH |
Failed to send message to IPsec when getting SPI. | Failed to send a message to IPsec when getting the SPI |
Failed to send message to IPsec when adding SA. | Failed to send a message to IPsec when adding the SA |
Failed to send message to IPsec when deleting SA. | Failed to send a message to IPsec when deleting the SA |
Failed to send message to IPsec when getting SP. | Failed to send a message to IPsec when getting the SP |
Failed to send message to IPsec when adding DPD. | Failed to send a message to IPsec when adding DPD |
Failed to send message to IPsec when updating DPD. | Failed to send a message to IPsec when updating DPD |
Failed to send message to IPsec when deleting DPD. | Failed to send a message to IPsec when deleting DPD |
Failed to send message to IPsec when switching SA. | Failed to send a message to IPsec when switching the SA |
Failed to negotiate IKE SA. | Failed to negotiate the IKE SA |
Failed to negotiate IPsec SA. | Failed to negotiate the IPsec SA |
Errstring. Attribute attribute-name. | The error cause is errstring. The related attribute name is attribute-name. Errstring can be one of: · Unsupported encryption algorithm: enc-alg: the encryption algorithm enc-alg is not supported · Unsupported HASH algorithm: hash-alg: the HASH algorithm hash-alg is not supported · Unsupported authentication method: auth-meth: the authentication method auth-meth is not supported · Unsupported DH group: group-name: the DH group group-name is not supported · Unsupported lifetime type: lifetime-type: the lifetime type lifetime-type is not supported · OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute.: the OAKLEY_LIFE_DURATION attribute is not preceded by the OAKLEY_LIFE_TYPE attribute · OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute: the OAKLEY_KEY_LENGTH attribute is not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute · OAKLEY_KEY_LENGTH attribute not match OAKLEY_ENCRYPTION_ALGORITHM.: the OAKLEY_KEY_LENGTH attribute does not match the OAKLEY_ENCRYPTION_ALGORITHM attribute · Failed to get encryption algorithm: failed to get the encryption algorithm · Unsupported OAKLEY attribute attribute: the OAKLEY attribute attribute is not supported |
Failed to match the proposal. | Failed to match the proposal |
Received invalid SPI message from IPsec, but no IKE SA exists. | Received an invalid SPI message from IPsec, but no IKE SA exists |
Failed to get subject name from certificate. | Failed to get the subject name from the certificate |
Failed to get local certificate. | Failed to get the local certificate |
Failed to send notification packet for deleting IPsec SA, because of no corresponding IKE SA. | Failed to send the notification packet when deleting the IPsec SA, because no corresponding IKE SA was found |
Failed to construct certificate request payload. | Failed to construct the certificate request payload |
Unsupported attribute attribute-type. | Unsupported attribute; the attribute type is attribute-type |
Invalid major version(version). | Invalid major version; the major version is version |
Constructed SA payload. | Constructed the SA payload |
Failed to get UDP socket. | Failed to get the UDP socket |
Failed to parse the Cert Request payload. | Failed to parse the certificate request message |
No available proposal. | No proposal is available |
Obtained profile ProfileName. | Obtained the profile named ProfileName |
Deleted GDOI GM IKE SA. | Deleted the GDOI GM IKE SA |
Table 2-2 Output description for the debugging ike event command
Field | Description |
Signature verification succeeded. | Signature verification succeeded |
HASH verification succeeded. | HASH verification succeeded |
Delete IPsec SAs. | Delete the IPsec SAs |
Delete IKE SA with connection ID id. | Delete the IKE SA; the connection ID is id |
Update DPD configuration in IKE SA. | Update the DPD configuration in the phase 1 SA |
Notify IPsec to add DPD. | Notify IPsec to add DPD |
Notify IPsec to delete DPD. | Notify IPsec to delete DPD |
Notify IPsec to update DPD. | Notify IPsec to update DPD |
Process interface interface-type interface-num active event. | Process the interface activation event; the interface name is interface-type interface-num |
Process interface interface-name deactive event. | Process the interface deactivation event; the interface name is interface-type interface-num |
Process interface interface-name delete event. | Process the interface deletion event; the interface name is interface-type interface-num |
The board chassis chassis-num slot slot-num is inserted. | A board is inserted into slot slot-number of member device chassis-number |
Protocol/port in phase 1 ID payload is protocol-number/port-number, which is acceptable. | The protocol number/port number in the phase 1 ID payload is protocol-number/port-number, which is acceptable |
Begin to construct IPsec SA delete packet. | Begin to construct the phase 2 SA delete packet |
Delete IKE SA with connection ID id. | Delete the phase 1 SA; the connection ID is id |
Received IPsec SA delete packet. | Received a phase 2 SA delete packet |
Process delete payload. | Process the delete payload |
Ignore delete payload: packet not encrypted or IKE SA not established. | Ignore the delete payload: the packet is not encrypted or the phase 1 SA is not established |
Received SA acquire message from IPsec. | Received an SA acquire message from IPsec |
Received IPsec capability. | Received the IPsec capability |
Received smooth IPsec SA ACK. | Received the smooth IPsec SA ACK |
IKE keepalive timed out. Delete IKE SA with connection ID id. | The IKE keepalive timer timed out; delete the phase 1 SA with connection ID id |
Reset IKE keepalive timeout timer. New time value is time | Reset the IKE keepalive timeout timer; the new time value is time |
I am behind NAT. | The local end is behind a NAT device |
Peer is behind NAT. | The peer is behind a NAT device |
No need to float port. | No need to float the port |
Float port to local port local-port and remote port remote-port | Float the port; the local port is local-port and the remote port is remote-port |
Sending DPD packet of type type with sequence number seq-no. | Send a DPD packet of type type with sequence number seq-no |
Delete IKE SA by received notification. | Delete the phase 1 SA according to the received error notification packet |
INITIAL-CONTACT message is dropped because of not being encrypted. | The INITIAL-CONTACT message is not encrypted; drop it |
Delete redundant SA. | Delete the redundant SA |
Length (length) of notification packet is invalid. | The length of the notification packet is invalid; the length is length |
Protocol-ID (ID) of notification packet is unsupported. | The protocol ID in the notification packet is not supported: ID |
Notification notification-name is received. | Received the notification packet notification-name |
Inbound flow: dst-addr->src-addr | Inbound flow: destination address->source address |
Outbound flow: src-addr->dst-addr | Outbound flow: source address->destination address |
Validated hash-name successfully. | HASH verification succeeded; the HASH name is hash-name |
Getting IPsec message timed out. Delete IPsec SA. | Getting the IPsec message timed out; delete the phase 2 SA |
Protocol: protocol | The security protocol is protocol (AH or ESP) |
Inbound SPI: in-spi | The inbound SPI value is in-spi |
Outbound SPI: out-spi | The outbound SPI value is out-spi |
Install IPsec SAs. | Install the IPsec SAs |
Lifetime in seconds: seconds | The SA lifetime is seconds seconds |
Lifetime in kilobytes: bytes | The SA lifetime is bytes kilobytes |
Phase 2 Exchange chooses role: Local is initiator. | The phase 2 exchange chooses a role: the local end is the initiator |
Phase 2 Exchange chooses role: Local is responder. | The phase 2 exchange chooses a role: the local end is the responder |
Begin Quick mode exchange. | Begin the quick mode exchange |
No enough space to send packet. | Not enough space to send the packet |
Retransmittion of phase 1 packet timed out. | Retransmission of the phase 1 packet timed out |
Ignore phase 1 packet retransmit timeout event. | Ignore the phase 1 packet retransmission timeout event |
Retransmittion of phase 2 packet timed out. | Retransmission of the phase 2 packet timed out |
Ignore phase 2 packet retransmit timeout event. | Ignore the phase 2 packet retransmission timeout event |
Phase 1 Exchange chooses role: Local is initiator. | The phase 1 exchange chooses a role: the local end is the initiator |
Phase 1 Exchange chooses role: Local is responder. | The phase 1 exchange chooses a role: the local end is the responder |
Phase 1 packet is malformed: Not starting with an SA payload. | The phase 1 packet is malformed: it does not start with an SA payload |
Phase2 packet is malformed: Not starting with an HASH payload. | The phase 2 packet is malformed: it does not start with a HASH payload |
Quick mode packet is received, but IKE SA does not exist. | Received a quick mode packet, but the phase 1 SA does not exist |
Quick mode packet is received, but IKE SA is incomplete. | Received a quick mode packet, but the phase 1 SA is incomplete |
Ignored delete SA payload because the IKE SA is not established. | Ignored the delete SA packet because the IKE SA does not exist |
Ignored delete SA payload because the packet is not encrypted. | Ignored the delete SA packet because the packet is not encrypted |
Received informational exchange packet, but IKE SA is inexistent or incomplete. | Received an informational exchange packet, but the phase 1 SA does not exist or is incomplete |
Received keepalive packet, but IKE SA is not existed. | Received an IKE keepalive packet, but the phase 1 SA does not exist |
Received keepalive packet, but it is not encrypted. | Received an IKE keepalive packet, but it is not encrypted |
Received keepalive packet, but IKE SA is incomplete. | Received an IKE keepalive packet, but the phase 1 SA is incomplete |
Ignore NAT keepalive packet. | Ignore the NAT keepalive packet |
Initialize UDP port. | Initialize the UDP port |
PKI data had been changed. | The PKI data has changed |
Found pre-shared key that matches address address in keychain keychain-name. | Found a pre-shared key in keychain keychain-name that matches address address |
Pre-shared key matching address address not found. | No pre-shared key matching address address was found |
Found keychain keychain-name in profile profile-name successfully. | Found keychain keychain-name in IKE profile profile-name |
Get profile profile-name. | Get IKE profile profile-name |
Initiator created an SA for peer address, local port local-port, remote port remote-port. | The initiator created an SA; the peer address is address, the local port is local-port, and the remote port is remote-port |
Set IKE SA state to state-name. | Set the phase 1 SA state to state-name |
IKE SA state changed from state1 to state2. | The phase 1 SA state changed from state1 to state2 |
Set IPsec SA state to state-name. | Set the phase 2 SA state to state-name |
IPsec SA state changed from state1 to state2. | The phase 2 SA state changed from state1 to state2 |
Responder created an SA for peer address, local port local-port, remote port remote-port. | The responder created an SA; the peer address is address, the local port is local-port, and the remote port is remote-port |
Delete IPsec SA. | Delete the phase 2 SA |
Oakley transform trans-number is acceptable. | The Oakley transform is acceptable; the transform number is trans-number |
Begin mode mode exchange. | Begin the IKE exchange in mode mode |
IKE SA not found. Initiate IKE SA negotiation. | No phase 1 SA exists; initiate phase 1 SA negotiation |
IKE SA is prepared for renegotiation. | The phase 1 SA is ready for renegotiation |
IKE SA is expired. | The phase 1 SA lifetime has expired |
Renegotiation has already started for this IKE SA. | Renegotiation has already started for this IKE SA |
IKE SA with connection ID connection-id has expired, and it will be deleted. | The phase 1 SA lifetime has expired and the SA will be deleted; the connection ID is connection-id |
IPsec SA is being negotiated. | The phase 2 SA is being negotiated |
IPsec SA has expired and will be deleted. | The lifetime has expired; delete the phase 2 SA |
IKE thread thread-id processes a job. | IKE thread thread-id processes a job |
IKE thread thread-id processes a CTL-Queue msg. | IKE thread thread-id processes a control queue message |
Vendor ID verdor-id is matched. | Matched vendor ID verdor-id |
No vendor ID is matched. | No vendor ID matched |
IKE SA is soft expired(Timer handle: %u, Icookie: %s), renegotiate IKE SA. | The IKE SA time-based soft lifetime has expired; renegotiation will be initiated |
IKE SA is soft expired(Timer handle: %u, Icookie: %s), no need to renegotiate IKE SA. | The IKE SA time-based soft lifetime has expired; no renegotiation is needed |
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), will be renegotiated. | The IPsec SA time-based soft lifetime has expired; renegotiation will be initiated |
IPsec SA is soft expired(timer handle:%u, message ID: 0x%x), no need to renegotiate. | The IPsec SA time-based soft lifetime has expired; no renegotiation is needed |
IPsec SA is traffic expired(SPI:%u), will be renegotiated. | The IPsec SA traffic-based soft lifetime has expired; renegotiation will be initiated |
IPsec SA is traffic expired(SPI:%u), no need to renegotiate. | The IPsec SA traffic-based soft lifetime has expired; no renegotiation is needed |
Succeed to set responder-only flag for P1SA. | Successfully set the responder-only flag for the phase 1 SA |
Succeed to set responder-only flag for P2SA. | Successfully set the responder-only flag for the phase 2 SA |
Table 2-3 Output description for the debugging ike packet command
Field | Description |
Construct authentication data by pre-shared key. | Construct the authentication data from the pre-shared key |
Verify HASH payload. | Verify the HASH payload |
Construct authentication data by private key. | Construct the authentication data from the private key |
Verify signature payload. | Verify the signature payload |
DPD packet with sequence number sequence-number is received. | Received a DPD packet; the sequence number is sequence-number |
Retransmit DPD packet. | Retransmit the DPD packet |
Peer ID value: address address. | Peer ID value: address address |
Peer ID value: FQDN fqdn. | Peer ID value: FQDN fqdn |
Peer ID value: User FQDN user-fqdn. | Peer ID value: user FQDN user-fqdn |
Peer ID value: DN DN-value | Peer ID value: DN; the DN content is DN-value |
Peer ID type: ID-type (value). | Peer ID type: ID-type; the type value is value |
Local ID type: ID-type (value). | Local ID type: ID-type; the type value is value |
Local ID value: ID-value. | Local ID value: ID-value |
Construct ID payload. | Construct the ID payload |
The profile profile-name is matched. | Matched profile profile-name |
No profile is matched. | No profile matched |
Process ID payload. | Process the ID payload |
Construct notification packet: notification-type. | Construct a notification packet: notification-type |
Construct delete payload. | Construct the delete payload |
The phase 1 delete packet is received. | Received a phase 1 delete packet |
The cookies' length (length) is invalid. | The cookie length length is invalid |
Construct KE payload. | Construct the KE payload |
Process KE payload. | Process the KE payload |
Send keepalive packet with sequence number sequence-number. | Send an IKE keepalive packet; the sequence number is sequence-number |
Process keepalive packet with sequence number sequence-number. | Process an IKE keepalive packet; the sequence number is sequence-number |
Construct NAT-D payload. | Construct the NAT-D payload |
Received count NAT-D payloads. | Received NAT-D payloads; the count is count |
Construct NONCE payload. | Construct the NONCE payload |
Process NONCE payload. | Process the NONCE payload |
Construct INITIAL-CONTACT payload. | Construct the INITIAL-CONTACT payload |
Construct SA payload. | Construct the SA payload |
Construct IPsec ID payload. | Construct the IPsec ID payload |
Process HASH payload. | Process the HASH payload |
Construct IPsec SA payload. | Construct the IPsec SA payload |
Construct HASH(3) payload. | Construct the HASH(3) payload |
Process IPsec ID payload. | Process the IPsec ID payload |
Construct NAT-OA payload. | Construct the NAT-OA payload |
Process NAT-OA payload: address. | Process the NAT-OA payload; the address is address |
Received count NAT-OA payloads. | Received NAT-OA payloads; the count is count |
Construct IPsec RESPONDER_LIFETIME payload. | Construct the IPsec RESPONDER_LIFETIME payload |
Construct HASH(1) payload. | Construct the HASH(1) payload |
Collision of phase 2 negotiation is found. | A phase 2 negotiation collision was found |
Construct HASH(2) payload. | Construct the HASH(2) payload |
I-Cookie: icookie R-Cookie: rcookie next payload: next-payload version: version exchange mode: mode flags: [flag] message ID: mid length: length | · Initiator cookie: icookie · Responder cookie: rcookie · Next payload: next-payload · ISAKMP version: version · Exchange mode: mode · Flags: flag · Message ID: mid · Packet length: length |
Encrypt the packet. | Encrypt the packet |
Received payload-name. | Received payload payload-name |
Sending packet to address, remote port remote-port, local port local-port. | Send the packet to address address; the remote port is remote-port and the local port is local-port |
Sending an IPv4 packet. | Send an IPv4 packet |
Sending an IPv6 packet. | Send an IPv6 packet |
Retransmit phase 1 packet. | Retransmit the phase 1 packet |
Retransmit phase 2 packet. | Retransmit the phase 2 packet |
Retransmit in response to duplicate packet. | Retransmit the corresponding response to a packet retransmitted by the peer |
Discard duplicate packet because of exhausted retransmission. | The local end has reached the maximum number of retransmissions; the duplicate packet is no longer answered and is dropped |
Discard duplicate packet with no response. | Drop the packet retransmitted by the peer without responding |
Collision of phase 1 negotiation is found. | A phase 1 negotiation collision was found |
Decrypt the packet. | Decrypt the packet |
Begin a new phase 1 negotiation as responder. | As the responder, join a new phase 1 negotiation |
Parse informational exchange packet successfully. | Parsed the informational exchange packet successfully |
Received packet from address source port source-port destination port des-port. | Received a packet from address; the source port is source-port and the destination port is des-port |
Skipping length raw bytes of name1 to get name2. | Skip length bytes of payload name1 to get the next payload name2 |
Add certificate request payload subjectname. | Add a certificate request payload; the subject name is subjectname |
Construct certificate request payload. | Construct the certificate request payload |
Received certificate request payload that contains issuer name issuer-name. | Received a certificate request payload; the issuer name is issuer-name |
Process certificate request payload. | Process the certificate request payload |
The certificate request payload is empty. | The certificate request payload is empty |
Construct certificate payload. | Construct the certificate payload |
The profile profile-name is matched by remote certificate. | Matched IKE profile profile-name by the peer certificate |
Process certificate payload. | Process the certificate payload |
Encryption algorithm is enc-algo. | The encryption algorithm is enc-algo |
HASH algorithm is hash-algo. | The HASH algorithm is hash-algo |
Authentication method is auth-method. | The authentication method is auth-method |
DH group is group. | The DH group is group |
Lifetime type is type. | The lifetime type is type; type can be: · in seconds: time-based lifetime · in kilobytes: traffic-based (byte) lifetime |
Life duration is value. | The lifetime is value |
Key length is length bytes. | The key length is length bytes |
Check ISAKMP transform trans-number. | Check the ISAKMP transform; the transform number is trans-number |
Attributes is acceptable. | The attributes are acceptable |
Construct transfrom payload for transform trans-number. | Construct the transform payload; the transform number is trans-number |
Encapsulation mode is mode. | The encapsulation mode is mode; mode can be: · Tunnel: tunnel mode · Transport: transport mode · Tunnel-UDP: UDP-encapsulated tunnel mode · Transport-UDP: UDP-encapsulated transport mode |
Set attributes according to phase 2 transform. | Set the attributes according to the phase 2 transform |
Transform ID is id. | The transform ID is id |
Construct transform 1. | Construct transform 1 |
Construct IPsec proposal proposal-number. | Construct the IPsec proposal; the proposal number is proposal-number |
Parse transform trans-number. | Parse the transform; the transform number is trans-number |
The SA_LIFE_TYPE attribute is repeated in packet. | The SA_LIFE_TYPE attribute is repeated in the packet |
Number of key rounds is round. | The number of key rounds is round |
Process IPsec SA payload. | Process the IPsec SA payload |
The attributes are unacceptable. | The attributes are unacceptable |
Construct vid-name vendor ID payload. | Construct the vendor ID payload; the vendor ID name is vid-name |
Process vendor ID payload. | Process the vendor ID payload |
HASH:value | The HASH is value |
SKEYID:value | SKEYID is value |
Extended Skeyid_e:value | The extended SKEYID_e is value |
Local generated new IV: value | The locally generated new IV is value |
SKEYID_a: value | SKEYID_a is value |
SKEYID_d: value | SKEYID_d is value |
SKEYID_e: value | SKEYID_e is value |
Encrypt IV: value | The encryption IV is value |
Encryption generated new IV: value | The new IV generated by encryption is value |
Decrypt IV: value | The decryption IV is value |
Remote new IV: value | The peer's new IV is value |
The proposal is acceptable. | The proposal is acceptable |
The proposal is unacceptable. | The proposal is unacceptable |
Table 2-4 Output description for the debugging ike dpd command
Field | Description |
Invalid I-Cookie in DPD packet: I-Cookie | The I-Cookie in the DPD packet is invalid; the I-Cookie value is I-Cookie |
Invalid R-Cookie in DPD packet: R-Cookie | The R-Cookie in the DPD packet is invalid; the R-Cookie value is R-Cookie |
DPD packet with sequence number seq-no is received. | Received a DPD packet with sequence number seq-no |
Retransmit DPD packet. | Retransmit the DPD packet |
Table 2-5 Output description for the debugging ike keepalive command
Field | Description |
Send keepalive packet with sequence number sequence number. | Send a keepalive packet with sequence number sequence number |
Sending packet to address,remote port remote-port,local port local-port. | Send the packet to address address; the remote port is remote-port and the local port is local-port |
Table 2-6 Output description for the debugging ike nat-keepalive command
Field | Description |
Sending packet to address,remote port remote-port,local port local-port. | Send the packet to address address; the remote port is remote-port and the local port is local-port |
【Examples】
# IKE-negotiated IPsec policies are configured on two security gateways. If no matching IKE proposal is found during phase 1 IKE negotiation, the following debugging information is output after the IKE error debugging switch is turned on.
<Sysname> debugging ike error
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; No acceptable transform.
// No acceptable transform
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; Failed to parse the IKE SA payload.
// Failed to parse the SA payload
# IKE-negotiated IPsec policies are configured on two security gateways, with the phase 1 negotiation mode set to main mode and the authentication method set to pre-shared key. When traffic triggers negotiation, the following debugging information is output after the IKE event debugging switch is turned on.
<Sysname> debugging ike event
<Sysname> ping -c 1 192.168.222.5
PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break
*Aug 20 19:10:37:509 2012 Sysname IKE/7/EVENT: -MDC=1; Received SA acquire message from IPsec.
// Received an SA acquire message from IPsec
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IPsec SA state to IKE_P2_STATE_INIT.
// Set the phase 2 SA state to IKE_P2_STATE_INIT
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; No IKE SA found, initiate IKE SA negotiation.
// No phase 1 SA exists; initiate phase 1 SA negotiation
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Get profile profile1.
// Get profile profile1
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Initiator create a SA for peer 192.168.222.5, local port 500, remote port 500.
// The initiator created an SA; the peer address is 192.168.222.5, the local port is 500, and the remote port is 500
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IKE SA state to IKE_P1_STATE_INIT.
// Set the phase 1 SA state to IKE_P1_STATE_INIT
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.
// IKE thread 3083549648 processes a job
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Main mode exchange.
// Begin the main mode exchange
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; Found pre-shared key that matches address 192.168.222.5 in keychain keychain1.
// Found a pre-shared key in keychain keychain1 that matches address 192.168.222.5
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
// The phase 1 SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3008052176 processes a job.
// IKE thread 3008052176 processes a job
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Oakley transform 1 is acceptable.
// The Oakley transform is acceptable; the transform number is 1
*Aug 20 19:10:37:520 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID NAT-T rfc3947.
// Matched vendor ID NAT-T rfc3947
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.
// The phase 1 SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:566 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3083549648 processes a job.
// IKE thread 3083549648 processes a job
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; Match the vendor ID DPD.
// Matched vendor ID DPD
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.
// The phase 1 SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.
// IKE thread 3075161040 processes a job
*Aug 20 19:10:37:584 2012 Sysname IKE/7/EVENT: -MDC=1; Verify HASH successfully.
// HASH verification succeeded
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.
// The phase 1 SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3075161040 processes a job.
// IKE thread 3075161040 processes a job
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; Begin Quick mode exchange.
// Begin the quick mode exchange
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
// The phase 2 SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3066772432 processes a job.
// IKE thread 3066772432 processes a job
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
// The phase 2 SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3033218000 processes a job.
// IKE thread 3033218000 processes a job
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Validate HASH(2) successfully.
// HASH(2) verification succeeded
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.
// Install the IPsec SAs
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; inbound flow: 192.168.222.5/32->192.168.222.71/32
// The inbound flow is 192.168.222.5/32->192.168.222.71/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; outbound flow: 192.168.222.71/32->192.168.222.5/32
// The outbound flow is 192.168.222.71/32->192.168.222.5/32
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime second: 3600
// The lifetime is 3600 seconds
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Lifetime kilobytes: 1843200
// The lifetime is 1843200 kilobytes
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; protocol: 51
inbound SPI: 54e4913
outbound SPI: 44213487
// The protocol is 51, the inbound SPI is 54e4913, and the outbound SPI is 44213487
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.
// The phase 2 SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED
*Aug 20 19:10:37:593 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3087980192 processes a Control-Queue msg.
// IKE thread 3087980192 processes a control queue message
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3041606608 processes a job.
// IKE thread 3041606608 processes a job
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.
// The phase 2 SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED
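As an added example (not part of the H3C reference), the following Python parses records in the debugging output format shown above, attaches continuation lines such as the inbound/outbound SPI lines to the record they belong to, and reconstructs the phase 1 and phase 2 SA state transitions so that a stalled negotiation, a skipped state, or an ERROR record can be picked out of a long trace. The sample trace is constructed from lines on this page; the record layout beyond what the page shows, and the protocol-number names, are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines trimmed from the "debugging ike event" and
# "debugging ike error" traces on this page, not a live capture.
SAMPLE = """\
*Aug 20 19:10:37:509 2012 Sysname IKE/7/EVENT: -MDC=1; Received SA acquire message from IPsec.
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IPsec SA state to IKE_P2_STATE_INIT.
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; No IKE SA found, initiate IKE SA negotiation.
*Aug 20 19:10:37:510 2012 Sysname IKE/7/EVENT: -MDC=1; Set IKE SA state to IKE_P1_STATE_INIT.
*Aug 20 19:10:37:511 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
*Aug 20 19:10:37:533 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND1 to IKE_P1_STATE_SEND3.
*Aug 20 19:10:37:580 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND3 to IKE_P1_STATE_SEND5.
*Aug 20 19:10:37:585 2012 Sysname IKE/7/EVENT: -MDC=1; IKE SA state changed from IKE_P1_STATE_SEND5 to IKE_P1_STATE_ESTABLISHED.
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
*Aug 20 19:10:37:586 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; Install IPsec SAs.
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; protocol: 51
inbound SPI: 54e4913
outbound SPI: 44213487
*Aug 20 19:10:37:592 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SEND1 to IKE_P2_STATE_SA_CREATED.
*Aug 20 19:10:37:594 2012 Sysname IKE/7/EVENT: -MDC=1; IPsec SA state changed from IKE_P2_STATE_SA_CREATED to IKE_P2_STATE_ESTABLISHED.
*Aug 20 19:19:44:543 2012 Sysname IKE/7/ERROR: -MDC=1; No acceptable transform.
"""

# A record starts with '*'; a line without that prefix continues the previous
# record (the page shows this for the protocol / inbound SPI / outbound SPI block).
RECORD_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}:\d{3} \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<kind>\w+): -MDC=(?P<mdc>\d+); (?P<msg>.*)$"
)
CHANGE_RE = re.compile(r"^(IKE|IPsec) SA state changed from (\S+) to (\S+)\.$")
SET_RE = re.compile(r"^Set (IKE|IPsec) SA state to (\S+)\.$")
SA_RE = re.compile(
    r"protocol: (\d+)\s+inbound SPI: ([0-9a-fA-F]+)\s+outbound SPI: ([0-9a-fA-F]+)")
PROTO_NAMES = {"50": "ESP", "51": "AH"}  # assumed IP protocol numbers


@dataclass
class Record:
    ts: str
    host: str
    module: str
    severity: int
    kind: str   # EVENT, ERROR or PACKET
    mdc: int
    msg: str


def parse_records(text):
    """Split a debugging trace into records, folding continuation lines in."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["host"], m["module"], int(m["severity"]),
                                  m["kind"], int(m["mdc"]), m["msg"]))
        elif records and line.strip():
            records[-1].msg += "\n" + line.strip()
    return records


def state_transitions(records):
    """Return {"IKE": [...], "IPsec": [...]} of (old_state, new_state) pairs in
    trace order; a 'Set ... state' message is recorded with old_state None."""
    trans = {"IKE": [], "IPsec": []}
    for r in records:
        m = SET_RE.match(r.msg)
        if m:
            trans[m[1]].append((None, m[2]))
            continue
        m = CHANGE_RE.match(r.msg)
        if m:
            trans[m[1]].append((m[2], m[3]))
    return trans


def installed_sas(records):
    """Extract the protocol and SPI pair logged when IPsec SAs are installed."""
    sas = []
    for r in records:
        m = SA_RE.search(r.msg)
        if m:
            sas.append({"protocol": PROTO_NAMES.get(m[1], m[1]),
                        "inbound_spi": int(m[2], 16),
                        "outbound_spi": int(m[3], 16)})
    return sas


def check_negotiation(records):
    """Summarise whether both phases completed, which ERROR records appeared,
    and where the trace jumps over a state (old state != previous new state)."""
    trans = state_transitions(records)
    gaps = []
    for sa, steps in trans.items():
        prev = None
        for old, new in steps:
            if old is not None and prev is not None and old != prev:
                gaps.append((sa, prev, old))
            prev = new
    return {
        "phase1_established": any(n == "IKE_P1_STATE_ESTABLISHED" for _, n in trans["IKE"]),
        "phase2_established": any(n == "IKE_P2_STATE_ESTABLISHED" for _, n in trans["IPsec"]),
        "errors": [r.msg for r in records if r.kind == "ERROR"],
        "gaps": gaps,
    }
```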
# IKE-negotiated IPsec policies are configured on two security gateways, with the phase 1 negotiation mode set to main mode and the authentication method set to pre-shared key. When traffic triggers negotiation, the following debugging information is output after the IKE packet debugging switch is turned on.
<Sysname> debugging ike packet
<Sysname> ping -c 1 192.168.222.5
PING 192.168.222.5 (192.168.222.5): 56 data bytes, press CTRL_C to break
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.
// The encryption algorithm is 3DES-CBC
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Hash algorithm is HMAC-MD5.
// The HASH algorithm is HMAC-MD5
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; DH group 1.
// The DH group is 1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.
// The authentication method is Pre-shared key
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// The lifetime type is Life type in seconds
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.
// The lifetime is 86400
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform payload 1.
// Construct the transform payload; the transform number is 1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct SA payload.
// Construct the SA payload
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T rfc3947 vendor ID payload.
// Construct the vendor ID payload; the vendor ID name is NAT-T rfc3947
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft3 vendor ID payload.
// Construct the vendor ID payload; the vendor ID name is NAT-T draft3
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft2 vendor ID payload.
// Construct the vendor ID payload; the vendor ID name is NAT-T draft2
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-T draft1 vendor ID payload.
// Construct the vendor ID payload; the vendor ID name is NAT-T draft1
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 local port 500, remote port 500.
// Send the packet to address 192.168.222.5; the local port is 500 and the remote port is 500
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 164
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 0000000000000000
// Next payload: SA
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 164
*Aug 20 19:18:34:125 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5; the source port is 500 and the destination port is 500
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 104
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: SA
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 104
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received IKE Security Association Payload.
// Received the SA payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.
// Received the vendor ID payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process SA payload.
// Process the SA payload
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Check ISAKMP transform 1.
// Check the ISAKMP transform; the transform number is 1
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption algorithm is 3DES-CBC.
// The encryption algorithm is 3DES-CBC
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; HASH algorithm is HMAC-MD5.
// The HASH algorithm is HMAC-MD5
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; DH group is 1.
// The DH group is 1
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication method is Pre-shared key.
// The authentication method is Pre-shared key
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// The lifetime type is Life type in seconds
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 86400.
// The lifetime is 86400
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Attribuites is acceptable.
// The attributes are acceptable
*Aug 20 19:18:34:127 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.
// Process the vendor ID payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct KE payload.
// Construct the KE payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.
// Construct the NONCE payload
*Aug 20 19:18:34:137 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NAT-D payload.
// Construct the NAT-D payload
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Construct DPD vendor ID payload.
// Construct the DPD vendor ID payload
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5 , remote port 500 ,local port 500.
// Send the packet to address 192.168.222.5; the remote port is 500 and the local port is 500
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 208
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: KE
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 208
*Aug 20 19:18:34:138 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// Received a packet from 192.168.222.5; the source port is 500 and the destination port is 500
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ ]
message ID: 0
length: 208
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: KE
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ ]
// Message ID: 0
// Length: 208
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Key ExchangePayload.
// Received the ISAKMP Key Exchange payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.
// Received the ISAKMP Nonce payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.
// Received the ISAKMP NAT-D payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP NAT-D Payload.
// Received the ISAKMP NAT-D payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Vendor ID Payload.
// Received the ISAKMP Vendor ID payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process KE payload.
// Process the KE payload
*Aug 20 19:18:34:171 2012 Sysname IKE/7/PACKET: -MDC=1; Process NONCE payload.
// Process the NONCE payload
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID:
989e79e1 620ff603 a76bb9b9 7d88a19c
// SKEYID is 989e79e1 620ff603 a76bb9b9 7d88a19c
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_d:
6fd7bd8f faf8480a af6c4813 4011cadd
// SKEYID_d is 6fd7bd8f faf8480a af6c4813 4011cadd
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_a:
cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f
// SKEYID_a is cd0aeaf8 6bb94aa3 3ad50fe4 7fb0464f
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; SKEYID_e:
795d3765 91083053 65cacc69 000ffe09
// SKEYID_e is 795d3765 91083053 65cacc69 000ffe09
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Extended SKEYID_e:
d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be
// The extended SKEYID_e is d554084f a2a9237a 9c141dac a41c86e9 8aa14807 14db45be
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local generated new IV:
add7096a 4b961742
// The locally generated new IV is add7096a 4b961742
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Received 2 NAT-D payload.
// Received NAT-D payloads; the count is 2
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID type: IPV4_ADDR.
// The local ID type is IPV4_ADDR
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Local ID value: 192.168.222.71.
// The local ID value is 192.168.222.71
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct ID payload.
// Construct the ID payload
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Hash:
c5d733fa e6d1a6af ded56c05 de989aad
// The HASH is c5d733fa e6d1a6af ded56c05 de989aad
*Aug 20 19:18:34:184 2012 Sysname IKE/7/PACKET: -MDC=1; Construct authentication by pre-shared key.
// Construct the authentication data from the pre-shared key
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Construct INITIAL-CONTACT payload.
// Construct the INITIAL-CONTACT payload
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.
// Encrypt the packet
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
add7096a 4b961742
// The encryption IV is add7096a 4b961742
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Encryption generated New IV: ae230a1d 7cb77287
// The new IV generated by encryption is ae230a1d 7cb77287
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Process vendor ID payload.
// Process the vendor ID payload
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// Send the packet to address 192.168.222.5; the remote port is 500 and the local port is 500
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ENCRYPT]
message ID: 0
length: 92
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: ID
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ENCRYPT]
// Message ID: 0
// Length: 92
*Aug 20 19:18:34:185 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// Send an IPv4 packet
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5, source port 500 destination port 500.
// Received a packet from 192.168.222.5; the source port is 500 and the destination port is 500
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1;
I-cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: [ENCRYPT]
message ID: 0
length: 60
// Initiator cookie: 3519bdda65bfeaaa
// Responder cookie: 078711749a32520c
// Next payload: ID
// Version: ISAKMP Version 1.0
// Exchange mode: Main
// Flags: [ENCRYPT]
// Message ID: 0
// Length: 60
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.
// Decrypt the packet
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
ae230a1d 7cb77287
// The decryption IV is ae230a1d 7cb77287
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4c788f75 c7ad88ab
// The peer's new IV is 4c788f75 c7ad88ab
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload.
// Received the ISAKMP Identification payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.
// Received the ISAKMP Hash payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Process ID payload.
// Process the ID payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID type: IPV4_ADDR.
// The peer ID type is IPV4_ADDR
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Peer ID value: address 192.168.222.5.
// The peer ID value is 192.168.222.5
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; Verify HASH payload.
// Verify the HASH payload
*Aug 20 19:18:34:188 2012 Sysname IKE/7/PACKET: -MDC=1; HASH:
f510f1f8 1d205e1c 9aa31c42 00b3ab9a
// The HASH is f510f1f8 1d205e1c 9aa31c42 00b3ab9a
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Set attributes by phase 2 transform.
// Set the attributes according to the phase 2 transform
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.
// The encapsulation mode is Tunnel
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in seconds
// The lifetime type is Life type in seconds
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.
// The lifetime is 3600
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life type in kilobytes
// The lifetime type is Life type in kilobytes
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.
// The lifetime is 1843200
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1
// The authentication algorithm is HMAC-SHA1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.
// The transform ID is HMAC-SHA1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct transform 1.
// Construct transform 1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec proposal 1.
// Construct the IPsec proposal; the proposal number is 1
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec SA payload.
// Construct the IPsec SA payload
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct NONCE payload.
// 构造NONCE载荷
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.
// 构造IPsec ID载荷
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct IPsec ID payload.
// 构造IPsec ID载荷
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(1) payload.
// 构造HASH(1)载荷
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt packet.
// 加密报文
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
836eddd9 ed30acf7
// 加密IV为836eddd9 ed30acf7
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
3b143591 5c647ff2
// 加密时新生成的IV为3b143591 5c647ff2
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.22
2.5, remote port 500, local port 500.
// 发送报文到地址192.168.222.5,对端端口号为500,本端端口号为500
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 156
// 发起方cookie为:3519bdda65bfeaaa
// 响应方cookie为:078711749a32520c
// 下一个载荷为:HASH
// 版本为:ISAKMP Version 1.0
// 协商模式为:Quick
// 标识为:[ENCRYPT]
// Message ID为:8a9c07c1
// 长度为:156
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// 发送一个IPv4报文
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
// 收到的192.168.222.5报文,源端口为500,目的端口为500
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 156
// 发起方cookie为:3519bdda65bfeaaa
// 响应方cookie为:078711749a32520c
// 下一个载荷为:HASH
// 版本为:ISAKMP Version 1.0
// 协商模式为:Quick
// 标识为:[ENCRYPT]
// Message ID为:8a9c07c1
// 长度为:156
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt the packet.
// 加密报文
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
3b143591 5c647ff2
// 解密IV为3b143591 5c647ff2
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4914de5c 11d57f5c
// 对端新IV为4914de5c 11d57f5c
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Hash Payload.
// 收到ISAKMP Hash 载荷
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Security Asso
ciation Payload.
// 收到ISAKMP Security Association载荷
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Nonce Payload.
// 收到ISAKMP Nonce载荷
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).
// 收到ISAKMP Identificatio载荷(IPsec DOI)
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received ISAKMP Identification Payload (IPsec DOI).
// 收到ISAKMP Identificatio载荷(IPsec DOI)
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process HASH payload.
// 处理HASH载荷
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec SA payload.
// 处理IPsec SA载荷
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Check IPsec proposal 1.
// 检查IPsec proposal,proposal号为1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Parse transform 1.
// 解析transform,transform号为1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Encapsulation mode is Tunnel.
// 封装模式为Tunnel
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in seconds.
// 生命周期类型为Life type in seconds
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 3600.
// 生命周期为3600
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Lifetime type is Life type in kilobytes.
// 生命周期类型为Life type in kilobytes
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Life duration is 1843200.
// 生命周期为1843200
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Authentication algorithm is HMAC-SHA1.
// 认证算法为HMAC-SHA1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Transform ID is HMAC-SHA1.
// Transform ID为HMAC-SHA1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; The attributes are unacceptable.
// 属性是可接受的
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.
// 处理IPsec ID载荷
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Process IPsec ID Payload.
// 处理IPsec ID载荷
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Construct HASH(3) payload.
// 构造HASH(3)载荷
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt the packet.
// 加密报文
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
4914de5c 11d57f5c
// 加密IV为4914de5c 11d57f5c
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
ecfa444e ed72ab05
// 加密时新生成的IV为ecfa444e ed72ab05
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
// 发送报文到地址192.168.222.5,对端端口号为500,本端端口号为500
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: [ENCRYPT]
message ID: 8a9c07c1
length: 52
// 发起方cookie为:3519bdda65bfeaaa
// 响应方cookie为:078711749a32520c
// 下一个载荷为:HASH
// 版本为:ISAKMP Version 1.0
// 协商模式为:Quick
// 标识为:[ENCRYPT]
// Message ID为:8a9c07c1
// 长度为:52
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending an IPv4 packet.
// 发送一个IPv4报文
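A trace like the one above is long, and the detail a troubleshooter most often needs (which packets belong to which exchange, whether the cookies stay constant, and whether the CBC IVs chain correctly from packet to packet) is scattered across many lines. The following Python script is an added example, not code from the H3C reference: it parses the `debugging ike packet` output into one record per sent or received ISAKMP packet and then verifies the IV chain per message ID. `SAMPLE_TRACE` is the Quick Mode part of the trace above with the explanatory comment lines removed; the script assumes the `*<timestamp> <sysname> IKE/7/PACKET: -MDC=<n>; ` prefix is constant and that bare hex lines always follow the `Encrypt IV:`, `Decrypt IV:`, `Remote New IV:` and `Encrypted Generate New IV:` lines as they do on this page.

```python
"""Parse an H3C 'debugging ike packet' trace and check the ISAKMP IV chain.

Added example, not code from the H3C reference. SAMPLE_TRACE is the Quick
Mode part of the trace above with the comment lines removed; the
'*<timestamp> <sysname> IKE/7/PACKET: -MDC=<n>; ' prefix is assumed constant.
"""
import re

PREFIX = re.compile(r"IKE/7/PACKET: -MDC=\d+;\s*(.*)$")
# debug line whose value follows on the next bare line -> packet field it fills
HEX_FIELDS = {"Encrypt IV:": "encrypt_iv", "Encrypted Generate New IV:": "new_iv",
              "Decrypt IV:": "decrypt_iv", "Remote New IV:": "remote_new_iv",
              "HASH:": "hash"}
OUTBOUND = ("encrypt_iv", "new_iv")   # printed before the 'Sending packet' line


def parse_trace(text):
    """Return one dict per sent/received ISAKMP packet, in trace order."""
    packets, pending, expect = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX.search(line)
        if m:                                      # prefixed debug line
            body = m.group(1).strip()
            expect = HEX_FIELDS.get(body)
            if body.startswith("Encryption generated New IV:"):
                pending["new_iv"] = body.split(":", 1)[1].strip()
            elif body.startswith("Sending packet to"):
                peer = body[len("Sending packet to"):].split(",")[0].strip()
                packets.append(dict(direction="sent", peer=peer, **pending))
                pending = {}
            elif body.startswith("Received packet from"):
                peer = body[len("Received packet from"):].split(",")[0].split()[0]
                packets.append(dict(direction="received", peer=peer))
        elif expect:                               # bare hex value line
            target = pending if expect in OUTBOUND or not packets else packets[-1]
            target[expect] = line
            expect = None
        elif ":" in line and packets:              # ISAKMP header field
            key, val = (s.strip() for s in line.split(":", 1))
            packets[-1][key.lower()] = val
    return packets


def check_iv_chain(packets):
    """Check CBC IV chaining per message ID (RFC 2409, Appendix B): the IV that
    decrypts a received packet must be the one our previous encryption in that
    exchange produced, and the IV we encrypt with must be the one the peer's
    previous packet in that exchange left behind. Returns a list of findings."""
    findings, last_iv = [], {}                 # message ID -> IV left by previous packet
    cookies = {(p.get("i-cookie"), p.get("r-cookie")) for p in packets}
    if len(cookies) > 1:
        findings.append("trace mixes %d ISAKMP SAs (cookie pairs)" % len(cookies))
    for n, p in enumerate(packets, 1):
        msgid, inbound = p.get("message id"), p["direction"] == "received"
        used = p.get("decrypt_iv" if inbound else "encrypt_iv")
        if msgid in last_iv and used and used != last_iv[msgid]:
            findings.append("packet %d (%s, message ID %s): IV %s does not chain from %s"
                            % (n, p["direction"], msgid, used, last_iv[msgid]))
        left = p.get("remote_new_iv" if inbound else "new_iv")
        if left:
            last_iv[msgid] = left
    return findings


SAMPLE_TRACE = """\
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
836eddd9 ed30acf7
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
3b143591 5c647ff2
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
*Aug 20 19:18:34:189 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
exchange mode: Quick
message ID: 8a9c07c1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Received packet from 192.168.222.5 source port 500 destination port 500.
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
exchange mode: Quick
message ID: 8a9c07c1
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Decrypt IV:
3b143591 5c647ff2
*Aug 20 19:18:34:193 2012 Sysname IKE/7/PACKET: -MDC=1; Remote New IV:
4914de5c 11d57f5c
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypt IV:
4914de5c 11d57f5c
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Encrypted Generate New IV:
ecfa444e ed72ab05
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1; Sending packet to 192.168.222.5, remote port 500, local port 500.
*Aug 20 19:18:34:194 2012 Sysname IKE/7/PACKET: -MDC=1;
I-Cookie: 3519bdda65bfeaaa
R-Cookie: 078711749a32520c
exchange mode: Quick
message ID: 8a9c07c1
"""
```

Run against the sample, `check_iv_chain(parse_trace(SAMPLE_TRACE))` returns an empty list because every decryption IV equals the IV the previous encryption produced and the final encryption reuses the IV the peer left. A non-empty list usually means the trace mixes packets of more than one exchange, or that an IV line was lost in the capture; it is a useful sanity check before spending time on the payload-level messages.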
3 IKEv2
3.1 IKEv2 debugging commands
3.1.1 debugging ikev2
【Syntax】
debugging ikev2 { { all | dpd | error | internal | nat-keepalive | packet } [ remote-address { ipv4-address | ipv6 ipv6-address } [ local-address { ipv4-address | ipv6 ipv6-address } | remote-port port-number | vpn-instance vpn-instance-name ] * ] | pki }
undo debugging ikev2 { all | dpd | error | internal | nat-keepalive | packet | pki }
【Default】
All IKEv2 debugging is disabled.
【Views】
User view
【Predefined user roles】
network-admin
【Parameters】
all: Enables all IKEv2 debugging.
dpd: Enables IKEv2 DPD debugging.
error: Enables IKEv2 error debugging.
internal: Enables IKEv2 internal debugging.
nat-keepalive: Enables IKEv2 NAT keepalive debugging.
packet: Enables IKEv2 packet debugging.
pki: Enables debugging for the PKI operations performed by IKEv2.
remote-address: Filters debugging information by peer address.
local-address: Filters debugging information by local address.
ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
remote-port port-number: Filters debugging information by peer port. port-number is the peer port number, in the range of 0 to 65535.
vpn-instance vpn-instance-name: Filters debugging information by the VPN instance to which the private address belongs. vpn-instance-name is the name of an MPLS L3VPN VPN instance, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the private address does not belong to any VPN instance.
【Usage guidelines】
debugging ikev2 enables IKEv2 debugging; undo debugging ikev2 disables it. Debugging output is verbose and costs CPU on the router, so restrict it with remote-address (and local-address, remote-port or vpn-instance) to the peer under investigation, and run undo debugging ikev2 all when the troubleshooting session is over.
Table 3-1 Output fields of the debugging ikev2 error command
Field | Description |
Authorization failed. | IKEv2 failed to obtain AAA authorization attributes. |
Failed to allocate PAM handle to user user-name. | IKEv2 failed to obtain an AAA PAM handle for the user. |
Invalid major version version. | The major version number in the IKEv2 packet is incorrect. |
The address pool overlaps with an existing address pool. | The address range of the newly configured local address pool conflicts with an existing local address pool. |
Failed to compute ECDH shared key. | Failed to compute the ECDH shared key. |
Received an invalid DH group. | The received IKEv2 packet carries an incorrect or unsupported DH group number. |
Required key length (keylen) over 255 times the length of the PRF output. | During IKEv2 key derivation, the required key length exceeded 255 times the PRF output length. |
Failed to compute keys. | Failed to compute keys. |
Failed to obtain hash algorithm. | Failed to obtain the hash algorithm from the crypto library. |
Failed to obtain encryption algorithm. | Failed to obtain the encryption algorithm from the crypto library. |
Failed to obtain private key. | Failed to obtain the DSA/RSA/EC private key. |
Failed to obtain public key. | Failed to obtain the public key when signing the AUTH payload with a certificate. |
Failed to compute local authentication data. | Failed to compute the local authentication data. |
Failed to compute SKEYSEED. | Failed to compute the key seed (SKEYSEED). |
Failed to compute keying material. | Failed to compute keying material. |
Failed to create IPsec keying material. | Failed to create IPsec keying material. |
Failed to verify peer's authentication data. | Failed to verify the peer's authentication data. |
Invalid length (length) for hash-and-URL encoded certificate. | Invalid length for a hash-and-URL encoded certificate. |
A non-printable character exists in the URL of the hash-and-URL encoded certificate. Ignored the character and those that follow. | The URL in the hash-and-URL encoded certificate contains a non-printable character; the character and everything after it were ignored. |
Invalid X509 digest length (length) in Certificate Request payload. | Invalid X.509 digest length in the Certificate Request payload. |
Unsupported certificate request encoding type cert-encoding-type. | Unsupported certificate request encoding type. |
No certificate exists in payload. | The payload contains no certificate. |
Received an unsupported hash-and-URL encoded certificate. | Received a hash-and-URL encoded certificate from the peer, but the local end does not support that format. |
Failed to obtain a certificate from URL url. | Failed to obtain the certificate from the certificate server at the URL. |
Unsupported certificate encoding type cert-encoding-type. | Unsupported certificate encoding type. |
Failed to obtain certificate data. | Failed to obtain certificate data. |
Failed to construct Certificate Request payload. | Failed to construct the Certificate Request payload. |
Failed to obtain certificate and key pair. | Failed to obtain the certificate and key pair. |
Failed to obtain certificate request. | Failed to obtain the certificate request. |
Failed to construct USE_TRANSPORT notification. | Failed to construct the USE_TRANSPORT notification. |
Failed to find the Child SA for rekey. | The Child SA to be rekeyed was not found. |
Lack of SA payload. | The packet lacks an SA payload. |
Lack of TSi payload. | The packet lacks a TSi payload. |
Lack of TSr payload. | The packet lacks a TSr payload. |
Local and peer encapsulation modes not match. | The encapsulation modes of the two negotiating ends do not match. |
Failed to parse TS payload. | Failed to parse the TS payload. |
Failed to obtain IPsec policy for rekeying IKE SA. | Failed to obtain the IPsec policy when rekeying the IKE SA. |
Failed to find IKE SA for rekey. | The IKE SA to be rekeyed was not found. |
Lack of NONCE payload. | The IKEv2 packet lacks a Nonce payload. |
Failed to generate cookie. | Failed to generate a cookie. |
Invalid payload attribute: type=attribute-type, length=attribute-len. | The payload attribute of type attribute-type and length attribute-len is invalid. |
Failed to get address pool to assign internal address. | Failed to obtain the IPv4 address pool from AAA; no private address can be assigned. |
The addresses in address pool pool-name were exhausted. | The address pool has run out of addresses. |
Failed to assign an address from address pool pool-name to the peer. | Failed to assign an address from the address pool to the peer. |
Failed to get IPv6 address pool to assign internal address. | Failed to obtain the IPv6 address pool from AAA; no private address can be assigned. |
Failed to assign an address from address pool pool-name. | Failed to obtain an IP address from the address pool. |
Configuration payload attribute attribute-name ignored: unsupported attribute. | The Configuration payload attribute is not supported and was ignored. |
Unsupported Configuration payload attribute attribute-name. | Unsupported Configuration payload attribute. |
Failed to construct Configuration payload. | Failed to construct the Configuration payload. |
Unsupported Configuration payload type. | Unsupported Configuration payload type. |
Failed to construct Delete payload. | Failed to construct the Delete payload. |
Failed to send add-DPD request. | Failed to send the add-DPD request to the IPsec process. |
Failed to send delete-DPD request. | Failed to send the delete-DPD request to the IPsec process. |
Failed to increase memory for packet generator. | Failed to grow the memory buffer while constructing the packet. |
Encoding type encoding-type-name supports only 8-bit alignment. | The encoding type requires the content added to the packet to be 8-bit aligned. |
4-bit integers must be 4-bit aligned. | A 4-bit integer being added must be 4-bit aligned. |
Attribute format flag was not set. | The attribute format flag was not set. |
Failed to generate a data block at bitpos bitpos. | Failed to generate a data block at bit position bitpos of the packet. |
Invalid encoding type encoding-type in rule number. | The encoding type encoding-type in encoding rule number is invalid. |
Failed to pad data encoded by rule number of type encoding-type. | Failed to pad the packet with data encoded by rule number of encoding type encoding-type. |
Invalid ID type id-type was found during ID payload construction. | An unrecognized ID type was found while constructing the ID payload. |
Unsupported ID type (id-type). | Unsupported ID type. |
Failed to construct payload-type payload. | Failed to construct the payload. |
Received AUTHENTICATION_FAILED notification. Destroyed IKE SA. | Received an AUTHENTICATION_FAILED notification and destroyed the IKE SA. |
Profile profile-name does not exist. | The IKEv2 profile does not exist. |
No keychain found in profile profile-name. | No keychain is configured in the profile. |
No pre-shared key found. | No pre-shared key was found. |
No pre-shared key found for local or peer. | No pre-shared key was found for the local end or the peer. |
Failed to create Child SA while getting SPI. | The initiator failed to create the Child SA while obtaining the SPI (Security Parameter Index). |
Failed to find peer authentication method. | The peer authentication method was not found. |
Failed to find local pre-shared key. | The local pre-shared key was not found. |
No matching profile found. | No matching profile was found. |
Profile profile-name does not exist. | The profile does not exist. |
Peer authentication method was not specified in the profile. | No peer authentication method is configured in the profile. |
Failed to find peer pre-shared key. | The peer pre-shared key was not found. |
IPsec policy verification failed because peer ID does not match profile profile-name. | The peer identity does not match the profile, so the peer's IPsec policy verification failed. |
Lack of IDr payload. | The packet lacks the responder ID (IDr) payload. |
Peer ignored AUTH payload and proposed EAP, which was unsupported on local. | The peer omitted the AUTH payload to request EAP authentication, which the local end does not support. |
Lack of SA payload. | The packet lacks an SA payload. |
Lack of KE payload. | The packet lacks a KE payload. |
Lack of NONCE payload. | The packet lacks a Nonce payload. |
Profile profile-name not found to construct AUTH exchange request. IKEv2 negotiation terminated. | The initiator could not find the profile needed to construct the AUTH exchange request; the IKEv2 negotiation was terminated. |
Child SA not found. IKEv2 negotiation terminated. | The Child SA was not found; the negotiation was terminated. |
Failed to find Child SA. | Failed to find the Child SA. |
Authentication failed. | Authentication failed. |
Failed to create new Child SA. | Failed to create a new Child SA. |
Failed to parse KE payload. | Failed to parse the KE payload. |
Received an invalid DH group. | Received an unrecognized DH group number. |
The peer's KE payload contained an incorrect DH group. | The peer's KE payload carries an incorrect DH group. |
The local proposed DH group dh-group1 rather than DH group dh-group2. | The local end proposed DH group dh-group1, not dh-group2. |
Failed to construct KE payload. | Failed to construct the KE payload. |
Failed to parse KE payload. | Failed to parse the KE payload. |
The peer's KE payload contained an incorrect DH group. | The peer's KE payload carries an incorrect DH group. |
Failed to calculate DH public key. | Failed to compute the DH public key. |
Failed to parse payload-type payload. | Failed to parse the payload. |
Failed to parse packet due to lack of Encrypted payload. | The received IKEv2 negotiation packet has no Encrypted payload; parsing failed. |
Encrypted payload was not the last payload. | The Encrypted payload is not the last payload. |
Invalid payload length. | Invalid payload length. |
Number of received payload-type payloads exceeded the upper limit. | The number of received payloads of type payload-type exceeds the maximum. |
Number of received payload-type payloads was smaller than the lower limit. | The number of payloads of type payload-type is below the minimum. |
Invalid message: exchange type=exchange-type, request flag=flag. | Invalid message with exchange type exchange-type and request flag flag (true or false). |
Invalid message. | Invalid message. |
Failed to construct NAT-OA payload. | Failed to construct the NAT-OA payload. |
Failed to parse NAT-OA payload. | Failed to parse the NAT-OA payload. |
Failed to compute NAT-D. | Failed to compute NAT-D. |
Unrecognized protocol (protocol-id). | Unrecognized protocol number. |
Invalid data length (data-length) for notify-type notification. | Invalid notification data length for the notify-type notification. |
Local did not accept the DH group proposed by peer. | The local end does not accept the DH group proposed by the peer. |
Local does not support the DH group proposed by peer. | The local end does not support the DH group proposed by the peer. |
Failed to construct NOTIFY payload. | Failed to construct the Notify payload. |
Received an unexpected message. | The received message is not the one the local end expected. |
Received message ID out of window. | The message ID of the received packet falls outside the message window maintained by the local end. |
Received an invalid IKE SPI. | The received IKEv2 negotiation packet carries an invalid IKE SPI. |
Failed to verify message header. | Failed to verify the message header. |
Received a too small packet. | The received IKEv2 packet is too short. |
Failed to create packet. | Failed to create the packet. |
No message rules specified for exchange-type exchange. | No message rules exist for the exchange-type exchange. |
Not enough memory for sending packet. | Not enough memory to send the IKEv2 packet. |
Not enough space for Non-ESP marker in packet. | Not enough space in the packet for the Non-ESP marker. |
Not enough memory for rule number with encoding type type. | The packet parser has no memory for message rule number of encoding type type. |
Message not match the specified encoding rule and encoding type. | The message does not match the specified encoding rule and encoding type. |
Failed to parse payload-type substructure payload. | Failed to parse the substructure payload. |
Invalid length for payload-type substructure payload. | Invalid substructure payload length. |
Failed to create payload. | Failed to create the payload. |
Failed to parse payload-type payload. | Failed to parse the payload of type payload-type. |
Unsupported transform type type. | Unsupported transform type. |
Unsupported TS payload type. | Unsupported TS payload type. |
Failed to create payload-type payload. | Failed to create the payload of type payload-type. |
Failed to verify payload-type payload. | Failed to verify the payload. |
Unrecognized critical payload. | An unrecognized payload has the critical bit set. |
Failed to verify certificate. | Certificate verification failed. |
Incorrect length for SHA1 output. | The SHA1 output length is incorrect. |
Profile profile-name does not exist. | The profile does not exist. |
Keychain keychain-name does not exist. | The keychain does not exist. |
Not enough space for processing cookie in request packet. | Not enough space in the request packet to process the cookie. |
Ignored packets with outdated cookies. | Packets carrying expired cookies were ignored. |
Failed to send install-IPsec-SA request. | IKEv2 failed to send the IPsec SA installation request to IPsec. |
Failed to send switch-IPsec-SA request. | IKEv2 failed to send the IPsec SA switchover request to IPsec. |
Message ID updated: local window left=local-window-left, local window expected=local-expected, peer window left=peer-window-left, peer window expected=peer-expected | The left edge of the local window was updated to local-window-left, the message ID of the next request the local end expects to receive to local-expected, the left edge of the peer window to peer-window-left, and the message ID of the next request the peer will send to peer-expected. |
Failed to move window: Received message ID was smaller than current value. | The message ID in the received IKEv2 packet is smaller than the current value; the window could not be moved. |
Failed to create IKE SA with core data. | Failed to create the IKE SA from core data. |
Failed to create Child SA with core data. | Failed to create the Child SA from core data. |
Failed to find profile profile-name. | The IKEv2 profile was not found. |
Failed to create IKE SA: not enough memory. | Insufficient memory; failed to create the IKE SA. |
Failed to find profile profile-name. | Failed to look up the IKEv2 profile. |
Failed to create Child SA: not enough memory. | Insufficient memory; failed to create the Child SA. |
Incorrect proposal order. | The IKEv2 proposals are in the wrong order. |
Failed to verify payload-type payload. | Failed to verify the payload. |
Inconsistent next payload type. | The next payload type is inconsistent with the protocol logic. |
Invalid transform count. | The transform count in the packet does not match the number of transforms actually carried. |
Failed to add encryption algorithm attribute. | Failed to add the encryption algorithm attribute. |
Failed to add transforms to SA payload. | Failed to add transforms to the SA payload. |
Failed to add ESP encryption algorithm attribute. | Failed to add the ESP encryption algorithm attribute. |
Unsupported ESP encryption algorithm. | Unsupported ESP encryption algorithm. |
Unsupported ESP authentication algorithm. | Unsupported ESP authentication algorithm. |
Unsupported AH authentication algorithm. | Unsupported AH authentication algorithm. |
Failed to find matching IKEv2 policy. | No matching IKEv2 policy was found. |
Policy verification failed. | The IKEv2 policy in use was not found. |
Failed to find matching IKEv2 proposal. | No matching IKEv2 proposal was found. |
Failed to construct SA payload. | Failed to construct the SA payload. |
Failed to find matching IKEv2 proposal. | No matching IKEv2 proposal was found. |
Failed to add SA payload. | Failed to add the SA payload to the packet. |
Failed to find encryption algorithm during payload encryption. | The encryption algorithm was not found when encrypting the payload. |
Failed to decrypt payload: invalid payload length. | Payload decryption failed because the payload length is invalid. |
Packet integrity verification failed. | The IKEv2 packet failed the integrity check. |
Failed to encrypt payload. | Failed to encrypt the IKEv2 packet payload. |
Failed to decrypt payload. | Failed to decrypt the IKEv2 packet payload. |
Failed to parse payload-type payload. | Failed to parse the payload-type payload of the IKEv2 packet. |
IPsec process (ipsec-status) timed out and Child SA was deleted. | IPsec processing timed out (current IPsec processing state ipsec-status); the Child SA being created was deleted. |
Failed to start timer for IPsec process (ipsec-status). | Failed to start the timer that waits for IPsec processing (current IPsec processing state ipsec-status). |
Responder did not use the Transport mode. | The responder could not match transport encapsulation mode. |
Child SA already exists. | The Child SA already existed when IKEv2 tried to create it. |
Lack of SA payload. | The SA payload is missing. |
Failed to send IPsec policy request. | IKEv2 failed to send the IPsec policy request to IPsec. |
Failed to parse payloads during Child SA establishment. | Failed to parse payloads while establishing the Child SA. |
Failed to send IPsec SPI request. | IKEv2 failed to send the IPsec SPI request to IPsec. |
No matching IKE SA found. Ignored IPsec SA installation request. | No matching IKE SA was found; the IPsec SA installation request was ignored. |
Failed to find IKE SA during IPsec process (ipsec-status). | Failed to find the IKE SA during IPsec processing (state ipsec-status). |
Failed to send request to IPsec. Destroyed SA. | IKEv2 failed to send the request to IPsec and destroyed the SA. |
Failed to find IKE SA. | Failed to find the IKE SA. |
[IPsec->IKE] | Message from the IPsec module to the IKE module. |
[IPsec->IKE] Failed to find Child SA after IKE obtained IPsec policy. | After IKE obtained the IPsec policy, the Child SA was not found. |
[IPsec->IKE] Failed to process next status after IKE obtained IPsec policy. | After IKE obtained the IPsec policy, processing of the next state failed. |
[IPsec->IKE] Failed to find Child SA after IKE obtained IPsec SPI. | After IKE obtained the IPsec SPI, the Child SA was not found. |
[IPsec->IKE] Failed to process next status after IKE obtained IPsec SPI. | After IKE obtained the IPsec SPI, processing of the next state failed. |
[IPsec->IKE] Failed to find Child SA after IPsec SA was installed. | After the IPsec SA was installed, the Child SA was not found. |
[IPsec->IKE] Failed to process next status after IPsec SA was installed. | After IPsec installed the SA, IKEv2 failed to process the next state. |
Failed to construct packet. | Failed to construct the IKEv2 packet. |
Invalid port range (start port start-port, end port end-port) in TSi/TSr payload. | The port range (start-port to end-port) in the TSi or TSr payload is invalid. |
TSr protocol family tsr-family inconsistent with TSi protocol family tsi-family. | The TSr address family tsr-family is inconsistent with the TSi address family tsi-family. |
TSr protocol range inconsistent with TSi protocol range. | The TSr protocol range is inconsistent with the TSi protocol range. |
Failed to construct TSi payload. | Failed to construct the TSi payload. |
Failed to construct TSr payload. | Failed to construct the TSr payload. |
Table 3-2 Output fields of the debugging ikev2 internal command
Field | Description |
[AAA->IKE] IKE obtained authorization data from AAA. | [Message from AAA to IKE] IKE obtained authorization data from AAA. |
DH key computation succeeded. | DH key computation succeeded. |
Computed IPsec SA keying material. | Computed the IPsec SA keying material. |
Computed SKEYSEED. | Computed SKEYSEED. |
Verified peer authentication data. | Verified the peer's authentication data. |
Peer authentication data passed verification. | The peer's authentication data passed verification. |
Local authentication method is method-name. | The local authentication method is method-name. |
Generated authentication data. | Generated the authentication data. |
Constructed AUTH payload. | Constructed the AUTH payload. |
Failed to construct AUTH payload. | Failed to construct the AUTH payload. |
Constructed Certificate payload. | Constructed the Certificate payload. |
Certificate subject name subject-name | The certificate subject name is subject-name. |
Constructed Certificate Request payload. | Constructed the Certificate Request payload. |
Certificate encoding type type | The certificate encoding type is type. |
Processed Certificate payload. | Processed the Certificate payload. |
Old Child SA has been replaced. Sent TEMPORARY_FAILURE notification to peer. | The Child SA had already been replaced during rekeying; sent a TEMPORARY_FAILURE notification to the peer. |
IKE SA is busy. | The IKE SA state machine is busy. |
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the IKE SA was being deleted. | (Tunnel ID tunnel-id) Received a rekey packet from the peer while the IKE SA was being deleted. |
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the IKE SA has a half-open Child SA. | (Tunnel ID tunnel-id) Received an IKE SA rekey packet from the peer, but a Child SA of this IKE SA is still being created or rekeyed. |
(Tunnel ID tunnel-id): Received an IKE SA rekey packet, but the Child SA was being deleted. | (Tunnel ID tunnel-id) Received an IKE SA rekey packet from the peer, but a Child SA of this IKE SA is being deleted. |
Peer prefers encaps-mode mode. | The peer prefers the encaps-mode encapsulation mode. |
Received an invalid KE payload. Retried negotiation. | Received an invalid KE payload and retried the negotiation. |
IPv4 address assigned by peer: ipv4-addr | IPv4 address pushed to the local end by the peer. |
IPv6 address assigned by peer: ipv6-addr/ipv6-prefix | IPv6 address pushed to the local end by the peer. |
Subnet mask assigned by peer: mask | IPv4 subnet mask pushed to the local end by the peer. |
Constructed CP payload: cp-type. | Constructed a CP payload of type cp-type. |
Processed CP payload: cp-type. | Processed a CP payload of type cp-type. |
AAA authorization was not configured in profile profile-name. | AAA authorization is not configured in the IKEv2 profile. |
[IKE->AAA] Sent an authorization request. | [Message from IKE to AAA] IKE sent an authorization request. |
Constructed Delete payload. | Constructed the SA Delete payload. |
Processed Delete payload. | Processed the SA Delete payload. |
Constructed payload-type payload: id of type id-type. | Constructed an ID payload of type payload-type with ID type id-type and ID value id. |
Processed ID payload. | Processed the ID payload. |
Constructed empty payload for keepalive request. | Constructed an empty payload for the keepalive request. |
Received keepalive response. | Received a keepalive response. |
Peer did not accept the address assigned by local. | The peer did not accept the address assigned by the local end. |
Peer accepted the address assigned by local. | The peer accepted the address assigned by the local end. |
Selected profile profile-name. | Selected IKEv2 profile profile-name. |
Obtained pre-shared key from keychain keychain-name. | Obtained the pre-shared key from the keychain referenced by the IKEv2 profile. |
Searched for a profile matching peer ID id of type id-type. | Searched for an IKEv2 profile by the peer identity (ID type id-type, ID value id). |
Found matching profile profile-name. | Found the matching IKEv2 profile. |
Profile verification passed. | IKEv2 profile verification passed. |
Received an INVALID_KE_PAYLOAD notification. Retried negotiation. | The initiator's DH group guess failed; it received an INVALID_KE_PAYLOAD notification from the peer and restarted the negotiation. |
SA_INIT exchange completed. | The IKE_SA_INIT exchange completed. |
Constructed KE payload. | Constructed the KE payload. |
Processed KE payload. | Processed the KE payload. |
Computed DH public key by using dh-group. | Computed the DH public key using DH group dh-group. |
Peer was behind NAT. | IKEv2 detected that the peer is behind a NAT device. |
Local was behind NAT. | IKEv2 detected that the local end is behind a NAT device. |
Constructed NAT-OAi payload. | Constructed the NAT-OAi payload. |
Constructed NAT-OAr payload. | Constructed the NAT-OAr payload. |
Processed NAT discovery notification. | Processed the NAT discovery notification. |
No NAT found. | No NAT device exists between the two IKEv2 ends. |
Constructed NONCE payload. | Constructed the Nonce payload. |
Peer did not accept DH group dh-group1 and proposed DH group dh-group2. | The peer rejected DH group dh-group1 and proposed DH group dh-group2 instead. |
Constructed NOTIFY payload: notify-type. | Constructed a Notify payload of type notify-type. |
Processed notification response for IKE SA. | Processed the notification response for the IKE SA. |
Processed NOTI FY payload in AUTH exchange response. | Processed the Notify payload in the AUTH exchange response. |
Processed NOTIFY payload in Child SA exchange response. | Processed the Notify payload in the Child SA exchange response. |
Processed NOTIFY payload notify-type. | Processed a Notify payload of type notify-type. |
Searched for IKEv2 policy with VRF vrf and local address address. | Searched for the IKEv2 policy with local address address and VRF vrf. |
Used default IKEv2 policy. | Used the default IKEv2 policy. |
Obtained pre-shared key through hostname hostname. | Obtained the pre-shared key by host name. |
Matched peer name. | Matched IKEv2 peer name. |
Obtained pre-shared key through address address. | Obtained the pre-shared key by address. |
Obtained pre-shared key through ID id of type id-type. | Obtained the pre-shared key by the identity id of type id-type. |
(Tunnel ID tunnel-id): (I) Current status status | (Tunnel ID tunnel-id) Current state of the initiator (I). |
(Tunnel ID tunnel-id): (R) Current status status | (Tunnel ID tunnel-id) Current state of the responder (R). |
(Tunnel ID tunnel-id): IKE SA received an incorrect request priority. | The IKE SA (tunnel ID tunnel-id) received a request with an incorrect priority. |
Activated new request. | Activated a new request from the request queue. |
(Tunnel ID: tunnel-id): Found no duplicate IKE SA. | (Tunnel ID tunnel-id) No duplicate IKE SA was found. |
(Tunnel ID tunnel-id): Deleted negotiation context. | (Tunnel ID tunnel-id) Deleted the negotiation context. |
Next request message ID outside of window. | The message ID of the next IKE request is outside the message window. |
Message ID exceeded the limit. Waiting for rekey… | The message ID reached its maximum value; waiting for rekey. |
Reclaimed IPv4 address ipv4-addr. | Reclaimed an IPv4 address assigned by IKEv2. |
Reclaimed IPv6 address ipv6-addr ipv6-prefix. | Reclaimed an IPv6 address assigned by IKEv2. |
Deleted Child SA (message ID message-id). | Deleted the Child SA whose message ID is message-id. |
Deleted Child SA (protocol protocol SPI spi). | Deleted the Child SA with security protocol protocol (AH or ESP) and SPI spi. |
(Tunnel ID tunnel-id): Deleted IKE SA. | (Tunnel ID tunnel-id) Deleted the IKE SA. |
(Tunnel ID tunnel-id): Found duplicate IKE SA. | (Tunnel ID tunnel-id) Found a duplicate IKE SA. |
(Tunnel ID tunnel-id): Processed IKE SA rekey collision. | (Tunnel ID tunnel-id) Processed an IKE SA rekey collision. |
Transform type id | Printed a Transform payload: type type, ID id. |
Transform type id attribute | Printed a Transform payload: type type, ID id, attribute attribute. |
Proposal number | Printed a Proposal payload. |
Matched IKEv2 policy policy-name. | Matched IKEv2 policy policy-name. |
Constructed SA payload. | Constructed the SA payload. |
Processed SA payload. | Processed the SA payload. |
Used transport mode. | Negotiated in transport mode. |
Used tunnel mode. | Negotiated in tunnel mode. |
Processed TSi payload. | Processed the TSi payload. |
Processed TSr payload. | Processed the TSr payload. |
Constructed TSi payload. | Constructed the TSi payload. |
Constructed TSr payload. | Constructed the TSr payload. |
表3-3 debugging ikev2 packet命令输出信息描述表
字段 | 描述 |
Data ipv4-addr, length length | IPv4 CP载荷数据和长度 |
Data ipv6-addr/ipv6-prefix, length length | IPv6 CP载荷数据和长度 |
Attribute type type | CP载荷属性类型,可能的取值为: · INTERNAL_IP4_ADDRESS · INTERNAL_IP4_NETMASK · INTERNAL_IP4_DNS · INTERNAL_IP4_NBNS · INTERNAL_ADDRESS_EXPIRY · INTERNAL_IP4_DHCP · APPLICATION_VERSION · INTERNAL_IP6_ADDRESS · INTERNAL_IP6_NETMASK · INTERNAL_IP6_DNS · INTERNAL_IP6_NBNS · INTERNAL_IP6_DHCP · INTERNAL_IP4_SUBNET · SUPPORTED_ATTRIBUTES · INTERNAL_IP6_SUBNET · MIP6_HOME_PREFIX · INTERNAL_IP6_LINK · INTERNAL_IP6_PREFIX · HOME_AGENT_ADDRESS · INTERNAL_IP4_SERVER · INTERNAL_IP6_SERVER · UNITY_BANNER · UNITY_SAVE_PASSWD · UNITY_DEF_DOMAIN · UNITY_SPLITDNS_NAME · UNITY_SPLIT_INCLUDE · UNITY_NATT_PORT · UNITY_LOCAL_LAN · UNITY_PFS · UNITY_FW_TYPE · UNITY_BACKUP_SERVERS · UNITY_DDNS_HOSTNAME |
Assigned IPv4 address ipv4-addr from pool pool-name. | 从地址池pool-name中分配IPv4地址 |
Assigned IPv6 address ipv6-addr/ipv6-prefix from pool pool-name. | 从地址池pool-name中分配IPv6地址 |
Type type, length length | CP载荷属性,类型为type,长度为length |
Received keepalive packet. | 收到IKEv2保活检查报文 |
Responder received no AUTH request. | 响应方没有收到AUTH请求报文 |
Failed to construct ECDH public key. | 构造ECDH公钥失败 |
Unsupported DH group. | 不支持的DH号 |
Parsed the last payload (Encrypted payload). | 解析报文最后一个载荷(加密载荷) |
Payload content: | 报文载荷内容 |
Processed INVALID_SPI notification. | 处理非法SPI的通知 |
Processed INVALID_SELECTORS notification. | 处理非法selector的通知 |
Request message ID was msgid. Expected IDs were from windowleft to windowright. | 请求报文的消息ID为msgid,本端能够接收的报文消息ID窗口范围为(windowleft~windowright) |
I-SPI=i-spi R-SPI=r-spi Message ID=messge-id Exchange type=exchange-type Flags=flags Next payload=payload, length=length | IKEv2报文头信息,具体包含: · I-SPI:发起方SPI · R-SP:响应方SPI · Message ID:消息ID · Exchange type:交换类型 · Flags:请求方/响应方的标识 · Next payload:下一载荷的类型和长度 |
Received packet from peer-addr: source port source-port, destination port dest-port. | 收到来自peer-addr的对端报文源端口号为source-port,目的端口号为dest-port |
Constructed an encrypted packet. | 创建了一个被加密的报文 |
Payload content: | IKEv2报文载荷内容 |
Sent packet to address: peer port peer-port, local port local-port. | 发送报文到地址address,对端端口号为remote-port,本端端口号为local-port |
Sent an IPv4 packet. | 发送一个IPv4报文 |
Sent an IPv6 packet. | 发送一个IPv6报文 |
Current payload payload, length length, next payload next-payload | 报文载荷:当前载荷为payload,长度为length,下一载荷为next-payload |
Current payload payload, length length, DH group dh-group, next payload next-payload | 报文载荷:当前载荷为payload,长度为length,DH算法为dh-group,下一载荷为next-payload |
Current payload payload, length length, type type, next payload next-payload | Payload: current payload payload, length length, type type, next payload next-payload |
Current payload payload, length length, encoding type encoding-type, next payload next-payload | Payload: current payload payload, length length, encoding type encoding-type, next payload next-payload |
Current payload payload, length length, method method, next payload next-payload | Payload: current payload payload, length length, authentication method method, next payload next-payload |
Current payload payload, length length, type type, protocol protocol, SPI size size, next payload next-payload | Payload: current payload payload, length length, type type, protocol protocol, SPI size size, next payload next-payload |
Current payload payload, length length, type type, protocol protocol, SPI size size, SPI count spi-count, next payload next-payload | Payload: current payload payload, length length, type type, protocol protocol, SPI size size, number of SPIs spi-count, next payload next-payload |
Current payload payload, length length, selector count selector-count, next payload next-payload | Payload: current payload payload, length length, number of traffic selectors selector-count, next payload next-payload |
Last proposal number, length length | Proposal substructure: number is 0 if this is the last proposal and 2 if more proposals follow; the substructure length is length |
Proposal number, protocol protocol, SPI size size, transform count transform-count | Proposal substructure: proposal number number, protocol protocol, SPI size size, number of transforms transform-count |
Last transform value, length length | Transform substructure: value is 0 if this is the last transform and 3 if more transforms follow; the substructure length is length |
Type type, transform ID transform-id | Transform substructure: type type, transform ID transform-id |
Key length length | Transform attribute: key length length |
TS type type, IP protocol protocol, length length | TS payload: type type, protected IP protocol protocol, length length |
Start port start-port, end port end-port | TS payload: port range start-port to end-port |
Start address start-addr, end address end-addr | TS payload: address range start-addr to end-addr |
Type type, length length | CP payload attribute: type type, length length |
Current payload payload, length length, ID type type, next payload next-payload | Current payload payload, length length, ID type type, next payload next-payload |
Initiator received an INVALID_KE_PAYLOAD notification from responder who proposed DH group dh-group1. Initiator sent another INIT exchange request. | The initiator's DH group guess failed: it received an IKEV2_INVALID_KE_PAYLOAD notification from the responder, which wants to negotiate with dh-group1, so the initiator resends the INIT request |
Retransmitted the packet. | Retransmitted the IKEv2 packet |
Retransmission timed out. | The maximum number of retransmissions was exceeded; IKEv2 packet retransmission timed out |
Packet carried the same cookie as the previous packet. | The packet carries the same cookie as the previous packet |
Packet carried a different cookie than the previous packet. | The cookie in the packet differs from the previous cookie |
Keepalive check timed out. | The IKEv2 keepalive check timed out |
Retransmitted the response. | Retransmitted the IKEv2 response |
Received a packet with cookie. | Received an IKEv2 packet carrying a cookie |
Received a packet without cookie. | Received an IKEv2 packet without a cookie |
Processed response with message ID msg-id. Requests with IDs from msgleft to msgright can be sent. | Processed the response with message ID msg-id; requests with message IDs from msgleft to msgright can be sent |
Sent response with message ID msg-id. Requests with IDs from msgleft to msgright can be accepted. | Sent the response with message ID msg-id; requests with message IDs from msgleft to msgright can be accepted |
Proposal proposal-number | The proposal number within the SA payload is proposal-number |
Encrypted payload passed integrity verification. | The integrity check of the IKEv2 encrypted payload passed |
Invalid TSr port range (start port start-port, end port end-port). | The TSr port range (start-port to end-port) is invalid |
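The proposal and transform chain the table above describes (Last proposal 0/2, Last transform 0/3, Key length attribute), as an added example that is not part of the H3C documentation or H3C's code: it encodes and decodes an IKEv2 SA payload (RFC 7296 section 3.3) and reproduces the 44/40/8-byte lengths shown in the SA_INIT packet debugging example later on this page. Transform type and ID numbers are the IANA IKEv2 registry values; the ESP proposal with an AES key-length attribute is constructed here.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ATTR_KEY_LENGTH = 14      # the only transform attribute IKEv2 defines (TV format)
PAYLOAD_KE = 34           # next-payload type of the SA payload in the SA_INIT example


@dataclass
class Transform:
    ttype: int                        # 1 ENCR, 2 PRF, 3 INTEG, 4 D-H, 5 ESN
    tid: int                          # e.g. ENCR 3 = 3DES-CBC, 12 = AES-CBC
    key_length: Optional[int] = None  # "Key length" attribute, if present


@dataclass
class Proposal:
    number: int
    protocol: int                     # 1 IKE, 2 AH, 3 ESP
    spi: bytes                        # empty for IKE in SA_INIT, 4 bytes for ESP/AH
    transforms: List[Transform] = field(default_factory=list)


def encode_transform(t: Transform, last: bool) -> bytes:
    attrs = b""
    if t.key_length is not None:
        # TV attribute: AF bit set, 2-byte value follows the attribute type
        attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, t.key_length)
    # "Last transform": 0 = last, 3 = more transforms follow
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs),
                       t.ttype, 0, t.tid) + attrs


def encode_proposal(p: Proposal, last: bool) -> bytes:
    body = b"".join(encode_transform(t, i == len(p.transforms) - 1)
                    for i, t in enumerate(p.transforms))
    # "Last proposal": 0 = last, 2 = more proposals follow
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(p.spi) + len(body),
                       p.number, p.protocol, len(p.spi), len(p.transforms)) + p.spi + body


def encode_sa_payload(proposals: List[Proposal], next_payload: int) -> bytes:
    body = b"".join(encode_proposal(p, i == len(proposals) - 1)
                    for i, p in enumerate(proposals))
    # Generic payload header: next payload, critical bit/reserved, total length
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_sa_payload(data: bytes) -> List[Proposal]:
    """Parse an SA payload. Every length and chain field is checked, so a truncated
    or inconsistent payload raises ValueError instead of being half-accepted."""
    if len(data) < 4:
        raise ValueError("SA payload shorter than its generic header")
    _next, _crit, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("SA payload length field does not match data")
    proposals, off = [], 4
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated proposal header")
        last, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        if last not in (0, 2) or plen < 8 + spi_size or off + plen > length:
            raise ValueError("malformed proposal substructure")
        p = Proposal(num, proto, data[off + 8:off + 8 + spi_size])
        toff, tend = off + 8 + spi_size, off + plen
        while toff < tend:
            if toff + 8 > tend:
                raise ValueError("truncated transform header")
            tlast, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            if tlast not in (0, 3) or tlen < 8 or toff + tlen > tend:
                raise ValueError("malformed transform substructure")
            t = Transform(ttype, tid)
            aoff = toff + 8
            while aoff + 4 <= toff + tlen:
                atype, aval = struct.unpack("!HH", data[aoff:aoff + 4])
                if atype & 0x8000:                    # TV: value is inline
                    if (atype & 0x7FFF) == ATTR_KEY_LENGTH:
                        t.key_length = aval
                    aoff += 4
                else:                                 # TLV: aval is the value length
                    aoff += 4 + aval
            if aoff != toff + tlen:
                raise ValueError("malformed transform attributes")
            p.transforms.append(t)
            toff += tlen
            if tlast == 0:
                break
        if len(p.transforms) != ntrans or toff != tend:
            raise ValueError("transform chain does not match proposal header")
        proposals.append(p)
        off += plen
        if last == 0:
            break
    if off != length:
        raise ValueError("data after the last proposal")
    return proposals


# The IKE proposal from the SA_INIT example: ENCR 3DES-CBC, INTEG AUTH-HMAC-MD5-96,
# PRF PRF-HMAC-MD5, D-H group 1 -> SA length 44, proposal length 40, 8 bytes per transform
IKE_PROPOSAL = Proposal(1, 1, b"", [Transform(1, 3), Transform(3, 1),
                                    Transform(2, 1), Transform(4, 1)])
```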
Table 3-4 Output description for the debugging ikev2 pki command
Field | Description |
Certificate verification through PKI domain domain-name succeeded. | Verification of the peer certificate through PKI domain domain-name succeeded |
Obtained CA certificate from PKI domain domain-name. | Obtained the CA certificate from PKI domain domain-name |
Obtained local certificate and key pair from PKI domain domain-name. | Obtained the local certificate and key pair from PKI domain domain-name |
The key pair did not meet the peer's requirement. Checked the next PKI domain. | The key pair does not meet the peer's requirements; the next PKI domain is checked |
Obtained certificate request from cache. | Obtained the certificate request from the cache |
Obtained certificate request from cache in profile profile-name. | Obtained the certificate request from the cache under IKEv2 profile profile-name |
PKI data changed. | IKE-related PKI data changed |
Table 3-5 Output description for the debugging ikev2 ipsec command
Field | Description |
[IPsec->IKE] | IPsec sends a message to IKE |
[IKE->IPsec] | IKE sends a message to IPsec |
[IPsec->IKE] Received a smooth IPsec SA ACK. | IKE received the acknowledgement for smoothing the IPsec SA |
[IKE->IPSEC] Sent add-DPD request. | IKE sends IPsec a request to add a DPD entry |
[IKE->IPsec] Sent delete-DPD request. | IKE sends IPsec a request to delete a DPD entry |
Protected flow: Inbound: DstIP1/Mask1->SrcIP1/Mask11 Outbound: SrcIP1/Mask11->DstIP1/Mask1 | Flows protected by the Child SA: inbound: destination DstIP1 with mask Mask1 -> source SrcIP1 with mask Mask11; outbound: source SrcIP1 with mask Mask11 -> destination DstIP1 with mask Mask1 |
[IKE->IPsec] Sent install-IPsec-SA request. | IKE sends IPsec a request to install an IPsec SA |
[IKE->IPsec] Sent switch-IPsec-SA request. | IKE sends IPsec a request to switch IPsec SAs |
Traffic-based IPsec SA lifetime expired. | The traffic-based lifetime of the IPsec SA for the Child SA expired |
[IPsec->IKE] Received an invalid SPI, no matching IKE SA found. | IKE received a message with an invalid SPI and found no matching IKE SA |
[IKE->IPsec] Sent IPsec policy request. | IKE sends IPsec a request for the IPsec policy |
[IKE->IPsec] Sent IPsec SPI request. | IKE sends IPsec a request for an IPsec SPI |
[IPsec->IKE] Received IPsec SA negotiation request. | IKE received an IPsec SA negotiation request from IPsec |
[IPsec->IKE] IPsec policy successfully obtained. | IPsec notified IKE that the IPsec policy was obtained successfully |
[IPsec->IKE] IPsec SPI successfully obtained. | IPsec notified IKE that the IPsec SPI was obtained successfully |
[IPsec->IKE] IPsec SA successfully installed. | IPsec notified IKE that the IPsec SA was installed successfully |
Table 3-6 Output description for the debugging ikev2 timer command
Field | Description |
Responder started a timer of number sec, waiting for AUTH exchange request. | The responder started a number-second timer to wait for the initiator's AUTH exchange request |
(Tunnel ID tunnel-id): Sent NAT-keepalive packet. | The IKE SA (tunnel ID tunnel-id) sent a NAT keepalive packet |
Started hardtimer. | Started the hard timeout timer |
Failed to create IKE SA timer. | Failed to create the IKE SA timer |
Failed to create Child SA timer. | Failed to create the Child SA timer |
(Tunnel ID tunnel-id): IKE SA soft lifetime expired and IKE SA was rekeyed. | (Tunnel ID tunnel-id) The IKE SA soft lifetime expired and the IKE SA is rekeyed |
(Tunnel ID tunnel-id): IKE SA hard lifetime expired and IKE SA was deleted. | (Tunnel ID tunnel-id) The IKE SA hard lifetime expired and the IKE SA is deleted |
(Tunnel ID tunnel-id): IKE SA lifetime timer (number sec) started. | (Tunnel ID tunnel-id) The IKE SA lifetime timer started with a timeout of number seconds |
Failed to start hardtimer. | Failed to start the hard timeout timer |
Child SA soft lifetime expired. | The Child SA soft lifetime expired |
Child SA hard lifetime expired. | The Child SA hard lifetime expired |
Table 3-7 Output description for the debugging ikev2 dpd command
Field | Description |
Construct empty payload for liveness check request. | Constructed an empty payload for the liveness check request |
Received liveness check response. | Received a liveness check response |
Receive liveness check. | Received a liveness check packet |
Retransmit DPD packet. | Retransmitted the DPD packet |
Liveness check timeout. | The liveness check timed out |
Sending packet to address,remote port remote-port,local port local-port. | Sent a packet to address; remote port remote-port, local port local-port |
Sending an IPv4 packet. | Sent an IPv4 packet |
Sending an IPv6 packet. | Sent an IPv6 packet |
Table 3-8 Output description for the debugging ikev2 nat-keepalive command
Field | Description |
Sending packet to address,remote port remote-port,local port local-port. | Sent a packet to address; remote port remote-port, local port local-port |
Sending an IPv4 packet. | Sent an IPv4 packet |
Sending an IPv6 packet. | Sent an IPv6 packet |
【Examples】
# IPsec policies using IKEv2 negotiation are configured on two security gateways and IKEv2 error debugging is enabled. If no matching IKEv2 proposal is found during IKE negotiation, the following debugging information is output.
<Sysname> debugging ikev2 error
*Nov 24 05:40:16:391 2014 Sysname IKEV2/7/ERROR: -MDC=1; No proposal matched.
// No acceptable proposal
# IPsec policies using IKEv2 negotiation are configured on two security gateways and IKEv2 internal debugging is enabled. With pre-shared key authentication configured, the following debugging information is output when traffic triggers IKE negotiation.
<Sysname> debugging ikev2 internal
Ping 123.234.234.123 (123.234.234.123): 56 data bytes, press CTRL_C to break
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] Received an IPsec SA negotiation request.
// Received an IPsec SA negotiation request from IPsec
*Oct 20 09:13:57:413 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the request.
// IKE thread 3077876688 processed the negotiation request
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: IDLE
// Current state machine state: IDLE
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Chose profile fxm.
// Selected IKEv2 profile fxm
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Obtained pre-shared key from keychain fxm.
// Obtained the pre-shared key from keychain fxm, which IKEv2 profile fxm references
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Obtained pre-shared key through address 123.234.234.123.
// Obtained the pre-shared key by the peer address 123.234.234.123
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Matched peer test.
// Matched peer test under keychain fxm
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Searched for IKEv2 policy with VRF 0 and local address 123.234.234.124
// Searched for the IKEv2 policy matching VRF 0 and local address 123.234.234.124
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed SA payload.
// Constructed the SA payload
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Proposal 1
// SA substructure: proposal 1
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform ENCR 3DES-CBC
// Proposal transform: encryption algorithm 3DES
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform INTEG AUTH-HMAC-MD5-96
// Transform: integrity algorithm HMAC-MD5
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform PRF PRF-HMAC-MD5
// Transform: PRF algorithm HMAC-MD5
*Oct 20 09:13:57:413 2014 Sysname IKEV2/7/FSM: -MDC=1; Transform D-H 768-bit MODP/Group 1
// Transform: DH group 768-bit MODP/Group 1
*Oct 20 09:13:57:426 2014 Sysname IKEV2/7/FSM: -MDC=1; Computed DH public key by using 768-bit MODP/Group 1.
// Computed the DH public key using 768-bit MODP/Group 1
*Oct 20 09:13:57:426 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed KE payload.
// Constructed the KE payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NONCE payload.
// Constructed the NONCE payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NAT_DETECTION_SOURCE_IP.
// Constructed the NAT_DETECTION_SOURCE_IP notify payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NAT_DETECTION_DESTINATION_IP.
// Constructed the NAT_DETECTION_DESTINATION_IP notify payload
*Oct 20 09:13:57:427 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: BUILD_INIT
// Current state machine state: BUILD_INIT
*Oct 20 09:13:57:446 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the INIT exchange response.
// IKE thread 3077876688 parsed the INIT exchange response
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed response notification for IKE SA.
// Processed the response notification for the IKE SA
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed SA payload.
// Parsed and processed the SA payload
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed KE payload.
// Parsed and processed the KE payload
*Oct 20 09:13:57:446 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed NAT discovery notification.
// Processed the NAT-D notification
*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/FSM: -MDC=1; DH key computation succeeded.
// DH key computation completed
*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/FSM: -MDC=1; Calculated SKEYSEED.
// Computed the key seed (SKEYSEED)
*Oct 20 09:13:57:453 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Sent IPsec SPI request.
// IKE requested an SPI from IPsec
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] IPsec SPI successfully obtained.
// Obtained the IPsec SPI successfully
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_INIT
// Current state machine state: PROC_INIT
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; SA_INIT exchange completed.
// SA_INIT exchange completed
*Oct 20 09:13:57:454 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the AUTH exchange request.
// IKE thread 3077876688 constructed the AUTH exchange request
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed IDi payload: 123.234.234.124 of type ID_IPV4_ADDR
// Constructed the IDi payload: type IPv4 address, address 123.234.234.124
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: INITIAL_CONTACT.
// Constructed the INITIAL_CONTACT notify payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Local authentication method is Pre-shared key.
// The local authentication method is pre-shared key
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Generated authentication data.
// Generated the authentication data
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed AUTH payload.
// Constructed the AUTH payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: ESP_TFC_PADDING_NOT_SUPPORTED.
// Constructed the ESP_TFC_PADDING_NOT_SUPPORTED notify payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: NON_FIRST_FRAGMENTS_ALSO.
// Constructed the NON_FIRST_FRAGMENTS_ALSO notify payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed NOTIFY payload: IKEV2_MESSAGE_ID_SYNC_SUPPORTED.
// Constructed the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed SA payload.
// Constructed the SA payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed TSi payload.
// Constructed the TSi payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; Constructed TSr payload.
// Constructed the TSr payload
*Oct 20 09:13:57:454 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: BUILD_AUTH
// Current state machine state: BUILD_AUTH
*Oct 20 09:13:57:457 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed the AUTH exchange response.
// IKE thread 3077876688 parsed the AUTH exchange response from the responder
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed AUTH response notification.
// Processed the AUTH response notification
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed ID payload.
// Parsed the ID payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Verified peer policy.
// Verified the peer's IKEv2 policy
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Verified peer authentication data.
// Verified the peer's authentication data
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Peer authentication data passed verification.
// The peer's authentication data passed verification
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; AAA authorization was not configured in profile fxm.
// No AAA authorization is configured in profile fxm
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed NOTIFY payload IKEV2_MESSAGE_ID_SYNC_SUPPORTED.
// Processed the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5):(I) Current Status: PROC_AUTH
// Current state machine state: PROC_AUTH (processing the AUTH exchange response)
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed response notification for Child SA.
// Processed the response notification for the Child SA
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed SA payload.
// Processed the SA payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed TSi payload.
// Processed the TSi payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Processed TSr payload.
// Processed the TSr payload
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/FSM: -MDC=1; Computed IPsec keying material.
// Computed the IPsec keying material
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Protected flow:
// Protected flow information
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Inbound: 123.234.234.123/32->123.234.234.124/32
// Inbound flow: 123.234.234.123/32->123.234.234.124/32
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; Outbound: 123.234.234.124/32->123.234.234.123/32
// Outbound flow: 123.234.234.124/32->123.234.234.123/32
*Oct 20 09:13:57:457 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Sent install IPsec sa request.
// IKE sent IPsec a request to install the IPsec SA
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: ESTABLISHED
// Current state machine state: ESTABLISHED
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: CHILD_ESTABLISHED
// Current state machine state: CHILD_ESTABLISHED
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): (I) Current Status: READY
// Current state machine state: READY
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IPsec->IKE] Succeed to install IPsec SA.
// IPsec installed the SA successfully
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/TIMER: -MDC=1; (Tunnel ID 5): IKE SA lifetime timer (86400 sec) started.
// The IKE SA lifetime timer started
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID: 5): No duplicate IKE SA found.
// No collision was found during negotiation
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/FSM: -MDC=1; (Tunnel ID 5): Deleted negotiation context.
// Deleted the negotiation context
*Oct 20 09:13:57:469 2014 Sysname IKE/7/EVENT: -MDC=1; IKE thread 3077876688 processed a job.
// IKE thread 3077876688 processed a job
*Oct 20 09:13:57:469 2014 Sysname IKEV2/7/EVENT: -MDC=1; [IKE->IPsec] Send switch IPsec sa request.
// IKE sent IPsec a request to switch SAs
# IPsec policies using IKEv2 negotiation are configured on two security gateways, with pre-shared key authentication. When traffic triggers negotiation after IKEv2 packet debugging is enabled, the following debugging information is output.
<Sysname> debugging ikev2 packet
Ping 123.234.234.123 (123.234.234.123): 56 data bytes, press CTRL_C to break
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// Printing the payload content
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 44, Next payload: KE
// Current payload SA, length 44, next payload KE
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 40
// This proposal is the only proposal in the SA payload; length 40
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: IKE, SPI size: 0, Transform count: 4
// Proposal 1, protocol IKE, SPI size 0, 4 transforms
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform type encryption, algorithm 3DES-CBC
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform type integrity, algorithm AUTH-HMAC-MD5-96
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: PRF, Transform ID: PRF-HMAC-MD5
// Transform type PRF, algorithm PRF-HMAC-MD5
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// This transform has length 8 and is the last transform
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: D-H, Transform ID: 768-bit MODP/Group 1
// Transform type DH, group 768-bit MODP/Group 1
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; KE, Length: 104, DH: 768-bit MODP/Group 1, Next payload: NONCE
// Current payload KE, length 104, using 768-bit MODP/Group 1, next payload NONCE
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NONCE, Length: 36, Next payload: NOTIFY
// Current payload NONCE, length 36, next payload NOTIFY
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_SOURCE_IP, Protocol: NO PROTOCOL, SPI size:0, Next payload: NOTIFY
// Current payload: NAT_DETECTION_SOURCE_IP notify, length 28, next payload NOTIFY
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_DESTINATION_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NO_PAYLOAD
// Current payload: NAT_DETECTION_DESTINATION_IP notify, length 28
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent packet to 123.234.234.123, Remote port 500, Local port 500.
// Sent the packet to peer 123.234.234.123; local port 500, remote port 500
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: 0000000000000000
Message ID: 0
Exchange type: SA_INIT
Flags: REQUEST, INITIATOR
Next payload: SA, Length: 268
// Initiator SPI: e787e1a5584f87e6
// Responder SPI: 0000000000000000
// Message ID: 0
// Exchange type: SA_INIT exchange
// Flags: negotiation initiator, request message
// Next payload: SA payload, length 268
*Oct 20 09:18:03:308 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent an IPv4 packet.
// Sent an IPv4 packet
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Received packet from 123.234.234.123, Source port 500, Destination port 500.
// Received an IPv4 packet from peer 123.234.234.123; source port 500, destination port 500
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: e91e92c42120d7f0
Message ID: 0
Exchange type: SA_INIT
Flags: RESPONSE
Next payload: SA, Length: 276
// Initiator SPI: e787e1a5584f87e6
// Responder SPI: e91e92c42120d7f0
// Message ID: 0
// Exchange type: SA_INIT exchange
// Flags: negotiation responder
// Next payload: SA payload, length 276
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// Printing the payload content
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 44, Next payload: KE
// Current payload SA, length 44 bytes, next payload KE
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 40
// The SA payload contains one proposal substructure, length 40
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: IKE, SPI size: 0, Transform count: 4
// Proposal 1, protocol IKE, SPI size 0, 4 transforms
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform type encryption, algorithm 3DES-CBC
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform type integrity, algorithm AUTH-HMAC-MD5-96
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: PRF, Transform ID: PRF-HMAC-MD5
// Transform type PRF, algorithm PRF-HMAC-MD5
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// This transform has length 8 and is the last transform
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: D-H, Transform ID: 768-bit MODP/Group 1
// Transform type DH, group 768-bit MODP/Group 1
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; KE, Length: 104, DH: 768-bit MODP/Group 1, Next payload: NONCE
// Current payload KE, length 104, using 768-bit MODP/Group 1, next payload NONCE
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NONCE, Length: 36, Next payload: NOTIFY
// Current payload NONCE, length 36, next payload NOTIFY
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_SOURCE_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload: NAT_DETECTION_SOURCE_IP notify, length 28, next payload NOTIFY
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 28, Type: NAT_DETECTION_DESTINATION_IP, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload: NAT_DETECTION_DESTINATION_IP notify, length 28, next payload NOTIFY
*Oct 20 09:18:03:325 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: HTTP_CERT_LOOKUP_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NO_PAYLOAD
// Current payload: HTTP_CERT_LOOKUP_SUPPORTED notify, length 8
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Processed response with message ID 0, requests with IDs from 1 to 1 can be sent.
// Processed the INIT exchange response (message ID 0); the next request has message ID 1
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Built packet for encryption.
// Built the packet to be encrypted
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// Printing the packet content
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; IDi, Length: 12, Type: ID_IPV4_ADDR, Next payload: NOTIFY
// Current payload IDi, length 12 bytes, type IPv4 address, next payload NOTIFY
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: INITIAL_CONTACT, Protocol: NO PROTOCOL, SPI size: 0, Next payload: AUTH
// Current payload: INITIAL_CONTACT notify, length 8, next payload AUTH
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; AUTH, Length: 24, Method: Pre-shared key, Next payload: NOTIFY
// Current payload AUTH, authentication method pre-shared key, length 24
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: ESP_TFC_PADDING_NOT_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload: ESP_TFC_PADDING_NOT_SUPPORTED notify, length 8, next payload NOTIFY
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: NON_FIRST_FRAGMENTS_ALSO, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload: NON_FIRST_FRAGMENTS_ALSO notify, length 8, next payload NOTIFY
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: IKEV2_MESSAGE_ID_SYNC_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: SA
// Current payload: IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify, length 8, next payload SA
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 40, Next payload: TSi
// Current payload SA, length 40 bytes, next payload TSi
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 36
// The SA payload contains one proposal, length 36
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: ESP, SPI size: 4, Transform count: 3
// Proposal protocol ESP, SPI size 4, 3 transforms
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform type integrity, algorithm AUTH-HMAC-MD5-96
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:331 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform type encryption, algorithm 3DES-CBC
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// This transform has length 8 and is the last transform
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ESN, Transform ID: NO ESN
// Transform type ESN, value NO ESN
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSi, Length: 40, Selector count: 2, Next payload: TSr
// Current payload TSi, 2 selectors, next payload TSr
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 1, Length: 16
// Triggering-flow TSi: type TS_IPV4_ADDR_RANGE, protocol ICMP, length 16
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Triggering-flow TSi: start port 0, end port 65535
*Oct 20 09:18:03:332 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124
// Triggering-flow TSi: address range 123.234.234.124 to 123.234.234.124
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// Configured-flow TSi: type TS_IPV4_ADDR_RANGE, protocol 0 (IPv4), length 16
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Configured-flow TSi: start port 0, end port 65535
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124
// Configured-flow TSi: address range 123.234.234.124 to 123.234.234.124
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSr, Length: 40, Selector count: 2, Next payload: NO_PAYLOAD
// Current payload TSr, 2 selectors
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 1, Length: 16
// Triggering-flow TSr: type TS_IPV4_ADDR_RANGE, protocol ICMP, length 16
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Triggering-flow TSr: start port 0, end port 65535
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123
// Triggering-flow TSr: address range 123.234.234.123 to 123.234.234.123
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// Configured-flow TSr: type TS_IPV4_ADDR_RANGE, protocol 0 (IPv4), length 16
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// Configured-flow TSr: start port 0, end port 65535
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123
// Configured-flow TSr: address range 123.234.234.123 to 123.234.234.123
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent packet to 123.234.234.123, Remote port 500, Local port 500.
// Sent the AUTH exchange request to peer 123.234.234.123; local port 500, remote port 500
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: e91e92c42120d7f0
Message ID: 1
Exchange type: AUTH
Flags: REQUEST, INITIATOR
Next payload: ENCRYPTED, Length: 244
// Initiator SPI: e787e1a5584f87e6
// Responder SPI: e91e92c42120d7f0
// Message ID: 1
// Exchange type: AUTH exchange
// Flags: negotiation initiator, request message
// Next payload: encrypted payload, length 244
*Oct 20 09:18:03:333 2014 Sysname IKEV2/7/PACKET: -MDC=1; Sent an IPv4 packet.
// Sent an IPv4 packet
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Received packet from 123.234.234.123, Source port 500, Destination port 500.
// Received a packet from 123.234.234.123; source port 500, destination port 500
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1;
I-SPI: e787e1a5584f87e6
R-SPI: e91e92c42120d7f0
Message ID: 1
Exchange type: AUTH
Flags: RESPONSE
Next payload: ENCRYPTED, Length: 204
// Initiator SPI: e787e1a5584f87e6
// Responder SPI: e91e92c42120d7f0
// Message ID: 1
// Exchange type: AUTH exchange
// Flags: responder
// Next payload: encrypted payload, length 204
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload content:
// Printing the packet content
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Payload ENCRYPTED found.
// About to process the encrypted payload
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Integrity check passed.
// Integrity check passed
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; IDr, Length: 12, Type: ID_IPV4_ADDR, Next payload: AUTH
// Current payload IDr, type IPv4 address, length 12, next payload AUTH
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; AUTH, Length: 24, Method: Pre-shared key, Next payload: NOTIFY
// Current payload AUTH, authentication method pre-shared key, length 24, next payload NOTIFY
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: IKEV2_MESSAGE_ID_SYNC_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload: IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify, length 8, next payload NOTIFY
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: ESP_TFC_PADDING_NOT_SUPPORTED, Protocol: NO PROTOCOL, SPI size: 0, Next payload: NOTIFY
// Current payload: ESP_TFC_PADDING_NOT_SUPPORTED notify, length 8, next payload NOTIFY
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; NOTIFY, Length: 8, Type: NON_FIRST_FRAGMENTS_ALSO, Protocol: NO PROTOCOL, SPI size: 0, Next payload: SA
// Current payload: NON_FIRST_FRAGMENTS_ALSO notify, length 8, next payload SA
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; SA, Length: 40, Next payload: TSi
// Current payload SA, length 40, next payload TSi
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last proposal: 0, Length: 36
// The SA payload contains one proposal, length 36
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Proposal: 1, Protocol: ESP, SPI size: 4, Transform count: 3
// Proposal 1, protocol ESP, SPI size 4 bytes, 3 transforms
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: INTEG, Transform ID: AUTH-HMAC-MD5-96
// Transform type integrity, algorithm AUTH-HMAC-MD5-96
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0x3, Length: 8
// This transform has length 8 and is not the last transform
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ENCR, Transform ID: 3DES-CBC
// Transform type encryption, algorithm 3DES-CBC
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Last transform: 0, Length: 8
// This transform has length 8 and is the last transform
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Type: ESN, Transform ID: NO ESN
// Transform type ESN, value NO ESN
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSi, Length: 24, Selector count: 1, Next payload: TSr
// Current payload TSi, length 24, 1 selector, next payload TSr
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// TSi: type TS_IPV4_ADDR_RANGE, protocol 0 (IPv4), length 16
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// TSi: start port 0, end port 65535
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.124, End address: 123.234.234.124
// TSi: address range 123.234.234.124 to 123.234.234.124
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TSr, Length: 24, Selector count: 1, Next payload: NO_PAYLOAD
// Current payload TSr, length 24, 1 selector
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; TS type: TS_IPV4_ADDR_RANGE, IP protocol: 0, Length: 16
// TSr: type TS_IPV4_ADDR_RANGE, protocol 0 (IPv4), length 16
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start port: 0, End port: 65535
// TSr: port range 0 to 65535
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Start address: 123.234.234.123, End address: 123.234.234.123
// TSr: address range 123.234.234.123 to 123.234.234.123
*Oct 20 09:18:03:335 2014 Sysname IKEV2/7/PACKET: -MDC=1; Processed response with message ID 1, requests with IDs from 2 to 2 can be sent.
// Processed the AUTH exchange response with message ID 1; the next request's Message
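The fixed IKEv2 header that the packet debugging output prints (I-SPI, R-SPI, Message ID, exchange type, flags, next payload, length) and the one-request message ID window it reports ("requests with IDs from 1 to 1 can be sent"), as an added example that is not part of the H3C documentation or H3C's code. The header layout follows RFC 7296 section 3.1; the sample header bytes are constructed from the SA_INIT request and response values above, and a window size of 1 is IKEv2's default.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

HEADER_LEN = 28
IKEV2_VERSION = 0x20                     # major 2, minor 0
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
EXCHANGE = {34: "SA_INIT", 35: "AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {0: "NO_PAYLOAD", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH",
           40: "NONCE", 41: "NOTIFY", 44: "TSi", 45: "TSr", 46: "ENCRYPTED"}


@dataclass
class IkeHeader:
    i_spi: int
    r_spi: int
    next_payload: int
    exchange: int
    flags: int
    message_id: int
    length: int

    def describe(self) -> str:
        """Render the header the way the debugging ikev2 packet output prints it."""
        flags = ["RESPONSE" if self.flags & FLAG_RESPONSE else "REQUEST"]
        if self.flags & FLAG_INITIATOR:
            flags.append("INITIATOR")
        return (f"I-SPI: {self.i_spi:016x}\n"
                f"R-SPI: {self.r_spi:016x}\n"
                f"Message ID: {self.message_id}\n"
                f"Exchange type: {EXCHANGE.get(self.exchange, self.exchange)}\n"
                f"Flags: {', '.join(flags)}\n"
                f"Next payload: {PAYLOAD.get(self.next_payload, self.next_payload)}, "
                f"Length: {self.length}")


def parse_header(data: bytes) -> IkeHeader:
    """Decode the 28-byte fixed header; rejects short input and non-IKEv2 versions."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the IKEv2 fixed header")
    i_spi, r_spi, npl, ver, exch, flags, mid, length = struct.unpack("!QQBBBBII", data[:HEADER_LEN])
    if ver != IKEV2_VERSION:
        raise ValueError(f"not IKEv2 (version byte 0x{ver:02x})")
    if length < HEADER_LEN:
        raise ValueError("length field smaller than the fixed header")
    return IkeHeader(i_spi, r_spi, npl, exch, flags, mid, length)


def build_header(h: IkeHeader) -> bytes:
    return struct.pack("!QQBBBBII", h.i_spi, h.r_spi, h.next_payload, IKEV2_VERSION,
                       h.exchange, h.flags, h.message_id, h.length)


class RequestWindow:
    """Initiator-side Message ID bookkeeping with the default window of one
    outstanding request: after the response to ID n is processed, only ID n+1
    may be sent, which is what 'from 1 to 1' and 'from 2 to 2' above report."""

    def __init__(self) -> None:
        self.next_id = 0                 # lowest request ID not yet answered

    def can_send(self) -> Tuple[int, int]:
        return self.next_id, self.next_id

    def process_response(self, msg_id: int) -> Tuple[int, int]:
        lo, hi = self.can_send()
        if not lo <= msg_id <= hi:
            # a duplicate or out-of-window response is dropped rather than advancing state
            raise ValueError(f"response ID {msg_id} outside window {lo}..{hi}")
        self.next_id = msg_id + 1
        return self.can_send()


# Constructed from the SA_INIT request header printed above:
# I-SPI e787e1a5584f87e6, R-SPI 0, next payload SA (33), exchange SA_INIT (34),
# flags REQUEST|INITIATOR (0x08), Message ID 0, Length 268 (0x10c)
SA_INIT_REQUEST = bytes.fromhex("e787e1a5584f87e6" "0000000000000000"
                                "21" "20" "22" "08" "00000000" "0000010c")
```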