安全 : Cisco PIX 500 系列安全设备

使用 Cisco Secure ACS 身份验证的 PIX/ASA 7.x 和 Cisco VPN 客户端 4.x 配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2014 年 9 月 29 日) | 反馈


目录


简介

本配置示例显示如何使用 Cisco 安全访问控制服务器(ACS 版本 3.2)在 Cisco VPN Client(适用于 Windows 的 4.x 版本)与 PIX 500 系列安全设备 7.x 之间设置远程访问 VPN 连接以进行扩展身份验证 (Xauth)。

要了解有关 PIX/ASA 7.x 中使用 Cisco VPN Client 4.8 的相同方案的更多信息,请参阅 PIX/ASA 7.x 和适用于 Windows 的 Cisco VPN Client 使用 Microsoft Windows 2003 IAS RADIUS 身份验证的配置示例

要了解相同 PIX 6.x 与 Cisco VPN 客户端 3.5 配置的详细信息,请参阅 Cisco Secure PIX 6.x 和适用于 Windows 的 Cisco VPN 客户端 3.5 与 Microsoft Windows 2000 和 2003 IAS RADIUS 身份验证

先决条件

要求

在尝试进行此配置之前,请确保可以从 Internet 访问 PIX 500 系列安全设备。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • PIX 515E 系列安全设备软件版本 7.1(1)

  • 适用于 Windows 的 Cisco VPN 客户端 4.8 版

  • 思科安全访问控制服务器(ACS)版本3.2

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

相关产品

此配置还可以用于 Cisco ASA 5500 系列安全设备。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

背景信息

远程访问 VPN 满足了移动工作者的安全连接组织网络的需要。移动用户可以使用安装在其 PC 机上的 VPN 客户端软件来建立安全连接。VPN 客户端将会向已配置为接受这些请求的中心站点设备发起连接。在本示例中,中心站点设备是一台使用动态加密映射的 PIX 500 系列安全设备。

本配置示例针对 IPsec 隧道配置了以下要素:

  • 对 PIX 上的外部接口应用加密映射。

  • 利用 RADIUS 数据库实现 VPN 客户端的 Xauth。

  • 从地址池中为 VPN 客户端动态分配专用 IP 地址。

  • nat 0 access-list 命令功能,此功能允许 LAN 上的主机使用远程用户的专用 IP 地址,同时仍可从 PIX 处获得网络地址转换 (NAT) 地址,以访问不受信任的网络。

配置

使用Windows 2003年互联网认证服务(IAS)服务器,在此部分,您提交以信息配置与Xauth的远程访问虚拟专用网连接。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/82480/pixasa7x-vpn4x-acs-auth-1.gif

配置

本文档使用以下配置:

PIX 515E 安全设备
PIX Version 7.1(1)
!
hostname PIX

!--- Specify the domain name for the security appliance.

domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names


!--- Configure the outside and inside interfaces.

!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.10.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.11.1.1 255.255.255.0
!

!--- Output is suppressed.

!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive


!--- Specify the interface which points toward the DNS server
!--- to enable the PIX to use DNS.

dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30


!--- Specify the location of the DNS server in the DefaultDNS group.


 name-server 172.16.1.1

 domain-name cisco.com


!--- This access list is used for a nat zero command. 
!--- This command prevents traffic that matches the access list from undergoing NAT.


access-list 101 extended permit ip 172.16.0.0 255.255.0.0 10.16.20.0 255.255.255.00

pager lines 24
logging buffer-size 500000
logging console debugging
logging monitor errors
mtu outside 1500
mtu inside 1500

!--- Create a pool of addresses from which IP addresses are assigned 
!--- dynamically to the remote VPN Clients.


ip local pool vpnclient 10.16.20.1-10.16.20.5

no failover
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400


!--- NAT 0 prevents NAT for networks specified in the ACL 101.
!--- The nat 1 command specifies Port Address Translation (PAT)
!--- using the outside interface (10.10.1.2) for all other traffic.


global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.0.0 255.255.255.0 10.10.1.1 1
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 172.16.0.0 255.255.0.0 10.11.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute


!--- Create the AAA server group "vpn" and specify the protocol as RADIUS.
!--- Specify the Cisco Secure ACS server as a member of the "vpn" group and provide the
!--- location and key.


