從傳統EzVPN遷移至增強型EzVPN配置示例

簡介

本文檔介紹如何配置Easy VPN(EzVPN)設定，其中，分支1使用增強的EzVPN連線到中心，而分支2使用舊式EzVPN連線到同一中心。集線器配置為增強型EzVPN。  增強型EzVPN與傳統EzVPN的區別在於前者使用動態虛擬通道介面(dVTI)，而後者使用加密對映。思科dVTI是使用Cisco EzVPN的客戶可用於伺服器和遠端配置的方法。通道為每個EzVPN連線提供按需獨立的虛擬接入介面。虛擬存取介面的組態會從虛擬模板組態克隆，虛擬模板組態包括IPsec組態和虛擬模板介面上設定的任何Cisco IOS^®軟體功能，例如QoS、NetFlow或存取控制清單(ACL)。

藉助IPsec dVTI和Cisco EzVPN，使用者可以為遠端訪問VPN提供高度安全的連線，這些連線可以與Cisco AVVID（語音、影片和整合資料架構）相結合，通過IP網路提供融合的語音、影片和資料。

必要條件

需求

思科建議您瞭解EzVPN。

採用元件

本檔案中的資訊是根據Cisco IOS版本15.4(2)T。

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路正在作用，請確保您已瞭解任何指令可能造成的影響。

背景資訊

採用dVTI配置的Cisco EzVPN提供可路由介面，以選擇性地將流量傳送到不同的目的地，例如EzVPN集中器、不同的站點對站點對等或網際網路。IPsec dVTI配置不需要IPsec會話到物理介面的靜態對映。這樣可靈活地在任何實體介面上傳送和接收加密流量，例如在多路徑的情況下。流量從通道介面轉送或轉送到通道介面時會進行加密。

流量會透過IP路由表轉送到通道介面或從通道介面轉送。路由在網際網路金鑰交換(IKE)模式配置期間動態獲知，並插入指向dVTI的路由表中。動態IP路由可用於通過VPN傳播路由。與在本機IPsec配置中使用帶加密對映的ACL相比，使用IP路由將流量轉發到加密可以簡化IPsec VPN配置。

在低於Cisco IOS版本12.4(2)T的版本中，在通道開啟/通道關閉過渡時，必須解析和應用在模式配置期間推送的屬性。當這些屬性導致在介面上應用配置時，必須覆蓋現有配置。藉助dVTI支援功能，可將隧道啟動配置應用於單獨的介面，這樣在隧道啟動時可以更輕鬆地支援單獨的功能。應用於進入通道的流量的功能（在加密之前）可以與應用於未通過通道的流量的功能（例如分割通道流量和通道未開啟時離開裝置的流量）分開。

當EzVPN協商成功時，虛擬訪問介面的線路協定狀態將更改為up。當EzVPN隧道由於安全關聯到期或被刪除而關閉時，虛擬訪問介面的線路協定狀態將更改為down。

路由表在EzVPN虛擬介面配置中充當流量選擇器，也就是說，路由將替換加密對映上的訪問清單。在虛擬介面配置中，如果EzVPN伺服器配置了IPsec dVTI，則EzVPN會協商單個IPsec安全關聯。無論配置的EzVPN模式如何，都會建立此單一安全關聯。

建立安全關聯後，會新增指向虛擬接入介面的路由，以將流量定向到公司網路。EzVPN還向VPN集中器新增路由，以便將IPsec封裝的資料包路由到公司網路。在非拆分模式下新增指向虛擬接入介面的預設路由。當EzVPN伺服器「推送」拆分隧道時，拆分隧道子網將成為指向虛擬訪問的路由新增到的目標。無論哪種情況，如果對等點（VPN集中器）未直接連線，EzVPN都會向對等點新增路由。

附註：大多數運行Cisco EzVPN客戶端軟體的路由器都配置了預設路由。配置的預設路由的度量值必須大於1，因為EzVPN新增的預設路由的度量值為1。該路由指向虛擬訪問介面，以便在集中器不「推送」拆分隧道屬性時，所有流量都定向到公司網路。

QoS可用於提高網路中不同應用的效能。在此配置中，流量整形用於兩個站點之間，以限制站點之間應傳輸的總流量。此外，QoS配置可以支援Cisco IOS軟體中提供的任何QoS功能組合，以支援任何語音、影片或資料應用。

附註：本指南中的QoS配置僅用於演示。預計VTI可擴充性的結果會類似使用IPsec的點對點(P2P)通用路由封裝(GRE)。有關擴展和效能的注意事項，請聯絡您的思科代表。如需其他資訊，請參閱使用IP安全性設定虛擬通道介面。

