在ASAv上使用ASDM或CLI配置IKEv1 IPsec站點到站點隧道

下載選項

  • PDF     (1.0 MB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (606.9 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (867.1 KB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2018 年 4 月 13 日
文件 ID:119141

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本文檔介紹如何在運行v9.18.3的兩個思科安全防火牆虛擬(ASAv)之間配置IKEv1 IPsec站點到站點隧道。

    必要條件

    需求

    思科建議您瞭解以下主題:

    • 必須建立端到端IP連線
    • 必須允許以下協定:
      1. 適用於IPsec控制平面的使用者資料包通訊協定(UDP)500和4500
      2. 為IPsec資料平面封裝安全負載(ESP)IP協定50

    採用元件

    本檔案中的資訊是根據以下軟體和硬體版本:

    • 運行軟體版本9.18.3的Cisco安全防火牆ASA虛擬

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    設定

    本節介紹如何通過自適應安全裝置管理器(ASDM)VPN嚮導或通過CLI配置站點到站點VPN隧道。

    網路圖表

    此拓撲用於本文檔中的示例:

    拓撲圖表拓撲圖表


    通過ASDM VPN嚮導配置

    完成以下步驟,以便通過ASDM嚮導設定站點到站點VPN隧道:

    1. 開啟ASDM並導航至Wizards > VPN Wizards > Site-to-site VPN Wizard。

      VPN嚮導導航VPN嚮導導航
    2. 在進入Next「嚮導」首頁後,按一下。

      VPN嚮導視窗1VPN嚮導視窗1

      :最新的ASDM版本提供影片連結,解釋此配置。

    3. 配置對等IP地址。在本示例中,站點B上的對等IP地址設定為10.106.67.91。如果在站點A上配置對等IP地址,則必須將其更改為10.106.67.90。還指定了可以到達遠端端的介面。完成Next後按一下。

      VPN嚮導視窗2VPN嚮導視窗2
    4. 配置本地和遠端網路(流量源和目標)。此圖顯示了站點B的配置(與站點A相反)。

      VPN嚮導視窗3VPN嚮導視窗3
    5. 在Security頁面上,配置預共用金鑰(其兩端必須匹配)。完成Next後按一下。

      VPN嚮導視窗4VPN嚮導視窗4
    6. 為ASA上的流量配置源介面。ASDM根據ASA版本自動建立網路地址轉換(NAT)規則,並在最後步驟中將其與配置其餘部分一起推送。

      :對於本文檔中使用的示例,「inside」是流量的來源。

      VPN嚮導視窗5VPN嚮導視窗5
    7. 現在,該嚮導提供推送到ASA的配置的摘要。檢視並驗證配置設定,然後按一下Finish。

      VPN嚮導視窗6VPN嚮導視窗6

    通過CLI配置

    本節介紹如何通過CLI配置IKEv1 IPsec站點到站點隧道。

    配置站點B

    提示:有關ASA的IKEv2配置示例,請參閱ASA和路由器之間的站點到站點IKEv2隧道配置示例Cisco文檔。

    第1階段(IKEv1)

    完成第1階段配置的以下步驟:

    1. 在CLI中輸入以下命令以在外部介面上啟用IKEv1:

      crypto ikev1 enable outside
    2. 建立IKEv1策略,該策略定義用於雜湊、身份驗證、Diffie-Hellman組、生存期和加密的演算法/方法:

      crypto ikev1 policy 1
      ! The 1 in the above command refers to the Policy suite priority (1 highest, 65535 lowest)
        authentication pre-share
        encryption aes-256
        hash sha
        group 14
        lifetime 86400
    3. 在IPsec屬性下建立隧道組,並配置對等IP地址和隧道預共用金鑰:

      tunnel-group 10.106.67.90 type ipsec-l2l
      tunnel-group 10.106.67.90 ipsec-attributes
       ikev1 pre-shared-key cisco
       ! Note the IKEv1 keyword at the beginning of the pre-shared-key command.
      4.

