實驗過程:
第一步 基本接口配置
R1:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
第一步 基本接口配置
R1:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R2:
R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#int f0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#int f0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
第二步 配置互聯網密鑰交換(IKE)
R1:
R1(config)#crypto isakmp enable
// 在全局下啓動ISAKMP(默認情況下被啓動)
R1(config)#crypto isakmp policy 10
// 定義ISAKMP策略集,以便在IPSec端點之間建立ISAKMP對等體關係,這裏的10是代表的優先級,取值範圍在1-10000,1表示優先級最高
R1(config-isakmp)#authentication rsa-encr
// 配置對等體身份驗證方法爲預共享密鑰
R1(config-isakmp)#encryption 3des
// 配置消息加密算法爲3des
R1(config-isakmp)#group 5
// 配置密鑰交換參數爲1536位的Deffie-Hellman
R1(config-isakmp)#hash sha
// 配置消息完整性(散列)算法爲SHA-1(160比特簽名)
R1(config-isakmp)#lifetime 86400
// 配置ISAKMP建立的SA的壽命
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco add 192.168.1.2
// 配置預共享密鑰,密鑰爲cisco,遠程對等體的IP地址爲192.168.1.2
R1:
R1(config)#crypto isakmp enable
// 在全局下啓動ISAKMP(默認情況下被啓動)
R1(config)#crypto isakmp policy 10
// 定義ISAKMP策略集,以便在IPSec端點之間建立ISAKMP對等體關係,這裏的10是代表的優先級,取值範圍在1-10000,1表示優先級最高
R1(config-isakmp)#authentication rsa-encr
// 配置對等體身份驗證方法爲預共享密鑰
R1(config-isakmp)#encryption 3des
// 配置消息加密算法爲3des
R1(config-isakmp)#group 5
// 配置密鑰交換參數爲1536位的Deffie-Hellman
R1(config-isakmp)#hash sha
// 配置消息完整性(散列)算法爲SHA-1(160比特簽名)
R1(config-isakmp)#lifetime 86400
// 配置ISAKMP建立的SA的壽命
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco add 192.168.1.2
// 配置預共享密鑰,密鑰爲cisco,遠程對等體的IP地址爲192.168.1.2
R2:
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 5
R2(config-isakmp)#hash sha
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
R2(config)#crypto isakmp key 0 cisco add 192.168.1.1
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 5
R2(config-isakmp)#hash sha
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
R2(config)#crypto isakmp key 0 cisco add 192.168.1.1
第三步 配置IPSEC變換集
R1:
R1(config)#crypto ipsec transform-set R1set esp-3des esp-md5-hmac
// 創建一個變換集名爲R1set,變換集定義數據流量如何被保護。如果不配置連接模式,默認就是tunnel,即mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto map R!*** 10 ipsec-isakmp
// 建立IPSec加密映射,使用ISAKMP建立IPSEC SA,以保護當前加密映射條目指定的數據庫
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 192.168.1.2
// 指定對等體IP地址
R1(config-crypto-map)#set transform-set R1set
// 指定變換集
R1(config-crypto-map)#match address 100
// 引用擴展ACL
R1(config-crypto-map)#exit
R1:
R1(config)#crypto ipsec transform-set R1set esp-3des esp-md5-hmac
// 創建一個變換集名爲R1set,變換集定義數據流量如何被保護。如果不配置連接模式,默認就是tunnel,即mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto map R!*** 10 ipsec-isakmp
// 建立IPSec加密映射,使用ISAKMP建立IPSEC SA,以保護當前加密映射條目指定的數據庫
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 192.168.1.2
// 指定對等體IP地址
R1(config-crypto-map)#set transform-set R1set
// 指定變換集
R1(config-crypto-map)#match address 100
// 引用擴展ACL
R1(config-crypto-map)#exit
R2:
R2(config)#crypto ipsec transform-set R2set esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto map R2*** 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set transform-set R2set
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
R2(config)#crypto ipsec transform-set R2set esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto map R2*** 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set transform-set R2set
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
第四步 定義觸發流量,即IPSec連接保護何種流量
R1:
R1(config)#access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
R1(config)#int f0/0
R1(config-if)#crypto map R!***
R1(config-if)#end
R1:
R1(config)#access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
R1(config)#int f0/0
R1(config-if)#crypto map R!***
R1(config-if)#end
R2:
R2(config)#access-list 100 permit icmp host 2.2.2.2 host 1.1.1.1
R2(config)#int f0/0
R2(config-if)#crypto map R2***
R2(config-if)#end
R2(config)#access-list 100 permit icmp host 2.2.2.2 host 1.1.1.1
