IP : Cisco PIX 500 系列安全设备

PIX/ASA 7.x:IPSec 隧道相关数据流的 DMZ 接口部分的配置示例

2016 年 10 月 24 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 8 月 22 日) | 反馈


目录


简介

此配置允许具有 PIX 7.x 的两个 Cisco Secure PIX 防火墙运行从一个 PIX 的内部和非隔离区 (DMZ) 接口到 Internet 或使用 IPsec 的任何公共网络上的另一个 PIX 的简单 VPN 隧道。

IPsec 是在 IPsec 对等体之间提供数据保密性、数据完整性和数据来源身份验证的多种开放式标准的组合。

先决条件

要求

尝试进行此配置之前,请确保满足以下要求:

使用的组件

本文档中的信息基于具有 DMZ 接口并使用 Cisco PIX 安全设备软件 7.2(1) 版的 Cisco Secure PIX 515E 防火墙。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

背景信息

IPsec协商可以被分解为五个步骤并且包括两个Internet Key Exchange (IKE)相位。

  1. IPsec 隧道由相关数据流启动。如果数据流在 IPsec 对等体之间传输,则它会被认为是相关数据流。

  2. 在 IKE 第 1 阶段中,IPsec 对等体对建立的 IKE 安全关联 (SA) 策略进行协商。验证对等体的身份后,即使用 ISAKMP 创建安全隧道。

  3. 在 IKE 第 2 阶段中,IPsec 对等体使用经身份验证的安全隧道对 IPsec SA 转换进行协商。共享策略的协商决定建立 IPsec 隧道的方式。

  4. 根据 IPsec 转换集中配置的 IPsec 参数,将在 IPsec 对等体之间创建 IPsec 隧道并传输数据。

  5. 如果删除了 IPsec SA,或者 IPsec SA 的生存时间到期,则 IPsec 隧道将终止。

    注意: 如果两个 IKE 阶段中的 SA 在对等体上不匹配,则两个 PIX 之间的 IPsec 协商将失败。

配置

本部分提供有关配置一个 PIX 上的内部接口和 DMZ 接口与另一个 PIX 之间 IPsec 隧道的信息。

此配置假定已具备基本的路由配置,并且可端到端访问各个设备。在本文档中,可以用下面这些 show 命令验证配置。

  • show isakmp

  • show isakmp policy

  • show access-list

  • show crypto ipsec transform-set

  • show crypto isakmp sa

  • show crypto ipsec sa

有关这些 show 命令的详细信息,请参阅 Cisco Secure PIX 防火墙命令参考

IKE 第 1 阶段和 IKE 第 2 阶段中形成安全 IPsec 隧道。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/69385/pix-asa-7x-dmz-ipsec-tunnel-1.gif

配置

本文档使用以下配置:

预共享密钥的 IKE 配置

通过使用 isakmp enable 命令在 IPsec 终止接口上启用 IKE。在此场景中,外部接口为两个 PIX 上的 IPsec 终止接口。在两个 PIX 上都配置 IKE。在两个 PIX 上都使用 isakmp enable 命令。

使用 isakmp policy 命令定义 IKE 协商期间所使用的 IKE 策略。使用此命令时,必须分配一个优先级,以便唯一地标识策略。在本例中,向策略分配了优先级 10。

PIX1(config)#isakmp policy 10 authentication pre-share
PIX1(config)#isakmp policy 10 encryption des
PIX1(config)#isakmp policy 10 hash md5
PIX1(config)#isakmp policy 10 group 1
PIX1(config)#isakmp policy 10 lifetime 1000

还将此策略设置为:

  • 使用预共享密钥

  • 对数据身份验证使用 MD5 哈希算法

  • 请使用DES封装安全有效载荷(ESP)

  • 使用 Diffie-Hellman group1

  • 设置 SA 生存时间

使用 show isakmp policy 命令验证是否真正用您选择的所有参数配置了策略。

要创建并管理 IPSec 隧道的连接特定记录的数据库,请在全局配置模式下使用 tunnel-group 命令。隧道组的名称必须是对等体的 IP 地址。类型应为 IPsec LAN 到 LAN。在 IPsec 隧道配置模式下发出 pre-shared-key <密码> 命令,如下所示:

PIX1(config)#tunnel-group 172.16.2.5 type ipsec-l2l
PIX1(config)#tunnel-group 172.16.2.5 ipsec-attributes
PIX1(config-tunnel-ipsec)#pre-shared-key cisco

网络地址转换(NAT)配置

此设置对要通过隧道传输的流量使用 NAT 免除。这表示对于相关流量不进行 NAT 处理。其他流量使用端口地址转换(PAT)更改数据包的源IP地址到外部接口的IP地址。

PIX1(config)#access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list PAT permit ip 10.2.2.0 255.255.255.0 any
PIX1(config)#access-list PAT permit ip 10.3.3.0 255.255.255.0 any
PIX1(config)#nat (inside) 0 access-list NoNAT
PIX1(config)#nat (inside) 1 access-list PAT
PIX1(config)#nat (DMZ) 0 access-list NoNAT
PIX1(config)#nat (DMZ) 1 access-list PAT 
PIX1(config)#global (outside) 1 interface

同样,在 PIX2 上为要通过隧道传输的流量配置身份 NAT,而使用 PAT 发送所有其他流量。

PIX2(config)#access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
PIX2(config)#access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
PIX2(config)#nat (inside) 0 access-list NoNAT
PIX2(config)#nat (inside) 1 10.6.6.0 255.255.255.0
PIX2(config)#global (outside) 1 interface

IPsec 配置

当其中一个 PIX 收到目标为另一个 PIX 的内部网络的流量时启动 IPsec。此流量被视为需要受 IPsec 保护的相关流量。访问列表用于确定哪些流量启动了 IKE 和 IPsec 协商。名为 INTERESTING 的访问列表允许将流量从 PIX1 防火墙上的 10.2.2.0 和 10.3.3.0 网络发送到 PIX2 防火墙上的 10.6.6.0 网络。

PIX1(config)#access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0

IPsec 转换集定义对等体用于保护数据流的安全策略。通过使用 crypto ipsec transform-set 命令定义 IPsec 转换。必须为转换集选择一个唯一的名称,并且最多可以选择三个转换用于定义 IPsec 安全协议。此配置只使用了两个转换:

  • esp-md5-hmac

  • esp-des

PIX1(config)#crypto ipsec transform-set my-set esp-des esp-md5-hmac

加密映射设置加密流量的 IPsec SA。您必须分配映射名称和序号,然后定义加密映射参数以创建加密映射。加密映射“mymap”使用 IKE 建立 IPsec SA,并对与 INTERESTING 访问列表匹配、设置了对等体以及使用 my-set transform-set 实施其流量安全策略的任何内容进行加密。

PIX1(config)#crypto map mymap 20 match address INTERESTING
PIX1(config)#crypto map mymap 20 set peer 172.16.2.5
PIX1(config)#crypto map mymap 20 set transform-set my-set

定义加密映射后,使用 crypto map mymap interface outside 命令将加密映射应用于某个接口。所选的接口应为 IPsec 终止接口。

PIX1(config)#crypto map mymap interface outside

PIX1 配置

PIX1

!--- Output is suppressed.


interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet2
 nameif DMZ1
 security-level 50
 ip address 10.3.3.2 255.255.255.0


!--- Output is suppressed.



!--- This access control list (ACL) is for NAT 0.

access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0


!--- This ACL defines the interesting traffic.

access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0


!--- This ACL is for PAT.

access-list PAT permit ip 10.2.2.0 255.255.255.0 any
access-list PAT permit ip 10.3.3.0 255.255.255.0 any


!--- Output is suppressed.



!--- NAT control requires NAT for inside or DMZ hosts 
!--- when they access the outside.

nat-control




!--- This is the global statement for PAT.

global (outside) 1 interface


!--- This command is for the NAT 0 entry on the inside interface.

nat (inside) 0 access-list NoNAT


!--- This command is for the PAT entry on the inside interface.

nat (inside) 1 access-list PAT 


!--- This command is for the NAT 0 entry on the DMZ interface.

nat (DMZ) 0 access-list NoNAT


!--- This command is for the PAT entry on the DMZ interface.

nat (DMZ) 1 access-list PAT


route outside 0.0.0.0 0.0.0.0 172.16.1.4 1



!--- Output is suppressed.




