Configuration - IPSEC dynamique Routeur LAN à LAN et client VPN

Slides:



Advertisements
Présentations similaires
From Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide by Diane Teare, Bob Vachon and Rick Graziani ( ) Copyright © 2015 Cisco Systems,
Advertisements

Effacer la Configuration LWAPP sur un LAP
Sécurité - Configuration de Secure Shell sur les Commutateurs et les Routeurs avec l'IOS Cisco ccnp_cch.
Sécurité - ASA/PIX 7.x - Adresse IP statique pour Client VPN IPSec avec configuration CLI et ASDM ccnp_cch.
Remote Desktop Protocol l'Appliance de Sécurité
Sécurité - Configuration d'un
QoS - Propagation de la Politique de QoS via BGP
Configurer NAT et PAT statique pour support d'un serveur Web interne
Examen Final Sécurité - TRCT Cfi_CCH.
(Certificate Revocation List)
Commande ip nat service
Sécurité - Configuration du PIX
Sécurité - Configuration NTP sur le PIX avec ou sans Tunnel IPSec
Sécurité - ASA7.x/PIX 6.x et plus
Sécurité - Configuration d'un
Tunnel pour paquets IP Multicast
Configuration Routeur SOHO77
Configuration d'un accès
BGP - Configuration iBGP et eBGP avec ou sans adresse de Loopback
Configuration BGP de base
Configuration de base de AAA sur un Server d'accès
Comprendre la politique
Sécurité - Configuration de
Configuration Routeur à Routeur avec PAT & Client VPN Cisco
Configuration Routeur SOHO77
OSPF - Configuration initiale sur Liaisons Non-Broadcast
Configuration Tunnel VPN
show ip nat translations
Client VPN pour VPN public Internet
Configuration Routeur SOHO77
Sous-résaux LAN dupliqués
Hot Standby Router Protocol standby preempt et standby track
Configuration Routeur Cisco comme Serveur VPN distant avec SDM
NAT - Supervision et Maintenance
TP Sécurité Packet Tracer - Configuration d'un VPN d'accès distant et
Sécurité - Configuration de
Sécurité - Configuration de
Intégration de NAT avec les VPNs MPLS
Sécurité - Configuration de l'autorisation d'Applets Java
Configuration - IPSEC sur ADSL sur Cisco 2600/3600 avec Carte ADSL-WIC
passant par le Tunnel IPSec
Configuration NAT Utilisation de la commande outside source list
Support de NAT pour IPSec ESP Phase II
QoS - Configuration RSVP
Sécurité - Configuration de
Sécurité - Configuration de -
QoS - Appliquer la QoS à des Sous-interfaces
Configuration Routeur SOHO77
Pile IGMPv3 de Host.
Configuration IPSec LAN Privé à LAN Privé et NAT statique
Changer les critères de nommage
RIP - Configuration des Extensions.
Comment fonctionne RADIUS?
trois réseaux internes
interfaces de couche 3 Commutateur Catalyst 4006
Configuration IPSec LAN-LAN entre PIX et Routeur avec Certificats
Sécurité - Configuration d'un
Configuration Routeur SOHO77 AAL5MUX Routage IP, Multi PVCs
Configuration d'un accès
Authentification Radius
OSPF - Routage Inter-Area
Configuration DDR Standard Sites multiples aves RNIS
entre trois routeurs utilisant des
- Configuration de Microsoft NetMeeting avec les passerelles IOS Cisco
IOS Firewall - Blocage d'applets Java
Configuration DDR RNIS avec encapsulations dynamiques multiples
Configuration IPSec Routeur vers PIX avec access-list et nat 0
Configuration Routeur SOHO77
Sécurité - Configuration de Auth-Proxy Inbound - Client VPN IPSec
EtherChannel et 802.1Q Trunking sur Catalyst 2950
Transcription de la présentation:

Configuration - IPSEC dynamique Routeur LAN à LAN et client VPN ccnp_cch

Sommaire - Composants utilisés • Configuration • Vérification • Introduction - Composants utilisés • Configuration - Schéma du réseau - Configurations - Client VPN • Vérification ccnp_cch

