La présentation est en train de télécharger. S'il vous plaît, attendez

La présentation est en train de télécharger. S'il vous plaît, attendez

Configuration - IPSEC dynamique Routeur LAN à LAN et client VPN

Publié parMargaretMargaret Jacobs Modifié depuis plus de 6 années

Présentations similaires

Présentation au sujet: "Configuration - IPSEC dynamique Routeur LAN à LAN et client VPN"— Transcription de la présentation:

1 Configuration - IPSEC dynamique Routeur LAN à LAN et client VPN
ccnp_cch

2 Sommaire - Composants utilisés • Configuration • Vérification
• Introduction - Composants utilisés • Configuration - Schéma du réseau Configurations Client VPN • Vérification ccnp_cch

3 Introduction Cette configuration montre une configuration LAN à LAN entre deux routeurs dans un environnement "hub and spoke" avec un routeur, celui de l'extrémité distante (spoke) recevant son adresse IP via un serveur DHCP (Dynamic Host Configuration Protocol). Se connectant au même routeur central des clients VPN utilisent Xauth (eXtended Authentication). Jusqu'à présent, cela était impossible avec l'utilisation de clés pré-par- tagées génériques sur le routeur central car vous pouvez configurer ce routeur pour Xauth pour les clients VPN ce qui aurait fermé la connexion LAN à LAN. L'introduction de profils IPSec dans l'IOS Cisco release 12.2(15)T rend cette configura- tion possible car vous pouvez faire une correspondance sur d'autres propriétés de con- nexion (groupe VPN Client, adresse IP de l'extrémité, FQDN (Fully Qualified Domain Name)), etc..) au lieu de l'adresse IP de l'extrémité seule. La configuration du routeur d'extrémité montrée ci-dessous peut être répliquée sur tous les autres routeurs d'extrémité se connectant au même routeur central. La seule différence est la liste d'accès qui référence le trafic devant être crypté. Composants utilisés Les profils ont été introduits dans l'IOS Cisco Release 12.2(15)T mais à cause du bug Cisco CSCea77140 vous devez opérer avec l'IOS Cisco Release 12.3(2)T pour que cette configuration fonctionne correctement. Les configurations suivantes ont été testées en utilisant les les versions logicielles et matérielles suivantes : ● Cisco IOS Release 12.3(3) sur le routeur central ● Cisco IOS Release 12.2(17a) sur le routeur distant ● Cisco Client VPN 4.0(1) Configuration Dans cette section sont présentées les informations nécessaires pour configurer les fonctionnalités décrites dans ce document. Schéma du réseau /24 /24 Adresse IP négociée Internet Hub Spoke Client VPN ccnp_cch

4 Configurations ccnp_cch Routeur Hub version 12.3
service timestamps debug datetime msec service timestamps log datetime msec service password−encryption ! hostname Hub no logging on username gfullage password E070A0E2649 aaa new−model aaa authentication login clientauth local aaa authorization network groupauthor local aaa session−id common ip subnet−zero no ip domain lookup !−−− Keyring définit la clé pré−partagée générique. crypto keyring spokes pre−shared−key address key cisco123 crypto isakmp policy 10 encryption 3des authentication pre−share group 2 !−−− Configuration VPN Client pour le groupe "testgroup" !−−− (ce nom est configuré dans le Client VPN). crypto isakmp client configuration group testgroup key cisco321 dns wins domain cisco.com pool ippool ccnp_cch

5 ccnp_cch !−−− Profil pour une connexion LAN−à−LAN, référençant la clé
!−−− pre−partagée générique et une identité générique sans XAuth crypto isakmp profile L2L description LAN−to−LAN for spoke router(s) connection keyring spokes match identity address !−−− Profil pour des connexions Client VPN, correspondant au !−−− groupe "testgroup" et définissant les propriétés XAuth. crypto isakmp profile VPNclient description VPN clients profile match identity group testgroup client authentication list clientauth isakmp authorization list groupauthor client configuration address respond ! crypto ipsec transform−set myset esp−3des esp−sha−hmac !−−− Deux instances de la crypto map dynamique !−−− référence les deux profils IPSec ci-dessus. crypto dynamic−map dynmap 5 set transform−set myset set isakmp−profile VPNclient crypto dynamic−map dynmap 10 set isakmp−profile L2L !−−− La crypto−map fait référence aux deux !−−− instances de la crypto map dynamique ci-dessus. crypto map mymap 10 ipsec−isakmp dynamic dynmap interface FastEthernet0/0 description Outside interface ip address no ip mroute−cache duplex auto speed auto crypto map mymap ccnp_cch

