在有VPN 3000集中器的IOS路由器上，带NEM的EzVPN配置示例

简介

本文档说明了在网络扩展模式(NEM)中将Cisco IOS®路由器配置为EzVPN以连接到Cisco VPN 3000集中器所使用的过程。新的EzVPN阶段II功能支持基本网络地址转换(NAT)配置。EzVPN阶段II源自Unity协议（VPN客户端软件）。 远程设备始终是IPsec隧道的发起方。但是，EzVPN客户端上不可配置互联网密钥交换(IKE)和IPsec提议。VPN客户端与服务器协商建议。

要使用 Easy VPN 在 PIX/ASA 7.x 和 Cisco 871 路由器之间配置 IPsec，请参阅将 ASA 5500 用作服务器，将 Cisco 871 用作 Easy VPN Remote 的 PIX/ASA 7.x Easy VPN 配置示例。

要在 Cisco IOS® Easy VPN Remote Hardware Client 和 PIX Easy VPN 服务器之间配置 IPsec，请参阅 IOS Easy VPN Remote Hardware Client 到 PIX Easy VPN 服务器配置示例。

要将 Cisco 7200 路由器配置为 EzVPN 并将 Cisco 871 路由器配置为 Easy VPN Remote，请参阅 7200 Easy VPN 服务器到 871 Easy VPN Remote 配置示例。

先决条件

要求

在尝试进行此配置之前，请检查Cisco IOS路由器是否支持EzVPN Phase II功能，并且是否具有IP连接和端到端连接以建立IPsec隧道。

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 思科IOS软件版本12.2(8)YJ（EzVPN第II阶段）

• VPN 3000集中器3.6.x

• Cisco 1700 路由器

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

注意：此配置最近使用Cisco IOS软件版本12.4(8)和VPN 3000集中器4.7.x版本的Cisco 3640路由器进行了测试。

规则

有关文档规则的详细信息，请参阅 Cisco 技术提示规则。

配置VPN 3000集中器

任务

在本节中，您将获得配置VPN 3000集中器的信息。

网络图

本文档使用此图所示的网络设置。环回接口用作内部子网，FastEthernet 0是Internet的默认接口。

分步说明

请完成以下步骤：

1. 选择Configuration > User Management > Groups > Add并定义组名和口令，以便为用户配置IPsec组。

   本示例使用组名turaro和密码/验证tululo。

   

2. 选择Configuration > User Management > Groups > turaro > General 以启用IPSec并禁用点对点隧道协议(PPTP)和第2层隧道协议(L2TP)。

   选择并单击“应用”。

   

3. 将Authentication设置为Internal for Extended Authentication(Xauth)，并确保Tunnel Type为Remote Access,IPSec SA为ESP-3DES-MD5。

   

4. 选择Configuration > System > Tunneling Protocols > IPSec > IKE Proposals，以确保Cisco VPN客户端(CiscoVPNClient-3DES-MD5)处于IKE（第1阶段）的活动建议中。

   注意：从VPN集中器4.1.x，确保Cisco VPN客户端在IKE的活动建议列表（第1阶段）中的步骤不同。 选择Configuration > Tunneling and Security > IPSec > IKE Proposals。

   

5. 验证您的IPsec安全关联(SA)。

   在第3步中，您的IPsec SA是ESP-3DES-MD5。如果需要，您可以创建新IPsec SA，但请确保在组上使用正确的IPsec SA。您应该为您使用的IPsec SA禁用完全转发保密(PFS)。通过选择Configuration > Policy Management > Traffic Management > SAs，选择Cisco VPN Client作为IKE建议。在文本框中键入SA名称，并做出相应选择，如下所示：

   

   注意：如果您希望选择预定义SA，则此步骤和下一步是可选的。如果客户端具有动态分配的IP地址，请在IKE对等体文本框中使用0.0.0.0。确保IKE建议设置为CiscoVPNClient-3DES-MD5，如本示例所示。

6. 不能单击允许列表中的网络绕过隧道。原因是支持分割隧道，但EzVPN客户端功能不支持旁路功能。

   

7. 选择Configuration > User Management > Users以添加用户。定义用户名和密码，将其分配给组，然后单击“添加”。

   

