VPN zwischen Sonicwall-Produkten und Cisco Security Appliance - Konfigurationsbeispiel

Download-Optionen

PDF (349.2 KB)
Mit Adobe Reader auf verschiedenen Geräten anzeigen
ePub (281.8 KB)
In verschiedenen Apps auf iPhone, iPad, Android, Sony Reader oder Windows Phone anzeigen
Mobi (Kindle) (335.2 KB)
Auf einem Kindle-Gerät oder einer Kindle-App auf mehreren Geräten anzeigen

Aktualisiert:5. Januar 2007

Dokument-ID:66171

Inklusive Sprache

In dem Dokumentationssatz für dieses Produkt wird die Verwendung inklusiver Sprache angestrebt. Für die Zwecke dieses Dokumentationssatzes wird Sprache als „inklusiv“ verstanden, wenn sie keine Diskriminierung aufgrund von Alter, körperlicher und/oder geistiger Behinderung, Geschlechtszugehörigkeit und -identität, ethnischer Identität, sexueller Orientierung, sozioökonomischem Status und Intersektionalität impliziert. Dennoch können in der Dokumentation stilistische Abweichungen von diesem Bemühen auftreten, wenn Text verwendet wird, der in Benutzeroberflächen der Produktsoftware fest codiert ist, auf RFP-Dokumentation basiert oder von einem genannten Drittanbieterprodukt verwendet wird. Hier erfahren Sie mehr darüber, wie Cisco inklusive Sprache verwendet.

Informationen zu dieser Übersetzung

Cisco hat dieses Dokument maschinell übersetzen und von einem menschlichen Übersetzer editieren und korrigieren lassen, um unseren Benutzern auf der ganzen Welt Support-Inhalte in ihrer eigenen Sprache zu bieten. Bitte beachten Sie, dass selbst die beste maschinelle Übersetzung nicht so genau ist wie eine von einem professionellen Übersetzer angefertigte. Cisco Systems, Inc. übernimmt keine Haftung für die Richtigkeit dieser Übersetzungen und empfiehlt, immer das englische Originaldokument (siehe bereitgestellter Link) heranzuziehen.

Inhalt

Einführung

Voraussetzungen

Anforderungen

Verwendete Komponenten

Zugehörige Produkte

Konventionen

Konfigurieren

Netzwerkdiagramm

Sonicwall-Konfiguration

Konfiguration des IPsec-Hauptmodus

Konfiguration des aggressiven IPsec-Modus

Überprüfen

Fehlerbehebung

Zugehörige Informationen

Einführung

In diesem Dokument wird veranschaulicht, wie ein IPsec-Tunnel mit vorinstallierten Schlüsseln konfiguriert wird, um unter Verwendung des aggressiven und des Hauptmodus zwischen zwei privaten Netzwerken zu kommunizieren. In diesem Beispiel handelt es sich bei den kommunizierenden Netzwerken um das private Netzwerk 192.168.1.x innerhalb der Cisco Security Appliance (PIX/ASA) und das private Netzwerk 172.22.1.x innerhalb der ^SonicwallTM TZ170 Firewall.

Voraussetzungen

Anforderungen

Stellen Sie sicher, dass Sie diese Anforderungen erfüllen, bevor Sie versuchen, diese Konfiguration durchzuführen:

Der Datenverkehr aus der Cisco Security Appliance und innerhalb der Sonicwall TZ170 sollte vor Beginn dieser Konfiguration ins Internet fließen (hier durch die 10.x.x.x-Netzwerke dargestellt).
Benutzer sollten mit der IPsec-Aushandlung vertraut sein. Dieser Prozess kann in fünf Schritte unterteilt werden, die zwei IKE-Phasen (Internet Key Exchange) umfassen.
1. Ein IPsec-Tunnel wird durch interessanten Datenverkehr initiiert. Datenverkehr gilt als interessant, wenn er zwischen den IPsec-Peers übertragen wird.
2. In IKE Phase 1 handeln die IPsec-Peers die etablierte IKE Security Association (SA)-Richtlinie aus. Nach der Authentifizierung der Peers wird ein sicherer Tunnel mithilfe von Internet Security Association und Key Management Protocol (ISAKMP) erstellt.
3. In IKE Phase 2 verwenden die IPsec-Peers den authentifizierten und sicheren Tunnel, um IPsec-SA-Transformationen auszuhandeln. Die Aushandlung der freigegebenen Richtlinie bestimmt, wie der IPsec-Tunnel eingerichtet wird.
4. Der IPsec-Tunnel wird erstellt, und Daten werden zwischen den IPsec-Peers übertragen, basierend auf den in den IPsec-Transformationssätzen konfigurierten IPsec-Parametern.
5. Der IPsec-Tunnel endet, wenn die IPsec-SAs gelöscht werden oder ihre Lebensdauer abläuft.