R2(config)#int f0/0
R2(config-if)#crypto map R2***
R2(config-if)#end
第五步 使用Ping流量測試IPSEC配置
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 source 1.1.1.1
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
*Jun 22 21:17:12.067: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 22 21:17:12.075: ISAKMP:(0): SA request profile is (NULL)
*Jun 22 21:17:12.075: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
*Jun 22 21:17:12.075: ISAKMP: New peer created peer = 0x65EF6474 peer_handle = 0x80000002
*Jun 22 21:17:12.079: ISAKMP: Locking peer struct 0x65EF6474, refcount 1 for isakmp_initiator
*Jun 22 21:17:12.079: ISAKMP: local port 500, remote port 500
*Jun 22 21:17:12.079: ISAKMP: set new node 0 to QM_IDLE
*Jun 22 21:17:12.095: insert sa successfully sa = 65E3510C
*Jun 22 21:17:12.095: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 22 21:17:12.095: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 22 21:17:12.103: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 22 21:17:12.103: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 22 21:17:12.103: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 22 21:17:12.075: ISAKMP:(0): SA request profile is (NULL)
*Jun 22 21:17:12.075: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
*Jun 22 21:17:12.075: ISAKMP: New peer created peer = 0x65EF6474 peer_handle = 0x80000002
*Jun 22 21:17:12.079: ISAKMP: Locking peer struct 0x65EF6474, refcount 1 for isakmp_initiator
*Jun 22 21:17:12.079: ISAKMP: local port 500, remote port 500
*Jun 22 21:17:12.079: ISAKMP: set new node 0 to QM_IDLE
*Jun 22 21:17:12.095: insert sa successfully sa = 65E3510C
*Jun 22 21:17:12.095: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 22 21:17:12.095: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 22 21:17:12.103: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 22 21:17:12.103: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 22 21:17:12.103: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 22 21:17:12.103: ISAKMP:(0): beginning Main Mode exchange
*Jun 22 21:17:12.107: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 22 21:17:12.107: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Jun 22 21:17:22.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 22 21:17:22.111: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 22 21:17:22.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 22 21:17:22.115: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 22 21:17:22.115: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.223: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 22 21:17:22.235: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.235: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 22 21:17:12.107: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 22 21:17:12.107: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Jun 22 21:17:22.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 22 21:17:22.111: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 22 21:17:22.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 22 21:17:22.115: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 22 21:17:22.115: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.223: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 22 21:17:22.235: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.235: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 22 21:17:22.243: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 22 21:17:22.243: ISAKMP:(0): processing vendor id payload
*Jun 22 21:17:22.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 21:17:22.247: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 22 21:17:22.247: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:22.247: ISAKMP:(0): local preshared key found
*Jun 22 21:17:22.247: ISAKMP : Scanning profiles for xauth ...
