Pour les partenaires
Vous êtes déjà partenaire?
ConnexionAvez-vous un compte?
Ce document fournit des informations sur la configuration du tunnel LAN à LAN FlexVPN entre les points d'extrémité IPv6 à l'aide de l'authentification locale (clé pré-partagée et certs).
Aucune spécification déterminée n'est requise pour ce document.
Ce document n'est pas limité à des versions de matériel et de logiciel spécifiques.
Pour plus d'informations sur les conventions utilisées dans ce document, reportez-vous à Conventions relatives aux conseils techniques Cisco.
L'adressage IPv6 n'est pas compris dans ce document. Référez-vous à Implémentation de l'adressage IPv6 et de la connectivité de base pour plus d'informations.
Routeur R1 :
ipv6 unicast-routing ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:123:1::2/64 ipv6 enable ! ipv6 route ::/0 2001:DB8:123:1::1 !
Routeur ISP :
ipv6 unicast-routing ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:123:1::1/64 ipv6 enable ! interface Ethernet0/1 no ip address ipv6 address 2001:DB8:123:2::1/64 ipv6 enable !
Routeur R2 :
ipv6 unicast-routing ! interface Ethernet0/0 no ip address ipv6 address 2001:DB8:123:2::2/64 ipv6 enable ! ipv6 route ::/0 2001:DB8:123:2::1 !
La configuration d'un LAN à LAN de base entre deux points d'extrémité IPv6 n'est pas différente d'IPv4.
Les valeurs par défaut Smart (proposition IKEv2, politique et politique d'autorisation) sont utilisées dans cet exemple.
Remarque : les paramètres par défaut Smart ne doivent pas être configurés.
crypto ikev2 authorization policy default route set interface route accept any ! crypto ikev2 proposal default encryption aes-cbc-256 aes-cbc-192 aes-cbc-128 integrity sha512 sha384 sha256 sha1 md5 group 5 2 ! crypto ikev2 policy default match fvrf any proposal default !
Routeur R1 :
crypto ikev2 keyring key peer R2.cisco.com description Pre-Shared-Key for Router2 address 2001:DB8:123:2::2/128 hostname Router2 identity address 2001:DB8:123:2::2 pre-shared-key local cisco123 pre-shared-key remote cisco456 ! crypto ikev2 profile default match identity remote address 2001:DB8:123:2::2/128 authentication remote pre-share authentication local pre-share keyring local key ! crypto ipsec profile default* set ikev2-profile default ! *as of 15.3(3)T the following line need not be explicitly configured anymore and is part of the smart default.
Routeur R2 :
crypto ikev2 keyring key peer R1.cisco.com description Pre-Shared-Key for Router1 address 2001:DB8:123:1::2/128 hostname Router1 identity address 2001:DB8:123:1::2 pre-shared-key local cisco456 pre-shared-key remote cisco123 ! crypto ikev2 profile default match identity remote address 2001:DB8:123:1::2/128 authentication remote pre-share authentication local pre-share keyring local key ! crypto ipsec profile default set ikev2-profile default !
Routeur R1 :
crypto pki trustpoint ikev2 enrollment url http://[2001:DB8:123:1::1]:80 revocation-check none crypto pki certificate map cmap 1 subject-name eq hostname = router2.cisco.com ! crypto ikev2 profile default match identity remote address 2001:DB8:123:2::2/128 match certificate cmap authentication remote rsa-sig authentication local rsa-sig pki trustpoint ikev2 ! crypto ipsec profile default set ikev2-profile default !
Routeur R2 :
crypto pki trustpoint ikev2 enrollment url http://[2001:DB8:123:1::1]:80 revocation-check none crypto pki certificate map cmap 1 subject-name eq hostname = router1.cisco.com ! crypto ikev2 profile default match identity remote address 2001:DB8:123:1::2/128 match certificate cmap authentication remote rsa-sig authentication local rsa-sig pki trustpoint ikev2 ! crypto ipsec profile default set ikev2-profile default !
Étant donné que deux types de trafic différents peuvent être utilisés, IPv4 et IPv6 sur le tunnel IPv6 existant, vous disposez de conceptions différentes telles que :
IPv6 dans le tunnel IPv6 à l'aide du mode tunnel ipsec ipv6
IPv4 dans le tunnel IPv6 à l'aide du mode tunnel gre ipv6
mode hybride où vous effectuez à la fois IPv4 et IPv6 via un tunnel en mode tunnel gre ipv6
Remarque : il est recommandé aux administrateurs d'utiliser des tunnels GRE sur des SVTI (mode IPSec). En effet, dans la plupart des déploiements, la prise en charge IPv6 implique une double pile et GRE/IPSEC prend en charge la double pile de manière transparente.