aaa-server vpn protocol radius
aaa-server vpn host 10.11.1.2
 key cisco123


!--- Create the VPN users' group policy and specify the DNS server IP address
!--- and the domain name in the group policy.

group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 172.16.1.1
 default-domain value cisco.com


!--- In order to identify remote access users to the security appliance, 
!--- you can also configure usernames and passwords on the device
!--- in addition to using AAA. 


username vpn3000 password nPtKy7KDCerzhKeX encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart


!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.  
!--- A single Data Encryption Standard (DES) encryption with
!--- the md5 hash algorithm is used.


crypto ipsec transform-set my-set esp-des esp-md5-hmac


!--- Defines a dynamic crypto map with 
!--- the specified encryption settings.


crypto dynamic-map dynmap 10 set transform-set my-set


!--- Enable Reverse Route Injection (RRI), which allows the security appliance 
!--- to learn routing information for connected clients.


crypto dynamic-map dynmap 10 set reverse-route


!--- Binds the dynamic map to the IPsec/ISAKMP process.


crypto map mymap 10 ipsec-isakmp dynamic dynmap


!--- Specifies the interface to be used with 
!--- the settings defined in this configuration.


crypto map mymap interface outside


!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses ISAKMP policy 10.   
!--- Policy 65535 is included in the configuration by default.
!--- The configuration commands here define the Phase 
!--- 1 policy parameters that are used.


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400


!--- The security appliance provides the default tunnel groups
!--- for remote access (DefaultRAGroup). 


tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn


!--- Create a new tunnel group and set the connection 
!--- type to IPsec remote access (ipsec-ra).


tunnel-group vpn3000 type ipsec-ra
 

!--- Associate the VPN Client pool to the tunnel group using the address pool.
!--- Associate the AAA server group (VPN) with the tunnel group.


tunnel-group vpn3000 general-attributes
 address-pool vpnclient
 authentication-server-group vpn
 

!--- Enter the pre-shared-key to configure the authentication method.


tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:ecb58c5d8ce805b3610b198c73a3d0cf
: end

VPN 客户端 4.8 配置

完成以下这些步骤,配置 VPN 客户端 4.8。

  1. 选择开始 > 程序 > Cisco Systems VPN 客户端 > VPN 客户端

  2. 单击 New 以启动 Create New VPN Connection Entry 窗口。

    pixasa7x-vpn4x-acs-auth-2.gif

  3. 输入 Connection Entry 的名称与说明。在 Host 框中输入 PIX 防火墙的外部 IP 地址。然后输入 VPN 组的名称和口令,并单击 Save

    /image/gif/paws/82480/pixasa7x-vpn4x-acs-auth-3.gif

  4. 单击要使用的连接,然后从 VPN 客户端主窗口中单击 Connect

    /image/gif/paws/82480/pixasa7x-vpn4x-acs-auth-4.gif

  5. 出现提示时,输入用于 xauth 的 Username 和 Password 信息,然后单击 OK 以连接远程网络。

    /image/gif/paws/82480/pixasa7x-vpn4x-acs-auth-5.gif

  6. VPN 客户端即会与中心站点的 PIX 建立连接。

    /image/gif/paws/82480/pixasa7x-vpn4x-acs-auth-6.gif

  7. 选择 Status > Statistics 以查看 VPN 客户端的隧道统计数据。

    pixasa7x-vpn4x-acs-auth-7.gif

使用 Cisco Secure ACS 配置 RADIUS 服务器

完成以下步骤,以便在 Cisco Secure ACS 中配置 RADIUS。

  1. 在左侧选择 Network Configuration,然后单击 Add Entry,为 TACACS+ 或 RADIUS 服务器数据库中的 PIX 添加条目。根据 PIX 配置选择服务器数据库。

    pixasa7x-vpn4x-acs-auth-8.gif

  2. 在 Client IP Address 字段中输入 10.11.1.1 ,在共享密钥 Key 字段中输入 cisco123。在 Authenticate Using 下拉框中选择 RADIUS (Cisco IOS/PIX)。单击 Submit

    pixasa7x-vpn4x-acs-auth-9.gif

    注意: 共享密钥应该与 PIX 中配置的相同。

    aaa-server vpn host 10.11.1.2
     key cisco123
    

    注意: 如果要选择 ACACS+ protocol 进行身份验证,则请在 Authenticate Using 下拉菜单中选择 TACACS+(Cisco IOS)。

