Configurer le client Easy VPN Remote PIX 501/506 sur un routeur IOS en mode extension réseau avec authentification étendue

Options de téléchargement

PDF (241.7 KB)
Consulter à l'aide d'Adobe Reader sur un grand nombre d'appareils
ePub (109.8 KB)
Consulter à l’aide de différentes applications sur iPhone, iPad, Android ou Windows Phone
Mobi (Kindle) (134.8 KB)
Consulter sur un appareil Kindle ou à l’aide d’une application Kindle sur plusieurs appareils

Mis à jour:26 septembre 2008

ID du document:23783

Langage exempt de préjugés

Dans le cadre de la documentation associée à ce produit, nous nous efforçons d’utiliser un langage exempt de préjugés. Dans cet ensemble de documents, le langage exempt de discrimination renvoie à une langue qui exclut la discrimination en fonction de l’âge, des handicaps, du genre, de l’appartenance raciale de l’identité ethnique, de l’orientation sexuelle, de la situation socio-économique et de l’intersectionnalité. Des exceptions peuvent s’appliquer dans les documents si le langage est codé en dur dans les interfaces utilisateurs du produit logiciel, si le langage utilisé est basé sur la documentation RFP ou si le langage utilisé provient d’un produit tiers référencé. Découvrez comment Cisco utilise le langage inclusif.

À propos de cette traduction

Cisco a traduit ce document en traduction automatisée vérifiée par une personne dans le cadre d’un service mondial permettant à nos utilisateurs d’obtenir le contenu d’assistance dans leur propre langue. Il convient cependant de noter que même la meilleure traduction automatisée ne sera pas aussi précise que celle fournie par un traducteur professionnel.

Contenu

Introduction

Conditions préalables

Conditions requises

Components Used

Conventions

Configuration

Diagramme du réseau

Configurations

Vérification

Commandes PIX show et exemple de sortie

Commandes show et exemple de sortie IOS

Dépannage

Commandes de débogage PIX et exemple de sortie

Commandes de débogage IOS et exemple de sortie

Informations connexes

Introduction

Ce document illustre la configuration d'IPSec entre la fonctionnalité de client matériel Easy VPN Remote PIX et la fonctionnalité Easy VPN Server disponible dans les versions ultérieures du logiciel Cisco IOS®. La fonctionnalité Easy VPN Remote pour le PIX a été introduite dans PIX version 6.2 et est également appelée client matériel/EzVPN. Lorsque Easy VPN Remote se connecte à un périphérique de tête de réseau, il existe au moins cinq associations de sécurité (SA), dont une IKE (Internet Key Exchange) et quatre associations IPSec. Lorsque Easy VPN Remote se connecte à la tête de réseau, il négocie toujours deux SA IPSec avec l'adresse IP de l'interface externe du PIX à n'importe quelle adresse derrière le serveur VPN. Ceci peut être utilisé à des fins de gestion pour se connecter à l'interface externe du PIX à partir du réseau derrière le routeur Cisco IOS (soit via Secure Shell [SSH], Secure HTTP for PIX Device Manager [PDM] ou Telnet). L'SA est créée par défaut sans configuration, et les deux autres SA sont créées pour le trafic de données entre les réseaux derrière le PIX et le routeur Cisco IOS.

Reportez-vous à PIX-to-PIX 6.x : Exemple de configuration de Easy VPN (NEM) pour plus d'informations sur un scénario similaire où le PIX 506 6.x agit en tant que serveur Easy VPN.

Référez-vous à Exemple de configuration de PIX/ASA 7.x Easy VPN avec un ASA 5500 en tant que serveur et PIX 506E en tant que client (NEM) pour plus d'informations sur un scénario similaire où PIX/ASA 7.x agit en tant que serveur Easy VPN.

Référez-vous à Exemple de configuration Easy VPN PIX/ASA 7.x avec un ASA 5500 comme serveur et Cisco 871 comme exemple de configuration Easy VPN Remote pour plus d'informations sur un scénario similaire où le routeur Cisco 871 agit comme Easy VPN Remote.

