This document describes the debugs on a Cisco Adaptive Security Appliance (ASA) when both aggressive mode and a pre-shared key (PSK) are used. It also explains how specific debug lines map back to the configuration. Readers are expected to have a basic knowledge of IPsec and Internet Key Exchange (IKE).
This document does not cover the traffic that passes through the tunnel after it has been established.
IKE and IPsec debugs can be hard to read, but they are the main tool for understanding where IPsec VPN tunnel establishment fails.
Aggressive mode is typically used with software clients (Cisco VPN Client) and hardware clients (such as the Cisco ASA 5505 Adaptive Security Appliance or a Cisco IOS Software router), but only when pre-shared keys are in use. Unlike main mode, aggressive mode consists of three messages.
The debugs are taken from an ASA that runs software version 8.3.2 and acts as the EzVPN server. The EzVPN client is a software client.
The debug commands used in this document are:
debug crypto isakmp 127
debug crypto ipsec 127
The ASA configuration used in this example is very basic, and no external servers are used.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.48.67.14 255.255.254.0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route
crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
username cisco password cisco
username cisco attributes
vpn-framed-ip-address 192.168.1.100 255.255.255.0
tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
default-group-policy EZ
tunnel-group EZ ipsec-attributes
pre-shared-key *****
group-policy EZ internal
group-policy EZ attributes
password-storage enable
dns-server value 192.168.1.99
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelall
split-tunnel-network-list value split
default-domain value jyoungta-labdomain.cisco.com
The exchange is shown below step by step. Each step gives a short description followed by the debug output of the side that produces it: "Server:" steps come from the ASA (debug crypto isakmp 127), "Client:" steps come from the Cisco VPN Client log. The banners mark the messages on the wire; "<===" is a message from the client to the server, "===>" a message from the server to the client.

Client: Start aggressive mode. Build AM1. This process includes the following:
  497  11:28:30.289  08/24/12  Sev=Info/6   IKE/0x6300003B  Attempting to establish a connection with 64.102.156.88.
  498  11:28:30.297  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_INITIAL Event: EV_INITIATOR
  499  11:28:30.297  08/24/12  Sev=Info/4   IKE/0x63000001  Starting IKE Phase 1 Negotiation
  500  11:28:30.297  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_GEN_DHKEY
  501  11:28:30.304  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_BLD_MSG
  502  11:28:30.304  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_START_RETRY_TMR
  503  11:28:30.304  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_SND_MSG1 Event: EV_SND_MSG

Client: Send AM1.
  504  11:28:30.304  08/24/12  Sev=Info/4   IKE/0x63000013  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 64.102.156.88

<=============== Aggressive Message 1 (AM1) ===============

Server: Receive AM1 from the client.
  Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads :HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length :849

Client: Wait for the server's response.
  506  11:28:30.333  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=0000000000000000 CurState: AM_WAIT_MSG2 Event: EV_NO_EVENT

Server: Process AM1. The received proposals and transforms are compared with what is configured in order to find a match.
  Relevant configuration: ISAKMP is enabled on the interface, and at least one policy is defined that matches what the client sent:
    crypto isakmp enable
  A tunnel group exists whose name matches the ID name:
    tunnel-group EZ type
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing SA payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing ke payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing ISA_KE payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing nonce payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing ID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, Received xauth V6 VID
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, Received DPD VID
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, Received Fragmentation VID
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, Received NAT-Traversal ver 02 VID
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]IP = 64.102.156.87, Received Cisco Unity client VID
  Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, Connection landed on tunnel_group ipsec
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing IKE SA payload
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
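As an added example (not part of the original Cisco document), the following Python script reads ASA debug crypto isakmp lines like the ones above and summarises phase 1: it names each IKE_DECODE message (AM1, AM2, AM3) from its payload list, counts the "Phase 1 failure" lines per attribute class, and reports whether a transform was eventually accepted, which tunnel group the connection landed on, and the NAT detection result. The sample lines are constructed from this page's excerpt, and the regular expressions assume the message wording shown on this page.

```python
import re
from collections import Counter

# Constructed sample: "debug crypto isakmp 127" lines of the kind this page walks through
# (peer address, timestamps and values are taken from the page's own excerpt).
SAMPLE_DEBUG = """\
Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads :HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + NONE (0) total length :849
Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, Connection landed on tunnel_group ipsec
Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Aug 24 11:31:03 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=0) with payloads :HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NAT-D (130) + NAT-D (130) + NONE (0) total length :444
Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads :HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + NONE (0) total length :168
Aug 24 11:31:03 [IKEv1]Group = ipsec, IP = 64.102.156.87, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 1 COMPLETED
"""

MSG_RE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=([0-9a-f]+)\) "
                    r"with payloads :(.+?) total length :(\d+)")
FAIL_RE = re.compile(r"Phase 1 failure: Mismatched attribute types for class (.+?): "
                     r"Rcv'd: (.+?) Cfg'd: (.+?)\s*$")
ACCEPT_RE = re.compile(r"Proposal # (\d+), Transform # (\d+) acceptable")
GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
NAT_RE = re.compile(r"Remote end (IS|is NOT) behind a NAT device\s*"
                    r"This end (IS|is NOT) behind a NAT device")


def parse_payloads(chain):
    """'HDR + SA (1) + KE (4) + NONE (0)' -> ['SA', 'KE'] (HDR and the NONE terminator dropped)."""
    names = [part.strip().split(" (")[0] for part in chain.split("+")]
    return [n for n in names if n not in ("HDR", "NONE")]


def classify(msgid, payloads):
    """Name the message the way this page's table does.

    msgid 0 is the phase 1 exchange: AM1 carries SA+KE+NONCE+ID without a HASH, AM2 is
    the responder's answer with HASH added, AM3 has no SA at all. Any other msgid is a
    later exchange (XAuth/mode-config transaction or quick mode).
    """
    if msgid != "0":
        return "TRANS/QM"
    if "SA" in payloads:
        return "AM2" if "HASH" in payloads else "AM1"
    return "AM3"


def verdict(r):
    """One-line reading of the parsed debug, in the order an engineer checks it."""
    if r["tunnel_group"] is None:
        return "no 'Connection landed on tunnel_group' line; capture starts too late"
    if r["accepted"] is None:
        if r["mismatches"]:
            detail = ", ".join(f"{cls}: client {rcv} vs ASA {cfg}"
                               for (cls, rcv, cfg) in r["mismatches"])
            return "phase 1 failed, no acceptable proposal; isakmp policy mismatch on " + detail
        return "no proposal decision seen; capture is incomplete"
    noise = (f" ({sum(r['mismatches'].values())} mismatched transforms before the match are noise)"
             if r["mismatches"] else "")
    if not r["phase1_completed"]:
        return "proposal accepted but PHASE 1 COMPLETED never logged; check PSK and XAuth" + noise
    return "phase 1 completed" + noise


def triage(debug_text):
    """Summarise phase 1 from ASA isakmp debug lines; returns a dict of findings."""
    r = {"messages": [], "tunnel_group": None, "mismatches": Counter(),
         "accepted": None, "nat": None, "phase1_completed": False}
    for line in debug_text.splitlines():
        if m := MSG_RE.search(line):
            direction, msgid, chain, length = m.groups()
            payloads = parse_payloads(chain)
            r["messages"].append({"direction": direction, "msgid": msgid, "payloads": payloads,
                                  "length": int(length), "kind": classify(msgid, payloads)})
        elif m := FAIL_RE.search(line):
            # One line per rejected transform; only fatal if nothing is accepted later.
            r["mismatches"][(m.group(1), m.group(2), m.group(3))] += 1
        elif m := ACCEPT_RE.search(line):
            r["accepted"] = (int(m.group(1)), int(m.group(2)))
        elif m := GROUP_RE.search(line):
            r["tunnel_group"] = m.group(1)
        elif m := NAT_RE.search(line):
            r["nat"] = {"remote_behind_nat": m.group(1) == "IS",
                        "local_behind_nat": m.group(2) == "IS"}
        elif "PHASE 1 COMPLETED" in line:
            r["phase1_completed"] = True
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    summary = triage(SAMPLE_DEBUG)
    for msg in summary["messages"]:
        print(msg["kind"], msg["direction"], msg["payloads"])
    print(summary["verdict"])
```

The point the verdict encodes is the one this step of the table makes: a run of "Phase 1 failure" lines is harmless as long as one transform is reported acceptable afterwards.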
Server: Build AM2. This process includes the following:
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing ISAKMP SA payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing ke payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing nonce payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Generating keys for Responder...
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing ID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing hash payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Computing hash for ISAKMP
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing Cisco Unity VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing xauth V6 VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing dpd vid payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing NAT-Traversal VID ver 02 payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing NAT-Discovery payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing NAT-Discovery payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing Fragmentation VID + extended capabilities payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Server: Send AM2.
  Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=0) with payloads :HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length :444

=============== Aggressive Message 2 (AM2) ===============>

Client: Receive AM2.
  507  11:28:30.402  08/24/12  Sev=Info/5   IKE/0x6300002F  Received ISAKMP packet: peer = 64.102.156.8
  508  11:28:30.403  08/24/12  Sev=Info/4   IKE/0x63000014  RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, HASH, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, VID(Frag), VID(?)) from 64.102.156.88
  510  11:28:30.412  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_RCVD_MSG

Client: Process AM2.
  511  11:28:30.412  08/24/12  Sev=Info/5   IKE/0x63000001  Peer is a Cisco-Unity compliant peer
  512  11:28:30.412  08/24/12  Sev=Info/5   IKE/0x63000001  Peer supports XAUTH
  513  11:28:30.412  08/24/12  Sev=Info/5   IKE/0x63000001  Peer supports DPD
  514  11:28:30.412  08/24/12  Sev=Info/5   IKE/0x63000001  Peer supports NAT-T
  515  11:28:30.412  08/24/12  Sev=Info/5   IKE/0x63000001  Peer supports IKE fragmentation payloads
  516  11:28:30.412  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_GEN_SKEYID
  517  11:28:30.422  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_AUTHENTICATE_PEER
  518  11:28:30.422  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_ADJUST_PORT
  519  11:28:30.422  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_WAIT_MSG2 Event: EV_CRYPTO_ACTIVE

Client: Build AM3. This process includes client authentication; at this point all of the data needed for encryption has already been exchanged.
  520  11:28:30.422  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_SND_MSG3 Event: EV_BLD_MSG
  521  11:28:30.422  08/24/12  Sev=Debug/8  IKE/0x63000001  IOS Vendor ID Contruction started
  522  11:28:30.422  08/24/12  Sev=Info/6   IKE/0x63000001  IOS Vendor ID Contruction successful

Client: Send AM3.
  523  11:28:30.423  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: AM_SND_MSG3 Event: EV_SND_MSG
  524  11:28:30.423  08/24/12  Sev=Info/4   IKE/0x63000013  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 64.102.156.88

<=============== Aggressive Message 3 (AM3) ===============

Server: Receive AM3 from the client.
  Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=0) with payloads :HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length :168

Server: Process AM3. Confirm the use of NAT traversal (NAT-T). Both sides are now ready to start encrypting traffic.
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing hash payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Computing hash for ISAKMP
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing notify payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing NAT-Discovery payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing NAT-Discovery payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, computing NAT Discovery hash
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Processing IOS/PIX Vendor ID payload (version:1.0.0, capabilities:00000408)
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, processing VID payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Received Cisco Unity client VID
  Aug 24 11:31:03 [IKEv1]Group = ipsec, IP = 64.102.156.87, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Server: Start phase 1.5 (XAUTH) and request the user credentials.
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing blank hash payload
  Aug 24 11:31:03 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, constructing qm hash payload
  Aug 24 11:31:03 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=fb709d4d) with payloads :HDR + HASH (8) + ATTR (14) + NONE (0) total length :72

=============== XAuth - Credentials Request ===============>

Client: Receive the authentication request. The decoded payload shows empty user name and password fields.
  535  11:28:30.430  08/24/12  Sev=Info/4     IKE/0x63000014  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.102.156.88
  536  11:28:30.431  08/24/12  Sev=Decode/11  IKE/0x63000001
       ISAKMP Header
         Initiator COOKIE: D56197780D7BE3E5
         Responder COOKIE: 1B301D2DE710EDA0
         Next Payload: Hash
         Ver (Hex): 10
         Exchange Type: Transaction
         Flags: (Encryption)
         MessageID(Hex): FB709D4D
         Length: 76
       Payload Hash
         Next Payload: Attributes
         Reserved: 00
         Payload Length: 24
         Data (In Hex): C779D5CBC5C75E3576C478A15A7CAB8A83A232D0
       Payload Attributes
         Next Payload: None
         Reserved: 00
         Payload Length: 20
         Type: ISAKMP_CFG_REQUEST
         Reserved: 00
         Identifier: 0000
         XAUTH Type: Generic
         XAUTH User Name: (empty)
         XAUTH User Password: (empty)
  537  11:28:30.431  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_INITIAL Event: EV_RCVD_MSG

Client: Start phase 1.5 (XAUTH). Start the retry timer and wait for user input. If the retry timer expires, the client disconnects automatically.
  538  11:28:30.431  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_PCS_XAUTH_REQ Event: EV_INIT_XAUTH
  539  11:28:30.431  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_PCS_XAUTH_REQ Event: EV_START_RETRY_TMR
  540  11:28:30.432  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_WAIT_4USER Event: EV_NO_EVENT
  541  11:28:36.415  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_WAIT_4USER Event: EV_RCVD_USER_INPUT

Client: Once the user input is received, send the user credentials to the server. The decoded payload shows the user name and password fields populated (their values are not displayed). Send the mode-config request (various attributes).
  542  11:28:36.415  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_WAIT_4USER Event: EV_SND_MSG
  543  11:28:36.415  08/24/12  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88
  544  11:28:36.415  08/24/12  Sev=Decode/11  IKE/0x63000001
       ISAKMP Header
         Initiator COOKIE: D56197780D7BE3E5
         Responder COOKIE: 1B301D2DE710EDA0
         Next Payload: Hash
         Ver (Hex): 10
         Exchange Type: Transaction
         Flags: (Encryption)
         MessageID(Hex): FB709D4D
         Length: 85
       Payload Hash
         Next Payload: Attributes
         Reserved: 00
         Payload Length: 24
         Data (In Hex): 1A3645155BE9A81CB80FCDB5F7F24E03FF8239F5
       Payload Attributes
         Next Payload: None
         Reserved: 00
         Payload Length: 33
         Type: ISAKMP_CFG_REPLY
         Reserved: 00
         Identifier: 0000
         XAUTH Type: Generic
         XAUTH User Name: (data not displayed)
         XAUTH User Password: (data not displayed)

<=============== Xauth - User Credentials ===============

Server: Receive the user credentials.
  Aug 24 11:31:09 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=fb709d4d) with payloads :HDR + HASH (8) + ATTR (14) + NONE (0) total length :85
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, process_attr():Enter!

Server: Process the user credentials. Validate the credentials and generate the mode-config payload.
  Relevant configuration:
    username cisco
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, IP = 64.102.156.87, Processing MODE_CFG Reply attributes.
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:primary DNS = 192.168.1.99
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:secondary DNS = cleared
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:primary WINS = cleared
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:secondary WINS = cleared
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:split tunneling list = split
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:default domain = jyoungta-labdomain.cisco.com
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:IP Compression = disabled
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:Split Tunneling Policy = Disabled
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:Browser Proxy Setting = no-modify
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKEGetUserAttributes:Browser Proxy Bypass Local = disable
  Aug 24 11:31:09 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, User (user1) authenticated.

Server: Send the XAUTH result.
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload
  Aug 24 11:31:09 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=5b6910ff) with payloads :HDR + HASH (8) + ATTR (14) + NONE (0) total length :64

=============== XAuth - Authorization Result ===============>

Client: Receive the authentication result and process it.
  545  11:28:36.416  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_XAUTHREQ_DONE Event: EV_XAUTHREQ_DONE
  546  11:28:36.416  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_XAUTHREQ_DONE Event: EV_NO_EVENT
  547  11:28:36.424  08/24/12  Sev=Info/5     IKE/0x6300002F  Received ISAKMP packet: peer = 64.102.156.88
  548  11:28:36.424  08/24/12  Sev=Info/4     IKE/0x63000014  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.102.156.88
  549  11:28:36.425  08/24/12  Sev=Decode/11  IKE/0x63000001
       ISAKMP Header
         Initiator COOKIE: D56197780D7BE3E5
         Responder COOKIE: 1B301D2DE710EDA0
         Next Payload: Hash
         Ver (Hex): 10
         Exchange Type: Transaction
         Flags: (Encryption)
         MessageID(Hex): 5B6910FF
         Length: 76
       Payload Hash
         Next Payload: Attributes
         Reserved: 00
         Payload Length: 24
         Data (In Hex): 7DCF47827164198731639BFB7595F694C9DDFE85
       Payload Attributes
         Next Payload: None
         Reserved: 00
         Payload Length: 12
         Type: ISAKMP_CFG_SET
         Reserved: 00
         Identifier: 0000
         XAUTH Status: (value garbled in the source)
  550  11:28:36.425  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=5B6910FF CurState: TM_INITIAL Event: EV_RCVD_MSG
  551  11:28:36.425  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=5B6910FF CurState: TM_PCS_XAUTH_SET Event: EV_INIT_XAUTH
  552  11:28:36.425  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=5B6910FF CurState: TM_PCS_XAUTH_SET Event: EV_CHK_AUTH_RESULT

Client: Acknowledge the result.
  553  11:28:36.425  08/24/12  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88

<=============== Xauth - Acknowledgement ===============

Server: Receive and process the ACK ("no response from server").
  Aug 24 11:31:09 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=5b6910ff) with payloads :HDR + HASH (8) + ATTR (14) + NONE (0) total length :60
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, process_attr():Enter!
  Aug 24 11:31:09 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Processing cfg ACK attributes
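As a second added example (again not from the original document), this Python script parses Cisco VPN Client log lines in the fused form in which this page shows them (line number, time, date, severity and facility run together), extracts the NAV Trace state-machine transitions, and measures how long each state lasted. For the retry-timer caveat above, the number that matters is the time the XAuth transaction spent in TM_WAIT_4USER. The sample lines are copied from this page's XAuth step; the field layout is assumed from those lines.

```python
import re
from datetime import datetime

# Constructed sample: client log lines copied from this page's XAuth step, in the fused
# form the page shows. The parser accepts that form as well as normally spaced fields.
SAMPLE_CLIENT_LOG = """\
53711:28:30.43108/24/12Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_INITIALEvent:EV_RCVD_MSG
53811:28:30.43108/24/12Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_PCS_XAUTH_REQEvent:EV_INIT_XAUTH
53911:28:30.43108/24/12 Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_PCS_XAUTH_REQEvent:EV_START_RETRY_TMR
54011:28:30.43208/24/12Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_WAIT_4USEREvent:EV_NO_EVENT
541 11:28:36.41508/24/12Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_WAIT_4USEREvent:EV_RCVD_USER_INPUT
54211:28:36.41508/24/12Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_WAIT_4USEREvent:EV_SND_MSG
54311:28:36.41508/24/12Sev=Info/4IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88
54511:28:36.41608/24/12Sev=Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=FB709D4DCurState:TM_XAUTHREQ_DONEEvent:EV_XAUTHREQ_DONE
"""

# Line number is matched lazily so that "53711:28:30.431" splits into 537 and 11:28:30.431.
LINE_RE = re.compile(
    r"^(\d+?)\s*(\d\d:\d\d:\d\d\.\d{3})\s*(\d\d/\d\d/\d\d)\s*"
    r"Sev=(\w+)/(\d+)\s*(\w+)/(0x[0-9A-Fa-f]+)\s*(.*)$")
# State names are \w+, so the lazy match stops right before the literal "Event:".
TRACE_RE = re.compile(r"NAV Trace->(SA|TM|QM):(.+?)\s*CurState:\s*(\w+?)\s*Event:\s*(\w+)")


def parse_client_log(text):
    """Split each client log line into its fields; 'trace' is set only for NAV Trace lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, clock, date, sev_name, sev_level, facility, code, msg = m.groups()
        rec = {"line": int(num), "facility": facility, "code": code, "msg": msg,
               "severity": f"{sev_name}/{sev_level}",
               "ts": datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S.%f"),
               "trace": None}
        t = TRACE_RE.search(msg)
        if t:
            rec["trace"] = {"machine": t.group(1), "instance": t.group(2),
                            "state": t.group(3), "event": t.group(4)}
        records.append(rec)
    return records


def state_dwell(records, machine, instance):
    """Seconds spent in each state of one state-machine instance, in order of entry.

    A state is entered at the first trace line that reports it as CurState and left at
    the first trace line that reports a different state; the final state has no exit
    and is reported with the time up to the last trace line seen.
    """
    entries = []          # [(state, entered_at)]
    last_ts = None
    for rec in records:
        tr = rec["trace"]
        if not tr or tr["machine"] != machine or tr["instance"] != instance:
            continue
        last_ts = rec["ts"]
        if not entries or entries[-1][0] != tr["state"]:
            entries.append((tr["state"], rec["ts"]))
    dwell = []
    for i, (state, entered) in enumerate(entries):
        left = entries[i + 1][1] if i + 1 < len(entries) else last_ts
        dwell.append((state, (left - entered).total_seconds()))
    return dwell


def xauth_user_wait(records, instance):
    """Seconds the XAuth transaction sat in TM_WAIT_4USER waiting for the user to type.

    This is the interval bounded by the client's retry timer: if the timer expires
    before the user answers, the client disconnects, so compare this value with it.
    """
    for state, seconds in state_dwell(records, "TM", instance):
        if state == "TM_WAIT_4USER":
            return seconds
    return None


if __name__ == "__main__":
    recs = parse_client_log(SAMPLE_CLIENT_LOG)
    for state, seconds in state_dwell(recs, "TM", "MsgID=FB709D4D"):
        print(f"{state:<20} {seconds:.3f}s")
    print("user input wait:", xauth_user_wait(recs, "MsgID=FB709D4D"), "s")
```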
Client: Build the mode-config request. The decoded payload shows the parameters requested from the server.
  555  11:28:36.426  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=5B6910FF CurState: TM_XAUTH_DONE Event: EV_XAUTH_DONE_SUC
  556  11:28:36.426  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=5B6910FF CurState: TM_XAUTH_DONE Event: EV_NO_EVENT
  557  11:28:36.426  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_XAUTHREQ_DONE Event: EV_TERM_REQUEST
  558  11:28:36.426  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_FREE Event: EV_REMOVE
  559  11:28:36.426  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=FB709D4D CurState: TM_FREE Event: EV_NO_EVENT
  560  11:28:36.426  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_XAUTH_PROG Event: EV_XAUTH_DONE_SUC
  561  11:28:38.406  08/24/12  Sev=Debug/8  IKE/0x6300004C  Starting DPD timer for IKE SA (I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0) sa->state = 1, sa->dpd.worry_freq(mSec) = 5000
  562  11:28:38.406  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_MODECFG_PROG Event: EV_INIT_MODECFG
  563  11:28:38.406  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_MODECFG_PROG Event: EV_NO_EVENT
  564  11:28:38.406  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=84B4B653 CurState: TM_INITIAL Event: EV_INIT_MODECFG
  565  11:28:38.408  08/24/12  Sev=Info/5   IKE/0x6300005E  Client sending a firewall request to concentrator
  566  11:28:38.409  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=84B4B653 CurState: TM_SND_MODECFGREQ Event: EV_START_RETRY_TMR

Client: Send the mode-config request.
  567  11:28:38.409  08/24/12  Sev=Debug/7    IKE/0x63000076  NAV Trace->TM:MsgID=84B4B653 CurState: TM_SND_MODECFGREQ Event: EV_SND_MSG
  568  11:28:38.409  08/24/12  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.102.156.88
  569  11:28:38.627  08/24/12  Sev=Decode/11  IKE/0x63000001
       ISAKMP Header
         Initiator COOKIE: D56197780D7BE3E5
         Responder COOKIE: 1B301D2DE710EDA0
         Next Payload: Hash
         Ver (Hex): 10
         Exchange Type: Transaction
         Flags: (Encryption)
         MessageID(Hex): 84B4B653
         Length: 183
       Payload Hash
         Next Payload: Attributes
         Reserved: 00
         Payload Length: 24
         Data (In Hex): 81BFBF6721A744A815D69A315EF4AAA571D6B687
       Payload Attributes
         Next Payload: None
         Reserved: 00
         Payload Length: 131
         Type: ISAKMP_CFG_REQUEST
         Reserved: 00
         Identifier: 0000
         IPv4 Address: (empty)
         IPv4 Netmask: (empty)
         IPv4 DNS: (empty)
         IPv4 NBNS (WINS): (empty)
         Address Expiry: (empty)
         Cisco extension: Banner: (empty)
         Cisco extension: Save PWD: (empty)
         Cisco extension: Default Domain Name: (empty)
         Cisco extension: Split Include: (empty)
         Cisco extension: Split DNS Name: (empty)
         Cisco extension: Do PFS: (empty)
         Unknown: (empty)
         Cisco extension: Backup Servers: (empty)
         Cisco extension: Smart Card Removal Disconnect: (empty)
         Application Version: Cisco Systems VPN Client 5.0.07.0290:WinNT
         Cisco extension: Firewall Type: (empty)
         Cisco extension: Dynamic DNS Hostname: ATBASU-LABBOX

<=============== Mode-config Request ===============

Server: Receive the mode-config request.
  Aug 24 11:31:11 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=84b4b653) with payloads :HDR + HASH (8) + ATTR (14) + NONE (0) total length :183
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, process_attr():Enter!

Client: Wait for the server's response.
  570  11:28:38.628  08/24/12  Sev=Debug/7  IKE/0x63000076  NAV Trace->TM:MsgID=84B4B653 CurState: TM_WAIT_MODECFGREPLY Event: EV_NO_EVENT

Server: Process the mode-config request. Many of these values are normally configured in the group policy; because the server in this example has a very basic configuration, they are not shown here.
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Processing cfg Request attributes
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for IPV4 address!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for IPV4 net mask!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for DNS server address!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for WINS server address!
  Aug 24 11:31:11 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Received unsupported transaction mode attribute:5
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Banner!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Save PW setting!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Default Domain Name!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Split Tunnel List!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Split DNS!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for PFS setting!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Client Browser Proxy Setting!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for backup ip-sec peer list!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Client Smartcard Removal Disconnect Setting!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for Application Version!
  Aug 24 11:31:11 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Client Type:WinNT Client Application Version:5.0.07.0290
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for FWTYPE!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, MODE_CFG:Received request for DHCP hostname for DDNS is:ATBASU-LABBOX!

Server: Build the mode-config reply with all of the configured values.
  Relevant configuration (note that in this case the user is always assigned the same IP address):
    username cisco
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Obtained IP addr (192.168.1.100) prior to initiating Mode Cfg (XAuth enabled)
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Sending subnet mask (255.255.255.0) to remote client
  Aug 24 11:31:11 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Assigned private IP address 192.168.1.100 to remote user
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, construct_cfg_set:default domain = jyoungta-labdomain.cisco.com
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Send Client Browser Proxy Attributes!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Send Cisco Smartcard Removal Disconnect enable!!
  Aug 24 11:31:11 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload

Server: Send the mode-config reply.
  Aug 24 11:31:11 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=84b4b653) with payloads :HDR + HASH (8) + ATTR (14) + NONE (0) total length :215

=============== Mode-config Response ===============>

Client: Receive the values of the mode-config parameters from the server.
  571  11:28:38.638  08/24/12  Sev=Info/5     IKE/0x6300002F  Received ISAKMP packet: peer = 64.102.156.88
  572  11:28:38.638  08/24/12  Sev=Info/4     IKE/0x63000014  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.102.156.88
  573  11:28:38.639  08/24/12  Sev=Decode/11  IKE/0x63000001
       ISAKMP Header
         Initiator COOKIE: D56197780D7BE3E5
         Responder COOKIE: 1B301D2DE710EDA0
         Next Payload: Hash
         Ver (Hex): 10
         Exchange Type: Transaction
         Flags: (Encryption)
         MessageID(Hex): 84B4B653
         Length: 220
       Payload Hash
         Next Payload: Attributes
         Reserved: 00
         Payload Length: 24
         Data (In Hex): 6DE2E70ACF6B1858846BC62E590C00A66745D14D
       Payload Attributes
         Next Payload: None
         Reserved: 00
         Payload Length: 163
         Type: ISAKMP_CFG_REPLY
         Reserved: 00
         Identifier: 0000
         IPv4 Address: 192.168.1.100
         IPv4 Netmask: 255.255.255.0
         IPv4 DNS: 192.168.1.99
         Cisco extension: Save PWD: No
         Cisco extension: Default Domain Name: jyoungta-labdomain.cisco.com
         Cisco extension: Do PFS: No
         Application Version: Cisco Systems, Inc ASA5505 Version 8.4(4)1 built by builders on Thu 14-Jun-12 11:20
         Cisco extension: Smart Card Removal Disconnect: Yes
フェーズ 1 がサーバで完了します。クイック モード(QM)プロセスを開始します。 |
Aug 24 11:31:13 [IKEv1 DECODE]IP = 64.102.156.87, IKE Responder starting QM:msg id = 0e83792e Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Gratuitous ARP sent for 192.168.1.100 Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 1 COMPLETED |
57411:28:38.63908/24/12Sev= Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=84B4B653CurState: TM_WAIT_MODECFGREPLYEvent:EV_RCVD_MSG 57511:28:38.63908/24/12Sev= Info/5IKE/0x63000010 MODE_CFG_REPLY:属性= INTERNAL_IPV4_ADDRESS:, value = 192.168.1.100 57611:28:38.63908/24/12Sev=Info/5IKE/0x63000010 MODE_CFG_REPLY:属性= INTERNAL_IPV4_NETMASK:, value = 255.255.255.0 57711:28:38.63908/24/12Sev= Info/5IKE/0x63000010 MODE_CFG_REPLY:Attribute = INTERNAL_IPV4_DNS(1):、 value = 192.168.1.99 57811:28:38.63908/24/12Sev=Info/5IKE/0x6300000D MODE_CFG_REPLY:Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000 57911:28:38.63908/24/12Sev=Info/5IKE/0x6300000E MODE_CFG_REPLY:Attribute = MODECFG_UNITY_DEFDOMAIN:, value = jyoungta- labdomain.cisco.com 58011:28:38.63908/24/12Sev= Info/5IKE/0x6300000D MODE_CFG_REPLY:Attribute = MODECFG_UNITY_PFS:, value = 0x00000000 58111:28:38.63908/24/12Sev=Info/5IKE/0x6300000E MODE_CFG_REPLY:Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(4)1 built by builders on Thu 14-Jun-12 11:20 58211:28:38.63908/24/12Sev= Info/5IKE/0x6300000D MODE_CFG_REPLY:Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001 58311:28:38.63908/24/12Sev= Info/5IKE/0x6300000D MODE_CFG_REPLY:Attribute = Received and using NAT-T port number , value = 0x00001194 58411:28:39.36708/24/12Sev= Debug/9IKE/0x63000093 Value for ini parameter EnableDNSRedirection is 1 58511:28:39.36708/24/12Sev= Debug/7IKE/0x63000076 NAV Trace->TM:MsgID=84B4B653CurState: TM_MODECFG_DONEEvent:EV_MODECFG_DONE_SUC |
パラメータを処理し、適宜設定します。 |
||
クライアントの DPD を構成して送信します。 |
Aug 24 11:31:13 [IKEv1]IP = 64.102.156.87, Keep-alive type for this connection:DPD Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Starting P1 rekey timer:82080 秒です。 Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, sending notify message Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload Aug 24 11:31:13 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=be8f7821) with payloads :HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :92 |
||||
=============== Dead Peer Detection (DPD) ===============> | |||||
[Client] Starts Quick Mode (Phase 2) after the driver requests a key, and builds QM1. This process includes the PFS check (EV_CHK_PFS) and building the message (EV_BLD_MSG).

588 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000015 intf_data:lcl=0x0501A8C0, mask=0x00FFFFFF, bcast=0xFF01A8C0, bcast_vra=0xFF07070A
589 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_MODECFG_PROG Event:EV_INIT_P2
590 11:28:39.795 08/24/12 Sev=Info/4 IKE/0x63000056 Received a key request from Driver:Local IP = 192.168.1.100, GW IP = 64.102.156.88, Remote IP = 0.0.0.0
591 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->SA:I_Cookie=D56197780D7BE3E5 R_Cookie=1B301D2DE710EDA0 CurState: CMN_ACTIVE Event:EV_NO_EVENT
592 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_INITIAL Event:EV_INITIATOR
593 11:28:39.795 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_BLD_MSG1 Event:EV_CHK_PFS
594 11:28:39.796 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_BLD_MSG1 Event:EV_BLD_MSG
595 11:28:39.796 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_SND_MSG1 Event:EV_START_RETRY_TMR
[Client] Sends QM1 (HASH, SA, NONCE, ID, ID).

596 11:28:39.796 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_SND_MSG1 Event:EV_SND_MSG
597 11:28:39.796 08/24/12 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 64.102.156.88

<=============== Quick Mode Message 1 (QM1) =============== (client to server)
[Server] Receives QM1. The 1026-byte message carries the full list of ESP proposals the client offers; the ASA selects proposal 12 further down.

Aug 24 11:31:13 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=e83792e) with payloads :HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length :1026
[Server] Processes QM1. Relevant configuration: crypto dynamic-map. The proxy IDs are the client's assigned host address 192.168.1.100/32 on the remote side and 0.0.0.0/0 on the ASA side, consistent with a tunnel-all policy. The static crypto map entry (out-map, seq 10) is reported incomplete and bypassed, and the peer is bound to the dynamic map out-dyn-map instead; for a remote-access client this is the expected path, not an error. Because NAT-T was detected, only the UDP-encapsulated modes are considered.

Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing SA payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing nonce payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing ID payload
Aug 24 11:31:13 [IKEv1 DECODE]Group = ipsec, Username = user1, IP = 64.102.156.87, ID_IPV4_ADDR ID received 192.168.1.100
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Received remote Proxy Host data in ID Payload:Address 192.168.1.100, Protocol 0, Port 0
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing ID payload
Aug 24 11:31:13 [IKEv1 DECODE]Group = ipsec, Username = user1, IP = 64.102.156.87, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Received local IP Proxy Subnet data in ID Payload:Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, QM IsRekeyed old sa not found by addr
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Static Crypto Map check, checking map = out-map, seq = 10...
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Static Crypto Map Check by-passed:Crypto map entry incomplete!
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE Remote Peer configured for crypto map:out-dyn-map
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing IPSec SA payload
[Server] Builds QM2. Relevant configuration: tunnel-group EZ. The ASA accepts proposal 12, transform 1, requests an inbound SPI (0x9E18ACB2) from the key engine, and overrides the initiator's proposed 2147483-second lifetime with its own 86400 seconds, which it reports back in a RESPONDER LIFETIME notify.

Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IPSec SA Proposal # 12, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE:requesting SPI!
IPSEC:New embryonic SA created @ 0xcfdffc90,
    SCB:0xCFDFFB58,
    Direction:inbound
    SPI:0x9E18ACB2
    Session ID:0x00138000
    VPIF num:0x00000004
    Tunnel type:ra
    Protocol:esp
    Lifetime:240 seconds
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE got SPI from key engine:SPI = 0x9e18acb2
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, oakley constructing quick mode
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing blank hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing IPSec SA payload
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Overriding Initiator's IPSec rekeying duration from 2147483 to 86400 seconds
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing IPSec nonce payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing proxy ID
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Transmitting Proxy Id:
  Remote host: 192.168.1.100  Protocol 0  Port 0
  Local subnet: 0.0.0.0  mask 0.0.0.0  Protocol 0  Port 0
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Sending RESPONDER LIFETIME notification to Initiator
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, constructing qm hash payload
[Server] Sends QM2 (HASH, SA, NONCE, ID, ID, NOTIFY).

Aug 24 11:31:13 [IKEv1 DECODE]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE Responder sending 2nd QM pkt:msg id = 0e83792e
Aug 24 11:31:13 [IKEv1]IP = 64.102.156.87, IKE_DECODE SENDING Message (msgid=e83792e) with payloads :HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length :184

=============== Quick Mode Message 2 (QM2) ===============> (server to client)
[Client] Receives QM2, including the STATUS_RESP_LIFETIME notify.

608 11:28:39.962 08/24/12 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 64.102.156.88
[Client] Processes QM2. The decrypted payloads show the selected proposal: a single ESP proposal carrying SPI 9E18ACB2 (the ASA's inbound SPI), transform ESP_3DES with SHA1 authentication and UDP tunnel encapsulation. The transform's Life Duration 0x0020C49B is the client's own 2147483 seconds; the trailing STATUS_RESP_LIFETIME notify carries 0x00015180, that is 86400 seconds, the lifetime the ASA actually imposes.

609 11:28:39.964 08/24/12 Sev=Decode/11 IKE/0x63000001
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID (Hex): E83792E
  Length: 188
Payload Hash
  Next Payload: Security Association
  Reserved: 00
  Payload Length: 24
  Data (In Hex): CABF38A62C9B88D1691E81F3857D6189534B2EC0
Payload Security Association
  Next Payload: Nonce
  Reserved: 00
  Payload Length: 52
  DOI: IPsec
  Situation: (SIT_IDENTITY_ONLY)
  Payload Proposal
    Next Payload: None
    Reserved: 00
    Payload Length: 40
    Proposal #: 1
    Protocol-Id: PROTO_IPSEC_ESP
    SPI Size: 4
    # of transforms: 1
    SPI: 9E18ACB2
    Payload Transform
      Next Payload: None
      Reserved: 00
      Payload Length: 28
      Transform #: 1
      Transform-Id: ESP_3DES
      Reserved2: 0000
      Life Type: Seconds
      Life Duration (Hex): 0020C49B
      Encapsulation Mode: UDP Tunnel
      Authentication Algorithm: SHA1
Payload Nonce
  Next Payload: Identification
  Reserved: 00
  Payload Length: 24
  Data (In Hex): 3A079B75DA512473706F235EA3FCA61F1D15D4CD
Payload Identification
  Next Payload: Identification
  Reserved: 00
  Payload Length: 12
  ID Type: IPv4 Address
  Protocol ID (UDP/TCP, etc...): 0
  Port: 0
  ID Data: 192.168.1.100
Payload Identification
  Next Payload: Notification
  Reserved: 00
  Payload Length: 16
  ID Type: IPv4 Subnet
  Protocol ID (UDP/TCP, etc...): 0
  Port: 0
  ID Data: 0.0.0.0/0.0.0.0
Payload Notification
  Next Payload: None
  Reserved: 00
  Payload Length: 28
  DOI: IPsec
  Protocol-ID: PROTO_IPSEC_ESP
  Spi Size: 4
  Notify Type: STATUS_RESP_LIFETIME
  SPI: 9E18ACB2
  Data:
    Life Type: Seconds
    Life Duration (Hex): 00015180
[Client] Processes QM2: accepts the RESPONDER-LIFETIME value of 86400 seconds and re-checks PFS.

610 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_WAIT_MSG2 Event:EV_RCVD_MSG
611 11:28:39.965 08/24/12 Sev=Info/5 IKE/0x63000045 RESPONDER-LIFETIME notify has value of 86400 seconds
612 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_WAIT_MSG2 Event:EV_CHK_PFS

[Client] Builds QM3. The QM3 payload shown here is decrypted; it consists of the hash only.

613 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_BLD_MSG3 Event:EV_BLD_MSG
614 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076
ISAKMP Header
  Initiator COOKIE: D56197780D7BE3E5
  Responder COOKIE: 1B301D2DE710EDA0
  Next Payload: Hash
  Ver (Hex): 10
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID (Hex): E83792E
  Length: 52
Payload Hash
  Next Payload: None
  Reserved: 00
  Payload Length: 24
  Data (In Hex): CDDC20D91EB4B568C826D6A5770A5CF020141236
[Client] Sends QM3 (HASH only). The client is now ready to encrypt and decrypt.

615 11:28:39.965 08/24/12 Sev=Debug/7 IKE/0x63000076 NAV Trace->QM:MsgID=0E83792E CurState:QM_SND_MSG3 Event:EV_SND_MSG
616 11:28:39.965 08/24/12 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH) to 64.102.156.88

<=============== Quick Mode Message 3 (QM3) =============== (client to server)
[Server] Receives QM3.

Aug 24 11:31:13 [IKEv1]IP = 64.102.156.87, IKE_DECODE RECEIVED Message (msgid=e83792e) with payloads :HDR + HASH (8) + NONE (0) total length :52
[Server] Processes QM3. Creates the inbound and outbound Security Parameter Indexes (SPIs) together with the encrypt, decrypt and permit rules, then adds a static route for the host (reverse-route injection). Relevant configuration: crypto ipsec transform- The permit rules match UDP 4500 on the ASA against the client's translated port 58506, which confirms NAT-T encapsulation. The P2 rekey timer of 82080 seconds is again 95% of the 86400-second lifetime sent in the RESPONDER LIFETIME notify.

Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, processing hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, loading all IPSEC SAs
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Generating Quick Mode Key!
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, NP encrypt rule look up for crypto map out-dyn-map 10 matching ACL Unknown:returned cs_id=cc107410;rule=00000000
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Generating Quick Mode Key!
IPSEC:New embryonic SA created @ 0xccc9ed60,
    SCB:0xCF7F59E0,
    Direction:outbound
    SPI:0xC055290A
    Session ID:0x00138000
    VPIF num:0x00000004
    Tunnel type:ra
    Protocol:esp
    Lifetime:240 seconds
IPSEC:Completed host OBSA update, SPI 0xC055290A
IPSEC:Creating outbound VPN context, SPI 0xC055290A
    Flags:0x00000025
    SA:0xccc9ed60
    SPI:0xC055290A
    MTU:1500 bytes
    VCID:0x00000000
    Peer:0x00000000
    SCB:0xA5922B6B
    Channel:0xc82afb60
IPSEC:Completed outbound VPN context, SPI 0xC055290A
    VPN handle:0x0015909c
IPSEC:New outbound encrypt rule, SPI 0xC055290A
    Src addr:0.0.0.0
    Src mask:0.0.0.0
    Dst addr:192.168.1.100
    Dst mask:255.255.255.255
    Src ports Upper:0 Lower:0 Op:ignore
    Dst ports Upper:0 Lower:0 Op:ignore
    Protocol:0
    Use protocol:false
    SPI:0x00000000
    Use SPI:false
IPSEC:Completed outbound encrypt rule, SPI 0xC055290A
    Rule ID:0xcb47a710
IPSEC:New outbound permit rule, SPI 0xC055290A
    Src addr:64.102.156.88
    Src mask:255.255.255.255
    Dst addr:64.102.156.87
    Dst mask:255.255.255.255
    Src ports Upper:4500 Lower:4500 Op:equal
    Dst ports Upper:58506 Lower:58506 Op:equal
    Protocol:17
    Use protocol:true
    SPI:0x00000000
    Use SPI:false
IPSEC:Completed outbound permit rule, SPI 0xC055290A
    Rule ID:0xcdf3cfa0
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, NP encrypt rule look up for crypto map out-dyn-map 10 matching ACL Unknown:returned cs_id=cc107410;rule=00000000
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Security negotiation complete for User (user1) Responder, Inbound SPI = 0x9e18acb2, Outbound SPI = 0xc055290a
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE got a KEY_ADD msg for SA:SPI = 0xc055290a
IPSEC:Completed host IBSA update, SPI 0x9E18ACB2
IPSEC:Creating inbound VPN context, SPI 0x9E18ACB2
    Flags:0x00000026
    SA:0xcfdffc90
    SPI:0x9E18ACB2
    MTU:0 bytes
    VCID:0x00000000
    Peer:0x0015909C
    SCB:0xA5672481
    Channel:0xc82afb60
IPSEC:Completed inbound VPN context, SPI 0x9E18ACB2
    VPN handle:0x0016219c
IPSEC:Updating outbound VPN context 0x0015909C, SPI 0xC055290A
    Flags:0x00000025
    SA:0xccc9ed60
    SPI:0xC055290A
    MTU:1500 bytes
    VCID:0x00000000
    Peer:0x0016219C
    SCB:0xA5922B6B
    Channel:0xc82afb60
IPSEC:Completed outbound VPN context, SPI 0xC055290A
    VPN handle:0x0015909c
IPSEC:Completed outbound inner rule, SPI 0xC055290A
    Rule ID:0xcb47a710
IPSEC:Completed outbound outer SPD rule, SPI 0xC055290A
    Rule ID:0xcdf3cfa0
IPSEC:New inbound tunnel flow rule, SPI 0x9E18ACB2
    Src addr:192.168.1.100
    Src mask:255.255.255.255
    Dst addr:0.0.0.0
    Dst mask:0.0.0.0
    Src ports Upper:0 Lower:0 Op:ignore
    Dst ports Upper:0 Lower:0 Op:ignore
    Protocol:0
    Use protocol:false
    SPI:0x00000000
    Use SPI:false
IPSEC:Completed inbound tunnel flow rule, SPI 0x9E18ACB2
    Rule ID:0xcdf15270
IPSEC:New inbound decrypt rule, SPI 0x9E18ACB2
    Src addr:64.102.156.87
    Src mask:255.255.255.255
    Dst addr:64.102.156.88
    Dst mask:255.255.255.255
    Src ports Upper:58506 Lower:58506 Op:equal
    Dst ports Upper:4500 Lower:4500 Op:equal
    Protocol:17
    Use protocol:true
    SPI:0x00000000
    Use SPI:false
IPSEC:Completed inbound decrypt rule, SPI 0x9E18ACB2
    Rule ID:0xce03c2f8
IPSEC:New inbound permit rule, SPI 0x9E18ACB2
    Src addr:64.102.156.87
    Src mask:255.255.255.255
    Dst addr:64.102.156.88
    Dst mask:255.255.255.255
    Src ports Upper:58506 Lower:58506 Op:equal
    Dst ports Upper:4500 Lower:4500 Op:equal
    Protocol:17
    Use protocol:true
    SPI:0x00000000
    Use SPI:false
IPSEC:Completed inbound permit rule, SPI 0x9E18ACB2
    Rule ID:0xcf6f58c0
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Pitcher:received KEY_UPDATE, spi 0x9e18acb2
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Starting P2 rekey timer:82080 seconds.
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Adding static route for client address:192.168.1.100
[Server] Phase 2 is complete. Both sides are now encrypting and decrypting. The msgid 0e83792e is the same value the client logs as MsgID=0E83792E; matching on it is the quickest way to pair the two logs for one Quick Mode exchange.

Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 2 COMPLETED (msgid=0e83792e)
For a hardware client, one or more additional messages arrive in which the client sends information about itself. A close look at the decoded bytes reveals the EzVPN client's hostname, the software running on it, and the location and name of that software image. In this capture the ASCII gutter already shows the hostname bsns-871-3, the platform string "Cisco 871" and the image flash:c870-advipservicesk9-mz.124-20.T5.bin.

Aug 24 11:31:13 [IKEv1]:IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=91facca9) with payloads :HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :184
Aug 24 11:31:13 [IKEv1 DEBUG]:Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Aug 24 11:31:13 [IKEv1 DEBUG]:Group = EZ, Username = cisco, IP = 10.48.66.23, processing notify payload
Aug 24 11:31:13 [IKEv1 DECODE]:OBSOLETE DESCRIPTOR - INDEX 1
Aug 24 11:31:13 [IKEv1 DECODE]:
0000: 00000000 7534000B 62736E73 2D383731   ...u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731   -3.u2.Cisco 871
0020: 7535000B 46484B30 39343431 32513675   u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009   6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61   145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572   sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32   vicesk9-mz.124-2
0070: 302E5435 2E62696E                     0.T5.bin
Aug 24 11:31:13 [IKEv1 DEBUG]:Group = EZ, Username = cisco, IP = 10.48.66.23, Processing PSK Hash
Aug 24 11:31:13 [IKEv1]:Group = EZ, Username = cisco, IP = 192.168.1.100, Inconsistent PSK hash size
Aug 24 11:31:13 [IKEv1 DEBUG]:Group = EZ, Username = cisco, IP = 10.48.66.23, PSK Hash Verification Failed!
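The decoded bytes above can be read mechanically instead of by eye. The following Python script is an added example, not code from Cisco or from this document: it rebuilds the raw bytes from the IKEv1 DECODE hex dump (copied from the debug above as the constructed sample) and splits them into records. The record layout (four zero bytes, then a 2-byte ASCII tag, a 2-byte big-endian length and the value) and the tag meanings in TAG_HINTS are inferred from this single dump, not taken from any Cisco specification, and are assumptions. expected_isakmp_length is a sanity check against the "total length :184" the ASA logged: a 28-byte ISAKMP header, a 24-byte HASH payload, the 12-byte fixed part of a NOTIFY payload, and the 120 bytes of notify data.

```python
import re

# Constructed sample: the IKEv1 DECODE hex dump from the ASA debug above, copied as
# logged (offset, up to four 32-bit words, ASCII gutter). It is the data field of
# the NOTIFY payload the EzVPN hardware client sent.
NOTIFY_DUMP = """\
0000: 00000000 7534000B 62736E73 2D383731   ...u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731   -3.u2.Cisco 871
0020: 7535000B 46484B30 39343431 32513675   u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009   6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61   145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572   sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32   vicesk9-mz.124-2
0070: 302E5435 2E62696E                     0.T5.bin
"""

# Assumed meaning of the tags, inferred from the values in this one dump; this is
# not a documented Cisco attribute table.
TAG_HINTS = {"u4": "hostname", "u2": "platform", "u5": "serial number (assumed)",
             "u3": "running image"}

WORD = re.compile(r"^[0-9A-Fa-f]{8}$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from an ASA 'IKEv1 DECODE' hex dump.

    Only tokens that are exactly eight hex digits are taken, at most four per
    line, so gutter text such as '145216312u3.+fla' is never read as data. The
    offsets are checked so a line lost in copy/paste is detected.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        offset, rest = line.split(":", 1)
        if int(offset, 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset}")
        words = []
        for tok in rest.split():
            if len(words) == 4 or not WORD.match(tok):
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


def parse_client_info(data: bytes) -> list:
    """Split the notify data into (tag, value) records.

    Observed layout (inferred from this dump, not a published spec): four zero
    bytes, then records of a 2-byte ASCII tag, a 2-byte big-endian length and
    'length' bytes of value. A length that overruns the buffer is an error, not
    a silently truncated value.
    """
    if data[:4] != b"\x00\x00\x00\x00":
        raise ValueError("unexpected leading bytes")
    pos, records = 4, []
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        tag = data[pos:pos + 2].decode("ascii")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"record {tag} claims {length} bytes, {len(value)} left")
        records.append((tag, value.decode("ascii", errors="replace")))
        pos += 4 + length
    return records


def expected_isakmp_length(notify_data_len: int, hash_len: int = 20) -> int:
    """Total length the ASA should log for HDR + HASH + NOTIFY carrying this data:
    28-byte ISAKMP header, 4-byte generic header plus the hash, and the 12-byte
    fixed part of a Notification payload (DOI, protocol, SPI size 0, notify type)."""
    return 28 + (4 + hash_len) + 12 + notify_data_len


if __name__ == "__main__":
    raw = dump_to_bytes(NOTIFY_DUMP)
    for tag, value in parse_client_info(raw):
        print(f"{tag:3} {TAG_HINTS.get(tag, 'unknown'):24} {value}")
    print("notify data:", len(raw), "bytes; expected total length:", expected_isakmp_length(len(raw)))
```

Running it lists six records (u4, u2, u5, u6, u9, u3) and reports 184 as the expected total length, matching the ASA's own figure, which is a useful check that the dump was copied completely.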
The output of show crypto isakmp sa detail (abbreviated sh cry isa sa det) is:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.48.66.23
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86387
AM_ACTIVE - aggressive mode is active.
Because Internet Control Message Protocol (ICMP) was used to trigger the tunnel, only one IPsec SA is up. Protocol 1 is ICMP. Note that the SPI values (C4B9A77C outbound, EA2B6B15 inbound) differ from the ones negotiated in the debug (0xc055290a and 0x9e18acb2): this is the same tunnel after a Phase 2 rekey, not a new one.
The output of show crypto ipsec sa (abbreviated sh crypto ipsec sa) is:
interface: outside
Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
current_peer: 10.48.66.23, username: cisco
dynamic allocated peer ip: 192.168.1.100
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.48.67.14/0, remote crypto endpt.: 10.48.66.23/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C4B9A77C
current inbound spi : EA2B6B15
inbound esp sas:
spi: 0xEA2B6B15 (3928714005)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 425984, crypto-map: DYN
sa timing: remaining key lifetime (sec): 28714
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xC4B9A77C (3300501372)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 425984, crypto-map: DYN
sa timing: remaining key lifetime (sec): 28714
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
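As an added example, not Cisco's code and not part of the original document, the following Python script performs the cross-check described above automatically: it reduces the ASA Phase 2 debug to the negotiated proxy IDs, SPIs, lifetime override and rekey timer, reads the current SPIs and packet counters from show crypto ipsec sa, and reports whether the installed SA still carries the negotiated SPIs (if not, a Phase 2 rekey has happened, as on this page). The samples in ASA_DEBUG and SHOW_IPSEC_SA are constructed from the lines on this page; the regular expressions are written against that exact wording, and it is an assumption that other ASA releases log the same strings.

```python
import re

# Constructed sample: lines copied from the ASA Phase 2 (Quick Mode) debug on this page.
ASA_DEBUG = """\
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Received remote Proxy Host data in ID Payload:Address 192.168.1.100, Protocol 0, Port 0
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Received local IP Proxy Subnet data in ID Payload:Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, IKE Remote Peer configured for crypto map:out-dyn-map
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, IPSec SA Proposal # 12, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Overriding Initiator's IPSec rekeying duration from 2147483 to 86400 seconds
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Security negotiation complete for User (user1)  Responder, Inbound SPI = 0x9e18acb2, Outbound SPI = 0xc055290a
Aug 24 11:31:13 [IKEv1 DEBUG]Group = ipsec, Username = user1, IP = 64.102.156.87, Starting P2 rekey timer:82080 seconds.
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, Adding static route for client address:192.168.1.100
Aug 24 11:31:13 [IKEv1]Group = ipsec, Username = user1, IP = 64.102.156.87, PHASE 2 COMPLETED (msgid=0e83792e)
"""

# Constructed sample: the relevant lines of 'show crypto ipsec sa' from this page.
SHOW_IPSEC_SA = """\
    Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      current outbound spi: C4B9A77C
      current inbound spi : EA2B6B15
"""

# One regex per debug line worth keeping, with a converter for its groups. The
# wording is what this ASA release logged; other releases may differ (assumption).
PATTERNS = {
    "remote_proxy": (r"Received remote Proxy Host data in ID Payload:Address (\S+),", lambda g: g[0]),
    "local_proxy": (r"Received local IP Proxy Subnet data in ID Payload:Address (\S+), Mask (\S+),",
                    lambda g: f"{g[0]}/{g[1]}"),
    "crypto_map": (r"IKE Remote Peer configured for crypto map:(\S+)", lambda g: g[0]),
    "proposal": (r"IPSec SA Proposal # (\d+), Transform # (\d+) acceptable", lambda g: (int(g[0]), int(g[1]))),
    "lifetime": (r"Overriding Initiator's IPSec rekeying duration from (\d+) to (\d+) seconds",
                 lambda g: (int(g[0]), int(g[1]))),
    "spis": (r"Security negotiation complete for User \((\w+)\)\s*(\w+), Inbound SPI = (0x[0-9a-f]+), "
             r"Outbound SPI = (0x[0-9a-f]+)",
             lambda g: {"user": g[0], "role": g[1], "inbound_spi": int(g[2], 16), "outbound_spi": int(g[3], 16)}),
    "p2_rekey": (r"Starting P2 rekey timer:(\d+) seconds", lambda g: int(g[0])),
    "route": (r"Adding static route for client address:(\S+)", lambda g: g[0]),
    "msgid": (r"PHASE 2 COMPLETED \(msgid=([0-9a-f]+)\)", lambda g: g[0]),
}


def summarize_phase2(debug: str) -> dict:
    """Reduce the Phase 2 debug to the negotiated facts: proxy IDs, chosen proposal,
    lifetime override, both SPIs, rekey timer, injected route and completion."""
    s = {}
    for line in debug.splitlines():
        for key, (pat, conv) in PATTERNS.items():
            m = re.search(pat, line)
            if m:
                s[key] = conv(m.groups())
    s.update(s.pop("spis", {}))          # flatten user/role/SPIs into the summary
    s["completed"] = "msgid" in s        # PHASE 2 COMPLETED was seen
    return s


def summarize_show_sa(show: str) -> dict:
    """Pull the current SPIs, remote identity and packet counters out of 'show crypto ipsec sa'."""
    def grab(pat, conv=str):
        m = re.search(pat, show)
        return conv(m.group(1)) if m else None
    return {
        "outbound_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)", lambda x: int(x, 16)),
        "inbound_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", lambda x: int(x, 16)),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
    }


def check_tunnel(neg: dict, sa: dict) -> dict:
    """Cross-check the negotiated SA against the installed one.

    rekeyed        - the SPIs in 'show crypto ipsec sa' are not the ones negotiated in
                     the debug, which is what the page's later Phase 2 rekey looks like.
    rekey_at_95pct - the P2 rekey timer equals 95% of the lifetime the ASA imposed.
    """
    lifetime = neg.get("lifetime", (None, None))[1]
    return {
        "completed": neg.get("completed", False),
        "proxy_matches_ident": neg.get("remote_proxy") == sa["remote_ident"],
        "rekeyed": (sa["inbound_spi"], sa["outbound_spi"]) != (neg.get("inbound_spi"), neg.get("outbound_spi")),
        "rekey_at_95pct": lifetime is not None and neg.get("p2_rekey") == lifetime * 95 // 100,
        "traffic_both_ways": bool(sa["encaps"]) and bool(sa["decaps"]),
    }


if __name__ == "__main__":
    negotiated = summarize_phase2(ASA_DEBUG)
    installed = summarize_show_sa(SHOW_IPSEC_SA)
    for k, v in check_tunnel(negotiated, installed).items():
        print(f"{k}: {v}")
```

On the page's data every check is True: Phase 2 completed, the remote proxy ID equals the remote ident in the SA, the installed SPIs differ from the negotiated ones (rekeyed), the rekey timer sits at 95% of the imposed lifetime, and packets have been both encapsulated and decapsulated. A False in rekeyed with fresh SPIs, or a zero decaps counter, is the kind of asymmetry worth chasing before reading the full debug.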
Revision | Publish Date | Comments
---|---|---
1.0 | 25-Jun-2013 | Initial Release