Lab report: IPsec in main mode (NAT traversal) on the H3C V7 platform
This post was last edited by Jason on 2020-1-29 22:43

Customer requirement (a carrier's cloud company): when our VSR router establishes IPsec with a Huawei device, the IKE SA negotiates successfully but the IPsec SA is empty.

Routers MSR-01, MSR-02 and MSR-03 are our MSR36-20 devices. MSR-03 sits on the internal network; IPsec uses aggressive mode with NAT traversal enabled, and the 4G router at the egress in front of it acts as the NAT device.

Network diagram: (figure not reproduced)

MSR-01 configuration:

#
 sysname MSR-01
#
interface LoopBack0
 ip address 172.16.2.1 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 100.1.1.1 255.255.255.0
 ipsec apply policy policy1
#
 ip route-static 172.16.1.1 32 100.1.1.2
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template 1 1
 transform-set 1
 ike-profile 1
#
ipsec policy policy1 1 isakmp template 1
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 match remote identity fqdn b
#
ike keychain 1
 pre-shared-key hostname b key cipher $c$3$SHBNrYcnJFyZd4LgSfNRFMNmRx07P8S5Wr4=
#

MSR-02 configuration:

#
 sysname MSR-02
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 100.1.1.2 255.255.255.0
 nat outbound 2000
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
#
 ip route-static 172.16.1.1 32 10.1.1.2
#
acl basic 2000
 description nat_acl
 rule 0 permit source 10.1.1.2 0
#

MSR-03 configuration:

 sysname MSR-03
#
interface LoopBack0
 ip address 172.16.1.1 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 10.1.1.2 255.255.255.0
 ipsec apply policy policy1
#
 ip route-static 0.0.0.0 0 10.1.1.1
#
acl advanced 3000
 rule 0 permit ip source 172.16.1.1 0 destination 172.16.2.1 0
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy policy1 1 isakmp
 transform-set 1
 security acl 3000
 remote-address 100.1.1.1
 ike-profile 1
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 local-identity fqdn b
 match remote identity address 100.1.1.1 255.255.255.255
#
ike keychain 1
 pre-shared-key address 100.1.1.1 255.255.255.255 key cipher $c$3$Sp6XajvQwQaKEQLnj8ax38M0YCZHRpj8Zjs=
#

Test result:

ping -a 172.16.1.1 172.16.2.1
Ping 172.16.2.1 (172.16.2.1) from 172.16.1.1: 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.120 ms
56 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.158 ms
56 bytes from 172.16.2.1: icmp_seq=3 ttl=255 time=1.627 ms
56 bytes from 172.16.2.1: icmp_seq=4 ttl=255 time=1.193 ms

--- Ping statistics for 172.16.2.1 ---
5 packets transmitted, 4 packets received, 20.0% packet loss
round-trip min/avg/max/std-dev = 1.120/1.274/1.627/0.205 ms

dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1435
    Tunnel:
        local  address: 10.1.1.2
        remote address: 100.1.1.1
    Flow:
        sour addr: 172.16.1.1/255.255.255.255  port: 0  protocol: ip
        dest addr: 172.16.2.1/255.255.255.255  port: 0  protocol: ip

      SPI: 1295737344 (0x4d3b6200)
      Connection ID: 4294967296
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3587
      Max received sequence-number: 4
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

      SPI: 3828054490 (0xe42b79da)
      Connection ID: 4294967297
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3587
      Max sent sequence-number: 4
      UDP encapsulation used for NAT traversal: Y
      Status: Active

MSR-02 session:
Packet capture of the IPsec negotiation on the MSR-02 downlink port:
MSR-03 debug of the IPsec negotiation:

<MSR-03>
<MSR-03>dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
<MSR-03>
<MSR-03>terminal monitor
The current terminal is enabled to display logs.
<MSR-03>
<MSR-03>terminal debugging
The current terminal is enabled to display debugging logs.
<MSR-03>
<MSR-03>debugging ike packet
<MSR-03>
<MSR-03>debugging ipsec packet
<MSR-03>
<MSR-03>ping -c 2 -a 172.16.1.1 172.16.2.1
Ping 172.16.2.1 (172.16.2.1) from 172.16.1.1: 56 data bytes, press CTRL_C to break
*Oct 13 14:27:42:021 2015 MSR-03 IPSEC/7/PACKET: Enter IPsec output process, Flag : 0x0, Data length : 84
*Oct 13 14:27:42:021 2015 MSR-03 IPSEC/7/PACKET: Failed to find SA by SP.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Encryption algorithm is DES-CBC.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Hash algorithm is HMAC-SHA1.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: DH group 1.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Authentication method is Pre-shared key.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Lifetime type is in seconds.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Life duration is 86400.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Construct transfrom payload for transform 1.
*Oct 13 14:27:42:021 2015 MSR-03 IKE/7/PACKET: Construct SA payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct KE payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct NONCE payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Local ID type: FQDN (2).
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Local ID value: b.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct ID payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct DPD vendor ID payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct NAT-T rfc3947 vendor ID payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct NAT-T draft3 vendor ID payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct NAT-T draft2 vendor ID payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Construct NAT-T draft1 vendor ID payload.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Sending packet to 100.1.1.1 remote port 500, local port 500.
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET:
  I-Cookie: d938d3f5c7e5ffd7
  R-Cookie: 0000000000000000
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Aggressive
  flags:
  message ID: 0
  length: 316
*Oct 13 14:27:42:027 2015 MSR-03 IKE/7/PACKET: Sending an IPv4 packet.
*Oct 13 14:27:42:027 2015 MSR-03 IPSEC/7/PACKET: Enter IPsec output process, Flag : 0x0, Data length : 344
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received packet from 100.1.1.1 source port 500 destination port 500.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET:
  I-Cookie: d938d3f5c7e5ffd7
  R-Cookie: 81b6ae6b93f514f1
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Aggressive
  flags:
  message ID: 0
  length: 328
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Security Association Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Key Exchange Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Nonce Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Identification Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Vendor ID Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Vendor ID Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP NAT-D Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP NAT-D Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Hash Payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Process NONCE payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Process KE payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Process ID payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Peer ID type: IPV4_ADDR (1).
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Peer ID value: address 100.1.1.1.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Process SA payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Check ISAKMP transform 1.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Encryption algorithm is DES-CBC.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: HASH algorithm is HMAC-SHA1.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: DH group is 1.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Authentication method is Pre-shared key.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Lifetime type is 1.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Life duration is 86400.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Attributes is acceptable.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Process vendor ID payload.
*Oct 13 14:27:42:041 2015 MSR-03 IKE/7/PACKET: Received 2 NAT-D payload.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: Verify HASH payload.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: HASH: 06e088a9 5bc5518c 4afce231 39329eea ac2e933b
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: Construct NAT-D payload.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: HASH: 8facfb10 633a1269 e0bedf68 a0e9275d 6156746d
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: Construct authentication by pre-shared-key.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: Construct INITIAL-CONTACT payload.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: Encrypt the packet.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET: Sending packet to 100.1.1.1 remote port 4500, local port 4500.
*Oct 13 14:27:42:047 2015 MSR-03 IKE/7/PACKET:
  I-Cookie: d938d3f5c7e5ffd7
  R-Cookie: 81b6ae6b93f514f1
  next payload: NAT-D
  version: ISAKMP Version 1.0
  exchange mode: Aggressive
  flags: ENCRYPT
  message ID: 0
  length: 132
*Oct 13 14:27:42:048 2015 MSR-03 IKE/7/PACKET: Sending an IPv4 packet.
*Oct 13 14:27:42:048 2015 MSR-03 IPSEC/7/PACKET: Enter IPsec output process, Flag : 0x0, Data length : 164
*Oct 13 14:27:42:048 2015 MSR-03 IKE/7/PACKET: Sending packet to 100.1.1.1 remote port 4500, local port 4500.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Sending an IPv4 packet.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Set attributes according to phase 2 transform.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Encapsulation mode is Tunnel-UDP.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: in seconds
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Life duration is 3600.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: in kilobytes
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Life duration is 1843200.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Authentication algorithm is HMAC-MD5.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Transform ID is 3DES-CBC.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct transform 1.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct IPsec proposal 1.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct IPsec SA payload.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct NONCE payload.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct IPsec ID payload.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct IPsec ID payload.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Construct HASH(1) payload.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Encrypt the packet.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Sending packet to 100.1.1.1 remote port 4500, local port 4500.
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET:
  I-Cookie: d938d3f5c7e5ffd7
  R-Cookie: 81b6ae6b93f514f1
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 881b2b3c
  length: 156
*Oct 13 14:27:42:049 2015 MSR-03 IKE/7/PACKET: Sending an IPv4 packet.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Received packet from 100.1.1.1 source port 4500 destination port 4500.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET:
  I-Cookie: d938d3f5c7e5ffd7
  R-Cookie: 81b6ae6b93f514f1
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 881b2b3c
  length: 156
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Decrypt the packet.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Hash Payload.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Security Association Payload.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Nonce Payload.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Identification Payload (IPsec DOI).
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Received ISAKMP Identification Payload (IPsec DOI).
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Process HASH payload.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Process IPsec SA payload.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Check IPsec proposal 1.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Parse transform 1.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Encapsulation mode is Tunnel-UDP.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Lifetime type is in seconds.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Life duration is 3600.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Lifetime type is in kilobytes.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Life duration is 1843200.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Authentication algorithm is HMAC-MD5.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Transform ID is 3DES-CBC.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: The proposal is acceptable.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Process IPsec ID payload.
*Oct 13 14:27:42:052 2015 MSR-03 IKE/7/PACKET: Process IPsec ID payload.
*Oct 13 14:27:42:054 2015 MSR-03 IKE/7/PACKET: Construct HASH(3) payload.
*Oct 13 14:27:42:054 2015 MSR-03 IKE/7/PACKET: Encrypt the packet.
*Oct 13 14:27:42:054 2015 MSR-03 IKE/7/PACKET: Sending packet to 100.1.1.1 remote port 4500, local port 4500.
*Oct 13 14:27:42:054 2015 MSR-03 IKE/7/PACKET:
  I-Cookie: d938d3f5c7e5ffd7
  R-Cookie: 81b6ae6b93f514f1
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 881b2b3c
  length: 52
*Oct 13 14:27:42:054 2015 MSR-03 IKE/7/PACKET: Sending an IPv4 packet.
Request time out
56 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.000 ms
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Enter IPsec output process, Flag : 0x0, Data length : 84
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: --- Sent IPsec packet ---
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: Src : 172.16.1.1 Dst : 172.16.2.1 SPI : 2569863071
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Added IP fast forwarding entry.
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: 3DES-CBC.
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Packet will be sent to CCF for sync-encryption.
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 1.
*Oct 13 14:27:44:231 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: Sent packet back to IP forwarding.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: --- Received IPsec(ESP) packet, Data length : 144 ---
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: After IPsec UDP Process: Pkt len is 136
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: Src : 100.1.1.1 Dst : 10.1.1.2 SPI : 2291827012
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Added IP fast forwarding entry.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: 3DES-CBC.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Packet will be sent to CCF for sync-decryption.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec ESP processing: Authentication succeeded.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec ESP processing: Decryption succeeded.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: IPsec processing: Tunnel mode.
*Oct 13 14:27:44:232 2015 MSR-03 IPSEC/7/PACKET: Inbound ESP IPsec processing: Sent packet back to IP forwarding. Pkt len is 84.

--- Ping statistics for 172.16.2.1 ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
<MSR-03>%Oct 13 14:27:44:434 2015 MSR-03 PING/6/PING_STATISTICS: Ping statistics for 172.16.2.1: 2 packets transmitted, 1 packets received, 50.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.

<MSR-03>
<MSR-03>
<MSR-03>
<MSR-03>ping -c 2 -a 172.16.1.1 172.16.2.1
Ping 172.16.2.1 (172.16.2.1) from 172.16.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 172.16.2.1: icmp_seq=0 ttl=255 time=2.000 ms
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Enter IPsec output process, Flag : 0x0, Data length : 84
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: --- Sent IPsec packet ---
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: Src : 172.16.1.1 Dst : 172.16.2.1 SPI : 2569863071
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Added IP fast forwarding entry.
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: 3DES-CBC.
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Packet will be sent to CCF for sync-encryption.
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 2.
*Oct 13 14:27:52:166 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: Sent packet back to IP forwarding.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: --- Received IPsec packet from fast forwarding, Protocl : 17---
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Received a NAT traverse IPsec packet.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: Src : 100.1.1.1 Dst : 10.1.1.2 SPI : 2291827012
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: 3DES-CBC.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Packet will be sent to CCF for sync-decryption.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Inbound fast IPsec ESP processing: Authentication succeeded.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec ESP processing: Decryption succeeded.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: IPsec processing: Tunnel mode.
*Oct 13 14:27:52:168 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: Sent packet back to IP forwarding.
56 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.000 ms

--- Ping statistics for 172.16.2.1 ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.500/2.000/0.500 ms
<MSR-03>*Oct 13 14:27:52:370 2015 MSR-03 IPSEC/7/PACKET: --- Sent packet by IPsec fast forwarding ---
*Oct 13 14:27:52:370 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: Src : 172.16.1.1 Dst : 172.16.2.1 SPI : 2569863071
*Oct 13 14:27:52:370 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: 3DES-CBC.
*Oct 13 14:27:52:370 2015 MSR-03 IPSEC/7/PACKET: Packet will be sent to CCF for sync-encryption.
*Oct 13 14:27:52:370 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 3.
*Oct 13 14:27:52:370 2015 MSR-03 IPSEC/7/PACKET: Outbound IPsec processing: Sent packet back to IP forwarding.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: --- Received IPsec packet from fast forwarding, Protocl : 17---
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Received a NAT traverse IPsec packet.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: Src : 100.1.1.1 Dst : 10.1.1.2 SPI : 2291827012
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: 3DES-CBC.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Packet will be sent to CCF for sync-decryption.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Inbound fast IPsec ESP processing: Authentication succeeded.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec ESP processing: Decryption succeeded.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: IPsec processing: Tunnel mode.
*Oct 13 14:27:52:371 2015 MSR-03 IPSEC/7/PACKET: Inbound IPsec processing: Sent packet back to IP forwarding.
%Oct 13 14:27:52:371 2015 MSR-03 PING/6/PING_STATISTICS: Ping statistics for 172.16.2.1: 2 packets transmitted, 2 packets received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.500/2.000/0.500 ms.

<MSR-03>

Notes:
1. On the V7 platform, IPsec NAT traversal is enabled by default and needs no manual configuration.
2. On the V7 platform, main mode can also use NAT traversal.

(End)
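Added example, not part of the original post: the NAT-D comparison from RFC 3947 section 3.2 that explains why MSR-03 sends message 1 on UDP 500 and everything after the two received NAT-D payloads on UDP 4500. The cookies and addresses are the ones in the debug output; the translated source port 1024 is a constructed value, since the MSR-02 session table is not reproduced on the page, and the function names are illustrative.

```python
"""NAT-D evaluation per RFC 3947 section 3.2 for the lab topology in this post."""
import hashlib
import ipaddress
import struct

# Values taken from the post's IKE debug output.
CKY_I = bytes.fromhex("d938d3f5c7e5ffd7")   # I-Cookie
CKY_R = bytes.fromhex("81b6ae6b93f514f1")   # R-Cookie
INITIATOR = ("10.1.1.2", 500)               # MSR-03, private address
RESPONDER = ("100.1.1.1", 500)              # MSR-01, public address
# Constructed value: MSR-02 rewrites the source to its own 100.1.1.2;
# the post does not show the translated port, so 1024 is assumed.
TRANSLATED = ("100.1.1.2", 1024)


def nat_d(ip, port, hash_name="sha1"):
    """HASH(CKY-I | CKY-R | IP | Port) with the negotiated IKE hash (SHA-1 here)."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def responder_nat_d(src_seen, local):
    """NAT-D payloads the responder puts in message 2: first the remote end
    as it appeared on the wire, then the responder's own address."""
    return [nat_d(*src_seen), nat_d(*local)]


def initiator_check(payloads, local, peer_seen):
    """Return (local_behind_nat, peer_behind_nat) as the initiator decides it."""
    about_me, *about_peer = payloads
    local_behind_nat = about_me != nat_d(*local)
    peer_behind_nat = nat_d(*peer_seen) not in about_peer
    return local_behind_nat, peer_behind_nat


def ike_port(local_behind_nat, peer_behind_nat):
    """Port used from the next message on: float to 4500 once any NAT is found."""
    return 4500 if (local_behind_nat or peer_behind_nat) else 500


def lab_result():
    """The post's topology: MSR-02 rewrites MSR-03's source address."""
    found = initiator_check(responder_nat_d(TRANSLATED, RESPONDER), INITIATOR, RESPONDER)
    return found, ike_port(*found)


def no_nat_result():
    """Same peers with no NAT device on the path, for comparison."""
    found = initiator_check(responder_nat_d(INITIATOR, RESPONDER), INITIATOR, RESPONDER)
    return found, ike_port(*found)


if __name__ == "__main__":
    print("with MSR-02 NAT:", lab_result())
    print("without NAT:   ", no_nat_result())
```

Only the initiator side is flagged as translated, which matches the debug: the third aggressive-mode message and all quick-mode messages use port 4500, and the negotiated encapsulation mode is Tunnel-UDP.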