PIX-to-PIX 6.x: Easy VPN(NEM) 컨피그레이션 예

다운로드 옵션

  • PDF     (260.9 KB)
    다양한 디바이스에서 Adobe Reader로 보기
  • ePub     (102.6 KB)
    iPhone, iPad, Android, Sony Reader 또는 Windows Phone의 다양한 앱에서 보기
  • Mobi (Kindle)     (114.7 KB)
    Kindle 디바이스에서 보기 또는 다양한 디바이스의 Kindle 앱에서 보기
업데이트:2008년 9월 26일
문서 ID:40820

편견 없는 언어

본 제품에 대한 문서 세트는 편견 없는 언어를 사용하기 위해 노력합니다. 본 설명서 세트의 목적상, 편견 없는 언어는 나이, 장애, 성별, 인종 정체성, 민족 정체성, 성적 지향성, 사회 경제적 지위 및 교차성에 기초한 차별을 의미하지 않는 언어로 정의됩니다. 제품 소프트웨어의 사용자 인터페이스에서 하드코딩된 언어, RFP 설명서에 기초한 언어 또는 참조된 서드파티 제품에서 사용하는 언어로 인해 설명서에 예외가 있을 수 있습니다. 시스코에서 어떤 방식으로 포용적인 언어를 사용하고 있는지 자세히 알아보세요.

이 번역에 관하여

Cisco는 전 세계 사용자에게 다양한 언어로 지원 콘텐츠를 제공하기 위해 기계 번역 기술과 수작업 번역을 병행하여 이 문서를 번역했습니다. 아무리 품질이 높은 기계 번역이라도 전문 번역가의 번역 결과물만큼 정확하지는 않습니다. Cisco Systems, Inc.는 이 같은 번역에 대해 어떠한 책임도 지지 않으며 항상 원본 영문 문서(링크 제공됨)를 참조할 것을 권장합니다.

소개

이 문서에서는 PIX Easy VPN Remote Hardware Client와 PIX Easy VPN Server 간의 IPsec에 대한 샘플 컨피그레이션을 제공합니다. PIX용 Easy VPN Remote 기능은 PIX 버전 6.2에서 도입되었으며 하드웨어 클라이언트/EzVPN 클라이언트라고도 합니다. Cisco Easy VPN Server는 PIX Software 버전 6.0 이상에서 지원됩니다.

보안 어플라이언스 소프트웨어 버전 7.x 함께 실행되는 동일한 시나리오에 대한 자세한 내용은 ASA 5500이 포함된 PIX/ASA 7.x Easy VPN(서버 및 NEM으로 PIX 506E as the Client(NEM) 컨피그레이션 예)를 참조하십시오.

Cisco 871 Router가 Easy VPN Remote로 작동하는 유사한 시나리오에 대한 자세한 내용은 ASA 5500이 포함된 PIX/ASA 7.x Easy VPN with a ASA 5500 as the Server 및 Cisco 871을 참조하십시오.

Cisco VPN 3000 Concentrator가 Easy VPN Server 작동하는 유사한 시나리오에 대한 자세한 내용은 PIX 501/506 Series Security Appliance with VPN 300 Concentrator 구성 예를 참조하십시오.

Cisco IOS® 라우터가 Easy VPN Server 작동하는 유사한 시나리오에 대한 자세한 내용은 네트워크 확장 모드의 IOS 라우터에 대한 PIX 501/506 Easy VPN Remote to an IOS Router with Extended Authentication Configuration 예를 참조하십시오.

사전 요구 사항

요구 사항

이 구성을 시도하기 전에 다음 요구 사항을 충족해야 합니다.

  • PIX Easy VPN Remote Hardware Client가 PIX Software 버전 6.2 이상을 실행하는 PIX 501 또는 PIX 506/506E인지 확인합니다.

  • Easy VPN Server가 PIX 소프트웨어 버전 6.0 이상을 실행하는 PIX 방화벽인지 확인합니다.