Référez-vous à Exemple de configuration du client matériel VPN sur un dispositif de sécurité de la gamme PIX 501/506 avec concentrateur VPN 3000 pour plus d'informations sur un scénario similaire où le concentrateur VPN Cisco 3000 agit comme serveur Easy VPN.

Conditions préalables

Conditions requises

Aucune spécification déterminée n'est requise pour ce document.

Components Used

Les informations contenues dans ce document sont basées sur les versions de matériel et de logiciel suivantes :

Pare-feu PIX qui exécute le logiciel version 6.3(5)

Remarque : La fonctionnalité Easy VPN Client sur le PIX a été introduite dans la version 6.2.
Routeur IOS de la gamme Cisco 7200 qui exécute le logiciel version 12.4(4)T1

Remarque : La fonctionnalité Easy VPN Server a été introduite dans la version 12.2(8)T).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Pour plus d'informations sur les conventions utilisées dans ce document, reportez-vous à Conventions relatives aux conseils techniques Cisco.

Configuration

Cette section vous fournit des informations pour configurer les fonctionnalités décrites dans ce document.

Remarque : Utilisez l’outil de recherche de commandes (clients inscrits seulement) pour en savoir plus sur les commandes figurant dans le présent document.

Diagramme du réseau

Ce document utilise la configuration réseau suivante :

Configurations

Ce document utilise les configurations suivantes :

Routeur Cisco IOS
PIX

Routeur Cisco IOS
ezvpn_server#show running-config Building configuration... Current configuration : 1894 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname ezvpn_server ! boot-start-marker boot system disk1:c7200-adventerprisek9-mz.124-4.T1.bin boot-end-marker ! ! !--- Enable the authentication, authorization, and accounting (AAA) !--- access control model. aaa new-model ! ! !--- Enable X-Auth for user authentication. aaa authentication login userauthen local !--- Enable group authorization. aaa authorization network groupauthor local ! aaa session-id common ! resource policy ! ip subnet-zero ip cef ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !--- For local authentication of the IPSec user, !--- create the user with password. username remoteuser1 password 0 remotepass username cisco password 0 cisco ! ! ! !--- Create an Internet Security Association and Key Management Protocol !--- (ISAKMP) policy for Phase 1 negotiations for the hardware client. crypto isakmp policy 10 hash md5 authentication pre-share group 2 ! !--- Create a group that will be used to specify the !--- Windows Internet Name Service (WINS) and Domain Name System (DNS) !--- servers' addresses to the hardware client for authentication. crypto isakmp client configuration group hwclient key test123 dns 172.22.1.101 wins 172.22.1.102 domain cisco.com pool ippool ! ! !--- Create the Phase 2 Policy for actual data encryption. crypto ipsec transform-set myset esp-des esp-md5-hmac ! !--- Create a dynamic map and apply the transform set that was created above. crypto dynamic-map dynmap 10 set transform-set myset ! ! !--- Create the actual crypto map, and apply !--- the aaa lists that were created earlier. crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 ipsec-isakmp dynamic dynmap ! ! ! ! ! interface FastEthernet0/0 ip address 10.10.10.2 255.255.255.0 duplex half !--- Apply the crypto map on the outside interface. crypto map clientmap ! interface ATM2/0 no ip address shutdown no atm ilmi-keepalive ! interface FastEthernet4/0 no ip address shutdown duplex half ! interface Ethernet5/0 ip address 172.22.1.1 255.255.255.0 duplex half ! interface Ethernet5/1 no ip address shutdown duplex half ! interface Ethernet5/2 no ip address shutdown duplex half ! interface Ethernet5/3 no ip address shutdown duplex half ! !--- Create a pool of addresses to be assigned to the VPN Clients. ip local pool ippool 172.22.1.50 172.22.1.70 ip classless no ip http server no ip http secure-server ! ! ! logging alarm informational ! ! ! ! control-plane ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 stopbits 1 line aux 0 stopbits 1 line vty 0 4 ! ! end ezvpn_server#

Routeur Cisco IOS

ezvpn_server#show running-config
Building configuration...

