1: Basic interface configuration
R1:
  R1(config)#int f0/0
  R1(config-if)#ip add 10.0.0.1 255.255.255.0
  R1(config-if)#no sh
  R1(config-if)#int lo 0
  R1(config-if)#ip add 1.1.1.1 255.255.255.0
  R1(config-if)#no sh
  R1(config)#router ospf 100
  R1(config-router)#net 0.0.0.0 0.0.0.0 area 0

R2:
  R2(config)#int f0/0
  R2(config-if)#ip add 10.0.0.2 255.255.255.0
  R2(config-if)#no sh
  R2(config-if)#int lo 0
  R2(config-if)#ip add 2.2.2.2 255.255.255.0
  R2(config-if)#no sh
  R2(config)#router ospf 100
  R2(config-router)#net 0.0.0.0 0.0.0.0 area 0
2: Configure Internet Key Exchange (IKE)
Note: the phase 1 policy below (3DES, SHA-1, DH group 5) and the phase 2 transform set in step 3 (esp-3des, esp-md5-hmac) are legacy choices, kept here exactly as the lab used them; a new deployment should prefer AES-256, SHA-256 and DH group 14 or higher. "crypto isakmp key 0" also stores the pre-shared key in cleartext in the running configuration.
R1:
  R1(config)#crypto isakmp enable
  R1(config)#crypto isakmp policy 10
  R1(config-isakmp)#authentication pre-share
  R1(config-isakmp)#encryption 3des
  R1(config-isakmp)#group 5
  R1(config-isakmp)#hash sha
  R1(config-isakmp)#lifetime 86400
  R1(config)#crypto isakmp key 0 zhyzhjzhj address 10.0.0.2
R2:
  R2(config)#crypto isakmp enable
  R2(config)#crypto isakmp policy 10
  R2(config-isakmp)#authentication pre-share
  R2(config-isakmp)#encryption 3des
  R2(config-isakmp)#group 5
  R2(config-isakmp)#hash sha
  R2(config-isakmp)#lifetime 86400
  R2(config)#crypto isakmp key 0 zhyzhjzhj address 10.0.0.1

3: Configure the IPsec transform set and crypto map
R1:
  R1(config)#crypto ipsec transform-set R1set esp-3des esp-md5-hmac
  R1(config)#crypto map R1××× 10 ipsec-isakmp
  R1(config-crypto-map)#set peer 10.0.0.2
  R1(config-crypto-map)#set transform-set R1set
  R1(config-crypto-map)#match address 100
R2:
  R2(config)#crypto ipsec transform-set R2set esp-3des esp-md5-hmac
  R2(config)#crypto map R2××× 10 ipsec-isakmp
  R2(config-crypto-map)#set peer 10.0.0.1
  R2(config-crypto-map)#set transform-set R2set
  R2(config-crypto-map)#match address 100
4: Define the interesting traffic, i.e. which flows the IPsec connection protects
ACL 100 on each router must mirror the other's (source and destination swapped). Here it matches only ICMP between the two loopbacks, so only pings between 1.1.1.1 and 2.2.2.2 are encrypted; any other traffic crossing f0/0 is sent in the clear.
R1:
  R1(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
  R1(config)#int f0/0
  R1(config-if)#crypto map R1×××   //apply the crypto map to the interface
R2:
  R2(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
  R2(config)#int f0/0
  R2(config-if)#crypto map R2×××
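The four configuration steps above, audited as an added example (Python, not code from the original page): it parses R1's crypto configuration as it would appear in the running configuration, flags the legacy algorithm choices and the cleartext pre-shared key, and shows a hardened policy that the same audit accepts. The crypto map name R1MAP, the hardened values and the severity ratings are assumptions of this example, not the lab's.

```python
# Constructed sample, not a capture from the page's routers: R1's crypto
# configuration as typed in steps 2-4 above, written the way "show
# running-config" lists it (prompts removed, sub-commands indented). The
# crypto map name R1MAP is an assumed stand-in for the page's map name.
R1_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 5
 hash sha
 lifetime 86400
crypto isakmp key 0 zhyzhjzhj address 10.0.0.2
crypto ipsec transform-set R1set esp-3des esp-md5-hmac
crypto map R1MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set R1set
 match address 100
access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
"""

# Assumed replacement policy (IOS 15.x keywords) that the audit should accept.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 group 14
 hash sha256
 lifetime 86400
crypto ipsec transform-set AESSET esp-aes 256 esp-sha256-hmac
"""

# What counts as weak is this audit's judgement, not an IOS classification:
# DES/3DES are 64-bit block ciphers, MD5 and SHA-1 ("hash sha") HMACs are
# deprecated for new IKE/IPsec policy, and DH groups 1/2/5 (768/1024/1536-bit
# MODP) sit below the 2048-bit floor of group 14.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}
WEAK_DH = {"1", "2", "5"}
WEAK_ESP_ENCR = {"esp-des", "esp-3des", "esp-null"}
WEAK_ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}


def parse_sections(config):
    """Group IOS config lines into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_crypto(config):
    """Return (severity, finding) pairs for the IKE phase 1 and IPsec settings."""
    findings = []
    for header, body in parse_sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            prio = words[3]
            # "encryption aes 256" -> {"encryption": "aes 256"}; unset keys fall
            # back to the IOS defaults (DES, SHA-1, group 1), which are all weak.
            settings = {w.split()[0]: " ".join(w.split()[1:]) for w in body}
            enc = settings.get("encryption", "des")
            if enc in WEAK_ENCR:
                findings.append(("high", f"isakmp policy {prio}: encryption {enc}; use aes 256"))
            hsh = settings.get("hash", "sha")
            if hsh in WEAK_HASH:
                findings.append(("medium", f"isakmp policy {prio}: hash {hsh}; use sha256"))
            grp = settings.get("group", "1")
            if grp in WEAK_DH:
                findings.append(("high", f"isakmp policy {prio}: DH group {grp}; use group 14 or higher"))
        elif header.startswith("crypto isakmp key 0 "):
            findings.append(("medium", "pre-shared key stored in cleartext (key 0); "
                                       "enable 'password encryption aes' for type-6 storage"))
        elif header.startswith("crypto ipsec transform-set "):
            name, algs = words[3], set(words[4:])
            for alg in sorted(algs & WEAK_ESP_ENCR):
                findings.append(("high", f"transform-set {name}: {alg}; use esp-aes 256 or esp-gcm"))
            for alg in sorted(algs & WEAK_ESP_AUTH):
                findings.append(("medium", f"transform-set {name}: {alg}; use esp-sha256-hmac"))
        elif header.startswith("access-list ") and " permit ip any any" in header:
            findings.append(("low", f"{header}: crypto ACL matches all traffic; narrow it"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_crypto(R1_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened policy findings:", audit_crypto(HARDENED_CONFIG))
```

Run against the lab configuration the audit produces six findings (three high: 3DES, group 5, esp-3des; three medium: SHA-1, esp-md5-hmac, cleartext key), and none against the hardened policy. The same parse_sections helper works on any "show running-config" dump, so the audit can be pointed at a real device export rather than the embedded sample.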

5: Debug output:
The first ICMP echo is consumed to trigger IKE and is dropped while the SAs are negotiated, which is why the ping below reports 4/5 and the later show crypto ipsec sa output counts one send error.
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

*Mar 30 23:08:18.571: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.1, remote= 10.0.0.2,
    local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar 30 23:08:18.579: ISAKMP:(0): SA request profile is (NULL)
*Mar 30 23:08:18.583: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Mar 30 23:08:18.583: ISAKMP: New peer created peer = 0x663BD320 peer_handle = 0x80000002
*Mar 30 23:08:18.587: ISAKMP: Locking peer struct 0x663BD320, refcount 1 for isakmp_initiator
*Mar 30 23:08:18.587: ISAKMP: local port 500, remote port 500
*Mar 30 23:08:18.591: ISAKMP: set new node 0 to QM_IDLE
*Mar 30 23:08:18.595: insert sa successfully sa = 655685C4
*Mar 30 23:08:18.595: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 30 23:08:18.599: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Mar 30 23:08:18.603: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 30 23:08:18.607: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 30 23:08:18.607: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 30 23:08:18.611: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 30 23:08:18.611: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar 30 23:08:18.615: ISAKMP:(0): beginning Main Mode exchange
*Mar 30 23:08:18.619: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 30 23:08:18.743: ISAKMP (0:0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 30 23:08:18.763: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 30 23:08:18.763: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar 30 23:08:18.775: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 30 23:08:18.779: ISAKMP:(0): processing vendor id payload
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/64/108 ms
*Mar 30 23:08:18.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 30 23:08:18.783: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 30 23:08:18.787: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Mar 30 23:08:18.787: ISAKMP:(0): local preshared key found
*Mar 30 23:08:18.791: ISAKMP : Scanning profiles for xauth ...
*Mar 30 23:08:18.791: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 30 23:08:18.795: ISAKMP:       encryption 3DES-CBC
*Mar 30 23:08:18.795: ISAKMP:       hash SHA
*Mar 30 23:08:18.795: ISAKMP:       default group 5
*Mar 30 23:08:18.799: ISAKMP:       auth pre-share
*Mar 30 23:08:18.799: ISAKMP:       life type in seconds
*Mar 30 23:08:18.799: ISAKMP:       life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 30 23:08:18.807: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 30 23:08:18.811: ISAKMP:(0): processing vendor id payload
*Mar 30 23:08:18.811: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 30 23:08:18.815: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 30 23:08:18.819: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 30 23:08:18.819: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar 30 23:08:18.823: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 30 23:08:18.823: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 30 23:08:18.823: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar 30 23:08:19.035: ISAKMP (0:0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 30 23:08:19.039: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 30 23:08:19.043: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar 30 23:08:19.055: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 30 23:08:19.183: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 30 23:08:19.183: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
*Mar 30 23:08:19.199: ISAKMP:(1001): processing vendor id payload
*Mar 30 23:08:19.203: ISAKMP:(1001): vendor ID is Unity
*Mar 30 23:08:19.203: ISAKMP:(1001): processing vendor id payload
*Mar 30 23:08:19.203: ISAKMP:(1001): vendor ID is DPD
*Mar 30 23:08:19.203: ISAKMP:(1001): processing vendor id payload
*Mar 30 23:08:19.203: ISAKMP:(1001): speaking to another IOS box!
*Mar 30 23:08:19.203: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 30 23:08:19.203: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar 30 23:08:19.203: ISAKMP:(1001):Send initial contact
*Mar 30 23:08:19.203: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 30 23:08:19.203: ISAKMP (0:1001): ID payload
        next-payload : 8
        type          : 1
        address       : 10.0.0.1
        protocol      : 17
        port          : 500
        length        : 12
*Mar 30 23:08:19.203: ISAKMP:(1001):Total payload length: 12
*Mar 30 23:08:19.203: ISAKMP:(1001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 30 23:08:19.203: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 30 23:08:19.203: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar 30 23:08:19.243: ISAKMP (0:1001): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 30 23:08:19.251: ISAKMP:(1001): processing ID payload. message ID = 0
*Mar 30 23:08:19.251: ISAKMP (0:1001): ID payload
        next-payload : 8
        type          : 1
        address       : 10.0.0.2
        protocol      : 17
        port          : 500
        length        : 12
*Mar 30 23:08:19.251: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 30 23:08:19.251: ISAKMP:(1001): processing HASH payload. message ID = 0
*Mar 30 23:08:19.251: ISAKMP:(1001):SA authentication status:
        authenticated
*Mar 30 23:08:19.251: ISAKMP:(1001):SA has been authenticated with 10.0.0.2
*Mar 30 23:08:19.251: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.2/500/,  and inserted successfully 663BD320.
*Mar 30 23:08:19.251: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 30 23:08:19.251: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar 30 23:08:19.251: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 30 23:08:19.251: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar 30 23:08:19.251: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 30 23:08:19.251: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar 30 23:08:19.255: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of -479716604
*Mar 30 23:08:19.259: ISAKMP:(1001):QM Initiator gets spi
*Mar 30 23:08:19.271: ISAKMP:(1001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 30 23:08:19.275: ISAKMP:(1001):Node -479716604, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 30 23:08:19.279: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar 30 23:08:19.283: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 30 23:08:19.283: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar 30 23:08:19.395: ISAKMP (0:1001): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar 30 23:08:19.403: ISAKMP:(1001): processing HASH payload. message ID = -479716604
*Mar 30 23:08:19.403: ISAKMP:(1001): processing SA payload. message ID = -479716604
*Mar 30 23:08:19.403: ISAKMP:(1001):Checking IPSec proposal 1
*Mar 30 23:08:19.403: ISAKMP: transform 1, ESP_3DES
*Mar 30 23:08:19.403: ISAKMP:    attributes in transform:
*Mar 30 23:08:19.403: ISAKMP:       encaps is 1 (Tunnel)
*Mar 30 23:08:19.403: ISAKMP:       SA life type in seconds
*Mar 30 23:08:19.403: ISAKMP:       SA life duration (basic) of 3600
*Mar 30 23:08:19.403: ISAKMP:       SA life type in kilobytes
*Mar 30 23:08:19.403: ISAKMP:       SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar 30 23:08:19.403: ISAKMP:       authenticator is HMAC-MD5
*Mar 30 23:08:19.403: ISAKMP:(1001):atts are acceptable.
*Mar 30 23:08:19.403: IPSEC(validate_proposal_request): proposal part #1
*Mar 30 23:08:19.403: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.0.0.1, remote= 10.0.0.2,
    local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar 30 23:08:19.403: Crypto mapdb : proxy_match
        src addr      : 1.1.1.1
        dst addr      : 2.2.2.2
        protocol      : 1
        src port      : 0
        dst port      : 0
*Mar 30 23:08:19.403: ISAKMP:(1001): processing NONCE payload. message ID = -479716604
*Mar 30 23:08:19.403: ISAKMP:(1001): processing ID payload. message ID = -479716604
*Mar 30 23:08:19.403: ISAKMP:(1001): processing ID payload. message ID = -479716604
*Mar 30 23:08:19.407: ISAKMP:(1001): Creating IPSec SAs
*Mar 30 23:08:19.411:          inbound SA from 10.0.0.2 to 10.0.0.1 (f/i)  0/ 0
        (proxy 2.2.2.2 to 1.1.1.1)
*Mar 30 23:08:19.415:          has spi 0x1AA6B7AE and conn_id 0
*Mar 30 23:08:19.415:          lifetime of 3600 seconds
*Mar 30 23:08:19.415:          lifetime of 4608000 kilobytes
*Mar 30 23:08:19.419:          outbound SA from 10.0.0.1 to 10.0.0.2 (f/i) 0/0
        (proxy 1.1.1.1 to 2.2.2.2)
*Mar 30 23:08:19.423:          has spi  0x2E523B94 and conn_id 0
*Mar 30 23:08:19.423:          lifetime of 3600 seconds
*Mar 30 23:08:19.423:          lifetime of 4608000 kilobytes
*Mar 30 23:08:19.427: ISAKMP:(1001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 30 23:08:19.427: ISAKMP:(1001):deleting node -479716604 error FALSE reason "No Error"
*Mar 30 23:08:19.427: ISAKMP:(1001):Node -479716604, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 30 23:08:19.427: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar 30 23:08:19.427: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 30 23:08:19.427: Crypto mapdb : proxy_match
        src addr      : 1.1.1.1
        dst addr      : 2.2.2.2
        protocol      : 1
        src port      : 0
        dst port      : 0
*Mar 30 23:08:19.427: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.0.0.2
*Mar 30 23:08:19.427: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0

*Mar 30 23:08:19.427: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.0.0.1, sa_proto= 50,
    sa_spi= 0x1AA6B7AE(447133614),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
*Mar 30 23:08:19.427: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.0.0.2, sa_proto= 50,
    sa_spi= 0x2E523B94(777141140),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2
*Mar 30 23:08:19.431: IPSEC(update_current_outbound_sa): updated peer 10.0.0.2 current outbound sa to SPI 2E523B94
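An added example (Python, not part of the original lab) that turns the debug capture above into a handshake summary: it extracts the Old State/New State transitions, the authenticated peer and the negotiated SPIs, and when the exchange never reaches IKE_QM_PHASE2_COMPLETE it maps the last state reached to the usual cause. The first log is condensed from the page's own output; the pre-shared-key-mismatch log, its retransmit line and the stall hints are constructed troubleshooting heuristics, not IOS messages.

```python
import re

# Constructed excerpt condensed from the "debug crypto isakmp" output above:
# only the state transitions, the authentication line and the SPI lines are
# kept, as the initiator (R1) printed them.
DEBUG_OK = """\
*Mar 30 23:08:18.611: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 30 23:08:18.763: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar 30 23:08:18.819: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar 30 23:08:18.823: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar 30 23:08:19.043: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar 30 23:08:19.203: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar 30 23:08:19.251: ISAKMP:(1001):SA has been authenticated with 10.0.0.2
*Mar 30 23:08:19.251: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar 30 23:08:19.251: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar 30 23:08:19.279: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar 30 23:08:19.415:          has spi 0x1AA6B7AE and conn_id 0
*Mar 30 23:08:19.423:          has spi  0x2E523B94 and conn_id 0
*Mar 30 23:08:19.427: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed failure log, not from the page: the initiator sends MM5 and the
# responder never answers with MM6, which is what a pre-shared key or IKE
# identity mismatch looks like from this side.
DEBUG_PSK_MISMATCH = """\
*Mar 30 23:15:01.000: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 30 23:15:01.120: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar 30 23:15:01.180: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar 30 23:15:01.400: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar 30 23:15:01.560: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar 30 23:15:11.560: ISAKMP:(1001): retransmitting phase 1 MM_KEY_EXCH...
"""

TRANSITION = re.compile(r"ISAKMP:\(\d+\):Old State = (\S+)\s+New State = (\S+)")
SPI = re.compile(r"has spi\s+0x([0-9A-Fa-f]+)")
AUTH = re.compile(r"SA has been authenticated with (\S+)")

# Usual troubleshooting reading of the last initiator state when the exchange
# stalls; these are heuristics of this example, not text that IOS prints.
STALL_HINTS = {
    "IKE_I_MM1": "no reply to MM1: peer unreachable, UDP/500 filtered, or no crypto map on the peer interface",
    "IKE_I_MM3": "no reply to the KE payload: DH group mismatch or packets dropped mid-exchange",
    "IKE_I_MM5": "peer never sent MM6: pre-shared key or IKE identity mismatch",
    "IKE_QM_I_QM1": "phase 1 done but phase 2 rejected: transform-set or crypto ACL (proxy ID) mismatch",
}


def parse_ike_debug(text):
    """Summarise an initiator-side 'debug crypto isakmp' capture."""
    states, spis, peer = [], [], None
    for line in text.splitlines():
        if m := TRANSITION.search(line):
            old, new = m.groups()
            if old != new:                 # drop the internal no-op transitions
                states.append(new)
        elif m := SPI.search(line):
            spis.append(int(m.group(1), 16))
        elif m := AUTH.search(line):
            peer = m.group(1)
    last = states[-1] if states else None
    done = "IKE_QM_PHASE2_COMPLETE" in states
    return {
        "states": states,
        "phase1_complete": "IKE_P1_COMPLETE" in states,
        "phase2_complete": done,
        "authenticated_peer": peer,
        "spis": spis,
        "stall_hint": None if done else STALL_HINTS.get(last, f"stalled at {last}"),
    }


if __name__ == "__main__":
    for name, log in (("lab capture", DEBUG_OK), ("psk mismatch", DEBUG_PSK_MISMATCH)):
        s = parse_ike_debug(log)
        print(name, "->", " > ".join(s["states"]))
        print("  phase1:", s["phase1_complete"], "phase2:", s["phase2_complete"],
              "peer:", s["authenticated_peer"], "spis:", [hex(x) for x in s["spis"]])
        if s["stall_hint"]:
            print("  hint:", s["stall_hint"])
```

On the lab capture the summary reaches both IKE_P1_COMPLETE and IKE_QM_PHASE2_COMPLETE and reports the same two SPIs (0x1AA6B7AE inbound, 0x2E523B94 outbound) that show crypto ipsec sa lists afterwards; on the constructed mismatch log it stops at IKE_I_MM5 and points at the pre-shared key.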

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst              src              state           conn-id slot status
10.0.0.2         10.0.0.1         QM_IDLE            1001     0 ACTIVE

IPv6 Crypto ISAKMP SA

========================================================================================================
R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: R1×××, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x2E523B94(777141140)

     inbound esp sas:
      spi: 0x1AA6B7AE(447133614)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: R1×××
        sa timing: remaining key lifetime (k/sec): (4455635/3328)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2E523B94(777141140)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: R1×××
        sa timing: remaining key lifetime (k/sec): (4455635/3321)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
=================================================================================================================
R1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
IPSEC FLOW: permit 1 host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map
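An added example (Python, not from the original page) that parses the show crypto ipsec sa output above into a tunnel-health check: it pulls the proxy identities, packet counters and per-direction ESP SA state, and flags a tunnel with no active SA in one direction, a one-way tunnel (packets encapsulated but none decapsulated), disabled anti-replay, or an SA about to expire. The sample is trimmed from the page's output with the crypto map name replaced by the assumed R1MAP; the one-way case in the usage is constructed.

```python
import re

# Constructed sample, trimmed from the "show crypto ipsec sa" output above
# (one crypto map entry, one inbound and one outbound ESP SA). The single
# send error is the first ICMP echo that was dropped while IKE negotiated.
SHOW_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: R1MAP, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0

     current outbound spi: 0x2E523B94(777141140)

     inbound esp sas:
      spi: 0x1AA6B7AE(447133614)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4455635/3328)
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x2E523B94(777141140)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4455635/3321)
        replay detection support: Y
        Status: ACTIVE
"""

LOCAL_IDENT = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_IDENT = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER = re.compile(r"current_peer (\S+) port (\d+)")
ENCAPS = re.compile(r"#pkts encaps: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+)")
ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")
DIRECTION = re.compile(r"(inbound|outbound) esp sas:")
SA_SPI = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)")   # anchored: skips "current outbound spi"
TRANSFORM = re.compile(r"transform: (.+?) ,")
LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
REPLAY = re.compile(r"replay detection support: (\w)")
STATUS = re.compile(r"Status: (\w+)")


def parse_ipsec_sa(text):
    """Parse one crypto-map entry of 'show crypto ipsec sa' into a dict."""
    out = {"sas": [], "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    direction, sa = None, None
    for line in text.splitlines():
        if m := LOCAL_IDENT.search(line):
            out["local_ident"] = m.group(1)
        elif m := REMOTE_IDENT.search(line):
            out["remote_ident"] = m.group(1)
        elif m := PEER.search(line):
            out["peer"] = m.group(1)
        elif m := ENCAPS.search(line):
            out["encaps"] = int(m.group(1))
        elif m := DECAPS.search(line):
            out["decaps"] = int(m.group(1))
        elif m := ERRORS.search(line):
            out["send_errors"], out["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := DIRECTION.search(line):
            direction = m.group(1)
        elif m := SA_SPI.match(line):
            sa = {"dir": direction, "spi": int(m.group(1), 16), "transform": None,
                  "status": None, "replay": None, "kb_left": None, "sec_left": None}
            out["sas"].append(sa)
        elif sa is not None:               # attributes belong to the most recent SA
            if m := TRANSFORM.search(line):
                sa["transform"] = m.group(1)
            elif m := LIFETIME.search(line):
                sa["kb_left"], sa["sec_left"] = int(m.group(1)), int(m.group(2))
            elif m := REPLAY.search(line):
                sa["replay"] = m.group(1)
            elif m := STATUS.search(line):
                sa["status"] = m.group(1)
    return out


def check_tunnel(s, min_sec_left=60):
    """Return human-readable problems; an empty list means the tunnel looks healthy."""
    issues = []
    for d in ("inbound", "outbound"):
        if not any(sa["dir"] == d and sa["status"] == "ACTIVE" for sa in s["sas"]):
            issues.append(f"no ACTIVE {d} ESP SA towards {s.get('peer')}")
    if s["encaps"] > 0 and s["decaps"] == 0:
        issues.append("one-way tunnel: packets encapsulated but none decapsulated "
                      "(check the peer's crypto ACL, return routing and filters on ESP/UDP 500)")
    if s["recv_errors"] > 0:
        issues.append(f"{s['recv_errors']} receive errors: possible replay drops or HMAC failures")
    for sa in s["sas"]:
        if sa["replay"] != "Y":
            issues.append(f"{sa['dir']} SPI 0x{sa['spi']:08X}: anti-replay disabled")
        if sa["sec_left"] is not None and sa["sec_left"] < min_sec_left:
            issues.append(f"{sa['dir']} SPI 0x{sa['spi']:08X}: rekey due in {sa['sec_left']}s")
    return issues


if __name__ == "__main__":
    healthy = parse_ipsec_sa(SHOW_IPSEC_SA)
    print(healthy["local_ident"], "->", healthy["remote_ident"], "via", healthy["peer"])
    print("issues:", check_tunnel(healthy) or "none")
    # Constructed one-way case: the peer never returns traffic over the tunnel.
    one_way = parse_ipsec_sa(SHOW_IPSEC_SA.replace("#pkts decaps: 4", "#pkts decaps: 0"))
    print("issues:", check_tunnel(one_way))
```

For the lab output the check returns no issues: both SAs are ACTIVE, the four echoes that were encapsulated were also decapsulated, anti-replay is on for both SPIs, and the remaining lifetime is well above the rekey threshold. Changing the decaps counter to zero, as the usage does, is the signature of a crypto ACL that does not mirror the peer's or of a broken return route, and the check names it.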