8. 选择Administration > Admin Sessions并检查用户是否已连接。在NEM中，VPN集中器不从池分配IP地址。

   注：如果您希望选择预定义的SA，则此步骤为可选步骤。

   

9. 单击“保存需要”或“保存”图标以保存配置。

路由器配置

show version输出

show version
Cisco Internetwork Operating System Software 
IOS (tm) C1700 Software (C1700-BK9NO3R2SY7-M), Version 12.2(8)YJ,
EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

1721-1(ADSL) uptime is 4 days, 5 hours, 33 minutes
System returned to ROM by reload
System image file is "flash:c1700-bk9no3r2sy7-mz.122-8.YJ.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 88474K/9830K bytes 
16384K bytes of processor board System flash (Read/Write)

1721-1(ADSL)#show run
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1721-1(ADSL)
!

!--- Specify the configuration name !--- to be assigned to the interface.

crypto ipsec client ezvpn SJVPN

!--- Tunnel control; automatic is the default.

connect auto

!--- The group name and password should be the same as given in the VPN Concentrator.

 group turaro key tululo

!--- The mode that is chosen as the network extension.

 mode network-extension

!--- The tunnel peer end (VPN Concentrator public interface IP address).

 peer 172.16.172.41
!
interface Loopback0
 ip address 192.168.254.1 255.255.255.0

!--- Configure the Loopback interface !--- as the inside interface.
 
 ip nat inside

!--- Specifies the Cisco EzVPN Remote configuration name !--- to be assigned to the inside interface.
 
 crypto ipsec client ezvpn SJVPN inside
!
interface Loopback1
 ip address 192.168.253.1 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn SJVPN inside
!
interface FastEthernet0
 ip address 172.16.172.46 255.255.255.240

!--- Configure the FastEthernet interface !--- as the outside interface.
 
 ip nat outside

!--- Specifies the Cisco EzVPN Remote configuration name !--- to be assigned to the first outside interface, because !--- outside is not specified for the interface. !--- The default is outside.

 crypto ipsec client ezvpn SJVPN
!

!--- Specify the overload option with the ip nat command !--- in global configuration mode in order to enable !--- Network Address Translation (NAT) of the inside source address !--- so that multiple PCs can use the single IP address.

ip nat inside source route-map EZVPN interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.172.41
!
access-list 177 deny   ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 177 deny   ip 192.168.253.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 177 permit ip 192.168.253.0 0.0.0.255 any
access-list 177 permit ip 192.168.254.0 0.0.0.255 any
!
route-map EZVPN permit 10
 match ip address 177
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
no scheduler allocate
end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序（仅限注册用户）(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

配置两台设备后，Cisco 3640路由器尝试通过使用对等IP地址自动联系VPN集中器来设置VPN隧道。在交换最初的 ISAKMP 参数后，路由器显示以下消息：

Pending XAuth Request, Please enter the 
	 following command: crypto ipsec client ezvpn xauth

您必须输入提示您输入用户名和口令的 crypto ipsec client ezvpn xauth 命令。这应该与VPN集中器上配置的用户名和密码匹配（步骤7）。 一旦用户名和密码由两个对等体同意，其余参数就会同意，IPsec VPN隧道将启动。

EZVPN(SJVPN): Pending XAuth Request, Please enter the following command: 

EZVPN: crypto ipsec client ezvpn xauth    


!--- Enter the crypto ipsec client ezvpn xauth command.


crypto ipsec client ezvpn xauth

Enter Username and Password.: padma
Password: : password

故障排除

本部分提供的信息可用于对配置进行故障排除。

故障排除命令

命令输出解释程序工具（仅限注册用户）支持某些 show 命令，使用此工具可以查看对 show 命令输出的分析。

注意：在发出debug命令之前，请参阅有关Debug命令的重要信息。

• debug crypto ipsec client ezvpn — 显示显示EzVPN客户端功能的配置和实施的信息。

• debug crypto ipsec - 显示有关 IPsec 连接的调试信息。

• debug crypto isakmp - 显示有关 IPsec 连接的调试信息，并显示由于两端不兼容而被拒绝的第一组属性。

• show debug — 显示每个调试选项的状态。

Debug命令的输出

一旦输入crypto ipsec client ezvpn SJVPN命令，EzVPN Client就会尝试连接到服务器。如果更改组配置下的connect manual命令，请输入crypto ipsec client ezvpn connect SJVPN命令以启动到服务器的建议交换。

