PIX/ASA 7.x Enhanced Spoke-to-Client VPN with TACACS+ Authentication Configuration Example

October 27, 2016 (machine translation of the English original dated August 22, 2015)




Introduction

This document describes how to configure a LAN-to-LAN session between PIX Security Appliances and how to let VPN Clients reach the spoke network (PIX3) through the hub (PIX1) while the VPN users are authenticated by TACACS+ with Cisco Secure ACS for Windows. It also shows a static LAN-to-LAN tunnel configured alongside VPN Client-to-spoke connectivity through the hub PIX Security Appliance. PIX version 7.0 improves support for spoke-to-spoke VPN communication: it allows encrypted traffic to enter and leave the same interface.

The same-security-traffic command with the intra-interface keyword enables spoke-to-spoke VPN support by allowing traffic to enter and exit the same interface. Refer to the Permitting Intra-Interface Traffic section of the Cisco Security Appliance Command Line Configuration Guide for more information.

Note: To avoid overlapping IP addresses in the network, assign a completely different pool of IP addresses to the VPN Clients (for example, 10.x.x.x, 172.16.x.x, or 192.168.x.x). A distinct addressing scheme also makes the network easier to troubleshoot.

Note: In PIX version 7.2 and later, the intra-interface keyword allows all traffic, not only IPsec traffic, to enter and exit the same interface.

Note: This document covers PIX/ASA 7.x configurations. Refer to Configuring IPSec Between Hub and Remote PIXes with VPN Client and Extended Authentication for PIX 6.x configurations.

Refer to PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example for the scenario where the hub PIX redirects traffic from the VPN Client to the Internet.

Refer to IPsec Tunnel between PIX 7.x and VPN 3000 Concentrator Configuration Example for the scenario where a LAN-to-LAN tunnel is configured between a PIX and a Cisco VPN Concentrator.

Refer to PIX/ASA 7.x Security Appliance to an IOS Router LAN-to-LAN IPsec Tunnel Configuration Example for the scenario where a LAN-to-LAN tunnel is configured between a PIX/ASA and a Cisco IOS router.

Prerequisites

Requirements

The hub PIX Security Appliance must run version 7.0 or later.

Note: Refer to Upgrading Cisco PIX 6.2 or 6.3 to Cisco PIX Software Version 7.0 for details on how to upgrade the PIX Security Appliance to version 7.0.

Components Used

The information in this document is based on these software and hardware versions:

  • PIX 515 version 7.0.1 (PIX1)

  • VPN Client version 4.6.02.0011

  • PIX 515 version 6.3.4 (PIX3)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information you need to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Note: For a PIX Security Appliance 7.x LAN-to-LAN (L2L) VPN configuration, the <name> of the tunnel group in the tunnel-group <name> type ipsec-l2l command must be the IP address of the remote peer; the security appliance uses it to create and manage the database of connection-specific records for IPsec.

Network Diagram

This document uses this network setup:

/image/gif/paws/64693/pix70-enh-spk-client-vpn-11.gif

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses, which are used in a lab environment.

Configurations

This document uses these configurations:

PIX1
PIX Version 7.0(1) 
no names
!
interface Ethernet0
nameif outside
security-level 0
ip address 172.18.124.170 255.255.255.0 
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
interface Ethernet3
shutdown
nameif intf3
security-level 6
no ip address
!
interface Ethernet4
shutdown
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
shutdown
nameif intf5
security-level 10
no ip address
!
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname PIX1
domain-name cisco.com
boot system flash:/image.bin
ftp mode passive

!--- Command to permit IPsec traffic to enter and exit the same interface.

same-security-traffic permit intra-interface


!--- Access-list for interesting traffic to be encrypted between 
!--- the hub (PIX1) and spoke (PIX3) networks.

access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.11.10.0 255.255.255.0


!--- Access-list for interesting traffic to be encrypted 
!--- between the VPN Client networks and spoke (PIX3) networks. 

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 10.11.10.0 255.255.255.0


!--- Access-list for interesting traffic to bypass the 
!--- Network Address Translation (NAT) process.

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.11.10.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0


!--- Standard access-list to allow split-tunnel for the VPN Clients.
 
access-list splittunnel standard permit 10.10.10.0 255.255.255.0 
access-list splittunnel standard permit 10.11.10.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500


!--- Address pool for the VPN Clients.

ip local pool vpnpool 192.168.10.1-192.168.10.254
no failover
monitor-interface outside
monitor-interface inside
monitor-interface intf2
monitor-interface intf3
monitor-interface intf4
monitor-interface intf5
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface


!--- Bypass NAT process for IPsec traffic.

nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius


!--- Configuration of TACACS+ server on the inside interface with server 
!--- tag name as mytacacs. The key (key123) is stored in clear text in the
!--- running configuration and must match the key entered for this AAA
!--- client in Cisco Secure ACS.

aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.10.10.100 key123 timeout 5



!--- Configuration of group-policy for VPN Clients.

group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20

!--- See Note 2.



!--- Enable and bind split-tunnel parameters to the group-policy.

split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
no snmp-server location
no snmp-server contact
!--- Lab default: the community string public is well known.
!--- Change it, or remove SNMP if it is not used.

snmp-server community public
snmp-server enable traps snmp


!--- Configuration of IPsec Phase 2.

crypto ipsec transform-set myset esp-3des esp-sha-hmac 


!--- Crypto map configuration for VPN Clients that connect to this PIX.

crypto dynamic-map rtpdynmap 20 set transform-set myset


!--- Crypto map configuration for a static LAN-to-LAN tunnel.

crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.20.77.10 
crypto map mymap 10 set transform-set myset


!--- Binding the dynamic map to the crypto map process.

crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap


!--- Crypto map applied to the outside interface.

crypto map mymap interface outside
isakmp identity address 
isakmp enable outside


!--- Configuration of Internet Security Association and Key Management 
!--- Protocol (ISAKMP) policy. Policy 10 (pre-shared key, 3DES, MD5,
!--- DH group 2) matches the ISAKMP policy on PIX3; these are legacy
!--- algorithms, which is what the PIX 6.3 spoke can negotiate.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp disconnect-notify
telnet timeout 5
!--- Lab setting: SSH is accepted from any source on the outside interface
!--- and SSH version 1 is selected. Restrict the source addresses and use
!--- ssh version 2 outside a lab.

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
!--- Default remote-access tunnel group. authentication-server-group none
!--- disables XAUTH user authentication for any client that lands in this
!--- group, so only the rtptacvpn group name below should be given to users.

tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *


!--- Configuration of tunnel-group for the static LAN-to-LAN tunnel.
!--- See the second note in the Configure section
!--- of this document in order to configure tunnel-group.
!--- The tunnel group name must be the IP address of the remote peer.

tunnel-group 172.20.77.10 type ipsec-l2l
tunnel-group 172.20.77.10 ipsec-attributes


!--- Configuration of a pre-shared key for the static LAN-to-LAN tunnel.

pre-shared-key *


!--- Configuration of tunnel-group with group information for VPN Clients.

tunnel-group rtptacvpn type ipsec-ra


!--- Configuration of group parameters for the VPN Clients.

tunnel-group rtptacvpn general-attributes
address-pool vpnpool


!--- Enable user authentication.

authentication-server-group mytacacs
authorization-server-group LOCAL


!--- Bind group-policy parameters to the tunnel-group for VPN Clients.

default-group-policy clientgroup
tunnel-group rtptacvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect http 
inspect netbios 
inspect rsh 
inspect rtsp 
inspect skinny 
inspect esmtp 
inspect sqlnet 
inspect sunrpc 
inspect tftp 
inspect sip 
inspect xdmcp 
!
service-policy global_policy global
Cryptochecksum:646541da0da9a4c764effd2e05633018
: end

Note 1: The sysopt connection permit-ipsec command must be configured in order to permit all inbound IPsec authenticated cipher sessions. In PIX 7.0 the sysopt commands do not appear in the running configuration. Issue the show running-config sysopt command in order to verify that sysopt connection permit-ipsec is enabled.

Note 2: Configure this in the group-policy section of the PIX in order to enable VPN Clients to connect through IPsec over User Datagram Protocol (UDP):

group-policy clientgroup attributes
vpn-idle-timeout 20
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel

Note 3: Configure this command in global configuration on the PIX in order to enable VPN Clients to connect through IPsec over TCP:

isakmp ipsec-over-tcp port 10000

PIX3
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX3
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Access-list for the encryption of traffic 
!--- between PIX3 and PIX1 networks.

access-list 100 permit ip 10.11.10.0 255.255.255.0 10.10.10.0 255.255.255.0


!--- Access-list for the encryption of traffic 
!--- between the PIX3 network and the VPN Client address pool.

access-list 100 permit ip 10.11.10.0 255.255.255.0 192.168.10.0 255.255.255.0 


!--- Access-list used to bypass the NAT process.

access-list nonat permit ip 10.11.10.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat permit ip 10.11.10.0 255.255.255.0 192.168.10.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.20.77.10 255.255.0.0
ip address inside 10.11.10.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface


!--- Bind ACL nonat to the NAT statement 
!--- in order to avoid NAT on the IPsec packets.

nat (inside) 0 access-list nonat
nat (inside) 1 10.11.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.20.77.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Permits all inbound IPsec authenticated cipher sessions.

sysopt connection permit-ipsec


!--- Defines IPsec encryption and authentication algorithms.

crypto ipsec transform-set myset esp-3des esp-sha-hmac


!--- Defines crypto map.
 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset


!--- Apply crypto map on the outside interface.

crypto map mymap interface outside
isakmp enable outside


!--- Defines the pre-shared secret key used for Internet Key Exchange (IKE) authentication.
!--- netmask 255.255.255.0 makes this key valid for any peer in 172.18.124.0/24;
!--- use netmask 255.255.255.255 to bind it to the hub address alone.

isakmp key ******** address 172.18.124.170 netmask 255.255.255.0 no-xauth 
isakmp identity address


!--- Defines the ISAKMP policy. 

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
!--- Lab setting: SSH is accepted from any source on the outside interface.
!--- Restrict the source addresses outside a lab.

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cb5c245112db607e3a9a85328d1295db
: end
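The two configurations above only work together if four relationships hold: the hub and spoke crypto ACLs are mirror images of each other, each side's nat 0 ACL exempts the inside-sourced encryption domain, the VPN Client pool falls inside a spoke crypto ACL destination (otherwise hairpinned client traffic never matches the spoke's ACL), and the hub's split-tunnel list contains the spoke LAN. The Python script below, added here as a worked example and not part of the Cisco document, checks those four properties over the access-list and pool lines copied from PIX1 and PIX3 above; the inside-network arguments are assumed from the network diagram.

```python
import ipaddress
import re

# access-list and pool lines copied from the PIX1 (hub) configuration above.
HUB_CONFIG = """
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.11.10.0 255.255.255.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 10.11.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.11.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 10.10.10.0 255.255.255.0
access-list splittunnel standard permit 10.11.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.254
"""

# access-list lines copied from the PIX3 (spoke) configuration above.
SPOKE_CONFIG = """
access-list 100 permit ip 10.11.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.11.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.11.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.11.10.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

EXT_ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_ACE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (extended ACLs as {name: [(src, dst)]}, standard ACLs as {name: [net]}, pool networks)."""
    ext, std, pool = {}, {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = EXT_ACE.match(line)
        if m:
            name, sa, sm, da, dm = m.groups()
            ext.setdefault(name, []).append((net(sa, sm), net(da, dm)))
            continue
        m = STD_ACE.match(line)
        if m:
            name, addr, mask = m.groups()
            std.setdefault(name, []).append(net(addr, mask))
            continue
        m = POOL.match(line)
        if m:
            first, last = (ipaddress.ip_address(x) for x in m.groups())
            pool.extend(ipaddress.summarize_address_range(first, last))
    return ext, std, pool


def exempted(pair, nonat):
    """True when some nat 0 ACE covers the whole (src, dst) pair."""
    src, dst = pair
    return any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nonat)


def review(hub_text, spoke_text, hub_inside, spoke_inside,
           crypto_acl="100", nonat_acl="nonat", split_acl="splittunnel"):
    hub_inside, spoke_inside = ipaddress.ip_network(hub_inside), ipaddress.ip_network(spoke_inside)
    hub_ext, hub_std, pool = parse_config(hub_text)
    spoke_ext, _, _ = parse_config(spoke_text)
    hub_crypto = set(hub_ext.get(crypto_acl, []))
    spoke_crypto = set(spoke_ext.get(crypto_acl, []))
    return {
        # Crypto ACLs must mirror: each (src, dst) the hub encrypts needs (dst, src) on the spoke and vice versa.
        "missing_on_spoke": sorted(p for p in hub_crypto if (p[1], p[0]) not in spoke_crypto),
        "missing_on_hub": sorted(p for p in spoke_crypto if (p[1], p[0]) not in hub_crypto),
        # Inside-sourced encryption domains must bypass NAT, or the crypto ACL never matches the translated packet.
        "hub_nat_gaps": sorted(p for p in hub_crypto
                               if p[0].subnet_of(hub_inside) and not exempted(p, hub_ext.get(nonat_acl, []))),
        "spoke_nat_gaps": sorted(p for p in spoke_crypto
                                 if p[0].subnet_of(spoke_inside) and not exempted(p, spoke_ext.get(nonat_acl, []))),
        # The VPN Client pool must sit inside a spoke crypto ACL destination, or hairpinned client traffic is dropped.
        "pool_ok": bool(pool) and all(any(n.subnet_of(dst) for _, dst in spoke_crypto) for n in pool),
        # The split-tunnel list must include the spoke LAN, or the client never sends that traffic into the tunnel.
        "split_ok": any(spoke_inside.subnet_of(n) for n in hub_std.get(split_acl, [])),
    }


if __name__ == "__main__":
    for check, result in review(HUB_CONFIG, SPOKE_CONFIG, "10.10.10.0/24", "10.11.10.0/24").items():
        print(f"{check}: {result}")
```

Deleting the second access-list 100 line from the spoke (the ACE for the VPN Client pool) makes the script report one missing mirror entry and pool_ok False, which is exactly the state in which the LAN-to-LAN tunnel still works but VPN Clients cannot reach 10.11.10.x.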

VPN Client Configuration

Complete these steps in order to create a new connection entry on the VPN Client.

  1. Enter the host IP address (the PIX1 outside IP address).

  2. Under the Authentication tab, enter the group attributes (the tunnel-group name rtptacvpn and its pre-shared key as configured on the PIX device).

    /image/gif/paws/64693/pix70-enh-spk-client-vpn-2.gif

  3. Under the Transport tab, choose the tunneling method to be used for the VPN Client connection. In this configuration, Enable Transport Tunneling is disabled for a direct IPsec connection.

    /image/gif/paws/64693/pix70-enh-spk-client-vpn-2.gif

  4. Click Save in order to save the connection profile configured on the VPN Client.

    pix70-enh-spk-client-vpn-4.gif

TACACS+ Server

Complete these steps in order to configure the TACACS+ server:

  1. Click Add Entry in order to add an entry for the PIX in the TACACS+ server database.

    pix70-enh-spk-client-vpn-7.gif

  2. On the Add AAA Client page, enter the PIX information as shown:

    /image/gif/paws/64693/pix70-enh-spk-client-vpn-8.gif

    • In the AAA Client Hostname field, enter the name of the PIX.

    • In the AAA Client IP Address field, enter 10.10.10.1 (the PIX1 inside address, which is the source of the TACACS+ requests sent to the server on the inside interface).

    • In the Key field, enter key123 as the shared secret. It must match the key on the aaa-server mytacacs line of the PIX1 configuration.

    • From the Authenticate Using drop-down list, choose TACACS+ (Cisco IOS), and click Submit.

  3. In the User field, enter the username for the VPN user in the Cisco Secure database, and click Add/Edit.

    In this example, the username is cisco.

    /image/gif/paws/64693/pix70-enh-spk-client-vpn-9.gif

  4. On the next page, enter and confirm the password for the user cisco.

    In this example, the password is also cisco.

    /image/gif/paws/64693/pix70-enh-spk-client-vpn-10.gif

  5. If you want to map the user account to a group, complete that step now. When you are finished, click Submit.
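The shared secret entered in step 2 (key123) is the only thing that protects the PAP password (cisco) on the wire between the PIX inside interface and ACS. The Python example below, added here and not code from Cisco or from ACS, builds the TACACS+ authentication START packet the PIX sends for user cisco, applies the RFC 8907 section 4.5 MD5 pseudo-pad obfuscation with key123, and decodes it again; the session ID, port and client address are assumed values. It shows that the body is simply XORed with a keystream derived from the shared key and carries no integrity check, which is why the TACACS+ server belongs on a trusted segment such as the inside interface used here.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+); the names are this example's own.
TAC_PLUS_VERSION = 0xC0            # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # password travels in the START data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 keystream seeded by session_id, shared key, version byte and seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it. Obfuscation, not authenticated encryption."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, port, rem_addr):
    """Authentication START body: 8 fixed bytes, then user, port, rem_addr and data (the PAP password)."""
    fields = [s.encode() for s in (user, port, rem_addr, password)]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, *(len(f) for f in fields))
    return fixed + b"".join(fields)


def build_packet(body, session_id, key, seq_no=1):
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, *lens = struct.unpack("!8B", body[:8])
    values, off = [], 8
    for n in lens:
        values.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = values
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data.decode()}


if __name__ == "__main__":
    # key123 and cisco/cisco come from the configuration above; the session id,
    # port and client address are assumed for this example.
    key = b"key123"
    body = authen_start_body("cisco", "cisco", "tty0", "192.168.10.1")
    wire = build_packet(body, session_id=0x1A2B3C4D, key=key)
    good = parse_authen_start(parse_packet(wire, key)["body"])
    print("decoded with correct key:", good["user"], good["data"])
    # A wrong key yields different bytes, and nothing in the packet tells the receiver which key is right.
    print("wrong key recovers body:", parse_packet(wire, b"wrong")["body"] == body)
```

Because the keystream depends only on the header fields and the shared key, anyone who captures the exchange and knows key123 recovers the password, and a modified body is not detected by either side.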

Hairpinning or U-turn

This feature is useful for VPN traffic that enters an interface but is then routed out of that same interface. For example, if you have a hub-and-spoke VPN network where the security appliance is the hub and the remote VPN networks are spokes, traffic must enter the security appliance and leave it again toward the other spoke in order for one spoke to communicate with another.

Use the same-security-traffic configuration in order to allow traffic to enter and exit the same interface.

securityappliance(config)# same-security-traffic permit intra-interface

Verify

This section provides information you can use to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show crypto isakmp sa displays all current IKE security associations (SAs) at a peer.

  • show crypto ipsec sa displays all current IPsec SAs.

In order to test communication between the two private networks behind PIX3 and PIX1, initiate a ping from one of the private networks.

In this configuration:

  • For the static LAN-to-LAN tunnel, a ping is sent from behind the PIX3 network (10.11.10.x) to the PIX1 network (10.10.10.x).

  • In order for the VPN Client to reach the network behind PIX3, a security association for the VPN Client network (192.168.10.0/24) must be established between PIX3 and PIX1; on PIX1 it appears under crypto map mymap with local ident 192.168.10.0/24.

PIX1 Verification
show crypto isakmp sa

 Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 172.18.173.77
Type : user Role : responder 
Rekey : no State : AM_ACTIVE 
2 IKE Peer: 172.20.77.10
Type : L2L Role : responder 
Rekey : no State : MM_ACTIVE 



PIX1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: rtpdynmap, local addr: 172.18.124.170

!--- IPsec SA for the connection between VPN Clients and the PIX1 network.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
current_peer: 172.18.173.77
dynamic allocated peer ip: 192.168.10.1

#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.18.173.77

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 1ECCB41D

inbound esp sas:
spi: 0x6C1615A7 (1813386663)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 5, crypto-map: rtpdynmap
sa timing: remaining key lifetime (sec): 28761
IV size: 8 bytes
replay detection support: Y


outbound esp sas:
spi: 0x1ECCB41D (516731933)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 5, crypto-map: rtpdynmap
sa timing: remaining key lifetime (sec): 28760
IV size: 8 bytes
replay detection support: Y

Crypto map tag: mymap, local addr: 172.18.124.170

!--- IPsec SA for connection between the VPN Clients network and PIX3 network.

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.10.0/255.255.255.0/0/0)
current_peer: 172.20.77.10

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.20.77.10

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 9EF2885C

inbound esp sas:
spi: 0x82E9BF07 (2196356871)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/28786)
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x9EF2885C (2666694748)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/28786)
IV size: 8 bytes
replay detection support: Y

Crypto map tag: mymap, local addr: 172.18.124.170

!--- IPsec security association for a connection between 
!--- the PIX1 and PIX3 networks.

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.10.0/255.255.255.0/0/0)
current_peer: 172.20.77.10

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.20.77.10

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: C86585AB

inbound esp sas:
spi: 0x95604966 (2506115430)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/28653)
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0xC86585AB (3362096555)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/28652)
IV size: 8 bytes
replay detection support: Y
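Reading the three SA blocks above by eye is fine for a lab. The Python example below, added here and not part of the Cisco document, parses an abridged copy of that PIX1 output (one inbound SA kept per flow) and then checks that each expected local/remote identity pair is present with its peer and shows traffic counters in both directions. A flow with encaps but no decaps is the usual sign of a crypto ACL or NAT mismatch on the far side. The expected-flow list, including the per-client SA whose remote ident and peer change with every client, is an assumption written for this lab.

```python
import re

# Abridged copy of the PIX1 "show crypto ipsec sa" output above (one inbound SA kept per flow).
SHOW_IPSEC_SA = """
interface: outside
Crypto map tag: rtpdynmap, local addr: 172.18.124.170
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
current_peer: 172.18.173.77
dynamic allocated peer ip: 192.168.10.1
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0x6C1615A7 (1813386663)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
Crypto map tag: mymap, local addr: 172.18.124.170
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.10.0/255.255.255.0/0/0)
current_peer: 172.20.77.10
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0x82E9BF07 (2196356871)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
Crypto map tag: mymap, local addr: 172.18.124.170
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.10.0/255.255.255.0/0/0)
current_peer: 172.20.77.10
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0x95604966 (2506115430)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
"""

# Flows this lab expects on PIX1 as (local ident, remote ident, peer). The first entry is
# the per-client SA and is an assumption for this example.
EXPECTED_PIX1 = [
    ("0.0.0.0/0.0.0.0", "192.168.10.1/255.255.255.255", "172.18.173.77"),
    ("192.168.10.0/255.255.255.0", "10.11.10.0/255.255.255.0", "172.20.77.10"),
    ("10.10.10.0/255.255.255.0", "10.11.10.0/255.255.255.0", "172.20.77.10"),
]

IDENT = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Split show crypto ipsec sa output into one record per local/remote identity pair."""
    flows, cur, tag = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            tag = line.split(":", 1)[1].split(",")[0].strip()
            continue
        m = IDENT.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                cur = {"map": tag, "local": f"{addr}/{mask}", "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
                       "kind": None, "legacy_transform": False}
                flows.append(cur)
            else:
                cur["remote"] = f"{addr}/{mask}"
            continue
        if cur is None:
            continue
        if line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip().split(":")[0]  # drop a :500 suffix if present
        elif COUNTER.search(line):
            name, value = COUNTER.search(line).groups()
            cur[name] = int(value)
        elif ERRORS.search(line):
            cur["send_errors"], cur["recv_errors"] = map(int, ERRORS.search(line).groups())
        elif line.startswith("transform:"):
            cur["legacy_transform"] |= bool(LEGACY & set(line.split(":", 1)[1].split()))
        elif line.startswith("in use settings"):
            cur["kind"] = line.split("{")[1].split(",")[0]
    return flows


def audit(flows, expected):
    """Map each expected (local, remote, peer) triple to ok / one-way / idle / missing and flag extras."""
    by_key = {(f["local"], f["remote"], f["peer"]): f for f in flows}
    report = {}
    for key in expected:
        f = by_key.get(key)
        if f is None:
            report[key] = "missing"      # no SA: Phase 2 never completed for this pair
        elif f["encaps"] and f["decaps"]:
            report[key] = "ok"
        elif f["encaps"] or f["decaps"]:
            report[key] = "one-way"      # traffic in one direction only: ACL or NAT mismatch on one side
        else:
            report[key] = "idle"
    for key in by_key:
        if key not in expected:
            report[key] = "unexpected"   # an SA the design does not call for
    return report


if __name__ == "__main__":
    flows = parse_ipsec_sa(SHOW_IPSEC_SA)
    for key, status in audit(flows, EXPECTED_PIX1).items():
        print(status, key)
```

The legacy_transform flag records that every SA here uses esp-3des, which is what the PIX 6.3 spoke negotiates; on a platform that supports AES it is the first thing to change.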

PIX3 Verification
PIX3(config)#show crypto isakmp sa
Total : 1
Embryonic : 0
dst                         src                    state     pending     created
172.18.124.170 172.20.77.10 QM_IDLE         0             2
PIX3(config)#show crypto ipsec sa


interface: outside
Crypto map tag: mymap, local addr. 172.20.77.10

!--- IPsec security association for a connection between 
!--- the PIX3 and PIX1 networks.

local ident (addr/mask/prot/port): (10.11.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.20.77.10, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 95604966

inbound esp sas:
spi: 0xc86585ab(3362096555)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28213)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x95604966(2506115430)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28213)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:



!--- IPsec security association for the connection between the VPN Client 
!--- network and PIX3 networks.

local ident (addr/mask/prot/port): (10.11.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.20.77.10, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 82e9bf07

inbound esp sas:
spi: 0x9ef2885c(2666694748)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28295)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x82e9bf07(2196356871)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28295)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

VPN Client Verification

Complete these steps in order to verify the VPN Client:

  1. After a successful connection, right-click the VPN Client lock icon in the system tray and choose the Statistics option.

    You can view details of the encryption and decryption of packets as well as information about the VPN Client connection.

    pix70-enh-spk-client-vpn-5.gif

  2. Click the Route Details tab in order to verify that the split-tunnel list was pushed down from the PIX Security Appliance.

    pix70-enh-spk-client-vpn-6.gif

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • clear crypto isakmp sa clears the Phase 1 security associations (SAs).

  • clear crypto ipsec sa clears the Phase 2 SAs.

  • debug crypto isakmp sa debugs the ISAKMP SA negotiations.

  • debug crypto ipsec sa debugs the IPsec SA negotiations.




Document ID: 64693