Introduction Cette configuration montre une configuration LAN à LAN entre deux routeurs dans un environnement "hub and spoke" avec un routeur, celui de l'extrémité distante (spoke) recevant son adresse IP via un serveur DHCP (Dynamic Host Configuration Protocol). Se connectant au même routeur central des clients VPN utilisent Xauth (eXtended Authentication). Jusqu'à présent, cela était impossible avec l'utilisation de clés pré-par- tagées génériques sur le routeur central car vous pouvez configurer ce routeur pour Xauth pour les clients VPN ce qui aurait fermé la connexion LAN à LAN. L'introduction de profils IPSec dans l'IOS Cisco release 12.2(15)T rend cette configura- tion possible car vous pouvez faire une correspondance sur d'autres propriétés de con- nexion (groupe VPN Client, adresse IP de l'extrémité, FQDN (Fully Qualified Domain Name)), etc..) au lieu de l'adresse IP de l'extrémité seule. La configuration du routeur d'extrémité montrée ci-dessous peut être répliquée sur tous les autres routeurs d'extrémité se connectant au même routeur central. La seule différence est la liste d'accès qui référence le trafic devant être crypté. Composants utilisés Les profils ont été introduits dans l'IOS Cisco Release 12.2(15)T mais à cause du bug Cisco CSCea77140 vous devez opérer avec l'IOS Cisco Release 12.3(2)T pour que cette configuration fonctionne correctement. Les configurations suivantes ont été testées en utilisant les les versions logicielles et matérielles suivantes : ● Cisco IOS Release 12.3(3) sur le routeur central ● Cisco IOS Release 12.2(17a) sur le routeur distant ● Cisco Client VPN 4.0(1) Configuration Dans cette section sont présentées les informations nécessaires pour configurer les fonctionnalités décrites dans ce document. Schéma du réseau 10.1.1.0/24 10.2.2.0/24 Adresse IP négociée 10.66.79.103 Internet Hub Spoke Client VPN ccnp_cch

Configurations ccnp_cch Routeur Hub version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password−encryption ! hostname Hub no logging on username gfullage password 7 0201024E070A0E2649 aaa new−model aaa authentication login clientauth local aaa authorization network groupauthor local aaa session−id common ip subnet−zero no ip domain lookup !−−− Keyring définit la clé pré−partagée générique. crypto keyring spokes pre−shared−key address 0.0.0.0 0.0.0.0 key cisco123 crypto isakmp policy 10 encryption 3des authentication pre−share group 2 !−−− Configuration VPN Client pour le groupe "testgroup" !−−− (ce nom est configuré dans le Client VPN). crypto isakmp client configuration group testgroup key cisco321 dns 1.1.1.1 2.2.2.2 wins 3.3.3.3 4.4.4.4 domain cisco.com pool ippool ccnp_cch

ccnp_cch !−−− Profil pour une connexion LAN−à−LAN, référençant la clé !−−− pre−partagée générique et une identité générique sans XAuth crypto isakmp profile L2L description LAN−to−LAN for spoke router(s) connection keyring spokes match identity address 0.0.0.0 !−−− Profil pour des connexions Client VPN, correspondant au !−−− groupe "testgroup" et définissant les propriétés XAuth. crypto isakmp profile VPNclient description VPN clients profile match identity group testgroup client authentication list clientauth isakmp authorization list groupauthor client configuration address respond ! crypto ipsec transform−set myset esp−3des esp−sha−hmac !−−− Deux instances de la crypto map dynamique !−−− référence les deux profils IPSec ci-dessus. crypto dynamic−map dynmap 5 set transform−set myset set isakmp−profile VPNclient crypto dynamic−map dynmap 10 set isakmp−profile L2L !−−− La crypto−map fait référence aux deux !−−− instances de la crypto map dynamique ci-dessus. crypto map mymap 10 ipsec−isakmp dynamic dynmap interface FastEthernet0/0 description Outside interface ip address 10.66.79.103 255.255.255.224 no ip mroute−cache duplex auto speed auto crypto map mymap ccnp_cch

