본 제품에 대한 문서 세트는 편견 없는 언어를 사용하기 위해 노력합니다. 본 설명서 세트의 목적상, 편견 없는 언어는 나이, 장애, 성별, 인종 정체성, 민족 정체성, 성적 지향성, 사회 경제적 지위 및 교차성에 기초한 차별을 의미하지 않는 언어로 정의됩니다. 제품 소프트웨어의 사용자 인터페이스에서 하드코딩된 언어, RFP 설명서에 기초한 언어 또는 참조된 서드파티 제품에서 사용하는 언어로 인해 설명서에 예외가 있을 수 있습니다. 시스코에서 어떤 방식으로 포용적인 언어를 사용하고 있는지 자세히 알아보세요.
Cisco는 전 세계 사용자에게 다양한 언어로 지원 콘텐츠를 제공하기 위해 기계 번역 기술과 수작업 번역을 병행하여 이 문서를 번역했습니다. 아무리 품질이 높은 기계 번역이라도 전문 번역가의 번역 결과물만큼 정확하지는 않습니다. Cisco Systems, Inc.는 이 같은 번역에 대해 어떠한 책임도 지지 않으며 항상 원본 영문 문서(링크 제공됨)를 참조할 것을 권장합니다.
이 문서에서는 VPN 사용자가 IPsec LAN-to-LAN(L2L) 터널을 통해 다른 라우터에 연결하면서 인터넷에 액세스할 수 있도록 허용하는 방법에 대한 샘플 컨피그레이션을 제공합니다.이 컨피그레이션은 스플릿 터널링을 활성화할 때 수행됩니다.스플릿 터널링을 사용하면 VPN 사용자가 IPsec 터널을 통해 회사 리소스에 액세스하는 동시에 인터넷에 액세스할 수 있습니다.
이 문서에 대한 특정 요건이 없습니다.
이 문서의 정보는 Cisco IOS® Software Release 12.4가 포함된 Cisco 3640 라우터를 기반으로 합니다.
이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다.이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다.현재 네트워크가 작동 중인 경우, 모든 명령어의 잠재적인 영향을 미리 숙지하시기 바랍니다.
문서 규칙에 대한 자세한 내용은 Cisco 기술 팁 규칙을 참조하십시오.
이 섹션에서는 이 문서에 설명된 기능을 구성하는 정보를 제공합니다.
이 문서에서는 다음 네트워크 설정을 사용합니다.
참고: 이 구성에 사용된 IP 주소 지정 체계는 인터넷에서 합법적으로 라우팅할 수 없습니다.이는 실습 환경에서 사용된 RFC 1918 주소입니다.
이 문서에서는 다음 구성을 사용합니다.
라우터 A |
---|
RouterA#show running-config Building configuration... Current configuration : 1132 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R9 ! boot-start-marker boot-end-marker ! ! no aaa new-model ! resource policy ! ! !--- Create an ISAKMP policy for Phase 1 |
라우터 B |
---|
RouterB#show running-config Building configuration... Current configuration : 835 bytes ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname R2 ! ! ip subnet-zero ! ! !--- Create an ISAKMP policy for Phase 1 |
이 섹션에서는 컨피그레이션이 제대로 작동하는지 확인하는 데 사용할 수 있는 정보를 제공합니다.
Cisco CLI Analyzer(등록된 고객만 해당)는 특정 show 명령을 지원합니다.Cisco CLI Analyzer를 사용하여 show 명령 출력의 분석을 봅니다.
show crypto ipsec sa - 현재 SA(보안 연결)에서 사용하는 설정을 표시합니다.
RouterA#show crypto ipsec sa interface: Serial2/0 Crypto map tag: mymap, local addr 172.16.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0) current_peer 10.0.0.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43 #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 4, #recv errors 0 local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.0.0.2 path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0 current outbound spi: 0x267BC43(40352835) inbound esp sas: spi: 0xD9F4BC76(3656694902) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: SW:1, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4558868/3550) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x267BC43(40352835) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: SW:2, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4558868/3548) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
show crypto isakmp sa - 피어의 현재 IKE SA를 모두 표시합니다.
