Good day, everyone!
I can't figure out how to diagnose IPsec Phase II in a site-to-site VPN setup.
Phase 1:
router-vpn#sh crypto isa sa
dst src state conn-id slot status
220.0.220.120 221.0.221.121 QM_IDLE 1044 0 ACTIVE
Phase 2:
router-vpn#sh crypto ipsec sa peer 220.0.220.120
interface: FastEthernet0/0
Crypto map tag: clientmap, local addr 221.0.221.121
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.20.1.1/255.255.255.255/0/0)
current_peer 220.0.220.120 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 221.0.221.121, remote crypto endpt.: 220.0.220.120
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x15CF2F53(365899603)
inbound esp sas:
spi: 0x3FC88013(1070104595)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4573591/3441)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x15CF2F53(365899603)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3018, flow_id: FPGA:18, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4573590/3441)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
From this it is clear that packets are being encrypted and sent out, but nothing comes back.
debug crypto ipsec shows the following:
router-vpn#sh crypto ipsec sa peer 220.0.220.120
067814: Jun 3 09:16:11.453: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 221.0.221.121, remote= 220.0.220.120,
local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3FC88013(1070104595), conn_id= 0, keysize= 0, flags= 0x400B
067815: Jun 3 09:16:11.637: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 221.0.221.121, remote= 220.0.220.120,
local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
067816: Jun 3 09:16:11.637: Crypto mapdb : proxy_match
src addr : 192.168.1.1
dst addr : 172.20.1.1
protocol : 0
src port : 0
dst port : 0
067817: Jun 3 09:16:11.637: Crypto mapdb : proxy_match
src addr : 192.168.1.1
dst addr : 172.20.1.1
protocol : 0
src port : 0
dst port : 0
067818: Jun 3 09:16:11.681: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=UNKNOWN User= Group=220.0.220.120 Client_public_addr=220.0.220.120 Server_public_addr=221.0.221.121
067819: Jun 3 09:16:11.681: IPSEC(key_engine): got a queue event with 2 kei messages
067820: Jun 3 09:16:11.685: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 221.0.221.121, remote= 220.0.220.120,
local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3FC88013(1070104595), conn_id= 0, keysize= 0, flags= 0x13
067821: Jun 3 09:16:11.685: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 221.0.221.121, remote= 220.0.220.120,
local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x15CF2F53(365899603), conn_id= 0, keysize= 0, flags= 0x1B
067822: Jun 3 09:16:11.685: Crypto mapdb : proxy_match
src addr : 192.168.1.1
dst addr : 172.20.1.1
protocol : 0
src port : 0
dst port : 0
067823: Jun 3 09:16:11.685: Crypto mapdb : proxy_match
src addr : 192.168.1.1
dst addr : 172.20.1.1
protocol : 0
src port : 0
dst port : 0
067824: Jun 3 09:16:11.685: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 220.0.220.120
067825: Jun 3 09:16:11.685: IPSec: Flow_switching Allocated flow for sibling 80004EFF
067826: Jun 3 09:16:11.685: IPSEC(policy_db_add_ident): src 192.168.1.1, dest 172.20.1.1, dest_port 0
067827: Jun 3 09:16:11.685: IPSEC(create_sa): starting idle timer, 1800 seconds
067828: Jun 3 09:16:11.685: IPSEC(create_sa): sa created,
(sa) sa_dest= 221.0.221.121, sa_proto= 50,
sa_spi= 0x3FC88013(1070104595),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3003
sa_lifetime(k/sec)= (4573591/3600)
067829: Jun 3 09:16:11.685: IPSEC(create_sa): sa created,
(sa) sa_dest= 220.0.220.120, sa_proto= 50,
sa_spi= 0x15CF2F53(365899603),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3018
sa_lifetime(k/sec)= (4573591/3600)
067830: Jun 3 09:16:11.693: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 220.0.220.120:500 Id: 220.0.220.120
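As an added example (not part of the original post), a small parser that pulls the per-direction counters and SPIs out of `show crypto ipsec sa` text and flags the one-way condition visible above: encaps > 0 with decaps == 0 plus a send error. The sample input is a constructed abridgement of the output quoted in the post.

```python
import re

# Constructed sample: abridged from the "show crypto ipsec sa" output quoted above.
SAMPLE = """\
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.20.1.1/255.255.255.255/0/0)
current_peer 220.0.220.120 port 500
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1, #recv errors 0
current outbound spi: 0x15CF2F53(365899603)
inbound esp sas:
spi: 0x3FC88013(1070104595)
outbound esp sas:
spi: 0x15CF2F53(365899603)
"""

def _int(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0

def _first_spi_after(text, marker):
    # The first "spi:" after a section header belongs to that direction.
    tail = text.split(marker, 1)[1] if marker in text else ""
    m = re.search(r"spi: (0x[0-9A-Fa-f]+)", tail)
    return m.group(1) if m else None

def parse_ipsec_sa(text):
    """Pull out the fields that matter for triaging a one-way tunnel."""
    return {
        "peer": re.search(r"current_peer (\S+)", text).group(1),
        "local_ident": re.search(r"local ident [^:]*: \(([^)]+)\)", text).group(1),
        "remote_ident": re.search(r"remote ident [^:]*: \(([^)]+)\)", text).group(1),
        "encaps": _int(r"#pkts encaps: (\d+)", text),
        "decaps": _int(r"#pkts decaps: (\d+)", text),
        "send_errors": _int(r"#send errors (\d+)", text),
        "recv_errors": _int(r"#recv errors (\d+)", text),
        "inbound_spi": _first_spi_after(text, "inbound esp sas:"),
        "outbound_spi": _first_spi_after(text, "outbound esp sas:"),
    }

def diagnose(sa):
    """Return findings; an empty list means ESP flows in both directions."""
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append(f"one-way: {sa['encaps']} packet(s) encrypted to {sa['peer']}, "
                        "0 decrypted back; the peer is not returning ESP on this SA pair")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send error(s) on the outbound SA")
    return findings
```

Run `diagnose(parse_ipsec_sa(SAMPLE))` against a live capture of the command output; a tunnel that is healthy in both directions yields an empty list.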