网络管理 : Cisco PIX 500 系列安全设备

在Sonicwall产品和Cisco安全设备之间的VPN配置示例

2016 年 10 月 24 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 8 月 22 日) | 反馈


目录


简介

本文档演示如何为 IPsec 隧道配置预共享密钥以在两个专用网络之间使用主动模式和主模式进行通信。在本例中,通信的网络是192.168.1.x私有网络在Cisco安全设备(PIX/ASA)里面和172.22.1.x私有网络在SonicwallTM TZ170防火墙里面。

先决条件

要求

尝试进行此配置之前,请确保满足以下要求:

  • 在开始此配置前,来自 Cisco 安全设备内部和 Sonicwall TZ170 内部的流量应流向 Internet(此处用 10.x.x.x 网络表示)。

  • 用户应该熟悉 IPsec 协商。此过程可分为五个步骤,其中包括两个 Internet Key Exchange (IKE) 阶段。

    1. IPsec 隧道由相关数据流启动。如果数据流在 IPsec 对等体之间传输,则它会被认为是相关数据流。

    2. 在IKE阶段1, IPSec对等体协商已建立IKE安全关联(SA)策略。对等体经过身份验证后,会使用 Internet 安全关联和密钥管理协议 (ISAKMP) 创建安全隧道。

    3. 在 IKE 第 2 阶段中,IPsec 对等体使用经身份验证的安全隧道对 IPsec SA 转换进行协商。共享策略的协商决定建立 IPsec 隧道的方式。

    4. 根据 IPsec 转换集中配置的 IPsec 参数,将在 IPsec 对等体之间创建 IPsec 隧道并传输数据。

    5. 如果删除了 IPsec SA,或者 IPsec SA 的生存时间到期,则 IPsec 隧道将终止。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Cisco PIX 515E 版本 6.3(5)

  • Cisco PIX 515 版本 7.0(2)

  • Sonicwall TZ170、SonicOS Standard 2.2.0.1

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

相关产品

此配置也可用于以下硬件和软件版本:

  • PIX 6.3(5) 配置可用于运行该软件版本的所有其他 Cisco PIX 防火墙产品(如 PIX 501、506 等)

  • PIX/ASA 7.0(2) 配置只能在运行 PIX 7.0 软件系列的设备(不包括 501、506,并可能不包括某些较早的 515)和 Cisco 5500 系列 ASA 上使用。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

注意: 在 IPsec 主动模式下,Sonicwall 必须启动与 PIX 之间的 IPsec 隧道。当您分析此配置的调试信息时,可以看到这一点。这是 IPsec 主动模式运行方式中所固有的。

网络图

本文档使用以下网络设置:

/image/gif/paws/66171/vpn-sonicwall-pixfw-1.gif

Sonicwall 配置

Sonicwall TZ170 的配置是通过基于 Web 的接口执行的。

完成这些步骤:

  1. 使用标准 Web 浏览器,在其中一个内部接口上连接到路由器的 IP 地址。

    此时将出现登录窗口。

    vpn-sonicwall-pixfw-2.gif

  2. 登录 Sonicwall 设备,然后选择 VPN > Settings

    vpn-sonicwall-pixfw-3.gif

  3. 输入 VPN 对等体的 IP 地址和要使用的预共享密钥。在 Destination Networks 下单击 Add

    /image/gif/paws/66171/vpn-sonicwall-pixfw-4.gif

  4. 输入目标网络。

    vpn-sonicwall-pixfw-5.gif

    此时将出现 Settings 窗口。

    vpn-sonicwall-pixfw-6.gif

  5. 单击 Settings 窗口顶部的 Proposals 选项卡。

  6. 选择您计划用于此配置的交换(主模式或主动模式)以及阶段 1 和阶段 2 的其余设置。

    此示例配置对两个阶段都使用 AES-256 加密,其中将 SHA1 哈希算法用于身份验证,而将 1024 位 Diffie-Hellman 组 2 用作 IKE 策略。

    vpn-sonicwall-pixfw-7.gif

  7. 单击 Advanced 选项卡。

    在此选项卡中可能有您希望配置的其他选项。这些是用于此示例配置的设置。

    /image/gif/paws/66171/vpn-sonicwall-pixfw-8.gif

  8. 单击 Ok

    完成此配置以及远程 PIX 上的配置后,显示的 Settings 窗口应该类似于此示例 Settings 窗口。

    vpn-sonicwall-pixfw-9.gif

IPsec 主模式配置

本部分使用以下配置:

Cisco PIX 515e 版本 6.3(5)
pix515e-635#show running-config
: Saved
:
PIX Version 6.3(5)

!--- Sets the hardware speed to auto on both interfaces.

