安全 : Cisco PIX 500 系列安全设备

PIX/ASA:具有PIX 515E的Easy VPN作为服务器和ASA 5505作为客户端(NEM)的配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2014 年 9 月 15 日) | 反馈


目录


简介

本文档提供了 Cisco PIX 515E 和使用带有网络扩展模式 (NEM) 的 Easy VPN 的 Cisco 自适应安全设备 (ASA) 5505 之间的 IPsec 的配置示例。Cisco Easy VPN 解决方案包括位于主站点的 Easy VPN 服务器和位于远程办公室的 Easy VPN 硬件客户端。Cisco ASA 5505 可以用作 Cisco Easy VPN 硬件客户端或 Cisco Easy VPN 服务器(有时称为前端设备),但不能同时用作此二者。在此处的拓扑中,Cisco PIX 515E 用作 Easy VPN Server,而 ASA 5505 用作 Easy VPN Remote Client(硬件客户端)。

Easy VPN 硬件客户端支持以下两种运行模式之一:客户端模式或网络扩展模式 (NEM)。运行模式决定了是否可以通过隧道从企业网络访问 Easy VPN 硬件客户端之后的主机。

客户端模式(也称为端口地址转换 (PAT) 模式)将 Easy VPN 客户端专用网络上的所有设备与企业网络上的设备隔离。Easy VPN 客户端对其内部主机的所有 VPN 数据流执行 PAT。Easy VPN 客户端内部接口或内部主机均不需要 IP 地址管理。

NEM 使内部接口和所有内部主机均可通过隧道在整个企业网络上路由。内部网络上的主机从预配置了静态 IP 地址的可访问子网(使用静态方式或 DHCP)获取其 IP 地址。PAT 不适用于 NEM 模式下的 VPN 数据流。此模式不要求每个客户端均进行 VPN 配置。进行了 NEM 模式配置的 ASA 5505 支持隧道自动启动功能。此配置必须存储组名称、用户名和密码。

如果启用了安全单元身份验证,则会禁用隧道自动启动功能。Easy VPN 客户端的专用端的网络和地址处于隐藏状态,无法直接对其进行访问。

Easy VPN 硬件客户端没有默认模式。但是,如果未在自适应安全设备管理器 (ASDM) 中指定模式,则 ASDM 将会自动选择客户端模式。使用 CLI 配置 Easy VPN 硬件客户端时,必须指定某个模式。

有关将 Cisco 871 路由器用作 Easy VPN Remote 的类似方案的详细信息,请参阅将 ASA 5500 用作服务器,将 Cisco 871 用作 Easy VPN Remote 的 PIX/ASA 7.x Easy VPN 配置示例

先决条件

要求

尝试进行此配置之前,请确保满足以下要求:

  • 基本了解以下内容:

    • IPsec

    • Easy VPN

    • ASA/PIX 安全设备

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Easy VPN Remote 硬件客户端为运行 7.2(1) 版本及更高版本的 ASA 5505。

  • Easy VPN 服务器为运行 7.x 版本及更高版本的 PIX 515E。

注意: 本文档中的 Easy VPN 服务器配置适用于运行 7.x 版本及更高版本的 PIX/ASA。

注意: 仅 ASA 5505 支持 Easy VPN 客户端配置。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

背景信息

使用 Easy VPN 解决方案可从以下方面简化 VPN 的部署和管理:

本配置示例针对 IPsec 隧道配置了以下要素:

  • 位于远程站点的主机不再需要运行 VPN 客户端软件。

  • 安全策略驻留在中央服务器上,在建立 VPN 连接时,安全策略将被推送至远程硬件客户端。

  • 仅需要在本地设置少量的配置参数,降低了对于现场管理的需求。

将 ASA 5505 用作 Easy VPN 硬件客户端时,也可对其进行相应配置,使其执行基本的防火墙服务,例如阻止对 DMZ 中的设备进行未经授权的访问。但是,如果对 ASA 5505 进行配置,将其用作 Easy VPN 硬件客户端,则它将无法建立其他类型的隧道。例如,不可将 ASA 5505 同时用作 Easy VPN 硬件客户端和标准点对点 VPN 部署的某一端

