Verifying establishment of the protected L2 connection between Hub1 and Spoke1

1.    Initiate the establishment of the protected L2 connection between the Hub1 and Spoke1 crypto gateways from any of the protected devices. For the check we will use the device pairs host0-behind-spoke1 to host0-behind-hub1 (the reverse direction works as well) in the Native VLAN and host1-behind-spoke1 to host1-behind-hub1 (the reverse direction works as well) in VLAN ID 10.

1.1.     Run the ping command from the Linux bash console of the protected device host0-behind-spoke1.

root@host0-behind-spoke1:~# ping 192.168.100.100 -c 5
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=3.48 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=3.25 ms
64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=3.03 ms
64 bytes from 192.168.100.100: icmp_seq=4 ttl=64 time=2.71 ms
64 bytes from 192.168.100.100: icmp_seq=5 ttl=64 time=3.03 ms

--- 192.168.100.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 2.706/3.099/3.481/0.263 ms

1.2.     Run the ping command from the Linux bash console of the protected device host1-behind-spoke1.

root@host1-behind-spoke1:~# ping 192.168.101.100 -c 5
PING 192.168.101.100 (192.168.101.100) 56(84) bytes of data.
64 bytes from 192.168.101.100: icmp_seq=1 ttl=64 time=4.43 ms
64 bytes from 192.168.101.100: icmp_seq=2 ttl=64 time=3.70 ms
64 bytes from 192.168.101.100: icmp_seq=3 ttl=64 time=3.45 ms
64 bytes from 192.168.101.100: icmp_seq=4 ttl=64 time=2.47 ms
64 bytes from 192.168.101.100: icmp_seq=5 ttl=64 time=2.63 ms

--- 192.168.101.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 11ms
rtt min/avg/max/mdev = 2.473/3.336/4.428/0.719 ms

2.    Verify that protected IPsec connections are established on the Hub1 and Spoke1 crypto gateways. To do so, run the command run sa_mgr show in the cisco-like console of each crypto gateway.

Hub1#run sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 17 (172.16.100.2,500)-(172.16.1.2,500) active 13220 13480

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 8528 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 128
2 8529 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
3 8530 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 128
4 8531 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
5 8532 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 128
6 8533 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
7 8534 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 128
8 8535 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
9 8536 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 128
10 8537 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
11 8538 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 96
12 8539 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 0
13 8540 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 0
14 8541 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 96
15 8542 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 128
16 8543 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
17 8544 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 128
18 8545 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
19 8546 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
20 8547 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
21 8548 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 0
22 8549 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
23 8550 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
24 8551 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
25 8552 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
26 8553 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 96
27 8554 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 96
28 8555 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
29 8556 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
30 8557 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
31 8558 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
32 8559 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
33 8560 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 96
34 8561 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 96

Spoke1#run sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 13 (172.16.1.2,500)-(172.16.100.2,500) active 13480 13220

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 8528 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 96
2 8529 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
3 8530 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 96
4 8531 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
5 8532 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 128
6 8533 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
7 8534 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 128
8 8535 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
9 8536 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 128
10 8537 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
11 8538 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 96 128
12 8539 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 96
13 8540 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 96
14 8541 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 96 128
15 8542 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 96
16 8543 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
17 8544 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 96
18 8545 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
19 8546 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
20 8547 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
21 8548 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 96
22 8549 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
23 8550 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
24 8551 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
25 8552 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
26 8553 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 96 0
27 8554 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 96 0
28 8555 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
29 8556 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
30 8557 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
31 8558 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
32 8559 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
33 8560 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 96 0
34 8561 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 96 0

As can be seen, protected IPsec connections are established on the Hub1 and Spoke1 crypto gateways (the number of protected IPsec connections must match the value of the threads parameter specified in the L2 setup wizard; in the output above both gateways list 34 IPsec connections, each with an active ISAKMP connection to the peer). If the connections have not been established, check the log file (command run less /var/log/cspvpngate.log). If necessary, raise the logging level (command logging trap debugging in the cisco-like console) and initiate the protected connection again.
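The check in step 2 can be automated by parsing the run sa_mgr show output. The following is an added example, not part of the original procedure or the gateway's own tooling: it verifies that the ISAKMP connection to the expected peer is active, that the number of ESP tunnel SAs equals the threads value from the L2 wizard, and cross-checks that each conn-id's Sent/Rcvd counters on Hub1 mirror the Rcvd/Sent counters on Spoke1 (as they do in the output above). The embedded HUB1 and SPOKE1 strings are constructed excerpts of the page's output; the peer addresses and the threads value passed in are assumptions for the test run.

```python
import re
# Excerpts of the page's "run sa_mgr show" output for Hub1 and Spoke1, embedded as
# constructed sample input (3 of the 34 IPsec rows each) so the check runs offline.
HUB1 = """\
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 17 (172.16.100.2,500)-(172.16.1.2,500) active 13220 13480
IPsec connections:
1 8528 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 96 128
2 8529 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 128 0
3 8546 (172.16.100.2,*)-(172.16.1.2,*) 97 ESP tunn 0 128
"""
SPOKE1 = """\
ISAKMP connections:
1 13 (172.16.1.2,500)-(172.16.100.2,500) active 13480 13220
IPsec connections:
1 8528 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 96
2 8529 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 0 128
3 8546 (172.16.1.2,*)-(172.16.100.2,*) 97 ESP tunn 128 0
"""
ISAKMP_RE = re.compile(r"^\d+ (\d+) \([\d.]+,\d+\)-\(([\d.]+),\d+\) (\w+) \d+ \d+$")
IPSEC_RE = re.compile(r"^\d+ (\d+) \([\d.]+,\*\)-\(([\d.]+),\*\) (\d+) (\w+) (\w+) (\d+) (\d+)$")
def parse_sa_mgr(text):
    """Return (isakmp, ipsec) row lists. ISAKMP rows carry real ports and IPsec rows
    carry '*', so each row matches one regex; header and section lines match neither."""
    isakmp, ipsec = [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse column padding
        if m := ISAKMP_RE.match(line):
            isakmp.append({"conn": int(m[1]), "remote": m[2], "state": m[3]})
        elif m := IPSEC_RE.match(line):
            ipsec.append({"conn": int(m[1]), "remote": m[2], "proto": int(m[3]), "action": m[4],
                          "type": m[5], "sent": int(m[6]), "rcvd": int(m[7])})
    return isakmp, ipsec
def check_gateway(text, peer, threads):
    """Problems on one gateway; an empty list means step 2 of the procedure passes."""
    isakmp, ipsec = parse_sa_mgr(text)
    problems = []
    if not any(c["remote"] == peer and c["state"] == "active" for c in isakmp):
        problems.append(f"no active ISAKMP connection to {peer}")
    # the L2 SAs in the page's output are ESP tunnel-mode with IP protocol 97 (EtherIP) selectors
    esp = [c for c in ipsec if (c["remote"], c["proto"], c["action"], c["type"]) == (peer, 97, "ESP", "tunn")]
    if len(esp) != threads:
        problems.append(f"expected {threads} ESP tunnel SAs (L2 wizard 'threads'), found {len(esp)}")
    return problems
def cross_check(hub_text, spoke_text):
    """Conn-ids whose Hub Sent/Rcvd counters do not mirror the Spoke's Rcvd/Sent."""
    hub = {c["conn"]: c for c in parse_sa_mgr(hub_text)[1]}
    spoke = {c["conn"]: c for c in parse_sa_mgr(spoke_text)[1]}
    return sorted(i for i in hub.keys() | spoke.keys() if i not in hub or i not in spoke
                  or (hub[i]["sent"], hub[i]["rcvd"]) != (spoke[i]["rcvd"], spoke[i]["sent"]))
```

On a live gateway, paste the full run sa_mgr show output from Hub1 and Spoke1 into the two strings and pass the wizard's threads value (34 in this page's output) to check_gateway.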