RouterA#show crypto isakmp sa dst src state conn-id slot status 10.0.0.2 172.16.1.1 QM_IDLE 1 0 ACTIVE
이 섹션에서는 컨피그레이션 문제를 해결하는 데 사용할 수 있는 정보를 제공합니다.샘플 디버그 출력도 표시됩니다.
Cisco CLI Analyzer(등록된 고객만 해당)는 특정 show 명령을 지원합니다.Cisco CLI Analyzer를 사용하여 show 명령 출력의 분석을 봅니다.
참고: debug 명령을 사용하기 전에 디버그 명령에 대한 중요 정보를 참조하십시오.
debug crypto isakmp - 1단계의 ISAKMP 협상을 표시합니다.
debug crypto ipsec - 2단계의 IPsec 협상을 표시합니다.
RouterA#debug crypto isakmp *Sep 29 22:50:35.511: ISAKMP: received ke message (1/1) *Sep 29 22:50:35.511: ISAKMP:(0:0:N/A:0): SA request profile is (NULL) *Sep 29 22:50:35.511: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500 *Sep 29 22:50:35.511: ISAKMP: New peer created peer = 0x64C0EF54 peer_handle = 0 x8000000C *Sep 29 22:50:35.515: ISAKMP: Locking peer struct 0x64C0EF54, IKE refcount 1 for isakmp_initiator *Sep 29 22:50:35.515: ISAKMP: local port 500, remote port 500 *Sep 29 22:50:35.515: ISAKMP: set new node 0 to QM_IDLE *Sep 29 22:50:35.515: ISAKMP: Find a dup sa in the avl tree during calling isadb _insert sa = 64CDBF3C *Sep 29 22:50:35.515: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M ain mode. *Sep 29 22:50:35.515: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.0 .0.2 *Sep 29 22:50:35.515: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID *Sep 29 22:50:35.519: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID *Sep 29 22:50:35.519: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID *Sep 29 22:50:35.519: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ _MM *Sep 29 22:50:35.519: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_ I_MM1 *Sep 29 22:50:35.519: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange *Sep 29 22:50:35.519: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE *Sep 29 22:50:38.451: ISAKMP (0:0): received packet from 10.0.0.2 dport 500 spor t 500 Global (I) MM_NO_STATE *Sep 29 22:50:38.451: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 29 22:50:38.451: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_ I_MM2 *Sep 29 22:50:38.455: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 *Sep 29 22:50:38.455: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.0 .0.2 *Sep 29 22:50:38.455: ISAKMP:(0:0:N/A:0): local preshared key found *Sep 29 22:50:38.455: ISAKMP : Scanning profiles for xauth ... *Sep 29 22:50:38.455: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri ority 10 policy *Sep 29 22:50:38.455: ISAKMP: encryption DES-CBC *Sep 29 22:50:38.455: ISAKMP: hash MD5 *Sep 29 22:50:38.455: ISAKMP: default group 1 *Sep 29 22:50:38.455: ISAKMP: auth pre-share *Sep 29 22:50:38.459: ISAKMP: life type in seconds *Sep 29 22:50:38.459: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 *Sep 29 22:50:38.459: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 *Sep 29 22:50:38.547: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE *Sep 29 22:50:38.547: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM2 New State = IKE_I _MM2 *Sep 29 22:50:38.551: ISAKMP:(0:4:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP *Sep 29 22:50:38.551: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C OMPLETE *Sep 29 22:50:38.551: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM2 New State = IKE_I _MM3 *Sep 29 22:50:42.091: ISAKMP (0:134217732): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP *Sep 29 22:50:42.095: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 29 22:50:42.095: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM3 New State = IKE_I _MM4 *Sep 29 22:50:42.095: ISAKMP:(0:4:SW:1): processing KE payload. message ID = 0 *Sep 29 22:50:42.203: ISAKMP:(0:4:SW:1): processing NONCE payload. message ID = 0 *Sep 29 22:50:42.203: ISAKMP:(0:4:SW:1):found peer pre-shared key matching 10.0. 