사용되는 구성 요소

이 문서의 정보는 다음 소프트웨어 및 하드웨어 버전을 기반으로 합니다.

  • PIX Easy VPN Remote Hardware Client는 PIX Software 버전 6.3(1)을 실행하는 PIX 501입니다.

  • Easy VPN Server는 PIX Software 버전 6.3(1)을 실행하는 PIX 515입니다.

이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다. 이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다. 현재 네트워크가 작동 중인 경우, 모든 명령어의 잠재적인 영향을 미리 숙지하시기 바랍니다.

표기 규칙

문서 규칙에 대한 자세한 내용은 Cisco 기술 팁 규칙을 참조하십시오.

구성

이 섹션에는 이 문서에서 설명하는 기능을 구성하기 위한 정보가 표시됩니다.

참고: 명령 조회 도구(등록된 고객만 해당)를 사용하여 이 섹션에 사용된 명령에 대한 자세한 내용을 확인하십시오.

네트워크 다이어그램

이 문서에서는 다음 네트워크 설정을 사용합니다.

easyvpn-pix-01.gif

구성

이 문서에서는 다음 구성을 사용합니다.

PIX Easy VPN 서버 
pix515#write terminal
Building configuration...
: Saved
:
PIX Version 6.3(1)

!--- Specify speed and duplex settings.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

!--- Specify split tunnelling access list and "nonat" access list.

access-list 101 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500

!--- Define IP address for the PIX's inside and outside interfaces.

ip address outside 172.16.2.1 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.3.3.1-10.3.3.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400

!--- Configure Network Address Translation (NAT)/ !--- Port Address Translation (PAT) for regular traffic, !--- as well as NAT for IPsec traffic.

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Define the outside router as the default gateway. !--- Typically this is the IP address of your !--- Internet service provider's (ISP) router.

route outside 0.0.0.0 0.0.0.0 172.16.2.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec

!--- Configure IPsec transform set and dynamic crypto map.

crypto ipsec transform-set myset esp-aes esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Apply crypto map to the outside interface.

crypto map mymap interface outside

!--- Configure Phase 1 Internet Security Association !-- and Key Management Protocol (ISAKMP) parameters.

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Configure VPNGroup parameters, to be sent down to the client.

vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 10.2.2.2
vpngroup mygroup wins-server 10.2.2.2
vpngroup mygroup default-domain cisco.com
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:67106d7a5a3aa3da0caaeea93b9fc8d6
: end
[OK]
pix515#

PIX Easy VPN Remote Hardware Client 
pix501#write terminal
Building configuration...
: Saved
:
PIX Version 6.3(1)

!--- Specify speed and duplex settings.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Define IP address for the PIX's inside and outside interfaces.

ip address outside 172.16.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

!--- Configure NAT for traffic that is not encrypted.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Define the outside router as the default gateway. !--- Typically this is the IP address of your ISP's router.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0

!--- Define Easy VPN Remote parameters.

vpnclient server 172.16.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********

!--- Enable the VPN Client. !--- (This automatically initiates the IPSec tunnel to the server.)

vpnclient enable
terminal width 80
Cryptochecksum:b8242b410ad8e3b372018cd1cff77f91
: end
[OK]

다음을 확인합니다.

이 섹션을 사용하여 컨피그레이션이 제대로 작동하는지 확인합니다.

Output Interpreter 도구(등록된 고객만 해당)(OIT)는 특정 show 명령을 지원합니다. OIT를 사용하여 show 명령 출력의 분석을 봅니다.

