PIX/ASA: Multiple VPN Group Clients Use Different VLANs After Connecting to the Security Appliance Configuration Example

August 28, 2015 - Machine translation

Introduction

This sample configuration shows how to set up multiple VPN group clients so that they use different VLANs after an IPsec tunnel is established with the PIX 500 Series Security Appliance.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • The PIX 500 Series Security Appliance 7.x and the VPN Client 4.x are reachable through the Internet.

Components Used

The information in this document is based on these software and hardware versions:

  • PIX 515E Series Security Appliance software version 7.1(1)

  • Cisco VPN Client version 4.8 for Windows

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the Cisco ASA 5500 Series Adaptive Security Appliance.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

In this configuration example there are two VPN Clients (user1 and user2) and two different VLANs, named vlan2 and vlan3. After the IPsec tunnel is established, user1 should be able to connect only to vlan2, and user2 should be able to connect only to vlan3.

vlan2 and vlan3 are created under the sub-interfaces Ethernet 1.1 and Ethernet 1.2 of the Ethernet 1 interface of the PIX Security Appliance. The physical interface must be enabled before traffic can pass through the enabled sub-interfaces.

In general, once an IPsec tunnel is established from the Cisco VPN Client to the PIX Firewall, all of the client's traffic is sent through the tunnel to the PIX Firewall. With many clients connected at once this is expensive in terms of resources. Split tunneling avoids that cost: only the interesting traffic is encrypted, and the remaining traffic goes to the Internet without being encrypted into the tunnel.

Note: If you want to tunnel all traffic before it is sent to the Internet, refer to PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example for details.

Configure

This section provides the information you need to configure multiple remote-access VPN connections that use different VLANs on the PIX Security Appliance.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Figure: network diagram (multi-vpngroup-clients-diff-vlans-1.gif)]

Configurations

This document uses these configurations:

PIX 515E Security Appliance Configuration
PIX Version 7.1(1)
!
hostname pix
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet1
 no nameif
 no security-level
 no ip address


!--- Configure the sub-interfaces on the inside interface.
!--- Configure VLAN to the respective sub-interfaces.

!
interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!


!--- Output is suppressed.


!
passwd 9jNfZuG3TC5tCVH0 encrypted
ftp mode passive


!--- This access list is used for a nat zero command that prevents 
!--- traffic from undergoing network address translation (NAT).


access-list no-nat-vpn1-group extended permit ip 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat-vpn2-group extended permit ip 10.0.2.0 255.255.255.0 10.0.2.0 255.255.255.0



!--- This access list is used for split tunneling. It is downloaded to the
!--- VPN Client to tell it which traffic is interesting and must be encrypted.


access-list SPLIT-Tunnel-vpn1group standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-Tunnel-vpn2group standard permit 10.0.2.0 255.255.255.0

pager lines 24
logging console debugging
mtu outside 1500
mtu vlan2 1500
mtu vlan3 1500


!--- Create a pool of addresses from which IP addresses are assigned 
!--- dynamically to the remote VPN Clients.
!--- The pool user1 IP address is assigned to the tunnel group (vpn1).
!--- The pool user2 IP address is assigned to the tunnel group (vpn2).


ip local pool user1 10.0.1.10-10.0.1.15 mask 255.255.255.0
ip local pool user2 10.0.2.10-10.0.2.15 mask 255.255.255.0

no failover
no asdm history enable
arp timeout 14400


!--- NAT 0 prevents NAT for the networks specified in the access list.
!--- The nat 1 command specifies port address translation (PAT)
!--- using the outside interface IP address for all other traffic.


global (outside) 1 interface
nat (vlan2) 0 access-list no-nat-vpn1-group
nat (vlan2) 1 0.0.0.0 0.0.0.0
nat (vlan3) 0 access-list no-nat-vpn2-group
nat (vlan3) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute


!--- Enter group-policy attributes mode for the group policy (vpn2).


group-policy vpn2 internal
group-policy vpn2 attributes


!--- The split tunnel policy tunnels all traffic from or to the specified networks.


 split-tunnel-policy tunnelspecified


!--- Split tunnel in group-policy configuration mode identifies
!--- an access list (SPLIT-Tunnel-vpn2group) that enumerates the network to be 
!--- tunneled from the VPN Client.
!--- After the IPsec tunnel formation, the access list (SPLIT-Tunnel-vpn2group) has to be  
!--- downloaded to the VPN Client of vpn2 (tunnel group).

  
 split-tunnel-network-list value SPLIT-Tunnel-vpn2group

group-policy vpn1 internal
group-policy vpn1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-Tunnel-vpn1group


!--- Configure usernames and passwords
!--- to identify remote access users to the PIX Security Appliance.


username vpn2 password 5RBT6B6kO6ZsK4e3 encrypted
username vpn1 password Rgp2OnMV8tB9079o encrypted

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart


!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.  
!--- A single DES encryption with
!--- the md5 hash algorithm is used.


crypto ipsec transform-set my-set esp-des esp-md5-hmac


!--- Defines a dynamic crypto map with 
!--- the specified encryption settings.


crypto dynamic-map dynmap 10 set transform-set my-set


!--- Enable Reverse Route Injection (RRI), which allows the
!--- PIX Security Appliance to learn routing information for connected clients.


crypto dynamic-map dynmap 10 set reverse-route


!--- Binds the dynamic map to the IPsec/ISAKMP process.


crypto map mymap 10 ipsec-isakmp dynamic dynmap


!--- Specifies the interface to be used with 
!--- the settings defined in this configuration.


crypto map mymap interface outside


!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses ISAKMP policy 10.   
!--- Policy 65535 is included in the configuration by default.
!--- The configuration commands here define the Phase 
!--- 1 policy parameters that are used.


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn type ipsec-ra


!--- Sets the connection type to IPsec remote access (ipsec-ra).


tunnel-group vpn1 type ipsec-ra


!--- Configures an address pool for the tunnel group and enters the general-attributes mode. 
!--- Associates the user1 pool to the tunnel group (vpn1) that uses the address pool.


tunnel-group vpn1 general-attributes
 address-pool user1


!--- Specifies the set of attributes that the user inherits by default 
!--- in tunnel-group general-attributes configuration mode.
!--- Tunnel groups identify the group policy for a specific connection.


 default-group-policy vpn1


!--- Enter the ipsec-attributes mode to configure the authentication method 
!--- by entering the preshared key.
!--- You need to use the same preshared key on both 
!--- devices (PIX and VPN Client) for this remote access connection.


tunnel-group vpn1 ipsec-attributes
 pre-shared-key *

tunnel-group vpn2 type ipsec-ra
tunnel-group vpn2 general-attributes
 address-pool user2
 default-group-policy vpn2
tunnel-group vpn2 ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:0becb57df25d69a098b25bf07994b6b6
: end
pix#
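The VLAN isolation described in the Background Information section holds only if three parts of the configuration above line up for each tunnel group: the address pool must sit inside one VLAN subnet, and the split-tunnel access list handed to the client must permit only that subnet. As an added example that is not part of this Cisco document, the following Python script parses a constructed excerpt of the configuration above and reports, for each tunnel group, the VLAN its clients land on plus any finding that would let a client reach the other VLAN; the excerpt, the function names and the finding messages are the script's own.

```python
import ipaddress

# Constructed excerpt of the PIX 7.1(1) configuration shown in this document;
# only the statements the check needs are reproduced.
PIX_CONFIG = """
interface Ethernet1.1
 vlan 2
 nameif vlan2
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 ip address 10.0.2.1 255.255.255.0
!
access-list SPLIT-Tunnel-vpn1group standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-Tunnel-vpn2group standard permit 10.0.2.0 255.255.255.0
ip local pool user1 10.0.1.10-10.0.1.15 mask 255.255.255.0
ip local pool user2 10.0.2.10-10.0.2.15 mask 255.255.255.0
group-policy vpn2 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-Tunnel-vpn2group
group-policy vpn1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-Tunnel-vpn1group
tunnel-group vpn1 general-attributes
 address-pool user1
 default-group-policy vpn1
tunnel-group vpn2 general-attributes
 address-pool user2
 default-group-policy vpn2
"""


def parse_pix(config):
    """Collect VLAN subnets, address pools, split ACLs, group policies and tunnel groups."""
    vlans, pools, acls, policies, groups = {}, {}, {}, {}, {}
    ctx = None  # (kind, name) of the sub-mode that indented lines belong to
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):  # top-level statement; may open a sub-mode
            ctx = None
            if t[0] == "interface":
                ctx = ("iface", t[1])
                vlans.setdefault(t[1], {})
            elif t[:3] == ["ip", "local", "pool"]:
                first, last = t[4].split("-")
                pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
            elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
                acls.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[4]}/{t[5]}"))
            elif t[0] == "group-policy" and t[-1] == "attributes":
                ctx = ("policy", t[1])
                policies.setdefault(t[1], {})
            elif t[0] == "tunnel-group" and t[-1] == "general-attributes":
                ctx = ("tgroup", t[1])
                groups.setdefault(t[1], {})
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "iface" and t[0] == "nameif":
            vlans[name]["nameif"] = t[1]
        elif kind == "iface" and t[:2] == ["ip", "address"]:
            vlans[name]["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif kind == "policy" and t[0] == "split-tunnel-network-list":
            policies[name]["acl"] = t[2]
        elif kind == "tgroup" and t[0] == "address-pool":
            groups[name]["pool"] = t[1]
        elif kind == "tgroup" and t[0] == "default-group-policy":
            groups[name]["policy"] = t[1]
    return vlans, pools, acls, policies, groups


def check_isolation(config):
    """Map each tunnel group to the VLAN its pool lives in and list isolation findings."""
    vlans, pools, acls, policies, groups = parse_pix(config)
    subnets = {v["nameif"]: v["net"] for v in vlans.values() if "nameif" in v and "net" in v}
    report = {}
    for tg, attrs in groups.items():
        findings = []
        first, last = pools[attrs["pool"]]
        # The pool must fall inside exactly one VLAN subnet: the client's home VLAN.
        homes = [n for n, net in subnets.items() if first in net and last in net]
        home = homes[0] if len(homes) == 1 else None
        if home is None:
            findings.append("address pool is not inside exactly one VLAN subnet")
        # The split-tunnel list the client downloads must cover only that VLAN.
        split = acls.get(policies.get(attrs.get("policy"), {}).get("acl"), [])
        if not split:
            findings.append("no split-tunnel list: the client tunnels all traffic")
        for net in split:
            if home is None or net != subnets[home]:
                findings.append(f"split-tunnel list permits {net}, not the client's own VLAN")
        report[tg] = (home, findings)
    return report
```

Running check_isolation(PIX_CONFIG) on the excerpt maps vpn1 to vlan2 and vpn2 to vlan3 with no findings; moving the user2 pool into 10.0.1.0/24 makes vpn2 land on vlan2 while its split-tunnel list still advertises 10.0.2.0/24, which the script reports.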

VPN Client 4.8 Configuration

Complete these steps to configure VPN Client 4.8.

  1. Choose Start > Programs > Cisco Systems VPN Client > VPN Client.

  2. Click New to launch the Create New VPN Connection Entry window.

    [Figure: multi-vpngroup-clients-diff-vlans-2.gif]

  3. Enter the name and a description of the Connection Entry. Enter the outside IP address of the PIX Firewall in the Host box. Then enter the tunnel group name (vpn2 in this example) and the pre-shared key, and click Save.

    [Figure: multi-vpngroup-clients-diff-vlans-3.gif]

  4. Click the connection you want to use, and click Connect from the VPN Client main window.

    [Figure: multi-vpngroup-clients-diff-vlans-4.gif]

  5. When prompted, enter the Username and Password configured on the PIX, and click OK to connect to the remote network.

    [Figure: multi-vpngroup-clients-diff-vlans-5.gif]

  6. The Cisco VPN Client is now connected to the PIX at the central site.

    [Figure: multi-vpngroup-clients-diff-vlans-6.gif]

  7. Choose Status > Statistics to check the tunnel statistics of the Cisco VPN Client.

    [Figure: multi-vpngroup-clients-diff-vlans-7.gif]

  8. Choose Status > Statistics and then click Route Details to check the route details of the Cisco VPN Client.

    The access list has been downloaded from the PIX, so a secured connection is formed only to the networks specified in that access list. The remaining traffic goes directly to the Internet without being encrypted into the tunnel.

    [Figure: multi-vpngroup-clients-diff-vlans-8.gif]

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show crypto isakmp sa - Shows all current IKE security associations (SAs) at a peer.

  • show crypto ipsec sa - Shows the settings used by the current SAs.

pix#show crypto ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 172.16.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.2.10/255.255.255.255/0/0)
      current_peer: 10.0.0.2, username: vpn2
      dynamic allocated peer ip: 10.0.2.10

      #pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
      #pkts decaps: 201, #pkts decrypt: 201, #pkts verify: 201
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 200, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.0.0.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 7233CD22

    inbound esp sas:
      spi: 0x2F8C6D57 (797732183)
         transform: esp-des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28703
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x7233CD22 (1915997474)
         transform: esp-des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28701
         IV size: 8 bytes
         replay detection support: Y

Troubleshoot

This section provides information you can use to troubleshoot your configuration. Sample debug output is also shown.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands and IP Security Troubleshooting - Understanding and Using debug Commands before you use debug commands.

  • debug crypto ipsec - Shows the IPsec negotiations of Phase 2.

  • debug crypto isakmp - Shows the ISAKMP negotiations of Phase 1.

Clear Security Associations

When you make changes to the tunnel configuration, be sure to clear the SAs. Use these commands in privileged mode on the PIX:

  • clear [crypto] ipsec sa - Deletes the active IPsec SAs. The keyword crypto is optional.

  • clear [crypto] isakmp sa - Deletes the active IKE SAs. The keyword crypto is optional.

Sample debug Output

PIX Firewall

PIX#debug crypto isakmp 7
pix# May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=
0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + V
ENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 8
48
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ke payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ISA_KE payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing nonce payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received xauth V6 VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received DPD VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received Fragmentation VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, IKE Peer included IKE fragmentatio
n capability flags:  Main Mode:        True  Aggressive Mode:  False
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 02 VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received Cisco Unity client VID
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group vpn2
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing IKE SA pa
yload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, IKE SA Proposal # 1,
 Transform # 9 acceptable  Matches global IKE entry # 2
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing ISAKMP
SA payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing ke payl
oad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing nonce p
ayload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Generating keys for
Responder...
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing ID payl
oad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing hash pa
yload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Computing hash for I
SAKMP
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing Cisco U
nity VID payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing xauth V
6 VID payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing dpd vid
 payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing Fragmen
tation VID + extended capabilities payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing VID pay
load
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Send Altiga/Cisco VP
N3000/Cisco ASA GW VID
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) wit
h payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13
) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total lengt
h : 371
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) wi
th payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0
) total length : 120
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing hash payl
oad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Computing hash for I
SAKMP
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing notify pa
yload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing VID paylo
ad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Processing IOS/PIX V
endor ID payload (version: 1.0.0, capabilities: 00000408)
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing VID paylo
ad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Received Cisco Unity
 client VID
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing blank h
ash payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing qm hash
 payload
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=732d96
ba) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 104
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=732d9
6ba) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, process_attr(): Ente
r!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Processing MODE_CFG
Reply attributes.


!--- User (vpn2) attributes from the tunnel group (vpn2) are downloaded
!--- to the VPN Client.


May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: primary DNS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: secondary DNS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: primary WINS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: secondary WINS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: split tunneling list = SPLIT-Tunnel-vpn2group
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: IP Compression = disabled


!--- Split tunnel policy attributes are downloaded to the VPN Client (user2).


May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: Split Tunneling Policy = Split Network
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, User (vpn
2) authenticated.
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=2b0b30
6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=2b0b3
06) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cess_attr(): Enter!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pro
cessing cfg ACK attributes
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=b983e
913) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 194
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cess_attr(): Enter!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pro
cessing cfg Request attributes
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for IPV4 address!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for IPV4 net mask!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for DNS server address!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for WINS server address!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
unsupported transaction mode attribute: 5
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Banner!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Save PW setting!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Default Domain Name!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Split Tunnel List!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Split DNS!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for PFS setting!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
unknown transaction mode attribute: 28683
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for backup ip-sec peer list!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Application Version!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Client Ty
pe: WinNT  Client Application Version: 4.8.01.0300
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for FWTYPE!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for DHCP hostname for DDNS is: tsweb-laptop!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for UDP Port!


!--- Assigns the private address to the remote user.


May 26 01:43:19 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Assigned
private IP address 10.0.4.1 to remote user
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 26 01:43:19 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=751f67
7d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 189
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Del
ay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Res
ume Quick Mode processing, Cert/Trans Exch/RM DSID completed


!--- ISAKMP (Phase 1) process is complete.


May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, PHASE 1 COMPLETED
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, Keep-alive type for this connection: DPD
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Sta
rting phase 1 rekey timer: 82080000 (ms)
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, sen
ding notify message
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=1a3238
c3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=a8bc0
892) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NO
NE (0) total length : 1026
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing SA payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing nonce payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing ID payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
remote Proxy Host data in ID Payload:  Address 10.0.2.10, Protocol 0, Port 0
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing ID payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Proto
col 0, Port 0
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, QM IsReke
yed old sa not found by addr
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE Remot
e Peer configured for crypto map: dynmap
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing IPSec SA payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IPS
ec SA Proposal # 14, Transform # 1 acceptable  Matches global IPSec SA entry # 10
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE: requ
esting SPI!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
 got SPI from key engine: SPI = 0xb9b5c50a
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, oak
ley constucting quick mode
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing IPSec SA payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Overridin
g Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing IPSec nonce payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing proxy ID
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Tra
nsmitting Proxy Id:
  Remote host: 10.0.2.10  Protocol 0  Port 0
  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Sen
ding RESPONDER LIFETIME notification to Initiator
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=a8bc08
92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOT
IFY (11) + NONE (0) total length : 180
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=a8bc0
892) with payloads : HDR + HASH (8) + NONE (0) total length : 52
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, loa
ding all IPSEC SAs
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Gen
erating Quick Mode Key!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Gen
erating Quick Mode Key!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Security
negotiation complete for User (vpn2)  Responder, Inbound SPI = 0xb9b5c50a, Outbo
und SPI = 0x691a0f90
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
 got a KEY_ADD msg for SA: SPI = 0x691a0f90
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pit
cher: received KEY_UPDATE, spi 0xb9b5c50a
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Starting
P2 Rekey timer to expire in 27360 seconds


!--- Adds a static route for the client IP address in the PIX and 
!--- the Phase 2 completed notification.


May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Adding st
atic route for client address: 10.0.2.10
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, PHASE 2 C
OMPLETED (msgid=a8bc0892)



PIX#debug crypto ipsec 7
pix# IPSEC: New embryonic SA created @ 0x02501E38,
    SCB: 0x02501DA8,
    Direction: inbound
    SPI      : 0x2F8C6D57
    Session ID: 0x00000001
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x02483448,
    SCB: 0x02507930,
    Direction: outbound
    SPI      : 0x7233CD22
    Session ID: 0x00000001
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x7233CD22
IPSEC: Creating outbound VPN context, SPI 0x7233CD22
    Flags: 0x00000005
    SA   : 0x02483448
    SPI  : 0x7233CD22
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02507930
    Channel: 0x014A42F0
IPSEC: Completed outbound VPN context, SPI 0x7233CD22
    VPN handle: 0x0245DBE8
IPSEC: New outbound encrypt rule, SPI 0x7233CD22
    Src addr: 0.0.0.0
    Src mask: 0.0.0.0
    Dst addr: 10.0.2.10
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x7233CD22
    Rule ID: 0x025077F8
IPSEC: New outbound permit rule, SPI 0x7233CD22
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x7233CD22
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x7233CD22
    Rule ID: 0x0245DC98
IPSEC: Completed host IBSA update, SPI 0x2F8C6D57
IPSEC: Creating inbound VPN context, SPI 0x2F8C6D57
    Flags: 0x00000006
    SA   : 0x02501E38
    SPI  : 0x2F8C6D57
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0245DBE8
    SCB  : 0x02501DA8
    Channel: 0x014A42F0
IPSEC: Completed inbound VPN context, SPI 0x2F8C6D57
    VPN handle: 0x024736F0
IPSEC: Updating outbound VPN context 0x0245DBE8, SPI 0x7233CD22
    Flags: 0x00000005
    SA   : 0x02483448
    SPI  : 0x7233CD22
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x024736F0
    SCB  : 0x02507930
    Channel: 0x014A42F0
IPSEC: Completed outbound VPN context, SPI 0x7233CD22
    VPN handle: 0x0245DBE8
IPSEC: Completed outbound inner rule, SPI 0x7233CD22
    Rule ID: 0x025077F8
IPSEC: Completed outbound outer SPD rule, SPI 0x7233CD22
    Rule ID: 0x0245DC98


!--- The IP address is assigned to the VPN Client 
!--- from the pool (user2) of the PIX.


IPSEC: New inbound tunnel flow rule, SPI 0x2F8C6D57
    Src addr: 10.0.2.10
    Src mask: 255.255.255.255
    Dst addr: 0.0.0.0
    Dst mask: 0.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x2F8C6D57
    Rule ID: 0x02515C88
IPSEC: New inbound decrypt rule, SPI 0x2F8C6D57
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2F8C6D57
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x2F8C6D57
    Rule ID: 0x022A7D10


!--- Inbound rule for the VPN Client is downloaded from 
!--- the split tunnel access list of the PIX.


IPSEC: New inbound permit rule, SPI 0x2F8C6D57
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2F8C6D57
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x2F8C6D57
    Rule ID: 0x02507788

VPN Client 4.8 for Windows

Choose Log > Log Settings to enable the log levels in the Cisco VPN Client.

[Figure: multi-vpngroup-clients-diff-vlans-9.gif]

Choose Log > Log Windows to view the log entries in the Cisco VPN Client. The split tunnel access list is downloaded from the PIX for the user in the vpn2 tunnel group.

[Figure: multi-vpngroup-clients-diff-vlans-10.gif]

Document ID: 69393