  3. 在 User 字段中,输入 Cisco Secure 数据库中的用户名,然后单击 Add/Edit

    在本示例中,用户名是 administrator

    pixasa7x-vpn4x-acs-auth-10.gif

  4. 在下一个窗口中,输入 administrator 的口令。在本示例中,口令也是 password1。如果需要,可将用户帐户映射到组。完成后,单击 Submit

    /image/gif/paws/82480/pixasa7x-vpn4x-acs-auth-11.gif

验证

AAA 身份验证

从 PIX 中,在全局配置模式下使用 Test 关键字和 aaa authentication 命令,以使用 AAA 服务器验证用户身份。输入命令后,PIX 将会提示您输入要验证的用户名和口令。当用户凭证有效通过验证后,您将会收到 Authentication Successful 消息。

pix(config-aaa-server-host)#test aaa authentication radius host 10.11.1.2

Username: administrator
Password: *****

INFO: Attempting Authentication test to IP address <10.11.1.2> (timeout: 12 sec
onds)
INFO: Authentication Successful

显示命令

本部分所提供的信息可用于确认您的配置是否正常工作。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • show crypto isakmp sa — 显示对等体上的所有当前 IKE 安全关联 (SA)。

  • show crypto ipsec sa — 显示当前 SA 使用的设置。

PIX#show crypto ipsec sa
				interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 10.10.1.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.16.20.1/255.255.255.255/0/0)
      current_peer: 10.0.0.1, username: administrator
      dynamic allocated peer ip: 10.16.20.1

      #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
      #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.1.2, remote crypto endpt.: 10.0.0.1

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: CA8BF3BC

    inbound esp sas:
      spi: 0xE4F08D9F (3840970143)
         transform: esp-des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28689
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCA8BF3BC (3398169532)
         transform: esp-des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28687
         IV size: 8 bytes
         replay detection support: Y

故障排除

本部分提供的信息可用于对配置进行故障排除。此外本部分还提供了 debug 输出示例。

清除安全关联

排除故障时,请务必在完成更改后清除现有安全关联。在 PIX 的特权模式下,使用以下命令:

  • clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  • clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。

故障排除命令

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

注意: 使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

  • debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  • debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。

调试输出示例

PIX 防火墙

PIX#debug crypto isakmp 7
PIX# May 22 22:32:25 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=
9117fc3d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :
 80
May 22 22:32:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:32:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:32:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1


!--- Dead-Peer-Detection exchange

0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6342)
May 22 22:32:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6342)
May 22 22:32:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:32:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:32:25 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=4c047e
39) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:32:36 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=a1063
306) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:32:36 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:32:36 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:32:36 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6343)
May 22 22:32:36 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6343)
May 22 22:32:36 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:32:36 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:32:36 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=ceada9
19) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:32:47 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=ab66b
5e2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:32:47 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:32:47 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:32:47 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6344)
May 22 22:32:47 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6344)
May 22 22:32:47 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:32:47 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:32:47 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=b5341b
a5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:32:58 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=22d77
ee7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:32:58 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:32:58 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:32:58 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6345)
May 22 22:32:58 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6345)
May 22 22:32:58 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:32:58 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:32:58 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=8d688b
d2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:33:14 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=f949a
e6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:33:14 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:33:14 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:33:14 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6346)
May 22 22:33:14 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6346)
May 22 22:33:14 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:33:14 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:33:14 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=fd9fef
25) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:33:25 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=54d3b
543) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:33:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:33:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:33:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6347)
May 22 22:33:25 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6347)
May 22 22:33:26 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:33:26 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:33:26 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=4d4102
0b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:33:37 [IKEv1]: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=af7ad
910) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 22:33:37 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing hash payload
May 22 22:33:37 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, processing notify payload
May 22 22:33:37 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x36a6348)
May 22 22:33:37 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x36a6348)
May 22 22:33:37 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing blank hash payload
May 22 22:33:37 [IKEv1 DEBUG]: Group = vpn3000, Username = administrator, IP = 1
0.0.0.1, constructing qm hash payload
May 22 22:33:37 [IKEv1]: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=84cd22
35) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

PIX#debug crypto ipsec 7


!--- Deletes the old SAs.

