ZDNet (至顶网) Network Channel: Complete VPN Technology Collection, Volume 1, Chapter 3 (Site-to-Site IPsec VPN)

Description of IPsec VPN principles 1 Classification of IPsec VPNs: IPsec VPNs can be classified from several angles, but it is worthwhile to look at the two main VPN design problems that IPsec VPN attempts to solve. -- A seamless connection that combines two private networks into one virtual network. -- ...

Author: forum compilation   Source: zdnet网络安全 (ZDNet Network Security)   January 19, 2008

Keywords: security protection, firewall, VPN


4 show command output on the router acting as initiator of the IPsec negotiation

The command below shows the state of the crypto ISAKMP SA. It is shown here in QM_IDLE, meaning that quick mode has completed successfully and the phase 1 SA is ready to carry further quick-mode negotiations.

Initiator#show crypto isakmp sa
dst             src             state           conn-id    slot
172.16.172.20   172.16.172.10   QM_IDLE               1       0

The command below gives details on both the incoming and outgoing IPsec SAs. It gives information on the attributes negotiated during the exchange as well as statistics for how many packets have been exchanged via each of these SAs.

Initiator#show crypto ipsec sa
interface: Ethernet1/0
    Crypto map tag: vpn, local addr. 172.16.172.10
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer: 172.16.172.20
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
     local crypto endpt.: 172.16.172.10, remote crypto endpt.: 172.16.172.20
     path mtu 1500, media mtu 1500
     current outbound spi: EB84DC85
     inbound esp sas:
      spi: 0x8EAB0B22(2393574178)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2029, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4607998/3347)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEB84DC85(3951352965)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2030, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4607999/3347)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

The command below prints the configuration of the crypto map on the router: the peer, the crypto access list that selects traffic for protection, the SA lifetimes, the PFS setting and the transform sets offered.

Initiator#show crypto map
Crypto Map "vpn" 10 ipsec-isakmp
        Peer = 172.16.172.20
        Extended IP access list 101
            access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
        Current peer: 172.16.172.20
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }
        Interfaces using crypto map vpn:
                Ethernet1/0

5 debug output on the router acting as responder in the IPsec negotiation

Responder#show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on

1w1d: ISAKMP (0:0): received packet from 172.16.172.10 (N) NEW SA
1w1d: ISAKMP: local port 500, remote port 500
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY  New State = IKE_R_MM1
1w1d: ISAKMP (0:1): processing SA payload. message ID = 0
1w1d: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.10
1w1d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
1w1d: ISAKMP:      encryption 3DES-CBC
1w1d: ISAKMP:      hash SHA
1w1d: ISAKMP:      default group 1
1w1d: ISAKMP:      auth pre-share
1w1d: ISAKMP:      life type in seconds
1w1d: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
1w1d: ISAKMP (0:1): atts are acceptable. Next payload is 0
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM1  New State = IKE_R_MM1
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) MM_SA_SETUP
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM1  New State = IKE_R_MM2
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) MM_SA_SETUP
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM2  New State = IKE_R_MM3
1w1d: ISAKMP (0:1): processing KE payload. message ID = 0
1w1d: ISAKMP (0:1): processing NONCE payload. message ID = 0
1w1d: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.10
1w1d: ISAKMP (0:1): SKEYID state generated
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): vendor ID is Unity
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): vendor ID is DPD
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): speaking to another IOS box!
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM3  New State = IKE_R_MM3
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) MM_KEY_EXCH
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM3  New State = IKE_R_MM4
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) MM_KEY_EXCH
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM4  New State = IKE_R_MM5
1w1d: ISAKMP (0:1): processing ID payload. message ID = 0
1w1d: ISAKMP (0:1): processing HASH payload. message ID = 0
1w1d: ISAKMP (0:1): SA has been authenticated with 172.16.172.10
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM5  New State = IKE_R_MM5
1w1d: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1w1d: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
1w1d: ISAKMP (1): Total payload length: 12
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): processing HASH payload. message ID = 965273472
1w1d: ISAKMP (0:1): processing SA payload. message ID = 965273472
1w1d: ISAKMP (0:1): Checking IPsec proposal 1
1w1d: ISAKMP: transform 1, ESP_3DES
1w1d: ISAKMP:   attributes in transform:
1w1d: ISAKMP:      encaps is 1
1w1d: ISAKMP:      SA life type in seconds
1w1d: ISAKMP:      SA life duration (basic) of 3600
1w1d: ISAKMP:      SA life type in kilobytes
1w1d: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
1w1d: ISAKMP:      authenticator is HMAC-MD5
1w1d: ISAKMP (0:1): atts are acceptable.
1w1d: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.172.20, remote= 172.16.172.10,
    local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1w1d: ISAKMP (0:1): processing NONCE payload. message ID = 965273472
1w1d: ISAKMP (0:1): processing ID payload. message ID = 965273472
1w1d: ISAKMP (0:1): processing ID payload. message ID = 965273472
1w1d: ISAKMP (0:1): asking for 1 spis from ipsec
1w1d: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
1w1d: IPSEC(key_engine): got a queue event...
1w1d: IPSEC(spi_response): getting spi 3951352965 for SA
        from 172.16.172.20   to 172.16.172.10   for prot 3
1w1d: ISAKMP: received ke message (2/1)
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): Creating IPsec SAs
1w1d:         inbound SA from 172.16.172.10 to 172.16.172.20
        (proxy 10.1.1.0 to 10.1.2.0)
1w1d:         has spi 0xEB84DC85 and conn_id 2029 and flags 4
1w1d:         lifetime of 3600 seconds
1w1d:         lifetime of 4608000 kilobytes
1w1d:         outbound SA from 172.16.172.20   to 172.16.172.10
        (proxy 10.1.2.0 to 10.1.1.0)
1w1d:         has spi -1901393118 and conn_id 2030 and flags C
1w1d:         lifetime of 3600 seconds
1w1d:         lifetime of 4608000 kilobytes
1w1d: ISAKMP (0:1): deleting node 965273472 error FALSE reason "quick mode done (await()"
1w1d: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
1w1d: IPSEC(key_engine): got a queue event...
1w1d: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 172.16.172.20, remote= 172.16.172.10,
    local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xEB84DC85(3951352965), conn_id= 2029, keysize= 0, flags= 0x4
1w1d: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 172.16.172.20, remote= 172.16.172.10,
    local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x8EAB0B22(2393574178), conn_id= 2030, keysize= 0, flags= 0xC
1w1d: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.172.20, sa_prot= 50,
    sa_spi= 0xEB84DC85(3951352965),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2029
1w1d: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.172.10, sa_prot= 50,
    sa_spi= 0x8EAB0B22(2393574178),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2030
1w1d: ISAKMP (0:1): purging node 965273472
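Reading a trace like the one above by hand means following the Old State / New State lines to IKE_P1_COMPLETE and IKE_QM_PHASE2_COMPLETE, decoding the lifetimes that IOS prints as VPI byte strings, and noting which algorithms were actually accepted. The script below does that mechanically. It is an added example, not part of the original article and not a Cisco tool; it runs on a constructed excerpt of the responder trace above, and the helper names (decode_vpi, normalize_spi, negotiation_completed, review) are hypothetical.

```python
"""Parse a Cisco IOS 'debug crypto isakmp' trace: IKE state-machine path,
negotiated attributes and VPI-encoded lifetimes. Hypothetical helper code."""
import re

# Constructed excerpt of the responder trace above, trimmed to parsed lines.
DEBUG_TRACE = """\
Old State = IKE_READY  New State = IKE_R_MM1
1w1d: ISAKMP:      encryption 3DES-CBC
1w1d: ISAKMP:      hash SHA
1w1d: ISAKMP:      default group 1
1w1d: ISAKMP:      auth pre-share
1w1d: ISAKMP:      life type in seconds
1w1d: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Old State = IKE_R_MM1  New State = IKE_R_MM1
Old State = IKE_R_MM1  New State = IKE_R_MM2
Old State = IKE_R_MM2  New State = IKE_R_MM3
Old State = IKE_R_MM3  New State = IKE_R_MM4
Old State = IKE_R_MM4  New State = IKE_R_MM5
1w1d: ISAKMP (0:1): processing HASH payload. message ID = 0
Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
1w1d: ISAKMP: transform 1, ESP_3DES
1w1d: ISAKMP:      SA life duration (basic) of 3600
1w1d: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
1w1d: ISAKMP:      authenticator is HMAC-MD5
Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
1w1d:         has spi 0xEB84DC85 and conn_id 2029 and flags 4
1w1d:         has spi -1901393118 and conn_id 2030 and flags C
Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
VPI_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)")
P1_ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+|-?\d+)")

def decode_vpi(byte_text):
    """VPI lifetimes are big-endian hex bytes: '0x0 0x1 0x51 0x80' is 0x00015180 = 86400."""
    return int.from_bytes(bytes(int(tok, 16) for tok in byte_text.split()), "big")

def normalize_spi(token):
    """The trace prints SPIs as hex or as a signed 32-bit int; show commands use hex."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    return f"0x{value & 0xFFFFFFFF:08X}"

def state_transitions(trace):
    return [(m.group(1), m.group(2)) for m in STATE_RE.finditer(trace)]

def chain_is_contiguous(transitions):
    """Every transition must start where the previous one ended."""
    return all(nxt[0] == cur[1] for cur, nxt in zip(transitions, transitions[1:]))

def negotiation_completed(trace):
    """True when the main-mode (phase 1) and quick-mode (phase 2) chains are
    both unbroken and end in their respective COMPLETE states."""
    trans = state_transitions(trace)
    phase1 = [t for t in trans if not t[0].startswith("IKE_QM")]
    phase2 = [t for t in trans if t[0].startswith("IKE_QM")]
    return bool(
        phase1 and chain_is_contiguous(phase1) and phase1[-1][1] == "IKE_P1_COMPLETE"
        and phase2 and chain_is_contiguous(phase2) and phase2[-1][1] == "IKE_QM_PHASE2_COMPLETE"
    )

def negotiated_attributes(trace):
    """Phase 1 policy attributes, ESP transform, decoded lifetimes and SPIs."""
    attrs = {m.group(1): m.group(2) for m in P1_ATTR_RE.finditer(trace)}
    m = re.search(r"transform \d+, (\S+)", trace)
    attrs["esp_cipher"] = m.group(1) if m else None
    m = re.search(r"authenticator is (\S+)", trace)
    attrs["esp_auth"] = m.group(1) if m else None
    attrs["vpi_lifetimes"] = [decode_vpi(m.group(1)) for m in VPI_RE.finditer(trace)]
    attrs["spis_hex"] = [normalize_spi(m.group(1)) for m in SPI_RE.finditer(trace)]
    return attrs

def review(attrs):
    """Defender's review: flag legacy choices a current policy should replace."""
    findings = []
    if attrs.get("default group") == "1":
        findings.append("DH group 1 (768-bit MODP) is far too small; use group 14 or larger")
    if "3DES" in (attrs.get("encryption") or ""):
        findings.append("3DES is a legacy 64-bit-block cipher; prefer AES")
    if "MD5" in (attrs.get("esp_auth") or ""):
        findings.append("HMAC-MD5 for ESP integrity is deprecated; prefer HMAC-SHA-256 or an AEAD")
    if attrs.get("auth") == "pre-share":
        findings.append("pre-shared-key authentication: the key must be long, random and unique per peer")
    return findings

if __name__ == "__main__":
    attrs = negotiated_attributes(DEBUG_TRACE)
    print("negotiation completed:", negotiation_completed(DEBUG_TRACE))
    print("attributes:", attrs)
    for finding in review(attrs):
        print("-", finding)
```

Two values worth checking against the trace: the phase 1 lifetime bytes 0x0 0x1 0x51 0x80 decode to 86400 seconds (24 hours), and the phase 2 bytes 0x0 0x46 0x50 0x0 decode to 4608000 kilobytes, which is exactly the "4608000 kilobytes/3600 seconds" shown by show crypto map. The SPI printed as -1901393118 is the same 32-bit value that show crypto ipsec sa prints as 0x8EAB0B22; reading it as signed is a display quirk, not a different SA.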

 

6 show command output on the router acting as responder in the IPsec negotiation

Responder#show cry isa sa
dst             src             state           conn-id    slot
172.16.172.10   172.16.172.20   QM_IDLE               1       0

Responder#show crypto ipsec sa
interface: Ethernet1/0
    Crypto map tag: vpn, local addr. 172.16.172.20
   local  ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 172.16.172.10
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.16.172.20, remote crypto endpt.: 172.16.172.10
     path mtu 1500, media mtu 1500
     current outbound spi: 8EAB0B22
     inbound esp sas:
      spi: 0xEB84DC85(3951352965)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2029, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4607998/3326)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8EAB0B22(2393574178)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2030, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4607999/3326)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

 

Responder#show cry map
Crypto Map "vpn" 10 ipsec-isakmp
        Peer = 172.16.172.10
        Extended IP access list 101
            access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
        Current peer: 172.16.172.10
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }
        Interfaces using crypto map vpn:
                Ethernet1/0
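Sections 4 and 6 give the same tunnel seen from both ends, and the consistency checks an operator performs by eye (the initiator's outbound SPI EB84DC85 is the responder's inbound SPI, packets encapsulated on one side equal packets decapsulated on the other, the crypto map's peer is the active SA peer) can be scripted. The following is an added example, not part of the original article and not Cisco tooling; its inputs are constructed from the values in the two show crypto ipsec sa listings and the initiator's crypto map, and the helper names (parse_ipsec_sa, parse_crypto_map, cross_check, review_posture) are hypothetical.

```python
"""Cross-check 'show crypto ipsec sa' from both IPsec peers and review the
crypto map posture. Hypothetical helper code, not Cisco tooling."""
import re

# Constructed excerpts of the initiator/responder output above (parsed lines only).
INITIATOR_SA = """\
    Crypto map tag: vpn, local addr. 172.16.172.10
   current_peer: 172.16.172.20
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 6, #recv errors 0
     inbound esp sas:
      spi: 0x8EAB0B22(2393574178)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
     outbound esp sas:
      spi: 0xEB84DC85(3951352965)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
"""
RESPONDER_SA = """\
    Crypto map tag: vpn, local addr. 172.16.172.20
   current_peer: 172.16.172.10
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xEB84DC85(3951352965)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
     outbound esp sas:
      spi: 0x8EAB0B22(2393574178)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
"""
INITIATOR_MAP = """\
Crypto Map "vpn" 10 ipsec-isakmp
        Peer = 172.16.172.20
        PFS (Y/N): N
"""

def _field(pattern, text, cast=str):
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else None

def _esp_section(text, direction):
    """Text of one 'inbound/outbound esp sas:' block, up to the next 'sas:' header."""
    rest = text.split(f"{direction} esp sas:", 1)[1]
    nxt = re.search(r"\n\s*(?:inbound|outbound) (?:esp|ah|pcp) sas:", rest)
    return rest[:nxt.start()] if nxt else rest

def parse_ipsec_sa(text):
    sa = {
        "local": _field(r"local addr\. (\S+)", text),
        "peer": _field(r"current_peer: (\S+)", text),
        "encaps": _field(r"#pkts encaps: (\d+)", text, int),
        "decaps": _field(r"#pkts decaps: (\d+)", text, int),
        "send_errors": _field(r"#send errors (\d+)", text, int),
    }
    for direction in ("inbound", "outbound"):
        sec = _esp_section(text, direction)
        sa[direction] = {
            "spi": _field(r"spi: 0x([0-9A-Fa-f]+)", sec).upper(),
            "transform": _field(r"transform: (.+?) ,", sec),
            "replay": _field(r"replay detection support: (\w)", sec),
        }
    return sa

def parse_crypto_map(text):
    return {"peer": _field(r"Peer = (\S+)", text), "pfs": _field(r"PFS \(Y/N\): (\w)", text)}

def cross_check(a, b):
    """Findings that mean the two outputs do not describe one healthy tunnel."""
    findings = []
    if a["outbound"]["spi"] != b["inbound"]["spi"] or b["outbound"]["spi"] != a["inbound"]["spi"]:
        findings.append("SPI mismatch: each side's outbound SPI must be the other side's inbound SPI")
    if a["encaps"] != b["decaps"] or b["encaps"] != a["decaps"]:
        findings.append("packet counters disagree: encaps on one side should equal decaps on the other")
    for side in (a, b):
        if side["send_errors"]:
            findings.append(f"{side['local']}: {side['send_errors']} send errors; often packets dropped "
                            "while the SA was still being negotiated, but investigate if the count keeps rising")
    return findings

def review_posture(sa, cmap):
    """Defender's review of what was negotiated: legacy algorithms, PFS off, anti-replay off."""
    findings = []
    if "3des" in sa["outbound"]["transform"]:
        findings.append("esp-3des: legacy 64-bit-block cipher; prefer an AES transform")
    if "md5" in sa["outbound"]["transform"]:
        findings.append("esp-md5-hmac: deprecated integrity algorithm; prefer SHA-2 or an AEAD")
    if cmap["pfs"] != "Y":
        findings.append("PFS disabled: IPsec keys derive from phase 1 material, so an IKE SA compromise exposes ESP traffic")
    if cmap["peer"] != sa["peer"]:
        findings.append("crypto map peer differs from the active SA peer")
    if any(sa[d]["replay"] != "Y" for d in ("inbound", "outbound")):
        findings.append("anti-replay disabled on at least one ESP SA")
    return findings

if __name__ == "__main__":
    init, resp = parse_ipsec_sa(INITIATOR_SA), parse_ipsec_sa(RESPONDER_SA)
    for line in cross_check(init, resp) + review_posture(init, parse_crypto_map(INITIATOR_MAP)):
        print("-", line)
```

On the page's values the only cross-check finding is the initiator's 6 send errors; SPIs and counters line up. The posture review flags the three things worth changing in this 2008-era configuration: 3DES, HMAC-MD5 and PFS disabled.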
