¶øÈôÊǵ±³ö½ü¿ö̬ΪMM_SI1_WR1, MM_SA_SETUP¡¢MM_SI2_WR2, MM_VERIFY¡¢MM_SI3_WR3, MM_VERIFYʱ³½����£¬×¢Ã÷ISAKMP SAÎÞ·¨ÐÉ̳ɹ¦����¡£
£¨¶þ£©×éÍøÍØÆË
£¨Èý£©¿ÉÄÜÔÒò
1¡¢Á¬Í¨ÐÔÒì³£
2¡¢³ö½Ó¿ÚδŲÓÃvpn¼ÓÃÜͼ
3¡¢×ܲ¿ºÍ·ÖÖ§policyÕ½ÊõÅäÖò»Ò»ÖÂ
4¡¢Ô¤¹²ÏíÃÜÔ¿ÅäÖÃÃýÎó
5¡¢FQDNÅäÖÃÃýÎó
6¡¢ÔËÓªÉ̹ýÂË
7¡¢×ܲ¿Îª¶þ¼¶Â·ÓɵÄÇé¿öϳö¿ÚÉ豸ûÓÐÅäÖÃÓ³Éä
8¡¢¶àÏß·»·¾³ÏÂѡ·ÃýÎó
£¨ËÄ£©´¦Öò½Öè
²½Öè1¡¢¶Ô±È·ÖÖ§ºÍ×ܲ¿ÅäÖÃ
È·ÈÏÔ¤¹²ÏíÃØÔ¿¡¢µÚÒ»½×ÐÉ̲ÎÊý¡¢µÚ¶þ½×¶ÎÐÉ̲ÎÊý¡¢¸ÐÐËÖÂÁ÷µÈÊÇ·ñÒ»ÖÂ
a¡¢ÅäÖÃIPsec µÚÒ»½×¶Î
²½Öè2¡¢È·¶¨VPNÊÇ·ñ³ÉÁ¢³É¹¦
a¡¢Web½çÃæÏÔʾÀ¶É«µÄÇé¿ö»òµã»÷ÏÔʾÒѽÓÈë
b¡¢ºÅÁîÐÐÄܹ»Í¨¹ýshow crypto state²é¿´VPNµÚÒ»½×¶ÎµÄÇé¿ö
show crypto is sa ²é¿´µÚÒ»½×¶Î³ÉÁ¢µÄÇé¿ö����£¬IDLE״̬°µÊ¾ÊdzÉÁ¢Õý³£µÄ״̬
¡¾²¹³ä¡¿
Ò»½×¶Î³ÉÁ¢²»³É¹¦×´Ì¬ÏÔʾ
1¡¢·ÖÖ§µÄ״̬»úΪMM_SI1_WR1, MM_SA_SETUP����£¬¶ø×ܲ¿Ã»ÓÐ״̬»úÐÅÏ¢
µÚÒ»¸ö±¨ÎÄ·¢³ö����£¬×ܲ¿Ã»ÓÐÊÕµ½
2¡¢·ÖÖ§µÄ״̬»úΪMM_SI1_WR1, MM_SA_SETUP����£¬²¢ÇÒ´òÓ¡Send ISAKMP negotiate message failed, errno:148, No route to host syslog
µÚÒ»¸ö±¨ÎÄ·¢³ö����£¬µ«ÊÇ·ÓÉѡ·ʧ°Ü£¨²é³ÏÂת·¢Â·ÓÉ£©
3¡¢·ÖÖ§ºÍ×ܲ¿µÄ״̬»ú¶¼Îª£ºMM_SI1_WR1, MM_SA_SETUP
