Catalyst 4224 Access Gateway Switch와 Cisco IOS Router 간 IPSec 구성

다운로드 옵션

  • PDF     (334.1 KB)
    다양한 디바이스에서 Adobe Reader로 보기
  • ePub     (100.6 KB)
    iPhone, iPad, Android, Sony Reader 또는 Windows Phone의 다양한 앱에서 보기
  • Mobi (Kindle)     (108.0 KB)
    Kindle 디바이스에서 보기 또는 다양한 디바이스의 Kindle 앱에서 보기
업데이트:2008년 1월 14일
문서 ID:24360

편견 없는 언어

본 제품에 대한 문서 세트는 편견 없는 언어를 사용하기 위해 노력합니다. 본 설명서 세트의 목적상, 편견 없는 언어는 나이, 장애, 성별, 인종 정체성, 민족 정체성, 성적 지향성, 사회 경제적 지위 및 교차성에 기초한 차별을 의미하지 않는 언어로 정의됩니다. 제품 소프트웨어의 사용자 인터페이스에서 하드코딩된 언어, RFP 설명서에 기초한 언어 또는 참조된 서드파티 제품에서 사용하는 언어로 인해 설명서에 예외가 있을 수 있습니다. 시스코에서 어떤 방식으로 포용적인 언어를 사용하고 있는지 자세히 알아보세요.

이 번역에 관하여

Cisco는 전 세계 사용자에게 다양한 언어로 지원 콘텐츠를 제공하기 위해 기계 번역 기술과 수작업 번역을 병행하여 이 문서를 번역했습니다. 아무리 품질이 높은 기계 번역이라도 전문 번역가의 번역 결과물만큼 정확하지는 않습니다. Cisco Systems, Inc.는 이 같은 번역에 대해 어떠한 책임도 지지 않으며 항상 원본 영문 문서(링크 제공됨)를 참조할 것을 권장합니다.

소개

이 문서에서는 Cisco Catalyst 4224 Access Gateway Switch와 Cisco IOS® Software를 실행하는 Cisco 라우터 간의 IPSec 샘플 컨피그레이션을 설명합니다. 암호화 맵이 적용된 액세스 게이트웨이의 VLAN1과 라우터의 FastEthernet0/1 인터페이스 간에 암호화가 수행됩니다.

사전 요구 사항

요구 사항

이 문서에 대한 특정 요건이 없습니다.

사용되는 구성 요소

이 문서의 정보는 다음 소프트웨어 및 하드웨어 버전을 기반으로 합니다.

  • Cisco IOS Software 릴리스 12.(1)14

  • IOS c4224 Software 12.2(2)YC1

이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다. 이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다. 라이브 네트워크에서 작업 중인 경우, 사용하기 전에 모든 명령의 잠재적인 영향을 미리 숙지하시기 바랍니다.

표기 규칙

문서 규칙에 대한 자세한 내용은 Cisco 기술 팁 표기 규칙을 참조하십시오.

구성

이 섹션에는 이 문서에서 설명하는 기능을 구성하기 위한 정보가 표시됩니다.

참고: 이 문서에 사용된 명령에 대한 추가 정보를 보려면 명령 조회 도구(등록된 고객만 해당)를 사용하십시오.

네트워크 다이어그램

이 문서에서는 이 네트워크 설정을 사용합니다.

ipsec_cat4224-1.gif

설정

이 문서에서는 다음 설정을 사용합니다.

Catalyst 4224 Access Gateway Switch 
triana#show version
Cisco Internetwork Operating System Software 
IOS (tm) c4224 Software (c4224-IK9O3SX3-M), Version 12.2(2)YC1, 
EARLY DEPLOYMENT RELEASE SOFTWARE (fc2) 
 
26 FastEthernet/IEEE 802.3 interface(s) 
2 Serial(sync/async) network interface(s) 
2 Channelized E1/PRI port(s) 
1 Virtual Private Network (VPN) Module(s) 

!--- Access gateway has onboard encryption service adapter.
 
8 Voice FXS interface(s) 
256K bytes of non-volatile configuration memory. 
31744K bytes of processor board System flash (Read/Write) 

Configuration register is 0x2102 

triana#show run 
Building configuration... 

Current configuration : 5111 bytes 
! 
! Last configuration change at 13:56:01 UTC Wed May 29 2002 
! NVRAM config last updated at 13:56:03 UTC Wed May 29 2002 
! 
version 12.2 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname triana 
! 
no logging buffered 
enable password ww 
! 
memory-size iomem 25 

!--- Create the VLANS as required.

vlan 1 
 name default 
vlan 3 
 name VLAN0003 

!--- Create the VLANS as required.
 
vlan 2 
 name data 
vlan 999 
 name VLAN0999 
! 
ip subnet-zero 
no ip domain-lookup 
! 
ip audit notify log 
ip audit po max-events 100 
ip ssh time-out 120 
ip ssh authentication-retries 3 
isdn switch-type primary-net5 
voicecard mode toll-by-pass 
! 
! 
! 
! 
! 
! 
! 
ccm-manager mgcp 
! 

