
ASA IPsec and IKE Debugs (IKEv1 Main Mode) Troubleshooting TechNote

August 28, 2015 (machine translation of the English original dated April 23, 2015)

Introduction

This document describes the debugs on the Adaptive Security Appliance (ASA) when main mode and a pre-shared key (PSK) are used. The translation of certain debug lines into configuration is also discussed.

Topics not covered in this document include passing traffic after the tunnel has been established and the basic concepts of IPsec or Internet Key Exchange (IKE).

Contributed by Atri Basu, Marcin Latosiewicz, and Jay Young Taylor, Cisco TAC Engineers.

Prerequisites

Requirements

Readers of this document should have knowledge of these topics:

  • PSK

  • IKE

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA 8.3.2

  • Routers running IOS 12.4T

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Core Issue

IKE and IPsec debugs are sometimes cryptic, but you can use them to understand where an IPsec VPN tunnel establishment problem is located.

Scenario

Main mode is typically used between LAN-to-LAN tunnels or, in the case of remote access (EzVPN), when certificates are used for authentication.

The debugs are from two ASAs running software version 8.3.2. The two devices form a LAN-to-LAN tunnel.

Two main scenarios are described:

  • ASA as the IKE initiator
  • ASA as the IKE responder

Debug Commands Used

These are the debug commands used in this document:

  • debug crypto isakmp 127
  • debug crypto ipsec 127

ASA Configuration

IPsec Configuration

crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
crypto map MAP 10 match address VPN
crypto map MAP 10 set peer 10.0.0.2
crypto map MAP 10 set transform-set TRANSFORM
crypto map MAP 10 set reverse-route
crypto map MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
pre-shared-key cisco
access-list VPN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

IP Configuration


ciscoasa# show ip

System IP Addresses:

Interface               Name     IP address     Subnet mask     Method

GigabitEthernet0/0       inside     192.168.1.1     255.255.255.0   manual
GigabitEthernet0/1       outside   10.0.0.1          255.255.255.0   manual

Current IP Addresses:

Interface               Name      IP address     Subnet mask     Method

GigabitEthernet0/0       inside    192.168.1.1     255.255.255.0   manual
GigabitEthernet0/1       outside   10.0.0.1         255.255.255.0   manual

NAT Configuration

object network INSIDE-RANGE
 subnet 192.168.1.0 255.255.255.0
object network FOREIGN_NETWORK
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-RANGE INSIDE-RANGE destination static FOREIGN_NETWORK FOREIGN_NETWORK

Debugs

The original presents the debugs as a two-column table (initiator messages with explanation on the left, responder messages with explanation on the right). It is flattened here: for each message, the sending side's debugs and explanation come first, the arrow line (for example =====MM1=====>) marks the message crossing the wire, and the receiving side's debugs and explanation follow.

Main mode exchange begins; the policy is not yet shared and the peer is still in MM_NO_STATE. As the initiator, the ASA begins to build the payloads.
[IKEv1 DEBUG]: Pitcher: received a key acquire 
message, spi 0x0 IPSEC(crypto_map_check)-3: Looking
for crypto map matching 5-tuple: Prot=1,
saddr=192.168.1.2, sport=2816, daddr=192.168.2.1
dport=2816 IPSEC(crypto_map_check)-3:
Checking crypto map MAP 10: matched.
[IKEv1]: IP = 10.0.0.2, IKE Initiator: New Phase 1,
Intf inside, IKE Peer 10.0.0.2 local Proxy Address
192.168.1.0, remote Proxy Address 192.168.2.0,
Crypto map (MAP)
 
Build MM1. This process includes the initial proposals for IKE and the NAT-T vendor IDs that are supported.
[IKEv1 DEBUG]: IP = 10.0.0.2, 
constructing ISAKMP SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Traversal VID ver RFC payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing Fragmentation VID
+ extended capabilities payload
Send MM1.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING 
Message (msgid=0) with payloads : HDR
+ SA (1) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13)
+ NONE (0) total length : 168
 
=====================MM1========================>
 
 
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED 
Message (msgid=0) with payloads : HDR
+ SA (1) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13)
+ NONE (0) total length : 164
MM1 received from the initiator.
[IKEv1 DEBUG]: IP = 10.0.0.2, 
processing SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Oakley proposal is acceptable
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received NAT-Traversal RFC VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received NAT-Traversal ver 03 VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received NAT-Traversal ver 02 VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing IKE SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
IKE SA Proposal # 1, Transform # 1
acceptable Matches global IKE entry # 2
Process MM1. The ISAKMP/IKE policy comparison begins. The remote peer advertises that it can use NAT-T. Relevant configuration:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
[IKEv1 DEBUG]: IP = 10.0.0.2, 
constructing ISAKMP SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing Fragmentation VID
+ extended capabilities payload
Build MM2. The responder chooses the ISAKMP policy settings used in this message. It also advertises the NAT-T versions it can use.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING 
Message (msgid=0) with payloads : HDR + SA (1)
+ VENDOR (13) + VENDOR (13)
+ NONE(0) total length : 128
Send MM2.
 
<===================MM2=========================
 
MM2 received from the responder.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED 
Message (msgid=0) with payloads : HDR + SA (1)
+ VENDOR (13) + NONE (0) total length : 104
 
Process MM2.
[IKEv1 DEBUG]: IP = 10.0.0.2, 
processing SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Oakley proposal is acceptable
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received NAT-Traversal RFC VID
 
Build MM3. This process includes the NAT-Discovery payloads, the Diffie-Hellman (DH) key exchange (KE) payload (the initiator sends g, p and A to the responder), and DPD support.
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, 
constructing ke payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
constructing nonce payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
constructing Cisco Unity VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
constructing xauth V6 VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
Send IOS VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
Constructing ASA spoofing IOS Vendor ID payload
(version: 1.0.0, capabilities: 20000001)
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
constructing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Discovery payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Discovery payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
 
Send MM3.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING 
Message (msgid=0) with payloads : HDR + KE (4)
+ NONCE (10) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13) + NAT-D (20)
+ NAT-D (20) + NONE (0) total length : 304
 
 
=========================MM3===================>
 
 
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED 
Message (msgid=0) with payloads : HDR + KE (4)
+ NONCE (10) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + NAT-D (130) + NAT-D (130)
+ NONE (0) total length : 284
MM3 received from the initiator.
 
[IKEv1 DEBUG]: IP = 10.0.0.2, 
processing ke payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing ISA_KE payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing nonce payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received DPD VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Processing IOS/PIX Vendor ID payload
(version: 1.0.0, capabilities: 00000f6f)
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received xauth V6 VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing NAT-Discovery payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing NAT-Discovery payload
Process MM3. From the NAT-D payloads the responder can determine whether the initiator is behind a NAT and whether the responder itself is behind a NAT. From the DH KE payload the responder obtains the values p, g and A.
 
 [IKEv1 DEBUG]: IP = 10.0.0.2, 
computing NAT Discovery hash
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing ke payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing nonce payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing Cisco Unity VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing xauth V6 VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Send IOS VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
Constructing ASA spoofing IOS Vendor ID payload
(version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Discovery payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
[IKEv1 DEBUG]: IP = 10.0.0.2,
constructing NAT-Discovery payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
Build MM4. This process includes the NAT-Discovery payloads, the DH KE (the responder generates "B" and "s" and returns "B" to the initiator), and the DPD VID.
 
[IKEv1]: IP = 10.0.0.2, 
Connection landed on tunnel_group 10.0.0.2
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Generating keys for Responder...
The peer is associated with the 10.0.0.2 L2L tunnel group, and the encryption and hash keys are generated from "s" above and the pre-shared key.
 
 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING 
Message (msgid=0) with payloads : HDR + KE (4)
+ NONCE (10) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13) + NAT-D (130)
+ NAT-D (130) + NONE (0) total length : 304
Send MM4.
 
<======================MM4======================
 
MM4 received from the responder.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + KE (4)
+ NONCE (10) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13) + NAT-D (20)
+ NAT-D (20) + NONE (0) total length : 304
 
Process MM4. From the NAT-D payloads, the initiator can now determine whether it is behind a NAT and whether the responder is behind a NAT. From the DH KE, the initiator receives "B" and can now generate "s".
[IKEv1 DEBUG]: IP = 10.0.0.2, 
processing ike payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing ISA_KE payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing nonce payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received Cisco Unity client VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received DPD VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Processing IOS/PIX Vendor ID payload
(version: 1.0.0, capabilities: 00000f7f)
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
Received xauth V6 VID
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing NAT-Discovery payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
[IKEv1 DEBUG]: IP = 10.0.0.2,
processing NAT-Discovery payload
[IKEv1 DEBUG]: IP = 10.0.0.2,
computing NAT Discovery hash
The peer is associated with the 10.0.0.2 L2L tunnel group; using "s" above and the pre-shared key, the initiator generates the encryption and hash keys.
[IKEv1]: IP = 10.0.0.2, 
Connection landed on tunnel_group 10.0.0.2
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Generating keys for Initiator...
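The MM3/MM4 key exchange and the "Generating keys for Initiator/Responder" step above, as an added worked example (Python, not Cisco code): the initiator sends A = g^a mod p, the responder returns B = g^b mod p, both compute s, and the Phase 1 keys and the HASH_I carried in MM5 are derived from s and the PSK as RFC 2409 specifies, with HMAC-SHA1 as the prf to match "hash sha". The modulus is the RFC 2409 group 2 prime; cookies, nonces, the SA body and the PSK are constructed sample values. Because the responder must pick its PSK before it can decrypt the ID payload, the key is looked up by peer address, which is why the tunnel-group holding "pre-shared-key cisco" is named 10.0.0.2.

```python
"""IKEv1 main mode with PSK: DH group 2 exchange (MM3/MM4) and Phase 1 key derivation.
Added example for this TechNote, not Cisco code. prf is HMAC-SHA1 because the ISAKMP
policy above uses 'hash sha'; cookies, nonces, SA body and PSK are constructed values."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, Second Oakley Group (1024-bit MODP) = 'group 2' in the ASA policy.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_LEN = 128  # DH public values and g^xy are encoded at modulus length (bytes)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(p: int = GROUP2_P, g: int = GROUP2_G):
    """Private exponent x and public value g^x mod p (A for the initiator, B for the responder)."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(peer_pub: int, x: int, p: int = GROUP2_P) -> bytes:
    """s = peer_pub^x mod p. Public values 0, 1 and p-1 would force a known secret, so reject them."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, x, p).to_bytes(P_LEN, "big")


def phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5.4: with pre-shared keys SKEYID = prf(PSK, Ni_b | Nr_b), then section 5."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # keying material for Phase 2
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP authentication key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption key
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I sent in MM5: prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def simulate_main_mode(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Run MM3-MM5 between two peers; True when the responder accepts the initiator's HASH_I."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP header cookies
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)       # nonces carried in MM3/MM4
    sai_b = b"\x00\x00\x00\x01" + b"\x00" * 24                       # stand-in for the MM1 SA body
    # ID_IPV4_ADDR (type 1, proto 0, port 0) for 10.0.0.1. With a PSK in main mode the responder
    # has to choose its key by peer IP before it can decrypt this payload, which is why the
    # tunnel-group that carries 'pre-shared-key cisco' is named after the peer, 10.0.0.2.
    idii_b = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])
    a, A = dh_keypair()                      # MM3: initiator sends A (g and p fixed by group 2)
    b, B = dh_keypair()                      # MM4: responder answers with B
    s_i, s_r = dh_shared(B, a), dh_shared(A, b)
    assert s_i == s_r                        # both sides now hold the same g^xy ("s")
    gxi, gxr = A.to_bytes(P_LEN, "big"), B.to_bytes(P_LEN, "big")
    keys_i = phase1_keys(initiator_psk, ni, nr, s_i, cky_i, cky_r)  # 'Generating keys for Initiator'
    keys_r = phase1_keys(responder_psk, ni, nr, s_r, cky_i, cky_r)  # 'Generating keys for Responder'
    sent = hash_i(keys_i["SKEYID"], gxi, gxr, cky_i, cky_r, sai_b, idii_b)      # carried in MM5
    expected = hash_i(keys_r["SKEYID"], gxi, gxr, cky_i, cky_r, sai_b, idii_b)  # responder's check
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    print("matching PSK   :", simulate_main_mode(b"cisco", b"cisco"))
    print("mismatched PSK :", simulate_main_mode(b"cisco", b"wrong"))
```

A PSK mismatch only shows up here, at MM5/MM6, after the DH exchange succeeded; that is why a wrong key leaves the peers stuck in MM_WAIT_MSG5/MM_WAIT_MSG6 rather than failing earlier.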
Build MM5. Relevant configuration:
crypto isakmp identity auto
[IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, constructing ID payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Computing hash for ISAKMP
[IKEv1 DEBUG]: IP = 10.0.0.2,
Constructing IOS keep alive payload:
proposal=32767/32767 sec.
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing dpd vid payload
Send MM5.
[IKEv1]: IP = 10.0.0.2, 
IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8)
+ IOS KEEPALIVE (128) +VENDOR (13)
+ NONE (0) total length : 96
 
======================MM5======================>
 
The responder is not behind any NAT. NAT-T is not required.
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Automatic NAT Detection Status: Remote end
is NOT behind a NAT device This end is NOT
behind a NAT device
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR
+ ID (5) + HASH (8) + NONE (0) total length : 64
MM5 received from the initiator. This process includes the remote peer's identity (ID) and the connection landing on a specific tunnel group.
 
[IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, processing ID payload
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, ID_IPV4_ADDR ID received 10.0.0.2
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Computing hash for ISAKMP
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing notify payload
[IKEv1]: Group = 10.0.0.2,
IP = 10.0.0.2, Automatic NAT
Detection Status: Remote end is NOT
behind a NAT device This end is NOT behind
a NAT device
[IKEv1]: IP = 10.0.0.2,
Connection landed on tunnel_group 10.0.0.2
Process MM5. Authentication with the pre-shared key now begins. Authentication occurs on both peers; therefore, you will see two corresponding sets of authentication processes. Relevant configuration:
tunnel-group 10.0.0.2 type ipsec-l2l

NAT-T is not required in this case.
 
[IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, constructing ID payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Computing hash for ISAKMP
[IKEv1 DEBUG]: IP = 10.0.0.2,
Constructing IOS keep alive payload:
proposal=32767/32767 sec.
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing dpd vid payload
Build MM6. Sending the identity includes the start of the rekey period and the identity being sent to the remote peer.
 
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING 
Message (msgid=0) with payloads : HDR + ID (5)
+ HASH (8) + IOS KEEPALIVE (128) +VENDOR (13)
+ NONE (0) total length : 96
Send MM6.
 
<======================MM6======================
 
MM6 received from the responder.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR
+ ID (5) + HASH (8) + NONE (0) total length : 64
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
PHASE 1 COMPLETED
[IKEv1]: IP = 10.0.0.2, Keep-alive type
for this connection: DPD
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
Starting P1 rekey timer: 64800 seconds.
Phase 1 complete. The ISAKMP rekey timer starts. Relevant configuration:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ciscoasa# sh run all crypto isakmp
crypto isakmp identity auto
Process MM6. This process includes the remote identity sent by the peer and the final decision regarding tunnel-group selection.
 [IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, processing ID payload
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, ID_IPV4_ADDR ID received
10.0.0.2
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Computing hash for ISAKMP
[IKEv1]: IP = 10.0.0.2,
Connection landed on tunnel_group 10.0.0.2
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Oakley begin quick mode
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, IKE Initiator starting
QM: msg id = 7b80c2b0
 
Phase 1 complete. The ISAKMP rekey timer starts. Relevant configuration:
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
 pre-shared-key cisco
[IKEv1]: Group = 10.0.0.2,
IP = 10.0.0.2, PHASE 1 COMPLETED
[IKEv1]: IP = 10.0.0.2,
Keep-alive type for this connection: DPD
DPD has been negotiated and Phase 1 is now complete.
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Starting P1
rekey timer: 82080 seconds.
 
Phase 2 (quick mode) begins.
IPSEC: New embryonic SA 
created @ 0x53FC3C00,
SCB: 0x53F90A00,
Direction: inbound
SPI : 0xFD2D851F
Session ID: 0x00006000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
 
Build QM1. This process includes the proxy IDs and the IPsec policy. Relevant configuration:
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
[IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, IKE got SPI from key engine:
SPI = 0xfd2d851f
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, oakley constucting quick mode
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing IPSec SA payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing IPSec nonce payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing proxy ID
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Transmitting Proxy Id:
Local subnet: 192.168.1.0 mask 255.255.255.0
Protocol 1 Port 0
Remote subnet: 192.168.2.0 Mask 255.255.255.0
Protocol 1 Port 0
The local subnet (192.168.1.0/24) and expected remote
subnet (192.168.2.0/24) are being sent
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, IKE Initiator sending Initial Contact
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, constructing qm hash payload
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, IKE Initiator sending 1st QM pkt:
msg id = 7b80c2b0
 
Send QM1.
 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING   
Message (msgid=7b80c2b0) with payloads : HDR
+ HASH (8) + SA (1) + NONCE (10) + ID (5)
+ ID (5) + NOTIFY (11) + NONE (0) total length : 200
 
 
==========================QM1===================>
 
 
[IKEv1 DECODE]: IP = 10.0.0.2, 
IKE Responder starting QM: msg id = 52481cf5
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=52481cf5) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NONE (0) total length : 172
QM1 received from the initiator. The responder begins Phase 2 (QM).
 
[IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2,
processing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
processing SA payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
processing nonce payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
processing ID payload
Process QM1. This process compares the remote proxy with the local one and selects an acceptable IPsec policy. Relevant configuration:
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map MAP 10 match address VPN
 
[IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, 
ID_IPV4_ADDR_SUBNET ID
received--192.168.2.0--255.255.255.0
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.2.0, Mask 255.255.255.0,
Protocol 1, Port 0
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
processing ID payload
[IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2,
ID_IPV4_ADDR_SUBNET ID
received--192.168.1.0--255.255.255.0
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Received local IP Proxy Subnet data in ID Payload:
Address 192.168.1.0, Mask 255.255.255.0,
Protocol 1, Port 0
The remote and local subnets (192.168.2.0/24 and 192.168.1.0/24) are received.
 
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,   
QM IsRekeyed old sa not found by addr
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Static Crypto Map check, checking map = MAP,
seq = 10...
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Static Crypto Map check, map MAP,
seq = 10 is a successful match
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
IKE Remote Peer configured for crypto map: MAP
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
processing IPSec SA payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
IPSec SA Proposal # 1, Transform # 1 acceptable
Matches global IPSec SA entry # 10
A matching static crypto map entry is looked for and found.
 
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,  
IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x53FC3698,
SCB: 0x53FC2998,
Direction: inbound
SPI : 0x1698CAC7
Session ID: 0x00004000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
IKE got SPI from key engine: SPI = 0x1698cac7
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
oakley constructing quick mode
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
constructing IPSec SA payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
constructing IPSec nonce payload
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
constructing proxy ID
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
Transmitting Proxy Id:
Remote subnet: 192.168.2.0 Mask 255.255.255.0
Protocol 1 Port 0
Local subnet: 192.168.1.0 mask 255.255.255.0
Protocol 1 Port 0
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
constructing qm hash payload
[IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2,
IKE Responder sending 2nd QM pkt: msg id = 52481cf5
Build QM2. This process includes confirmation of the proxy identities and the tunnel type, and a check for a mirrored crypto ACL is performed.
 
 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING 
Message (msgid=52481cf5) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5)
+ ID (5) + NONE (0) total length : 172
Send QM2.
 
<=======================QM2======================
 
QM2 received from the responder.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=7b80c2b0) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NOTIFY (11)
+ NONE (0) total length : 200
 
Process QM2. In this process the remote end sends its parameters, and the shortest offered Phase 2 lifetime is selected.
 [IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, processing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing SA payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing nonce payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing ID payload
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID
received--192.168.1.0--255.255.255.0
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing ID payload
[IKEv1 DECODE]: Group = 10.0.0.2,
IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID
received--192.168.2.0--255.255.255.0
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, processing notify payload
[IKEv1 DECODE]: Responder Lifetime
decode follows (outb SPI[4]|attributes):
[IKEv1 DECODE]: 0000: DDE50931 80010001
00020004 00000E10 ...1............
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Responder forcing change of IPSec rekeying
duration from 28800 to 3600 seconds
Based on the response from the peer, the ASA changes certain IPsec attributes; in this case, the rekey interval.
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, loading all IPSEC SAs
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Generating Quick Mode Key!
The matching crypto map "MAP" entry 10 and the access-list "VPN" that matches it are found.
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,    
NP encrypt rule look up for crypto map MAP 10
matching ACL VPN: returned cs_id=53f11198;
rule=53f11a90
The device generates the respective SPIs, 0xfd2d851f and 0xdde50931, for inbound and outbound traffic.
 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, 
Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x53FC3698,
SCB: 0x53F910F0,
Direction: outbound
SPI : 0xDDE50931
Session ID: 0x00006000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update,
SPI 0xDDE50931
IPSEC: Creating outbound VPN context,
SPI 0xDDE50931
Flags: 0x00000005
SA : 0x53FC3698
SPI : 0xDDE50931
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x01CF218F
Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context,
SPI 0xDDE50931
VPN handle: 0x000161A4
IPSEC: New outbound encrypt rule,
SPI 0xDDE50931
Src addr: 192.168.1.0
Src mask: 255.255.255.0
Dst addr: 192.168.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 1
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule,
SPI 0xDDE50931
Rule ID: 0x53FC3AD8
IPSEC: New outbound permit rule,
SPI 0xDDE50931
Src addr: 10.0.0.1
Src mask: 255.255.255.255
Dst addr: 10.0.0.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xDDE50931
Use SPI: true
IPSEC: Completed outbound permit rule,
SPI 0xDDE50931
Rule ID: 0x53F91538
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2,
NP encrypt rule look up for crypto map MAP 10
matching ACL VPN: returned cs_id=53f11198;
rule=53f11a90
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
Security negotiation complete for LAN-to-LAN
Group (10.0.0.2) Initiator,
Inbound SPI = 0xfd2d851f,
Outbound SPI = 0xdde50931
Build QM3. Confirm all SPIs created to the remote peer.
IPSEC: Completed host IBSA update,
SPI 0xFD2D851F
IPSEC: Creating inbound VPN context,
SPI 0xFD2D851F
Flags: 0x00000006
SA : 0x53FC3C00
SPI : 0xFD2D851F
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x000161A4
SCB : 0x01CEA8EF
Channel: 0x4C69CB80
IPSEC: Completed inbound VPN context,
SPI 0xFD2D851F
VPN handle: 0x00018BBC
IPSEC: Updating outbound VPN context 0x000161A4,
SPI 0xDDE50931
Flags: 0x00000005
SA : 0x53FC3698
SPI : 0xDDE50931
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00018BBC
SCB : 0x01CF218F
Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context,
SPI 0xDDE50931
VPN handle: 0x000161A4
IPSEC: Completed outbound inner rule,
SPI 0xDDE50931
Rule ID: 0x53FC3AD8
IPSEC: Completed outbound outer SPD rule,
SPI 0xDDE50931
Rule ID: 0x53F91538
IPSEC: New inbound tunnel flow rule,
SPI 0xFD2D851F
Src addr: 192.168.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.1.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 1
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule,
SPI 0xFD2D851F
Rule ID: 0x53F91970
IPSEC: New inbound decrypt rule,
SPI 0xFD2D851F
Src addr: 10.0.0.2
Src mask: 255.255.255.255
Dst addr: 10.0.0.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xFD2D851F
Use SPI: true
IPSEC: Completed inbound decrypt rule,
SPI 0xFD2D851F
Rule ID: 0x53F91A08
IPSEC: New inbound permit rule,
SPI 0xFD2D851F
Src addr: 10.0.0.2
Src mask: 255.255.255.255
Dst addr: 10.0.0.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xFD2D851F
Use SPI: true
IPSEC: Completed inbound permit rule,
SPI 0xFD2D851F
Rule ID: 0x53F91AA0
Send QM3.
[IKEv1 DECODE]: Group = 10.0.0.2, 
IP = 10.0.0.2, IKE Initiator sending 3rd
QM pkt: msg id = 7b80c2b0
 
========================QM3=====================>
 
Phase 2 complete. Using these SPI values, the initiator is now ready to encrypt and decrypt packets.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING
Message (msgid=7b80c2b0) with payloads : HDR
+ HASH (8) + NONE (0) total length : 76
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
IKE got a KEY_ADD msg for SA: SPI = 0xdde50931
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
Pitcher: received KEY_UPDATE, spi 0xfd2d851f
[IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2,
Starting P2 rekey timer: 3060 seconds.
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,
PHASE 2 COMPLETED (msgid=7b80c2b0)
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=52481cf5) with payloads : HDR
+ HASH (8) + NONE (0) total length : 52
QM3 received from the initiator.
 
[IKEv1 DEBUG]: Group = 10.0.0.2, 
IP = 10.0.0.2, processing hash payload
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, loading all IPSEC SAs
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Generating Quick Mode Key!
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, NP encrypt rule look up for
crypto map MAP 10 matching ACL VPN:
returned cs_id=53f11198; rule=53f11a90
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x53F18B00,
SCB: 0x53F8A1C0,
Direction: outbound
SPI : 0xDB680406
Session ID: 0x00004000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update,
SPI 0xDB680406
IPSEC: Creating outbound VPN context,
SPI 0xDB680406
Flags: 0x00000005
SA : 0x53F18B00
SPI : 0xDB680406
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x005E4849
Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context,
SPI 0xDB680406
VPN handle: 0x0000E9B4
IPSEC: New outbound encrypt rule,
SPI 0xDB680406
Src addr: 192.168.1.0
Src mask: 255.255.255.0
Dst addr: 192.168.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 1
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule,
SPI 0xDB680406
Rule ID: 0x53F89160
IPSEC: New outbound permit rule,
SPI 0xDB680406
Src addr: 10.0.0.1
Src mask: 255.255.255.255
Dst addr: 10.0.0.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xDB680406
Use SPI: true
IPSEC: Completed outbound permit rule,
SPI 0xDB680406
Rule ID: 0x53E47E88
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, NP encrypt rule look up
for crypto map MAP 10 matching ACL VPN:
returned cs_id=53f11198; rule=53f11a90
Process QM3. The encryption keys for the data SAs are generated. In this process, the SPIs are set up so that traffic can pass.
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2,   
Security negotiation complete for
LAN-to-LAN Group (10.0.0.2) Responder,
Inbound SPI = 0x1698cac7,
Outbound SPI = 0xdb680406
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, IKE got a
KEY_ADD msg for SA: SPI = 0xdb680406
IPSEC: Completed host IBSA update,
SPI 0x1698CAC7
IPSEC: Creating inbound VPN context,
SPI 0x1698CAC7
Flags: 0x00000006
SA : 0x53FC3698
SPI : 0x1698CAC7
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x0000E9B4
SCB : 0x005DAE51
Channel: 0x4C69CB80
IPSEC: Completed inbound VPN context,
SPI 0x1698CAC7
VPN handle: 0x00011A8C
IPSEC: Updating outbound VPN context 0x0000E9B4,
SPI 0xDB680406
Flags: 0x00000005
SA : 0x53F18B00
SPI : 0xDB680406
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00011A8C
SCB : 0x005E4849
Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context,
SPI 0xDB680406
VPN handle: 0x0000E9B4
IPSEC: Completed outbound inner rule,
SPI 0xDB680406
Rule ID: 0x53F89160
IPSEC: Completed outbound outer SPD rule,
SPI 0xDB680406
Rule ID: 0x53E47E88
IPSEC: New inbound tunnel flow rule,
SPI 0x1698CAC7
Src addr: 192.168.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.1.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 1
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule,
SPI 0x1698CAC7
Rule ID: 0x53FC3E80
IPSEC: New inbound decrypt rule,
SPI 0x1698CAC7
Src addr: 10.0.0.2
Src mask: 255.255.255.255
Dst addr: 10.0.0.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x1698CAC7
Use SPI: true
IPSEC: Completed inbound decrypt rule,
SPI 0x1698CAC7
Rule ID: 0x53FC3F18
IPSEC: New inbound permit rule,
SPI 0x1698CAC7
Src addr: 10.0.0.2
Src mask: 255.255.255.255
Dst addr: 10.0.0.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x1698CAC7
Use SPI: true
IPSEC: Completed inbound permit rule,
SPI 0x1698CAC7
Rule ID: 0x53F8AEA8
[IKEv1 DEBUG]: Group = 10.0.0.2,
IP = 10.0.0.2, Pitcher:
received KEY_UPDATE, spi 0x1698cac7
SPIs are assigned to the data SAs.
[IKEv1 DEBUG]: Group = 10.0.0.2,    
IP = 10.0.0.2, Starting P2
rekey timer: 3060 seconds.
The IPsec rekey period begins.
[IKEv1]: Group = 10.0.0.2,  
IP = 10.0.0.2, PHASE 2
COMPLETED (msgid=52481cf5)
Phase 2 complete. The responder and initiator can encrypt/decrypt traffic.
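Reading the debugs step by step, as done above, can also be mechanised. The following parser is an added example (Python, not Cisco code) that walks one device's debug crypto isakmp output: it numbers the msgid=0 messages MM1..MM6 and each quick-mode msgid QM1..QM3 (the side that sends MM1 is the initiator), treats an identical repeated SENDING record as a retransmission, and picks up the NAT detection result, the forced Phase 2 lifetime and the negotiated SPIs, so a tunnel that never comes up is placed at the last message exchanged. The sample records are condensed from the initiator-side debugs above (fewer VENDOR payloads), one record per line as the ASA emits them.

```python
"""Reconstruct an IKEv1 exchange from ASA 'debug crypto isakmp' output and say how far it got.
Added example for this TechNote, not Cisco code. It keys on the record formats shown above
(IKE_DECODE SENDING/RECEIVED, PHASE n COMPLETED, Automatic NAT Detection Status, Security
negotiation complete, Responder forcing change of IPSec rekeying duration); one record per line."""
import re
from dataclasses import dataclass, field
from typing import Optional

DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-fA-F]+)\)"
                       r"\s*with payloads\s*:\s*(.*?)\s*total length\s*:\s*(\d+)")
NAT_RE = re.compile(r"Remote end is (NOT )?behind a NAT device\s*This end is (NOT )?behind a NAT device")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-fA-F]+),\s*Outbound SPI = (0x[0-9a-fA-F]+)")
REKEY_RE = re.compile(r"IPSec rekeying duration from (\d+) to (\d+) seconds")


def payload_names(spec: str) -> list:
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['SA', 'VENDOR'] (HDR and NONE dropped)."""
    names = []
    for part in spec.split("+"):
        m = re.match(r"\s*([A-Za-z][A-Za-z_ -]*?)\s*\(\d+\)", part)
        if m and m.group(1) != "NONE":
            names.append(m.group(1))
    return names


@dataclass
class Exchange:
    label: str                                  # "MM" for msgid=0 (Phase 1), "QM" for any other msgid
    steps: list = field(default_factory=list)   # (step_no, direction, payloads)
    retransmits: int = 0


@dataclass
class IkeTrace:
    role: str = "unknown"
    exchanges: dict = field(default_factory=dict)
    phase1_done: bool = False
    phase2_done: bool = False
    nat: Optional[tuple] = None           # (remote end behind NAT, this end behind NAT)
    spis: Optional[tuple] = None          # (inbound, outbound) from 'Security negotiation complete'
    rekey_change: Optional[tuple] = None  # (offered, forced) Phase 2 lifetime in seconds


def parse_trace(lines) -> IkeTrace:
    t = IkeTrace()
    for line in lines:
        m = DECODE_RE.search(line)
        if m:
            direction, msgid, spec, _ = m.groups()
            names = payload_names(spec)
            ex = t.exchanges.setdefault(msgid, Exchange("MM" if msgid == "0" else "QM"))
            if ex.steps and ex.steps[-1][1:3] == (direction, names):
                ex.retransmits += 1       # same message again: the peer has not answered
                continue
            if t.role == "unknown" and msgid == "0":   # whoever sends MM1 is the IKE initiator
                t.role = "initiator" if direction == "SENDING" else "responder"
            ex.steps.append((len(ex.steps) + 1, direction, names))
        elif "PHASE 1 COMPLETED" in line:
            t.phase1_done = True
        elif "PHASE 2 COMPLETED" in line:
            t.phase2_done = True
        elif (m := NAT_RE.search(line)):
            t.nat = (m.group(1) is None, m.group(2) is None)
        elif (m := SPI_RE.search(line)):
            t.spis = (m.group(1).lower(), m.group(2).lower())
        elif (m := REKEY_RE.search(line)):
            t.rekey_change = (int(m.group(1)), int(m.group(2)))
    return t


def diagnose(t: IkeTrace) -> str:
    if t.phase2_done:
        return f"tunnel up as {t.role}; inbound/outbound SPI {t.spis}"
    stage = "main mode" if not t.phase1_done else "quick mode"
    current = [ex for ex in t.exchanges.values() if ex.steps and (ex.label == "MM") == (stage == "main mode")]
    if not current:
        return f"stalled before any {stage} message ({t.role})"
    ex = current[-1]
    step, direction, _ = ex.steps[-1]
    note = f"; {ex.retransmits} retransmission(s), peer not answering" if ex.retransmits else ""
    return f"stalled in {stage} after {ex.label}{step} {direction.lower()}{note}"


# Constructed sample: initiator-side records condensed from the debugs above, one record per line.
SAMPLE_UP = """\
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +VENDOR (13) + NONE (0) total length : 96
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Security negotiation complete for LAN-to-LAN Group (10.0.0.2) Initiator, Inbound SPI = 0xfd2d851f, Outbound SPI = 0xdde50931
[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + NONE (0) total length : 76
[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=7b80c2b0)
"""
SAMPLE_STALLED = "\n".join(3 * [SAMPLE_UP.splitlines()[0]])  # constructed: peer never answers MM1

if __name__ == "__main__":
    for name, text in (("up", SAMPLE_UP), ("stalled", SAMPLE_STALLED)):
        print(name, "->", diagnose(parse_trace(text.splitlines())))
```

Feed it the output of debug crypto isakmp 127 captured from one ASA; when the peer is a different vendor, extend DECODE_RE only if that device's decode line differs from the ASA format shown here.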

Tunnel Verification


Note: Because ICMP was used to trigger the tunnel, only one IPsec SA is UP. Protocol 1 = ICMP.

show crypto ipsec sa
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
      access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
      current_peer: 10.0.0.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: DB680406
      current inbound spi : 1698CAC7
    inbound esp sas:
      spi: 0x1698CAC7 (379112135)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xDB680406 (3681027078)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

show crypto isakmp sa

   Active SA: 1
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


Document ID: 113574