Security : Cisco ASA 5500 Series Adaptive Security Appliances

ASA IPsec and IKE Debugs (IKEv1 Aggressive Mode) Troubleshooting TechNote

August 28, 2015 (machine translation; the English original is dated April 23, 2015)

Introduction

This document describes the debugs on the Cisco Adaptive Security Appliance (ASA) when aggressive mode and a pre-shared key (PSK) are used. The mapping of certain debug lines to the configuration is also discussed. Cisco recommends that you have a basic knowledge of IPsec and Internet Key Exchange (IKE).

This document does not discuss the passing of traffic after the tunnel is established.

Contributed by Atri Basu and Marcin Latosiewicz, Cisco TAC Engineers.

Core Issue

IKE and IPsec debugs are sometimes cryptic, but you can use them in order to understand at which step an IPsec VPN tunnel establishment fails.

Scenario

Aggressive mode is typically used in the case of Easy VPN (EzVPN) with software clients (Cisco VPN Client) and hardware clients (Cisco ASA 5505 Adaptive Security Appliance or Cisco IOS Software routers), but only when a pre-shared key is used. Unlike main mode, which needs six messages, aggressive mode consists of three messages. The price of the shorter exchange is that the identities and the responder's authentication hash (AM2) are sent before encryption starts; only AM3 is encrypted. This is why aggressive mode with a PSK needs a strong, non-guessable key: the cleartext HASH_R in AM2, together with the nonces, cookies and IDs that are also in the clear, is enough for an offline dictionary attack on the PSK by anyone who captures the exchange or who sends an AM1 with a guessed group name and collects the AM2.

The debugs are from an ASA that runs software Version 8.3.2 and acts as an EzVPN server. The EzVPN client is a software client.

Debug Commands Used

These are the debug commands used in this document:

debug crypto isakmp 127
debug crypto ipsec 127

ASA Configuration

The ASA configuration in this example is deliberately basic; no external servers (AAA, DHCP, CA) are used, so user authentication and address assignment are local to the ASA.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.48.67.14 255.255.254.0

crypto ipsec transform-set TRA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route

crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

username cisco password cisco
username cisco attributes
vpn-framed-ip-address 192.168.1.100 255.255.255.0

tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
 default-group-policy EZ
tunnel-group EZ ipsec-attributes
 pre-shared-key *****

group-policy EZ internal
group-policy EZ attributes
 password-storage enable
 dns-server value 192.168.1.99
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split
 default-domain value jyoungta-labdomain.cisco.com

Debugs

Note: Refer to Important Information on Debug Commands before you use debug commands.

The exchange is shown below in the order in which it happens. Lines that start with a message counter and a timestamp (for example 497 11:28:30.289 08/24/12) are from the Cisco VPN Client log; lines that start with Aug 24 are from the ASA, the server. The arrows between the blocks (<=== and ===>) show the direction of each ISAKMP message: from client to server, and from server to client. A short description follows each block.

Client:

497 11:28:30.289 08/24/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 64.102.156.88.
498 11:28:30.297 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_INITIAL Event: EV_INITIATOR
499 11:28:30.297 08/24/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
500 11:28:30.297 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_GEN_DHKEY
501 11:28:30.304 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_BLD_MSG
502 11:28:30.304 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_START_RETRY_TMR
503 11:28:30.304 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_SND_MSG

Aggressive mode starts. The client builds AM1. This message includes:
- the ISAKMP header (HDR)
- the security association (SA) payload with all the transforms (proposals) that the client supports
- the key exchange (KE) payload with the client's Diffie-Hellman public value
- the Phase 1 initiator ID (for EzVPN this is the group name, which the server uses to select the tunnel group)
- a nonce
- vendor ID (VID) payloads that advertise the client's capabilities (Xauth, DPD, fragmentation, NAT-T, Unity)

504 11:28:30.304 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 64.102.156.88

The client sends AM1.

<=============== Aggressive Message 1 (AM1) ===============

Server: AM1 is received from the client.

Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849

Client:

506 11:28:30.333 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_WAIT_MSG2 Event: EV_NO_EVENT

The client waits for the reply from the server.

Server: AM1 is processed. The received proposals and transforms are compared with the ones configured on the ASA until one matches.

Relevant configuration:

ISAKMP must be enabled on the interface, and at least one policy must match what the client sends:

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

A tunnel group whose name matches the identity sent by the client must exist:

tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
 default-group-policy EZ
tunnel-group EZ ipsec-attributes
 pre-shared-key cisco

Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing SA payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing ke payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing ISA_KE payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing nonce payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing ID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, Received xauth V6 VID
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, Received DPD VID
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, Received Fragmentation VID
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, IKE Peer included IKE fragmentation capability flags: Main Mode: True  Aggressive Mode: False
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, Received NAT-Traversal ver 02 VID
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: IP = 64.102.156.87, Received Cisco Unity client VID
Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, Connection landed on tunnel_group ipsec
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing IKE SA payload
Aug 24 11:31:03 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
(the previous line is repeated 16 times in the original debug output)
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1

The "Phase 1 failure: Mismatched attribute types" lines are not an error here. The ASA prints one of them for every transform-to-policy comparison that fails while it walks the client's proposal and its own policies in priority order; the comparison ends with "acceptable Matches global IKE entry # 1", and that is the line that matters. Only when the debug stops at the mismatch lines without a subsequent match (typically followed by "All SA proposals found unacceptable!") is Phase 1 actually failing; in that case compare the Rcv'd and Cfg'd values against the crypto isakmp policy entries. Note also that the tunnel group selected by the client's identity in these debugs is named ipsec, while the sample configuration above calls it EZ; the debugs and the sample configuration were not captured from the same device.
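The ASA side of the exchange described on this page, as an added example that is not part of the original Cisco document: a small Python parser for the IKE_DECODE lines and the Phase 1 proposal lines that debug crypto isakmp 127 prints. It names the step (AM1/AM2/AM3, the XAUTH and mode config transactions, QM1/QM2/QM3, informational) that each packet belongs to, and it reports whether the repeated "Phase 1 failure" lines were followed by an accepted transform, which is the check described above. SAMPLE_LOG is constructed here from the message formats shown on the page (payload lists shortened); the function names are this example's own, and the step labels are assigned by payload content and order, not by anything the ASA itself prints.

```python
"""Classify ASA IKEv1 aggressive-mode debug lines into exchange steps.

Added example, not part of the original Cisco document.  SAMPLE_LOG is
constructed from the line formats shown on the page; function names and
step labels are this example's own.
"""
import re

DECODE_RE = re.compile(
    r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9a-f]+)\)"
    r" with payloads : (?P<payloads>.+?) total length : (?P<len>\d+)"
)
P1_FAIL_RE = re.compile(r"Phase 1 failure: Mismatched attribute types")
P1_OK_RE = re.compile(
    r"IKE SA Proposal # (\d+), Transform # (\d+) acceptable Matches global IKE entry # (\d+)"
)

# The two transaction exchanges the ASA opens during Phase 1.5, in order.
ASA_OPENED = (("XAUTH request", "XAUTH reply"), ("XAUTH set", "XAUTH ack"))
CLIENT_OPENED = ("ModeCfg request", "ModeCfg reply")


def payload_types(payloads):
    """'HDR + SA (1) + KE (4) + NONE (0)' -> ['HDR', 'SA', 'KE']."""
    return [p.split(" ")[0] for p in payloads.split(" + ") if not p.startswith("NONE")]


def classify_exchange(lines):
    """Return one dict per IKE_DECODE line: msgid, direction, step, length, payloads."""
    steps = []
    qm_ids = set()        # message IDs seen carrying a Phase 2 SA payload
    trans_pairs = {}      # transaction msgid -> (opening step, answering step)
    asa_opened = 0
    for line in lines:
        m = DECODE_RE.search(line)
        if not m:
            continue
        direction, msgid = m["dir"], m["msgid"]
        types = payload_types(m["payloads"])
        if msgid == "0":  # Phase 1: aggressive mode always uses message ID 0
            if "SA" in types and "HASH" not in types:
                step = "AM1"  # initiator's proposal, sent in the clear
            elif "SA" in types:
                step = "AM2"  # responder's choice plus HASH_R, still in the clear
            else:
                step = "AM3"  # initiator's HASH_I, first encrypted message
        elif "SA" in types:  # quick mode carries the IPsec SA proposal
            qm_ids.add(msgid)
            step = "QM1" if direction == "RECEIVED" else "QM2"
        elif msgid in qm_ids:
            step = "QM3"  # hash-only acknowledgement of QM2
        elif "ATTR" in types:  # transaction exchange: XAUTH or mode config
            if msgid not in trans_pairs:
                if direction == "SENDING":
                    asa_opened += 1
                    trans_pairs[msgid] = ASA_OPENED[min(asa_opened, len(ASA_OPENED)) - 1]
                else:
                    trans_pairs[msgid] = CLIENT_OPENED
                step = trans_pairs[msgid][0]
            else:
                step = trans_pairs[msgid][1]
        else:
            step = "Informational"  # e.g. the DPD notify sent after Phase 1
        steps.append({"msgid": msgid, "direction": direction, "step": step,
                      "length": int(m["len"]), "payloads": types})
    return steps


def phase1_summary(lines):
    """Count mismatch lines and return the (proposal, transform, policy) that matched."""
    mismatches, matched = 0, None
    for line in lines:
        if P1_FAIL_RE.search(line):
            mismatches += 1
        m = P1_OK_RE.search(line)
        if m:
            matched = tuple(int(x) for x in m.groups())
    return {"mismatch_lines": mismatches, "matched": matched, "benign": matched is not None}


# Constructed sample in the format of the ASA debug lines on this page.
SAMPLE_LOG = """\
Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 849
Aug 24 11:31:03 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Aug 24 11:31:03 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 444
Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + NONE (0) total length : 168
Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=fb709d4d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Aug 24 11:31:09 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=fb709d4d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 85
Aug 24 11:31:09 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=5b6910ff) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Aug 24 11:31:09 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=5b6910ff) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Aug 24 11:31:11 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=84b4b653) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 183
Aug 24 11:31:11 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=84b4b653) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 215
Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=be8f7821) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=e83792e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=e83792e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=e83792e) with payloads : HDR + HASH (8) + NONE (0) total length : 52
""".splitlines()

if __name__ == "__main__":
    for s in classify_exchange(SAMPLE_LOG):
        print(f"{s['direction']:<8} msgid={s['msgid']:<8} {s['step']:<16} {s['length']:>5} bytes")
    print(phase1_summary(SAMPLE_LOG))
```

Run it against a real "debug crypto isakmp 127" capture (one line per list entry) to see where a failing client stops: a session that ends at AM1 with benign False is a Phase 1 policy mismatch, one that ends at "XAUTH set" is a credential failure, and one that ends at QM1 is a Phase 2 (transform set or proxy ID) problem.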
 

Server: AM2 is built. This message includes:
- the selected policy (one SA payload with the transform that matched)
- the server's Diffie-Hellman (DH) public value and nonce
- the responder ID
- authentication: the HASH_R payload, computed from the PSK, the DH values, the nonces and the IDs. Because aggressive mode sends this hash in the clear, the client can verify the server now, before any encryption
- vendor ID payloads that advertise the server's capabilities
- Network Address Translation (NAT) detection payloads (NAT-D)

Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing ISAKMP SA payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing ke payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing nonce payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Generating keys for Responder...
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing ID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing hash payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Computing hash for ISAKMP
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing Cisco Unity VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing xauth V6 VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing dpd vid payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing NAT-Traversal VID ver 02 payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing NAT-Discovery payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing NAT-Discovery payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing Fragmentation VID + extended capabilities payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Server: AM2 is sent.

Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444

=============== Aggressive Message 2 (AM2) ===============>

Client:

507 11:28:30.402 08/24/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 64.102.156.8
508 11:28:30.403 08/24/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 64.102.156.88
510 11:28:30.412 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_RCVD_MSG

The client receives AM2. The responder cookie is now filled in; from here on the ISAKMP SA is identified by the cookie pair.

511 11:28:30.412 08/24/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
512 11:28:30.412 08/24/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
513 11:28:30.412 08/24/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
514 11:28:30.412 08/24/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
515 11:28:30.412 08/24/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
516 11:28:30.412 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_GEN_SKEYID
517 11:28:30.422 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_AUTHENTICATE_PEER
518 11:28:30.422 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_ADJUST_PORT
519 11:28:30.422 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_CRYPTO_ACTIVE

The client processes AM2: it derives SKEYID from the PSK and the nonces (EV_GEN_SKEYID), verifies the server's hash (EV_AUTHENTICATE_PEER), adjusts the UDP port for NAT-T now that both sides have advertised support for it (EV_ADJUST_PORT), and activates the Phase 1 keys (EV_CRYPTO_ACTIVE).

520 11:28:30.422 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_SND_MSG3 Event: EV_BLD_MSG
521 11:28:30.422 08/24/12 Sev=Debug/8 IKE/0x63000001
IOS Vendor ID Contruction started
522 11:28:30.422 08/24/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Construction successful

The client builds AM3. This message carries the client's authentication (HASH_I). At this point all the data needed to derive the Phase 1 keys has been exchanged, so AM3 is the first message that is sent encrypted (the asterisk after OAK AG in the next log line marks an encrypted message).

523 11:28:30.423 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_SND_MSG3 Event: EV_SND_MSG
524 11:28:30.423 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 64.102.156.88

The client sends AM3.

<=============== Aggressive Message 3 (AM3) ===============

Server: AM3 is received from the client.

Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

Server: AM3 is processed. The client's hash is verified, which proves that the client knows the PSK, and the NAT-D hashes are compared in order to decide whether NAT traversal (NAT-T) is needed. Both sides are now ready to encrypt.

Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing hash payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Computing hash for ISAKMP
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing notify payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing NAT-Discovery payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing NAT-Discovery payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, processing VID payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Received Cisco Unity client VID
Aug 24 11:31:03 [IKEv1]: Group = ipsec, IP = 64.102.156.87, Automatic NAT Detection Status: Remote end IS behind a NAT device  This end is NOT behind a NAT device

Server: Phase 1.5 (XAUTH) starts, and the user credentials are requested. The hash and attribute payloads of the transaction exchange are encrypted with the Phase 1 keys, so everything from here on, credentials included, travels inside the ISAKMP SA.

Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing blank hash payload
Aug 24 11:31:03 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, constructing qm hash payload
Aug 24 11:31:03 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=fb709d4d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72

=============== Xauth - credential request ===============>

Client:

535 11:28:30.430 08/24/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.102.156.88
536 11:28:30.431 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID(Hex): FB709D4D
  Length: 76
Payload Hash
  Next Payload: Attributes
  Reserved: 00
  Payload Length: 24
  Data (In Hex): C779D5CBC5C75E3576C478A15A7CAB8A83A232D0
Payload Attributes
  Next Payload: None
  Reserved: 00
  Payload Length: 20
  Type: ISAKMP_CFG_REQUEST
  Reserved: 00
  Identifier: 0000
  XAUTH Type: Generic
  Extended Login User Name: (empty)
  Extended Login User Password: (empty)
537 11:28:30.431 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_INITIAL Event: EV_RCVD_MSG

The client receives the authentication request. The decrypted payload shows empty user name and password fields: an ISAKMP_CFG_REQUEST with empty attributes asks the client to fill them in.

538 11:28:30.431 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_PCS_XAUTH_REQ Event: EV_INIT_XAUTH
539 11:28:30.431 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_PCS_XAUTH_REQ Event: EV_START_RETRY_TMR
540 11:28:30.432 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_WAIT_4USER Event: EV_NO_EVENT
541 11:28:36.415 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_WAIT_4USER Event: EV_RCVD_USER_INPUT

Phase 1.5 (XAUTH) starts on the client. A retry timer is started and the client waits for user input (note the six-second gap between lines 540 and 541 while the user types). If the timer expires before the user responds, the connection is torn down automatically.

542 11:28:36.415 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_WAIT_4USER Event: EV_SND_MSG
543 11:28:36.415 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88
544 11:28:36.415 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID(Hex): FB709D4D
  Length: 85
Payload Hash
  Next Payload: Attributes
  Reserved: 00
  Payload Length: 24
  Data (In Hex): 1A3645155BE9A81CB80FCDB5F7F24E03FF8239F5
Payload Attributes
  Next Payload: None
  Reserved: 00
  Payload Length: 33
  Type: ISAKMP_CFG_REPLY
  Reserved: 00
  Identifier: 0000
  XAUTH Type: Generic
  Extended Login User Name: (DATA NOT SHOWN)
  Extended Login User Password: (DATA NOT SHOWN)

Once the user input is received, the client sends the user credentials to the server in an ISAKMP_CFG_REPLY. The decrypted payload shows populated (but hidden) user name and password fields; the same message ID (FB709D4D) ties the reply to the request.

<=============== Extended login user credentials ===============

Server: The user credentials are received.

Aug 24 11:31:09 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=fb709d4d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 85
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, process_attr(): Enter!

Server: The user credentials are processed. They are verified against the local user database (no external server is configured), and the user and group attributes that will later be pushed in the mode config reply are looked up.

Relevant configuration:

username cisco password cisco

Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, IP = 64.102.156.87, Processing MODE_CFG Reply attributes.
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: primary DNS = 192.168.1.99
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: secondary DNS = cleared
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: primary WINS = cleared
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: secondary WINS = cleared
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: split tunneling list = split
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: default domain = jyoungta-labdomain.cisco.com
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: IP Compression = disabled
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Aug 24 11:31:09 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, User (user1) authenticated.

From this point the debug lines carry Username = user1, so a failed XAUTH shows up as the absence of the "User (...) authenticated." line and of the Username field in everything that follows. (The user in these debugs is user1, whereas the sample configuration defines a local user named cisco.)

Server: The XAUTH result is sent.

Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload
Aug 24 11:31:09 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=5b6910ff) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64

=============== Xauth - authorization result ===============>
Client:

545 11:28:36.416 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_XAUTHREQ_DONE Event: EV_XAUTHREQ_DONE
546 11:28:36.416 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_XAUTHREQ_DONE Event: EV_NO_EVENT
547 11:28:36.424 08/24/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 64.102.156.88
548 11:28:36.424 08/24/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.102.156.88
549 11:28:36.425 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID(Hex): 5B6910FF
  Length: 76
Payload Hash
  Next Payload: Attributes
  Reserved: 00
  Payload Length: 24
  Data (In Hex): 7DCF47827164198731639BFB7595F694C9DDFE85
Payload Attributes
  Next Payload: None
  Reserved: 00
  Payload Length: 12
  Type: ISAKMP_CFG_SET
  Reserved: 00
  Identifier: 0000
  XAUTH Status: Pass
550 11:28:36.425 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=5B6910FF CurState: TM_INITIAL Event: EV_RCVD_MSG
551 11:28:36.425 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=5B6910FF CurState: TM_PCS_XAUTH_SET Event: EV_INIT_XAUTH
552 11:28:36.425 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=5B6910FF CurState: TM_PCS_XAUTH_SET Event: EV_CHK_AUTH_RESULT

The client receives and processes the authentication result. The result arrives as an ISAKMP_CFG_SET with a new message ID (5B6910FF); XAUTH Status: Pass means the credentials were accepted.

553 11:28:36.425 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88

The client acknowledges the result.

<=============== Xauth - acknowledgement ===============

Server: The ACK is received and processed; the server sends no response to it.

Aug 24 11:31:09 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=5b6910ff) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, process_attr(): Enter!
Aug 24 11:31:09 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Processing cfg ACK attributes

Client:

555 11:28:36.426 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=5B6910FF CurState: TM_XAUTH_DONE Event: EV_XAUTH_DONE_SUC
556 11:28:36.426 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=5B6910FF CurState: TM_XAUTH_DONE Event: EV_NO_EVENT
557 11:28:36.426 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_XAUTHREQ_DONE Event: EV_TERM_REQUEST
558 11:28:36.426 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_FREE Event: EV_REMOVE
559 11:28:36.426 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=FB709D4D CurState: TM_FREE Event: EV_NO_EVENT
560 11:28:36.426 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_XAUTH_PROG Event: EV_XAUTH_DONE_SUC
561 11:28:38.406 08/24/12 Sev=Debug/8 IKE/0x6300004C
Starting DPD timer for SA (I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0) sa->state = 1, sa->dpd.worry_freq(mSec) = 5000
562 11:28:38.406 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_MODECFG_PROG Event: EV_INIT_MODECFG
563 11:28:38.406 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_MODECFG_PROG Event: EV_NO_EVENT
564 11:28:38.406 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=84B4B653 CurState: TM_INITIAL Event: EV_INIT_MODECFG
565 11:28:38.408 08/24/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
566 11:28:38.409 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=84B4B653 CurState: TM_SND_MODECFGREQ Event: EV_START_RETRY_TMR

The client finishes XAUTH, frees the two transaction state machines, starts its DPD timer, and then generates the mode config request (message ID 84B4B653). The decrypted payload in the next block lists the parameters the client asks the server for.

567 11:28:38.409 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=84B4B653 CurState: TM_SND_MODECFGREQ Event: EV_SND_MSG
568 11:28:38.409 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88
569 11:28:38.627 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID(Hex): 84B4B653
  Length: 183
Payload Hash
  Next Payload: Attributes
  Reserved: 00
  Payload Length: 24
  Data (In Hex): 81BFBF6721A744A815D69A315EF4AAA571D6B687
Payload Attributes
  Next Payload: None
  Reserved: 00
  Payload Length: 131
  Type: ISAKMP_CFG_REQUEST
  Reserved: 00
  Identifier: 0000
  IPv4 Address: (empty)
  IPv4 Netmask: (empty)
  IPv4 DNS: (empty)
  IPv4 NBNS (WINS): (empty)
  Address Expiry: (empty)
  Cisco extension: Banner: (empty)
  Cisco extension: Save PWD: (empty)
  Cisco extension: Default Domain Name: (empty)
  Cisco extension: Split Include: (empty)
  Cisco extension: Split DNS Name: (empty)
  Cisco extension: Do PFS: (empty)
  Unknown: (empty)
  Cisco extension: Backup Servers: (empty)
  Cisco extension: Smartcard Removal Disconnect: (empty)
  Application Version: Cisco Systems VPN Client 5.0.07.0290:WinNT
  Cisco extension: Firewall Type: (empty)
  Cisco extension: Dynamic DNS Hostname: ATBASU-LABBOX

The client sends the mode config request. Each empty attribute is a question to the server; the only values the client volunteers are its application version and its DHCP/DDNS host name.

<=============== Mode config request ===============

Server: The mode config request is received.

Aug 24 11:31:11 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=84b4b653) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 183
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, process_attr(): Enter!

Client:

570 11:28:38.628 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=84B4B653 CurState: TM_WAIT_MODECFGREPLY Event: EV_NO_EVENT

The client waits for the server's response.

Server: The mode config request is processed.

Many of these values are normally configured in the group policy. Because the server in this example has a very basic configuration, most of them are not set here, and the corresponding attributes are simply left out of the reply.

Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Processing cfg Request attributes
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for IPV4 address!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for IPV4 net mask!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for DNS server address!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for WINS server address!
Aug 24 11:31:11 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Received unsupported transaction mode attribute: 5
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Banner!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Save PW setting!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Default Domain Name!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Split Tunnel List!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Split DNS!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for PFS setting!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Client Browser Proxy Setting!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for backup ip-sec peer list!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for Application Version!
Aug 24 11:31:11 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Client Type: WinNT  Client Application Version: 5.0.07.0290
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for FWTYPE!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG: Received request for DHCP hostname for DDNS is: ATBASU-LABBOX!

The "Received unsupported transaction mode attribute: 5" line corresponds to the Address Expiry attribute in the client's request (INTERNAL_ADDRESS_EXPIRY, attribute type 5), which the ASA does not implement; the attribute is ignored, and this is not an error.

Server: The mode config reply is built with all the configured values.

Relevant configuration:

Note: In this case the user is always assigned the same IP address, because the address is set in the user's attributes with vpn-framed-ip-address rather than taken from a pool.

username cisco attributes
 vpn-framed-ip-address 192.168.1.100 255.255.255.0

group-policy EZ internal
group-policy EZ attributes
 password-storage enable
 dns-server value 192.168.1.99
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split
 default-domain value jyoungta-labdomain.cisco.com

Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Obtained IP addr (192.168.1.100) prior to initiating Mode Cfg (XAuth enabled)
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Sending subnet mask (255.255.255.0) to remote client
Aug 24 11:31:11 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Assigned private IP address 192.168.1.100 to remote user
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, construct_cfg_set: default domain = jyoungta-labdomain.cisco.com
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Send Client Browser Proxy Attributes!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Send Cisco Smartcard Removal Disconnect enable!!
Aug 24 11:31:11 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload

Server: The mode config reply is sent.

Aug 24 11:31:11 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=84b4b653) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 215

=============== Mode config reply ===============>
Client:

571 11:28:38.638 08/24/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 64.102.156.88
572 11:28:38.638 08/24/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.102.156.88
573 11:28:38.639 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID(Hex): 84B4B653
  Length: 220
Payload Hash
  Next Payload: Attributes
  Reserved: 00
  Payload Length: 24
  Data (In Hex): 6DE2E70ACF6B1858846BC62E590C00A66745D14D
Payload Attributes
  Next Payload: None
  Reserved: 00
  Payload Length: 163
  Type: ISAKMP_CFG_REPLY
  Reserved: 00
  Identifier: 0000
  IPv4 Address: 192.168.1.100
  IPv4 Netmask: 255.255.255.0
  IPv4 DNS: 192.168.1.99
  Cisco extension: Save PWD: No
  Cisco extension: Default Domain Name: jyoungta-labdomain.cisco.com
  Cisco extension: Do PFS: No
  Application Version: Cisco Systems, Inc ASA5505 Version 8.4(4)1 built by builders on Thu 14-Jun-12 11:20
  Cisco extension: Smartcard Removal Disconnect: Yes

The client receives the mode config parameter values from the server. Attributes the server did not set (banner, split tunnel list, split DNS, backup servers, firewall type) are absent rather than empty. Note that Save PWD is No although the sample group policy shows password-storage enable, and that the server identifies itself as an ASA5505 that runs 8.4(4)1; as with the tunnel group name, the debugs and the sample configuration were not taken from the same box.

Server: Phase 1 is complete on the server. The quick mode process starts.

Aug 24 11:31:13 [IKEv1 DECODE]: IP = 64.102.156.87, IKE Responder starting QM: msg id = 0e83792e
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Sending gratuitous ARP for 192.168.1.100
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 1 COMPLETED

Client:

574 11:28:38.639 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=84B4B653 CurState: TM_WAIT_MODECFGREPLY Event: EV_RCVD_MSG
575 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.1.100
576 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
577 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.1.99
578 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
579 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = jyoungta-labdomain.cisco.com
580 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
581 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(4)1 built by builders on Thu 14-Jun-12 11:20
582 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
583 11:28:38.639 08/24/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
584 11:28:39.367 08/24/12 Sev=Debug/9 IKE/0x63000093
Value for ini parameter EnableDNSRedirection is 1
585 11:28:39.367 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->TM:MsgID=84B4B653 CurState: TM_MODECFG_DONE Event: EV_MODECFG_DONE_SUC

The client processes the parameters and configures its virtual adapter accordingly. 0x00001194 is 4500, the UDP port used for NAT-T encapsulation.

Server: A DPD notification is built and sent to the client. The Phase 1 rekey timer is also started: 82080 seconds is 95% of the 86400-second ISAKMP lifetime, so the rekey happens before the SA expires.

Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, Keep-alive type for this connection: DPD
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Starting P1 rekey timer: 82080 seconds.
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, sending notify message
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload
Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=be8f7821) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92

=============== Dead Peer Detection (DPD) ===============>
Client:

588 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000015
intf_data: lcl=0x0501A8C0, mask=0x00FFFFFF, bcast=0xFF01A8C0, bcast_vra=0xFF07070A
589 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_MODECFG_PROG Event: EV_INIT_P2
590 11:28:39.795 08/24/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.1.100, GW IP = 64.102.156.88, Remote IP = 0.0.0.0
591 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_ACTIVE Event: EV_NO_EVENT
592 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_INITIAL Event: EV_INITIATOR
593 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_BLD_MSG1 Event: EV_CHK_PFS
594 11:28:39.796 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_BLD_MSG1 Event: EV_BLD_MSG
595 11:28:39.796 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_SND_MSG1 Event: EV_START_RETRY_TMR

Quick mode (QM), Phase 2, starts. The client builds QM1. This message includes:
- a hash
- the SA payload with all the Phase 2 proposals that the client supports, including the tunnel (encapsulation) type and the encryption and integrity algorithms
- a nonce
- the client ID (the assigned address 192.168.1.100, as a single host)
- the remote proxy ID (0.0.0.0/0.0.0.0: with a tunnel-all policy the client wants all traffic through the tunnel, which is what the key request from the driver with Remote IP = 0.0.0.0 in line 590 asks for)

596 11:28:39.796 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_SND_MSG1 Event: EV_SND_MSG
597 11:28:39.796 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 64.102.156.88

The client sends QM1.

<=============== Quick Mode Message 1 (QM1) ===============

Server: QM1 is received.

Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=e83792e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026

Server: QM1 is processed. The 1026-byte length reflects how many Phase 2 proposals the software client offers; the ASA walks them against its transform sets.

Relevant configuration:

crypto dynamic-map DYN 10 set transform-set TRA

Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, processing hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, processing SA payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, processing nonce payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, processing ID payload
Aug 24 11:31:13 [IKEv1 DECODE]: Group = ipsec, Username = user1, IP = 64.102.156.87, ID_IPV4_ADDR ID received 192.168.1.100
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Received remote Proxy Host data in ID Payload: Address 192.168.1.100, Protocol 0, Port 0
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, processing ID payload
Aug 24 11:31:13 [IKEv1 DECODE]: Group = ipsec, Username = user1, IP = 64.102.156.87, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, QM IsRekeyed old sa not found by addr
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Static Crypto Map check, checking map = outside MAP, seq = 10...
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Static Crypto Map Check by-passed: Crypto map entry incomplete!
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKE Remote Peer configured for crypto map: outside dyn MAP
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, processing IPSec SA payload

The two ID payloads are the Phase 2 traffic selectors (proxy IDs): the remote side is the single host 192.168.1.100 and the local side is 0.0.0.0/0.0.0.0 (any), which is what a tunnel-all remote-access policy looks like from the server. The static crypto map check is bypassed because the only entry on the map is the one that references the dynamic map and has no static peer or match address ("Crypto map entry incomplete!"), so the dynamic map is used. Because NAT was detected in Phase 1, only the UDP-encapsulated modes are considered.

Server: QM2 is built.

Relevant configuration:

tunnel-group EZ type remote-access   ! (tunnel type ra = tunnel type remote-access)

crypto ipsec transform-set TRA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN 10 set transform-set TRA

crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside

Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IPSec SA Proposal # 12, Transform # 1 acceptable Matches global IPSec SA entry # 10
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xcfdffc90,
    SCB: 0xCFDFFB58,
    Direction: inbound
    SPI      : 0x9E18ACB2
    Session ID: 0x00138000
    VPIF num  : 0x00000004
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKE got SPI from key engine: SPI = 0x9e18acb2
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, oakley constructing quick mode
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing IPSec SA payload
Aug 24 11:31:13 [IKEv1]: Group = ipsec, Username = user1, IP = 64.102.156.87, Overriding Initiator's IPSec rekeying duration from 2147483 to 86400 seconds
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing IPSec nonce payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing proxy ID
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Transmitting Proxy Id:
  Remote host: 192.168.1.100  Protocol 0  Port 0
  Local subnet: 0.0.0.0  mask 0.0.0.0  Protocol 0  Port 0
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, Sending RESPONDER LIFETIME notification to Initiator
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload

The embryonic SA has a 240-second lifetime: if QM3 never arrives, the half-open inbound SA is discarded after that time. The client proposed a 2147483-second (0x0020C49B) IPsec lifetime; the ASA overrides it and tells the client the value it will actually enforce through the RESPONDER LIFETIME notification (86400 seconds here; the sample configuration above sets 28800, so the box that produced the debugs had a different lifetime configured).

Server: QM2 is sent.

Aug 24 11:31:13 [IKEv1 DECODE]: Group = ipsec, Username = user1, IP = 64.102.156.87, IKE Responder sending 2nd QM pkt: msg id = 0e83792e
Aug 24 11:31:13 [IKEv1]: IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=e83792e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184

=============== Quick Mode Message 2 (QM2) ===============>
 60811:28:39.96208/24/12Sev=Info/4IKE/0x63000014
接收<<< ISAKMP OAK QM * (HASH, SA, NON, ID, ID,
通知:STATUS_RESP_LIFETIME)从64.102.156.88

接收QM2。

609 11:28:39.964 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID(Hex): E83792E
  Length: 188
Payload Hash
  Next Payload: Security Association
  Reserved: 00
  Payload Length: 24
  Data (In Hex): CABF38A62C9B88D1691E81F3857D6189534B2EC0
Payload Security Association
  Next Payload: Nonce
  Reserved: 00
  Payload Length: 52
  DOI: IPsec
  Situation: (SIT_IDENTITY_ONLY)

  Payload Proposal
    Next Payload: None
    Reserved: 00
    Payload Length: 40
    Proposal #: 1
    Protocol-Id: PROTO_IPSEC_ESP
    SPI Size: 4
    # of Transforms: 1
    SPI: 9E18ACB2

    Payload Transform
      Next Payload: None
      Reserved: 00
      Payload Length: 28
      Transform #: 1
      Transform-Id: ESP_3DES
      Reserved2: 0000
      Life Type: Seconds
      Life Duration (Hex): 0020C49B
      Encapsulation Mode: UDP Tunnel
      Authentication Algorithm: SHA1
Payload Nonce
  Next Payload: Identification
  Reserved: 00
  Payload Length: 24
  Data (In Hex): 3A079B75DA512473706F235EA3FCA61F1D15D4CD
Payload Identification
  Next Payload: Identification
  Reserved: 00
  Payload Length: 12
  ID Type: IPv4 Address
  Protocol ID (UDP/TCP, etc...): 0
  Port: 0
  ID Data: 192.168.1.100
Payload Identification
  Next Payload: Notification
  Reserved: 00
  Payload Length: 16
  ID Type: IPv4 Subnet
  Protocol ID (UDP/TCP, etc...): 0
  Port: 0
  ID Data: 0.0.0.0/0.0.0.0
Payload Notification
  Next Payload: None
  Reserved: 00
  Payload Length: 28
  DOI: IPsec
  Protocol-Id: PROTO_IPSEC_ESP
  Spi Size: 4
  Notify Type: STATUS_RESP_LIFETIME
  SPI: 9E18ACB2
  Data:
    Life Type: Seconds
    Life Duration (Hex): 00015180

Process QM2. The decrypted payload shows the selected proposal.

610 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_WAIT_MSG2 Event: EV_RCVD_MSG
611 11:28:39.965 08/24/12 Sev=Info/5 IKE/0x63000045
Responder lifetime notify has value 86400 seconds
612 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_WAIT_MSG2 Event: EV_CHK_PFS
613 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076

Process QM2.

NAV Trace->QM:MsgID=0E83792E CurState: QM_BLD_MSG3 Event: EV_BLD_MSG
614 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID(Hex): E83792E
  Length: 52

Payload Hash
  Next Payload: None
  Reserved: 00
  Payload Length: 24
  Data (In Hex): CDDC20D91EB4B568C826D6A5770A5CF020141236

Build QM3. The decrypted payload of QM3 is shown here. This process includes the hash.

615 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076
NAV Trace->QM:MsgID=0E83792E CurState: QM_SND_MSG3 Event: EV_SND_MSG
616 11:28:39.965 08/24/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 64.102.156.88

Send QM3. The client is now ready to encrypt and decrypt.

<===============Quick Mode Message 3 (QM3) ===============

Receive QM3.

Aug 24 11:31:13 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=e83792e) with payloads : HDR + HASH (8) + NONE (0) total length : 52

Process QM3. Create the inbound and outbound Security Parameter Indexes (SPIs). Add a static route for the host.

Relevant configuration:

crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, loading all IPSEC SAs
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Generating Quick Mode Key!
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, NP encrypt rule look up for crypto map outside dyn MAP 10 matching ACL Unknown: returned cs_id=cc107410; rule=00000000
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0xccc9ed60,
    SCB: 0xCF7F59E0,
    Direction: outbound
    SPI      : 0xC055290A
    Session ID: 0x00138000
    VPIF num  : 0x00000004
    Tunnel Type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xC055290A
IPSEC: Creating outbound VPN context, SPI 0xC055290A
    Flags: 0x00000025
    SA   : 0xccc9ed60
    SPI  : 0xC055290A
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0xA5922B6B
    Channel: 0xc82afb60
IPSEC: Completed outbound VPN context, SPI 0xC055290A
    VPN handle: 0x0015909c
IPSEC: New outbound encrypt rule, SPI 0xC055290A
    Src addr: 0.0.0.0
    Src mask: 0.0.0.0
    Dst addr: 192.168.1.100
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xC055290A
    Rule ID: 0xcb47a710
IPSEC: New outbound permit rule, SPI 0xC055290A
    Src addr: 64.102.156.88
    Src mask: 255.255.255.255
    Dst addr: 64.102.156.87
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 58506
      Lower: 58506
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0xC055290A
    Rule ID: 0xcdf3cfa0
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, NP encrypt rule look up for crypto map outside dyn MAP 10 matching ACL Unknown: returned cs_id=cc107410; rule=00000000
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Security negotiation complete for User (user1) Responder, Inbound SPI = 0x9e18acb2, Outbound SPI = 0xc055290a
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE got a KEY_ADD msg for SA: SPI = 0xc055290a
IPSEC: Completed host IBSA update, SPI 0x9E18ACB2
IPSEC: Creating inbound VPN context, SPI 0x9E18ACB2
    Flags: 0x00000026
    SA   : 0xcfdffc90
    SPI  : 0x9E18ACB2
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0015909C
    SCB  : 0xA5672481
    Channel: 0xc82afb60
IPSEC: Completed inbound VPN context, SPI 0x9E18ACB2
    VPN handle: 0x0016219c
IPSEC: Updating outbound VPN context 0x0015909C, SPI 0xC055290A
    Flags: 0x00000025
    SA   : 0xccc9ed60
    SPI  : 0xC055290A
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0016219C
    SCB  : 0xA5922B6B
    Channel: 0xc82afb60
IPSEC: Completed outbound VPN context, SPI 0xC055290A
    VPN handle: 0x0015909c
IPSEC: Completed outbound inner rule, SPI 0xC055290A
    Rule ID: 0xcb47a710
IPSEC: Completed outbound outer SPD rule, SPI 0xC055290A
    Rule ID: 0xcdf3cfa0
IPSEC: New inbound tunnel flow rule, SPI 0x9E18ACB2
    Src addr: 192.168.1.100
    Src mask: 255.255.255.255
    Dst addr: 0.0.0.0
    Dst mask: 0.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9E18ACB2
    Rule ID: 0xcdf15270
IPSEC: New inbound decrypt rule, SPI 0x9E18ACB2
    Src addr: 64.102.156.87
    Src mask: 255.255.255.255
    Dst addr: 64.102.156.88
    Dst mask: 255.255.255.255
    Src ports
      Upper: 58506
      Lower: 58506
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x9E18ACB2
    Rule ID: 0xce03c2f8
IPSEC: New inbound permit rule, SPI 0x9E18ACB2
    Src addr: 64.102.156.87
    Src mask: 255.255.255.255
    Dst addr: 64.102.156.88
    Dst mask: 255.255.255.255
    Src ports
      Upper: 58506
      Lower: 58506
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x9E18ACB2
    Rule ID: 0xcf6f58c0
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Pitcher: received KEY_UPDATE, spi 0x9e18acb2
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Starting P2 rekey timer: 82080 seconds.
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Adding static route for client address: 192.168.1.100
 

Phase 2 complete. Both sides are now encrypting and decrypting.

Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 2 COMPLETED (msgid=0e83792e)

 

For hardware clients, one more message is received in which the client sends local information about itself. If you look carefully, you can find the hostname of the host that runs the EzVPN client, the platform it runs on, and the location and name of its software image.

Aug 24 11:31:13 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=91facca9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 184
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing notify payload
Aug 24 11:31:13 [IKEv1 DECODE]: Obsolete descriptor - Index 1
Aug 24 11:31:13 [IKEv1 DECODE]: 0000 : 00000000 7534000B 62736E73 2D383731   ....u4..bsns-871
                                0010 : 2D332E75 32000943 6973636F 20383731   -3.u2..Cisco 871
                                0020 : 7535000B 46484B30 39343431 32513675   u5..FHK094412Q6u
                                0030 : 36000932 32383538 39353638 75390009   6..228589568u9..
                                0040 : 31343532 31363331 32753300 2B666C61   145216312u3.+fla
                                0050 : 73683A63 3837302D 61647669 70736572   sh:c870-advipser
                                0060 : 76696365 736B392D 6D7A2E31 32342D32   vicesk9-mz.124-2
                                0070 : 302E5435 2E62696E                     0.T5.bin

Aug 24 11:31:13 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing PSK hash
Aug 24 11:31:13 [IKEv1]: Group = EZ, Username = cisco, IP = 192.168.1.100, Mismatched PSK hash size
Aug 24 11:31:13 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, PSK hash verification failed!
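To make the hardware-client information above concrete, here is an added Python decoder (not from the Cisco note). The record layout it walks (four leading zero bytes, then records of a 2-byte ASCII tag, a 2-byte big-endian length and the value) is inferred from this one dump, and the tag-to-field names are this example's reading of the values, so treat both as assumptions.

```python
import struct

# Constructed input: the hex columns of the dump in this note, offsets kept.
DUMP = """\
0000 : 00000000 7534000B 62736E73 2D383731
0010 : 2D332E75 32000943 6973636F 20383731
0020 : 7535000B 46484B30 39343431 32513675
0030 : 36000932 32383538 39353638 75390009
0040 : 31343532 31363331 32753300 2B666C61
0050 : 73683A63 3837302D 61647669 70736572
0060 : 76696365 736B392D 6D7A2E31 32342D32
0070 : 302E5435 2E62696E
"""

def dump_to_bytes(dump):
    """Join the hex words of every 'offset : words' line into one byte string."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex("".join(words.split()))
    return bytes(out)

def decode_records(data, header_len=4):
    """Walk records of 2-byte ASCII tag, 2-byte big-endian length, value.
    This layout is inferred from the dump itself (assumption); a length
    that runs past the buffer yields (tag, None) instead of garbage."""
    records, pos = [], header_len
    while pos + 4 <= len(data):
        tag = data[pos:pos + 2].decode("ascii", "replace")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        value = data[pos + 4:pos + 4 + length]
        if len(value) < length:
            records.append((tag, None))
            break
        records.append((tag, value.decode("ascii", "replace")))
        pos += 4 + length
    return records

def client_info(dump):
    """Name the fields the note says are present; the tag-to-field mapping
    is this example's reading of the values, not a documented meaning."""
    recs = dict(decode_records(dump_to_bytes(dump)))
    return {"hostname": recs.get("u4"), "platform": recs.get("u2"),
            "image": recs.get("u3"), "all_records": recs}
```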
 

Tunnel Verification

ISAKMP

The output of the show crypto isakmp sa detail command is:

 Active SA: 1
 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 10.48.66.23
 Type : user Role : responder
 Rekey : no State : AM_ACTIVE
 Encrypt : aes Hash : SHA
 Auth : preshared Lifetime: 86400
 Lifetime Remaining: 86387
 AM_ACTIVE - aggressive mode is active.

IPsec

Because Internet Control Message Protocol (ICMP) is used to trigger the tunnel, only one IPsec SA is up. Protocol 1 is ICMP. Note that the SPI values differ from those negotiated in the debugs; this is, in fact, the same tunnel after a Phase 2 rekey.

The show crypto ipsec sa command output is:

interface: outside
 Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14
 
 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
 current_peer: 10.48.66.23, username: cisco
 dynamic allocated peer ip: 192.168.1.100
 
 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
 #send errors: 0, #recv errors: 0
 
 local crypto endpt.: 10.48.67.14/0, remote crypto endpt.: 10.48.66.23/0
 path mtu 1500, ipsec overhead 74, media mtu 1500
 current outbound spi: C4B9A77C
 current inbound spi : EA2B6B15
 
 inbound esp sas:
 spi: 0xEA2B6B15 (3928714005)
 transform: esp-aes esp-sha-hmac no compression
 in use settings ={RA, Tunnel, }
 slot: 0, conn_id: 425984, crypto-map: DYN
 sa timing: remaining key lifetime (sec): 28714
 IV size: 16 bytes
 replay detection support: Y
 Anti replay bitmap:
 0x00000000 0x0000003F
 outbound esp sas:
 spi: 0xC4B9A77C (3300501372)
 transform: esp-aes esp-sha-hmac no compression
 in use settings ={RA, Tunnel, }
 slot: 0, conn_id: 425984, crypto-map: DYN
 sa timing: remaining key lifetime (sec): 28714
 IV size: 16 bytes
 replay detection support: Y
 Anti replay bitmap:
 0x00000000 0x00000001
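To relate the Phase 2 completion line in the debug (inbound and outbound SPI, proxy IDs) to what show crypto ipsec sa reports, here is an added Python example that is not part of the Cisco note. The sample lines are copied from this page; the regular expressions and the verdict labels are my own, and the check tells a rekey (both SPIs changed, selectors unchanged) apart from a different SA altogether.

```python
import re

# Constructed sample input: lines copied from the debug and the
# "show crypto ipsec sa" output in this note (spacing is mine).
DEBUG_TEXT = """\
[IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Transmitting Proxy Id:
  Remote host: 192.168.1.100  Protocol 0  Port 0
  Local subnet: 0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0
[IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Security negotiation complete for User (user1) Responder, Inbound SPI = 0x9e18acb2, Outbound SPI = 0xc055290a
[IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 2 COMPLETED (msgid=0e83792e)
"""
SHOW_TEXT = """\
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
    current outbound spi: C4B9A77C
    current inbound spi : EA2B6B15
"""
NEG_RE = re.compile(r"Inbound SPI = 0x([0-9a-f]+), Outbound SPI = 0x([0-9a-f]+)", re.I)
PROXY_RE = re.compile(r"(Remote host|Local subnet):\s*([\d.]+)(?:\s+mask\s+([\d.]+))?")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
SPI_RE = re.compile(r"current (inbound|outbound) spi\s*:\s*([0-9a-f]+)", re.I)

def parse_debug(text):
    """Negotiated SPIs and proxy IDs (selectors) from the Phase 2 debug lines."""
    out = {"phase2_complete": "PHASE 2 COMPLETED" in text}
    m = NEG_RE.search(text)
    if m:
        out["inbound"], out["outbound"] = int(m[1], 16), int(m[2], 16)
    for who, addr, mask in PROXY_RE.findall(text):
        # a host proxy ID carries no mask in the debug; it is a /32
        out["remote" if who == "Remote host" else "local"] = (addr, mask or "255.255.255.255")
    return out

def parse_show(text):
    """Installed SPIs and selectors from 'show crypto ipsec sa'."""
    out = {d: int(s, 16) for d, s in SPI_RE.findall(text)}
    out.update({side: (a, m) for side, a, m in IDENT_RE.findall(text)})
    return out

def classify(debug_text, show_text):
    """Relate what the debug negotiated to what is installed now."""
    neg, cur = parse_debug(debug_text), parse_show(show_text)
    if not neg["phase2_complete"] or any(k not in neg or k not in cur for k in ("inbound", "outbound")):
        return "no SA"
    if (neg.get("local"), neg.get("remote")) != (cur.get("local"), cur.get("remote")):
        return "selector mismatch"   # a different SA, not this client's tunnel
    same = [neg[d] == cur[d] for d in ("inbound", "outbound")]
    if all(same):
        return "match"
    return "rekeyed" if not any(same) else "one direction rekeyed"
```

On this page's data the verdict is "rekeyed", which is exactly the situation the note describes: same selectors, new SPIs.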

Related Information




Document ID: 113595