Routeur R1 :
interface Loopback0 description This is a test endpoint no ip address ipv6 address 2001:DB8:100:1::1/64 ipv6 enable ! interface Tunnel0 no ip address ipv6 address 2001:DB8:99::1/64 ipv6 enable tunnel source Ethernet0/0 tunnel mode ipsec ipv6 tunnel destination 2001:DB8:123:2::2 tunnel protection ipsec profile default ! ipv6 route 2001:DB8:200:1::/64 Tunnel0 !
Routeur R2 :
interface Loopback0 description This is a test endpoint no ip address ipv6 address 2001:DB8:200:1::1/64 ipv6 enable ! interface Tunnel0 no ip address ipv6 address 2001:DB8:99::2/64 ipv6 enable tunnel source Ethernet0/0 tunnel mode ipsec ipv6 tunnel destination 2001:DB8:123:1::2 tunnel protection ipsec profile default ! ipv6 route 2001:DB8:100:1::/64 Tunnel0 !
Commandes show :
===================== IKEv2 SA: ===================== Using PSK: ---------- Router1#show crypto ikev2 sa detailed IPv4 Crypto IKEv2 SA IPv6 Crypto IKEv2 SA Tunnel-id fvrf/ivrf Status 2 none/none READY Local 2001:DB8:123:1::2/500 Remote 2001:DB8:123:2::2/500 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/14180 sec CE id: 0, Session-id: 1 Status Description: Negotiation done Local spi: C73B18AE83F68C11 Remote spi: EF52B3A4454D1AAA Local id: 2001:DB8:123:1::2 Remote id: 2001:DB8:123:2::2 Local req msg id: 4 Remote req msg id: 4 Local next msg id: 4 Remote next msg id: 4 Local req queued: 4 Remote req queued: 4 Local window: 5 Remote window: 5 DPD configured for 0 seconds, retry 0 NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes --------------------- Router2#show crypto ikev2 sa detailed IPv4 Crypto IKEv2 SA IPv6 Crypto IKEv2 SA Tunnel-id fvrf/ivrf Status 3 none/none READY Local 2001:DB8:123:2::2/500 Remote 2001:DB8:123:1::2/500 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/14298 sec CE id: 0, Session-id: 1 Status Description: Negotiation done Local spi: EF52B3A4454D1AAA Remote spi: C73B18AE83F68C11 Local id: 2001:DB8:123:2::2 Remote id: 2001:DB8:123:1::2 Local req msg id: 4 Remote req msg id: 4 Local next msg id: 4 Remote next msg id: 4 Local req queued: 4 Remote req queued: 4 Local window: 5 Remote window: 5 DPD configured for 0 seconds, retry 0 NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : No Using Cert Auth: ----------------- Router1#show crypto ikev2 sa detail IPv4 Crypto IKEv2 SA IPv6 Crypto IKEv2 SA Tunnel-id fvrf/ivrf Status 1 none/none READY Local 2001:DB8:123:1::2/500 Remote 2001:DB8:123:2::2/500 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/18153 sec CE id: 1024, Session-id: 3 Status Description: Negotiation done Local spi: 282FE0B3B5CC7FAB Remote spi: 0D26F64871399A2B Local id: 2001:DB8:123:1::2 Remote id: 2001:DB8:123:2::2 Local req msg id: 6 Remote req msg id: 6 Local next msg id: 6 Remote next msg id: 6 Local req queued: 6 Remote req queued: 6 Local window: 5 Remote window: 5 DPD configured for 0 seconds, retry 0 NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes --------------------- Router2#show crypto ikev2 sa detail IPv4 Crypto IKEv2 SA IPv6 Crypto IKEv2 SA Tunnel-id fvrf/ivrf Status 1 none/none READY Local 2001:DB8:123:2::2/500 Remote 2001:DB8:123:1::2/500 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/17811 sec CE id: 1024, Session-id: 4 Status Description: Negotiation done Local spi: 0D26F64871399A2B Remote spi: 282FE0B3B5CC7FAB Local id: 2001:DB8:123:2::2 Remote id: 2001:DB8:123:1::2 Local req msg id: 6 Remote req msg id: 6 Local next msg id: 6 Remote next msg id: 6 Local req queued: 6 Remote req queued: 6 Local window: 5 Remote window: 5 DPD configured for 0 seconds, retry 0 NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : No ===================== IPSec SA: ===================== Router1#show crypto ipsec sa detail interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:123:1::2 protected vrf: (none) local ident (addr/mask/prot/port): (::/0/0/0) remote ident (addr/mask/prot/port): (::/0/0/0) current_peer 2001:DB8:123:2::2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15 #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 0, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 2001:DB8:123:1::2, remote crypto endpt.: 2001:DB8:123:2::2 path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb Ethernet0/0 current outbound spi: 