
PIX/ASA: Multiple VPN Group Clients Using Different VLANs After Connecting to the Security Appliance Configuration Example

November 25, 2015
Other versions: PDF | English (August 22, 2015)


Introduction

This configuration example shows how to set up multiple VPN group clients so that each uses a different VLAN once its IPsec tunnel to the PIX 500 Series Security Appliance has been established.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • The PIX 500 Series Security Appliance running software version 7.x and the VPN Client 4.x are reachable from the Internet.

Components Used

The information in this document is based on these software and hardware versions:

  • PIX 515E Series Security Appliance Software Release 7.1(1)

  • Cisco VPN Client version 4.8 for Windows

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the Cisco ASA 5500 Series Adaptive Security Appliance.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

In this configuration example there are two VPN Clients (user1 and user2) and two different VLANs named vlan2 and vlan3. Once the IPsec tunnel is established, user1 should be able to connect only to vlan2, and user2 only to vlan3.

Vlan2 is created under the sub-interface Ethernet1.1 and vlan3 under the sub-interface Ethernet1.2, both on a single physical Ethernet interface of the PIX Security Appliance. The physical interface must be enabled before any traffic can pass through the enabled sub-interfaces.

In general, once an IPsec tunnel is established from the Cisco VPN Client to the PIX Firewall, all client traffic is sent through the tunnel to the PIX Firewall. When many clients connect at once, this can become very expensive in terms of resource usage. To avoid such heavy resource usage, you can use split tunneling. Split tunneling encrypts only the interesting traffic; all other traffic goes directly to the Internet and is not encrypted in the tunnel.

Note: If you want to tunnel all traffic before it is sent to the Internet, refer to PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example for more information.

Configure

This section provides the information needed to configure multiple remote access VPN connections to different VLANs on the PIX Security Appliance.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

/image/gif/paws/69393/multi-vpngroup-clients-diff-vlans-1.gif

Configurations

This document uses this configuration:

PIX 515E Security Appliance Configuration
PIX Version 7.1(1)
!
hostname pix
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet1
 no nameif
 no security-level
 no ip address


!--- Configure the sub-interfaces on the inside interface.
!--- Configure VLAN to the respective sub-interfaces.

!
interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!


!--- Output is suppressed.


!
passwd 9jNfZuG3TC5tCVH0 encrypted
ftp mode passive


!--- This access list is used for a nat zero command that prevents 
!--- traffic from undergoing network address translation (NAT).


access-list no-nat-vpn1-group extended permit ip 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat-vpn2-group extended permit ip 10.0.2.0 255.255.255.0 10.0.2.0 255.255.255.0



!--- This access list is used for the split tunneling 
!--- to be downloaded to the VPN Client to tell the interesting traffic to be encrypted.


access-list SPLIT-Tunnel-vpn1group standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-Tunnel-vpn2group standard permit 10.0.2.0 255.255.255.0

pager lines 24
logging console debugging
mtu outside 1500
mtu vlan2 1500
mtu vlan3 1500


!--- Create a pool of addresses from which IP addresses are assigned 
!--- dynamically to the remote VPN Clients.
!--- The pool user1 IP address is assigned to the tunnel group (vpn1).
!--- The pool user2 IP address is assigned to the tunnel group (vpn2).


ip local pool user1 10.0.1.10-10.0.1.15 mask 255.255.255.0
ip local pool user2 10.0.2.10-10.0.2.15 mask 255.255.255.0

no failover
no asdm history enable
arp timeout 14400


!--- NAT 0 prevents NAT for the networks specified in the access list.
!--- The nat 1 command specifies port address translation (PAT)
!--- using the outside interface IP address for all other traffic.


global (outside) 1 interface
nat (vlan2) 0 access-list no-nat-vpn1-group
nat (vlan2) 1 0.0.0.0 0.0.0.0
nat (vlan3) 0 access-list no-nat-vpn2-group
nat (vlan3) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute


!--- Enter group-policy attributes mode for the group policy (vpn2).


group-policy vpn2 internal
group-policy vpn2 attributes


!--- The split tunnel policy tunnels all traffic from or to the specified networks.


 split-tunnel-policy tunnelspecified


!--- Split tunnel in group-policy configuration mode identifies
!--- an access list (SPLIT-Tunnel-vpn2group) that enumerates the network to be 
!--- tunneled from the VPN Client.
!--- After the IPsec tunnel formation, the access list (SPLIT-Tunnel-vpn2group) has to be  
!--- downloaded to the VPN Client of vpn2 (tunnel group).

  
 split-tunnel-network-list value SPLIT-Tunnel-vpn2group

group-policy vpn1 internal
group-policy vpn1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-Tunnel-vpn1group


!--- Configure usernames and passwords
!--- to identify remote access users to the PIX Security Appliance.


username vpn2 password 5RBT6B6kO6ZsK4e3 encrypted
username vpn1 password Rgp2OnMV8tB9079o encrypted

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart


!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.  
!--- A single DES encryption with
!--- the md5 hash algorithm is used.


crypto ipsec transform-set my-set esp-des esp-md5-hmac


!--- Defines a dynamic crypto map with 
!--- the specified encryption settings.


crypto dynamic-map dynmap 10 set transform-set my-set


!--- Enable Reverse Route Information (RRI), which allows the 
!--- PIX Security Appliance to learn routing information for connected clients.


crypto dynamic-map dynmap 10 set reverse-route


!--- Binds the dynamic map to the IPsec/ISAKMP process.


crypto map mymap 10 ipsec-isakmp dynamic dynmap


!--- Specifies the interface to be used with 
!--- the settings defined in this configuration.


crypto map mymap interface outside


!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses ISAKMP policy 10.   
!--- Policy 65535 is included in the configuration by default.
!--- The configuration commands here define the Phase 
!--- 1 policy parameters that are used.


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn type ipsec-ra


!--- Sets the connection type to IPsec remote access (ipsec-ra).


tunnel-group vpn1 type ipsec-ra


!--- Configures an address pool for the tunnel group and enters the general-attributes mode. 
!--- Associates the user1 pool to the tunnel group (vpn1) that uses the address pool.


tunnel-group vpn1 general-attributes
 address-pool user1


!--- Specifies the set of attributes that the user inherits by default 
!--- in tunnel-group general-attributes configuration mode.
!--- Tunnel groups identify the group policy for a specific connection.


 default-group-policy vpn1


!--- Enter the ipsec-attributes mode to configure the authentication method 
!--- by entering the preshared key.
!--- You need to use the same preshared key on both 
!--- devices (PIX and VPN Client) for this remote access connection.


tunnel-group vpn1 ipsec-attributes
 pre-shared-key *

tunnel-group vpn2 type ipsec-ra
tunnel-group vpn2 general-attributes
 address-pool user2
 default-group-policy vpn2
tunnel-group vpn2 ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:0becb57df25d69a098b25bf07994b6b6
: end
pix#
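The design above depends on two things lining up for each tunnel group: its address pool lives in exactly one VLAN sub-interface subnet, and the split-tunnel list its group policy pushes routes that VLAN, and only that VLAN, into the tunnel. The following Python script is an added example (not Cisco's code or part of the PIX software) that parses the relevant lines of the configuration and audits that property; the configuration excerpt and the deliberately broken variant are constructed from the lines shown above, and the function names are the example's own.

```python
"""Added example (not Cisco's code): audit the per-VLAN split-tunnel design on
this page. For each ipsec-ra tunnel group, find the VLAN sub-interface whose
subnet holds its whole address pool, then check that the split-tunnel list its
group policy pushes to clients routes only that VLAN's network into the tunnel."""
import ipaddress

# Constructed excerpt of the running configuration shown on this page; only the
# lines the audit reads are kept (crypto, NAT and inspection sections omitted).
PIX_CONFIG = """\
interface Ethernet1.1
 nameif vlan2
 ip address 10.0.1.1 255.255.255.0
interface Ethernet1.2
 nameif vlan3
 ip address 10.0.2.1 255.255.255.0
access-list SPLIT-Tunnel-vpn1group standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-Tunnel-vpn2group standard permit 10.0.2.0 255.255.255.0
ip local pool user1 10.0.1.10-10.0.1.15 mask 255.255.255.0
ip local pool user2 10.0.2.10-10.0.2.15 mask 255.255.255.0
group-policy vpn2 attributes
 split-tunnel-network-list value SPLIT-Tunnel-vpn2group
group-policy vpn1 attributes
 split-tunnel-network-list value SPLIT-Tunnel-vpn1group
tunnel-group vpn1 general-attributes
 address-pool user1
 default-group-policy vpn1
tunnel-group vpn2 general-attributes
 address-pool user2
 default-group-policy vpn2
"""

# Constructed misconfiguration: vpn1's policy pushes the vlan3 list by mistake.
MISCONFIGURED = PIX_CONFIG.replace(
    "split-tunnel-network-list value SPLIT-Tunnel-vpn1group",
    "split-tunnel-network-list value SPLIT-Tunnel-vpn2group")


def parse_pix(config):
    """Collect interfaces, standard ACLs, pools, group policies and tunnel
    groups. Indented lines belong to the preceding unindented block command."""
    ifaces, acls, pools, policies, groups = {}, {}, {}, {}, {}
    ctx = None                       # (block kind, block name) or None
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] == "!":
            continue
        if not line.startswith(" "):             # top-level command
            ctx = None
            if parts[0] == "interface":
                ctx, ifaces[parts[1]] = ("interface", parts[1]), {}
            elif parts[0] == "access-list" and parts[2:4] == ["standard", "permit"]:
                acls.setdefault(parts[1], []).append(
                    ipaddress.IPv4Network((parts[4], parts[5])))
            elif parts[:3] == ["ip", "local", "pool"]:
                lo, hi = parts[4].split("-")
                pools[parts[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            elif parts[0] == "group-policy" and parts[2] == "attributes":
                ctx, policies[parts[1]] = ("group-policy", parts[1]), {}
            elif parts[0] == "tunnel-group" and parts[2] == "general-attributes":
                ctx, groups[parts[1]] = ("tunnel-group", parts[1]), {}
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "interface" and parts[0] == "nameif":
            ifaces[name]["nameif"] = parts[1]
        elif kind == "interface" and parts[:2] == ["ip", "address"]:
            ifaces[name]["net"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
        elif kind == "group-policy" and parts[:2] == ["split-tunnel-network-list", "value"]:
            policies[name]["split_acl"] = parts[2]
        elif kind == "tunnel-group" and parts[0] == "address-pool":
            groups[name]["pool"] = parts[1]
        elif kind == "tunnel-group" and parts[0] == "default-group-policy":
            groups[name]["policy"] = parts[1]
    return ifaces, acls, pools, policies, groups


def audit_vlan_isolation(config):
    """Per tunnel group: its home VLAN (the one subnet holding the whole pool),
    the VLANs its split-tunnel list sends into the tunnel, and whether the two
    agree, i.e. exactly one home VLAN and nothing else tunneled."""
    ifaces, acls, pools, policies, groups = parse_pix(config)
    vlans = {i["nameif"]: i["net"] for i in ifaces.values() if "net" in i}
    report = {}
    for tg, attrs in groups.items():
        lo, hi = pools[attrs["pool"]]
        homes = [v for v, net in vlans.items() if lo in net and hi in net]
        acl = policies.get(attrs.get("policy"), {}).get("split_acl")
        tunneled = sorted(v for v, net in vlans.items()
                          if any(net.overlaps(n) for n in acls.get(acl, [])))
        report[tg] = {"home_vlan": homes[0] if len(homes) == 1 else None,
                      "tunneled_vlans": tunneled,
                      "ok": len(homes) == 1 and tunneled == homes}
    return report
```

Run `audit_vlan_isolation(PIX_CONFIG)` against a saved `show running-config` after any change to pools, group policies or split-tunnel ACLs; a tunnel group whose `tunneled_vlans` names a VLAN other than its `home_vlan` is routing client traffic into a VLAN the design meant to keep separate.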

VPN Client 4.8 Configuration

Complete these steps to configure VPN Client 4.8:

  1. Choose Start > Programs > Cisco Systems VPN Client > VPN Client.

  2. Click New to open the Create New VPN Connection Entry window.

    multi-vpngroup-clients-diff-vlans-2.gif

  3. Enter the name of the connection entry along with a description. Enter the outside IP address of the PIX Firewall in the Host box. Then enter the tunnel group name (vpn2 in this case) and the pre-shared key, and click Save.

    multi-vpngroup-clients-diff-vlans-3.gif

  4. Click the connection you want to use, and click Connect from the VPN Client main window.

    multi-vpngroup-clients-diff-vlans-4.gif

  5. When prompted, enter the username and password configured on the PIX, and click OK to connect to the remote network.

    multi-vpngroup-clients-diff-vlans-5.gif

  6. The Cisco VPN Client is connected to the PIX at the central site.

    multi-vpngroup-clients-diff-vlans-6.gif

  7. Choose Status > Statistics to check the tunnel statistics of the Cisco VPN Client.

    multi-vpngroup-clients-diff-vlans-7.gif

  8. Choose Status > Statistics and click Route Details to check the route details of the Cisco VPN Client.

    The access list is downloaded from the PIX to form a secure network connection for the networks specified in that access list. All other traffic goes directly to the Internet without being encrypted in the tunnel.

    multi-vpngroup-clients-diff-vlans-8.gif

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (OIT) (registered customers only) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show crypto isakmp sa: Displays all current IKE Security Associations (SAs) at a peer.

  • show crypto ipsec sa: Displays the settings used by the current SAs.

pix#show crypto ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 172.16.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.2.10/255.255.255.255/0/0)
      current_peer: 10.0.0.2, username: vpn2
      dynamic allocated peer ip: 10.0.2.10

      #pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
      #pkts decaps: 201, #pkts decrypt: 201, #pkts verify: 201
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 200, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.0.0.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 7233CD22

    inbound esp sas:
      spi: 0x2F8C6D57 (797732183)
         transform: esp-des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28703
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x7233CD22 (1915997474)
         transform: esp-des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28701
         IV size: 8 bytes
         replay detection support: Y

Troubleshoot

This section provides information you can use to troubleshoot your configuration. Sample debug output is also shown.

Troubleshooting Commands

The Output Interpreter Tool (OIT) (registered customers only) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands and IP Security Troubleshooting - Understanding and Using debug Commands before you use debug commands.

  • debug crypto ipsec: Displays the IPsec negotiations of Phase 2.

  • debug crypto isakmp: Displays the ISAKMP negotiations of Phase 1.

Clear Security Associations

When you make changes to the tunnel configuration, be sure to clear the SAs. Use these commands in enable mode on the PIX:

  • clear [crypto] ipsec sa: Deletes the active IPsec SAs. The keyword crypto is optional.

  • clear [crypto] isakmp sa: Deletes the active IKE SAs. The keyword crypto is optional.

Sample debug Output

PIX Firewall

PIX#debug crypto isakmp 7
pix# May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=
0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + V
ENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 8
48
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ke payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ISA_KE payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing nonce payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received xauth V6 VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received DPD VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received Fragmentation VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, IKE Peer included IKE fragmentatio
n capability flags:  Main Mode:        True  Aggressive Mode:  False
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 02 VID
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
May 31 02:39:55 [IKEv1 DEBUG]: IP = 10.0.0.2, Received Cisco Unity client VID
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group vpn2
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing IKE SA pa
yload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, IKE SA Proposal # 1,
 Transform # 9 acceptable  Matches global IKE entry # 2
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing ISAKMP
SA payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing ke payl
oad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing nonce p
ayload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Generating keys for
Responder...
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing ID payl
oad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing hash pa
yload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Computing hash for I
SAKMP
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing Cisco U
nity VID payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing xauth V
6 VID payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing dpd vid
 payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing Fragmen
tation VID + extended capabilities payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing VID pay
load
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Send Altiga/Cisco VP
N3000/Cisco ASA GW VID
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) wit
h payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13
) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total lengt
h : 371
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) wi
th payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0
) total length : 120
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing hash payl
oad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Computing hash for I
SAKMP
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing notify pa
yload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing VID paylo
ad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Processing IOS/PIX V
endor ID payload (version: 1.0.0, capabilities: 00000408)
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, processing VID paylo
ad
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Received Cisco Unity
 client VID
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing blank h
ash payload
May 31 02:39:55 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, constructing qm hash
 payload
May 31 02:39:55 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=732d96
ba) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 104
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=732d9
6ba) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, process_attr(): Ente
r!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, IP = 10.0.0.2, Processing MODE_CFG
Reply attributes.


!--- User (vpn2) attributes from the tunnel group (vpn2) are downloaded
!--- to the VPN Client.


May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: primary DNS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: secondary DNS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: primary WINS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: secondary WINS = cleared
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: split tunneling list = SPLIT-Tunnel-vpn2group
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: IP Compression = disabled


!--- Split tunnel policy attributes are downloaded to the VPN Client (user2).


May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: Split Tunneling Policy = Split Network
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, User (vpn
2) authenticated.
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=2b0b30
6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=2b0b3
06) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cess_attr(): Enter!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pro
cessing cfg ACK attributes
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=b983e
913) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 194
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cess_attr(): Enter!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pro
cessing cfg Request attributes
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for IPV4 address!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for IPV4 net mask!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for DNS server address!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for WINS server address!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
unsupported transaction mode attribute: 5
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Banner!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Save PW setting!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Default Domain Name!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Split Tunnel List!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Split DNS!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for PFS setting!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
unknown transaction mode attribute: 28683
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for backup ip-sec peer list!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Application Version!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Client Ty
pe: WinNT  Client Application Version: 4.8.01.0300
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for FWTYPE!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for DHCP hostname for DDNS is: tsweb-laptop!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for UDP Port!


!--- Assigns the private address to the remote user.


May 26 01:43:19 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Assigned
private IP address 10.0.4.1 to remote user
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 26 01:43:19 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=751f67
7d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 189
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Del
ay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
May 26 01:43:19 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Res
ume Quick Mode processing, Cert/Trans Exch/RM DSID completed


!--- ISAKMP (Phase 1) process is complete.


May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, PHASE 1 COMPLETED
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, Keep-alive type for this connection: DPD
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Sta
rting phase 1 rekey timer: 82080000 (ms)
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, sen
ding notify message
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=1a3238
c3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=a8bc0
892) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NO
NE (0) total length : 1026
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing SA payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing nonce payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing ID payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
remote Proxy Host data in ID Payload:  Address 10.0.2.10, Protocol 0, Port 0
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing ID payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Proto
col 0, Port 0
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, QM IsReke
yed old sa not found by addr
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE Remot
e Peer configured for crypto map: dynmap
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing IPSec SA payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IPS
ec SA Proposal # 14, Transform # 1 acceptable  Matches global IPSec SA entry # 10
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE: requ
esting SPI!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
 got SPI from key engine: SPI = 0xb9b5c50a
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, oak
ley constucting quick mode
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing IPSec SA payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Overridin
g Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing IPSec nonce payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing proxy ID
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Tra
nsmitting Proxy Id:
  Remote host: 10.0.2.10  Protocol 0  Port 0
  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Sen
ding RESPONDER LIFETIME notification to Initiator
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=a8bc08
92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOT
IFY (11) + NONE (0) total length : 180
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=a8bc0
892) with payloads : HDR + HASH (8) + NONE (0) total length : 52
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, loa
ding all IPSEC SAs
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Gen
erating Quick Mode Key!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Gen
erating Quick Mode Key!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Security
negotiation complete for User (vpn2)  Responder, Inbound SPI = 0xb9b5c50a, Outbo
und SPI = 0x691a0f90
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
 got a KEY_ADD msg for SA: SPI = 0x691a0f90
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pit
cher: received KEY_UPDATE, spi 0xb9b5c50a
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Starting
P2 Rekey timer to expire in 27360 seconds


!--- Adds a static route for the client IP address in the PIX and 
!--- the Phase 2 completed notification.


May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Adding st
atic route for client address: 10.0.2.10
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, PHASE 2 C
OMPLETED (msgid=a8bc0892)



PIX#debug crypto ipsec 7
pix# IPSEC: New embryonic SA created @ 0x02501E38,
    SCB: 0x02501DA8,
    Direction: inbound
    SPI      : 0x2F8C6D57
    Session ID: 0x00000001
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x02483448,
    SCB: 0x02507930,
    Direction: outbound
    SPI      : 0x7233CD22
    Session ID: 0x00000001
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x7233CD22
IPSEC: Creating outbound VPN context, SPI 0x7233CD22
    Flags: 0x00000005
    SA   : 0x02483448
    SPI  : 0x7233CD22
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02507930
    Channel: 0x014A42F0
IPSEC: Completed outbound VPN context, SPI 0x7233CD22
    VPN handle: 0x0245DBE8
IPSEC: New outbound encrypt rule, SPI 0x7233CD22
    Src addr: 0.0.0.0
    Src mask: 0.0.0.0
    Dst addr: 10.0.2.10
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x7233CD22
    Rule ID: 0x025077F8
IPSEC: New outbound permit rule, SPI 0x7233CD22
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x7233CD22
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x7233CD22
    Rule ID: 0x0245DC98
IPSEC: Completed host IBSA update, SPI 0x2F8C6D57
IPSEC: Creating inbound VPN context, SPI 0x2F8C6D57
    Flags: 0x00000006
    SA   : 0x02501E38
    SPI  : 0x2F8C6D57
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0245DBE8
    SCB  : 0x02501DA8
    Channel: 0x014A42F0
IPSEC: Completed inbound VPN context, SPI 0x2F8C6D57
    VPN handle: 0x024736F0
IPSEC: Updating outbound VPN context 0x0245DBE8, SPI 0x7233CD22
    Flags: 0x00000005
    SA   : 0x02483448
    SPI  : 0x7233CD22
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x024736F0
    SCB  : 0x02507930
    Channel: 0x014A42F0
IPSEC: Completed outbound VPN context, SPI 0x7233CD22
    VPN handle: 0x0245DBE8
IPSEC: Completed outbound inner rule, SPI 0x7233CD22
    Rule ID: 0x025077F8
IPSEC: Completed outbound outer SPD rule, SPI 0x7233CD22
    Rule ID: 0x0245DC98


!--- The IP address is assigned to the VPN Client 
!--- from the pool (user2) of the PIX.


IPSEC: New inbound tunnel flow rule, SPI 0x2F8C6D57
    Src addr: 10.0.2.10
    Src mask: 255.255.255.255
    Dst addr: 0.0.0.0
    Dst mask: 0.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x2F8C6D57
    Rule ID: 0x02515C88
IPSEC: New inbound decrypt rule, SPI 0x2F8C6D57
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2F8C6D57
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x2F8C6D57
    Rule ID: 0x022A7D10


!--- Inbound rule for the VPN Client is downloaded from 
!--- the split tunnel access list of the PIX.


IPSEC: New inbound permit rule, SPI 0x2F8C6D57
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2F8C6D57
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x2F8C6D57
    Rule ID: 0x02507788

VPN Client 4.8 for Windows

Choose Log > Log Settings to enable the log levels in the Cisco VPN Client.

multi-vpngroup-clients-diff-vlans-9.gif

Choose Log > Log Window to view the log entries in the Cisco VPN Client. The split tunnel access list is downloaded from the PIX for the vpn2 tunnel group user.

multi-vpngroup-clients-diff-vlans-10.gif



Document ID: 69393