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

配置为 Easy VPN 网络扩展模式时,ASA 5505 不会通过使用公共 IP 地址替换的方式隐藏本地主机的 IP 地址。因此,在 VPN 连接另一端的主机可以直接与本地网络上的主机进行通信。配置 NEM 时,Easy VPN 客户端后的网络不应与 Easy VPN 服务器后的网络重叠。下图显示了包含以网络扩展模式运行的 ASA 5505 的示例网络拓扑。

/image/gif/paws/98528/ezvpn-asa5505-515e-1.gif

配置

本文档使用以下配置:

Easy VPN 服务器 (PIX 515E)
pixfirewall#write terminal
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!

!--- Configure the outside and inside interfaces.

interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.22.1.1 255.255.255.0
!

!--- Output Suppressed

!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive


!--- This access list is used for a nat zero command that prevents 
!--- traffic, which matches the access list, so it does  
!--- not undergo network address translation (NAT).


access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0

!--- This access list is used to define the traffic 
!--- that should pass through the tunnel.
!--- It is bound to the group policy, which defines 
!--- a dynamic crypto map.

access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400



!--- Specify the NAT configuration.  
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
!--- The nat 1 command specifies NAT for all other traffic.

global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.20.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart




!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.  
!--- A single DES encryption with
!--- the md5 hash algorithm is used.

crypto ipsec transform-set mySET esp-des esp-md5-hmac


!--- This command defines a dynamic crypto map 
!--- with the specified encryption settings.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET


!--- This command binds the dynamic map to 
!--- the IPsec/ISAKMP process.

crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP


!--- This command specifies the interface to be used  
!--- with the settings defined in this configuration.

crypto map myMAP interface outside


!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses isakmp policy 1.   
!--- Policy 65535 is included in the default
!--- configuration. These configuration commands  
!--- define the Phase 1 policies that are used.

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global


!--- This defines the group policy you use with Easy VPN.  
!--- Specify the networks that should pass through
!--- the tunnel and that you want to 
!--- use network extension mode.

group-policy myGROUP internal
group-policy myGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable
 

!--- The username and password associated with 
!--- this VPN connection are defined here.  You
!--- can also use AAA for this function.

username cisco password 3USUcOPFUiMCO4Jk encrypted

!--- The tunnel-group commands bind the configurations 
!--- defined in this configuration to the tunnel that is
!--- used for Easy VPN.  This tunnel name is the one 
!--- specified on the remote side.

tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes

!--- The pre-shared-key used is "cisco".

 pre-shared-key *
prompt hostname context
Cryptochecksum:a16e3c19d5b2ab400151e0c13d26b074
: end

ASA 5505 - Easy VPN 远程硬件客户端
ciscoasa#write terminal
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!


!--- Output Suppressed

!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400

!--- Set the standard NAT configuration.  
!--- Easy VPN provides the NAT exceptions needed.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0


!--- Easy VPN Client Configuration ---!
!--- Specify the IP address of the VPN server.

vpnclient server 10.20.20.1

!--- This example uses network extension mode.

vpnclient mode network-extension-mode

!--- Specify the group name and the pre-shared key.

vpnclient vpngroup mytunnel password ********

!--- Specify the authentication username and password.

vpnclient username cisco password ********

!--- In order to enable the device as hardware vpnclient, use this command.

vpnclient enable

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!

!--- Output suppressed

!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dfcc004fbc2988e4370226f8d592b205
: end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

PIX Easy VPN 服务器 show 命令和示例输出

  • show crypto isakmp sa - 此命令用于显示对等体上的所有当前 Internet 密钥交换 (IKE) 安全关联 (SA)。

    pixfirewall#show crypto isakmp sa
    
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 10.10.10.1
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
  • show crypto ipsec sa - 此命令用于显示对等体之间构建的 IPsec SA。

    pixfirewall#show crypto ipsec sa
    interface: outside
       Crypto map tag: myDYN-MAP, seq num: 5, local addr: 10.20.20.1
    
         local ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
         remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
         current_peer: 10.10.10.1, username: cisco
         dynamic allocated peer ip: 0.0.0.0
    