!--- This command defines the IPsec transform set with the 
!--- security policy that the peers use to protect the data flow.

crypto ipsec transform-set my-set esp-des esp-md5-hmac


!--- These commands allow crypto map to set up IPsec SAs
!--- for the encrypted traffic.

crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.2.5
crypto map mymap 20 set transform-set my-set


!--- This command applies the crypto map to the outside interface.

crypto map mymap interface outside


!--- This command applies the crypto map to the outside interface.

isakmp enable outside


!--- These commands apply the crypto map to the outside interface.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000


!--- Output is suppressed.




!--- These commands create and manage the database of connection-specific 
!--- records for IPsec tunnels. Issue a preshared key, which should be the same as 
!--- that on the peer.

tunnel-group 172.16.2.5 type ipsec-l2l
tunnel-group 172.16.2.5 ipsec-attributes
 pre-shared-key *


!--- Output is suppressed.

PIX2 配置

PIX2 上的配置

!--- Output is suppressed.


interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.2.5 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.6.6.5 255.255.255.0


!--- Output is suppressed.


access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0


!--- Output is suppressed.



global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 10.6.6.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.2.4 1


!--- Output is suppressed.


crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.1.2
crypto map mymap 20 set transform-set my-set
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000


!--- Output is suppressed.


tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key *
telnet timeout 5


!--- Output is suppressed.

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • show crypto isakmp sa — 显示当前 IKE SA。

    PIX1#show crypto isakmp sa
    
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 172.16.2.5
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
  • show crypto ipsec sa - 显示当前 SA 使用的设置。

    在网络之间发送被定义为相关流量的流量后,即触发 IPsec 隧道。可使用两台主机之间的 ping 测试是否形成了隧道。


!--- This is show crypto ipsec sa command output on PIX1.

PIX1#show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2

      access-list INTERESTING permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      current_peer: 172.16.2.5


!--- This verifies that encrypted packets are 
!--- sent and recede without any errors.


      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.5

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 80A00578

    inbound esp sas:
      spi: 0xD92F129E (3643740830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28593)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x80A00578 (2157970808)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28591)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2

      access-list INTERESTING permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      current_peer: 172.16.2.5

      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.5

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3D0C2074

    inbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28658)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3D0C2074 (1024204916)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28658)
         IV size: 8 bytes
         replay detection support: Y




!--- This is show crypto ipsec sa command output on PIX2.


PIX2#show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5

      access-list INTERESTING permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.2.5, remote crypto endpt.: 172.16.1.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 5B64B9D6

    inbound esp sas:
      spi: 0x3D0C2074 (1024204916)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28465)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28463)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5

      access-list INTERESTING permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.2.5, remote crypto endpt.: 172.16.1.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: D92F129E

    inbound esp sas:
      spi: 0x80A00578 (2157970808)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28393)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD92F129E (3643740830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28393)
         IV size: 8 bytes
         replay detection support: Y