interface ethernet0 auto
interface ethernet1 auto


!--- Specifies the inside and outside interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e-635
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500


!--- Sets the inside and outside IP addresses and subnet masks.

ip address outside 10.20.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec


!--- PHASE 2 CONFIGURATION:
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Specifies IKE is used to establish the IPsec SAs for the map "maptosw".

crypto map maptosw 67 ipsec-isakmp


!--- Specifies the ACL "pixtosw" to use with this map
. 
crypto map maptosw 67 match address pixtosw


!--- Specifies the IPsec peer for this map.

crypto map maptosw 67 set peer 10.10.10.1


!--- Specifies the transform set to use.

crypto map maptosw 67 set transform-set austinlab


!--- Specifies the interface to use with this map.

crypto map maptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- Specifies the preshared key and the addresses to use with that key.
!--- In this case only one address is used with the preshared key cisco123.

isakmp key ******** address 10.10.10.1 netmask 255.255.255.255


!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- These five commands specify the Phase 1 configuration settings 
!--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f
: end
pix515e-635#

Cisco PIX 515 版本 7.0(2)
pix515-702#show running-config
: Saved
:
PIX Version 7.0(2)
names
!


!--- PIX 7 uses an interface configuration mode similar to Cisco IOS�.
!--- This output configures the IP address, interface name, 
!--- and security level for interfaces Ethernet0 and Ethernet1.

interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet4
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet5
  shutdown
  no nameif
  no security-level
  no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515-702
domain-name cisco.com
ftp mode passive


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec



!--- PHASE 2 CONFIGURATION
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Specifies the ACL pixtosw to use with this map.

crypto map maptosw 67 match address pixtosw


!--- Specifies the IPsec peer for this map.

crypto map maptosw 67 set peer 10.10.10.1


!--- Specifies the transform set to use.

crypto map maptosw 67 set transform-set austinlab


!--- Specifies the interface to use with this map
.
crypto map maptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- These five commands specify the Phase 1 configuration 
!--- settings specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0


!--- These three lines set the IPsec attributes for the tunnel to the
!--- remote peer. This is where the preshared key is defined for Phase 1 and the
!--- IPsec tunnel type is set to site-to-site.

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *

Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a
: end
pix515-702#

IPsec 主动模式配置

本部分使用以下配置:

Cisco PIX 515e 版本 6.3(5)
pix515e-635#show running-config
: Saved
:
PIX Version 6.3(5)

!--- Sets the hardware speed to auto on both interfaces.

interface ethernet0 auto
interface ethernet1 auto


!--- Specifies the inside and outside interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100         

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e-635
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500


!--- Sets the inside and outside IP addresses and subnet masks.

ip address outside 10.20.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec



!--- PHASE 2 CONFIGURATION
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Creates the dynamic map ciscopix for the transform set.

crypto dynamic-map ciscopix 1 set transform-set austinlab


!--- Specifies the IKE that should be used to establish SAs 
!--- for the dynamic map.

crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix


!--- Applies the settings above to the outside interface.

crypto map dynmaptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Specifies the interface to use for the IPsec tunnel
.
isakmp enable outside


!--- Specifies the preshared key and the addresses to use with that key.
!--- In this case only one address is used as the preshared key "cisco123".

isakmp key ******** address 10.10.10.1 netmask 255.255.255.255


!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- These five commands specify the Phase 1 configuration settings 
!--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f
: end
pix515e-635#

Cisco PIX 515 版本 7.0(2)
pix515-702#show running-config
: Saved
:
PIX Version 7.0(2)
names
!


!--- PIX 7 uses an interface configuration mode similar to Cisco IOS.
!--- This output configures the IP address, interface name, and security level for
!--- interfaces Ethernet0 and Ethernet1.

interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet4
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet5
  shutdown
  no nameif
  no security-level
  no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515-702
domain-name cisco.com
ftp mode passive


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec



!--- PHASE 2 CONFIGURATION
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Creates the dynamic map "ciscopix" for the defined transform set.

crypto dynamic-map ciscopix 1 set transform-set austinlab


!--- Specifies that IKE should be used to establish SAs 
!--- for the defined dynamic map.

crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix


!--- Applies the settings to the outside interface.

crypto map dynmaptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- These five commands specify the Phase 1 configuration settings 
!--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0


!--- These three lines set the IPsec attributes for the tunnel to the
!--- remote peer. This is where the preshared key is defined for Phase 1 and the
!--- IPsec tunnel type is set to site-to-site.