4d05h: ISAKMP (0:3): beginning Aggressive Mode exchange
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) AG_INIT_EXCH
4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) AG_INIT_EXCH
4d05h: ISAKMP (0:3): processing SA payload. message ID = 0
4d05h: ISAKMP (0:3): processing ID payload. message ID = 0
4d05h: ISAKMP (0:3): processing vendor id payload
4d05h: ISAKMP (0:3): vendor ID is Unity
4d05h: ISAKMP (0:3): processing vendor id payload
4d05h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
4d05h: ISAKMP (0:3): vendor ID is XAUTH
4d05h: ISAKMP (0:3): processing vendor id payload
4d05h: ISAKMP (0:3): vendor ID is DPD
4d05h: ISAKMP (0:3) local preshared key found
4d05h: ISAKMP (0:3) Authentication by xauth preshared
4d05h: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 65527 policy
4d05h: ISAKMP:      encryption 3DES-CBC
4d05h: ISAKMP:      hash MD5
4d05h: ISAKMP:      default group 2
4d05h: ISAKMP:      auth XAUTHInitPreShared
4d05h: ISAKMP:      life type in seconds
4d05h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP (0:3): Encryption algorithm offered does not match policy!
4d05h: ISAKMP (0:3): atts are not acceptable. Next payload is 0
4d05h: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 65528 policy
4d05h: ISAKMP:      encryption 3DES-CBC
4d05h: ISAKMP:      hash MD5
4d05h: ISAKMP:      default group 2
4d05h: ISAKMP:      auth XAUTHInitPreShared
4d05h: ISAKMP:      life type in seconds
4d05h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP (0:3): Encryption algorithm offered does not match policy!
4d05h: ISAKMP (0:3): atts are not acceptable. Next payload is 0
4d05h: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 65529 policy
4d05h: ISAKMP:      encryption 3DES-CBC
4d05h: ISAKMP:      hash MD5
4d05h: ISAKMP:      default group 2
4d05h: ISAKMP:      auth XAUTHInitPreShared
4d05h: ISAKMP:      life type in seconds
4d05h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP (0:3): Encryption algorithm offered does not match policy!
4d05h: ISAKMP (0:3): atts are not acceptable. Next payload is 0
4d05h: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 65530 policy
4d05h: ISAKMP:      encryption 3DES-CBC
4d05h: ISAKMP:      hash MD5
4d05h: ISAKMP:      default group 2
4d05h: ISAKMP:      auth XAUTHInitPreShared
4d05h: ISAKMP:      life type in seconds
4d05h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP (0:3): Encryption algorithm offered does not match policy!
4d05h: ISAKMP (0:3): atts are not acceptable. Next payload is 0
4d05h: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 65531 policy
4d05h: ISAKMP:      encryption 3DES-CBC
4d05h: ISAKMP:      hash MD5
4d05h: ISAKMP:      default group 2
4d05h: ISAKMP:      auth XAUTHInitPreShared
4d05h: ISAKMP:      life type in seconds
4d05h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP (0:3): Hash algorithm offered does not match policy!
4d05h: ISAKMP (0:3): atts are not acceptable. Next payload is 0
4d05h: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 65532 policy
4d05h: ISAKMP:      encryption 3DES-CBC
4d05h: ISAKMP:      hash MD5
4d05h: ISAKMP:      default group 2
4d05h: ISAKMP:      auth XAUTHInitPreShared
4d05h: ISAKMP:      life type in seconds
4d05h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP (0:3): atts are acceptable. Next payload is 0
4d05h: ISAKMP (0:3): processing KE payload. message ID = 0
4d05h: ISAKMP (0:3): processing NONCE payload. message ID = 0
4d05h: ISAKMP (0:3): SKEYID state generated
4d05h: ISAKMP (0:3): processing HASH payload. message ID = 0
4d05h: ISAKMP (0:3): SA has been authenticated with 172.16.172.41
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) AG_INIT_EXCH
4d05h: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE 

4d05h: IPSEC(key_engine): got a queue event...

