
Configuring the PIX 501/506 Easy VPN Remote Hardware Client to an IOS Router in Network Extension Mode with Extended Authentication

October 30, 2002 - translated edition

Introduction

This document describes how to configure IPSec between the PIX Easy VPN Remote hardware client feature and the Easy VPN Server feature available in newer releases of Cisco IOS(R) Software. The PIX Easy VPN Remote feature was introduced in PIX version 6.2 and is also known as the hardware client or EzVPN client. When the Easy VPN Remote connects to the headend device, at least five security associations (SAs) exist: one of them is the Internet Key Exchange (IKE) SA and the other four are IPSec SAs. When the Easy VPN Remote connects to the headend, two IPSec SAs are negotiated between the IP address of the PIX outside interface and the addresses behind the VPN server. These can be used for management, so that the network behind the IOS router can connect to the PIX outside interface (via Secure Shell (SSH), via secure HTTP using the PIX Device Manager (PDM), or via Telnet). These SAs are created automatically by default with no configuration required, as are the two SAs created for data traffic between the networks behind the PIX and the Cisco IOS router.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Configure

This section presents you with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the IOS Command Lookup Tool. A link to this tool is in the Tool Information section of this document.

Components Used

This configuration was developed and tested using the software and hardware versions below.

  • PIX Firewall, software version 6.2(1)
  • Cisco IOS router, software version 12.2(8)T (the Easy VPN Server feature was introduced in this release).

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Network Diagram

This document uses the network setup shown in the diagram below.

[Network diagram]

Note: The .66 address on the router interface is dynamically assigned. The PC dynamically learns that its default gateway is the .106 address.

Configurations

This document uses the configurations shown below.

Cisco IOS Router Configuration
 term len 0
 ezvpn_server#show running-config
 Building configuration...

 Current configuration : 1961 bytes
 !
 version 12.2
 service config
 service timestamps debug uptime
 service timestamps log uptime
 no service password-encryption
 !
 hostname ezvpn_server
 !
 !--- Enable the authentication, authorization, and accounting (AAA)
 !--- access control model.
 aaa new-model 
 !
 !
 !--- Enable X-Auth for user authentication.
 aaa authentication login userauthen local
 !--- Authorize the group.
 aaa authorization network groupauthor local
 aaa session-id common
 enable password ww
 !
 !--- Assign a password to the user for local authentication
 !--- of IPSec users.
 username remoteuser1 password 0 remotepass1 
 ip subnet-zero
 ip cef
 !
 !
 no ip domain-lookup
 !
 ip audit notify log
 ip audit po max-events 100
 !
 !--- Create the Internet Security Association and Key Management Protocol
 !--- (ISAKMP) policy for Phase 1 negotiation with the hardware client.
 crypto isakmp policy 10
  authentication pre-share
  group 2 
 !
 !--- Create the group used to specify the WINS and DNS server
 !--- addresses for authentication of the hardware client.
 crypto isakmp client configuration group hwclient
  key test123
  dns 10.48.66.75
  wins 10.48.66.95
  domain cisco.com
  pool ippool
 !
 !
 !--- Create the Phase 2 policy for actual data encryption.
 crypto ipsec transform-set myset esp-des esp-md5-hmac 
 !
 !--- Create a dynamic map and apply the transform set created above.
 crypto dynamic-map dynmap 10
  set transform-set myset 
 !
 no crypto engine accelerator 5
 !
 !--- Create the actual crypto map and apply the AAA lists
 !--- created earlier.
 crypto map clientmap client authentication list userauthen
 crypto map clientmap isakmp authorization list groupauthor
 crypto map clientmap client configuration address respond
 crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
 !
 !
 !
 !
 !
 !
 !
 !
 !
 controller ISA 5/1
 !
 !
 !
 interface FastEthernet0/0
 !--- Define the router as a Dynamic Host Configuration Protocol (DHCP)
 !--- client.
  ip address dhcp
  duplex auto
  speed auto 
 !
 interface FastEthernet0/1
  ip address 209.165.201.10 255.255.224.0
  duplex auto
  speed auto
  !--- Apply the crypto map to the outside interface.
  crypto map clientmap 
 !
 interface Serial1/0
  no ip address
  shutdown
  no fair-queue
  serial restart_delay 0
 !
 interface Serial1/1
  no ip address
  shutdown
  serial restart_delay 0
 !
 interface Serial1/2
  no ip address
  shutdown
  serial restart_delay 0
 !
 interface Serial1/3
  no ip address
  shutdown
  serial restart_delay 0
 !
 !--- Create a pool of addresses to be assigned to the VPN Clients.
 ip local pool ippool 172.16.1.1 172.16.1.20 
 ip classless
 ip route 0.0.0.0 0.0.0.0 209.165.201.5 
 no ip http server
 ip pim bidir-enable
 !
 !
 !
 call rsvp-sync
 !
 !
 mgcp profile default
 !
 !
 line con 0
  exec-timeout 0 0
 line aux 0
 line vty 0 4
  exec-timeout 0 0
  password ww
 !
 !
 end


PIX Configuration
    pix506(config)# write terminal
     Building configuration...
     : Saved
     :
     PIX Version 6.2(2)
     nameif ethernet0 outside security0
     nameif ethernet1 inside security100
     enable password 8Ry2YjIyt7RRXU24 encrypted
     passwd 2KFQnbNIdI.2KYOU encrypted
     hostname pix506
     fixup protocol ftp 21
     fixup protocol http 80
     fixup protocol h323 h225 1720
     fixup protocol h323 ras 1718-1719
     fixup protocol ils 389
     fixup protocol rsh 514
     fixup protocol rtsp 554
     fixup protocol smtp 25
     fixup protocol sqlnet 1521
     fixup protocol sip 5060
     fixup protocol skinny 2000
     names
     no pager
     !--- Set the speed and duplex.
     interface ethernet0 10full
     interface ethernet1 auto 
     mtu outside 1500
     mtu inside 1500
     !--- Define the IP addresses of the PIX inside and outside interfaces.
     ip address outside 209.165.201.5 255.255.224.0
     ip address inside 192.168.10.5 255.255.255.0
     ip audit info action alarm
     ip audit attack action alarm
     pdm history enable
     arp timeout 14400
     !--- Define the outside router as the default gateway.
     !--- Normally this IP address is the address of the ISP router.
     route outside 0.0.0.0 0.0.0.0 209.165.201.10 1
     timeout xlate 3:00:00
     timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
        rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
     timeout uauth 0:05:00 absolute
     aaa-server TACACS+ protocol tacacs+
     aaa-server RADIUS protocol radius
     aaa-server LOCAL protocol local
     no snmp-server location
     no snmp-server contact
     snmp-server community public
     no snmp-server enable traps
     floodguard enable
     no sysopt route dnat
     telnet timeout 5
     ssh timeout 5
     !--- Define the Easy VPN Remote parameters.
     !--- This is the pre-shared key used in the IKE negotiation.
     vpnclient vpngroup hwclient password ******** 
     !--- This is the username and password for extended authentication.
     vpnclient username remoteuser1 password ******** 
     !--- Define the IP address of the VPN peer.
     vpnclient server 209.165.201.10 
     !--- Specify whether client/PAT (Port Address Translation) mode or
     !--- network extension mode (NEM) is used.
     vpnclient mode network-extension-mode 
     terminal width 80
     Cryptochecksum:513b95e4bc43732dcfaa9206b182f88b
     : end
     [OK]


Verify

This section provides information you can use to confirm that your configuration is working properly.

Certain show commands are supported by the Output Interpreter tool, which allows you to view an analysis of show command output. A link to this tool is in the Tool Information section of this document.

PIX show Commands and Sample Output

  • vpnclient enable - Enables the Easy VPN Remote connection. In NEM, the tunnel stays up even when there is no traffic to exchange with the headend Easy VPN Server.
    pix506(config)# vpnclient enable
  • show crypto isakmp policy - Displays the parameters for each IKE policy.
    pix506(config)# show crypto isakmp policy

     Default protection suite
             encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
             hash algorithm:         Secure Hash Standard
             authentication method:  Rivest-Shamir-Adleman Signature
             Diffie-Hellman group:   #1 (768 bit)
             lifetime:               86400 seconds, no volume limit

    The output of the show crypto isakmp policy command after the hardware client is enabled is shown below.

    pix506(config)# show crypto isakmp policy

     Protection suite of priority 65010
             encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
             hash algorithm:         Secure Hash Standard
             authentication method:  Pre-Shared Key with XAUTH
             Diffie-Hellman group:   #2 (1024 bit)
             lifetime:               86400 seconds, no volume limit
     Protection suite of priority 65020
             encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
             hash algorithm:         Message Digest 5
             authentication method:  Pre-Shared Key with XAUTH
             Diffie-Hellman group:   #2 (1024 bit)
             lifetime:               86400 seconds, no volume limit
     Protection suite of priority 65110
             encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
             hash algorithm:         Secure Hash Standard
             authentication method:  Pre-Shared Key
             Diffie-Hellman group:   #2 (1024 bit)
             lifetime:               86400 seconds, no volume limit
     Protection suite of priority 65120
             encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
             hash algorithm:         Message Digest 5
             authentication method:  Pre-Shared Key
             Diffie-Hellman group:   #2 (1024 bit)
             lifetime:               86400 seconds, no volume limit
     Default protection suite
             encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
             hash algorithm:         Secure Hash Standard
             authentication method:  Rivest-Shamir-Adleman Signature
             Diffie-Hellman group:   #1 (768 bit)
             lifetime:               86400 seconds, no volume limit

  • show crypto ipsec transform - Displays the current IPSec transforms.
    pix506(config)# show crypto ipsec transform
     pix506(config)# 

    The output of the show crypto ipsec transform command after the hardware client is enabled is shown below. As the output shows, before the vpnclient enable command is used there is only one protection suite for ISAKMP, the default. After the command is executed, the Easy VPN Remote automatically builds four proposals in addition to the default protection suite. Likewise, before the enable command is used there is no IPSec transform set; after the command is executed, the transform sets are built dynamically.

    pix506(config)# show crypto ipsec transform

     Transform set _vpnc_tset_3: { esp-des esp-sha-hmac  }
        will negotiate = { Tunnel,  },

     Transform set _vpnc_tset_4: { esp-des esp-md5-hmac  }
        will negotiate = { Tunnel,  },

  • show crypto isakmp sa - Displays all current IKE SAs at a peer.
    pix506(config)# show crypto isakmp sa
     Total     : 1
     Embryonic : 0
             dst             src          state       pending    created
       209.165.201.10    209.165.201.5    QM_IDLE         0           2

  • show vpnclient - Displays configuration information for the VPN Client or Easy VPN Remote device.
    pix506(config)# show vpnclient

     Local Configuration
     vpnclient vpngroup hwclient password ********
     vpnclient username remoteuser1 password ********
     vpnclient server 209.165.201.10
     vpnclient mode network-extension-mode
     vpnclient enable
     !--- The following is the policy that was obtained from the Easy VPN Server.
     Downloaded Dynamic Policy
     Current Server : 209.165.201.10
     Primary DNS    : 10.48.66.75
     Primary WINS   : 10.48.66.95
     Default Domain : cisco.com
     PFS Enabled    : No

  • show crypto ipsec sa - Displays the IPSec SAs built between peers.
    pix506(config)# show crypto ipsec sa 
     !--- This command is run after a PING is attempted from the PC behind
     !--- the Easy VPN Server to the PC behind the PIX.

     interface: outside
         Crypto map tag: _vpnc_cm, local addr. 209.165.201.5

        local  ident (addr/mask/prot/port): (209.165.201.5/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        current_peer: 209.165.201.10
          PERMIT, flags={origin_is_acl,}
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
         #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
         #send errors 1, #recv errors 0

          local crypto endpt.: 209.165.201.5, remote crypto endpt.: 209.165.201.10
          path mtu 1500, ipsec overhead 56, media mtu 1500
          current outbound spi: dc76c779

          inbound esp sas:
           spi: 0x95835a6d(2508413549)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 7, crypto map: _vpnc_cm
             sa timing: remaining key lifetime (k/sec): (4608000/3383)
             IV size: 8 bytes
             replay detection support: Y

          inbound ah sas:

          inbound pcp sas:

          outbound esp sas:
           spi: 0xdc76c779(3698771833)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 8, crypto map: _vpnc_cm
             sa timing: remaining key lifetime (k/sec): (4608000/3383)
             IV size: 8 bytes
             replay detection support: Y

          outbound ah sas:

          outbound pcp sas:


        local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        current_peer: 209.165.201.10
          PERMIT, flags={origin_is_acl,}
         #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
         #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
         #send errors 1, #recv errors 0
     !--- As shown above, PING packets are correctly exchanged between
     !--- the Easy VPN Remote (PIX) and the Easy VPN Server (IOS).

          local crypto endpt.: 209.165.201.5, remote crypto endpt.: 209.165.201.10
          path mtu 1500, ipsec overhead 56, media mtu 1500
          current outbound spi: a5049ee2

          inbound esp sas:
           spi: 0x98c8e307(2563302151)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 5, crypto map: _vpnc_cm
             sa timing: remaining key lifetime (k/sec): (4607999/3373)
             IV size: 8 bytes
             replay detection support: Y

          inbound ah sas:

          inbound pcp sas:

          outbound esp sas:
           spi: 0xa5049ee2(2768543458)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 6, crypto map: _vpnc_cm
             sa timing: remaining key lifetime (k/sec): (4607999/3373)
             IV size: 8 bytes
             replay detection support: Y

          outbound ah sas:

          outbound pcp sas:

  • show access-list - Displays the contents of the access lists.
    access-list _vpnc_acl; 2 elements
     access-list _vpnc_acl permit ip 192.168.10.0 255.255.255.0 any (hitcnt=15)
     access-list _vpnc_acl permit ip host 209.165.201.5 any (hitcnt=3)

     !--- The output above is the access list built dynamically to identify
     !--- the traffic to be encrypted.
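The five protection suites listed by show crypto isakmp policy above are easy to read one at a time but tedious to audit across many devices. The Python below is added here as a worked example and is not part of the Cisco document or its tooling: it splits the output into suites and flags attributes that fall below current minimums. The sample output is constructed from three of the suites shown above, and the thresholds (single DES, MD5, Diffie-Hellman groups below 14) are the editor's reading of present-day guidance, not anything the 2002 document states.

```python
"""Audit `show crypto isakmp policy` output (PIX or IOS) for legacy IKE settings.

Added example for this page, not Cisco code. SAMPLE is constructed from three
of the protection suites shown on the page; the thresholds in audit() are the
editor's (AES, SHA-2, DH group 14 or higher), not anything the document states.
"""
import re

SAMPLE = """\
Protection suite of priority 65010
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key with XAUTH
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65020
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key with XAUTH
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


def parse_policies(text):
    """Split the output into one dict per suite; the default suite has priority None."""
    suites, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)$", line)
        if m or line == "Default protection suite":
            cur = {"priority": int(m.group(1)) if m else None}
            suites.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")   # "hash algorithm:   Message Digest 5"
            cur[key.strip()] = val.strip()
    return suites


def audit(suite):
    """Return the legacy attributes found in one suite (empty list: nothing flagged)."""
    findings = []
    # "DES - Data Encryption Standard ..." is single DES; 3DES and AES start differently.
    if re.match(r"DES\b", suite.get("encryption algorithm", "")):
        findings.append("single DES (56-bit key)")
    if suite.get("hash algorithm", "").startswith("Message Digest 5"):
        findings.append("MD5 hash")
    m = re.search(r"#(\d+)", suite.get("Diffie-Hellman group", ""))
    if m and int(m.group(1)) < 14:
        findings.append(f"DH group {m.group(1)} (below 2048-bit MODP)")
    return findings


def audit_output(text):
    """Map each suite's priority ('default' for the default suite) to its findings."""
    return {s["priority"] if s["priority"] is not None else "default": audit(s)
            for s in parse_policies(text)}


if __name__ == "__main__":
    for prio, findings in audit_output(SAMPLE).items():
        print(prio, "->", ", ".join(findings) or "no legacy attributes")
```

Run against the output above, every suite is flagged for single DES, the 65020 and 65120 suites additionally for MD5, and the default suite for DH group 1; on a current device the same parser accepts the AES and SHA-2 wording unchanged.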
    
     

IOS show Commands and Sample Output

  • show crypto isakmp sa - Displays all current IKE SAs at a peer.
    ezvpn_server#show crypto isakmp sa
     dst             src             state           conn-id    slot
     209.165.201.10  209.165.201.5   QM_IDLE               2       0 
  • show crypto ipsec sa - Displays the IPSec SAs built between peers.
    ezvpn_server#show crypto ipsec sa
     !--- This command is run after a PING is attempted from the PC behind
     !--- the Easy VPN Server to the PC behind the PIX.
     interface: FastEthernet0/1
         Crypto map tag: clientmap, local addr. 209.165.201.10

        local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (209.165.201.5/255.255.255.255/0/0)
        current_peer: 209.165.201.5
          PERMIT, flags={}
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
         #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
         #send errors 0, #recv errors 0

          local crypto endpt.: 209.165.201.10, remote crypto endpt.: 209.165.201.5
          path mtu 1500, media mtu 1500
          current outbound spi: 95835A6D

          inbound esp sas:
           spi: 0xDC76C779(3698771833)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 2000, flow_id: 1, crypto map: clientmap
             sa timing: remaining key lifetime (k/sec): (4608000/3535)
             IV size: 8 bytes
             replay detection support: Y

          inbound ah sas:

          inbound pcp sas:

          outbound esp sas:
           spi: 0x95835A6D(2508413549)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 2001, flow_id: 2, crypto map: clientmap
             sa timing: remaining key lifetime (k/sec): (4608000/3526)
             IV size: 8 bytes
             replay detection support: Y

          outbound ah sas:

          outbound pcp sas:


        local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        current_peer: 209.165.201.5
          PERMIT, flags={}
         #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
         #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 
     !--- As shown above, PING packets are correctly exchanged between
     !--- the Easy VPN Remote (PIX) and the Easy VPN Server (IOS).
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
         #send errors 0, #recv errors 0

          local crypto endpt.: 209.165.201.10, remote crypto endpt.: 209.165.201.5
          path mtu 1500, media mtu 1500
          current outbound spi: 98C8E307

          inbound esp sas:
           spi: 0xA5049EE2(2768543458)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 2002, flow_id: 3, crypto map: clientmap
             sa timing: remaining key lifetime (k/sec): (4607999/3493)
             IV size: 8 bytes
             replay detection support: Y

          inbound ah sas:

          inbound pcp sas:

          outbound esp sas:
           spi: 0x98C8E307(2563302151)
             transform: esp-des esp-md5-hmac ,
             in use settings ={Tunnel, }
             slot: 0, conn id: 2003, flow_id: 4, crypto map: clientmap
             sa timing: remaining key lifetime (k/sec): (4607999/3493)
             IV size: 8 bytes
             replay detection support: Y

          outbound ah sas:

          outbound pcp sas:
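The PIX and IOS show crypto ipsec sa listings above are mirror images of each other: for the same pair of proxy identities, each inbound ESP SPI on the PIX is the router's outbound SPI and vice versa, and the encapsulation counters on one side should equal the decapsulation counters on the other. The Python below, added here as an example rather than Cisco tooling, parses both outputs and performs that cross-check for the management SA and the data SA. The two sample texts are abridged, constructed copies of the listings above that keep only the lines the parser reads.

```python
"""Cross-check `show crypto ipsec sa` output from both ends of a tunnel.

Added example for this page, not Cisco tooling. PIX_SAMPLE and IOS_SAMPLE are
abridged, constructed copies of the PIX and IOS listings shown on the page.
"""
import re

PIX_SAMPLE = """\
   local  ident (addr/mask/prot/port): (209.165.201.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     current outbound spi: dc76c779
     inbound esp sas:
      spi: 0x95835a6d(2508413549)
     inbound ah sas:
     outbound esp sas:
      spi: 0xdc76c779(3698771833)

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
     inbound esp sas:
      spi: 0x98c8e307(2563302151)
     outbound esp sas:
      spi: 0xa5049ee2(2768543458)
"""

IOS_SAMPLE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (209.165.201.5/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     inbound esp sas:
      spi: 0xDC76C779(3698771833)
     outbound esp sas:
      spi: 0x95835A6D(2508413549)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
     inbound esp sas:
      spi: 0xA5049EE2(2768543458)
     outbound esp sas:
      spi: 0x98C8E307(2563302151)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI_RE = re.compile(r"spi: 0x([0-9a-fA-F]+)\(")   # "current outbound spi:" has no 0x prefix


def parse_ipsec_sa(text):
    """Return one dict per SA pair: proxy identities, packet counters and ESP SPIs."""
    entries, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":          # a new SA pair starts here
            cur = {"local": m.group(2), "remote": None, "encaps": 0, "decaps": 0,
                   "in_spi": None, "out_spi": None}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        if m:                                    # the matching remote ident
            cur["remote"] = m.group(2)
        elif (p := PKTS_RE.match(line)):
            cur[p.group(1)] = int(p.group(2))
        elif line.endswith(" sas:"):             # only ESP SPIs are tracked; AH/PCP are skipped
            direction = line.split()[0] if " esp " in line else None
        elif direction and (s := SPI_RE.match(line)):
            cur["in_spi" if direction == "inbound" else "out_spi"] = int(s.group(1), 16)
    return entries


def cross_check(side_a, side_b):
    """Pair each SA on side A with its mirror on side B and list what disagrees."""
    report = {}
    for a in side_a:
        mirror = next((b for b in side_b
                       if b["local"] == a["remote"] and b["remote"] == a["local"]), None)
        problems = []
        if mirror is None:
            problems.append("no mirror SA on peer")
        else:
            if a["in_spi"] != mirror["out_spi"] or a["out_spi"] != mirror["in_spi"]:
                problems.append("SPI mismatch")
            if a["encaps"] != mirror["decaps"] or a["decaps"] != mirror["encaps"]:
                problems.append("packet counters disagree")
            if a["encaps"] == 0 and a["decaps"] == 0:
                problems.append("no traffic yet")
        report[a["local"]] = problems
    return report


def tunnel_healthy(report):
    """True when every SA has a mirror with matching SPIs; idle SAs are acceptable."""
    return all(set(p) <= {"no traffic yet"} for p in report.values())


if __name__ == "__main__":
    report = cross_check(parse_ipsec_sa(PIX_SAMPLE), parse_ipsec_sa(IOS_SAMPLE))
    for ident, problems in report.items():
        print(ident, "->", "; ".join(problems) or "OK")
    print("healthy:", tunnel_healthy(report))
```

For the listings above the management SA (209.165.201.5/32) is reported as idle but consistent and the data SA (192.168.10.0/24) as fully consistent with four packets each way, so the tunnel counts as healthy; an SPI that differs between the two sides, which is what a stale SA after a rekey looks like, would instead be reported as a mismatch.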
    
     

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

If you have problems after following the procedure in this document to configure the Easy VPN Remote (PIX) and the Easy VPN Server (IOS), collect the debug output and show command output from the PIX and the IOS device for analysis by the Cisco Technical Assistance Center (TAC). Also refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel or IP Security Troubleshooting - Understanding and Using debug Commands. Enable IPSec debugging on the PIX.

PIX debug Commands and Sample Output

PIX debug Commands

  • debug crypto ipsec - Displays the IPSec negotiations of Phase 2.
  • debug crypto isakmp - Displays the ISAKMP negotiations of Phase 1.

PIX Sample Output

 VPNC CLI: no isakmp keepalive 10
 VPNC CFG: IKE unconfig successful
 VPNC CLI: no crypto map         ALT_DEF_DOMAIN
         INTERNAL_IPV_NBNS
         INTERNAL_IPV_DNS
         ALT_SPLIT_INCLUDE
         ALT_SPLITDNS_NAME
         ALT_PFS
 _vpnc_cm
 VPNC CFG: crypto map deletion attempt done
 VPNC CFG: crypto unconfig successful
 VPNC CLI: no global 65001
 VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
 VPNC CFG: nat unconfig attempt failed
 VPNC CLI: no access-list _vpnc_acl
 VPNC CFG: ACL deletion attempt failed
 VPNC CLI: no crypto map _vpnc_cm interface outside
 VPNC CFG: crypto map de/attach failed
 VPNC CLI: no sysopt connection permit-ipsec
 VPNC CLI: sysopt connection permit-ipsec
 VPNC CFG: transform sets configured
 VPNC CFG: crypto config successful
 VPNC CLI: isakmp keepalive 10
 VPNC CFG: IKE config successful
 VPNC CLI: no access-list _vpnc_acl
 VPNC CFG: ACL deletion attempt failed
 VPNC CLI: access-list _vpnc_acl permit ip host 209.165.201.5
    host 209.165.201.10
 VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
 VPNC CFG: crypto map acl update successful
 VPNC CLI: no crypto map _vpnc_cm interface outside
 VPNC CLI: crypto map _vpnc_cm interface outside

 VPN Peer: ISAKMP: Added new peer: ip:209.165.201.10
    Total VPN Peers:1
 VPN Peer: ISAKMP: Peer ip:209.165.201.10 Ref cnt incremented to:1
    Total VPN Peers:1
 ISAKMP (0): ID payload
         next-payload : 13
         type         : 11
         protocol     : 17
         port         : 500
         length       : 12
 ISAKMP (0): Total payload length: 16
 ISAKMP (0): beginning Aggressive Mode exchangeVPNC INF:
    Request for IKE trigger done

 crypto_isakmp_process_block: src 209.165.201.10, dest 209.165.201.5
 OAK_AG exchange
 ISAKMP (0): processing SA payload. message ID = 0

 ISAKMP (0): Checking ISAKMP transform 1 against priority 65010 policy
 !--- The PIX checks the received proposal against the dynamically
 !--- generated policy 65010.
 ISAKMP:      encryption DES-CBC
 ISAKMP:      hash SHA
 ISAKMP:      default group 2
 ISAKMP:      extended auth pre-share
 ISAKMP:      life type in seconds
 ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
 ISAKMP (0): atts are acceptable. Next payload is 0
 ISAKMP (0): processing vendor id payload

 ISAKMP (0): processing vendor id payload

 ISAKMP (0): remote peer supports dead peer detection

 ISAKMP (0): processing vendor id payload

 ISAKMP (0): speaking to another IOS box!

 ISAKMP (0): processing vendor id payload

 ISAKMP (0): received xauth v6 vendor id

 ISAKMP (0): processing KE payload. message ID = 0

 crypto_isakmp_process_block: src 209.165.201.10, dest 209.165.201.5
 crypto_isakmp_process_block: src 209.165.201.10, dest 209.165.201.5
 ISAKMP_TRANSACTION exchange
 VPNC INF: Constructing policy download req

 crypto_isakmp_process_block: src 209.165.201.10, dest 209.165.201.5VPNC
    INF: IPSec rmt mgmt trigger done

 ISAKMP (0): beginning Quick Mode exchange,
    M-ID of -1657738412:9d30eb54IPSEC(key_engine): got a queue event...
 IPSEC(spi_response): getting spi 0x95835a6d(2508413549) for SA
         from  209.165.201.10 to   209.165.201.5 for prot 3

 crypto_isakmp_process_block: src 209.165.201.10, dest 209.165.201.5
 OAK_QM exchange
 oakley_process_quick_mode:
 OAK_QM_IDLE
 ISAKMP (0): processing SA payload. message ID = 2637228884

 ISAKMP : Checking IPSec proposal 1

 ISAKMP: transform 1, ESP_DES
 ISAKMP:   attributes in transform:
 ISAKMP:      encaps is 1
 ISAKMP:      SA life type in seconds
 ISAKMP:      SA life duration (basic) of 28800
 ISAKMP:      SA life type in kilobytes
 ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
 ISAKMP:      authenticator is HMAC-MD5

 ISAKMP (0): atts are acceptable. IPSEC(validate_proposal_request):
    proposal part #1,
   (key eng. msg.) dest= 209.165.201.10, src= 209.165.201.5,
     dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
     src_proxy= 209.165.201.5/255.255.255.255/0/0 (type=1),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 0s and 0kb,
     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

 ISAKMP (0): processing NONCE payload. message ID = 2637228884

 ISAKMP (0): processing ID payload. message ID = 2637228884
 ISAKMP (0): processing ID payload. message ID = 2637228884
 ISAKMP (0): processing NOTIFY payload 24576 protocol 3
         spi 3698771833, message ID = 2637228884
 ISAKMP (0): processing responder lifetime
 ISAKMP (0): responder lifetime of 3600s
 ISAKMP (0): Creating IPSec SAs
         inbound SA from  209.165.201.10 to 209.165.201.5
            (proxy 0.0.0.0 to   209.165.201.5)
         has spi 2508413549 and conn_id 7 and flags 4
         lifetime of 3600 seconds
         lifetime of 4608000 kilobytes
         outbound SA from   209.165.201.5 to 209.165.201.10
            (proxy 209.165.201.5 to 0.0.0.0)
         has spi 3698771833 and conn_id 8 and flags 4
         lifetime of 3600 seconds
         lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
 IPSEC(initialize_sas): ,
   (key eng. msg.) dest= 209.165.201.5, src= 209.165.201.10,
     dest_proxy= 209.165.201.5/255.255.255.255/0/0 (type=1),
     src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 3600s and 4608000kb,
     spi= 0x95835a6d(2508413549), conn_id= 7, keysize= 0, flags= 0x4
 IPSEC(initialize_sas): ,
   (key eng. msg.) src= 209.165.201.5, dest= 209.165.201.10,
     src_proxy= 209.165.201.5/255.255.255.255/0/0 (type=1),
     dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 3600s and 4608000kb,
     spi= 0xdc76c779(3698771833), conn_id= 8, keysize= 0, flags= 0x4
 !--- The IPSec SAs above are for management.

 VPN Peer: IPSEC: Peer ip:209.165.201.10 Ref cnt incremented to:2
    Total VPN Peers:1
 VPN Peer: IPSEC: Peer ip:209.165.201.10 Ref cnt incremented to:3
    Total VPN Peers:1
 return status is IKMP_NO_ERROR
 ISAKMP (0): beginning Quick Mode exchange,
    M-ID of 359601755:156f165bIPSEC(key_engine): got a queue event...
 IPSEC(spi_response): getting spi 0x98c8e307(2563302151) for SA
         from  209.165.201.10 to   209.165.201.5 for prot 3

 crypto_isakmp_process_block: src 209.165.201.10, dest 209.165.201.5
 OAK_QM exchange
 oakley_process_quick_mode:
 OAK_QM_IDLE
 ISAKMP (0): processing SA payload. message ID = 359601755

 ISAKMP : Checking IPSec proposal 1

 ISAKMP: transform 1, ESP_DES
 ISAKMP:   attributes in transform:
 ISAKMP:      encaps is 1
 ISAKMP:      SA life type in seconds
 ISAKMP:      SA life duration (basic) of 28800
 ISAKMP:      SA life type in kilobytes
 ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
 ISAKMP:      authenticator is HMAC-MD5
 ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):
    proposal part #1,
   (key eng. msg.) dest= 209.165.201.10, src= 209.165.201.5,
     dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
     src_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 0s and 0kb,
     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

 ISAKMP (0): processing NONCE payload. message ID = 359601755

 ISAKMP (0): processing ID payload. message ID = 359601755
 ISAKMP (0): processing ID payload. message ID = 359601755
 ISAKMP (0): processing NOTIFY payload 24576 protocol 3
         spi 2768543458, message ID = 359601755
 ISAKMP (0): processing responder lifetime
 ISAKMP (0): responder lifetime of 3600s
 ISAKMP (0): Creating IPSec SAs
         inbound SA from  209.165.201.10 to 209.165.201.5
            (proxy 0.0.0.0 to 192.168.10.0)
         has spi 2563302151 and conn_id 5 and flags 4
         lifetime of 3600 seconds
         lifetime of 4608000 kilobytes
         outbound SA from 209.165.201.5 to 209.165.201.10
            (proxy 192.168.10.0 to 0.0.0.0)
         has spi 2768543458 and conn_id 6 and flags 4
         lifetime of 3600 seconds
         lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
 IPSEC(initialize_sas): ,
   (key eng. msg.) dest= 209.165.201.5, src= 209.165.201.10,
     dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
     src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 3600s and 4608000kb,
     spi= 0x98c8e307(2563302151), conn_id= 5, keysize= 0, flags= 0x4
 IPSEC(initialize_sas): ,
   (key eng. msg.) src= 209.165.201.5, dest= 209.165.201.10,
     src_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
     dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 3600s and 4608000kb,
     spi= 0xa5049ee2(2768543458), conn_id= 6, keysize= 0, flags= 0x4
 !--- The IPSec SAs above are for the actual data traffic.

 VPN Peer: IPSEC: Peer ip:209.165.201.10 Ref cnt incremented to:4
    Total VPN Peers:1
 VPN Peer: IPSEC: Peer ip:209.165.201.10 Ref cnt incremented to:5
    Total VPN Peers:1
 return status is IKMP_NO_ERROR
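Several values in the PIX debug above are printed in more than one encoding. The IKE lifetime arrives as a variable-length attribute shown byte by byte (life duration (VPI) of 0x0 0x1 0x51 0x80 is 0x00015180, that is 86400 seconds, which matches the lifetime in show crypto isakmp policy), the Quick Mode message ID is printed as a signed decimal plus hex (M-ID of -1657738412:9d30eb54) and then as unsigned decimal in the message ID = 2637228884 lines that follow, and each SPI is printed as hex with its decimal value in parentheses. The Python below is an added example, not anything from the Cisco document: it decodes those forms, checks that the two representations agree, and groups the Quick Mode payload lines under the exchange that opened them. The sample lines are constructed from the debug above, and the big-endian reading of the VPI bytes follows the ISAKMP attribute encoding.

```python
"""Decode the differently encoded numbers in PIX `debug crypto isakmp/ipsec` output.

Added example for this page, not Cisco code. SAMPLE_DEBUG is constructed from
lines of the PIX debug shown on the page; the byte-by-byte lifetime is read
big-endian, as ISAKMP encodes variable-length attribute values.
"""
import re

SAMPLE_DEBUG = """\
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): beginning Quick Mode exchange,
   M-ID of -1657738412:9d30eb54IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x95835a6d(2508413549) for SA
ISAKMP (0): processing SA payload. message ID = 2637228884
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP (0): processing NONCE payload. message ID = 2637228884
ISAKMP (0): processing ID payload. message ID = 2637228884
    spi= 0x95835a6d(2508413549), conn_id= 7, keysize= 0, flags= 0x4
ISAKMP (0): beginning Quick Mode exchange,
   M-ID of 359601755:156f165bIPSEC(key_engine): got a queue event...
ISAKMP (0): processing SA payload. message ID = 359601755
"""

VPI_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
MID_RE = re.compile(r"M-ID of (-?\d+):([0-9a-fA-F]{1,8})")
MSGID_RE = re.compile(r"message ID = (\d+)")
SPI_RE = re.compile(r"spi[:=]?\s*0x([0-9a-fA-F]+)\((\d+)\)")


def decode_vpi(byte_tokens):
    """'0x0 0x1 0x51 0x80' -> 0x00015180 -> 86400: the bytes form a big-endian integer."""
    value = 0
    for tok in byte_tokens.split():
        value = (value << 8) | int(tok, 16)
    return value


def mid_to_unsigned(decimal, hexstr):
    """The M-ID is printed as a signed 32-bit decimal plus hex; return the unsigned
    value that the later 'message ID =' lines use, checking that both forms agree."""
    unsigned = decimal & 0xFFFFFFFF
    if unsigned != int(hexstr, 16):
        raise ValueError(f"M-ID forms disagree: {decimal} vs 0x{hexstr}")
    return unsigned


def correlate(debug_text):
    """Decode lifetimes, count payload lines per Quick Mode exchange, and check SPIs."""
    lifetimes, exchanges, spis = [], {}, {}
    for line in debug_text.splitlines():
        if (m := VPI_RE.search(line)):
            lifetimes.append(decode_vpi(m.group(1)))
        elif (m := MID_RE.search(line)):
            exchanges.setdefault(mid_to_unsigned(int(m.group(1)), m.group(2)), 0)
        elif (m := MSGID_RE.search(line)) and int(m.group(1)) in exchanges:
            exchanges[int(m.group(1))] += 1          # a payload processed under that M-ID
        elif (m := SPI_RE.search(line)):
            # True when the hex and the decimal in parentheses denote the same SPI
            spis[int(m.group(1), 16)] = int(m.group(1), 16) == int(m.group(2))
    return {"lifetimes": lifetimes, "exchanges": exchanges, "spis": spis}


if __name__ == "__main__":
    result = correlate(SAMPLE_DEBUG)
    print("lifetimes decoded:", result["lifetimes"])        # [86400, 4608000]
    for mid, count in result["exchanges"].items():
        print(f"Quick Mode M-ID {mid} (0x{mid:08x}): {count} payload lines")
    print("SPIs consistent:", result["spis"])
```

The two decoded lifetimes are the IKE SA lifetime in seconds and the IPSec SA volume limit in kilobytes, which are the 86400 and 4608000 that show crypto isakmp policy and show crypto ipsec sa report. The seconds lifetime of the IPSec SA is different: the proposal carries 28800 in the basic attribute form, but the responder lifetime notify of 3600s that follows is what the SAs are created with and what the show output counts down from.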

 

IOS debug Commands and Sample Output

IOS debug Commands

  • debug crypto ipsec - Displays IPSec events.
  • debug crypto isakmp - Displays messages about IKE events.
  • debug crypto engine - Displays encrypted traffic.

IOS Sample Output


 ezvpn_server#
 !--- As soon as the vpnclient enable command is executed on the PIX,
 !--- the IKE negotiation request is received on the IOS device.
 21:42:13: ISAKMP (0:0): received packet from 209.165.201.5 (N) NEW SA
 21:42:13: ISAKMP: local port 500, remote port 500
 21:42:13: ISAKMP (0:2): (Re)Setting client xauth list userauthen and state
 21:42:13: ISAKMP: Locking CONFIG struct 0x62BD0AE4
    from crypto_ikmp_config_initialize_sa, count 2
 21:42:13: ISAKMP (0:2): processing SA payload. message ID = 0
 21:42:13: ISAKMP (0:2): processing ID payload. message ID = 0
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
 21:42:13: ISAKMP (0:2): vendor ID is XAUTH
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): vendor ID is DPD
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): claimed IOS but failed authentication
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): vendor ID is Unity
 21:42:13: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
 21:42:13: ISAKMP:      encryption DES-CBC
 21:42:13: ISAKMP:      hash SHA
 21:42:13: ISAKMP:      default group 2
 21:42:13: ISAKMP:      auth XAUTHInitPreShared
 21:42:13: ISAKMP:      life type in seconds
 21:42:13: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
 21:42:13: ISAKMP (0:2): atts are acceptable. Next payload is 3
 !--- The ISAKMP policy is accepted on both the IOS device and the PIX.
 21:42:13: CryptoEngine0: generate alg parameter
 21:42:13: CRYPTO_ENGINE: Dh phase 1 status: 0
 21:42:13: CRYPTO_ENGINE: Dh phase 1 status: 0
 21:42:13: ISAKMP (0:2): processing KE payload. message ID = 0
 21:42:13: CryptoEngine0: generate alg parameter
 21:42:13: ISAKMP (0:2): processing NONCE payload. message ID = 0
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
 Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

 21:42:13: ISAKMP: got callback 1
 21:42:13: CryptoEngine0: create ISAKMP SKEYID for conn id 2
 21:42:13: ISAKMP (0:2): SKEYID state generated
 21:42:13: ISAKMP (0:2): SA is doing pre-shared key authentication
    plux XAUTH using id type ID_IPV4_ADDR
 21:42:13: ISAKMP (2): ID payload
         next-payload : 10
         type         : 1
         protocol     : 17
         port         : 500
         length       : 8
 21:42:13: ISAKMP (2): Total payload length: 12
 21:42:13: CryptoEngine0: generate hmac context for conn id 2
 21:42:13: ISAKMP (0:2): sending packet to 209.165.201.5 (R) AG_INIT_EXCH
 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
 Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

 21:42:13: ISAKMP (0:2): received packet from 209.165.201.5 (R) AG_INIT_EXCH
 21:42:13: ISAKMP (0:2): processing HASH payload. message ID = 0
 21:42:13: CryptoEngine0: generate hmac context for conn id 2
 21:42:13: ISAKMP (0:2): processing NOTIFY INITIAL_CONTACT protocol 1
         spi 0, message ID = 0, sa = 62BCF4C8
 21:42:13: ISAKMP (0:2): Process initial contact,
    bring down existing phase 1 and 2 SA's
 21:42:13: ISAKMP (0:2): returning IP addr to the address pool
 21:42:13: ISAKMP (0:2): peer does not do paranoid keepalives.

 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): processing vendor id payload
 21:42:13: ISAKMP (0:2): SA has been authenticated with 209.165.201.5
 21:42:13: CryptoEngine0: clear dh number for conn id 1
 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP (0:2): sending packet to 209.165.201.5 (R) QM_IDLE

 21:42:13: ISAKMP (0:2): purging node 2139746711

 21:42:13: ISAKMP: Sending phase 1 responder lifetime 86400

 

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

 Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

 

 21:42:13: IPSEC(key_engine): got a queue event...

 21:42:13: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

 21:42:13: IPSEC(key_engine_delete_sas): delete all SAs shared with 209.165.201.5

 21:42:13: ISAKMP (0:2): Need XAUTH

 !--- After Phase 1 succeeds, the IOS device processes
 !--- the extended authentication (XAUTH) phase.

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

 Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT

 

 21:42:13: ISAKMP: got callback 1

 21:42:13: ISAKMP/xauth: request attribute XAUTH_TYPE_V2

 21:42:13: ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2

 21:42:13: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

 21:42:13: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP (0:2): initiating peer config to 209.165.201.5. ID = -519920060

 21:42:13: ISAKMP (0:2): sending packet to 209.165.201.5 (R) CONF_XAUTH

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN

 Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT

 

 21:42:13: ISAKMP (0:2): received packet from 209.165.201.5 (R) CONF_XAUTH

 21:42:13: ISAKMP (0:2): processing transaction payload from 209.165.201.5.

    message ID = -519920060

 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP: Config payload REPLY

 21:42:13: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

 21:42:13: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

 21:42:13: ISAKMP (0:2): deleting node -519920060 error FALSE

    reason "done with xauth request/reply exchange"

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

 Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

 

 21:42:13: ISAKMP: got callback 1

 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP (0:2): initiating peer config to

    209.165.201.5. ID = -1899629449

 21:42:13: ISAKMP (0:2): sending packet to 209.165.201.5 (R) CONF_XAUTH

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN

 Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

 

 21:42:13: ISAKMP (0:2): received packet from 209.165.201.5 (R) CONF_XAUTH

 21:42:13: ISAKMP (0:2): processing transaction payload

    from 209.165.201.5. message ID = -1899629449

 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP: Config payload ACK

 21:42:13: ISAKMP (0:2):        XAUTH ACK Processed

 21:42:13: ISAKMP (0:2): deleting node -1899629449 error FALSE

    reason "done with transaction"

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK

 Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

 

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

 Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

 

 21:42:13: ISAKMP (0:2): received packet from 209.165.201.5 (R) QM_IDLE

 21:42:13: ISAKMP (0:2): processing transaction payload

    from 209.165.201.5. message ID = 920441477

 !--- Extended authentication is complete and
 !--- mode configuration is processed.

 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP: Config payload REQUEST

 21:42:13: ISAKMP (0:2): checking request:

 21:42:13: ISAKMP:    DEFAULT_DOMAIN

 21:42:13: ISAKMP:    IP4_NBNS

 21:42:13: ISAKMP:    IP4_DNS

 21:42:13: ISAKMP:    SPLIT_INCLUDE

 21:42:13: ISAKMP:    UNKNOWN Unknown Attr: 0x7003

 21:42:13: ISAKMP:    UNKNOWN Unknown Attr: 0x7007

 21:42:13: ISAKMP:    APPLICATION_VERSION

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

 Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

 

 21:42:13: ISAKMP: got callback 1

 21:42:13: ISAKMP (0:2): attributes sent in message:

 21:42:13: ISAKMP: Sending DEFAULT_DOMAIN default domain name: cisco.com

 21:42:13: ISAKMP: Sending IP4_NBNS server address: 10.48.66.95

 21:42:13: ISAKMP: Sending IP4_DNS server address: 10.48.66.75

 21:42:13: ISAKMP: Unknown Attr: UNKNOWN (0x7003)

 21:42:13: ISAKMP: Unknown Attr: UNKNOWN (0x7007)

 21:42:13: ISAKMP: Sending APPLICATION_VERSION string:

    Cisco Internetwork Operating System Software

 IOS (tm) EGR Software (C7100-IK9O3S-M), Version 12.2(8)T4,

    RELEASE SOFTWARE (fc1)

 TAC Support: http://www.cisco.com/tac

 Copyright (c) 1986-2002 by cisco Systems, Inc.

 Compiled Sun 05-May-02 03:34 by ccai

 21:42:13: CryptoEngine0: generate hmac context for conn id 2

 21:42:13: ISAKMP (0:2): responding to peer config

    from 209.165.201.5. ID = 920441477

 21:42:13: ISAKMP (0:2): sending packet to 209.165.201.5 (R) CONF_ADDR

 21:42:13: ISAKMP (0:2): deleting node 920441477 error FALSE reason ""

 21:42:13: ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR

 Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

 

 21:42:18: ISAKMP (0:2): received packet from 209.165.201.5 (R) QM_IDLE

 21:42:18: CryptoEngine0: generate hmac context for conn id 2

 21:42:18: ISAKMP (0:2): processing HASH payload. message ID = -1657738412

 21:42:18: ISAKMP (0:2): processing SA payload. message ID = -1657738412

 !--- Phase 2 processing begins.

 21:42:18: ISAKMP (0:2): Checking IPSec proposal 1

 21:42:18: ISAKMP: transform 1, ESP_DES

 21:42:18: ISAKMP:   attributes in transform:

 21:42:18: ISAKMP:      encaps is 1

 21:42:18: ISAKMP:      SA life type in seconds

 21:42:18: ISAKMP:      SA life duration (basic) of 28800

 21:42:18: ISAKMP:      SA life type in kilobytes

 21:42:18: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

 21:42:18: ISAKMP:      authenticator is HMAC-SHA

 21:42:18: validate proposal 0

 21:42:18: IPSEC(validate_proposal): transform proposal

    (prot 3, trans 2, hmac_alg 2) not supported

 21:42:18: ISAKMP (0:2): atts not acceptable. Next payload is 0

 21:42:18: ISAKMP (0:2): Checking IPSec proposal 2

 21:42:18: ISAKMP: transform 1, ESP_DES

 21:42:18: ISAKMP:   attributes in transform:

 21:42:18: ISAKMP:      encaps is 1

 21:42:18: ISAKMP:      SA life type in seconds

 21:42:18: ISAKMP:      SA life duration (basic) of 28800

 21:42:18: ISAKMP:      SA life type in kilobytes

 21:42:18: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

 21:42:18: ISAKMP:      authenticator is HMAC-MD5

 21:42:18: validate proposal 0

 21:42:18: ISAKMP (0:2): atts are acceptable.

 21:42:18: IPSEC(validate_proposal_request): proposal part #1,

   (key eng. msg.) INBOUND local= 209.165.201.10, remote= 209.165.201.5,

     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

     remote_proxy= 209.165.201.5/255.255.255.255/0/0 (type=1),

     protocol= ESP, transform= esp-des esp-md5-hmac ,

     lifedur= 0s and 0kb,

     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

 21:42:18: validate proposal request 0

 21:42:18: ISAKMP (0:2): processing NONCE payload. message ID = -1657738412

 21:42:18: ISAKMP (0:2): processing ID payload. message ID = -1657738412

 21:42:18: ISAKMP (0:2): processing ID payload. message ID = -1657738412

 21:42:18: ISAKMP (0:2): asking for 1 spis from ipsec

 21:42:18: ISAKMP (0:2): Node -1657738412,

    Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

 Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

 

 21:42:18: IPSEC(key_engine): got a queue event...

 21:42:18: IPSEC(spi_response): getting spi 3698771833 for SA

         from 209.165.201.10  to 209.165.201.5   for prot 3

 21:42:18: ISAKMP: received ke message (2/1)

 21:42:19: CryptoEngine0: generate hmac context for conn id 2

 21:42:19: ISAKMP (0:2): sending packet to 209.165.201.5 (R) QM_IDLE

 21:42:19: ISAKMP (0:2): Node -1657738412,

    Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY

 Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

 

 21:42:19: ISAKMP (0:2): received packet from 209.165.201.5 (R) QM_IDLE

 21:42:19: CryptoEngine0: generate hmac context for conn id 2

 21:42:19: ipsec allocate flow 0

 21:42:19: ipsec allocate flow 0

 21:42:19: ISAKMP (0:2): Creating IPSec SAs

 21:42:19:         inbound SA from 209.165.201.5 to 209.165.201.10

         (proxy 209.165.201.5 to 0.0.0.0)

 21:42:19:         has spi 0xDC76C779 and conn_id 2000 and flags 4

 21:42:19:         lifetime of 28800 seconds

 21:42:19:         lifetime of 4608000 kilobytes

 21:42:19:         outbound SA from 209.165.201.10  to 209.165.201.5

    (proxy 0.0.0.0 to 209.165.201.5  )

 21:42:19:         has spi -1786553747 and conn_id 2001 and flags C

 21:42:19:         lifetime of 28800 seconds

 21:42:19:         lifetime of 4608000 kilobytes

 21:42:19: ISAKMP (0:2): deleting node -1657738412 error FALSE

    reason "quick mode done (await()"

 21:42:19: ISAKMP (0:2): Node -1657738412,

    Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

 Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

 

 21:42:19: ISAKMP (0:2): received packet from 209.165.201.5 (R) QM_IDLE

 21:42:19: CryptoEngine0: generate hmac context for conn id 2

 21:42:19: ISAKMP (0:2): processing HASH payload. message ID = 359601755

 21:42:19: ISAKMP (0:2): processing SA payload. message ID = 359601755

 21:42:19: ISAKMP (0:2): Checking IPSec proposal 1

 21:42:19: ISAKMP: transform 1, ESP_DES

 21:42:19: ISAKMP:   attributes in transform:

 21:42:19: ISAKMP:      encaps is 1

 21:42:19: ISAKMP:      SA life type in seconds

 21:42:19: ISAKMP:      SA life duration (basic) of 28800

 21:42:19: ISAKMP:      SA life type in kilobytes

 21:42:19: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

 21:42:19: ISAKMP:      authenticator is HMAC-SHA

 21:42:19: validate proposal 0

 21:42:19: IPSEC(validate_proposal): transform proposal

    (prot 3, trans 2, hmac_alg 2) not supported

 21:42:19: ISAKMP (0:2): atts not acceptable. Next payload is 0

 21:42:19: ISAKMP (0:2): Checking IPSec proposal 2

 21:42:19: ISAKMP: transform 1, ESP_DES

 21:42:19: ISAKMP:   attributes in transform:

 21:42:19: ISAKMP:      encaps is 1

 21:42:19: ISAKMP:      SA life type in seconds

 21:42:19: ISAKMP:      SA life duration (basic) of 28800

 21:42:19: ISAKMP:      SA life type in kilobytes

 21:42:19: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

 21:42:19: ISAKMP:      authenticator is HMAC-MD5

 21:42:19: validate proposal 0

 21:42:19: ISAKMP (0:2): atts are acceptable.

 21:42:19: IPSEC(validate_proposal_request): proposal part #1,

   (key eng. msg.) INBOUND local= 209.165.201.10, remote= 209.165.201.5,

     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

     remote_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),

     protocol= ESP, transform= esp-des esp-md5-hmac ,

     lifedur= 0s and 0kb,

     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

 21:42:19: validate proposal request 0

 21:42:19: ISAKMP (0:2): processing NONCE payload. message ID = 359601755

 21:42:19: ISAKMP (0:2): processing ID payload. message ID = 359601755

 21:42:19: ISAKMP (0:2): processing ID payload. message ID = 359601755

 21:42:19: ISAKMP (0:2): asking for 1 spis from ipsec

 21:42:19: ISAKMP (0:2): Node 359601755, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

 Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

 

 21:42:19: IPSEC(key_engine): got a queue event...

 21:42:19: IPSEC(initialize_sas): ,

   (key eng. msg.) INBOUND local= 209.165.201.10, remote= 209.165.201.5,

     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

     remote_proxy= 209.165.201.5/0.0.0.0/0/0 (type=1),

     protocol= ESP, transform= esp-des esp-md5-hmac ,

     lifedur= 28800s and 4608000kb,

     spi= 0xDC76C779(3698771833), conn_id= 2000, keysize= 0, flags= 0x4

 21:42:19: IPSEC(initialize_sas): ,

   (key eng. msg.) OUTBOUND local= 209.165.201.10, remote= 209.165.201.5,

     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

     remote_proxy= 209.165.201.5/0.0.0.0/0/0 (type=1),

     protocol= ESP, transform= esp-des esp-md5-hmac ,

     lifedur= 28800s and 4608000kb,

     spi= 0x95835A6D(2508413549), conn_id= 2001, keysize= 0, flags= 0xC

 21:42:19: IPSEC(create_sa): sa created,

   (sa) sa_dest= 209.165.201.10, sa_prot= 50,

     sa_spi= 0xDC76C779(3698771833),

     sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000

 21:42:19: IPSEC(create_sa): sa created,

   (sa) sa_dest= 209.165.201.5, sa_prot= 50,

     sa_spi= 0x95835A6D(2508413549),

     sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001

 !--- The two IPSec SAs above are for management.

 21:42:19: IPSEC(key_engine): got a queue event...

 21:42:19: IPSEC(spi_response): getting spi 2768543458 for SA

         from 209.165.201.10  to 209.165.201.5   for prot 3

 21:42:19: ISAKMP: received ke message (4/1)

 21:42:19: ISAKMP: Locking CONFIG struct 0x62BD0AE4 for

    crypto_ikmp_config_handle_kei_mess, count 3

 21:42:19: ISAKMP: received ke message (2/1)

 21:42:19: CryptoEngine0: generate hmac context for conn id 2

 21:42:19: ISAKMP (0:2): sending packet to 209.165.201.5 (R) QM_IDLE

 21:42:19: ISAKMP (0:2): Node 359601755,

    Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY

 Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

 

 21:42:19: ISAKMP (0:2): received packet from 209.165.201.5 (R) QM_IDLE

 21:42:19: CryptoEngine0: generate hmac context for conn id 2

 21:42:19: ipsec allocate flow 0

 21:42:19: ipsec allocate flow 0

 21:42:19: ISAKMP (0:2): Creating IPSec SAs

 21:42:19:         inbound SA from 209.165.201.5 to 209.165.201.10

         (proxy 192.168.10.0 to 0.0.0.0)

 21:42:19:         has spi 0xA5049EE2 and conn_id 2002 and flags 4

 21:42:19:         lifetime of 28800 seconds

 21:42:19:         lifetime of 4608000 kilobytes

 21:42:19:         outbound SA from 209.165.201.10  to 209.165.201.5

    (proxy 0.0.0.0 to 192.168.10.0   )

 21:42:19:         has spi -1731665145 and conn_id 2003 and flags C

 21:42:19:         lifetime of 28800 seconds

 21:42:19:         lifetime of 4608000 kilobytes

 21:42:19: ISAKMP (0:2): deleting node 359601755 error FALSE

    reason "quick mode done (await()"

 21:42:19: ISAKMP (0:2): Node 359601755, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

 Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

 

 21:42:19: IPSEC(key_engine): got a queue event...

 21:42:19: IPSEC(initialize_sas): ,

   (key eng. msg.) INBOUND local= 209.165.201.10, remote= 209.165.201.5,

     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

     remote_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),

     protocol= ESP, transform= esp-des esp-md5-hmac ,

     lifedur= 28800s and 4608000kb,

     spi= 0xA5049EE2(2768543458), conn_id= 2002, keysize= 0, flags= 0x4

 21:42:19: IPSEC(initialize_sas): ,

   (key eng. msg.) OUTBOUND local= 209.165.201.10, remote= 209.165.201.5,

     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

     remote_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),

     protocol= ESP, transform= esp-des esp-md5-hmac ,

     lifedur= 28800s and 4608000kb,

     spi= 0x98C8E307(2563302151), conn_id= 2003, keysize= 0, flags= 0xC

 21:42:19: IPSEC(create_sa): sa created,

   (sa) sa_dest= 209.165.201.10, sa_prot= 50,

     sa_spi= 0xA5049EE2(2768543458),

     sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002

 21:42:19: IPSEC(create_sa): sa created,

   (sa) sa_dest= 209.165.201.5, sa_prot= 50,

     sa_spi= 0x98C8E307(2563302151),

     sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003

 21:42:19: ISAKMP: received ke message (4/1)

 21:42:19: ISAKMP: Locking CONFIG struct 0x62BD0AE4 for

    crypto_ikmp_config_handle_kei_mess, count 4

 !--- The two IPSec SAs above are for the actual data traffic.
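When reviewing debug output like the above, the facts worth pulling out are the IKE state path (did the session pass through the XAUTH states?), which IPSec proposals the server rejected (here proposal 1 with HMAC-SHA is not supported by the configured transform set and proposal 2 with HMAC-MD5 is accepted) and the SAs that were actually created. The following parser is an added example, not Cisco's code; the SAMPLE text is a constructed excerpt in the same format as the debug output above, and as_signed32 relates the decimal SPI in the create_sa lines to the signed value IOS prints in the "has spi" lines.

```python
"""Summarise IOS Easy VPN debug output. Added example; SAMPLE is constructed."""
import re
SAMPLE = """\
Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
21:42:18: ISAKMP (0:2): Checking IPSec proposal 1
21:42:18: ISAKMP:      authenticator is HMAC-SHA
21:42:18: ISAKMP (0:2): atts not acceptable. Next payload is 0
21:42:18: ISAKMP (0:2): Checking IPSec proposal 2
21:42:18: ISAKMP:      authenticator is HMAC-MD5
21:42:18: ISAKMP (0:2): atts are acceptable.
21:42:19: IPSEC(create_sa): sa created,
  (sa) sa_dest= 209.165.201.10, sa_prot= 50,
    sa_spi= 0xDC76C779(3698771833),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
21:42:19: IPSEC(create_sa): sa created,
  (sa) sa_dest= 209.165.201.5, sa_prot= 50,
    sa_spi= 0x95835A6D(2508413549),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PROPOSAL_RE = re.compile(r"Checking IPSec proposal (\d+)")
AUTH_RE = re.compile(r"authenticator is (HMAC-\w+)")
VERDICT_RE = re.compile(r"atts (are|not) acceptable")
SA_RE = re.compile(r"sa_dest= (\S+), sa_prot= (\d+)")
SPI_RE = re.compile(r"sa_spi= 0x[0-9A-Fa-f]+\((\d+)\)")
CONN_RE = re.compile(r"sa_conn_id= (\d+)")

def as_signed32(spi):
    """IOS prints the outbound SPI as a signed 32-bit value in 'has spi' lines."""
    return spi - (1 << 32) if spi >= 1 << 31 else spi

def summarize(text):
    """Return IKE state transitions, per-proposal verdicts and created SAs."""
    states, proposals, sas = [], [], []
    current = sa = None  # proposal / create_sa record being assembled
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            states.append((m.group(1), m.group(2)))
        elif m := PROPOSAL_RE.search(line):
            current = {"proposal": int(m.group(1)), "auth": None, "accepted": None}
            proposals.append(current)
        elif (m := AUTH_RE.search(line)) and current:
            current["auth"] = m.group(1)
        elif (m := VERDICT_RE.search(line)) and current:
            current["accepted"] = m.group(1) == "are"
            current = None  # phase-1 'atts are acceptable' lines are ignored
        elif "IPSEC(create_sa)" in line:
            sa = {}
            sas.append(sa)
        elif sa is not None:  # continuation lines of the create_sa record
            if m := SA_RE.search(line):
                sa["dest"], sa["proto"] = m.group(1), int(m.group(2))
            if m := SPI_RE.search(line):
                sa["spi"] = int(m.group(1))
            if m := CONN_RE.search(line):
                sa["conn_id"] = int(m.group(1))
                sa = None
    return {"states": states, "proposals": proposals, "sas": sas}
```

On a full capture of the output above, a complete Easy VPN Remote connection should yield four created IPSec SAs (two management, two data) and a final IKE_QM_PHASE2_COMPLETE transition.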

 

 


Tool Information

For additional resources, refer to Cisco's "TAC Tools for Security Technologies" and "TAC Tools for VPN Technologies".


Related Cisco Support Community Discussions

The Cisco Support Community is a forum where anyone can post questions and answers.


Related Information


Document ID: 23783