Hello,

In this post I will walk through what happens behind the scenes during Phase 1 of an IPsec VPN.

IPsec is an open-standard suite of protocols that bundles several security services (peer authentication, integrity, confidentiality and anti-replay protection) into one framework.

Because it is an open standard, the basic configuration is the same regardless of vendor. Once the fundamentals are well understood you can apply them comfortably on any device and troubleshoot the problems that come up.

Configuration and the points to watch out for are covered in the IPSec Site-to-Site VPN Genel Yapilandirma post. Here I will go through the Main Mode packets exchanged in Phase 1 and the checks performed at each step.

An IPsec VPN connection being "up" means that the traffic defined between the two VPN endpoints can be carried inside the VPN tunnel. The tunnel is not a separate link: the traffic in question travels over the existing transport path in encrypted form, so someone sitting in the path can neither read the data nor modify it undetected.

In Phase 1 the two VPN endpoints authenticate each other, perform a Diffie-Hellman exchange, and establish the first session (the ISAKMP SA) that will protect the negotiation of the Phase 2 (IPsec SA) parameters. What follows is IKEv1 Main Mode with pre-shared key authentication: six messages, three in each direction.

A device with its IPsec configuration in place sits in the IKE_READY state. The exchange is started on the initiator side.

INITIATOR:

Old State = IKE_READY New State = IKE_I_MM1: When traffic that should enter the VPN tunnel arrives, the initiator moves from IKE_READY to IKE_I_MM1 and sends message 1 (MM1), which carries all of its Phase 1 policies as proposals; the debug tags this packet MM_NO_STATE.
Old State = IKE_I_MM1 New State = IKE_I_MM2: The responder's reply (MM2) arrives carrying the single policy it matched. The initiator processes the SA payload, checks the attributes against its own policy ("atts are acceptable") and starts the Phase 1 lifetime timer (the bytes 0x0 0x1 0x51 0x80 are 0x00015180 = 86400 seconds).
Old State = IKE_I_MM2 New State = IKE_I_MM3: The initiator generates a Diffie-Hellman key pair for the agreed group and sends its DH public value together with a nonce in MM3. Diffie-Hellman is a key agreement, not public-key encryption: each side keeps its private value, and combining the peer's public value with its own private value yields the same shared secret on both sides, a secret that an observer who sees only the two public values cannot compute.
Old State = IKE_I_MM3 New State = IKE_I_MM4: The initiator receives the responder's DH public value and nonce (MM4) and computes the shared secret. From the pre-shared key and both nonces it derives SKEYID, and from that the keys that encrypt and authenticate the rest of the exchange. The NAT-D payloads (payload type 20) carried in MM3/MM4 are compared here as well to detect a NAT in the path.
Old State = IKE_I_MM4 New State = IKE_I_MM5: The initiator sends MM5, now encrypted: its identity (here ID_IPV4_ADDR 10.0.0.1) and HASH_I, the authentication hash keyed with the PSK-derived SKEYID. The PSK itself never crosses the wire; only this hash does.
Old State = IKE_I_MM5 New State = IKE_I_MM6: The initiator receives MM6 with the responder's identity and HASH_R, recomputes HASH_R using its own PSK and compares the two; if they match the debug prints "SA has been authenticated".
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE: If every step succeeded, Phase 1 is complete.

*Jan 31 12:38:40.743: ISAKMP:(0): SA request profile is (NULL)
*Jan 31 12:38:40.747: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Jan 31 12:38:40.747: ISAKMP: New peer created peer = 0x6559D1C4 peer_handle = 0x80000005
*Jan 31 12:38:40.751: ISAKMP: Locking peer struct 0x6559D1C4, refcount 1 for isakmp_initiator
*Jan 31 12:38:40.751: ISAKMP: local port 500, remote port 500
*Jan 31 12:38:40.755: ISAKMP: set new node 0 to QM_IDLE
*Jan 31 12:38:40.755: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 679FF1BC
*Jan 31 12:38:40.755: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 31 12:38:40.759: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Jan 31 12:38:40.763: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 31 12:38:40.763: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 31 12:38:40.767: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 31 12:38:40.767: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 31 12:38:40.767: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 31 12:38:40.771: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jan 31 12:38:40.771: ISAKMP:(0): beginning Main Mode exchange
*Jan 31 12:38:40.775: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 31 12:38:40.775: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 31 12:38:40.803: %SYS-5-CONFIG_I: Configured from console by console
*Jan 31 12:38:40.927: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 31 12:38:40.931: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 31 12:38:40.931: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Jan 31 12:38:40.935: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 31 12:38:40.939: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.939: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 31 12:38:40.939: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 31 12:38:40.939: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Jan 31 12:38:40.939: ISAKMP:(0): local preshared key found
*Jan 31 12:38:40.939: ISAKMP : Scanning profiles for xauth ...
*Jan 31 12:38:40.939: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 31 12:38:40.939: ISAKMP: encryption AES-CBC
*Jan 31 12:38:40.939: ISAKMP: keylength of 128
*Jan 31 12:38:40.939: ISAKMP: hash SHA
*Jan 31 12:38:40.939: ISAKMP: default group 5
*Jan 31 12:38:40.939: ISAKMP: auth pre-share
*Jan 31 12:38:40.939: ISAKMP: life type in seconds
*Jan 31 12:38:40.939: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jan 31 12:38:40.939: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 31 12:38:40.939: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 31 12:38:40.939: ISAKMP:(0):Acceptable atts:life: 0
*Jan 31 12:38:40.939: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jan 31 12:38:40.939: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jan 31 12:38:40.939: ISAKMP:(0):Returning Actual lifetime: 86400
*Jan 31 12:38:40.939: ISAKMP:(0)::Started lifetime timer: 86400.

*Jan 31 12:38:40.939: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.939: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 31 12:38:40.939: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 31 12:38:40.939: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 31 12:38:40.939: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Jan 31 12:38:40.939: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jan 31 12:38:40.939: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 31 12:38:40.939: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 31 12:38:40.939: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Jan 31 12:38:40.991: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jan 31 12:38:40.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 31 12:38:40.999: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

*Jan 31 12:38:41.003: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 31 12:38:41.055: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 31 12:38:41.055: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Jan 31 12:38:41.055: ISAKMP:(1004): processing vendor id payload
*Jan 31 12:38:41.055: ISAKMP:(1004): vendor ID is Unity
*Jan 31 12:38:41.055: ISAKMP:(1004): processing vendor id payload
*Jan 31 12:38:41.055: ISAKMP:(1004): vendor ID is DPD
*Jan 31 12:38:41.055: ISAKMP:(1004): processing vendor id payload
*Jan 31 12:38:41.055: ISAKMP:(1004): speaking to another IOS box!
*Jan 31 12:38:41.059: ISAKMP:received payload type 20
*Jan 31 12:38:41.059: ISAKMP (1004): His hash no match - this node outside NAT
*Jan 31 12:38:41.059: ISAKMP:received payload type 20
*Jan 31 12:38:41.059: ISAKMP (1004): No NAT Found for self or peer
*Jan 31 12:38:41.059: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 31 12:38:41.059: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Jan 31 12:38:41.059: ISAKMP:(1004):Send initial contact
*Jan 31 12:38:41.059: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 31 12:38:41.059: ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 10.0.0.1
protocol : 17
port : 500
length : 12
*Jan 31 12:38:41.059: ISAKMP:(1004):Total payload length: 12
*Jan 31 12:38:41.059: ISAKMP:(1004): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 31 12:38:41.059: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Jan 31 12:38:41.059: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 31 12:38:41.059: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Jan 31 12:38:41.103: ISAKMP (1004): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 31 12:38:41.103: ISAKMP:(1004): processing ID payload. message ID = 0
*Jan 31 12:38:41.103: ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 10.0.0.2
protocol : 17
port : 500
length : 12
*Jan 31 12:38:41.103: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 31 12:38:41.107: ISAKMP:(1004): processing HASH payload. message ID = 0
*Jan 31 12:38:41.107: ISAKMP:(1004):SA authentication status:
authenticated
*Jan 31 12:38:41.107: ISAKMP:(1004):SA has been authenticated with 10.0.0.2
*Jan 31 12:38:41.107: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.2/500/, and inserted successfully 6559D1C4.
*Jan 31 12:38:41.107: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 31 12:38:41.107: ISAKMP:(1004):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Jan 31 12:38:41.107: ISAKMP (1003): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 31 12:38:41.107: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 31 12:38:41.107: ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Jan 31 12:38:41.107: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 31 12:38:41.107: ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

RESPONDER:

Old State = IKE_READY New State = IKE_R_MM1: The ISAKMP session request (MM1) from the initiator triggers the negotiation on the responder.
Old State = IKE_R_MM1 New State = IKE_R_MM2: The responder tries to match the received proposals against its own policies in priority order (1 = highest). If the initiator sent 10 policies, the responder first compares its own priority 1 policy against all 10; if none matches it moves on to its priority 2 policy, and so on until a match is found. Encryption, hash, authentication method and DH group must match exactly; lifetime is the one attribute that need not be identical, the shorter value being used. If no configured policy matches, platforms that ship default policies (Cisco IOS does, unless they are disabled with "no crypto isakmp default policy") try those last; what the defaults contain varies by vendor and version. The matched policy is returned to the initiator in MM2.
Old State = IKE_R_MM2 New State = IKE_R_MM3: MM3 arrives with the initiator's DH public value and nonce. The responder processes the KE and NONCE payloads, generates its own DH key pair and computes the shared secret and SKEYID.
Old State = IKE_R_MM3 New State = IKE_R_MM4: The responder sends MM4 with its own DH public value and nonce.
Old State = IKE_R_MM4 New State = IKE_R_MM5: MM5 arrives encrypted. The responder decrypts it, processes the initiator's identity and HASH_I, and verifies the hash against the PSK it has configured for that peer ("SA has been authenticated with 10.0.0.1"). In the capture below the INITIAL_CONTACT notify carried in MM5 also makes the responder tear down the stale SA left over from a previous negotiation (conn-id 1003) before it continues.
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE: The responder sends MM6 with its own identity and HASH_R. Phase 1 is complete.

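The following is an added example, not code from the original post: a Python run of the six Main Mode messages between two in-process peers, covering the policy selection described for the responder, a Diffie-Hellman group 5 exchange, the RFC 2409 key derivation (SKEYID and SKEYID_d/_a/_e) and the HASH_I / HASH_R checks that stand behind the "SA has been authenticated" lines in the debug. Encryption of messages 5 and 6 with SKEYID_e is left out; the hash comparison stands in for it. The peer addresses 10.0.0.1/10.0.0.2 and the AES-128 / SHA / group 5 / pre-share policy are taken from the debug output on this page; the pre-shared keys and the responder's second policy are invented for the example.

```python
"""IKEv1 Main Mode Phase 1 run between two in-process peers (added example):
MM1/MM2 policy selection, MM3/MM4 Diffie-Hellman + nonces, MM5/MM6 ID + HASH auth."""
import hashlib
import hmac
import os
import struct

# RFC 3526 group 5 (1536-bit MODP, generator 2): the "default group 5" in the debug.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G, P_LEN = 2, (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for 'hash SHA' is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def select_policy(proposals, policies):
    """MM1 -> MM2: the responder walks its OWN policies by priority (1 = highest) and
    returns the first that matches any received proposal on enc/keylen/hash/group/auth.
    Lifetime need not be identical; the shorter of the two is used."""
    strict = ("enc", "keylen", "hash", "group", "auth")
    for pol in sorted(policies, key=lambda p: p["priority"]):
        for prop in proposals:
            if all(prop[k] == pol[k] for k in strict):
                return dict(pol, lifetime=min(prop["lifetime"], pol["lifetime"]))
    return None  # nothing acceptable: MM1 is dropped, the initiator stays in IKE_I_MM1


def id_payload(addr: str) -> bytes:
    """ID_IPV4_ADDR (type 1), protocol 17, port 500, address: the 'ID payload' fields."""
    return struct.pack("!BBH", 1, 17, 500) + bytes(int(o) for o in addr.split("."))


def derive(psk, ni, nr, gxy, cky_i, cky_r):
    """PSK auth: SKEYID = prf(PSK, Ni|Nr); the PSK itself never crosses the wire.
    SKEYID_d/_a/_e become the Phase 2 keying, integrity and encryption keys."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, (d, a, e)


def auth_hash(skeyid, pub_a, pub_b, cky_a, cky_b, sai_b, id_b):
    """HASH_I = prf(SKEYID, g^xi|g^xr|CKY-I|CKY-R|SAi_b|ID_i); HASH_R swaps the
    public values and cookies and uses ID_r."""
    return prf(skeyid, pub_a + pub_b + cky_a + cky_b + sai_b + id_b)


def main_mode(psk_i: bytes, psk_r: bytes, proposals, policies):
    """Run MM1..MM6 (initiator holds psk_i, responder psk_r); report where each side ends."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)            # ISAKMP cookies
    chosen = select_policy(proposals, policies)            # MM1 / MM2
    if chosen is None:
        return {"initiator": "IKE_I_MM1", "responder": "IKE_READY",
                "policy": None, "keys_match": False}
    sai_b = repr(proposals).encode()                       # stands in for the SA payload bytes
    xi, xr = (int.from_bytes(os.urandom(32), "big") for _ in range(2))  # private DH values
    gxi_b = pow(G, xi, P).to_bytes(P_LEN, "big")           # MM3 KE payload (public)
    gxr_b = pow(G, xr, P).to_bytes(P_LEN, "big")           # MM4 KE payload (public)
    ni, nr = os.urandom(16), os.urandom(16)                # MM3 / MM4 nonces
    # Each side combines the peer's public value with its own private value.
    gxy_i = pow(int.from_bytes(gxr_b, "big"), xi, P).to_bytes(P_LEN, "big")
    gxy_r = pow(int.from_bytes(gxi_b, "big"), xr, P).to_bytes(P_LEN, "big")
    sk_i, keys_i = derive(psk_i, ni, nr, gxy_i, cky_i, cky_r)
    sk_r, keys_r = derive(psk_r, ni, nr, gxy_r, cky_i, cky_r)
    id_i, id_r = id_payload("10.0.0.1"), id_payload("10.0.0.2")
    # MM5: initiator sends ID_i + HASH_I; the responder recomputes it with ITS PSK.
    # A PSK mismatch fails here (on the wire the packet would not even decrypt).
    sent = auth_hash(sk_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, id_i)
    if not hmac.compare_digest(sent, auth_hash(sk_r, gxi_b, gxr_b, cky_i, cky_r, sai_b, id_i)):
        return {"initiator": "IKE_I_MM5", "responder": "IKE_R_MM5",
                "policy": chosen, "keys_match": keys_i == keys_r}
    # MM6: responder sends ID_r + HASH_R; the initiator verifies it the same way.
    sent = auth_hash(sk_r, gxr_b, gxi_b, cky_r, cky_i, sai_b, id_r)
    if not hmac.compare_digest(sent, auth_hash(sk_i, gxr_b, gxi_b, cky_r, cky_i, sai_b, id_r)):
        return {"initiator": "IKE_I_MM6", "responder": "IKE_P1_COMPLETE",
                "policy": chosen, "keys_match": False}
    return {"initiator": "IKE_P1_COMPLETE", "responder": "IKE_P1_COMPLETE",
            "policy": chosen, "keys_match": keys_i == keys_r}


# Constructed sample: the initiator offers 3DES first and AES second; the responder's
# priority 1 policy is AES, so AES wins although 3DES also matches its priority 10.
BASE = {"hash": "sha", "auth": "pre-share", "lifetime": 86400}
PROPOSALS = [dict(BASE, enc="3des-cbc", keylen=168, group=2),
             dict(BASE, enc="aes-cbc", keylen=128, group=5)]
POLICIES = [dict(BASE, priority=1, enc="aes-cbc", keylen=128, group=5),
            dict(BASE, priority=10, enc="3des-cbc", keylen=168, group=2, lifetime=3600)]

if __name__ == "__main__":
    print(main_mode(b"cisco123", b"cisco123", PROPOSALS, POLICIES))  # both IKE_P1_COMPLETE
    print(main_mode(b"cisco123", b"cisco124", PROPOSALS, POLICIES))  # initiator IKE_I_MM5
```

With matching PSKs both peers end in IKE_P1_COMPLETE and derive identical SKEYID_d/_a/_e. With a PSK mismatch the DH exchange still succeeds (the public values are fine), but SKEYID differs on the two sides, so HASH_I does not verify and the initiator is left in IKE_I_MM5, which is exactly the "stuck in MM_KEY_EXCH" picture a PSK mismatch produces in show crypto isakmp sa.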
*Jan 31 12:38:40.891: ISAKMP (0): received packet from 10.0.0.1 dport 500 sport 500 Global (N) NEW SA
*Jan 31 12:38:40.895: ISAKMP: Found a peer struct for 10.0.0.1, peer port 500
*Jan 31 12:38:40.895: ISAKMP: Locking peer struct 0x67584BDC, refcount 2 for crypto_isakmp_process_block
*Jan 31 12:38:40.895: ISAKMP: local port 500, remote port 500
*Jan 31 12:38:40.899: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 68E63F0C
*Jan 31 12:38:40.903: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 31 12:38:40.903: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Jan 31 12:38:40.915: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 31 12:38:40.915: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.919: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 31 12:38:40.919: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 31 12:38:40.923: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.923: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 31 12:38:40.923: ISAKMP (0): vendor ID is NAT-T v7
*Jan 31 12:38:40.927: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.927: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 31 12:38:40.927: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 31 12:38:40.927: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.927: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 31 12:38:40.927: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 31 12:38:40.927: ISAKMP:(0):found peer pre-shared key matching 10.0.0.1
*Jan 31 12:38:40.927: ISAKMP:(0): local preshared key found
*Jan 31 12:38:40.927: ISAKMP : Scanning profiles for xauth ...
*Jan 31 12:38:40.927: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 31 12:38:40.927: ISAKMP: encryption AES-CBC
*Jan 31 12:38:40.927: ISAKMP: keylength of 128
*Jan 31 12:38:40.927: ISAKMP: hash SHA
*Jan 31 12:38:40.927: ISAKMP: default group 5
*Jan 31 12:38:40.927: ISAKMP: auth pre-share
*Jan 31 12:38:40.927: ISAKMP: life type in seconds
*Jan 31 12:38:40.927: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jan 31 12:38:40.927: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 31 12:38:40.927: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 31 12:38:40.931: ISAKMP:(0):Acceptable atts:life: 0
*Jan 31 12:38:40.931: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jan 31 12:38:40.931: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jan 31 12:38:40.931: ISAKMP:(0):Returning Actual lifetime: 86400
*Jan 31 12:38:40.931: ISAKMP:(0)::Started lifetime timer: 86400.

*Jan 31 12:38:40.931: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.931: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 31 12:38:40.931: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 31 12:38:40.931: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.931: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 31 12:38:40.931: ISAKMP (0): vendor ID is NAT-T v7
*Jan 31 12:38:40.931: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.931: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 31 12:38:40.931: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 31 12:38:40.931: ISAKMP:(0): processing vendor id payload
*Jan 31 12:38:40.931: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 31 12:38:40.931: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 31 12:38:40.931: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 31 12:38:40.931: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Jan 31 12:38:40.931: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 31 12:38:40.931: ISAKMP:(0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jan 31 12:38:40.931: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 31 12:38:40.935: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 31 12:38:40.935: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Jan 31 12:38:40.951: ISAKMP (0): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jan 31 12:38:40.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 31 12:38:40.955: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Jan 31 12:38:40.967: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 31 12:38:41.015: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 31 12:38:41.015: ISAKMP:(0):found peer pre-shared key matching 10.0.0.1
*Jan 31 12:38:41.015: ISAKMP:(1004): processing vendor id payload
*Jan 31 12:38:41.015: ISAKMP:(1004): vendor ID is DPD
*Jan 31 12:38:41.015: ISAKMP:(1004): processing vendor id payload
*Jan 31 12:38:41.015: ISAKMP:(1004): speaking to another IOS box!
*Jan 31 12:38:41.015: ISAKMP:(1004): processing vendor id payload
*Jan 31 12:38:41.015: ISAKMP:(1004): vendor ID seems Unity/DPD but major 46 mismatch
*Jan 31 12:38:41.015: ISAKMP:(1004): vendor ID is XAUTH
*Jan 31 12:38:41.015: ISAKMP:received payload type 20
*Jan 31 12:38:41.015: ISAKMP (1004): His hash no match - this node outside NAT
*Jan 31 12:38:41.015: ISAKMP:received payload type 20
*Jan 31 12:38:41.015: ISAKMP (1004): No NAT Found for self or peer
*Jan 31 12:38:41.015: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 31 12:38:41.015: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Jan 31 12:38:41.019: ISAKMP:(1004): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 31 12:38:41.019: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Jan 31 12:38:41.019: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 31 12:38:41.019: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Jan 31 12:38:41.071: ISAKMP (1004): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 31 12:38:41.075: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 31 12:38:41.075: ISAKMP:(1004):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Jan 31 12:38:41.083: ISAKMP:(1004): processing ID payload. message ID = 0
*Jan 31 12:38:41.083: ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 10.0.0.1
protocol : 17
port : 500
length : 12
*Jan 31 12:38:41.087: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 31 12:38:41.091: ISAKMP:(1004): processing HASH payload. message ID = 0
*Jan 31 12:38:41.095: ISAKMP:(1004): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x68E63F0C
*Jan 31 12:38:41.095: ISAKMP:(1004):SA authentication status:
authenticated
*Jan 31 12:38:41.095: ISAKMP:(1004):SA has been authenticated with 10.0.0.1
*Jan 31 12:38:41.095: ISAKMP:(1004):SA authentication status:
authenticated
*Jan 31 12:38:41.095: ISAKMP:(1004): Process initial contact,
bring down existing phase 1 and 2 SA’s with local 10.0.0.2 remote 10.0.0.1 remote port 500
*Jan 31 12:38:41.095: ISAKMP:(1003):received initial contact, deleting SA
*Jan 31 12:38:41.095: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jan 31 12:38:41.095: ISAKMP:(1003):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 10.0.0.1)
*Jan 31 12:38:41.095: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 31 12:38:41.095: ISAKMP:(1004):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Jan 31 12:38:41.103: ISAKMP: set new node 221114882 to QM_IDLE
*Jan 31 12:38:41.107: ISAKMP:(1003): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) QM_IDLE
*Jan 31 12:38:41.107: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jan 31 12:38:41.107: ISAKMP:(1003):purging node 221114882
*Jan 31 12:38:41.111: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 31 12:38:41.111: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Jan 31 12:38:41.115: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 31 12:38:41.119: ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 10.0.0.2
protocol : 17
port : 500
length : 12
*Jan 31 12:38:41.119: ISAKMP:(1004):Total payload length: 12
*Jan 31 12:38:41.119: ISAKMP:(1004): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 31 12:38:41.119: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Jan 31 12:38:41.119: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 31 12:38:41.119: ISAKMP:(1004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

All of this can be followed in detail in the debug output. On a Cisco router, show crypto isakmp sa reports the Main Mode progress with these states:

MM_NO_STATE: an ISAKMP SA exists but nothing has been agreed yet (MM1 sent without an answer, or a Main Mode session that has been torn down). An initiator stuck here usually means the peer is unreachable, UDP/500 is filtered, or the peer has no matching policy or crypto map.
MM_SA_SETUP: messages 1 and 2 are done; the Phase 1 policy is agreed.
MM_KEY_EXCH: messages 3 and 4 are done; the Diffie-Hellman exchange is complete but the SA is not yet authenticated. An initiator stuck here is the classic sign of a pre-shared key mismatch, because the responder cannot validate MM5.
MM_KEY_AUTH: messages 5 and 6 are done; the SA is authenticated.
Once all stages are complete the SA moves to QM_IDLE and the Phase 2 (Quick Mode) negotiation can begin. 🙂

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           1003 ACTIVE
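To make debug output like the above quicker to read, here is an added Python helper (not from the original post) that walks lines of debug crypto isakmp output, collects the Old State / New State transitions, decodes the negotiated attributes including the hex lifetime string, records whether the policy was accepted and the SA authenticated, and maps the last state reached to the state show crypto isakmp sa would display. The first sample is a trimmed set of lines copied from the initiator debug above; the second sample is constructed for the example to show a responder rejecting the offered policy ("atts are not acceptable"). The hint texts and the IOS command names they mention are the author's suggestions, not output of the router.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' Main Mode output (added example)."""
import re

TRANSITION = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth|"
                  r"life duration \(VPI\) of)\s+(.+?)\s*$")
ATTR_NAMES = {"encryption": "encryption", "keylength of": "keylength", "hash": "hash",
              "default group": "dh_group", "auth": "auth"}
# Internal state -> what 'show crypto isakmp sa' displays, taken from the (I)/(R) tags
# on the 'sending packet' / 'received packet' lines of the debug above.
SHOW_STATE = {"IKE_READY": "MM_NO_STATE", "IKE_I_MM1": "MM_NO_STATE", "IKE_R_MM1": "MM_NO_STATE",
              "IKE_I_MM2": "MM_SA_SETUP", "IKE_I_MM3": "MM_SA_SETUP", "IKE_R_MM2": "MM_SA_SETUP",
              "IKE_I_MM4": "MM_KEY_EXCH", "IKE_I_MM5": "MM_KEY_EXCH", "IKE_R_MM3": "MM_KEY_EXCH",
              "IKE_R_MM4": "MM_KEY_EXCH", "IKE_R_MM5": "MM_KEY_EXCH", "IKE_I_MM6": "MM_KEY_AUTH",
              "IKE_P1_COMPLETE": "QM_IDLE"}


def decode_lifetime(vpi: str) -> int:
    """'0x0 0x1 0x51 0x80' is a big-endian byte string: 0x00015180 = 86400 seconds."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")


def parse_isakmp_debug(lines):
    """Collect transitions, negotiated attributes, policy/auth outcome and triage hints."""
    rep = {"transitions": [], "attrs": {}, "acceptable": None, "authenticated": False,
           "final_state": None, "show_state": None, "hints": []}
    for line in lines:
        m = TRANSITION.search(line)
        if m:
            if m.group(1) != m.group(2):           # IOS also logs no-op self transitions
                rep["transitions"].append((m.group(1), m.group(2)))
            continue
        m = ATTR.search(line)
        if m:
            key, val = m.group(1), m.group(2)
            if key.startswith("life duration"):
                rep["attrs"]["lifetime_seconds"] = decode_lifetime(val)
            else:
                rep["attrs"][ATTR_NAMES[key]] = val
        elif "atts are not acceptable" in line:     # verdict per transform/policy pair;
            rep["acceptable"] = False               # the last one seen is the outcome
        elif "atts are acceptable" in line:
            rep["acceptable"] = True
        elif "SA has been authenticated" in line:
            rep["authenticated"] = True
    if rep["transitions"]:
        rep["final_state"] = rep["transitions"][-1][1]
        rep["show_state"] = SHOW_STATE.get(rep["final_state"], rep["final_state"])
    # Hints in the order a practitioner checks them: policy, reachability, then PSK/identity.
    if rep["acceptable"] is False:
        rep["hints"].append("Phase 1 policy mismatch: compare 'crypto isakmp policy' on both peers")
    if rep["final_state"] == "IKE_I_MM1":
        rep["hints"].append("No MM2 received: peer unreachable, UDP/500 filtered, "
                            "or no matching policy/crypto map on the peer")
    if rep["final_state"] in ("IKE_I_MM5", "IKE_R_MM5") and not rep["authenticated"]:
        rep["hints"].append("Stuck after MM5 unauthenticated: check 'crypto isakmp key' "
                            "and 'crypto isakmp identity' on both peers")
    return rep


# Trimmed lines from the initiator debug on this page.
SAMPLE_OK = """\
*Jan 31 12:38:40.771: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 31 12:38:40.775: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 31 12:38:40.931: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jan 31 12:38:40.939: ISAKMP: encryption AES-CBC
*Jan 31 12:38:40.939: ISAKMP: keylength of 128
*Jan 31 12:38:40.939: ISAKMP: hash SHA
*Jan 31 12:38:40.939: ISAKMP: default group 5
*Jan 31 12:38:40.939: ISAKMP: auth pre-share
*Jan 31 12:38:40.939: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jan 31 12:38:40.939: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 31 12:38:40.939: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jan 31 12:38:40.939: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jan 31 12:38:40.999: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jan 31 12:38:41.059: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jan 31 12:38:41.107: ISAKMP:(1004):SA has been authenticated with 10.0.0.2
*Jan 31 12:38:41.107: ISAKMP:(1004):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jan 31 12:38:41.107: ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
""".splitlines()

# Constructed sample: a responder whose only policy does not match the offered transform.
SAMPLE_MISMATCH = """\
*Jan 31 12:40:01.003: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 31 12:40:01.015: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 31 12:40:01.015: ISAKMP: encryption 3DES-CBC
*Jan 31 12:40:01.015: ISAKMP: hash MD5
*Jan 31 12:40:01.015: ISAKMP: default group 2
*Jan 31 12:40:01.015: ISAKMP: auth pre-share
*Jan 31 12:40:01.015: ISAKMP:(0):atts are not acceptable. Next payload is 0
""".splitlines()

if __name__ == "__main__":
    print(parse_isakmp_debug(SAMPLE_OK))
    print(parse_isakmp_debug(SAMPLE_MISMATCH))
```

Feed it the output of terminal monitor or a saved log; on the successful capture it reports final_state IKE_P1_COMPLETE, show_state QM_IDLE, an 86400-second lifetime and no hints, while on the mismatch sample it stops at IKE_R_MM1 (MM_NO_STATE) and points at the Phase 1 policy.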
Musa AYDIN

musa.aydin@netoburus.com

Categories: NetworkSecurity
