IPSec Troubleshooting: Understanding and Using debug Commands
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Cisco IOS Software Debugs
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
debug crypto isakmp
debug crypto ipsec
Sample Error Messages
Replay Check Failed
QM FSM Error
Invalid Local Address
IKE Message from X.X.X.X Failed its Sanity Check or is Malformed
Processing of Main Mode Failed with Peer
Proxy Identities Not Supported
Transform Proposal Not Supported
No Cert and No Keys with Remote Peer
Peer Address X.X.X.X Not Found
IPsec Packet has Invalid SPI
IPSEC(initialize_sas):Invalid Proxy IDs
Reserved Not Zero on Payload 5
Hash Algorithm Offered does not Match Policy
HMAC Verification Failed
Remote Peer Not Responding
All IPSec SA Proposals Found Unacceptable
Packet Encryption/Decryption Error
Packet Receive Error Due to ESP Sequence Fail
Error Trying to Establish VPN Tunnel on 7600 Series Router
PIX Debugs
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
Common Router-to-VPN Client Issues
Unable to Access Subnets Outside the VPN Tunnel: Split Tunneling
Common PIX-to-VPN Client Issues
Traffic Does Not Flow After the Tunnel Is Established: Cannot Ping Inside the Network Behind PIX
After the Tunnel Is Up, User Is Unable to Browse the Internet: Split Tunnel
After the Tunnel Is Up, Certain Applications Do Not Work: MTU Adjustment on Client
Unable to Use the sysopt Command
Verify Access Control Lists (ACLs)
Related Information
Introduction
This document describes the common debug commands used to troubleshoot IPsec issues on both Cisco IOS Software and PIX/ASA. It assumes that you have already configured IPsec. For more information, refer to Common IPsec Error Messages and Common IPsec Issues.
For information on the most common solutions to IPsec VPN problems, refer to Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions. It contains a checklist of common procedures that you can try before you begin to troubleshoot a connection and call Cisco Technical Support.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco IOS Software IPsec feature set. 56i indicates the single Data Encryption Standard (DES) feature (on Cisco IOS Software Release 11.2 and later). k2 indicates the triple DES feature (on Cisco IOS Software Release 12.0 and later). Triple DES is available on the Cisco 2600 series and later.
- PIX V5.0 and later, which requires a single or triple DES license key in order to activate.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Cisco IOS Software Debugs
The topics in this section describe the Cisco IOS Software debug commands. Refer to Common IPsec Error Messages and Common IPsec Issues for more information.
show crypto isakmp sa
This command shows the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers.
dst src state conn-id slot
12.1.1.2 12.1.1.1 QM_IDLE 1 0
show crypto ipsec sa
此命令用于显示对等体之间构建的 IPSec SA。12.1.1.1 与 12.1.1.2 之间将构建加密隧道,供网络20.1.1.0 与 10.1.1.0 之间进出的流量使用。您可看到入站和出站时构建的两个封装安全有效负载(ESP) SA。由于没有 AH SA,因此未使用身份验证报头 (AH)。
下面是 show crypto ipsec sa 命令的输出示例。
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
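As an added example (not part of the original document), here is a small Python check for the show crypto ipsec sa output above: it reads the packet counters and the inbound/outbound SA lists and turns them into the findings a troubleshooter looks for first, such as an ESP SA missing in one direction, packets encrypted but none decrypted, send/receive errors, and an SA close to the end of its lifetime. The sample input is the output above, trimmed to the lines the check reads; the threshold parameter min_lifetime_sec is an assumption of this example.

```python
import re
# Constructed sample: "show crypto ipsec sa" lines from the output above, trimmed to what this check reads.
SAMPLE = """\
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts decompress failed: 0, #send errors 1, #recv errors 0
inbound esp sas:
spi: 0x136A010F(325714191)
sa timing: remaining key lifetime (k/sec): (4608000/52)
outbound esp sas:
spi: 0x3D3(979)
sa timing: remaining key lifetime (k/sec): (4608000/52)
outbound ah sas:
"""

def parse_ipsec_sa(text):
    # Counters plus one SA list per "<direction> <protocol> sas:" header found in the output.
    info = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "sas": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:  # header of an SA list, e.g. "outbound esp sas:"
            section = f"{m.group(1)}_{m.group(2)}"
            info["sas"].setdefault(section, [])
        elif line.startswith("#pkts encaps:"):
            info["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            info["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif "#send errors" in line:
            errs = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
            info["send_errors"], info["recv_errors"] = int(errs.group(1)), int(errs.group(2))
        elif section and line.startswith("spi:"):  # "spi: 0x3D3(979)" -> "0x3D3"
            info["sas"][section].append({"spi": line.split()[1].split("(")[0]})
        elif section and line.startswith("sa timing:"):  # "(k/sec): (4608000/52)" -> 52
            info["sas"][section][-1]["remaining_sec"] = int(re.search(r"/(\d+)\)", line).group(1))
    return info

def check_tunnel(info, min_lifetime_sec=30):
    # Findings a troubleshooter looks at first; an empty list means the tunnel looks healthy.
    findings = []
    if not info["sas"].get("inbound_esp") or not info["sas"].get("outbound_esp"):
        findings.append("ESP SA missing in one direction: Phase 2 did not complete")
    if info["encaps"] and not info["decaps"]:
        findings.append("packets encrypted but none decrypted: check the return path or the peer")
    if info["send_errors"] or info["recv_errors"]:
        findings.append(f"errors: send={info['send_errors']} recv={info['recv_errors']}")
    for name, sas in info["sas"].items():
        findings += [f"{name} spi {sa['spi']} expires in {sa['remaining_sec']}s"
                     for sa in sas if sa.get("remaining_sec", min_lifetime_sec) < min_lifetime_sec]
    return findings
```

On the sample above the only finding is the single send error; a one-way tunnel (encaps climbing while decaps stays at zero) is the classic symptom the decaps check catches.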
show crypto engine connection active
This command shows each Phase 2 SA built and the amount of traffic sent. Because Phase 2 (security association) SAs are unidirectional, each SA shows traffic in only one direction (encryptions are outbound, decryptions are inbound).
debug crypto isakmp
Here is an example of the debug crypto isakmp command output.
processing SA payload. message ID = 0
Checking ISAKMP transform against priority 1 policy
encryption DES-CBC
hash SHA
default group 2
auth pre-share
life type in seconds
life duration (basic) of 240
atts are acceptable. Next payload is 0
processing KE payload. message ID = 0
processing NONCE payload. message ID = 0
processing ID payload. message ID = 0
SKEYID state generated
processing HASH payload. message ID = 0
SA has been authenticated
processing SA payload. message ID = 800032287
debug crypto ipsec
This command shows the source and destination of the IPsec tunnel endpoints. Src_proxy and dest_proxy are the client subnets. Two "sa created" messages appear, one in each direction. (Four messages appear if you perform both ESP and AH.)
Here is an example of the debug crypto ipsec command output.
Checking IPSec proposal 1transform 1, ESP_DES
attributes in transform:
encaps is 1
SA life type in seconds
SA life duration (basic) of 3600
SA life type in kilobytes
SA life duration (VPI) of 0x0 0x46 0x50 0x0
HMAC algorithm is SHA
atts are acceptable.
Invalid attribute combinations between peers will show up as "atts not acceptable".
IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) dest= 12.1.1.2, SRC= 12.1.1.1,
dest_proxy= 10.1.1.0/0.0.0.0/0/0,
src_proxy= 20.1.1.0/0.0.0.16/0/0,
protocol= ESP, transform= esp-des esp-sha-hmac
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a
IPSEC(spi_response): getting spi 203563166 for SA
from 12.1.1.2 to 12.1.1.1 for prot 2
IPSEC(spi_response): getting spi 194838793 for SA
from 12.1.1.2 to 12.1.1.1 for prot 3
IPSEC(key_engine): got a
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 12.1.1.2, SRC= 12.1.1.1,
dest_proxy= 10.1.1.0/255.255.255.0/0/0,
src_proxy= 20.1.1.0/255.255.255.0/0/0,
protocol= ESP, transform= esp-des esp-sha-hmac
lifedur= 3600s and 4608000kb,
spi= 0xC22209E(203563166), conn_id= 3,
keysize=0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) SRC= 12.1.1.2, dest= 12.1.1.1,
src_proxy= 10.1.1.0/255.255.255.0/0/0,
dest_proxy= 20.1.1.0/255.255.255.0/0/0,
protocol= ESP, transform= esp-des esp-sha-hmac
lifedur= 3600s and 4608000kb,
spi= 0xDED0AB4(233638580), conn_id= 6,
keysize= 0, flags= 0x4
IPSEC(create_sa): sa created,
(sa) sa_dest= 12.1.1.2, sa_prot= 50,
sa_spi= 0xB9D0109(194838793),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 5
IPSEC(create_sa): sa created,
(sa) sa_dest= 12.1.1.2, sa_prot= 50,
sa_spi= 0xDED0AB4(233638580),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 6
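As an added example (not from the original document), this Python helper reads the debug crypto ipsec output above and checks the two points the text makes: whether the proposal attributes were accepted ("atts are acceptable" versus "atts not acceptable"), and whether the number of "sa created" messages matches two per negotiated protocol (two for ESP only, four for ESP plus AH). The sample input is the output above, trimmed to the lines the check reads.

```python
import re

# Constructed sample: the "debug crypto ipsec" lines from the output above that this check reads.
DEBUG = """\
Checking IPSec proposal 1transform 1, ESP_DES
HMAC algorithm is SHA
atts are acceptable.
IPSEC(validate_proposal_request): proposal part #2,
protocol= ESP, transform= esp-des esp-sha-hmac
IPSEC(create_sa): sa created,
(sa) sa_dest= 12.1.1.2, sa_prot= 50,
sa_spi= 0xB9D0109(194838793),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 5
IPSEC(create_sa): sa created,
(sa) sa_dest= 12.1.1.2, sa_prot= 50,
sa_spi= 0xDED0AB4(233638580),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 6
"""

PROTO_NAMES = {"50": "ESP", "51": "AH"}  # IP protocol numbers as printed after sa_prot=

# One "sa created" record spans four lines; capture sa_prot, sa_spi and sa_conn_id from it.
SA_CREATED = re.compile(
    r"sa created,\s*\(sa\) sa_dest= \S+, sa_prot= (\d+),\s*sa_spi= (0x[0-9A-Fa-f]+)\(\d+\),"
    r"\s*sa_trans= [^,]+, sa_conn_id= (\d+)")

def summarize_phase2(text):
    """Summarize a Phase 2 negotiation: proposal verdict, SAs created, and how many were expected."""
    proposal_ok = "atts are acceptable" in text and "atts not acceptable" not in text
    created = [{"prot": PROTO_NAMES.get(p, p), "spi": spi, "conn_id": int(c)}
               for p, spi, c in SA_CREATED.findall(text)]
    # The text states two SAs per protocol (one per direction): ESP only -> 2, ESP plus AH -> 4.
    # Each token of a transform set names its protocol in its prefix: "esp-des", "ah-sha-hmac".
    protos = {tok.split("-")[0].upper()
              for tr in re.findall(r"transform= ([^\n]+)", text) for tok in tr.split()}
    expected = 2 * len(protos)
    return {"proposal_ok": proposal_ok, "created": created, "expected": expected,
            "complete": proposal_ok and len(created) == expected}
```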
Sample Error Messages
The sample error messages in this section were generated from these debug commands:
- debug crypto ipsec
- debug crypto isakmp
- debug crypto engine
Replay Check Failed
Here is an example of the "Replay Check Failed" error: