安全与 VPN : EzVPN

迁移从传统EzVPN到增强版EzVPN配置示例

2016 年 10 月 27 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 8 月 22 日) | 反馈

简介

本文描述如何配置设置的Easy VPN (ezvpn)分支1使用增强版EzVPN为了连接到集线器的地方,而分支2使用传统EzVPN为了连接到同一台集线器。集线器为增强版EzVPN配置。 在增强版EzVPN和传统EzVPN之间的区别是使用动态虚拟在后者的隧道接口(dVTIs)在前面和加密映射。思科dVTI是能由客户使用与思科EzVPN服务器和远程配置的方法。通道为每EzVPN连接提供一个根据要求分开的虚拟访问接口。虚拟访问接口的配置从虚拟模板配置被克隆,包括在虚拟模板接口和所有Cisco IOS软件特性配置的IPSec配置,例如QoS、Netflow或者访问控制列表(ACL)。

使用IPsec dVTIs和思科EzVPN,用户能为可以与Cisco AVVID的远程访问VPN高度提供安全连接(Architecture for Voice, Video and integrated Data)一起提供融合的语音、视频和数据在IP网络。

贡献用Atri巴苏, Cisco TAC工程师。

先决条件

要求

思科建议您有EzVPN知识。

使用的组件

本文档中的信息根据Cisco IOS版本15.4(2)T。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

背景信息

与dVTI配置的思科EzVPN提供一个路由可达接口选择性地发送流量到不同的目的地,例如EzVPN集中器、一不同的站点到站点对等体或者互联网。IPsec dVTI配置不要求IPSec会话静态映射对物理接口。这允许灵活性发送和收到在所有物理接口的加密流量,例如一旦多条路径。当转发从或对隧道接口时,流量加密。

流量转发到/从隧道接口由于IP路由表。路由在Internet Key Exchange (IKE)模式配置时动态地了解并且插入到路由表对dVTI的该点。动态IP路由可以用于传播在VPN间的路由。使用IP路由转发流量对加密在本地IPSec配置方面简单化IPSec VPN配置与使用ACL比较与加密映射。

在版本中早于Cisco IOS版本12.4(2)T,在通道/通道下来转换,在模式配置时推送的属性必须解析和应用。当这样属性导致配置的应用程序在接口的,现有配置必须被改写。使用dVTI支持功能,通道配置可以应用到独立接口,使更加容易支持分离的功能在通道时间。应用对进入通道的流量的功能(在加密)前可以是分别于例如应用对流量不通过通道的功能(独立的隧道留下设备的流量和流量,当通道不上升)时。

当EzVPN协商是成功的时,虚拟访问接口获得的线路通信协议状态更改对。当EzVPN通道断开时,因为安全关联超时或删除,虚拟访问接口的线路通信协议状态更改对下来。

路由表作为EzVPN虚拟接口的流量选择器配置是,路由替换在加密映射的访问列表。在虚拟接口配置中,如果EzVPN服务器配置与IPsec dVTI, EzVPN协商单个IPSec安全关联。此单个安全关联创建不管配置的EzVPN模式。

在安全关联设立后,指向虚拟访问接口的路由被添加到对公司网络的直接数据流。EzVPN也添加一个路由到VPN集中器,以便IPsec被封装的数据包被路由对公司网络。指向虚拟访问接口的默认路由被添加一旦nonsplit模式。当EzVPN服务器“推送”分割隧道时,分割隧道子网变为路由指向虚拟访问被添加的目的地。无论如何,如果对等体(VPN集中器)没有直接地连接, EzVPN添加一个路由到对等体。

注意:运行思科EzVPN客户端软件的多数路由器安排一个默认路由配置。配置的默认路由必须有极大度量值比1,因为EzVPN添加有度量值为1.的一个默认路由。对虚拟访问接口的路由点,以便所有流量被处理对公司网络,当集中器“不推送”分割隧道属性。

QoS可以用于改进不同的应用程序性能在间网络的。在此配置中,流量整形用于在两个站点之间为了限制应该传送在站点之间的数据流总量。另外, QoS配置可以支持在Cisco IOS软件方面提供的QoS功能的所有组合,支持其中任一语音,视频或者数据应用。

注意:在此指南的QoS配置是为仅演示。预计VTI可扩展性结果类似于在IPsec的点到点(P2P)通用路由封装(GRE)。对于扩展和性能注意事项,请与您的思科代表联系。关于其他信息,请参阅配置与IP安全的一个虚拟隧道接口