PIX Easy VPN Server show 명령 및 샘플 출력

  • show crypto isakmp sa - 피어의 현재 IKE(Internet Key Exchange) 보안 연결(SA)을 모두 표시합니다.

    pix515#show crypto isakmp sa 
Total     : 1 
Embryonic : 0 
        dst               src        state     pending     created 
     172.16.2.1      172.16.1.1    QM_IDLE         0           2 
pix515#

  • show crypto ipsec sa - 피어 간에 구축된 IPsec SA를 표시합니다.

    pix515#show crypto ipsec sa 

!--- This command was issued after a ping !--- was attempted from the PC behind the !--- Easy VPN Client to the PC !--- behind the server.
 
interface: outside 
    Crypto map tag: mymap, local addr. 172.16.2.1 

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) 
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) 
   current_peer: 172.16.1.1:500 
   dynamic allocated peer ip: 0.0.0.0 

     PERMIT, flags={} 
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 
    #pkts compressed: 0, #pkts decompressed: 0 
    #pkts not compressed: 0, #pkts compr. failed: 0, 
    #pkts decompress failed: 0 
    #send errors 0, #recv errors 0 

!--- Ping packets !--- were successfully exchanged between the !--- Easy VPN Remote Hardware Client !--- and the Easy VPN Server.
 
     local crypto endpt.: 172.16.2.1, remote crypto endpt.: 172.16.1.1 
     path mtu 1500, ipsec overhead 64, media mtu 1500 
     current outbound spi: 3a5a28e4 

     inbound esp sas: 
      spi: 0x505c96c6(1348245190) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 2, crypto map: mymap 
        sa timing: remaining key lifetime (k/sec): (4607999/28471) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     inbound ah sas: 
  

     inbound pcp sas: 
  

     outbound esp sas: 
      spi: 0x3a5a28e4(978987236) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 1, crypto map: mymap 
        sa timing: remaining key lifetime (k/sec): (4607999/28471) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     outbound ah sas: 
  

     outbound pcp sas: 
  
  

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) 
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0) 
   current_peer: 172.16.1.1:500 
   dynamic allocated peer ip: 0.0.0.0 

     PERMIT, flags={} 
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 
    #pkts compressed: 0, #pkts decompressed: 0 
    #pkts not compressed: 0, #pkts compr. failed: 0, 
    #pkts decompress failed: 0 
    #send errors 0, #recv errors 0 

     local crypto endpt.: 172.16.2.1, remote crypto endpt.: 172.16.1.1 
     path mtu 1500, ipsec overhead 64, media mtu 1500 
     current outbound spi: 27f378f9 

     inbound esp sas: 
      spi: 0xf2bb4f00(4072361728) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 3, crypto map: mymap 
        sa timing: remaining key lifetime (k/sec): (4608000/27796) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     inbound ah sas: 
  

     inbound pcp sas: 
  

     outbound esp sas: 
      spi: 0x27f378f9(670267641) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 4, crypto map: mymap 
        sa timing: remaining key lifetime (k/sec): (4608000/27787) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     outbound ah sas: 
  

     outbound pcp sas: 
  

pix515#

PIX Easy VPN Remote Hardware Client show 명령 및 샘플 출력

  • vpnclient enable - Easy VPN Remote 연결을 활성화합니다. (NEM(Network Extension Mode)에서는 헤드엔드 Easy VPN Server와 교환할 흥미로운 트래픽이 없는 경우에도 터널이 작동합니다.)

    pix501(config)#vpnclient enable

  • show crypto isakmp policy - 각 IKE 정책에 대한 매개변수를 표시합니다.

    pix501#show crypto isakmp policy

Default protection suite 
    encryption algorithm:   DES - Data Encryption Standard (56 bit keys). 
    hash algorithm:         Secure Hash Standard 
    authentication method:  Rivest-Shamir-Adleman Signature 
    Diffie-Hellman group:   #1 (768 bit) 
    lifetime:               86400 seconds, no volume limit

    하드웨어 클라이언트가 활성화된 후 show crypto isakmp policy 명령의 출력이 여기에 표시됩니다.

