排除PIX在已建立的IPSec隧道上傳遞資料流量的故障

簡介

本文檔針對從Cisco VPN客戶端到PIX的成功建立IPsec隧道無法傳遞資料的原因提供了解決方法並提供了解決方案。

當您無法從VPN客戶端ping或Telnet到PIX後LAN上的任何主機時，經常會遇到無法在VPN客戶端和PIX之間的已建立IPsec隧道上傳遞資料的問題。換句話說，VPN客戶端和PIX無法在它們之間傳遞加密資料。出現這種情況是因為PIX具有到路由器和VPN客戶端的LAN到LAN IPsec隧道。無法傳遞資料是由於配置具有相同的訪問控制清單(ACL)，用於nat 0和LAN到LAN IPsec對等體的靜態加密對映。

必要條件

需求

本文件沒有特定需求。

採用元件

本文中的資訊係根據以下軟體和硬體版本：

• Cisco安全PIX防火牆6.0.1

• 執行Cisco IOS®軟體版本12.2(6)的Cisco 1720路由器

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路正在作用，請確保您已瞭解任何指令可能造成的影響。

慣例

請參閱思科技術提示慣例以瞭解更多有關文件慣例的資訊。

排除PIX故障

網路圖表

有問題的示例配置

pix520-1#write terminal
Building configuration...
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix520-1
domain-name vpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- Access-List “140” defines interesting traffic to bypass NAT for VPN !--- and defines VPN interesting traffic. This is incorrect.

access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host outside 192.168.2.6
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500

!--- IP addresses on the outside and inside interfaces.

ip address outside 172.16.172.34 255.255.255.240
ip address inside 192.168.4.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 172.16.172.57 netmask 255.255.255.255

!--- The nat 0 command bypasses NAT for the packets destined over the IPsec tunnel.

Nat (inside) 0 access-list 140
Nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.172.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip
0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
AAA-server mytest protocol tacacs+
AAA-server nasir protocol radius
snmp-server host outside 192.168.2.6
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable

!--- The sysopt command bypasses conduits or ACLs that check to be applied !--- on the inbound VPN packets after decryption.

sysopt connection permit-ipsec
no sysopt route dnat

!--- The crypto ipsec command defines IPsec encryption and authen algo.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

!--- The crypto map commands define the IPsec !--- Security Assocation (SA) (Phase II SA) parameters.

crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 140
crypto map mymap 5 set peer 172.16.172.39
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside

!--- The isakmp key command defines the pre-shared key for the peer address.

isakmp key ******** address 172.16.172.39 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp identity address

!--- The isakmp policy defines the Phase 1 SA parameters.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption Des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.4.0 255.255.255.0 inside
telnet 171.69.89.82 255.255.255.255 inside
telnet timeout 5
ssh 172.0.0.0 255.0.0.0 outside
ssh 171.0.0.0 255.255.255.0 outside
ssh 171.0.0.0 255.0.0.0 outside
ssh timeout 60
terminal width 80
Cryptochecksum:55948dc706cc700e9c10e1d24a8b125c

在有問題的配置中，ACL 140定義了LAN到LAN隧道的相關流量或要加密的流量。該配置使用與nat 0 ACL相同的ACL。

瞭解事件的一般順序

當IP資料包到達PIX的內部介面時，會檢查網路地址轉換(NAT)。之後，會檢查密碼編譯對應的ACL。

• 如何使用nat 0。

  nat 0 ACL定義了NAT中不應包含的內容。nat 0命令中的ACL定義了在PIX上禁用NAT規則的源地址和目的地址。因此，源地址和目標地址與nat 0命令中定義的ACL匹配的IP資料包將繞過PIX上的所有NAT規則。

  要藉助專用地址在PIX和另一個VPN裝置之間實現LAN到LAN隧道，請使用nat 0命令繞過NAT。PIX防火牆上的規則阻止私有地址包含在NAT中，同時這些規則通過IPsec隧道進入遠端LAN。

• 使用加密ACL的方式。

  NAT檢查後，PIX檢查到達其內部介面的每個IP資料包的源和目標，以匹配靜態和動態加密對映中定義的ACL。如果PIX發現與ACL匹配，則PIX會執行以下任何步驟：