好处

  • 简化管理
    客户能使用简化VPN配置的复杂性并且翻译成减少的成本的Cisco IOS虚拟模板克隆, IPsec的根据要求,新建的虚拟访问接口。另外,现有管理应用能为监控目的当前监控不同的站点的独立接口。
  • 提供一个路由可达接口
    Cisco IPSec VTIs可以支持IP路由协议的所有类型。客户能使用这些功能为了连接更加大的办公室环境,例如分支机构。
  • 改进比例缩放
    IPsec VTIs使用单个安全关联每个站点,包括不同类型的流量,启用改善的比例缩放。
  • 在定义功能的提供灵活性
    IPsec VTI是在其自己的接口内的封装。这提供定义明文流量的功能的灵活性在IPsec VTIs并且定义了加密流量的功能在物理接口。

配置

注意:使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

配置汇总

中心配置

hostname Hub
!
no aaa new-model
!
no ip domain lookup
!
username test-user privilege 15 password 0 cisco123
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group En-Ezvpn
 key test-En-Ezvpn
crypto isakmp profile En-EzVpn-Isakmp-Profile
   match identity group En-Ezvpn
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile En-EzVpn-Ipsec-Profile
 set transform-set VPN-TS
 set isakmp-profile En-EzVpn-Isakmp-Profile
!
!
interface Loopback0
 description Router-ID
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
 description inside-network
 ip address 192.168.0.1 255.255.255.255
!
interface Ethernet0/0
 description WAN-Link
 ip address 172.16.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile En-EzVpn-Ipsec-Profile
!
router eigrp 1
 network 10.0.0.1 0.0.0.0
 network 192.168.0.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.100
!
end

分支1 (增强版EzVPN)配置

hostname Spoke1
!
no aaa new-model
!
interface Loopback0
 description Router-ID
 ip address 10.0.1.1 255.255.255.255
 crypto ipsec client ezvpn En-EzVpn inside
!
interface Loopback1
 description Inside-network
 ip address 192.168.1.1 255.255.255.255
!
interface Ethernet0/0
 description WAN-Link
 ip address 172.16.1.1 255.255.255.0
 crypto ipsec client ezvpn En-EzVpn
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
!
router eigrp 1
 network 10.0.1.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.100
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec client ezvpn En-EzVpn
 connect auto
 group En-Ezvpn key test-En-Ezvpn
 mode network-extension
 peer 172.16.0.1
 virtual-interface 1
!
end

警告:在客户端配置被输入前,虚拟模板需要定义。没有同一个编号的一个现有虚拟模板,路由器不会接受虚拟接口1命令。

分支2 (传统EzVPN)配置

hostname Spoke2
!
no aaa new-model
!
no ip domain lookup
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec client ezvpn Leg-Ezvpn
 connect auto
 group En-Ezvpn key test-En-Ezvpn
 mode network-extension
 peer 172.16.0.1
 xauth userid mode interactive
!
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.255
 crypto ipsec client ezvpn Leg-Ezvpn inside
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.255
!
interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0
 crypto ipsec client ezvpn Leg-Ezvpn
!
ip route 0.0.0.0 0.0.0.0 172.16.2.100
!
end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序工具仅限注册用户)支持某些 show 命令。请使用Output Interpreter Tool为了查看show命令输出分析。

对分支1通道的集线器

第 1 阶段

Hub#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1006  172.16.0.1      172.16.2.1             ACTIVE aes  sha    psk  2  23:54:53 C
       Engine-id:Conn-id =  SW:6

1005  172.16.0.1      172.16.1.1             ACTIVE aes  sha    psk  2  23:02:14 C
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

第 2 阶段

此处代理是为暗示的其中任一/其中任一退出的所有流量虚拟访问1将被加密和发送对172.16.1.1。

Hub#show crypto ipsec sa peer 172.16.1.1 detail

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 172.16.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 776, #pkts encrypt: 776, #pkts digest: 776
    #pkts decaps: 771, #pkts decrypt: 771, #pkts verify: 771
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.1.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x9159A91E(2438572318)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB82853D4(3089650644)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: SW:13, sibling_flags 80000040, crypto map:
Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4342983/3529)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9159A91E(2438572318)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: SW:14, sibling_flags 80000040, crypto map:
Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4342983/3529)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

EIGRP

Hub#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.1.1              Vi1                      13 00:59:28   31  1398  0  3

