VPN Troubleshooting Guide
Contents
1. No debug output
1. Understanding the VPN trigger process
2. Possible errors
2. Debug output present, but the VPN cannot be established
1. MM packets 1-2
2. MM packets 3-4
3. MM packets 5-6
4. QM packets 1-3
3. IPsec SA established, but traffic does not pass
1. No debug output
a) Understanding the VPN trigger process
1. A packet enters the VPN device; the device looks up the route to the remote communication endpoint, and that route steers the traffic out the appropriate interface.
2. On its way out of that interface the packet hits the crypto map.
3. The traffic matches the crypto map's ACL (the interesting traffic), which triggers encryption.
4. IKE negotiation with the peer is initiated; the VPN device looks up the route to the peer.
b) Possible errors
1. no logging console <may be pre-configured by the exam, or a deliberate trouble>
2. No route to the remote communication endpoint, or the route does not steer the traffic to the outgoing interface.
3. No crypto map on the correct interface.
4. The crypto map's ACL is wrong and does not match the interesting traffic.
5. No route to the peer (the encryption endpoint).
6. NAT changes the interesting traffic; the interesting traffic must be excluded from NAT.
Note: NAT is applied before encryption, so the crypto ACL sees the translated addresses.
7. EZVPN sometimes fails to initiate; re-enter and re-apply the configuration <probably a specific IOS bug>.
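The six checks in this list can be run mechanically against a running-config before touching debug. The following Python linter is an added example, not part of this guide or of Cisco IOS: it parses a constructed IOS config (the names VPN, VPN_ACL, NAT_ACL and all addresses are assumptions made for the example), reports errors 1 to 6 above, and then shows the same config with the findings corrected. It only understands static routes and simple extended ACLs, which is all the trigger chain needs.

```python
"""Lint a Cisco IOS running-config for the 'no debug output' causes listed above."""
import ipaddress

# Constructed sample running-config (not from a real device), deliberately broken.
# The names VPN, VPN_ACL, NAT_ACL and all addresses are assumptions for the example.
BROKEN_CONFIG = """\
no logging console
crypto isakmp key cisco address 22.22.22.22
crypto map VPN 10 ipsec-isakmp
 set peer 22.22.22.23
 match address VPN_ACL
interface Ethernet0/0
 ip address 11.11.11.11 255.255.255.0
ip nat inside source list NAT_ACL interface Ethernet0/0 overload
ip route 10.2.2.0 255.255.255.0 11.11.11.254
ip access-list extended VPN_ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip access-list extended NAT_ACL
 permit ip 10.1.1.0 0.0.0.255 any
"""
# Same config with every finding corrected: logging on, set peer fixed, map applied
# to the egress interface, route to the peer added, NAT exemption inserted first.
FIXED_CONFIG = (BROKEN_CONFIG
    .replace("no logging console\n", "")
    .replace("set peer 22.22.22.23", "set peer 22.22.22.22")
    .replace(" ip address 11.11.11.11 255.255.255.0\n",
             " ip address 11.11.11.11 255.255.255.0\n crypto map VPN\n")
    .replace("ip route 10.2.2.0", "ip route 22.22.22.0 255.255.255.0 11.11.11.254\nip route 10.2.2.0")
    .replace(" permit ip 10.1.1.0 0.0.0.255 any",
             " deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n permit ip 10.1.1.0 0.0.0.255 any"))

def parse_sections(config):
    """Group indented lines under the preceding top-level command."""
    sections = []
    for line in config.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip():
            sections.append((line.strip(), []))
    return sections

def _net(tokens):  # consume one ACL address spec (any | A WILDCARD) as an ip_network
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return ipaddress.ip_network(f"{kw}/{32 - bin(wild).count('1')}", strict=False)

def parse_ace(line):
    """'permit ip SRC DST' -> (action, src_network, dst_network)."""
    toks = line.split()
    rest = toks[2:]
    return toks[0], _net(rest), _net(rest)

def lint(config):
    """Return a list of findings; an empty list means the trigger chain is intact."""
    findings, acls, ifaces, maps, keys, routes, nats = [], {}, {}, {}, set(), [], []
    for head, body in parse_sections(config):
        t = head.split()
        if head == "no logging console":
            findings.append("console logging is disabled: no debug output will be seen")
        elif head.startswith("ip access-list extended "):
            acls[t[3]] = [parse_ace(l) for l in body]
        elif head.startswith("interface "):
            ip = next((l.split()[2:4] for l in body if l.startswith("ip address ")), None)
            net = ipaddress.ip_interface("/".join(ip)).network if ip else None
            ifaces[t[1]] = (net, [l.split()[2] for l in body if l.startswith("crypto map ")])
        elif head.startswith("crypto map ") and "ipsec-isakmp" in head:
            # 'set peer X' / 'match address ACL' -> {"peer": X, "address": ACL}
            maps[t[2]] = dict(l.split(None, 2)[1:] for l in body)
        elif head.startswith("crypto isakmp key "):
            keys.add(t[t.index("address") + 1])
        elif head.startswith("ip route "):
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif head.startswith("ip nat inside source list "):
            nats.append(t[5])
    def egress(target):  # longest static-route match -> interface whose subnet holds the next hop
        hits = [r for r in routes if r[0].supernet_of(target)]
        if not hits:
            return None
        nh = ipaddress.ip_address(max(hits, key=lambda r: r[0].prefixlen)[1])
        return next((n for n, (net, _) in ifaces.items() if net and nh in net), None)
    for name, m in maps.items():
        if m.get("peer") not in keys:
            findings.append(f"set peer {m.get('peer')} has no matching crypto isakmp key address")
        if egress(ipaddress.ip_network(m["peer"] + "/32")) is None:
            findings.append(f"no route to peer {m['peer']}")
        for _, src, dst in [a for a in acls.get(m.get("address"), []) if a[0] == "permit"]:
            out_if = egress(dst)
            if out_if is None:
                findings.append(f"no route to remote network {dst}")
            elif name not in ifaces[out_if][1]:
                findings.append(f"traffic to {dst} leaves {out_if} but crypto map {name} is not there")
            for nat in nats:  # the first NAT ACE covering the flow must be a deny
                hit = next((a for a, s, d in acls.get(nat, [])
                            if s.supernet_of(src) and d.supernet_of(dst)), None)
                if hit == "permit":
                    findings.append(f"NAT list {nat} translates {src} -> {dst}; add a deny first")
    return findings
```

`lint(BROKEN_CONFIG)` returns five findings, one per mistake planted in the sample (console logging off, set peer not matching the isakmp key address, no route to the peer, crypto map missing from the egress interface, NAT list without an exemption); `lint(FIXED_CONFIG)` returns an empty list. The NAT check deliberately looks only at the first ACE that covers the flow, because that is the one the router will act on.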
2. Debug output present, but the VPN cannot be established
1. MM packets 1-2
Main purpose of MM packets 1-2: peer address check and phase 1 policy negotiation.
Possible errors
A. First type of debug error message
(2500)
10:41:57: ISAKMP (0:2): sending packet to 22.22.22.22 (I) MM_NO_STATE
10:41:57: ISAKMP (0:2): received packet from 22.22.22.22 (I) MM_NO_STATE
10:41:57: ISAKMP (0:2): Notify has no hash. Rejected.
(2600|IOS 12.3(10)a)
*Mar 1 00:15:34.515: ISAKMP: reserved not zero on NOTIFY payload!
*Mar 1 00:15:34.515: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.100.1.2 failed its sanity check or is malformed.
Policy error: check the ISAKMP policy on both sides (authentication, hash, group, encryption, lifetime).
B. Second type of debug error message
(2500)
11:00:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 22.22.22.22 ...
(2600|IOS 12.3(10)a)
*Mar 1 00:20:27.800: ISAKMP: reserved not zero on NOTIFY payload!
*Mar 1 00:20:27.800: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.100.1.2 failed its sanity check or is malformed
Source-address error: check whether the local IKE source address is the peer address the other side configured, and whether `cry map cisco local-address` is used correctly.
C. Third type of debug error message
(2500)
10:49:08: ISAKMP (0:1): No Cert or pre-shared address key.
10:49:08: ISAKMP (0:1): Can not start Main mode
10:49:08: ISAKMP (0:1): Can not start aggressive mode.
10:49:08: ISAKMP (0:1): purging SA.
10:49:08: ISAKMP (0:1): purging node -
(2600|IOS 12.3(10)a)
*Mar 1 00:28:49.066: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:28:49.066: ISAKMP: Looking for a matching key for 150.100.1.100 in default
*Mar 1 00:28:49.066: ISAKMP: Looking for a matching key for 150.100.1.100 in keyring
*Mar 1 00:28:49.066: ISAKMP (0:1): No pre-shared key with 150.100.1.100!
*Mar 1 00:28:49.066: ISAKMP (0:1): No Cert or pre-shared address key.
*Mar 1 00:28:49.070: ISAKMP (0:1): construct_initial_message: Can not start Main mode
*Mar 1 00:28:49.070: ISAKMP (0:1): purging SA., sa=82D9802C, delme=82D9802C
*Mar 1 00:28:49.070: ISAKMP (0:1): purging node 889095291
Peer error: check that the address after `cry isa key cisco address` is the same as the `set peer` address under the `cry map`.
D. Fourth type of debug error message
(2500)
2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_
2d15h: ISAKMP (0:3): retransmitting phase 1 MM_
2d15h: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_NO_STATE.
2d15h: ISAKMP (0:2): purging node -
(2600|IOS 12.3(10)a)
*Mar 1 00:36:46.905: ISAKMP (0:1): retransmitting phase 1 MM_
*Mar 1 00:36:46.905: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 00:36:46.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:36:46.905: ISAKMP (0:1): sending packet to 150.100.1.2 my_port 500 peer_port 500 (I) MM_
*Mar 1 00:36:56.905: ISAKMP (0:1): retransmitting phase 1 MM_
*Mar 1 00:36:56.905: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 00:36:56.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:36:56.905: ISAKMP (0:1): sending packet to 150.100.1.2 my_port 500 peer_port 500 (I) MM_
Peer unreachable: the first packet is retransmitted with no reply. Check the access-lists on the path and the translation on intermediate PIX devices.
2. MM packets 3-4
Main purpose of MM packets 3-4: Diffie-Hellman exchange.
No error messages observed here so far.
3. MM packets 5-6
Main purpose of MM packets 5-6: authentication. Packet 5 lets the responder authenticate the initiator, packet 6 lets the initiator authenticate the responder.
A. First type of debug error message
(2500)
10:45:43: ISAKMP (0:1): retransmitting phase 1 MM_
10:45:43: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
10:45:43: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
10:45:43: ISAKMP (0:1): sending packet to 22.22.22.22 (I) MM_KEY_EXCH
10:45:43: ISAKMP (0:1): received packet from 22.22.22.22 (I) MM_KEY_EXCH
10:45:43: ISAKMP: reserved not zero on NOTIFY payload!
10:45:43: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission.
10:45:44: ISAKMP (0:1): retransmitting phase 1 MM_
10:45:44: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
10:45:44: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
10:45:44: ISAKMP (0:1): sending packet to 22.22.22.22 (I) MM_KEY_EXCH.
(2600|IOS 12.3(10)a)
*Mar 1 00:56:59.857: ISAKMP (0:2): received packet from 150.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:56:59.861: ISAKMP (0:2): received packet from 150.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:56:59.861: ISAKMP (0:2): received packet from 150.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:56:59.865: ISAKMP (0:2): received packet from 150.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:56:59.865: ISAKMP (0:2): received packet from 150.100.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Key error: the negotiation stalls in MM_KEY_EXCH (on 12.3(10)a the same MM5 packet is received over and over with no error text). Check that the pre-shared key is identical on both sides.
4. QM packets 1-3
Main purpose of QM packets 1-3: exchange the phase 2 (IPsec) policy.
A. First type of debug error message
(2500)
12:15:22: ISAKMP (0:1): processing HASH payload. message ID = -1653044044
12:15:22: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
(2600|IOS 12.3(10)a)
*Mar 1 00:59:39.840: ISAKMP (0:3): processing HASH payload. message ID = 878633978
*Mar 1 00:59:39.840: ISAKMP (0:3): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Phase 2 policy error: 1. transform-set mismatch 2. the crypto access-lists are not mirror images 3. the receiving side has not applied the crypto map.
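The messages in sections 2.1 to 2.4 can be mapped to their causes mechanically, with one caveat worth encoding: the same text means different things in different ISAKMP states (`reserved not zero on NOTIFY payload` is a policy mismatch in MM_NO_STATE but a key mismatch in MM_KEY_EXCH, and `retransmitting phase 1` is an unreachable peer in MM_NO_STATE but a key mismatch in MM_KEY_EXCH). The following Python classifier is an added example, not part of this guide or of Cisco IOS; its sample lines are constructed after the excerpts quoted above with the garbled words restored, and its rule table is this guide's list of diagnoses. On the 12.3(10)a router, cases A and B of MM 1-2 print identical output, so a "policy" result there should also prompt the local-address check of case B.

```python
"""Classify Cisco IOS 'debug crypto isakmp' output into the causes listed in section 2."""
import re

# Constructed debug excerpts modelled on the lines quoted in this guide (garbled
# words restored); they are sample input for the classifier, not captured output.
SAMPLES = {
    "policy": [
        "10:41:57: ISAKMP (0:2): sending packet to 22.22.22.22 (I) MM_NO_STATE",
        "10:41:57: ISAKMP (0:2): received packet from 22.22.22.22 (I) MM_NO_STATE",
        "10:41:57: ISAKMP (0:2): Notify has no hash. Rejected.",
    ],
    "source": [
        "11:00:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 22.22.22.22",
    ],
    "peer_address": [
        "10:49:08: ISAKMP (0:1): No Cert or pre-shared address key.",
        "10:49:08: ISAKMP (0:1): Can not start Main mode",
    ],
    "unreachable": [
        "2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_NO_STATE",
        "2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...",
        "2d15h: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1",
        "2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE",
    ],
    "psk": [
        "10:45:43: ISAKMP (0:1): sending packet to 22.22.22.22 (I) MM_KEY_EXCH",
        "10:45:43: ISAKMP (0:1): received packet from 22.22.22.22 (I) MM_KEY_EXCH",
        "10:45:43: ISAKMP: reserved not zero on NOTIFY payload!",
        "10:45:43: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH",
    ],
    # 12.3(10)a prints no error text: the initiator just stays in MM_KEY_EXCH
    # receiving the same packet again and again.
    "psk_2600": ["*Mar 1 00:56:59.857: ISAKMP (0:2): received packet from 150.100.1.2 "
                 "dport 500 sport 500 Global (I) MM_KEY_EXCH"] * 5,
    "phase2": [
        "12:15:22: ISAKMP (0:1): processing HASH payload. message ID = -1653044044",
        "12:15:22: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3",
    ],
}

DIAGNOSIS = {
    "policy": "MM1-2: phase 1 policy mismatch (authentication, hash, group, encryption, lifetime)",
    "source": "MM1-2: local IKE source address is not the peer the other side configured (check crypto map local-address)",
    "peer_address": "MM1-2: no pre-shared key for this peer (crypto isakmp key address must equal set peer)",
    "unreachable": "MM1-2: peer unreachable (check access-lists and PIX/NAT translation on the path)",
    "psk": "MM5-6: pre-shared key mismatch",
    "phase2": "QM1-3: proposal not chosen (transform-set, mirrored crypto ACL, or map not applied on the responder)",
}

STATE_RE = re.compile(r"\b(MM_NO_STATE|MM_SA_SETUP|MM_KEY_EXCH|MM_KEY_AUTH|QM_IDLE)\b")


def classify(lines):
    """Return the ordered, de-duplicated cause keys seen in a debug excerpt."""
    causes, state, key_exch_rx = [], None, 0
    for line in lines:
        m = STATE_RE.search(line)
        if m:                       # track the ISAKMP state the message was logged in
            state = m.group(1)
        cause = None
        if "IKMP_MODE_FAILURE" in line and "Informational" in line:
            cause = "source"
        elif "Notify has no hash" in line:
            cause = "policy"
        elif "reserved not zero on NOTIFY" in line or "IKMP_BAD_MESSAGE" in line:
            # Same text in MM1-2 and MM5-6; only the state tells them apart.
            cause = "psk" if state == "MM_KEY_EXCH" else "policy"
        elif "No pre-shared key with" in line or "No Cert or pre-shared address key" in line:
            cause = "peer_address"
        elif "PROPOSAL_NOT_CHOSEN" in line:
            cause = "phase2"
        elif "retransmitting phase 1" in line:
            cause = "psk" if state == "MM_KEY_EXCH" else "unreachable"
        elif "received packet from" in line and state == "MM_KEY_EXCH":
            key_exch_rx += 1        # stuck in MM_KEY_EXCH: the exchange cannot be verified with this key
            if key_exch_rx >= 3:
                cause = "psk"
        if cause and cause not in causes:
            causes.append(cause)
    return causes


def diagnose(lines):
    """Human-readable diagnoses, in the order the evidence appeared."""
    return [DIAGNOSIS[c] for c in classify(lines)]
```

Feed `diagnose()` the lines of one negotiation attempt (for example the output of `debug crypto isakmp` between two `clear crypto isakmp` commands); mixing several attempts in one call still works, but the order of the results then reflects only the order in which the evidence appeared.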
3. IPsec SA established, but traffic does not pass