*Jun 22 21:17:22.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 22 21:17:22.251: ISAKMP: encryption 3DES-CBC
*Jun 22 21:17:22.251: ISAKMP: hash SHA
*Jun 22 21:17:22.251: ISAKMP: default group 5
*Jun 22 21:17:22.251: ISAKMP: auth pre-share
*Jun 22 21:17:22.251: ISAKMP: life type in seconds
*Jun 22 21:17:22.255: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 22 21:17:22.255: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun
R1# 22 21:17:22.255: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 22 21:17:22.259: ISAKMP:(0):Acceptable atts:life: 0
*Jun 22 21:17:22.259: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 22 21:17:22.259: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 22 21:17:22.259: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 22 21:17:22.263: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 22 21:17:22.243: ISAKMP:(0): processing vendor id payload
*Jun 22 21:17:22.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 21:17:22.247: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 22 21:17:22.247: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:22.247: ISAKMP:(0): local preshared key found
*Jun 22 21:17:22.247: ISAKMP : Scanning profiles for xauth ...
*Jun 22 21:17:22.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 22 21:17:22.251: ISAKMP: encryption 3DES-CBC
*Jun 22 21:17:22.251: ISAKMP: hash SHA
*Jun 22 21:17:22.251: ISAKMP: default group 5
*Jun 22 21:17:22.251: ISAKMP: auth pre-share
*Jun 22 21:17:22.251: ISAKMP: life type in seconds
*Jun 22 21:17:22.255: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 22 21:17:22.255: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun
R1# 22 21:17:22.255: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 22 21:17:22.259: ISAKMP:(0):Acceptable atts:life: 0
*Jun 22 21:17:22.259: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 22 21:17:22.259: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 22 21:17:22.259: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 22 21:17:22.263: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 22 21:17:22.263: ISAKMP:(0): processing vendor id payload
*Jun 22 21:17:22.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 21:17:22.263: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 22 21:17:22.267: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.267: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 22 21:17:22.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 21:17:22.263: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 22 21:17:22.267: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.267: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 22 21:17:22.275: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 22 21:17:22.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.279: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.279: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 22 21:17:22.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.279: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.279: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 22 21:17:22.551: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 22 21:17:22.555: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.555: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 22 21:17:22.555: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.555: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 22 21:17:22.563: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 22 21:17:22.711: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 22 21:17:22.715: ISAKMP:(0):found peer pr
R1#e-shared key matching 192.168.1.2
*Jun 22 21:17:22.719: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.719: ISAKMP:(1001): vendor ID is Unity
*Jun 22 21:17:22.723: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.723: ISAKMP:(1001): vendor ID is DPD
*Jun 22 21:17:22.723: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.723: ISAKMP:(1001): speaking to another IOS box!
*Jun 22 21:17:22.723: ISAKMP:received payload type 20
*Jun 22 21:17:22.723: ISAKMP:received payload type 20
*Jun 22 21:17:22.723: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.723: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 22 21:17:22.711: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 22 21:17:22.715: ISAKMP:(0):found peer pr
R1#e-shared key matching 192.168.1.2
*Jun 22 21:17:22.719: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.719: ISAKMP:(1001): vendor ID is Unity
*Jun 22 21:17:22.723: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.723: ISAKMP:(1001): vendor ID is DPD
*Jun 22 21:17:22.723: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.723: ISAKMP:(1001): speaking to another IOS box!
*Jun 22 21:17:22.723: ISAKMP:received payload type 20
*Jun 22 21:17:22.723: ISAKMP:received payload type 20
*Jun 22 21:17:22.723: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.723: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 22 21:17:22.727: ISAKMP:(1001):Send initial contact
*Jun 22 21:17:22.727: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 22 21:17:22.731: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 192.168.1.1
protocol : 17
R1#
port : 500
length : 12
*Jun 22 21:17:22.731: ISAKMP:(1001):Total payload length: 12
*Jun 22 21:17:22.731: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 22 21:17:22.731: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.735: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.735: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 22 21:17:22.727: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 22 21:17:22.731: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 192.168.1.1
protocol : 17
R1#
port : 500
length : 12
*Jun 22 21:17:22.731: ISAKMP:(1001):Total payload length: 12
*Jun 22 21:17:22.731: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 22 21:17:22.731: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.735: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.735: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 22 21:17:22.815: ISAKMP (0:1001): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 22 21:17:22.819: ISAKMP:(1001): processing ID payload. message ID = 0
*Jun 22 21:17:22.819: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
*Jun 22 21:17:22.819: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 22 21:17:22.823: ISAKMP:(1001): processing HASH payload. message ID = 0
*Jun 22 21:17:22.823: ISAKMP:(1001):SA authentication status:
authenticated
*Jun 22 21:17:22.827: ISAKMP:(1001):SA has been authenticated with 192.168.1.2
*Jun 22 21:17:22.827: ISAKMP: Trying to insert a peer 192.168.1.1/192.168.1.2/500/, and inserted successfully 65EF6474.