Current configuration : 1894 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ezvpn_server
!
boot-start-marker
boot system disk1:c7200-adventerprisek9-mz.124-4.T1.bin
boot-end-marker
!
!

!--- Enable the authentication, authorization, and accounting (AAA) !--- access control model.

aaa new-model
!
!

!--- Enable X-Auth for user authentication.

aaa authentication login userauthen local

!--- Enable group authorization.

aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!--- For local authentication of the IPSec user, !--- create the user with password.

username remoteuser1 password 0 remotepass
username cisco password 0 cisco
!
!
!

!--- Create an Internet Security Association and Key Management Protocol !--- (ISAKMP) policy for Phase 1 negotiations for the hardware client.

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!

!--- Create a group that will be used to specify the !--- Windows Internet Name Service (WINS) and Domain Name System (DNS) !--- servers' addresses to the hardware client for authentication.

crypto isakmp client configuration group hwclient
 key test123
 dns 172.22.1.101
 wins 172.22.1.102
 domain cisco.com
 pool ippool
!
!

!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-des esp-md5-hmac
!

!--- Create a dynamic map and apply the transform set that was created above.

crypto dynamic-map dynmap 10
 set transform-set myset
!
!

!--- Create the actual crypto map, and apply !--- the aaa lists that were created earlier.

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 duplex half

!--- Apply the crypto map on the outside interface.

 crypto map clientmap
!
interface ATM2/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet4/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet5/0
 ip address 172.22.1.1 255.255.255.0
 duplex half
!
interface Ethernet5/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet5/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet5/3
 no ip address
 shutdown
 duplex half
!

!--- Create a pool of addresses to be assigned to the VPN Clients.

ip local pool ippool 172.22.1.50 172.22.1.70
ip classless
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end


ezvpn_server#

PIX
pix506#show running-config : Saved : PIX Version 6.3(5) !--- Specify speed and duplex settings. interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password WwXYvtKrnjXqGbu1 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pix506 domain-name cisco.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names pager lines 24 mtu outside 1500 mtu inside 1500 !--- Define IP addresses for the PIX's inside and outside interfaces. ip address outside 10.10.10.1 255.255.255.0 ip address inside 172.16.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 !--- Define the outside router as the default gateway. !--- Typically this is the IP address of your ISP's router. route outside 0.0.0.0 0.0.0.0 10.10.10.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 !--- Define the VPN peer IP address. vpnclient server 10.10.10.2 !--- Specify whether Client/PAT (Port Address Translation) mode !--- is to be used or whether Network Extension Mode (NEM) is to be used. vpnclient mode network-extension-mode !--- Define Easy VPN Remote parameters. !--- This is the pre-shared key used in IKE negotiation. vpnclient vpngroup hwclient password ******** !--- This is the extended authentication username and password. vpnclient username cisco password ******** !---This enables vpnclient on the PIX. vpnclient enable terminal width 80 Cryptochecksum:fdbd365f0b4cdc6707a50efeeeb8ed44 : end

PIX

pix506#show running-config
: Saved
:
PIX Version 6.3(5)


!--- Specify speed and duplex settings.

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WwXYvtKrnjXqGbu1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500


!--- Define IP addresses for the PIX's inside and outside interfaces.

ip address outside 10.10.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Define the outside router as the default gateway. !--- Typically this is the IP address of your ISP's router.