    pix501(config)#show crypto isakmp policy 

Protection suite of priority 65001 
     encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys). 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65002 
     encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65003 
     encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys). 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65004 
     encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65005 
     encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys). 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65006 
     encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65007 
     encryption algorithm:   Three key triple DES 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65008 
     encryption algorithm:   Three key triple DES 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65009 
     encryption algorithm:   DES - Data Encryption Standard (56 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key with XAUTH 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65010 
     encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys). 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65011 
     encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65012 
     encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys). 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65013 
     encryption algorithm:   AES - Advanced Encryption Standard (192 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65014 
     encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys). 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65015 
     encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65016 
     encryption algorithm:   Three key triple DES 
     hash algorithm:         Secure Hash Standard 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65017 
     encryption algorithm:   Three key triple DES 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit 
Protection suite of priority 65018 
     encryption algorithm:   DES - Data Encryption Standard (56 bit keys). 
     hash algorithm:         Message Digest 5 
     authentication method:  Pre-Shared Key 
     Diffie-Hellman group:   #2 (1024 bit) 
     lifetime:               86400 seconds, no volume limit

  • show crypto isakmp sa - 피어의 현재 모든 IKE SA를 표시합니다.

    pix501(config)#show crypto isakmp sa 
Total     : 1 
Embryonic : 0 
        dst               src        state     pending     created 
     172.16.2.1      172.16.1.1    QM_IDLE         0           1

  • show crypto ipsec sa - 피어 간에 구축된 IPsec SA를 표시합니다.

    pix501(config)#show crypto ipsec sa 

!--- This command was issued after a ping !--- was attempted from the PC behind the !--- Easy VPN client to the PC !--- behind the server.
 
interface: outside 
    Crypto map tag: _vpnc_cm, local addr. 172.16.1.1 

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) 
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) 
   current_peer: 172.16.2.1:500 
     PERMIT, flags={origin_is_acl,} 
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 
    #pkts compressed: 0, #pkts decompressed: 0 
    #pkts not compressed: 0, #pkts compr. failed: 0, 
    #pkts decompress failed: 0 
    #send errors 1, #recv errors 0 

!--- Ping packets !--- were successfully exchanged between !--- the Easy VPN Remote Hardware Client !--- and the Easy VPN Server.
   
     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.2.1 
     path mtu 1500, ipsec overhead 64, media mtu 1500 
     current outbound spi: 505c96c6 

     inbound esp sas: 
      spi: 0x3a5a28e4(978987236) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 4, crypto map: _vpnc_cm 
        sa timing: remaining key lifetime (k/sec): (4607999/28745) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     inbound ah sas: 
  

     inbound pcp sas: 
  

     outbound esp sas: 
      spi: 0x505c96c6(1348245190) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 3, crypto map: _vpnc_cm 
        sa timing: remaining key lifetime (k/sec): (4607999/28745) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     outbound ah sas: 
  

     outbound pcp sas: 
  
  

   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0) 
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) 
   current_peer: 172.16.2.1:500 
     PERMIT, flags={origin_is_acl,} 
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 
    #pkts compressed: 0, #pkts decompressed: 0 
    #pkts not compressed: 0, #pkts compr. failed: 0, 
    #pkts decompress failed: 0 
    #send errors 0, #recv errors 0 

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.2.1 
     path mtu 1500, ipsec overhead 64, media mtu 1500 
     current outbound spi: f2bb4f00 

     inbound esp sas: 
      spi: 0x27f378f9(670267641) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 1, crypto map: _vpnc_cm 
        sa timing: remaining key lifetime (k/sec): (4608000/28125) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     inbound ah sas: 
  

     inbound pcp sas: 
  

     outbound esp sas: 
      spi: 0xf2bb4f00(4072361728) 
        transform: esp-aes esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 2, crypto map: _vpnc_cm 
        sa timing: remaining key lifetime (k/sec): (4608000/28125) 
        IV size: 16 bytes 
        replay detection support: Y 
  

     outbound ah sas: 
  

     outbound pcp sas: 
  

pix501(config)#

  • show vpnclient - VPN Client 또는 Easy VPN Remote 디바이스 컨피그레이션 정보를 표시합니다.