4d05h: IPSec: Key engine got KEYENG_IKMP_MORE_SAS message

4d05h: ISAKMP (0:3): Need XAUTH

4d05h: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

 
!--- Phase 1 (ISAKMP) is complete.

4d05h: ISAKMP: received ke message (6/1)

4d05h: ISAKMP: received KEYENG_IKMP_MORE_SAS message

4d05h: ISAKMP: set new node -857862190 to CONF_XAUTH  

!--- Initiate extended authentication.


4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) CONF_XAUTH   
4d05h: ISAKMP (0:3): purging node -857862190
4d05h: ISAKMP (0:3): Sending initial contact.


4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) CONF_XAUTH   

4d05h: ISAKMP: set new node -1898481791 to CONF_XAUTH   

4d05h: ISAKMP (0:3): processing transaction payload from 
  172.16.172.41. message ID = -1898481791
4d05h: ISAKMP: Config payload REQUEST
4d05h: ISAKMP (0:3): checking request:
4d05h: ISAKMP:    XAUTH_TYPE_V2
4d05h: ISAKMP:    XAUTH_USER_NAME_V2
4d05h: ISAKMP:    XAUTH_USER_PASSWORD_V2
4d05h: ISAKMP:    XAUTH_MESSAGE_V2
4d05h: ISAKMP (0:3): Xauth process request
4d05h: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT 

4d05h: EZVPN(SJVPN): Current State: READY
4d05h: EZVPN(SJVPN): Event: XAUTH_REQUEST
4d05h: EZVPN(SJVPN): ezvpn_xauth_request
4d05h: EZVPN(SJVPN): ezvpn_parse_xauth_msg
4d05h: EZVPN: Attributes sent in xauth request message:
4d05h:         XAUTH_TYPE_V2(SJVPN): 0
4d05h:         XAUTH_USER_NAME_V2(SJVPN):
4d05h:         XAUTH_USER_PASSWORD_V2(SJVPN):
4d05h:         XAUTH_MESSAGE_V2(SJVPN) <Enter Username and Password.>
4d05h: EZVPN(SJVPN): New State: XAUTH_REQ
4d05h: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_AWAIT 

4d05h: EZVPN(SJVPN): Pending XAuth Request, Please enter the following command: 

4d05h: EZVPN: crypto ipsec client ezvpn xauth    


!--- Enter the crypto ipsec client ezvpn xauth command.

crypto ipsec client ezvpn xauth

Enter Username and Password.: padma

Password: : password


!--- The router requests your username and password that is !--- configured on the server.

4d05h: EZVPN(SJVPN): Current State: XAUTH_REQ
4d05h: EZVPN(SJVPN): Event: XAUTH_PROMPTING
4d05h: EZVPN(SJVPN): New State: XAUTH_PROMPT 
1721-1(ADSL)#
4d05h: EZVPN(SJVPN): Current State: XAUTH_PROMPT
4d05h: EZVPN(SJVPN): Event: XAUTH_REQ_INFO_READY
4d05h: EZVPN(SJVPN): ezvpn_xauth_reply
4d05h:         XAUTH_TYPE_V2(SJVPN): 0
4d05h:         XAUTH_USER_NAME_V2(SJVPN): Cisco_MAE
4d05h:         XAUTH_USER_PASSWORD_V2(SJVPN): <omitted>
4d05h: EZVPN(SJVPN): New State: XAUTH_REPLIED
4d05h:         xauth-type: 0
4d05h:         username: Cisco_MAE
4d05h:         password: <omitted>
4d05h:         message <Enter Username and Password.>
4d05h: ISAKMP (0:3): responding to peer config from 172.16.172.41. ID = -1898481791
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) CONF_XAUTH   
4d05h: ISAKMP (0:3): deleting node -1898481791 error FALSE reason "done with 
                     xauth request/reply exchange"
4d05h: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT 