!--- Define Phase 1 policy.

crypto isakmp policy 10 
 authentication pre-share 
crypto isakmp key yoursecretkey address 209.165.201.6 
! 
! 

!--- Define Phase 2 policy.
 
crypto ipsec transform-set basic esp-des esp-md5-hmac 
crypto mib ipsec flowmib history tunnel size 200 
crypto mib ipsec flowmib history failure size 200 
! 

!--- Define Phase 2 policy (continued). !--- Define the encryption peer and crypto map parameters.
   
crypto map mymap 10 ipsec-isakmp 
 set peer 209.165.201.6 
 set transform-set basic 
 match address cryptoacl 
! 
! 
no spanning-tree optimize bpdu transmission 
no spanning-tree vlan 1 
no spanning-tree vlan 2 
no spanning-tree vlan 3 
! 
controller E1 2/0 
! 
controller E1 2/1 
! 
translation-rule 1 
 Rule 0 ^... 1 
! 
translation-rule 2 
 Rule 0 ^10.. 0 
 Rule 1 ^11.. 1 
 Rule 2 ^12.. 2 
 Rule 3 ^13.. 3 
 Rule 4 ^14.. 4 
 Rule 5 ^15.. 5 
 Rule 6 ^16.. 6 
 Rule 7 ^17.. 7 
 Rule 8 ^18.. 8 
 Rule 9 ^19.. 9 
! 
translation-rule 6 
 Rule 0 ^112. 119 
! 
translation-rule 7 
 Rule 0 ^1212 1196 
! 
translation-rule 3 
 Rule 0 ^. 0 
! 
translation-rule 9 
 Rule 0 ^. 9 
! 
translation-rule 99 
 Rule 0 ^90.. 0 
 Rule 1 ^91.. 1 
 Rule 2 ^92.. 2 
 Rule 3 ^93.. 3 
 Rule 4 ^94.. 4 
 Rule 5 ^95.. 5 
 Rule 6 ^96.. 6 
 Rule 7 ^97.. 7 
 Rule 8 ^98.. 8 
 Rule 9 ^99.. 9 
! 
translation-rule 999 
 Rule 0 ^2186 1196 
! 
translation-rule 1122 
 Rule 0 ^1122 528001 
 Rule 1 ^1121 519352 
! 
translation-rule 20 
 Rule 0 ^000 500 
! 
! 
! 
interface Loopback0 
 no ip address 
! 
interface FastEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Serial1/0 
 no ip address 
 no fair-queue 
! 
interface Serial1/1 
 no ip address 
! 
interface FastEthernet5/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/1 
 no ip address 
 shutdown 
 duplex auto 
 speed auto 
 switchport voice vlan 3 
 spanning-tree portfast 
! 

!--- For the lab setup, a host is connected on this port.

interface FastEthernet5/2 
 no ip address 
 duplex auto 
 speed auto 

!--- Place the port in VLAN 2.

switchport access vlan 2 
 spanning-tree portfast 
! 
interface FastEthernet5/3 
 no ip address 
 shutdown 
 duplex auto 
 speed auto 
 switchport access vlan 999 
 spanning-tree portfast 
! 
interface FastEthernet5/4 
 no ip address 
 duplex auto 
 speed auto 
 switchport access vlan 2 
 switchport voice vlan 3 
 spanning-tree portfast 
! 
interface FastEthernet5/5 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/6 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/7 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/8 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/9 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/10 
 no ip address 
 duplex auto 
 speed auto 
 switchport trunk allowed vlan 1-3 
 switchport mode trunk 

!--- By default, the port belongs to VLAN 1.
 
interface FastEthernet5/11 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/12 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/13 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/14 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/15 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/16 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/17 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/18 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/19 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/20 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/21 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/22 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/23 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet5/24 
 no ip address 
 duplex auto 
 speed auto 
! 

!--- Define an IP address and apply crypto map to enable !--- IPSec processing on this interface.
 
interface Vlan 1 
 ip address 209.165.201.5 255.255.255.224 
 crypto map mymap 
! 

!--- Define an IP address for VLAN 2.

interface Vlan 2 
 ip address 192.168.10.1 255.255.255.0 
! 
ip classless 
ip route 10.48.66.0 255.255.254.0 209.165.201.6 
no ip http server 
! 
! 
ip access-list extended cryptoacl 
 remark This is crypto ACL 
 permit ip 192.168.10.0 0.0.0.255 10.48.66.0 0.0.1.255 
call rsvp-sync 
! 
voice-port 4/0 
 output attenuation 0 
! 
voice-port 4/1 
 output attenuation 0 
! 
voice-port 4/2 
 output attenuation 0 
! 
voice-port 4/3 
 output attenuation 0 
! 
voice-port 4/4 
 output attenuation 0 
! 
voice-port 4/5 
 output attenuation 0 
! 
voice-port 4/6 
 output attenuation 0 
! 
voice-port 4/7 
 output attenuation 0 
! 
mgcp 
no mgcp timer receive-rtcp 
! 
mgcp profile default 
! 
dial-peer cor custom 
! 
! 
! 
dial-peer voice 1 voip 
! 
dial-peer voice 2 pots 
 shutdown 
! 
! 
line con 0 
 exec-timeout 0 0 
 length 0 
line vty 0 4 
 password ww 
 login 
! 
end 

triana#

Cisco IOS 라우터 
brussels#show run 
Building configuration... 

Current configuration : 1538 bytes 
! 
! Last configuration change at 17:16:19 UTC Wed May 29 2002 
! NVRAM config last updated at 13:58:44 UTC Wed May 29 2002 
! 
version 12.1 
no service single-slot-reload-enable 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname brussels 
! 
enable secret 5 $1$/vuT$08lTvZgSFJ0xq5uTFc94u. 
! 
! 
! 
! 
! 
! 
ip subnet-zero 
no ip domain-lookup 
! 
ip cef 
ip audit notify log 
ip audit po max-events 100 
! 
! 

!--- Define Phase 1 policy.

crypto isakmp policy 10 
 authentication pre-share 
crypto isakmp key yoursecretkey address 209.165.201.5 
! 
! 

!--- Define the encryption policy for this setup.

crypto ipsec transform-set basic esp-des esp-md5-hmac 
! 

!--- Define a static crypto map entry for the remote PIX !--- with mode ipsec-isakmp. !--- This indicates that Internet Key Exchange (IKE) !--- is used to establish the IPSec !--- security associations for protecting the traffic !--- specified by this crypto map entry.
 
crypto map vpnmap 10 ipsec-isakmp 
 set peer 209.165.201.5 
 set transform-set basic 
 match address cryptoacl 
! 
! 
! 
! 
! 
! 
interface FastEthernet0/0 
 ip address 10.48.66.34 255.255.254.0 
 no ip mroute-cache 
 duplex auto 
 speed auto 
! 
interface Serial0/0 
 no ip address 
 shutdown 
! 

!--- Enable crypto processing on the interface !--- where traffic leaves the network.

interface FastEthernet0/1 
 ip address 209.165.201.6 255.255.255.224 
 no ip mroute-cache 
 duplex auto 
 speed auto 
 crypto map vpnmap 
! 
interface Serial0/1 
 no ip address 
 shutdown 
! 
interface Group-Async1 
 no ip address 
 encapsulation ppp 
 async mode dedicated 
 ppp authentication pap 
 group-range 33 40 
! 
ip classless 
ip route 192.168.10.0 255.255.255.0 209.165.201.5 
ip http server 
! 
! 

!--- This access list defines interesting traffic for IPSec.
 
ip access-list extended cryptoacl 
 permit ip 10.48.66.0 0.0.1.255 192.168.10.0 0.0.0.255 
! 
! 
line con 0 
 exec-timeout 0 0 
 length 0 
line 33 40 
 modem InOut 
line aux 0 
line vty 0 4 
 login local 
! 
end

다음을 확인합니다.

이 섹션에서는 컨피그레이션이 제대로 작동하는지 확인하는 데 사용할 수 있는 정보를 제공합니다. IPSec 작업의 확인은 debug 명령으로 수행됩니다. 라우터에서 액세스 게이트웨이 뒤의 호스트로 확장된 ping이 시도됩니다.

일부 show 명령은 출력 인터프리터 툴 에서 지원되는데(등록된 고객만), 이 툴을 사용하면 show 명령 출력의 분석 결과를 볼 수 있습니다.

  • show debug - 현재 디버그 설정을 표시합니다.

  • show crypto isakmp sa - 피어의 모든 현재 IKE SA(Security Association)를 표시합니다.

  • show crypto ipsec sa - 현재 SA에서 사용되는 설정을 표시합니다.

문제 해결

이 섹션에서는 설정 문제 해결에 사용할 수 있는 정보를 제공합니다.

트러블슈팅 명령

참고: debug 명령을 실행하기 전에 Debug 명령에 대한 중요 정보를 참조하십시오.

  • debug crypto ipsec - IPSec 이벤트를 표시합니다.

  • debug crypto isakmp - IKE 이벤트에 대한 메시지를 표시합니다.

  • debug crypto engine — 암호화 엔진의 정보를 표시합니다.

샘플 디버그

이 섹션에서는 액세스 게이트웨이 및 라우터의 샘플 디버그 출력을 제공합니다.

