IPsec VPN Redundancy Test (Using VPN Monitor)


Contents

1  Test topology

2  FGT1 hub configuration

3  FGT2 spoke configuration

4  Scenario 1: VPN1 established, VPN2 on standby

4.1  Procedure

4.2  Spoke VPN status analysis

4.3  Hub VPN status analysis

5  Scenario 2: simulate VPN1 failure; VPN2 connects immediately

5.1  Procedure: change the VPN1 peer IP to an incorrect address

5.2  Spoke status analysis

5.3  Hub status analysis

6  Scenario 3: while VPN2 is connected, simulate VPN1 suddenly recovering

6.1  Spoke status analysis

6.2  Hub status analysis

7  Scenario 4: simulate a half-dead VPN tunnel and test DPD modes

7.1  Root cause analysis and clarification of the DPD mechanism

7.2  Testing and analysing the half-dead VPN after DPD failure

7.3  Making the VPN go half-dead

7.4  Testing the DPD on-demand mechanism

8  Diagnostic commands

8.1  Observing VPN status

8.2  Debug commands

8.3  Tearing down a VPN and initiating VPN negotiation


1      Test topology

FGT2_Port3(Port4)--------Router-----------port2_FGT1

FGT2 creates two VPNs (VPN1 and VPN2), both terminating on Port2 of FGT1.

2      FGT1 hub configuration

If the dial-up VPN is configured through the wizard, the default configuration is as follows:

- Phase 1 configuration

config vpn ipsec phase1-interface

   edit "dail-up"

       set type dynamic

       set interface "port2"

       set peertype any

       set net-device disable

       set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

       set dpd on-idle   // enable DPD on-idle

       set psksecret xxxx

       set dpd-retryinterval 60

   next

end

- Note:

The following DPD settings are generated automatically:

DPD peer detection mode is on-idle, i.e. periodic probing

dpd-retryinterval   60

dpd-retrycount      3

- Phase 2 configuration:

config vpn ipsec phase2-interface

   edit "dail-up"

       set phase1name "dail-up"

       set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

       set replay disable  // disable anti-replay

   next

end

- Routes

Generated automatically; no manual creation is needed.

- Firewall policy

Configuration omitted.

3      FGT2 spoke configuration

- VPN phase 1 configuration:

config vpn ipsec phase1-interface

   edit "VPN1"

       set interface "port3"

       set peertype any

       set net-device disable

       set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

       set remote-gw 1.1.1.1

       set psksecret xxx

   next

   edit "VPN2" // backup VPN, monitors the primary VPN1

       set interface "port4"

       set peertype any

       set net-device disable

       set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

       set remote-gw 1.1.1.1

       set monitor "VPN1"  // monitors the primary VPN1

       set psksecret xxx

   next

end

- Note

1. The second tunnel, VPN2, monitors the phase 1 state of VPN1.

It watches the primary tunnel (VPN1) and acts on its state: when it sees VPN1 down, it initiates a connection; when it sees VPN1 up, it sends the hub a request to delete its own connection.

2. DPD generates the following configuration by default:

set dpd on-demand

set dpd-retrycount 3

set dpd-retryinterval 20

In on-demand mode, DPD probes are sent only when the tunnel carries outbound traffic with no return traffic, i.e. only after tunnel traffic has already failed. If the tunnel sends no traffic, DPD is never triggered; even if the peer has gone down, this end still considers the tunnel UP. The result is a half-dead tunnel; see Scenario 4.

Therefore, in practice it is strongly recommended not to leave DPD at the default on-demand setting; change the DPD mode to on-idle.

- Phase 2 configuration:

config vpn ipsec phase2-interface

   edit "VPN1"

       set phase1name "VPN1"

       set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

       set replay disable

       set auto-negotiate enable

       set src-subnet 10.10.20.0 255.255.255.0

   next

   edit "VPN2"

       set phase1name "VPN2"

       set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

       set replay disable

       set auto-negotiate enable

       set src-subnet 10.10.20.0 255.255.255.0

   next

end

- Routes:

Routes to both tunnels, plus a blackhole route

config router static

   edit 4

       set dst 10.10.10.0 255.255.255.0

       set device "VPN1"

   next

   edit 5

       set dst 10.10.10.0 255.255.255.0

       set device "VPN2"

   next

   edit 6

       set dst 10.10.10.0 255.255.255.0

       set distance 254

       set blackhole enable

   next

end

- Firewall policy:

Omitted.

4      Scenario 1: VPN1 established, VPN2 on standby

4.1  Procedure

4.2  Spoke VPN status analysis

On the spoke, both the phase 1 and phase 2 status show VPN1 established (up) and VPN2 down.

FGT-2 # diagnose  vpn ike  gateway list

vd: root/0

name: VPN1

version: 1

interface: port3 5

addr: 2.2.2.2:500 -> 1.1.1.1:500

virtual-interface-addr: 10.10.11.2 -> 10.10.11.254

created: 193s ago

IKE SA: created 1/1  established 1/1  time 10/10/10 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 id/spi: 74 e43a35c273c74cfe/127dbd573f23832c

 direction: initiator

 status: established 193-193s ago = 10ms

 proposal: aes128-sha256

 key: 85f83ab227b5d63a-a11cb9ffd7cbe0dc

 lifetime/rekey: 86400/85906

  DPD sent/recv: 00000000/00000003

FGT-2 # diagnose  vpn tunnel list 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=VPN1 ver=1 serial=1 2.2.2.2:0->1.1.1.1:0 dst_mtu=1500

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=5 olast=45 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=VPN1 proto=0 sa=1 ref=2 serial=1 auto-negotiate

 src: 0:10.10.20.0/255.255.255.0:0

 dst: 0:0.0.0.0/0.0.0.0:0

 SA:  ref=3 options=18225 type=00 soft=0 mtu=1438 expire=42678/0B replaywin=0

      seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

 life: type=01 bytes=0/0 timeout=42903/43200

 dec: spi=63b74d29 esp=aes key=16 db52c94a0daa1c0ffcf50474a186689e

      ah=sha1 key=20 30eafb1e4cca15d6b05f98fc6461729c112c3cbc

 enc: spi=7163a2ab esp=aes key=16 16829885ffe9c45153b104e02cfd0eed

      ah=sha1 key=20 d141f9f896833cc7541b87bdfbd0b690be493179

 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

run_tally=1

------------------------------------------------------

name=VPN2 ver=1 serial=2 3.3.3.2:0->1.1.1.1:0 dst_mtu=1500

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=225 olast=225 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=VPN2 proto=0 sa=0 ref=2 serial=3 auto-negotiate

 src: 0:10.10.20.0/255.255.255.0:0

 dst: 0:0.0.0.0/0.0.0.0:0

run_tally=1

4.3  Hub VPN status analysis

FGT-1 # diagnose  vpn ike  gateway  list

vd: root/0

name: dail-up_1

version: 1

interface: port2 4

addr: 1.1.1.1:500 -> 2.2.2.2:500

created: 252s ago

IKE SA: created 1/1  established 1/1  time 0/0/0 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 id/spi: 13 e43a35c273c74cfe/127dbd573f23832c

 direction: responder

 status: established 252-252s ago = 0ms

 proposal: aes128-sha256

 key: 85f83ab227b5d63a-a11cb9ffd7cbe0dc

 lifetime/rekey: 86400/85877

  DPD sent/recv: 00000004/00000000

FGT-1 # diagnose  vpn tunnel  list 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=dail-up_1 ver=1 serial=e 1.1.1.1:0->2.2.2.2:0 dst_mtu=1500

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0

 parent=dail-up index=1

proxyid_num=1 child_num=0 refcnt=5 ilast=12 olast=12 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=2

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=dail-up proto=0 sa=1 ref=2 serial=1 add-route

 src: 0:0.0.0.0-255.255.255.255:0

 dst: 0:10.10.20.0-10.10.20.255:0

 SA:  ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=43054/0B replaywin=2048

      seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1

 life: type=01 bytes=0/0 timeout=43186/43200

 dec: spi=7163a2ab esp=aes key=16 16829885ffe9c45153b104e02cfd0eed

      ah=sha1 key=20 d141f9f896833cc7541b87bdfbd0b690be493179

 enc: spi=63b74d29 esp=aes key=16 db52c94a0daa1c0ffcf50474a186689e

       ah=sha1 key=20 30eafb1e4cca15d6b05f98fc6461729c112c3cbc

 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

------------------------------------------------------

name=dail-up ver=1 serial=1 1.1.1.1:0->0.0.0.0:0 dst_mtu=0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0

proxyid_num=0 child_num=1 refcnt=13 ilast=1917 olast=1917 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

run_tally=1

ipv4 route tree:

10.10.20.0->10.10.20.255 1

5      Scenario 2: simulate VPN1 failure; VPN2 connects immediately

5.1  Procedure: change the VPN1 peer IP to an incorrect address.

config vpn ipsec phase1-interface

   edit "VPN1"

       set interface "port3"

       set peertype any

       set net-device disable

       set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

       set localid "spoke-2"

       set remote-gw 1.1.1.1

       set psksecret ENC vZwnUAT9oA5aS1RG6txsTxq6xCrHBsdV/fvcKmA+mgskHTk0KbElh8BDx01QmG3TH+HAyoNeflxjQJh4GgolwdWT6KRfvrknL6bkAwPlogz1ITyUOo7MPskHVF0ejcSfWnosQdcohip12Nu6vWT5yUD5K//uE6iyC8pdPN+gNMUJSQB81OBQVn0ak0QmZaBBDC0VGQ==

   next

end

FGT-2 (VPN1) # set remote-gw 1.1.1.3

FGT-2 (VPN1) # end

Then observe the spoke VPN status again:

5.2  Spoke status analysis

FGT-2 # diagnose  vpn ike  gateway list

vd: root/0

name: VPN1

version: 1

interface: port3 5

addr: 2.2.2.2:500 -> 1.1.1.3:500

virtual-interface-addr: 10.10.11.2 -> 10.10.11.254

created: 9s ago

IKE SA: created 1/1

IPsec SA: created 1/1

 id/spi: 75 32702e25739b9d3a/0000000000000000

 direction: responder

 status: connecting, state 3, started 9s ago

vd: root/0

name: VPN2

version: 1

interface: port4 6

addr: 3.3.3.2:500 -> 1.1.1.1:500

created: 8s ago

IKE SA: created 1/1  established 1/1  time 10/10/10 ms

IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

 id/spi: 76 37097d6744025a36/663e7fe24b531d01

 direction: initiator

 status: established 8-8s ago = 10ms

 proposal: aes128-sha256

 key: 74cc6362d3dba182-ba6dc72848fe0a52

 lifetime/rekey: 86400/86091

  DPD sent/recv: 00000000/00000000

FGT-2 # diagnose  vpn tunnel  list 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=VPN1 ver=1 serial=1 2.2.2.2:0->1.1.1.3:0 dst_mtu=1500

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=0

proxyid_num=1 child_num=0 refcnt=13 ilast=2 olast=2 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=VPN1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

 src: 0:10.10.20.0/255.255.255.0:0

 dst: 0:0.0.0.0/0.0.0.0:0

run_tally=1

------------------------------------------------------

name=VPN2 ver=1 serial=2 3.3.3.2:0->1.1.1.1:0 dst_mtu=1500

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=12 ilast=0 olast=61 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=VPN2 proto=0 sa=1 ref=2 serial=3 auto-negotiate

 src: 0:10.10.20.0/255.255.255.0:0

 dst: 0:0.0.0.0/0.0.0.0:0

 SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42839/0B replaywin=2048

      seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

 life: type=01 bytes=0/0 timeout=42898/43200

 dec: spi=63b74d2a esp=aes key=16 5e59765ad0485860701d02058eea4e6c

      ah=sha1 key=20 81429bc2a25b94dbd745016730a01f6a32b40fb2

 enc: spi=7163a2ac esp=aes key=16 b866d3dee6c37f487acc871e4f84b30f

      ah=sha1 key=20 4e01ce49f3e4ea5a57e9e26b472d256f6ec1496f

 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

run_tally=1

Note:

The second VPN connects immediately. Because the remote-gw change was made manually, the spoke did two things at the instant of the change:

1. Notified the hub that VPN1 is down.

2. With VPN1 down, VPN2 started negotiating.

VPN1 went down instantly, so VPN2 initiated its connection immediately. In a real failure this may be slower than a manual remote-gw change (depending on the DPD configuration).

Spoke debug output:

Enable debugging and observe:

FGT-2 # diagnose  debug application  ike  -1

Debug messages will be on for 30 minutes.

FGT-2 # diagnose  debug enable

FGT-2 #

FGT-2 # config vpn  ipsec phase1-interface

FGT-2 (phase1-interface) # edit  VPN1

FGT-2 (VPN1) # set remote-gw 1.1.1.3

FGT-2 (VPN1) # end

FGT-2 # ike change cfg 1  interface 0 router 0 certs 0

ike config update start

ike 0: HA role master, HA syncing disabled

ike 0:VPN1: update

ike 0:VPN1: deleting

ike 0:VPN1: flushing

ike 0:VPN1: deleting IPsec SA with SPI 7163a2ad

ike 0:VPN1:VPN1: deleted IPsec SA with SPI 7163a2ad, SA count: 0

ike 0:VPN1: sending SNMP tunnel DOWN trap for VPN1

ike 0:VPN1:91: send IPsec SA delete, spi 63b74d2b

ike 0:VPN1:91: enc 0CC14FDAE092C2A261C7549ED881B4510810050184A75113000000500C000024886A0A251C4A77AEE128F207811B3C7E88C78FCD065968C5B72C712F9D5BBF8500000010000000010304000163B74D2B

ike 0:VPN1:91: out 0CC14FDAE092C2A261C7549ED881B4510810050184A751130000005C3626C0B50CDFF42940413EA01119D45B234EBA57D5A900D23CF42A98E8558CC557D6B2EE727FDD4D72827B9ADCE6CDBD899512566FACD33C4971B6D7F91825FE

ike 0:VPN1:91: sent IKE msg (IPsec SA_DELETE-NOTIFY): 2.2.2.2:500->1.1.1.1:500, len=92, id=0cc14fdae092c2a2/61c7549ed881b451:84a75113

ike 0:VPN1:VPN1: sending SNMP tunnel DOWN trap

ike 0:VPN1: flushed

ike 0:VPN1:91: send IKE SA delete 0cc14fdae092c2a2/61c7549ed881b451

ike 0:VPN1:91: enc 0CC14FDAE092C2A261C7549ED881B45108100501FD9AC2EE0000005C0C0000247E7749B3A2E1AB7F519C433C918BCF65B3F4AFF0D2FC3D8A99D1576BE52171D80000001C00000001011000010CC14FDAE092C2A261C7549ED881B451

ike 0:VPN1:91: out 0CC14FDAE092C2A261C7549ED881B45108100501FD9AC2EE0000006C1DB11B20B362E517A37D4210DBCC927974B25A377CCE46B7954E14DA86EB2AE3B29574CE0CEBC776090F1C68DC2297028B9AB3FBFD9496110223D922E0066CF0C7368C086052B554D2672952492F126C

ike 0:VPN1:91: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 2.2.2.2:500->1.1.1.1:500, len=108, id=0cc14fdae092c2a2/61c7549ed881b451:fd9ac2ee   // ISAKMP SA DELETE-NOTIFY sent to the hub

ike 0:VPN1: deleted

ike 0:VPN1: set oper down // VPN1 tunnel cleared

ike 0:VPN1: schedule auto-negotiate

ike 0:VPN2: schedule auto-negotiate // VPN2 starts negotiating

ike 0:VPN1: address 10.10.11.2 -> 10.10.11.254

ike 0:port3: add interface

ike 0:VPN2: local-addr 3.3.3.2

ike 0:VPN2: oif 6

Other debug output omitted.

5.3  Hub status analysis

The debug shows that the request to delete the VPN1 tunnel arrives first, followed by the request to establish VPN2.

This ordering avoids tunnel conflicts.

[2020/7/23 10:35:32] FGT-1 # diagnose  debug application  ike  -1

[2020/7/23 10:35:32] Debug messages will be on for 30 minutes.

[2020/7/23 10:35:32]

[2020/7/23 10:35:33] FGT-1 # diagnose  debug enable

[2020/7/23 10:35:33]

[2020/7/23 10:35:34] FGT-1 # ike config update start

[2020/7/23 10:35:34] ike 0: HA role master, HA syncing disabled

[2020/7/23 10:35:34] ike 0:dail-up: local-addr 1.1.1.1

[2020/7/23 10:35:34] ike 0:dail-up: oif 4

[2020/7/23 10:35:34] ike config update done

[2020/7/23 10:35:44] ike shrank heap by 159744 bytes

[2020/7/23 10:36:05] ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=4....

[2020/7/23 10:36:05] ike 0: IKEv1 exchange=Informational id=0cc14fdae092c2a2/61c7549ed881b451:84a75113 len=92

[2020/7/23 10:36:05] ike 0: in 0CC14FDAE092C2A261C7549ED881B4510810050184A751130000005C3626C0B50CDFF42940413EA01119D45B234EBA57D5A900D23CF42A98E8558CC557D6B2EE727FDD4D72827B9ADCE6CDBD899512566FACD33C4971B6D7F91825FE

[2020/7/23 10:36:05] ike 0:dail-up_1:15: dec 0CC14FDAE092C2A261C7549ED881B4510810050184A751130000005C0C000024886A0A251C4A77AEE128F207811B3C7E88C78FCD065968C5B72C712F9D5BBF8500000010000000010304000163B74D2BA0EFA0462FEEE6AED6BD920B

[2020/7/23 10:36:05] ike 0:dail-up_1:15: recv IPsec SA delete, spi count 1

[2020/7/23 10:36:05] ike 0:dail-up_1: deleting IPsec SA with SPI 63b74d2b

[2020/7/23 10:36:05] ike 0:dail-up_1:dail-up: deleted IPsec SA with SPI 63b74d2b, SA count: 0

[2020/7/23 10:36:05] ike 0:dail-up:90: del route 10.10.20.0/255.255.255.0 oif dail-up(13) metric 15 priority 0

[2020/7/23 10:36:05] ike 0:dail-up_1: sending SNMP tunnel DOWN trap for dail-up

[2020/7/23 10:36:05] ike 0:dail-up_1:dail-up: delete

[2020/7/23 10:36:05] ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=4....

[2020/7/23 10:36:05] ike 0: IKEv1 exchange=Informational id=0cc14fdae092c2a2/61c7549ed881b451:fd9ac2ee len=108


[2020/7/23 10:36:05] ike 0:dail-up_1:15: recv ISAKMP SA delete 0cc14fdae092c2a2/61c7549ed881b451

[2020/7/23 10:36:05] ike 0:dail-up_1: deleting

[2020/7/23 10:36:05] ike 0:dail-up_1: flushing

[2020/7/23 10:36:05] ike 0:dail-up_1: sending SNMP tunnel DOWN trap

[2020/7/23 10:36:05] ike 0:dail-up_1: flushed

[2020/7/23 10:36:05] ike 0:dail-up_1: delete dynamic

[2020/7/23 10:36:05] ike 0:dail-up_1: deleted

[2020/7/23 10:36:05] ike 0:dail-up: carrier down

[2020/7/23 10:36:06] ike 0: comes 3.3.3.2:500->1.1.1.1:500,ifindex=4....

Other debug output omitted.


6      Scenario 3: while VPN2 is connected, simulate VPN1 suddenly recovering

In this scenario the test shows VPN2 disconnecting and VPN1 taking over.

Spoke and hub status analysis follows.

6.1  Spoke status analysis

The debug shows the VPN1 phase 1 connection established first; VPN2 then disconnects and sends the hub a request to delete the VPN2 connection.

ike 0:VPN1:126: initiator: main mode get 3rd response...

ike 0:VPN1:126: dec 85D9F7B1508D0FED264427F85F04508B05100201000000000000005C0800000C020000007465737400000024116349EA02083BD385EAF0AFC317BCA20D2D6237741682A85227EBF27E9B204E27106AA89035FA6CDBA8124124718A0F

ike 0:VPN1:126: received peer identifier FQDN 'test'

ike 0:VPN1:126: PSK authentication succeeded

ike 0:VPN1:126: authentication OK

ike 0:VPN1:126: established IKE SA 85d9f7b1508d0fed/264427f85f04508b

ike 0:VPN1: set oper up

ike 0:VPN1: schedule auto-negotiate

ike 0:VPN2: set oper down

ike 0:VPN2: deleting

ike 0:VPN2: flushing

ike 0:VPN2: deleting IPsec SA with SPI 7163a2ae

ike 0:VPN2:VPN2: deleted IPsec SA with SPI 7163a2ae, SA count: 0

ike 0:VPN2: sending SNMP tunnel DOWN trap for VPN2

ike 0:VPN2:93: send IPsec SA delete, spi 63b74d2c

ike 0:VPN2:93: enc F55A30EFCC5848668E5D28D5E97396E80810050196D0C9AB000000500C0000241D9236DBF854DE8CC0238F35E69610E8669972CB1D4B5A0531BF793ADFBB428200000010000000010304000163B74D2C

ike 0:VPN2:93: out F55A30EFCC5848668E5D28D5E97396E80810050196D0C9AB0000005CD0034731DE9316169B74CD64BF702D28B7BFB8663A9F210F8012D8CC64CF7271C328B7C909BFC61A678AF1658CBF1A03E882280C7613261433C71A166860486E

ike 0:VPN2:93: sent IKE msg (IPsec SA_DELETE-NOTIFY): 3.3.3.2:500->1.1.1.1:500, len=92, id=f55a30efcc584866/8e5d28d5e97396e8:96d0c9ab

ike 0:VPN2:VPN2: sending SNMP tunnel DOWN trap

ike 0:VPN2: flushed

ike 0:VPN2:93: send IKE SA delete f55a30efcc584866/8e5d28d5e97396e8

ike 0:VPN2:93: enc F55A30EFCC5848668E5D28D5E97396E808100501C730EDE30000005C0C000024A3A0B908CFEE92B9B240FDC066E56083EF9B9A8421B59D107D237445359C49560000001C0000000101100001F55A30EFCC5848668E5D28D5E97396E8

ike 0:VPN2:93: out F55A30EFCC5848668E5D28D5E97396E808100501C730EDE30000006CF59D24BC9BBC0CEA3532EC8249415608FEF69D05DCB36124AEFA162EF59B248F1E0322B39D01D526F0A8E15995A9690E03D1890CCACCBCADEF023D7322F39CA2CF0B6C2CB3F4C626CA119F9EE0CA7F8A

ike 0:VPN2:93: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 3.3.3.2:500->1.1.1.1:500, len=108, id=f55a30efcc584866/8e5d28d5e97396e8:c730ede3

ike 0:VPN2: deleted

ike 0:VPN1:126: no pending Quick-Mode negotiations

ike 0:VPN2: carrier down

ike 0:VPN1: carrier up

6.2  Hub status analysis

VPN1 phase 1 is established first; the hub then receives VPN2's request to delete the VPN2 tunnel, again to avoid VPN conflicts.

ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=4....

ike 0: IKEv1 exchange=Identity Protection id=85d9f7b1508d0fed/264427f85f04508b len=108

ike 0: in 85D9F7B1508D0FED264427F85F04508B05100201000000000000006CD6C6F09CBE02C6BFC1332933CB7BF25EF04A23070C51646956928AC30C0B5638B328B214E678F84BA6111B07598842C302C99ADB83A6644A422B2E5DAEDA941C319B906AF2A45C48EDCD68D0D8E71E61

ike 0:dail-up:17: responder: main mode get 3rd message...

ike 0:dail-up:17: dec 85D9F7B1508D0FED264427F85F04508B05100201000000000000006C0800000F0200000073706F6B652D320B000024F566884B0E469AD753C423F7A55E7617F8B3269C50123E0F91290968711421300000001C000000010110600285D9F7B1508D0FED264427F85F04508B00

ike 0:dail-up:17: received p1 notify type INITIAL-CONTACT

ike 0:dail-up:17: received peer identifier FQDN 'spoke-2'

ike 0:dail-up:17: PSK authentication succeeded

ike 0:dail-up:17: authentication OK

ike 0:dail-up:17: enc 85D9F7B1508D0FED264427F85F04508B05100201000000000000004C0800000C020000007465737400000024116349EA02083BD385EAF0AFC317BCA20D2D6237741682A85227EBF27E9B204E

ike 0:dail-up:17: out 85D9F7B1508D0FED264427F85F04508B05100201000000000000005C4E05A530DB1EB80A2B1F36197E4F5AB764628B10DA03373EC15AE54BC540C11216AAC17E35D7DA4653408AA83BF038CBCCF36A9CABEBF9CA607A9EAFF6AE1F5B

ike 0:dail-up:17: sent IKE msg (ident_r3send): 1.1.1.1:500->2.2.2.2:500, len=92, id=85d9f7b1508d0fed/264427f85f04508b

ike 0:dail-up: adding new dynamic tunnel for 2.2.2.2:500

ike 0:dail-up_1: added new dynamic tunnel for 2.2.2.2:500

ike 0:dail-up_1:17: established IKE SA 85d9f7b1508d0fed/264427f85f04508b

ike 0:dail-up_1:17: processing INITIAL-CONTACT

ike 0:dail-up_1: flushing

ike 0:dail-up_1: flushed

ike 0:dail-up_1:17: processed INITIAL-CONTACT

ike 0:dail-up_1:17: no pending Quick-Mode negotiations

ike 0: comes 3.3.3.2:500->1.1.1.1:500,ifindex=4....

ike 0: IKEv1 exchange=Informational id=f55a30efcc584866/8e5d28d5e97396e8:96d0c9ab len=92

ike 0: in F55A30EFCC5848668E5D28D5E97396E80810050196D0C9AB0000005CD0034731DE9316169B74CD64BF702D28B7BFB8663A9F210F8012D8CC64CF7271C328B7C909BFC61A678AF1658CBF1A03E882280C7613261433C71A166860486E

ike 0:dail-up_0:16: dec F55A30EFCC5848668E5D28D5E97396E80810050196D0C9AB0000005C0C0000241D9236DBF854DE8CC0238F35E69610E8669972CB1D4B5A0531BF793ADFBB428200000010000000010304000163B74D2C0ED085CCB94D23DE0FD5310B

ike 0:dail-up_0:16: recv IPsec SA delete, spi count 1

ike 0:dail-up_0: deleting IPsec SA with SPI 63b74d2c

ike 0:dail-up_0:dail-up: deleted IPsec SA with SPI 63b74d2c, SA count: 0

ike 0:dail-up:91: del route 10.10.20.0/255.255.255.0 oif dail-up(13) metric 15 priority 0

ike 0:dail-up_0: sending SNMP tunnel DOWN trap for dail-up

ike 0:dail-up_0:dail-up: delete

ike 0: comes 3.3.3.2:500->1.1.1.1:500,ifindex=4....

ike 0: IKEv1 exchange=Informational id=f55a30efcc584866/8e5d28d5e97396e8:c730ede3 len=108

ike 0: in F55A30EFCC5848668E5D28D5E97396E808100501C730EDE30000006CF59D24BC9BBC0CEA3532EC8249415608FEF69D05DCB36124AEFA162EF59B248F1E0322B39D01D526F0A8E15995A9690E03D1890CCACCBCADEF023D7322F39CA2CF0B6C2CB3F4C626CA119F9EE0CA7F8A

ike 0:dail-up_0:16: dec F55A30EFCC5848668E5D28D5E97396E808100501C730EDE30000006C0C000024A3A0B908CFEE92B9B240FDC066E56083EF9B9A8421B59D107D237445359C49560000001C0000000101100001F55A30EFCC5848668E5D28D5E97396E8994F5158F00F4714268EEE21F0948A0F

ike 0:dail-up_0:16: recv ISAKMP SA delete f55a30efcc584866/8e5d28d5e97396e8

ike 0:dail-up_0: deleting

ike 0:dail-up_0: flushing

ike 0:dail-up_0: sending SNMP tunnel DOWN trap

7      Scenario 4: simulate a half-dead VPN tunnel and test DPD modes

That is, the hub sees the VPN as down while the spoke still shows it connected.

7.1  Root cause analysis and clarification of the DPD mechanism

Clarification of DPD probe logic and counters:

1.      Each side probes independently. If both spoke and hub are configured on-idle, each probes according to the rule that DPD probes are withheld only while the IPsec tunnel carries traffic in both directions.

2.      The probing side sends R-U-THERE and the receiver replies R-U-THERE-ACK. If the sender receives no R-U-THERE-ACK, that probe counts as a failure. By default, after three failures the tunnel is considered down.

3.      There are two DPD modes, on-idle and on-demand. on-idle: when one direction of the IPsec tunnel carries no traffic (is idle), DPD probes are sent in that direction; probes are withheld only when there is traffic in both directions. Recommended, since it detects a broken tunnel faster. on-demand: probes are sent in a direction only when the tunnel carries traffic in that direction alone; in all other cases (traffic in both directions, or in neither) no DPD probes are sent. Lower bandwidth use and fewer CPU interrupts, but slower to detect a broken tunnel. In practice, on-idle is strongly recommended to avoid half-dead tunnels.

4.      DPD requires both devices to support it. It does not have to be enabled on both ends, but if one end enables it, the peer must be capable of responding for the enabled end's probes to work.

5.      The DPD probe counters are as follows:

FGT-1 # diagnose  vpn ike  gateway  list 

vd: root/0

name: dail-up_1

version: 1

interface: port2 4

addr: 1.1.1.1:500 -> 2.2.2.2:500

created: 1093s ago

IKE SA: created 1/1  established 1/1  time 20/20/20 ms

IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

 id/spi: 17 85d9f7b1508d0fed/264427f85f04508b

 direction: responder

 status: established 1093-1093s ago = 20ms

 proposal: aes128-sha256

 key: 8ad4b434152c6055-7033243bb7f99025

 lifetime/rekey: 86400/85036

     DPD sent/recv: 00000012/00000000

Clarification of the following counters:

DPD sent/recv: 00000012/00000000

Sent counts the R-U-THERE messages sent; 00000012 indicates this end has sent 12 R-U-THERE requests.

The R-U-THERE-ACK replies from the peer cannot currently be observed.

Recv counts the R-U-THERE requests received from the peer, not the peer's R-U-THERE-ACK replies.

The correct reading of these counters is: 12 R-U-THERE requests were sent, and how many replies came back is unknown. Because recv is 00000000, the peer sent no R-U-THERE requests, i.e. the peer did not initiate DPD probing.

Based on the above clarification and the configuration, we now analyse the hub and spoke VPN status.
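To make the difference between the two modes concrete, here is an added simulation (example code written for this page, not FortiGate code) that ticks a tunnel one second at a time with the page's parameters: hub on-idle with dpd-retryinterval 60 / dpd-retrycount 3, spoke on-demand with 20 / 3. The traffic pattern and the second at which the peer dies are constructed inputs; the probe rules follow items 1 to 3 above.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class DpdConfig:
    mode: str           # "on-idle" or "on-demand"
    retryinterval: int  # seconds between probes (dpd-retryinterval)
    retrycount: int     # unanswered probes before the peer is declared dead (dpd-retrycount)


# The two configurations shown on this page: hub (wizard default) and spoke (CLI default).
HUB_DPD = DpdConfig("on-idle", 60, 3)
SPOKE_DPD = DpdConfig("on-demand", 20, 3)


def simulate_dpd(cfg: DpdConfig, peer_dies_at: int, tx_seconds: Set[int],
                 rx_seconds: Set[int], horizon: int) -> Optional[int]:
    """Return the second at which the local end declares the peer dead, or None.

    tx_seconds / rx_seconds: constructed sets of seconds in which the local end
    sends / would receive ESP traffic. From peer_dies_at onward nothing arrives
    and no R-U-THERE-ACK is ever returned (the hub interface is unplugged).
    """
    failures = 0
    last_tx = last_rx = 0            # last second traffic was seen, per direction
    next_probe = cfg.retryinterval   # earliest second a probe may be sent
    for t in range(1, horizon + 1):
        if t in tx_seconds:
            last_tx = t
        if t in rx_seconds and t < peer_dies_at:
            last_rx = t
            failures = 0             # inbound traffic is proof of life
        tx_idle = t - last_tx >= cfg.retryinterval
        rx_idle = t - last_rx >= cfg.retryinterval
        if cfg.mode == "on-idle":
            # Probe whenever either direction is idle; withhold only when both carry traffic.
            probe = tx_idle or rx_idle
        else:
            # on-demand: probe only when we are sending but hear nothing back.
            probe = (not tx_idle) and rx_idle
        if probe and t >= next_probe:
            next_probe = t + cfg.retryinterval
            if t < peer_dies_at:
                failures = 0         # R-U-THERE answered with R-U-THERE-ACK
            else:
                failures += 1
                if failures >= cfg.retrycount:
                    return t         # the "link fail ... dpd=1" moment in the debug output
    return None


def detection_delay(cfg: DpdConfig, peer_dies_at: int, tx_seconds: Set[int],
                    rx_seconds: Set[int], horizon: int = 3600) -> Optional[int]:
    """Seconds between the peer dying and the local end noticing; None means half-dead."""
    declared = simulate_dpd(cfg, peer_dies_at, tx_seconds, rx_seconds, horizon)
    return None if declared is None else declared - peer_dies_at


if __name__ == "__main__":
    quiet = set()                    # stat: rxp=0 txp=0, as in the captures above
    busy = set(range(1, 3600))       # traffic every second until the peer dies
    ping = set(range(300, 400))      # spoke starts pinging across the tunnel at t=300
    print("hub on-idle, quiet tunnel      :", detection_delay(HUB_DPD, 100, quiet, quiet))
    print("hub on-idle, busy tunnel       :", detection_delay(HUB_DPD, 100, busy, busy))
    print("spoke on-demand, quiet tunnel  :", detection_delay(SPOKE_DPD, 100, quiet, quiet))
    print("spoke on-demand, ping at t=300 :", detection_delay(SPOKE_DPD, 100, ping, quiet))
```

With no traffic the on-idle hub notices within three probe intervals, while the on-demand spoke never probes at all until something is sent through the tunnel, which is exactly the half-dead state tested in 7.3 and 7.4.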

7.2  Testing and analysing the half-dead VPN after DPD failure

7.3  Making the VPN go "half-dead"

Note: on the hub, the following DPD configuration is generated automatically:

DPD peer detection mode is on-idle, i.e. periodic probing

dpd-retryinterval   60

dpd-retrycount      3

Spoke:

DPD defaults to the following configuration:

set dpd on-demand

set dpd-retrycount 3

set dpd-retryinterval 20


- Operation: we disconnect the hub FGT1's Port2 interface and leave the spoke untouched.

Observe the VPN status with debug and diagnostic commands.

FGT-1 # diagnose  debug enable

FGT-1 # diagnose  vpn ike  gateway  list 

vd: root/0

name: dail-up_1

version: 1

interface: port2 4

addr: 1.1.1.1:500 -> 2.2.2.2:500

created: 1890s ago

IKE SA: created 1/1  established 1/1  time 20/20/20 ms

IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

 id/spi: 17 85d9f7b1508d0fed/264427f85f04508b

 direction: responder

 status: established 1890-1890s ago = 20ms

 proposal: aes128-sha256

 key: 8ad4b434152c6055-7033243bb7f99025

 lifetime/rekey: 86400/84239

  DPD sent/recv: 0000001f/00000000

FGT-1 # ike shrank heap by 159744 bytes

According to the configuration (three 60-second probe intervals), the hub VPN will be torn down after 3 minutes because of DPD failure.

FGT-1 # ike 0:dail-up_1: link is idle 4 1.1.1.1->2.2.2.2:0 dpd=1 seqno=20 rr=0

ike 0:dail-up_1:17: send IKEv1 DPD probe, seqno 32

ike 0:dail-up_1:17: enc 85D9F7B1508D0FED264427F85F04508B08100501C47700FC000000600B00002423B45E6F8CA57F14FD308F49277EC6FE7AA1589ABF7BCEDD0C93C74C85B3D6B7000000200000000101108D2885D9F7B1508D0FED264427F85F04508B00000020

ike 0:dail-up_1:17: out 85D9F7B1508D0FED264427F85F04508B08100501C47700FC0000006CA657865E85ACB42ACB5827B462FB116C82F8A522CA7FAC79A14F23465FB3E75427BCCD06C7C8BB74B4568B4D5772BCE4D8AC2851CC7E0946FC89BDCC2C595C140590AE185C6EDEADF9E1123B35312BBA

ike 0:dail-up_1:17: could not send IKE Packet(R-U-THERE):1.1.1.1:500->2.2.2.2:500, len=108: error 101:Network is unreachable

FGT-1 # diagnose  vpn ike  gateway  list

vd: root/0

name: dail-up_1

version: 1

interface: port2 4

addr: 1.1.1.1:500 -> 2.2.2.2:500

created: 1982s ago

IKE SA: created 1/1  established 1/1  time 20/20/20 ms

IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

 id/spi: 17 85d9f7b1508d0fed/264427f85f04508b

 direction: responder

 status: established 1982-1982s ago = 20ms

 proposal: aes128-sha256

 key: 8ad4b434152c6055-7033243bb7f99025

 lifetime/rekey: 86400/84147

  DPD sent/recv: 00000020/00000000

FGT-1 # ike 0:dail-up_1: link is idle 4 1.1.1.1->2.2.2.2:0 dpd=1 seqno=20 rr=0

ike 0:dail-up_1:17: send IKEv1 DPD probe, seqno 32

ike 0:dail-up_1:17: enc 85D9F7B1508D0FED264427F85F04508B08100501E9410B70000000600B000024F647FF4E6CB0E9136E6F882DC70C76B31091BFD13A6F0D7D5E90A0DAEEE57AAD000000200000000101108D2885D9F7B1508D0FED264427F85F04508B00000020

ike 0:dail-up_1:17: out 85D9F7B1508D0FED264427F85F04508B08100501E9410B700000006C4985D4617762D63B64AAC09BDF986EF3820109898827B675F1E20C2C5E5BA402C81748670E5DED89DA2F1B087C7357FD07624EC7346352944193D4772C44F7CB30EEFAC445D675510D85EF5DAEF9E0B9

ike 0:dail-up_1:17: could not send IKE Packet(R-U-THERE):1.1.1.1:500->2.2.2.2:500, len=108: error 101:Network is unreachable

FGT-1 # diagnose  vpn ike  gateway  list

vd: root/0

name: dail-up_1

version: 1

interface: port2 4

addr: 1.1.1.1:500 -> 2.2.2.2:500

created: 2027s ago

IKE SA: created 1/1  established 1/1  time 20/20/20 ms

IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

 id/spi: 17 85d9f7b1508d0fed/264427f85f04508b

 direction: responder

 status: established 2027-2027s ago = 20ms

 proposal: aes128-sha256

 key: 8ad4b434152c6055-7033243bb7f99025

 lifetime/rekey: 86400/84102

  DPD sent/recv: 00000020/00000000

FGT-1 # ike 0:dail-up_1: link is idle 4 1.1.1.1->2.2.2.2:0 dpd=1 seqno=20 rr=0

ike 0:dail-up_1:17: send IKEv1 DPD probe, seqno 32

ike 0:dail-up_1:17: enc 85D9F7B1508D0FED264427F85F04508B081005014CB4F0DB000000600B000024712B72847586825B0C534F08CC170DB04249C5630B29949E3DB91431FC11A452000000200000000101108D2885D9F7B1508D0FED264427F85F04508B00000020

ike 0:dail-up_1:17: out 85D9F7B1508D0FED264427F85F04508B081005014CB4F0DB0000006C441E77533E39F65C5B93C47A0E3EB619C94B4AF2D570C920917BCEE05A0F6AC33D2A4DACE6EB90009629F2418891FC88A962FCD66E639DCAEC809D972A6E762E731C1D827E81E09CD88365CD0008523E

ike 0:dail-up_1:17: could not send IKE Packet(R-U-THERE):1.1.1.1:500->2.2.2.2:500, len=108: error 101:Network is unreachable

FGT-1 # diagnose  debug enable

FGT-1 # diagnose  vpn ike  gateway  list

vd: root/0

name: dail-up_1

version: 1

interface: port2 4

addr: 1.1.1.1:500 -> 2.2.2.2:500

created: 2098s ago

IKE SA: created 1/1  established 1/1  time 20/20/20 ms

IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

 id/spi: 17 85d9f7b1508d0fed/264427f85f04508b

 direction: responder

 status: established 2098-2098s ago = 20ms

 proposal: aes128-sha256

 key: 8ad4b434152c6055-7033243bb7f99025

 lifetime/rekey: 86400/84031

  DPD sent/recv: 00000020/00000000

FGT-1 # ike 0:dail-up_1: link fail 4 1.1.1.1->2.2.2.2:0 dpd=1

ike 0:dail-up_1: link down 4 1.1.1.1->2.2.2.2:500

ike 0:dail-up_1: deleting

ike 0:dail-up_1: flushing

ike 0:dail-up_1: deleting IPsec SA with SPI 63b74d2d

ike 0:dail-up_1:dail-up: deleted IPsec SA with SPI 63b74d2d, SA count: 0

ike 0:dail-up:107: del route 10.10.20.0/255.255.255.0 oif dail-up(13) metric 15 priority 0

ike 0:dail-up_1: sending SNMP tunnel DOWN trap for dail-up

ike 0:dail-up_1:dail-up: delete

ike 0:dail-up_1:17: send IPsec SA delete, spi 7163a2af

ike 0:dail-up_1:17: enc 85D9F7B1508D0FED264427F85F04508B08100501A2F67260000000500C000024BFF2165580025CF068476525B105547BB73115C4160B55391459D55A83B3DD690000001000000001030400017163A2AF

ike 0:dail-up_1:17: out 85D9F7B1508D0FED264427F85F04508B08100501A2F672600000005C059A6F290CCECB8B89AE515B0DB3D6C51DA733CBF8FF8B36768A685A07B6810E2D8A8F36B4677609509F44F64974B9C51B121189D1A6EEBCA9C3AF1336451BBC

ike 0:dail-up_1:17: could not send IKE Packet(IPsec SA_DELETE-NOTIFY):1.1.1.1:500->2.2.2.2:500, len=92: error 101:Network is unreachable

ike 0:dail-up_1:dail-up: sending SNMP tunnel DOWN trap

ike 0:dail-up_1: flushed

ike 0:dail-up_1:17: send IKE SA delete 85d9f7b1508d0fed/264427f85f04508b

ike 0:dail-up_1:17: enc 85D9F7B1508D0FED264427F85F04508B08100501B062B2AD0000005C0C00002489EB8FA98B0D871EC15BD1699383D03AA488691A6E6EB3372F2B3958E4AB8D830000001C000000010110000185D9F7B1508D0FED264427F85F04508B

ike 0:dail-up_1:17: out 85D9F7B1508D0FED264427F85F04508B08100501B062B2AD0000006CE5DA1F9A358EFE41B0F9E57A62708818930B85F57CABFF7698F06CFFC647A16DA937161575EBBC97F0F62B8C89A67C23DDFC314044FF74623441AFAB5B592A2D2C95AFC0E229680F01578255052C5665

ike 0:dail-up_1:17: could not send IKE Packet(ISAKMP SA DELETE-NOTIFY):1.1.1.1:500->2.2.2.2:500, len=108: error 101:Network is unreachable

ike 0:dail-up_1: delete dynamic

ike 0:dail-up_1: deleted

ike 0:dail-up: carrier down

After three DPD probe failures the VPN is torn down; the hub-side VPN is now down.

FGT-1 # ike shrank heap by 159744 bytes

diagnose  vpn  ike gateway  list

The event log shows:

date=2020-07-24 time=09:21:41 logid="0101037136" type="event" subtype="vpn" level="error" vd="root" eventtime=1595553701500631182 tz="+0800" logdesc="IPsec DPD failed" msg="IPsec DPD failure" action="dpd" remip=2.2.2.2 locip=1.1.1.1 remport=500 locport=500 outintf="port2" cookies="a62860a5b2f3985d/dcb78413cf2d01fc" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="dail-up_0" status="dpd_failure"

- Spoke status analysis

When the hub tears the tunnel down after DPD failure, the spoke's VPN status is still established: the half-dead state has appeared.

FGT-2 # diagnose  vpn ike gateway 

vd: root/0

name: VPN1

version: 1

interface: port3 5

addr: 2.2.2.2:500 -> 1.1.1.1:500

virtual-interface-addr: 10.10.11.2 -> 10.10.11.254

created: 2303s ago

IKE SA: created 1/1  established 1/1  time 30/30/30 ms

IPsec SA: created 1/1  established 1/1  time 20/20/20 ms

 id/spi: 126 85d9f7b1508d0fed/264427f85f04508b

 direction: initiator

 status: established 2303-2303s ago = 30ms

 proposal: aes128-sha256

 key: 8ad4b434152c6055-7033243bb7f99025

 lifetime/rekey: 86400/83796

  DPD sent/recv: 00000000/0000001f

FGT-2 # diagnose  vpn tunnel  list 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=VPN1 ver=1 serial=1 2.2.2.2:0->1.1.1.1:0 dst_mtu=1500

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=1 olast=342 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=VPN1 proto=0 sa=1 ref=2 serial=1 auto-negotiate

 src: 0:10.10.20.0/255.255.255.0:0

 dst: 0:0.0.0.0/0.0.0.0:0

 SA:  ref=3 options=18225 type=00 soft=0 mtu=1438 expire=40691/0B replaywin=0

      seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

 life: type=01 bytes=0/0 timeout=42897/43200

 dec: spi=63b74d2d esp=aes key=16 548e17d4d2274b657f29e4454c4671a8

      ah=sha1 key=20 cff58c790420cd57188b83b4297f6473e3554df5

 enc: spi=7163a2af esp=aes key=16 fa5e7faea5cd6b0be203db67512ec9d5

      ah=sha1 key=20 edb6b247c7bc8aa0f8ac56fe5d50d655c36a53c0

 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

run_tally=1

Note:

The branch's phase 1 and phase 2 are both still in the established state, so the tunnel is half-dead. Two fields in the output above show why: the gateway entry reports DPD sent/recv: 00000000/0000001f, i.e. the branch has never sent a probe of its own (the non-zero recv count is probes received from the hub while the link was up), and the tunnel entry reports dpd: mode=on-demand together with stat: rxp=0 txp=0, so nothing on the branch ever triggers a probe.

Any traffic the hub itself needs to send to the branch fails at this point: the hub no longer has a tunnel, and the branch has not noticed anything.

7.4  Testing the DPD on-demand mechanism

l  The branch is configured with DPD on-demand, so a probe is only triggered when there is outbound traffic inside the tunnel with no return traffic. As soon as something sends traffic through the tunnel (here: ping the peer's internal IP address), DPD starts working and detects that the VPN is already down. In this test the trigger is manual; in practice, if there is any branch-to-hub traffic, a half-dead tunnel in this scenario recovers on its own because that traffic triggers DPD. In the debug output below the branch sends three R-U-THERE probes 20 s apart (matching idle=20000ms retry=3 in the tunnel list), declares link fail, deletes the IPsec and IKE SAs, and schedules auto-negotiate for both VPN1 and VPN2.

[2020/7/23 11:55:15] ike shrank heap by 159744 bytes

[2020/7/23 11:55:23] ike 0:VPN1: link is idle 5 2.2.2.2->1.1.1.1:0 dpd=2 seqno=1

[2020/7/23 11:55:23] ike 0:VPN1:0: send IKEv1 DPD probe, seqno 1

[2020/7/23 11:55:23] ike 0:VPN1:0: enc F0D77D7E192B11FB54FEF6930904B31A0810050153780425000000600B000024F83BCB9380390D271021D5DDA305F1C04DF086A76F09C3CCA1F78D9443A40F4B000000200000000101108D28F0D77D7E192B11FB54FEF6930904B31A00000001

[2020/7/23 11:55:23] ike 0:VPN1:0: out F0D77D7E192B11FB54FEF6930904B31A08100501537804250000006CEFF5E4B6A24C687353BB5AA6445DCBF6B2F1F6AB6B2C0FE36C9E9AB65DDA40FADC1DD70C28F5012385E91E079E1E2AB179E1C525EA364DD1E18EE18C0090C00CB313949D9A377DA5D5850F726F4A97ED

[2020/7/23 11:55:23] ike 0:VPN1:0: sent IKE msg (R-U-THERE): 2.2.2.2:500->1.1.1.1:500, len=108, id=f0d77d7e192b11fb/54fef6930904b31a:53780425

[2020/7/23 11:55:43] ike 0:VPN1: link is idle 5 2.2.2.2->1.1.1.1:0 dpd=2 seqno=1

[2020/7/23 11:55:43] ike 0:VPN1:0: send IKEv1 DPD probe, seqno 1

[2020/7/23 11:55:43] ike 0:VPN1:0: enc F0D77D7E192B11FB54FEF6930904B31A0810050159A7E922000000600B000024AA9F81F988B97550C03B8BEA9CB5E538496C329650D2C1923C0BD3571B780A2C000000200000000101108D28F0D77D7E192B11FB54FEF6930904B31A00000001

[2020/7/23 11:55:43] ike 0:VPN1:0: out F0D77D7E192B11FB54FEF6930904B31A0810050159A7E9220000006CB02A8282BD26B42A4B58A536621E46D395A855A8E55168F15749E2B8245388FAC0A5A1123AF52C05285894E8838BF8AAC808A7BB0B6FAB69A259726BCF68C3A901B7EE2D91DB44EA5615C69EB506A931

[2020/7/23 11:55:43] ike 0:VPN1:0: sent IKE msg (R-U-THERE): 2.2.2.2:500->1.1.1.1:500, len=108, id=f0d77d7e192b11fb/54fef6930904b31a:59a7e922

[2020/7/23 11:56:03] ike 0:VPN1: link is idle 5 2.2.2.2->1.1.1.1:0 dpd=2 seqno=1

[2020/7/23 11:56:03] ike 0:VPN1:0: send IKEv1 DPD probe, seqno 1

[2020/7/23 11:56:03] ike 0:VPN1:0: enc F0D77D7E192B11FB54FEF6930904B31A081005011E32BBA5000000600B000024933A75F4D804C7C732A2A60EF0A7A78A6495CB2E0ABC95C58977AA0D3D0039FD000000200000000101108D28F0D77D7E192B11FB54FEF6930904B31A00000001

[2020/7/23 11:56:03] ike 0:VPN1:0: out F0D77D7E192B11FB54FEF6930904B31A081005011E32BBA50000006CEA4AE0B44CBB1317EA84F2A6523EA16B0F1577547132B31BC6F47ACCE0ED7B7461A9787581A9D867D408D17AE684512A6DB12510AE28722525CF5CB61DE36C9B06B37DE093CB47FA1BB48ED3DED97C5B

[2020/7/23 11:56:03] ike 0:VPN1:0: sent IKE msg (R-U-THERE): 2.2.2.2:500->1.1.1.1:500, len=108, id=f0d77d7e192b11fb/54fef6930904b31a:1e32bba5

[2020/7/23 11:56:23] ike 0:VPN1: link fail 5 2.2.2.2->1.1.1.1:0 dpd=2

[2020/7/23 11:56:23] ike 0:VPN1: link down 5 2.2.2.2->1.1.1.1:500

[2020/7/23 11:56:23] ike 0:VPN1: deleting

[2020/7/23 11:56:23] ike 0:VPN1: flushing

[2020/7/23 11:56:23] ike 0:VPN1: deleting IPsec SA with SPI 7163a2b0

[2020/7/23 11:56:23] ike 0:VPN1:VPN1: deleted IPsec SA with SPI 7163a2b0, SA count: 0

[2020/7/23 11:56:23] ike 0:VPN1: sending SNMP tunnel DOWN trap for VPN1

[2020/7/23 11:56:23] ike 0:VPN1:0: send IPsec SA delete, spi bdfccac2

[2020/7/23 11:56:23] ike 0:VPN1:0: enc F0D77D7E192B11FB54FEF6930904B31A0810050127E0D50C000000500C000024E8B3C9F742ABC17DBBDDC1FFA24BB498E2A3B050E7B3AAB7F374385F9C19ABC1000000100000000103040001BDFCCAC2

[2020/7/23 11:56:23] ike 0:VPN1:0: out F0D77D7E192B11FB54FEF6930904B31A0810050127E0D50C0000005C52F7329A7908D929C0F89BEF92842C417A6C067A90395E5C37BEFEFCB4F0B7CF325CED79B79814EAFDD50E2B96B39C653800F1037F679EF1495AA6327B53A07E

[2020/7/23 11:56:23] ike 0:VPN1:0: sent IKE msg (IPsec SA_DELETE-NOTIFY): 2.2.2.2:500->1.1.1.1:500, len=92, id=f0d77d7e192b11fb/54fef6930904b31a:27e0d50c

[2020/7/23 11:56:23] ike 0:VPN1:VPN1: sending SNMP tunnel DOWN trap

[2020/7/23 11:56:23] ike 0:VPN1: flushed

[2020/7/23 11:56:23] ike 0:VPN1:0: send IKE SA delete f0d77d7e192b11fb/54fef6930904b31a

[2020/7/23 11:56:23] ike 0:VPN1:0: enc F0D77D7E192B11FB54FEF6930904B31A0810050172A2FF010000005C0C000024C009D0D01AF479DFFA957CC29E9C38D290E45B12DF0830E328604078C773B1570000001C0000000101100001F0D77D7E192B11FB54FEF6930904B31A

[2020/7/23 11:56:23] ike 0:VPN1:0: out F0D77D7E192B11FB54FEF6930904B31A0810050172A2FF010000006C1EBEBF201B6CC9ACB3627462082EEB3432B186D06B16409DA14351A90BC639B2562AD4D13670F194B1CCB345EA2B3A0272995B44A3F48BEE046EDE463419A6DC30589804406093F06758AA98D25F715A

[2020/7/23 11:56:23] ike 0:VPN1:0: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 2.2.2.2:500->1.1.1.1:500, len=108, id=f0d77d7e192b11fb/54fef6930904b31a:72a2ff01

[2020/7/23 11:56:23] ike 0:VPN1: deleted

[2020/7/23 11:56:23] ike 0:VPN1: set oper down

[2020/7/23 11:56:23] ike 0:VPN1: schedule auto-negotiate

[2020/7/23 11:56:23] ike 0:VPN2: schedule auto-negotiate

[2020/7/23 11:56:23] ike 0:VPN1: carrier down
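To make the difference between the two DPD modes concrete, here is an added toy model of the IKEv1 DPD exchange (RFC 3706 R-U-THERE / R-U-THERE-ACK) seen from the branch. It was written for this write-up and is not FortiOS code. The idle time (20 s), retry interval (20 s) and retry count (3) are the branch values visible in the tunnel list and in the probe timestamps above; the rest (one tick per second, a live peer answers in the same tick, a dead peer answers nothing) is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Toy model of IKEv1 DPD in FortiGate's two modes, added for illustration
# (not FortiOS code). Timing model, an assumption of this example: one tick
# per second, a live peer answers any packet in the same tick, a dead peer
# answers nothing. idle/retryinterval/retrycount default to the branch values
# seen in "dpd: mode=on-demand on=1 idle=20000ms retry=3" and in the debug
# log's probe spacing (20 s).


@dataclass
class DpdTunnel:
    mode: str                     # "on-idle" or "on-demand"
    idle: int = 20                # seconds with no inbound traffic before DPD engages
    retryinterval: int = 20       # seconds between R-U-THERE retransmissions
    retrycount: int = 3           # unanswered probes tolerated before teardown
    last_rx: int = 0              # tick of the last packet received from the peer
    last_probe: Optional[int] = None
    unanswered: int = 0           # R-U-THERE sent since the last inbound packet
    pending_tx: bool = False      # outbound data sent and still unanswered
    down_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def receive(self, now: int) -> None:
        """Any packet from the peer (ESP, R-U-THERE-ACK) proves it is alive."""
        self.last_rx = now
        self.unanswered = 0
        self.last_probe = None
        self.pending_tx = False

    def send_data(self) -> None:
        """Branch sends user traffic through the tunnel (e.g. a ping to the hub LAN)."""
        self.pending_tx = True

    def step(self, now: int) -> None:
        """Run the DPD decision for this tick."""
        if self.down_at is not None:
            return
        quiet = now - self.last_rx >= self.idle
        # on-idle probes whenever the link has been quiet for `idle` seconds;
        # on-demand probes only when our own outbound traffic goes unanswered.
        if not quiet or (self.mode == "on-demand" and not self.pending_tx):
            return
        if self.last_probe is not None and now - self.last_probe < self.retryinterval:
            return
        if self.unanswered >= self.retrycount:
            self.down_at = now
            self.log.append(f"{now}s link fail, tearing down IKE and IPsec SAs")
            return
        self.unanswered += 1
        self.last_probe = now
        self.log.append(f"{now}s send R-U-THERE seqno {self.unanswered}")


def simulate(mode: str, peer_dies_at: int, branch_tx_at: Optional[int] = None,
             duration: int = 300) -> DpdTunnel:
    """Branch-side view of a tunnel whose hub silently stops at tick peer_dies_at.

    branch_tx_at: tick at which the branch sends one data packet, or None.
    Returns the tunnel; .down_at is the tick at which the branch declared it
    dead, or None if it still believes the tunnel is established at the end.
    """
    t = DpdTunnel(mode=mode)
    for now in range(1, duration + 1):
        if branch_tx_at == now:
            t.send_data()
        # a live hub answers, in this tick, data sent now or a probe sent last tick
        awaiting_reply = t.pending_tx or t.last_probe == now - 1
        if now < peer_dies_at and awaiting_reply:
            t.receive(now)
        t.step(now)
    return t


if __name__ == "__main__":
    for mode, tx in (("on-idle", None), ("on-demand", None), ("on-demand", 100)):
        t = simulate(mode, peer_dies_at=10, branch_tx_at=tx)
        print(f"{mode:9s} branch_tx_at={tx}: down_at={t.down_at}")
        for entry in t.log:
            print("   ", entry)
```

With the hub dead from t=10 s, the on-idle branch probes at 20, 40 and 60 s and declares link fail at 80 s, the same idle + 3 x retryinterval pattern as the debug log (11:55:23, 11:55:43, 11:56:03, fail at 11:56:23). The on-demand branch with no outbound traffic never probes and keeps reporting the tunnel as established, which is the half-dead state of 7.3; a single data packet at t=100 s starts the probe sequence and the tunnel is torn down 60 s later. With a live hub, the on-idle branch's probes are answered and nothing is ever torn down.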

8      Diagnostic commands

8.1  Observing VPN state

FGT-1 # diagnose  vpn ike  gateway  list    // phase 1 (IKE SA) state

FGT-1 # diagnose  vpn tunnel  list    // phase 2 (IPsec SA) state

Output can be restricted to one VPN by filtering on its name:

diagnose vpn  ike  filter name  VPN2    // only show VPN2

diagnose vpn ike  gateway  list

8.2  Debug commands

diagnose debug  application  ike  -1    // show the VPN negotiation and control messages

diagnose debug  enable

If the hub terminates many VPNs and you need the negotiation of one particular tunnel, filter the debug output.

l  Method 1

Filter on the peer's IP address:

diagnose vpn ike log filter  dst-addr4 2.2.2.2    // only the dial-in from peer 2.2.2.2; dst-addr4 is the VPN peer's IPv4 address

diagnose debug  application  ike  -1

diagnose debug  enable

l  Method 2

Filter on the phase 1 name:

FGT-3 # diagnose  vpn ike log filter  name VPN2    // filter on the phase 1 name

FGT-3 # diagnose  debug application  ike  -1    // select the ike debug

FGT-3 # diagnose  debug enable    // turn debugging on

Clearing the filter:

diagnose vpn   ike  log filter clear

Filtering by name can also pull in negotiation packets that are not yet associated with a VPN name, and a mistyped name simply produces no output at all, so filtering by IP address is recommended as the more precise option.

Turning debugging off:

diagnose debug  disable    // stop debug output

diagnose debug  reset    // reset debug settings

8.3  Bringing a VPN down and triggering negotiation

l  Bring down phase 2:

diagnose vpn tunnel  down <phase2-name> <phase1-name>

l  Bring down phase 1:

FGT-1 # diagnose  vpn ike  filter  dst-addr4 2.2.2.2    // the VPN peer's address

FGT-1 # diagnose  vpn ike   gateway  clear

l  Start phase 2 negotiation:

This first triggers phase 1 negotiation for the VPN, then phase 2.

diagnose vpn  tunnel  up  <phase2-name>  <phase1-name>


Conclusion: for this monitor-based active/standby IPsec VPN design, enable DPD in on-idle mode on both the branch and the hub. Only then does each side detect a dead peer on its own, without waiting for traffic; this prevents the half-dead tunnel seen in scenario 4 and lets VPN2 take over promptly.