Verwendete Komponenten

Die Informationen in diesem Dokument basieren auf den folgenden Software- und Hardwareversionen:

Cisco PIX 515E Version 6.3(5)
Cisco PIX 515 Version 7.0(2)
Sonicwall TZ170, SonicOS Standard 2.2.0.1

Die Informationen in diesem Dokument wurden von den Geräten in einer bestimmten Laborumgebung erstellt. Alle in diesem Dokument verwendeten Geräte haben mit einer leeren (Standard-)Konfiguration begonnen. Wenn Ihr Netzwerk in Betrieb ist, stellen Sie sicher, dass Sie die potenziellen Auswirkungen eines Befehls verstehen.

Zugehörige Produkte

Diese Konfiguration kann auch mit den folgenden Hardware- und Softwareversionen verwendet werden:

Die PIX 6.3(5)-Konfiguration kann mit allen anderen Cisco PIX-Firewall-Produkten verwendet werden, die diese Softwareversion ausführen (PIX 501, 506 usw.)
Die PIX/ASA 7.0(2)-Konfiguration kann nur auf Geräten verwendet werden, auf denen die Software PIX 7.0 (ohne 501, 506 und möglicherweise einige ältere 515) sowie die Cisco ASA 5500-Serie ausgeführt wird.

Konventionen

Weitere Informationen zu Dokumentkonventionen finden Sie in den Cisco Technical Tips Conventions (Technische Tipps zu Konventionen von Cisco).

Konfigurieren

In diesem Abschnitt erhalten Sie Informationen zum Konfigurieren der in diesem Dokument beschriebenen Funktionen.

Hinweis: Verwenden Sie das Command Lookup Tool (nur registrierte Kunden), um weitere Informationen zu den in diesem Abschnitt verwendeten Befehlen zu erhalten.

Hinweis: Im IPsec-aggressiven Modus muss die Sonicwall den IPsec-Tunnel zur PIX initiieren. Sie können dies sehen, wenn Sie die Debugger für diese Konfiguration analysieren. Dies ist in der Funktionsweise des IPsec-aggressiven Modus begründet.

Netzwerkdiagramm

In diesem Dokument wird die folgende Netzwerkeinrichtung verwendet:

Sonicwall-Konfiguration

Die Konfiguration der Sonicwall TZ170 erfolgt über eine webbasierte Benutzeroberfläche.

Gehen Sie wie folgt vor:

Stellen Sie über einen Standard-Webbrowser eine Verbindung zur IP-Adresse des Routers an einer der internen Schnittstellen her.

Dadurch wird das Anmeldefenster geöffnet.
Melden Sie sich beim Sonicwall-Gerät an, und wählen Sie VPN > Settings aus.
Geben Sie die IP-Adresse des VPN-Peers und den vorinstallierten geheimen Schlüssel ein, der verwendet wird. Klicken Sie unter Zielnetzwerke auf Hinzufügen.
Geben Sie das Zielnetzwerk ein.

Das Fenster Einstellungen wird angezeigt.
Klicken Sie oben im Fenster Einstellungen auf die Registerkarte Vorschläge.
Wählen Sie den Austausch aus, den Sie für diese Konfiguration verwenden möchten (Hauptmodus oder aggressiver Modus), zusammen mit den übrigen Einstellungen für Phase 1 und Phase 2.

In dieser Beispielkonfiguration wird die AES-256-Verschlüsselung für beide Phasen mit dem SHA1-Hash-Algorithmus für die Authentifizierung und der 1024-Bit-Diffie-Hellman-Gruppe 2 für die IKE-Richtlinie verwendet.
Klicken Sie auf die Registerkarte Erweitert.