  • 如果當前沒有已經使用對等IPsec裝置為流量構建的IPsec安全關聯(SA)，則PIX會啟動IPsec協商。建立SA後，會加密封包並將其透過IPsec通道傳送到IPsec對等路由器。

  • 如果已經存在與對等體一起構建的IPsec SA，則PIX會加密IP資料包，並將加密的資料包傳送到對等體IPsec裝置。

• 動態ACL。

  一旦VPN客戶端通過IPsec連線到PIX，PIX就會建立一個動態ACL，指定用於定義此IPsec連線的相關流量的源和目標地址。

瞭解PIX上的問題事件系列

常見的配置錯誤是對nat 0和靜態加密對映使用相同的ACL。以下各節討論這為什麼會導致錯誤以及如何糾正問題。

PIX 配置顯示，當IP資料包從網路192.168.4.0/24傳送到網路10.10.10.0/24和網路10.1.2.0/24（在IP本地池中定義的網路地址）時，nat 0 ACL 140會繞過NAT。 此外，ACL 140還定義了對等體172.16.172.39的靜態加密對映的相關流量。

當IP資料包進入PIX內部介面時，NAT檢查完成，然後PIX檢查加密對映中的ACL。PIX從例項編號最小的加密對映開始。這是因為上例中的靜態加密對映具有最小的例項編號，因此會檢查ACL 140。接下來，會檢查動態加密對映的動態ACL。在此配置中，ACL 140的定義為加密從網路192.168.4.0 /24到網路10.10.10.0/24 0和10.1.2.0 /24的流量。但是，對於LAN到LAN隧道，您只需要加密網路192.168.4.0 /24和10.10.0 /24之間的流量。這是IPsec對等路由器定義其加密ACL的方式。

瞭解PIX上的問題事件系列

當客戶端建立與PIX的IPsec連線時，會從IP本地池中為其分配IP地址。在此例項中，為客戶端分配了10.1.2.1。PIX還會生成動態ACL，如以下show crypto map命令輸出所示：

Crypto Map "mymap" 20 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl2 permit ip host 172.16.172.34 host 10.1.2.1 (hitcnt=0)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
Crypto Map "mymap" 30 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl3 permit ip any host 10.1.2.1 (hitcnt=0)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
pix520-1(config)#

show crypto map命令也會顯示靜態加密對映：

Crypto Map: "mymap" interfaces: { outside }
Crypto Map "mymap" 5 ipsec-isakmp
Peer = 172.16.172.39
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0 
   (hitcnt=45)
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.1.2.0 255.255.255.0
   (hitcnt=84)
Current peer: 172.16.172.39
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset,}

一旦在客戶端和PIX之間建立IPsec隧道，客戶端就會對主機192.168.4.3發起ping命令。當主機收到回應請求時，主機192.168.4.3會像debug icmp trace命令的此輸出所示使用回應回覆進行回覆。

27: Inbound ICMP echo request (len 32 id 2 seq 7680) 
   10.1.2.1 > 192.168.4.3> 192.168.4.3
28: Outbound ICMP echo reply (Len 32 id 2 seq 7680) 
   192.168.4.3 >192.168.4.3 > 10.1.2.1
29: Inbound ICMP echo request (Len 32 id 2 seq 7936) 
   10.1.2.1 > 192.168.4.3> 192.168.4.3
30: Outbound ICMP echo reply (Len 32 id 2 seq 7936) 
   192.168.4.3 >192.168.4.3 > 10.1.2.1

但是，回應回覆沒有到達VPN客戶端（主機10.1.2.1），因此ping失敗。您可以在PIX上使用show crypto ipsec sa命令的幫助中看到這一點。此輸出顯示，PIX解密來自VPN客戶端的120個資料包，但不加密任何資料包或將加密資料包傳送到客戶端。因此，封裝的資料包數量為零。

pix520-1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: mymap, local addr. 172.16.172.34
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 171.69.89.120
dynamic allocated peer ip: 10.1.2.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 

!--- No packets encrypted and sent to client.

#pkts decaps: 120, #pkts decrypt: 120, #pkts verify 120 

!--- 120 packets received from client.