Äܹ»Í¨¹ýdebug cry is²é¿´����£¬ÈôÌáÐÑno proposal chosen����£¬ÐÉ̲ÎÊý²»Ò»ÖÂ������£»ÈôÊDZØÒªÅäÖÃfqdn����£¬±ØҪʹÓÃÒ°Âùģʽ¶Ô½Ó
4¡¢·ÖÖ§ºÍ×ܲ¿µÄ״̬»ú¶¼Îª£ºMM_SI2_WR2, MM_VERIFY
¿¨ÔÚÈýËı¨ÎĽ»»¥����£¬Äܹ»Í¨¹ýdebug cry isÐÅÏ¢²é¿´ÈÕÖ¾����£¬Í¨³£À´ËµÊDZ¨ÎijÁ´«����£¬»òÕßʹÓÃÖ¤ÊéÐÉÌ����£¬Ö¤Êé×°ÖôæÔÚÎÊÌâ
5¡¢·ÖÖ§ºÍ×ܲ¿µÄ״̬»ú¶¼Îª£ºMM_SI3_WR3, MM_VERIFY
Ô¤¹²ÏíÃÜÔ¿²»Ò»ÖÂ����£¬Éí·ÝÑé֤ʧ°Ü����£¬nat»·¾³³öÏÖ¶ª°ü����£¬Í¨¹ýdebug cry is²é¿´ÐÉ̵ÄÇé¿ö����£¬ÒÔ¼°É豸±íÍø¿Ú×¥°üÄܹ»½øÒ»²½²é¿´ÏÂ
²½Öè3¡¢²é³×ܲ¿ºÍ·ÖÖ§ÊÇ·ñÁ¬Í¨ÐÔÒì³£
a¡¢×ܲ¿ºÍ·Ö²¿³ÉÁ¢VPNÊ×ÏÈÒª±£ÕÏ×Ü·Ö²¿µÄ¹«ÍøµØÖ·Á¬Í¨ÐÔÕý³£����£¬ÈçÏÂͼ����£¬Èç¹ûÏÂͼÁ½Ì¨É豸¶¼Îª³ö¿Ú����£¬½Ó¿ÚÉϵÄÅäÖõÄÊǹ«ÍøµØÖ·×ܲ¿³ö¿ÚIP
³ö¿ÚµØÖ·Á¬Í¨ÐÔ²âÊÔ����£¬ºÅÁîÐÐÉÏ´ø¶ÔÓ¦½Ó¿ÚµØַΪԴping¶Ô¶Ë¹«ÍøµØÖ·����£¬ÈçÏÂͼ
b¡¢ÈôÊÇ×Ü·Ö²¿ÁªÍ¨ÐÔ²»Í¨����£¬show crypto stateÊÇûÓдòÓ¡ÐÅÏ¢µÄ
²½Öè4¡¢²é³VPNÆ¥Åä¶ÔÓ¦µÄ³ö½Ó¿ÚÏÂÊÇ·ñŲÓÃVPN¼ÓÃÜͼ
a¡¢ºÅÁîÐÐÏÂŲÓüÓÃÜͼµÄºÅÁî
×ܲ¿ÈôÊÇûÓÐŲÓüÓÃÜͼµÄÇé¿öÏÂ����£¬×ܲ¿show crypto stateûÓдòÓ¡ÐÅÏ¢����£¬·Ö²¿show crypto state¿¨ÔÚµÚÒ»¡¢¶þ±¨ÎĽ»»¥×´Ì¬
·Ö²¿£º
·Ö²¿Ã»ÓÐŲÓüÓÃÜͼµÄÇé¿öÏÂ����£¬×Ü·Ö²¿show crypto state¶¼Ã»ÓдòÓ¡ÐÅÏ¢×ܲ¿£º
·Ö²¿£º