PIX# IPSEC: Deleted inbound decrypt rule, SPI 0xA7E3E225
    Rule ID: 0x0243DD38
IPSEC: Deleted inbound permit rule, SPI 0xA7E3E225
    Rule ID: 0x024BA720
IPSEC: Deleted inbound tunnel flow rule, SPI 0xA7E3E225
    Rule ID: 0x02445A48
IPSEC: Deleted inbound VPN context, SPI 0xA7E3E225
    VPN handle: 0x018F68A8
IPSEC: Deleted outbound encrypt rule, SPI 0xB9C97D06
    Rule ID: 0x024479B0
IPSEC: Deleted outbound permit rule, SPI 0xB9C97D06
    Rule ID: 0x0243E9E0
IPSEC: Deleted outbound VPN context, SPI 0xB9C97D06
    VPN handle: 0x0224F490


!--- Creates new SAs.

IPSEC: New embryonic SA created @ 0x02448B38,
    SCB: 0x024487E0,
    Direction: inbound
    SPI      : 0xE4F08D9F
    Session ID: 0x00000001
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x02446750,
    SCB: 0x02511DD8,
    Direction: outbound
    SPI      : 0xCA8BF3BC
    Session ID: 0x00000001
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xCA8BF3BC
IPSEC: Creating outbound VPN context, SPI 0xCA8BF3BC
    Flags: 0x00000005
    SA   : 0x02446750
    SPI  : 0xCA8BF3BC
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02511DD8
    Channel: 0x014A42F0
IPSEC: Completed outbound VPN context, SPI 0xCA8BF3BC
    VPN handle: 0x024B9868
IPSEC: New outbound encrypt rule, SPI 0xCA8BF3BC
    Src addr: 0.0.0.0
    Src mask: 0.0.0.0
    Dst addr: 10.16.20.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xCA8BF3BC
    Rule ID: 0x024B9B58
IPSEC: New outbound permit rule, SPI 0xCA8BF3BC
    Src addr: 10.10.1.2
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xCA8BF3BC
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xCA8BF3BC
    Rule ID: 0x024E7D18
IPSEC: Completed host IBSA update, SPI 0xE4F08D9F
IPSEC: Creating inbound VPN context, SPI 0xE4F08D9F
    Flags: 0x00000006
    SA   : 0x02448B38
    SPI  : 0xE4F08D9F
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x024B9868
    SCB  : 0x024487E0
    Channel: 0x014A42F0
IPSEC: Completed inbound VPN context, SPI 0xE4F08D9F
    VPN handle: 0x024D90A8
IPSEC: Updating outbound VPN context 0x024B9868, SPI 0xCA8BF3BC
    Flags: 0x00000005
    SA   : 0x02446750
    SPI  : 0xCA8BF3BC
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x024D90A8
    SCB  : 0x02511DD8
    Channel: 0x014A42F0
IPSEC: Completed outbound VPN context, SPI 0xCA8BF3BC
    VPN handle: 0x024B9868
IPSEC: Completed outbound inner rule, SPI 0xCA8BF3BC
    Rule ID: 0x024B9B58
IPSEC: Completed outbound outer SPD rule, SPI 0xCA8BF3BC
    Rule ID: 0x024E7D18
IPSEC: New inbound tunnel flow rule, SPI 0xE4F08D9F
    Src addr: 10.16.20.1
    Src mask: 255.255.255.255
    Dst addr: 0.0.0.0
    Dst mask: 0.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xE4F08D9F
    Rule ID: 0x0243DD38
IPSEC: New inbound decrypt rule, SPI 0xE4F08D9F
    Src addr: 10.0.0.1
    Src mask: 255.255.255.255
    Dst addr: 10.10.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xE4F08D9F
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xE4F08D9F
    Rule ID: 0x02440628
IPSEC: New inbound permit rule, SPI 0xE4F08D9F
    Src addr: 10.0.0.1
    Src mask: 255.255.255.255
    Dst addr: 10.10.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xE4F08D9F
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xE4F08D9F
    Rule ID: 0x0251A970

适用于 Windows 的 VPN 客户端 4.8

选择 Log > Log settings 以便在 VPN 客户端中启用日志级别。

pixasa7x-vpn4x-acs-auth-12.gif

选择 Log > Log Window 以查看 VPN 客户端中的日志项。

pixasa7x-vpn4x-acs-auth-13.gif

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 82480