从传统EzVPN迁移到增强型EzVPN配置示例
目录
简介
本文档介绍如何配置Easy VPN(EzVPN)设置,其中辐条1使用增强的EzVPN来连接到中心,而辐条2使用传统EzVPN来连接到同一中心。集线器配置为增强型EzVPN。 增强型EzVPN和传统EzVPN的区别在于前者使用动态虚拟隧道接口(dVTI),后者使用加密映射。Cisco dVTI是一种方法,可供使用Cisco EzVPN的客户用于服务器和远程配置。隧道为每个EzVPN连接提供按需独立的虚拟访问接口。虚拟访问接口的配置是从虚拟模板配置中克隆的,虚拟模板配置包括IPsec配置和在虚拟模板接口上配置的任何Cisco IOS®软件功能,如QoS、NetFlow或访问控制列表(ACL)。
借助IPsec dVTI和Cisco EzVPN,用户可以为远程访问VPN提供高度安全的连接,该连接可与Cisco AVVID(语音、视频和集成数据架构)结合使用,以通过IP网络提供融合的语音、视频和数据。
先决条件
要求
思科建议您了解EzVPN。
使用的组件
本文档中的信息基于Cisco IOS版本15.4(2)T。
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
背景信息
具有dVTI配置的Cisco EzVPN提供可路由接口,以选择性地将流量发送到不同目的地,如EzVPN集中器、不同的站点到站点对等体或Internet。IPsec dVTI配置不需要IPsec会话到物理接口的静态映射。这允许在任何物理接口(例如在多条路径的情况下)上灵活地发送和接收加密流量。当流量从隧道接口转发或转发到隧道接口时,会对其进行加密。
流量通过IP路由表转发到隧道接口或从隧道接口转发。路由在互联网密钥交换(IKE)模式配置期间动态获知,并插入到指向dVTI的路由表中。动态IP路由可用于在VPN中传播路由。使用IP路由将流量转发到加密时,与在本地IPsec配置中使用加密映射的ACL相比,IPsec VPN配置更简化。
在早于Cisco IOS版本12.4(2)T的版本中,在隧道上行/隧道下行转换时,必须解析并应用在模式配置期间推送的属性。当此类属性导致在接口上应用配置时,必须覆盖现有配置。借助dVTI支持功能,可将隧道启动配置应用于单独的接口,使在隧道启动时支持独立功能更加容易。应用于进入隧道的流量(加密前)的功能可以与应用于未通过隧道的流量(例如,拆分隧道流量和隧道未打开时离开设备的流量)的功能分开。
当EzVPN协商成功时,虚拟接入接口的线路协议状态将更改为up。当EzVPN隧道因安全关联过期或被删除而关闭时,虚拟访问接口的线路协议状态将变为关闭。
路由表在EzVPN虚拟接口配置中充当流量选择器 — 即,路由替换加密映射上的访问列表。在虚拟接口配置中,如果EzVPN服务器已配置IPsec dVTI,则EzVPN会协商单个IPsec安全关联。无论配置了EzVPN模式如何,都会创建此单一安全关联。
建立安全关联后,会添加指向虚拟接入接口的路由,以将流量定向到企业网络。EzVPN还向VPN集中器添加路由,以便IPsec封装的数据包路由到公司网络。在非拆分模式下,会添加指向虚拟接入接口的默认路由。当EzVPN服务器“推送”拆分隧道时,拆分隧道子网将成为指向虚拟访问的路由添加到的目标。无论哪种情况,如果对等体(VPN集中器)未直接连接,EzVPN会向对等体添加路由。
QoS可用于改善整个网络中不同应用的性能。在此配置中,流量整形在两个站点之间使用,以限制站点之间应传输的总流量。此外,QoS配置可支持Cisco IOS软件中提供的任何QoS功能组合,以支持任何语音、视频或数据应用。
好处
- 简化管理
客户可以使用Cisco IOS虚拟模板按需克隆IPsec的新虚拟接入接口,从而简化VPN配置复杂性并降低成本。此外,现有管理应用程序现在可以监控不同站点的单独接口,以便进行监控。 - 提供可路由接口
Cisco IPsec VTI可支持所有类型的IP路由协议。客户可以使用这些功能来连接较大的办公室环境,如分支机构。 - 改进扩展
IPsec VTI对每个站点使用单个安全关联,涵盖不同类型的流量,从而改进扩展。 - 在定义功能方面提供灵活性
IPsec VTI是其自己接口内的封装。这为IPsec VTI上的明文流量定义功能提供了灵活性,并为物理接口上的加密流量定义功能。
配置
网络图
配置汇总
中心配置
hostname Hub
!