ccnp_cch ! interface FastEthernet0/1 description Inside interface ip address 10.1.1.1 255.255.255.0 duplex auto speed auto no keepalive ip local pool ippool 10.5.5.1 10.5.5.254 no ip http server no ip http secure−server ip classless ip route 0.0.0.0 0.0.0.0 10.66.79.97 ip route 10.2.2.0 255.255.255.0 10.66.79.107 call rsvp−sync dial−peer cor custom line con 0 exec−timeout 0 0 escape−character 27 line aux 0 line vty 0 4 password 7 121A0C041104 end ccnp_cch

ccnp_cch Routeur Spoke version 12.2 service timestamps debug datetime msec service timestamps log datetime msec no service password−encryption ! hostname Spoke no logging on ip subnet−zero no ip domain lookup ip cef crypto isakmp policy 10 encryption 3des authentication pre−share group 2 crypto isakmp key cisco123 address 10.66.79.103 crypto ipsec transform−set myset esp−3des esp−sha−hmac !−−− Crypto map standard sur le routeur Spoke !−−− référençant l'adresse IP connue du routeur Hub. crypto map mymap 10 ipsec−isakmp set peer 10.66.79.103 set transform−set myset match address 100 controller ISA 5/1 interface FastEthernet0/0 description Outside interface !−−− Dans la réalité on utiliserait !−−− "ip address dhcp" ou "ip address negotiated". ip address 10.66.79.107 255.255.255.224 duplex auto speed auto crypto map mymap ccnp_cch

ccnp_cch interface FastEthernet0/1 description Inside interface ip address 10.2.2.2 255.255.255.0 duplex auto speed auto no keepalive ! interface ATM1/0 no ip address shutdown no atm ilmi−keepalive ip classless ip route 0.0.0.0 0.0.0.0 10.66.79.103 no ip http server no ip http secure−server !−−− Liste d'access standard référençant le trafic devant être !−−− crypté, c'est la seule chose qui a besoin d'être changée !−−− entre les différents routeurs d'extrémité. access−list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 call rsvp−sync mgcp profile default line con 0 exec−timeout 0 0 line aux 0 line vty 0 4 password cisco login end ccnp_cch

Client VPN Vérification ccnp_cch Créez une nouvelle connexion en donnant l'adresse IP du routeur Central. le nom du groupe de cet exemple est "testgroup" et le mot de passe est "cisco321" comme cela peut être vu dans la configuration du routeur central. Vérification Cette section fournit des informations que vous pouvez utiliser pour confirmer que vo- tre configuration fonctionne correctement. Les commandes debug exécutées sur le routeur central peuvent confirmer que les pa- ramètres corrects correspondent pour le routeur d'extrémité et les clients VPN. ● debug crypto isakmp − Affiche les messages au sujet des événements IKE (Internet Key Exchange). ● debug crypto ipsec − Affiche les évènements IPSec. ccnp_cch

Voici la sortie sur le routeur d'extrémité pour la connexion: ISAKMP (0:0): received packet from 10.66.79.107 dport 500 sport 500 Global (N) NEW SA ISAKMP: local port 500, remote port 500 ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63E4C3A0 ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH ISAKMP (0:2): Old State = IKE_READY New State = IKE_R_MM1 ISAKMP (0:2): processing SA payload. message ID = 0 ISAKMP (0:2): processing vendor id payload ISAKMP (0:2): vendor ID seems Unity/DPD but major 157 mismatch ISAKMP (0:2): vendor ID is NAT−T v3 ISAKMP (0:2): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP (0:2): vendor ID is NAT−T v2 ISAKMP: Looking for a matching key for 10.66.79.107 in default ISAKMP: Looking for a matching key for 10.66.79.107 in spokes : success ISAKMP (0:2): found peer pre−shared key matching 10.66.79.107 ISAKMP (0:2) local preshared key found ISAKMP : Scanning profiles for xauth ... L2L VPNclient ISAKMP (0:2) Authentication by xauth preshared ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy ISAKMP: encryption 3DES−CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth pre−share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP (0:2): atts are acceptable. Next payload is 0 ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM1 ISAKMP (0:2): constructed NAT−T vendor−03 ID ISAKMP (0:2): sending packet to 10.66.79.107 my_port 500 peer_port 500 (R) MM_SA_SETUP ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2 ISAKMP (0:2): received packet from 10.66.79.107 dport 500 sport 500 Global (R) MM_SA_SETUP ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3 ISAKMP (0:2): processing KE payload. message ID = 0 ISAKMP (0:2): processing NONCE payload. message ID = 0 ccnp_cch

