Whether a Cisco IOS router has NAT-T (NAT traversal) enabled for a given SA can be determined with the following methods.
Translated by myself; the original is from: http://www.groupstudy.com/archives/ccielab/200611/msg01813.html
1. debug crypto isakmp
You should see output similar to this:
NAT-Discovery Phase for router behind NAT:
....
*Mar 2 06:00:25.608: ISAKMP (0:1): constructed HIS NAT-D
*Mar 2 06:00:25.608: ISAKMP (0:1): constructed MINE NAT-D
.........
*Mar 2 06:00:26.160: ISAKMP:received payload type 17
*Mar 2 06:00:26.160: ISAKMP (0:1): Detected NAT-D payload
*Mar 2 06:00:26.160: ISAKMP (0:1): NAT does not match MINE hash
*Mar 2 06:00:26.160: hash received: 16 26 6 5E DB 49 79 94 C1 ED A7 9B B1 A0 D1 16
*Mar 2 06:00:26.160: my nat hash : E1 12 C9 D8 EE B7 50 9 3 3 4E E3 6D 53 A8 11
*Mar 2 06:00:26.164: ISAKMP:received payload type 17
*Mar 2 06:00:26.164: ISAKMP (0:1): Detected NAT-D payload
*Mar 2 06:00:26.164: ISAKMP (0:1): NAT match HIS hash
2. show crypto ipsec sa
Look for a line like "in use settings ={Tunnel UDP-Encaps, }" (UDP-Encaps means ESP is being encapsulated in UDP, i.e. NAT-T is in use for that SA).
inbound esp sas:
spi: 0x9E520B00(2656176896)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4512807/3182)
IV size: 8 bytes
replay detection support: Y
3. show crypto isakmp sa detail
Look for the letter "N" (NAT-traversal) in the Cap. column.
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Encr Hash Auth DH Lifetime Cap.
1 130.1.19.1 130.1.239.254 des md5 psk 2 23:51:43 DN
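As an added example (not part of the original post or of Cisco IOS), the following Python script does two things: it reproduces the NAT-D comparison that `debug crypto isakmp` reports in step 1 (per RFC 3947 section 3.2, each NAT-D payload is HASH(CKY-I | CKY-R | IP | Port), and a mismatch on the "MINE" hash means our address was translated in transit), and it scans the `show crypto ipsec sa` and `show crypto isakmp sa detail` output from steps 2 and 3 for the NAT-T markers. The cookies and addresses in the demo scenario are constructed; the two show-command samples are the page's own output.

```python
"""Added example: NAT-D hash comparison (RFC 3947) and NAT-T markers in IOS show output."""
import hashlib
import ipaddress
import re
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    # RFC 3947 3.2: NAT-D = HASH(CKY-I | CKY-R | IP | Port), using the hash
    # negotiated in phase 1 (md5 in the page's output, hence 16-byte hashes).
    packed_ip = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def compare_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port,
                  recv_his, recv_mine, hash_name="md5"):
    """Return (his_matches, mine_matches), the two checks the router logs.

    recv_his  : NAT-D hash the peer computed over its own address
    recv_mine : NAT-D hash the peer computed over the address it saw us at
    """
    his_matches = nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name) == recv_his
    mine_matches = nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name) == recv_mine
    return his_matches, mine_matches


def demo_router_behind_nat():
    # Constructed scenario (not from the page): our router's real address is
    # 10.0.0.2, a NAT rewrites it to 203.0.113.5, and the peer is 198.51.100.1.
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    my_private, nat_public, peer = "10.0.0.2", "203.0.113.5", "198.51.100.1"
    # The peer hashes its own address, then the (translated) source it observed.
    recv_his = nat_d_hash(cky_i, cky_r, peer, 500)
    recv_mine = nat_d_hash(cky_i, cky_r, nat_public, 500)
    # Expect (True, False): "NAT match HIS hash" but "NAT does not match MINE hash",
    # exactly the pattern shown in the page's debug output for a router behind NAT.
    return compare_nat_d(cky_i, cky_r, my_private, 500, peer, 500, recv_his, recv_mine)


UDP_ENCAPS = re.compile(r"in use settings\s*=\{[^}]*UDP-Encaps")


def ipsec_sa_uses_udp_encaps(show_output: str) -> bool:
    """Step 2: True if any SA in 'show crypto ipsec sa' shows UDP-Encaps."""
    return bool(UDP_ENCAPS.search(show_output))


def isakmp_nat_t_peers(show_output: str) -> list:
    """Step 3: remote addresses whose Cap. column contains N (NAT-traversal)."""
    peers = []
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # skip the Codes legend and the column header
        last = fields[-1]
        # The Cap. column is a run of capital letters; the Lifetime column is hh:mm:ss.
        cap = last if last.isalpha() and last.isupper() else ""
        if "N" in cap:
            peers.append(fields[2])  # Remote column (I-VRF is empty in the sample)
    return peers


# Samples taken from the page's own show-command output.
IPSEC_SA_SAMPLE = """inbound esp sas:
spi: 0x9E520B00(2656176896)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
"""

ISAKMP_SA_SAMPLE = """Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
C-id Local Remote I-VRF Encr Hash Auth DH Lifetime Cap.
1 130.1.19.1 130.1.239.254 des md5 psk 2 23:51:43 DN
"""

if __name__ == "__main__":
    print("NAT-D (his_matches, mine_matches):", demo_router_behind_nat())
    print("UDP-Encaps present:", ipsec_sa_uses_udp_encaps(IPSEC_SA_SAMPLE))
    print("Peers with NAT-T:", isakmp_nat_t_peers(ISAKMP_SA_SAMPLE))
```

Only the "MINE" comparison tells a router that it is itself behind a NAT; a failed "HIS" comparison would instead indicate that the peer is translated. Either mismatch is enough for IOS to switch the SA to UDP encapsulation, which is what steps 2 and 3 then confirm.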