安全 : Cisco ASA 5500 系列自适应安全设备

ASA对ASA动态对静态IKEv1/IPsec配置示例

2016 年 10 月 27 日 - 机器翻译
其他版本: PDFpdf | 英语 (2016 年 4 月 21 日) | 反馈

简介

本文描述如何使可适应安全工具(ASA)接受从所有动态对等体(ASA的动态IPsec站点到站点VPN连接在这种情况下)。当在本文的网络图显示, IPSec隧道设立,当通道从仅时远程ASA末端被发起。中央印制厂ASA不可以发起VPN通道由于动态IPSec配置。远程ASA的IP地址未知。

配置中央印制厂ASA为了动态地接受从通配符IP地址(0.0.0.0/0)和通配符预共享密钥的连接。远程ASA然后配置加密流量从本地到中央印制厂ASA子网如指定由crypto access-list。两边执行网络地址转换(NAT)免税为了绕过IPSec数据流的NAT。

贡献用Santhosha Shetty, Rahul Govindan和Adesh Gairola, Cisco TAC工程师。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息根据Cisco ASA (5510和5520)防火墙软件版本9.x和以后。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

配置

注意:使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

ASDM 配置

中央印制厂ASA (静态对等体)

在与静态IP地址的ASA,请设置VPN,在这种情况下接受从未知对等体的动态连接,当仍然验证使用IKEv1预先共享密钥时的对等体:

  1. 选择Configuration>站点到站点VPN >Advanced >加密映射。窗口显示已经到位加密映射项的列表(如果有其中任一)。因为ASA不了解什么对端IP地址是,为了ASA能接受连接请配置与匹配转换集(IPsec建议)的动态映射。单击 Add

  2. 在创建IPsec规则窗口,从通道策略(加密映射) -基本选项,从外部从接口下拉列表选择和动态从策略类型下拉列表。在优先级字段,万一有多个条目在动态映射下,为此条目请指定优先级。其次,请单击精选在IKE v1 IPsec建议字段旁边为了选择IPsec建议。

  3. 当挑选IPsec建议(转换集)时对话框打开,请在现行IPsec建议中选择或单击添加为了创建新的和使用同样。完成后单击 OK

     

  4. 从通道策略(加密映射) -高级选项卡。,检查Enable (event) NAT-T复选框(要求,如果任一对等体是在NAT设备后)和Enable (event)反向路由注入复选框。当VPN通道为动态对等体时出来, ASA安装经过协商的远程VPN网络的动态路由对VPN接口的该点。

    随意地,从流量选择选项卡您能也定义动态对等体的触发的VPN流量和点击OK键。

     

    如前面提到,因为ASA没有关于远程动态对等体IP地址的任何信息,默认情况下在ASA存在的未知连接请求登陆在DefaultL2LGroup下。为了验证能成功在远端对等体(在本例中的cisco123)配置的预先共享密钥需要配比与一个在DefaultL2LGroup下。

  5. 选择Configuration>站点到站点VPN >Advanced >隧道组,选择DefaultL2LGroup,单击编辑并且配置希望的预先共享密钥。完成后单击 OK

    注意:这创建在静态对等体(中央印制厂ASA)的一通配符预先共享密钥。认识此预先共享密钥和其匹配的建议的所有设备/对等体能成功设立VPN通道和访问在VPN的资源。保证此PREskared密钥没有共享以未知实体并且不是容易猜测。

  6. 选择Configuration>站点到站点VPN >组策略并且选择您的选择(默认策略组政策在这种情况下)。 单击编辑并且编辑在编辑内部组策略对话框的组策略。完成后单击 OK

  7. 选择Configuration>防火墙> NAT规则和从添加nat规则窗口,配置VPN流量的没有nat (NAT-EXEMPT)规则。完成后单击 OK

远程ASA (动态对等体)

  1. 一旦ASDM应用程序连接对ASA,请选择向导> VPN向导>站点到站点VPN向导

  2. 单击 Next

  3. 从外部从VPN访问接口下拉列表选择为了指定远端对等体的外部IP地址。选择接口(广域网)加密映射应用的地方。单击 Next

  4. 指定应该允许穿过VPN通道的主机/网络。在此步骤,您需要提供本地网络,并且VPN的远程网络建立隧道。在本地网络和远程网络字段旁边单击按钮并且根据需求选择地址。当您执行时,其次请单击。

  5. 输入认证信息使用,是在本例中的预先共享密钥。本示例中使用的预共享密钥是 cisco123。隧道组组名是远端对等体IP地址默认情况下,如果配置LAN对LAN (L2L) VPN。

    或者

    您能定制配置包括您的选择IKE和IPsec策略。需要在对等体之间的至少一项匹配的策略:

    1. 从认证方法请在Pre-Shared Key字段选中,输入IKE版本1预先共享密钥。在本例中,它是cisco123

    2. 点击加密算法选项卡。
  6. 单击在IKE策略字段旁边管理,单击添加并且配置自定义IKE策略(phase-1)。完成后单击 OK

  7. 在IPsec建议字段旁边单击精选并且选择希望的IPsec建议。当您执行时,其次请单击。

    随意地,您能去优秀的转发保密性选项卡和检查Enable (event)完整转发安全性(PFS)复选框。当您执行时,其次请单击。

  8. 检查从地址转换复选框的豁免ASA侧主机/network为了从开始防止隧道流量网络地址转换。从下拉列表选择本地或里面为了设置本地网络可及的接口。单击 Next

  9. ASDM显示配置的VPN的摘要。验证并且点击芬通社

CLI 配置

中央印制厂ASA (静态对等体)配置

  1. 配置VPN流量的一个NO-NAT/NAT-EXEMPT规则,此示例显示:
    object network 10.1.1.0-remote_network
    subnet 10.1.1.0 255.255.255.0

    object network 10.1.2.0-inside_network
     subnet 10.1.2.0 255.255.255.0

    nat (inside,outside) source static 10.1.2.0-inside_network 10.1.2.0-inside_network
    destination static 10.1.1.0-remote_network 10.1.1.0-remote_network
    no-proxy-arp route-lookup
  2. 配置预共享密匙在DefaultL2LGroup下为了验证所有远程Dynamic-L2L-peer :
    tunnel-group DefaultL2LGroup ipsec-attributes
     ikev1 pre-shared-key cisco123
  3. 定义phase-2/ISAKMP策略:
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
  4. 定义设置的phase-2转换/IPsec策略:
    crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac   
  5. 配置与这些参数的动态映射:
    • 需要的转换集
    • Enable (event)反向路由注入(RRI),允许安全工具学习连接的客户端的路由信息(可选)
    crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
    crypto dynamic-map outside_dyn_map 1 set reverse-route
  6. 绑定动态映射对加密映射,应用加密映射并且启用在外部接口的ISAKMP/IKEv1 :
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

    crypto map outside_map interface outside 
    crypto ikev1 enable outside

远程ASA (动态对等体)

  1. 配置VPN流量的一个NAT免税规则:
    object network 10.1.1.0-inside_network
    subnet 10.1.1.0 255.255.255.0

    object network 10.1.2.0-remote_network
    subnet 10.1.2.0 255.255.255.0

    nat (inside,outside) source static 10.1.1.0-inside_network 10.1.1.0-inside_network
    destination static 10.1.2.0-remote_network 10.1.2.0-remote_network
    no-proxy-arp route-lookup
  2. 配置一静态VPN对等项和预共享密匙的一隧道群。
    tunnel-group 172.16.2.1 type ipsec-l2l
    tunnel-group 172.16.2.1 ipsec-attributes
    ikev1 pre-shared-key cisco123
  3. 定义PHASE-1/ISAKMP策略:
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
  4. 定义设置的phase-2转换/IPsec策略:
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
  5. 配置定义了有趣的VPN流量/network的access-list :
    access-list outside_cryptomap extended permit ip object 
    10.1.1.0-inside_network object 10.1.2.0-remote_network
  6. 配置与这些参数的静态加密映射:
    • 访问列表Crypto/VPN
    • 远程IPSec对等体IP地址
    • 需要的转换集
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 172.16.2.1
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA 
  7. 应用加密映射并且启用在外部接口的ISAKMP/IKEv1 :
    crypto map outside_map interface outside 
    crypto ikev1 enable outside

验证

请使用此部分确认配置适当地工作。

命令输出解释程序工具仅限注册用户)支持某些 show 命令。请使用Output Interpreter Tool为了查看show命令输出分析。

  • show crypto isakmp sa -显示所有当前IKE安全关联(SA)在对等体。
  • show crypto ipsec sa -显示所有当前IPSec SAS。

此部分显示示例两ASA的验证outout。

中央印制厂ASA

Central-ASA#show crypto isakmp sa

  IKEv1 SAs:

     Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

  1   IKE Peer: 172.16.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

    Central-ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 1, local addr: 172.16.2.1

        local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 172.16.1.1

        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

        local crypto endpt.: 172.16.2.1/0, remote crypto endpt.: 172.16.1.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 30D071C0
      current inbound spi : 38DA6E51

      inbound esp sas:
      spi: 0x38DA6E51 (953839185)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 28672, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28588)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x30D071C0 (818966976)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 28672, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28588)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

远程ASA

Remote-ASA#show crypto isakmp sa

  IKEv1 SAs:

     Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

  1   IKE Peer: 172.16.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

  Remote-ASA#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 172.16.1.1

        access-list outside_cryptomap extended permit ip 10.1.1.0
255.255.255.0 10.1.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)

      current_peer: 172.16.2.1

        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

        local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.2.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 38DA6E51
      current inbound spi : 30D071C0

      inbound esp sas:
      spi: 0x30D071C0 (818966976)

         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/28676)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x38DA6E51 (953839185)

         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/28676)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

故障排除

本部分提供了可用于对配置进行故障排除的信息。

命令输出解释程序工具仅限注册用户)支持某些 show 命令。请使用Output Interpreter Tool为了查看show命令输出分析。

注意:使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

使用以下命令可以:

clear crypto ikev1 sa <peer IP address> 
Clears the Phase 1 SA for a specific peer.