注意:没有路由可达接口,因为形成增强的内部网关路由选择协议(EIGRP)对等体是不可能的分支2不形成条目。这是其中一个使用的优点在分支的dVTIs。

分支1

第 1 阶段

Spoke1#show cry is sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1005  172.16.1.1      172.16.0.1             ACTIVE aes  sha    psk  2  22:57:07 C
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

第 2 阶段

Spoke1#show crypto ipsec sa detail

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 821, #pkts encrypt: 821, #pkts digest: 821
    #pkts decaps: 826, #pkts decrypt: 826, #pkts verify: 826
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.0.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xB82853D4(3089650644)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9159A91E(2438572318)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80004040, crypto map:
Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4354968/3290)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB82853D4(3089650644)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80004040, crypto map:
Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4354968/3290)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

EZVPN

Spoke1#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : En-EzVpn
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to Ethernet0/0)
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 172.16.0.1

路由- EIGRP

在分支2代理是这样退出虚拟访问接口的所有流量将被加密。只要有指出网络的该接口的路由,流量将被加密:

Spoke1#ping 192.168.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

Spoke1#ping 192.168.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

Spoke1# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.100 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.100
                [1/0] via 0.0.0.0, Virtual-Access1
      10.0.0.0/32 is subnetted, 2 subnets
D        10.0.0.1 [90/27008000] via 10.0.0.1, 01:16:15, Virtual-Access1
C        10.0.1.1 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S        172.16.0.1/32 [1/0] via 172.16.1.100
C        172.16.1.0/24 is directly connected, Ethernet0/0
L        172.16.1.1/32 is directly connected, Ethernet0/0
      192.168.0.0/32 is subnetted, 1 subnets
D        192.168.0.1 [90/27008000] via 10.0.0.1, 01:16:15, Virtual-Access1
      192.168.1.0/32 is subnetted, 1 subnets
C        192.168.1.1 is directly connected, Loopback1
Spoke1#

对分支2通道的集线器

第 1 阶段

Hub#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1006  172.16.0.1      172.16.2.1             ACTIVE aes  sha    psk  2  23:54:53 C
       Engine-id:Conn-id =  SW:6

1005  172.16.0.1      172.16.1.1             ACTIVE aes  sha    psk  2  23:02:14 C
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

第 2 阶段

在客户端配置下的独立的隧道ACL在集线器没有用于此示例。所以在分支形成的代理是为在的所有EzVPN “里面”网络发言对任何网络。基本上,在集线器,所有流量被注定到其中一在分支的“里面”网络将被加密和发送对172.16.2.1。

Hub#show crypto ipsec sa  peer 172.16.2.1 detail

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 172.16.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/0/0)
   current_peer 172.16.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.2.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x166CAC10(376220688)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8525868A(2233829002)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map:
Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4217845/1850)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x166CAC10(376220688)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map:
Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4217845/1850)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

分支2

第 1 阶段

Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.1      172.16.2.1      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

第 2 阶段

Spoke2#show crypto ipsec sa detail

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 172.16.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.2.1, remote crypto endpt.: 172.16.0.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x8525868A(2233829002)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x166CAC10(376220688)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map:
Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4336232/2830)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8525868A(2233829002)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map:
Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4336232/2830)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

EZVPN

Spoke2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : Leg-Ezvpn
Inside interface list: Loopback0
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 172.16.0.1

路由-静态

不同于分支1,分支2必须有静态路由或使用反向路由注入(RRI)为了注入路由告诉它什么流量应该被加密,并且什么不应该。在本例中,从Loopback0发出的仅流量根据代理和路由被加密。

Spoke2#ping 192.168.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.....
Success rate is 0 percent (0/5)

Spoke2#ping 192.168.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

Spoke2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.2.100 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.2.100
      10.0.0.0/32 is subnetted, 1 subnets
C        10.0.2.1 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.2.0/24 is directly connected, Ethernet0/0
L        172.16.2.1/32 is directly connected, Ethernet0/0
      192.168.2.0/32 is subnetted, 1 subnets
C        192.168.2.1 is directly connected, Loopback1

故障排除

本部分提供了可用于对配置进行故障排除的信息。

提示:在EzVPN通道不在配置更改以后经常出来。清除相位1和第2阶段不会带动通道在这种情况下。在大多数情况下,输入clear crypto ipsec client ezvpn <group name> in命令分支为了启动通道。

注意:使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

集线器命令

  • debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  • debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。

口头命令

  • debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  • debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。

  • debug crypto ipsec client ezvpn -显示EzVPN调试。

相关信息



Document ID: 118240