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0


!--- Define the VPN peer IP address.

vpnclient server 10.10.10.2


!--- Specify whether Client/PAT (Port Address Translation) mode !--- is to be used or whether Network Extension Mode (NEM) is to be used.

vpnclient mode network-extension-mode


!--- Define Easy VPN Remote parameters. !--- This is the pre-shared key used in IKE negotiation.


vpnclient vpngroup hwclient password ********


!--- This is the extended authentication username and password.

vpnclient username cisco password ********


!---This enables vpnclient on the PIX.

vpnclient enable
terminal width 80
Cryptochecksum:fdbd365f0b4cdc6707a50efeeeb8ed44
: end

Vérification

Commandes PIX show et exemple de sortie

Référez-vous à cette section pour vous assurer du bon fonctionnement de votre configuration.

L'Outil Interpréteur de sortie (clients enregistrés uniquement) (OIT) prend en charge certaines commandes show. Utilisez l'OIT pour afficher une analyse de la sortie de la commande show .

vpnclient enable : active une connexion Easy VPN Remote. Dans NEM, le tunnel est actif même s'il n'y a pas de trafic intéressant à échanger avec le serveur Easy VPN de tête de réseau.
```
pix506(config)#vpnclient enable
```

show crypto isakmp policy - Affiche les paramètres de chaque stratégie IKE.

pix506(config)#show crypto isakmp policy 

Default protection suite 
        encryption algorithm:  DES - Data Encryption Standard (56 bit keys). 
        hash algorithm:        Secure Hash Standard 
        authentication method: Rivest-Shamir-Adleman Signature 
        Diffie-Hellman group:  #1 (768 bit) 
        lifetime:              86400 seconds, no volume limit

Cet exemple montre la sortie de la commande show crypto isakmp policy après l'activation du client matériel.

pix506(config)#show crypto isakmp policy 

Protection suite of priority 65001
       encryption algorithm: DES - Data Encryption Standard (56 bit keys).
       hash algorithm: Message Digest 5
       authentication method: Pre-Shared Key with XAUTH
       Diffie-Hellman group: #2 (1024 bit)
       lifetime: 86400 seconds, no volume limit
Protection suite of priority 65002
       encryption algorithm: DES - Data Encryption Standard (56 bit keys).
       hash algorithm: Message Digest 5
       authentication method: Pre-Shared Key
       Diffie-Hellman group: #2 (1024 bit)
       lifetime: 86400 seconds, no volume limit

show crypto ipsec Transformation : affiche les transformations IPSec actuelles.
```
pix506(config)#show crypto ipsec transform
```
Cet exemple montre la sortie de la commande show crypto ipsec transformation après l'activation du client matériel. Avant l'utilisation de la commande vpnclient enable, il n'existait qu'une seule suite de protection par défaut pour ISAKMP. Une fois la commande exécutée, Easy VPN Remote crée automatiquement quatre propositions en plus de la suite de protection par défaut. En outre, aucune transformation IPSec n'est définie avant l'utilisation de la commande enable. Le jeu de transformation est construit dynamiquement après l'exécution de la commande.
```
pix506(config)#show crypto ipsec transform-set

Transform set _vpnc_tset_9: { esp-des esp-md5-hmac } 
will negotiate = { Tunnel, }, 

Transform set _vpnc_tset_10: { esp-null esp-md5-hmac } 
will negotiate = { Tunnel, }, 

Transform set _vpnc_tset_11: { esp-null esp-sha-hmac } 
will negotiate = { Tunnel, },
```

show crypto isakmp sa—Affiche toutes les IKE SA actuelles chez un homologue.

pix506(config)#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.10.10.2       10.10.10.1    QM_IDLE         0           2

show vpnclient - Affiche les informations de configuration du client VPN ou du périphérique Easy VPN Remote.

pix506(config)#show vpnclient

LOCAL CONFIGURATION
vpnclient server 10.10.10.2
vpnclient mode network-extension-mode
vpnclient vpngroup hwclient password ********
vpnclient username cisco password ********
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server                     : 10.10.10.2
Primary DNS                        : 172.22.1.101
Primary WINS                       : 172.22.1.102
Default Domain                     : cisco.com
PFS Enabled                        : No
Secure Unit Authentication Enabled : No
User Authentication Enabled        : No
Backup Servers                     : Deleted by order of the headend

show crypto ipsec sa - Affiche les SA IPSec construites entre homologues.

