2010-07-27 07:40 PM
On IOS, the extended ping command (or plain ping with the source option) makes it easy to generate ICMP packets from a chosen source address. This is very handy when you want to verify that a VPN actually works after configuring it.
Router# ping 192.168.20.1 source fa0/1
On an ASA, by contrast, pinging with an interface specified sends the packet out of that interface regardless of the routing table. That said, once you have built a VPN between two ASAs, or between an ASA and an IOS router, there is still a way to test from the ASA side whether the configuration is correct: the packet-tracer command.
As an example, take the VPN environment below. An L2L VPN is built between the ASA and a Cisco 1841 router, and traffic between the subnets 192.168.20.0/24 and 192.168.30.0/24 is the interesting traffic for the VPN.
192.168.20.0/24 ------ (inside) ASA (outside) ------ 192.168.10.0/24 ------ C1841 ------ 192.168.30.0/24
Once the configuration is complete, enable logging or debug and run packet-tracer on the ASA as shown below. The output is the normal packet-tracer output interleaved with the VPN-related log messages that packet-tracer triggers.
ciscoasa(config)# packet-tracer input inside tcp 192.168.20.2 1025 192.168.30.1 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
%ASA-7-609001: Built local-host inside:192.168.20.2
%ASA-7-609001: Built local-host outside:192.168.30.1
%ASA-7-609002: Teardown local-host inside:192.168.20.2 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.30.1 duration 0:00:00
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 192.168.10.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.10.2 local Proxy Address 192.168.20.0, remote Proxy Address 192.168.30.0, Crypto map (MAP)
%ASA-7-715046: IP = 192.168.10.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 192.168.10.2, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 192.168.10.2, constructing NAT-Traversal VID ver 03 payload
%ASA-7-715046: IP = 192.168.10.2, constructing NAT-Traversal VID ver RFC payload
%ASA-7-715046: IP = 192.168.10.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.30.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
%ASA-7-715047: IP = 192.168.10.2, processing SA payload
%ASA-7-713906: IP = 192.168.10.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 192.168.10.2, processing VID payload
%ASA-7-715049: IP = 192.168.10.2, Received NAT-Traversal RFC VID
%ASA-7-715046: IP = 192.168.10.2, constructing ke payload
%ASA-7-715046: IP = 192.168.10.2, constructing nonce payload
%ASA-7-715046: IP = 192.168.10.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 192.168.10.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 192.168.10.2, Send IOS VID
%ASA-7-715038: IP = 192.168.10.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 192.168.10.2, constructing VID payload
%ASA-7-715048: IP = 192.168.10.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: IP = 192.168.10.2, constructing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.10.2, computing NAT Discovery hash
%ASA-7-715046: IP = 192.168.10.2, constructing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.10.2, computing NAT Discovery hash
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
%ASA-7-715047: IP = 192.168.10.2, processing ke payload
%ASA-7-715047: IP = 192.168.10.2, processing ISA_KE payload
%ASA-7-715047: IP = 192.168.10.2, processing nonce payload
%ASA-7-715047: IP = 192.168.10.2, processing VID payload
%ASA-7-715049: IP = 192.168.10.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 192.168.10.2, processing VID payload
%ASA-7-715049: IP = 192.168.10.2, Received DPD VID
%ASA-7-715047: IP = 192.168.10.2, processing VID payload
%ASA-7-715038: IP = 192.168.10.2, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
%ASA-7-715047: IP = 192.168.10.2, processing VID payload
%ASA-7-715049: IP = 192.168.10.2, Received xauth V6 VID
%ASA-7-715047: IP = 192.168.10.2, processing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.10.2, computing NAT Discovery hash
%ASA-7-715047: IP = 192.168.10.2, processing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.10.2, computing NAT Discovery hash
%ASA-7-713906: IP = 192.168.10.2, Connection landed on tunnel_group 192.168.10.2
%ASA-7-713906: Group = 192.168.10.2, IP = 192.168.10.2, Generating keys for Initiator...
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing ID payload
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing hash payload
%ASA-7-715076: Group = 192.168.10.2, IP = 192.168.10.2, Computing hash for ISAKMP
%ASA-7-715034: IP = 192.168.10.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing dpd vid payload
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
%ASA-6-713172: Group = 192.168.10.2, IP = 192.168.10.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing ID payload
%ASA-7-714011: Group = 192.168.10.2, IP = 192.168.10.2, ID_IPV4_ADDR ID received
192.168.10.2
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing hash payload
%ASA-7-715076: Group = 192.168.10.2, IP = 192.168.10.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 192.168.10.2, Connection landed on tunnel_group 192.168.10.2
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 192.168.10.2
%ASA-7-713906: Group = 192.168.10.2, IP = 192.168.10.2, Oakley begin quick mode
%ASA-7-714002: Group = 192.168.10.2, IP = 192.168.10.2, IKE Initiator starting QM: msg id = 13129d8b
%ASA-5-713119: Group = 192.168.10.2, IP = 192.168.10.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 192.168.10.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 192.168.10.2, IP = 192.168.10.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-715006: Group = 192.168.10.2, IP = 192.168.10.2, IKE got SPI from key engine: SPI = 0xc8196896
%ASA-7-713906: Group = 192.168.10.2, IP = 192.168.10.2, oakley constucting quick mode
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing blank hash payload
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing IPSec SA payload
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing IPSec nonce payload
%ASA-7-715001: Group = 192.168.10.2, IP = 192.168.10.2, constructing proxy ID
%ASA-7-713906: Group = 192.168.10.2, IP = 192.168.10.2, Transmitting Proxy Id:
Local subnet: 192.168.20.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 192.168.30.0 Mask 255.255.255.0 Protocol 0 Port 0
%ASA-7-714007: Group = 192.168.10.2, IP = 192.168.10.2, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = 192.168.10.2, IP = 192.168.10.2, constructing qm hash payload
%ASA-7-714004: Group = 192.168.10.2, IP = 192.168.10.2, IKE Initiator sending 1st QM pkt: msg id = 13129d8b
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=13129d8b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=13129d8b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing hash payload
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing SA payload
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing nonce payload
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing ID payload
%ASA-7-714011: Group = 192.168.10.2, IP = 192.168.10.2, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing ID payload
%ASA-7-714011: Group = 192.168.10.2, IP = 192.168.10.2, ID_IPV4_ADDR_SUBNET ID received--192.168.30.0--255.255.255.0
%ASA-7-715047: Group = 192.168.10.2, IP = 192.168.10.2, processing notify payload
%ASA-7-713906: Responder Lifetime decode follows (outb SPI[4]|attributes):
%ASA-7-713906: 0000: 020E6699 80010001 00020004 00000E10 ..f.............
%ASA-5-713073: Group = 192.168.10.2, IP = 192.168.10.2, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
%ASA-7-713906: Group = 192.168.10.2, IP = 192.168.10.2, loading all IPSEC SAs
%ASA-7-715001: Group = 192.168.10.2, IP = 192.168.10.2, Generating Quick Mode Key!
%ASA-7-715001: Group = 192.168.10.2, IP = 192.168.10.2, Generating Quick Mode Key!
%ASA-3-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x020E6699) between 192.168.10.1 and 192.168.10.2 (user= 192.168.10.2) has been created.
%ASA-5-713049: Group = 192.168.10.2, IP = 192.168.10.2, Security negotiation complete for LAN-to-LAN Group (192.168.10.2) Initiator, Inbound SPI = 0xc8196896, Outbound SPI = 0x020e6699
%ASA-7-713906: Group = 192.168.10.2, IP = 192.168.10.2, oakley constructing final quick mode
%ASA-7-714006: Group = 192.168.10.2, IP = 192.168.10.2, IKE Initiator sending 3rd QM pkt: msg id = 13129d8b
%ASA-7-713236: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=13129d8b) with payloads : HDR + HASH (8) + NONE (0) total length : 72
%ASA-7-715007: Group = 192.168.10.2, IP = 192.168.10.2, IKE got a KEY_ADD msg for SA: SPI = 0x020e6699
%ASA-3-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC8196896) between 192.168.10.1 and 192.168.10.2 (user= 192.168.10.2) has been created.
%ASA-7-715077: Group = 192.168.10.2, IP = 192.168.10.2, Pitcher: received KEY_UPDATE, spi 0xc8196896
%ASA-7-715080: Group = 192.168.10.2, IP = 192.168.10.2, Starting P2 rekey timer: 3060 seconds.
%ASA-5-713120: Group = 192.168.10.2, IP = 192.168.10.2, PHASE 2 COMPLETED (msgid=13129d8b)
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)# %ASA-5-111008: User 'enable_15' executed the 'packet-tracer input inside tcp 192.168.20.2 1025 192.168.30.1 80' command.
packet-tracer itself reports DROP as the final result, but that can be ignored here.
Because the log shows both PHASE 1 COMPLETED and PHASE 2 COMPLETED, you can confirm that the configuration is fine.
Of course, if something is wrong with the VPN configuration and the VPN session cannot be established, the syslog or debug output will contain messages pointing to the problem, and you can troubleshoot from there.
The advantage of packet-tracer is the wide range of traffic types it supports, which lets you test many kinds of packets. In this sense packet-tracer is a far more powerful test tool than IOS extended ping.
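To make the reading rule above mechanical, here is an added Python example (not from the post and not Cisco's code) that separates the packet-tracer phases from the interleaved %ASA syslog lines and checks for the PHASE 1 / PHASE 2 COMPLETED message IDs (%ASA-5-713119 and %ASA-5-713120) and the negotiated SPIs. The sample output is a constructed, trimmed excerpt of the trace above (phase 3 omitted).

```python
import re

# Constructed sample: a trimmed excerpt of the mixed packet-tracer / IKE syslog
# output shown in the post (only the lines that matter for the verdict).
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
%ASA-5-713041: IP = 192.168.10.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.10.2 local Proxy Address 192.168.20.0, remote Proxy Address 192.168.30.0, Crypto map (MAP)
Result: ALLOW
Phase: 4
%ASA-5-713119: Group = 192.168.10.2, IP = 192.168.10.2, PHASE 1 COMPLETED
%ASA-5-713049: Group = 192.168.10.2, IP = 192.168.10.2, Security negotiation complete for LAN-to-LAN Group (192.168.10.2) Initiator, Inbound SPI = 0xc8196896, Outbound SPI = 0x020e6699
%ASA-5-713120: Group = 192.168.10.2, IP = 192.168.10.2, PHASE 2 COMPLETED (msgid=13129d8b)
Type: VPN
Result: DROP
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SYSLOG = re.compile(r"^%ASA-(\d)-(\d{6}): (.*)$")
PHASE = re.compile(r"^Phase: (\d+)$")

def analyze(output):
    """Split packet-tracer phases from interleaved %ASA syslog lines; judge IKE separately."""
    phases, msg_ids, current = [], set(), None
    for line in output.splitlines():
        if m := SYSLOG.match(line):        # syslog line: remember only its message ID
            msg_ids.add(m.group(2))
            continue
        if m := PHASE.match(line):         # start of the next packet-tracer phase
            current = {"phase": int(m.group(1)), "type": None, "result": None}
            phases.append(current)
        elif current and line.startswith("Type: "):
            current["type"] = line[len("Type: "):]
        elif current and line.startswith("Result: "):   # bare "Result:" is the summary
            current["result"] = line[len("Result: "):]
    drop = re.search(r"^Drop-reason: (.*)$", output, re.M)
    p1, p2 = "713119" in msg_ids, "713120" in msg_ids   # PHASE 1 / PHASE 2 COMPLETED
    return {
        "phase1_completed": p1,
        "phase2_completed": p2,
        "vpn_ok": p1 and p2,        # the post's rule: both phases done => config is fine
        "spis": dict(re.findall(r"(Inbound|Outbound) SPI = (0x[0-9a-fA-F]+)", output)),
        "dropped_in": [p["type"] for p in phases if p["result"] == "DROP"],
        "drop_reason": drop.group(1) if drop else None,
    }
```

The trace's own DROP in the VPN phase is reported separately from vpn_ok, so the two verdicts are not confused.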
ciscoasa(config)# packet-tracer input inside ?
exec mode commands/options:
icmp Enter this keyword if the trace packet is ICMP
rawip Enter this keyword if the trace packet is RAW IP
tcp Enter this keyword if the trace packet is TCP
udp Enter this keyword if the trace packet is UDP