配置ASA到ASA動態到靜態IKEv1/IPsec
簡介
本文檔介紹如何使ASA能夠接受來自任何動態對等體的動態IPsec站點到站點VPN連線。
必要條件
需求
思科建議您瞭解以下主題:
- 調適型安全裝置(ASA)
採用元件
本文檔中的資訊基於Cisco ASA (5510和5520)防火牆軟體版本9.x及更高版本。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
本文檔介紹如何使自適應安全裝置(ASA)能夠接受來自任何動態對等體(本例中為ASA)的動態IPsec站點到站點VPN連線。如本文檔中的網路圖所示,僅當從遠端ASA端啟動隧道時,才會建立IPSec隧道。由於動態IPSec配置,Central-ASA無法啟動VPN隧道。Remote-ASA的IP地址未知。
配置Central-ASA以動態接受來自萬用字元IP地址(0.0.0.0/0)和萬用字元預共用金鑰的連線。然後將Remote-ASA配置為按照crypto access-list的指定加密從本地到Central-ASA子網的流量。兩端均執行網路地址轉換(NAT)免除,以繞過IPsec流量的NAT。
設定
網路圖表
ASDM配置
Central-ASA(靜態對等體)
在具有靜態IP地址的ASA上,設定VPN的方式使其接受來自未知對等體的動態連線,同時仍使用IKEv1預共用金鑰對對等體進行身份驗證:
- 選擇Configuration > Site-to-Site VPN > Advanced > Crypto Maps。該窗口顯示已存在的加密對映條目的清單(如果有)。由於ASA不知道對等體IP地址是什麼,因此,為了使ASA能夠接受連線,請使用匹配的轉換集(IPsec方案)配置動態對映。按一下Add。
- 在Create IPsec Rule窗口中,從Tunnel Policy (Crypto Map) - Basic頁籤中,從Interface下拉選單中選擇outside,然後從Policy Type下拉選單中選擇dynamic。在Priority欄位中,如果動態對映下有多個條目,請為此條目分配優先順序。然後,按一下IKE v1 IPsec Proposal欄位旁邊的Select以選擇IPsec提議。
- 當Select IPsec Proposals (Transform Sets)對話方塊打開時,請從當前IPsec建議中進行選擇,或按一下Add以建立一個新建議並使用。完成後按一下OK。
- 在Tunnel Policy (Crypto Map)-Advanced頁籤中,選中Enable NAT-T覈取方塊(如果任一對等體位於NAT裝置之後,則需使用此覈取方塊)和Enable Reverse Route Injection覈取方塊。當動態對等體的VPN隧道啟動時,ASA會為協商的遠端VPN網路安裝指向VPN介面的動態路由。
或者,也可以從Traffic Selection頁籤定義動態對等體的相關VPN流量,然後按一下OK。
如前所述,由於ASA沒有關於遠端動態對等體IP地址的任何資訊,未知連線請求會位於預設情況下存在於ASA上的DefaultL2LGroup下。要使身份驗證成功,遠端對等體上配置的預共用金鑰(在本示例中為cisco123)需要與DefaultL2LGroup下的金鑰匹配。
- 選擇Configuration > Site-to-Site VPN > Advanced > Tunnel Groups,選擇DefaultL2LGroup,按一下Edit並配置所需的預共用金鑰。完成後按一下OK。
- 選擇Configuration > Site-to-Site VPN > Group Policies,然後選擇您選擇的組策略(在本示例中預設組策略)。 按一下Edit並在Edit Internal Group Policy對話方塊中編輯組策略。完成後按一下OK。
- 選擇Configuration > Firewall > NAT Rules,然後從Add Nat Rule窗口中為VPN資料流配置無nat (NAT-EXEMPT)規則。完成後按一下OK。
Remote-ASA(動態對等體)
- 在ASDM應用程式連線到ASA後,選擇Wizards > VPN Wizards > Site-to-site VPN Wizard。
- 按「Next」(下一步)。
- 從VPN Access Interface下拉選單中選擇outside以指定遠端對等體的外部IP地址。選擇應用加密對映的介面(WAN)。按「Next」(下一步)。
- 指定必須允許透過VPN隧道的主機/網路。在此步驟中,您需要為VPN隧道提供本地網路和遠端網路。點選Local Network和Remote Network欄位旁的按鈕,並根據要求選擇地址。完成後,按一下Next。
T
- 輸入要使用的身份驗證資訊,在本例中此資訊是預共用金鑰。本示例中使用的預共用金鑰是cisco123。如果您配置LAN到LAN (L2L) VPN,預設情況下Tunnel Group Name為遠端對等體IP地址。
或
您可以自定義配置,使其包括您選擇的IKE和IPSec策略。對等體之間至少需要有一個匹配的策略:
- 在Authentication Methods頁籤中,在Pre-shared Key欄位中輸入IKE版本1預共用金鑰。在本例中為cisco123。
- 按一下Encryption Algorithms頁籤。
- 在Authentication Methods頁籤中,在Pre-shared Key欄位中輸入IKE版本1預共用金鑰。在本例中為cisco123。
- 點選IKE Policy欄位旁的Manage,點選Add並配置自定義IKE策略(phase-1)。完成後按一下OK。
- 按一下IPsec Proposal欄位旁邊的Select,然後選擇所需的IPsec Proposal。完成後,按一下Next。
或者,您可以轉到完全正向保密頁籤並選中啟用完全正向保密(PFS)覈取方塊。完成後,按一下Next。
- 選中Exempt ASA side host/network from address translation旁邊的框以防止隧道資料流從網路地址轉換開始。從下拉選單中選擇local或inside,以便設定可訪問本地網路的介面。按「Next」(下一步)。
