Cisco Support Community

IOS 15.0(1)M4 Site-to-Site IPSec VPN debug output example + comments

This is a configuration example and a commented debug output example for a simple Site-to-Site IPSec VPN built on Cisco 1941 routers running IOS 15.0(1)M4. The debugs captured are the two most basic ones used when troubleshooting an IPSec VPN:

debug crypto isakmp

debug crypto ipsec

When troubleshooting during a Site-to-Site VPN build, comparing your own output with the debug output below may help isolate the problem. Also, if you open a case with TAC, first isolating how far the negotiation gets and where it stops progressing helps resolve the problem quickly, so please make use of this.

Network diagram:

In this example two C1941 routers are set up as shown below, and the traffic to be encrypted by the VPN is the communication between their Loopback interfaces (100.1.1.1 and 100.2.2.2). To change the traffic to be encrypted, modify the definition of the access-list VPNACL, which specifies the encryption target.

diagram.png

Configuration example:

The VPN-related parts are shown on a blue background.

INITIATOR

======================================================================

c1941-1#show run

Building configuration...

Current configuration : 1376 bytes

!

! Last configuration change at 09:42:50 UTC Tue Oct 18 2011

!

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname c1941-1

!

boot-start-marker

boot-end-marker

!

logging buffered 147483647

no logging console

!

no aaa new-model

!

!

!

!

ip source-route

ip cef

!

!

!

!

!

no ipv6 cef

multilink bundle-name authenticated

!

!

!

!

!

!

redundancy

!

!

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set TS esp-des esp-md5-hmac

!

crypto map CM 1 ipsec-isakmp

set peer 10.1.19.42

set transform-set TS

match address VPNACL

!

!

!

!

!

interface Loopback0

ip address 100.1.1.1 255.255.255.255

!

!

interface GigabitEthernet0/0

ip address 10.1.19.41 255.255.0.0

duplex auto

speed auto

crypto map CM

!

!

interface GigabitEthernet0/1

ip address dhcp

duplex auto

speed auto

!

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip route 10.0.1.1 255.255.255.255 10.1.255.254

ip route 100.2.2.2 255.255.255.255 10.1.19.42

!

ip access-list extended VPNACL

permit ip host 100.1.1.1 host 100.2.2.2

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

end

c1941-1#

======================================================================

RESPONDER

======================================================================

c1941-2#show run

Building configuration...

Current configuration : 1552 bytes

!

! Last configuration change at 09:49:10 UTC Tue Oct 18 2011

!

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname c1941-2

!

boot-start-marker

boot-end-marker

!

logging buffered 147483647

no logging console

!

no aaa new-model

!

!

!

!

ip source-route

ip cef

!

!

!

!

!

no ipv6 cef

multilink bundle-name authenticated

!

!

!

!

!

!

redundancy

!

!

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set TS esp-des esp-md5-hmac

!

crypto map CM 1 ipsec-isakmp

set peer 10.1.19.41

set transform-set TS

match address VPNACL

!

!

!

!

!

interface Loopback0

ip address 100.2.2.2 255.255.255.255

!

!

interface GigabitEthernet0/0

ip address 10.1.19.42 255.255.0.0

duplex auto

speed auto

crypto map CM

!

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

!

interface FastEthernet0/1/0

!

!

interface FastEthernet0/1/1

!

!

interface FastEthernet0/1/2

!

!

interface FastEthernet0/1/3

!

!

interface Vlan1

no ip address

!

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip route 10.0.1.1 255.255.255.255 10.1.255.254

ip route 100.1.1.1 255.255.255.255 10.1.19.41

!

ip access-list extended VPNACL

permit ip host 100.2.2.2 host 100.1.1.1

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

end

c1941-2#

======================================================================

Debug output:

The comments in red describe what event each part corresponds to. Detailed explanations of the terms are omitted, but if you ask in the comments I may be able to answer. Just in case, the unedited debug is attached as debug.txt.

INITIATOR

======================================================================

c1941-1#ping 100.2.2.2 sou lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 100.1.1.1

Traffic matching the IPsec policy is detected, and an IPSec SA is requested from ISAKMP.

*Oct 18 09:39:03.119: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 10.1.19.41, remote= 10.1.19.42,

    local_proxy= 100.1.1.1/255.255.255.255/0/0 (type=1),

    remote_proxy= 100.2.2.2/255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

On receiving the SA request, ISAKMP starts the negotiation with the peer.

*Oct 18 09:39:03.123: ISAKMP:(0): SA request profile is (NULL)

*Oct 18 09:39:03.123: ISAKMP: Created a peer struct for 10.1.19.42, peer port 500

*Oct 18 09:39:03.123: ISAKMP: New peer created peer = 0x300039A4 peer_handle = 0x80000004

*Oct 18 09:39:03.123: ISAKMP: Locking peer struct 0x300039A4, refcount 1 for isakmp_initiator

*Oct 18 09:39:03.123: ISAKMP: local port 500, remote port 500

*Oct 18 09:39:03.123: ISAKMP: set new node 0 to QM_IDLE

*Oct 18 09:39:03.123: ISAKMP:(0):insert sa successfully sa = 39F9163C

*Oct 18 09:39:03.123: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Oct 18 09:39:03.123: ISAKMP:(0):found peer pre-shared key matching 10.1.19.42

*Oct 18 09:39:03.123: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Oct 18 09:39:03.123: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Oct 18 09:39:03.123: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Oct 18 09:39:03.123: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Oct 18 09:39:03.123: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Oct 18 09:39:03.123: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

The Main Mode negotiation starts, and the MM1 packet is sent.

*Oct 18 09:39:03.123: ISAKMP:(0): beginning Main Mode exchange

*Oct 18 09:39:03.123: ISAKMP:(0): sending packet to 10.1.19.42 my_port 500 peer_port 500 (I) MM_NO_STATE

*Oct 18 09:39:03.123: ISAKMP:(0):Sending an IKE IPv4 Packet.

MM2 is received from the peer, and its processing starts.

*Oct 18 09:39:03.127: ISAKMP (0): received packet from 10.1.19.42 dport 500 sport 500 Global (I) MM_NO_STATE

*Oct 18 09:39:03.127: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Oct 18 09:39:03.127: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Oct 18 09:39:03.127: ISAKMP:(0): processing SA payload. message ID = 0

*Oct 18 09:39:03.127: ISAKMP:(0): processing vendor id payload

*Oct 18 09:39:03.127: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Oct 18 09:39:03.127: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Oct 18 09:39:03.127: ISAKMP:(0):found peer pre-shared key matching 10.1.19.42

*Oct 18 09:39:03.127: ISAKMP:(0): local preshared key found

*Oct 18 09:39:03.127: ISAKMP : Scanning profiles for xauth ...

*Oct 18 09:39:03.127: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Oct 18 09:39:03.127: ISAKMP:      encryption DES-CBC

*Oct 18 09:39:03.127: ISAKMP:      hash MD5

*Oct 18 09:39:03.127: ISAKMP:      default group 2

*Oct 18 09:39:03.127: ISAKMP:      auth pre-share

*Oct 18 09:39:03.127: ISAKMP:      life type in seconds

*Oct 18 09:39:03.127: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Oct 18 09:39:03.127: ISAKMP:(0):atts are acceptable. Next payload is 0

*Oct 18 09:39:03.127: ISAKMP:(0):Acceptable atts:actual life: 0

*Oct 18 09:39:03.127: ISAKMP:(0):Acceptable atts:life: 0

*Oct 18 09:39:03.127: ISAKMP:(0):Fill atts in sa vpi_length:4

*Oct 18 09:39:03.127: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Oct 18 09:39:03.127: ISAKMP:(0):Returning Actual lifetime: 86400

*Oct 18 09:39:03.127: ISAKMP:(0)::Started lifetime timer: 86400.

*Oct 18 09:39:03.127: ISAKMP:(0): processing vendor id payload

*Oct 18 09:39:03.127: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Oct 18 09:39:03.127: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Oct 18 09:39:03.127: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Oct 18 09:39:03.127: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Processing of the peer's MM2 is completed, and MM3 is sent.

*Oct 18 09:39:03.127: ISAKMP:(0): sending packet to 10.1.19.42 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Oct 18 09:39:03.127: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Oct 18 09:39:03.127: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 18 09:39:03.127: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

MM4 is received from the peer and processed.

*Oct 18 09:39:03.155: ISAKMP (0): received packet from 10.1.19.42 dport 500 sport 500 Global (I) MM_SA_SETUP

*Oct 18 09:39:03.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Oct 18 09:39:03.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Oct 18 09:39:03.155: ISAKMP:(0): processing KE payload. message ID = 0

*Oct 18 09:39:03.183: ISAKMP:(0): processing NONCE payload. message ID = 0

*Oct 18 09:39:03.183: ISAKMP:(0):found peer pre-shared key matching 10.1.19.42

*Oct 18 09:39:03.183: ISAKMP:(1003): processing vendor id payload

*Oct 18 09:39:03.183: ISAKMP:(1003): vendor ID is Unity

*Oct 18 09:39:03.183: ISAKMP:(1003): processing vendor id payload

*Oct 18 09:39:03.183: ISAKMP:(1003): vendor ID is DPD

*Oct 18 09:39:03.183: ISAKMP:(1003): processing vendor id payload

*Oct 18 09:39:03.183: ISAKMP:(1003): speaking to another IOS box!

*Oct 18 09:39:03.183: ISAKMP:received payload type 20

*Oct 18 09:39:03.183: ISAKMP (1003): His hash no match - this node outside NAT

*Oct 18 09:39:03.183: ISAKMP:received payload type 20

*Oct 18 09:39:03.183: ISAKMP (1003): No NAT Found for self or peer

*Oct 18 09:39:03.183: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Oct 18 09:39:03.183: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Oct 18 09:39:03.183: ISAKMP:(1003):Send initial contact

*Oct 18 09:39:03.183: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Oct 18 09:39:03.183: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 1

        address      : 10.1.19.41

        protocol     : 17

        port         : 500

        length       : 12

*Oct 18 09:39:03.183: ISAKMP:(1003):Total payload length: 12

The MM5 packet is built and sent.

*Oct 18 09:39:03.183: ISAKMP:(1003): sending packet to 10.1.19.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Oct 18 09:39:03.183: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Oct 18 09:39:03.183: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 18 09:39:03.183: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

MM6 is received from the peer and processed.

*Oct 18 09:39:03.187: ISAKMP (1003): received packet from 10.1.19.42 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Oct 18 09:39:03.187: ISAKMP:(1003): processing ID payload. message ID = 0

*Oct 18 09:39:03.187: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 1

        address      : 10.1.19.42

        protocol     : 17

        port         : 500

        length       : 12

*Oct 18 09:39:03.187: ISAKMP:(0):: peer matches *none* of the profiles

*Oct 18 09:39:03.187: ISAKMP:(1003): processing HASH payload. message ID = 0

*Oct 18 09:39:03.187: ISAKMP:(1003):SA authentication status:

        authenticated

*Oct 18 09:39:03.187: ISAKMP:(1003):SA has been authenticated with 10.1.19.42

*Oct 18 09:39:03.187: ISAKMP: Trying to insert a peer 10.1.19.41/10.1.19.42/500/,  and inserted successfully 300039A4.

*Oct 18 09:39:03.187: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Oct 18 09:39:03.187: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Oct 18 09:39:03.187: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Oct 18 09:39:03.187: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Oct 18 09:39:03.187: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 18 09:39:03.187: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Once the exchange so far, MM1 through MM6, is complete, the Phase 1 negotiation is complete.

From here on it is the Phase 2 negotiation: inside the tunnel created in Phase 1, the peers negotiate to create the IPSec SA.

QM1, the first packet of the Quick Mode negotiation, is sent.

*Oct 18 09:39:03.187: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 23802134

*Oct 18 09:39:03.187: ISAKMP:(1003):QM Initiator gets spi

*Oct 18 09:39:03.187: ISAKMP:(1003): sending packet to 10.1.19.42 my_port 500 peer_port 500 (I) QM_IDLE

*Oct 18 09:39:03.187: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Oct 18 09:39:03.187: ISAKMP:(1003):Node 23802134, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Oct 18 09:39:03.187: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Oct 18 09:39:03.187: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Oct 18 09:39:03.187: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

QM2 is received from the peer and processed.

In Quick Mode, the QM1/QM2 exchange almost completes everything needed for encryption, so the IPSec SAs are also created at this point.

*Oct 18 09:39:03.191: ISAKMP (1003): received packet from 10.1.19.42 dport 500 sport 500 Global (I) QM_IDLE

*Oct 18 09:39:03.191: ISAKMP:(1003): processing HASH payload. message ID = 23802134

*Oct 18 09:39:03.191: ISAKMP:(1003): processing SA payload. message ID = 23802134

*Oct 18 09:39:03.191: ISAKMP:(1003):Checking IPSec proposal 1

*Oct 18 09:39:03.191: ISAKMP: transform 1, ESP_DES

*Oct 18 09:39:03.191: ISAKMP:   attributes in transform:

*Oct 18 09:39:03.191: ISAKMP:      encaps is 1 (Tunnel)

*Oct 18 09:39:03.191: ISAKMP:      SA life type in seconds

*Oct 18 09:39:03.191: ISAKMP:      SA life duration (basic) of 3600

*Oct 18 09:39:03.191: ISAKMP:      SA life type in kilobytes

*Oct 18 09:39:03.191: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Oct 18 09:39:03.191: ISAKMP:      authenticator is HMAC-MD5

*Oct 18 09:39:03.191: ISAKMP:(1003):atts are acceptable.

*Oct 18 09:39:03.191: IPSEC(validate_proposal_request): proposal part #1

*Oct 18 09:39:03.191: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 10.1.19.41, remote= 10.1.19.42,

    local_proxy= 100.1.1.1/255.255.255.255/0/0 (type=1),

    remote_proxy= 100.2.2.2/255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Oct 18 09:39:03.191: Crypto mapdb : proxy_match

        src addr     : 100.1.1.1

        dst addr     : 100.2.2.2

        protocol     : 0

        src port     : 0

        dst port     : 0

*Oct 18 09:39:03.191: ISAKMP:(1003): processing NONCE payload. message ID = 23802134

*Oct 18 09:39:03.191: ISAKMP:(1003): processing ID payload. message ID = 23802134

*Oct 18 09:39:03.191: ISAKMP:(1003): processing ID payload. message ID = 23802134

*Oct 18 09:39:03.191: ISAKMP:(1003): Creating IPSec SAs

*Oct 18 09:39:03.191:         inbound SA from 10.1.19.42 to 10.1.19.41 (f/i)  0/ 0

        (proxy 100.2.2.2 to 100.1.1.1)

*Oct 18 09:39:03.191:         has spi 0xEC009093 and conn_id 0

*Oct 18 09:39:03.191:         lifetime of 3600 seconds

*Oct 18 09:39:03.191:         lifetime of 4608000 kilobytes

*Oct 18 09:39:03.191:         outbound SA from 10.1.19.41 to 10.1.19.42 (f/i) 0/0

        (proxy 100.1.1.1 to 100.2.2.2)

*Oct 18 09:39:03.191:         has spi  0xA20754EF and conn_id 0

*Oct 18 09:39:03.191:         lifetime of 3600 seconds

*Oct 18 09:39:03.191:         lifetime of 4608000 kilobytes

QM3 is sent to tell the peer that QM2 was received successfully.

*Oct 18 09:39:03.191: ISAKMP:(1003): sending packet to 10.1.19.42 my_port 500 peer_port 500 (I) QM_IDLE

*Oct 18 09:39:03.191: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Oct 18 09:39:03.191: ISAKMP:(1003):deleting node 23802134 error FALSE reason "No Error"

*Oct 18 09:39:03.191: ISAKMP:(1003):Node 23802134, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Oct 18 09:39:03.191: ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

The IPSec SA information from ISAKMP is passed to IPSec successfully, and the IKE negotiation completes.

*Oct 18 09:39:03.191: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Oct 18 09:39:03.191: Crypto mapdb : proxy_match

        src addr     : 100.1.1.1

        dst addr     : 100.2.2.2

        protocol     : 0

        src port     : 0

        dst port     : 0

*Oct 18 09:39:03.191: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.19.42

*Oct 18 09:39:03.191: IPSEC(crypto_ipsec_sa_find_ident_head): added peer 10.1.19.42

*Oct 18 09:39:03.191: IPSEC(policy_db_add_ident): src 100.1.1.1, dest 100.2.2.2, dest_port 0

*Oct 18 09:39:03.191: IPSEC(create_sa): sa created,

  (sa) sa_dest= 10.1.19.41, sa_proto= 50,

    sa_spi= 0xEC009093(3959459987),

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005

    sa_lifetime(k/sec)= (4383705/3600)

*Oct 18 09:39:03.191: IPSEC(create_sa): sa created,

  (sa) sa_dest= 10.1.19.42, sa_proto= 50,

    sa_spi= 0xA20754EF(2718389487),

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006

    sa_lifetime(k/sec)= (4383705/3600)

*Oct 18 09:39:03.191: IPSEC(update_current_outbound_sa): updated peer 10.1.19.42 current outbound sa to SPI A20754EF

c1941-1#

======================================================================

RESPONDER

======================================================================

c1941-2#

Processing of MM1 (the first message of the IKE negotiation) received from the peer starts.

MM1 contains the Phase 1 SA parameters proposed by the Initiator.

*Oct 18 09:45:18.887: ISAKMP (0): received packet from 10.1.19.41 dport 500 sport 500 Global (N) NEW SA

*Oct 18 09:45:18.887: ISAKMP: Created a peer struct for 10.1.19.41, peer port 500

*Oct 18 09:45:18.887: ISAKMP: New peer created peer = 0x305BD920 peer_handle = 0x80000004

*Oct 18 09:45:18.887: ISAKMP: Locking peer struct 0x305BD920, refcount 1 for crypto_isakmp_process_block

*Oct 18 09:45:18.887: ISAKMP: local port 500, remote port 500

*Oct 18 09:45:18.887: ISAKMP:(0):insert sa successfully sa = 26CF2EC4

*Oct 18 09:45:18.887: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Oct 18 09:45:18.887: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct 18 09:45:18.887: ISAKMP:(0): processing SA payload. message ID = 0

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Oct 18 09:45:18.887: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Oct 18 09:45:18.887: ISAKMP (0): vendor ID is NAT-T v7

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID is NAT-T v3

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 18 09:45:18.887: ISAKMP:(0):found peer pre-shared key matching 10.1.19.41

*Oct 18 09:45:18.887: ISAKMP:(0): local preshared key found

*Oct 18 09:45:18.887: ISAKMP : Scanning profiles for xauth ...

*Oct 18 09:45:18.887: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Oct 18 09:45:18.887: ISAKMP:      encryption DES-CBC

*Oct 18 09:45:18.887: ISAKMP:      hash MD5

*Oct 18 09:45:18.887: ISAKMP:      default group 2

*Oct 18 09:45:18.887: ISAKMP:      auth pre-share

*Oct 18 09:45:18.887: ISAKMP:      life type in seconds

*Oct 18 09:45:18.887: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Oct 18 09:45:18.887: ISAKMP:(0):atts are acceptable. Next payload is 0 (the proposal from the peer is acceptable)

*Oct 18 09:45:18.887: ISAKMP:(0):Acceptable atts:actual life: 0

*Oct 18 09:45:18.887: ISAKMP:(0):Acceptable atts:life: 0

*Oct 18 09:45:18.887: ISAKMP:(0):Fill atts in sa vpi_length:4

*Oct 18 09:45:18.887: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Oct 18 09:45:18.887: ISAKMP:(0):Returning Actual lifetime: 86400

*Oct 18 09:45:18.887: ISAKMP:(0)::Started lifetime timer: 86400.

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Oct 18 09:45:18.887: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Oct 18 09:45:18.887: ISAKMP (0): vendor ID is NAT-T v7

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID is NAT-T v3

*Oct 18 09:45:18.887: ISAKMP:(0): processing vendor id payload

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Oct 18 09:45:18.887: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 18 09:45:18.887: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Oct 18 09:45:18.887: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct 18 09:45:18.887: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Of the proposals contained in the peer's MM1, the one that will actually be used is selected and included, and MM2 is sent.

*Oct 18 09:45:18.891: ISAKMP:(0): sending packet to 10.1.19.41 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Oct 18 09:45:18.891: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Oct 18 09:45:18.891: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 18 09:45:18.891: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

MM3 is received from the peer and processed.

*Oct 18 09:45:18.891: ISAKMP (0): received packet from 10.1.19.41 dport 500 sport 500 Global (R) MM_SA_SETUP

*Oct 18 09:45:18.891: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Oct 18 09:45:18.891: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Oct 18 09:45:18.891: ISAKMP:(0): processing KE payload. message ID = 0

*Oct 18 09:45:18.919: ISAKMP:(0): processing NONCE payload. message ID = 0

*Oct 18 09:45:18.919: ISAKMP:(0):found peer pre-shared key matching 10.1.19.41

*Oct 18 09:45:18.919: ISAKMP:(1003): processing vendor id payload

*Oct 18 09:45:18.919: ISAKMP:(1003): vendor ID is DPD

*Oct 18 09:45:18.919: ISAKMP:(1003): processing vendor id payload

*Oct 18 09:45:18.919: ISAKMP:(1003): speaking to another IOS box!

*Oct 18 09:45:18.919: ISAKMP:(1003): processing vendor id payload

*Oct 18 09:45:18.919: ISAKMP:(1003): vendor ID seems Unity/DPD but major 77 mismatch

*Oct 18 09:45:18.919: ISAKMP:(1003): vendor ID is XAUTH

*Oct 18 09:45:18.919: ISAKMP:received payload type 20

*Oct 18 09:45:18.919: ISAKMP (1003): His hash no match - this node outside NAT

*Oct 18 09:45:18.919: ISAKMP:received payload type 20

*Oct 18 09:45:18.919: ISAKMP (1003): No NAT Found for self or peer

*Oct 18 09:45:18.919: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Oct 18 09:45:18.919: ISAKMP:(1003):Old State = IKE_R_MM3  New State = IKE_R_MM3

MM4 is sent to the peer.

*Oct 18 09:45:18.919: ISAKMP:(1003): sending packet to 10.1.19.41 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Oct 18 09:45:18.919: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Oct 18 09:45:18.919: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 18 09:45:18.919: ISAKMP:(1003):Old State = IKE_R_MM3  New State = IKE_R_MM4

MM5 is received from the peer and processed.

*Oct 18 09:45:18.947: ISAKMP (1003): received packet from 10.1.19.41 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Oct 18 09:45:18.947: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Oct 18 09:45:18.947: ISAKMP:(1003):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Oct 18 09:45:18.947: ISAKMP:(1003): processing ID payload. message ID = 0

*Oct 18 09:45:18.947: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 1

        address      : 10.1.19.41

        protocol     : 17

        port         : 500

        length       : 12

*Oct 18 09:45:18.947: ISAKMP:(0):: peer matches *none* of the profiles

*Oct 18 09:45:18.947: ISAKMP:(1003): processing HASH payload. message ID = 0

*Oct 18 09:45:18.947: ISAKMP:(1003): processing NOTIFY INITIAL_CONTACT protocol 1

        spi 0, message ID = 0, sa = 26CF2EC4

*Oct 18 09:45:18.947: ISAKMP:(1003):SA authentication status:

        authenticated

*Oct 18 09:45:18.947: ISAKMP:(1003):SA has been authenticated with 10.1.19.41

*Oct 18 09:45:18.947: ISAKMP:(1003):SA authentication status:

        authenticated

*Oct 18 09:45:18.947: ISAKMP:(1003): Process initial contact,

bring down existing phase 1 and 2 SA's with local 10.1.19.42 remote 10.1.19.41 remote port 500

*Oct 18 09:45:18.947: ISAKMP: Trying to insert a peer 10.1.19.42/10.1.19.41/500/,  and inserted successfully 305BD920.

*Oct 18 09:45:18.947: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Oct 18 09:45:18.947: ISAKMP:(1003):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Oct 18 09:45:18.947: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Oct 18 09:45:18.947: ISAKMP (1003): ID payload

        next-payload : 8

        type         : 1

        address      : 10.1.19.42

        protocol     : 17

        port         : 500

        length       : 12

*Oct 18 09:45:18.947: ISAKMP:(1003):Total payload length: 12

MM6 is sent, and the Main Mode negotiation is complete.

*Oct 18 09:45:18.947: ISAKMP:(1003): sending packet to 10.1.19.41 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Oct 18 09:45:18.947: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Oct 18 09:45:18.947: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 18 09:45:18.947: ISAKMP:(1003):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Oct 18 09:45:18.951: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Oct 18 09:45:18.951: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

The QM1 packet is received from the peer and processed.

*Oct 18 09:45:18.951: ISAKMP (1003): received packet from 10.1.19.41 dport 500 sport 500 Global (R) QM_IDLE

*Oct 18 09:45:18.951: ISAKMP: set new node 23802134 to QM_IDLE

*Oct 18 09:45:18.951: ISAKMP:(1003): processing HASH payload. message ID = 23802134

*Oct 18 09:45:18.951: ISAKMP:(1003): processing SA payload. message ID = 23802134

*Oct 18 09:45:18.951: ISAKMP:(1003):Checking IPSec proposal 1

*Oct 18 09:45:18.951: ISAKMP: transform 1, ESP_DES

*Oct 18 09:45:18.951: ISAKMP:   attributes in transform:

*Oct 18 09:45:18.951: ISAKMP:      encaps is 1 (Tunnel)

*Oct 18 09:45:18.951: ISAKMP:      SA life type in seconds

*Oct 18 09:45:18.951: ISAKMP:      SA life duration (basic) of 3600

*Oct 18 09:45:18.951: ISAKMP:      SA life type in kilobytes

*Oct 18 09:45:18.951: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Oct 18 09:45:18.951: ISAKMP:      authenticator is HMAC-MD5

*Oct 18 09:45:18.951: ISAKMP:(1003):atts are acceptable.

*Oct 18 09:45:18.951: ISAKMP:(1003): processing NONCE payload. message ID = 23802134

*Oct 18 09:45:18.951: ISAKMP:(1003): processing ID payload. message ID = 23802134

*Oct 18 09:45:18.951: ISAKMP:(1003): processing ID payload. message ID = 23802134

*Oct 18 09:45:18.951: ISAKMP:(1003):QM Responder gets spi

*Oct 18 09:45:18.951: ISAKMP:(1003):Node 23802134, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Oct 18 09:45:18.951: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

*Oct 18 09:45:18.951: ISAKMP:(1003): Creating IPSec SAs

*Oct 18 09:45:18.951:         inbound SA from 10.1.19.41 to 10.1.19.42 (f/i)  0/ 0

        (proxy 100.1.1.1 to 100.2.2.2)

*Oct 18 09:45:18.951:         has spi 0xA20754EF and conn_id 0

*Oct 18 09:45:18.951:         lifetime of 3600 seconds

*Oct 18 09:45:18.955:         lifetime of 4608000 kilobytes

*Oct 18 09:45:18.955:         outbound SA from 10.1.19.42 to 10.1.19.41 (f/i) 0/0

        (proxy 100.2.2.2 to 100.1.1.1)

*Oct 18 09:45:18.955:         has spi  0xEC009093 and conn_id 0

*Oct 18 09:45:18.955:         lifetime of 3600 seconds

*Oct 18 09:45:18.955:         lifetime of 4608000 kilobytes

QM2 is sent, and the router waits for QM3 to come back from the peer.

*Oct 18 09:45:18.955: ISAKMP:(1003): sending packet to 10.1.19.41 my_port 500 peer_port 500 (R) QM_IDLE

*Oct 18 09:45:18.955: ISAKMP:(1003):Sending an IKE IPv4 Packet.

*Oct 18 09:45:18.955: ISAKMP:(1003):Node 23802134, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Oct 18 09:45:18.955: ISAKMP:(1003):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

QM3 is received from the peer, confirming that the Quick Mode negotiation completed successfully.

The negotiation is complete.

*Oct 18 09:45:18.955: ISAKMP (1003): received packet from 10.1.19.41 dport 500 sport 500 Global (R) QM_IDLE

*Oct 18 09:45:18.955: ISAKMP:(1003):deleting node 23802134 error FALSE reason "QM done (await)"

*Oct 18 09:45:18.955: ISAKMP:(1003):Node 23802134, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Oct 18 09:45:18.955: ISAKMP:(1003):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

c1941-2#

======================================================================
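As an added example (not part of the original post or of IOS), a small Python script that reads debug crypto isakmp output in the format shown above and reports the furthest ISAKMP state reached, which is exactly the isolation step suggested for a TAC case. The stage hints it prints are general IKEv1 troubleshooting heuristics, not something the post states, and both sample logs are constructed, abridged from the initiator output above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Rank of each ISAKMP state seen in the debug output above; a higher rank means
# the negotiation got further.  Initiator (IKE_I_*) and responder (IKE_R_*)
# states for the same Main Mode message share a rank.
STATE_RANK: Dict[str, int] = {
    "IKE_READY": 0, "IKE_P1_COMPLETE": 7, "IKE_QM_READY": 8,
    "IKE_QM_I_QM1": 9, "IKE_QM_SPI_STARVE": 9, "IKE_QM_R_QM2": 10,
    "IKE_QM_PHASE2_COMPLETE": 11,
}
for _n in range(1, 7):
    STATE_RANK[f"IKE_I_MM{_n}"] = STATE_RANK[f"IKE_R_MM{_n}"] = _n

# General IKEv1 troubleshooting heuristics (added here, not from the post):
# what a negotiation that stops at a given rank usually points to.
STAGE_HINTS: List[Tuple[int, str]] = [
    (0, "no Main Mode started: check the crypto map and interesting traffic (VPNACL)"),
    (1, "MM1/MM2 not answered: peer unreachable, UDP/500 blocked, or no matching isakmp policy"),
    (3, "MM3/MM4 (KE/NONCE) in progress: Diffie-Hellman exchange did not complete"),
    (5, "MM5/MM6 (ID/HASH) failed: usually a pre-shared key or ID mismatch"),
    (7, "Phase 1 complete, Quick Mode unfinished: transform-set or proxy identity (VPNACL) mismatch"),
    (11, "Phase 2 complete: IPsec SAs installed"),
]

TRANSITION_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SPI_RE = re.compile(r"has spi\s+0x([0-9A-Fa-f]+)")
ACCEPT_RE = re.compile(r"atts are (not )?acceptable", re.IGNORECASE)

def parse_transitions(log: str) -> List[Tuple[str, str]]:
    """(old, new) ISAKMP state pairs in the order they were logged."""
    return [(m.group(1), m.group(2)) for m in TRANSITION_RE.finditer(log)]

def furthest_state(log: str) -> Optional[str]:
    """Highest-ranked state reached, or None if no transition was logged."""
    reached = [new for _, new in parse_transitions(log) if new in STATE_RANK]
    return max(reached, key=STATE_RANK.__getitem__) if reached else None

def stage_hint(state: Optional[str]) -> str:
    """Stage the negotiation stopped in, and the usual thing to check there."""
    rank = STATE_RANK.get(state, 0) if state else 0
    return [text for min_rank, text in STAGE_HINTS if rank >= min_rank][-1]

def ipsec_spis(log: str) -> List[str]:
    """SPIs of the IPsec SAs ISAKMP created (the 'has spi 0x...' lines)."""
    return [m.group(1).upper() for m in SPI_RE.finditer(log)]

def proposal_rejected(log: str) -> bool:
    """True if an 'atts are not acceptable' line appears (policy/transform mismatch)."""
    return any(m.group(1) for m in ACCEPT_RE.finditer(log))

def summarise(log: str) -> Dict[str, object]:
    """Summary of how far the negotiation got, e.g. for a TAC case description."""
    state = furthest_state(log)
    rank = STATE_RANK.get(state, 0) if state else 0
    return {
        "furthest_state": state,
        "phase1_complete": rank >= STATE_RANK["IKE_P1_COMPLETE"],
        "phase2_complete": state == "IKE_QM_PHASE2_COMPLETE",
        "proposal_rejected": proposal_rejected(log),
        "ipsec_spis": ipsec_spis(log),
        "hint": stage_hint(state),
    }

# Constructed sample: an abridged copy of the initiator output above.
OK_LOG = """\
*Oct 18 09:39:03.123: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Oct 18 09:39:03.127: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 18 09:39:03.187: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Oct 18 09:39:03.191:         has spi 0xEC009093 and conn_id 0
*Oct 18 09:39:03.191:         has spi  0xA20754EF and conn_id 0
*Oct 18 09:39:03.191: ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed sample: the initiator sends MM5 but MM6 never comes back.
STALLED_LOG = """\
*Oct 18 10:01:00.000: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Oct 18 10:01:00.030: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Oct 18 10:01:00.060: ISAKMP:(1004): sending packet to 10.1.19.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 18 10:01:00.060: ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM5
"""

if __name__ == "__main__":
    for name, log in (("ok", OK_LOG), ("stalled", STALLED_LOG)):
        print(name, summarise(log))
```

To use it on a real capture, pass the saved debug text (for example the attached debug.txt) to summarise() instead of the constructed samples.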
