ASA对ASA动态对静态IKEv1/IPsec配置示例
目录
简介
本文描述如何使可适应安全工具(ASA)接受从所有动态对等体(ASA的动态IPsec站点到站点VPN连接在这种情况下)。当在本文的网络图显示, IPSec隧道设立,当通道从仅时远程ASA末端被发起。中央印制厂ASA不可以发起VPN通道由于动态IPSec配置。远程ASA的IP地址未知。
配置中央印制厂ASA为了动态地接受从通配符IP地址(0.0.0.0/0)和通配符预共享密钥的连接。远程ASA然后配置加密流量从本地到中央印制厂ASA子网如指定由crypto access-list。两边执行网络地址转换(NAT)免税为了绕过IPSec数据流的NAT。
先决条件
要求
本文档没有任何特定的要求。
使用的组件
本文档中的信息根据Cisco ASA (5510和5520)防火墙软件版本9.x和以后。
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
配置
网络图
ASDM 配置
中央印制厂ASA (静态对等体)
在与静态IP地址的ASA,请设置VPN,在这种情况下接受从未知对等体的动态连接,当仍然验证使用IKEv1预先共享密钥时的对等体:
- 选择Configuration>站点到站点VPN >Advanced >加密映射。窗口显示已经到位加密映射项的列表(如果有其中任一)。因为ASA不了解什么对端IP地址是,为了ASA能接受连接请配置与匹配转换集(IPsec建议)的动态映射。单击 Add。
- 在创建IPsec规则窗口,从通道策略(加密映射) -基本选项,从外部从接口下拉列表选择和动态从策略类型下拉列表。在优先级字段,万一有多个条目在动态映射下,为此条目请指定优先级。其次,请单击精选在IKE v1 IPsec建议字段旁边为了选择IPsec建议。
- 当挑选IPsec建议(转换集)时对话框打开,请在现行IPsec建议中选择或单击添加为了创建新的和使用同样。完成后单击 OK。
- 从通道策略(加密映射) -高级选项卡。,检查Enable (event) NAT-T复选框(要求,如果任一对等体是在NAT设备后)和Enable (event)反向路由注入复选框。当VPN通道为动态对等体时出来, ASA安装经过协商的远程VPN网络的动态路由对VPN接口的该点。
随意地,从流量选择选项卡您能也定义动态对等体的触发的VPN流量和点击OK键。
如前面提到,因为ASA没有关于远程动态对等体IP地址的任何信息,默认情况下在ASA存在的未知连接请求登陆在DefaultL2LGroup下。为了验证能成功在远端对等体(在本例中的cisco123)配置的预先共享密钥需要配比与一个在DefaultL2LGroup下。
- 选择Configuration>站点到站点VPN >Advanced >隧道组,选择DefaultL2LGroup,单击编辑并且配置希望的预先共享密钥。完成后单击 OK。
- 选择Configuration>站点到站点VPN >组策略并且选择您的选择(默认策略组政策在这种情况下)。 单击编辑并且编辑在编辑内部组策略对话框的组策略。完成后单击 OK。
- 选择Configuration>防火墙> NAT规则和从添加nat规则窗口,配置VPN流量的没有nat (NAT-EXEMPT)规则。完成后单击 OK。
远程ASA (动态对等体)
- 一旦ASDM应用程序连接对ASA,请选择向导> VPN向导>站点到站点VPN向导。
- 单击 Next。
- 从外部从VPN访问接口下拉列表选择为了指定远端对等体的外部IP地址。选择接口(广域网)加密映射应用的地方。单击 Next。
- 指定应该允许穿过VPN通道的主机/网络。在此步骤,您需要提供本地网络,并且VPN的远程网络建立隧道。在本地网络和远程网络字段旁边单击按钮并且根据需求选择地址。当您执行时,其次请单击。
- 输入认证信息使用,是在本例中的预先共享密钥。本示例中使用的预共享密钥是 cisco123。隧道组组名是远端对等体IP地址默认情况下,如果配置LAN对LAN (L2L) VPN。
或者
您能定制配置包括您的选择IKE和IPsec策略。需要在对等体之间的至少一项匹配的策略:
- 从认证方法请在Pre-Shared Key字段选中,输入IKE版本1预先共享密钥。在本例中,它是cisco123。
- 点击加密算法选项卡。
- 从认证方法请在Pre-Shared Key字段选中,输入IKE版本1预先共享密钥。在本例中,它是cisco123。
- 单击在IKE策略字段旁边管理,单击添加并且配置自定义IKE策略(phase-1)。完成后单击 OK。
- 在IPsec建议字段旁边单击精选并且选择希望的IPsec建议。当您执行时,其次请单击。
随意地,您能去优秀的转发保密性选项卡和检查Enable (event)完整转发安全性(PFS)复选框。当您执行时,其次请单击。
- 检查从地址转换复选框的豁免ASA侧主机/network为了从开始防止隧道流量网络地址转换。从下拉列表选择本地或里面为了设置本地网络可及的接口。单击 Next。
- ASDM显示配置的VPN的摘要。验证并且点击芬通社。
CLI 配置
中央印制厂ASA (静态对等体)配置
- 配置VPN流量的一个NO-NAT/NAT-EXEMPT规则,此示例显示:
object network 10.1.1.0-remote_network
subnet 10.1.1.0 255.255.255.0
object network 10.1.2.0-inside_network
subnet 10.1.2.0 255.255.255.0
nat (inside,outside) source static 10.1.2.0-inside_network 10.1.2.0-inside_network
destination static 10.1.1.0-remote_network 10.1.1.0-remote_network
no-proxy-arp route-lookup - 配置预共享密匙在DefaultL2LGroup下为了验证所有远程Dynamic-L2L-peer :
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key cisco123 - 定义phase-2/ISAKMP策略:
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 - 定义设置的phase-2转换/IPsec策略:
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
- 配置与这些参数的动态映射:
- 需要的转换集
- Enable (event)反向路由注入(RRI),允许安全工具学习连接的客户端的路由信息(可选)
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
crypto dynamic-map outside_dyn_map 1 set reverse-route - 绑定动态映射对加密映射,应用加密映射并且启用在外部接口的ISAKMP/IKEv1 :