0xA50C0785(2769028997) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xA065288D(2690984077) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 62, flow_id: SW:62, sibling_flags 80000041, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4226008/2911) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xA50C0785(2769028997) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 61, flow_id: SW:61, sibling_flags 80000041, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4226008/2911) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: --------------------- Router2#show crypto ipsec sa detail interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:123:2::2 protected vrf: (none) local ident (addr/mask/prot/port): (::/0/0/0) remote ident (addr/mask/prot/port): (::/0/0/0) current_peer 2001:DB8:123:1::2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15 #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 0, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 2001:DB8:123:2::2, remote crypto endpt.: 2001:DB8:123:1::2 path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb Ethernet0/0 current outbound spi: 0xA065288D(2690984077) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xA50C0785(2769028997) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 61, flow_id: SW:61, sibling_flags 80000041, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4231562/2833) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xA065288D(2690984077) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 62, flow_id: SW:62, sibling_flags 80000041, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4231562/2833) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: ===================== Routing : ===================== Router1#show ipv6 route IPv6 Routing Table - default - 9 entries S ::/0 [1/0] via 2001:DB8:123:1::1 C 2001:DB8:99::/64 [0/0] via Tunnel0, directly connected L 2001:DB8:99::1/128 [0/0] via Tunnel0, receive C 2001:DB8:100:1::/64 [0/0] via Loopback0, directly connected L 2001:DB8:100:1::1/128 [0/0] via Loopback0, receive C 2001:DB8:123:1::/64 [0/0] via Ethernet0/0, directly connected L 2001:DB8:123:1::2/128 [0/0] via Ethernet0/0, receive S 2001:DB8:200:1::/64 [1/0] via Tunnel0, directly connected L FF00::/8 [0/0] via Null0, receive --------------------- Router2#show ipv6 route IPv6 Routing Table - default - 9 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP S ::/0 [1/0] via 2001:DB8:123:2::1 C 2001:DB8:99::/64 [0/0] via Tunnel0, directly connected L 2001:DB8:99::2/128 [0/0] via Tunnel0, receive S 2001:DB8:100:1::/64 [1/0] via Tunnel0, directly connected C 2001:DB8:123:2::/64 [0/0] via Ethernet0/0, directly connected L 2001:DB8:123:2::2/128 [0/0] via Ethernet0/0, receive C 2001:DB8:200:1::/64 [0/0] via Loopback0, directly connected L 2001:DB8:200:1::1/128 [0/0] via Loopback0, receive L FF00::/8 [0/0] via Null0, receive ===================== CEF : ===================== Router1#show ipv6 cef tu0 2001:DB8:99::/64 attached to Tunnel0 2001:DB8:200:1::/64 attached to Tunnel0 Router1#show ipv6 cef 2001:DB8:200:1::1 int 2001:DB8:200:1::/64, epoch 0, flags attached, RIB[S], refcount 4, per-destination sharing sources: RIB feature space: IPRM: 0x00048000 ifnums: Tunnel0(14) path EFE135F8, path list F1BA1F2C, share 1/1, type attached prefix, for IPv6 attached to Tunnel0, adjacency IPV6 midchain out of Tunnel0 F1BBAB80 output chain: IPV6 midchain out of Tunnel0 F1BBAB80 IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:1::1 F0F7D978 Router1#show adj int | i IP|erfa|comp Protocol Interface Address IPV6 Ethernet0/0 2001:DB8:123:1::1(16) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IPV6 Ethernet0/0 FE80::A8BB:CCFF:FE00:6500(2) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IPV6 Tunnel0 point2point(10) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:1::1 IP redirect enabled Switching vector: IPv6 midchain adjacency oce Post encap features: IPSEC Post-encap output classification IP Tunnel stack to 2001:DB8:123:2::2 in Default (0x0) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:1::1 --------------------- Router2#show ipv6 cef tu0 2001:DB8:99::/64 attached to Tunnel0 2001:DB8:100:1::/64 attached to Tunnel0 Router2# show ipv6 cef 2001:DB8:100:1::1 int 2001:DB8:100:1::/64, epoch 0, flags attached, RIB[S], refcount 4, per-destination