Catalyst 4224 Access Gateway Switch 

triana#debug crypto ipsec 
Crypto IPSEC debugging is on 
triana#debug crypto isakmp
Crypto ISAKMP debugging is on 
triana#debug crypto engine
Crypto Engine debugging is on 
triana#show debug 

Cryptographic Subsystem: 
  Crypto ISAKMP debugging is on 
  Crypto Engine debugging is on 
  Crypto IPSEC debugging is on 
triana# 
May 29 18:01:57.746: ISAKMP (0:0): received packet from 209.165.201.6 (N) NEW SA 
May 29 18:01:57.746: ISAKMP: local port 500, remote port 500 
May 29 18:01:57.746: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 
Old State = IKE_READY  New State = IKE_R_MM1 
May 29 18:01:57.746: ISAKMP (0:1): processing SA payload. message ID = 0 
May 29 18:01:57.746: ISAKMP (0:1): found peer pre-shared key 
   matching 209.165.201.6 

!--- 4224 access gateway checks the attributes for Internet Security !--- Association & Key Management Protocol (ISAKMP) negotiation !--- against the policy it has in its local configuration.

May 29 18:01:57.746: ISAKMP (0:1): Checking ISAKMP transform 1 
   against priority 10 policy 
May 29 18:01:57.746: ISAKMP:      encryption DES-CBC 
May 29 18:01:57.746: ISAKMP:      hash SHA 
May 29 18:01:57.746: ISAKMP:      default group 1 
May 29 18:01:57.746: ISAKMP:      auth pre-share

!--- The received attributes are acceptable !--- against the configured set of attributes.
 
May 29 18:01:57.746: ISAKMP (0:1): atts are acceptable. Next payload is 0 
May 29 18:01:57.746: CryptoEngine0: generate alg parameter 
May 29 18:01:57.746: CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec) 
May 29 18:01:57.898: CRYPTO_ENGINE: Dh phase 1 status: 0 
May 29 18:01:57.898: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, 
   IKE_PROCESS_MAIN_MODE Old State = IKE_R_MM1  New State = IKE_R_MM1 

May 29 18:01:57.898: ISAKMP (0:1): SA is doing pre-shared key authentication 
                     using id type ID_IPV4_ADDR 
May 29 18:01:57.898: ISAKMP (0:1): sending packet to 209.165.201.6 (R) MM_SA_SETUP 
May 29 18:01:57.898: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 
Old State = IKE_R_MM1  New State = IKE_R_MM2 

May 29 18:01:58.094: ISAKMP (0:1): received packet from 209.165.201.6 
   (R) MM_SA_SETUP 
May 29 18:01:58.094: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 
Old State = IKE_R_MM2  New State = IKE_R_MM3 

May 29 18:01:58.098: ISAKMP (0:1): processing KE payload. message ID = 0 
May 29 18:01:58.098: CryptoEngine0: generate alg parameter 
May 29 18:01:58.098: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec) 
May 29 18:01:58.246: ISAKMP (0:1): processing NONCE payload. message ID = 0 
May 29 18:01:58.246: ISAKMP (0:1): found peer pre-shared key matching 209.165.201.6 
May 29 18:01:58.250: CryptoEngine0: create ISAKMP SKEYID for conn id 1 
May 29 18:01:58.250: CryptoEngine0: CRYPTO_ISA_SA_CREATE(hw)(ipsec) 
May 29 18:01:58.250: ISAKMP (0:1): SKEYID state generated 
May 29 18:01:58.250: ISAKMP (0:1): processing vendor id payload 
May 29 18:01:58.250: ISAKMP (0:1): speaking to another IOS box! 
May 29 18:01:58.250: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 
Old State = IKE_R_MM3  New State = IKE_R_MM3 

May 29 18:01:58.250: ISAKMP (0:1): sending packet to 209.165.201.6 (R) MM_KEY_EXCH 
May 29 18:01:58.250: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 
Old State = IKE_R_MM3  New State = IKE_R_MM4 

May 29 18:01:58.490: ISAKMP (0:1): received packet from 209.165.201.6 
   (R) MM_KEY_EXCH 
May 29 18:01:58.490: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec) 
May 29 18:01:58.490: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 
Old State = IKE_R_MM4  New State = IKE_R_MM5 

May 29 18:01:58.490: ISAKMP (0:1): processing ID payload. message ID = 0 
May 29 18:01:58.490: ISAKMP (0:1): processing HASH payload. message ID = 0 
May 29 18:01:58.490: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:58.490: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec) 
May 29 18:01:58.490: ISAKMP (0:1): SA has been authenticated with 209.165.201.6 

!--- Phase 1 authentication is successful and the SA is authenticated.
 
