
Configuring Cisco Easy VPN with PIX-to-PIX as Server and Client

22 May 2008 - Manual Translation


Contents

Introduction
Before You Begin
     Conventions
     Prerequisites
     Components Used
Configure
     Network Diagram
     Configurations
Verify
     PIX Easy VPN Server show Commands and Sample Output
     PIX Easy VPN Remote Hardware Client show Commands and Sample Output
Troubleshoot
     Easy VPN Server Commands
     Easy VPN Remote Hardware Client Commands
Related Cisco Support Community Discussions
Related Information

Introduction

This document provides a sample configuration for IPSec between a PIX Easy VPN Remote Hardware Client and a PIX Easy VPN Server. The PIX Easy VPN Remote feature was introduced in PIX version 6.2 and is also referred to as the hardware client/EzVPN client. The Cisco Easy VPN Server has been supported since PIX software version 6.0.

Before You Begin

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Prerequisites

Before attempting this configuration, ensure that you meet the following prerequisites.

  • Verify that the PIX Easy VPN Remote Hardware Client is a PIX 501 or PIX 506/506E running PIX software version 6.2 or later.

  • Verify that the Easy VPN Server is a PIX Firewall running PIX software version 6.0 or later.

Components Used

The information in this document is based on the specific hardware and software versions listed below:

  • The PIX Easy VPN Remote Hardware Client is a PIX 501 running PIX software version 6.3(1).

  • The Easy VPN Server is a PIX 515 running PIX software version 6.3(1).

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

This section presents the information needed to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

[Network diagram: easyvpn-pix-01.gif]

Configurations

This document uses the configurations shown below.

PIX Easy VPN Server

pix515# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(1)

!--- Specifies speed and duplex settings.
                  
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

!--- Specifies the split-tunnel list and the "nonat" access list.
                  
access-list 101 permit ip 100.2.2.0 255.255.255.0 100.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500

!--- Defines the IP addresses for the PIX inside and outside interfaces.
                  
ip address outside 10.66.79.76 255.255.255.224
ip address inside 100.2.2.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 100.3.3.1-100.3.3.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400

!--- Configures Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- as well as NAT for IPSec traffic.
                  
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Defines the outside router as the default gateway.
!--- Typically, this is the IP address of the
!--- Internet service provider (ISP) router.
                  
route outside 0.0.0.0 0.0.0.0 10.66.79.66 1
route outside 10.66.79.0 255.255.255.0 10.66.79.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec

!--- Configures the IPSec transform set and the dynamic crypto map.
                  
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Applies the crypto map to the outside interface.
                  
crypto map mymap interface outside

!--- Configures the Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
                  
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Configures the VPNGroup parameters to be sent to the client.
                  
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 100.2.2.2
vpngroup mygroup wins-server 100.2.2.2
vpngroup mygroup default-domain cisco.com
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:67106d7a5a3aa3da0caaeea93b9fc8d6
: end
[OK]
pix515#

PIX Easy VPN Remote Hardware Client

pix501# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(1)

!--- Specifies speed and duplex settings.
                  
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Defines the IP addresses for the PIX inside and outside interfaces.
                  
ip address outside 10.66.79.66 255.255.255.224
ip address inside 100.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

!--- Configures NAT for non-encrypted traffic.
                  
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Defines the outside router as the default gateway.
!--- Typically, this is the IP address of your ISP's router.
                  
route outside 0.0.0.0 0.0.0.0 10.66.79.76 1
route outside 10.66.79.0 255.255.255.0 10.66.79.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0

!--- Defines the Easy VPN Remote parameters.
                  
vpnclient server 10.66.79.76
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********

!--- Enables the VPN Client.
!--- (This automatically initiates the IPSec tunnel to the server.)
                  
vpnclient enable
terminal width 80
Cryptochecksum:b8242b410ad8e3b372018cd1cff77f91
: end
[OK]

Verify

This section provides information you can use to confirm that your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

PIX Easy VPN Server show Commands and Sample Output

  • show crypto isakmp sa - Displays all Internet Key Exchange (IKE) security associations (SAs) at a peer.

    pix515# show crypto isakmp sa
    Total     : 1
    Embryonic : 0
            dst               src        state     pending     created
         10.66.79.76      10.66.79.66    QM_IDLE         0           2
    pix515#
  • show crypto ipsec sa - Displays the IPSec SAs built between the peers.

    pix515# show crypto ipsec sa
                      
    !--- This command was issued after a ping
    !--- was attempted from the PC behind the
    !--- Easy VPN Client to the PC
    !--- behind the server.
                      
    interface: outside
        Crypto map tag: mymap, local addr. 10.66.79.76
    
       local  ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (100.1.1.0/255.255.255.0/0/0)
       current_peer: 10.66.79.66:500
       dynamic allocated peer ip: 0.0.0.0
    
         PERMIT, flags={}
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
    !--- As shown below, the ping packets
    !--- were successfully exchanged between the
    !--- Easy VPN Remote Hardware Client
    !--- and the Easy VPN Server.
                      
         local crypto endpt.: 10.66.79.76, remote crypto endpt.: 10.66.79.66
         path mtu 1500, ipsec overhead 64, media mtu 1500
         current outbound spi: 3a5a28e4
    
         inbound esp sas:
          spi: 0x505c96c6(1348245190)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: mymap
            sa timing: remaining key lifetime (k/sec): (4607999/28471)
            IV size: 16 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x3a5a28e4(978987236)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: mymap
            sa timing: remaining key lifetime (k/sec): (4607999/28471)
            IV size: 16 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    
       local  ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.66.79.66/255.255.255.255/0/0)
       current_peer: 10.66.79.66:500
       dynamic allocated peer ip: 0.0.0.0
    
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 10.66.79.76, remote crypto endpt.: 10.66.79.66
         path mtu 1500, ipsec overhead 64, media mtu 1500
         current outbound spi: 27f378f9
    
         inbound esp sas:
          spi: 0xf2bb4f00(4072361728)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3, crypto map: mymap
            sa timing: remaining key lifetime (k/sec): (4608000/27796)
            IV size: 16 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x27f378f9(670267641)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 4, crypto map: mymap
            sa timing: remaining key lifetime (k/sec): (4608000/27787)
            IV size: 16 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    pix515#

PIX Easy VPN Remote Hardware Client show Commands and Sample Output

  • vpnclient enable - Enables an Easy VPN Remote connection. (In Network Extension Mode (NEM), the tunnel is up even when there is no interesting traffic to be exchanged with the headend Easy VPN Server.)

    pix501(config)# vpnclient enable
                   
  • show crypto isakmp policy - Displays the parameters for each IKE policy.

    pix501# show crypto isakmp policy
    
    Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

    The output of the show crypto isakmp policy command after the hardware client is enabled is shown below.

    pix501(config)# show crypto isakmp policy
    
    Protection suite of priority 65001
         encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65002
         encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65003
         encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65004
         encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65005
         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65006
         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65007
         encryption algorithm:   Three key triple DES
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65008
         encryption algorithm:   Three key triple DES
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65009
         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key with XAUTH
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65010
         encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65011
         encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65012
         encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65013
         encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65014
         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65015
         encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65016
         encryption algorithm:   Three key triple DES
         hash algorithm:         Secure Hash Standard
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65017
         encryption algorithm:   Three key triple DES
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
    Protection suite of priority 65018
         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
         hash algorithm:         Message Digest 5
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
  • show crypto isakmp sa - Displays all IKE SAs at a peer.

    pix501(config)# show crypto isakmp sa
    Total     : 1
    Embryonic : 0
            dst               src        state     pending     created
         10.66.79.76      10.66.79.66    QM_IDLE         0           1
  • show crypto ipsec sa - Displays the IPSec SAs built between the peers.

    pix501(config)# show crypto ipsec sa
                      
    !--- This command was issued after a ping
    !--- was attempted from the PC behind the
    !--- Easy VPN Client to the PC
    !--- behind the server.
                      
    interface: outside
        Crypto map tag: _vpnc_cm, local addr. 10.66.79.66
    
       local  ident (addr/mask/prot/port): (100.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
       current_peer: 10.66.79.76:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0
        #send errors 1, #recv errors 0
    
    !--- As shown below, the ping packets
    !--- were successfully exchanged between the
    !--- PIX Easy VPN Remote Hardware Client
    !--- and the Easy VPN Server.
                      
         local crypto endpt.: 10.66.79.66, remote crypto endpt.: 10.66.79.76
         path mtu 1500, ipsec overhead 64, media mtu 1500
         current outbound spi: 505c96c6
    
         inbound esp sas:
          spi: 0x3a5a28e4(978987236)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 4, crypto map: _vpnc_cm
            sa timing: remaining key lifetime (k/sec): (4607999/28745)
            IV size: 16 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x505c96c6(1348245190)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3, crypto map: _vpnc_cm
            sa timing: remaining key lifetime (k/sec): (4607999/28745)
            IV size: 16 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    
       local  ident (addr/mask/prot/port): (10.66.79.66/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
       current_peer: 10.66.79.76:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 10.66.79.66, remote crypto endpt.: 10.66.79.76
         path mtu 1500, ipsec overhead 64, media mtu 1500
         current outbound spi: f2bb4f00
    
         inbound esp sas:
          spi: 0x27f378f9(670267641)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: _vpnc_cm
            sa timing: remaining key lifetime (k/sec): (4608000/28125)
            IV size: 16 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0xf2bb4f00(4072361728)
            transform: esp-aes esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: _vpnc_cm
            sa timing: remaining key lifetime (k/sec): (4608000/28125)
            IV size: 16 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    pix501(config)#
  • show vpnclient - Displays configuration information for the VPN Client or Easy VPN Remote device.

    pix501(config)# show vpnclient
    LOCAL CONFIGURATION
    vpnclient server 10.66.79.76
    vpnclient mode network-extension-mode
    vpnclient vpngroup mygroup password ********
    vpnclient enable
    
    DOWNLOADED DYNAMIC POLICY
    Current Server                     : 10.66.79.76
    Primary DNS                        : 100.2.2.2
    Primary WINS                       : 100.2.2.2
    Default Domain                     : cisco.com
    PFS Enabled                        : No
    Secure Unit Authentication Enabled : No
    User Authentication Enabled        : No
    Split Networks                     : 100.2.2.0/255.255.255.0
    Backup Servers                     : None
    
    pix501(config)#
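
The following Python script is an added example, not part of the original document: it parses `show crypto ipsec sa` output from both PIX units and automates the comparison made by eye above, checking that each peer's inbound ESP SPI is the other's outbound SPI and that the encaps/decaps counters mirror each other. The function names and the trimmed sample strings are constructed for illustration; the values in them are copied from the outputs above.

```python
import re

# Constructed sample: lines trimmed from the server's "show crypto ipsec sa" above.
SERVER_OUTPUT = """\
   local  ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x505c96c6(1348245190)
     outbound esp sas:
      spi: 0x3a5a28e4(978987236)
   local  ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.66.79.66/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xf2bb4f00(4072361728)
     outbound esp sas:
      spi: 0x27f378f9(670267641)
"""
# Constructed sample: the corresponding lines from the client's output above.
CLIENT_OUTPUT = """\
   local  ident (addr/mask/prot/port): (100.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x3a5a28e4(978987236)
     outbound esp sas:
      spi: 0x505c96c6(1348245190)
   local  ident (addr/mask/prot/port): (10.66.79.66/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (100.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x27f378f9(670267641)
     outbound esp sas:
      spi: 0xf2bb4f00(4072361728)
"""

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")
SECTION = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
SPI = re.compile(r"spi: (0x[0-9a-fA-F]+)")  # "current outbound spi" has no 0x, so it is skipped


def parse_ipsec_sa(text):
    """Return one dict per local/remote ident pair in 'show crypto ipsec sa' output."""
    entries, cur, section = [], None, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local" or cur is None:  # a "local ident" line starts a new entry
                cur, section = {"in_spi": None, "out_spi": None}, None
                entries.append(cur)
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        if cur is None:
            continue
        for name, value in COUNTER.findall(line):
            cur[name.replace("pkts ", "").replace(" ", "_")] = int(value)
        m = SECTION.search(line)
        if m:
            section = m.groups()
        m = SPI.search(line)
        if m and section and section[1] == "esp":
            key = "in_spi" if section[0] == "inbound" else "out_spi"
            cur[key] = int(m.group(1), 16)
    return entries


def check_tunnel(server_text, client_text):
    """Pair each server entry with the mirrored client entry and list findings."""
    client = {(e.get("remote"), e.get("local")): e for e in parse_ipsec_sa(client_text)}
    findings = []
    for s in parse_ipsec_sa(server_text):
        key = (s.get("local"), s.get("remote"))
        c = client.get(key)
        if c is None:
            findings.append((key, "no mirrored SA on client"))
            continue
        if (s["in_spi"], s["out_spi"]) != (c["out_spi"], c["in_spi"]):
            findings.append((key, "SPI mismatch"))
        if s.get("encaps") != c.get("decaps") or s.get("decaps") != c.get("encaps"):
            findings.append((key, "packet counters differ"))
        if not s.get("encaps") and not s.get("decaps"):
            findings.append((key, "SA up, no traffic yet"))
        for side, e in (("server", s), ("client", c)):
            if e.get("send_errors") or e.get("recv_errors"):
                findings.append((key, f"{side} reports send/recv errors"))
    return findings
```

Run against the two outputs on this page, `check_tunnel` reports the client's `#send errors 1` on the 100.2.2.0/100.1.1.0 pair and notes that the second SA pair (for the client's outside address) is up but has carried no packets.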

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

If you have set up the PIX (Easy VPN Remote) and the IOS (Easy VPN Server) as described in this document and you still experience problems, gather the debug output from each PIX and the output of the show commands for analysis by the Cisco Technical Assistance Center (TAC). Refer also to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel or IP Security Troubleshooting - Understanding and Using debug Commands. Enable IPSec debugging on the PIX.

PIX debug commands and sample output are shown below.

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

Easy VPN Server Commands

  • debug crypto ipsec - Shows the IPSec negotiations of Phase 2.

  • debug crypto isakmp - Shows the ISAKMP negotiations of Phase 1.

Sample output is shown below:

pix515(config)#

!--- As soon as the vpnclient enable command
!--- is issued on the remote PIX client,
!--- the server receives an IKE negotiation request.
            
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 192
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 192
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine):
   got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.66.79.66

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 4788683

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256IPSEC(validate_proposal):
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256IPSEC(validate_proposal):
   transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 192IPSEC(validate_proposal):
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 192IPSEC(validate_proposal):
   transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128IPSEC(validate_proposal):
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):
   proposal part #1,
  (key eng. msg.) dest= 10.66.79.76, src= 10.66.79.66,
    dest_proxy= 100.2.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.66.79.66/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4

               !--- Both PIXes accept the policy for IPSec.
            
ISAKMP (0): processing NONCE payload. message ID = 4788683

ISAKMP (0): processing ID payload. message ID = 4788683
ISAKMP (0): ID_IPV4_ADDR src 10.66.79.66 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 4788683
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 100.2.2.0/255.255.255.0 prot 0
   port 0IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf5720496(4117890198) for SA
        from     10.66.79.66 to     10.66.79.76 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from 10.66.79.66 to 10.66.79.76
   (proxy 10.66.79.66 to 100.2.2.0)
        has spi 4117890198 and conn_id 3 and flags 4
        lifetime of 28800 seconds
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 843197376
ISAMKP (0): received DPD_R_U_THERE from peer 10.66.79.66
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1985282089
ISAMKP (0): received DPD_R_U_THERE from peer 10.66.79.66
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.66.79.66,
   dest:10.66.79.76 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1510977390
ISAMKP (0): received DPD_R_U_THERE from peer 10.66.79.66
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
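
As an added example (not part of the original Cisco document), the following Python code parses Quick Mode debug output in the format shown above and reports, for each IPSec proposal, its attributes and whether it was accepted. The function names and the embedded excerpt are constructed for illustration; the excerpt keeps the fused line endings (`256IPSEC(`) that the PIX console produces.

```python
import re

# Constructed sample: a shortened excerpt in the format of the Quick Mode
# debug output above (proposals 1 and 6 only), fused line endings included.
SAMPLE = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256IPSEC(validate_proposal):
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: transform 1, ESP_AES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):
"""

PROPOSAL = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM = re.compile(r"transform \d+, (ESP_\w+|AH_\w+)")
AUTH = re.compile(r"authenticator is (HMAC-\w+)")
KEYLEN = re.compile(r"key length is (\d+)")
VERDICT = re.compile(r"atts (?:are )?(not )?acceptable")

def summarize_phase2(log):
    """Return one dict per IPSec proposal with its attributes and verdict."""
    results, cur = [], None
    for line in log.splitlines():
        if m := PROPOSAL.search(line):
            cur = {"proposal": int(m.group(1)), "accepted": None}
            results.append(cur)
        elif cur is None:
            continue  # Phase 1 (ISAKMP transform) lines are ignored
        elif m := TRANSFORM.search(line):
            cur["transform"] = m.group(1)
        elif m := AUTH.search(line):
            cur["auth"] = m.group(1)
        elif m := KEYLEN.search(line):
            cur["keylen"] = int(m.group(1))
        elif m := VERDICT.search(line):
            cur["accepted"] = m.group(1) is None
            cur = None  # the verdict line closes the current proposal
    return results

def accepted(log):
    """Return only the proposals that the peer accepted."""
    return [p for p in summarize_phase2(log) if p["accepted"]]
```

Run against the full server debug above, this lists proposals 1 through 5 as rejected and proposal 6 (ESP_AES, HMAC-MD5, key length 128) as the one accepted.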

Easy VPN Remote Hardware Client Commands

  • debug crypto ipsec - Displays the IPSec negotiations of Phase 2.

  • debug crypto isakmp - Displays the ISAKMP negotiations of Phase 1.

pix501(config)# vpnclient enable
 (cIoSnAfKigM)P#  (0): ID payload
        next-payload : 13
        type         : 11
        protocol     : 17
        port         : 0
        length       : 11
ISAKMP (0): Total payload length: 15
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:10.66.79.76,
   dest:10.66.79.66 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 65001 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65002 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65003 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65004 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65005 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65006 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65007 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65008 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65009 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP : attributes being requested

crypto_isakmp_process_block:src:10.66.79.76,
   dest:10.66.79.66 spt:500 dpt:500
ISAKMP (0): beginning Quick Mode exchange,
   M-ID of 1112046058:424879eaIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x274d3063(659370083) for SA
        from     10.66.79.76 to     10.66.79.66 for prot 3

crypto_isakmp_process_block:src:10.66.79.76,
   dest:10.66.79.66 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1112046058

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):
   proposal part #1,
  (key eng. msg.) dest= 10.66.79.76, src= 10.66.79.66,
    dest_proxy= 100.2.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.66.79.66/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 1112046058

ISAKMP (0): processing ID payload. message ID = 1112046058
ISAKMP (0): processing ID payload. message ID = 1112046058
ISAKMP (0): Creating IPSec SAs
        inbound SA from 10.66.79.76 to 10.66.79.66
   (proxy 100.2.2.0 to 10.66.79.66)
        has spi 659370083 and conn_id 2 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 10.66.79.66 to 10.66.79.76
   (proxy 10.66.79.66 to 100.2.2.0)
        has spi 264316759 and conn_id 1 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine):
   got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 10.66.79.66, src= 10.66.79.76,
    dest_proxy= 10.66.79.66/255.255.255.255/0/0 (type=1),
    src_proxy= 100.2.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x274d3063(659370083), conn_id= 2, keysize= 128, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 10.66.79.66, dest= 10.66.79.76,
    src_proxy= 10.66.79.66/255.255.255.255/0/0 (type=1),
    dest_proxy= 100.2.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xfc12757(264316759), conn_id= 1, keysize= 128, flags= 0x4

VPN Peer: IPSEC: Peer ip:10.66.79.76/500 Ref cnt incremented to:2
   Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:10.66.79.76/500 Ref cnt incremented to:3
   Total VPN Peers:1
return status is IKMP_NO_ERROR
pix501(config)#
pix501(config)#
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:10.66.79.76,
   dest:10.66.79.66 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 136860646n
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 10.66.79.76

  • debug vpnclient - Displays the negotiations specific to the VPN Client.

pix501(config)# vpnclient enable
pix501(config)# 505: VPNC CFG: transform set unconfig attempt done
506: VPNC CLI: no isakmp keepalive 10
507: VPNC CLI: no isakmp nat-traversal 20
508: VPNC CFG: IKE unconfig successful
509: VPNC CLI: no crypto map _vpnc_cm
510: VPNC CFG: crypto map deletion attempt done
511: VPNC CFG: crypto unconfig successful
512: VPNC CLI: no global (outside) 65001
513: VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
514: VPNC CFG: nat unconfig attempt failed
515: VPNC CLI: no http 100.1.1.1 255.255.255.0 inside
516: VPNC CLI: no http server enable
517: VPNC CLI: no access-list _vpnc_acl
518: VPNC CFG: ACL deletion attempt failed
519: VPNC CLI: no crypto map _vpnc_cm interface outside
520: VPNC CFG: crypto map de/attach failed
521: VPNC CLI: no sysopt connection permit-ipsec
522: VPNC CLI: sysopt connection permit-ipsec
523: VPNC CFG: transform sets configured
524: VPNC CFG: crypto config successful
525: VPNC CLI: isakmp keepalive 10
526: VPNC CLI: isakmp nat-traversal 20
527: VPNC CFG: IKE config successful
528: VPNC CLI: http 100.1.1.1 255.255.255.0 inside
529: VPNC CLI: http server enable
530: VPNC CLI: no access-list _vpnc_acl
531: VPNC CFG: ACL deletion attempt failed
532: VPNC CLI: access-list _vpnc_acl
   permit ip host 10.66.79.66 host 10.66.79.76
533: VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
534: VPNC CFG: crypto map acl update successful
535: VPNC CLI: no crypto map _vpnc_cm interface outside
536: VPNC CLI: crypto map _vpnc_cm interface outside
537: VPNC INF: IKE trigger request done
538: VPNC INF: Constructing policy download req
539: VPNC INF: Packing attributes for policy request
540: VPNC INF: Attributes being requested
541: VPNC ATT: ALT_DEF_DOMAIN: cisco.com
542: VPNC ATT: INTERNAL_IP4_NBNS: 100.2.2.2
543: VPNC ATT: INTERNAL_IP4_DNS: 100.2.2.2
544: VPNC ATT: ALT_SPLIT_INCLUDE
545: VPNC INF:  100.2.2.0/255.255.255.0
546: VPNC ATT: ALT_PFS: 0
547: VPNC ATT: ALT_CFG_SEC_UNIT: 0
548: VPNC ATT: ALT_CFG_USER_AUTH: 0
549: VPNC CLI: no access-list _vpnc_acl
550: VPNC CLI: access-list _vpnc_acl
   permit ip 100.1.1.0 255.255.255.0 100.2.2.0 255.255.255.0
551: VPNC CLI: access-list _vpnc_acl
   permit ip host 10.66.79.66 100.2.2.0 255.255.255.0
552: VPNC CFG: _vpnc_acl ST define done
553: VPNC CFG: Split DNS config attempt done
554: VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
555: VPNC CFG: crypto map acl update successful
556: VPNC CLI: no crypto map _vpnc_cm interface outside
557: VPNC CLI: crypto map _vpnc_cm interface outside
558: VPNC CLI: no global (outside) 65001
559: VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
560: VPNC CFG: nat unconfig attempt failed
561: VPNC CLI: nat (inside) 0 access-list _vpnc_acl
562: VPNC INF: IKE trigger request done

Document ID: 40820