4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) CONF_XAUTH   
4d05h: ISAKMP: set new node -1602220489 to CONF_XAUTH   
4d05h: ISAKMP (0:3): processing transaction payload from 172.16.172.41. message ID = -1602220489
4d05h: ISAKMP: Config payload SET
4d05h: ISAKMP (0:3): Xauth process set, status = 1
4d05h: ISAKMP (0:3): checking SET:
4d05h: ISAKMP:    XAUTH_STATUS_V2 XAUTH-OK
4d05h: ISAKMP (0:3): attributes sent in message:
4d05h:         Status: 1
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) CONF_XAUTH   
4d05h: ISAKMP (0:3): deleting node -1602220489 error FALSE reason ""


4d05h: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE 


4d05h: EZVPN(SJVPN): Current State: XAUTH_REPLIED
4d05h: EZVPN(SJVPN): Event: XAUTH_STATUS
4d05h: EZVPN(SJVPN): New State: READY
4d05h: ISAKMP (0:3): Need config/address
4d05h: ISAKMP (0:3): Need config/address
4d05h: ISAKMP: set new node 486952690 to CONF_ADDR    
4d05h: ISAKMP (0:3): initiating peer config to 172.16.172.41. ID = 486952690
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) CONF_ADDR    
4d05h: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT 


4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) CONF_ADDR    
4d05h: ISAKMP (0:3): processing transaction payload from 172.16.172.41. 
                     message ID = 486952690
4d05h: ISAKMP: Config payload REPLY
4d05h: ISAKMP(0:3) process config reply
4d05h: ISAKMP (0:3): deleting node 486952690 error FALSE reason 
                     "done with transaction"
4d05h: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE 


4d05h: EZVPN(SJVPN): Current State: READY
4d05h: EZVPN(SJVPN): Event: MODE_CONFIG_REPLY
4d05h: EZVPN(SJVPN): ezvpn_mode_config
4d05h: EZVPN(SJVPN): ezvpn_parse_mode_config_msg
4d05h: EZVPN: Attributes sent in message
4d05h: ip_ifnat_modified: old_if 0, new_if 2
4d05h: ip_ifnat_modified: old_if 0, new_if 2
4d05h: ip_ifnat_modified: old_if 1, new_if 2
4d05h: EZVPN(SJVPN): New State: SS_OPEN
4d05h: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 


4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0xE6DB9372(3873149810), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0x3C77C53D(1014482237), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0x79BB8DF4(2042334708), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0x19C3A5B2(432252338), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: ISAKMP: received ke message (1/4)
4d05h: ISAKMP: set new node 0 to QM_IDLE      
4d05h: EZVPN(SJVPN): Current State: SS_OPEN
4d05h: EZVPN(SJVPN): Event: SOCKET_READY
4d05h: EZVPN(SJVPN): No state change
4d05h: ISAKMP (0:3): sitting IDLE. Starting QM immediately (QM_IDLE      )
4d05h: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of -1494477527
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0xB18CF11E(2978803998), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 2147483s and 4608000kb,
    spi= 0xA8C469EC(2831444460), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0xBC5AD5EE(3160069614), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 2147483s and 4608000kb, 
    spi= 0x8C34C692(2352268946), conn_id= 0, keysize= 0, flags= 0x400C
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) QM_IDLE      
4d05h: ISAKMP (0:3): Node -1494477527, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY  New State = IKE_QM_I_QM1 


4d05h: ISAKMP: received ke message (1/4)
4d05h: ISAKMP: set new node 0 to QM_IDLE      
4d05h: ISAKMP (0:3): sitting IDLE. Starting QM immediately (QM_IDLE      )
4d05h: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of -1102788797
4d05h: EZVPN(SJVPN): Current State: SS_OPEN
4d05h: EZVPN(SJVPN): Event: SOCKET_READY
4d05h: EZVPN(SJVPN): No state change
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) QM_IDLE      
4d05h: ISAKMP (0:3): Node -1102788797, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY  New State = IKE_QM_I_QM1 


4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) QM_IDLE      
4d05h: ISAKMP: set new node 733055375 to QM_IDLE      
4d05h: ISAKMP (0:3): processing HASH payload. message ID = 733055375
4d05h: ISAKMP (0:3): processing NOTIFY RESPONDER_LIFETIME protocol 1
      spi 0, message ID = 733055375, sa = 820ABFA0
4d05h: ISAKMP (0:3): processing responder lifetime
4d05h: ISAKMP (0:3): start processing isakmp responder lifetime
4d05h: ISAKMP (0:3): restart ike sa timer to 86400 secs
4d05h: ISAKMP (0:3): deleting node 733055375 error FALSE reason 
                     "informational (in) state 1"
4d05h: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 