May 29 18:01:58.494: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 
Old State = IKE_R_MM5  New State = IKE_R_MM5 

May 29 18:01:58.494: ISAKMP (1): ID payload 
        next-payload : 8 
        type         : 1 
        protocol     : 17 
        port         : 500 
        length       : 8 
May 29 18:01:58.494: ISAKMP (1): Total payload length: 12 
May 29 18:01:58.494: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:58.494: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec) 
May 29 18:01:58.494: CryptoEngine0: clear dh number for conn id 1 
May 29 18:01:58.494: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec) 
May 29 18:01:58.494: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec) 
May 29 18:01:58.494: ISAKMP (0:1): sending packet to 209.165.201.6 (R) QM_IDLE 
May 29 18:01:58.498: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 
Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

May 29 18:01:58.518: ISAKMP (0:1): received packet from 209.165.201.6 (R) QM_IDLE 
May 29 18:01:58.518: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec) 
May 29 18:01:58.518: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:58.518: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec) 
May 29 18:01:58.522: ISAKMP (0:1): processing HASH payload. 
   message ID = -1809462101 
May 29 18:01:58.522: ISAKMP (0:1): processing SA payload. 
   message ID = -1809462101 

May 29 18:01:58.522: ISAKMP (0:1): Checking IPSec proposal 1 
May 29 18:01:58.522: ISAKMP: transform 1, ESP_DES 
May 29 18:01:58.522: ISAKMP:   attributes in transform: 
May 29 18:01:58.522: ISAKMP:      encaps is 1 
May 29 18:01:58.522: ISAKMP:      SA life type in seconds 
May 29 18:01:58.522: ISAKMP:      SA life duration (basic) of 3600 
May 29 18:01:58.522: ISAKMP:      SA life type in kilobytes 
May 29 18:01:58.522: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
May 29 18:01:58.522: ISAKMP:      authenticator is HMAC-MD5 
May 29 18:01:58.522: validate proposal 0 
May 29 18:01:58.522: ISAKMP (0:1): atts are acceptable. 
May 29 18:01:58.522: IPSEC(validate_proposal_request): proposal part #1, 

!--- After the attributes are negotiated, !--- IKE asks IPSec to validate the proposal.

   (key eng. msg.) dest= 209.165.201.5, src= 209.165.201.6, 
    dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    src_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 

!--- spi is still zero because SAs have not been set.
 
May 29 18:01:58.522: validate proposal request 0 
May 29 18:01:58.522: ISAKMP (0:1): processing NONCE payload. 
   message ID = -1809462101 
May 29 18:01:58.522: ISAKMP (0:1): processing ID payload. 
   message ID = -1809462101 
May 29 18:01:58.522: ISAKMP (1): ID_IPV4_ADDR_SUBNET src 10.48.66.0/255.255.254.0
   prot 0 port 0 
May 29 18:01:58.522: ISAKMP (0:1): processing ID payload. 
   message ID = -1809462101 
May 29 18:01:58.522: ISAKMP (1): ID_IPV4_ADDR_SUBNET dst 192.168.10.0/255.255.255.0
   prot 0 port 0 
May 29 18:01:58.522: ISAKMP (0:1): asking for 1 spis from ipsec 
May 29 18:01:58.522: ISAKMP (0:1): Node -1809462101, Input = IKE_MESG_FROM_PEER, 
   IKE_QM_EXCH 
Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE 

May 29 18:01:58.526: IPSEC(key_engine): got a queue event... 
May 29 18:01:58.526: IPSEC(spi_response): getting spi 3384026087 for SA 
        from 209.165.201.6   to 209.165.201.5   for prot 3 
May 29 18:01:58.526: ISAKMP: received ke message (2/1) 
May 29 18:01:58.774: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:58.774: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec) 
May 29 18:01:58.774: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec) 
May 29 18:01:58.774: ISAKMP (0:1): sending packet to 209.165.201.6 (R) QM_IDLE 
May 29 18:01:58.774: ISAKMP (0:1): Node -1809462101, Input = IKE_MESG_FROM_IPSEC, 
                     IKE_SPI_REPLY 
Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2 

May 29 18:01:58.830: ISAKMP (0:1): received packet from 209.165.201.6 (R) QM_IDLE 
May 29 18:01:58.830: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec) 
May 29 18:01:58.834: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:58.834: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec) 
May 29 18:01:58.834: ipsec allocate flow 0 
May 29 18:01:58.834: ipsec allocate flow 0 
May 29 18:01:58.834: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE(hw)(ipsec) 
May 29 18:01:58.834: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE(hw)(ipsec) 
May 29 18:01:58.838: ISAKMP (0:1): Creating IPSec SAs 
May 29 18:01:58.838:         inbound SA from 209.165.201.6 to 209.165.201.5 
        (proxy 10.48.66.0 to 192.168.10.0) 
May 29 18:01:58.838:         has spi 0xC9B423E7 and conn_id 50 and flags 4 
May 29 18:01:58.838:         lifetime of 3600 seconds 
May 29 18:01:58.838:         lifetime of 4608000 kilobytes 
May 29 18:01:58.838:         outbound SA from 209.165.201.5   to 209.165.201.6 
                             (proxy 192.168.10.0 to 10.48.66.0) 
May 29 18:01:58.838:         has spi 561973207 and conn_id 51 and flags 4 
May 29 18:01:58.838:         lifetime of 3600 seconds 
May 29 18:01:58.838:         lifetime of 4608000 kilobytes 
May 29 18:01:58.838: ISAKMP (0:1): deleting node -1809462101 error FALSE reason 
                                  "quick mode done (await()" 
May 29 18:01:58.838: ISAKMP (0:1): Node -1809462101, Input = IKE_MESG_FROM_PEER, 
                                   IKE_QM_EXCH 
Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE 