    階段2(IPsec)

    完成第2階段配置的以下步驟:

    1. 建立定義要加密和隧道化的流量的訪問清單。在本例中,感興趣的流量是來自隧道的流量,該隧道源自從10.2.2.0子網到10.1.1.0。如果站點之間涉及多個子網,則它可以包含多個條目。

      object network 10.2.2.0_24
       subnet 10.2.2.0 255.255.255.0
      object network 10.1.1.0_24
       subnet 10.1.1.0 255.255.255.0

      access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24
    2. 配置轉換集(TS),該轉換集必須包含關鍵字IKEv1。在遠端也必須建立相同的TS。 

      crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
    3. 配置包含以下元件的加密對映:
      • 對等IP地址
      • 包含相關流量的已定義訪問清單
      • TS
      • 可選的完全向前保密(PFS)設定,它建立了一對新的Diffie-Hellman金鑰,用於保護資料(在第2階段啟動之前,兩端都必須啟用PFS)

    4. 在外部介面上應用加密對映:

      crypto map outside_map 20 match address 100
      crypto map outside_map 20 set peer 10.106.67.90
      crypto map outside_map 20 set ikev1 transform-set myset
      crypto map outside_map 20 set pfs
      crypto map outside_map interface outside
      5.

    NAT免除

    確保VPN流量不受任何其他NAT規則的約束。 以下是使用的NAT規則:

       

    nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

    注意:使用多個子網時,您必須建立包含所有源子網和目標子網的對象組,並在NAT規則中使用它們。

       

    object-group network 10.x.x.x_SOURCE
     network-object 10.4.4.0 255.255.255.0
     network-object 10.2.2.0 255.255.255.0

    object network 10.x.x.x_DESTINATION
     network-object 10.3.3.0 255.255.255.0
     network-object 10.1.1.0 255.255.255.0

    nat (inside,outside) 1 source static 10.x.x.x_SOURCE 10.x.x.x_SOURCE destination static 10.x.x.x_DESTINATION 10.x.x.x_DESTINATION no-proxy-arp route-lookup 


    完成示例配置

    以下是站點B的完整配置:

    crypto ikev1 enable outside

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 14
     lifetime 86400

    tunnel-group 10.106.67.90 type ipsec-l2l
    tunnel-group 10.106.67.90 ipsec-attributes
     ikev1 pre-shared-key cisco
     !Note the IKEv1 keyword at the beginning of the pre-shared-key command.

    object network 10.2.2.0_24 
     subnet 10.2.2.0 255.255.255.0 
    object network 10.1.1.0_24 
     subnet 10.1.1.0 255.255.255.0

    access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24

    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer 10.106.67.90
    crypto map outside_map 20 set ikev1 transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside

    nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

    組策略

    組策略用於定義適用於隧道的特定設定。這些策略與隧道組結合使用。

    組策略可以定義為內部,這意味著從ASA上定義的屬性中抽取屬性,也可以定義為外部,從外部伺服器查詢屬性。 以下是用於定義組策略的命令:

    group-policy SITE_A internal

    註:您可以在組策略中定義多個屬性。有關所有可能的屬性的清單,請參閱配置組策略部分。

    組策略可選屬性

    vpn-tunnel-protocol屬性確定必須應用這些設定的隧道型別。在此範例中,使用IPsec:

    vpn-tunnel-protocol ?
     group-policy mode commands/options:
     IPSec IP Security Protocol l2tp-ipsec L2TP using IPSec for security
     svc SSL VPN Client
     webvpn WebVPN

    vpn-tunnel-protocol ikev1 - Version 8.4 and later


    您可以選擇配置隧道,使其保持空閒(無流量)且不發生故障。要配置此選項,屬性值vpn-idle-timeout(attribute value)必須使用分鐘(minutes),或者您可以將該值設定為none,這意味著隧道永遠不會關閉。 

    以下是範例:

    group-policy SITE_A attributes
      vpn-idle-timeout ?

    group-policy mode commands/options:
     <1-35791394> Number of minutes
     alert-interval Specify timeout alert interval in minutes
     none Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable
     timeout and allow an unlimited idle period; AnyConnect (SSL,
     IPSec/IKEv2): Use value of default-idle-timeout


    通道組的default-group-policy「常規」屬性下的命令定義用於為已建立的通道推送某些策略設定的組策略。未在組策略中定義的選項的預設設定取自全域性預設組策略:

    tunnel-group 10.106.67.91 general-attributes
     default-group-policy SITE_A

    驗證

    使用本節提供的資訊以驗證您的組態是否正常運作。

    ASDM

    若要從ASDM檢視隧道狀態,請導航至Monitoring > VPN。以下資料提供:

    • 對等IP地址
    • 用於建立通道的通訊協定
    • 使用的加密演算法
    • 隧道啟動的時間和啟動時間
    • 接收和傳輸的資料包數
      •

    提示:按一下Refresh,以檢視最新值,因為資料不會即時更新。

    VPN監控視窗VPN監控視窗

    CLI

    本節介紹如何通過CLI驗證您的配置。

    第1階段

    在CLI中輸入以下命令,以在站點B端驗證階段1配置:

    show crypto ikev1 sa

    IKEv1 SAs:
     
     Active SA: 1
     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 10.106.67.91
     Type : L2L Role : initiator
     Rekey : no State : MM_ACTIVE


    第2階段

    show crypto ipsec sa命令顯示在對等體之間構建的IPsec SA。對於網路10.1.1.0和10.2.2.0之間流動的流量,在IP地址10.106.67.90和10.106.67.91之間構建加密隧道。您可以看到為入站和出站流量構建的兩個ESP SA。由於沒有AH SA,因此未使用身份驗證報頭(AH)。

    在CLI中輸入以下命令,以驗證站點A端的第2階段配置:

    interface: outside
     Crypto map tag: outside_map, seq num: 20, local addr: 10.106.67.90

     access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 
     local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
     current_peer: 10.106.67.91


     #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
     #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #TFC rcvd: 0, #TFC sent: 0
     #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 10.106.67.90/0, remote crypto endpt.: 10.106.67.91/0
     path mtu 1500, ipsec overhead 74(44), media mtu 1500
     PMTU time remaining (sec): 0, DF policy: copy-df
     ICMP error validation: disabled, TFC packets: disabled
     current outbound spi: F8951DA2
     current inbound spi : 662C7ABE

     inbound esp sas:
     spi: 0x662C7ABE (1714191038)
     SA State: active
     transform: esp-aes-256 esp-sha-hmac no compression 
     in use settings ={L2L, Tunnel, PFS Group 14, IKEv1, }
     slot: 0, conn_id: 1, crypto-map: outside_map
     sa timing: remaining key lifetime (kB/sec): (3914998/28074)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap: 
     0x00000000 0x001FFFFF
     outbound esp sas:
     spi: 0xF8951DA2 (4170522018)
     SA State: active
     transform: esp-aes-256 esp-sha-hmac no compression 
     in use settings ={L2L, Tunnel, PFS Group 14, IKEv1, }
     slot: 0, conn_id: 1, crypto-map: outside_map
     sa timing: remaining key lifetime (kB/sec): (3914998/28073)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap: 
     0x00000000 0x00000001


    在CLI中輸入以下命令,以在站點B端驗證階段2配置:

    interface: outside
     Crypto map tag: outside_map, seq num: 20, local addr: 10.106.67.91

     access-list 100 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 
     local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
     current_peer: 10.106.67.90


     #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
     #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #TFC rcvd: 0, #TFC sent: 0
     #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 10.106.67.91/0, remote crypto endpt.: 10.106.67.90/0
     path mtu 1500, ipsec overhead 74(44), media mtu 1500
     PMTU time remaining (sec): 0, DF policy: copy-df
     ICMP error validation: disabled, TFC packets: disabled
     current outbound spi: 662C7ABE
     current inbound spi : F8951DA2

     inbound esp sas:
     spi: 0xF8951DA2 (4170522018)
     SA State: active
     transform: esp-aes-256 esp-sha-hmac no compression 
     in use settings ={L2L, Tunnel, PFS Group 14, IKEv1, }
     slot: 0, conn_id: 1, crypto-map: outside_map
     sa timing: remaining key lifetime (kB/sec): (4373998/27737)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap: 
     0x00000000 0x001FFFFF
     outbound esp sas:
     spi: 0x662C7ABE (1714191038)
     SA State: active
     transform: esp-aes-256 esp-sha-hmac no compression 
     in use settings ={L2L, Tunnel, PFS Group 14, IKEv1, }
     slot: 0, conn_id: 1, crypto-map: outside_map
     sa timing: remaining key lifetime (kB/sec): (4373998/27737)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap: 
     0x00000000 0x00000001