Auf dieser Registerkarte können Sie weitere Optionen konfigurieren. Dies sind die Einstellungen für diese Beispielkonfiguration.
Klicken Sie auf OK.

Wenn Sie diese Konfiguration und die Konfiguration auf dem Remote-PIX abgeschlossen haben, sollte das Fenster Einstellungen dem Fenster Einstellungen für dieses Beispiel ähneln.

Konfiguration des IPsec-Hauptmodus

In diesem Abschnitt werden folgende Konfigurationen verwendet:

Cisco PIX 515e, Version 6.3(5)
Cisco PIX 515 Version 7.0(2)

Cisco PIX 515e, Version 6.3(5)
pix515e-635#show running-config : Saved : PIX Version 6.3(5) !--- Sets the hardware speed to auto on both interfaces. interface ethernet0 auto interface ethernet1 auto !--- Specifies the inside and outside interfaces. nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pix515e-635 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names !--- Specifies the traffic that can pass through the IPsec tunnel. access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 !--- Sets the inside and outside IP addresses and subnet masks. ip address outside 10.20.20.1 255.255.255.0 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 !--- Instructs PIX to perform PAT on the IP address on the outside interface. global (outside) 1 interface !--- Specifies addresses to be exempt from NAT (traffic to be tunneled). nat (inside) 0 access-list pixtosw !--- Specifies which addresses should use NAT (all except those exempted). nat (inside) 1 0.0.0.0 0.0.0.0 0 0 !--- Specifies the default route on the outside interface. route outside 0.0.0.0 0.0.0.0 10.20.20.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable !--- Implicit permit for all packets that come from IPsec tunnels. sysopt connection permit-ipsec !--- PHASE 2 CONFIGURATION: !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication. crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac !--- Specifies IKE is used to establish the IPsec SAs for the map "maptosw". crypto map maptosw 67 ipsec-isakmp !--- Specifies the ACL "pixtosw" to use with this map . crypto map maptosw 67 match address pixtosw !--- Specifies the IPsec peer for this map. crypto map maptosw 67 set peer 10.10.10.1 !--- Specifies the transform set to use. crypto map maptosw 67 set transform-set austinlab !--- Specifies the interface to use with this map. crypto map maptosw interface outside !--- PHASE 1 CONFIGURATION !--- Specifies the interface to use for the IPsec tunnel. isakmp enable outside !--- Specifies the preshared key and the addresses to use with that key. !--- In this case only one address is used with the preshared key cisco123. isakmp key ******** address 10.10.10.1 netmask 255.255.255.255 !--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case). isakmp identity address !--- These five commands specify the Phase 1 configuration settings !--- specific to this sample configuration. isakmp policy 13 authentication pre-share isakmp policy 13 encryption aes-256 isakmp policy 13 hash sha isakmp policy 13 group 2 isakmp policy 13 lifetime 28800 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f : end pix515e-635#

Cisco PIX 515e, Version 6.3(5)

pix515e-635#show running-config
: Saved
:
PIX Version 6.3(5)

!--- Sets the hardware speed to auto on both interfaces.

interface ethernet0 auto
interface ethernet1 auto

!--- Specifies the inside and outside interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e-635
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500

!--- Sets the inside and outside IP addresses and subnet masks.

ip address outside 10.20.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface

!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw

!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec

!--- PHASE 2 CONFIGURATION: !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac

!--- Specifies IKE is used to establish the IPsec SAs for the map "maptosw".

crypto map maptosw 67 ipsec-isakmp

!--- Specifies the ACL "pixtosw" to use with this map
.
crypto map maptosw 67 match address pixtosw

!--- Specifies the IPsec peer for this map.

crypto map maptosw 67 set peer 10.10.10.1

!--- Specifies the transform set to use.

crypto map maptosw 67 set transform-set austinlab

!--- Specifies the interface to use with this map.

crypto map maptosw interface outside

!--- PHASE 1 CONFIGURATION !--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside

!--- Specifies the preshared key and the addresses to use with that key. !--- In this case only one address is used with the preshared key cisco123.

isakmp key ******** address 10.10.10.1 netmask 255.255.255.255

!--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case).

isakmp identity address

!--- These five commands specify the Phase 1 configuration settings !--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f
: end
pix515e-635#

