IPsec SAs are negotiated in phase 2, so the problem might have occurred during phase 2 negotiation.
To resolve the problem:
1. On the initiator, display IKE debugging information by using the debugging ike all
command. The key debugging information is as follows:
*Nov 7 09:23:08:808 2014 ROUTER IKE/7/DEBUG: send message:
//The initiator sent the first packet for negotiation.
*Nov 7 09:23:08:808 2014 ROUTER IKE/7/DEBUG: ICOOKIE: 0xb8a20d7c014806fa
*Nov 7 09:23:08:808 2014 ROUTER IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
…………………
*Nov 7 09:23:09:365 2014 ROUTER IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 7 09:23:09:415 2014 ROUTER IKE/7/DEBUG: received message:
//The device received a reply packet from the peer (the second packet for negotiation).
*Nov 7 09:23:09:516 2014 ROUTER IKE/7/DEBUG: ICOOKIE: 0xb8a20d7c014806fa
*Nov 7 09:23:09:566 2014 ROUTER IKE/7/DEBUG: RCOOKIE: 0x67a9145eb46c41d9
…………………
*Nov 7 09:23:13:510 2014 ROUTER IKE/7/DEBUG: exchange state machine(I): finished step 1, advancing...
…………………
*Nov 7 09:23:14:820 2014 ROUTER IKE/7/DEBUG: send message:
//The device sent the third packet for negotiation.
*Nov 7 09:23:14:920 2014 ROUTER IKE/7/DEBUG: ICOOKIE: 0xb8a20d7c014806fa
*Nov 7 09:23:14:971 2014 ROUTER IKE/7/DEBUG: RCOOKIE: 0x67a9145eb46c41d9
…………………
[Figure: IKE message exchange between Initiator and Receiver. Panels: Aggressive mode, Quick mode. Message labels in the figure:
Unencrypted, iCookie=xxx, rCookie=0, Payload: SA, KEY EXCHANGE, NONCE, VendorID, Identification
Unencrypted, iCookie=xxx, rCookie=xxx, Payload: SA, KEY EXCHANGE, NONCE, VendorID, Identification, HASH
Encrypted, Payload: KEYEXCHANGE, NONCE, ID
Encrypted, Payload: SA, NONCE, ID
Encrypted, Payload: SA, NONCE, ID, HASH
Encrypted, Payload: HASH]
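The debugging output in step 1 can be read mechanically: each "send message" or "received message" entry is followed by the ICOOKIE and RCOOKIE of that packet, and the RCOOKIE stays zero until the peer has answered. The Python below is an added example, not part of the original guide or the vendor's tooling; the names parse_ike_debug and peer_replied are hypothetical, and the sample input is the debugging output shown in step 1.

```python
import re

# Debug output from step 1 above; one annotation, one elision line and two
# hard-wrapped lines are included to exercise the parser.
SAMPLE = """\
*Nov 7 09:23:08:808 2014 ROUTER IKE/7/DEBUG: send message:
//The initiator sent the first packet for negotiation.
*Nov 7 09:23:08:808 2014 ROUTER IKE/7/DEBUG: ICOOKIE: 0xb8a20d7c014806fa
*Nov 7 09:23:08:808 2014 ROUTER IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
…………………
*Nov 7 09:23:09:365 2014 ROUTER IKE/7/DEBUG: exchange state machine(I): finished step
0, advancing...
*Nov 7 09:23:09:415 2014 ROUTER IKE/7/DEBUG: received message:
*Nov 7 09:23:09:516 2014 ROUTER IKE/7/DEBUG: ICOOKIE: 0xb8a20d7c014806fa
*Nov 7 09:23:09:566 2014 ROUTER IKE/7/DEBUG: RCOOKIE: 0x67a9145eb46c41d9
*Nov 7 09:23:13:510 2014 ROUTER IKE/7/DEBUG: exchange state machine(I): finished step
1, advancing...
*Nov 7 09:23:14:820 2014 ROUTER IKE/7/DEBUG: send message:
*Nov 7 09:23:14:920 2014 ROUTER IKE/7/DEBUG: ICOOKIE: 0xb8a20d7c014806fa
*Nov 7 09:23:14:971 2014 ROUTER IKE/7/DEBUG: RCOOKIE: 0x67a9145eb46c41d9
"""

LINE = re.compile(r"^\*(\w+ +\d+ [\d:]+ \d{4}) \S+ IKE/7/DEBUG: (.*)$")
COOKIE = re.compile(r"([IR])COOKIE: (0x[0-9a-fA-F]+)$")

def parse_ike_debug(text):
    """Return (packets, last finished state-machine step) from debug output."""
    records = []
    for raw in map(str.strip, text.splitlines()):
        if not raw or raw.startswith("//") or set(raw) <= {"…", "."}:
            continue  # blank, annotation or elision line
        if raw.startswith("*"):
            records.append(raw)
        elif records:
            records[-1] += " " + raw  # rejoin a wrapped log line
    packets, last_step = [], None
    for m in filter(None, map(LINE.match, records)):
        ts, body = m.groups()
        if body in ("send message:", "received message:"):
            packets.append({"time": ts, "dir": body.split()[0]})
        elif (c := COOKIE.match(body)) and packets:
            packets[-1][c.group(1).lower() + "cookie"] = c.group(2)
        elif s := re.search(r"finished step (\d+)", body):
            last_step = int(s.group(1))
    return packets, last_step

def peer_replied(packets):
    """True once a received packet carries a non-zero responder cookie."""
    return any(p["dir"] == "received" and int(p.get("rcookie", "0x0"), 16)
               for p in packets)
```

Calling parse_ike_debug(SAMPLE) yields three packets (send, received, send) and a last finished step of 1; when peer_replied returns False, the initiator never logged a reply to its first packet.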