*Jun 22 21:17:22.831: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.831: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 22 21:17:22.819: ISAKMP:(1001): processing ID payload. message ID = 0
*Jun 22 21:17:22.819: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
*Jun 22 21:17:22.819: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 22 21:17:22.823: ISAKMP:(1001): processing HASH payload. message ID = 0
*Jun 22 21:17:22.823: ISAKMP:(1001):SA authentication status:
authenticated
*Jun 22 21:17:22.827: ISAKMP:(1001):SA has been authenticated with 192.168.1.2
*Jun 22 21:17:22.827: ISAKMP: Trying to insert a peer 192.168.1.1/192.168.1.2/500/, and inserted successfully 65EF6474.
*Jun 22 21:17:22.831: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.831: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 22 21:17:22.835: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.839: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jun 22 21:17:22.839: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jun 22 21:17:22.843: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.847: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 22 21:17:22.847: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 22 21:17:22.851: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 192606138
*Jun 22 21:17:22.851: ISAKMP:(1001):QM Initiator gets spi
*Jun
R1# 22 21:17:22.859: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 22 21:17:22.859: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.859: ISAKMP:(1001):Node 192606138, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 22 21:17:22.863: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 22 21:17:22.863: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 22 21:17:22.863: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 22 21:17:22.851: ISAKMP:(1001):QM Initiator gets spi
*Jun
R1# 22 21:17:22.859: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 22 21:17:22.859: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.859: ISAKMP:(1001):Node 192606138, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 22 21:17:22.863: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 22 21:17:22.863: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 22 21:17:22.863: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 22 21:17:23.043: ISAKMP (0:1001): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
*Jun 22 21:17:23.047: ISAKMP:(1001): processing HASH payload. message ID = 192606138
*Jun 22 21:17:23.051: ISAKMP:(1001): processing SA payload. message ID = 192606138
*Jun 22 21:17:23.051: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 22 21:17:23.051: ISAKMP: transform 1, ESP_3DES
*Jun 22 21:17:23.051: ISAKMP: attributes in transform:
*Ju
R1#n 22 21:17:23.051: ISAKMP: encaps is 1 (Tunnel)
*Jun 22 21:17:23.055: ISAKMP: SA life type in seconds
*Jun 22 21:17:23.055: ISAKMP: SA life duration (basic) of 3600
*Jun 22 21:17:23.055: ISAKMP: SA life type in kilobytes
*Jun 22 21:17:23.055: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 22 21:17:23.059: ISAKMP: authenticator is HMAC-MD5
*Jun 22 21:17:23.059: ISAKMP:(1001):atts are acceptable.
