
PIX/ASA 7.x and Later: VPN/IPsec with OSPF Configuration Example

July 16, 2015 - Machine translation

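Introduction

This document provides a sample configuration for VPN/IPsec with Open Shortest Path First (OSPF) on Cisco PIX Security Appliance software version 7.x or the Cisco Adaptive Security Appliance (ASA). PIX/ASA 7.x allows OSPF unicast to run over an existing VPN connection. You no longer need to configure a Generic Routing Encapsulation (GRE) tunnel.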

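Prerequisites

Requirements

Before you attempt this configuration, make sure that you can establish a VPN connection.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2500 that runs Cisco IOS® Software Release 12.1 and later

  • Cisco 2500 that runs Cisco IOS Software Release 12.0 and later

  • ASA 5500 Security Appliance that runs software version 7.x and later

    Note: PIX 500 series version 7.x/8.x runs the same software seen in ASA 5500 version 7.x/8.x. The configurations in this document apply to both product lines.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.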

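Configure

This section presents the information you need to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Figure: network diagram]

Configurations

This document uses these configurations:

Router Left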
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Left
!
!
!
!
!
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
!
!
!
interface Loopback11
 ip address 11.11.11.11 255.255.255.0
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 no keepalive
 no fair-queue
 ignore-dcd
!
interface Serial1
 no ip address
 shutdown
 ignore-dcd
!
interface BRI0
 no ip address
 shutdown
!
router ospf 11
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
!
logging trap debugging
logging 20.20.20.2
access-list 100 permit ip any any
access-list 101 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end

Router House (hostname Right)
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Right
!
aaa new-model
aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
cns event-service server
!
!
!
!
!
interface Loopback22
 ip address 22.22.22.22 255.255.255.0
 no ip directed-broadcast
!
interface Tunnel0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Async1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
!
router ospf 22
 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
!
!
!
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
!
end

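Configure the PIX/ASA Security Appliance Version 7.x

You can configure the PIX/ASA Security Appliance through the command-line interface (CLI) or through the GUI with the Adaptive Security Device Manager (ASDM). The configuration in this section is for ASA "Local". Configure ASA "Remote" in the same way and adjust only for the differences in IP addressing.

Console into the PIX/ASA in order to configure PIX/ASA Security Appliance version 7.x. From a cleared configuration, use the interactive prompts to enable the ASDM GUI for management of the PIX/ASA from workstation 10.10.10.3.

Note: If the OSPF neighbors do not come up, consider lowering the maximum transmission unit (MTU) size.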

PIX/ASA-ASDM Bootstrap
Pre-configure Firewall now through interactive prompts [yes]? 
Firewall Mode [Routed]: 
Enable password [<use current password>]: cisco
Allow password recovery [yes]? 
Clock (UTC):
  Year [2006]: 
  Month [May]: 
  Day [25]: 
  Time [06:00:44]: 
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

The following configuration will be used:
Enable password: cisco
Allow password recovery: yes
Clock (UTC): 06:00:44 May 25 2006
Firewall Mode: Routed
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

Use this configuration and write to flash? yes
INFO: Security level for "inside" set to 100 by default.
Cryptochecksum: 34f55366 a32e232d ebc32ac1 3bfa201a 

969 bytes copied in 0.880 secs

Use ASDM

Complete these steps in order to configure through the ASDM GUI:

  1. From workstation 10.10.10.3, open a browser and use ASDM.

    In this example, you use https://10.10.10.1.

  2. Click yes when prompted about the certificate.

  3. Log in with the enable password.

    This login appears in the PIX/ASA-ASDM Bootstrap configuration.

  4. At the prompt, choose whether to use the ASDM Launcher or ASDM as a Java applet.

    This prompt appears only the first time ASDM is run on the PC. In this example, the ASDM Launcher is selected and installed.

  5. Go to the ASDM main window and click the Configuration tab.

  6. Choose Interface > Edit in order to configure the outside interface.

  7. Click OK.

  8. Enter the interface details and click OK when you are done.

  9. Click OK in the Security Level Change dialog box.

  10. Click Apply to accept the interface configuration.

    This configuration is also pushed to the PIX.

    Note: This example uses static routes.

  11. Choose Features > Routing > Static Route and click Add.

  12. Configure the default gateway and click OK.

  13. Configure a host-based static route for the remote peer in order to avoid the recursive routing that can occur when OSPF comes up, and click OK.

  14. Click Apply to accept the routing configuration.

    This configuration is also pushed to the PIX.

  15. Choose Wizards > VPN Wizard in order to use the VPN Wizard and create the LAN-to-LAN connection.

  16. In the VPN Wizard window, click Next, where Site-to-Site is selected by default.

  17. Add the peer IP address, the tunnel group name (which is the IP address), and the pre-shared key information, and click Next.

  18. Add the encryption type, the authentication type, and the DH group information, and click Next.

  19. Add the IPsec parameters, the encryption type, and the authentication type information, and click Next.

  20. Configure the inside host network. Click Add to move the address into the Selected Host/Networks field in this window. Click Next when you are done.

  21. Configure the outside host network. Click Add to move the address into the Selected Host/Networks field in this window. Click Next when you are done.

  22. Check the Summary for accuracy, and click Next.

  23. Choose Configuration > VPN in order to verify the LAN-to-LAN tunnel configuration that the VPN Wizard created.

  24. Create an access list to allow OSPF traffic to go across the VPN.

    This VPN access list is for the OSPF routes that are learned. Choose Configuration > VPN.

  25. Choose IPSec > IPSec Rules and click Add.

  26. Add the OSPF neighbor (IP address) data in this window and click OK.

    Note: Make sure that you work on the outside interface.

  27. Verify that the information is correct, and click Apply.

  28. Choose Configuration > NAT and click Translation Exemption Rules in order to verify the Network Address Translation (NAT) configuration that the VPN Wizard created.

  29. Because this example uses NAT, uncheck the Enable traffic through the firewall without address translation check box, and click Add. This step configures the NAT rule.

  30. Configure the source network. Click Browse to define the NAT pool address for the inside. Then choose outside for Translate Address on Interface and click Manage Pools.

  31. Choose the outside interface and click Add.

  32. In this example, because Port Address Translation (PAT) uses the IP address of the interface, click Port Address Translation (PAT) using the IP address of the interface.

  33. After you configure the PAT pool, click OK.

  34. In the Add Address Translation Rule window, choose the address pool that the configured source network is to use.

  35. Click OK. This window shows the output of the NAT configuration.

  36. Click Apply to save the configuration.

  37. Choose Configuration > Routing > OSPF > Setup, go to the Process Instances tab, and check Enable this OSPF Process in order to set up OSPF on the PIX.

  38. Choose Area/Networks and click Add.

  39. Enter the IP address and netmask of one network in the OSPF process field and click OK. (MD5 is checked here to show it as an optional element; it is not required.)

  40. Verify that the information is correct, and click Edit.

  41. Enter the IP address and netmask of the second network and of the outside remote peer in the OSPF process field and click OK.

  42. Verify that the information is correct, and click Apply.

  43. Choose OSPF > Interface > Properties > Outside and click Edit.

  44. Uncheck Broadcast for the outside interface.

    Note: This must be unicast.

  45. Check the Broadcast column for the outside interface to verify that the selection is "no", and click Apply.

  46. Choose OSPF > Static Neighbor and click Add.

  47. Enter the IP address in the Neighbor field and choose outside for the interface. Click OK.

  48. Verify that the information is correct, and click Apply. This completes the configuration.

Choose File > Show Running Configuration in New Window in order to view the CLI configuration.

Local ASA
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0

!--- This line allows the unicast of OSPF over the IPsec tunnel.

 ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.

 ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Local
ftp mode passive


!--- These access control list (ACL) entries define 
!--- interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only 
!--- in the crypto ACL. 


same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface



!--- Do not translate traffic with NAT.


nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!


!--- This is OSPF. 
!--- Note: You must define the outside network of the remote peer.


router ospf 100
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0


!--- This is where OSPF is told where the 
!--- PEER is located.



 neighbor 40.40.40.2 interface outside
 log-adj-changes
!


!--- This is a host based static. This is not always 
!--- necessary, but recommended to prevent recursive routing loops when 
!--- OSPF comes up over the IPsec tunnel. 





route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00
h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp         


!--- This is the IPsec and IKE/ISAKMP configuration. 
!--- Make sure basic IPsec connectivity is present
!--- before you add in OSPF. 


crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0



tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
 pre-shared-key cisco

class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end

Remote ASA
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 40.40.40.2 255.255.255.0

!--- This line allows the unicast of OSPF over to
!--- the IPsec tunnel.

 ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.

 ospf message-digest-key 10 md5 cisco


!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive


!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only in the crypto ACL.


same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1


pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface



!--- Do not translate traffic with NAT.

nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!


!--- This is OSPF. 
!--- Note: You must define the remote peer's outside network.


router ospf 100
 network 20.20.20.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0


!--- This is where the OSPF is told where the PEER is located.



 neighbor 30.30.30.1 interface outside
 log-adj-changes
!


!--- This is a host based static. This is not always necessary, but recommended to
!--- prevent recursive routing loops when OSPF comes up over the IPsec tunnel.


route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00
h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp         


!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present
!--- before you add in OSPF.


crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400


telnet timeout 5
ssh timeout 5
console timeout 0




tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
 pre-shared-key cisco

class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
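
An added example, not part of the original Cisco document: a Python check that an ASA configuration contains every element the Local and Remote configurations above rely on for OSPF over the IPsec tunnel (point-to-point non-broadcast interface, static neighbor, peer network in OSPF, OSPF entry in the crypto ACL, host route to the peer). The function names, finding codes and the abbreviated sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: OSPF/IPsec-relevant lines of the Local ASA configuration,
# keeping an inline "!---" comment and blank lines as they appear on the page.
LOCAL_ASA = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 30.30.30.1 255.255.255.0

!--- This line allows the unicast of OSPF over the IPsec tunnel.

 ospf network point-to-point non-broadcast
!
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
router ospf 100
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0
 neighbor 40.40.40.2 interface outside
!
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map interface outside
"""


def stanzas(lines):
    """Group a config into (top-level line, [indented sub-commands]) pairs."""
    out = []
    for line in lines:
        if line.startswith(" "):
            if out:
                out[-1][1].append(line.strip())
        else:
            out.append((line, []))
    return out


def check_ospf_over_ipsec(cfg):
    """Return [(peer, finding_code), ...]; an empty list means every check passed."""
    # Blank lines and "!---" comments sit inside stanzas on the page, so drop them first.
    lines = [l.rstrip() for l in cfg.splitlines()
             if l.strip() and not l.lstrip().startswith("!---")]
    blocks = stanzas(lines)
    top = [head for head, _ in blocks]

    ifaces, ospf = {}, []          # nameif -> sub-commands; all "router ospf" sub-commands
    for head, body in blocks:
        if head.startswith("interface "):
            for cmd in body:
                if cmd.startswith("nameif "):
                    ifaces[cmd.split()[1]] = body
        elif head.startswith("router ospf "):
            ospf.extend(body)

    ospf_nets = []
    for cmd in ospf:
        m = re.fullmatch(r"network (\S+) (\S+) area \S+", cmd)
        if m:
            ospf_nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))

    entries, map_iface = {}, {}    # (map, seq) -> {acl, peer}; map -> nameif
    for line in top:
        m = re.fullmatch(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m:
            entries.setdefault((m[1], m[2]), {})["acl"] = m[3]
        m = re.fullmatch(r"crypto map (\S+) (\d+) set peer (\S+)", line)
        if m:
            entries.setdefault((m[1], m[2]), {})["peer"] = m[3]
        m = re.fullmatch(r"crypto map (\S+) interface (\S+)", line)
        if m:
            map_iface[m[1]] = m[2]

    findings = []
    for (name, _seq), e in sorted(entries.items()):
        peer, acl, ifc = e.get("peer"), e.get("acl"), map_iface.get(name)
        if not (peer and acl and ifc):
            findings.append((peer, "crypto-map-incomplete"))
            continue
        if "ospf network point-to-point non-broadcast" not in ifaces.get(ifc, []):
            findings.append((peer, "iface-not-p2p-nonbroadcast"))
        if f"neighbor {peer} interface {ifc}" not in ospf:
            findings.append((peer, "no-static-neighbor"))
        if not any(ipaddress.ip_address(peer) in net for net in ospf_nets):
            findings.append((peer, "peer-net-not-in-ospf"))
        if f"access-list {acl} extended permit ospf interface {ifc} host {peer}" not in top:
            findings.append((peer, "ospf-not-in-crypto-acl"))
        host_route = rf"route {re.escape(ifc)} {re.escape(peer)} 255\.255\.255\.255 \S+( \d+)?"
        if not any(re.fullmatch(host_route, line) for line in top):
            findings.append((peer, "no-host-route"))
    return findings


if __name__ == "__main__":
    print(check_ospf_over_ipsec(LOCAL_ASA) or "all OSPF-over-IPsec checks passed")
```

A finding of `ospf-not-in-crypto-acl` is the one to treat as a security issue rather than a reachability issue, because the configuration comments state that OSPF is permitted only in the crypto ACL.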

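Enable Reverse Route Injection (RRI)

In order to inject information about the remote LAN-to-LAN VPN networks into the network that runs OSPF, refer to Verify that routing is correct (for CLI configuration) and LAN2LAN network RRI (for ASDM configuration).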

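Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • logging buffer debugging - Shows the connections that are established and denied to hosts that go through the PIX. The PIX log buffer stores this information. You can see the output if you use the show log command.

You can use ASDM to enable logging and to view the logs.

  • show crypto isakmp sa - Shows the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) that is built between the peers.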

    Local#show crypto isakmp sa
    
    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 40.40.40.2
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    
    
    Remote#show crypto isa sa
    
    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 30.30.30.1
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
  • show crypto ipsec sa - Shows each Phase 2 SA that is built and the amount of traffic that is sent.

    Local#show crypto ipsec sa
    interface: outside
        Crypto map tag: vpn, local addr: 30.30.30.1
    
          local ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
          remote ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
          current_peer: 40.40.40.2
    
          #pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
          #pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 355, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0
    
          local crypto endpt.: 30.30.30.1, remote crypto endpt.: 40.40.40.2
    
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: 83444440
    
        inbound esp sas:
          spi: 0xAE9AB30C (2929373964)
             transform: esp-3des esp-sha-hmac
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1, crypto-map: vpn
             sa timing: remaining key lifetime (kB/sec): (3824976/25399)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x83444440 (2202289216)
             transform: esp-3des esp-sha-hmac
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1, crypto-map: vpn
             sa timing: remaining key lifetime (kB/sec): (3824975/25396)
             IV size: 8 bytes
             replay detection support: Y
    
    
    Remote#show crypto ipsec sa
    interface: outside
        Crypto map tag: vpn, local addr: 40.40.40.2
    
          local ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
          remote ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
          current_peer: 30.30.30.1
    
          #pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
          #pkts decaps: 364, #pkts decrypt: 364, #pkts verify: 364
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 364, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0
    
          local crypto endpt.: 40.40.40.2, remote crypto endpt.: 30.30.30.1
    
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: AE9AB30C
    
        inbound esp sas:
          spi: 0x83444440 (2202289216)
             transform: esp-3des esp-sha-hmac
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1, crypto-map: vpn
             sa timing: remaining key lifetime (kB/sec): (4274975/25301)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xAE9AB30C (2929373964)
             transform: esp-3des esp-sha-hmac
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1, crypto-map: vpn
             sa timing: remaining key lifetime (kB/sec): (4274975/25300)
             IV size: 8 bytes
             replay detection support: Y
  • show ospf neighbor - Shows that the OSPF neighbor relationships have formed.

    Local#show ospf neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    40.40.40.2        1   FULL/  -        0:00:38     40.40.40.2      outside
    11.11.11.11       1   FULL/DR         0:00:33     10.10.10.2      inside
    
    Remote#show ospf neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    30.30.30.1        1   FULL/  -        0:00:38     30.30.30.1      outside
    22.22.22.22       1   FULL/DR         0:00:38     20.20.20.2      inside
  • show debug - Displays the debug output.

    Local(config)#show debug
    debug crypto ipsec enabled at level 1
    debug crypto engine enabled at level 1
    debug crypto isakmp enabled at level 1
    
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    IKE SA MM:ec9c234a rcv'd Terminate: state MM_ACTIVE  flags 0x0021c042, 
    ref2cnt 1, tuncnt 1
    May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing blank hash
    May 25 12:49:21 [IKEv1 DEBUG]: constructing IPSec delete payload
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing qm hash
    May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message 
    (msgid=df6487d8) with payloads : HDR + HASH (8) + DELETE (12) + NONE 
    (0) total length : 64
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Active unit receives a delete event for remote peer 40.40.40.2.
    
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    IKE Deleting SA: Remote Proxy 40.40.40.2, Local Proxy 30.30.30.1
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    IKE SA MM:ec9c234a terminating:  flags 0x0121c002, refcnt 0, tuncnt 0
    May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing blank hash
    May 25 12:49:21 [IKEv1 DEBUG]: constructing IKE delete payload
    May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing qm hash
    May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message 
    (msgid=ec167928) with payloads : HDR + HASH (8) + DELETE (12) + NONE 
    (0) total length : 76
    May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x504ea964
    May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x79fbcb2d
    28-05-05-ASA5520-2(config)# May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, 
    processing SA payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Oakley proposal is acceptable
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Fragmentation VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE Peer included IKE 
    fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing IKE SA
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE SA Proposal # 1, 
    Transform # 1 acceptable  Matches global IKE entry # 3
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ISA_SA for isakmp
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Fragmentation 
    VID + extended capabilities payload
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message 
    (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total 
    length : 108
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message 
    (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR 
    (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ke payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ISA_KE
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing nonce payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Cisco Unity client VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received xauth V6 VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing VPN3000/ASA 
    spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Altiga/Cisco 
    VPN3000/Cisco ASA GW VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ke payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing nonce payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Cisco Unity 
    VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing xauth V6 VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send IOS VID
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing ASA spoofing IOS 
    Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send Altiga/Cisco 
    VPN3000/Cisco ASA GW VID
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on tunnel_group 
    40.40.40.2
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Generating keys for Responder...
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message 
    (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + 
    VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message 
    (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) 
    + VENDOR (13) + NONE (0) total length : 92
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Processing ID
    May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
    40.40.40.2
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing hash
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    computing hash
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing IOS keep 
    alive payload: proposal=32767/32767 sec.
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing VID payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Received DPD VID
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on 
    tunnel_group 40.40.40.2
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing ID
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    construct hash payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    computing hash
    May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing IOS 
    keep alive payload: proposal=32767/32767 sec.
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing dpd vid payload
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING 
    Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + 
    IOS KEEPALIVE (14) + VENDOR (13) + NONE (0) total length : 92
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    PHASE 1 COMPLETED
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Keep-alive type for 
    this connection: DPD
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Starting phase 1 rekey timer: 73440000 (ms)
    May 25 12:49:39 [IKEv1 DECODE]: IP = 40.40.40.2, IKE Responder starting 
    QM: msg id = 0529ac6b
    May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message 
    (msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) 
    + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing hash
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing SA payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing nonce payload
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Processing ID
    May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
    40.40.40.2
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Received remote Proxy Host data in ID Payload:  Address 40.40.40.2, 
    Protocol 89, Port 0
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Processing ID
    May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
    30.30.30.1
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Received local Proxy Host data in ID Payload:  Address 30.30.30.1, 
    Protocol 89, Port 0
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Processing Notify payload
    May 25 12:49:39 [IKEv1]: QM IsRekeyed old sa not found by addr
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Static Crypto Map check, checking map = vpn, seq = 10...
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Static Crypto Map check, map vpn, seq = 10 is a successful match
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    IKE Remote Peer configured for SA: vpn
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing IPSEC SA
    May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global 
    IPSec SA entry # 10
    May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    IKE: requesting SPI!
    May 25 12:49:39 [IKEv1]: Received unexpected event 
    EV_ACTIVATE_NEW_SA in state MM_ACTIVE
    May 25 12:49:40 [IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xf629186e
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    oakley constucting quick mode
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing blank hash
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing ISA_SA for ipsec
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing ipsec nonce payload
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing proxy ID
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Transmitting Proxy Id:
      Remote host: 40.40.40.2  Protocol 89  Port 0
      Local host:  30.30.30.1  Protocol 89  Port 0
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    constructing qm hash
    May 25 12:49:40 [IKEv1 DECODE]: IKE Responder sending 2nd QM pkt: 
    msg id = 0529ac6b
    May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message 
    (msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) 
    + ID (5) + ID (5) + NONE (0) total length : 156
    May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message 
    (msgid=529ac6b) with payloads : HDR + HASH (8) + NONE (0) total length : 48
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    processing hash
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    loading all IPSEC SAs
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Generating Quick Mode Key!
    May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Generating Quick Mode Key!
    May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Security negotiation complete for LAN-to-LAN Group (40.40.40.2)  
    Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
    May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
    May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
    May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    Starting P2 Rekey timer to expire in 24480 seconds
    May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, 
    PHASE 2 COMPLETED (msgid=0529ac6b)
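The Quick Mode messages above can be checked mechanically. The following is an added example, not part of the original Cisco document: it rejoins the wrapped debug lines, extracts the proxy IDs and SPIs, and confirms that Phase 2 completed with selectors limited to IP protocol 89 (OSPF). The function names are hypothetical, and the sample input is constructed from lines of the output above.

```python
import re

# Constructed sample: lines taken from the debug output above,
# keeping the wrapped layout in which the ASA prints them.
SAMPLE = """\
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Transmitting Proxy Id:
  Remote host: 40.40.40.2  Protocol 89  Port 0
  Local host:  30.30.30.1  Protocol 89  Port 0
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Security negotiation complete for LAN-to-LAN Group (40.40.40.2)
Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 2 COMPLETED (msgid=0529ac6b)
"""

# A new message starts with a syslog-style timestamp followed by the IKEv1 tag.
STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \[IKEv1")

def unwrap(text):
    """Join continuation lines onto the timestamped line that starts each message."""
    msgs = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not msgs:
            msgs.append(line)
        else:
            msgs[-1] += " " + line
    return msgs

def summarize_phase2(text):
    """Collect proxy IDs, SPIs and the completion marker from IKEv1 debug text."""
    out = {"proxy": {}, "completed": False}
    for msg in unwrap(text):
        for side, host, proto, port in re.findall(
                r"(Remote|Local) host:\s+(\S+)\s+Protocol (\d+)\s+Port (\d+)", msg):
            out["proxy"][side.lower()] = (host, int(proto), int(port))
        m = re.search(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)", msg)
        if m:
            out["inbound_spi"], out["outbound_spi"] = m.groups()
        m = re.search(r"PHASE 2 COMPLETED \(msgid=([0-9a-f]+)\)", msg)
        if m:
            out["completed"], out["msgid"] = True, m.group(1)
    return out

def ospf_only(summary):
    """True when both proxy IDs are restricted to IP protocol 89 (OSPF)."""
    p = summary["proxy"]
    return len(p) == 2 and all(proto == 89 for _, proto, _ in p.values())
```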

Check the routes on the routers to verify that routed traffic passes over the LAN-to-LAN connection:

  • show ip route - Displays IP routing table entries.

    Left#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is 10.10.10.1 to network 0.0.0.0
    
         20.0.0.0/24 is subnetted, 1 subnets
    O       20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
         40.0.0.0/24 is subnetted, 1 subnets
    O       40.40.40.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.10.10.0 is directly connected, Ethernet0
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback11
         30.0.0.0/24 is subnetted, 1 subnets
    O       30.30.30.0 [110/20] via 10.10.10.1, 00:59:38, Ethernet0
    S*   0.0.0.0/0 [1/0] via 10.10.10.1
    
    
    Left#ping 20.20.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
    !!!!!
    
    Right#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is 20.20.20.1 to network 0.0.0.0
    
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.20.20.0 is directly connected, Ethernet0
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback22
         40.0.0.0/24 is subnetted, 1 subnets
    O       40.40.40.0 [110/20] via 20.20.20.1, 01:01:45, Ethernet0
         10.0.0.0/24 is subnetted, 1 subnets
    O       10.10.10.0 [110/30] via 20.20.20.1, 01:01:45, Ethernet0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/31] via 20.20.20.1, 01:01:45, Ethernet0
         30.0.0.0/24 is subnetted, 1 subnets
    O       30.30.30.0 [110/30] via 20.20.20.1, 01:01:46, Ethernet0
    S*   0.0.0.0/0 [1/0] via 20.20.20.1
    
    
    Right#ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
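The routing-table check above can be automated. The following is an added example, not part of the original Cisco document: it parses classic IOS `show ip route` output, inheriting the prefix length from each "is subnetted" parent line, and reports expected remote prefixes that are not learned through OSPF, in which case the router would fall back to its static default route. The function names are hypothetical, the sample is constructed from the Left router output above, and route codes that start with a lowercase letter are not handled.

```python
import re

# Constructed sample: route entries taken from the "Left#show ip route" output above.
LEFT_ROUTES = """\
     20.0.0.0/24 is subnetted, 1 subnets
O       20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
     22.0.0.0/32 is subnetted, 1 subnets
O       22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 10.10.10.1
"""

# Parent line: gives the prefix length shared by the child entries below it.
PARENT = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
# Route line: code (e.g. O, C, S*, O IA), network, optional own length, next hop.
ROUTE = re.compile(
    r"^([A-Z][A-Za-z0-9*]*(?: [A-Z][A-Z0-9]*)?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?"
    r"(?: \[\d+/\d+\] via ([\d.]+)| is directly connected)")

def parse_routes(text):
    """Return {"network/len": (code, next_hop or None)} from 'show ip route' text."""
    routes, parent_len = {}, None
    for line in text.splitlines():
        m = PARENT.match(line)
        if m:
            parent_len = m.group(1)
            continue
        m = ROUTE.match(line)
        if m:
            code, net, plen, hop = m.groups()
            # A length on the entry itself overrides the one from the parent line.
            routes[f"{net}/{plen or parent_len}"] = (code, hop)
    return routes

def missing_ospf(routes, expected):
    """Expected prefixes that are absent or carry a route code other than OSPF (O)."""
    return [p for p in expected if not routes.get(p, ("", None))[0].startswith("O")]
```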

View Logs

Complete these steps in order to view the logs:

  1. Choose Configuration > Properties > Logging > Logging Setup, check Enable logging, and click Apply.

    gre-ipsec-ospf-47.gif

  2. Choose Monitoring > Logging > Log Buffer > Logging Level, choose Logging Buffer from the drop-down menu, and click View.

    gre-ipsec-ospf-48.gif

    Here is an example of the Log Buffer:

    gre-ipsec-ospf-49.gif

    In order to view the related graphs, choose Monitoring > VPN > IPSEC Tunnels. Then move "IPsec Active Tunnels" and "IKE Active Tunnels" to Selected Graphs, and choose Show Graphs.

    /image/gif/paws/63882/gre-ipsec-ospf-50.gif

Troubleshoot

There is currently no troubleshooting information available for this configuration.



Document ID: 63882