sharing sources: RIB feature space: IPRM: 0x00048000 ifnums: Tunnel0(14) path F1515E90, path list F2F75774, share 1/1, type attached prefix, for IPv6 attached to Tunnel0, adjacency IPV6 midchain out of Tunnel0 F0FB8E48 output chain: IPV6 midchain out of Tunnel0 F0FB8E48 IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:2::1 F0FB8F78 Router2# show adj int | i IP|erfa|comp Protocol Interface Address IPV6 Ethernet0/0 2001:DB8:123:2::1(16) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IPV6 Ethernet0/0 FE80::A8BB:CCFF:FE00:6510(2) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IPV6 Tunnel0 point2point(10) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:2::1 IP redirect enabled Switching vector: IPv6 midchain adjacency oce Post encap features: IPSEC Post-encap output classification IP Tunnel stack to 2001:DB8:123:1::2 in Default (0x0) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:2::1
Débogues effectués lors de l'utilisation de l'authentification PSK :
debug crypto ikev2 debug crypto ipsec
Débogues effectués lors de l'utilisation de l'authentification Cert :
debug crypto ikev2 debug crypto ipsec debug crypto pki messages debug crypto pki transaction
Ce tunneling en mode mixte/hybride ne peut être réalisé qu'à l'aide de l'en-tête GRE. La commande tunnel mode gre ipv6 est utilisée. Si la commande tunnel mode ipsec ipv6 est utilisée par erreur, ceci s'affiche :
%IPSECV6-4-PKT_PROTOCOL_MISMATCH: IP protocol in packet mismatched with tunnel mode, packet from <src> to <dst> dropped by Tunnel0.
Routeur R1 :
interface Loopback1 description This is a test endpoint ip address 10.0.0.1 255.255.255.0 ! interface Tunnel0 ip address 100.0.0.1 255.255.255.0 tunnel source Ethernet0/0 tunnel mode gre ipv6 tunnel destination 2001:DB8:123:2::2 tunnel protection ipsec profile default ! ip route 20.0.0.0 255.255.255.0 Tunnel0 !
Routeur R2 :
interface Loopback1 description This is a test endpoint ip address 20.0.0.1 255.255.255.0 ! interface Tunnel0 ip address 100.0.0.2 255.255.255.0 tunnel source Ethernet0/0 tunnel mode gre ipv6 tunnel destination 2001:DB8:123:1::2 tunnel protection ipsec profile l2l ! ip route 10.0.0.0 255.255.255.0 Tunnel0 !
Commandes show :
===================== IPSec SA: ===================== Router1#show crypto ipsec sa detail interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:123:1::2 protected vrf: (none) local ident (addr/mask/prot/port): (2001:DB8:123:1::2/128/47/0) remote ident (addr/mask/prot/port): (2001:DB8:123:2::2/128/47/0) current_peer 2001:DB8:123:2::2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 0, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 2001:DB8:123:1::2, remote crypto endpt.: 2001:DB8:123:2::2 path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb Ethernet0/0 current outbound spi: 0x99D16BE2(2580638690) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xDFF1E2D(234823213) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 90, flow_id: SW:90, sibling_flags 80000001, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4222891/2971) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x99D16BE2(2580638690) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 89, flow_id: SW:89, sibling_flags 80000001, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4222891/2971) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: --------------------- Router2#show crypto ipsec sa detail interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 2001:DB8:123:2::2 protected vrf: (none) local ident (addr/mask/prot/port): (2001:DB8:123:2::2/128/47/0) remote ident (addr/mask/prot/port): (2001:DB8:123:1::2/128/47/0) current_peer 2001:DB8:123:1::2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 0, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 2001:DB8:123:2::2, remote crypto endpt.: 2001:DB8:123:1::2 path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb Ethernet0/0 current outbound spi: 0xDFF1E2D(234823213) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x99D16BE2(2580638690) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 89, flow_id: SW:89, sibling_flags 80000001, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4210423/2955) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xDFF1E2D(234823213) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 