pix506(config)#show crypto ipsec sa 
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 10.10.10.1

   local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 10.10.10.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0,
    #pkts decompress failed: 0
    #send errors 0, #recv errors 0

!--- As shown here, ping packets were successfully exchanged !--- between the Easy VPN Remote (PIX) and the Easy VPN Server (IOS).

local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 533f74a9

     inbound esp sas:
      spi: 0xad0984cc(2903082188)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607999/3001)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x533f74a9(1396667561)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607999/3001)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 10.10.10.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0,
    #pkts decompress failed: 0
    #send errors 0, #recv errors 0


!--- As shown here, ping packets were successfully exchanged !--- between hosts behind the Easy VPN Remote (PIX) and the Easy !--- VPN Server (IOS).

     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2eca448b

     inbound esp sas:
      spi: 0xc82c0695(3358328469)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607999/2997)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x2eca448b(785007755)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607999/2988)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

show access-list : affiche le contenu des listes d'accès.

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list _vpnc_acl; 2 elements
access-list _vpnc_acl line 1 permit ip 172.16.1.0 255.255.255.0
 any (hitcnt=18)
access-list _vpnc_acl line 2 permit ip host 10.10.10.1
 any (hitcnt=6) 

!--- The above output shows the dynamically built access lists to identify !--- interesting traffic for encryption.

Commandes show et exemple de sortie IOS

show crypto isakmp sa—Affiche toutes les IKE SA actuelles chez un homologue.

ezvpn_server#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      10.10.10.1      QM_IDLE           1026    0 ACTIVE

show crypto ipsec sa - Affiche les SA IPSec construites entre homologues.

ezvpn_server#show crypto ipsec sa


!--- As shown above, ping packets were successfully exchanged !--- between the Easy VPN Remote (PIX) and the Easy VPN Server (IOS) !--- as well as hosts behind them.


interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   current_peer 10.10.10.1 port 500
     PERMIT, flags={}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.10.10.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xAD0984CC(2903082188)

     inbound esp sas:
      spi: 0x533F74A9(1396667561)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 21, flow_id: SW:21, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4470133/2836)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAD0984CC(2903082188)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 22, flow_id: SW:22, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4470133/2834)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.1 port 500
     PERMIT, flags={}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.10.10.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xC82C0695(3358328469)

     inbound esp sas:
      spi: 0x2ECA448B(785007755)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: SW:23, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4589382/2832)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC82C0695(3358328469)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: SW:24, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4589382/2830)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Dépannage

Utilisez cette section pour dépanner votre configuration.

Si vous avez configuré Easy VPN Remote (PIX) et Easy VPN Server (IOS) comme décrit dans ce document et que vous rencontrez toujours des problèmes, rassemblez la sortie de débogage du PIX et de l'IOS et la sortie de la commande show pour analyse par le centre d'assistance technique Cisco (TAC). Voir aussi Dépannage du PIX pour passer le trafic de données sur un tunnel IPSec établi ou Dépannage de la sécurité IP - Présentation et utilisation des commandes de débogage. Activez le débogage IPSec sur le PIX.

Commandes de débogage PIX et exemple de sortie

Commandes de débogage PIX

Remarque : Consulter les renseignements importants sur les commandes de débogage avant d’utiliser les commandes de débogage.

debug crypto ipsec — affiche les négociations IPsec de la Phase 2.
debug crypto isakmp — affiche les négociations ISAKMP de la Phase 1.

Exemple de sortie PIX

ISAKMP (0): ID payload
next-payload : 13
type         : 11
protocol     : 17
port         : 0
length       : 12pix506(config)# 
ISAKMP (0): Total payload length: 16
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:10.10.10.2, dest:10.10.10.1 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0


!--- The PIX checks the received proposal against !--- its dynamically generated policies looking for a match. 


ISAKMP (0): Checking ISAKMP transform 1 against priority 65001 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65002 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65003 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65004 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65005 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65006 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65007 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65008 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65009 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

crypto_isakmp_process_block:src:10.10.10.2, dest:10.10.10.1 spt:500 dpt:500
crypto_isakmp_process_block:src:10.10.10.2, dest:10.10.10.1 spt:500 dpt:500
ISAKMP : attributes being requested

crypto_isakmp_process_block:src:10.10.10.2, dest:10.10.10.1 spt:500 dpt:500
ISAKMP (0): beginning Quick Mode exchange, M-ID of -582033986:dd4eddbeIPSEC
(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x61cf8d08(1640992008) for SA 
from      10.10.10.2 to      10.10.10.1 for prot 3

crypto_isakmp_process_block:src:10.10.10.2, dest:10.10.10.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3712933310

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.10.10.2, src= 10.10.10.1, 
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    src_proxy= 10.10.10.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3712933310

ISAKMP (0): processing ID payload. message ID = 3712933310
ISAKMP (0): processing ID payload. message ID = 3712933310
ISAKMP (0): processing NOTIFY payload 24576 protocol 3
spi 1327036890, message ID = 3712933310
ISAKMP (0): processing responder lifetime
ISAKMP (0): responder lifetime of 3600s
ISAKMP (0): Creating IPSec SAs
        inbound SA from   10.10.10.2 to   10.10.10.1 (proxy 0.0.0.0 to 10.10.10.1)
        has spi 1640992008 and conn_id 1 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from  10.10.10.1 to   10.10.10.2 (proxy 10.10.10.1 to 0.0.0.0)
        has spi 1327036890 and conn_id 2 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 10.10.10.1, src= 10.10.10.2, 
    dest_proxy= 10.10.10.1/255.255.255.255/0/0 (type=1), 
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0x61cf8d08(1640992008), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 10.10.10.1, dest= 10.10.10.2, 
    src_proxy= 10.10.10.1/255.255.255.255/0/0 (type=1), 
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0x4f18f9da(1327036890), conn_id= 2, keysize= 0, flags= 0x4


!--- The IPSec SAs shown above are for management purposes.


VPN Peer: IPSEC: Peer ip:10.10.10.2/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:10.10.10.2/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
ISAKMP (0): beginning Quick Mode exchange, M-ID of -419501328:e6feeaf0IPSEC
(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf3d52246(4090831430) for SA 
from      10.10.10.2 to      10.10.10.1 for prot 3

crypto_isakmp_process_block:src:10.10.10.2, dest:10.10.10.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3875465968

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.10.10.2, src= 10.10.10.1, 
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    src_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3875465968

ISAKMP (0): processing ID payload. message ID = 3875465968
ISAKMP (0): processing ID payload. message ID = 3875465968
ISAKMP (0): processing NOTIFY payload 24576 protocol 3
spi 465396864, message ID = 3875465968
ISAKMP (0): processing responder lifetime
ISAKMP (0): responder lifetime of 3600s
ISAKMP (0): Creating IPSec SAs
        inbound SA from   10.10.10.2 to 10.10.10.1 (proxy 0.0.0.0 to 172.16.1.0)
        has spi 4090831430 and conn_id 3 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from  10.10.10.1 to 10.10.10.2 (proxy 172.16.1.0 to 0.0.0.0)
        has spi 465396864 and conn_id 4 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 10.10.10.1, src= 10.10.10.2, 
    dest_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4), 
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0xf3d52246(4090831430), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 10.10.10.1, dest= 10.10.10.2, 
    src_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4), 
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0x1bbd6480(465396864), conn_id= 4, keysize= 0, flags= 0x4


!--- The IPSec SAs shown above are for actual data traffic.


VPN Peer: IPSEC: Peer ip:10.10.10.2/500 Ref cnt incremented to:4 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:10.10.10.2/500 Ref cnt incremented to:5 Total VPN Peers:1

Commandes de débogage IOS et exemple de sortie

Commandes de débogage IOS