²½Öè5¡¢²é³×ܲ¿ºÍ·ÖÖ§policyÕ½ÊõÅäÖò»Ò»ÖÂ×Ü·Ö²¿Ö®¼äisaÕ½Êõ²ÎÊý±ØÒªÖðÒ»¶ÔÓ¦����£¬ÈôÊDz»Ò»ÑùÊdzÉÁ¢²»ÆðÀ´µÄ����£¬¾ßÌåÈçÏÂͼ
·Ö²¿£º
¡¾²¹³ä¡¿
µÚÒ»½×¶ÎÐÉ̲ÎÊý¶Ô±¨ºÅÁîÐÐΪshow crypto isa policy
b¡¢ÈôÊÇÓÉÓÚµÚÒ»½×¶ÎÐÉ̲ÎÊý²»Ò»ÖÂ����£¬µ¼ÖÂshow crypto state¿¨ÔÚµÚÒ»¡¢¶þ±¨ÎĽ»»¥×´Ì¬
Ö÷ģʽÐÉÌʧ°Ü����£¬show crypto state·¢ÏÖ·ÖÖ§µÄ״̬»úΪMM_SI1_WR1, MM_SA_SETUP����£¬¶ø×ܲ¿Ã»ÓÐ״̬»úÐÅÏ¢
²½Öè6¡¢²é³Ô¤¹²ÏíÃÜÔ¿ÅäÖÃÊÇ·ñÃýÎó
Ô¤¹²ÏíÃÜÔ¿ÅäÖÃÃýÎóµ¼ÖÂIPsecµÚÒ»½×¶ÎÐÉÌÎå¡¢Áù¸ö±¨ÎĽ»»¥²»³É¹¦����£¬ÔÚ×Ü·Ö²¿ÉÏͨ¹ýshow crypto state¿´µ½µÄ״̬±ðÀëΪ
·Ö²¿£º
×ܲ¿£º
¡¾²¹³ä¡¿
11.xµÄÉ豸Äܹ»²é¿´µ±Ç°ÅäÖõÄÔ¤¹²ÏíÃÜÔ¿ÊǼ¸¶à����£¬Í¨¹ýºÅÁîshow crypto isa key decrypt
²½Öè7¡¢²é³ÊÇ·ñQDNÅäÖÃÃýÎó
·Ö²¿ÏÔʾÎåÁù¸ö±¨ÎĽ»»¥×´Ì¬
×ܲ¿ÏÔʾµÚÒ»½×¶Î³ÉÁ¢ÊµÏÖ
×ܲ¿ÅäÖãº
·ÖÖ§FQDN¶ÔÓ¦µÄºÅÁîÐÐÅäÖÃΪ£ºself-identity fqdn EG3000GE
·Ö²¿ÅäÖãº
×ܲ¿FQDNÅäÖÃΪ£º
self-identity fqdn EG3000SE
crypto isakmp key 7 151b5f7246 hostname EG3000GE
crypto map gi0/7 1 ipsec-isakmp
set peer EG3000GE
·Ö²¿ÉϵĶԶËID±ØÒªºÍ×ܲ¿µÄ±¾»úIDÒ»ÖÂ
²½Öè8¡¢²é³ÊÇ·ñÔËÓªÉ̹ýÂË
Äܹ»Í¨¹ýshow ip f f | in 500²é¿´¶ÔÓ¦µÄÁ÷±íÐÅÏ¢ÊÇ·ñÓе½EG����£¬ÈôÊÇûÓÐ����£¬²¢ÇÒÉ豸Éϲ¢Ã»ÓÐip session filterµÄÅäÖýøÐйýÂË����£¬Äܹ»ÒÉ»óÔËÓªÉÌÎÊÌâ.
