
Configuring ASA Dynamic IPsec: IOS and a Dynamically-addressed PIX with NAT


1. Network Topology

Software versions:

Router: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)

ASA: Cisco PIX Security Appliance Software Version 7.2(2)

Note: the parts highlighted in yellow in the document are CBAC configuration, not VPN configuration. This example is very simple; its main purpose is to show how to configure a dynamic VPN when one peer's address is assigned dynamically.

2. Configuration

ASA# show running-config

: Saved

:

PIX Version 7.2(3)

!

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address dhcp

!

interface Ethernet1

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list ipsec extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

access-list nonat extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 88.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set vpn esp-des esp-md5-hmac

crypto map map1 10 match address ipsec

crypto map map1 10 set peer 99.1.1.2

crypto map map1 10 set transform-set vpn

crypto map map1 interface outside

crypto isakmp enable outside

crypto isakmp policy 110

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map net

match default-inspection-traffic

!

!

policy-map type inspect dns dnsmap

parameters

message-length maximum 512

policy-map map1

class net

inspect dns dnsmap

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

!

service-policy map1 global

tunnel-group 99.1.1.2 type ipsec-l2l

tunnel-group 99.1.1.2 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

R1#show running-config

Building configuration...

Current configuration : 1522 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

crypto isakmp policy 110

hash md5

authentication pre-share

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set vpn esp-des esp-md5-hmac

!

crypto dynamic-map dymap 10

set transform-set vpn

match address 110

!

!

crypto map map1 10 ipsec-isakmp dynamic dymap

!

!

!

!

interface FastEthernet0/0

ip address 172.16.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex half

!

interface Ethernet1/0

ip address 99.1.1.2 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex half

crypto map map1

!

interface Ethernet1/1

no ip address

shutdown

duplex half

!

interface Ethernet1/2

no ip address

shutdown

duplex half

!

interface Ethernet1/3

no ip address

shutdown

duplex half

!

ip route 0.0.0.0 0.0.0.0 99.1.1.1

no ip http server

no ip http secure-server

!

!

ip nat inside source list 100 interface Ethernet1/0 overload

!

logging alarm informational

access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 100 permit ip 172.16.2.0 0.0.0.255 any

access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

!

!

!

!

!

control-plane

!

!

!

!

!

!

gatekeeper

shutdown

!

!

line con 0

exec-timeout 0 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

!

!

end

internet#sh running-config

Building configuration...

Current configuration : 965 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname internet

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

ip cef

!

no ip dhcp use vrf connected

!

ip dhcp pool net

network 88.1.1.0 255.255.255.0

default-router 88.1.1.1

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

shutdown

duplex half

!

interface Ethernet1/0

ip address 88.1.1.1 255.255.255.0

duplex half

!

interface Ethernet1/1

ip address 99.1.1.1 255.255.255.0

duplex half

!

interface Ethernet1/2

no ip address

shutdown

duplex half

!

interface Ethernet1/3

no ip address

shutdown

duplex half

!

no ip http server

no ip http secure-server

!

!

!

logging alarm informational

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

gatekeeper

shutdown

!

!

line con 0

exec-timeout 0 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

!

!

end

3. Verifying the Configuration

R2#ping 172.16.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 120/169/248 ms

R1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

99.1.1.2 88.1.1.2 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA


R1#sh crypto ipsec sa

interface: Ethernet1/0

Crypto map tag: map1, local addr 99.1.1.2

protected vrf: (none)

local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

current_peer 88.1.1.2 port 500

PERMIT, flags={}

#pkts encaps: 54, #pkts encrypt: 54, #pkts digest: 54

#pkts decaps: 54, #pkts decrypt: 54, #pkts verify: 54

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 99.1.1.2, remote crypto endpt.: 88.1.1.2

path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0

current outbound spi: 0x4E88B97B(1317583227)

inbound esp sas:

spi: 0x3C896639(1015637561)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, crypto map: map1

sa timing: remaining key lifetime (k/sec): (4523857/3328)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x4E88B97B(1317583227)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 2, flow_id: SW:2, crypto map: map1

sa timing: remaining key lifetime (k/sec): (4523857/3327)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

ASA# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 99.1.1.2

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

ASA# sh crypto ipsec sa

interface: outside

Crypto map tag: map1, seq num: 10, local addr: 88.1.1.2

access-list ipsec permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

current_peer: 99.1.1.2

#pkts encaps: 54, #pkts encrypt: 54, #pkts digest: 54

#pkts decaps: 54, #pkts decrypt: 54, #pkts verify: 54

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 54, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 88.1.1.2, remote crypto endpt.: 99.1.1.2

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 3C896639

inbound esp sas:

spi: 0x4E88B97B (1317583227)

transform: esp-des esp-md5-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 1, crypto-map: map1

sa timing: remaining key lifetime (kB/sec): (4274994/3458)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x3C896639 (1015637561)

transform: esp-des esp-md5-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 1, crypto-map: map1

sa timing: remaining key lifetime (kB/sec): (4274994/3458)

IV size: 8 bytes

replay detection support: Y

ASA# sh crypto ipsec stats

IPsec Global Statistics

-----------------------

Active tunnels: 1

Previous tunnels: 1

Inbound

Bytes: 5400

Decompressed bytes: 5400

Packets: 54

Dropped packets: 0

Replay failures: 0

Authentications: 54

Authentication failures: 0

Decryptions: 54

Decryption failures: 0

Decapsulated fragments needing reassembly: 0

Outbound

Bytes: 5400

Uncompressed bytes: 5400

Packets: 54

Dropped packets: 0

Authentications: 54

Authentication failures: 0

Encryptions: 54

Encryption failures: 0

Fragmentation successes: 0

Pre-fragmentation successses: 0

Post-fragmentation successes: 0

Fragmentation failures: 0

Pre-fragmentation failures: 0

Post-fragmentation failures: 0

Fragments created: 0

PMTUs sent: 0

PMTUs rcvd: 0

Protocol failures: 0

Missing SA failures: 0

System capacity failures: 0

ASA# sh crypto isakmp stats

Global IKE Statistics

Active Tunnels: 1

Previous Tunnels: 1

In Octets: 1160

In Packets: 11

In Drop Packets: 0

In Notifys: 7

In P2 Exchanges: 0

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 1320

Out Packets: 12

Out Drop Packets: 0

Out Notifys: 14

Out P2 Exchanges: 1

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 1

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

ASA# show ip address

System IP Addresses:

Interface   Name      IP address    Subnet mask     Method

Ethernet0   outside   88.1.1.2      255.255.255.0   DHCP

Ethernet1   inside    172.16.1.1    255.255.255.0   manual

Current IP Addresses:

Interface   Name      IP address    Subnet mask     Method

Ethernet0   outside   88.1.1.2      255.255.255.0   DHCP

Ethernet1   inside    172.16.1.1    255.255.255.0   manual
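The counters above show the tunnel working, but the configs can also be cross-checked statically. The following Python script is an added example, not part of the original document or of any Cisco tool; it embeds the ACL, NAT and crypto lines copied from the ASA and R1 configs above (constructed input) and reports whether the crypto ACLs mirror each other, whether NAT exemption on each side covers exactly the VPN traffic, which weak algorithms (DES, MD5, DH group 1) are configured, and whether the router's pre-shared key is bound to any peer address. The check names and the weak-token list are this example's own choices.

```python
"""Static cross-check of the ASA and R1 configurations shown in this document.
Added example, not part of the original document or of Cisco's tooling."""
import ipaddress
import re

# Constructed input: the ACL, NAT and crypto lines copied from the two configs above.
ASA_CONFIG = """
access-list ipsec extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto isakmp policy 110
 authentication pre-share
 encryption des
 hash md5
 group 1
"""
IOS_CONFIG = """
crypto isakmp policy 110
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpn esp-des esp-md5-hmac
ip nat inside source list 100 interface Ethernet1/0 overload
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# Algorithm tokens flagged on IKE policy and transform-set lines. IOS policy 110
# also runs DES and DH group 1 by default (the debug output shows this), but
# unset defaults are not visible in the running config and are not detected here.
WEAK_TOKENS = ("des", "md5", "group 1")

def asa_acl(config, name):
    """(src, dst) network pairs of a named ASA ACL (subnet-mask notation)."""
    pat = rf"access-list {name} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in re.findall(pat, config)]

def ios_acl(config, number, action="permit"):
    """(src, dst) network pairs of a numbered IOS ACL (wildcard-mask notation)."""
    pat = rf"access-list {number} {action} ip (\S+) (\S+) (\S+) (\S+)"
    pairs = []
    for s, sw, d, dw in re.findall(pat, config):
        # An IOS wildcard is the bitwise inverse of the subnet mask.
        s_mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(sw)))
        d_mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(dw)))
        pairs.append((ipaddress.ip_network(f"{s}/{s_mask}"),
                      ipaddress.ip_network(f"{d}/{d_mask}")))
    return pairs

def mirrored(asa_pairs, ios_pairs):
    """True when each ASA (src, dst) flow appears as (dst, src) on the IOS side."""
    return set(asa_pairs) == {(d, s) for s, d in ios_pairs}

def weak_algorithms(config):
    """Weak tokens found on encryption/hash/group lines and transform sets."""
    found = set()
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("encryption", "hash", "group", "crypto ipsec transform-set")):
            found.update(t for t in WEAK_TOKENS if re.search(rf"\b{t}\b", line))
    return sorted(found)

def wildcard_psk(config):
    """True when one pre-shared key is accepted from any peer address."""
    return re.search(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", config) is not None

def audit():
    """Run all checks over the two embedded configs and return the findings."""
    asa_ipsec = asa_acl(ASA_CONFIG, "ipsec")
    ios_crypto = ios_acl(IOS_CONFIG, 110)
    return {
        "crypto_acls_mirrored": mirrored(asa_ipsec, ios_crypto),
        "asa_nat_exempt_matches_crypto": set(asa_ipsec) == set(asa_acl(ASA_CONFIG, "nonat")),
        "ios_nat_excludes_vpn": set(ios_crypto) <= set(ios_acl(IOS_CONFIG, 100, "deny")),
        "weak_algorithms": sorted(set(weak_algorithms(ASA_CONFIG)) | set(weak_algorithms(IOS_CONFIG))),
        "ios_wildcard_psk": wildcard_psk(IOS_CONFIG),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

For this document's configs all three structural checks pass, while the weak-algorithm and wildcard-PSK checks flag exactly the choices a defender would want to revisit before reusing the example in production.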

4. Troubleshooting

ASA# debug crypto isakmp 7

ASA# Mar 09 13:58:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.1.1.2 local Proxy Address 172.16.1.0, remote Proxy Address 172.16.2.0, Crypto map (map1)

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing ISAKMP SA payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing Fragmentation VID + extended capabilities payload

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 144

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing SA payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Oakley proposal is acceptable

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing ke payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing nonce payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing Cisco Unity VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing xauth V6 VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Send IOS VID

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, constructing VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing ke payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing ISA_KE payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing nonce payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Received Cisco Unity client VID

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Received DPD VID

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, processing VID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Received xauth V6 VID

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, Connection landed on tunnel_group 99.1.1.2

Mar 09 13:58:42 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Generating keys for Initiator...

Mar 09 13:58:42 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing ID payload

Mar 09 13:58:42 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing hash payload

Mar 09 13:58:42 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Computing hash for ISAKMP

Mar 09 13:58:42 [IKEv1 DEBUG]: IP = 99.1.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.

Mar 09 13:58:42 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing dpd vid payload

Mar 09 13:58:42 [IKEv1]: IP = 99.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92

Mar 09 13:58:43 [IKEv1]: IP = 99.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing ID payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing hash payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Computing hash for ISAKMP

Mar 09 13:58:43 [IKEv1]: IP = 99.1.1.2, Connection landed on tunnel_group 99.1.1.2

Mar 09 13:58:43 [IKEv1]: Group = 99.1.1.2, IP = 99.1.1.2, Freeing previously allocated memory for authorization-dn-attributes

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Oakley begin quick mode

Mar 09 13:58:43 [IKEv1]: Group = 99.1.1.2, IP = 99.1.1.2, PHASE 1 COMPLETED

Mar 09 13:58:43 [IKEv1]: IP = 99.1.1.2, Keep-alive type for this connection: DPD

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Starting P1 rekey timer: 82080 seconds.

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, IKE got SPI from key engine: SPI = 0x35e2d6b3

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, oakley constucting quick mode

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing blank hash payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing IPSec SA payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing IPSec nonce payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing proxy ID

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Transmitting Proxy Id: Local subnet: 172.16.1.0 mask 255.255.255.0 Protocol 0 Port 0

Remote subnet: 172.16.2.0 Mask 255.255.255.0 Protocol 0 Port 0

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, constructing qm hash payload

Mar 09 13:58:43 [IKEv1]: IP = 99.1.1.2, IKE_DECODE SENDING Message (msgid=3c988995) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192

Mar 09 13:58:43 [IKEv1]: IP = 99.1.1.2, IKE_DECODE RECEIVED Message (msgid=3c988995) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing hash payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing SA payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing nonce payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing ID payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing ID payload

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, processing notify payload

Mar 09 13:58:43 [IKEv1]: Group = 99.1.1.2, IP = 99.1.1.2, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, loading all IPSEC SAs

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Generating Quick Mode Key!

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Generating Quick Mode Key!

Mar 09 13:58:43 [IKEv1]: Group = 99.1.1.2, IP = 99.1.1.2, Security negotiation complete for LAN-to-LAN Group (99.1.1.2) Initiator, Inbound SPI = 0x35e2d6b3, Outbound SPI = 0x6530aa90

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, oakley constructing final quick mode

Mar 09 13:58:43 [IKEv1]: IP = 99.1.1.2, IKE_DECODE SENDING Message (msgid=3c988995) with payloads : HDR + HASH (8) + NONE (0) total length : 72

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, IKE got a KEY_ADD msg for SA: SPI = 0x6530aa90

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Pitcher: received KEY_UPDATE, spi 0x35e2d6b3

Mar 09 13:58:43 [IKEv1 DEBUG]: Group = 99.1.1.2, IP = 99.1.1.2, Starting P2 rekey timer: 3060 seconds.

Mar 09 13:58:43 [IKEv1]: Group = 99.1.1.2, IP = 99.1.1.2, PHASE 2 COMPLETED (msgid=3c988995)

ASA#


R1#debug crypto isakmp

Crypto ISAKMP debugging is on

R1#

*Mar 9 21:59:43.011: ISAKMP (0:0): received packet from 88.1.1.2 dport 500 sport 500 Global (N) NEW SA

*Mar 9 21:59:43.015: ISAKMP: Created a peer struct for 88.1.1.2, peer port 500

*Mar 9 21:59:43.015: ISAKMP: New peer created peer = 0x67DAF79C peer_handle = 0x80000003

*Mar 9 21:59:43.015: ISAKMP: Locking peer struct 0x67DAF79C, refcount 1 for crypto_isakmp_process_block

*Mar 9 21:59:43.015: ISAKMP: local port 500, remote port 500

*Mar 9 21:59:43.019: insert sa successfully sa = 67DA4F8C

*Mar 9 21:59:43.019: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 9 21:59:43.023: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 9 21:59:43.027: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 9 21:59:43.027: ISAKMP:(0): processing vendor id payload

*Mar 9 21:59:43.031: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

*Mar 9 21:59:43.031: ISAKMP:(0):found peer pre-shared key matching 88.1.1.2

*Mar 9 21:59:43.031: ISAKMP:(0): local preshared key found

*Mar 9 21:59:43.031: ISAKMP : Scanning profiles for xauth ...

*Mar 9 21:59:43.035: ISAKMP:(0):Checking ISAKMP transform 1 against priority 110 policy

*Mar 9 21:59:43.035: ISAKMP: default group 1

*Mar 9 21:59:43.035: ISAKMP: encryption DES-CBC

*Mar 9 21:59:43.035: ISAKMP: hash MD5

*Mar 9 21:59:43.035: ISAKMP: auth pre-share

*Mar 9 21:59:43.035: ISAKMP: life type in seconds

*Mar 9 21:59:43.039: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 9 21:59:43.039: ISAKMP:(0):atts are acceptable. Next payload is 3

*Mar 9 21:59:43.043: ISAKMP:(0): processing vendor id payload

*Mar 9 21:59:43.043: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

*Mar 9 21:59:43.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 9 21:59:43.047: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 9 21:59:43.051: ISAKMP:(0): sending packet to 88.1.1.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Mar 9 21:59:43.055: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 9 21:59:43.059: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 9 21:59:43.375: ISAKMP (0:0): received packet from 88.1.1.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Mar 9 21:59:43.379: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 9 21:59:43.383: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 9 21:59:43.387: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 9 21:59:43.483: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 9 21:59:43.499: ISAKMP:(0):found peer pre-shared key matching 88.1.1.2

*Mar 9 21:59:43.503: ISAKMP:(1002): processing vendor id payload

*Mar 9 21:59:43.503: ISAKMP:(1002): vendor ID is Unity

*Mar 9 21:59:43.507: ISAKMP:(1002): processing vendor id payload

*Mar 9 21:59:43.507: ISAKMP:(1002): vendor ID seems Unity/DPD but major 67 mismatch

*Mar 9 21:59:43.507: ISAKMP:(1002): vendor ID is XAUTH

*Mar 9 21:59:43.507: ISAKMP:(1002): processing vendor id payload

*Mar 9 21:59:43.511: ISAKMP:(1002): speaking to another IOS box!

*Mar 9 21:59:43.511: ISAKMP:(1002): processing vendor id payload

*Mar 9 21:59:43.511: ISAKMP:(1002):vendor ID seems Unity/DPD but hash mismatch

*Mar 9 21:59:43.515: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 9 21:59:43.515: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 9 21:59:43.523: ISAKMP:(1002): sending packet to 88.1.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 9 21:59:43.527: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 9 21:59:43.527: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 9 21:59:43.775: ISAKMP (0:1002): received packet from 88.1.1.2 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Mar 9 21:59:43.779: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 9 21:59:43.783: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 9 21:59:43.787: ISAKMP:(1002): processing ID payload. message ID = 0

*Mar 9 21:59:43.787: ISAKMP (0:1002): ID payload

next-payload : 8

type : 1

address : 88.1.1.2

protocol : 17

port : 500

length : 12

*Mar 9 21:59:43.791: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 9 21:59:43.791: ISAKMP:(1002): processing HASH payload. message ID = 0

*Mar 9 21:59:43.791: ISAKMP:received payload type 17

*Mar 9 21:59:43.795: ISAKMP:(1002): processing vendor id payload

*Mar 9 21:59:43.795: ISAKMP:(1002): vendor ID is DPD

*Mar 9 21:59:43.795: ISAKMP:(1002):SA authentication status: authenticated

*Mar 9 21:59:43.795: ISAKMP:(1002):SA has been authenticated with 88.1.1.2

*Mar 9 21:59:43.799: ISAKMP: Trying to insert a peer 99.1.1.2/88.1.1.2/500/, and inserted successfully 67DAF79C.

*Mar 9 21:59:43.799: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 9 21:59:43.803: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 9 21:59:43.807: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 9 21:59:43.811: ISAKMP (0:1002): ID payload

next-payload : 8

type : 1

address : 99.1.1.2

protocol : 17

port : 500

length : 12

*Mar 9 21:59:43.811: ISAKMP:(1002):Total payload length: 12

*Mar 9 21:59:43.815: ISAKMP:(1002): sending packet to 88.1.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 9 21:59:43.819: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 9 21:59:43.819: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Mar 9 21:59:43.823: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 9 21:59:43.827: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 9 21:59:43.979: ISAKMP (0:1002): received packet from 88.1.1.2 dport 500 sport 500 Global (R) QM_IDLE

*Mar 9 21:59:43.979: ISAKMP: set new node 1016629653 to QM_IDLE

*Mar 9 21:59:43.983: ISAKMP:(1002): processing HASH payload. message ID = 1016629653

*Mar 9 21:59:43.983: ISAKMP:(1002): processing SA payload. message ID = 1016629653

*Mar 9 21:59:43.987: ISAKMP:(1002):Checking IPSec proposal 1

*Mar 9 21:59:43.987: ISAKMP: transform 1, ESP_DES

*Mar 9 21:59:43.987: ISAKMP: attributes in transform:

*Mar 9 21:59:43.987: ISAKMP: SA life type in seconds

*Mar 9 21:59:43.987: ISAKMP: SA life duration (basic) of 28800

*Mar 9 21:59:43.987: ISAKMP: SA life type in kilobytes

*Mar 9 21:59:43.991: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 9 21:59:43.991: ISAKMP: encaps is 1 (Tunnel)

*Mar 9 21:59:43.991: ISAKMP: authenticator is HMAC-MD5

*Mar 9 21:59:43.995: ISAKMP:(1002):atts are acceptable.

*Mar 9 21:59:43.995: ISAKMP:(1002): processing NONCE payload. message ID = 1016629653

*Mar 9 21:59:43.999: ISAKMP:(1002): processing ID payload. message ID = 1016629653

*Mar 9 21:59:43.999: ISAKMP:(1002): processing ID payload. message ID = 1016629653

*Mar 9 21:59:43.999: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 1016629653, sa = 67DA4F8C

*Mar 9 21:59:43.999: ISAKMP:(1002):SA authentication status: authenticated

*Mar 9 21:59:44.003: ISAKMP:(1002): Process initial contact,

bring down existing phase 1 and 2 SA's with local 99.1.1.2 remote 88.1.1.2 remote port 500

*Mar 9 21:59:44.007: ISAKMP:(1002):QM Responder gets spi

*Mar 9 21:59:44.007: ISAKMP:(1002):Node 1016629653, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 9 21:59:44.007: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

*Mar 9 21:59:44.031: ISAKMP:(1002): Creating IPSec SAs

*Mar 9 21:59:44.031: inbound SA from 88.1.1.2 to 99.1.1.2 (f/i) 0/ 0 (proxy 172.16.1.0 to 172.16.2.0)

*Mar 9 21:59:44.031: has spi 0x6530AA90 and conn_id 0

*Mar 9 21:59:44.031: lifetime of 28800 seconds

*Mar 9 21:59:44.031: lifetime of 4608000 kilobytes

*Mar 9 21:59:44.035: outbound SA from 99.1.1.2 to 88.1.1.2 (f/i) 0/0 (proxy 172.16.2.0 to 172.16.1.0)

*Mar 9 21:59:44.035: has spi 0x35E2D6B3 and conn_id 0

*Mar 9 21:59:44.035: lifetime of 28800 seconds

*Mar 9 21:59:44.035: lifetime of 4608000 kilobytes

*Mar 9 21:59:44.039: ISAKMP:(1002): sending packet to 88.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE

*Mar 9 21:59:44.043: ISAKMP:(1002):Node 1016629653, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Mar 9 21:59:44.043: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2

*Mar 9 21:59:44.099: ISAKMP (0:1002): received packet from 88.1.1.2 dport 500 sport 500 Global (R) QM_IDLE

*Mar 9 21:59:44.103: ISAKMP:(1002):deleting node 1016629653 error FALSE reason "QM done (await)"

*Mar 9 21:59:44.107: ISAKMP:(1002):Node 1016629653, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 9 21:59:44.107: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE

ASA# debug crypto ipsec 7

ASA# IPSEC: New embryonic SA created @ 0x027BE338,

SCB: 0x027C0C10,

Direction: inbound

SPI : 0x5ED30013

Session ID: 0x00000003

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x027C0EC0,

SCB: 0x027BFA50,

Direction: outbound

SPI : 0xD362B315

Session ID: 0x00000003

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: Completed host OBSA update, SPI 0xD362B315

IPSEC: Creating outbound VPN context, SPI 0xD362B315

Flags: 0x00000005

SA : 0x027C0EC0

SPI : 0xD362B315

MTU : 1500 bytes

VCID : 0x00000000

Peer : 0x00000000

SCB : 0x027BFA50

Channel: 0x01766418

IPSEC: Completed outbound VPN context, SPI 0xD362B315

VPN handle: 0x00015954

IPSEC: New outbound encrypt rule, SPI 0xD362B315

Src addr: 172.16.1.0