4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) QM_IDLE 


4d05h: ISAKMP (0:3): processing HASH payload. message ID = -1494477527
4d05h: ISAKMP (0:3): processing SA payload. message ID = -1494477527
4d05h: ISAKMP (0:3): Checking IPSec proposal 1
4d05h: ISAKMP: transform 1, ESP_3DES
4d05h: ISAKMP:   attributes in transform:
4d05h: ISAKMP:      SA life type in seconds
4d05h: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP:      SA life type in kilobytes
4d05h: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
4d05h: ISAKMP:      encaps is 1
4d05h: ISAKMP:      authenticator is HMAC-MD5
4d05h: ISAKMP (0:3): atts are acceptable.
4d05h: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
4d05h: ISAKMP (0:3): processing NONCE payload. message ID = -1494477527
4d05h: ISAKMP (0:3): processing ID payload. message ID = -1494477527
4d05h: ISAKMP (0:3): processing ID payload. message ID = -1494477527
4d05h: ISAKMP (0:3): processing NOTIFY RESPONDER_LIFETIME protocol 3
      spi 1344958901, message ID = -1494477527, sa = 820ABFA0
4d05h: ISAKMP (0:3): processing responder lifetime
4d05h: ISAKMP (3): responder lifetime of 28800s
4d05h: ISAKMP (3): responder lifetime of 0kb
4d05h: ISAKMP (0:3): Creating IPSec SAs
4d05h:         inbound SA from 172.16.172.41 to 172.16.172.46
        (proxy 0.0.0.0 to 192.168.254.0)
4d05h:         has spi 0x3C77C53D and conn_id 2000 and flags 4
4d05h:         lifetime of 28800 seconds
4d05h:         outbound SA from 172.16.172.46   to 172.16.172.41   
               (proxy 192.168.254.0   to 0.0.0.0        )
4d05h:         has spi 1344958901 and conn_id 2001 and flags C
4d05h:         lifetime of 28800 seconds
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) QM_IDLE      
4d05h: ISAKMP (0:3): deleting node -1494477527 error FALSE reason ""
4d05h: ISAKMP (0:3): Node -1494477527, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE 
 4d05h: ISAKMP (0:3): received packet from 172.16.172.41 (I) QM_IDLE      
4d05h: ISAKMP (0:3): processing HASH payload. message ID = -1102788797
4d05h: ISAKMP (0:3): processing SA payload. message ID = -1102788797
4d05h: ISAKMP (0:3): Checking IPSec proposal 1
4d05h: ISAKMP: transform 1, ESP_3DES
4d05h: ISAKMP:   attributes in transform:
4d05h: ISAKMP:      SA life type in seconds
4d05h: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B 
4d05h: ISAKMP:      SA life type in kilobytes
4d05h: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
4d05h: ISAKMP:      encaps is 1
4d05h: ISAKMP:      authenticator is HMAC-MD5
4d05h: ISAKMP (0:3): atts are acceptable.
4d05h: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
4d05h: ISAKMP (0:3): processing NONCE payload. message ID = -1102788797
4d05h: ISAKMP (0:3): processing ID payload. message ID = -1102788797
4d05h: ISAKMP (0:3): processing ID payload. message ID = -1102788797
4d05h: ISAKMP (0:3): processing NOTIFY RESPONDER_LIFETIME protocol 3
      spi 653862918, message ID = -1102788797, sa = 820ABFA0
4d05h: ISAKMP (0:3): processing responder lifetime
4d05h: ISAKMP (3): responder lifetime of 28800s
4d05h: ISAKMP (3): responder lifetime of 0kb
4d05h: IPSEC(key_engine): got a queue event...
4d05h: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 28800s and 0kb, 
    spi= 0x3C77C53D(1014482237), conn_id= 2000, keysize= 0, flags= 0x4
4d05h: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 28800s and 0kb, 
    spi= 0x502A71B5(1344958901), conn_id= 2001, keysize= 0, flags= 0xC
4d05h: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.172.46, sa_prot= 50, 
    sa_spi= 0x3C77C53D(1014482237),

!--- SPI that is used on inbound SA.