²½Öè9¡¢×ܲ¿Îª¶þ¼¶Â·ÓɵÄÇé¿öϳö¿ÚÉ豸ûÓÐÅäÖÃÓ³Éä
ÍøÂçÍØÆËΪ³ö¿Ú·ÓÉÏÂÁªEGÏÂÁªÄÚÍø����£¬EG×÷Ϊ¶þ¼¶Â·ÓÉÅäÖÃIPsec×ܲ¿����£¬±ØÒªÔÚ×ܲ¿³ö¿ÚÅäÖÃÓ³ÉäUDP4500ºÍ500
¶ÔÓ¦web½çÃæÅäÖãº
¶Ô±¨ºÅÁîÐÐÅäÖãº
²½Öè10¡¢¶àÏß·»·¾³ÏÂѡ·ÃýÎó
Äܹ»Í¨¹ý²é¿´Á÷±íµÄ³ö½Ó¿ÚÅжÏÊÇ·ñÊÇÀ´»Øõ辶²»Ò»ÖÂ
½â¾ö¹æ»®£º¶àÏß·µÄÇé¿öÏÂÓпÉÄܵ¼ÖÂÀ´»Øõ辶²»Ò»ÖÂ����£¬½¨ÒéÅäÖÃÒ»Ìõ¾²Ì¬Â·ÓÉ����£¬Ö÷ÕŵØÖ·Ö¸Ïò¶Ô¶Ë¹«ÍøµØÖ·×߶ÔÓ¦µÄÏÂÒ»Ìø����£¬±£ÕÏÀ´»Øõ辶һÖÂ
¾ßÌåÅäÖÃÈçÏ£º
²é¿´IPSEC±¨ÎÄѡ·²½Ö裺
sh ip f m | in FLOW-AUDIT-K ---show³öÀ´ºó����£¬²é¿´µÚÒ»ÁеÄÊýÖµ
sh ip f pri ÊýÖµ | in 500
£¨Î壩ÐÅÏ¢ÍøÂç
ÈôÊÇÉÏÊö²½Öè½øÐÐÅäÖò鳺óÈÔ¾ÉÎÞ·¨Õý³£³ÉÁ¢IPSec VPN����£¬Äܹ»ÍøÂçÒÔÏÂÐÅÏ¢Ö®ºó·´À¡ 4008-111-000¹¤³Ìʦ����£¬ÐÖúÄú½øÒ»²½ÅŲé¹ÊÕÏ����¡£
show version
show int usage
sh tcp connect
sh ip udp
sh memory
sh cpu | ex 0.00
sh exec
show coredump file
show run
show log reverse
show ip interface brief
show ip route
show crypto state £¨ÍøÂç3´Î����£¬Ã¿´Î¾àÀë5s£©
show ip fpm flow | in 500 £¨ÍøÂç3´Î����£¬Ã¿´Î¾àÀë5s£©
show ip fpm pri 1 | in 500
show crypto log
debug su
execute diagnose-cmd fdisk
execute diagnose-cmd mount
IPSEC·ÖÖ§ÐÅÏ¢ÍøÂ磺
debug cry isa
debug cry ipsec
terminal monitor
ÍøÂç5·ÖÖÓ×óÓÒ
Undebug all --ÍøÂçÍê±ØÒª¹Ø¹ØdebugÐÅÏ¢
IPSEC×ܲ¿ÐÅÏ¢ÍøÂ磺£¨ÍƼö×ܲ¿Ö»ÓÐһ·IPSECÄܹ»¿ªÆôÍøÂç����£¬³¬¹ýһ·ÒÔÉÏÉóÉ÷¿ªÆôdebug����£¬ÒÔÃâÓ°ÏìÒµÎñ£©
debug cry isa
debug cry ipsec
terminal monitor
ÍøÂç5·ÖÖÓ×óÓÒ
Undebug all --ÍøÂçÍê±ØÒª¹Ø¹ØdebugÐÅÏ¢
£¨Áù£©×ܽáÓ뽨Òé
IKE SA³ÉÁ¢Ê§°Ü³£¼ûÔÒòÊÇIKEÐÉ̱¨ÎIJ»³É´ï����£¬ºÍIKE SAÁ½¶ËÕ½Êõ£¨¼ÓÃÜËã·¨¡¢DH×é¡¢Ô¤¹²ÏíÃØÔ¿¡¢Éí·ÝÈÏÖ¤²½Ö裩²»Æ¥Åä
ÈçÓö¸Ã¹ÊÕÏÎÞ·¨¶¨Î»½â¾öµÄ¿Éµã»÷£ºÊÛºóÉÁµçÍà ´¦ÖÃ
°ä²¼¹¦·ò£º2024-06-13
µã»÷Á¿£º1262
ÎĵµÆÀ¼Û
