Cisco VPN Complete Configuration Guide


Cisco VPN Complete Configuration Guide
Troubleshooting PIX and ASA Connections
I. ISAKMP/IKE Phase 1 Connections
show isakmp sa [detail]: displays the state of any management connections
show [crypto] isakmp stats: displays statistics for the management connections
show [crypto] isakmp ipsec-over-tcp stats: displays statistics for any IPsec over TCP connections being managed by the management connection
debug crypto isakmp: displays the steps taken to build a management connection, and the steps taken to build data connections through the management connection
debug crypto vpnclient: displays the interaction between the device, acting as an Easy VPN remote, and the Easy VPN server
debug crypto ca [messages | transactions]: displays the interaction between the device and the CA for certificate enrollment and validation
debug crypto engine: displays events related to encryption/decryption problems on the device
clear [crypto] isakmp sa [SA_ID_#]: deletes all management SAs, or deletes one specific management connection by its SA ID number

1. The show isakmp sa command
pix63(config)# show isakmp sa
Total : 1
Embryonic : 0
dst             src             state     pending   created
192.1.1.101     192.1.1.40      QM_IDLE   0         0
pix70(config-general)# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.1.1.40
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
As the examples above show, the output differs between FOS 6.3 and FOS 7.0: in FOS 6.3 an established connection is shown as QM_IDLE, whereas in FOS 7.0 it is shown as MM_ACTIVE or AG_ACTIVE, depending on whether Main Mode or Aggressive Mode was used to build the management connection.

2. The debug crypto isakmp command
In an L2L session, the output looks like this:
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload (1)
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, Received NAT-Traversal ver 03 VID (2)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing IKE SA (3)
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, (4) Transform # 1 acceptable Matches global IKE entry # 2
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ISA_SA for isakmp (5)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ISA_KE
[IKEv1 DEBUG]: IP = 192.1.1.40, processing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received Cisco Unity client VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received DPD VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received xauth V6 VID
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing Cisco Unity VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing xauth V6 VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send IOS VID
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group (6) 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating keys for Responder...
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) + NOTIFY (11) + NONE (0) total length : 112
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID (7)
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, processing hash
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS keep alive payload: proposal=30/10 sec.
[IKEv1 DEBUG]: IP = 192.1.1.40, Starting IOS keepalive monitor: 80 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing Notify payload
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing ID
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, construct hash payload
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing IOS keep alive (8) payload: proposal=32767/32767 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing dpd vid payload
output omitted
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED (9)
[IKEv1]: IP = 192.1.1.40, Keep-alive type for this connection: DPD
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Starting phase 1 rekey timer: 82080000 (ms)
[IKEv1 DECODE]: IP = 192.1.1.40, IKE Responder starting QM: msg id = 4a9a7c8b
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (10) (msgid=4a9a7c8b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
output omitted
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- (11) 192.168.0.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- 192.168.2.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map (12) check, checking map = mymap, seq = 10...
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map check, map mymap, seq = 10 is a successful match
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE Remote Peer configured for SA: mymap
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, processing IPSEC SA
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, IPsec SA (13) Proposal # 1, Transform # 1 acceptable Matches global IPsec SA entry # 10
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE: requesting SPI!
[IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xcc3dcb5a
output omitted
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Transmitting (14) Proxy Id: Remote subnet: 192.168.0.0 Mask 255.255.255.0 Protocol 0 Port 0 Local subnet: 192.168.2.0 mask 255.255.255.0 Protocol 0 Port 0
output omitted
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, loading all (15) IPSEC SAs
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating Quick Mode Key!
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating Quick Mode Key!
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security (16) negotiation complete for LAN-to-LAN Group (192.1.1.40) Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x382e1cb2
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xcc3dcb5a
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Starting P2 Rekey timer to expire in 3420 seconds
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED (17) (msgid=4a9a7c8b)
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Sending (18) keep-alive of type DPD R-U-THERE (seq number 0x3252ed2c)
(1) The Main Mode exchange is starting; no policy has been shared yet, and the peer is still in MM_NO_STATE.
(2) The remote peer is testing whether NAT-T can be used.
(3) The comparison of ISAKMP/IKE policies begins here.
(4) This message indicates that a matching policy has been found.
(5) The management connection is being built.
(6) The peer is associated with the L2L tunnel group 192.1.1.40, and the encryption and hash keys are being generated.
(7) This is where pre-shared key authentication begins.
(8) DPD is being negotiated.
(9) Phase 1 is complete.
(10) Phase 2 begins.
(11) The remote subnet has been received and is being compared with the local subnet.
(12) A matching static crypto map entry is searched for and found.
(13) The device has found a matching transform set for the data connection.
(14) The check for mirrored crypto ACLs is performed.
(15) Keys are generated for the data SAs.
(16) SPIs are assigned to the data SAs.
(17) Phase 2 is complete.
(18) A DPD keepalive is sent to the remote peer of the management connection.

If there is no matching policy in Phase 1, the following is displayed:
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
[IKEv1 DEBUG]: IP = 192.1.1.40, All SA proposals found unacceptable
[IKEv1]: IP = 192.1.1.40, Error processing payload: Payload ID: 1
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE MM Responder FSM error history (struct &0x19f49a0) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA MM:2d31c23f terminating: flags 0x01000002, refcnt 0, tuncnt 0
[IKEv1 DEBUG]: sending delete/delete with reason message
If the pre-shared keys do not match in Phase 1, the following is displayed:

[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
output omitted
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 136
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Duplicate Phase 1 packet detected. Retransmitting last packet.
output omitted
Jun 29 17:39:09 [IKEv1 DEBUG]: sending delete/delete with reason message
output omitted
In a remote-access session:

[IKEv1 DEBUG]: IP = 192.1.1.77, processing SA payload (1)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.77, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
[IKEv1 DEBUG]: IP = 192.1.1.77, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.77, Received Cisco Unity client VID (2)
[IKEv1]: IP = 192.1.1.77, Connection landed on tunnel_group salesgroup
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, processing IKE SA
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, IKE SA (3) Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing ISA_SA for isakmp
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing nonce payload
output omitted
[IKEv1 DEBUG]: Processing MODE_CFG Reply attributes. (4)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: primary DNS = 4.2.2.1
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: secondary DNS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: primary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: secondary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: IP Compression = disabled
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: Split Tunneling Policy = Disabled
[IKEv1]: Group = salesgroup, Username = salesuser, (5) IP = 192.1.1.77, User (salesuser) authenticated.
output omitted
[IKEv1 DEBUG]: Processing cfg Request attributes (6)
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 address!
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 net mask!
[IKEv1 DEBUG]: MODE_CFG: Received request for DNS server address!
[IKEv1 DEBUG]: MODE_CFG: Received request for WINS server address!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received unsupported transaction mode attribute: 5
[IKEv1 DEBUG]: MODE_CFG: Received request for Banner!
[IKEv1 DEBUG]: MODE_CFG: Received request for Save PW setting!
[IKEv1 DEBUG]: MODE_CFG: Received request for Default Domain Name!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split Tunnel List!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split DNS!
[IKEv1 DEBUG]: MODE_CFG: Received request for PFS setting!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received unknown transaction mode attribute: 28683
[IKEv1 DEBUG]: MODE_CFG: Received request for backup ip-sec peer list!
[IKEv1 DEBUG]: MODE_CFG: Received request for Application (7) Version!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Client Type: WinNT Client Application Version: 4.6.01.0019
[IKEv1 DEBUG]: MODE_CFG: Received request for FWTYPE!
[IKEv1 DEBUG]: MODE_CFG: Received request for DHCP hostname for DDNS is: i7500!
[IKEv1 DEBUG]: MODE_CFG: Received request for UDP Port!
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, (8) IP = 192.1.1.77, constructing blank hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message (msgid=e9f26b16) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 170
[IKEv1 DECODE]: IP = 192.1.1.77, IKE Responder starting QM: msg id = d9fcc34b
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
[IKEv1]: Group = salesgroup, Username = salesuser, (9) IP = 192.1.1.77, PHASE 1 COMPLETED
output omitted
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, (10) IP = 192.1.1.77, constructing blank hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message (msgid=3b776e14) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
[IKEv1]: IP = 192.1.1.77, IKE DECODE RECEIVED Message (msgid=d9fcc34b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing SA payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing nonce payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.168.2.200 (11)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received remote Proxy Host data in ID Payload: Address 192.168.2.200, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- 0.0.0.0--0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr (12)
[IKEv1]: Group = salesgroup, Username = salesuser, (13) IP = 192.1.1.77, Static Crypto Map check, checking map = mymap, seq = 10...
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.2.200 dst:0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, (14) IP = 192.1.1.77, IKE Remote Peer configured for SA: dynmap
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing IPSEC SA
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, (15) IP = 192.1.1.77, IPsec SA Proposal # 11, Transform # 1 acceptable Matches global IPsec SA entry # 1
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, (16) IP = 192.1.1.77, Overriding Initiator's IPsec rekeying duration from 2147483 to 28800 seconds
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, (17) IP = 192.1.1.77, Security negotiation complete for User (salesuser) Responder, Inbound SPI = 0x46ffd888, Outbound SPI = 0xfc4dd2f3
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0xfc4dd2f3
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0x46ffd888
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, (18) IP = 192.1.1.77, Adding static route for client address: 192.168.2.200
[IKEv1]: Group = salesgroup, Username = salesuser, (19) IP = 192.1.1.77, PHASE 2 COMPLETED (msgid=d9fcc34b)
output omitted
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, (20) IP = 192.1.1.77, Received keep-alive of type DPD R-U-THERE (seq number 0xa780a31f)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa780a31f)
output omitted
(1) The remote device initiates a session to the device.
(2) The remote device sends its identity type, and the group it wants to connect to, to the server.
(3) A matching Phase 1 policy is found: the remote device's policy 5 matches a policy on the server.
(4) With the remote device's IKE policy found, the device determines the parameters associated with it.
(5) Group authentication succeeds.
(6) The remote device sends an IKE Mode Config request for the policies defined for the group.
(7) During IKE Mode Config, the device learns the client type and version.
(8) The server sends back the IKE Mode Config parameters.
(9) ISAKMP/IKE Phase 1 is complete.
(10) Quick Mode starts the policy exchange.
(11) The client's internal address is 192.168.2.200; the proxy information it sends indicates that all of its traffic is to be protected.
(12) A check is performed to determine that the client is not reconnecting.
(13) The device compares the proxy information with its first crypto map entry and finds that it does not match this entry.
(14) The device compares the proxy information with its second crypto map entry, which is a dynamic crypto map for remote-access users.
(15) A matching transform set is found.
(16) The data SA lifetimes differ on the two devices, so the lower value is negotiated.
(17) The two IPsec data SAs are built and SPIs are assigned.
(18) Because RRI is enabled, a static route for the remote device's internal address is added to the server's local routing table.
(19) Because DPD was negotiated in Phase 1, DPD now takes place.
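As an added example, not code from the original page or from Cisco, the following Python walks one peer's debug crypto isakmp output and turns the signatures shown above (PHASE 1/2 COMPLETED, the tunnel-group line, the Quick Mode proxy IDs, the SPIs, "All SA proposals found unacceptable" and "mismatched pre-shared key") into a short triage summary. The sample lines are constructed from the chapter's output and the verdict names are my own.

```python
import re

# Constructed sample lines modelled on the FOS 7.0 "debug crypto isakmp" output
# shown in this chapter (L2L tunnel up, Phase 1 policy mismatch, PSK mismatch).
L2L_UP = """\
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group 192.1.1.40
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- 192.168.0.0--255.255.255.0
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- 192.168.2.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE Remote Peer configured for SA: mymap
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security negotiation complete for LAN-to-LAN Group (192.1.1.40) Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED (msgid=4a9a7c8b)
"""
POLICY_MISMATCH = """\
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload
[IKEv1 DEBUG]: IP = 192.1.1.40, All SA proposals found unacceptable
[IKEv1]: IP = 192.1.1.40, Error processing payload: Payload ID: 1
"""
PSK_MISMATCH = """\
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
"""

# Failure signatures quoted from the chapter's debug output; the first hit wins.
FAILURE_SIGNATURES = (
    ("All SA proposals found unacceptable", "phase1-policy-mismatch"),
    ("mismatched pre-shared key", "phase1-psk-mismatch"),
)
RX_PEER = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
RX_GROUP = re.compile(r"Connection landed on tunnel_group (\S+)")
RX_PROXY = re.compile(r"ID_IPV4_ADDR(?:_SUBNET)? ID received(?:--)?\s*(\S+)")
RX_MAP = re.compile(r"IKE Remote Peer configured for SA: (\S+)")
RX_SPI = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")


def triage_isakmp(debug_text):
    """Summarise one peer's negotiation: how far it got, which tunnel group and
    crypto map it landed on, the Phase 2 proxy IDs and SPIs, and a verdict."""
    r = {"peer": None, "tunnel_group": None, "crypto_map": None, "proxy_ids": [],
         "phase1": False, "phase2": False, "spi_in": None, "spi_out": None, "verdict": None}
    for line in debug_text.splitlines():
        if r["peer"] is None and (m := RX_PEER.search(line)):
            r["peer"] = m.group(1)
        if m := RX_GROUP.search(line):
            r["tunnel_group"] = m.group(1)
        if m := RX_MAP.search(line):
            r["crypto_map"] = m.group(1)
        if m := RX_SPI.search(line):
            r["spi_in"], r["spi_out"] = m.groups()
        # ID payloads seen after Phase 1 are Quick Mode proxy IDs (the crypto ACL
        # entries); the one seen during Phase 1 is the peer's own identity.
        if r["phase1"] and (m := RX_PROXY.search(line)):
            r["proxy_ids"].append(m.group(1))
        r["phase1"] = r["phase1"] or "PHASE 1 COMPLETED" in line
        r["phase2"] = r["phase2"] or "PHASE 2 COMPLETED" in line
        for needle, verdict in FAILURE_SIGNATURES:
            if needle in line and r["verdict"] is None:
                r["verdict"] = verdict
    if r["verdict"] is None:
        if r["phase2"]:
            r["verdict"] = "tunnel-up"
        elif r["phase1"]:
            r["verdict"] = "phase1-only"        # management SA up, no data SA yet
        else:
            r["verdict"] = "phase1-incomplete"
    return r
```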

3. The debug crypto vpnclient command
The debug crypto vpnclient command can be used to troubleshoot client-specific configuration and connection-establishment problems.

Below is a remote-access connection from an Easy VPN remote device running FOS 6.3.

VPNC CFG: transform set unconfig attempt done (1)
VPNC CLI: no isakmp keepalive 10 5
VPNC CLI: no isakmp nat-traversal 20
VPNC CFG: IKE unconfig successful
VPNC CLI: no crypto map _vpnc_cm
VPNC CFG: crypto map deletion attempt done
VPNC CFG: crypto unconfig successful
VPNC CLI: no global (outside) 65001
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: no http 192.168.3.1 255.255.255.0 inside
VPNC CLI: no http server enable
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CFG: crypto map de/attach failed
VPNC CFG: transform sets configured (2)
VPNC CFG: crypto config successful
VPNC CLI: isakmp keepalive 10 5
VPNC CLI: isakmp nat-traversal 20
VPNC CFG: IKE config successful
VPNC CLI: http 192.168.3.1 255.255.255.0 inside
VPNC CLI: http server enable
VPNC CLI: aaa-server _vpnc_nwp_server protocol tacacs+
VPNC CLI: aaa-server _vpnc_nwp_server (outside) host 192.1.1.100
VPNC CLI: access-list _vpnc_nwp_acl permit ip any any
VPNC CLI: aaa authentication match _vpnc_nwp_acl outbound _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 (3) host 192.1.1.100
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC INF: IKE trigger request done (4)
VPNC INF: Constructing policy download req
VPNC INF: Packing attributes for policy request
VPNC INF: Attributes being requested
VPNC ATT: INTERNAL_IP4_DNS: 4.2.2.1
VPNC ATT: ALT_PFS: 0
VPNC INF: Received application version 'Cisco Systems, Inc (5) PIX-515 Version 7.0(1) built by builders on Thu 31-Mar-05 14:37'
VPNC ATT: ALT_CFG_SEC_UNIT: 0
VPNC ATT: ALT_CFG_USER_AUTH: 0
VPNC CLI: no aaa authentication match _vpnc_nwp_acl outbound _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_nwp_acl permit ip any any
VPNC CLI: no aaa-server _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_acl
VPNC CLI: access-list _vpnc_acl permit ip (6) 192.168.3.0 255.255.255.0 any
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 any
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 host 192.1.1.100
VPNC CFG: _vpnc_acl no ST define done
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC CLI: no global (outside) 65001 (7)
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: nat (inside) 0 access-list _vpnc_acl
VPNC INF: IKE trigger request done (8)
output omitted
(1) The VPN remote function is being started on the PIX for the first time, so the PIX first removes any VPN commands that could cause conflicts.
(2) After attempting to clear all related VPN commands, the remote device then configures the VPN commands it needs.
(3) An ACL is built to permit communication between the PIX and the Easy VPN server.
(4) The PIX remote initiates the connection to the server and sends its policy request.
(5) The server is a PIX 515E running FOS 7.0.
(6) The server's split-tunneling policy is applied.
(7) Based on the split-tunneling policy, the appropriate address translation policy is configured.
(8) The tunnel to the server is now established.
II. ISAKMP/IKE Phase 2 Connections
show crypto engine [verify]: displays utilization statistics for the device's crypto engine
show crypto interface [counters]: displays the VAC/VAC+ card installed in the device
show crypto accelerator statistics: displays statistics for the VAC/VAC+ card installed in the device
show crypto protocol statistics {ikev1 | ipsec}: displays general traffic statistics for the management or data connections
show [crypto] ipsec sa: displays the data SAs built between two IPsec peers, along with their connection components and packet statistics
debug crypto isakmp: displays the steps taken to build the management connection and to build data connections through it
debug crypto ipsec: displays the actual building of the two unidirectional data SAs between the two peers
clear crypto [ipsec] sa [counters | map map_name | peer IP_address | entry IP_address {ah | esp} SPI_#]: clears the data SAs or their statistics
The debug crypto ipsec command
This command is used to check the building of data connections between peers. Below, an IPsec data SA is built successfully on an FOS 6.3 device.
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP (1)
IPSEC(key_engine_delete_sas): delete all SAs shared with 192.1.1.40
IPSEC(validate_proposal_request): proposal part #1, (2)
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xffc3de48(4291026504) for SA (3) from 192.1.1.40 to 192.1.1.101 for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): , (4)
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xffc3de48(4291026504), conn_id= 2, keysize= 128, flags= 0x4
IPSEC(initialize_sas): , (5)
(key eng. msg.) src= 192.1.1.101, dest= 192.1.1.40,
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x378ef8b8(932116664), conn_id= 1, keysize= 128, flags= 0x4
(1) Before new data SAs are added between the two peers, any existing data SAs are deleted.
(2) A matching transform set and crypto ACL have been found.
(3) An SPI value is assigned for the SA from the remote peer to the local device.
(4) The SA from the local device to the remote peer is initialized and assigned an SPI value.
(5) The SA from the remote peer to the local device is initialized.

An example of a mismatched transform set:
ISAKMP (0): processing SA payload. message ID = 2686916944
ISAKMP : Checking IPsec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
output omitted
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 192.1.1.40
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
An example of a mismatched crypto ACL:
ISAKMP (0): processing SA payload. message ID = 2620452987
ISAKMP : Checking IPsec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPsec policy invalidated proposal
ISAKMP (0): SA not acceptable!
output omitted
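As an added example, not code from the original page or from Cisco, the following Python parses the multi-line "(key eng. msg.)" records of debug crypto ipsec into one dict per proposal or installed SA, and maps the two Phase 2 failure signatures shown above ("transform proposal (...) not supported" and "proxy identities not supported") to a verdict. The samples are constructed from the chapter's output and the verdict names are my own.

```python
import re

# Constructed samples modelled on the FOS 6.3 "debug crypto ipsec" output in this
# chapter (successful SA build, transform-set mismatch, crypto ACL mismatch).
SA_BUILT = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xffc3de48(4291026504), conn_id= 2, keysize= 128, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 192.1.1.101, dest= 192.1.1.40,
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x378ef8b8(932116664), conn_id= 1, keysize= 128, flags= 0x4
"""
TRANSFORM_MISMATCH = """\
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): SA not acceptable!
"""
ACL_MISMATCH = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
IPSEC(validate_transform_proposal): proxy identities not supported
"""

RX_EVENT = re.compile(r"^IPSEC\((\w+)\)")
RX_KV = re.compile(r"(\w+)=\s*(.*?)\s*(?:,|$)")   # "key= value," pairs; values may contain spaces
RX_XFORM_FAIL = re.compile(r"transform proposal \(.*?\) not supported")


def parse_ipsec_debug(text):
    # One dict per "(key eng. msg.)" block, tagged with the IPSEC(event) that produced it.
    records, current, event = [], None, None
    for line in text.splitlines():
        if m := RX_EVENT.match(line):
            event, current = m.group(1), None
        elif line.startswith("(key eng. msg.)"):
            current = {"event": event}
            records.append(current)
        if current is not None and "=" in line:
            current.update(RX_KV.findall(line))
    return records


def installed_sas(records):
    # The key engine installs an SA only on initialize_sas with a real SPI;
    # the validate_proposal_request record always carries spi= 0x0(0).
    return [r for r in records
            if r["event"] == "initialize_sas" and not r.get("spi", "0x0(0)").startswith("0x0(")]


def spi_value(sa):
    # "0xffc3de48(4291026504)" -> 4291026504; the hex part is authoritative.
    return int(sa["spi"].split("(")[0], 16)


def diagnose(text):
    # Map the chapter's failure signatures to a verdict; the order matters because
    # the proxy-ID failure line also contains the words "not supported".
    if RX_XFORM_FAIL.search(text):
        return "transform-set-mismatch"      # no common ESP/AH transform set
    if "proxy identities not supported" in text:
        return "crypto-acl-mismatch"         # crypto ACLs are not mirror images
    return "data-sas-installed" if installed_sas(parse_ipsec_debug(text)) else "no-data-sa"
```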
The above are some of the states seen on an ASA while a VPN connection is being built. In a real environment there are many more states, so pay close attention to the sequence of a correctly established connection.

This concludes today's discussion of VPN configuration issues. It draws on the book The Complete Cisco VPN Configuration Guide; many thanks to its author, Richard Deal.