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
远程ASA (动态对等体)
- 配置VPN流量的一个NAT免税规则:
object network 10.1.1.0-inside_network
subnet 10.1.1.0 255.255.255.0
object network 10.1.2.0-remote_network
subnet 10.1.2.0 255.255.255.0
nat (inside,outside) source static 10.1.1.0-inside_network 10.1.1.0-inside_network
destination static 10.1.2.0-remote_network 10.1.2.0-remote_network
no-proxy-arp route-lookup - 配置一静态VPN对等项和预共享密匙的一隧道群。
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
ikev1 pre-shared-key cisco123 - 定义PHASE-1/ISAKMP策略:
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 - 定义设置的phase-2转换/IPsec策略:
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
- 配置定义了有趣的VPN流量/network的access-list :
access-list outside_cryptomap extended permit ip object
10.1.1.0-inside_network object 10.1.2.0-remote_network - 配置与这些参数的静态加密映射:
- 访问列表Crypto/VPN
- 远程IPSec对等体IP地址
- 需要的转换集
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.16.2.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA - 应用加密映射并且启用在外部接口的ISAKMP/IKEv1 :
crypto map outside_map interface outside
crypto ikev1 enable outside
验证
请使用此部分确认配置适当地工作。
命令输出解释程序工具(仅限注册用户)支持某些 show 命令。请使用Output Interpreter Tool为了查看show命令输出分析。
- show crypto isakmp sa -显示所有当前IKE安全关联(SA)在对等体。
- show crypto ipsec sa -显示所有当前IPSec SAS。
此部分显示示例两ASA的验证outout。
中央印制厂ASA
Central-ASA#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Central-ASA# show crypto ipsec sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 1, local addr: 172.16.2.1
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 172.16.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.1/0, remote crypto endpt.: 172.16.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 30D071C0
current inbound spi : 38DA6E51
inbound esp sas:
spi: 0x38DA6E51 (953839185)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (3914999/28588)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x30D071C0 (818966976)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (3914999/28588)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
远程ASA
Remote-ASA#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Remote-ASA#show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 172.16.1.1
access-list outside_cryptomap extended permit ip 10.1.1.0
255.255.255.0 10.1.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 172.16.2.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.2.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 38DA6E51
current inbound spi : 30D071C0
inbound esp sas:
spi: 0x30D071C0 (818966976)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/28676)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x38DA6E51 (953839185)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/28676)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
故障排除
本部分提供了可用于对配置进行故障排除的信息。
命令输出解释程序工具(仅限注册用户)支持某些 show 命令。请使用Output Interpreter Tool为了查看show命令输出分析。
注意:使用 debug 命令之前,请参阅有关 Debug 命令的重要信息。
使用以下命令可以:
clear crypto ikev1 sa <peer IP address>
Clears the Phase 1 SA for a specific peer.