0.2 *Sep 29 22:50:42.207: ISAKMP:(0:4:SW:1):SKEYID state generated *Sep 29 22:50:42.207: ISAKMP:(0:4:SW:1): processing vendor id payload *Sep 29 22:50:42.207: ISAKMP:(0:4:SW:1): speaking to another IOS box! *Sep 29 22:50:42.207: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE *Sep 29 22:50:42.207: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I _MM4 *Sep 29 22:50:42.211: ISAKMP:(0:4:SW:1):Send initial contact *Sep 29 22:50:42.215: ISAKMP:(0:4:SW:1):SA is doing pre-shared key authenticatio n using id type ID_IPV4_ADDR *Sep 29 22:50:42.215: ISAKMP (0:134217732): ID payload next-payload : 8 type : 1 address : 172.16.1.1 protocol : 17 port : 500 length : 12 *Sep 29 22:50:42.215: ISAKMP:(0:4:SW:1):Total payload length: 12 *Sep 29 22:50:42.215: ISAKMP:(0:4:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH *Sep 29 22:50:42.219: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C OMPLETE *Sep 29 22:50:42.219: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I _MM5 *Sep 29 22:50:42.783: ISAKMP (0:134217732): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH *Sep 29 22:50:42.783: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0 *Sep 29 22:50:42.783: ISAKMP (0:134217732): ID payload next-payload : 8 type : 1 address : 10.0.0.2 protocol : 17 port : 500 length : 12 *Sep 29 22:50:42.783: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles *Sep 29 22:50:42.787: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0 *Sep 29 22:50:42.787: ISAKMP:(0:4:SW:1):SA authentication status: authenticated *Sep 29 22:50:42.787: ISAKMP:(0:4:SW:1):SA has been authenticated with 10.0.0.2 *Sep 29 22:50:42.787: ISAKMP: Trying to insert a peer 172.16.1.1/10.0.0.2/500/, and inserted successfully 64C0EF54. *Sep 29 22:50:42.787: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 29 22:50:42.787: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM5 New State = IKE_I _MM6 *Sep 29 22:50:42.791: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE *Sep 29 22:50:42.791: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM6 New State = IKE_I _MM6 *Sep 29 22:50:42.795: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C OMPLETE *Sep 29 22:50:42.795: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM6 New State = IKE_P 1_COMPLETE *Sep 29 22:50:42.799: ISAKMP:(0:4:SW:1):beginning Quick Mode exchange, M-ID of - 966196463 *Sep 29 22:50:42.803: ISAKMP:(0:4:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE *Sep 29 22:50:42.803: ISAKMP:(0:4:SW:1):Node -966196463, Input = IKE_MESG_INTERN AL, IKE_INIT_QM *Sep 29 22:50:42.803: ISAKMP:(0:4:SW:1):Old State = IKE_QM_READY New State = IK E_QM_I_QM1 !--- IKE Phase 1 is completed successfully. *Sep 29 22:50:42.803: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_CO MPLETE *Sep 29 22:50:42.803: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Sep 29 22:50:43.907: ISAKMP (0:134217732): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE *Sep 29 22:50:43.911: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = - 966196463 *Sep 29 22:50:43.911: ISAKMP:(0:4:SW:1): processing SA payload. message ID = -96 6196463 *Sep 29 22:50:43.911: ISAKMP:(0:4:SW:1):Checking IPSec proposal 1 *Sep 29 22:50:43.911: ISAKMP: transform 1, ESP_DES *Sep 29 22:50:43.911: ISAKMP: attributes in transform: *Sep 29 22:50:43.915: ISAKMP: encaps is 1 (Tunnel) *Sep 29 22:50:43.915: ISAKMP: SA life type in seconds *Sep 29 22:50:43.915: ISAKMP: SA life duration (basic) of 3600 *Sep 29 22:50:43.915: ISAKMP: SA life type in kilobytes *Sep 29 