    pix501(config)#show vpnclient 
LOCAL CONFIGURATION 
vpnclient server 172.16.2.1 
vpnclient mode network-extension-mode 
vpnclient vpngroup mygroup password ******** 
vpnclient enable 

DOWNLOADED DYNAMIC POLICY 
Current Server                     : 172.16.2.1 
Primary DNS                        : 10.2.2.2 
Primary WINS                       : 10.2.2.2 
Default Domain                     : cisco.com 
PFS Enabled                        : No 
Secure Unit Authentication Enabled : No 
User Authentication Enabled        : No 
Split Networks                     : 10.2.2.0/255.255.255.0 
Backup Servers                     : None 

pix501(config)#

문제 해결

이 섹션에서는 컨피그레이션 문제를 해결하는 데 사용할 수 있는 정보를 제공합니다.

이 문서에 설명된 대로 Easy VPN Remote Hardware Client와 Easy VPN Server를 설정했지만 여전히 문제가 발생하면 각 PIX의 디버그 출력 및 show 명령의 출력을 수집하여 Cisco TAC(Technical Assistance Center)에서 분석합니다. 또한 Troubleshooting the PIX to Pass Data Traffic on an Established IPsec Tunnel 또는 IP Security Troubleshooting - Understanding and Using debug Commands를 참조하십시오. PIX에서 IPsec 디버깅을 활성화합니다.

PIX debug 명령 및 샘플 출력이 여기에 표시됩니다.

참고: debug 명령을 사용하기 전에 디버그 명령에 대한 중요 정보를 참조하십시오.

Easy VPN Server 명령

  • debug crypto ipsec - 2단계의 IPsec 협상을 표시합니다.

  • debug crypto isakmp - 1단계의 ISAKMP 협상을 표시합니다.

샘플 출력입니다.

pix515(config)# 

!--- As soon as the vpnclient enable command !--- is issued on the remote client PIX, !--- the server receives an IKE negotiation request.
 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
OAK_AG exchange 
ISAKMP (0): processing SA payload. message ID = 0 

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 256 
ISAKMP:      hash SHA 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 256 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 192 
ISAKMP:      hash SHA 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 192 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash SHA 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy 
ISAKMP:      encryption 3DES-CBC 
ISAKMP:      hash SHA 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy 
ISAKMP:      encryption 3DES-CBC 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy 
ISAKMP:      encryption DES-CBC 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      extended auth pre-share (init) 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 3 
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
OAK_AG exchange 
ISAKMP (0): processing HASH payload. message ID = 0 
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 
        spi 0, message ID = 0 
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): 
   got a queue event... 
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP 
IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.1.1 

ISAKMP (0): processing vendor id payload 

ISAKMP (0): received xauth v6 vendor id 

ISAKMP (0): processing vendor id payload 

ISAKMP (0): remote peer supports dead peer detection 

ISAKMP (0): processing vendor id payload 

ISAKMP (0): speaking to another IOS box! 

ISAKMP (0): processing vendor id payload 

crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
ISAKMP_TRANSACTION exchange 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
OAK_QM exchange 
oakley_process_quick_mode: 
OAK_QM_IDLE 
ISAKMP (0): processing SA payload. message ID = 4788683 

ISAKMP : Checking IPSec proposal 1 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA 
ISAKMP:      key length is 256IPSEC(validate_proposal): 
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported 

ISAKMP (0): atts not acceptable. Next payload is 0 
ISAKMP : Checking IPSec proposal 2 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5 
ISAKMP:      key length is 256IPSEC(validate_proposal): 
   transform proposal (prot 3, trans 12, hmac_alg 1) not supported 

