排除 PIX 故障以在已建立的 IPSec 隧道上传递数据流量

下载选项

  • PDF     (307.1 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (101.3 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (107.8 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2005 年 9 月 27 日
文档 ID:18957

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

简介

本文讨论了已经成功确立的思科VPN客户端和PIX之间的IPSec隧道无法传输数据这一问题,并提供了解决方案。

当您不能从VPN客户端ping通或远程登陆到配有PIX的LAN中的任何主机时,会频繁遇到不能在VPN客户端和PIX之间已经确立的IPSec隧道上传输数据的情况。换句话说,VPN客户端和PIX无法在它们之间传递加密数据。这是因为PIX具有到路由器的LAN到LAN IPsec隧道和VPN客户端。无法传递数据是使用相同访问控制列表(ACL)为LAN到LAN IPsec对等体配置nat 0和静态加密映射的结果。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • 思科安全PIX防火墙6.0.1

  • 运行 Cisco IOS® 软件版本 12.2(6) 的 Cisco 1720 路由器

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档约定的更多信息,请参考 Cisco 技术提示约定。

排除 PIX 故障

网络图

ipsec_tun_pass_data-a.gif

有问题的配置示例

PIX 520 
pix520-1#write terminal
Building configuration...
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix520-1
domain-name vpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- Access-List “140” defines interesting traffic to bypass NAT for VPN !--- and defines VPN interesting traffic. This is incorrect.

access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host outside 192.168.2.6
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500

!--- IP addresses on the outside and inside interfaces.

ip address outside 172.16.172.34 255.255.255.240
ip address inside 192.168.4.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 172.16.172.57 netmask 255.255.255.255

!--- The nat 0 command bypasses NAT for the packets destined over the IPsec tunnel.

Nat (inside) 0 access-list 140
Nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.172.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip
0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
AAA-server mytest protocol tacacs+
AAA-server nasir protocol radius
snmp-server host outside 192.168.2.6
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable

!--- The sysopt command bypasses conduits or ACLs that check to be applied !--- on the inbound VPN packets after decryption.

sysopt connection permit-ipsec
no sysopt route dnat

!--- The crypto ipsec command defines IPsec encryption and authen algo.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

!--- The crypto map commands define the IPsec !--- Security Assocation (SA) (Phase II SA) parameters.

crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 140
crypto map mymap 5 set peer 172.16.172.39
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside

!--- The isakmp key command defines the pre-shared key for the peer address.

isakmp key ******** address 172.16.172.39 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp identity address

!--- The isakmp policy defines the Phase 1 SA parameters.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption Des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.4.0 255.255.255.0 inside
telnet 171.69.89.82 255.255.255.255 inside
telnet timeout 5
ssh 172.0.0.0 255.0.0.0 outside
ssh 171.0.0.0 255.255.255.0 outside
ssh 171.0.0.0 255.0.0.0 outside
ssh timeout 60
terminal width 80
Cryptochecksum:55948dc706cc700e9c10e1d24a8b125c

在有问题的配置中,ACL 140定义了相关流量或要为LAN到LAN隧道加密的流量。该配置使用与nat 0 ACL相同的ACL。

了解事件的一般顺序

当IP信息包到达PIX的内部接口时,检查检查网络地址转换(NAT)。然后,检查加密映射的ACL。

  • 如何使用nat 0。

    nat 0 ACL定义了NAT中不应包含的内容。nat 0命令中的ACL为PIX上的NAT规则被禁用的连接定义源地址和目的地地址。因此,具有与nat 0命令中定义的ACL匹配的源地址和目的地址的IP数据包会绕过PIX上的所有NAT规则。

    要借助私有地址在PIX和另一VPN设备之间实施LAN到LAN隧道,请使用nat 0命令绕过NAT。PIX防火墙上的规则可防止私有地址包含在NAT中,同时这些规则通过IPsec隧道转到远程LAN。

  • 如何使用加密ACL。

    在NAT检查后,PIX检查到达其内部接口的每个IP数据包的源和目的地,以匹配静态和动态加密映射中定义的ACL。如果PIX发现与ACL匹配,PIX将执行以下任一步骤:

    • 如果当前没有与对等IPsec设备一起为流量建立的IPsec安全关联(SA),PIX将启动IPsec协商。SA建立后,它会加密数据包,并通过IPsec隧道将其发送到IPsec对等体。

    • 如果已经有一个用对等体构建的IPSec SA,PIX就会加密IP信息包并且将加密的信息包发送到对等体IPSec设备。

  • 动态 ACL.