6 ccnp_cch ! interface FastEthernet0/1 description Inside interface
ip address duplex auto speed auto no keepalive ip local pool ippool no ip http server no ip http secure−server ip classless ip route ip route call rsvp−sync dial−peer cor custom line con 0 exec−timeout 0 0 escape−character 27 line aux 0 line vty 0 4 password 7 121A0C041104 end ccnp_cch

7 ccnp_cch Routeur Spoke version 12.2
service timestamps debug datetime msec service timestamps log datetime msec no service password−encryption ! hostname Spoke no logging on ip subnet−zero no ip domain lookup ip cef crypto isakmp policy 10 encryption 3des authentication pre−share group 2 crypto isakmp key cisco123 address crypto ipsec transform−set myset esp−3des esp−sha−hmac !−−− Crypto map standard sur le routeur Spoke !−−− référençant l'adresse IP connue du routeur Hub. crypto map mymap 10 ipsec−isakmp set peer set transform−set myset match address 100 controller ISA 5/1 interface FastEthernet0/0 description Outside interface !−−− Dans la réalité on utiliserait !−−− "ip address dhcp" ou "ip address negotiated". ip address duplex auto speed auto crypto map mymap ccnp_cch

8 ccnp_cch interface FastEthernet0/1 description Inside interface
ip address duplex auto speed auto no keepalive ! interface ATM1/0 no ip address shutdown no atm ilmi−keepalive ip classless ip route no ip http server no ip http secure−server !−−− Liste d'access standard référençant le trafic devant être !−−− crypté, c'est la seule chose qui a besoin d'être changée !−−− entre les différents routeurs d'extrémité. access−list 100 permit ip call rsvp−sync mgcp profile default line con 0 exec−timeout 0 0 line aux 0 line vty 0 4 password cisco login end ccnp_cch

9 Client VPN Vérification ccnp_cch
Créez une nouvelle connexion en donnant l'adresse IP du routeur Central. le nom du groupe de cet exemple est "testgroup" et le mot de passe est "cisco321" comme cela peut être vu dans la configuration du routeur central. Vérification Cette section fournit des informations que vous pouvez utiliser pour confirmer que vo- tre configuration fonctionne correctement. Les commandes debug exécutées sur le routeur central peuvent confirmer que les pa- ramètres corrects correspondent pour le routeur d'extrémité et les clients VPN. ● debug crypto isakmp − Affiche les messages au sujet des événements IKE (Internet Key Exchange). ● debug crypto ipsec − Affiche les évènements IPSec. ccnp_cch

10 Voici la sortie sur le routeur d'extrémité pour la connexion: ISAKMP (0:0): received packet from dport 500 sport 500 Global (N) NEW SA ISAKMP: local port 500, remote port 500 ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63E4C3A0 ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH ISAKMP (0:2): Old State = IKE_READY New State = IKE_R_MM1 ISAKMP (0:2): processing SA payload. message ID = 0 ISAKMP (0:2): processing vendor id payload ISAKMP (0:2): vendor ID seems Unity/DPD but major 157 mismatch ISAKMP (0:2): vendor ID is NAT−T v3 ISAKMP (0:2): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP (0:2): vendor ID is NAT−T v2 ISAKMP: Looking for a matching key for in default ISAKMP: Looking for a matching key for in spokes : success ISAKMP (0:2): found peer pre−shared key matching ISAKMP (0:2) local preshared key found ISAKMP : Scanning profiles for xauth ... L2L VPNclient ISAKMP (0:2) Authentication by xauth preshared ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy ISAKMP: encryption 3DES−CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth pre−share ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP (0:2): atts are acceptable. Next payload is 0 ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM1 ISAKMP (0:2): constructed NAT−T vendor−03 ID ISAKMP (0:2): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2 ISAKMP (0:2): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3 ISAKMP (0:2): processing KE payload. message ID = 0 ISAKMP (0:2): processing NONCE payload. message ID = 0 ccnp_cch

