IPsec VPN establishment: a detailed debug walkthrough

Source: Baidu Wenku   Editor: 中财网   Time: 2024/05/08 19:11:30

Since most people can already configure IPsec, the attachment contains the lab configuration, the command explanations and the screenshots; what follows is the detailed debug walkthrough. Everyone in tech has it hard, so no charge for this, heh. This walkthrough comes from the instructors at the openlab training centre. I thank the two Mr. Zhangs at openlab for their teaching; without it I could not share this with you.
First, a short section on the underlying IPsec principles:

When a router handles both IPsec and NAT: for outbound traffic it performs NAT first and IPsec second; for inbound traffic it performs IPsec first and NAT second.
Selectors (Cisco calls them "interesting traffic") are implemented with an ACL.

Components of IPsec
ESP  Encapsulating Security Payload
AH   Authentication Header
IKE  Internet Key Exchange

ESP is IP protocol 50 (it must be explicitly permitted on a firewall: a firewall cannot track ESP state, so it cannot create the return entry automatically). It does not encrypt the IP header. It provides confidentiality, integrity and source authentication, and it can prevent replay attacks (every packet carries a sequence number).
ESP packet fields:
SPI (sent in cleartext). Example: R1 encrypts a packet and sends it to R2. R2 must decrypt it, but it has many SAs, so how does it decide which key to use? By the SPI: the incoming encrypted packet carries an SPI, and R2 simply looks up the SA whose SPI matches and can decrypt.
Sequence number: carried in every packet sent; this is what prevents replay attacks.
Next header (this field shows that ESP was designed in the style of an IPv6 extension header): a next header of IP indicates tunnel mode; a next header of TCP indicates transport mode.
ESP should preferably not be fragmented. If fragmentation is unavoidable there are two approaches:
Fragment first, then encrypt (recommended, the default, and compatible with hardware forwarding)
Encrypt first, then fragment
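As an added example (not code from the original post), the two ESP receive-side mechanisms described above in working form: the cleartext SPI alone selects the inbound SA, and the sequence number is checked against the RFC 4303 anti-replay sliding window before anything is decrypted. The SA table, the packet (spi, seq) pairs and the window size are constructed for this demonstration; the SPI 0xD137A1B6 and peer 23.23.23.3 are taken from the lab debug output in this post.

```python
# Added example, not part of the original post: an inbound ESP receiver that
# picks the SA by the cleartext SPI and enforces the RFC 4303 anti-replay
# sliding window on the sequence number. SA entries and packet (spi, seq)
# pairs are constructed sample values; SPI 0xD137A1B6 and peer 23.23.23.3
# come from the lab debug output in this post.
from dataclasses import dataclass

WINDOW = 64   # RFC 4303 requires at least 32; 64 is a common implementation choice


@dataclass
class InboundSA:
    spi: int
    peer: str
    highest_seq: int = 0   # highest sequence number accepted so far (right edge of window)
    bitmap: int = 0        # bit i set => sequence number (highest_seq - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.highest_seq:
            # newer than anything seen: slide the window right, dropping old bits
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                      # left of the window: too old, drop
        if self.bitmap & (1 << offset):
            return False                      # inside the window but already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept and mark
        return True


class EspReceiver:
    """The inbound half of a SAD: SPI -> SA, plus per-SA replay state."""

    def __init__(self):
        self.sad: dict = {}

    def add_sa(self, sa: InboundSA) -> None:
        self.sad[sa.spi] = sa

    def receive(self, spi: int, seq: int) -> str:
        sa = self.sad.get(spi)                # the SPI alone selects the SA, no lookup by address
        if sa is None:
            return "drop: unknown SPI"
        if not sa.check_and_update(seq):
            return "drop: replay or outside window"
        return f"accept: SA from {sa.peer}"


def demo() -> list:
    """Feed a constructed packet sequence through the receiver and return the verdicts."""
    rx = EspReceiver()
    rx.add_sa(InboundSA(spi=0xD137A1B6, peer="23.23.23.3"))
    packets = [(0xD137A1B6, 1), (0xD137A1B6, 1),     # first packet, then its replay
               (0xD137A1B6, 5), (0xD137A1B6, 3),     # reordered delivery: 3 arrives after 5
               (0xD137A1B6, 3), (0xD137A1B6, 100),   # replay of 3; then a jump far ahead
               (0xD137A1B6, 36), (0xD137A1B6, 37),   # 36 fell off the window, 37 is its left edge
               (0x00000001, 1)]                      # constructed SPI that no SA owns
    return [rx.receive(spi, seq) for spi, seq in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The window is kept as a single integer bitmap so sliding it is one shift; a packet that arrives late but inside the window is still accepted once, which is why reordering across a WAN does not cause drops while a true replay does.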

AH (Authentication Header)
Data integrity and anti-replay.
AH hashes the IP header as well, but only the fields that stay fixed; the mutable fields (Type of Service, flags, fragment offset, TTL, header checksum) are excluded. Because the IP addresses are included in the hash, AH cannot pass through NAT (AH is IPv6 technology, and IPv6 has no NAT).
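As an added example (not code from the original post), the AH integrity check over the IPv4 header as just described: the mutable fields are zeroed before the HMAC is computed, so a hop decrementing the TTL (and rewriting the checksum) leaves the ICV valid, while NAT rewriting the source address breaks it. The minimal header builder, the key, the SPI and the payload are constructed for this demonstration; the addresses are those of the lab in this post.

```python
# Added example, not part of the original post: what AH's integrity check does
# and does not cover. Mutable IPv4 header fields (ToS, flags, fragment offset,
# TTL, header checksum) are zeroed before the HMAC is computed, as RFC 4302
# specifies, so a router changing the TTL does not break the ICV; the addresses
# are covered, so NAT does. The header builder, key, SPI and payload are
# constructed for this demonstration; addresses are borrowed from the lab.
import hashlib
import hmac
import struct

AH_PROTOCOL = 51
ICV_LEN = 12            # HMAC-SHA1-96 truncates the tag to 96 bits


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, tos: int = 0,
                      total_len: int = 60) -> bytes:
    """Minimal 20-byte IPv4 header without options; DF set, no fragmentation."""
    ip2int = lambda a: int.from_bytes(bytes(int(x) for x in a.split(".")), "big")
    flags_frag = 0x2 << 13                       # DF flag, fragment offset 0
    hdr = struct.pack("!BBHHHBBHII", 0x45, tos, total_len, 0x1234, flags_frag,
                      ttl, AH_PROTOCOL, 0, ip2int(src), ip2int(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1.1: ToS, flags+fragment offset, TTL and checksum are zeroed."""
    h = bytearray(hdr)
    h[1] = 0                    # ToS (DSCP/ECN) may be rewritten by QoS
    h[6] = h[7] = 0             # flags and fragment offset (a router may set DF)
    h[8] = 0                    # TTL is decremented at every hop
    h[10] = h[11] = 0           # header checksum changes whenever TTL does
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes,
           next_header: int = 6) -> bytes:
    """ICV over zeroed IP header + AH header (ICV field zeroed) + payload."""
    # AH payload len = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_hdr = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * ICV_LEN
    data = zero_mutable_fields(ip_hdr) + ah_hdr + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def verify_ah(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes,
              icv: bytes) -> bool:
    """Receiver side: recompute over the header as it arrived and compare."""
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)


def demo() -> dict:
    key = b"constructed-ah-key-for-demo"
    spi, seq, payload = 0x1000, 1, b"TCP segment (constructed)"
    sent = build_ipv4_header("10.1.1.1", "20.1.1.1", ttl=64)
    icv = ah_icv(key, sent, spi, seq, payload)
    after_hop = build_ipv4_header("10.1.1.1", "20.1.1.1", ttl=63)     # TTL decremented en route
    after_nat = build_ipv4_header("12.12.12.1", "20.1.1.1", ttl=63)   # source address rewritten by NAT
    return {
        "ttl_change_ok": verify_ah(key, after_hop, spi, seq, payload, icv),
        "nat_ok": verify_ah(key, after_nat, spi, seq, payload, icv),
    }


if __name__ == "__main__":
    print(demo())
```

The same zeroing rule is what makes AH unusable behind NAT and why ESP (which leaves the outer header out of its ICV entirely) is the practical choice whenever address translation sits on the path.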

IPsec
1  Mutual authentication         IKE
2  Establish the IPsec SA         IKE
3  Encrypt the actual traffic     ESP / AH

IKE overview
Negotiates the protocol parameters (ESP | AH)
Exchanges public keys (DH exchange)
Authenticates both sides (pre-shared key | digital signature)
Manages the keys after the exchange (lifetimes)

The three components of IKE
SKEME   defines a key exchange method (DH)
OAKLEY  support for multiple modes: for example the left side offers DES and 3DES, the right side offers DES, and the two sides negotiate which cipher is finally used
ISAKMP  defines the encapsulation format and the way negotiation packets are exchanged (the protocol that does the real work)

IKE phase 1 lifetime: default 1 day
IKE phase 2 lifetime: default 1 hour

The three IKE modes
Main mode        6 messages   IKE phase 1
Aggressive mode  3 messages   IKE phase 1   may be used for remote-access VPN with pre-shared keys (at the time, PC processing power was considered limited)
Quick mode       3 messages   IKE phase 2
9 packets in total for main mode + quick mode; packets 5 to 9 are encrypted.

The six packets of phase 1:
Packets 1, 2   Negotiate the peer and the policy (they negotiate how packets 5 to 9 will be encrypted; this is only the negotiation of the policy, it does not encrypt the actual data)
Packets 3, 4   DH key exchange (since packets 5 to 9 must be encrypted, packets 3 and 4 compute a key; from it three keys are derived, one of which encrypts the policy exchange in packets 5 to 9 and one of which is used for the actual data encryption of IKE phase 2)
Packets 5, 6   Encrypted; each carries a hash over the preceding packets
Packets 7 to 9 Negotiate how phase 2 data will be encrypted (cipher, hash, encapsulation ESP or AH, mode tunnel or transport, key lifetime defaulting to 1 hour, PFS optional)
Phase 1 and phase 2 can use different ciphers because they are independent. The result is one IKE SA and a pair of IPsec SAs, one per direction (the inbound and outbound SAs that appear in the debug output below).




Debug output of the IPsec packet exchange (R1, the initiator; the ISAKMP debug is interleaved with the console output of the ping that triggered the tunnel; the explanatory notes follow each log line after "<--"):
*Mar  1 00:01:43.499: ISAKMP: received ke message (1/1)
*Mar  1 00:01:43.499: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 00:01:43.499: ISAKMP: Created a peer struct for 23.23.23.3, peer port 500
*Mar  1 00:01:43.503: ISAKMP: New peer created peer = 0x64E2927C peer_handle = 0x80000002
*Mar  1 00:01:43.503: ISAKMP: Locking peer struct 0x64E2927C, IKE refcount 1 for isakmp_initiator
*Mar  1 00:01:43.503: ISAKMP: local port 500, remote port 500
*Mar  1 00:01:43.503: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:01:43.507: insert sa successfully sa = 64E0AC34
*Mar  1 00:01:43.507: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:01:43.507: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 23.23.23.3
*Mar  1 00:01:43.511: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 00:01:43.511: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 00:01:43.511: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 00:01:43.515: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:01:43.515: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1   <-- the IKE negotiation has been initiated; the first message is about to be sent
*Mar  1 00:01:43.515: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange   <-- the main mode negotiation is about to start
*Mar  1 00:01:43.519: ISAKMP:(0:0:N/A:0): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) MM_NO_STATE
.....
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:01:53.519: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:01:53.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:01:53.519: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:01:53.523: ISAKMP:(0:0:N/A:0): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) MM_NO_STATE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
...
*Mar  1 00:02:03.523: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:02:03.523: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:02:03.523: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:02:03.527: ISAKMP:(0:0:N/A:0): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) MM_NO_STATE   <-- the proposal is sent to peer 23.23.23.3
*Mar  1 00:02:03.831: ISAKMP (0:0): received packet from 23.23.23.3 dport 500 sport 500 Global (I) MM_NO_STATE   <-- the second message: the proposal accepted by the peer is received
*Mar  1 00:02:03.839: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:03.839: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2   <-- the second message has been exchanged
*Mar  1 00:02:03.847: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0   <-- the accepted proposal is processed locally
*Mar  1 00:02:03.847: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:02:03.847: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:02:03.847: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 00:02:03.851: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 23.23.23.3
*Mar  1 00:02:03.851: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 00:02:03.851: ISAKMP : Scanning profiles for xauth ...
*Mar  1 00:02:03.851: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:02:03.855: ISAKMP:      encryption DES-CBC
*Mar  1 00:02:03.855: ISAKMP:      hash SHA
*Mar  1 00:02:03.855: ISAKMP:      default group 1
*Mar  1 00:02:03.855: ISAKMP:      auth pre-share
*Mar  1 00:02:03.855: ISAKMP:      life type in seconds
*Mar  1 00:02:03.855: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80   <-- the accepted attributes (0x00015180 = 86400 seconds, the default phase 1 lifetime of one day)
*Mar  1 00:02:03.859: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0   <-- the proposal is acceptable locally
*Mar  1 00:02:03.931: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:03.935: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:02:03.935: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 00:02:03.935: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.!
Success rate is 20 percent (1/5), round-trip min/avg/max = 192/192/192 ms
R1#
*Mar  1 00:02:03.939: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 00:02:03.951: ISAKMP:(0:1:SW:1): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) MM_SA_SETUP   <-- the DH public value and the nonce are sent to peer 23.23.23.3
*Mar  1 00:02:03.951: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:03.955: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3   <-- the third message has been exchanged
*Mar  1 00:02:04.315: ISAKMP (0:134217729): received packet from 23.23.23.3 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 00:02:04.315: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:04.319: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4   <-- the peer's reply, the fourth message, has been received
*Mar  1 00:02:04.319: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0   <-- the peer's DH public value is processed
*Mar  1 00:02:04.383: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0   <-- the peer's nonce is processed
*Mar  1 00:02:04.387: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 23.23.23.3
*Mar  1 00:02:04.391: ISAKMP:(0:1:SW:1):SKEYID state generated   <-- SKEYID_a, SKEYID_d and SKEYID_e have been generated
*Mar  1 00:02:04.391: ISAKMP:(0:1:SW:1): processing vendor id payload   <-- the vendor ID payload is processed
*Mar  1 00:02:04.391: ISAKMP:(0:1:SW:1): vendor ID is Unity   <-- the peer is the same kind of device as the local side
*Mar  1 00:02:04.395: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:04.395: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 00:02:04.395: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:04.399: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 00:02:04.399: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:04.399: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 00:02:04.407: ISAKMP:(0:1:SW:1):Send initial contact
*Mar  1 00:02:04.407: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:02:04.407: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 12.12.12.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:02:04.411: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 00:02:04.415: ISAKMP:(0:1:SW:1): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH   <-- the fifth message, used for authentication; it carries the HASH and ID payloads
*Mar  1 00:02:04.419: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:04.419: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5   <-- the fifth message was exchanged successfully
*Mar  1 00:02:04.707: ISAKMP (0:134217729): received packet from 23.23.23.3 dport 500 sport 500 Global (I) MM_KEY_EXCH   <-- the peer's reply (the sixth message) is received; it carries HASH and ID
*Mar  1 00:02:04.711: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0   <-- the ID is processed
*Mar  1 00:02:04.711: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 23.23.23.3
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:02:04.711: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 00:02:04.715: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0   <-- the HASH is processed
*Mar  1 00:02:04.715: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 00:02:04.719: ISAKMP:(0:1:SW:1):SA has been authenticated with 23.23.23.3   <-- the local side has authenticated the peer
*Mar  1 00:02:04.719: ISAKMP: Trying to insert a peer 12.12.12.1/23.23.23.3/500/,  and inserted successfully 64E2927C.
*Mar  1 00:02:04.723: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:04.723: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 00:02:04.727: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:04.731: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Mar  1 00:02:04.735: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:04.735: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE   <-- phase 1 complete
*Mar  1 00:02:04.743: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 673525551   <-- quick mode is about to begin
*Mar  1 00:02:04.751: ISAKMP:(0:1:SW:1): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) QM_IDLE   <-- the first message of phase 2, the IPsec proposal, is sent
*Mar  1 00:02:04.751: ISAKMP:(0:1:SW:1):Node 673525551, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 00:02:04.755: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1   <-- the first message was sent successfully
*Mar  1 00:02:04.755: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 00:02:04.755: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  1 00:02:05.191: ISAKMP (0:134217729): received packet from 23.23.23.3 dport 500 sport 500 Global (I) QM_IDLE   <-- the peer's reply is received; it carries the HASH, SA, NONCE and ID payloads
*Mar  1 00:02:05.195: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 673525551   <-- the HASH payload is processed; it authenticates the message
*Mar  1 00:02:05.195: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 673525551   <-- the SA payload is processed; it carries the IPsec (phase 2) proposal
*Mar  1 00:02:05.199: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 00:02:05.199: ISAKMP: transform 1, ESP_DES
*Mar  1 00:02:05.199: ISAKMP:   attributes in transform:
*Mar  1 00:02:05.199: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 00:02:05.199: ISAKMP:      SA life type in seconds
*Mar  1 00:02:05.199: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 00:02:05.203: ISAKMP:      SA life type in kilobytes
*Mar  1 00:02:05.203: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0   <-- 0x00465000 = 4608000 kilobytes
*Mar  1 00:02:05.203: ISAKMP:      authenticator is HMAC-MD5   <-- the proposal is processed
*Mar  1 00:02:05.203: ISAKMP:(0:1:SW:1):atts are acceptable.   <-- the proposal is accepted
*Mar  1 00:02:05.207: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 673525551   <-- the NONCE payload is processed; it is a random number that guards against replay
*Mar  1 00:02:05.211: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 673525551
*Mar  1 00:02:05.211: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 673525551   <-- these IDs identify the traffic selected by the crypto ACL
*Mar  1 00:02:05.219: ISAKMP: Locking peer struct 0x64E2927C, IPSEC refcount 1 for for stuff_ke
*Mar  1 00:02:05.219: ISAKMP:(0:1:SW:1): Creating IPSec SAs   <-- the local side creates the security associations
*Mar  1 00:02:05.219:         inbound SA from 23.23.23.3 to 12.12.12.1 (f/i)  0/ 0   <-- the inbound SA is created, between 23.23.23.3 and 12.12.12.1,
        (proxy 20.1.1.0 to 10.1.1.0)   <-- this SA protects traffic from 20.1.1.0 to 10.1.1.0
*Mar  1 00:02:05.223:         has spi 0xD137A1B6 and conn_id 0 and flags 2   <-- the inbound SPI is created
*Mar  1 00:02:05.223:         lifetime of 3600 seconds   <-- inbound phase 2 lifetime in seconds
R1#
*Mar  1 00:02:05.223:         lifetime of 4608000 kilobytes   <-- inbound phase 2 lifetime in traffic volume
*Mar  1 00:02:05.223:         has client flags 0x0
*Mar  1 00:02:05.223:         outbound SA from 12.12.12.1 to 23.23.23.3 (f/i) 0/0   <-- the outbound SA is created, between 12.12.12.1 and 23.23.23.3,
        (proxy 10.1.1.0 to 20.1.1.0)   <-- this SA protects traffic from 10.1.1.0 to 20.1.1.0
*Mar  1 00:02:05.227:         has spi 1956049925 and conn_id 0 and flags A   <-- the outbound SPI is created
*Mar  1 00:02:05.227:         lifetime of 3600 seconds   <-- outbound phase 2 lifetime in seconds
*Mar  1 00:02:05.227:         lifetime of 4608000 kilobytes   <-- outbound phase 2 lifetime in traffic volume
*Mar  1 00:02:05.227:         has client flags 0x0
*Mar  1 00:02:05.231: ISAKMP:(0:1:SW:1): sending packet to 23.23.23.3 my_port 500 peer_port 500 (I) QM_IDLE   <-- the last quick mode message is sent, as confirmation
*Mar  1 00:02:05.231: ISAKMP:(0:1:SW:1):deleting node 673525551 error FALSE reason "No Error"
*Mar  1 00:02:05.235: ISAKMP:(0:1:SW:1):Node 673525551, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 00:02:05.235: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE   <-- phase 2 complete
*Mar  1 00:02:05.239: ISAKMP: Locking peer struct 0x64E2927C, IPSEC refcount 2 for from create_transforms
*Mar  1 00:02:05.243: ISAKMP: Unlocking IPSEC struct 0x64E2927C from create_transforms, count 1
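As an added example (not code from the original post), a small triage parser for ISAKMP debug lines of the kind shown above. It pulls out the state machine transitions, the phase 1 retransmit counter, the phase 2 SPIs and the authenticated peer, and reduces them to a one-line diagnosis: a healthy run ends in IKE_QM_PHASE2_COMPLETE, while a negotiation that never leaves MM_NO_STATE (the retransmits at the start of this log, which here only resolved because the peer eventually answered) points at reachability or UDP/500 filtering rather than at a policy problem. The two sample logs are constructed from lines in this post; the stalled one extends the retransmit sequence to the fifth attempt, which the post does not show. The field names and the diagnosis texts are my own.

```python
# Added example, not part of the original post: a triage parser for Cisco IOS
# ISAKMP debug lines. The sample logs are constructed from lines in this post
# (the stalled log extends the retransmits to attempt 5, which the post does
# not show); field names and diagnosis strings are my own.
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+|\d+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")


def parse_isakmp_debug(lines):
    """Reduce a stream of debug lines to the facts needed for a diagnosis."""
    s = {"transitions": [], "retransmit_attempts": 0, "max_attempts": 0,
         "proposal_accepted": False, "authenticated_peer": None, "spis": [],
         "phase1_complete": False, "phase2_complete": False}
    for line in lines:
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if old != new:                     # IOS also logs self-transitions (MM2 -> MM2); skip them
                s["transitions"].append((old, new))
            s["phase1_complete"] |= new == "IKE_P1_COMPLETE"
            s["phase2_complete"] |= new == "IKE_QM_PHASE2_COMPLETE"
        elif m := RETRANS_RE.search(line):
            s["retransmit_attempts"] = max(s["retransmit_attempts"], int(m.group(1)))
            s["max_attempts"] = int(m.group(2))
        elif "atts are acceptable" in line:
            s["proposal_accepted"] = True
        elif m := AUTH_RE.search(line):
            s["authenticated_peer"] = m.group(1)
        elif m := SPI_RE.search(line):
            s["spis"].append(int(m.group(1), 0))   # base 0 accepts both the 0x... and the decimal SPI form
    return s


def triage(s) -> str:
    """One-line diagnosis, most conclusive condition first."""
    reached = {new for _, new in s["transitions"]}
    if s["phase2_complete"]:
        return (f"ok: phase 1 and phase 2 complete, peer {s['authenticated_peer']} authenticated, "
                f"{len(s['spis'])} IPsec SPIs installed")
    if s["retransmit_attempts"] and "IKE_I_MM2" not in reached:
        return (f"stalled in MM_NO_STATE after {s['retransmit_attempts']}/{s['max_attempts']} retransmits: "
                "no reply from peer (reachability, UDP/500 filtered, or ISAKMP not enabled on the peer)")
    if "IKE_I_MM2" in reached and not s["proposal_accepted"]:
        return "phase 1 policy mismatch: the peer replied but its ISAKMP transform was not accepted"
    if s["phase1_complete"]:
        return "phase 1 complete but phase 2 did not: check the transform set and mirrored crypto ACLs"
    return "incomplete negotiation: inspect transitions " + str(s["transitions"])


# Constructed sample: a subset of the successful run in this post.
SUCCESSFUL_LOG = """\
*Mar  1 00:01:43.515: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:01:53.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:02:03.839: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 00:02:03.859: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 00:02:03.939: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 00:02:04.719: ISAKMP:(0:1:SW:1):SA has been authenticated with 23.23.23.3
*Mar  1 00:02:04.735: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 00:02:05.223:         has spi 0xD137A1B6 and conn_id 0 and flags 2
*Mar  1 00:02:05.227:         has spi 1956049925 and conn_id 0 and flags A
*Mar  1 00:02:05.235: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
""".splitlines()

# Constructed sample: the peer never answers, so the retransmit counter runs out.
STALLED_LOG = """\
*Mar  1 00:01:43.515: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:01:53.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:02:03.523: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:02:33.523: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
""".splitlines()


if __name__ == "__main__":
    for name, log in (("successful", SUCCESSFUL_LOG), ("stalled", STALLED_LOG)):
        print(f"{name}: {triage(parse_isakmp_debug(log))}")
```

Pointing this at a saved debug capture is quicker than reading the whole transcript when the only question is which phase failed; the state names it keys on (IKE_I_MM1 to IKE_I_MM6, IKE_P1_COMPLETE, IKE_QM_I_QM1, IKE_QM_PHASE2_COMPLETE) are exactly the ones that appear in the transcript above.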

[ This post was last edited by 冷寂枫夜 on 2010-8-13 16:22 ]

Attachment: ipsecvpn配置详解.doc (309 KB), 2010-8-13 15:52, 431 downloads