    一旦VPN客户端借助IPsec连接到PIX,PIX将创建一个动态ACL,该ACL指定要用于定义此IPsec连接的相关流量的源地址和目标地址。

了解PIX上的一系列问题事件

普通配置错误是使用同样ACL 用于NAT 0和静态加密映射。这些部分讨论为什么会导致错误以及如何纠正问题。

PIX配置示,当IP数据包从网络192.168.4.0/24传输到网络10.10.10.0/24和网络10.1.2.0/24(IP本地池ipool中定义的网络地址)时,nat 0 ACL 140会绕过NAT。 此外,ACL 140还定义了对等体172.16.172.39的静态加密映射的相关流量。

当IP数据包到达PIX内部接口时,NAT检查完成,然后PIX检查加密映射中的ACL。PIX从实例编号最低的加密映射开始。这是因为上例中的静态加密映射实例编号最低,因此会检查ACL 140。接下来,检查动态加密映射的动态ACL。在此配置中,ACL 140被定义为加密从网络192.168.4.0 /24发往网络10.10.10.0/24 0和10.1.2.0 /24的流量。但是,对于LAN到LAN隧道,您只想加密网络192.168之间的流量。4.0 /24和10.10.10.0 /24。这是IPsec对等路由器定义其加密ACL的方式。

了解PIX上的一系列问题事件

当客户端建立到PIX的IPsec连接时,会从IP本地池分配IP地址。在本例中,为客户端分配了10.1.2.1。PIX还生成动态ACL,如以下show crypto map命令输出所示: 

Crypto Map "mymap" 20 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl2 permit ip host 172.16.172.34 host 10.1.2.1 (hitcnt=0)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
Crypto Map "mymap" 30 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl3 permit ip any host 10.1.2.1 (hitcnt=0)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
pix520-1(config)#

show crypto map命令还显示静态加密映射: 

Crypto Map: "mymap" interfaces: { outside }
Crypto Map "mymap" 5 ipsec-isakmp
Peer = 172.16.172.39
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0 
   (hitcnt=45)
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.1.2.0 255.255.255.0
   (hitcnt=84)
Current peer: 172.16.172.39
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset,}

一旦在客户端和PIX之间建立IPsec隧道,客户端就会启动对主机192.168.4.3的ping。当主机192.168.4.3收到回应请求时,主机192.168.4.3会以回应应答进行回复,如debug icmp trace命令的输出所示。 

27: Inbound ICMP echo request (len 32 id 2 seq 7680) 
   10.1.2.1 > 192.168.4.3> 192.168.4.3
28: Outbound ICMP echo reply (Len 32 id 2 seq 7680) 
   192.168.4.3 >192.168.4.3 > 10.1.2.1
29: Inbound ICMP echo request (Len 32 id 2 seq 7936) 
   10.1.2.1 > 192.168.4.3> 192.168.4.3
30: Outbound ICMP echo reply (Len 32 id 2 seq 7936) 
   192.168.4.3 >192.168.4.3 > 10.1.2.1

然而,ECHO回复没有达到VPN客户端软件(主机10.1.2.1),并且连接发生了故障。在PIX上,您可以通过show crypto ipsec sa命令看到这一点。此输出显示,PIX解密来自VPN客户端的120个数据包,但不加密任何数据包或将加密的数据包发送到客户端。因此,封装的数据包数为零。 

pix520-1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: mymap, local addr. 172.16.172.34
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 171.69.89.120
dynamic allocated peer ip: 10.1.2.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 

!--- No packets encrypted and sent to client.