    疑難排解

    使用本節提供的資訊對組態問題進行疑難排解。

    輸入以下debug命令可判斷通道失敗的位置:  

    • debug crypto ikev1 127 (第1階段)
    • debug crypto ipsec 127 (第2階段)

      •

    以下是偵錯輸出的完整範例:

    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.1.1.10, sport=23043, daddr=10.2.2.10, dport=23043
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 20: matched.
    Mar 15 05:41:39 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.1.1.10, sport=23043, daddr=10.2.2.10, dport=23043
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 20: matched.
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.106.67.91 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0, Crypto map (outside_map)
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing ISAKMP SA payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing NAT-Traversal VID ver 02 payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing NAT-Traversal VID ver 03 payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing NAT-Traversal VID ver RFC payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing Fragmentation VID + extended capabilities payload
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
    Mar 15 05:41:39 [IKEv1]IKE Receiver: Packet received on 10.106.67.90:500 from 10.106.67.91:500
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing SA payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Oakley proposal is acceptable
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Received NAT-Traversal RFC VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Received Fragmentation VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing ke payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing nonce payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing Cisco Unity VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing xauth V6 VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Send IOS VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing NAT-Discovery payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, computing NAT Discovery hash
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, constructing NAT-Discovery payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, computing NAT Discovery hash
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 432
    Mar 15 05:41:39 [IKEv1]IKE Receiver: Packet received on 10.106.67.90:500 from 10.106.67.91:500
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 432
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing ke payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing ISA_KE payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing nonce payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Received Cisco Unity client VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Received xauth V6 VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing NAT-Discovery payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, computing NAT Discovery hash
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, processing NAT-Discovery payload
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, computing NAT Discovery hash
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, Connection landed on tunnel_group 10.106.67.91
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Generating keys for Initiator...
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing ID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing hash payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Computing hash for ISAKMP
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing dpd vid payload
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Mar 15 05:41:39 [IKEv1]Group = 10.106.67.91, IP = 10.106.67.91, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
    Mar 15 05:41:39 [IKEv1]IKE Receiver: Packet received on 10.106.67.90:500 from 10.106.67.91:500
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing ID payload
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, ID_IPV4_ADDR ID received 10.106.67.91
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing hash payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Computing hash for ISAKMP
    Mar 15 05:41:39 [IKEv1 DEBUG]IP = 10.106.67.91, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing VID payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Received DPD VID
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, Connection landed on tunnel_group 10.106.67.91
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Oakley begin quick mode
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, IKE Initiator starting QM: msg id = ad712fa9