ISAKMP (0): atts not acceptable. Next payload is 0 
ISAKMP : Checking IPSec proposal 3 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA 
ISAKMP:      key length is 192IPSEC(validate_proposal): 
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported 

ISAKMP (0): atts not acceptable. Next payload is 0 
ISAKMP : Checking IPSec proposal 4 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5 
ISAKMP:      key length is 192IPSEC(validate_proposal): 
   transform proposal (prot 3, trans 12, hmac_alg 1) not supported 

ISAKMP (0): atts not acceptable. Next payload is 0 
ISAKMP : Checking IPSec proposal 5 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA 
ISAKMP:      key length is 128IPSEC(validate_proposal): 
   transform proposal (prot 3, trans 12, hmac_alg 2) not supported 

ISAKMP (0): atts not acceptable. Next payload is 0 
ISAKMP : Checking IPSec proposal 6 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5 
ISAKMP:      key length is 128 
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): 
   proposal part #1, 
  (key eng. msg.) dest= 172.16.2.1, src= 172.16.1.1, 
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4), 
    src_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1), 
    protocol= ESP, transform= esp-aes esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4 

!--- Both PIXes accept the policy for IPsec.
 
ISAKMP (0): processing NONCE payload. message ID = 4788683 

ISAKMP (0): processing ID payload. message ID = 4788683 
ISAKMP (0): ID_IPV4_ADDR src 172.16.1.1 prot 0 port 0 
ISAKMP (0): processing ID payload. message ID = 4788683 
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.2.2.0/255.255.255.0 prot 0 
   port 0IPSEC(key_engine): got a queue event... 
IPSEC(spi_response): getting spi 0xf5720496(4117890198) for SA 
        from     172.16.1.1 to     172.16.2.1 for prot 3 

return status is IKMP_NO_ERROR 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
OAK_QM exchange 
oakley_process_quick_mode: 
OAK_QM_AUTH_AWAIT 
ISAKMP (0): Creating IPSec SAs 
        inbound SA from 172.16.1.1 to 172.16.2.1 
   (proxy 172.16.1.1 to 10.2.2.0) 
        has spi 4117890198 and conn_id 3 and flags 4 
        lifetime of 28800 seconds 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 
        spi 0, message ID = 843197376 
ISAMKP (0): received DPD_R_U_THERE from peer 172.16.1.1 
ISAKMP (0): sending NOTIFY message 36137 protocol 1 
return status is IKMP_NO_ERR_NO_TRANS 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 
        spi 0, message ID = 1985282089 
ISAMKP (0): received DPD_R_U_THERE from peer 172.16.1.1 
ISAKMP (0): sending NOTIFY message 36137 protocol 1 
return status is IKMP_NO_ERR_NO_TRANS 
crypto_isakmp_process_block:src:172.16.1.1, 
   dest:172.16.2.1 spt:500 dpt:500 
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 
        spi 0, message ID = 1510977390 
ISAMKP (0): received DPD_R_U_THERE from peer 172.16.1.1 
ISAKMP (0): sending NOTIFY message 36137 protocol 1 
return status is IKMP_NO_ERR_NO_TRANS

Easy VPN Remote Hardware Client 명령

  • debug crypto ipsec - 2단계의 IPsec 협상을 표시합니다.

  • debug crypto isakmp - 1단계의 ISAKMP 협상을 표시합니다.

pix501(config)#vpnclient enable 
 (cIoSnAfKigM)P#  (0): ID payload 
        next-payload : 13 
        type         : 11 
        protocol     : 17 
        port         : 0 
        length       : 11 
ISAKMP (0): Total payload length: 15 
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3 
ISAKMP (0): beginning Aggressive Mode exchange 
crypto_isakmp_process_block:src:172.16.2.1, 
   dest:172.16.1.1 spt:500 dpt:500 
OAK_AG exchange 
ISAKMP (0): processing SA payload. message ID = 0 