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
4d05h: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.172.41, sa_prot= 50, 
    sa_spi= 0x502A71B5(1344958901), 

!--- SPI that is used on outbound SA.

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
4d05h: ISAKMP (0:3): Creating IPSec SAs
4d05h:         inbound SA from 172.16.172.41 to 172.16.172.46
        (proxy 0.0.0.0 to 192.168.253.0)
4d05h:         has spi 0xA8C469EC and conn_id 2002 and flags 4
4d05h:         lifetime of 28800 seconds
4d05h:         outbound SA from 172.16.172.46   to 172.16.172.41   
               (proxy 192.168.253.0   to 0.0.0.0        )
4d05h:         has spi 653862918 and conn_id 2003 and flags C
4d05h:         lifetime of 28800 seconds
4d05h: ISAKMP (0:3): sending packet to 172.16.172.41 (I) QM_IDLE      
4d05h: ISAKMP (0:3): deleting node -1102788797 error FALSE reason ""
4d05h: ISAKMP (0:3): Node -1102788797, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE 


4d05h: ISAKMP: received ke message (4/1)
4d05h: ISAKMP: Locking CONFIG struct 0x81F433A4 for 
               crypto_ikmp_config_handle_kei_mess, count 3
4d05h: EZVPN(SJVPN): Current State: SS_OPEN
4d05h: EZVPN(SJVPN): Event: MTU_CHANGED
4d05h: EZVPN(SJVPN): No state change
4d05h: IPSEC(key_engine): got a queue event...
4d05h: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 28800s and 0kb, 
    spi= 0xA8C469EC(2831444460), conn_id= 2002, keysize= 0, flags= 0x4
4d05h: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.46, remote= 172.16.172.41, 
    local_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4), 
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 28800s and 0kb, 
    spi= 0x26F92806(653862918), conn_id= 2003, keysize= 0, flags= 0xC
4d05h: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.172.46, sa_prot= 50, 
    sa_spi= 0xA8C469EC(2831444460), 
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002
4d05h: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.172.41, sa_prot= 50, 
    sa_spi= 0x26F92806(653862918), 
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003
4d05h: ISAKMP: received ke message (4/1)
4d05h: ISAKMP: Locking CONFIG struct 0x81F433A4 for 
               crypto_ikmp_config_handle_kei_mess, count 4
4d05h: EZVPN(SJVPN): Current State: SS_OPEN
4d05h: EZVPN(SJVPN): Event: SOCKET_UP
4d05h: ezvpn_socket_up
4d05h: EZVPN(SJVPN): New State: IPSEC_ACTIVE
4d05h: EZVPN(SJVPN): Current State: IPSEC_ACTIVE
4d05h: EZVPN(SJVPN): Event: MTU_CHANGED
4d05h: EZVPN(SJVPN): No state change
4d05h: EZVPN(SJVPN): Current State: IPSEC_ACTIVE
4d05h: EZVPN(SJVPN): Event: SOCKET_UP
4d05h: ezvpn_socket_up
4d05h: EZVPN(SJVPN): No state change

用于故障排除的相关Cisco IOS show命令

1721-1(ADSL)#show crypto ipsec client  ezvpn
 Tunnel name : SJVPN
Inside interface list: Loopback0, Loopback1,
Outside interface: FastEthernet0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
1721-1(ADSL)#show  crypto  isakmp  sa

         dst     src         state         conn-id    slot

172.16.172.41   172.16.172.46   QM_IDLE          3       0

1721-1(ADSL)#show crypto  ipsec sa

 interface: FastEthernet0
    Crypto map tag: FastEthernet0-head-0, local addr. 172.16.172.46
   local  ident (addr/mask/prot/port): (192.168.253.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer: 172.16.172.41
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


 local crypto endpt.: 172.16.172.46, remote crypto endpt.: 172.16.172.41
     path mtu 1500, media mtu 1500
     current outbound spi: 26F92806