    Mar 15 05:41:39 [IKEv1]Group = 10.106.67.91, IP = 10.106.67.91, PHASE 1 COMPLETED
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, Keep-alive type for this connection: DPD
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Starting P1 rekey timer: 73440 seconds.
    Mar 15 05:41:39 [IKEv1]Group = 10.106.67.91, IP = 10.106.67.91, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 8192
    Mar 15 05:41:39 [IKEv1]Group = 10.106.67.91, IP = 10.106.67.91, Add to IKEv1 MIB Table succeeded for SA with logical ID 8192
    IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
    IPSEC INFO: IPSec SA PURGE timer started SPI 0x0001B739
    IPSEC: New embryonic SA created @ 0x00007f05294f4620, 
     SCB : 0x294CFE60, 
     Direction : inbound
     SPI : 0x50EF49AD
     Session ID : 0x00002000
     VPIF num : 0x00000002
     Tunnel type : l2l
     Protocol : esp
     Lifetime : 240 seconds
     SA handle : 0x0001B739
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, IKE got SPI from key engine: SPI = 0x50ef49ad
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, oakley constructing quick mode
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing blank hash payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing IPSec SA payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing IPSec nonce payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing pfs ke payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing proxy ID
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Transmitting Proxy Id:
     Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
     Remote subnet: 10.2.2.0 Mask 255.255.255.0 Protocol 0 Port 0
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, IKE Initiator sending Initial Contact
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, constructing qm hash payload
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, IKE Initiator sending 1st QM pkt: msg id = ad712fa9
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE SENDING Message (msgid=ad712fa9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 464
    Mar 15 05:41:39 [IKEv1]IKE Receiver: Packet received on 10.106.67.90:500 from 10.106.67.91:500
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE RECEIVED Message (msgid=ad712fa9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 436
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing hash payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing SA payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing nonce payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing ke payload
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing ISA_KE for PFS in phase 2
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing ID payload
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, processing ID payload
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, ID_IPV4_ADDR_SUBNET ID received--10.2.2.0--255.255.255.0
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, loading all IPSEC SAs
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Generating Quick Mode Key!
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Generating Quick Mode Key!
    Mar 15 05:41:39 [IKEv1]Group = 10.106.67.91, IP = 10.106.67.91, Security negotiation complete for LAN-to-LAN Group (10.106.67.91) Initiator, Inbound SPI = 0x50ef49ad, Outbound SPI = 0xea689811
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, oakley constructing final quick mode
    Mar 15 05:41:39 [IKEv1 DECODE]Group = 10.106.67.91, IP = 10.106.67.91, IKE Initiator sending 3rd QM pkt: msg id = ad712fa9
    Mar 15 05:41:39 [IKEv1]IP = 10.106.67.91, IKE_DECODE SENDING Message (msgid=ad712fa9) with payloads : HDR + HASH (8) + NONE (0) total length : 76
    IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
    IPSEC INFO: IPSec SA PURGE timer started SPI 0x00024311
    IPSEC: New embryonic SA created @ 0x00007f05294fd920, 
     SCB : 0x294CCDB0, 
     Direction : outbound
     SPI : 0xEA689811
     Session ID : 0x00002000
     VPIF num : 0x00000002
     Tunnel type : l2l
     Protocol : esp
     Lifetime : 240 seconds
     SA handle : 0x00024311
    Rule Lookup for local 10.1.1.0 to remote 10.2.2.0
    Peer matched map outside_map sequence 20
    PROXY MATCH on crypto map outside_map seq 20
    IPSEC DEBUG: Using NP outbound permit rule for SPI 0xEA689811
    IPSEC: Completed host OBSA update, SPI 0xEA689811
    IPSEC: Creating outbound VPN context, SPI 0xEA689811
     Flags : 0x00000005
     SA : 0x00007f05294fd920
     SPI : 0xEA689811
     MTU : 1500 bytes
     VCID : 0x00000000
     Peer : 0x00000000
     SCB : 0x02CEE703