Cisco PIX 515 Version 7.0(2)
pix515-702#show running-config : Saved : PIX Version 7.0(2) names ! !--- PIX 7 uses an interface configuration mode similar to Cisco IOS®. !--- This output configures the IP address, interface name, !--- and security level for interfaces Ethernet0 and Ethernet1. interface Ethernet0 nameif outside security-level 0 ip address 10.20.20.1 255.255.255.0 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pix515-702 domain-name cisco.com ftp mode passive !--- Specifies the traffic that can pass through the IPsec tunnel. access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0 pager lines 24 mtu inside 1500 mtu outside 1500 no failover monitor-interface inside monitor-interface outside no asdm history enable arp timeout 14400 !--- Instructs PIX to perform PAT on the IP address on the outside interface. global (outside) 1 interface !--- Specifies addresses to be exempt from NAT (traffic to be tunneled). nat (inside) 0 access-list pixtosw !--- Specifies which addresses should use NAT (all except those exempted). nat (inside) 1 0.0.0.0 0.0.0.0 !--- Specifies the default route on the outside interface. route outside 0.0.0.0 0.0.0.0 10.20.20.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp !--- Implicit permit for all packets that come from IPsec tunnels. sysopt connection permit-ipsec !--- PHASE 2 CONFIGURATION !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication. crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac !--- Specifies the ACL pixtosw to use with this map. crypto map maptosw 67 match address pixtosw !--- Specifies the IPsec peer for this map. crypto map maptosw 67 set peer 10.10.10.1 !--- Specifies the transform set to use. crypto map maptosw 67 set transform-set austinlab !--- Specifies the interface to use with this map . crypto map maptosw interface outside !--- PHASE 1 CONFIGURATION !--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case). isakmp identity address !--- Specifies the interface to use for the IPsec tunnel. isakmp enable outside !--- These five commands specify the Phase 1 configuration !--- settings specific to this sample configuration. isakmp policy 13 authentication pre-share isakmp policy 13 encryption aes-256 isakmp policy 13 hash sha isakmp policy 13 group 2 isakmp policy 13 lifetime 28800 telnet timeout 5 ssh timeout 5 console timeout 0 !--- These three lines set the IPsec attributes for the tunnel to the !--- remote peer. This is where the preshared key is defined for Phase 1 and the !--- IPsec tunnel type is set to site-to-site. tunnel-group 10.10.10.1 type ipsec-l2l tunnel-group 10.10.10.1 ipsec-attributes pre-shared-key * Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a : end pix515-702#

Cisco PIX 515 Version 7.0(2)

pix515-702#show running-config
: Saved
:
PIX Version 7.0(2)
names
!

!--- PIX 7 uses an interface configuration mode similar to Cisco IOS®. !--- This output configures the IP address, interface name, !--- and security level for interfaces Ethernet0 and Ethernet1.

interface Ethernet0
nameif outside
security-level 0
ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515-702
domain-name cisco.com
ftp mode passive

!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400

!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface

!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw

!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0

!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec

!--- PHASE 2 CONFIGURATION !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac

!--- Specifies the ACL pixtosw to use with this map.

crypto map maptosw 67 match address pixtosw

!--- Specifies the IPsec peer for this map.

crypto map maptosw 67 set peer 10.10.10.1

!--- Specifies the transform set to use.

crypto map maptosw 67 set transform-set austinlab

!--- Specifies the interface to use with this map
.
crypto map maptosw interface outside

!--- PHASE 1 CONFIGURATION !--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case).

isakmp identity address

!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside

!--- These five commands specify the Phase 1 configuration !--- settings specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0

!--- These three lines set the IPsec attributes for the tunnel to the !--- remote peer. This is where the preshared key is defined for Phase 1 and the !--- IPsec tunnel type is set to site-to-site.