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 171.69.89.120
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 33a45029
inbound esp sas:
spi: 0x279fc5e9(664782313)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607985/27809)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound ESP sas:
spi: 0x33a45029(866406441)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/27809)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.16.172.39
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 172.16.172.39
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f264e92c
inbound ESP sas:
spi: 0x2772b869(661829737)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607997/2420)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas:
outbound ESP sas:
spi: 0xf264e92c(4066699564)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/2420)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:

注意：當主機192.168.4.3應答回應請求時，IP資料包將到達PIX的內部介面。

38: Outbound ICMP echo reply (Len 32 id 2 seq 8960) 
   192.168.4.3 >192.168.4.3 > 10.1.2.1

IP資料包到達內部介面後，PIX會檢查nat 0 ACL 140並確定IP資料包的源地址和目的地址與ACL匹配。因此，此IP資料包繞過PIX上的所有NAT規則。接下來，會檢查加密ACL。由於靜態加密對映的例項編號最小，因此首先檢查其ACL。由於此示例將ACL 140用於靜態加密對映，因此PIX會檢查此ACL。現在，IP資料包的源地址為192.168.4.3，目的地址為10.1.2.1。由於此地址與ACL 140匹配，因此PIX認為此IP資料包用於對等體為172.16.172.39的LAN到LAN IPsec隧道（與我們的目標相反）。 因此，它會檢查SA資料庫，以確定是否存在此流量的對等體172.16.72.39的當前SA。如show crypto ipsec sa命令的輸出所示，此流量不存在SA。PIX不加密資料包或將其傳送到VPN客戶端。相反，它會啟動與對等體172.16.172.39的另一個IPsec協商，如以下輸出所示：

crypto_isakmp_process_block: src 172.16.172.39, dest 172.16.172.34
return status is IKMP_NO_ERR_NO_TRANS02303: sa_request, (key eng. msg.)
src= 172.16.172.34, dest= 172.16.172.39,
src_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform=
ESP-Des esp-md5-hmac , lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
702303: sa_request, (key Eng. msg.) src= 172.16.172.34, dest=
172.16.172.39, src_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform=
ESP-Des esp-md5-hmac , lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer
fired: count = 2,
(identity) local= 172.16.172.34, remote= 172.16.172.39,
local_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4)

IPsec協商失敗的原因如下：

• 對等體172.16.172.39僅將網路10.10.10.0/24和192.168.4.0/24定義為其ACL中針對加密對映對等體172.16.172.34的相關流量。

• 在兩個對等體之間的IPsec協商期間，代理標識不匹配。

• 如果對等體啟動協商且本地配置指定完全向前保密(perfect forward secrecy， PFS)，則對等體必須執行PFS交換或協商失敗。如果本地配置未指定組，則假定預設值為group1，並且接受group1或group2的提供。如果本地配置指定group2，則該組必須是對等體提供的一部分，否則協商失敗。如果本地配置不指定PFS，則它接受來自對等體的任何PFS提議。1024位Diffie-Hellman主模陣列group2比group1提供更高的安全性，但所需的處理時間比group1要長。

  註：crypto map set pfs命令將IPsec設定為在它為此加密對映條目請求新SA時請求PFS。使用no crypto map set pfs命令指定IPsec不請求PFS。此命令僅適用於IPsec-ISAKMP加密對映條目和動態加密對映條目。預設情況下，不請求PFS。使用PFS時，每次協商新的SA時，都會發生新的Diffie-Hellman交換。這要求額外的處理時間。PFS增加了另一個安全級別，因為如果一個金鑰被攻擊者破解，則只有使用該金鑰傳送的資料才會受到危害。在協商過程中，此命令使IPsec在為加密對映條目請求新SA時請求PFS。如果set pfs語句未指定組，則傳送預設值(group1)。

  注意：當PIX防火牆具有源自PIX防火牆並在單個遠端對等體上終止的多個隧道時，與遠端對等體的IKE協商可能會掛起。當PFS未啟用，並且本地對等體請求許多同時的重新生成金鑰請求時，會出現此問題。如果發生此問題，IKE SA在超時或使用clear [crypto] isakmp sa命令手動清除之前不會恢復。配置有多個通道到許多對等體或許多共用同一通道的客戶端的PIX防火牆裝置不會受到此問題的影響。如果配置受到影響，請使用crypto map mapname seqnum set pfs命令啟用PFS。