         #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
         #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
         #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
         #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
         #send errors: 0, #recv errors: 0
    
         local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
    
         path mtu 1500, ipsec overhead 58, media mtu 1500
         current outbound spi: 4DC131C7
    
       inbound esp sas:
         spi: 0x6F48BB47 (1867037511)
            transform: esp-des esp-md5-hmac none
            in use settings ={RA, Tunnel, }
            slot: 0, conn_id: 4096, crypto-map: myDYN-MAP
            sa timing: remaining key lifetime (sec): 28656
            IV size: 8 bytes
            replay detection support: Y
       outbound esp sas:
         spi: 0x4DC131C7 (1304506823)
            transform: esp-des esp-md5-hmac none
            in use settings ={RA, Tunnel, }
            slot: 0, conn_id: 4096, crypto-map: myDYN-MAP
            sa timing: remaining key lifetime (sec): 28656
            IV size: 8 bytes
            replay detection support: Y
    
       Crypto map tag: myDYN-MAP, seq num: 5, local addr: 10.20.20.1
    
         local ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
         remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
         current_peer: 10.10.10.1, username: cisco
         dynamic allocated peer ip: 0.0.0.0
    
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
         #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
         #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
         #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
         #send errors: 0, #recv errors: 0
    
         local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
    
         path mtu 1500, ipsec overhead 58, media mtu 1500
         current outbound spi: DC1F63B2
    
       inbound esp sas:
         spi: 0x5288CD4D (1384697165)
            transform: esp-des esp-md5-hmac none
            in use settings ={RA, Tunnel, }
            slot: 0, conn_id: 4096, crypto-map: myDYN-MAP
            sa timing: remaining key lifetime (sec): 28634
            IV size: 8 bytes
            replay detection support: Y
       outbound esp sas:
         spi: 0xDC1F63B2 (3693044658)
            transform: esp-des esp-md5-hmac none
            in use settings ={RA, Tunnel, }
            slot: 0, conn_id: 4096, crypto-map: myDYN-MAP
            sa timing: remaining key lifetime (sec): 28634
            IV size: 8 bytes
            replay detection support: Y
    
       Crypto map tag: myDYN-MAP, seq num: 5, local addr: 10.20.20.1
    
         local ident (addr/mask/prot/port): (10.20.20.1/255.255.255.255/0/0)
         remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
         current_peer: 10.10.10.1, username: cisco
         dynamic allocated peer ip: 0.0.0.0
    
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
         #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
         #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
         #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
         #send errors: 0, #recv errors: 0
    
         local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
    
         path mtu 1500, ipsec overhead 58, media mtu 1500
         current outbound spi: CADED9A2
    
       inbound esp sas:
         spi: 0xD04E7073 (3494801523)
            transform: esp-des esp-md5-hmac none
            in use settings ={RA, Tunnel, }
            slot: 0, conn_id: 4096, crypto-map: myDYN-MAP
            sa timing: remaining key lifetime (sec): 28628
            IV size: 8 bytes
            replay detection support: Y
       outbound esp sas:
         spi: 0xCADED9A2 (3403602338)
            transform: esp-des esp-md5-hmac none
            in use settings ={RA, Tunnel, }
            slot: 0, conn_id: 4096, crypto-map: myDYN-MAP
            sa timing: remaining key lifetime (sec): 28628
            IV size: 8 bytes
            replay detection support: Y

PIX Easy VPN 远程硬件客户端 show 命令和示例输出

  • vpnclient enable - 此命令用于启用 Easy VPN 远程连接。在网络扩展模式 (NEM) 下,即使没有要与前端 Easy VPN 服务器进行交换的相关数据流,隧道也会处于启用状态。

    ciscoasa(config)#vpnclient enable
    
  • show crypto isakmp sa - 此命令用于显示对等体上的所有当前 IKE SA。

    ciscoasa#show crypto isakmp sa
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 10.20.20.1
        Type    : user            Role    : initiator
        Rekey   : no              State   : AM_ACTIVE
  • show crypto ipsec sa - 此命令用于显示对等体之间构建的 IPsec SA。

    ciscoasa#show crypto ipsec sa
    interface: outside
        Crypto map tag: _vpnc_cm, seq num: 10, local addr: 10.10.10.1
    
          access-list _vpnc_acl permit ip 172.16.1.0 255.255.255.0 172.22.1.0 255.25
    5.255.0
          local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
          current_peer: 10.20.20.1, username: 10.20.20.1
          dynamic allocated peer ip: 0.0.0.0
    