ccnp_cch ISAKMP (0:2): SKEYID state generated ISAKMP (0:2): processing vendor id payload ISAKMP (0:2): vendor ID is Unity ISAKMP (0:2): vendor ID is DPD ISAKMP (0:2): speaking to another IOS box! ISAKMP:received payload type 17 ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM3 ISAKMP (0:2): sending packet to 10.66.79.107 my_port 500 peer_port 500 (R) MM_KEY_EXCH ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4 ISAKMP (0:2): received packet from 10.66.79.107 dport 500 sport 500 Global (R) MM_KEY_EXCH ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH ISAKMP (0:2): Old State = IKE_R_MM4 New State = IKE_R_MM5 ISAKMP (0:2): processing ID payload. message ID = 0 ISAKMP (0:2): peer matches L2L profile ISAKMP: Looking for a matching key for 10.66.79.107 in default ISAKMP: Looking for a matching key for 10.66.79.107 in spokes : success ISAKMP (0:2): Found ADDRESS key in keyring spokes ISAKMP (0:2): processing HASH payload. message ID = 0 ISAKMP (0:2): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 63E4C3A0 ISAKMP (0:2): Process initial contact, bring down existing phase 1 and 2 SA's with local 10.66.79.103 remote 10.66.79.107 remote port 500 ISAKMP (0:2): SA has been authenticated with 10.66.79.107 ISAKMP (0:2): Old State = IKE_R_MM5 New State = IKE_R_MM5 IPSEC(key_engine): got a queue event... ISAKMP (0:2): SA is doing pre−shared key authentication using id type ID_IPV4_ADDR ISAKMP (2): ID payload next−payload : 8 type : 1 addr : 10.66.79.103 protocol : 17 port : 500 length : 8 ISAKMP (2): Total payload length: 12 ISAKMP (0:2): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE ISAKMP (0:2): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Global (R) QM_IDLE ISAKMP: set new node −1681791150 to QM_IDLE ISAKMP (0:2): processing HASH payload. message ID = −1681791150 ISAKMP (0:2): processing SA payload. message ID = −1681791150 ISAKMP (0:2): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ccnp_cch

ccnp_cch ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: authenticator is HMAC−SHA ISAKMP (0:2): atts are acceptable. IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.66.79.103, remote= 10.66.79.107, local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= esp−3des esp−sha−hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = ISAKMP (0:2): processing NONCE payload. message ID = −1681791150 ISAKMP (0:2): processing ID payload. message ID = −1681791150 ISAKMP (0:2): asking for 1 spis from ipsec ISAKMP (0:2): Node −1681791150, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH ISAKMP (0:2): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE IPSEC(key_engine): got a queue event... IPSEC(spi_response): getting spi 4160053073 for SA from 10.66.79.103 to 10.66.79.107 for prot 3 ISAKMP: received ke message (2/1) ISAKMP (0:2): sending packet to 10.66.79.107 my_port 500 peer_port 500 (R) QM_IDLE ISAKMP (0:2): Node −1681791150, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY ISAKMP (0:2): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 ISAKMP (0:2): received packet from 10.66.79.107 dport 500 sport 500 Global ISAKMP (0:2): Creating IPSec Sas inbound SA from 10.66.79.107 to 10.66.79.103 (f/i) 0/ 0 (proxy 10.2.0.0 to 10.1.0.0) has spi 0xF7F55F51 and conn_id 5123 and flags 2 lifetime of 3600 seconds lifetime of 4608000 kilobytes has client flags 0x0 outbound SA from 10.66.79.103 to 10.66.79.107 (f/i) 0/ 0 (proxy 10.1.0.0 to 10.2.0.0 ) has spi 1536928214 and conn_id 5124 and flags A ISAKMP (0:2): deleting node −1681791150 error FALSE reason "quick mode done (await)" ISAKMP (0:2): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE IPSEC(initialize_sas): , lifedur= 3600s and 4608000kb, spi= 0xF7F55F51(4160053073), conn_id= 5123, keysize= 0, flags= 0x2 ccnp_cch