11 ccnp_cch ISAKMP (0:2): SKEYID state generated
ISAKMP (0:2): processing vendor id payload ISAKMP (0:2): vendor ID is Unity ISAKMP (0:2): vendor ID is DPD ISAKMP (0:2): speaking to another IOS box! ISAKMP:received payload type 17 ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM3 ISAKMP (0:2): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4 ISAKMP (0:2): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH ISAKMP (0:2): Old State = IKE_R_MM4 New State = IKE_R_MM5 ISAKMP (0:2): processing ID payload. message ID = 0 ISAKMP (0:2): peer matches L2L profile ISAKMP: Looking for a matching key for in default ISAKMP: Looking for a matching key for in spokes : success ISAKMP (0:2): Found ADDRESS key in keyring spokes ISAKMP (0:2): processing HASH payload. message ID = 0 ISAKMP (0:2): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 63E4C3A0 ISAKMP (0:2): Process initial contact, bring down existing phase 1 and 2 SA's with local remote remote port 500 ISAKMP (0:2): SA has been authenticated with ISAKMP (0:2): Old State = IKE_R_MM5 New State = IKE_R_MM5 IPSEC(key_engine): got a queue event... ISAKMP (0:2): SA is doing pre−shared key authentication using id type ID_IPV4_ADDR ISAKMP (2): ID payload next−payload : 8 type : 1 addr : protocol : 17 port : 500 length : 8 ISAKMP (2): Total payload length: 12 ISAKMP (0:2): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE ISAKMP (0:2): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Global (R) QM_IDLE ISAKMP: set new node − to QM_IDLE ISAKMP (0:2): processing HASH payload. message ID = − ISAKMP (0:2): processing SA payload. message ID = − ISAKMP (0:2): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ccnp_cch

12 ccnp_cch ISAKMP: attributes in transform: ISAKMP: encaps is 1
ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: authenticator is HMAC−SHA ISAKMP (0:2): atts are acceptable. IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= , remote= , local_proxy= / /0/0 (type=4), remote_proxy= / /0/0 (type=4), protocol= ESP, transform= esp−3des esp−sha−hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = ISAKMP (0:2): processing NONCE payload. message ID = − ISAKMP (0:2): processing ID payload. message ID = − ISAKMP (0:2): asking for 1 spis from ipsec ISAKMP (0:2): Node − , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH ISAKMP (0:2): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE IPSEC(key_engine): got a queue event... IPSEC(spi_response): getting spi for SA from to for prot 3 ISAKMP: received ke message (2/1) ISAKMP (0:2): sending packet to my_port 500 peer_port 500 (R) QM_IDLE ISAKMP (0:2): Node − , Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY ISAKMP (0:2): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 ISAKMP (0:2): received packet from dport 500 sport 500 Global ISAKMP (0:2): Creating IPSec Sas inbound SA from to (f/i) 0/ 0 (proxy to ) has spi 0xF7F55F51 and conn_id 5123 and flags 2 lifetime of 3600 seconds lifetime of kilobytes has client flags 0x0 outbound SA from to (f/i) 0/ 0 (proxy to ) has spi and conn_id 5124 and flags A ISAKMP (0:2): deleting node − error FALSE reason "quick mode done (await)" ISAKMP (0:2): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE IPSEC(initialize_sas): , lifedur= 3600s and kb, spi= 0xF7F55F51( ), conn_id= 5123, keysize= 0, flags= 0x2 ccnp_cch

13 IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= , remote= , local_proxy= / /0/0 (type=4), remote_proxy= / /0/0 (type=4), protocol= ESP, transform= esp−3des esp−sha−hmac , lifedur= 3600s and kb, spi= 0x5B9BA9D6( ), conn_id= 5124, keysize= 0, flags= 0xA IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = IPSEC(add mtree): src , dest , dest_port 0 IPSEC(create_sa): sa created, (sa) sa_dest= , sa_prot= 50, sa_spi= 0xF7F55F51( ), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5123 IPSEC(create_sa): sa created, (sa) sa_dest= , sa_prot= 50, sa_spi= 0x5B9BA9D6( ), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5124 Voici la sortie pour la connexion du Client VPN ISAKMP (0:0): received packet from dport 500 sport 500 Global (N) NEW SA ISAKMP: local port 500, remote port 500 ISAKMP: insert sa successfully sa = 63E9C5DC ISAKMP (0:3): processing SA payload. message ID = 0 ISAKMP (0:3): processing ID payload. message ID = 0 ISAKMP (0:3): peer matches VPNclient profile ISAKMP: Looking for a matching key for in default ISAKMP: Looking for a matching key for in spokes : success ISAKMP: Created a peer struct for , peer port 500 ISAKMP: Locking peer struct 0x63E4BFD4, IKE refcount 1 for crypto_ikmp_config_initialize_sa ISAKMP (0:3): Setting client config settings 63C9BBB0 ISAKMP (0:3): (Re)Setting client xauth list and state ISAKMP (0:3): processing vendor id payload ISAKMP (0:3): vendor ID seems Unity/DPD but major 215 mismatch ISAKMP (0:3): vendor ID is XAUTH ISAKMP (0:3): vendor ID is DPD ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch ISAKMP (0:3): vendor ID is NAT−T v2 ISAKMP (0:3): vendor ID seems Unity/DPD but major 194 mismatch ISAKMP (0:3): vendor ID is Unity ISAKMP (0:3) Authentication by xauth preshared ISAKMP (0:3): Checking ISAKMP transform 9 against priority 10 policy ISAKMP: encryption 3DES−CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:3): atts are acceptable. Next payload is 3 ccnp_cch

14 ccnp_cch ISAKMP (0:3): processing KE payload. message ID = 0
ISAKMP (0:3): processing NONCE payload. message ID = 0 ISAKMP (0:3): vendor ID is NAT−T v2 ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH ISAKMP (0:3): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT ISAKMP (0:3): received packet from dport 500 sport 500 Global (R) AG_NO_STATE ISAKMP (0:3): phase 1 packet is a duplicate of a previous packet. ISAKMP (0:3): retransmission skipped (awaiting response from other process) ISAKMP: got callback 1 ISAKMP (0:3): SKEYID state generated ISAKMP (0:3): constructed NAT−T vendor−02 ID ISAKMP (0:3): SA is doing pre−shared key authentication plus XAUTH using id type ID_IPV4_ADDR ISAKMP (3): ID payload next−payload : 10 type : 1 addr : protocol : 17 port : 0 length : 8 ISAKMP (3): Total payload length: 12 ISAKMP (0:3): sending packet to my_port 500 peer_port 500 (R) AG_INIT_EXCH ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY ISAKMP (0:3): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2 Global (R) AG_INIT_EXCH ISAKMP (0:3): processing HASH payload. message ID = 0 ISAKMP (0:3): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 63E9C5DC ISAKMP (0:3): Process initial contact, bring down existing phase 1 and 2 SA's with local remote remote port 500 ISAKMP (0:3): returning IP addr to the address pool IPSEC(key_engine): got a queue event... ISAKMP:received payload type 17 ISAKMP (0:3): SA has been authenticated with ISAKMP: Trying to insert a peer / /500/, and inserted successfully. ISAKMP: set new node − to CONF_XAUTH (R) QM_IDLE ISAKMP (0:3): purging node − ISAKMP: Sending phase 1 responder lifetime 86400 ISAKMP (0:3): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE ISAKMP (0:3): Need XAUTH ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT ISAKMP: set new node to CONF_XAUTH ccnp_cch

15 ccnp_cch !−−− XAuth débute.
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2 ISAKMP (0:3): initiating peer config to ID = ISAKMP (0:3): sending packet to my_port 500 peer_port 500 (R) CONF_XAUTH ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN ISAKMP (0:3): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT !−−− nom d'utilisateur et mot de passe reçus du Client VPN. ISAKMP (0:3): received packet from dport 500 sport 500 Global (R) CONF_XAUTH ISAKMP (0:3): processing transaction payload from message ID = ISAKMP: Config payload REPLY ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2 ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2 ISAKMP (0:3): deleting node error FALSE reason "done with xauth request/reply exchange" ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY ISAKMP (0:3): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT ISAKMP: got callback 1 ISAKMP: set new node to CONF_XAUTH ISAKMP (0:3): initiating peer config to ID = ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN ISAKMP (0:3): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT message ID = !−−− Succès. ISAKMP: Config payload ACK ISAKMP (0:3): XAUTH ACK Processed ISAKMP (0:3): deleting node error FALSE reason "done with transaction" ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK ISAKMP (0:3): Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE Global (R) QM_IDLE ISAKMP: set new node to QM_IDLE message ID = ISAKMP: Config payload REQUEST ccnp_cch

16 ccnp_cch ISAKMP (0:3): checking request: ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK ISAKMP: IP4_DNS ISAKMP: IP4_NBNS ISAKMP: ADDRESS_EXPIRY ISAKMP: UNKNOWN Unknown Attr: 0x7000 ISAKMP: UNKNOWN Unknown Attr: 0x7001 ISAKMP: DEFAULT_DOMAIN ISAKMP: SPLIT_INCLUDE ISAKMP: UNKNOWN Unknown Attr: 0x7003 ISAKMP: UNKNOWN Unknown Attr: 0x7007 ISAKMP: UNKNOWN Unknown Attr: 0x7009 ISAKMP: APPLICATION_VERSION ISAKMP: UNKNOWN Unknown Attr: 0x7008 ISAKMP: UNKNOWN Unknown Attr: 0x700A ISAKMP: UNKNOWN Unknown Attr: 0x7005 ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE ISAKMP (0:3): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_CONFIG_AUTHOR_AAA_AWAIT ISAKMP: got callback 1 ISAKMP (0:3): attributes sent in message: Address: ISAKMP (0:3): allocating address ISAKMP: Sending private address: ISAKMP: Sending IP4_DNS server address: ISAKMP: Sending IP4_DNS server address: ISAKMP: Sending IP4_NBNS server address: ISAKMP: Sending IP4_NBNS server address: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86389 ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7000) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7001) ISAKMP: Sending DEFAULT_DOMAIN default domain name: cisco.com ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7003) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7007) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7009) ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3660−IK9S−M), Version 12.3(1.7), MAINTENANCE INTERIM SOFTWARE Copyright (c) 1986−2003 by cisco Systems, Inc. Compiled Mon 26−May−03 11:58 by dchih ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7008) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x700A) ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7005) ISAKMP (0:3): responding to peer config from ID = ISAKMP (0:3): sending packet to my_port 500 peer_port 500 (R) CONF_ADDR ISAKMP (0:3): deleting node error FALSE reason "" ISAKMP (0:3): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR New State = IKE_P1_COMPLETE ISAKMP (0:3): received packet from dport 500 sport 500 Global (R) QM_IDLE ccnp_cch

17 ccnp_cch ISAKMP: set new node 855409792 to QM_IDLE
ISAKMP (0:3): processing HASH payload. message ID = ISAKMP (0:3): processing SA payload. message ID = ISAKMP (0:3): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_AES ISAKMP: attributes in transform: ISAKMP: authenticator is HMAC−MD5 ISAKMP: key length is 256 ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:3): atts are acceptable. ISAKMP (0:3): transform 1, IPPCP LZS IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= , remote= , local_proxy= / /0/0 (type=4), remote_proxy= / /0/0 (type=1), protocol= ESP, transform= esp−aes 256 esp−md5−hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2 IPSEC(validate_proposal_request): proposal part #2, protocol= PCP, transform= comp−lzs , spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = ISAKMP (0:3): Checking IPSec proposal 12 ISAKMP: transform 1, ESP_3DES ISAKMP: authenticator is HMAC−SHA ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B protocol= ESP, transform= esp−3des esp−sha−hmac , ISAKMP (0:3): processing NONCE payload. message ID = ISAKMP (0:3): processing ID payload. message ID = ccnp_cch