          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
    
          local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.20.20.1
    
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 6F48BB47
    
        inbound esp sas:
          spi: 0x4DC131C7 (1304506823)
             transform: esp-des esp-md5-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
             sa timing: remaining key lifetime (sec): 28786
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x6F48BB47 (1867037511)
             transform: esp-des esp-md5-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
             sa timing: remaining key lifetime (sec): 28786
             IV size: 8 bytes
             replay detection support: Y
    
        Crypto map tag: _vpnc_cm, seq num: 10, local addr: 10.10.10.1
    
          access-list _vpnc_acl permit ip host 10.10.10.1 172.22.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
          current_peer: 10.20.20.1, username: 10.20.20.1
          dynamic allocated peer ip: 0.0.0.0
    
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
    
          local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.20.20.1
    
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 5288CD4D
    
        inbound esp sas:
          spi: 0xDC1F63B2 (3693044658)
             transform: esp-des esp-md5-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
             sa timing: remaining key lifetime (sec): 28759
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x5288CD4D (1384697165)
             transform: esp-des esp-md5-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
             sa timing: remaining key lifetime (sec): 28759
             IV size: 8 bytes
             replay detection support: Y
    
        Crypto map tag: _vpnc_cm, seq num: 10, local addr: 10.10.10.1
    
          access-list _vpnc_acl permit ip host 10.10.10.1 host 10.20.20.1
          local ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (10.20.20.1/255.255.255.255/0/0)
          current_peer: 10.20.20.1, username: 10.20.20.1
          dynamic allocated peer ip: 0.0.0.0
    
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
    
          local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.20.20.1
    
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: D04E7073
    
        inbound esp sas:
          spi: 0xCADED9A2 (3403602338)
             transform: esp-des esp-md5-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
             sa timing: remaining key lifetime (sec): 28752
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xD04E7073 (3494801523)
             transform: esp-des esp-md5-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
             sa timing: remaining key lifetime (sec): 28752
             IV size: 8 bytes
             replay detection support: Y
  • show vpnclient - 此命令用于显示 VPN 客户端或 Easy VPN 远程设备配置信息。

    ciscoasa#show vpnclient
    
    LOCAL CONFIGURATION
    vpnclient server 10.20.20.1
    vpnclient mode network-extension-mode
    vpnclient vpngroup mytunnel password ********
    vpnclient username cisco password ********
    vpnclient enable
    
    DOWNLOADED DYNAMIC POLICY
    Current Server                     : 10.20.20.1
    PFS Enabled                        : No
    Secure Unit Authentication Enabled : No
    User Authentication Enabled        : No
    Split Tunnel Networks              : 172.22.1.0/255.255.255.0
    Backup Servers                     : None

故障排除

本部分提供的信息可用于对配置进行故障排除。

如果已根据本文档所述内容设置了 Easy VPN 远程硬件客户端和 Easy VPN 服务器,但是仍然遇到问题,请收集每个 PIX 的 debug 输出和 show 命令的输出,以供 Cisco 技术支持部门进行分析。有关详细信息,请参阅对 PIX 进行故障排除以在已建立的 IPSec 隧道上传输数据流IP 安全故障排除 - 了解和使用 debug 命令。在 PIX 上启用 IPsec 调试。

