IPSEC debug and show commands (source file: IPSCE的debug和show命令.docx)

Uploader: 仙人****88 | Document ID: 12021090 | Uploaded: 2025-08-28 | Format: DOCX | 23 pages | 25.91 KB
Learning IPSEC-VPN through DEBUG and SHOW

Phase 1 is where two ISAKMP entities establish a secure, authenticated channel for communication. This is called the ISAKMP Security Association (SA). Both Main Mode and Aggressive Mode accomplish the Phase 1 exchange, and they can only be used in Phase 1.

*Mar 1 00:43:53.455: ISAKMP:(0:2:SW:1):purging SA., sa=63E0FA04, delme=63E0FA04
*Mar 1 00:44:05.639: ISAKMP:(0:3:SW:1):purging node 304912037
*Mar 1 00:44:07.279: ISAKMP: received ke message (1/1)
*Mar 1 00:44:07.283: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

SA is the SA negotiation payload carrying one or more proposals. The initiator may offer several proposals for negotiation; the responder must reply with only one.

A Security Association (SA) is a set of policies and keys used to protect information. In this protocol, the ISAKMP SA is the shared policy and key material that the negotiating peers use to protect the communication between them.

*Mar 1 00:44:07.283: ISAKMP: Created a peer struct for 34.34.34.4, peer port 500
*Mar 1 00:44:07.283: ISAKMP: New peer created peer = 0x64A20E00 peer_handle = 0x80000005
*Mar 1 00:44:07.283: ISAKMP: Locking peer struct 0x64A20E00, IKE refcount 1 for isakmp_initiator
*Mar 1 00:44:07.287: ISAKMP: local port 500, remote port 500
*Mar 1 00:44:07.287: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:44:07.287: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64219D2C
*Mar 1 00:44:07.287: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Main Mode is an instantiation of the ISAKMP Identity Protect Exchange: the first two messages negotiate policy; the next two exchange Diffie-Hellman public values and the ancillary data they need (nonces); the last two authenticate the Diffie-Hellman exchange.

*Mar 1 00:44:07.291: ISAKMP:(0:0:N/A:0):found peer preshared key matching 34.34.34.4
*Mar 1 00:44:07.291: ISAKMP:(0:0:N/A:0): constructed NATT vendor07 ID
*Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0): constructed NATT vendor03 ID
*Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0): constructed NATT vendor02 ID

First two messages, policy negotiation (start)

*Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

Main Mode (start)

*Mar 1 00:44:07.299: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 1 00:44:07.299: ISAKMP:(0:0:N/A:0): sending packet to 34.34.34.4 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:44:07.931: ISAKMP (0:0): received packet from 34.34.34.4 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:44:07.935: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:44:07.935: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:44:07.939: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

This is the payload exchange of the first round trip. The initiator may offer several proposals; the responder must reply with only one.

*Mar 1 00:44:07.939: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 00:44:07.939: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:44:07.939: ISAKMP (0:0): vendor ID is NATT v7
*Mar 1 00:44:07.943: ISAKMP:(0:0:N/A:0):found peer preshared key matching 34.34.34.4
*Mar 1 00:44:07.943: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 00:44:07.943: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:44:07.943: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy

The responder answers by selecting one transform proposal (the attributes of the ISAKMP SA).

*Mar 1 00:44:07.947: ISAKMP: encryption 3DESCBC
*Mar 1 00:44:07.947: ISAKMP: hash SHA
*Mar 1 00:44:07.947: ISAKMP: default group 2
*Mar 1 00:44:07.947: ISAKMP: auth preshare
*Mar 1 00:44:07.947: ISAKMP: life type in seconds
*Mar 1 00:44:07.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:44:07.951: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 00:44:08.023: ISAKMP:(0:4:SW:1): processing vendor id payload
*Mar 1 00:44:08.023: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:44:08.023: ISAKMP (0:134217732): vendor ID is NATT v7
*Mar 1 00:44:08.027: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:44:08.027: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2

First two messages, policy negotiation (end)

Next two messages, Diffie-Hellman public values and ancillary data (start)

*Mar 1 00:44:08.035: ISAKMP:(0:4:SW:1): sending packet to 34.34.34.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 00:44:08.035: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:44:08.039: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:44:08.627: ISAKMP (0:134217732): received packet from 34.34.34.4 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 00:44:08.627: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:44:08.627: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:44:08.631: ISAKMP:(0:4:SW:1): processing KE payload. message ID = 0

KE is the Key Exchange payload, which carries the public information for the Diffie-Hellman exchange.

*Mar 1 00:44:08.711: ISAKMP:(0:4:SW:1): processing NONCE payload. message ID = 0

Ancillary data (the nonce)

*Mar 1 00:44:08.715: ISAKMP:(0:4:SW:1):found peer preshared key matching 34.34.34.4

The shared secret SKEYID is now used to protect and authenticate all subsequent communication. Note that SKEYID is not yet authenticated. SKEYID is a string derived from secret material that is known only to the active players in this exchange.

*Mar 1 00:44:08.719: ISAKMP:(0:4:SW:1):SKEYID state generated
*Mar 1 00:44:08.719: ISAKMP:(0:4:SW:1): processing vendor id payload

Ancillary data

*Mar 1 00:44:08.719: ISAKMP:(0:4:SW:1): vendor ID is Unity
*Mar 1 00:44:08.723: ISAKMP:(0:4:SW:1): processing vendor id payload

Ancillary data

*Mar 1 00:44:08.723: ISAKMP:(0:4:SW:1): vendor ID is DPD
*Mar 1 00:44:08.723: ISAKMP:(0:4:SW:1): processing vendor id payload

Ancillary data

*Mar 1 00:44:08.727: ISAKMP:(0:4:SW:1): speaking to another IOS box!
*Mar 1 00:44:08.727: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:44:08.727: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4

Next two messages, Diffie-Hellman public values and ancillary data (end)

Last two messages, authenticating the Diffie-Hellman exchange (start)

*Mar 1 00:44:08.735: ISAKMP:(0:4:SW:1):Send initial contact
*Mar 1 00:44:08.739: ISAKMP:(0:4:SW:1):SA is doing preshared key authentication using id type ID_IPV4_ADDR

When Main Mode is used with pre-shared key authentication, the key can only be identified by the IP addresses of the peers, because HASH_I must be computed before the initiator has processed IDir.

*Mar 1 00:44:08.739: ISAKMP (0:134217732): ID payload
    nextpayload : 8
    type        : 1
    address     : 12.12.12.1
    protocol    : 17
    port        : 500
    length      : 12
*Mar 1 00:44:08.739: ISAKMP:(0:4:SW:1):Total payload length: 12
*Mar 1 00:44:08.747: ISAKMP:(0:4:SW:1): sending packet to 34.34.34.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:44:08.747: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:44:08.747: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:44:09.343: ISAKMP (0:134217732): received packet from 34.34.34.4 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:44:09.347: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0
*Mar 1 00:44:09.351: ISAKMP (0:134217732): ID payload
    nextpayload : 8
    type        : 1
    address     : 34.34.34.4
    protocol    : 17
    port        : 500
    length      : 12
*Mar 1 00:44:09.351: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles
*Mar 1 00:44:09.351: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0

The key exchange is authenticated with a signed hash. Once the signature has been verified using the authentication algorithm negotiated as part of the ISAKMP SA, the shared secret SKEYID can be considered authenticated.

*Mar 1 00:44:09.355: ISAKMP:(0:4:SW:1):SA authentication status:authenticated
*Mar 1 00:44:09.355: ISAKMP:(0:4:SW:1):SA has been authenticated with 34.34.34.4
*Mar 1 00:44:09.359: ISAKMP: Trying to insert a peer 12.12.12.1/34.34.34.4/500/, and inserted successfully 64A20E00.
*Mar 1 00:44:09.359: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:44:09.359: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:44:09.367: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:44:09.367: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 00:44:09.371: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:44:09.371: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Main Mode (end); last two messages, authenticating the Diffie-Hellman exchange (end)

ISAKMP negotiation process (Phase 2)

Quick Mode is essentially an SA negotiation plus an exchange of nonces that provides replay protection. The nonces are used to generate fresh key material and to prevent replay attacks from generating bogus security associations.

*Mar 1 00:44:09.375: ISAKMP:(0:4:SW:1):beginning Quick Mode exchange, MID of 857538544
*Mar 1 00:44:09.383: ISAKMP:(0:4:SW:1): sending packet to 34.34.34.4 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:44:09.387: ISAKMP:(0:4:SW:1):Node 857538544, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 00:44:09.387: ISAKMP:(0:4:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:44:09.387: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 00:44:09.391: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:44:10.259: ISAKMP (0:134217732): received packet from 34.34.34.4 dport 500 sport 500 Global (I) QM_IDLE
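To make the Phase 1 key material behind "hash SHA", "auth preshare", "SKEYID state generated" and "SA authentication status:authenticated" concrete, here is an added Python example (not part of the original document) implementing the RFC 2409 pre-shared-key derivation of SKEYID, its SKEYID_d/a/e subkeys and HASH_I with HMAC-SHA1, and the responder-side check that a pre-shared key selected by peer address must pass. The nonces, cookies, Diffie-Hellman values and SA payload bytes are constructed placeholders; only the initiator ID (ID_IPV4_ADDR 12.12.12.1, protocol 17, port 500) is taken from the debug output above.

```python
import hmac, hashlib

# RFC 2409 key derivation for Main Mode with pre-shared key authentication.
# The policy negotiated above is "hash SHA", so prf(key, data) = HMAC-SHA1.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b). It depends only on the PSK and the two
    # nonces, so it exists as soon as MM4 is processed ("SKEYID state generated").
    return prf(psk, ni + nr)

def derive_subkeys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")      # SKEYID_d: seeds Phase 2 KEYMAT
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")  # SKEYID_a: ISAKMP integrity key
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")  # SKEYID_e: ISAKMP encryption key
    return d, a, e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), sent in MM5.
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def id_ipv4_b(addr: str, proto: int = 17, port: int = 500) -> bytes:
    # Body of an ID_IPV4_ADDR (type 1) payload without its 4-byte generic header:
    # type | protocol | port | address = 8 bytes, matching "length : 12" in the debug.
    return bytes([1, proto]) + port.to_bytes(2, "big") + bytes(int(o) for o in addr.split("."))

# Constructed sample values standing in for the on-the-wire fields (not taken from the debug).
NI, NR = b"\x11" * 16, b"\x22" * 16                          # nonces from MM3 / MM4
CKY_I, CKY_R = b"\xa1" * 8, b"\xb2" * 8                      # ISAKMP header cookies
GXI, GXR, GXY = b"\x01" * 128, b"\x02" * 128, b"\x03" * 128  # DH public values, shared secret
SAI_B = b"\x00\x00\x00\x01" + bytes(24)                      # initiator SA payload body
IDII_B = id_ipv4_b("12.12.12.1")                             # initiator ID printed in MM5

def initiator_hash_i(psk: bytes) -> bytes:
    return hash_i(skeyid_psk(psk, NI, NR), GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)

def responder_verifies(received_hash_i: bytes, psk_selected_by_ip: bytes) -> bool:
    # The responder recomputes HASH_I with the PSK it looked up by peer address
    # ("found peer preshared key matching ..."); SKEYID, and so HASH_I, is needed
    # before IDii can be decrypted, which is why the key must be selected by IP.
    expected = initiator_hash_i(psk_selected_by_ip)
    return hmac.compare_digest(expected, received_hash_i)
```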
The responder replies with a similar message that contains only one transform: the selected ESP transform.

*Mar 1 00:44:10.263: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 857538544
*Mar 1 00:44:10.263: ISAKMP:(0:4:SW:1): processing SA payload. message ID = 857538544
*Mar 1 00:44:10.267: ISAKMP:(0:4:SW:1):Checking IPSec proposal 1
*Mar 1 00:44:10.267: ISAKMP: transform 1, ESP_3DES

The selected ESP transform

*Mar 1 00:44:10.267: ISAKMP: attributes in transform:
*Mar 1 00:44:10.267: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 00:44:10.267: ISAKMP: SA life type in seconds
*Mar 1 00:44:10.271: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:44:10.271: ISAKMP: SA life type in kilobytes
*Mar 1 00:44:10.271: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:44:10.271: ISAKMP: authenticator is HMACSHA
*Mar 1 00:44:10.271: ISAKMP:(0:4:SW:1):atts are acceptable.

Nonce exchange

*Mar 1 00:44:10.275: ISAKMP:(0:4:SW:1): processing NONCE payload. message ID = 857538544
*Mar 1 00:44:10.279: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 857538544
*Mar 1 00:44:10.279: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 857538544
*Mar 1 00:44:10.287: ISAKMP: Locking peer struct 0x64A20E00, IPSEC refcount 1 for for stuff_ke

A single SA negotiation results in two security associations, one inbound and one outbound.

*Mar 1 00:44:10.287: ISAKMP:(0:4:SW:1): Creating IPSec SAs

Inbound

*Mar 1 00:44:10.287: inbound SA from 34.34.34.4 to 12.12.12.1 (f/i) 0/ 0 (proxy 10.1.1.0 to 192.168.1.0)

In either case, the protocol and the SPI are taken from the ISAKMP proposal payload that contains the negotiated transform payload. The different SPIs of the two SAs (one chosen by the initiator, the other by the responder) guarantee a different key for each direction. The SPI chosen by the destination of an SA is used to derive that SA's KEYMAT.

*Mar 1 00:44:10.291: has spi 0x20B7D334 and conn_id 0 and flags 2
*Mar 1 00:44:10.291: lifetime of 3600 seconds

An ISAKMP implementation may require private groups to set a timeout on the SAs it establishes.

*Mar 1 00:44:10.291: lifetime of 4608000 kilobytes
*Mar 1 00:44:10.291: has client flags 0x0

Outbound

*Mar 1 00:44:10.291: outbound SA from 12.12.12.1 to 34.34.34.4 (f/i) 0/0 (proxy 192.168.1.0 to 10.1.1.0)
*Mar 1 00:44:10.295: has spi 845172765 and conn_id 0 and flags A
*Mar 1 00:44:10.295: lifetime of 3600 seconds

An ISAKMP implementation may require private groups to set a timeout on the SAs it establishes.

*Mar 1 00:44:10.295: lifetime of 4608000 kilobytes
*Mar 1 00:44:10.295: has client flags 0x0

To provide Perfect Forward Secrecy of both the keys and all identities, the two parties perform the following:
1. A Main Mode exchange to protect the identities of the ISAKMP peers. This establishes an ISAKMP SA.
2. A Quick Mode exchange to negotiate protection for another security protocol. This establishes an SA on each end for that protocol.
3. Delete the ISAKMP SA and its associated state.
Because the key used in the non-ISAKMP SA was derived from a single ephemeral Diffie-Hellman exchange, PFS is preserved.

*Mar 1 00:44:10.299: ISAKMP:(0:4:SW:1): sending packet to 34.34.34.4 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:44:10.299: ISAKMP:(0:4:SW:1):deleting node 857538544 error FALSE reason "No Error"

Deleting the ISAKMP SA and its associated state.

*Mar 1 00:44:10.303: ISAKMP:(0:4:SW:1):Node 857538544, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:44:10.303: ISAKMP:(0:4:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:44:10.307: ISAKMP: Locking peer struct 0x64A20E00, IPSEC refcount 2 for from create_transforms
*Mar 1 00:44:10.311: ISAKMP: Unlocking IPSEC struct 0x64A20E00 from create_transforms, count 1
*Mar 1 00:44:15.639: ISAKMP:(0:3:SW:1):purging SA., sa=63E13D50, delme=63E13D50

Deleting the ISAKMP SA and its associated state.

Encryption/decryption

Plaintext before encryption

*Mar 1 01:11:00.323: Before encryption:
05DBEE70:                   4500003C CD4B0000           E..<MK..
05DBEE80: 3F01E1C7 C0A80103 0A010102 08000E5B  ?.aG@(.........[
05DBEE90: 04003B01 61626364 65666768 696A6B6C  ..?.abcdefghijkl
05DBEEA0: 6D6E6F70 71727374 75767761 62636465  mnopqrstuvwabcde
05DBEEB0: 66676869 01020204 41434143 41434141  fghi....ACACACAA
05DBEEC0: 4100                                 A.

Ciphertext after encryption

*Mar 1 01:11:00.339: After encryption:
05DC1DB0:                   45000070 03630000           E..p.c..
05DC1DC0: FF325BC6 0C0C0C01 22222204 CD9FAFE3  .2[F....""".M./c
05DC1DD0: 0000001E D37309EF D7A23924 5A8A4A7A  ....Ss.oW"9$Z.Jz
05DC1DE0: ECC99061 FAD9B67C 81103DDA 335E5BF2  lI.azY6|..=Z3^[r
05DC1DF0: 390D69E5 2146DB40 9347A51C B38E9765  9.ie!F[@.G%.3..e
05DC1E00: B75C9F8B CC64DB6A B6F8EEE0 6600C7B6  7\..Ld[j6xn`f.G6
05DC1E10: 05F0169F 2F2631C8 803FAE76 271700B6  .p../&1H.?.v'..6
05DC1E20: 028973E4 7F4C0923                    ..sd.L.#
*Mar 1 01:11:00.355: post_crypto_ip_encrypt: Data just encrypted, 112 bytes
*Mar 1 01:11:00.355: Process switched encrypted packet

Ciphertext before decryption

*Mar 1 01:11:00.707: Before decryption:
*Mar 1 01:11:00.707: Dump particle #01 for 112 bytes
05D33100:                                4500           E.
05D33110: 00700546 0000FC32 5CE32222 22040C0C  .p.F..|2\c"""...
05D33120: 0C0120B7 D3340000 00240344 CEC53381  .. 7S4...$.DNE3.
05D33130: 2E363AC2 352D23E2 E402EFCD A7DD92D0  .6:B5#bd.oM'].P
05D33140: 4F030FFD 36B8357A 736095D1 40A37BCE  O..}685zs`.Q@#{N
05D33150: 90847961 3B0FBBA9 FDCDA883 C072921F  ..ya?.?)}M(.@r..
05D33160: B877BA29 00BFE41B EEC9639A D404E9F6  8w:).?d.nIc.T.iv
05D33170: E96CB05B 9E743BF1 D6F136E8 8BBC      il0[.t?qVq6h.<

Plaintext after decryption

*Mar 1 01:11:00.723: After decryption:
*Mar 1 01:11:00.723: Dump particle #01 for 60 bytes
05D01660:          4500003C CD4B0000 3D01E3C7  E..<MK..=.cG
05D01670: 0A010102 C0A80103 0000165B 04003B01  ....@(.....[..?.
05D01680: 61626364 65666768 696A6B6C 6D6E6F70  abcdefghijklmnop
05D01690: 71727374 75767761 62636465 66676869  qrstuvwabcdefghi
05D016A0:
*Mar 1 01:11:00.735: post_crypto_ip_decrypt: Data just decrypted, 60 bytes
*Mar
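As an added example (not part of the original document), the following Python reads lines of the "debug crypto isakmp" output walked through above and reduces them to what an operator checks first: that the initiator Main Mode state machine ran IKE_I_MM1 through IKE_P1_COMPLETE with the SA authenticated, which Phase 1 policy was accepted, and that Quick Mode produced exactly one inbound and one outbound IPsec SA with their SPIs. The sample text is an excerpt of that output; the expected state path is the one the debug itself shows.

```python
import re

# Constructed excerpt of the debug output above, trimmed to the events the summary needs.
SAMPLE_DEBUG = """\
*Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:44:07.935: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:44:07.947: ISAKMP: encryption 3DESCBC
*Mar 1 00:44:07.947: ISAKMP: hash SHA
*Mar 1 00:44:07.947: ISAKMP: auth preshare
*Mar 1 00:44:08.027: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:44:08.039: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:44:08.627: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:44:08.747: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:44:09.355: ISAKMP:(0:4:SW:1):SA authentication status:authenticated
*Mar 1 00:44:09.359: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:44:09.371: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:44:10.287: inbound SA from 34.34.34.4 to 12.12.12.1 (f/i) 0/ 0 (proxy 10.1.1.0 to 192.168.1.0)
*Mar 1 00:44:10.291: has spi 0x20B7D334 and conn_id 0 and flags 2
*Mar 1 00:44:10.291: outbound SA from 12.12.12.1 to 34.34.34.4 (f/i) 0/0 (proxy 192.168.1.0 to 10.1.1.0)
*Mar 1 00:44:10.295: has spi 845172765 and conn_id 0 and flags A
*Mar 1 00:44:10.303: ISAKMP:(0:4:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

# Initiator Main Mode states a healthy Phase 1 walks through (X -> X bookkeeping steps ignored).
MAIN_MODE_PATH = ["IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4",
                  "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|auth) (\S+)")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+|\d+)")

def summarize(debug_text: str) -> dict:
    s = {"states": [], "policy": {}, "sas": [], "authenticated": False}
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            if m.group(1) != m.group(2):
                s["states"].append(m.group(2))
        elif m := ATTR_RE.search(line):
            s["policy"][m.group(1)] = m.group(2)
        elif m := SA_RE.search(line):
            s["sas"].append({"dir": m.group(1), "src": m.group(2), "dst": m.group(3)})
        elif m := SPI_RE.search(line):
            # IOS prints one SPI in hex and the other in decimal; base 0 accepts both forms.
            s["sas"][-1]["spi"] = int(m.group(1), 0)
        elif "SA authentication status:authenticated" in line:
            s["authenticated"] = True
    main_mode = [st for st in s["states"] if st.startswith("IKE_I_MM") or st == "IKE_P1_COMPLETE"]
    s["phase1_ok"] = main_mode == MAIN_MODE_PATH and s["authenticated"]
    s["phase2_ok"] = "IKE_QM_PHASE2_COMPLETE" in s["states"] and len(s["sas"]) == 2
    return s
```

Feed the full debug capture instead of the excerpt and the same summary applies; a Phase 1 that stalls (for example at IKE_I_MM5 with a pre-shared key mismatch) shows up as phase1_ok being False with the last reached state at the end of states.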