Security: Cisco ASA 5500-X Series Next-Generation Firewalls

ASA IPSec and IKE Debugs - IKEv1 Aggressive Mode

Japanese version dated February 10, 2013 (machine translation); English original dated August 17, 2012


Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Core Issue
Scenario
      Debugs Used
      Hardware Client Configuration
      ASA Configuration
Debugs
      Phase 1 - Aggressive Mode
      Phase 1.5 - Xauth and Mode Configuration
      Phase 2 - Quick Mode
Established Tunnel
      ISAKMP
      IPSEC
Related Information

Introduction

This document provides information to help you understand the debugs on the Adaptive Security Appliance (ASA) when aggressive mode and a pre-shared key (PSK) are used.

It also shows how to map particular debug lines to the configuration that produced them.

What is not covered in this document:

  • Traffic passing after the tunnel is established

  • Basic concepts of IPSec or Internet Key Exchange (IKE)

Note: The content of this document was written by Atri Basu, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Adaptive Security Appliance (ASA)

  • Basic knowledge of IPSec and IKE

Components Used

The information in this document is based on these hardware and software versions:

  • ASA 8.3.2

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Core Issue

IKE and IPSec debugs are frequently used by the Cisco Technical Assistance Center (TAC) to understand where a problem with IPSec VPN tunnel establishment lies, but they tend to be cryptic.

Scenario

Aggressive mode is generally used only with EZVPN when pre-shared keys (PSK) are in use, for both software clients (Cisco VPN Client) and hardware clients (ASA 5505 or IOS router).

These debugs are from an ASA 8.3.2 (the EZVPN server). The EzVPN client is a router in client mode.

Debugs Used

debug crypto isakmp 127

debug crypto ipsec 127

Hardware Client Configuration

crypto ipsec client ezvpn EZ
connect manual
group EZ key cisco
mode client
peer 10.48.67.14
username cisco password cisco
xauth userid mode local

interface FastEthernet4
ip address 10.48.66.23 255.255.254.0
duplex auto
speed auto
crypto ipsec client ezvpn EZ
end

interface Vlan1
ip address 172.16.0.1 255.255.255.0
crypto ipsec client ezvpn EZ inside
end

ASA Configuration

The ASA configuration is strictly basic, meaning no external server is used.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.48.67.14 255.255.254.0

crypto ipsec transform-set TRA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route

crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

username cisco password cisco
username cisco attributes
vpn-framed-ip-address 192.168.1.100 255.255.255.0

tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
default-group-policy EZ
tunnel-group EZ ipsec-attributes
pre-shared-key *****

group-policy EZ internal
group-policy EZ attributes
password-storage enable

Debugs

Phase 1 - Aggressive Mode

Aggressive mode consists of three messages.

Aggressive Mode Message 1 (AM1); sent from the client to the server.

It contains:

  • Capabilities (vendor IDs)

  • ISAKMP proposal

  • Group (identity)

  • Hashed PSK

  • Diffie-Hellman exchange

%ASA-6-302015: Built inbound UDP connection 655 for outside:10.48.66.23/500 (10.48.66.23/500) to identity:10.48.67.14/500 (10.48.67.14/500)
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134
%ASA-7-715047: IP = 10.48.66.23, processing SA payload
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal ver 03 VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 10.48.66.23, processing ke payload
%ASA-7-715047: IP = 10.48.66.23, processing ISA_KE payload
%ASA-7-715047: IP = 10.48.66.23, processing nonce payload
%ASA-7-715047: IP = 10.48.66.23, processing ID payload
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received DPD VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received xauth V6 VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715050: IP = 10.48.66.23, Claims to be IOS but failed authentication
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received Cisco Unity client VID
%ASA-7-713906: IP = 10.48.66.23, Connection landed on tunnel_group EZ
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing IKE SA payload
%ASA-7-715028: Group = EZ, IP = 10.48.66.23, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134

Relevant configuration:

ISAKMP must be enabled on the interface, and at least one policy must match what the client sent.

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

A tunnel group whose name matches the identity (group name) the client provided.

tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
default-group-policy EZ
tunnel-group EZ ipsec-attributes
pre-shared-key cisco

Aggressive Mode Message 2 (AM2); sent from the server to the client. It contains:

  • Capabilities

  • Diffie-Hellman exchange

  • NAT detection payloads

Oct 28 15:30:24 [IKEv1 DEBUG]%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ISAKMP SA payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ke payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing nonce payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, Generating keys for Responder...
: IP = 10.48.66.23, processing SA payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing hash payload
%ASA-7-715076: Group = EZ, IP = 10.48.66.23, Computing hash for ISAKMP
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing Cisco Unity VID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing xauth V6 VID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing dpd vid payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing VID payload
%ASA-7-715048: Group = EZ, IP = 10.48.66.23, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + 
NONCE (10) + ID (5) + HASH (8)+ VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + 
VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Oct 28 15:30:24 [IKEv1 DEBUG]: IP = 10.48.66.23, processing VID payload

Aggressive Mode Message 3 (AM3); sent from the client to the server.

It contains:

  • NAT discovery and decision

%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + 
NAT-D (130) + 
NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing hash payload
%ASA-7-715076: Group = EZ, IP = 10.48.66.23, Computing hash for ISAKMP
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing notify payload
%ASA-6-713172: Group = EZ, IP = 10.48.66.23, Automatic NAT Detection Status:     Remote end is NOT behind a NAT 
device     This end is NOT behind a NAT device
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing blank hash payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing qm hash payload
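Each of the three aggressive-mode messages above, as well as the Xauth/mode-config and quick-mode exchanges that follow, can be recognised from the payload chain in its IKE_DECODE line alone, which helps when a debug capture runs to thousands of lines. The Python script below is an added example written for this page, not Cisco code. It parses IKE_DECODE lines (the sample lines are constructed from the output on this page, including the spacing quirks "HASH (8)+ VENDOR" and "NONE (0)total length" that real output contains) and names the exchange step the ASA is at as responder. The classification rules are an assumption drawn from the payload chains shown on this page, not the ASA's own logic.

```python
import re
from typing import Dict, List, Optional, Tuple

# IKE_DECODE lines constructed in the shape of the "debug crypto isakmp 127"
# output above: AM1, AM2, AM3 and the first Xauth transaction message.
SAMPLE_LINES = [
    "%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : "
    "HDR + SA (1) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + "
    "NONE (0) total length : 1134",
    "%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=0) with payloads : "
    "HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8)+ VENDOR (13) + NAT-D (130) + "
    "NAT-D (130) + VENDOR (13) + NONE (0) total length : 444",
    "%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : "
    "HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128",
    "Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=7f8bcb91) "
    "with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 72",
]

_DECODE_RE = re.compile(
    r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9A-Fa-f]+)\)"
    r" with payloads : (?P<payloads>.*?)\s*total length : (?P<length>\d+)"
)
# One payload token: name, optional space, "(type number)". HDR carries no
# number and is therefore never matched; NONE (0) is the end-of-chain marker.
_PAYLOAD_RE = re.compile(r"([A-Z][A-Z_-]*)\s*\((\d+)\)")


def parse_ike_decode(line: str) -> Optional[Dict]:
    """Return direction, msgid, payload chain and total length of an IKE_DECODE line."""
    m = _DECODE_RE.search(line)
    if m is None:
        return None
    payloads: List[Tuple[str, int]] = [
        (name, int(num))
        for name, num in _PAYLOAD_RE.findall(m.group("payloads"))
        if name != "NONE"
    ]
    return {
        "direction": m.group("dir"),
        "msgid": int(m.group("msgid"), 16),
        "payloads": payloads,
        "length": int(m.group("length")),
    }


def classify(msg: Dict) -> str:
    """Name the exchange step from the responder's (the ASA's) point of view.

    Assumption, taken from the debugs on this page: msgid 0 is phase 1
    (aggressive mode); ATTR means Xauth / mode config; a SA under a non-zero
    msgid is quick mode; HASH + NOTIFY alone is an informational exchange.
    """
    names = {name for name, _ in msg["payloads"]}
    direction = msg["direction"]
    if msg["msgid"] == 0:
        if {"SA", "KE", "NONCE", "ID"} <= names and "HASH" not in names and direction == "RECEIVED":
            return "AM1"
        if {"SA", "KE", "NONCE", "ID", "HASH"} <= names and direction == "SENDING":
            return "AM2"
        if "HASH" in names and "SA" not in names and direction == "RECEIVED":
            return "AM3"
        return "PHASE1-UNEXPECTED"
    if "ATTR" in names:
        return "XAUTH/MODE_CFG"
    if {"SA", "NONCE", "HASH"} <= names:
        return "QM1" if direction == "RECEIVED" else "QM2"
    if "NOTIFY" in names:
        return "INFORMATIONAL"
    if names == {"HASH"} and direction == "RECEIVED":
        return "QM3"
    return "UNKNOWN"


def summarize(lines: List[str]) -> List[Tuple[str, int]]:
    """(step, total length) for every IKE_DECODE line, in order; other lines are skipped."""
    result: List[Tuple[str, int]] = []
    for line in lines:
        msg = parse_ike_decode(line)
        if msg is not None:
            result.append((classify(msg), msg["length"]))
    return result


if __name__ == "__main__":
    for step, length in summarize(SAMPLE_LINES):
        print(f"{step:15s} {length} bytes")
```

Feed it the whole debug file (one line per list entry) and the sequence of steps shows at a glance where a failed negotiation stopped: an AM1 with no following AM2, for example, means the proposal or tunnel group did not match.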

Phase 1.5 - Xauth and Mode Configuration

Xauth - Extended Authentication. This is the user authentication.

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 72
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, IP = 10.48.66.23, Processing MODE_CFG Reply attributes.
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: primary DNS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: secondary DNS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: primary WINS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: secondary WINS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: IP Compression = disabled
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, User (cisco) authenticated.
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=a5d79e97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 64
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=a5d79e97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing cfg ACK attributes

Relevant configuration:

username cisco password cisco

Mode Config - request and provide configuration attributes.

It contains:

  • A request for the parameters used to configure the client.

  • The response - at minimum, and in the common scenario, an IP address and mask.

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=f582f52e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 393
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing cfg Request attributes
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for IPV4 address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for IPV4 net mask!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28692
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28693
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DNS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DNS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for WINS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for WINS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Split Tunnel List!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Split DNS!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Default Domain Name!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Save PW setting!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Local LAN Include!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for PFS setting!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for backup ip-sec peer list!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Application Version!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Client Type: IOS  Client Application Version: 12.4(20)T5
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Banner!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28695
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DHCP hostname for DDNS is: bsns-871-3!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Obtained IP addr (192.168.1.100) prior to initiating Mode Cfg(XAuth enabled)
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Sending subnet mask (255.255.255.0) to remote client
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Assigned private IP address 192.168.1.100 to remote user
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=f582f52e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 173



Oct 28 15:30:24 [IKEv1 DECODE]: IP = 10.48.66.23, IKE Responder starting QM: msg id = 8bd3cce6
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Gratuitous ARP sent for 192.168.1.100
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 1 COMPLETED
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=6531fd86) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92

Relevant configuration:

(Note that in this case the user is always assigned the same IP address.)

username cisco attributes
vpn-framed-ip-address 192.168.1.100 255.255.255.0

At this point IPSec Phase 1 is complete and Phase 2 begins:

Phase 2 - Quick Mode

Quick Mode Message 1 (QM1)

  • Phase 2 encryption algorithms (IPsec transform set)

  • Tunnel type and encryption

  • Proxy IDs - "what do we want to put in the tunnel"

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)+ ID (5) + ID (5) + NONE (0) total length : 1276
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing SA payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing nonce payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing ID payload
Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, ID_IPV4_ADDR ID received
192.168.1.100
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received remote Proxy Host data in ID Payload: Address 192.168.1.100, Protocol 0, Port 0
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing ID payload
Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, QM IsRekeyed old sa not found by addr
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE Remote Peer configured for crypto map: DYN
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing IPSec SA payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10

Relevant configuration:

crypto dynamic-map DYN 10 set transform-set TRA

Quick Mode Message 2 (QM2)

Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x5416EBD0,
    SCB: 0x53707C08,
    Direction: inbound
    SPI      : 0xD6602721
    Session ID: 0x00067000
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE got SPI from key engine: SPI = 0xd6602721
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, oakley constucting quick mode
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing IPSec SA payload
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing IPSec nonce payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing proxy ID
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Transmitting Proxy Id:
  Remote host: 192.168.1.100  Protocol 0  Port 0
  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Sending RESPONDER LIFETIME notification to Initiator
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP =  10.48.66.23, IKE Responder sending 2nd QM pkt: msg id = 8bd3cce6
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196

Relevant configuration:

tunnel-group EZ type remote-access  !(tunnel type ra = tunnel type remote-access)
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside

Quick Mode Message 3 (QM3)

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, loading all IPSEC SAs
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Generating Quick Mode Key!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, NP encrypt rule look up for crypto map DYN 10 matching ACL Unknown: returned cs_id=53cacff8; rule=00000000
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x54173AD0,
    SCB: 0x536EFC00,
    Direction: outbound
    SPI      : 0x8C52372D
    Session ID: 0x00067000
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x8C52372D
IPSEC: Creating outbound VPN context, SPI 0x8C52372D
    Flags: 0x00000005
    SA   : 0x54173AD0
    SPI  : 0x8C52372D
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x04E59681
    Channel: 0x4C69CD00
IPSEC: Completed outbound VPN context, SPI 0x8C52372D
    VPN handle: 0x0019BB3C
IPSEC: New outbound encrypt rule, SPI 0x8C52372D
    Src addr: 0.0.0.0
    Src mask: 0.0.0.0
    Dst addr: 192.168.1.100
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x8C52372D
    Rule ID: 0x536FEF98
IPSEC: New outbound permit rule, SPI 0x8C52372D
    Src addr: 10.48.67.14
    Src mask: 255.255.255.255
    Dst addr: 10.48.66.23
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8C52372D
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x8C52372D
    Rule ID: 0x4CB82D38
IPSEC: Applying VPN filter BLA_3
IPSEC: Completed outbound user rule, SPI 0x8C52372D
    Rule ID: 0x00000004
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, NP encrypt rule look up for crypto map DYN 10 matching ACL Unknown: returned cs_id=53cacff8; rule=00000000
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Security negotiation complete for User (cisco)  Responder, Inbound SPI = 0xd6602721, Outbound SPI = 0x8c52372d
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE got a KEY_ADD msg for SA: SPI = 0x8c52372d
IPSEC: Completed host IBSA update, SPI 0xD6602721
IPSEC: Creating inbound VPN context, SPI 0xD6602721
    Flags: 0x00000006
    SA   : 0x5416EBD0
    SPI  : 0xD6602721
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0019BB3C
    SCB  : 0x04E50703
    Channel: 0x4C69CD00
IPSEC: Completed inbound VPN context, SPI 0xD6602721
    VPN handle: 0x0019C174
IPSEC: Updating outbound VPN context 0x0019BB3C, SPI 0x8C52372D
    Flags: 0x00000005
    SA   : 0x54173AD0
    SPI  : 0x8C52372D
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0019C174
    SCB  : 0x04E59681
    Channel: 0x4C69CD00
IPSEC: Completed outbound VPN context, SPI 0x8C52372D
    VPN handle: 0x0019BB3C
IPSEC: Completed outbound inner rule, SPI 0x8C52372D
    Rule ID: 0x536FEF98
IPSEC: Completed outbound outer SPD rule, SPI 0x8C52372D
    Rule ID: 0x4CB82D38
IPSEC: New inbound tunnel flow rule, SPI 0xD6602721
    Src addr: 192.168.1.100
    Src mask: 255.255.255.255
    Dst addr: 0.0.0.0
    Dst mask: 0.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xD6602721
    Rule ID: 0x4CB84870
IPSEC: New inbound decrypt rule, SPI 0xD6602721
    Src addr: 10.48.66.23
    Src mask: 255.255.255.255
    Dst addr: 10.48.67.14
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xD6602721
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xD6602721
    Rule ID: 0x541476E0
IPSEC: New inbound permit rule, SPI 0xD6602721
    Src addr: 10.48.66.23
    Src mask: 255.255.255.255
    Dst addr: 10.48.67.14
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xD6602721
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xD6602721
    Rule ID: 0x4CB840B0
IPSEC: Applying VPN filter BLA_3
IPSEC: Completed inbound user rule, SPI 0xD6602721
    Rule ID: 0x00000004
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Pitcher: received KEY_UPDATE, spi 0xd6602721
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Starting P2 rekey timer: 27360 seconds.
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Adding static route for client address: 192.168.1.100
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 2 COMPLETED (msgid=8bd3cce6)

Relevant configuration:

crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route   !adding static route ...

Phase 2 is now over, but the client also sends information about itself.

If you look closely, you will find:

  • the hostname of the EzVPN client

  • the software that runs on the client

  • the location and name of that software

Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=91facca9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 184
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing notify payload
Oct 28 15:30:24 [IKEv1 DECODE]: OBSOLETE DESCRIPTOR - INDEX 1
Oct 28 15:30:24 [IKEv1 DECODE]: 0000: 00000000 7534000B 62736E73 2D383731     ....u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731     -3.u2..Cisco 871
0020: 7535000B 46484B30 39343431 32513675     u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009     6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61     145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572     sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32     vicesk9-mz.124-2
0070: 302E5435 2E62696E                       0.T5.bin

 
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing PSK Hash
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 192.168.1.100, Inconsistent PSK hash size
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, PSK Hash Verification Failed!
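The hex dump above can be decoded to recover the three items just listed, which is faster than reading the ASCII column by eye. The Python script below is an added example for this page, not Cisco code. The record layout it walks (a "u" marker, one type character, a 16-bit big-endian length, then the value) is inferred from this one dump and is labelled as an assumption in the code; type 4 evidently carries the hostname, type 2 the platform string and type 3 the image path, and the remaining types are returned unlabelled for the reader to interpret.

```python
import re
from typing import Dict

# The hex dump exactly as the ASA printed it in the NOTIFY debug above
# (offset column, four 8-digit words, then the ASCII column).
ASA_HEXDUMP = """\
0000: 00000000 7534000B 62736E73 2D383731     ....u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731     -3.u2..Cisco 871
0020: 7535000B 46484B30 39343431 32513675     u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009     6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61     145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572     sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32     vicesk9-mz.124-2
0070: 302E5435 2E62696E                       0.T5.bin
"""

# Labels inferred from the values in this dump (assumption, not a Cisco spec).
INFERRED_LABELS = {"4": "hostname", "2": "platform", "3": "image"}

_HEX_WORD = re.compile(r"[0-9A-Fa-f]{8}")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from the ASA dump, ignoring offsets and the ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        body = line.split(":", 1)[1]          # drop the "0000:" offset column
        for word in body.split()[:4]:         # at most four data words per dump line
            if not _HEX_WORD.fullmatch(word):
                break                         # first non-hex token starts the ASCII column
            raw += bytes.fromhex(word)
    return bytes(raw)


def parse_client_info(data: bytes) -> Dict[str, str]:
    """Walk the records in the dump: 'u', one type character, a 16-bit
    big-endian length, then that many ASCII bytes.

    Assumption: this layout is inferred from the dump itself, and the leading
    four zero bytes are treated as a header and skipped.
    """
    fields: Dict[str, str] = {}
    pos = 4
    while pos < len(data):
        if pos + 4 > len(data) or data[pos] != ord("u"):
            raise ValueError(f"unexpected record at offset {pos}")
        kind = chr(data[pos + 1])
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"record {kind!r} at offset {pos} is truncated")
        fields[kind] = value.decode("ascii")
        pos += 4 + length
    return fields


def describe(fields: Dict[str, str]) -> Dict[str, str]:
    """Attach the inferred labels; unknown types keep 'type N' as their key."""
    return {INFERRED_LABELS.get(k, f"type {k}"): v for k, v in fields.items()}


if __name__ == "__main__":
    for label, value in describe(parse_client_info(hexdump_to_bytes(ASA_HEXDUMP))).items():
        print(f"{label:10s} {value}")
```

The length check in parse_client_info matters in practice: a dump cut short by a debug buffer limit should raise rather than silently return a partial image name.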

Established Tunnel

ISAKMP

Command:

sh cry isa sa det

Output:

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

 
1   IKE Peer: 10.48.66.23
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86387

AM_ACTIVE - Aggressive Mode active.

IPSEC

Command:

sh crypto ipsec sa

Output: (Note that the SPI values differ from the ones negotiated in the debugs. This is in fact the same tunnel after a Phase 2 rekey.)

interface: outside
    Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
      current_peer: 10.48.66.23, username: cisco
      dynamic allocated peer ip: 192.168.1.100

     #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.48.67.14/0, remote crypto endpt.: 10.48.66.23/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C4B9A77C
      current inbound spi : EA2B6B15
 
    inbound esp sas:
      spi: 0xEA2B6B15 (3928714005)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 425984, crypto-map: DYN
         sa timing: remaining key lifetime (sec): 28714
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0xC4B9A77C (3300501372)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 425984, crypto-map: DYN
         sa timing: remaining key lifetime (sec): 28714
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
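A quick way to confirm the rekey observation above is to compare the SPIs in the "Security negotiation complete" debug line with the "current inbound/outbound spi" lines of show crypto ipsec sa: after a Phase 2 rekey both directions change. The Python script below is an added example for this page, not Cisco code; its sample inputs are constructed from the debug line and the show output printed above.

```python
import re
from typing import Dict

# Constructed from the QM3 debug line and the "show crypto ipsec sa" output above.
NEGOTIATION_LINE = (
    "Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, "
    "Security negotiation complete for User (cisco)  Responder, "
    "Inbound SPI = 0xd6602721, Outbound SPI = 0x8c52372d"
)
SHOW_IPSEC_SA = """\
      current outbound spi: C4B9A77C
      current inbound spi : EA2B6B15

    inbound esp sas:
      spi: 0xEA2B6B15 (3928714005)
         sa timing: remaining key lifetime (sec): 28714
    outbound esp sas:
      spi: 0xC4B9A77C (3300501372)
         sa timing: remaining key lifetime (sec): 28714
"""

_NEG_RE = re.compile(r"Inbound SPI = 0x([0-9a-fA-F]+), Outbound SPI = 0x([0-9a-fA-F]+)")
# Tolerates both "spi:" and "spi :" as printed by the ASA.
_CUR_RE = re.compile(r"current (inbound|outbound) spi\s*:\s*([0-9a-fA-F]+)")


def negotiated_spis(debug_line: str) -> Dict[str, int]:
    """SPIs from the 'Security negotiation complete' debug line, keyed by direction."""
    m = _NEG_RE.search(debug_line)
    if m is None:
        raise ValueError("not a 'Security negotiation complete' line")
    return {"inbound": int(m.group(1), 16), "outbound": int(m.group(2), 16)}


def current_spis(show_output: str) -> Dict[str, int]:
    """SPIs from the 'current ... spi' lines of show crypto ipsec sa."""
    found = {direction: int(hexval, 16) for direction, hexval in _CUR_RE.findall(show_output)}
    if set(found) != {"inbound", "outbound"}:
        raise ValueError("current inbound/outbound spi not both present")
    return found


def spi_changes(negotiated: Dict[str, int], current: Dict[str, int]) -> Dict[str, bool]:
    """True per direction when the SA on the box is no longer the one from the debug."""
    return {d: negotiated[d] != current[d] for d in ("inbound", "outbound")}


if __name__ == "__main__":
    changes = spi_changes(negotiated_spis(NEGOTIATION_LINE), current_spis(SHOW_IPSEC_SA))
    for direction, changed in changes.items():
        print(f"{direction}: {'rekeyed since debug' if changed else 'same SA as in debug'}")
```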

Related Information

Document ID: 113595