以下部分显示了 PIX debug 命令和示例输出。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

注意: 使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

Easy VPN 服务器命令

  • debug crypto ipsec - 此命令用于显示第 2 阶段的 IPsec 协商。

  • debug crypto isakmp - 此命令用于显示第 1 阶段的 ISAKMP 协商。

以下为输出示例:

pixfirewall#debug crypto isakmp 2
Aug 08 03:26:09 [IKEv1]: IP = 10.10.10.1, Connection lan
ded on tunnel_group mytunnel
Aug 08 03:26:09 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, Us
er (cisco) authenticated.
Aug 08 03:26:09 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, PH
ASE 1 COMPLETED
Aug 08 03:26:09 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, IK
E: requesting SPI!
Aug 08 03:26:09 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, Se
curity negotiation complete for User (cisco)  Responder, Inbound SPI = 0xe6b089b
7, Outbound SPI = 0xcb705206

Easy VPN 远程硬件客户端命令

  • debug crypto ipsec - 此命令用于显示第 2 阶段的 IPsec 协商。

  • debug crypto isakmp - 此命令用于显示第 1 阶段的 ISAKMP 协商。

    ciscoasa#debug crypto isakmp 2
    
    Aug 08 14:16:09 [IKEv1]: IP = 10.20.20.1, Connection landed
     on tunnel_group 10.20.20.1
    Aug 08 14:16:09 [IKEv1]: IP = 10.20.20.1, Received encrypted packet with no matc
    hing SA, dropping
    Aug 08 14:16:09 [IKEv1]: IP = 10.20.20.1, Received encrypted packet with no matc
    hing SA, dropping
    Aug 08 14:16:09 [IKEv1]: IP = 10.20.20.1, Received encrypted packet with no matc
    hing SA, dropping
    Aug 08 14:16:10 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, PHASE 1 COMPLETED
    Aug 08 14:16:10 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, Security negotiati
    on complete for peer (10.20.20.1)  Initiator, Inbound SPI = 0xcb705206, Outbound
     SPI = 0xe6b089b7
    Aug 08 14:16:10 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, PHASE 2 COMPLETED
    (msgid=670ff816)
    Aug 08 14:16:10 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, IKE Initiator: New
     Phase 2, Intf inside, IKE Peer 10.20.20.1  local Proxy Address 172.16.1.0, remo
    te Proxy Address 172.22.1.0,  Crypto map (_vpnc_cm)
    Aug 08 14:16:10 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, Security negotiati
    on complete for peer (10.20.20.1)  Initiator, Inbound SPI = 0x3bfa93fb, Outbound
     SPI = 0x3b11bf8b
    Aug 08 14:16:10 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, PHASE 2 COMPLETED
    (msgid=29791739)
    Aug 08 14:16:13 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, IKE Initiator: New
     Phase 2, Intf NP Identity Ifc, IKE Peer 10.20.20.1  local Proxy Address 10.10.1
    0.1, remote Proxy Address 172.22.1.0,  Crypto map (_vpnc_cm)
    Aug 08 14:16:13 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, Security negotiati
    on complete for peer (10.20.20.1)  Initiator, Inbound SPI = 0xd329cacc, Outbound
     SPI = 0xdec3c1b6
    Aug 08 14:16:13 [IKEv1]: Group = 10.20.20.1, IP = 10.20.20.1, PHASE 2 COMPLETED
    (msgid=b303dbac)
    
    Aug 08 03:26:09 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, PH
    ASE 2 COMPLETED (msgid=670ff816)
    Aug 08 03:26:10 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, IK
    E: requesting SPI!
    Aug 08 03:26:10 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, Se
    curity negotiation complete for User (cisco)  Responder, Inbound SPI = 0x3b11bf8
    b, Outbound SPI = 0x3bfa93fb
    Aug 08 03:26:10 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, PH
    ASE 2 COMPLETED (msgid=29791739)
    Aug 08 03:26:12 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, IK
    E: requesting SPI!
    Aug 08 03:26:12 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, Se
    curity negotiation complete for User (cisco)  Responder, Inbound SPI = 0xdec3c1b
    6, Outbound SPI = 0xd329cacc
    Aug 08 03:26:12 [IKEv1]: Group = mytunnel, Username = cisco, IP = 10.10.10.1, PH
    ASE 2 COMPLETED (msgid=b303dbac)

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 98528