優勢

• 簡化管理
  客戶可以使用Cisco IOS虛擬模板根據需要為IPsec克隆新的虛擬接入介面，從而簡化VPN配置的複雜性並降低成本。此外，現有的管理應用程式現在可以對不同站點的不同介面進行監控，以實現監控目的。
• 提供可路由介面
  Cisco IPsec VTI可以支援所有型別的IP路由協定。客戶可以使用這些功能來連線更大的辦公環境，如分支機構。
• 改善擴展
  IPsec VTI對每個站點使用單個安全關聯，這些關聯覆蓋不同型別的流量，從而改進了擴展。
• 提供定義功能的靈活性
  IPsec VTI是其自身介面內的封裝。這樣可以靈活地定義IPsec VTI上明文流量的功能，並定義物理介面上加密流量的功能。

設定

附註：使用命令查詢工具(僅供已註冊客戶使用)可獲取本節中使用的命令的更多資訊。

網路圖表

配置摘要

集線器配置

hostname Hub
!
no aaa new-model
!
no ip domain lookup
!
username test-user privilege 15 password 0 cisco123
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group En-Ezvpn
 key test-En-Ezvpn
crypto isakmp profile En-EzVpn-Isakmp-Profile
   match identity group En-Ezvpn
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile En-EzVpn-Ipsec-Profile
 set transform-set VPN-TS
 set isakmp-profile En-EzVpn-Isakmp-Profile
!
!
interface Loopback0
 description Router-ID
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
 description inside-network
 ip address 192.168.0.1 255.255.255.255
!
interface Ethernet0/0
 description WAN-Link
 ip address 172.16.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile En-EzVpn-Ipsec-Profile
!
router eigrp 1
 network 10.0.0.1 0.0.0.0
 network 192.168.0.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.100
!
end

分支1（增強型EzVPN）配置

hostname Spoke1
!
no aaa new-model
!
interface Loopback0
 description Router-ID
 ip address 10.0.1.1 255.255.255.255
 crypto ipsec client ezvpn En-EzVpn inside
!
interface Loopback1
 description Inside-network
 ip address 192.168.1.1 255.255.255.255
!
interface Ethernet0/0
 description WAN-Link
 ip address 172.16.1.1 255.255.255.0
 crypto ipsec client ezvpn En-EzVpn
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
!
router eigrp 1
 network 10.0.1.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.100
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec client ezvpn En-EzVpn
 connect auto
 group En-Ezvpn key test-En-Ezvpn
 mode network-extension
 peer 172.16.0.1
 virtual-interface 1
!
end

注意：在輸入客戶端配置之前，需要定義虛擬模板。若沒有相同編號的現有虛擬模板，路由器將不會接受virtual-interface 1命令。

分支2（傳統EzVPN）配置

hostname Spoke2
!
no aaa new-model
!
no ip domain lookup
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec client ezvpn Leg-Ezvpn
 connect auto
 group En-Ezvpn key test-En-Ezvpn
 mode network-extension
 peer 172.16.0.1
 xauth userid mode interactive
!
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.255
 crypto ipsec client ezvpn Leg-Ezvpn inside
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.255
!
interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0
 crypto ipsec client ezvpn Leg-Ezvpn
!
ip route 0.0.0.0 0.0.0.0 172.16.2.100
!
end

驗證

使用本節內容，確認您的組態是否正常運作。

輸出直譯器工具(僅供已註冊客戶使用)支援某些show命令。使用輸出直譯器工具來檢視show命令輸出的分析。

中心到分支1通道

第1階段

Hub#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1006  172.16.0.1      172.16.2.1             ACTIVE aes  sha    psk  2  23:54:53 C
       Engine-id:Conn-id =  SW:6

1005  172.16.0.1      172.16.1.1             ACTIVE aes  sha    psk  2  23:02:14 C
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

第2階段

這裡的代理是針對any/any的，這意味著任何退出Virtual Access 1的流量都會被加密並傳送到172.16.1.1。

Hub#show crypto ipsec sa peer 172.16.1.1 detail

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 172.16.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 776, #pkts encrypt: 776, #pkts digest: 776
    #pkts decaps: 771, #pkts decrypt: 771, #pkts verify: 771
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.1.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x9159A91E(2438572318)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB82853D4(3089650644)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: SW:13, sibling_flags 80000040, crypto map:
 Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4342983/3529)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9159A91E(2438572318)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: SW:14, sibling_flags 80000040, crypto map:
 Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4342983/3529)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

EIGRP

Hub#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.1.1              Vi1                      13 00:59:28   31  1398  0  3

附註：分支2不形成條目，因為在沒有可路由介面的情況下，無法形成增強型內部網關路由協定(EIGRP)對等體。這是在輻條上使用dVTI的優勢之一。

輻條1

第1階段

Spoke1#show cry is sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1005  172.16.1.1      172.16.0.1             ACTIVE aes  sha    psk  2  22:57:07 C
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