- ASDM顯示剛才配置的VPN的摘要。驗證並按一下Finish。
CLI配置
中央ASA(靜態對等體)配置
- 為VPN流量配置NO-NAT/NAT-EXEMPT規則,如以下示例所示:
object network 10.1.1.0-remote_network
subnet 10.1.1.0 255.255.255.0
object network 10.1.2.0-inside_network
subnet 10.1.2.0 255.255.255.0
nat (inside,outside) source static 10.1.2.0-inside_network 10.1.2.0-inside_network
destination static 10.1.1.0-remote_network 10.1.1.0-remote_network
no-proxy-arp route-lookup - 在DefaultL2LGroup下配置預共用金鑰,以驗證任何遠端動態-L2L對等體:
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key cisco123 - 定義階段2/ISAKMP策略:
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 - 定義階段2轉換集/IPsec策略:
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
- 使用以下引數配置動態對映:
- 所需的轉換集
- 啟用反向路由注入(RRI),允許安全裝置獲知連線的客戶端的路由資訊(可選)
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
crypto dynamic-map outside_dyn_map 1 set reverse-route - 將動態對映繫結到加密對映,應用加密對映並在外部介面上啟用ISAKMP/IKEv1:
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
Remote-ASA(動態對等體)
- 為VPN流量配置NAT免除規則:
object network 10.1.1.0-inside_network
subnet 10.1.1.0 255.255.255.0
object network 10.1.2.0-remote_network
subnet 10.1.2.0 255.255.255.0
nat (inside,outside) source static 10.1.1.0-inside_network 10.1.1.0-inside_network
destination static 10.1.2.0-remote_network 10.1.2.0-remote_network
no-proxy-arp route-lookup - 為靜態VPN對等體和預共用金鑰配置隧道組。
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
ikev1 pre-shared-key cisco123 - 定義階段1/ISAKMP策略:
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 - 定義階段2轉換集/IPsec策略:
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
- 配置定義相關VPN流量/網路的訪問清單:
access-list outside_cryptomap extended permit ip object
10.1.1.0-inside_network object 10.1.2.0-remote_network - 使用以下引數配置靜態加密對映:
- Crypto/VPN access-list
- 遠端IPsec對等體IP地址
- 所需的轉換集
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.16.2.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA - 應用加密對映並在外部介面上啟用ISAKMP/IKEv1:
crypto map outside_map interface outside
crypto ikev1 enable outside
驗證
使用本節內容,確認組態是否正常運作。
命令輸出解釋程式工具支援某些show命令。使用命令輸出解釋程式工具檢視show命令輸出的分析。
附註:只有完成註冊的思科使用者能存取思科內部工具與資訊。
- show crypto isakmp sa -顯示對等體上的所有當前IKE安全關聯(SA)。
- show crypto ipsec sa -顯示所有當前IPsec SA。
本節顯示兩個ASA的示例驗證輸出。
中央ASA
Central-ASA#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Central-ASA# show crypto ipsec sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 1, local addr: 172.16.2.1
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 172.16.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.1/0, remote crypto endpt.: 172.16.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 30D071C0
current inbound spi : 38DA6E51
inbound esp sas:
spi: 0x38DA6E51 (953839185)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (3914999/28588)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x30D071C0 (818966976)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (3914999/28588)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
遠端ASA
Remote-ASA#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Remote-ASA#show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 172.16.1.1
access-list outside_cryptomap extended permit ip 10.1.1.0
255.255.255.0 10.1.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 172.16.2.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.2.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 38DA6E51
current inbound spi : 30D071C0
inbound esp sas:
spi: 0x30D071C0 (818966976)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/28676)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x38DA6E51 (953839185)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/28676)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
疑難排解
本節提供的資訊可用於對組態進行疑難排解。
命令輸出解釋程式工具支援某些show 命令。使用Output Interpreter工具就可以檢視show 命令輸出的分析。
附註:只有完成註冊的思科使用者能存取思科內部工具與資訊。
附註:使用 debug 指令之前,請先參閱有關 Debug 指令的重要資訊。
使用以下命令:
clear crypto ikev1 sa <peer IP address>
Clears the Phase 1 SA for a specific peer.
在PIX/ASA軟體版本8.0(3)及更高版本中,可以使用clear crypto isakmp sa<peer ip address>命令清除單個IKE SA。在早於8.0(3)的軟體版本中,請使用vpn-sessiondb logoff tunnel-group <tunnel-group-name>命令清除單個隧道的IKE和IPsec SA。
Remote-ASA#vpn-sessiondb logoff tunnel-group 172.16.2.1
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions from TunnelGroup "172.16.2.1" logged off : 1
clear crypto ipsec sa peer <peer IP address>
!!! Clears the required Phase 2 SA for specific peer.
debug crypto condition peer < Peer address>
!!! Set IPsec/ISAKMP debug filters.
debug crypto isakmp sa <debug level>
!!! Provides debug details of ISAKMP SA negotiation.
debug crypto ipsec sa <debug level>
!!! Provides debug details of IPsec SA negotiations
undebug all
!!! To stop the debugs
使用的調試:
debug cry condition peer <remote peer public IP>
debug cry ikev1 127
debug cry ipsec 127
遠端ASA(啟動器)
輸入以下Packet Tracer命令以啟動隧道:
Remote-ASA#packet-tracer input inside icmp 10.1.1.10 8 0 10.1.2.10 detailed
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
Jan 19 22:00:06 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple:
Prot=1, saddr=10.1.1.10, sport=0, daddr=10.1.2.10, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE Initiator: New Phase 1, Intf
inside, IKE Peer 172.16.2.1 local Proxy Address 10.1.1.0, remote Proxy Address
10.1.2.0, Crypto map (outside_map)
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 172
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0)
total length : 132
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, Connection landed on tunnel_group 172.16.2.1
<skipped>...