ISAKMP (0): Checking ISAKMP transform 1 against priority 65001 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65002 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65003 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65004 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65005 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65006 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65007 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65008 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0 
ISAKMP (0): Checking ISAKMP transform 1 against priority 65009 policy 
ISAKMP:      encryption AES-CBC 
ISAKMP:      keylength of 128 
ISAKMP:      hash MD5 
ISAKMP:      default group 2 
ISAKMP:      auth pre-share 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP : attributes being requested 

crypto_isakmp_process_block:src:172.16.2.1, 
   dest:172.16.1.1 spt:500 dpt:500 
ISAKMP (0): beginning Quick Mode exchange, 
   M-ID of 1112046058:424879eaIPSEC(key_engine): got a queue event... 
IPSEC(spi_response): getting spi 0x274d3063(659370083) for SA 
        from     172.16.2.1 to     172.16.1.1 for prot 3 

crypto_isakmp_process_block:src:172.16.2.1, 
   dest:172.16.1.1 spt:500 dpt:500 
OAK_QM exchange 
oakley_process_quick_mode: 
OAK_QM_IDLE 
ISAKMP (0): processing SA payload. message ID = 1112046058 

ISAKMP : Checking IPSec proposal 1 

ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 28800 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5 
ISAKMP:      key length is 128 
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): 
   proposal part #1, 
  (key eng. msg.) dest= 172.16.2.1, src= 172.16.1.1, 
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4), 
    src_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1), 
    protocol= ESP, transform= esp-aes esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4 

ISAKMP (0): processing NONCE payload. message ID = 1112046058 

ISAKMP (0): processing ID payload. message ID = 1112046058 
ISAKMP (0): processing ID payload. message ID = 1112046058 
ISAKMP (0): Creating IPSec SAs 
        inbound SA from 172.16.2.1 to 172.16.1.1 
   (proxy 10.2.2.0 to 172.16.1.1) 
        has spi 659370083 and conn_id 2 and flags 4 
        lifetime of 28800 seconds 
        lifetime of 4608000 kilobytes 
        outbound SA from 172.16.1.1 to 172.16.2.1 
   (proxy 172.16.1.1 to 10.2.2.0) 
        has spi 264316759 and conn_id 1 and flags 4 
        lifetime of 28800 seconds 
        lifetime of 4608000 kilobytesIPSEC(key_engine): 
   got a queue event... 
IPSEC(initialize_sas): , 
  (key eng. msg.) dest= 172.16.1.1, src= 172.16.2.1, 
    dest_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1), 
    src_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4), 
    protocol= ESP, transform= esp-aes esp-md5-hmac , 
    lifedur= 28800s and 4608000kb, 
    spi= 0x274d3063(659370083), conn_id= 2, keysize= 128, flags= 0x4 
IPSEC(initialize_sas): , 
  (key eng. msg.) src= 172.16.1.1, dest= 172.16.2.1, 
    src_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1), 
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4), 
    protocol= ESP, transform= esp-aes esp-md5-hmac , 
    lifedur= 28800s and 4608000kb, 
    spi= 0xfc12757(264316759), conn_id= 1, keysize= 128, flags= 0x4 

VPN Peer: IPSEC: Peer ip:172.16.2.1/500 Ref cnt incremented to:2 
   Total VPN Peers:1 
VPN Peer: IPSEC: Peer ip:172.16.2.1/500 Ref cnt incremented to:3 
   Total VPN Peers:1 
return status is IKMP_NO_ERROR 
pix501(config)# 
pix501(config)# 
ISAKMP (0): sending NOTIFY message 36136 protocol 1 
crypto_isakmp_process_block:src:172.16.2.1, 
   dest:172.16.1.1 spt:500 dpt:500 
ISAKMP (0): processing NOTIFY payload 36137 protocol 1 
        spi 0, message ID = 136860646n 
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 172.16.2.1

  • debug vpn client - VPN 클라이언트에 해당하는 협상을 표시합니다.