警告:因为清除所有激活VPN通道, clear crypto isakmp sa命令是插入的。

使用clear crypto isakmp sa <peer IP地址>command,在PIX/ASA软件版本8.0(3)和以上中,个人IKE SA可以被清除。在软件版本中早于8.0(3),使用vpn-sessiondb注销隧道群<tunnel-group-name>命令为了清除IKE和IPSec SAS单个通道的。

Remote-ASA#vpn-sessiondb logoff tunnel-group 172.16.2.1
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions from TunnelGroup "172.16.2.1" logged off : 1
clear crypto ipsec sa peer <peer IP address>
!!! Clears the required Phase 2 SA for specific peer.
debug crypto condition peer < Peer address>
!!! Set IPsec/ISAKMP debug filters.
debug crypto isakmp sa <debug level>
!!! Provides debug details of ISAKMP SA negotiation.
debug crypto ipsec sa <debug level>
!!! Provides debug details of IPsec SA negotiations
undebug all
!!! To stop the debugs

使用的调试:

debug cry condition peer <remote peer public IP>
debug cry ikev1 127
debug cry ipsec 127

远程ASA (发起者)

输入此数据包追踪器命令为了发起通道:

Remote-ASA#packet-tracer input inside icmp 10.1.1.10 8 0 10.1.2.10 detailed 
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
Jan 19 22:00:06 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple:
Prot=1, saddr=10.1.1.10, sport=0, daddr=10.1.2.10, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE Initiator: New Phase 1, Intf
inside, IKE Peer 172.16.2.1 local Proxy Address 10.1.1.0, remote Proxy Address
10.1.2.0, Crypto map (outside_map)

:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 172
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0)
total length : 132
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, Connection landed on tunnel_group 172.16.2.1
<skipped>...
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) +
NONE (0) total length : 96
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
Automatic NAT Detection Status: Remote end is NOT behind a NAT device
This end is NOT behind a NAT device

Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128)
+ VENDOR (13) + NONE (0) total length : 96
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR ID received 172.16.2.1
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, Connection landed on tunnel_group 172.16.2.1
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1,
Oakley begin quick mode
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1, PHASE 1 COMPLETED


Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1, IKE Initiator
starting QM
: msg id = c45c7b30
:
.
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, Transmitting Proxy Id:
Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.2.0 Mask 255.255.255.0 Protocol 0 Port 0
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) + NONCE
(10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +
ID (5) + ID (5) + NONE (0) total length : 172
:
.
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0

Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR_SUBNET ID received--10.1.2.0--255.255.255.0

:
.
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
Security negotiation complete for LAN-to-LAN Group (172.16.2.1)
Initiator, Inbound SPI = 0x30d071c0, Outbound SPI = 0x38da6e51
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + NONE (0) total length : 76
:
.
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
PHASE 2 COMPLETED
(msgid=c45c7b30)

中央印制厂ASA (响应方)

Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0) 
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 172
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length
:
132
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, Connection landed on tunnel_group
DefaultL2LGroup

Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 172.16.1.1,
Generating keys for Responder...
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) +
NONE (0) total length : 304
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8)
+ IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 20 12:42:35 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 172.16.1.1,
ID_IPV4_ADDR ID received 172.16.1.1
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +
VENDOR (13) + NONE (0) total length : 96
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, PHASE 1 COMPLETED
:
.
Jan 20 12:42:35 [IKEv1 DECODE]IP = 172.16.1.1, IKE Responder starting QM:
msg id = c45c7b30
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE
RECEIVED Message (msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) +
NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Received remote
IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0,
Protocol 0, Port 0
:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup,
IP = 172.16.1.1, Received local
IP Proxy Subnet data in ID Payload: Address 10.1.2.0, Mask 255.255.255.0,
Protocol 0, Port 0
Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup,
IP = 172.16.1.1, processing notify payload
Jan 20 12:42:35 [IKEv1] Group = DefaultL2LGroup, IP = 172.16.1.1, QM
IsRekeyed old sa not found by addr
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Static Crypto Map
check, map outside_dyn_map, seq = 1 is a successful match

Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, IKE
Remote Peer configured for crypto map: outside_dyn_map
:
.
Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 172.16.1.1,
Transmitting Proxy Id: Remote subnet: 10.1.1.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 10.1.2.0 mask 255.255.255.0 Protocol 0 Port 0
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=c45c7b30)
with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE
(0) total length : 172 Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED
Message (msgid=c45c7b30) with payloads : HDR + HASH (8) + NONE (0) total length : 52:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Security
negotiation complete for LAN-to-LAN Group (DefaultL2LGroup) Responder,
Inbound SPI = 0x38da6e51, Outbound SPI = 0x30d071c0
:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1,
PHASE 2 COMPLETED (msgid=c45c7b30)
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Adding static
route for L2L peer coming in on a dynamic map. address: 10.1.1.0, mask: 255.255.255.0

相关信息



Document ID: 119007