PIX上的IP資料包最終會被丟棄。

瞭解解決方案

糾正此錯誤的正確方法是為nat 0和靜態加密對映定義兩個單獨的ACL。為此，該示例為nat 0命令定義ACL 190並將修改的ACL 140用於靜態加密對映，如以下輸出所示。

pix520-1(config)#
pix520-1(config)#write terminal
Building configuration...
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix520-1
domain-name vpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- Access list 140 defines interesting traffic in order to bypass NAT for VPN.

access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0

!--- Defines VPN interesting traffic.

access-list 190 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0
access-list 190 permit ip 192.168.4.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging

logging history debugging
logging host outside 192.168.2.6
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.16.172.34 255.255.255.240
ip address inside 192.168.4.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 172.16.172.57 netmask 255.255.255.255

!--- The nat 0 command bypasses NAT for the packets destined over the IPsec tunnel..

Nat (inside) 0 access-list 190
Nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.172.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
AAA-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
AAA-server mytest protocol tacacs+
AAA-server nasir protocol radius
snmp-server host outside 192.168.2.6
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset ESP-Des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

!--- The crypto map commands define the IPsec SA (Phase II SA) parameters.

crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 140
crypto map mymap 5 set peer 172.16.172.39
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 172.16.172.39 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption Des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption Des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.4.0 255.255.255.0 inside
telnet 171.69.89.82 255.255.255.255 inside
telnet timeout 5
ssh 172.0.0.0 255.0.0.0 outside
ssh 171.0.0.0 255.255.255.0 outside
ssh 171.0.0.0 255.0.0.0 outside
ssh timeout 60
terminal width 80
Cryptochecksum:e2cb98b30d3899597b3af484fae4f9ae
: end
[OK]
pix520-1(config)# pix520-1(config)#show crypto map

進行更改並且客戶端使用PIX建立IPsec隧道後，發出show crypto map命令。此命令顯示，對於靜態加密對映，ACL 140定義的關注流量僅是192.168.4.0/24和10.10.10.0/24，這是原始目標。此外，動態訪問清單還顯示了定義為客戶端(10.1.2.1)和PIX(172.16.172.34)的相關流量。

pix520-1(config)#show crypto map
Crypto Map: "mymap" interfaces: { outside }
Crypto Map "mymap" 5 ipsec-isakmp
Peer = 172.16.172.39
access-list 140 permit ip 192.168.4.0 255.255.255.0 10.10.10.0255.255.255.0 
   (hitcnt=57)
Current peer: 172.16.172.39
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
Crypto Map "mymap" 10 ipsec-isakmp
Dynamic map template tag: dynmap
Crypto Map "mymap" 20 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl4 permit ip host 172.16.172.34 host 10.1.2.1 (hitcnt=0)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
Crypto Map "mymap" 30 ipsec-isakmp
Peer = 171.69.89.120
access-list dynacl5 permit ip any host 10.1.2.1 (hitcnt=13)
dynamic (created from dynamic map dynmap/10)
Current peer: 171.69.89.120
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }

當VPN客戶端10.1.2.1向主機192.168.4.3傳送ping時，回應要求到PIX的內部介面。PIX檢查nat 0 ACL 190並確定IP資料包與ACL匹配。因此，資料包會繞過PIX上的NAT規則。接下來，PIX檢查靜態加密對映ACL 140以查詢匹配項。這一次，IP資料包的源和目標與ACL 140不匹配。因此，PIX將檢查動態ACL並查詢匹配項。然後PIX檢查其SA資料庫，看是否已經與客戶端建立了IPsec SA。由於客戶端已經與PIX建立了IPsec連線，因此存在IPsec SA。然後PIX對資料包進行加密並將其傳送到VPN客戶端。使用PIX的show crypto ipsec sa命令輸出來檢視資料包是否已加密和解密。在這種情況下，PIX加密了16個資料包並將其傳送到客戶端。PIX還從VPN客戶端接收加密資料包和解密了16個資料包。