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *

Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a
: end
pix515-702#

Konfiguration des aggressiven IPsec-Modus

In diesem Abschnitt werden folgende Konfigurationen verwendet:

Cisco PIX 515e, Version 6.3(5)
Cisco PIX 515 Version 7.0(2)

Cisco PIX 515e, Version 6.3(5)
pix515e-635#show running-config : Saved : PIX Version 6.3(5) !--- Sets the hardware speed to auto on both interfaces. interface ethernet0 auto interface ethernet1 auto !--- Specifies the inside and outside interfaces. nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pix515e-635 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names !--- Specifies the traffic that can pass through the IPsec tunnel. access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 !--- Sets the inside and outside IP addresses and subnet masks. ip address outside 10.20.20.1 255.255.255.0 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 !--- Instructs PIX to perform PAT on the IP address on the outside interface. global (outside) 1 interface !--- Specifies addresses to be exempt from NAT (traffic to be tunneled). nat (inside) 0 access-list pixtosw !--- Specifies which addresses should use NAT (all except those exempted). nat (inside) 1 0.0.0.0 0.0.0.0 0 0 !--- Specifies the default route on the outside interface. route outside 0.0.0.0 0.0.0.0 10.20.20.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable !--- Implicit permit for all packets that come from IPsec tunnels. sysopt connection permit-ipsec !--- PHASE 2 CONFIGURATION !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication. crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac !--- Creates the dynamic map ciscopix for the transform set. crypto dynamic-map ciscopix 1 set transform-set austinlab !--- Specifies the IKE that should be used to establish SAs !--- for the dynamic map. crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix !--- Applies the settings above to the outside interface. crypto map dynmaptosw interface outside !--- PHASE 1 CONFIGURATION !--- Specifies the interface to use for the IPsec tunnel . isakmp enable outside !--- Specifies the preshared key and the addresses to use with that key. !--- In this case only one address is used as the preshared key "cisco123". isakmp key ******** address 10.10.10.1 netmask 255.255.255.255 !--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case). isakmp identity address !--- These five commands specify the Phase 1 configuration settings !--- specific to this sample configuration. isakmp policy 13 authentication pre-share isakmp policy 13 encryption aes-256 isakmp policy 13 hash sha isakmp policy 13 group 2 isakmp policy 13 lifetime 28800 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f : end pix515e-635#

Cisco PIX 515e, Version 6.3(5)

pix515e-635#show running-config
: Saved
:
PIX Version 6.3(5)

!--- Sets the hardware speed to auto on both interfaces.

interface ethernet0 auto
interface ethernet1 auto


!--- Specifies the inside and outside interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100         

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e-635
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500


!--- Sets the inside and outside IP addresses and subnet masks.

ip address outside 10.20.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec


 !--- PHASE 2 CONFIGURATION !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Creates the dynamic map ciscopix for the transform set.

crypto dynamic-map ciscopix 1 set transform-set austinlab


!--- Specifies the IKE that should be used to establish SAs !--- for the dynamic map.

crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix


!--- Applies the settings above to the outside interface.

crypto map dynmaptosw interface outside


 !--- PHASE 1 CONFIGURATION !--- Specifies the interface to use for the IPsec tunnel
.
isakmp enable outside


!--- Specifies the preshared key and the addresses to use with that key. !--- In this case only one address is used as the preshared key "cisco123".

isakmp key ******** address 10.10.10.1 netmask 255.255.255.255


!--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case).

isakmp identity address


!--- These five commands specify the Phase 1 configuration settings !--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f
: end
pix515e-635#

Cisco PIX 515 Version 7.0(2)
pix515-702#show running-config : Saved : PIX Version 7.0(2) names ! !--- PIX 7 uses an interface configuration mode similar to Cisco IOS. !--- This output configures the IP address, interface name, and security level for !--- interfaces Ethernet0 and Ethernet1. interface Ethernet0 nameif outside security-level 0 ip address 10.20.20.1 255.255.255.0 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pix515-702 domain-name cisco.com ftp mode passive !--- Specifies the traffic that can pass through the IPsec tunnel. access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0 pager lines 24 mtu inside 1500 mtu outside 1500 no failover monitor-interface inside monitor-interface outside no asdm history enable arp timeout 14400 !--- Instructs PIX to perform PAT on the IP address on the outside interface. global (outside) 1 interface !--- Specifies addresses to be exempt from NAT (traffic to be tunneled). nat (inside) 0 access-list pixtosw !--- Specifies which addresses should use NAT (all except those exempted). nat (inside) 1 0.0.0.0 0.0.0.0 !--- Specifies the default route on the outside interface. route outside 0.0.0.0 0.0.0.0 10.20.20.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp !--- Implicit permit for all packets that come from IPsec tunnels. sysopt connection permit-ipsec !--- PHASE 2 CONFIGURATION !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication. crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac !--- Creates the dynamic map "ciscopix" for the defined transform set. crypto dynamic-map ciscopix 1 set transform-set austinlab !--- Specifies that IKE should be used to establish SAs !--- for the defined dynamic map. crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix !--- Applies the settings to the outside interface. crypto map dynmaptosw interface outside !--- PHASE 1 CONFIGURATION !--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case). isakmp identity address !--- Specifies the interface to use for the IPsec tunnel. isakmp enable outside !--- These five commands specify the Phase 1 configuration settings !--- specific to this sample configuration. isakmp policy 13 authentication pre-share isakmp policy 13 encryption aes-256 isakmp policy 13 hash sha isakmp policy 13 group 2 isakmp policy 13 lifetime 28800 telnet timeout 5 ssh timeout 5 console timeout 0 !--- These three lines set the IPsec attributes for the tunnel to the !--- remote peer. This is where the preshared key is defined for Phase 1 and the !--- IPsec tunnel type is set to site-to-site. tunnel-group 10.10.10.1 type ipsec-l2l tunnel-group 10.10.10.1 ipsec-attributes pre-shared-key * Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a : end pix515-702#

