IPSCE的debug和show命令.docxVIP

通过 DEBUG 与 SHOW 来学习 IPSEC-VPN 第一阶段指两个 ISAKMP 实体建立一个安全、验证过的信道来进行通信。这被称为 ISAKMP 安全联盟（SA）。“主模式”和“积极模式”都能完成第一阶段的交换。“主模式”和“积极模式”只能在第一阶段中使用。*Mar 1 00:43:53.455: ISAKMP:(0:2:SW:1):purging SA., sa=63E0FA04, delme=63E0FA04 *Mar 1 00:44:05.639: ISAKMP:(0:3:SW:1):purging node 304912037 *Mar 1 00:44:07.279: ISAKMP: received ke message (1/1) *Mar 1 00:44:07.283: ISAKMP:(0:0:N/A:0): SA request profile is (NULL) SA 是有一个或多个提议的 SA 协商负载。发起方可能提供多个协商的提议；应答方只能用一个提议来回答。安全联盟（SA）是一组用来保护信息的策略和密钥。在本协议中，ISAKMP SA 是协商双方为保护之间的通信而使用的共享的策略和密钥。*Mar 1 00:44:07.283: ISAKMP: Created a peer struct for 34.34.34.4, peer port 500 *Mar 1 00:44:07.283: ISAKMP: New peer created peer = 0x64A20E00 peer_handle = 0*Mar 1 00:44:07.283: ISAKMP: Locking peer struct 0x64A20E00, IKE refcount 1 for isakmp_initiator*Mar 1 00:44:07.287: ISAKMP: local port 500, remote port 500 *Mar 1 00:44:07.287: ISAKMP: set new node 0 to QM_IDLE *Mar 1 00:44:07.287: ISAKMP: Find a dup sa in the avl tree during calling isadb_insertsa = 64219D2C *Mar 1 00:44:07.287: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode. “主模式”和“积极模式”都能完成第一阶段的交换。“主模式”和“积极模式”只能在第一阶段中使用。主模式是 ISAKMP 身份保护交换的实现：头两个消息协商策略；下两个消息交换DiffieHellman的公共值和必要的辅助数据（当前时间（nonce））；最后的两个消息验证DiffieHellman交换。*Mar 1 00:44:07.291: ISAKMP:(0:0:N/A:0):found peer preshared key matching 34.34.34.4 *Mar 1 00:44:07.291: ISAKMP:(0:0:N/A:0): constructed NATT vendor07 ID *Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0): constructed NATT vendor03 ID *Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0): constructed NATT vendor02 ID 头两个消息协商策略；（开始）*Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM *Mar 1 00:44:07.295: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1 主模式（开始）；*Mar 1 00:44:07.299: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange *Mar 1 00:44:07.299: ISAKMP:(0:0:N/A:0): sending packet to 34.34.34.4 my_port 500 peer_port 500 (I) MM_NO_STATE *Mar 1 00:44:07.931: ISAKMP (0:0