How to check the status of, clear, restore and monitor IPSec VPN tunnels


Solution

Overview

This document describes how to verify the status of an IPSec tunnel, verify tunnel monitoring, clear the tunnel and bring it back up.


Details

1. Manually initiate the VPN IKE phase 1 and phase 2 SAs.

A VPN tunnel is only negotiated when there is traffic destined for it (on demand).
If you want to bring the tunnel up manually without real traffic, use the following commands.
Note: manual initiation is only possible from the CLI.

 

> test vpn ike-sa
Start time: Dec.04 00:03:37
Initiate 1 IKE SA.

> test vpn ipsec-sa
Start time: Dec.04 00:03:41
Initiate 1 IPSec SA.

 

2. Check the IKE phase 1 status (for IKEv1)

GUI:
Navigate to Network->IPSec Tunnels

Green indicates up

[Screenshot: IPSec Tunnels page, IKE status shown in green]

Red indicates down

[Screenshot: IPSec Tunnels page, IKE status shown in red]

You can click IKE Info to get the details of the phase 1 SA.
IKE phase 1 SA up:

[Screenshot: IKE Info dialog with the phase 1 SA details]

If the IKE phase 1 SA is down, IKE Info will be empty.

CLI:
IKE phase 1 SA up:

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
38              203.0.113.100          ike-gw                 Init Main PSK/DH20/A256/SHA512  Dec.03 22:37:01 Dec.04 06:37:01 v1 13 1  1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name           TnID     Tunnel                 GwID/IP          Role Algorithm          SPI(in)  SPI(out) MsgID    ST Xt
------------           ----     ------                 -------          ---- ---------          -------  -------- -----    -- --
ike-gw                 139      ipsec-tunnel:lab-proxy 38               Init ESP/DH20/tunl/     A25ADE56 C79A64B7 B3E9927A 9  1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.

 

IKE phase 1 SA down:

> show vpn ike-sa
There is no IKEv1 phase-1 SA found.

or

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
38              203.0.113.100          ike-gw                 Init Main PSK/    /    /                                        v1 3  2  0
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

 

If the phase 1 SA is down, you will not see the peer IP and the Established status.

For IKEv2, the details shown when you click IKE Info are the same.

GUI:

[Screenshot: IKE Info dialog for an IKEv2 gateway]

IKEv2 CLI:

 

> show vpn ike-sa

There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID      Peer-Address           Gateway Name           Role SN       Algorithm             Established     Expiration      Xt Child  ST
----------      ------------           ------------           ---- --       ---------             -----------     ----------      -- -----  --
38              203.0.113.100          ike-gw                 Resp 2        PSK/DH20/A256/SHA512  Dec.04 00:10:58 Dec.04 08:10:58 0  1      Established

IKEv2 IPSec Child SAs
Gateway Name           TnID     Tunnel                    ID       Parent   Role SPI(in)  SPI(out) MsgID    ST
------------           ----     ------                    --       ------   ---- -------  -------- -----    --
ike-gw                 139      ipsec-tunnel:lab-proxyid1 2        2        Resp DA76A187 9E1E9372 00000001 Mature

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

 

 

3. Check whether the phase 2 IPSec tunnel is up:

GUI:
Navigate to Network->IPSec Tunnels

Green indicates up

[Screenshot: IPSec Tunnels page, Tunnel status shown in green]

Red indicates down

[Screenshot: IPSec Tunnels page, Tunnel status shown in red]

You can click Tunnel Info to get the details of the phase 2 SA.

[Screenshot: Tunnel Info dialog with the phase 2 SA details]

CLI:

> show vpn ipsec-sa
GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB)
--------------  ----   ------------           ---------------                                ---------          -------  -------- ------------
38              139    203.0.113.100          ipsec-tunnel:lab-proxyid1(ike-gw)              ESP/G256/          F2B7CEF0 F248D17B 2269/0

 

4. Check encryption and decryption (encap/decap) over the tunnel

> show vpn flow
total tunnels configured:                                     1
filter - type IPSec, state any
total IPSec tunnel configured:                                1
total IPSec tunnel shown:                                     1
id    name                          state   monitor local-ip                      peer-ip                       tunnel-i/f
--    ----                          -----   ------- --------                      -------                       ----------
139   ipsec-tunnel:lab-proxyid1     active  off     198.51.100.100                203.0.113.100                 tunnel.1

Note: for tunnel monitoring, a monitor state of down means the monitored destination IP is unreachable; off means tunnel monitoring is not configured.

Note the tunnel ID; in this example the tunnel ID is 139.

 

> show vpn flow tunnel-id 139
tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        type:                   IPSec
        gateway id:             38
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        inner interface:        tunnel.1
        outer interface:        ethernet1/1
        state:                  active
        session:                568665
        tunnel mtu:             1432
        soft lifetime:          3579
        hard lifetime:          3600
        lifetime remain:        2154 sec
        lifesize remain:        N/A
        latest rekey:           1446 seconds ago
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        en/decap context:       736
        local spi:              F2B7CEF0
        remote spi:             F248D17B
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA512
        enc  algorithm:         AES256GCM16
        proxy-id:
          local ip:             10.133.133.0/24
          remote ip:            10.134.134.0/24
          protocol:             0
          local port:           0
          remote port:          0
        anti replay check:      yes
        copy tos:               no
        enable gre encap:       no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       4280
        receive sequence:       4280
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
        key acquire requests:   90
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1

 

Run show vpn flow tunnel-id <id> several times and watch how the counter values trend.
Steadily increasing authentication errors, decryption errors or replay packets indicate a problem with the tunnel traffic.
When normal traffic is flowing through the tunnel, the encap/decap packets and bytes counters increase.
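One way to do this comparison in a script, added here as an example that is not part of the original article or of PAN-OS: parse two readings of show vpn flow tunnel-id <id> into key/value maps and compute the counter deltas. The first snapshot is constructed from the output above (trimmed to the fields the check needs); the second is a made-up later reading in which encap packets and decryption errors have grown, so the check has something to flag. The wording of the findings is my own, not firewall messages.

```python
"""Compare two `show vpn flow tunnel-id <id>` snapshots and flag bad trends.

Added example, not code from the original article. The first snapshot mirrors
the article's output; the second is a constructed later reading.
"""
import re
from typing import Dict, List

ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")
TRAFFIC_COUNTERS = ("encap packets", "decap packets", "encap bytes", "decap bytes")

# Constructed: the article's output, trimmed to the lines this check uses.
SNAPSHOT_1 = """\
tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        type:                   IPSec
        gateway id:             38
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        state:                  active
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        local spi:              F2B7CEF0
        remote spi:             F248D17B
        proxy-id:
          local ip:             10.133.133.0/24
          remote ip:            10.134.134.0/24
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        packets received
          when lifetime expired:0
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
"""


def _bump(snapshot: str, key: str, value: int) -> str:
    """Rewrite one counter line of a snapshot (used only to build the constructed second reading)."""
    return re.sub(rf"^(\s*{re.escape(key)}:\s*)\d+", rf"\g<1>{value}", snapshot, flags=re.M)


# Constructed later reading: traffic was sent, nothing came back, and decryption errors rose.
SNAPSHOT_2 = _bump(_bump(_bump(SNAPSHOT_1, "encap packets", 8210),
                         "encap bytes", 722480), "decryption errors", 3)

# Indented "key: value" lines; the key may contain spaces and a slash (en/decap context).
KEY_VALUE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9/ -]*?):\s*(.*?)\s*$")


def parse_tunnel_flow(output: str) -> Dict[str, str]:
    """Map the indented `key: value` lines of one snapshot to a dict.

    The first occurrence of a key wins, so the tunnel's own 'local ip' is not
    overwritten by the 'local ip' nested under proxy-id further down.
    """
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = KEY_VALUE.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def counter_deltas(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, int]:
    """Per-counter change between two readings (negative means the counter reset)."""
    return {k: int(after[k]) - int(before[k])
            for k in ERROR_COUNTERS + TRAFFIC_COUNTERS if k in before and k in after}


def assess(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Findings worth acting on, derived from two readings taken some seconds apart."""
    d = counter_deltas(before, after)
    findings: List[str] = []
    rising = [f"{k} +{d[k]}" for k in ERROR_COUNTERS if d.get(k, 0) > 0]
    if rising:
        findings.append("rising error counters: " + ", ".join(rising))
    encap, decap = d.get("encap packets", 0), d.get("decap packets", 0)
    if encap == 0 and decap == 0:
        findings.append("no encap/decap activity between snapshots")
    elif decap == 0:
        findings.append(f"encap +{encap} but decap unchanged: nothing is being received through the tunnel")
    elif encap == 0:
        findings.append(f"decap +{decap} but encap unchanged: nothing is being sent through the tunnel")
    monitor = after.get("monitor")
    if monitor == "down":
        findings.append("tunnel monitor is down: the monitored destination IP is unreachable")
    elif monitor == "off":
        findings.append("tunnel monitor is off (not configured)")
    if after.get("state") != "active":
        findings.append(f"tunnel state is {after.get('state')!r}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_tunnel_flow(SNAPSHOT_1), parse_tunnel_flow(SNAPSHOT_2)):
        print("-", finding)
```

In practice the two snapshots come from running the command a few seconds apart; a rekey or a counter reset shows up as a negative delta, which is why the deltas are kept signed rather than clamped.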

 

5. Clear: the following commands tear down the VPN tunnel:

> clear vpn ike-sa gateway <gw-name>
Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel <tunnel-name>
Delete IKEv1 IPSec SA: Total 1 tunnels found.

 

 