Cisco PIX 515 Version 7.0(2)

pix515-702#show running-config
: Saved
:
PIX Version 7.0(2)
names
!


!--- PIX 7 uses an interface configuration mode similar to Cisco IOS. !--- This output configures the IP address, interface name, and security level for !--- interfaces Ethernet0 and Ethernet1.

interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet4
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet5
  shutdown
  no nameif
  no security-level
  no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515-702
domain-name cisco.com
ftp mode passive


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec


 !--- PHASE 2 CONFIGURATION !--- Defines the transform set for Phase 2 encryption and authentication. !--- Austinlab is the name of the transform set that uses aes-256 encryption !--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Creates the dynamic map "ciscopix" for the defined transform set.

crypto dynamic-map ciscopix 1 set transform-set austinlab


!--- Specifies that IKE should be used to establish SAs !--- for the defined dynamic map.

crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix


!--- Applies the settings to the outside interface.

crypto map dynmaptosw interface outside


 !--- PHASE 1 CONFIGURATION !--- Defines how the PIX identifies itself in !--- IKE negotiations (IP address in this case).

isakmp identity address


!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- These five commands specify the Phase 1 configuration settings !--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0


!--- These three lines set the IPsec attributes for the tunnel to the !--- remote peer. This is where the preshared key is defined for Phase 1 and the !--- IPsec tunnel type is set to site-to-site.

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *

Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a
: end
pix515-702#

Überprüfen

In diesem Abschnitt überprüfen Sie, ob Ihre Konfiguration ordnungsgemäß funktioniert.

Das Output Interpreter Tool (nur registrierte Kunden) (OIT) unterstützt bestimmte show-Befehle. Verwenden Sie das OIT, um eine Analyse der Ausgabe des Befehls show anzuzeigen.

show crypto isakmp sa: Zeigt alle aktuellen IKE-SAs in einem Peer an.
show crypto ipsec sa: Zeigt die von aktuellen SAs verwendeten Einstellungen an.

Diese Tabellen zeigen die Ausgaben einiger Debugger für den Main- und den Aggressive-Modus sowohl in PIX 6.3(5) als auch in PIX 7.0(2), nachdem der Tunnel vollständig eingerichtet ist.

Hinweis: Diese Informationen sollten ausreichen, um einen IPsec-Tunnel zwischen diesen beiden Hardwaretypen einzurichten. Wenn Sie Anmerkungen haben, verwenden Sie das Feedback-Formular links in diesem Dokument.

Cisco PIX 515e Version 6.3(5) - Hauptmodus
Cisco PIX 515 Version 7.0(2) - Hauptmodus
Cisco PIX 515e, Version 6.3(5) - aggressiver Modus
Cisco PIX 515 Version 7.0(2) - aggressiver Modus