pix501(config)#vpnclient enable 
pix501(config)# 505: VPNC CFG: transform set unconfig attempt done 
506: VPNC CLI: no isakmp keepalive 10 
507: VPNC CLI: no isakmp nat-traversal 20 
508: VPNC CFG: IKE unconfig successful 
509: VPNC CLI: no crypto map _vpnc_cm 
510: VPNC CFG: crypto map deletion attempt done 
511: VPNC CFG: crypto unconfig successful 
512: VPNC CLI: no global (outside) 65001 
513: VPNC CLI: no nat (inside) 0 access-list _vpnc_acl 
514: VPNC CFG: nat unconfig attempt failed 
515: VPNC CLI: no http 10.1.1.1 255.255.255.0 inside 
516: VPNC CLI: no http server enable 
517: VPNC CLI: no access-list _vpnc_acl 
518: VPNC CFG: ACL deletion attempt failed 
519: VPNC CLI: no crypto map _vpnc_cm interface outside 
520: VPNC CFG: crypto map de/attach failed 
521: VPNC CLI: no sysopt connection permit-ipsec 
522: VPNC CLI: sysopt connection permit-ipsec 
523: VPNC CFG: transform sets configured 
524: VPNC CFG: crypto config successful 
525: VPNC CLI: isakmp keepalive 10 
526: VPNC CLI: isakmp nat-traversal 20 
527: VPNC CFG: IKE config successful 
528: VPNC CLI: http 10.1.1.1 255.255.255.0 inside 
529: VPNC CLI: http server enable 
530: VPNC CLI: no access-list _vpnc_acl 
531: VPNC CFG: ACL deletion attempt failed 
532: VPNC CLI: access-list _vpnc_acl 
   permit ip host 172.16.1.1 host 172.16.2.1 
533: VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl 
534: VPNC CFG: crypto map acl update successful 
535: VPNC CLI: no crypto map _vpnc_cm interface outside 
536: VPNC CLI: crypto map _vpnc_cm interface outside 
537: VPNC INF: IKE trigger request done 
538: VPNC INF: Constructing policy download req 
539: VPNC INF: Packing attributes for policy request 
540: VPNC INF: Attributes being requested 
541: VPNC ATT: ALT_DEF_DOMAIN: cisco.com 
542: VPNC ATT: INTERNAL_IP4_NBNS: 10.2.2.2 
543: VPNC ATT: INTERNAL_IP4_DNS: 10.2.2.2 
544: VPNC ATT: ALT_SPLIT_INCLUDE 
545: VPNC INF:  10.2.2.0/255.255.255.0 
546: VPNC ATT: ALT_PFS: 0 
547: VPNC ATT: ALT_CFG_SEC_UNIT: 0 
548: VPNC ATT: ALT_CFG_USER_AUTH: 0 
549: VPNC CLI: no access-list _vpnc_acl 
550: VPNC CLI: access-list _vpnc_acl 
   permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 
551: VPNC CLI: access-list _vpnc_acl 
   permit ip host 172.16.1.1 10.2.2.0 255.255.255.0 
552: VPNC CFG: _vpnc_acl ST define done 
553: VPNC CFG: Split DNS config attempt done 
554: VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl 
555: VPNC CFG: crypto map acl update successful 
556: VPNC CLI: no crypto map _vpnc_cm interface outside 
557: VPNC CLI: crypto map _vpnc_cm interface outside 
558: VPNC CLI: no global (outside) 65001 
559: VPNC CLI: no nat (inside) 0 access-list _vpnc_acl 
560: VPNC CFG: nat unconfig attempt failed 
561: VPNC CLI: nat (inside) 0 access-list _vpnc_acl 
562: VPNC INF: IKE trigger request done

관련 정보

개정 이력

개정 게시 날짜 의견
1.0
26-Sep-2008
최초 릴리스

이 문서가 도움이 되셨습니까?

Feedback피드백

지원 문의

이 문서가 적용되는 제품