IPSEC(initialize_sas): , (key eng. msg.) OUTBOUND local= 10.66.79.103, remote= 10.66.79.107, local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= esp−3des esp−sha−hmac , lifedur= 3600s and 4608000kb, spi= 0x5B9BA9D6(1536928214), conn_id= 5124, keysize= 0, flags= 0xA IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = IPSEC(add mtree): src 10.1.0.0, dest 10.2.0.0, dest_port 0 IPSEC(create_sa): sa created, (sa) sa_dest= 10.66.79.103, sa_prot= 50, sa_spi= 0xF7F55F51(4160053073), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5123 IPSEC(create_sa): sa created, (sa) sa_dest= 10.66.79.107, sa_prot= 50, sa_spi= 0x5B9BA9D6(1536928214), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5124 Voici la sortie pour la connexion du Client VPN ISAKMP (0:0): received packet from 64.104.225.231 dport 500 sport 500 Global (N) NEW SA ISAKMP: local port 500, remote port 500 ISAKMP: insert sa successfully sa = 63E9C5DC ISAKMP (0:3): processing SA payload. message ID = 0 ISAKMP (0:3): processing ID payload. message ID = 0 ISAKMP (0:3): peer matches VPNclient profile ISAKMP: Looking for a matching key for 64.104.225.231 in default ISAKMP: Looking for a matching key for 64.104.225.231 in spokes : success ISAKMP: Created a peer struct for 64.104.225.231, peer port 500 ISAKMP: Locking peer struct 0x63E4BFD4, IKE refcount 1 for crypto_ikmp_config_initialize_sa ISAKMP (0:3): Setting client config settings 63C9BBB0 ISAKMP (0:3): (Re)Setting client xauth list and state ISAKMP (0:3): processing vendor id payload ISAKMP (0:3): vendor ID seems Unity/DPD but major 215 mismatch ISAKMP (0:3): vendor ID is XAUTH ISAKMP (0:3): vendor ID is DPD ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP (0:3): vendor ID is NAT−T v2 ISAKMP (0:3): vendor ID seems Unity/DPD but major 194 mismatch ISAKMP (0:3): vendor ID is Unity ISAKMP (0:3) Authentication by xauth preshared ISAKMP (0:3): Checking ISAKMP transform 9 against priority 10 policy ISAKMP: encryption 3DES−CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:3): atts are acceptable. Next payload is 3 ccnp_cch

ccnp_cch ISAKMP (0:3): processing KE payload. message ID = 0 ISAKMP (0:3): processing NONCE payload. message ID = 0 ISAKMP (0:3): vendor ID is NAT−T v2 ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH ISAKMP (0:3): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT ISAKMP (0:3): received packet from 64.104.225.231 dport 500 sport 500 Global (R) AG_NO_STATE ISAKMP (0:3): phase 1 packet is a duplicate of a previous packet. ISAKMP (0:3): retransmission skipped (awaiting response from other process) ISAKMP: got callback 1 ISAKMP (0:3): SKEYID state generated ISAKMP (0:3): constructed NAT−T vendor−02 ID ISAKMP (0:3): SA is doing pre−shared key authentication plus XAUTH using id type ID_IPV4_ADDR ISAKMP (3): ID payload next−payload : 10 type : 1 addr : 10.66.79.103 protocol : 17 port : 0 length : 8 ISAKMP (3): Total payload length: 12 ISAKMP (0:3): sending packet to 64.104.225.231 my_port 500 peer_port 500 (R) AG_INIT_EXCH ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY ISAKMP (0:3): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2 Global (R) AG_INIT_EXCH ISAKMP (0:3): processing HASH payload. message ID = 0 ISAKMP (0:3): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 63E9C5DC ISAKMP (0:3): Process initial contact, bring down existing phase 1 and 2 SA's with local 10.66.79.103 remote 64.104.225.231 remote port 500 ISAKMP (0:3): returning IP addr to the address pool IPSEC(key_engine): got a queue event... ISAKMP:received payload type 17 ISAKMP (0:3): SA has been authenticated with 64.104.225.231 ISAKMP: Trying to insert a peer 10.66.79.103/64.104.225.231/500/, and inserted successfully. ISAKMP: set new node −904541450 to CONF_XAUTH (R) QM_IDLE ISAKMP (0:3): purging node −904541450 ISAKMP: Sending phase 1 responder lifetime 86400 ISAKMP (0:3): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE ISAKMP (0:3): Need XAUTH ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT ISAKMP: set new node 2075223653 to CONF_XAUTH ccnp_cch