no aaa new-model
!
no ip domain lookup
!
username test-user privilege 15 password 0 cisco123
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group En-Ezvpn
key test-En-Ezvpn
crypto isakmp profile En-EzVpn-Isakmp-Profile
match identity group En-Ezvpn
isakmp authorization list default
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile En-EzVpn-Ipsec-Profile
set transform-set VPN-TS
set isakmp-profile En-EzVpn-Isakmp-Profile
!
!
interface Loopback0
description Router-ID
ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
description inside-network
ip address 192.168.0.1 255.255.255.255
!
interface Ethernet0/0
description WAN-Link
ip address 172.16.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile En-EzVpn-Ipsec-Profile
!
router eigrp 1
network 10.0.0.1 0.0.0.0
network 192.168.0.1 0.0.0.0
network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.100
!
end
分支1(增强型EzVPN)配置
hostname Spoke1
!
no aaa new-model
!
interface Loopback0
description Router-ID
ip address 10.0.1.1 255.255.255.255
crypto ipsec client ezvpn En-EzVpn inside
!
interface Loopback1
description Inside-network
ip address 192.168.1.1 255.255.255.255
!
interface Ethernet0/0
description WAN-Link
ip address 172.16.1.1 255.255.255.0
crypto ipsec client ezvpn En-EzVpn
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
!
router eigrp 1
network 10.0.1.1 0.0.0.0
network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.100
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto ipsec client ezvpn En-EzVpn
connect auto
group En-Ezvpn key test-En-Ezvpn
mode network-extension
peer 172.16.0.1
virtual-interface 1
!
end
分支2(传统EzVPN)配置
hostname Spoke2
!
no aaa new-model
!
no ip domain lookup
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto ipsec client ezvpn Leg-Ezvpn
connect auto
group En-Ezvpn key test-En-Ezvpn
mode network-extension
peer 172.16.0.1
xauth userid mode interactive
!
!
interface Loopback0
ip address 10.0.2.1 255.255.255.255
crypto ipsec client ezvpn Leg-Ezvpn inside
!
interface Loopback1
ip address 192.168.2.1 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.2.1 255.255.255.0
crypto ipsec client ezvpn Leg-Ezvpn
!
ip route 0.0.0.0 0.0.0.0 172.16.2.100
!
end
验证
使用本部分可确认配置能否正常运行。
命令输出解释程序工具(仅限注册用户)支持某些 show 命令。使用输出解释器工具来查看 show 命令输出的分析。
中心到分支1隧道
第 1 阶段
Hub#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1006 172.16.0.1 172.16.2.1 ACTIVE aes sha psk 2 23:54:53 C
Engine-id:Conn-id = SW:6
1005 172.16.0.1 172.16.1.1 ACTIVE aes sha psk 2 23:02:14 C
Engine-id:Conn-id = SW:5
IPv6 Crypto ISAKMP SA
第 2 阶段
此处的代理用于any/any,这意味着从虚拟访问1流出的任何流量都将被加密并发送到172.16.1.1。
Hub#show crypto ipsec sa peer 172.16.1.1 detail
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 172.16.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 776, #pkts encrypt: 776, #pkts digest: 776
#pkts decaps: 771, #pkts decrypt: 771, #pkts verify: 771
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x9159A91E(2438572318)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB82853D4(3089650644)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: SW:13, sibling_flags 80000040, crypto map:
Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4342983/3529)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9159A91E(2438572318)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: SW:14, sibling_flags 80000040, crypto map:
Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4342983/3529)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
EIGRP
Hub#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.1.1 Vi1 13 00:59:28 31 1398 0 3
辐射点1
第 1 阶段
Spoke1#show cry is sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1005 172.16.1.1 172.16.0.1 ACTIVE aes sha psk 2 22:57:07 C
Engine-id:Conn-id = SW:5
IPv6 Crypto ISAKMP SA
第 2 阶段
Spoke1#show crypto ipsec sa detail
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 821, #pkts encrypt: 821, #pkts digest: 821
#pkts decaps: 826, #pkts decrypt: 826, #pkts verify: 826
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xB82853D4(3089650644)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x9159A91E(2438572318)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 11, flow_id: SW:11, sibling_flags 80004040, crypto map:
Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4354968/3290)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB82853D4(3089650644)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 12, flow_id: SW:12, sibling_flags 80004040, crypto map:
Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4354968/3290)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
EZVPN
Spoke1#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : En-EzVpn
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to Ethernet0/0)
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 172.16.0.1
路由 — EIGRP
在Spoke 2中,代理会使离开虚拟访问接口的所有流量都被加密。只要有一条路由指向网络的该接口,流量就会被加密:
Spoke1#ping 192.168.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
Spoke1#ping 192.168.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Spoke1# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.1.100 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.1.100
[1/0] via 0.0.0.0, Virtual-Access1
10.0.0.0/32 is subnetted, 2 subnets
D 10.0.0.1 [90/27008000] via 10.0.0.1, 01:16:15, Virtual-Access1
C 10.0.1.1 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.0.1/32 [1/0] via 172.16.1.100
C 172.16.1.0/24 is directly connected, Ethernet0/0
L 172.16.1.1/32 is directly connected, Ethernet0/0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/27008000] via 10.0.0.1, 01:16:15, Virtual-Access1
192.168.1.0/32 is subnetted, 1 subnets
C 192.168.1.1 is directly connected, Loopback1
Spoke1#
中心到辐射点2隧道
第 1 阶段
Hub#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1006 172.16.0.1 172.16.2.1 ACTIVE aes sha psk 2 23:54:53 C
Engine-id:Conn-id = SW:6
1005 172.16.0.1 172.16.1.1 ACTIVE aes sha psk 2 23:02:14 C
Engine-id:Conn-id = SW:5
IPv6 Crypto ISAKMP SA
第 2 阶段
本示例中不使用集线器客户端配置下的拆分隧道ACL。因此,在分支上形成的代理用于分支上任何EzVPN“内部”网络到任何网络。基本上,在集线器上,任何发往辐条上“内部”网络之一的流量都将被加密并发送到172.16.2.1。
Hub#show crypto ipsec sa peer 172.16.2.1 detail
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 172.16.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/0/0)
current_peer 172.16.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.2.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x166CAC10(376220688)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8525868A(2233829002)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map:
Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4217845/1850)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x166CAC10(376220688)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map:
Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4217845/1850)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
辐射点2
第 1 阶段
Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.16.0.1 172.16.2.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
第 2 阶段
Spoke2#show crypto ipsec sa detail
interface: Ethernet0/0
Crypto map tag: Ethernet0/0-head-0, local addr 172.16.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 172.16.2.1, remote crypto endpt.: 172.16.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x8525868A(2233829002)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x166CAC10(376220688)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map:
Ethernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4336232/2830)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8525868A(2233829002)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map:
Ethernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4336232/2830)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
EZVPN
Spoke2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : Leg-Ezvpn
Inside interface list: Loopback0
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 172.16.0.1
路由 — 静态
与分支1不同,分支2必须具有静态路由或使用反向路由注入(RRI)来注入路由,以告知哪些流量应被加密以及哪些不应被加密。在本示例中,仅从Loopback 0发出的流量根据代理和路由进行加密。
Spoke2#ping 192.168.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.....
Success rate is 0 percent (0/5)
Spoke2#ping 192.168.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms
Spoke2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.2.100 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.2.100
10.0.0.0/32 is subnetted, 1 subnets
C 10.0.2.1 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.2.0/24 is directly connected, Ethernet0/0
L 172.16.2.1/32 is directly connected, Ethernet0/0
192.168.2.0/32 is subnetted, 1 subnets
C 192.168.2.1 is directly connected, Loopback1
故障排除
本部分提供了可用于对配置进行故障排除的信息。
集线器命令
debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。
debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。
分支命令
debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。
debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。
- debug crypto ipsec client ezvpn -显示EzVPN调试。
反馈