#pkts decaps: 120, #pkts decrypt: 120, #pkts verify 120 

!--- 120 packets received from client.

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 171.69.89.120
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 33a45029
inbound esp sas:
spi: 0x279fc5e9(664782313)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607985/27809)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound ESP sas:
spi: 0x33a45029(866406441)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/27809)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.16.172.39
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 172.16.172.39
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f264e92c
inbound ESP sas:
spi: 0x2772b869(661829737)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607997/2420)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas:
outbound ESP sas:
spi: 0xf264e92c(4066699564)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/2420)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:

注意:当主机192.168.4.3回复回应请求时,IP数据包将到达PIX的内部接口。

38: Outbound ICMP echo reply (Len 32 id 2 seq 8960) 
   192.168.4.3 >192.168.4.3 > 10.1.2.1

一旦IP数据包到达内部接口,PIX将检查nat 0 ACL 140并确定IP数据包的源地址和目的地址与ACL匹配。因此,此IP数据包绕过PIX上的所有NAT规则。然后,检查加密ACL。由于静态加密映射的实例编号最低,因此首先检查其ACL。因为此示例使用ACL 140进行静态加密映射,所以PIX检查这个ACL。现在,IP数据包的源地址为192.168.4.3,目的地址为10.1.2.1。由于这与ACL 140匹配,PIX认为此IP数据包用于对等体为172.16.1的LAN到LAN IPsec隧道72.39(与我们的目标相悖)。 因此,它检查SA数据库,以查看此流量是否已存在对等体为172.16.72.39的当前SA。如show crypto ipsec sa命令的输出所示,此流量不存在SA。PIX不加密或将数据包发送到VPN客户端。相反,它会启动与对等体172.16.172.39的另一个IPsec协商,如以下输出所示: 

crypto_isakmp_process_block: src 172.16.172.39, dest 172.16.172.34
return status is IKMP_NO_ERR_NO_TRANS02303: sa_request, (key eng. msg.)
src= 172.16.172.34, dest= 172.16.172.39,
src_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform=
ESP-Des esp-md5-hmac , lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
702303: sa_request, (key Eng. msg.) src= 172.16.172.34, dest=
172.16.172.39, src_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform=
ESP-Des esp-md5-hmac , lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer
fired: count = 2,
(identity) local= 172.16.172.34, remote= 172.16.172.39,
local_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4)

IPsec协商失败的原因如下:

  • 对等体172.16.172.39仅将网络10.10.10.0/24和192.168.4.0/24定义为加密映射对等体172.16.172.34的ACL中的相关流量。

  • 在两个对等体之间的IPsec协商期间,代理身份不匹配。

  • 如果对等体启动协商,而本地配置指定完全转发保密(PFS),则对等体必须执行PFS交换,否则协商失败。如果本地配置未指定组,则假设默认组1,并接受组1或组2的提议。如果本地配置指定group2,则该组必须是对等体提供的一部分,否则协商失败。如果本地配置未指定PFS,则它接受来自对等体的任何PFS提供。1024位Diffie-Hellman主模数组group2比group1提供更高的安全性,但比group1需要更多的处理时间。

    注意:加密映射set pfs命令设置IPsec以在请求此加密映射条目的新SA时请求PFS。使用no crypto map set pfs命令指定IPsec不请求PFS。此命令仅适用于IPsec-ISAKMP加密映射条目和动态加密映射条目。默认情况下,不会请求 PFS。使用PFS时,每次协商新SA时,都会发生新的Diffie-Hellman交换。这需要额外的处理时间。PFS增加了另一个安全级别,因为如果攻击者破解了一个密钥,则只有与该密钥一起发送的数据会受到攻击。在协商期间,此命令使IPsec在为加密映射条目请求新SA时请求PFS。如果set pfs语句未指定组,则发送默认值(group1)。