90, flow_id: SW:90, sibling_flags 80000001, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4210423/2955) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: ===================== Routing : ===================== Router1#show ip route Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.0.0.0/24 is directly connected, Loopback1 L 10.0.0.1/32 is directly connected, Loopback1 20.0.0.0/24 is subnetted, 1 subnets S 20.0.0.0 is directly connected, Tunnel0 100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 100.0.0.0/24 is directly connected, Tunnel0 L 100.0.0.1/32 is directly connected, Tunnel0 Router1#show ipv6 route IPv6 Routing Table - default - 6 entries S ::/0 [1/0] via 2001:DB8:123:1::1 C 2001:DB8:100:1::/64 [0/0] via Loopback0, directly connected L 2001:DB8:100:1::1/128 [0/0] via Loopback0, receive C 2001:DB8:123:1::/64 [0/0] via Ethernet0/0, directly connected L 2001:DB8:123:1::2/128 [0/0] via Ethernet0/0, receive L FF00::/8 [0/0] via Null0, receive --------------------- Router2#sh ip route Gateway of last resort is not set 10.0.0.0/24 is subnetted, 1 subnets S 10.0.0.0 is directly connected, Tunnel0 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.0.0.0/24 is directly connected, Loopback1 L 20.0.0.1/32 is directly connected, Loopback1 100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 100.0.0.0/24 is directly connected, Tunnel0 L 100.0.0.2/32 is directly connected, Tunnel0 Router2#show ipv6 route IPv6 Routing Table - default - 6 entries S ::/0 [1/0] via 2001:DB8:123:2::1 C 2001:DB8:123:2::/64 [0/0] via Ethernet0/0, directly connected L 2001:DB8:123:2::2/128 [0/0] via Ethernet0/0, receive C 2001:DB8:200:1::/64 [0/0] via Loopback0, directly connected L 2001:DB8:200:1::1/128 [0/0] via Loopback0, receive L FF00::/8 [0/0] via Null0, receive ===================== CEF : ===================== Router1# sh ip cef tu0 20.0.0.0/24 attached to Tunnel0 100.0.0.0/24 attached to Tunnel0 Router1#show ip cef 20.0.0.1 internal 20.0.0.0/24, epoch 0, flags attached, RIB[S], refcount 5, per-destination sharing sources: RIB feature space: IPRM: 0x00048004 ifnums: Tunnel0(14) path EFE136D8, path list F1BA1EDC, share 1/1, type attached prefix, for IPv4 attached to Tunnel0, adjacency IP midchain out of Tunnel0 F1BBBFA0 output chain: IP midchain out of Tunnel0 F1BBBFA0 IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:1::1 F0F7D978 Router1# show adj int | i IP|erfa|comp Protocol Interface Address IPV6 Ethernet0/0 2001:DB8:123:1::1(16) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IPV6 Ethernet0/0 FE80::A8BB:CCFF:FE00:6500(2) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IP Tunnel0 point2point(10) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:1::1 GRE IPv6 tunnel IP redirect disabled Switching vector: IPv4 midchain adj oce Post encap features: IPSEC Post-encap output classification IP Tunnel stack to 2001:DB8:123:2::2 in Default (0x0) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:1::1 --------------------- Router2#sh ip cef tu0 10.0.0.0/24 attached to Tunnel0 100.0.0.0/24 attached to Tunnel0 Router2#show ip cef 10.0.0.1 internal 10.0.0.0/24, epoch 0, flags attached, RIB[S], refcount 5, per-destination sharing sources: RIB feature space: IPRM: 0x00048004 ifnums: Tunnel0(14) path F1515DB0, path list F2F77EBC, share 1/1, type attached prefix, for IPv4 attached to Tunnel0, adjacency IP midchain out of Tunnel0 F0FB8E48 output chain: IP midchain out of Tunnel0 F0FB8E48 IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:2::1 F0FB8F78 Router2# show adj int | i IP|erfa|comp Protocol Interface Address IPV6 Ethernet0/0 2001:DB8:123:2::1(16) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IPV6 Ethernet0/0 FE80::A8BB:CCFF:FE00:6510(2) IPv6 ND IP redirect enabled Switching vector: IPv6 adjacency oce IP Tunnel0 point2point(10) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:2::1 GRE IPv6 tunnel IP redirect disabled Switching vector: IPv4 midchain adj oce Post encap features: IPSEC Post-encap output classification IP Tunnel stack to 2001:DB8:123:1::2 in Default (0x0) IPV6 adj out of Ethernet0/0, addr 2001:DB8:123:2::1
Débogages:
debug crypto ikev2 debug crypto ipsec
Révision | Date de publication | Commentaires |
---|---|---|
1.0 |
23-Jan-2013 |
Première publication |