18 ccnp_cch ISAKMP (0:3): asking for 1 spis from ipsec
ISAKMP (0:3): Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH ISAKMP (0:3): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE %SYS−3−CPUHOG: Task ran for msec (2/0), process = Crypto IKMP, PC = 61C4FA8C. −Traceback= 61C4FA94 IPSEC(key_engine): got a queue event... IPSEC(spi_response): getting spi for SA from to for prot 3 ISAKMP: received ke message (2/1) ISAKMP (0:3): sending packet to my_port 500 peer_port 500 (R) QM_IDLE ISAKMP (0:3): received packet from dport 500 sport 500 Global (R) QM_IDLE ISAKMP: Locking peer struct 0x63E4BFD4, IPSEC refcount 1 for for stuff_ke ISAKMP (0:3): Creating IPSec SAs inbound SA from to (f/i) 0/ 0 (proxy to ) has spi 0xA4D519A8 and conn_id 5125 and flags 2 lifetime of seconds has client flags 0x0 outbound SA from to (f/i) 0/ 0 (proxy to ) has spi − and conn_id 5126 and flags A lifetime of seconds has client flags 0x0 ISAKMP (0:3): deleting node error FALSE reason "quick mode done (await)" ISAKMP (0:3): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= , remote= , local_proxy= / /0/0 (type=4), remote_proxy= / /0/0 (type=1), protocol= ESP, transform= esp−3des esp−sha−hmac , lifedur= s and 0kb, spi= 0xA4D519A8( ), conn_id= 5125, keysize= 0, flags= 0x2 (key eng. msg.) OUTBOUND local= , remote= , spi= 0xFF21AF9F( ), conn_id= 5126, keysize= 0, flags= 0xA IPSEC(kei_proxy): head = mymap, map−>ivrf = , kei−>ivrf = IPSEC(add mtree): src , dest , dest_port 0 IPSEC(create_sa): sa created, (sa) sa_dest= , sa_prot= 50, sa_spi= 0xA4D519A8( ), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5125 (sa) sa_dest= , sa_prot= 50, sa_spi= 0xFF21AF9F( ), sa_trans= esp−3des esp−sha−hmac , sa_conn_id= 5126 ccnp_cch

Télécharger ppt "Configuration - IPSEC dynamique Routeur LAN à LAN et client VPN"

Présentations similaires

From Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide by Diane Teare, Bob Vachon and Rick Graziani ( ) Copyright © 2015 Cisco Systems,

From Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide by Diane Teare, Bob Vachon and Rick Graziani ( ) Copyright © 2015 Cisco Systems,
Effacer la Configuration LWAPP sur un LAP

Effacer la Configuration LWAPP sur un LAP
Sécurité - Configuration de Secure Shell sur les Commutateurs et les Routeurs avec l'IOS Cisco ccnp_cch.

Sécurité - Configuration de Secure Shell sur les Commutateurs et les Routeurs avec l'IOS Cisco ccnp_cch.
Sécurité - ASA/PIX 7.x - Adresse IP statique pour Client VPN IPSec avec configuration CLI et ASDM ccnp_cch.

Sécurité - ASA/PIX 7.x - Adresse IP statique pour Client VPN IPSec avec configuration CLI et ASDM ccnp_cch.
Remote Desktop Protocol l'Appliance de Sécurité

Remote Desktop Protocol l'Appliance de Sécurité
Sécurité - Configuration d'un

Sécurité - Configuration d'un
QoS - Propagation de la Politique de QoS via BGP

QoS - Propagation de la Politique de QoS via BGP
Configurer NAT et PAT statique pour support d'un serveur Web interne

Configurer NAT et PAT statique pour support d'un serveur Web interne
Examen Final Sécurité - TRCT - 2011 Cfi_CCH.

Examen Final Sécurité - TRCT Cfi_CCH.
(Certificate Revocation List)

(Certificate Revocation List)
Commande ip nat service

Commande ip nat service
Sécurité - Configuration du PIX

Sécurité - Configuration du PIX
Sécurité - Configuration NTP sur le PIX avec ou sans Tunnel IPSec

Sécurité - Configuration NTP sur le PIX avec ou sans Tunnel IPSec
Sécurité - ASA7.x/PIX 6.x et plus

Sécurité - ASA7.x/PIX 6.x et plus
Sécurité - Configuration d'un

Sécurité - Configuration d'un
Tunnel pour paquets IP Multicast

Tunnel pour paquets IP Multicast
Configuration Routeur SOHO77

Configuration Routeur SOHO77
Configuration d'un accès

Configuration d'un accès
BGP - Configuration iBGP et eBGP avec ou sans adresse de Loopback

BGP - Configuration iBGP et eBGP avec ou sans adresse de Loopback
Configuration BGP de base

Configuration BGP de base

Présentations similaires

Annonces Google