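The Complete Cisco VPN Configuration Guide
Troubleshooting PIX and ASA Connections
I. ISAKMP/IKE Phase 1 Connections
show isakmp sa [detail]: Displays the status of any management connections.
show [crypto] isakmp stats: Displays statistics for the management connections.
show [crypto] isakmp ipsec-over-tcp stats: Displays statistics for any IPSec over TCP connections that the management connection is managing.
debug crypto isakmp: Displays the steps taken to build a management connection, and the steps taken to build data connections through the management connection.
debug crypto vpnclient: Displays the interaction between the device, acting as an Easy VPN remote, and the Easy VPN server.
debug crypto ca [messages | transactions]: Displays the interaction between the device and the CA for certificate enrollment and verification functions.
debug crypto engine: Displays events related to encryption/decryption problems on the device.
clear [crypto] isakmp sa [SA_ID_#]: Deletes all management SAs, or one specific management connection when an SA ID number is given.
1. The show isakmp sa command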
pix63(config)# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.1.1.101 192.1.1.40 QM_IDLE 0 0
pix70(config-general)# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during
rekey)
Total IKE SA: 1
1 IKE Peer: 192.1.1.40
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
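As the examples above show, the output of FOS 6.3 and FOS 7.0 differs. In the FOS 6.3 output an established connection is shown as QM_IDLE, whereas in the FOS 7.0 output it is shown as "MM_ACTIVE" or "AG_ACTIVE", depending on whether main mode or aggressive mode was used to build the management connection.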
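An added example, not part of the guide: a Python parser that reads either of the two show isakmp sa formats shown above and reports management SAs that are not in an established state. The function names and the embedded sample strings are constructed for illustration.

```python
import re

# Established Phase 1 states named in the text: FOS 6.3 reports QM_IDLE,
# FOS 7.0 reports MM_ACTIVE (main mode) or AG_ACTIVE (aggressive mode).
ESTABLISHED = {"QM_IDLE", "MM_ACTIVE", "AG_ACTIVE"}

# Constructed samples modelled on the two outputs shown above.
FOS63_SAMPLE = """\
Total : 1
Embryonic : 0
dst src state pending created
192.1.1.101 192.1.1.40 QM_IDLE 0 0
"""
FOS70_SAMPLE = """\
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 192.1.1.40
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_63 = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+\d+\s+\d+\s*$")
PEER_70 = re.compile(rf"IKE Peer:\s*({IP})")
STATE_70 = re.compile(r"State\s*:\s*(\S+)")

def _sa(endpoints, state):
    return {"endpoints": endpoints, "state": state,
            "established": state.upper() in ESTABLISHED}

def parse_isakmp_sa(text):
    """Return one dict per management SA, for either output format."""
    sas, peer = [], None
    for line in text.splitlines():
        m = ROW_63.match(line)
        if m:                        # FOS 6.3 row: dst src state pending created
            sas.append(_sa((m.group(1), m.group(2)), m.group(3)))
        elif PEER_70.search(line):   # FOS 7.0 block opens with the peer line
            peer = PEER_70.search(line).group(1)
        elif peer and STATE_70.search(line):   # ...and closes with State
            sas.append(_sa((peer,), STATE_70.search(line).group(1)))
            peer = None
    return sas

def not_established(text):
    """Endpoints of SAs whose state is not one of the established values."""
    return [sa["endpoints"] for sa in parse_isakmp_sa(text) if not sa["established"]]
```

For the 6.3 format the endpoints tuple is (dst, src) exactly as printed, since that output does not say which side is the local device.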
2. The debug crypto isakmp command
In an L2L session, the output looks like this:
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload (1)
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, Received NAT-Traversal ver 03 VID (2)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing IKE SA (3)
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, (4)
Transform # 1 acceptable Matches global IKE entry # 2
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ISA_SA for isakmp (5)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ISA_KE
[IKEv1 DEBUG]: IP = 192.1.1.40, processing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received Cisco Unity client VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received DPD VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS/PIX Vendor ID payload
(version: 1.0.0, capabilities: 0000077f)
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received xauth V6 VID
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing Cisco Unity VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing xauth V6 VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send IOS VID
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing ASA spoofing IOS Vendor
ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group (6)
192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating keys
for Responder...
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with
payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (msgid=0) with
payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) +
NOTIFY (11) + NONE (0) total length : 112
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID (7)
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, processing hash
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS keep alive payload:
proposal=30/10 sec.
[IKEv1 DEBUG]: IP = 192.1.1.40, Starting IOS keepalive monitor:
80 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing
Notify payload
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group
192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing ID
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, construct hash
payload
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing IOS keep alive (8)
payload: proposal=32767/32767 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40,
constructing dpd vid payload
output omitted
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED (9)
[IKEv1]: IP = 192.1.1.40, Keep-alive type for this connection: DPD
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Starting
phase 1 rekey timer: 82080000 (ms)
[IKEv1 DECODE]: IP = 192.1.1.40, IKE Responder starting QM:
msg id = 4a9a7c8b
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (10)
(msgid=4a9a7c8b) with payloads : HDR + HASH (8) + SA (1) +
NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
output omitted
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- (11)
192.168.0.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received remote IP
Proxy Subnet data in ID Payload: Address 192.168.0.0,
Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--
192.168.2.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received local IP Proxy
Subnet data in ID Payload: Address 192.168.2.0,