Setting up an L2L VPN between two companies

SiteA  outside IP  57.208.48.26    LAN 10.1.1.0/24
SiteB  outside IP  51.210.178.186    LAN 192.168.0.0/24

The tunnel cannot be established. Please help me see what the problem is.


SiteA
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Type help or '?' for a list of available commands.
ASA5510>
ASA5510> en
Password: **********
ASA5510# show run
: Saved
:
ASA Version 8.2(2)
!
hostname ASA5510
domain-name test.com
enable password mgXqoEJSeX2UwbDs encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.13 SEC_China_Fileserver description SEC China Fileserver
name 10.1.1.17 SEC_China_SQL_SLUTIL description SEC China SQL SLUTIL
name 10.1.1.230 Jacky description jacky's notebook
name 10.1.1.226 vivian description vivian's IP
name 10.1.1.227 betty description betty's IP
name 10.1.1.228 allen description allen's IP
name 10.1.1.225 Ivring description ivring's IP
name 10.1.1.7 SEC_China_SL6server description SEC China SL6server
name 10.1.1.212 mytest_pc
name 10.1.1.98 zhuzd_IP
name 10.1.1.171 zhouzd_IP
name 10.1.2.230 jackytest
name 10.1.2.2 eng-131 description ENG Repare Station PLT-A
name 10.1.1.243 jackyxu
name 10.1.1.76 zhanghj_pc
name 10.210.1.42 SEC_MP_Fileserver_2 description SEC MP Fileserver
name 10.210.1.46 SEC_MP_TS_2 description SEC MP Terminal Services
name 10.210.1.16 SEC_MP_CTRX_2 description SEC_MP_CTRX
name 10.210.103.0 CORP_VPN_VLAN_2
name 10.210.2.0 HOOP_VLAN_2
name 10.210.6.0 MEX_VLAN_2
name 10.210.3.0 MP_DHCP_VLAN_2
name 10.210.4.0 SWDT_VLAN_
name 10.210.1.26 SEC_Eng_Fileserver description SEC ENG Fileserver
name 10.210.1.54 SEC_SVN_server description SEC ENG SVN
name 10.210.1.29 SEC_Licensing_server description SEC Licensing Server
name 10.210.1.90 CvmWebTest
name 10.210.1.30 CvmWeb
name 10.210.1.28 newCvmWeb

dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.3 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 57.208.48.26 255.255.255.248
!
interface Ethernet0/2
nameif DMZ
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif guanli
security-level 100
ip address 192.168.50.1 255.255.255.0
management-only
!
regex URL1 "\.taobao\.com"
regex URL2 "\.jd\.com"
regex URL3 "\.youku\.com"
regex URL4 "\.tudou\.com"
regex URL5 "\.letv\.com"
regex URL6 "\.tianya\.cn"
regex URL7 "\.vip\.com"
regex URL8 "\.58\.com"
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
same-security-traffic permit inter-interface
object-group network SEC_China_Allowed
description SEC MP servers that SEC China is allowed to access
network-object host SEC_MP_Fileserver_2
network-object host SEC_MP_TS_2
network-object host SEC_MP_CTRX_2
network-object CORP_VPN_VLAN_2 255.255.255.0
network-object HOOP_VLAN_2 255.255.255.0
network-object MP_DHCP_VLAN_2 255.255.255.0
network-object SWDT_VLAN_ 255.255.255.0
network-object host SEC_Eng_Fileserver
network-object host SEC_SVN_server
network-object host SEC_Licensing_server
network-object host CvmWebTest
network-object host CvmWeb
network-object host newCvmWeb
network-object MEX_VLAN_2 255.255.254.0
object-group network SEC_MP_Accessible
description Servers that can be accessed by SEC MP
network-object host SEC_China_Fileserver
network-object host SEC_China_SQL_SLUTIL
network-object host Jacky
network-object host vivian
network-object host betty
network-object host allen
network-object host Ivring
network-object host SEC_China_SL6server
network-object host mytest_pc
network-object host zhuzd_IP
network-object host zhouzd_IP
object-group network deny_vpn_access_internet
network-object host jackyxu
network-object host zhanghj_pc
object-group network Url
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
object-group network taobaoip
network-object host 140.205.153.54
network-object host 140.205.32.93
network-object host 101.227.160.102
network-object host 104.16.25.190
network-object host 140.205.170.63
network-object host 58.216.17.240
network-object host 58.216.17.140
network-object host 140.205.96.1
network-object host 58.216.17.250
network-object host 140.205.243.65
network-object host 42.156.180.26
network-object host 222.186.49.250
network-object host 222.186.49.240
network-object host 61.155.221.253
network-object host 140.205.115.99
network-object host 122.225.34.250
network-object host 140.205.248.253
network-object host 58.215.145.28
network-object host 58.220.1.110
network-object host 61.155.221.240
network-object host 58.220.27.121
network-object host 140.205.16.112
network-object host 140.205.243.66
network-object host 106.11.14.99
network-object host 110.75.96.109
network-object host 211.150.65.35
network-object host 101.226.76.164
network-object host 222.186.49.177
network-object host 180.97.168.252
network-object host 140.205.174.90
network-object host 140.205.153.72
network-object host 140.205.164.47
network-object host 216.58.221.36
network-object host 222.186.49.225
network-object host 180.97.168.254
network-object host 106.11.15.99
network-object host 140.205.250.55
network-object host 140.205.16.113
network-object host 140.205.170.87
network-object host 180.96.11.177
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpnsplit standard permit 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group SEC_MP_Accessible object-group SEC_China_Allowed
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq smtp
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq pop3
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq domain
access-list 102 extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 102 extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 extended deny tcp object-group deny_vpn_access_internet any
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq pop3
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq smtp
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq domain
access-list 102 extended deny tcp 10.1.2.32 255.255.255.224 any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq smtp
access-list 102 extended permit tcp any any eq pop3
access-list 102 extended permit tcp any any eq domain
access-list 104 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 104 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 104 extended permit tcp any any eq pop3
access-list 104 extended permit tcp any any eq smtp
access-list 104 extended permit tcp any any eq domain
access-list 104 extended deny tcp object-group deny_vpn_access_internet any
access-list 104 extended deny tcp 10.1.2.0 255.255.255.128 any
access-list 104 extended deny ip 10.1.1.0 255.255.255.0 object-group taobaoip
access-list 104 extended permit ip any any
access-list rate_limit_1 extended permit ip any host 10.1.1.203
access-list rate_limit_1 extended permit ip host 10.1.1.203 any
access-list Url_filter extended permit tcp object-group Url any eq www
access-list s2sdst extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor alerts
logging trap warnings
logging history informational
logging asdm informational
logging host inside 10.1.1.20
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu guanli 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.5.0 255.255.255.0
nat (inside) 1 10.1.6.0 255.255.255.0
nat (DMZ) 0 access-list no-nat
nat (DMZ) 1 10.1.2.0 255.255.255.0
static (inside,outside) tcp 57.208.48.30 ftp SEC_China_Fileserver ftp netmask 255.255.255.255
access-group 104 in interface inside
access-group 101 in interface outside
access-group 104 in interface DMZ
route outside 0.0.0.0 0.0.0.0 57.208.48.25 1
route inside 10.1.5.0 255.255.255.0 10.1.1.5 1
route inside 10.1.6.0 255.255.255.0 10.1.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 guanli
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address s2sdst
crypto map vpnmap 100 set peer 51.210.178.186
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2      
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.2.0 255.255.255.0 DMZ
telnet 192.168.1.0 255.255.255.0 guanli
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy secchina internal
group-policy secchina attributes
dns-server value 10.1.1.11 10.1.1.12
vpn-idle-timeout 3600000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
username fraczekl password vVdYy3P7JcFB.4iZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username chinavpn password pKE03T4wKEjMO8L9 encrypted
username jacky password CFUG8xBf9yN39Z/W encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group secchina type remote-access
tunnel-group secchina general-attributes
address-pool vpn-pool
default-group-policy secchina
tunnel-group secchina ipsec-attributes
pre-shared-key *****
tunnel-group 51.210.178.186 type ipsec-l2l
tunnel-group 51.210.178.186 ipsec-attributes
pre-shared-key *****
!
class-map rate
class-map rate_limit_1
match access-list rate_limit_1
class-map Url_filter_class
match access-list Url_filter
class-map inspection_default
match default-inspection-traffic
class-map type regex match-any Url_class
match regex URL1
match regex URL2
match regex URL3
match regex URL5
match regex URL6
match regex URL4
match regex URL7
match regex URL8
class-map type inspect http match-all Http_url_class
match request header host regex class Url_class
!
!
policy-map type inspect http Http_url_policy
parameters   
class Http_url_class
  drop-connection log
policy-map Inside_http_url_policy
class Url_filter_class
  inspect http Http_url_policy
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map rate_limit
class rate_limit_1
  police input 409500 614000
  police output 409500 614000
!
service-policy global_policy global
service-policy Inside_http_url_policy interface inside
service-policy Inside_http_url_policy interface DMZ
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0fda0f4f4147b9c5af1b47fe66172c12
: end
ASA5510#                     


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

SiteB

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ASA Version 8.2(2)
!
hostname dst
domain-name dst.com
enable password mgXqoEJSeX2UwbDs encrypted
passwd Opm7nsaBn/dtpNva encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 51.210.178.186 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!            
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dst.com
access-list icmp extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnsplit standard permit 192.168.0.0 255.255.255.0
access-list l2lsecwj extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 51.210.178.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address l2lsecwj
crypto map vpnmap 100 set peer 57.208.48.26
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5

console timeout 0

dhcpd dns 192.168.0.2 221.6.4.66
!
dhcpd address 192.168.0.100-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy secdst internal
group-policy secdst attributes
vpn-idle-timeout 3600000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
username dstvpn password qOJicFdBm4JeSm01 encrypted
username clarkep password RKBIAk9trwpvrKNw encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group secdst type remote-access
tunnel-group secdst general-attributes
address-pool vpn-pool
default-group-policy secdst
tunnel-group secdst ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group 57.208.48.26 type ipsec-l2l
tunnel-group 57.208.48.26 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:611617c79584d8acad7dff24a7d390cd
: end
dst#   


Debug


dst# debug crypto isakm
May 16 21:47:29 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, QM FSM error (P2 struct &0xacf8bf40, mess id 0x5b2399f2)!
May 16 21:47:29 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Removing peer from correlator table failed, no match!
May 16 21:47:29 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Session is being torn down. Reason: Phase 2 Mismatch



Hi, buddy:

You should deeply inspect your problem, by:

debug crypto isakmp 7
debug crypto ipsec 7

best regards



Quote:
Originally posted by wanglin35232988 on 2017-5-18 08:37
Hi, buddy:

You should deeply inspect your problem, by:

debug crypto isakmp 7
debug crypto ipsec 7

best regards
Hello, this is the log from debug crypto isakmp 7

May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, Connection landed on tunnel_group 57.208.48.26
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, Generating keys for Responder...
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 272
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing ID payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing hash payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, Computing hash for ISAKMP
May 17 15:38:33 [IKEv1 DEBUG]: IP = 57.208.48.26, Processing IOS keep alive payload: proposal=32767/32767 sec.
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing VID payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, Received DPD VID
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, Connection landed on tunnel_group 57.208.48.26
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing ID payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing hash payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, Computing hash for ISAKMP
May 17 15:38:33 [IKEv1 DEBUG]: IP = 57.208.48.26, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing dpd vid payload
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, PHASE 1 COMPLETED
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, Keep-alive type for this connection: DPD
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, Starting P1 rekey timer: 82080 seconds.
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, IKE_DECODE RECEIVED Message (msgid=b7573685) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 300
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing hash payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing SA payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing nonce payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing ke payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing ISA_KE for PFS in phase 2
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing ID payload
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Received remote IP Proxy Subnet data in ID Payload:   Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing ID payload
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing notify payload
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, QM IsRekeyed old sa not found by addr
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, IKE Remote Peer configured for crypto map: dymap
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, processing IPSec SA payload
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, All IPSec SA proposals found unacceptable!
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, sending notify message
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing blank hash payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing ipsec notify payload for msg id b7573685
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing qm hash payload
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, IKE_DECODE SENDING Message (msgid=48223273) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, QM FSM error (P2 struct &0xad074fc8, mess id 0xb7573685)!
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, IKE QM Responder FSM error history (struct &0xad074fc8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, sending delete/delete with reason message
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Removing peer from correlator table failed, no match!
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Deleting static route for L2L peer that came in on a dynamic map. address: 10.1.1.0, mask: 255.255.255.0
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, IKE SA MM:b8360e77 rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, IKE SA MM:b8360e77 terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, sending delete/delete with reason message
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing blank hash payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing IKE delete payload
May 17 15:38:33 [IKEv1 DEBUG]: Group = 57.208.48.26, IP = 57.208.48.26, constructing qm hash payload
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, IKE_DECODE SENDING Message (msgid=392a425e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
May 17 15:38:33 [IKEv1]: Group = 57.208.48.26, IP = 57.208.48.26, Session is being torn down. Reason: Phase 2 Mismatch
May 17 15:38:33 [IKEv1]: Ignoring msg to mark SA with dsID 8531968 dead because SA deleted
May 17 15:38:33 [IKEv1]: IP = 57.208.48.26, Received encrypted packet with no matching SA, dropping
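
The responder debug above reports "IKE Remote Peer configured for crypto map: dymap" immediately before "All IPSec SA proposals found unacceptable!". The following added example (not code from the thread or from Cisco) models that selection on the crypto lines of the two posted configs, assuming entries are tried in ascending sequence number and that a dynamic entry with no match address accepts any peer. The helper names select_entry and move_dynamic_last are hypothetical, and 65535 is used only as the highest crypto map sequence number for the what-if case.

```python
import re

# Crypto lines copied from the two "show run" outputs posted in the thread.
SITE_A = """\
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map dymap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address s2sdst
crypto map vpnmap 100 set peer 51.210.178.186
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
"""
SITE_B = """\
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map dymap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address l2lsecwj
crypto map vpnmap 100 set peer 57.208.48.26
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
"""
A_IP, B_IP = "57.208.48.26", "51.210.178.186"


def parse_crypto(text):
    """Parse ASA 8.2-style crypto lines into (transform sets, dynamic maps, map entries)."""
    tsets, dyn, entries = {}, {}, {}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            tsets[w[3]] = frozenset(w[4:])            # name -> {esp-des, esp-sha-hmac}
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            dyn.setdefault(w[2], []).extend(w[6:])    # dynamic map -> transform-set names
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[3].isdigit():
            e = entries.setdefault(int(w[3]), {"dynamic": None, "peer": None, "tsets": []})
            if w[4:6] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                e["peer"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                e["tsets"] = w[6:]
    return tsets, dyn, entries


def select_entry(responder_cfg, initiator_cfg, initiator_ip, responder_ip):
    """Which responder entry handles the initiator, and can Phase 2 agree on a transform?"""
    r_tsets, r_dyn, r_entries = parse_crypto(responder_cfg)
    i_tsets, _, i_entries = parse_crypto(initiator_cfg)
    # Transform sets the initiator proposes: those on its static entry for this peer.
    offered = [n for e in i_entries.values() if e["peer"] == responder_ip for n in e["tsets"]]
    for seq in sorted(r_entries):                     # lowest sequence number is tried first
        e = r_entries[seq]
        if e["dynamic"]:                              # assumption: no match address, any peer fits
            accepts = r_dyn.get(e["dynamic"], [])
        elif e["peer"] == initiator_ip:
            accepts = e["tsets"]
        else:
            continue
        common = {i_tsets.get(n) for n in offered} & {r_tsets.get(n) for n in accepts}
        return {"seq": seq, "entry": e["dynamic"] or "static", "offered": offered,
                "accepts": accepts, "compatible": bool(common - {None})}
    return None


def move_dynamic_last(cfg, seq=65535):
    """What-if: renumber the dynamic crypto map entry so static peers are matched first."""
    return re.sub(r"^(crypto map \S+) \d+ (ipsec-isakmp dynamic \S+)$",
                  rf"\1 {seq} \2", cfg, flags=re.M)


if __name__ == "__main__":
    cases = (("as posted", SITE_B), ("dynamic entry moved last", move_dynamic_last(SITE_B)))
    for label, cfg_b in cases:
        print(label, "->", select_entry(cfg_b, SITE_A, A_IP, B_IP))
```

On the posted configs the model lands on dymap, whose transform set vpnset (esp-des esp-md5-hmac) does not match the ESP-DES-SHA offer; with the dynamic entry renumbered after entry 100, the static entry is selected and the transform sets agree.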


