Hi everyone,
I am working through the IPsec section of the CCNP ISCW Official Exam Certification Guide from Cisco Press. It includes step-by-step instructions for configuring an IPsec-based VPN. I am using dynamips and the simple lab setup with two 7200 routers to practice. However, after finishing the configuration according to those steps and running a ping to bring up the VPN tunnel, it did not work.
On one router I see this message:
Code:
*Oct 21 23:55:39.027: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode faied with peer at 10.0.0.1
And here is the debug output while the negotiation takes place:
Code:
*Oct 21 23:55:38.059: ISAKMP: received ke message (1/1)
*Oct 21 23:55:38.063: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Oct 21 23:55:38.067: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Oct 21 23:55:38.067: ISAKMP: New peer created peer = 0x658FDD34 peer_handle = x80000005
*Oct 21 23:55:38.071: ISAKMP: Locking peer struct 0x658FDD34, IKE refcount 1 fo isakmp_initiator
*Oct 21 23:55:38.071: ISAKMP: local port 500, remote port 500
*Oct 21 23:55:38.075: ISAKMP: set new node 0 to QM_IDLE
*Oct 21 23:55:38.075: insert sa successfully sa = 6474C438
*Oct 21 23:55:38.079: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying ain mode.
*Oct 21 23:55:38.079: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10. .0.2
*Oct 21 23:55:38.087: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Oct 21 23:55:38.087: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Oct 21 23:55:38.091: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Oct 21 23:55:38.091: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_RE _MM
*Oct 21 23:55:38.095: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE I_MM1
*Oct 21 23:55:38.095: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Oct 21 23:55:38.099: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.2 my_port 50 peer_port 500 (I) MM_NO_STATE
*Oct 21 23:55:38.271: ISAKMP (0:0): received packet from 10.0.0.2 dport 500 spo t 500 Global (I) MM_NO_STATE
*Oct 21 23:55:38.279: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXC
*Oct 21 23:55:38.279: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE I_MM2
*Oct 21 23:55:38.287: ISAKMP:(0:0:N/A:0): process.ing SA payload. message ID =
*Oct 21 23:55:38.291: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 21 23:55:38.295: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 2 5 mismatch
*Oct 21 23:55:38.295: ISAKMP (0:0): vendor ID is NAT-T v7
*Oct 21 23:55:38.299: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10. .0.2
*Oct 21 23:55:38.299: ISAKMP:(0:0:N/A:0): local preshared key found
*Oct 21 23:55:38.303: ISAKMP : Scanning profiles for xauth ...
*Oct 21 23:55:38.303: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pr ority 10 policy
*Oct 21 23:55:38.307: ISAKMP: encryption DES-CBC
*Oct 21 23:55:38.307: ISAKMP: hash MD5
*Oct 21 23:55:38.307: ISAKMP: default group 1
*Oct 21 23:55:38.311: ISAKMP: auth pre-share
*Oct 21 23:55:38.311: ISAKMP: life type in seconds
*Oct 21 23:55:38.311: ISAKMP: life duration (basic) of 3600
*Oct 21 23:55:38.315: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Oct 21 23:55:38.407: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 21 23:55:38.407: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 24 mismatch
*Oct 21 23:55:38.407: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Oct 21 23:55:38.411: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ AIN_MODE
*Oct 21 23:55:38.411: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_ _MM2
*Oct 21 23:55:38.435: ISAKMP:(0:1:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Oct 21 23:55:38.435: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ OMPLETE
*Oct 21 23:55:38.439: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_ _MM3
*Oct 21 23:55:38.555: ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Oct 21 23:55:38.563: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 21 23:55:38.563: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_ _MM4
*Oct 21 23:55:38.575: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 10.0 0.2
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):SKEYID state generated
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ AIN_MODE
*Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_ _MM4
*Oct 21 23:55:38.679: ISAKMP:(0:1:SW:1):Send initial contact
*Oct 21 23:55:38.679: ISAKMP:(0:1:SW:1):SA is doin.g pre-shared key authenticat on using id type ID_IPV4_ADDR
*Oct 21 23:55:38.679: ISAKMP (0:134217729): ID payload next-payload : 8 type : 1 address : 10.0.0.1 protocol : 17 port : 500 length : 12
*Oct 21 23:55:38.679: ISAKMP:(0:1:SW:1):Total payload length: 12
*Oct 21 23:55:38.683: ISAKMP:(0:1:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 21 23:55:38.683: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ OMPLETE
*Oct 21 23:55:38.687: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_ _MM5
*Oct 21 23:55:38.779: ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 21 23:55:38.787: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Oct 21 23:55:38.787: ISAKMP (0:134217729): ID payload next-payload : 8 type : 1 address : 10.0.0.2 protocol : 17 port : 500 length : 12
*Oct 21 23:55:38.791: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Oct 21 23:55:38.795: ISAKMP:(0:1:SW:1): processing HASH payload. message ID =
*Oct 21 23:55:38.799: ISAKMP:(0:1:SW:1):SA authentication status: authenticated
*Oct 21 23:55:38.803: ISAKMP:(0:1:SW:1):SA has been authenticated with 10.0.0.2
*Oct 21 23:55:38.803: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.2/500/, nd inserted successfully 658FDD34.
*Oct 21 23:55:38.807: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 21 23:55:38.811: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_ _MM6
*Oct 21 23:55:38.823: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ AIN_MODE
*Oct 21 23:55:38.827: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_ _MM6
*Oct 21 23:55:38.835: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ OMPLETE
*Oct 21 23:55:38.839: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_ 1_COMPLETE
*Oct 21 23:55:38.847: ISAKMP:(0:1:SW:1).:beginning Quick Mode exchange, M-ID of 2129377162
*Oct 21 23:55:38.863: ISAKMP:(0:1:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 21 23:55:38.867: ISAKMP:(0:1:SW:1):Node 2129377162, Input = IKE_MESG_INTER AL, IKE_INIT_QM
*Oct 21 23:55:38.867: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = I E_QM_I_QM1
*Oct 21 23:55:38.871: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_C MPLETE
*Oct 21 23:55:38.875: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State IKE_P1_COMPLETE
*Oct 21 23:55:38.991: ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE
*Oct 21 23:55:38.995: ISAKMP: set new node -1729125882 to QM_IDLE
*Oct 21 23:55:39.003: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1729125882
*Oct 21 23:55:39.007: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN rotocol 3 spi 3080322591, message ID = -1729125882, sa = 6474C438
*Oct 21 23:55:39.011: ISAKMP:(0:1:SW:1): deleting spi 3080322591 message ID = 2 29377162
*Oct 21 23:55:39.011: ISAKMP:(0:1:SW:1):deleting node 2129377162 error TRUE rea on "Delete Larval"
*Oct 21 23:55:39.015: ISAKMP:(0:1:SW:1):deleting node -1729125882 error FALSE r ason "Informational (in) state 1"
*Oct 21 23:55:39.019: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NO IFY
*Oct 21 23:55:39.019: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State IKE_P1_COMPLETE
Has anyone run into a similar case? If you have, or if you know the cause of the problem, please help me out. Thank you.
Thành.
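
An added example, not part of the original post: a small Python parser for ISAKMP debug lines in the format shown above, which records how far the negotiation got and what the peer rejected. The sample lines are constructed from the post's output with the wrapped characters written out in full; the function names and hint strings are this example's own.

```python
import re

# Constructed sample: lines modeled on the post's debug output, written out
# in full (the post's own capture lost characters where the terminal wrapped).
SAMPLE = """\
*Oct 21 23:55:38.095: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Oct 21 23:55:38.839: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Oct 21 23:55:38.867: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Oct 21 23:55:38.875: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Oct 21 23:55:39.007: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Oct 21 23:55:39.027: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.0.0.1
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
FAILURE = re.compile(r"IKMP_MODE_FAILURE: Processing of (\w+ mode) failed")
# Security protocol identifiers defined by the IPsec DOI (RFC 2407).
PROTOCOLS = {"1": "ISAKMP", "2": "AH", "3": "ESP"}


def summarize(log_text):
    """Collect state changes, NOTIFY messages from the peer, and mode failures."""
    out = {"states": [], "notifies": [], "failures": []}
    for line in log_text.splitlines():
        if m := STATE.search(line):
            if m.group(1) != m.group(2):  # ignore transitions to the same state
                out["states"].append(m.group(2))
        elif m := NOTIFY.search(line):
            proto = PROTOCOLS.get(m.group(2), m.group(2))
            out["notifies"].append((m.group(1), proto))
        elif m := FAILURE.search(line):
            out["failures"].append(m.group(1))
    return out


def diagnose(summary):
    """Return a hint (this example's wording) on which IKE phase to inspect."""
    rejected = [p for name, p in summary["notifies"] if name == "PROPOSAL_NOT_CHOSEN"]
    if "IKE_P1_COMPLETE" not in summary["states"]:
        return "phase 1 incomplete: compare ISAKMP policies and pre-shared keys"
    if rejected:
        return (f"phase 2 {rejected[0]} proposal rejected by peer: "
                "compare transform sets and crypto ACLs on both routers")
    return "no rejection seen in this log"


if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```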