*Jun 22 21:17:23.059: IPSEC(validate_proposal_request): proposal part #1
*Jun 22 21:17:23.059: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 22 21:17:23.063: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 1
src port : 0
dst port : 0
*Jun 22 21:17:23.067: ISAKMP:(1001): processing NONCE payload. message ID = 192606138
*Jun 22 21:17:23.067: ISAKMP:(1001): processing ID payload. message ID = 192606138
*Jun 22 21:17:23.071: ISAKMP:(1001): processing ID payload. message ID = 192606138
*Jun 22 21:17:23.075: ISAKMP:(1001): Creating IPSec SAs
*Jun 22 21:17:23.079: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 2.2.2.2 to 1.1.1.1)
*Jun 22 21:17:23.079: has spi 0x6E0588B2 and conn_id 0
*Jun 22 21:17:23.079: lifetime of 3600 seconds
*Jun 22 21:17:23.079: lifetime of 4608000 kilobytes
*Jun 22 21:17:23.083: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 1.1.1.1 to 2.2.2.2)
*Jun 22 21:17:23.083: has spi 0x11E9D65F and conn_id 0
*Jun 22 21:17:23.083: lifetime of 3600 seconds
*Jun 22 21:17:23.083: lifetime of 4608000 kilobytes
*Jun 22 21:17:23.087: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 22 21:17:23.087: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:23.091: ISAKMP:(1001):deleting node 192606138 error FALSE reason "No Error"
*Jun 22 21:17:23.091: ISAKMP:(1001):Node 192606138, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 22 21:17:23.091: ISAKMP:(1001):Old State = IKE_QM_I_
R1#QM1 New State = IKE_QM_PHASE2_COMPLETE
*Jun 22 21:17:23.095: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 21:17:23.099: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 1
src port : 0
dst port : 0
*Jun 22 21:17:23.099: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.1.2
*Jun 22 21:17:23.103: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0
*Jun 22 21:17:23.047: ISAKMP:(1001): processing HASH payload. message ID = 192606138
*Jun 22 21:17:23.051: ISAKMP:(1001): processing SA payload. message ID = 192606138
*Jun 22 21:17:23.051: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 22 21:17:23.051: ISAKMP: transform 1, ESP_3DES
*Jun 22 21:17:23.051: ISAKMP: attributes in transform:
*Ju
R1#n 22 21:17:23.051: ISAKMP: encaps is 1 (Tunnel)
*Jun 22 21:17:23.055: ISAKMP: SA life type in seconds
*Jun 22 21:17:23.055: ISAKMP: SA life duration (basic) of 3600
*Jun 22 21:17:23.055: ISAKMP: SA life type in kilobytes
*Jun 22 21:17:23.055: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 22 21:17:23.059: ISAKMP: authenticator is HMAC-MD5
*Jun 22 21:17:23.059: ISAKMP:(1001):atts are acceptable.
*Jun 22 21:17:23.059: IPSEC(validate_proposal_request): proposal part #1
*Jun 22 21:17:23.059: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 22 21:17:23.063: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 1
src port : 0
dst port : 0
*Jun 22 21:17:23.067: ISAKMP:(1001): processing NONCE payload. message ID = 192606138
*Jun 22 21:17:23.067: ISAKMP:(1001): processing ID payload. message ID = 192606138
*Jun 22 21:17:23.071: ISAKMP:(1001): processing ID payload. message ID = 192606138
*Jun 22 21:17:23.075: ISAKMP:(1001): Creating IPSec SAs
*Jun 22 21:17:23.079: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 2.2.2.2 to 1.1.1.1)
*Jun 22 21:17:23.079: has spi 0x6E0588B2 and conn_id 0
*Jun 22 21:17:23.079: lifetime of 3600 seconds
*Jun 22 21:17:23.079: lifetime of 4608000 kilobytes
*Jun 22 21:17:23.083: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 1.1.1.1 to 2.2.2.2)
*Jun 22 21:17:23.083: has spi 0x11E9D65F and conn_id 0
*Jun 22 21:17:23.083: lifetime of 3600 seconds
*Jun 22 21:17:23.083: lifetime of 4608000 kilobytes
*Jun 22 21:17:23.087: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 22 21:17:23.087: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:23.091: ISAKMP:(1001):deleting node 192606138 error FALSE reason "No Error"
*Jun 22 21:17:23.091: ISAKMP:(1001):Node 192606138, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 22 21:17:23.091: ISAKMP:(1001):Old State = IKE_QM_I_