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) +
NONE (0) total length : 96
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
Automatic NAT Detection Status: Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128)
+ VENDOR (13) + NONE (0) total length : 96
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR ID received 172.16.2.1
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, Connection landed on tunnel_group 172.16.2.1
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1,
Oakley begin quick mode
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1, PHASE 1 COMPLETED
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1, IKE Initiator
starting QM: msg id = c45c7b30
:
.
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, Transmitting Proxy Id:
Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.2.0 Mask 255.255.255.0 Protocol 0 Port 0
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) + NONCE
(10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE RECEIVED Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +
ID (5) + ID (5) + NONE (0) total length : 172
:
.
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Jan 19 22:00:06 [IKEv1 DEBUG]Group = 172.16.2.1, IP = 172.16.2.1, processing ID payload
Jan 19 22:00:06 [IKEv1 DECODE]Group = 172.16.2.1, IP = 172.16.2.1,
ID_IPV4_ADDR_SUBNET ID received--10.1.2.0--255.255.255.0
:
.
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
Security negotiation complete for LAN-to-LAN Group (172.16.2.1)
Initiator, Inbound SPI = 0x30d071c0, Outbound SPI = 0x38da6e51
:
.
Jan 19 22:00:06 [IKEv1]IP = 172.16.2.1, IKE_DECODE SENDING Message
(msgid=c45c7b30) with payloads : HDR + HASH (8) + NONE (0) total length : 76
:
.
Jan 19 22:00:06 [IKEv1]Group = 172.16.2.1, IP = 172.16.2.1,
PHASE 2 COMPLETED (msgid=c45c7b30)
Central-ASA(響應程式)
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + NONE (0) total length : 172
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length
:
132
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, Connection landed on tunnel_group
DefaultL2LGroup
Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 172.16.1.1,
Generating keys for Responder...
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) +
NONE (0) total length : 304
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8)
+ IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 20 12:42:35 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 172.16.1.1,
ID_IPV4_ADDR ID received 172.16.1.1
:
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +
VENDOR (13) + NONE (0) total length : 96
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, PHASE 1 COMPLETED
:
.
Jan 20 12:42:35 [IKEv1 DECODE]IP = 172.16.1.1, IKE Responder starting QM:
msg id = c45c7b30
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE
RECEIVED Message (msgid=c45c7b30) with payloads : HDR + HASH (8) + SA (1) +
NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Received remote
IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0,
Protocol 0, Port 0 :
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup,
IP = 172.16.1.1, Received local
IP Proxy Subnet data in ID Payload: Address 10.1.2.0, Mask 255.255.255.0,
Protocol 0, Port 0 Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup,
IP = 172.16.1.1, processing notify payload
Jan 20 12:42:35 [IKEv1] Group = DefaultL2LGroup, IP = 172.16.1.1, QM
IsRekeyed old sa not found by addr
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Static Crypto Map
check, map outside_dyn_map, seq = 1 is a successful match
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, IKE
Remote Peer configured for crypto map: outside_dyn_map
:
.
Jan 20 12:42:35 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 172.16.1.1,
Transmitting Proxy Id: Remote subnet: 10.1.1.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 10.1.2.0 mask 255.255.255.0 Protocol 0 Port 0 :
.
Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=c45c7b30)
with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE
(0) total length : 172 Jan 20 12:42:35 [IKEv1]IP = 172.16.1.1, IKE_DECODE RECEIVED
Message (msgid=c45c7b30) with payloads : HDR + HASH (8) + NONE (0) total length : 52:
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Security
negotiation complete for LAN-to-LAN Group (DefaultL2LGroup) Responder,
Inbound SPI = 0x38da6e51, Outbound SPI = 0x30d071c0 :
.
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1,
PHASE 2 COMPLETED (msgid=c45c7b30)
Jan 20 12:42:35 [IKEv1]Group = DefaultL2LGroup, IP = 172.16.1.1, Adding static
route for L2L peer coming in on a dynamic map. address: 10.1.1.0, mask: 255.255.255.0
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
22-Jun-2015 |
初始版本 |
意見