第2階段

Spoke1#show crypto ipsec sa detail

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 821, #pkts encrypt: 821, #pkts digest: 821
    #pkts decaps: 826, #pkts decrypt: 826, #pkts verify: 826
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.0.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xB82853D4(3089650644)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9159A91E(2438572318)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80004040, crypto map:
 Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4354968/3290)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB82853D4(3089650644)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80004040, crypto map:
 Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4354968/3290)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

EZVPN

Spoke1#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : En-EzVpn
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to Ethernet0/0)
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 172.16.0.1

路由 — EIGRP

在Spoke 2中，代理可以使任何退出虛擬訪問介面的流量都得到加密。只要有路由指向網路的介面，流量就會被加密：

Spoke1#ping 192.168.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

Spoke1#ping 192.168.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

Spoke1# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.100 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.100
                [1/0] via 0.0.0.0, Virtual-Access1
      10.0.0.0/32 is subnetted, 2 subnets
D        10.0.0.1 [90/27008000] via 10.0.0.1, 01:16:15, Virtual-Access1
C        10.0.1.1 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S        172.16.0.1/32 [1/0] via 172.16.1.100
C        172.16.1.0/24 is directly connected, Ethernet0/0
L        172.16.1.1/32 is directly connected, Ethernet0/0
      192.168.0.0/32 is subnetted, 1 subnets
D        192.168.0.1 [90/27008000] via 10.0.0.1, 01:16:15, Virtual-Access1
      192.168.1.0/32 is subnetted, 1 subnets
C        192.168.1.1 is directly connected, Loopback1
Spoke1#

中心到分支2通道

第1階段

Hub#show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1006  172.16.0.1      172.16.2.1             ACTIVE aes  sha    psk  2  23:54:53 C
       Engine-id:Conn-id =  SW:6

1005  172.16.0.1      172.16.1.1             ACTIVE aes  sha    psk  2  23:02:14 C
       Engine-id:Conn-id =  SW:5

IPv6 Crypto ISAKMP SA

第2階段

此範例中未使用集線器上使用者端組態下的分割通道ACL。因此，在分支上形成的代理適用於分支上的任何EzVPN「內部」網路到任何網路。基本上，在集線器上，發往輻條中某個「內部」網路的任何流量都會被加密並傳送到172.16.2.1。

Hub#show crypto ipsec sa  peer 172.16.2.1 detail

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 172.16.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/0/0)
   current_peer 172.16.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.2.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x166CAC10(376220688)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8525868A(2233829002)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map:
 Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4217845/1850)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x166CAC10(376220688)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map:
 Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4217845/1850)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

分支2

第1階段

Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.1      172.16.2.1      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

第2階段

Spoke2#show crypto ipsec sa detail

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 172.16.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 172.16.2.1, remote crypto endpt.: 172.16.0.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x8525868A(2233829002)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x166CAC10(376220688)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map:
 Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4336232/2830)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8525868A(2233829002)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map:
 Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4336232/2830)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

EZVPN

Spoke2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : Leg-Ezvpn
Inside interface list: Loopback0
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 172.16.0.1

路由 — 靜態

與分支1不同，分支2必須擁有靜態路由或使用反向路由注入(RRI)來注入路由，以告知哪些流量應該加密，哪些不應加密。在本範例中，只有來源為Loopback 0的流量會根據代理和路由進行加密。

Spoke2#ping 192.168.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.....
Success rate is 0 percent (0/5)

Spoke2#ping 192.168.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

Spoke2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.2.100 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.2.100
      10.0.0.0/32 is subnetted, 1 subnets
C        10.0.2.1 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.2.0/24 is directly connected, Ethernet0/0
L        172.16.2.1/32 is directly connected, Ethernet0/0
      192.168.2.0/32 is subnetted, 1 subnets
C        192.168.2.1 is directly connected, Loopback1

疑難排解

本節提供的資訊可用於對組態進行疑難排解。

提示：在EzVPN中，隧道在配置更改後通常不出現。在此情況下，清除第1階段和第2階段不會啟動隧道。在大多數情況下，請在分支中輸入clear crypto ipsec client ezvpn <group-name>命令以啟動隧道。

附註：使用 debug 指令之前，請先參閱有關 Debug 指令的重要資訊。

集線器命令

• debug crypto ipsec — 顯示第2階段的IPsec協商。

• debug crypto isakmp - 顯示第1階段的ISAKMP協商。

分支命令

• debug crypto ipsec - 顯示第2階段的IPsec協商。

• debug crypto isakmp - 顯示第1階段的ISAKMP協商。

• debug crypto ipsec client ezvpn - 顯示EzVPN調試。

相關資訊

• IPsec支援頁面
• Cisco Easy VPN Remote
• Easy VPN伺服器
• IPsec虛擬通道介面
• 配置IPsec網路安全
• 配置Internet金鑰交換安全協定
• 技術支援與文件 - Cisco Systems