May 29 18:01:58.838: IPSEC(key_engine): got a queue event... 
May 29 18:01:58.838: IPSEC(initialize_sas): , 
  (key eng. msg.) dest= 209.165.201.5, src= 209.165.201.6, 
    dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    src_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0xC9B423E7(3384026087), conn_id= 50, keysize= 0, flags= 0x4 

!--- IPSec SAs are now initialized and encrypted !--- communication can now take place.

 May 29 18:01:58.838: IPSEC(initialize_sas): , 
  (key eng. msg.) src= 209.165.201.5, dest= 209.165.201.6, 
    src_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    dest_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0x217F07D7(561973207), conn_id= 51, keysize= 0, flags= 0x4 

!--- IPSec SAs are now initialized and encrypted !--- communication can now take place.
 
May 29 18:01:58.838: IPSEC(create_sa): sa created, 
  (sa) sa_dest= 209.165.201.5, sa_prot= 50, 
    sa_spi= 0xC9B423E7(3384026087), 
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 50 
May 29 18:01:58.838: IPSEC(create_sa): sa created, 
  (sa) sa_dest= 209.165.201.6, sa_prot= 50, 
    sa_spi= 0x217F07D7(561973207), 
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 51 

!--- Observe that two IPSec SAs are created. !--- Recollect that IPSec SAs are bidirectional.
 
triana# 
triana# 
triana# 
triana#show crypto isakmp sa 
dst                           src             state           conn-id    slot 
209.165.201.5   209.165.201.6   QM_IDLE           &n bsp;   1       0 

triana#show crypto ipsec sa 

interface: Vlan 1 
    Crypto map tag: mymap, local addr. 209.165.201.5 

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) 
   remote ident (addr/mask/prot/port): (10.48.66.0/255.255.254.0/0/0) 
   current_peer: 209.165.201.6 
     PERMIT, flags={origin_is_acl,} 
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 
    #pkts compressed: 0, #pkts decompressed: 0 
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 
    #send errors 0, #recv errors 0 

     local crypto endpt.: 209.165.201.5, remote crypto endpt.: 209.165.201.6 
     path mtu 1500, media mtu 1500 
     current outbound spi: 217F07D7 

     inbound esp sas: 
      spi: 0xC9B423E7(3384026087) 
        transform: esp-des esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 50, flow_id: 1, crypto map: mymap 
        sa timing: remaining key lifetime (k/sec): (4607998/3536) 
        IV size: 8 bytes 
        replay detection support: Y 

     inbound ah sas: 

     inbound pcp sas: 

     outbound esp sas: 
      spi: 0x217F07D7(561973207) 
        transform: esp-des esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 51, flow_id: 2, crypto map: mymap 
        sa timing: remaining key lifetime (k/sec): (4607999/3536) 
        IV size: 8 bytes 
        replay detection support: Y 

     outbound ah sas: 

     outbound pcp sas: 
  

triana#

Cisco IOS 라우터 

brussels#show debug 
Cryptographic Subsystem: 
  Crypto ISAKMP debugging is on 
  Crypto Engine debugging is on 
  Crypto IPSEC debugging is on 
brussels#p 
Protocol [ip]: 
Target IP address: 192.168.10.5 
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y 
Source address or interface: fastethernet0/0 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds: 

