URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 797

Original message
"IPSec troubleshooting"

Posted by Tolic, 03-Jun-13 11:04
Good day, everyone!
I can't figure out how to diagnose IPsec phase 2 in a site-to-site VPN setup.
Phase 1:
router-vpn#sh crypto isa sa
dst             src             state          conn-id slot status
220.0.220.120   221.0.221.121   QM_IDLE           1044    0 ACTIVE

Phase 2:
router-vpn#sh crypto ipsec sa peer 220.0.220.120

interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 221.0.221.121

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.20.1.1/255.255.255.255/0/0)
   current_peer 220.0.220.120 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 221.0.221.121, remote crypto endpt.: 220.0.220.120
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x15CF2F53(365899603)

     inbound esp sas:
      spi: 0x3FC88013(1070104595)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4573591/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x15CF2F53(365899603)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3018, flow_id: FPGA:18, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4573590/3441)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

From this you can see that packets are being encrypted and sent out, but nothing comes back.

debug crypto ipsec shows the following:

router-vpn#sh crypto ipsec sa peer 220.0.220.120
067814: Jun  3 09:16:11.453: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 221.0.221.121, remote= 220.0.220.120,
    local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x3FC88013(1070104595), conn_id= 0, keysize= 0, flags= 0x400B
067815: Jun  3 09:16:11.637: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 221.0.221.121, remote= 220.0.220.120,
    local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
067816: Jun  3 09:16:11.637: Crypto mapdb : proxy_match
        src addr     : 192.168.1.1
        dst addr     : 172.20.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
067817: Jun  3 09:16:11.637: Crypto mapdb : proxy_match
        src addr     : 192.168.1.1
        dst addr     : 172.20.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
067818: Jun  3 09:16:11.681: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server)  Mode=NEM  Client_type=UNKNOWN  User=  Group=220.0.220.120  Client_public_addr=220.0.220.120  Server_public_addr=221.0.221.121
067819: Jun  3 09:16:11.681: IPSEC(key_engine): got a queue event with 2 kei messages
067820: Jun  3 09:16:11.685: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 221.0.221.121, remote= 220.0.220.120,
    local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x3FC88013(1070104595), conn_id= 0, keysize= 0, flags= 0x13
067821: Jun  3 09:16:11.685: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 221.0.221.121, remote= 220.0.220.120,
    local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x15CF2F53(365899603), conn_id= 0, keysize= 0, flags= 0x1B
067822: Jun  3 09:16:11.685: Crypto mapdb : proxy_match
        src addr     : 192.168.1.1
        dst addr     : 172.20.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
067823: Jun  3 09:16:11.685: Crypto mapdb : proxy_match
        src addr     : 192.168.1.1
        dst addr     : 172.20.1.1
        protocol     : 0
        src port     : 0
        dst port     : 0
067824: Jun  3 09:16:11.685: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 220.0.220.120
067825: Jun  3 09:16:11.685: IPSec: Flow_switching Allocated flow for sibling 80004EFF
067826: Jun  3 09:16:11.685: IPSEC(policy_db_add_ident): src 192.168.1.1, dest 172.20.1.1, dest_port 0

067827: Jun  3 09:16:11.685: IPSEC(create_sa): starting idle timer, 1800 seconds
067828: Jun  3 09:16:11.685: IPSEC(create_sa): sa created,
  (sa) sa_dest= 221.0.221.121, sa_proto= 50,
    sa_spi= 0x3FC88013(1070104595),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3003
    sa_lifetime(k/sec)= (4573591/3600)
067829: Jun  3 09:16:11.685: IPSEC(create_sa): sa created,
  (sa) sa_dest= 220.0.220.120, sa_proto= 50,
    sa_spi= 0x15CF2F53(365899603),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3018
    sa_lifetime(k/sec)= (4573591/3600)
067830: Jun  3 09:16:11.693: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 220.0.220.120:500       Id: 220.0.220.120
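
A small parser for the `show crypto ipsec sa` output quoted in the post, added here as an example; it is not the poster's code or anything else from this thread. It splits the output into per-flow blocks, pulls out the encaps/decaps and error counters, the SPIs and the transforms, and reports the pattern the post shows: ESP going out, nothing coming back. The sample input is the poster's own output, abridged; the checks in `diagnose` are general IPsec troubleshooting rules, not conclusions the thread reached.

```python
# Added example for this thread, not code from the original post: parse the
# 'show crypto ipsec sa' output quoted above and flag one-way SA pairs.
import re
from dataclasses import dataclass, field
from typing import List

# The poster's output, abridged (AH/PCP, compression, MTU and lifetime lines dropped).
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 221.0.221.121
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.20.1.1/255.255.255.255/0/0)
   current_peer 220.0.220.120 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x15CF2F53(365899603)

     inbound esp sas:
      spi: 0x3FC88013(1070104595)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE

     outbound esp sas:
      spi: 0x15CF2F53(365899603)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

@dataclass
class IpsecSa:
    """One (local ident, remote ident) flow block of 'show crypto ipsec sa'."""
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spis: List[str] = field(default_factory=list)
    outbound_spis: List[str] = field(default_factory=list)
    transforms: List[str] = field(default_factory=list)

def _grab(pattern: str, block: str, default: str = "0") -> str:
    m = re.search(pattern, block)
    return m.group(1) if m else default

def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """Return one record per flow block; every block begins at 'protected vrf:'."""
    records = []
    for block in re.split(r"(?m)^\s*protected vrf:", text)[1:]:
        sa = IpsecSa(
            peer=_grab(r"current_peer (\S+)", block, "?"),
            local_ident=_grab(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)", block, "?"),
            remote_ident=_grab(r"remote ident \(addr/mask/prot/port\): \((\S+)\)", block, "?"),
            encaps=int(_grab(r"#pkts encaps: (\d+)", block)),
            decaps=int(_grab(r"#pkts decaps: (\d+)", block)),
            send_errors=int(_grab(r"#send errors (\d+)", block)),
            recv_errors=int(_grab(r"#recv errors (\d+)", block)),
        )
        direction = None
        for line in block.splitlines():
            s = line.strip()
            if s.endswith("sas:"):                # 'inbound esp sas:' / 'outbound esp sas:'
                direction = s.split()[0]
            elif s.startswith("spi:") and direction:
                spi = s.split()[1].split("(")[0]  # keep the hex form, drop the decimal
                (sa.inbound_spis if direction == "inbound" else sa.outbound_spis).append(spi)
            elif s.startswith("transform:"):
                sa.transforms.append(s[len("transform:"):].strip(" ,"))
        records.append(sa)
    return records

def diagnose(sa: IpsecSa) -> List[str]:
    """Findings for one flow; an empty list means the SA pair looks healthy."""
    findings = []
    if not sa.inbound_spis or not sa.outbound_spis:
        findings.append("phase 2 incomplete: inbound or outbound ESP SA missing")
    if sa.encaps and not sa.decaps:
        findings.append(f"one-way: {sa.encaps} packets encapsulated toward {sa.peer}, none "
                        f"decapsulated; the peer sends no ESP back (or it is filtered in transit): "
                        f"check its route for {sa.local_ident}, NAT order and mirror-image crypto ACL")
    if not sa.encaps and not sa.decaps:
        findings.append("idle: no packets matched the crypto ACL in either direction")
    if sa.send_errors:
        findings.append(f"send errors: {sa.send_errors} (one at SA setup is common; watch whether it grows)")
    if len(set(sa.transforms)) > 1:
        findings.append("inbound/outbound transforms differ: " + ", ".join(sorted(set(sa.transforms))))
    return findings

if __name__ == "__main__":
    for sa in parse_show_crypto_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.local_ident} -> {sa.remote_ident} via {sa.peer}")
        for finding in diagnose(sa) or ["no problems detected"]:
            print("  -", finding)
```

Run it against the full output of `show crypto ipsec sa` from both routers: on a healthy tunnel both sides show encaps and decaps growing; on this one the local side reports the one-way finding, and the interesting question is what the peer's counters say for the mirrored flow 172.20.1.1 -> 192.168.1.1.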


Messages in this discussion
"IPSec troubleshooting"
Posted by midori, 03-Jun-13 12:20
Check for a transform set mismatch between the hub and spoke / you could show the config.
#debug crypto isakmp

"IPSec troubleshooting"
Posted by McS555, 03-Jun-13 15:23
The configs!!! ))