Configuring IPSec Between Cisco IOS Routers and the Cisco VPN Client Using Entrust Certificates (2024)

Introduction

This document illustrates how to configure an IPSec VPN tunnel between a Cisco IOS® router and a Cisco VPN Client 3.x using Entrust certificates. This feature is supported in Cisco IOS Software Release 12.2(8)T and later. The configuration example in this document also highlights the certificate authority (CA) enrollment procedure for the Cisco IOS router and the Cisco VPN Client, with Entrust used as the CA server.

Before You Begin

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

This section presents you with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

[Figure 1: Network diagram]

Configurations

This document uses the configurations shown below.

  • Router Configurations

  • Certificate Enrollment for the Cisco VPN Client

  • Configuring a VPN Connection on the Cisco VPN Client

Router Configurations

  • Certificate Enrollment on the 3640 IOS Router

  • 3640 Configuration

Certificate Enrollment on the 3640 IOS Router
!--- Define a hostname and domain name for the router.
!--- The fully qualified domain name (FQDN) will be used
!--- as the identity of the router during certificate enrollment.

3640(config)#ip domain-name sjpki.com

!--- Generate RSA (encryption and authentication) keys.

3640(config)#crypto key generate rsa
The name for the keys will be: 3640.sjpki.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

!--- Define the CA identity. Note that in Cisco IOS Software
!--- Release 12.2(8)T, the crypto ca trustpoint command
!--- replaces the crypto ca identity command from previous
!--- Cisco IOS versions. So that the router will try to enroll
!--- to the CA server automatically when its certificates
!--- expire, auto-enroll was turned on.

3640(config)#crypto ca trustpoint SJPKI
3640(ca-trustpoint)#enrollment url http://171.69.89.126
3640(ca-trustpoint)#enrollment mode ra
3640(ca-trustpoint)#crl query ldap://171.69.89.126
3640(ca-trustpoint)#serial-number none
3640(ca-trustpoint)#ip-address none
3640(ca-trustpoint)#password revokeme
3640(ca-trustpoint)#auto-enroll
3640(ca-trustpoint)#usage ike

!--- Retrieves CA and registration authority (RA)
!--- certificates from the CA server.

3640(config)#crypto ca authen SJPKI
Certificate has the following attributes:
Fingerprint: 0D8E6CF8 C63D7068 3BA4B90A 16054812
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
3640(config)#

!--- Enroll to CA server and get router's own certificate.

3640(config)#crypto ca enroll SJPKI
%
% Start certificate enrollment ..
% The subject name in the certificate will be: 3640.sjpki.com
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

3640(config)# Fingerprint: D9CE886E B4B76115 B7149128 6658E7CA

00:58:17: CRYPTO_PKI: status = 102: certificate request pending
00:58:39: CRYPTO_PKI: status = 102: certificate request pending
00:59:42: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
3640 Configuration
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3640
!
logging buffered 4096 debugging

!--- Define local authentication as the authentication method
!--- for Internet Key Exchange (IKE) XAUTH.
!--- Note that "ClientAuth" is the tag associated with the crypto map.

aaa new-model
aaa authentication login ClientAuth local
aaa authorization network ClientAuth local
aaa session-id common
enable secret 5 $1$v49A$bfcGOfwF7qdKQqZxCIN770
!
username vpnclient password 0 cisco123
ip subnet-zero
!
!
ip domain-name sjpki.com
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint SJPKI
 enrollment mode ra
 enrollment url http://171.69.89.126:80
 usage ike
 serial-number none
 ip-address none
 password 7 1405171D030F2F2621
 crl query ldap://171.69.89.126
 auto-enroll
crypto ca certificate chain SJPKI
 certificate ca 3C9CC54B
  308202E4 3082024D A0030201 0202043C 9CC54B30 0D06092A 864886F7 0D010105
  0500302D 310B3009 06035504 06130275 73310E30 0C060355 040A1305 63697363
  6F310E30 0C060355 040B1305 736A7670 6E301E17 0D303230 33323331 37343132
  355A170D 32323033 32333138 31313235 5A302D31 0B300906 03550406 13027573
  310E300C 06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AD0B5B
  DACB1B4B 6CBE7138 2A97AA1D A2D3565C 56EE74D7 32A61D4F 7FBA7E53 44A4C8CC
  94E16825 99369D85 7B6F5A15 60D9AD92 8AF8800E E3E70E01 757FD5DE 470C4996
  A379181A 00709FE5 9C7C5A14 959F77B1 A746F8F7 1F0077FB 99E54DAC 8F3C355F
  31964497 F36E7511 EF09B23D 52CDCD2F 50E471B7 F1FFCB05 4E6EB7F4 71020301
  0001A382 010F3082 010B3011 06096086 480186F8 42010104 04030200 07304F06
  03551D1F 04483046 3044A042 A040A43E 303C310B 30090603 55040613 02757331
  0E300C06 0355040A 13056369 73636F31 0E300C06 0355040B 1305736A 76706E31
  0D300B06 03550403 13044352 4C31302B 0603551D 10042430 22800F32 30303230
  33323331 37343132 355A810F 32303232 30333233 31383131 32355A30 0B060355
  1D0F0404 03020106 301F0603 551D2304 18301680 14F7931A 99D0E447 69928CC0
  A9FF647D F53E627F 5A301D06 03551D0E 04160414 F7931A99 D0E44769 928CC0A9
  FF647DF5 3E627F5A 300C0603 551D1304 05300301 01FF301D 06092A86 4886F67D
  07410004 10300E1B 0856352E 303A342E 30030204 90300D06 092A8648 86F70D01
  01050500 03818100 3C6AB8D8 9E3F140D D5D051AB 7032AF51 BD357804 4D7FA32C
  EB42D1EA 2AFA1EEF 548C175E FAB9B4C7 DE0E0744 0916FC71 B87768F3 28B605E9
  A054900B 5E249835 3112E7FF F0B579F5 F06858F8 5940CA9C E0FC4E98 66C50A40
  2ABEAF37 9DB339C0 F98EDC0C E28C82CD B2465D46 5E3AB18E 0FEEE09A 37D58506
  72AE135E 3B48662D
  quit
 certificate ra-encrypt 3C9CC573
  308202E1 3082024A A0030201 0202043C 9CC57330 0D06092A 864886F7 0D010105
  0500302D 310B3009 06035504 06130275 73310E30 0C060355 040A1305 63697363
  6F310E30 0C060355 040B1305 736A7670 6E301E17 0D303230 33323332 32353234
  355A170D 30353033 32333233 32323435 5A305631 0B300906 03550406 13027573
  310E300C 06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E
  31273025 06035504 03131E65 6E747275 73745650 4E636F6E 6E656374 6F722045
  6E747275 7374504B 4930819F 300D0609 2A864886 F70D0101 01050003 818D0030
  81890281 8100AC0B BA3BC6CF 7C303853 C1C191F6 5CD91A41 2F6143B4 6662D7CB
  A4CD6633 45DBAEC7 7664F88B D62C5DA9 6087C097 5F498BF5 3DDC7ACF 1F4BFA30
  DA112550 841FC5AD 45AEEE65 EA1EB935 473BF5F4 3F6FDE88 E05D7097 FD8C4525
  50ECE9F7 4B3EA152 0DDB8867 A7DB5FEB D7886405 4DCB7486 9D8E1E96 5E3495D8
  989017F1 CA7D0203 010001A3 81E43081 E1300B06 03551D0F 04040302 0520301B
  0603551D 09041430 12301006 092A8648 86F67D07 441D3103 02010130 4F060355
  1D1F0448 30463044 A042A040 A43E303C 310B3009 06035504 06130275 73310E30
  0C060355 040A1305 63697363 6F310E30 0C060355 040B1305 736A7670 6E310D30
  0B060355 04031304 43524C31 301F0603 551D2304 18301680 14F7931A 99D0E447
  69928CC0 A9FF647D F53E627F 5A301D06 03551D0E 04160414 2DDB5231 39027684
  9C982D0D E4528CBC CFFB97B3 30090603 551D1304 02300030 1906092A 864886F6
  7D074100 040C300A 1B045635 2E300302 04B0300D 06092A86 4886F70D 01010505
  00038181 001423E0 A88F4F28 FF69BD65 F35FDCD7 BE1ACB2C 9AF076CD 407D2698
  D9237E02 2026B349 799BD983 C6FE9EB1 41E3728A 0FB37EE2 E0CE0071 6194EDF8
  D21A9DED A7372E20 6FFE0468 014ED8EB 018FBB96 A683B210 A32C0673 D2C2785A
  818C8EC8 2B9549EF 356C96BF 8F396064 1F6D7B50 D3354171 ACA45AE7 D550F42A
  30922C78 E6
  quit
 certificate ra-sign 3C9CC574
  30820310 30820279 A0030201 0202043C 9CC57430 0D06092A 864886F7 0D010105
  0500302D 310B3009 06035504 06130275 73310E30 0C060355 040A1305 63697363
  6F310E30 0C060355 040B1305 736A7670 6E301E17 0D303230 33323332 32353234
  355A170D 30353033 32333233 32323435 5A305631 0B300906 03550406 13027573
  310E300C 06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E
  31273025 06035504 03131E65 6E747275 73745650 4E636F6E 6E656374 6F722045
  6E747275 7374504B 4930819F 300D0609 2A864886 F70D0101 01050003 818D0030
  81890281 8100AC87 EF7C0E8E 2120B81F D231EE87 78CB4238 9F5E5F3B D1D1C9F7
  B35993EF 7118104A 26C38AB4 7DDE9B1D 3A685A73 9788A221 AC3199D7 0D91D315
  2276DAF7 F58C5A1C 690B3CC8 7C1CBE03 8BD81993 F4644D30 B3388741 A0A0C4FC
  BA469358 08C39FA0 152424F9 6E55651C 565B024C A862F557 85D925AA 6074959A
  AC8E934B 48090203 010001A3 82011230 82010E30 0B060355 1D0F0404 03020780
  302B0603 551D1004 24302280 0F323030 32303332 33323235 3234355A 810F3230
  30343034 32393033 32323435 5A301B06 03551D09 04143012 30100609 2A864886
  F67D0744 1D310302 0101304F 0603551D 1F044830 463044A0 42A040A4 3E303C31
  0B300906 03550406 13027573 310E300C 06035504 0A130563 6973636F 310E300C
  06035504 0B130573 6A76706E 310D300B 06035504 03130443 524C3130 1F060355
  1D230418 30168014 F7931A99 D0E44769 928CC0A9 FF647DF5 3E627F5A 301D0603
  551D0E04 160414AA 2E19FD77 6824DE9B 41DB46FC 15229D09 48D4EF30 09060355
  1D130402 30003019 06092A86 4886F67D 07410004 0C300A1B 0456352E 30030204
  B0300D06 092A8648 86F70D01 01050500 03818100 9EA074F8 12D60655 181B7E4B
  CEC7F891 950F22E3 83344504 CBF49334 3DB683F1 32FE454E 2C3F7B6A 6E80B7F8
  5D3B29A0 06AC428B BBAA3381 4209F50C CD8A7D30 4A6842ED 6B683B94 8423E58B
  B2E27650 D1104DEB 56678757 7B744187 D99955F7 DF1BCED2 849D4F9A F22CDA7C
  203E19C6 125AC104 608E37DF 600F97B9 B4DCF0CE
  quit
 certificate 3C9CC602
  308202C0 30820229 A0030201 0202043C 9CC60230 0D06092A 864886F7 0D010105
  0500302D 310B3009 06035504 06130275 73310E30 0C060355 040A1305 63697363
  6F310E30 0C060355 040B1305 736A7670 6E301E17 0D303230 34303832 32323534
  365A170D 30333034 30383232 35353436 5A304C31 0B300906 03550406 13027573
  310E300C 06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E
  311D301B 06092A86 4886F70D 01090216 0E333634 302E736A 706B692E 636F6D30
  5C300D06 092A8648 86F70D01 01010500 034B0030 48024100 B7C253B7 B915A629
  3CC1514F 39F8BB0A 503D0D10 D9C95D78 106D8944 48D28864 72760A06 859DA91A
  0F9304E3 9CA87FFB FA3846FA 5C798970 4D8E6203 FE701A67 02030100 01A38201
  10308201 0C300B06 03551D0F 04040302 05A03019 0603551D 11041230 10820E33
  3634302E 736A706B 692E636F 6D302B06 03551D10 04243022 800F3230 30323034
  30383232 32353436 5A810F32 30303231 32323031 30353534 365A304F 0603551D
  1F044830 463044A0 42A040A4 3E303C31 0B300906 03550406 13027573 310E300C
  06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E 310D300B
  06035504 03130443 524C3130 1F060355 1D230418 30168014 F7931A99 D0E44769
  928CC0A9 FF647DF5 3E627F5A 301D0603 551D0E04 16041413 C98FDF5A AEF253F0
  84D39E4B 44A10B1F A2622730 09060355 1D130402 30003019 06092A86 4886F67D
  07410004 0C300A1B 0456352E 30030204 B0300D06 092A8648 86F70D01 01050500
  03818100 671FC222 EADDC030 F8053380 5EEE91E5 69D3F5A7 5AC037F9 539EF9CB
  25ECD678 365A954A FFD3141B 17DEEB9F 1DFE6F97 8B8FDD18 47458858 A0517D21
  2EE68C30 F359C5F9 647354F8 F92F2346 B999EFB7 029F30FB AC096829 58DC7E13
  EE1FA3F6 BAAF794A 0157B0B1 4935CD3A 7B613B65 940412F8 C6301264 A7E53742
  75E1E403
  quit

!--- Define Internet Security Association and Key Management
!--- Protocol (ISAKMP) policy. The IKE authentication method
!--- "rsa-sig" will be used, but it doesn't show up in
!--- the configuration since it is the default method.

crypto isakmp policy 1
 group 2

!--- Use FQDN as the ISAKMP identity.

crypto isakmp identity hostname

!--- Define the VPN group for Cisco VPN Client.
!--- The VPN group name "sjvpn" matches
!--- the Organizational Unit (OU) name of the client's certificate.
!--- Access list "acl 101" defines the split-tunneling traffic, and
!--- "vpnpool" defines the IP pool from which the VPN Client
!--- receives its IP address during the IKE negotiation.

crypto isakmp client configuration group sjvpn
 dns 10.1.1.5
 wins 10.1.1.5
 domain sjpki.com
 pool vpnpool
 acl 101
!

!--- Define crypto map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map vpnclient 10
 set transform-set myset
!
!
crypto map vpn client authentication list ClientAuth
crypto map vpn isakmp authorization list ClientAuth
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic vpnclient
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
interface Loopback0
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.1.3.1 255.255.255.0
 no keepalive
 half-duplex
!
interface Ethernet0/1
 ip address 172.16.172.40 255.255.255.240
 half-duplex
 crypto map vpn
!
interface BRI1/0
 no ip address
 shutdown
!
interface BRI1/1
 no ip address
 shutdown
!
interface BRI1/2
 no ip address
 shutdown
!
interface BRI1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial2/1
 no ip address
 shutdown
!
interface Serial2/2
 no ip address
 shutdown
!
interface Serial2/3
 no ip address
 shutdown
!
interface Serial3/0
 no ip address
 shutdown
!
interface Serial3/1
 no ip address
 shutdown
!
interface Serial3/2
 no ip address
 shutdown
!
interface Serial3/3
 no ip address
 shutdown
!
ip local pool vpnpool 10.1.1.10 10.1.1.50
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.172.33
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.1.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
!
!
end
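As an added example (this script is not part of Cisco's document), the following Python code decodes the router's own certificate (serial 3C9CC602) exactly as it is stored in the running configuration above and checks that its OU equals the group name "sjvpn" configured under crypto isakmp client configuration group; the router applies the same OU-to-group mapping to the VPN Client's certificate (compare "ISAKMP (0:1): OU = sjvpn" in the debug output), so the same check run against a client certificate confirms the mapping before deployment. The DER walker is hand-written for this example and assumes the RFC 5280 field order of tbsCertificate.

```python
"""Decode an IOS 'crypto ca certificate chain' hex dump and check that the
certificate's OU matches the ISAKMP client configuration group name."""
import binascii

# Router certificate 3C9CC602, copied from the 3640 running configuration above.
IOS_CERT_HEX = """
308202C0 30820229 A0030201 0202043C 9CC60230 0D06092A 864886F7 0D010105
0500302D 310B3009 06035504 06130275 73310E30 0C060355 040A1305 63697363
6F310E30 0C060355 040B1305 736A7670 6E301E17 0D303230 34303832 32323534
365A170D 30333034 30383232 35353436 5A304C31 0B300906 03550406 13027573
310E300C 06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E
311D301B 06092A86 4886F70D 01090216 0E333634 302E736A 706B692E 636F6D30
5C300D06 092A8648 86F70D01 01010500 034B0030 48024100 B7C253B7 B915A629
3CC1514F 39F8BB0A 503D0D10 D9C95D78 106D8944 48D28864 72760A06 859DA91A
0F9304E3 9CA87FFB FA3846FA 5C798970 4D8E6203 FE701A67 02030100 01A38201
10308201 0C300B06 03551D0F 04040302 05A03019 0603551D 11041230 10820E33
3634302E 736A706B 692E636F 6D302B06 03551D10 04243022 800F3230 30323034
30383232 32353436 5A810F32 30303231 32323031 30353534 365A304F 0603551D
1F044830 463044A0 42A040A4 3E303C31 0B300906 03550406 13027573 310E300C
06035504 0A130563 6973636F 310E300C 06035504 0B130573 6A76706E 310D300B
06035504 03130443 524C3130 1F060355 1D230418 30168014 F7931A99 D0E44769
928CC0A9 FF647DF5 3E627F5A 301D0603 551D0E04 16041413 C98FDF5A AEF253F0
84D39E4B 44A10B1F A2622730 09060355 1D130402 30003019 06092A86 4886F67D
07410004 0C300A1B 0456352E 30030204 B0300D06 092A8648 86F70D01 01050500
03818100 671FC222 EADDC030 F8053380 5EEE91E5 69D3F5A7 5AC037F9 539EF9CB
25ECD678 365A954A FFD3141B 17DEEB9F 1DFE6F97 8B8FDD18 47458858 A0517D21
2EE68C30 F359C5F9 647354F8 F92F2346 B999EFB7 029F30FB AC096829 58DC7E13
EE1FA3F6 BAAF794A 0157B0B1 4935CD3A 7B613B65 940412F8 C6301264 A7E53742
75E1E403
quit
"""

# Attribute type OIDs (DER-encoded) that appear in the certificates of this setup.
OID_NAMES = {
    bytes.fromhex("550406"): "C",
    bytes.fromhex("55040a"): "O",
    bytes.fromhex("55040b"): "OU",
    bytes.fromhex("550403"): "CN",
    bytes.fromhex("2a864886f70d010902"): "unstructuredName",  # PKCS#9, holds the FQDN
}


def ios_hex_to_der(text):
    """IOS prints DER as whitespace-separated hex words; a trailing 'quit' ends the block."""
    words = [w for w in text.split() if w.lower() != "quit"]
    return binascii.unhexlify("".join(words))


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def is_complete(der):
    """True when the outer SEQUENCE length matches the bytes present (catches a truncated copy)."""
    _, _, end = read_tlv(der, 0)
    return end == len(der)


def decode_name(name_value):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into (type, value) pairs."""
    pairs = []
    for _set_tag, set_value in children(name_value):
        for _seq_tag, atv in children(set_value):
            (_, oid), (_, string) = list(children(atv))
            pairs.append((OID_NAMES.get(oid, oid.hex()), string.decode("ascii")))
    return pairs


def subject_of(der):
    """Walk Certificate -> tbsCertificate and return the subject Name as pairs."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate is its first element
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return decode_name(fields[4][1])


def ou_matches_group(der, group_name):
    """IOS maps a certificate-authenticated client to the group whose name equals the OU."""
    return any(attr == "OU" and value == group_name for attr, value in subject_of(der))


if __name__ == "__main__":
    der = ios_hex_to_der(IOS_CERT_HEX)
    print("complete:", is_complete(der), "subject:", subject_of(der))
    print("matches group sjvpn:", ou_matches_group(der, "sjvpn"))
```

To check a VPN Client's certificate instead, paste its hex (as printed by show crypto ca certificates on a router that holds it) into IOS_CERT_HEX and compare against the group name you configured.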

Certificate Enrollment for the Cisco VPN Client

The following screenshots illustrate the procedure for enrolling the Cisco VPN Client for Entrust certificates. In this case, network-based (online) enrollment was used.

  1. Start the VPN Client, select the Certificates tab, and click Enroll.

    [Figure 2: screenshot]

  2. Select Online as the certificate enrollment type, then fill in the URL, Domain, and Password fields. Click Next when finished.

    [Figure 3: screenshot]

  3. Enter your information in the certificate fields. If you need to edit information on the previous screen, click Back. Otherwise, click Enroll when finished.

    [Figure 4: screenshot]

  4. When the enrollment status window confirms your request to enroll with the CA server, click OK to continue.

    [Figure 5: screenshot]

  5. After enrollment, the VPN Client should receive a personal certificate, a CA root certificate, and two RA certificates. The Digital Certificate screen verifies the VPN Client's certificate. To view the certificate, go to Certificates > View. The certificate should look similar to the example below.

    [Figure 6: screenshot]

Configuring a VPN Connection on the Cisco VPN Client

The following screenshots illustrate how to configure a new connection on the Cisco VPN Client to the Cisco IOS router.

  1. Start the VPN Client, select the Connection Entries tab, and click New to create a new connection.

  2. Enter the connection name, description, and host IP address. The Certificate Authentication field is populated automatically with the VPN Client's certificate information. Click Save when finished.

    [Figure 7: screenshot]

  3. To connect, select the new connection entry and click Connect.

    [Figure 8: screenshot]

Verify

This section provides information you can use to confirm that your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • show crypto isakmp sa

    3640#show crypto isakmp sa
        dst             src             state          conn-id    slot
    172.16.172.40   171.69.89.129   QM_IDLE              1       0

  • show crypto ipsec sa

    3640#show crypto ipsec sa

    interface: Ethernet0/1
        Crypto map tag: vpn, local addr. 172.16.172.40

       local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.1.1.11/255.255.255.255/0/0)
       current_peer: 171.69.89.129
         PERMIT, flags={}
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
        #pkts decaps: 17, #pkts decrypt: 17, #pkts verify 17
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 172.16.172.40, remote crypto endpt.: 171.69.89.129
         path mtu 1500, media mtu 1500
         current outbound spi: E73672A9

         inbound esp sas:
          spi: 0xADA266D3(2913101523)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2002, flow_id: 3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607997/3526)
            IV size: 8 bytes
            replay detection support: Y

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xE73672A9(3879105193)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2003, flow_id: 4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607999/3526)
            IV size: 8 bytes
            replay detection support: Y

         outbound ah sas:

         outbound pcp sas:

       local  ident (addr/mask/prot/port): (172.16.172.40/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.1.1.11/255.255.255.255/0/0)
       current_peer: 171.69.89.129
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 172.16.172.40, remote crypto endpt.: 171.69.89.129
         path mtu 1500, media mtu 1500
         current outbound spi: 1E04D17C

         inbound esp sas:
          spi: 0x96D25C98(2530368664)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/3527)
            IV size: 8 bytes
            replay detection support: Y

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x1E04D17C(503632252)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/3527)
            IV size: 8 bytes
            replay detection support: Y

         outbound ah sas:

         outbound pcp sas:

  • show crypto engine connection active

    3640#show crypto engine connection active

      ID Interface       IP-Address      State  Algorithm            Encrypt  Decrypt
       1 Ethernet0/1     172.16.172.40   set    HMAC_SHA+DES_56_CB         0        0
    2000 Ethernet0/1     172.16.172.40   set    HMAC_MD5+DES_56_CB         0        0
    2001 Ethernet0/1     172.16.172.40   set    HMAC_MD5+DES_56_CB         0        0
    2002 Ethernet0/1     172.16.172.40   set    HMAC_MD5+DES_56_CB         0       20
    2003 Ethernet0/1     172.16.172.40   set    HMAC_MD5+DES_56_CB         4        0

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Below is the debug output of a working IKE negotiation, captured on the Cisco 3640 router. The following debugs were enabled.

3640#show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
  Crypto PKI Trans debugging is on
3640#
00:02:30: ISAKMP (0:0): received packet from 171.69.89.129 (N) NEW SA
00:02:30: ISAKMP: local port 500, remote port 500
00:02:30: ISAKMP: Created a peer node for 171.69.89.129
00:02:30: ISAKMP (0:1): Setting client config settings 62D99D98
00:02:30: ISAKMP (0:1): (Re)Setting client xauth list ClientAuth and state
00:02:30: ISAKMP: Locking CONFIG struct 0x62D99D98 from crypto_ikmp_config_initialize_sa, count 1
00:02:30: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY  New State = IKE_R_MM1

00:02:30: ISAKMP (0:1): processing SA payload. message ID = 0
00:02:30: ISAKMP (0:1): processing vendor id payload
00:02:30: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:02:30: ISAKMP (0:1): vendor ID is XAUTH
00:02:30: ISAKMP (0:1): processing vendor id payload
00:02:30: ISAKMP (0:1): vendor ID is DPD
00:02:30: ISAKMP (0:1): processing vendor id payload
00:02:30: ISAKMP (0:1): vendor ID is Unity
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 2
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 6 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 2
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 7 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 2
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 8 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 2
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 9 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 1
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 10 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 1
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 11 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 1
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 12 against priority 1 policy
00:02:30: ISAKMP:      encryption 3DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 1
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Encryption algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 13 against priority 1 policy
00:02:30: ISAKMP:      encryption DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Diffie-Hellman group offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 14 against priority 1 policy
00:02:30: ISAKMP:      encryption DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Hash algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 15 against priority 1 policy
00:02:30: ISAKMP:      encryption DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Diffie-Hellman group offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 16 against priority 1 policy
00:02:30: ISAKMP:      encryption DES-CBC
00:02:30: ISAKMP:      hash MD5
00:02:30: ISAKMP:      default group 5
00:02:30: ISAKMP:      auth RSA sig
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): Hash algorithm offered does not match policy!
00:02:30: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:02:30: ISAKMP (0:1): Checking ISAKMP transform 17 against priority 1 policy
00:02:30: ISAKMP:      encryption DES-CBC
00:02:30: ISAKMP:      hash SHA
00:02:30: ISAKMP:      default group 2
00:02:30: ISAKMP:      auth XAUTHInitRSA
00:02:30: ISAKMP:      life type in seconds
00:02:30: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
00:02:30: ISAKMP (0:1): atts are acceptable. Next payload is 3
00:02:30: CryptoEngine0: generate alg parameter
00:02:31: CRYPTO_ENGINE: Dh phase 1 status: 0
00:02:31: CRYPTO_ENGINE: Dh phase 1 status: 0
00:02:31: ISAKMP (0:1): processing vendor id payload
00:02:31: ISAKMP (0:1): processing vendor id payload
00:02:31: ISAKMP (0:1): processing vendor id payload
00:02:31: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM1  New State = IKE_R_MM1

00:02:31: ISAKMP (0:1): sending packet to 171.69.89.129 (R) MM_SA_SETUP
00:02:31: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM1  New State = IKE_R_MM2

00:02:31: ISAKMP (0:1): received packet from 171.69.89.129 (R) MM_SA_SETUP
00:02:31: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM2  New State = IKE_R_MM3

00:02:31: ISAKMP (0:1): processing KE payload. message ID = 0
00:02:31: CryptoEngine0: generate alg parameter
00:02:31: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:02:31: CryptoEngine0: calculate pkey hmac for conn id 1
00:02:31: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:02:31: ISAKMP (0:1): SKEYID state generated
00:02:31: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM3  New State = IKE_R_MM3

00:02:31: ISAKMP (0:1): sending packet to 171.69.89.129 (R) MM_KEY_EXCH
00:02:31: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM3  New State = IKE_R_MM4

00:02:31: ISAKMP (0:1): received packet from 171.69.89.129 (R) MM_KEY_EXCH
00:02:31: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM4  New State = IKE_R_MM5

00:02:31: ISAKMP (0:1): processing ID payload. message ID = 0
00:02:31: ISAKMP (0:1): processing CERT payload. message ID = 0
00:02:31: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
00:02:31: CRYPTO_PKI: status = 0: poll CRL ldap search: server=171.69.89.126, base=CN = CRL1, OU = sjvpn, O = cisco, C = us, attribute=: scope=2, filter=cn=CRL1
00:02:31: CRYPTO_PKI: ldap_bind() succeeded.
00:02:32: CRYPTO_PKI: set CRL update timer with delay: 89703
00:02:32: CRYPTO_PKI: the current router time: 00:00:39 UTC Apr 9 2002
00:02:32: CRYPTO_PKI: the last CRL update time: 23:55:42 UTC Apr 8 2002
00:02:32: CRYPTO_PKI: the next CRL update time: 00:55:42 UTC Apr 10 2002
00:02:32: CRYPTO_PKI: status = 0: failed to get public key from the storage
00:02:32: CRYPTO_PKI: status = 65535: failed to get issuer pubkey in cert
00:02:32: CRYPTO_PKI: status = 0: failed to get public key from the storage
00:02:32: CRYPTO_PKI: status = 65535: failed to get issuer pubkey in cert
00:02:32: CRYPTO_PKI: status = 0: failed to get public key from the storage
00:02:32: CRYPTO_PKI: status = 65535: failed to get issuer pubkey in cert
00:02:32: CRYPTO_PKI: transaction GetCRL completed
00:02:32: CRYPTO_PKI: blocking callback received status: 105
00:02:32: CRYPTO_PKI: Certificate verified, chain status= 1
00:02:32: ISAKMP (0:1): OU = sjvpn
00:02:32: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
00:02:32: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
00:02:32: ISAKMP (0:1): peer want cert issued by OU = sjvpn, O = cisco, C = us
00:02:32: ISAKMP (0:1): processing SIG payload. message ID = 0
00:02:32: Crypto engine 0: RSA decrypt with public key
00:02:32: CryptoEngine0: CRYPTO_RSA_PUB_DECRYPT
00:02:32: CryptoEngine0: generate hmac context for conn id 1
00:02:32: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 62D99794
00:02:32: ISAKMP (0:1): Process initial contact, bring down existing phase 1 and 2 SA's
00:02:32: ISAKMP (0:1): returning IP addr to the address pool
00:02:32: ISAKMP (0:1): peer does not do paranoid keepalives.
00:02:32: ISAKMP (0:1): SA has been authenticated with 171.69.89.129
00:02:32: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM5  New State = IKE_R_MM5

00:02:32: IPSEC(key_engine): got a queue event...
00:02:32: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:02:32: IPSEC(key_engine_delete_sas): delete all SAs shared with 171.69.89.129
00:02:32: ISAKMP (0:1): SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
00:02:32: ISAKMP (1): ID payload
        next-payload : 6
        type         : 2
        protocol     : 17
        port         : 500
        length       : 18
00:02:32: ISAKMP (1): Total payload length: 22
00:02:32: CryptoEngine0: generate hmac context for conn id 1
00:02:32: Crypto engine 0: RSA encrypt with private key
00:02:32: CryptoEngine0: CRYPTO_RSA_PRIV_ENCRYPT
00:02:32: CryptoEngine0: clear dh number for conn id 1
00:02:32: ISAKMP (0:1): sending packet to 171.69.89.129 (R) CONF_XAUTH
00:02:32: CryptoEngine0: generate hmac context for conn id 1
00:02:32: ISAKMP (0:1): sending packet to 171.69.89.129 (R) CONF_XAUTH
00:02:32: ISAKMP: Sending phase 1 responder lifetime 86400
00:02:32: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

00:02:32: ISAKMP (0:1): Need XAUTH
00:02:32: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT

00:02:32: ISAKMP: got callback 1
00:02:32: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
00:02:32: ISAKMP/xauth: request
attribute XAUTH_MESSAGE_V200:02:32: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V200:02:32: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V200:02:32: CryptoEngine0: generate hmac context for conn id 100:02:32: ISAKMP (0:1): initiating peer config to 171.69.89.129. ID = -67028912500:02:32: ISAKMP (0:1): sending packet to 171.69.89.129 (R) CONF_XAUTH 00:02:32: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGINOld State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT 00:02:36: ISAKMP (0:1): received packet from 171.69.89.129 (R) CONF_XAUTH 00:02:36: ISAKMP (0:1): processing transaction payload from 171.69.89.129. message ID = -67028912500:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP: Config payload REPLY00:02:36: ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected00:02:36: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V200:02:36: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V200:02:36: ISAKMP (0:1): deleting node -670289125 error FALSE reason "done with xauth request/reply exchange"00:02:36: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLYOld State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT 00:02:36: ISAKMP: got callback 100:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP (0:1): initiating peer config to 171.69.89.129. ID = -161022025000:02:36: ISAKMP (0:1): sending packet to 171.69.89.129 (R) CONF_XAUTH 00:02:36: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGINOld State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT 00:02:36: ISAKMP (0:1): received packet from 171.69.89.129 (R) CONF_XAUTH 00:02:36: ISAKMP (0:1): processing transaction payload from 171.69.89.129. 
message ID = -161022025000:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP: Config payload ACK00:02:36: ISAKMP (0:1): XAUTH ACK Processed00:02:36: ISAKMP (0:1): deleting node -1610220250 error FALSE reason "done with transaction"00:02:36: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACKOld State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE 00:02:36: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETEOld State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE 00:02:36: ISAKMP (0:1): received packet from 171.69.89.129 (R) QM_IDLE 00:02:36: ISAKMP (0:1): processing transaction payload from 171.69.89.129. message ID = 178934726400:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP: Config payload REQUEST00:02:36: ISAKMP (0:1): checking request:00:02:36: ISAKMP: IP4_ADDRESS00:02:36: ISAKMP: IP4_NETMASK00:02:36: ISAKMP: IP4_DNS00:02:36: ISAKMP: IP4_NBNS00:02:36: ISAKMP: ADDRESS_EXPIRY00:02:36: ISAKMP: APPLICATION_VERSION00:02:36: ISAKMP: UNKNOWN Unknown Attr: 0x700000:02:36: ISAKMP: UNKNOWN Unknown Attr: 0x700100:02:36: ISAKMP: DEFAULT_DOMAIN00:02:36: ISAKMP: SPLIT_INCLUDE00:02:36: ISAKMP: UNKNOWN Unknown Attr: 0x700700:02:36: ISAKMP: UNKNOWN Unknown Attr: 0x700800:02:36: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUESTOld State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT 00:02:36: ISAKMP: got callback 100:02:36: ISAKMP (0:1): attributes sent in message:00:02:36: Address: 0.2.0.000:02:36: ISAKMP (0:1): allocating address 10.1.1.1000:02:36: ISAKMP: Sending private address: 10.1.1.1000:02:36: ISAKMP: Unknown Attr: IP4_NETMASK (0x2)00:02:36: ISAKMP: Sending IP4_DNS server address: 10.1.1.500:02:36: ISAKMP: Sending IP4_NBNS server address: 10.1.1.500:02:36: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 8639400:02:36: ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3640-IK8O3S-M), Version 12.2(8)T, RELEASE 
SOFTWARE (fc2)TAC Support: http://www.cisco.com/tacCopyright (c) 1986-2002 by cisco Systems, Inc.Compiled Thu 14-Feb-02 19:36 by ccai00:02:36: ISAKMP: Unknown Attr: UNKNOWN (0x7000)00:02:36: ISAKMP: Unknown Attr: UNKNOWN (0x7001)00:02:36: ISAKMP: Sending DEFAULT_DOMAIN default domain name: sjpki.com00:02:36: ISAKMP: Sending split include name 101 network 10.1.0.0 mask 255.255.0.0, protocol 0, src port 0, dst port 000:02:36: ISAKMP: Unknown Attr: UNKNOWN (0x7007)00:02:36: ISAKMP: Unknown Attr: UNKNOWN (0x7008)00:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP (0:1): responding to peer config from 171.69.89.129. ID = 178934726400:02:36: ISAKMP (0:1): sending packet to 171.69.89.129 (R) CONF_ADDR 00:02:36: ISAKMP (0:1): deleting node 1789347264 error FALSE reason ""00:02:36: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTROld State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE 00:02:36: ISAKMP (0:1): received packet from 171.69.89.129 (R) QM_IDLE 00:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP (0:1): processing HASH payload. message ID = -146004116900:02:36: ISAKMP (0:1): processing SA payload. message ID = -146004116900:02:36: ISAKMP (0:1): Checking IPSec proposal 100:02:36: ISAKMP: transform 1, ESP_3DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-MD500:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported00:02:36: ISAKMP (0:1): atts not acceptable. 
Next payload is 000:02:36: ISAKMP (0:1): skipping next ANDed proposal (1)00:02:36: ISAKMP (0:1): Checking IPSec proposal 200:02:36: ISAKMP: transform 1, ESP_3DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-SHA00:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported00:02:36: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:36: ISAKMP (0:1): skipping next ANDed proposal (2)00:02:36: ISAKMP (0:1): Checking IPSec proposal 300:02:36: ISAKMP: transform 1, ESP_3DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-MD500:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported00:02:36: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:36: ISAKMP (0:1): Checking IPSec proposal 400:02:36: ISAKMP: transform 1, ESP_3DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-SHA00:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported00:02:36: ISAKMP (0:1): atts not acceptable. 
Next payload is 000:02:36: ISAKMP (0:1): Checking IPSec proposal 500:02:36: ISAKMP: transform 1, ESP_DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-MD500:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: ISAKMP (0:1): atts are acceptable.00:02:36: ISAKMP (0:1): Checking IPSec proposal 500:02:36: ISAKMP (0:1): transform 1, IPPCP LZS00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: IPSEC(validate_proposal): transform proposal (prot 4, trans 3, hmac_alg 0) not supported00:02:36: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:36: ISAKMP (0:1): Checking IPSec proposal 600:02:36: ISAKMP: transform 1, ESP_DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-SHA00:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 2) not supported00:02:36: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:36: ISAKMP (0:1): skipping next ANDed proposal (6)00:02:36: ISAKMP (0:1): Checking IPSec proposal 700:02:36: ISAKMP: transform 1, ESP_DES00:02:36: ISAKMP: attributes in transform:00:02:36: ISAKMP: authenticator is HMAC-MD500:02:36: ISAKMP: encaps is 100:02:36: ISAKMP: SA life type in seconds00:02:36: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:36: validate proposal 000:02:36: ISAKMP (0:1): atts are acceptable.00:02:36: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) 
INBOUND local= 172.16.172.40, remote= 171.69.89.129, local_proxy= 172.16.172.40/255.255.255.255/0/0 (type=1), remote_proxy= 10.1.1.10/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400:02:36: validate proposal request 000:02:36: ISAKMP (0:1): processing NONCE payload. message ID = -146004116900:02:36: ISAKMP (0:1): processing ID payload. message ID = -146004116900:02:36: ISAKMP (0:1): processing ID payload. message ID = -146004116900:02:36: ISAKMP (0:1): asking for 1 spis from ipsec00:02:36: ISAKMP (0:1): Node -1460041169, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHOld State = IKE_QM_READY New State = IKE_QM_SPI_STARVE 00:02:36: IPSEC(key_engine): got a queue event...00:02:36: IPSEC(spi_response): getting spi 1289658319 for SA from 172.16.172.40 to 171.69.89.129 for prot 300:02:36: ISAKMP: received ke message (2/1)00:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ISAKMP (0:1): sending packet to 171.69.89.129 (R) QM_IDLE 00:02:36: ISAKMP (0:1): Node -1460041169, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLYOld State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 00:02:36: ISAKMP (0:1): received packet from 171.69.89.129 (R) QM_IDLE 00:02:36: CryptoEngine0: generate hmac context for conn id 100:02:36: ipsec allocate flow 000:02:36: ipsec allocate flow 000:02:36: ISAKMP (0:1): Creating IPSec SAs00:02:36: inbound SA from 171.69.89.129 to 172.16.172.40(proxy 10.1.1.10 to 172.16.172.40)00:02:36: has spi 0x4CDE9FCF and conn_id 2000 and flags 400:02:36: lifetime of 2147483 seconds00:02:36: outbound SA from 172.16.172.40 to 171.69.89.129 (proxy 172.16.172.40 to 10.1.1.10)00:02:36: has spi -154514029 and conn_id 2001 and flags C00:02:36: lifetime of 2147483 seconds00:02:36: ISAKMP (0:1): deleting node -1460041169 error FALSE reason "quick mode done (await()"00:02:36: ISAKMP (0:1): Node -1460041169, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHOld State = IKE_QM_R_QM2 New 
State = IKE_QM_PHASE2_COMPLETE 00:02:36: IPSEC(key_engine): got a queue event...00:02:36: IPSEC(initialize_sas): ,(key eng. msg.) INBOUND local= 172.16.172.40, remote= 171.69.89.129, local_proxy= 172.16.172.40/0.0.0.0/0/0 (type=1), remote_proxy= 10.1.1.10/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 2147483s and 0kb, spi= 0x4CDE9FCF(1289658319), conn_id= 2000, keysize= 0, flags= 0x400:02:36: IPSEC(initialize_sas): ,(key eng. msg.) OUTBOUND local= 172.16.172.40, remote= 171.69.89.129, local_proxy= 172.16.172.40/0.0.0.0/0/0 (type=1), remote_proxy= 10.1.1.10/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 2147483s and 0kb, spi= 0xF6CA4D93(4140453267), conn_id= 2001, keysize= 0, flags= 0xC00:02:36: IPSEC(create_sa): sa created,(sa) sa_dest= 172.16.172.40, sa_prot= 50, sa_spi= 0x4CDE9FCF(1289658319), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 200000:02:36: IPSEC(create_sa): sa created,(sa) sa_dest= 171.69.89.129, sa_prot= 50, sa_spi= 0xF6CA4D93(4140453267), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 200100:02:36: ISAKMP: received ke message (4/1)00:02:36: ISAKMP: Locking CONFIG struct 0x62D99D98 for crypto_ikmp_config_handle_kei_mess, count 200:02:37: ISAKMP (0:1): received packet from 171.69.89.129 (R) QM_IDLE 00:02:37: CryptoEngine0: generate hmac context for conn id 100:02:37: ISAKMP (0:1): processing HASH payload. message ID = 92651898300:02:37: ISAKMP (0:1): processing SA payload. message ID = 92651898300:02:37: ISAKMP (0:1): Checking IPSec proposal 100:02:37: ISAKMP: transform 1, ESP_3DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-MD500:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported00:02:37: ISAKMP (0:1): atts not acceptable. 
Next payload is 000:02:37: ISAKMP (0:1): skipping next ANDed proposal (1)00:02:37: ISAKMP (0:1): Checking IPSec proposal 200:02:37: ISAKMP: transform 1, ESP_3DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-SHA00:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported00:02:37: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:37: ISAKMP (0:1): skipping next ANDed proposal (2)00:02:37: ISAKMP (0:1): Checking IPSec proposal 300:02:37: ISAKMP: transform 1, ESP_3DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-MD500:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported00:02:37: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:37: ISAKMP (0:1): Checking IPSec proposal 400:02:37: ISAKMP: transform 1, ESP_3DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-SHA00:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported00:02:37: ISAKMP (0:1): atts not acceptable. 
Next payload is 000:02:37: ISAKMP (0:1): Checking IPSec proposal 500:02:37: ISAKMP: transform 1, ESP_DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-MD500:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: ISAKMP (0:1): atts are acceptable.00:02:37: ISAKMP (0:1): Checking IPSec proposal 500:02:37: ISAKMP (0:1): transform 1, IPPCP LZS00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: IPSEC(validate_proposal): transform proposal (prot 4, trans 3, hmac_alg 0) not supported00:02:37: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:37: ISAKMP (0:1): Checking IPSec proposal 600:02:37: ISAKMP: transform 1, ESP_DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-SHA00:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 2) not supported00:02:37: ISAKMP (0:1): atts not acceptable. Next payload is 000:02:37: ISAKMP (0:1): skipping next ANDed proposal (6)00:02:37: ISAKMP (0:1): Checking IPSec proposal 700:02:37: ISAKMP: transform 1, ESP_DES00:02:37: ISAKMP: attributes in transform:00:02:37: ISAKMP: authenticator is HMAC-MD500:02:37: ISAKMP: encaps is 100:02:37: ISAKMP: SA life type in seconds00:02:37: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 00:02:37: validate proposal 000:02:37: ISAKMP (0:1): atts are acceptable.00:02:37: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) 
INBOUND local= 172.16.172.40, remote= 171.69.89.129, local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.1.1.10/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400:02:37: validate proposal request 000:02:37: ISAKMP (0:1): processing NONCE payload. message ID = 92651898300:02:37: ISAKMP (0:1): processing ID payload. message ID = 92651898300:02:37: ISAKMP (0:1): processing ID payload. message ID = 92651898300:02:37: ISAKMP (0:1): asking for 1 spis from ipsec00:02:37: ISAKMP (0:1): Node 926518983, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHOld State = IKE_QM_READY New State = IKE_QM_SPI_STARVE 00:02:37: IPSEC(key_engine): got a queue event...00:02:37: IPSEC(spi_response): getting spi 1746304572 for SA from 172.16.172.40 to 171.69.89.129 for prot 300:02:37: ISAKMP: received ke message (2/1)00:02:37: CryptoEngine0: generate hmac context for conn id 100:02:37: ISAKMP (0:1): sending packet to 171.69.89.129 (R) QM_IDLE 00:02:37: ISAKMP (0:1): Node 926518983, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLYOld State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 00:02:37: ISAKMP (0:1): received packet from 171.69.89.129 (R) QM_IDLE 00:02:37: CryptoEngine0: generate hmac context for conn id 100:02:37: ipsec allocate flow 000:02:37: ipsec allocate flow 000:02:37: ISAKMP (0:1): Creating IPSec SAs00:02:37: inbound SA from 171.69.89.129 to 172.16.172.40(proxy 10.1.1.10 to 10.1.0.0)00:02:37: has spi 0x68167E3C and conn_id 2002 and flags 400:02:37: lifetime of 2147483 seconds00:02:37: outbound SA from 172.16.172.40 to 171.69.89.129 (proxy 10.1.0.0 to 10.1.1.10)00:02:37: has spi -697634356 and conn_id 2003 and flags C00:02:37: lifetime of 2147483 seconds00:02:37: ISAKMP (0:1): deleting node 926518983 error FALSE reason "quick mode done (await()"00:02:37: ISAKMP (0:1): Node 926518983, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHOld State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE 
00:02:37: IPSEC(key_engine): got a queue event...00:02:37: IPSEC(initialize_sas): ,(key eng. msg.) INBOUND local= 172.16.172.40, remote= 171.69.89.129, local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.1.1.10/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 2147483s and 0kb, spi= 0x68167E3C(1746304572), conn_id= 2002, keysize= 0, flags= 0x400:02:37: IPSEC(initialize_sas): ,(key eng. msg.) OUTBOUND local= 172.16.172.40, remote= 171.69.89.129, local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.1.1.10/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 2147483s and 0kb, spi= 0xD66AF1CC(3597332940), conn_id= 2003, keysize= 0, flags= 0xC00:02:37: IPSEC(create_sa): sa created,(sa) sa_dest= 172.16.172.40, sa_prot= 50, sa_spi= 0x68167E3C(1746304572), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 200200:02:37: IPSEC(create_sa): sa created,(sa) sa_dest= 171.69.89.129, sa_prot= 50, sa_spi= 0xD66AF1CC(3597332940), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
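The debug output above carries the events an engineer checks when verifying a certificate-authenticated tunnel: the main mode state transitions, the CRL fetch and "Certificate verified" result, the XAUTH exchange, and which of the client's IPSec proposals the router finally accepted (here ESP_DES with HMAC-MD5, after rejecting the 3DES proposals). The following Python parser is an added example, not part of the original Cisco document and not Cisco's own tooling: it reads `debug crypto isakmp` / `debug crypto ipsec` style lines and summarizes those events, flagging accepted proposals that use algorithms a current policy should no longer allow. The sample lines are constructed in the format of the output above, and the class and function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the format of Cisco IOS "debug crypto isakmp" and
# "debug crypto ipsec" output (abridged; not copied from a real device).
SAMPLE_DEBUG = """\
00:02:31: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM4  New State = IKE_R_MM5
00:02:32: CRYPTO_PKI: Certificate verified, chain status= 1
00:02:32: ISAKMP (0:1): SA has been authenticated with 171.69.89.129
00:02:36: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
00:02:36: ISAKMP (0:1): Checking IPSec proposal 1
00:02:36: ISAKMP: transform 1, ESP_3DES
00:02:36: ISAKMP: authenticator is HMAC-MD5
00:02:36: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
00:02:36: ISAKMP (0:1): atts not acceptable. Next payload is 0
00:02:36: ISAKMP (0:1): Checking IPSec proposal 5
00:02:36: ISAKMP: transform 1, ESP_DES
00:02:36: ISAKMP: authenticator is HMAC-MD5
00:02:36: ISAKMP (0:1): atts are acceptable.
00:02:36: ISAKMP (0:1): Checking IPSec proposal 5
00:02:36: ISAKMP (0:1): transform 1, IPPCP LZS
00:02:36: IPSEC(validate_proposal): transform proposal (prot 4, trans 3, hmac_alg 0) not supported
00:02:36: ISAKMP (0:1): atts not acceptable. Next payload is 0
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
CHAIN_RE = re.compile(r"Certificate verified, chain status= (\d+)")
PEER_AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
PROPOSAL_RE = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM_RE = re.compile(r"transform \d+, (.+?)\s*$")   # "transform proposal (..." does not match
AUTH_RE = re.compile(r"authenticator is (\S+)")

# Algorithms that a current IPSec policy should not accept (assumed policy list).
WEAK_ALGORITHMS = {"ESP_DES", "ESP_3DES", "HMAC-MD5"}


@dataclass
class Proposal:
    number: int
    transform: Optional[str] = None
    authenticator: Optional[str] = None
    accepted: Optional[bool] = None


@dataclass
class IkeSummary:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    certificate_verified: bool = False
    authenticated_peer: Optional[str] = None
    proposals: List[Proposal] = field(default_factory=list)

    def phase1_complete(self) -> bool:
        """True once any state transition lands in IKE_P1_COMPLETE."""
        return any(new == "IKE_P1_COMPLETE" for _, new in self.transitions)

    def accepted_proposals(self) -> List[Proposal]:
        return [p for p in self.proposals if p.accepted]

    def weak_algorithm_findings(self) -> List[str]:
        """One finding per weak algorithm in an accepted proposal."""
        findings = []
        for p in self.accepted_proposals():
            for alg in (p.transform, p.authenticator):
                if alg in WEAK_ALGORITHMS:
                    findings.append(f"proposal {p.number} accepted with weak algorithm {alg}")
        return findings


def parse_isakmp_debug(text: str) -> IkeSummary:
    """Walk the debug lines once, tracking the proposal currently being checked."""
    summary = IkeSummary()
    current: Optional[Proposal] = None
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            summary.transitions.append((m.group(1), m.group(2)))
        elif CHAIN_RE.search(line):
            summary.certificate_verified = True
        elif m := PEER_AUTH_RE.search(line):
            summary.authenticated_peer = m.group(1)
        elif m := PROPOSAL_RE.search(line):
            current = Proposal(int(m.group(1)))
            summary.proposals.append(current)
        elif current is not None:
            if m := TRANSFORM_RE.search(line):
                current.transform = m.group(1)
            elif m := AUTH_RE.search(line):
                current.authenticator = m.group(1)
            elif "atts are acceptable" in line:
                current.accepted = True
                current = None
            elif "atts not acceptable" in line:
                current.accepted = False
                current = None
    return summary


if __name__ == "__main__":
    s = parse_isakmp_debug(SAMPLE_DEBUG)
    print("phase 1 complete:", s.phase1_complete())
    print("certificate verified:", s.certificate_verified, "peer:", s.authenticated_peer)
    for p in s.proposals:
        print(f"proposal {p.number}: {p.transform} / {p.authenticator} -> accepted={p.accepted}")
    for finding in s.weak_algorithm_findings():
        print("WARNING:", finding)
```

Run against a saved debug capture (`parse_isakmp_debug(open(path).read())`) the summary answers the three troubleshooting questions in order: did the certificate chain verify, did phase 1 (including XAUTH) complete, and which transform was actually negotiated. The weak-algorithm check reflects that the output above negotiates DES with MD5 only because the router's transform set offers nothing stronger; on a current deployment that finding should drive a change to the `crypto ipsec transform-set` rather than be ignored.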

Related Information

  • IP Security (IPSec) Product Support Pages
  • Technical Support - Cisco Systems