Cisco PIX 515e Version 6.3(5) - Hauptmodus
pix515e-635#show crypto isakmp sa Total : 1 Embryonic : 0 dst src state pending created 10.10.10.1 10.20.20.1 QM_IDLE 0 1 pix515e-635# pix515e-635#show crypto ipsec sa interface: outside Crypto map tag: maptosw, local addr. 10.20.20.1 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0) current_peer: 10.10.10.1:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1 path mtu 1500, ipsec overhead 72, media mtu 1500 current outbound spi: ed0afa33 inbound esp sas: spi: 0xac624692(2892121746) transform: esp-aes-256 esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 1, crypto map: maptosw sa timing: remaining key lifetime (k/sec): (4607999/28718) IV size: 16 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xed0afa33(3976919603) transform: esp-aes-256 esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2, crypto map: maptosw sa timing: remaining key lifetime (k/sec): (4607999/28718) IV size: 16 bytes replay detection support: Y outbound ah sas: outbound pcp sas: pix515e-635#

Cisco PIX 515e Version 6.3(5) - Hauptmodus

pix515e-635#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.10.10.1       10.20.20.1    QM_IDLE         0           1
pix515e-635#



pix515e-635#show crypto ipsec sa


           interface: outside
           Crypto map tag: maptosw, local addr. 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1:500
           PERMIT, flags={origin_is_acl,}
           #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
           #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
           #send errors 1, #recv errors 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
           path mtu 1500, ipsec overhead 72, media mtu 1500
           current outbound spi: ed0afa33

 inbound esp sas:
           spi: 0xac624692(2892121746)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 1, crypto map: maptosw
           sa timing: remaining key lifetime (k/sec): (4607999/28718)
           IV size: 16 bytes
           replay detection support: Y


           inbound ah sas:


           inbound pcp sas:


           outbound esp sas:
           spi: 0xed0afa33(3976919603)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 2, crypto map: maptosw
           sa timing: remaining key lifetime (k/sec): (4607999/28718)
           IV size: 16 bytes
           replay detection support: Y


           outbound ah sas:


           outbound pcp sas:

pix515e-635#

Cisco PIX 515 Version 7.0(2) - Hauptmodus
pix515-702#show crypto isakmp sa Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 10.10.10.1 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE pix515-702# pix515-702#show crypto ipsec sa interface: outside Crypto map tag: maptosw, local addr: 10.20.20.1 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0) current_peer: 10.10.10.1 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1 path mtu 1500, ipsec overhead 76, media mtu 1500 current outbound spi: 2D006547 inbound esp sas: spi: 0x309F7A33 (815757875) transform: esp-aes-256 esp-sha-hmac in use settings ={L2L, Tunnel, } slot: 0, conn_id: 1, crypto-map: maptosw sa timing: remaining key lifetime (kB/sec): (4274999/28739) IV size: 16 bytes replay detection support: Y outbound esp sas: spi: 0x2D006547 (755000647) transform: esp-aes-256 esp-sha-hmac in use settings ={L2L, Tunnel, } slot: 0, conn_id: 1, crypto-map: maptosw sa timing: remaining key lifetime (kB/sec): (4274999/28737) IV size: 16 bytes replay detection support: Y pix515-702#

Cisco PIX 515 Version 7.0(2) - Hauptmodus

pix515-702#show crypto isakmp sa

 Active SA: 1
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
           Total IKE SA: 1

1 IKE Peer: 10.10.10.1
           Type : L2L Role : initiator
           Rekey : no State : MM_ACTIVE
           pix515-702#

pix515-702#show crypto ipsec sa
interface: outside
    Crypto map tag: maptosw, local addr: 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1

 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
           #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
           #send errors: 0, #recv errors: 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1

 path mtu 1500, ipsec overhead 76, media mtu 1500
           current outbound spi: 2D006547

 inbound esp sas:
           spi: 0x309F7A33 (815757875)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: maptosw
           sa timing: remaining key lifetime (kB/sec): (4274999/28739)
           IV size: 16 bytes
           replay detection support: Y
           outbound esp sas:
           spi: 0x2D006547 (755000647)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: maptosw
           sa timing: remaining key lifetime (kB/sec): (4274999/28737)
           IV size: 16 bytes
           replay detection support: Y

pix515-702#

Cisco PIX 515e, Version 6.3(5) - aggressiver Modus
pix515e-635#show crypto isakmp sa Total : 1 Embryonic : 0 dst src state pending created 10.20.20.1 10.10.10.1 QM_IDLE 0 1 pix515e-635#show crypto ipsec sa interface: outside Crypto map tag: dynmaptosw, local addr. 10.20.20.1 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0) current_peer: 10.10.10.1:500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1 path mtu 1500, ipsec overhead 72, media mtu 1500 current outbound spi: efb1149d inbound esp sas: spi: 0x2ad2c13c(718455100) transform: esp-aes-256 esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2, crypto map: dynmaptosw sa timing: remaining key lifetime (k/sec): (4608000/28736) IV size: 16 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xefb1149d(4021359773) transform: esp-aes-256 esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 1, crypto map: dynmaptosw sa timing: remaining key lifetime (k/sec): (4608000/28727) IV size: 16 bytes replay detection support: Y outbound ah sas: outbound pcp sas: pix515e-635#

