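I'm not very good with ASA, so please keep that in mind.
I need to replace an ASA, but I can't seem to get some of the information about phase 1 and phase 2. I can get everything for phase 1 except the DH group (I get PFS Group 1, how does this translate?), and for phase 2 I can't get the lifetime either.
For this, I get the following:
show crypto ips sa
interface: ISP2
Crypto map tag: outside_map, seq num: 1, local addr: 216.xxx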
access-list outside_cryptomap extended permit ip 10.10.x.x 255.255.255.0 192.168.16.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.x.x/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.x.x.x/255.255.255.0/0/0)
current_peer: 66.x.x.x
#pkts encaps: 1475193, #pkts encrypt: 1475193, #pkts digest: 1475193
#pkts decaps: 998141, #pkts decrypt: 998141, #pkts verify: 998141
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1475193, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.x.x.x/0, remote crypto endpt.: 66.x.x.x/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 48186D7D
current inbound spi : F51B80AE
inbound esp sas:
spi: 0xxxxxx (xxxxxxx)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4361108/20145)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xxxxxxxx (xxxxxxxxx)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4341378/20145)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I have the show run as well as the output of the following:
show crypto ikev1 sa detail
show crypto ips sa
show vpn-sessiondb detail l2l
Which commands do I need to run to get everything I need?
Thanks,