01-10-2023 12:57 AM - edited 01-18-2023 12:35 AM
Overview
This document can be used to verify the status of an IPSec tunnel, verify tunnel monitoring, clear the tunnel, and bring the tunnel back up.
Details
1. Manually initiate the VPN IKE phase-1 and phase-2 SAs.
A VPN tunnel is only negotiated when there is traffic destined for the tunnel (on demand).
If you want to bring the tunnel up manually without real traffic, you can use the following commands.
Note: manual initiation can only be done from the CLI.
> test vpn ike-sa
Start time: Dec.04 00:03:37
Initiate 1 IKE SA.

> test vpn ipsec-sa
Start time: Dec.04 00:03:41
Initiate 1 IPSec SA.
2. Check the IKE phase-1 status (in the case of IKEv1)
GUI:
Navigate to Network -> IPSec Tunnels
Green means up
Red means down
You can click IKE Info to get the details of the phase-1 SA.
IKE phase-1 SA up:
If the IKE phase-1 SA is down, the IKE Info will be empty.
CLI:
IKE phase-1 SA up:
> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address   Gateway Name   Role Mode Algorithm            Established     Expiration      V  ST Xt Phase2
-------------- -------------- -------------- ---- ---- -------------------- --------------- --------------- -- -- -- ------
38             203.0.113.100  ike-gw         Init Main PSK/DH20/A256/SHA512 Dec.03 22:37:01 Dec.04 06:37:01 v1 13 1  1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name   TnID Tunnel                  GwID/IP Role Algorithm       SPI(in)  SPI(out) MsgID    ST Xt
-------------- ---- ----------------------- ------- ---- --------------- -------- -------- -------- -- --
ike-gw         139  ipsec-tunnel:lab-proxy  38      Init ESP/DH20/tunl/  A25ADE56 C79A64B7 B3E9927A 9  1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.
IKE phase-1 SA down:
> show vpn ike-sa
There is no IKEv1 phase-1 SA found.
or
> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address   Gateway Name   Role Mode Algorithm            Established     Expiration      V  ST Xt Phase2
-------------- -------------- -------------- ---- ---- -------------------- --------------- --------------- -- -- -- ------
38             203.0.113.100  ike-gw         Init Main PSK/ / /                                            v1 3  2  0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
If the phase-1 SA is down, you will not see the peer IP or the established connection state.
For IKEv2, the IKE Info details shown when you click IKE Info are the same:
GUI:
IKEv2 CLI:
> show vpn ike-sa
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID Peer-Address   Gateway Name   Role SN Algorithm            Established     Expiration      Xt Child ST
---------- -------------- -------------- ---- -- -------------------- --------------- --------------- -- ----- -----------
38         203.0.113.100  ike-gw         Resp 2  PSK/DH20/A256/SHA512 Dec.04 00:10:58 Dec.04 08:10:58 0  1     Established

IKEv2 IPSec Child SAs
Gateway Name   TnID Tunnel                    ID Parent Role SPI(in)  SPI(out) MsgID    ST
-------------- ---- ------------------------- -- ------ ---- -------- -------- -------- ------
ike-gw         139  ipsec-tunnel:lab-proxyid1 2  2      Resp DA76A187 9E1E9372 00000001 Mature

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
3. Check whether the phase-2 IPSec tunnel is up:
GUI:
Navigate to Network -> IPSec Tunnels
Green means up
Red means down
You can click Tunnel Info to get the details of the phase-2 SA.
CLI:
> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
38 139 203.0.113.100 ipsec-tunnel:lab-proxyid1(ike-gw) ESP/G256/ F2B7CEF0 F248D17B 2269/0
4. Check encapsulation and decapsulation (encap/decap) through the tunnel
> show vpn flow
total tunnels configured:                                 1
filter - type IPSec, state any

total IPSec tunnel configured:                            1
total IPSec tunnel shown:                                 1

id   name                       state  monitor  local-ip        peer-ip         tunnel-i/f
--   ----                       -----  -------  --------        -------         ----------
139  ipsec-tunnel:lab-proxyid1  active off      198.51.100.100  203.0.113.100   tunnel.1
Note: for tunnel monitoring, a monitor state of down means the monitored destination IP is unreachable; off means tunnel monitoring is not configured.
Note the tunnel ID; in this example the tunnel ID is 139.
> show vpn flow tunnel-id 139

tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        type:                   IPSec
        gateway id:             38
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        inner interface:        tunnel.1
        outer interface:        ethernet1/1
        state:                  active
        session:                568665
        tunnel mtu:             1432
        soft lifetime:          3579
        hard lifetime:          3600
        lifetime remain:        2154 sec
        lifesize remain:        N/A
        latest rekey:           1446 seconds ago
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       736
        local spi:              F2B7CEF0
        remote spi:             F248D17B
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA512
        enc  algorithm:         AES256GCM16
        proxy-id:
            local ip:           10.133.133.0/24
            remote ip:          10.134.134.0/24
            protocol:           0
            local port:         0
            remote port:        0
        anti replay check:      yes
        copy tos:               no
        enable gre encap:       no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       4280
        receive sequence:       4280
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
        key acquire requests:   90
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1
Run the command show vpn flow tunnel-id <id> several times and watch the trend of the counter values.
A steady increase in authentication errors, decryption errors, or replay packets indicates a problem with the tunnel traffic.
When there is normal traffic in the tunnel, the encap/decap packets/bytes counters increase.
5. The following clear commands will tear down the VPN tunnel:
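The two CLI checks above (step 2, reading the Established column of show vpn ike-sa, and step 4, comparing counters between runs of show vpn flow tunnel-id) are easy to automate. The script below is an added example and not PAN-OS code or part of this article; the sample outputs it parses are constructed to match the column layout and field names shown on this page, with made-up values, and the regular expressions are this example's assumptions about that layout.

```python
import re

# Constructed sample of "show vpn ike-sa": one IKEv1 phase-1 SA that is up,
# laid out like the output on this page (values made up for the example).
IKE_SA_UP = """\
IKEv1 phase-1 SAs
GwID/client IP Peer-Address  Gateway Name Role Mode Algorithm            Established     Expiration      V  ST Xt Phase2
-------------- ------------- ------------ ---- ---- -------------------- --------------- --------------- -- -- -- ------
38             203.0.113.100 ike-gw       Init Main PSK/DH20/A256/SHA512 Dec.03 22:37:01 Dec.04 06:37:01 v1 13 1  1
"""

# Constructed sample of the "down" form: same gateway, blank algorithm, no timestamps.
IKE_SA_DOWN = """\
IKEv1 phase-1 SAs
GwID/client IP Peer-Address  Gateway Name Role Mode Algorithm Established Expiration V  ST Xt Phase2
-------------- ------------- ------------ ---- ---- --------- ----------- ---------- -- -- -- ------
38             203.0.113.100 ike-gw       Init Main PSK/ / /                         v1 3  2  0
"""

TS = r"[A-Z][a-z]{2}\.\d{2} \d{2}:\d{2}:\d{2}"   # timestamp as printed, e.g. Dec.03 22:37:01
# An SA row starts with a numeric GwID, then peer address and gateway name, and
# carries both an Established and an Expiration timestamp when the SA is up.
SA_ROW_RE = re.compile(
    r"^\s*\d+\s+(?P<peer>\S+)\s+(?P<gw>\S+)\s+.*?(?P<est>" + TS + r")\s+" + TS,
    re.MULTILINE,
)


def established_gateways(ike_sa_output: str) -> dict:
    """Map gateway name -> Established time for each IKEv1 phase-1 / IKEv2 SA row.

    The "down" form (blank algorithm, empty timestamp columns) produces no match,
    and phase-2 / child-SA rows start with the gateway name rather than a GwID,
    so they are skipped as well.
    """
    return {m["gw"]: m["est"] for m in SA_ROW_RE.finditer(ike_sa_output)}


# Constructed samples of "show vpn flow tunnel-id 139" taken a few minutes apart,
# trimmed to the counter lines this check uses (field names as on the page).
FLOW_T0 = """\
tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        state:                  active
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
"""
FLOW_T1 = """\
tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        state:                  active
        authentication errors:  0
        decryption errors:      17
        replay packets:         4
        encap packets:          8410
        decap packets:          8153
        encap bytes:            740000
        decap bytes:            717464
"""

# Matches "name: <integer>" lines only; lines like "state: active" or
# "lifetime remain: 2154 sec" are ignored.
COUNTER_RE = re.compile(r"^\s*([a-z][a-z ]*?):\s*(\d+)\s*$", re.MULTILINE)
ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")


def parse_counters(flow_output: str) -> dict:
    """Return {counter name: int} for every integer-valued field in the output."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(flow_output)}


def assess_tunnel(before_output: str, after_output: str) -> dict:
    """Compare two samples: a rising error counter or one-way traffic is a finding."""
    before, after = parse_counters(before_output), parse_counters(after_output)
    delta = {k: after[k] - before[k] for k in after if k in before}
    findings = [f"{n} rose by {delta[n]}" for n in ERROR_COUNTERS if delta.get(n, 0) > 0]
    # Encap climbing while decap stays flat means we send but nothing comes back.
    if delta.get("encap packets", 0) > 0 and delta.get("decap packets", 0) == 0:
        findings.append("encap packets rising but decap packets flat: no traffic returning from peer")
    return {"delta": delta, "findings": findings, "healthy": not findings}


if __name__ == "__main__":
    print("up:", established_gateways(IKE_SA_UP), "down:", established_gateways(IKE_SA_DOWN))
    print(assess_tunnel(FLOW_T0, FLOW_T1))
```

In practice the two strings would be the captured output of the commands from two consecutive runs; the comparison only flags counters that actually moved between samples, so a tunnel with a handful of historic decryption errors that are no longer increasing is reported as healthy, which matches the guidance above to look at the trend rather than the absolute value.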
> clear vpn ike-sa gateway <gw-name>
Delete IKEv1 IKE SA: Total 1 gateways found.
> clear vpn ipsec-sa tunnel <tunnel-name>
Delete IKEv1 IPSec SA: Total 1 tunnels found.