    注意:当PIX防火墙有许多源自PIX防火墙的隧道并终止于单个远程对等体时,与远程对等体的IKE协商可能会挂起。当PFS未启用,并且本地对等体请求许多同时重新生成密钥请求时,会发生此问题。如果出现此问题,IKE SA在超时或您使用clear [crypto] isakmp sa命令手动清除它之前不会恢复。此问题不会影响配置了许多隧道到多个对等体或许多共享同一隧道的客户端的PIX防火墙单元。如果您的配置受影响,请使用crypto map mapname seqnum set pfs命令启用PFS

PIX上的IP数据包最终被丢弃。

了解解决方案

纠正此错误的正确方法是为nat 0和静态加密映射限定2个单独的ACL。为此,示例为nat 0命令定义ACL 190,并为静态加密映射使用修改的ACL 140,如以下输出所示。

PIX520-1 
pix520-1(config)#
pix520-1(config)#write terminal
Building configuration...
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix520-1
domain-name vpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- Access list 140 defines interesting traffic in order to bypass NAT for VPN.

access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0

!--- Defines VPN interesting traffic.

access-list 190 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0
access-list 190 permit ip 192.168.4.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging

logging history debugging
logging host outside 192.168.2.6
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.16.172.34 255.255.255.240
ip address inside 192.168.4.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 172.16.172.57 netmask 255.255.255.255

!--- The nat 0 command bypasses NAT for the packets destined over the IPsec tunnel..

Nat (inside) 0 access-list 190
Nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.172.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
AAA-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
AAA-server mytest protocol tacacs+
AAA-server nasir protocol radius
snmp-server host outside 192.168.2.6
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset ESP-Des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

!--- The crypto map commands define the IPsec SA (Phase II SA) parameters.

crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 140
crypto map mymap 5 set peer 172.16.172.39
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 172.16.172.39 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption Des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption Des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.4.0 255.255.255.0 inside
telnet 171.69.89.82 255.255.255.255 inside
telnet timeout 5
ssh 172.0.0.0 255.0.0.0 outside
ssh 171.0.0.0 255.255.255.0 outside
ssh 171.0.0.0 255.0.0.0 outside
ssh timeout 60
terminal width 80
Cryptochecksum:e2cb98b30d3899597b3af484fae4f9ae
: end
[OK]
pix520-1(config)# pix520-1(config)#show crypto map

在进行更改并且客户端与PIX建立IPsec隧道后,发出show crypto map命令。此命令显示,对于静态加密映射,ACL 140定义的相关流量仅为192.168.4.0/24和10.10.10.0/24,这是原始目标。此外,动态访问列表显示客户端(10.1.2.1)和PIX (172.16.172.34)定义的触发性数据流。 

pix520-1(config)#show crypto map
Crypto Map: "mymap" interfaces: { outside }
Crypto Map "mymap" 5 ipsec-isakmp
Peer = 172.16.172.39
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0 
   (hitcnt=57)
Current peer: 172.16.172.39
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
Crypto Map "mymap" 10 ipsec-isakmp
Dynamic map template tag: dynmap
Crypto Map "mymap" 20 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl4 permit ip host 172.16.172.34 host 10.1.2.1 (hitcnt=0)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
Crypto Map "mymap" 30 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl5 permit ip any host 10.1.2.1 (hitcnt=13)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }

当VPN客户端10.1.2.1向主机192.168.4.3发送ping时,回应应答将到达PIX的内部接口。PIX检查NAT 0 ACL 190,并且确定IP信息包和ACL匹配。因此,数据包绕过PIX上的NAT规则。接下来,PIX检查静态加密映射ACL 140以查找匹配项。这次,IP数据包的源和目标与ACL 140不匹配。因此,PIX检查动态ACL并找到匹配项。然后,PIX检查其SA数据库,以查看是否已与客户端建立IPsec SA。由于客户端已与PIX建立IPsec连接,因此存在IPsec SA。然后,PIX加密数据包并将其发送到VPN客户端。使用PIX的show crypto ipsec sa命令输出查看信息包是否被加密和解密。在这种情况下,PIX加密了16个数据包,并将其发送到客户端。PIX还从VPN客户端接收加密数据包和解密的16个数据包。

