Verifying NAT-T Usage on a Cisco IOS Router

Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 08:23

Whether a Cisco IOS router has NAT-T (NAT traversal) in effect for a given SA can be determined with the following three checks.

Translated by me; the original is from: http://www.groupstudy.com/archives/ccielab/200611/msg01813.html


1. debug crypto isakmp

You should see output similar to the following (NAT-D payloads exchanged, and the hash comparison showing which side's address was translated):

NAT-Discovery Phase for router  behind NAT:
 ....
 *Mar  2 06:00:25.608: ISAKMP (0:1): constructed HIS NAT-D
 *Mar  2 06:00:25.608: ISAKMP (0:1): constructed MINE NAT-D
 .........
 *Mar  2 06:00:26.160: ISAKMP:received payload type 17
 *Mar  2 06:00:26.160: ISAKMP (0:1): Detected NAT-D payload
 *Mar  2 06:00:26.160: ISAKMP (0:1): NAT does not match MINE hash
 *Mar  2 06:00:26.160: hash received: 16 26 6 5E DB 49 79 94 C1 ED A7 9B B1 A0 D1 16
 *Mar  2 06:00:26.160: my nat hash  : E1 12 C9 D8 EE B7 50 9 3 3 4E E3 6D 53 A8 11
 *Mar  2 06:00:26.164: ISAKMP:received payload type 17
 *Mar  2 06:00:26.164: ISAKMP (0:1): Detected NAT-D payload
 *Mar  2 06:00:26.164: ISAKMP (0:1): NAT match HIS hash


2. show crypto ipsec sa

Look for a line such as "in use settings ={Tunnel UDP-Encaps, }"; UDP-Encaps means ESP is being encapsulated in UDP for this SA.

      inbound esp sas:
       spi: 0x9E520B00(2656176896)
         transform: esp-des esp-md5-hmac ,
         in use settings ={Tunnel UDP-Encaps, }
         slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
         sa timing: remaining key lifetime (k/sec): (4512807/3182)
         IV size: 8 bytes
         replay detection support: Y


3. show crypto isakmp sa detail

Look for the capability code "N" (NAT-traversal) in the Cap. column.

Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Encr Hash Auth DH Lifetime Cap.
1     130.1.19.1      130.1.239.254            des  md5  psk  2  23:51:43  DN
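To run the three checks above without reading the output by eye, here is an added example (not from the original post or the groupstudy thread) that parses constructed excerpts modelled on the same three IOS outputs. The MINE/HIS interpretation follows the NAT-D semantics shown in the debug output: a mismatch on MINE means this router's own address was translated.

```python
import re

# Constructed excerpts modelled on the three IOS outputs quoted on this page.
DEBUG_ISAKMP = """\
*Mar  2 06:00:26.160: ISAKMP (0:1): Detected NAT-D payload
*Mar  2 06:00:26.160: ISAKMP (0:1): NAT does not match MINE hash
*Mar  2 06:00:26.164: ISAKMP (0:1): Detected NAT-D payload
*Mar  2 06:00:26.164: ISAKMP (0:1): NAT match HIS hash
"""
SHOW_IPSEC_SA = """\
     inbound esp sas:
      spi: 0x9E520B00(2656176896)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""
SHOW_ISAKMP_SA = """\
C-id  Local           Remote          I-VRF    Encr Hash Auth DH Lifetime Cap.
1     130.1.19.1      130.1.239.254            des  md5  psk  2  23:51:43  DN
"""

def nat_d_status(debug_text):
    """Interpret the NAT-D hash comparison from 'debug crypto isakmp'.
    A mismatch on MINE means our own address was translated (we are behind
    NAT); a mismatch on HIS means the peer's address was."""
    seen = "Detected NAT-D payload" in debug_text
    local = bool(re.search(r"NAT does not match MINE hash", debug_text))
    peer = bool(re.search(r"NAT does not match HIS hash", debug_text))
    return {"nat_d_seen": seen, "local_behind_nat": local, "peer_behind_nat": peer}

def udp_encaps_in_use(ipsec_text):
    """True when any 'in use settings' line of 'show crypto ipsec sa'
    carries UDP-Encaps, i.e. ESP is being wrapped in UDP."""
    settings = re.findall(r"in use settings\s*=\{([^}]*)\}", ipsec_text)
    return any("UDP-Encaps" in s for s in settings)

def isakmp_nat_t_peers(isakmp_text):
    """Map each IKE SA (C-id) in 'show crypto isakmp sa detail' to whether
    its Cap. column contains N (NAT-traversal). I-VRF may be blank, so the
    row is split on whitespace and Cap. is read as the trailing token; a
    trailing hh:mm:ss token means the Cap. column is empty."""
    result = {}
    for line in isakmp_text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # skip header, legend and blank lines
        caps = "" if re.fullmatch(r"\d+:\d+:\d+", tokens[-1]) else tokens[-1]
        result[tokens[0]] = "N" in caps
    return result
```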

