vpn排错指南

1.

没有

debug

解释触发过程

-------> Router --map----->

1.< /p>

包进入

router

，

< br>(

检查路由

)

，路由引导流量出 适当接口。

******

缺少去往对方通讯点的

路由，或者没有引导对接口。

2.

包在接口上撞击

(map)

******

正确的接口下没有

map

3.

流量 匹配

map

的

(acl)

，触发加密

*** ***map

配置的

acl

错误，

不能够匹配上感兴趣流

4.

发起和

peer

的

IKE

协商，

协商包检查

(

路由

)

去往对方

peer ******

缺少对方< /p>

peer

（加密点）

的路由

错误可能

logging console

感兴趣流

*** ***

缺少去往对方通讯点的

路由，或者没有引导对接口。

******

正确的接口下没有

map

******map

配置的

acl

错误，

不能够匹配上感兴趣流

peer

*** ***

缺少对方

peer

（加密点）< /p>

的路由

*** ***

由于

nat

感兴趣流改变，

需要在

nat

里排除感兴趣流

******

重敲重运用

2.

有

debug

MM

1--2

主要作用：

peer. Proposals

错误可能

1.

（< /p>

2500

）

10:41:57: ISAKMP (0:2): sending packet to 22.22.22.22 (I) MM_NO_STATE

10:41:57: ISAKMP (0:2): received packet from 22.22.22.22 (I) MM_NO_STA

TE

10:41:57: ISAKMP (0:2): Notify has no hash. Rejected.

（

2600

）

*Mar

1 00:15:34.515: ISAKMP: reserved not zero on NOTIFY payload!

*Mar

1

00:15:34.515:

%CRYPTO-4-IKMP_BAD_MESSAGE:

IKE

message

from

150.100.1.2

failed its sanity check or is malformed.

策略错误：检查认证策略

hash

策略

group

策略

加密策略

时间策略

2.

（

25 00

）

11:00:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed

with peer at 22.22.22.22

...

（

2600

）

*Mar

1 00:20:27.800: ISAKMP: reserved not zero on NOTIFY payload!

*Mar

1

00:20:27.800:

%CRYPTO-4-IKMP_BAD_MESSAGE:

IKE

message

from

150.100.1.2

failed its sanity check or is malformed

更新源错误：

本地的更新源是否是对方设置的

peer

，

检查

cry map cisco local-address

的

使用是否正确。

3.< /p>

（

2500

）

10:49:08: ISAKMP (0:1): No Cert or pre- shared address key.

10:49:08: ISAKMP (0:1): Can not start Main mode

10:49:08: ISAKMP (0:1): Can not start aggressive mode.

10:49:08: ISAKMP (0:1): purging SA.

10:49:08: ISAKMP (0:1): purging node -1300701206......

（

2600

）

*Mar

1 00:28:49.066: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.

*Mar

1 00:28:49.066: ISAKMP: Looking for a matching key for 150.100.1.100 in default

*Mar

1 00:28:49.066: ISAKMP: Looking for a matching key for 150.100.1.100 in keyring

*Mar

1 00:28:49.0.66: ISAKMP (0:1): No pre-shared key with 150.100.1.100!

*Mar

1 00:28:49.066: ISAKMP (0:1): No Cert or pre-shared address key.

*Mar

1 00:28:49.070: ISAKMP (0:1): construct_initial_message: Can not start Main mode

*Mar

1 00:28:49.070: ISAKMP (0:1): purging SA., sa=82D9802C, delme=82D9802C

*Mar

1 00:28:49.070: ISAKMP (0:1): purging node 889095291..

peer

错误：

检查

cry isa key cisco address

后边的地址是否和

cry map

下

set peer

的地址相

同

4.< /p>

（

2500

）

2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_NO_STATE.....

2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STA

TE...

2d15h: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1

2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STA

TE

2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_NO_STATE.

2d15h: ISAKMP (0:2): purging node -1637699089....

（

2600

）

*Mar

1 00:36:46.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STA

TE...

*Mar

1 00:36:46.905: ISAKMP (0:1): incrementing error counter on sa: retransmit phase

1

*Mar

1 00:36:46.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STA

TE

*Mar

1

00:36:46.905:

ISAKMP

(0:1):

sending

packet

to

150.100.1.2

my_port

500

peer_port 500 (I) MM_NO_STA

TE.....

*Mar

1 00:36:56.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STA

TE...

*Mar

1 00:36:56.905: ISAKMP (0:1): incrementing error counter on sa: retransmit phase

1

*Mar

1 00:36:56.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STA

TE

*Mar

1

00:36:56.905:

ISAKMP

(0:1):

sending

packet

to

150.100.1.2

my_port

500