May 29 18:01:54.285: IPSEC(sa_request): , 
  (key eng. msg.) src= 209.165.201.6, dest= 209.165.201.5, 
    src_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0x217F07D7(561973207), conn_id= 0, keysize= 0, flags= 0x4004 
May 29 18:01:54.285: ISAKMP: received ke message (1/1) 
May 29 18:01:54.285: ISAKMP: local port 500, remote port 500 
May 29 18:01:54.289: ISAKMP (0:1): beginning Main Mode exchange 
May 29 18:01:54.289: ISAKMP (1): sending packet to 209.165.201.5 (I) MM_NO_STATE 
May 29 18:01:54.461: ISAKMP (1): received packet from 209.165.201.5 (I) MM_NO_STATE 
May 29 18:01:54.461: ISAKMP (0:1): processing SA payload. message ID = 0 
May 29 18:01:54.461: ISAKMP (0:1): Checking ISAKMP transform 1 
   against priority 10 policy 
May 29 18:01:54.465: ISAKMP:      encryption DES-CBC 
May 29 18:01:54.465: ISAKMP:      hash SHA 
May 29 18:01:54.465: ISAKMP:      default group 1 
May 29 18:01:54.465: ISAKMP:      auth pre-share 
May 29 18:01:54.465: ISAKMP (0:1): atts are acceptable. Next payload is 0 
May 29 18:01:54.465: CryptoEngine0: generate alg parameter 
May 29 18:01:54.637: CRYPTO_ENGINE: Dh phase 1 status: 0 
May 29 18:01:54.637: CRYPTO_ENGINE: Dh phase 1 status: 0 
May 29 18:01:54.637: ISAKMP (0:1): SA is doing pre-shared key authentication 
May 29 18:01:54.637: ISAKMP (1): SA is doing pre-shared key authentication using 
                                 id type ID_IPV4_ADDR 
May 29 18:01:54.641: ISAKMP (1): sending packet to 209.165.201.5 (I) MM_SA_SETUP 
May 29 18:01:54.805: ISAKMP (1): received packet from 209.165.201.5 (I) MM_SA_SETUP 
May 29 18:01:54.805: ISAKMP (0:1): processing KE payload. message ID = 0 
May 29 18:01:54.805: CryptoEngine0: generate alg parameter 
May 29 18:01:55.021: ISAKMP (0:1): processing NONCE payload. messa.!!!! 
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/21/24 ms 
brussels#ge ID = 0 
May 29 18:01:55.021: CryptoEngine0: create ISAKMP SKEYID for conn id 1 
May 29 18:01:55.025: ISAKMP (0:1): SKEYID state generated 
May 29 18:01:55.029: ISAKMP (0:1): processing vendor id payload 
May 29 18:01:55.029: ISAKMP (0:1): speaking to another IOS box! 
May 29 18:01:55.029: ISAKMP (1): ID payload 
        next-payload : 8 
        type         : 1 
        protocol     : 17 
        port         : 500 
        length       : 8 
May 29 18:01:55.029: ISAKMP (1): Total payload length: 12 
May 29 18:01:55.029: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:55.033: ISAKMP (1): sending packet to 209.165.201.5 (I) MM_KEY_EXCH 
May 29 18:01:55.049: ISAKMP (1): received packet from 209.165.201.5 (I) MM_KEY_EXCH 
May 29 18:01:55.053: ISAKMP (0:1): processing ID payload. message ID = 0 
May 29 18:01:55.053: ISAKMP (0:1): processing HASH payload. message ID = 0 
May 29 18:01:55.053: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:55.057: ISAKMP (0:1): SA has been authenticated with 209.165.201.5 

!--- Phase 1 is completed and Phase 2 starts now.
 
May 29 18:01:55.057: ISAKMP (0:1): beginning Quick Mode exchange, 
   M-ID of -1809462101 
May 29 18:01:55.061: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:55.065: ISAKMP (1): sending packet to 209.165.201.5 (I) QM_IDLE 
May 29 18:01:55.065: CryptoEngine0: clear dh number for conn id 1 
May 29 18:01:55.337: ISAKMP (1): received packet from 209.165.201.5 (I) QM_IDLE 
May 29 18:01:55.341: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:55.345: ISAKMP (0:1): processing SA payload. message ID = -1809462101 
May 29 18:01:55.345: ISAKMP (0:1): Checking IPSec proposal 1 
May 29 18:01:55.345: ISAKMP: transform 1, ESP_DES 
May 29 18:01:55.345: ISAKMP:   attributes in transform: 
May 29 18:01:55.345: ISAKMP:      encaps is 1 
May 29 18:01:55.345: ISAKMP:      SA life type in seconds 
May 29 18:01:55.345: ISAKMP:      SA life duration (basic) of 3600 
May 29 18:01:55.345: ISAKMP:      SA life type in kilobytes 
May 29 18:01:55.345: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
May 29 18:01:55.349: ISAKMP:      authenticator is HMAC-MD5 
May 29 18:01:55.349: validate proposal 0 
May 29 18:01:55.349: ISAKMP (0:1): atts are acceptable. 
May 29 18:01:55.349: IPSEC(validate_proposal_request): proposal part #1,

!--- After negotiating the attributes, IKE asks IPSec to !--- validate the proposal.

  (key eng. msg.) dest= 209.165.201.5, src= 209.165.201.6, 
    dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    src_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 

!--- spi is still zero because SAs have not been set.
 