故障排除

本部分提供的信息可用于对配置进行故障排除。

命令输出解释程序工具仅限注册用户)支持某些 show 命令,使用此工具可以查看对 show 命令输出的分析。

注意: 发出 debug 命令之前,请参阅有关 Debug 命令的重要信息

debug crypto isakmp — 显示有关 IPsec 连接的调试信息。

debug crypto isakmp
pix3#debug crypto isakmp 7

Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Oakley proposal is acceptable
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Fragmentation VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, IKE Peer included 
IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing ke payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing nonce payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing Cisco Unity VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing xauth V6 VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Send IOS VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Constructing ASA spoofing 
IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + 
VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + 
VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing ke payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing ISA_KE payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing nonce payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Cisco Unity client VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received xauth V6 VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Processing VPN3000/ASA 
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Altiga/Cisco 
VPN3000/Cisco ASA GW VID
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, Connection landed on tunnel_group 172.16.2.5
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Generating keys for Initiator...
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing ID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing hash payload
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Computing hash for ISAKMP
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Constructing IOS keep 
alive payload: proposal=32767/32767 sec.
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing dpd vid payload
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=0) 
with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13)
 + NONE (0) total length : 92
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) 
+ VENDOR (13) + NONE (0) total length : 92
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Computing hash for ISAKMP
Jan 01 04:34:50 [IKEv1 DEBUG]: IP = 172.16.2.5, Processing IOS keep 
alive payload: proposal=32767/32767 sec.
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing VID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Received DPD VID
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, Connection landed on tunnel_group 172.16.2.5
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, Freeing 
previously allocated memory for authorization-dn-attributes
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Oakley begin quick mode
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, PHASE 1 COMPLETED
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, Keep-alive type for this connection: DPD
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Starting P1 rekey timer: 850 seconds.
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
IKE got SPI from key engine: SPI = 0x1cd9ec0c
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
oakley constucting quick mode
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing blank hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing IPSec SA payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing IPSec nonce payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing proxy ID
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Transmitting Proxy Id:
  Local subnet:  10.2.2.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.6.6.0  Mask 255.255.255.0 Protocol 0  Port 0
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing qm hash payload
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=75aa2cf6) with payloads: HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + 
ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=75aa2cf6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + 
ID (5) + ID (5) + NONE (0) total length : 164
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing SA payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing nonce payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
loading all IPSEC SAs
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Generating Quick Mode Key!
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Generating Quick Mode Key!
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, Security negotiation 
complete for LAN-to-LAN Group (172.16.2.5)  Initiator, Inbound SPI = 0x1cd9ec0c, 
Outbound SPI = 0x489fb7ca
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
oakley constructing final quickmode
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=75aa2cf6) with payloads: HDR + HASH (8) + NONE (0) total length : 72
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, IKE got 
a KEY_ADD msg for SA: SPI = 0x489fb7ca
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Pitcher: received KEY_UPDATE, spi 0x1cd9ec0c
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Starting P2 rekey timer: 24480 seconds.
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, PHASE 2 COMPLETED 
(msgid=75aa2cf6)
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Sending keep-alive of type DPD R-U-THERE (seq number 0x52fec0b7)
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing blank hash payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing qm hash payload
Jan 01 04:35:05 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=e3dd9a55) with payloads: HDR + HASH (8) + NOTIFY (11) 
+ NONE (0) total length : 80
Jan 01 04:35:05 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED 
Message (msgid=1f40840c) with payloads : HDR + HASH (8) + NOTIFY (11) + 
NONE (0) total length : 80
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing notify payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Received keep-alive of type DPD
R-U-THERE-ACK (seq number 0x52fec0b7)
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Sending keep-alive of type DPD R-U-THERE (seq number 0x52fec0b8)
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing blank hash payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing qm hash payload
Jan 01 04:35:15 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=928bbc7f) with payloads: HDR + HASH (8) + NOTIFY (11) + NONE (0) 
total length : 80
Jan 01 04:35:15 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=b4745eeb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) 
total length : 80
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing notify payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Received keep-alive of type DPD
R-U-THERE-ACK (seq number 0x52fec0b8)

debug crypto ipsec - 显示有关 IPsec 连接的调试信息。

debug crypto ipsec
pix1#debug crypto ipsec 7

IPSEC: New embryonic SA created @ 0x01AEAB40,
    SCB: 0x028CF0C8,
    Direction: inbound
    SPI      : 0xEFFE8E91
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x028F27E0,
    SCB: 0x02842188,
    Direction: outbound
    SPI      : 0xEB62E7B0
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xEB62E7B0
IPSEC: Updating outbound VPN context 0x00076B84, SPI 0xEB62E7B0
    Flags: 0x00000005
    SA   : 0x028F27E0
    SPI  : 0xEB62E7B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02842188
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0xEB62E7B0
    VPN handle: 0x00076B84
IPSEC: Completed outbound inner rule, SPI 0xEB62E7B0
    Rule ID: 0x026AAAF0
IPSEC: New outbound permit rule, SPI 0xEB62E7B0

!--- Tunnel endpoints

    Src addr: 172.16.1.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.2.5
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEB62E7B0
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xEB62E7B0
    Rule ID: 0x028A45F8
IPSEC: Completed host IBSA update, SPI 0xEFFE8E91
IPSEC: Creating inbound VPN context, SPI 0xEFFE8E91
    Flags: 0x00000006
    SA   : 0x01AEAB40
    SPI  : 0xEFFE8E91
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00076B84
    SCB  : 0x028CF0C8
    Channel: 0x01693DE8
IPSEC: Completed inbound VPN context, SPI 0xEFFE8E91
    VPN handle: 0x0007801C
IPSEC: Updating outbound VPN context 0x00076B84, SPI 0xEB62E7B0
    Flags: 0x00000005
    SA   : 0x028F27E0
    SPI  : 0xEB62E7B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0007801C
    SCB  : 0x02842188
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0xEB62E7B0
    VPN handle: 0x00076B84
IPSEC: Completed outbound inner rule, SPI 0xEB62E7B0
    Rule ID: 0x026AAAF0
IPSEC: Completed outbound outer SPD rule, SPI 0xEB62E7B0
    Rule ID: 0x028A45F8
IPSEC: New inbound tunnel flow rule, SPI 0xEFFE8E91

!--- IPsec session by inside interface

    Src addr: 10.6.6.0
    Src mask: 255.255.255.0
    Dst addr: 10.2.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xEFFE8E91
    Rule ID: 0x01A88838
IPSEC: New inbound decrypt rule, SPI 0xEFFE8E91
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEFFE8E91
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xEFFE8E91
    Rule ID: 0x028F2710
IPSEC: New inbound permit rule, SPI 0xEFFE8E91
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEFFE8E91
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xEFFE8E91
    Rule ID: 0x028F3F70
IPSEC: New embryonic SA created @ 0x01AFA2E8,
    SCB: 0x028F4318,
    Direction: inbound
    SPI      : 0x9E53EEA4
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x0281FEA8,
    SCB: 0x01AFA6C0,
    Direction: outbound
    SPI      : 0x430107DD
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x430107DD
IPSEC: Updating outbound VPN context 0x0007DB1C, SPI 0x430107DD
    Flags: 0x00000005
    SA   : 0x0281FEA8
    SPI  : 0x430107DD
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x01AFA6C0
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0x430107DD
    VPN handle: 0x0007DB1C
IPSEC: Completed outbound inner rule, SPI 0x430107DD
    Rule ID: 0x028FA880
IPSEC: New outbound permit rule, SPI 0x430107DD
    Src addr: 172.16.1.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.2.5
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x430107DD
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x430107DD
    Rule ID: 0x028055B0
IPSEC: Completed host IBSA update, SPI 0x9E53EEA4
IPSEC: Creating inbound VPN context, SPI 0x9E53EEA4
    Flags: 0x00000006
    SA   : 0x01AFA2E8
    SPI  : 0x9E53EEA4
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0007DB1C
    SCB  : 0x028F4318
    Channel: 0x01693DE8
IPSEC: Completed inbound VPN context, SPI 0x9E53EEA4
    VPN handle: 0x000813D4
IPSEC: Updating outbound VPN context 0x0007DB1C, SPI 0x430107DD
    Flags: 0x00000005
    SA   : 0x0281FEA8
    SPI  : 0x430107DD
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x000813D4
    SCB  : 0x01AFA6C0
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0x430107DD
    VPN handle: 0x0007DB1C
IPSEC: Completed outbound inner rule, SPI 0x430107DD
    Rule ID: 0x028FA880
IPSEC: Completed outbound outer SPD rule, SPI 0x430107DD
    Rule ID: 0x028055B0
IPSEC: New inbound tunnel flow rule, SPI 0x9E53EEA4

!--- IPsec session by DMZ interface

    Src addr: 10.6.6.0
    Src mask: 255.255.255.0
    Dst addr: 10.3.3.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9E53EEA4
    Rule ID: 0x02850040
IPSEC: New inbound decrypt rule, SPI 0x9E53EEA4
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9E53EEA4
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x9E53EEA4
    Rule ID: 0x0284ACF8
IPSEC: New inbound permit rule, SPI 0x9E53EEA4
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9E53EEA4
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x9E53EEA4
    Rule ID: 0x0281FDA8

清除安全关联 (SA)

clear crypto ipsec sa peer 10.6.6.6 — 删除由指定的主机名或 IP 地址标识的对等体的所有 IPsec SA。

clear isakmp sa — 删除所有 IKE 运行时 SA 数据库。


相关信息


Document ID: 69385