pix520-1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: mymap, local addr. 172.16.172.34
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 171.69.89.120
dynamic allocated peer ip: 10.1.2.1
PERMIT, flags={}
#pkts encaps: 16, #pkts encrypt: 16,#pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 171.69.89.120
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 613d083d
inbound ESP sas:
spi: 0x6adf97df(1793038303)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/27420)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas:
outbound ESP sas:
spi: 0x613d083d(1631389757)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/27420)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.16.172.39
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 172.16.172.39
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 58009c01
inbound ESP sas:
spi: 0x2d408709(759203593)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/3319)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas: outbound ESP sas:
spi: 0x58009c01(1476434945)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/3319)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
pix520-1(config)# sh cr isa sa
Total : 2
Embryonic : 0
dst src state pending created
172.16.172.39 172.16.172.34 QM_IDLE 0 1
172.16.172.34 171.69.89.120 QM_IDLE 0 2
pix520-1(config)# sh cr ipsec sa

路由器配置与 show 命令输出

Cisco 1720-1 
1720-1#show run
Building configuration...
Current configuration : 1592 bytes
!
! Last configuration change at 21:08:49 PST Mon Jan 7 2002
! NVRAM config last updated at 18:18:17 PST Mon Jan 7 2002
!
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720-1
!
no logging buffered
enable secret 5 $1$6jAs$tNxI1a/2DYFAtPLyCDXjo/
enable password ww
!
username cisco password 0 cisco
memory-size iomem 15
clock timezone PST -8
ip subnet-zero
no ip domain-lookup
ip domain-name cisco.com
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!

!--- The crypto isakmp policy command defines the Phase 1 SA parameters.

crypto isakmp policy 15
authentication pre-share
crypto isakmp key cisco123 address 172.16.172.34
!
!

!--- The crypto ipsec transform-set command defines IPsec encryption !--- and authentication algorithims.

crypto ipsec transform-set myset ESP-Des esp-md5-hmac
!
!

!--- The crypto map command defines the IPsec SA (Phase II SA) parameters..

crypto map vpn 10 ipsec-isakmp
set peer 172.16.172.34
set transform-set myset
match address 150
!
!
!
!
!
interface FastEthernet0
ip address 172.16.172.39 255.255.255.240
speed auto

!--- The crypto map applied to the outbound interface.

crypto map vpn
interface Ethernet0
ip address 10.10.10.1 255.255.255.240
speed auto
no ip route-cache
no ip mroute-cache
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.172.33
no ip http server
ip pim bidir-enable
!

!--- Access-list defines interesting VPN traffic.

access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
no login
line vty 5 15
login
!
no scheduler allocate
end
1720-1#
 

1720-1#show crypto isa sa
DST src state conn-id slot
172.16.172.39 172.16.172.34 QM_IDLE 132 0
1720-1#show crypto ipsec sa
interface: FastEthernet0
Crypto map tag: vpn, local addr. 172.16.172.39
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 172.16.172.34
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9 #pkts encrypt: 9 #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 7, #recv errors 0
local crypto endpt.: 172.16.172.39, remote crypto endpt.: 172.16.172.34
path mtu 1500, media mtu 1500
current outbound spi: 2D408709
inbound ESP sas:
spi: 0x58009C01(1476434945)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }

!--- IPsec SA 200 as seen in the show crypto engine connection active command.

slot: 0, conn id: 200, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3144)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas:
outbound ESP sas:
spi: 0x2D408709(759203593)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }

!--- IPsec SA 201 as seen in the show crypto engine connection active command.

slot: 0, conn id: 201, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3144)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
1720-1#

1720-1#show crypto map
Interfaces using crypto map mymap:
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 172.16.172.34
Extended IP access list 150
access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
Current peer: 172.16.172.34
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn: FastEthernet0

相关信息

修订历史记录

版本 发布日期 备注
1.0
27-Sep-2005
初始版本

此文档是否有帮助?

Feedback反馈

联系我们

本文档适用于以下产品