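Step 4: Collect information and contact 4008111000
If the fault still cannot be resolved after working through steps 1-3 above, package and compress the configuration checked in steps 1-3, prepare a remote access method for the NGFW device, and then contact 4008-111000 for assistance.
Information to collect:
1) dia deb en
diagnose vpn ike log-filter dst 1.1.1.1 // filter IKE output; 1.1.1.1 is the peer VPN address; this parameter is optional
dia deb app ike - copy the output into a text file;
IPsec-related commands
Diagnosing the IKE negotiation process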
ike 0:vpn: created connection: 0x9999da0 11 192.168.1.99->192.168.1.200:500.
ike 0:vpn:0: initiator: main mode is sending 1st message...
ike 0:vpn:0: cookie 60062ee10ae80df2/0000000000000000
ike 0:vpn:0: sent IKE msg (ident_i1send): 192.168.1.99:500->192.168.1.200:500, len=276, id=60062ee10ae80df2/0000000000000000
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Identity Protection id=60062ee10ae80df2/619b08256edcc8bb len=140
ike 0: in 60062EE10AE80DF2619B08256EDCC8BB01100200000000000000008C0D000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE0005203B
ike 0:vpn:0: initiator: main mode get 1st response...
ike 0:vpn:0: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:vpn:0: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:vpn:0: DPD negotiated
ike 0:vpn:0: VID FORTIGATE 8299031757A36082C6A621DE0005203B
ike 0:vpn:0: peer is FortiGate/FortiOS (v5 b8251)
ike 0:vpn:0: selected NAT-T version: RFC 3947
ike 0:vpn:0: negotiation result // phase 1 negotiation succeeded
ike 0:vpn:0: proposal id = 1:
ike 0:vpn:0: protocol id = ISAKMP:
ike 0:vpn:0: trans_id = KEY_IKE.
ike 0:vpn:0: encapsulation = IKE/none
ike 0:vpn:0: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:vpn:0: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:vpn:0: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:vpn:0: type=OAKLEY_GROUP, val=1536.
ike 0:vpn:0: ISKAMP SA lifetime=28800
ike 0:vpn:0: sent IKE msg (ident_i2send): 192.168.1.99:500->192.168.1.200:500, len=292, id=60062ee10ae80df2/619b08256edcc8bb
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Identity Protection id=60062ee10ae80df2/619b08256edcc8bb len=292
ike 0:vpn:0: initiator: main mode get 2nd response...
ike 0:vpn:0: NAT not detected
ike 0:vpn:0: ISAKMP SA 60062ee10ae80df2/619b08256edcc8bb key 24:C7C5E1B939B30FED68D72F83B3637A611C7246E0894B041F // IKE SA established
ike 0:vpn:0: add INITIAL-CONTACT
ike 0:vpn:0: enc 60062EE10AE80DF2619B08256EDCC8BB05100201000000000000005C0800000C01000000C0A801630B000018C4B6984D80EE7410493275233C092FEC3D6596550000001C000000010110600260062EE10AE80DF2619B08256EDCC8BB
ike 0:vpn:0: out 60062EE10AE80DF2619B08256EDCC8BB051002010000000000000064D02A57F399BB23984DFDEBED2DC7E8F9988930ED4AAC42F45C7FE9B5D19F5AFDE69B13B2F37656B46F79F9D09D9BE42E62DC7BD3A6E6B19D69A1D361C12C2E2BD7A3B0A42C6387D7
ike 0:vpn:0: sent IKE msg (ident_i3send): 192.168.1.99:500->192.168.1.200:500, len=100, id=60062ee10ae80df2/619b08256edcc8bb
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Identity Protection id=60062ee10ae80df2/619b08256edcc8bb len=68
ike 0: in 60062EE10AE80DF2619B08256EDCC8BB0510020100000000000000445CB227D076149757866C536409A21F2EB154EF108869B70C644C9A5D693E3AAC22FF1A05BFEE7F08
ike 0:vpn:0: initiator: main mode get 3rd response...
ike 0:vpn:0: dec 60062EE10AE80DF2619B08256EDCC8BB0510020100000000000000440800000C01000000C0A801C8000000180DD1A29663FA451B19C44ED59B32ECC51CD5ECD40C299303
ike 0:vpn:0: PSK authentication succeeded // authentication succeeded
ike 0:vpn:0: authentication OK
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Informational id=60062ee10ae80df2/619b08256edcc8bb:9fc91c6c len=76
ike 0: in 60062EE10AE80DF2619B08256EDCC8BB081005019FC91C6C0000004C592B1195FC16B8281BDBAE018D919C3F42B3D2229F3773B8AA895799219FDA1C957821CF4D5C5B0C2E6E824AE61FC70F
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Informational id=3c5330683104c62f/2d57c8725bf319fa:bab12d21 len=84
ike 0: in 3C5330683104C62F2D57C8725BF319FA08100501BAB12D2100000054B3BFA055D3B46E011F00CAD92FDCEB436148B94BA16B5871E04BCEF8E69B4E488F6FC547C2E11B9089F5B6B40EA63375E2B4CFE473664F98
ike 0: no established IKE SA for exchange-type Informational from 192.168.1.200:500->192.168.1.99 11 cookie 3c5330683104c62f/2d57c8725bf319fa, drop
ike 0:vpn:0: established IKE SA 60062ee10ae80df2/619b08256edcc8bb
ike 0:vpn: schedule auto-negotiate
ike 0:vpn:0: no pending Quick-Mode negotiations
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Quick id=60062ee10ae80df2/619b08256edcc8bb:c0295d57 len=388
ike 0: in 60062EE10AE80DF2619B08256EDCC8BB08102001C0295D5700000184686B2D2E8D6541C89B249F05298A20BC19F4960A32A5F2996D8A0322B26C04375E60C8D460F57DD92D0408C4590214CF9F6F66473AFF519B9BCD9B123B8487B02F443224F0CA429CE28AA88EDDD885A580F64947FAB45864B69FD580E558EC68F844753AE9DCA8A2922E8125F4EF26AB3D38E78E4CE40D0D33D830A6DF760FABEDA309A41A1F448095B04122C5C1F0F3FDAA84413D61ADC3C2E35CC21E7E1F09A1ED984D82BD8CA8F0861C7692C15137541C41D4A64865A81EC166AE2A9F8463CE5047F57F596E2393B65222D0C74E929A71E04E6B718BA4D5EDEEDDD7BB4FB1DBD729E43C19C6F5BDEEF2DC176BFFAAEE0E22A21E843FF677CA26B01BA924D45A077B0BA3D4B929255BB3E821A29DCB29CBC93CA2F756FA6369FCE3FC1BAC976E2B69A22F0FEE2E42AA7E869E2BE39866C7BDB15C8D25C45D8FE465914C752A4C761035CBE4CC906D6653B901B8AC831DCC9E01E099F4EF7F77C62710E581BA95D0D08048874B99
ike 0:vpn:0:0: responder received first quick-mode message // phase 2 negotiation begins
ike 0:vpn:0:0: peer proposal is: peer:0:1.0.0.0-1.255.255.255:0, me:0:192.168.0.0-192.168.255.255:0
ike 0:vpn:0:vpn:0: trying
ike 0:vpn:0:vpn:0: matched phase2
ike 0:vpn:0:vpn:0: autokey
ike 0:vpn:0:vpn:0: my proposal: // local proposal
ike 0:vpn:0:vpn:0: proposal id = 1:
ike 0:vpn:0:vpn:0: protocol id = IPSEC_ESP:
ike 0:vpn:0:vpn:0: PFS DH group = 5
ike 0:vpn:0:vpn:0: trans_id = ESP_3DES
ike 0:vpn:0:vpn:0: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn:0:vpn:0: type = AUTH_ALG, val=SHA1
ike 0:vpn:0:vpn:0: trans_id = ESP_AES (key_len = 128)
ike 0:vpn:0:vpn:0: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn:0:vpn:0: type = AUTH_ALG, val=SHA1
ike 0:vpn:0:vpn:0: incoming proposal: // peer proposal
ike 0:vpn:0:vpn:0: proposal id = 1:
ike 0:vpn:0:vpn:0: protocol id = IPSEC_ESP:
ike 0:vpn:0:vpn:0: PFS DH group = 5
ike 0:vpn:0:vpn:0: trans_id = ESP_3DES
ike 0:vpn:0:vpn:0: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn:0:vpn:0: type = AUTH_ALG, val=SHA1
ike 0:vpn:0:vpn:0: trans_id = ESP_AES (key_len = 128)
ike 0:vpn:0:vpn:0: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn:0:vpn:0: type = AUTH_ALG, val=SHA1
ike 0:vpn:0:vpn:0: negotiation result // phase 2 negotiation succeeded
ike 0:vpn:0:vpn:0: proposal id = 1:
ike 0:vpn:0:vpn:0: protocol id = IPSEC_ESP:
ike 0:vpn:0:vpn:0: PFS DH group = 5
ike 0:vpn:0:vpn:0: trans_id = ESP_3DES
ike 0:vpn:0:vpn:0: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn:0:vpn:0: type = AUTH_ALG, val=SHA1
ike 0:vpn:0:vpn:0: set pfs=1536
ike 0:vpn:0:vpn:0: using tunnel mode.
ike 0:vpn:0: out 60062EE10AE80DF2619B08256EDCC8BB08102001C0295D5700000164612D3D8E4EECE61A481DDE03BB149B467A5A6C4F88AA337ADD9A8616A308E413FDF75D581DEBE341F56887F795B7DF7B7E5DCD5DF8680457D9EB7920AE11EA8168D85BE5232D0216F47FCD51A87C917BEEF833F679BBCAC1F51625ABFD5233CE45DDCDD5CC570DF944CC4B3D3AA7D000AF91CF3BFE8D20F1CEF55489DF5C64FC058D77B5093B0049FD53689297F34D3256471FB294434B6D0B616553E4471460479552148A10CFCD9F45BE722E68195FBA4F0F5A444CCBDFE18A0CBF2E502ACE60C44DF19CD293A2E2EEC4FDE0DCA1AA32911D31809FF607648A4D9562F0E67B2E3FF1350AC71A4BCC8412DC71CE0C27317413F578EEE886EE51DB83CA3A1061CCEEFF92F469E60A318D821F6E61F2B993E74A4331E5472B7ED7D00DAD2FDA6D4291E4EE22E103E00506E9C1E4853092B5F9213571B0E9CBB689989706B4C8AB21259A2A39CE1F1A
ike 0:vpn:0: sent IKE msg (quick_r1send): 192.168.1.99:500->192.168.1.200:500, len=356, id=60062ee10ae80df2/619b08256edcc8bb:c0295d57
ike 0: comes 192.168.1.200:500->192.168.1.99:500,ifindex=11....
ike 0: IKEv1 exchange=Quick id=60062ee10ae80df2/619b08256edcc8bb:c0295d57 len=60
ike 0: in 60062EE10AE80DF2619B08256EDCC8BB08102001C0295D570000003C4CC513F74B7A73AAA81F9132B1BEA8DC333E0B16C2C7E2C11FEA5717E0DC56D5
ike 0:vpn:0: dec 60062EE10AE80DF2619B08256EDCC8BB08102001C0295D570000003C0000001871079BAE27E19E73172D5182041DEA33EA0DAE486133DC31D3C83307
ike 0:vpn:0:vpn:0: replay protection enabled
ike 0:vpn:0:vpn:0: SA life soft seconds=1753.
ike 0:vpn:0:vpn:0: SA life hard seconds=1800.
ike 0:vpn:0:vpn:0: IPsec SA selectors #src=1 #dst=1
ike 0:vpn:0:vpn:0: src 0 7 0:192.168.0.0-192.168.255.255:0
ike 0:vpn:0:vpn:0: dst 0 7 0:1.0.0.0-1.255.255.255:0
ike 0:vpn:0:vpn:0: add IPsec SA: SPIs=2620f642/232edc52
ike 0:vpn:0:vpn:0: IPsec SA dec spi 2620f642 key 24:87FAB82674A9D8251B1011A4E1118475FA7C4F9B759A2366 auth 20:78E052392AD3D0F278CA89012159371BB7D0B106 // IPsec SA generated
ike 0:vpn:0:vpn:0: IPsec SA enc spi 232edc52 key 24:DA428083A839045A2516542065F235289CA287C777A1339C auth 20:561215C4837619B8C6FCAE5B60A98C4ACAFFC914
ike 0:vpn:0:vpn:0: added IPsec SA: SPIs=2620f642/232edc52
ike 0:vpn: link is idle 11 192.168.1.99->192.168.1.200:500 dpd=1 seqno=973
ike shrank heap by 36864 bytes
Viewing the VPN tunnel list
RG-WALL # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn ver=1 serial=1 192.168.1.200:0->192.168.1.99:0 lgwy=static tun=intf mode=auto bound_if=3
proxyid_num=1 child_num=0 refcnt=8 ilast=4 olast=4
stat: rxp=141 txp=131 rxb=784 txb=226
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=120142
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=v2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=4
src: 0:1.0.0.0/255.0.0.0:0
dst: 0:192.168.0.0/255.255.0.0:0
SA: ref=7 options=0000000e type=00 soft=0 mtu=1436 expire=1547 replaywin=1024
seqno=80
life: type=01 bytes=0/0 timeout=1777/1800
dec: spi=232edc52 esp=3des key=24 da428083a839045a2516542065f235289ca287c777a1339c // decryption SA
ah=sha1 key=20 561215c4837619b8c6fcae5b60a98c4acaffc914
enc: spi=2620f642 esp=3des key=24 87fab82674a9d8251b1011a4e1118475fa7c4f9b759a2366 // encryption SA
ah=sha1 key=20 78e052392ad3d0f278ca89012159371bb7d0b106
dec:pkts/bytes=129/60, enc:pkts/bytes=131/384
npu_flag=03 npu_rgwy=192.168.1.99 npu_lgwy=192.168.1.200 npu_selid=3
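Both the IKE debug output and the tunnel list print SA keys in hex, so the added example below (not part of the original page or of the vendor's tooling) masks them before the text file is handed to support and then checks that none remain. The sample log is constructed in the two formats shown above with placeholder key values; the function names `redact` and `leaks` are chosen here for illustration.

```python
import re

# "diagnose debug application ike" form: "key 24:<hex>" / "auth 20:<hex>"
DEBUG_KEY = re.compile(r"\b(key|auth) (\d+):[0-9A-Fa-f]+")
# "diagnose vpn tunnel list" form: "key=24 <hex>"; a narrow terminal can wrap
# the tail of the hex string onto the next line
LIST_KEY = re.compile(r"\bkey=(\d+) ([0-9A-Fa-f]+)")
HEX_ONLY = re.compile(r"^\s*[0-9A-Fa-f]+\s*$")
LEAK = re.compile(r"\b(key|auth)[ =]\d+[: ][0-9A-Fa-f]{8,}")

# Constructed sample in the two output formats; key values are placeholders.
SAMPLE = """\
ike 0:vpn:0: ISAKMP SA 60062ee10ae80df2/619b08256edcc8bb key 24:00112233445566778899AABBCCDDEEFF0011223344556677
ike 0:vpn:0:vpn:0: IPsec SA dec spi 2620f642 key 24:AABBCCDDEEFF00112233445566778899AABBCCDDEEFF0011 auth 20:0102030405060708090A0B0C0D0E0F1011121314
dec: spi=232edc52 esp=3des key=24 aabbccddeeff00112233445566778899aabbccddeeff
0011
ah=sha1 key=20 0102030405060708090a0b0c0d0e0f1011121314
dec:pkts/bytes=129/60, enc:pkts/bytes=131/384
"""

def redact(text):
    """Mask SA key material; return (redacted_text, number_of_keys_masked)."""
    out, count, wrapped = [], 0, False
    for line in text.splitlines():
        if wrapped and HEX_ONLY.match(line):
            wrapped = False          # wrapped tail of the previous key: drop it
            continue
        wrapped = False
        line, n = DEBUG_KEY.subn(r"\1 \2:<redacted>", line)
        count += n
        m = LIST_KEY.search(line)
        if m:
            # key=N announces N bytes; fewer than 2N hex digits means a wrap
            wrapped = len(m.group(2)) < 2 * int(m.group(1))
            line = line[:m.start(2)] + "<redacted>" + line[m.end(2):]
            count += 1
        out.append(line)
    return "\n".join(out) + "\n", count

def leaks(text):
    """Lines that still carry key material (should be empty before sharing)."""
    return [l for l in text.splitlines() if LEAK.search(l)]

if __name__ == "__main__":
    clean, n = redact(SAMPLE)
    assert not leaks(clean)
    print(f"masked {n} keys\n{clean}", end="")
```

Cookies, SPIs and packet counters are left intact, so the negotiation can still be followed in the redacted file.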