inbound esp sas:
      spi: 0xA8C469EC(2831444460)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: FastEthernet0-head-0
        sa timing: remaining key lifetime (k/sec): (4607848/28656)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x26F92806(653862918)
 transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: FastEthernet0-head-0
        sa timing: remaining key lifetime (k/sec): (4607848/28647)
        IV size: 8 bytes
        replay detection support: Y

 
     outbound ah sas:


     outbound pcp sas:

 
   local  ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 172.16.172.41
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 105, #pkts encrypt: 105, #pkts digest 105
    #pkts decaps: 105, #pkts decrypt: 105, #pkts verify 105
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.46, remote crypto endpt.: 172.16.172.41
     path mtu 1500, media mtu 1500
     current outbound spi: 502A71B5


     inbound esp sas:
      spi: 0x3C77C53D(1014482237)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: FastEthernet0-head-0
        sa timing: remaining key lifetime (k/sec): (4607847/28644)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:

 
     inbound pcp sas:
 

     outbound esp sas:
      spi: 0x502A71B5(1344958901)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: FastEthernet0-head-0
        sa timing: remaining key lifetime (k/sec): (4607847/28644)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:

outbound pcp sas:

清除活动隧道

您可以使用以下命令清除隧道：

• clear crypto isakmp

• clear crypto sa

• clear crypto ipsec client ezvpn

注意：当选择“管理”>“管理会话”时，可以使用VPN集中器注销会话，在“远程访问会话”中选择用户，然后单击注销。

VPN 3000 集中器调试

选择Configuration > System > Events > Classes，以便在发生事件连接故障时启用此调试。如果显示的类不帮助您确定问题，则始终可以添加更多类。

要查看内存中的当前事件日志，可按事件类、严重性、IP地址等进行过滤，请选择“监控”>“可过滤事件日志”。

要查看IPsec协议的统计信息，请选择Monitoring > Statistics > IPSec。 此窗口显示自上次启动或重置VPN集中器以来IPsec活动（包括当前IPsec隧道）的统计信息。这些统计信息符合IPsec流监控MIB的IETF草案。“监控”>“会话”>“详细信息”窗口还显示IPsec数据。

可能出现的错误

• Cisco IOS路由器停滞在AG_INIT_EXCH状态。排除故障时，请使用以下命令打开IPsec和ISAKMP调试：

  • debug crypto ipsec

  • debug crypto isakmp

  • debug crypto ezvpn

  在Cisco IOS路由器上，您会看到：

  5d16h: ISAKMP (0:9): beginning Aggressive Mode exchange 
  5d16h: ISAKMP (0:9): sending packet to 10.48.66.115 (I) AG_INIT_EXCH 
  5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH... 
  5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1 
  5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH 
  5d16h: ISAKMP (0:9): sending packet to 10.48.66.115 (I) AG_INIT_EXCH 
  5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH... 
  5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1 
  5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH 
  5d16h: ISAKMP (0:9): sending packet to 10.48.66.115 (I) AG_INIT_EXCH 
  5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH... 
  5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1 
  5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH 
  5d16h: ISAKMP (0:9): sending packet to 10.48.66.115 (I) AG_INIT_EXCH 

  在VPN 3000集中器上，需要扩展验证。但是，所选建议不支持扩展验证。验证是否已指定Xauth的内部身份验证。启用内部身份验证并确保IKE提议的身份验证模式设置为“预共享密钥(Xauth)”，如上一屏幕截图所示。单击Modify以编辑建议书。

• 密码不正确。

  您在Cisco IOS路由器上未看到“Invalid Password”消息。在VPN集中器上，您可能看到Received unexpected event EV_ACTIVATE_NEW_SA in state AM_TM_INIT_XAUTH。

  确保密码正确。

• 用户名不正确。

  在Cisco IOS路由器上，如果密码错误，您会看到类似此的调试。在VPN集中器上，您会看到“身份验证已拒绝：原因=未找到用户。

相关信息

• Cisco VPN 3000 系列集中器支持页
• 思科Easy VPN Remote第II阶段
• Cisco VPN 3000 系列客户端支持页
• IPsec 协商/IKE 协议支持页
• 技术支持和文档 - Cisco Systems