     Channel: 0x00007f0533c4f700
    IPSEC: Completed outbound VPN context, SPI 0xEA689811
    VPN handle: 0x000000000000763c
    IPSEC: New outbound encrypt rule, SPI 0xEA689811
     Src addr: 10.1.1.0
     Src mask: 255.255.255.0
     Dst addr: 10.2.2.0
     Dst mask: 255.255.255.0
     Src ports
     Upper: 0
     Lower: 0
     Op : ignore
     Dst ports
     Upper: 0
     Lower: 0
     Op : ignore
     Protocol: 0
     Use protocol: false
     SPI: 0x00000000
     Use SPI: false
    IPSEC: Completed outbound encrypt rule, SPI 0xEA689811
    Rule ID: 0x00007f05294f8a60
    IPSEC: New outbound permit rule, SPI 0xEA689811
     Src addr: 10.106.67.90
     Src mask: 255.255.255.255
     Dst addr: 10.106.67.91
     Dst mask: 255.255.255.255
     Src ports
     Upper: 0
     Lower: 0
     Op : ignore
     Dst ports
     Upper: 0
     Lower: 0
     Op : ignore
     Protocol: 50
     Use protocol: true
     SPI: 0xEA689811
     Use SPI: true
    IPSEC: Completed outbound permit rule, SPI 0xEA689811
    Rule ID: 0x00007f05294f9110
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, IKE got a KEY_ADD msg for SA: SPI = 0xea689811
    IPSEC: New embryonic SA created @ 0x00007f05294f4620, 
     SCB : 0x294CFE60, 
     Direction : inbound
     SPI : 0x50EF49AD
     Session ID : 0x00002000
     VPIF num : 0x00000002
     Tunnel type: l2l
     Protocol : esp
     Lifetime : 240 seconds
     SA handle : 0x0001B739
    Rule Lookup for local 10.1.1.0 to remote 10.2.2.0
    Peer matched map outside_map sequence 20
    PROXY MATCH on crypto map outside_map seq 20
    IPSEC DEBUG: Using NP inbound permit rule for SPI 0x50EF49AD
    IPSEC: Completed host IBSA update, SPI 0x50EF49AD
    IPSEC: Creating inbound VPN context, SPI 0x50EF49AD
     Flags: 0x00000006
     SA : 0x00007f05294f4620
     SPI : 0x50EF49AD
     MTU : 0 bytes
     VCID : 0x00000000
     Peer : 0x0000763C
     SCB : 0x02CE8BB3
     Channel: 0x00007f0533c4f700
    IPSEC: Completed inbound VPN context, SPI 0x50EF49AD
    VPN handle: 0x00000000000086bc
    IPSEC: Updating outbound VPN context 0x0000763C, SPI 0xEA689811
     Flags: 0x00000005
     SA : 0x00007f05294fd920
     SPI : 0xEA689811
     MTU : 1500 bytes
     VCID : 0x00000000
     Peer : 0x000086BC
     SCB : 0x02CEE703
     Channel: 0x00007f0533c4f700
    IPSEC: Completed outbound VPN context, SPI 0xEA689811
    VPN handle: 0x000000000000763c
    IPSEC: Completed outbound inner rule, SPI 0xEA689811
    Rule ID: 0x00007f05294f8a60
    IPSEC: Completed outbound outer SPD rule, SPI 0xEA689811
    Rule ID: 0x00007f05294f9110
    IPSEC: New inbound tunnel flow rule, SPI 0x50EF49AD
     Src addr: 10.2.2.0
     Src mask: 255.255.255.0
     Dst addr: 10.1.1.0
     Dst mask: 255.255.255.0
     Src ports
     Upper: 0
     Lower: 0
     Op : ignore
     Dst ports
     Upper: 0
     Lower: 0
     Op : ignore
     Protocol: 0
     Use protocol: false
     SPI: 0x00000000
     Use SPI: false
    IPSEC: Completed inbound tunnel flow rule, SPI 0x50EF49AD
    Rule ID: 0x00007f05294f8180
    IPSEC: New inbound decrypt rule, SPI 0x50EF49AD
     Src addr: 10.106.67.91
     Src mask: 255.255.255.255
     Dst addr: 10.106.67.90
     Dst mask: 255.255.255.255
     Src ports
     Upper: 0
     Lower: 0
     Op : ignore
     Dst ports
     Upper: 0
     Lower: 0
     Op : ignore
     Protocol: 50
     Use protocol: true
     SPI: 0x50EF49AD
     Use SPI: true
    IPSEC: Completed inbound decrypt rule, SPI 0x50EF49AD
    Rule ID: 0x00007f05294f7ad0
    IPSEC: New inbound permit rule, SPI 0x50EF49AD
     Src addr: 10.106.67.91
     Src mask: 255.255.255.255
     Dst addr: 10.106.67.90
     Dst mask: 255.255.255.255
     Src ports
     Upper: 0
     Lower: 0
     Op : ignore
     Dst ports
     Upper: 0
     Lower: 0
     Op : ignore
     Protocol: 50
     Use protocol: true
     SPI: 0x50EF49AD
     Use SPI: true
    IPSEC: Completed inbound permit rule, SPI 0x50EF49AD
    Rule ID: 0x00007f05294f4510
    IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
    IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Pitcher: received KEY_UPDATE, spi 0x50ef49ad
    Mar 15 05:41:39 [IKEv1 DEBUG]Group = 10.106.67.91, IP = 10.106.67.91, Starting P2 rekey timer: 24480 seconds.
    Mar 15 05:41:39 [IKEv1]Group = 10.106.67.91, IP = 10.106.67.91, PHASE 2 COMPLETED (msgid=ad712fa9)

    修訂記錄

    修訂 發佈日期 意見
    1.0
    10-Jul-2015
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Venkata Aditya B
      Cisco TAC Engineer
    • Rahul Govindan
      Cisco TAC Engineer
    • Pavan Gundu
      Technical Consulting Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品