ccnp_cch !−−− XAuth débute. ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2 ISAKMP (0:3): initiating peer config to 64.104.225.231. ID = 2075223653 ISAKMP (0:3): sending packet to 64.104.225.231 my_port 500 peer_port 500 (R) CONF_XAUTH ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN ISAKMP (0:3): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT !−−− nom d'utilisateur et mot de passe reçus du Client VPN. ISAKMP (0:3): received packet from 64.104.225.231 dport 500 sport 500 Global (R) CONF_XAUTH ISAKMP (0:3): processing transaction payload from 64.104.225.231. message ID = 2075223653 ISAKMP: Config payload REPLY ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2 ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2 ISAKMP (0:3): deleting node 2075223653 error FALSE reason "done with xauth request/reply exchange" ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY ISAKMP (0:3): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT ISAKMP: got callback 1 ISAKMP: set new node 643611142 to CONF_XAUTH ISAKMP (0:3): initiating peer config to 64.104.225.231. ID = 643611142 ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN ISAKMP (0:3): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT message ID = 643611142 !−−− Succès. ISAKMP: Config payload ACK ISAKMP (0:3): XAUTH ACK Processed ISAKMP (0:3): deleting node 643611142 error FALSE reason "done with transaction" ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK ISAKMP (0:3): Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE Global (R) QM_IDLE ISAKMP: set new node 1022753295 to QM_IDLE message ID = 1022753295 ISAKMP: Config payload REQUEST ccnp_cch

ccnp_cch ISAKMP (0:3): checking request: ISAKMP: IP4_ADDRESS ISAKMP: IP4_NETMASK ISAKMP: IP4_DNS ISAKMP: IP4_NBNS ISAKMP: ADDRESS_EXPIRY ISAKMP: UNKNOWN Unknown Attr: 0x7000 ISAKMP: UNKNOWN Unknown Attr: 0x7001 ISAKMP: DEFAULT_DOMAIN ISAKMP: SPLIT_INCLUDE ISAKMP: UNKNOWN Unknown Attr: 0x7003 ISAKMP: UNKNOWN Unknown Attr: 0x7007 ISAKMP: UNKNOWN Unknown Attr: 0x7009 ISAKMP: APPLICATION_VERSION ISAKMP: UNKNOWN Unknown Attr: 0x7008 ISAKMP: UNKNOWN Unknown Attr: 0x700A ISAKMP: UNKNOWN Unknown Attr: 0x7005 ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE ISAKMP (0:3): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_CONFIG_AUTHOR_AAA_AWAIT ISAKMP: got callback 1 ISAKMP (0:3): attributes sent in message: Address: 0.2.0.0 ISAKMP (0:3): allocating address 10.5.5.1 ISAKMP: Sending private address: 10.5.5.1 ISAKMP: Sending IP4_DNS server address: 1.1.1.1 ISAKMP: Sending IP4_DNS server address: 2.2.2.2 ISAKMP: Sending IP4_NBNS server address: 3.3.3.3 ISAKMP: Sending IP4_NBNS server address: 4.4.4.4 ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86389 ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7000) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7001) ISAKMP: Sending DEFAULT_DOMAIN default domain name: cisco.com ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7003) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7007) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7009) ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3660−IK9S−M), Version 12.3(1.7), MAINTENANCE INTERIM SOFTWARE Copyright (c) 1986−2003 by cisco Systems, Inc. Compiled Mon 26−May−03 11:58 by dchih ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7008) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x700A) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7005) ISAKMP (0:3): responding to peer config from 64.104.225.231. ID = 1022753295 ISAKMP (0:3): sending packet to 64.104.225.231 my_port 500 peer_port 500 (R) CONF_ADDR ISAKMP (0:3): deleting node 1022753295 error FALSE reason "" ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR New State = IKE_P1_COMPLETE ISAKMP (0:3): received packet from 64.104.225.231 dport 500 sport 500 Global (R) QM_IDLE ccnp_cch

