SVTI與GRE相比節省4個字節的GRE頭部
一,Site1配置:
crypto isakmp policy 10 //定義第一階段ISAKMP安全協商策略,show crypto policy。
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 61.128.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode tunnel #SVTI技術使用默認的隧道模式
!
crypto ipsec profile To_site2_ipsec
set transform-set cisco
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 202.100.1.1
tunnel destination 61.128.1.1
tunnel mode ipsec ipv4 #與GRE IPSEC 配置不同,SVTI使用IPSEC IPVE隧道模式
tunnel protection ipsec profile To_site2_ipsec
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
Site1#
二,Site2配置:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des
!
crypto ipsec profile To_site1_ipsec
set transform-set cisco
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 202.100.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile To_site1_ipsec
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 61.128.1.1 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
Site2#
三,測試:
Site1# ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/53/76 ms
Site1#
四,狀態查看命令:
Site1#show crypto engi conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
4 FastEthernet0/0 202.100.1.1 set HMAC_MD5+3DES_56_C 0 0
2002 FastEthernet0/0 202.100.1.1 set DES+MD5 26 0
2004 FastEthernet0/0 202.100.1.1 set DES+MD5 0 25
Site1#show crypto isakmp sa
dst src state conn-id slot status
202.100.1.1 61.128.1.1 QM_IDLE 4 0 ACTIVE
Site1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.100.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) #加密流爲任意到任意
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 61.128.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
#pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xCA895958(3397998936)
inbound esp sas:
spi: 0x962F864(157481060)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, } #使用隧道模式
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4508692/3542)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCA895958(3397998936)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4508692/3540)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Site1#clear crypto sa #清除、新建IPSEC SA 安全關聯。
Site1#