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *

Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a
: end
pix515-702#

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • show crypto isakmp sa - 显示对等体上的所有当前 IKE SA。

  • show crypto ipsec sa - 显示当前 SA 使用的设置。

这些表显示完全建立隧道后 PIX 6.3(5) 和 PIX 7.0(2) 中主模式和主动模式的一些调试输出。

注意: 对于在这两种类型的硬件之间建立 IPsec 隧道而言,这些信息应该够用了。如果您有任何意见,请使用本文档左侧的反馈表。

Cisco PIX 515e 版本 6.3(5) - 主模式
pix515e-635#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.10.10.1       10.20.20.1    QM_IDLE         0           1
pix515e-635#



pix515e-635#show crypto ipsec sa


           interface: outside
           Crypto map tag: maptosw, local addr. 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1:500
           PERMIT, flags={origin_is_acl,}
           #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
           #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
           #send errors 1, #recv errors 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
           path mtu 1500, ipsec overhead 72, media mtu 1500
           current outbound spi: ed0afa33

 inbound esp sas:
           spi: 0xac624692(2892121746)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 1, crypto map: maptosw
           sa timing: remaining key lifetime (k/sec): (4607999/28718)
           IV size: 16 bytes
           replay detection support: Y


           inbound ah sas:


           inbound pcp sas:


           outbound esp sas:
           spi: 0xed0afa33(3976919603)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 2, crypto map: maptosw
           sa timing: remaining key lifetime (k/sec): (4607999/28718)
           IV size: 16 bytes
           replay detection support: Y


           outbound ah sas:


           outbound pcp sas:

pix515e-635#

Cisco PIX 515 版本 7.0(2) - 主模式
pix515-702#show crypto isakmp sa

 Active SA: 1
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
           Total IKE SA: 1

1 IKE Peer: 10.10.10.1
           Type : L2L Role : initiator
           Rekey : no State : MM_ACTIVE
           pix515-702#

pix515-702#show crypto ipsec sa
interface: outside
    Crypto map tag: maptosw, local addr: 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1

 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
           #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
           #send errors: 0, #recv errors: 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1

 path mtu 1500, ipsec overhead 76, media mtu 1500
           current outbound spi: 2D006547

 inbound esp sas:
           spi: 0x309F7A33 (815757875)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: maptosw
           sa timing: remaining key lifetime (kB/sec): (4274999/28739)
           IV size: 16 bytes
           replay detection support: Y
           outbound esp sas:
           spi: 0x2D006547 (755000647)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: maptosw
           sa timing: remaining key lifetime (kB/sec): (4274999/28737)
           IV size: 16 bytes
           replay detection support: Y

pix515-702#

Cisco PIX 515e 版本 6.3(5) - 主动模式
pix515e-635#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.20.20.1       10.10.10.1    QM_IDLE         0           1

pix515e-635#show crypto ipsec sa


           interface: outside
           Crypto map tag: dynmaptosw, local addr. 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1:500
           PERMIT, flags={}
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
           #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
           #send errors 0, #recv errors 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
           path mtu 1500, ipsec overhead 72, media mtu 1500
           current outbound spi: efb1149d

 inbound esp sas:
           spi: 0x2ad2c13c(718455100)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 2, crypto map: dynmaptosw
           sa timing: remaining key lifetime (k/sec): (4608000/28736)
           IV size: 16 bytes
           replay detection support: Y


           inbound ah sas:


           inbound pcp sas:


           outbound esp sas:
           spi: 0xefb1149d(4021359773)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 1, crypto map: dynmaptosw
           sa timing: remaining key lifetime (k/sec): (4608000/28727)
           IV size: 16 bytes
           replay detection support: Y


           outbound ah sas:


           outbound pcp sas:

pix515e-635#

Cisco PIX 515 版本 7.0(2) - 主动模式
pix515-702#show crypto isakmp sa

 Active SA: 1
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
           Total IKE SA: 1

1 IKE Peer: 10.10.10.1
           Type : L2L Role : responder
           Rekey : no State : AM_ACTIVE
           pix515-702#

pix515-702#show crypto ipsec sa
           interface: outside
           Crypto map tag: ciscopix, local addr: 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1

 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
           #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
           #send errors: 0, #recv errors: 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1

 path mtu 1500, ipsec overhead 76, media mtu 1500
           current outbound spi: D7E2F5FD

 inbound esp sas:
           spi: 0xDCBF6AD3 (3703532243)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: ciscopix
           sa timing: remaining key lifetime (sec): 28703
           IV size: 16 bytes
           replay detection support: Y
           outbound esp sas:
           spi: 0xD7E2F5FD (3621975549)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: ciscopix
           sa timing: remaining key lifetime (sec): 28701
           IV size: 16 bytes
           replay detection support: Y

pix515-702#         

故障排除

目前没有针对此配置的故障排除信息。


相关信息


Document ID: 66171