使用clear crypto isakmp sa <peer IP地址>command,在PIX/ASA软件版本8.0(3)和以上中,个人IKE SA可以被清除。在软件版本中早于8.0(3),使用vpn-sessiondb注销隧道群<tunnel-group-name>命令为了清除IKE和IPSec SAS单个通道的。
Remote-ASA#vpn-sessiondb logoff tunnel-group 172.16.2.1
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions from TunnelGroup "172.16.2.1" logged off : 1
clear crypto ipsec sa peer <peer IP address>
!!! Clears the required Phase 2 SA for specific peer.
debug crypto condition peer < Peer address>
!!! Set IPsec/ISAKMP debug filters.
debug crypto isakmp sa <debug level>
!!! Provides debug details of ISAKMP SA negotiation.
debug crypto ipsec sa <debug level>
!!! Provides debug details of IPsec SA negotiations
undebug all
!!! To stop the debugs
使用的调试:
debug cry condition peer <remote peer public IP>
debug cry ikev1 127
debug cry ipsec 127
远程ASA (发起者)
输入此数据包追踪器命令为了发起通道:
Remote-ASA#packet-tracer input inside icmp 10.1.1.10 8 0 10.1.2.10 detailed
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
Jan 19 22:00:06 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple:
Prot=1, saddr=10.1.1.10, sport=0, daddr=10.1.2.10, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE Initiator: New Phase 1, Intf
inside, IKE Peer 172.16.2.1 local Proxy Address 10.1.1.0, remote Proxy Address
10.1.2.0, Crypto map (outside_map)
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 172
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0)
total length : 132
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, Connection landed on tunnel_group 172.16.2.1
<skipped>...
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) +
NONE (0) total length : 96
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
Automatic NAT Detection Status: Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128)
+ VENDOR (13) + NONE (0) total length : 96
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR ID received 172.16.2.1
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, Connection landed on tunnel_group 172.16.2.1
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1,
Oakley begin quick mode
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1, PHASE 1 COMPLETED
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1, IKE Initiator
starting QM: msg id = c45c7b30
:
.
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, Transmitting Proxy Id:
Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.2.0 Mask 255.255.255.0 Protocol 0 Port 0
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) + NONCE
(10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +
ID (5) + ID (5) + NONE (0) total length : 172
:
.
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR_SUBNET ID received--10.1.2.0--255.255.255.0
:
.
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
Security negotiation complete for LAN-to-LAN Group (172.16.2.1)
Initiator, Inbound SPI = 0x30d071c0, Outbound SPI = 0x38da6e51
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + NONE (0) total length : 76
:
.
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
PHASE 2 COMPLETED (msgid=c45c7b30)
中央印制厂ASA (响应方)
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 172
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length
:
132
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, Connection landed on tunnel_group
DefaultL2LGroup
Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 172.16.1.1,
Generating keys for Responder...
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) +
NONE (0) total length : 304
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8)
+ IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 20 12:42:35 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 172.16.1.1,
ID_IPV4_ADDR ID received 172.16.1.1
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +
VENDOR (13) + NONE (0) total length : 96
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, PHASE 1 COMPLETED
:
.
Jan 20 12:42:35 [IKEv1 DECODE]IP = 172.16.1.1, IKE Responder starting QM:
msg id = c45c7b30
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE
RECEIVED Message (msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) +
NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Received remote
IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0,
Protocol 0, Port 0 :
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup,
IP = 172.16.1.1, Received local
IP Proxy Subnet data in ID Payload: Address 10.1.2.0, Mask 255.255.255.0,
Protocol 0, Port 0 Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup,
IP = 172.16.1.1, processing notify payload
Jan 20 12:42:35 [IKEv1] Group = DefaultL2LGroup, IP = 172.16.1.1, QM
IsRekeyed old sa not found by addr
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Static Crypto Map
check, map outside_dyn_map, seq = 1 is a successful match
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, IKE
Remote Peer configured for crypto map: outside_dyn_map
:
.
Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 172.16.1.1,
Transmitting Proxy Id: Remote subnet: 10.1.1.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 10.1.2.0 mask 255.255.255.0 Protocol 0 Port 0 :
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=c45c7b30)
with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE
(0) total length : 172 Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED
Message (msgid=c45c7b30) with payloads : HDR + HASH (8) + NONE (0) total length : 52:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Security
negotiation complete for LAN-to-LAN Group (DefaultL2LGroup) Responder,
Inbound SPI = 0x38da6e51, Outbound SPI = 0x30d071c0 :
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1,
PHASE 2 COMPLETED (msgid=c45c7b30)
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Adding static
route for L2L peer coming in on a dynamic map. address: 10.1.1.0, mask: 255.255.255.0
反馈