22:50:43.915: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Sep 29 22:50:43.915: ISAKMP: authenticator is HMAC-MD5 *Sep 29 22:50:43.915: ISAKMP:(0:4:SW:1):atts are acceptable. *Sep 29 22:50:43.915: ISAKMP:(0:4:SW:1): processing NONCE payload. message ID = -966196463 *Sep 29 22:50:43.919: ISAKMP:(0:4:SW:1): processing ID payload. message ID = -96 6196463 *Sep 29 22:50:43.919: ISAKMP:(0:4:SW:1): processing ID payload. message ID = -96 6196463 *Sep 29 22:50:43.923: ISAKMP: Locking peer struct 0x64C0EF54, IPSEC refcount 1 f or for stuff_ke *Sep 29 22:50:43.923: ISAKMP:(0:4:SW:1): Creating IPSec SAs *Sep 29 22:50:43.923: inbound SA from 10.0.0.2 to 172.16.1.1 (f/i) 0/ 0 (proxy 172.16.2.0 to 10.1.1.0) *Sep 29 22:50:43.923: has spi 0x84E11317 and conn_id 0 and flags 2 *Sep 29 22:50:43.923: lifetime of 3600 seconds *Sep 29 22:50:43.923: lifetime of 4608000 kilobytes *Sep 29 22:50:43.923: has client flags 0x0 *Sep 29 22:50:43.923: outbound SA from 172.16.1.1 to 10.0.0.2 (f/i) 0/0 (proxy 10.1.1.0 to 172.16.2.0) *Sep 29 22:50:43.923: has spi -65483228 and conn_id 0 and flags A *Sep 29 22:50:43.923: lifetime of 3600 seconds *Sep 29 22:50:43.923: lifetime of 4608000 kilobytes *Sep 29 22:50:43.923: has client flags 0x0 *Sep 29 22:50:43.927: ISAKMP:(0:4:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE *Sep 29 22:50:43.927: ISAKMP:(0:4:SW:1):deleting node -966196463 error FALSE rea son "No Error" *Sep 29 22:50:43.927: ISAKMP:(0:4:SW:1):Node -966196463, Input = IKE_MESG_FROM_P EER, IKE_QM_EXCH !--- IKE Phase 2 is completed successfully. *Sep 29 22:50:43.927: ISAKMP:(0:4:SW:1):Old State = IKE_QM_I_QM1 New State = IK E_QM_PHASE2_COMPLETE *Sep 29 22:50:43.931: ISAKMP: Locking peer struct 0x64C0EF54, IPSEC refcount 2 f or from create_transforms *Sep 29 22:50:43.931: ISAKMP: Unlocking IPSEC struct 0x64C0EF54 from create_tran sforms, count 1 RouterA#debug crypto ipsec *Sep 29 22:46:06.699: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 172.16.1.1, remote= 10.0.0.2, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xD9F4BC76(3656694902), conn_id= 0, keysize= 0, flags= 0x400A *Sep 29 22:46:12.631: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.16.1.1, remote= 10.0.0.2, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 *Sep 29 22:46:12.631: Crypto mapdb : proxy_match src addr : 10.1.1.0 dst addr : 172.16.2.0 protocol : 0 src port : 0 dst port : 0 *Sep 29 22:46:12.639: IPSEC(key_engine): got a queue event with 2 kei messages *Sep 29 22:46:12.639: IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 172.16.1.1, remote= 10.0.0.2, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xD9F4BC76(3656694902), conn_id= 0, keysize= 0, flags= 0x2 *Sep 29 22:46:12.639: IPSEC(initialize_sas): , (key eng. msg.) OUTBOUND local= 172.16.1.1, remote= 10.0.0.2, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x267BC43(40352835), conn_id= 0, keysize= 0, flags= 0xA *Sep 29 22:46:12.639: Crypto mapdb : proxy_match src addr : 10.1.1.0 dst addr : 172.16.2.0 protocol : 0 src port : 0 dst port : 0 *Sep 29 22:46:12.643: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 10.0.0.2 *Sep 29 22:46:12.643: IPSec: Flow_switching Allocated flow for sibling 80000006 *Sep 29 22:46:12.643: IPSEC(policy_db_add_ident): src 10.1.1.0, dest 172.16.2.0 dest_port 0 *Sep 29 22:46:12.643: IPSEC(create_sa): sa created, (sa) sa_dest= 172.16.1.1, sa_proto= 50, sa_spi= 0xD9F4BC76(3656694902), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001 *Sep 29 22:46:12.643: IPSEC(create_sa): sa created, (sa) sa_dest= 10.0.0.2, sa_proto= 50, sa_spi= 0x267BC43(40352835), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002