Cisco PIX 515e, Version 6.3(5) - aggressiver Modus

pix515e-635#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.20.20.1       10.10.10.1    QM_IDLE         0           1

pix515e-635#show crypto ipsec sa


           interface: outside
           Crypto map tag: dynmaptosw, local addr. 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1:500
           PERMIT, flags={}
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
           #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
           #send errors 0, #recv errors 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
           path mtu 1500, ipsec overhead 72, media mtu 1500
           current outbound spi: efb1149d

 inbound esp sas:
           spi: 0x2ad2c13c(718455100)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 2, crypto map: dynmaptosw
           sa timing: remaining key lifetime (k/sec): (4608000/28736)
           IV size: 16 bytes
           replay detection support: Y


           inbound ah sas:


           inbound pcp sas:


           outbound esp sas:
           spi: 0xefb1149d(4021359773)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 1, crypto map: dynmaptosw
           sa timing: remaining key lifetime (k/sec): (4608000/28727)
           IV size: 16 bytes
           replay detection support: Y


           outbound ah sas:


           outbound pcp sas:

pix515e-635#

Cisco PIX 515 Version 7.0(2) - aggressiver Modus
pix515-702#show crypto isakmp sa Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 10.10.10.1 Type : L2L Role : responder Rekey : no State : AM_ACTIVE pix515-702# pix515-702#show crypto ipsec sa interface: outside Crypto map tag: ciscopix, local addr: 10.20.20.1 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0) current_peer: 10.10.10.1 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1 path mtu 1500, ipsec overhead 76, media mtu 1500 current outbound spi: D7E2F5FD inbound esp sas: spi: 0xDCBF6AD3 (3703532243) transform: esp-aes-256 esp-sha-hmac in use settings ={L2L, Tunnel, } slot: 0, conn_id: 1, crypto-map: ciscopix sa timing: remaining key lifetime (sec): 28703 IV size: 16 bytes replay detection support: Y outbound esp sas: spi: 0xD7E2F5FD (3621975549) transform: esp-aes-256 esp-sha-hmac in use settings ={L2L, Tunnel, } slot: 0, conn_id: 1, crypto-map: ciscopix sa timing: remaining key lifetime (sec): 28701 IV size: 16 bytes replay detection support: Y pix515-702#

Cisco PIX 515 Version 7.0(2) - aggressiver Modus

pix515-702#show crypto isakmp sa

 Active SA: 1
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
           Total IKE SA: 1

1 IKE Peer: 10.10.10.1
           Type : L2L Role : responder
           Rekey : no State : AM_ACTIVE
           pix515-702#

pix515-702#show crypto ipsec sa
           interface: outside
           Crypto map tag: ciscopix, local addr: 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1

 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
           #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
           #send errors: 0, #recv errors: 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1

 path mtu 1500, ipsec overhead 76, media mtu 1500
           current outbound spi: D7E2F5FD

 inbound esp sas:
           spi: 0xDCBF6AD3 (3703532243)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: ciscopix
           sa timing: remaining key lifetime (sec): 28703
           IV size: 16 bytes
           replay detection support: Y
           outbound esp sas:
           spi: 0xD7E2F5FD (3621975549)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: ciscopix
           sa timing: remaining key lifetime (sec): 28701
           IV size: 16 bytes
           replay detection support: Y

pix515-702#

Fehlerbehebung

Für diese Konfiguration sind derzeit keine spezifischen Informationen zur Fehlerbehebung verfügbar.

Zugehörige Informationen

War dieses Dokument hilfreich?

Feedback

Cisco kontaktieren

Eine Supportanfrage öffnen
(Erfordert einen Cisco Servicevertrag)