ccnp_cch ISAKMP: set new node 855409792 to QM_IDLE ISAKMP (0:3): processing HASH payload. message ID = 855409792 ISAKMP (0:3): processing SA payload. message ID = 855409792 ISAKMP (0:3): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_AES ISAKMP: attributes in transform: ISAKMP: authenticator is HMAC−MD5 ISAKMP: key length is 256 ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:3): atts are acceptable. ISAKMP (0:3): transform 1, IPPCP LZS IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.66.79.103, remote= 64.104.225.231, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.5.5.1/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp−aes 256 esp−md5−hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2 IPSEC(validate_proposal_request): proposal part #2, protocol= PCP, transform= comp−lzs , spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = ISAKMP (0:3): Checking IPSec proposal 12 ISAKMP: transform 1, ESP_3DES ISAKMP: authenticator is HMAC−SHA ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B protocol= ESP, transform= esp−3des esp−sha−hmac , ISAKMP (0:3): processing NONCE payload. message ID = 855409792 ISAKMP (0:3): processing ID payload. message ID = 855409792 ccnp_cch

ccnp_cch ISAKMP (0:3): asking for 1 spis from ipsec ISAKMP (0:3): Node 855409792, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH ISAKMP (0:3): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE %SYS−3−CPUHOG: Task ran for 19096 msec (2/0), process = Crypto IKMP, PC = 61C4FA8C. −Traceback= 61C4FA94 IPSEC(key_engine): got a queue event... IPSEC(spi_response): getting spi 2765429160 for SA from 10.66.79.103 to 64.104.225.231 for prot 3 ISAKMP: received ke message (2/1) ISAKMP (0:3): sending packet to 64.104.225.231 my_port 500 peer_port 500 (R) QM_IDLE ISAKMP (0:3): received packet from 64.104.225.231 dport 500 sport 500 Global (R) QM_IDLE ISAKMP: Locking peer struct 0x63E4BFD4, IPSEC refcount 1 for for stuff_ke ISAKMP (0:3): Creating IPSec SAs inbound SA from 64.104.225.231 to 10.66.79.103 (f/i) 0/ 0 (proxy 10.5.5.1 to 0.0.0.0) has spi 0xA4D519A8 and conn_id 5125 and flags 2 lifetime of 2147483 seconds has client flags 0x0 outbound SA from 10.66.79.103 to 64.104.225.231 (f/i) 0/ 0 (proxy 0.0.0.0 to 10.5.5.1 ) has spi −14569569 and conn_id 5126 and flags A lifetime of 2147483 seconds has client flags 0x0 ISAKMP (0:3): deleting node 855409792 error FALSE reason "quick mode done (await)" ISAKMP (0:3): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 10.66.79.103, remote= 64.104.225.231, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.5.5.1/0.0.0.0/0/0 (type=1), protocol= ESP, transform= esp−3des esp−sha−hmac , lifedur= 2147483s and 0kb, spi= 0xA4D519A8(2765429160), conn_id= 5125, keysize= 0, flags= 0x2 (key eng. msg.) OUTBOUND local= 10.66.79.103, remote= 64.104.225.231, spi= 0xFF21AF9F(4280397727), conn_id= 5126, keysize= 0, flags= 0xA IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = IPSEC(add mtree): src 0.0.0.0, dest 10.5.5.1, dest_port 0 IPSEC(create_sa): sa created, (sa) sa_dest= 10.66.79.103, sa_prot= 50, sa_spi= 0xA4D519A8(2765429160), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5125 (sa) sa_dest= 64.104.225.231, sa_prot= 50, sa_spi= 0xFF21AF9F(4280397727), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5126 ccnp_cch

Feed-back: Politique de confidentialité Feed-back
Do Not Sell My Personal Information
Notre projet: SlidePlayer Les conditions d'utilisation

© 2024 SlidePlayer.fr Inc. All rights reserved.