May 29 18:01:55.353: validate proposal request 0 
May 29 18:01:55.357: ISAKMP (0:1): processing NONCE payload. 
   message ID = -1809462101 
May 29 18:01:55.357: ISAKMP (0:1): processing ID payload. message ID = -1809462101 
May 29 18:01:55.357: ISAKMP (0:1): processing ID payload. message ID = -1809462101 
May 29 18:01:55.357: CryptoEngine0: generate hmac context for conn id 1 
May 29 18:01:55.361: ipsec allocate flow 0 
May 29 18:01:55.361: ipsec allocate flow 0 
May 29 18:01:55.369: ISAKMP (0:1): Creating IPSec SAs 
May 29 18:01:55.369:         inbound SA from 209.165.201.5   to 209.165.201.6 
                             (proxy 192.168.10.0 to 10.48.66.0) 
May 29 18:01:55.369:         has spi 561973207 and conn_id 2000 and flags 4 
May 29 18:01:55.373:         lifetime of 3600 seconds 
May 29 18:01:55.373:         lifetime of 4608000 kilobytes 
May 29 18:01:55.373:         outbound SA from 209.165.201.6   to 209.165.201.5 
                             (proxy 10.48.66.0 to 192.168.10.0) 
May 29 18:01:55.373:         has spi -910941209 and conn_id 2001 and flags 4 
May 29 18:01:55.373:         lifetime of 3600 seconds 
May 29 18:01:55.373:         lifetime of 4608000 kilobytes 
May 29 18:01:55.377: ISAKMP (1): sending packet to 209.165.201.5 (I) QM_IDLE 
May 29 18:01:55.377: ISAKMP (0:1): deleting node -1809462101 error FALSE reason "" 
May 29 18:01:55.381: IPSEC(key_engine): got a queue event... 
May 29 18:01:55.381: IPSEC(initialize_sas): , 
  (key eng. msg.) dest= 209.165.201.6, src= 209.165.201.5, 
    dest_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    src_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0x217F07D7(561973207), conn_id= 2000, keysize= 0, flags= 0x4 

!--- IPSec SAs are now initialized and encrypted !--- communication can now take place.

May 29 18:01:55.381: IPSEC(initialize_sas): , 
  (key eng. msg.) src= 209.165.201.6, dest= 209.165.201.5, 
    src_proxy= 10.48.66.0/255.255.254.0/0/0 (type=4), 
    dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4), 
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 3600s and 4608000kb, 
    spi= 0xC9B423E7(3384026087), conn_id= 2001, keysize= 0, flags= 0x4 

!--- IPSec SAs are now initialized and encrypted !--- communication can now take place.

May 29 18:01:55.385: IPSEC(create_sa): sa created, 
  (sa) sa_dest= 209.165.201.6, sa_prot= 50, 
    sa_spi= 0x217F07D7(561973207), 
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000 
May 29 18:01:55.385: IPSEC(create_sa): sa created, 
  (sa) sa_dest= 209.165.201.5, sa_prot= 50, 
    sa_spi= 0xC9B423E7(3384026087), 
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001 

!--- Observe that two IPSec SAs are created. !--- Recollect that IPSec SAs are bidirectional.
 
brussels# 

brussels#show crypto isakmp sa 
    dst           src          state        conn-id   slot 
209.165.201.5  209.165.201.6  QM_IDLE           1       0 

brussels#show crypto ipsec sa 

interface: FastEthernet0/1 
    Crypto map tag: vpnmap, local addr. 209.165.201.6 

   local  ident (addr/mask/prot/port): (10.48.66.0/255.255.254.0/0/0) 
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) 
   current_peer: 209.165.201.5 
     PERMIT, flags={origin_is_acl,} 
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 
    #pkts compressed: 0, #pkts decompressed: 0 
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 
    #send errors 1, #recv errors 0 

     local crypto endpt.: 209.165.201.6, remote crypto endpt.: 209.165.201.5 
     path mtu 1500, media mtu 1500 
     current outbound spi: C9B423E7 

     inbound esp sas: 
      spi: 0x217F07D7(561973207) 
        transform: esp-des esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 2000, flow_id: 1, crypto map: vpnmap 
        sa timing: remaining key lifetime (k/sec): (4607998/3560) 
        IV size: 8 bytes 
        replay detection support: Y 

     inbound ah sas: 

     inbound pcp sas: 

     outbound esp sas: 
      spi: 0xC9B423E7(3384026087) 
        transform: esp-des esp-md5-hmac , 
        in use settings ={Tunnel, } 
        slot: 0, conn id: 2001, flow_id: 2, crypto map: vpnmap 
        sa timing: remaining key lifetime (k/sec): (4607999/3560) 
        IV size: 8 bytes 
        replay detection support: Y 

     outbound ah sas: 

     outbound pcp sas: 
  

brussels#

관련 정보

개정 이력

개정 게시 날짜 의견
1.0
14-Jan-2008
최초 릴리스

이 문서가 도움이 되셨습니까?

Feedback피드백

지원 문의

이 문서가 적용되는 제품