R1#QM1 New State = IKE_QM_PHASE2_COMPLETE
*Jun 22 21:17:23.095: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 21:17:23.099: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 1
src port : 0
dst port : 0
*Jun 22 21:17:23.099: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.1.2
*Jun 22 21:17:23.103: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0
*Jun 22 21:17:23.103: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x6E0588B2(1845856434),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
*Jun 22 21:17:23.107: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x11E9D65F(300537439),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2
*Jun 22 21:17:23.107: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 11E9D65F
R1#
*Jun 22 21:18:13.091: ISAKMP:(1001):purging node 192606138
R1#
R1#show crypto isakmp sa
// 查看IKE階段1的管理連接
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.2 192.168.1.1 QM_IDLE 1001 0 ACTIVE
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x6E0588B2(1845856434),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
*Jun 22 21:17:23.107: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x11E9D65F(300537439),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2
*Jun 22 21:17:23.107: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 11E9D65F
R1#
*Jun 22 21:18:13.091: ISAKMP:(1001):purging node 192606138
R1#
R1#show crypto isakmp sa
// 查看IKE階段1的管理連接
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.2 192.168.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
// 查看SA在IKE階段2建立的IPSec數據連接
interface: FastEthernet0/0
Crypto map tag: R!***, local addr 192.168.1.1
// 在F0/0上激活了R1***的加密映射,用於IPSec通信的路由器IP地址是192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
// 這裏顯示了參與連接的對等體的本地和遠程標識
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
// 這裏可以看到被封裝和加密的數據包數目
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
// IPSec連接的本地和遠程端點,以及使用的MTU
current outbound spi: 0x11E9D65F(300537439)
// 查看SA在IKE階段2建立的IPSec數據連接
interface: FastEthernet0/0
Crypto map tag: R!***, local addr 192.168.1.1
// 在F0/0上激活了R1***的加密映射,用於IPSec通信的路由器IP地址是192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
// 這裏顯示了參與連接的對等體的本地和遠程標識
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
// 這裏可以看到被封裝和加密的數據包數目
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
// IPSec連接的本地和遠程端點,以及使用的MTU
current outbound spi: 0x11E9D65F(300537439)
inbound esp sas:
spi: 0x6E0588B2(1845856434)
// 這裏是輸入(遠程對等體到本地路由器)ESP SA,每個連接都有一個唯一的SPI號
transform: esp-3des esp-md5-hmac ,
// 用來保護的連接的變換參數是esp-3des esp-md5-hmac
in use settings ={Tunnel, }
// 連接模式是隧道模式
conn id: 1, flow_id: SW:1, crypto map: R!***
sa timing: remaining key lifetime (k/sec): (4445781/3464)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x6E0588B2(1845856434)
// 這裏是輸入(遠程對等體到本地路由器)ESP SA,每個連接都有一個唯一的SPI號
transform: esp-3des esp-md5-hmac ,
// 用來保護的連接的變換參數是esp-3des esp-md5-hmac
in use settings ={Tunnel, }
// 連接模式是隧道模式
conn id: 1, flow_id: SW:1, crypto map: R!***
sa timing: remaining key lifetime (k/sec): (4445781/3464)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
// AH下沒有任何輸出,說明AH沒有用來保護連接
inbound pcp sas:
// AH下沒有任何輸出,說明AH沒有用來保護連接
inbound pcp sas:
outbound esp sas:
spi: 0x11E9D65F(300537439)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: R!***
sa timing: remaining key lifetime (k/sec): (4445781/3463)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x11E9D65F(300537439)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: R!***
sa timing: remaining key lifetime (k/sec): (4445781/3463)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
R1#show crypto session
Crypto session current status
R1#
R1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit 1 host 1.1.1.1 host 2.2.2.2
Active SAs: 2, origin: crypto map
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit 1 host 1.1.1.1 host 2.2.2.2
Active SAs: 2, origin: crypto map