
Hillstone (山石网科) IPsec VPN: troubleshooting notes on common faults with debug, final edition

2016-06-04 23:18

Hi, everyone.


I am sure some of you clicking through will grumble "this guy is at it with Hillstone again". Yes, it's true, here I am again, but this time I have brought some troubleshooting notes along, in the hope that they help when you hit one of the common configuration problems in the future and do not know where to start.


Honestly, Hillstone really is pleasant to work with; give it a try if you don't believe me!!


Enough chatter, straight to the food.


I drew a quick IPsec topology diagram so that everyone has a picture to look at; otherwise you would all be cursing "no picture, no talk".


(That damned watermark) is irrelevant; today's subject is the two firewalls. In this diagram the IPsec configuration is tunnel (route-based) VPN mode, but this article covers the common mistakes of policy-based and route-based VPN together, so read carefully.


In everyday enterprise networking we often need to build a VPN network. The most basic is site-to-site; a little more complex is a full-mesh site-to-site IPsec VPN interconnect, which is a lot of work but secure, and avoids the hub-and-spoke headquarters-to-branch relationship (less work, but a big hidden risk).


Pretty much everyone knows that IPsec VPN negotiation has two phases, phase 1 and phase 2. What does each phase negotiate? Go read a book. (:!!!!


Straight to the problems you may run into in an IPsec configuration:

  1. Wrong public-facing (egress) interface selected! As in the figure below; getting this wrong deserves the whip!!

  2. Pre-shared key containing ambiguous characters (1 vs I, l (L) vs 1, O (capital o) vs 0, and so on), so that somewhere in the project's email exchanges the far end types the key wrong! That kind of mistake should cost you pay!!!

  3. Phase 1 connection type selected wrong by a slip of the hand! This rarely happens in practice, but I often change it on purpose and let the new guys on the team troubleshoot it; it's good training, honestly.

  4. Wrong algorithm! I won't enumerate these; straight pay deduction.
    PS: To be honest, I once saw a company spend two days failing to get a VPN up. When I went over and checked, the algorithms on the two ends did not match, and the manager fired the operations engineer on the spot. It made me nervous!!! I have not dared slip up since!!
    Figure: (omitted)

  5. Phase 2 auto-connect not ticked! With some other vendors' devices, leaving this unchecked causes problems.

  6. Phase 2 proxy ID not filled in, or filled in wrong. If the far end is also a Hillstone, just tick auto; if it is another device, the proxy ID must be filled in.

    Remember: the proxy ID is not the later match definition for interesting traffic; it is one of the parameters negotiated in phase 2. Many entry-level "players" never get this straight!! Pay special attention. So while you permit the corresponding traffic in policy, you still have to control the interesting traffic in both directions; keep the policy tight, otherwise it is any-to-any!!

  7. Phase 1 and phase 2 are both up, but the internal networks on the two sides still cannot communicate!


    At this point check: has the tunnel route been written? Has the SNAT no-translate exemption been configured? Is the policy direction for route-based VPN permitted correctly? Is the security connection direction for policy-based VPN selected correctly?


Follow along. The common configuration errors and the general approach were briefly introduced above; now let's focus on troubleshooting. (Visitor: "So much build-up before getting to the point, thumbs down"!!!)


Thanks for waiting. Below I demonstrate, for the error cases above, how to read Hillstone CLI debug VPN logs, together with my own troubleshooting lessons.


A side dish to whet the appetite.


Customer name: (··· a network engineer has to keep a strong sense of confidentiality; it is a matter of professional ethics) omitted
Scenario: the L2TP VPN dials up, but the internal server cannot be pinged

SSH into the Hillstone shell and use the debug commands (syntax as follows):

  debug dp filter src-ip 10.91.0.15 proto icmp 【this is the address the L2TP virtual adapter obtained】

  debug dp filter dst-ip 10.10.0.1 proto icmp

  debug dp basic

  debug dp drop

  debug self


A05-qujun-Fw[DBG](config)# clear logg debug

A05-qujun-Fw[DBG](config)# show logg debug 

2015-12-17 11:23:53, DEBUG@FLOW: core 1 (sys up 0x1aa53c70a ms): Finish decap

Packet: 10.91.0.15 -> 10.9.1.1, id: 96, ip size 60, prot: 1(ICMP)

dp_prepare_pak_lookup srcip: 10.91.0.15, dstip: 10.9.1.1,prot 1

No session found, try to create session

-----------------First path creating new session-----------------

--------VR:trust-vr start--------

10.91.0.15:1->10.9.1.1:20876

NAT: ICMP protocol type/code 0800

No DNAT matches, skip DNAT

Get nexthop if_id: 9, flags: 22, nexthop: 103.20.248.1

Interface route

NAT: ICMP protocol type/code 0800

Matched source NAT: snat rule id:2

Matched source NAT: source port1->port22589

--------VR:trust-vr end--------

begin lookup predefine prot:1 port:20876

Identified as app PING (prot=1). timeout 6.

Pak src zone L2TP, dst zone untrust, prot 1, dst-port 20876.

No policy matches, default ===DENY===  【the packet matched nothing and was dropped by the firewall; think about it~~~~~】

Dropped: Can't find policy/policy denied. Abort!!

deny session:flow0 src 10.91.0.15 --> dst 10.9.1.1 Deny session installed successfully

-----------------------First path over (session not created)

Droppped: failed to create session, drop the packet


On careful inspection it turned out I had pinged the wrong address. Debugging again, the traffic forwards normally. Er, whip for me.

A05-qujun-Fw[DBG](config)# show log debug 

2015-12-17 11:32:39, DEBUG@FLOW: core 1 (sys up 0x1aa5bce54 ms): Finish decap

Packet: 10.91.0.15 -> 10.10.1.1, id: 100, ip size 60, prot: 1(ICMP)

dp_prepare_pak_lookup srcip: 10.91.0.15, dstip: 10.10.1.1,prot 1

No session found, try to create session

-----------------First path creating new session-----------------

--------VR:trust-vr start--------

10.91.0.15:1->10.10.1.1:20879

NAT: ICMP protocol type/code 0800

No DNAT matches, skip DNAT

Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254

Interface route

NAT: ICMP protocol type/code 0800

No SNAT matches, or out of pool, skip SNAT

--------VR:trust-vr end--------

begin lookup predefine prot:1 port:20879

Identified as app PING (prot=1). timeout 6.

Pak src zone L2TP, dst zone dmz, prot 1, dst-port 20879.

Policy 6 matches, ===PERMIT===【matched; nothing more to say, it is happily forwarded】

flow0 src 10.91.0.15 --> dst 10.10.1.1 with nexthop 10.10.0.254 ifindex 13

flow1 tunnel, id=153

flow1 src 10.10.1.1 --> dst 10.91.0.15 nexthop not lookup or invalid

flow0's next hop: 0.0.0.0 flow1's next hop: 10.10.0.254

······(omitted)


VPN fault debug main course ①: VPN braised pork 【note the parts the author marked in red; public addresses have been sanitized】

Syntax used for VPN debugging: 【all of the following use these commands】

   debug ***

   debug *** filter ip x.x.x.x

   clear logging debug

   show logging debug


A05-qujun-Fw[DBG]# show log debug 

2015-12-17 11:58:46, DEBUG@***: phase2 negotiation failed due to time up waiting for phase1. 

2015-12-17 11:58:46, DEBUG@***: delete phase 2 handler.

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Resend phase1 packet d082f40cfa318a5c:481f7e4f1262f27a

2015-12-17 11:58:47, DEBUG@***: 

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: ++++++++Phase 1 main mode third msg receive START+++++++

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Begin decryption ...

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: IV was saved for next processing:

2015-12-17 11:58:47, DEBUG@***: a73f0fe2 1742d5fe 

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: with key:

2015-12-17 11:58:47, DEBUG@***: 7439a7fe b79997b9 

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Decrypted payload by IV:

2015-12-17 11:58:47, DEBUG@***: 2bebedc2 c51b4e96 

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Skip to trim padding

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Decrypted packet:

2015-12-17 11:58:47, DEBUG@***: d082f40c fa318a5c 481f7e4f 1262f27a 05100201 00000000 00000044 ba09b8b5

94a49bc2 2534d628 de147031 88bfe620 843272ae eac0e720 3e332165 099a3bab

4edd1f7c 

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Decrypt packet sucessful!

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: ===============Receive===============

2015-12-17 11:58:47, DEBUG@***: ISAKMP Header Format:

2015-12-17 11:58:47, DEBUG@***: Initiator Cookie:3498243084 4197550684

2015-12-17 11:58:47, DEBUG@***: Responder Cookie:1210023503 308474490

2015-12-17 11:58:47, DEBUG@***: Next Payload Type:5

2015-12-17 11:58:47, DEBUG@***: Exchange Type:2

2015-12-17 11:58:47, DEBUG@***: Flags:1

2015-12-17 11:58:47, DEBUG@***: Message ID:0

2015-12-17 11:58:47, DEBUG@***: Length:68

2015-12-17 11:58:47, DEBUG@***: Payload Generic Header:

2015-12-17 11:58:47, DEBUG@***: Next Payload Type:186

2015-12-17 11:58:47, DEBUG@***: Length:47285

2015-12-17 11:58:47, DEBUG@***: Content:

2015-12-17 11:58:47, DEBUG@***: <Identification Payload>

2015-12-17 11:58:47, DEBUG@***: ================================

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: DUMP of above packet:

2015-12-17 11:58:47, DEBUG@***: d082f40c fa318a5c 481f7e4f 1262f27a 05100201 00000000 00000044 ba09b8b5

94a49bc2 2534d628 de147031 88bfe620 843272ae eac0e720 3e332165 099a3bab

4edd1f7c 

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: Invalid payload or failed to malloc buffer(pre-share key may mismatch).【pre-shared key typed wrong; managers, do as you see fit: dock pay or bring out the whip】

2015-12-17 11:58:47, DEBUG@***: [x.x.x.x]: ++++++++Phase 1 main mode third msg receive END+++++++


VPN fault debug main course ②: VPN cold tomato salad 【note the parts the author marked in red】

A05-qujun-Fw[DBG]# show log debug 

2015-12-17 12:12:28, DEBUG@FLOW: core 1 (sys up 0x1aa8040d9 ms): Finish decap

Packet: 10.234.1.10 -> 10.10.1.1, id: 14819, ip size 60, prot: 1(ICMP)

dp_prepare_pak_lookup srcip: 10.234.1.10, dstip: 10.10.1.1,prot 1

No session found, try to create session

-----------------First path creating new session-----------------

--------VR:trust-vr start--------

10.234.1.10:1->10.10.1.1:24882

NAT: ICMP protocol type/code 0800

No DNAT matches, skip DNAT

Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254

Interface route

Found the reverse route for force or prefer revs-route setting

NAT: ICMP protocol type/code 0800

No SNAT matches, or out of pool, skip SNAT

--------VR:trust-vr end--------

begin lookup predefine prot:1 port:24882

Identified as app PING (prot=1). timeout 6.

Pak src zone untrust, dst zone dmz, prot 1, dst-port 24882.【traffic direction is correct】

No policy matches, default ===DENY===【no policy matched; consider whether the policy-based VPN policy is not at the top, so nothing matched and the device dropped the packet】

Dropped: Can't find policy/policy denied. Abort!!

deny session:flow0 src 10.234.1.10 --> dst 10.10.1.1 Deny session installed successfully

-----------------------First path over (session not created)

Droppped: failed to create session, drop the packet
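The three first-path traces on this page (the two L2TP pings in the side dish and the policy-VPN trace just above) read the same way every time: route, NAT, zone, then policy. As an added example, not from the post or from Hillstone, the parser below pulls those decisions out of a `debug dp` trace and says which to check first; the sample traces are abridged copies of the page's output, and `expected_dst_zone` is my assumption about the zone the target server is supposed to live in.

```python
import re

# Abridged copies of the three "debug dp" first-path traces in the post: a ping to a
# wrong address routed to the Internet, the corrected ping, and the policy-VPN deny.
DENIED_TRACE = """Packet: 10.91.0.15 -> 10.9.1.1, id: 96, ip size 60, prot: 1(ICMP)
Get nexthop if_id: 9, flags: 22, nexthop: 103.20.248.1
Matched source NAT: snat rule id:2
Pak src zone L2TP, dst zone untrust, prot 1, dst-port 20876.
No policy matches, default ===DENY===
Dropped: Can't find policy/policy denied. Abort!!"""
PERMITTED_TRACE = """Packet: 10.91.0.15 -> 10.10.1.1, id: 100, ip size 60, prot: 1(ICMP)
Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254
No SNAT matches, or out of pool, skip SNAT
Pak src zone L2TP, dst zone dmz, prot 1, dst-port 20879.
Policy 6 matches, ===PERMIT==="""
POLICY_DENIED_TRACE = """Packet: 10.234.1.10 -> 10.10.1.1, id: 14819, ip size 60, prot: 1(ICMP)
Get nexthop if_id: 13, flags: 2, nexthop: 10.10.0.254
Pak src zone untrust, dst zone dmz, prot 1, dst-port 24882.
No policy matches, default ===DENY==="""

# field -> (regex with one capture group, converter); patterns follow the trace format above
FIELDS = {
    "src": (r"Packet: (\S+) -> ", str), "dst": (r"Packet: \S+ -> ([^,]+),", str),
    "if_id": (r"Get nexthop if_id: (\d+)", int), "nexthop": (r"nexthop: (\S+)", str),
    "snat_rule": (r"Matched source NAT: snat rule id:(\d+)", int),
    "src_zone": (r"Pak src zone (\S+),", str), "dst_zone": (r"dst zone (\S+),", str),
    "policy": (r"Policy (\d+) matches", int), "verdict": (r"===(PERMIT|DENY)===", str),
}

def parse_flow_trace(trace):
    """Pull the route, NAT, zone and policy decisions out of one first-path flow trace."""
    fields = {}
    for name, (pattern, conv) in FIELDS.items():
        m = re.search(pattern, trace)
        fields[name] = conv(m.group(1)) if m else None
    return fields

def diagnose(trace, expected_dst_zone):
    """Explain a verdict in the order a practitioner checks things: route first, then zone,
    then policy. expected_dst_zone is the zone the target server is supposed to live in."""
    f = parse_flow_trace(trace)
    if f["verdict"] == "PERMIT":
        return "permitted by policy %d (%s -> %s)" % (f["policy"], f["src_zone"], f["dst_zone"])
    if f["dst_zone"] != expected_dst_zone:
        # The packet left toward the wrong zone (here the Internet, and was source-NATed on
        # the way): the destination address or the tunnel route is wrong, not the policy.
        nat = ", source-NATed by rule %d" % f["snat_rule"] if f["snat_rule"] is not None else ""
        return ("wrong egress: %s routed via if_id %d to %s into zone %s (expected %s)%s; "
                "check the destination address and tunnel route before touching policy"
                % (f["dst"], f["if_id"], f["nexthop"], f["dst_zone"], expected_dst_zone, nat))
    return ("right zone, no policy: nothing permits %s -> %s; add or reorder the policy"
            % (f["src_zone"], f["dst_zone"]))
```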


VPN fault debug main course ③: VPN garlic crayfish 【note the parts the author marked in red; public addresses have been sanitized】

A05-qujun-Fw[DBG]# show log debug 

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Peer Main mode, try to find rmconf by IP and local if.

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Peer IP: x.x.x.x

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Local IP: 103.20.248.96

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Rmconf flag 80010121.

2015-12-17 21:40:38, DEBUG@***: 00020000 671577dc 00000000 00000000 

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Get rmconf sucessful

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Begin to negotiate with found rmconf, name To WX-51IDC

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: respond new phase 1 negotiation: 103.20.248.96:500<=>x.x.x.x:500

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: begin Identity Protection mode.

2015-12-17 21:40:38, DEBUG@***: 

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: ++++++++Phase 1 main mode first msg receive START.++++++++

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: ===============Receive===============

2015-12-17 21:40:38, DEBUG@***: ISAKMP Header Format:

2015-12-17 21:40:38, DEBUG@***: Initiator Cookie:307148809 2169817196

2015-12-17 21:40:38, DEBUG@***: Responder Cookie:0 0

2015-12-17 21:40:38, DEBUG@***: Next Payload Type:1

2015-12-17 21:40:38, DEBUG@***: Exchange Type:2

2015-12-17 21:40:38, DEBUG@***: Flags:0

2015-12-17 21:40:38, DEBUG@***: Message ID:0

2015-12-17 21:40:38, DEBUG@***: Length:124

2015-12-17 21:40:38, DEBUG@***: Payload Generic Header:

2015-12-17 21:40:38, DEBUG@***: Next Payload Type:13

2015-12-17 21:40:38, DEBUG@***: Length:56

2015-12-17 21:40:38, DEBUG@***: Content:

2015-12-17 21:40:38, DEBUG@***: <SA Info>

2015-12-17 21:40:38, DEBUG@***: Payload Generic Header:

2015-12-17 21:40:38, DEBUG@***: Next Payload Type:13

2015-12-17 21:40:38, DEBUG@***: Length:20

2015-12-17 21:40:38, DEBUG@***: Content:

2015-12-17 21:40:38, DEBUG@***: <Vender ID Payload>

2015-12-17 21:40:38, DEBUG@***: Vendor ID:

2015-12-17 21:40:38, DEBUG@***: Payload Generic Header:

2015-12-17 21:40:38, DEBUG@***: Next Payload Type:0

2015-12-17 21:40:38, DEBUG@***: Length:20

2015-12-17 21:40:38, DEBUG@***: Content:

2015-12-17 21:40:38, DEBUG@***: <Vender ID Payload>

2015-12-17 21:40:38, DEBUG@***: Vendor ID:

2015-12-17 21:40:38, DEBUG@***: ================================

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Dump of above packet:

2015-12-17 21:40:38, DEBUG@***: 124eb809 8154c86c 00000000 00000000 01100200 00000000 0000007c 0d000038

00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004

00015180 80010005 80030001 80020001 80040002 0d000014 afcad713 68a1f1c9

6b8696fc 77570100 00000014 36665412 e8c59732 317454ee efef85b6 

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: phase 1 (main mode): remote supports DPD

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Compared: DB:Peer【compare local and peer negotiation parameters】

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: (lifetime = 86400:86400)

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: (lifebyte = 0:0)

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: enctype = DES-CBC:3DES-CBC【oops, the algorithm is misconfigured】

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: (encklen = 0:0)

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: hashtype = MD5:MD5

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: authmethod = pre-shared key:pre-shared key

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: dh_group = 1024-bit MODP group:1024-bit MODP group

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = DES-CBC:3DES-CBC

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: No suitable proposal found【no suitable proposal found; enough said, the whip!!!!】

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Phase 1 (main mode): failed to get valid proposal!

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: ++++++++Phase 1 main mode first msg receive END.++++++++

2015-12-17 21:40:38, DEBUG@***: 

2015-12-17 21:40:38, DEBUG@***: [x.x.x.x]: Failed to process packet.

Then I carefully examined the configuration files on both sides, as in the figure below:

Phase 1 configuration show output of SITE-A and SITE-B:

This also confirms that the phase 1 configurations really did differ~~~~~~



VPN fault debug main course ④: VPN grandma's pickled vegetables 【note the parts the author marked in red; public addresses have been sanitized】

A05-qujun-Fw[DBG]# show logg debug 

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Receive Information.

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Begin decryption ...

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: IV was saved for next processing:

2015-12-17 21:50:22, DEBUG@***: bb648cbe 7dd114ad 

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: with key:

2015-12-17 21:50:22, DEBUG@***: b13ee2ad 40c39cef 

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Decrypted payload by IV:

2015-12-17 21:50:22, DEBUG@***: 9d8257e5 0e680b7d 

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Skip to trim padding

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Decrypted packet:

2015-12-17 21:50:22, DEBUG@***: eef157b3 3b0f4a19 78058009 563e7e36 08100501 b05744e5 00000054 0b000014

709932fd 98e3b39c d23093f8 05f564f0 00000020 00000001 01108d28 eef157b3

3b0f4a19 78058009 563e7e36 00000041 0a51ae03 

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Decrypt packet sucessful!

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Hash validated.

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: DPD R-U-There received

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Begin encryption ...

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: Encrypted successful!

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: received a valid R-U-THERE, ACK sent

2015-12-17 21:50:22, DEBUG@***: [x.x.x.x]: notification message 36136:36136, doi=1 proto_id=1 spi=eef157b33b0f4a19 78058009563e7e36 (size=16).

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: DPD monitoring....

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Begin encryption ...

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Encrypted successful!

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: DPD R-U-There sent (0)

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: rescheduling send_r_u (10).

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Receive Information.

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Begin decryption ...

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: IV was saved for next processing:

2015-12-17 21:50:23, DEBUG@***: 29503bf1 0657c560 

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: with key:

2015-12-17 21:50:23, DEBUG@***: b13ee2ad 40c39cef 

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Decrypted payload by IV:

2015-12-17 21:50:23, DEBUG@***: ff76dc93 093f62f7 

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Skip to trim padding

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Decrypted packet:

2015-12-17 21:50:23, DEBUG@***: eef157b3 3b0f4a19 78058009 563e7e36 08100501 fe48cae7 00000054 0b000014

120e019f 66e1fad1 1f9c2401 6ba98b8b 00000020 00000001 01108d29 eef157b3

3b0f4a19 78058009 563e7e36 00000771 fc7fdf03 

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Decrypt packet sucessful!

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: Hash validated.

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: DPD R-U-There-Ack received

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: received an R-U-THERE-ACK

2015-12-17 21:50:23, DEBUG@***: [x.x.x.x]: notification message 36137:36137, doi=1 proto_id=1 spi=eef157b33b0f4a19 78058009563e7

(············· part of the negotiation debug output omitted)

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: phase 2 (quick mode) : received IDci2:

2015-12-17 21:50:26, DEBUG@***: 04000000 0aea0100 ffffff00 

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: phase 2 (quick mode) : received IDcr2:

2015-12-17 21:50:26, DEBUG@***: 04000000 0a0a0000 ffff0000 

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: phase 2 (quick mode) : Begin to HASH(1) validate ...

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Phase 2 (quick mode) : HASH(1) matched.

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: phase2 handler negotiating already exists, ignore phase2 negotiation request

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Detect double p2handle, Kill p for it's responder.

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: get a src address from ID payload 10.234.1.0:0 prefixlen=24 ul_proto=255

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: get dst address from ID payload 10.10.0.0:0 prefixlen=16 ul_proto=255

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Suitable SP found:10.234.1.0:0/24[ 10.10.0.0:0/16[ proto=any dir=in

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]:   (trns_id=DES encklen=0 authtype=hmac-md5)

2015-12-17 21:50:26, DEBUG@***: life duration was in TLV.

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Begin compare proposals

2015-12-17 21:50:26, DEBUG@***: prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=DES

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Begin to compare my and peer's proposal ...

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Peer's single bundle:

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]:  (proto_id=ESP spisize=4 spi=4d804926 spi_p=00000000 encmode=Tunnel reqid=0:0)

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]:   (trns_id=DES encklen=0 authtype=hmac-md5)

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: My single bundle:

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]:   (trns_id=DES encklen=0 authtype=hmac-md5)

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: pfs group mismatched: my:2 peer:0【phase 2 PFS group mismatch; filled in wrong!!】

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: Not matched

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: No suitable proposals found.

2015-12-17 21:50:26, DEBUG@***: [x.x.x.x]: ++++++++Phase 2 (quick mode) first msg receive END.++++++++

Likewise, I looked at the phase 2 configuration show output in the Hillstone shell, shown below:

PS: the left side may also have the proxy ID left blank; please take note.
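The "received IDci2 / IDcr2" lines above carry the peer's proxy IDs as raw Identification payloads, and the responder only accepts them if they equal its own configured selectors (swapped, since IDci is the initiator's side). As an added example, not the post's or Hillstone's code, this decodes those two payloads and reproduces the two phase-2 failure causes shown in this section; `LOCAL_SP` is the responder configuration implied by the "Suitable SP found" line, and the PFS groups are taken from the "pfs group mismatched: my:2 peer:0" line because the post gives no hex for the phase-2 SA payload.

```python
import ipaddress
import struct

ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET = 1, 4       # Identification types, IPsec DOI (RFC 2407)

# ID payload bodies copied from the post's "received IDci2 / IDcr2" debug lines
# (type | protocol | port | address | netmask, 12 bytes, generic header already stripped).
IDCI2_DUMP = "04000000 0aea0100 ffffff00"
IDCR2_DUMP = "04000000 0a0a0000 ffff0000"
# Responder proxy-ID configuration implied by the post's "Suitable SP found ... dir=in" line.
LOCAL_SP = {"local": "10.10.0.0/16", "remote": "10.234.1.0/24"}

def parse_id_payload(dump):
    """Decode one Identification payload body into network, upper-layer protocol and port."""
    body = bytes.fromhex("".join(dump.split()))
    idtype, proto, port = struct.unpack(">BBH", body[:4])
    if idtype == ID_IPV4_ADDR_SUBNET:
        mask = str(ipaddress.IPv4Address(body[8:12]))
        net = ipaddress.IPv4Network((body[4:8], mask))
    elif idtype == ID_IPV4_ADDR:
        net = ipaddress.IPv4Network((body[4:8], 32))
    else:
        raise ValueError("unsupported ID type %d" % idtype)
    # Protocol 0 / port 0 mean "any"; racoon-style daemons print the protocol as ul_proto=255.
    return {"net": net, "proto": proto or "any", "port": port or "any"}

def check_quick_mode(idci_dump, idcr_dump, local_sp, my_pfs_group, peer_pfs_group):
    """Responder-side checks for the two phase-2 failures the post shows:
    proxy-ID (selector) mismatch and PFS group mismatch."""
    ci, cr = parse_id_payload(idci_dump), parse_id_payload(idcr_dump)
    want_remote = ipaddress.ip_network(local_sp["remote"])
    want_local = ipaddress.ip_network(local_sp["local"])
    problems = []
    # For the responder, IDci is the initiator's protected network (our *remote* proxy ID)
    # and IDcr is ours (our *local* proxy ID); the log prints them as "<remote>[ <local>[ dir=in".
    if ci["net"] != want_remote or cr["net"] != want_local:
        problems.append("proxy ID mismatch: peer offers %s <-> %s, configured %s <-> %s"
                        % (ci["net"], cr["net"], want_remote, want_local))
    if my_pfs_group != peer_pfs_group:
        problems.append("pfs group mismatched: my:%d peer:%d" % (my_pfs_group, peer_pfs_group))
    return {"idci": ci, "idcr": cr, "problems": problems}
```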



VPN fault debug main course ⑤: VPN sizzling squid 【note the parts the author marked in red; public addresses have been sanitized】

A05-qujun-Fw[DBG]# show logging debug 

2015-12-17 22:06:27, DEBUG@***: cookie: -1, 0, -1, 0, 0

2015-12-17 22:06:27, DEBUG@***: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:27, DEBUG@***: Sa index : 307

2015-12-17 22:06:27, DEBUG@***: Fpmsg_send_and_recv return ok

2015-12-17 22:06:27, DEBUG@***: 4505, 1170652208, 2096965600, 4637893, 4136288.

2015-12-17 22:06:27, DEBUG@***: dp's lifesize is 04613972

2015-12-17 22:06:27, DEBUG@***: SA 307 's lifesize is 4505

2015-12-17 22:06:27, DEBUG@***: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:27, DEBUG@***: Sa index : 202

2015-12-17 22:06:27, DEBUG@***: Fpmsg_send_and_recv return ok

2015-12-17 22:06:27, DEBUG@***: 0, 96232, 118944, 1241, 1712.

2015-12-17 22:06:27, DEBUG@***: dp's lifesize is 00

2015-12-17 22:06:27, DEBUG@***: SA 202 's lifesize is 0

2015-12-17 22:06:28, DEBUG@***: cookie: -1, 0, -1, 0, 0

2015-12-17 22:06:28, DEBUG@***: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:28, DEBUG@***: Sa index : 307

2015-12-17 22:06:28, DEBUG@***: Fpmsg_send_and_recv return ok

2015-12-17 22:06:28, DEBUG@***: 4506, 1170653088, 2096965840, 4637902, 4136293.

2015-12-17 22:06:28, DEBUG@***: dp's lifesize is 04615152

2015-12-17 22:06:28, DEBUG@***: SA 307 's lifesize is 4506

2015-12-17 22:06:28, DEBUG@***: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:06:28, DEBUG@***: Sa index : 202

2015-12-17 22:06:28, DEBUG@***: Fpmsg_send_and_recv return ok

2015-12-17 22:06:28, DEBUG@***: 0, 96232, 118944, 1241, 1712.

2015-12-17 22:06:28, DEBUG@***: dp's lifesize is 00

2015-12-17 22:06:28, DEBUG@***: SA 202 's lifesize is 0

2015-12-17 22:06:57, DEBUG@***: [x.x.x.x]: IKE daemon start ike negotiation as initiator,with this sa index:202【the security connection type settings differ between the ends; in short, still a configuration error!!!】

2015-12-17 22:06:57, DEBUG@***: [x.x.x.x]: Peer address not found or responder only connection-type

2015-12-17 22:06:57, DEBUG@***: [x.x.x.x]: Can not start negotiation as initiator

2015-12-17 22:07:23, DEBUG@***: cookie: -1, 0, -1, 0, 0

2015-12-17 22:07:23, DEBUG@***: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:07:23, DEBUG@***: Sa index : 307

2015-12-17 22:07:23, DEBUG@***: Fpmsg_send_and_recv return ok

2015-12-17 22:07:23, DEBUG@***: 4555, 1170690240, 2096975856, 4638273, 4136501.

2015-12-17 22:07:23, DEBUG@***: dp's lifesize is 04664816

2015-12-17 22:07:23, DEBUG@***: SA 307 's lifesize is 4555

2015-12-17 22:07:23, DEBUG@***: IPC start (SA_GET_LIFESIZE)

2015-12-17 22:07:23, DEBUG@***: Sa index : 202

2015-12-17 22:07:23, DEBUG@***: Fpmsg_send_and_recv return ok

2015-12-17 22:07:23, DEBUG@***: 0, 96232, 118944, 1241, 1712.

2015-12-17 22:07:23, DEBUG@***: dp's lifesize is 00

2015-12-17 22:07:23, DEBUG@***: SA 202 's lifesize is 0

For the last error I will not go over the configuration files; the common-mistake examples earlier already listed the security connection type option and how to correct it, so scroll up and have a look.


That is all for today. This article is really just an amateur showing off in front of the masters; read it with a critical eye. I am not after likes, only mutual improvement!


Make learning a part of everyday life,

           ————————————shared by a network engineer at a tier-2 carrier