pix520-1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: mymap, local addr. 172.16.172.34
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 171.69.89.120
dynamic allocated peer ip: 10.1.2.1
PERMIT, flags={}
#pkts encaps: 16, #pkts encrypt: 16,#pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 171.69.89.120
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 613d083d
inbound ESP sas:
spi: 0x6adf97df(1793038303)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/27420)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas:
outbound ESP sas:
spi: 0x613d083d(1631389757)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/27420)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.16.172.39
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.172.34, remote crypto endpt.: 172.16.172.39
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 58009c01
inbound ESP sas:
spi: 0x2d408709(759203593)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/3319)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas: outbound ESP sas:
spi: 0x58009c01(1476434945)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/3319)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
pix520-1(config)# sh cr isa sa
Total : 2
Embryonic : 0
dst src state pending created
172.16.172.39 172.16.172.34 QM_IDLE 0 1
172.16.172.34 171.69.89.120 QM_IDLE 0 2
pix520-1(config)# sh cr ipsec sa

路由器配置和show命令輸出

1720-1#show run
Building configuration...
Current configuration : 1592 bytes
!
! Last configuration change at 21:08:49 PST Mon Jan 7 2002
! NVRAM config last updated at 18:18:17 PST Mon Jan 7 2002
!
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720-1
!
no logging buffered
enable secret 5 $1$6jAs$tNxI1a/2DYFAtPLyCDXjo/
enable password ww
!
username cisco password 0 cisco
memory-size iomem 15
clock timezone PST -8
ip subnet-zero
no ip domain-lookup
ip domain-name cisco.com
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!

!--- The crypto isakmp policy command defines the Phase 1 SA parameters.

crypto isakmp policy 15
authentication pre-share
crypto isakmp key cisco123 address 172.16.172.34
!
!

!--- The crypto ipsec transform-set command defines IPsec encryption !--- and authentication algorithims.

crypto ipsec transform-set myset ESP-Des esp-md5-hmac
!
!

!--- The crypto map command defines the IPsec SA (Phase II SA) parameters..

crypto map vpn 10 ipsec-isakmp
set peer 172.16.172.34
set transform-set myset
match address 150
!
!
!
!
!
interface FastEthernet0
ip address 172.16.172.39 255.255.255.240
speed auto

!--- The crypto map applied to the outbound interface.

crypto map vpn
interface Ethernet0
ip address 10.10.10.1 255.255.255.240
speed auto
no ip route-cache
no ip mroute-cache
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.172.33
no ip http server
ip pim bidir-enable
!

!--- Access-list defines interesting VPN traffic.

access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
no login
line vty 5 15
login
!
no scheduler allocate
end
1720-1#

1720-1#show crypto isa sa
DST src state conn-id slot
172.16.172.39 172.16.172.34 QM_IDLE 132 0
1720-1#show crypto ipsec sa
interface: FastEthernet0
Crypto map tag: vpn, local addr. 172.16.172.39
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 172.16.172.34
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9 #pkts encrypt: 9 #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 7, #recv errors 0
local crypto endpt.: 172.16.172.39, remote crypto endpt.: 172.16.172.34
path mtu 1500, media mtu 1500
current outbound spi: 2D408709
inbound ESP sas:
spi: 0x58009C01(1476434945)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }

!--- IPsec SA 200 as seen in the show crypto engine connection active command.

slot: 0, conn id: 200, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3144)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound PCP sas:
outbound ESP sas:
spi: 0x2D408709(759203593)
transform: ESP-Des esp-md5-hmac ,
in use settings ={Tunnel, }

!--- IPsec SA 201 as seen in the show crypto engine connection active command.

slot: 0, conn id: 201, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3144)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound PCP sas:
1720-1#

1720-1#show crypto map
Interfaces using crypto map mymap:
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 172.16.172.34
Extended IP access list 150
access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
Current peer: 172.16.172.34
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn: FastEthernet0 

相關資訊

• Cisco PIX防火牆軟體
• Cisco Secure PIX防火牆命令參考
• 安全產品現場通知（包括PIX）
• 要求建議 (RFC)
• IPSec 協商/IKE 通訊協定
• 技術支援與文件 - Cisco Systems