配置Cisco IOS EASY ××× Server和Cisco ××× Client

推荐原创

hackerjx 2008-09-12 11:07:34 博主文章分类：Cisco ©著作权

文章标签 Cisco VPN Server EASY Client 文章分类 iOS 移动开发

©著作权归作者所有：来自51CTO博客作者hackerjx的原创作品，如需转载，请与作者联系，否则将追究法律责任

试验说明；R1为SKY公司的网关，其F1/0接口连接互联网，用户现在出差在外，通过拨号连接到互联网上，现在希望实现用户通过internet拨号进入SKY公司的R1路由器上，拨号使用easy vpn，并能连接到SKY公司的内网，192.168.0.0/24 网段

需求拓扑：

配置Cisco IOS EASY ××× Server和Cisco ××× Client_EASY

实验要求；

1，通过cisco vpn client 拨上R1，需要ping通R1的网关的地址，

2，×××拨入成功之后，可以ping通 192.168.0.2，能访问内网服务器上的共享资源

实验过程：
第一步 R1预配置
R1(config)#int f0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int e1/0
R1(config-if)#ip add 192.168.1.200 255.255.255.0
R1(config-if)#no sh
R1(config-if)#end
R1#ping 192.168.1.101
// 在本实验中PC机的IP地址是192.168.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/50/168 ms
R1#

第二步配置认证策略
R1#conf t
R1(config)#aaa new-model
// 激活AAA
R1(config)#aaa authorization network vpn-client-user local
// 配置对远程接入IPSec连接的授权，组名为vpn-client-user

第三步定义用户的组策略
R1(config)#ip local pool ×××DHCP 192.168.0.100 192.168.0.150
// 配置一个内部地址池，用于分配IP地址到远程接入的×××客户端，在本实验中地址池的起始地址为192.168.0.100，终止的IP地址为192.168.0.150，在后面的组策略中会引用改地址池
R1(config)#crypto isakmp client configuration group vpn-client-user
// 配置远程接入组，组名为vpn-client-user，此组名与aaa authorization network命令中的名称一致
R1(config-isakmp-group)#key norvel.com.cn
// 配置IKE阶段1使用预共享密钥，密钥为norvel.com.cn
R1(config-isakmp-group)#pool ×××DHCP
// 配置在客户端连接的Easy ××× client所分配的IP地址池
R1(config-isakmp-group)#dns 221.11.1.67
// 给客户端分配DNS地址
R1(config-isakmp-group)#domain norvel.com.cn
// 配置分配给客户端的DNS域名
R1(config-isakmp-group)#exit
R1(config)#

第四步配置IKE阶段1策略
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#end
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

第五步配置动态加密映射
R1#conf t
R1(config)#crypto ipsec transform-set R1 esp-sha-hmac esp-3des
// 配置名为R1的转换集
R1(cfg-crypto-trans)#exit
R1(config)#crypto dynamic-map dyvpn 10
// 配置名为dyvpn的动态加密映射
R1(config-crypto-map)#set transform-set R1

R1(config-crypto-map)#reverse-route
//Reverse-route 生成的两条路由,不配置这条命令，是无法ping内网的设备192.168.0.2

R1(config-crypto-map)#exit

第六步配置静态加密映射
R1(config)#crypto map dyvpn isakmp authorization list vpn-client-user
// 指定应该为远程接入×××连接执行的授权，这里的vpn-client-user名称必须与aaa authorization network命令中的相同
R1(config)#crypto map dyvpn client configuration address respond
// 配置允许路由器将信息分配给远程接入客户端，respond参数使路由器等待客户端提示发送这些信息，然后路由器使用策略信息来回应
R1(config)#crypto map dyvpn 1 ipsec-isakmp dynamic dyvpn
// 配置在静态映射条目中关联动态加密映射

第七步在接口上激活静态加密映射
R1(config)#int e1/0
R1(config-if)#crypto map dyvpn
R1(config-if)# ^Z

第八步在PC机上打开Cisco ××× Client进行配置，点击New创建一个新的×××连接

配置Cisco IOS EASY ××× Server和Cisco ××× Client_EASY_02

第九步在×××连接中进行配置，连接名填写easyvpn，主机填写××× Server 192.168.1.200，name填写vpn-client-user，密码填写norvel.com.cn

第十步测试×××连接，选中easyvpn，点击Connect

配置Cisco IOS EASY ××× Server和Cisco ××× Client_EASY_04

第十一步连接成功后查看连接的统计信息

配置Cisco IOS EASY ××× Server和Cisco ××× Client_EASY_05

第十二步在××× R1上查看相关×××信息
R1#show crypto ipsec sa

interface: Ethernet1/0
Crypto map tag: dyvpn, local addr 192.168.1.200

   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.100/255.255.255.255/0/0)
   current_peer 192.168.1.101 port 1141
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.200, remote crypto endpt.: 192.168.1.101
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
     current outbound spi: 0x1E9D1DD2(513613266)

     inbound esp sas:
      spi: 0x469FD498(1184879768)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: dyvpn
        sa timing: remaining key lifetime (k/sec): (4462636/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x1E9D1DD2(513613266)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: dyvpn
        sa timing: remaining key lifetime (k/sec): (4462636/3540)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R1#

第十三步   调试IKE信息
R1#debug crypto isakmp
Crypto ISAKMP debugging is .
R1#debug crypto ipsec
Crypto IPSEC debugging is .
R1#
R1#
*Jun 25 09:30:34.967: ISAKMP (0:0): received packet from 192.168.1.101 dport 500 sport 1161 Global (N) NEW SA
*Jun 25 09:30:34.967: ISAKMP: Created a peer struct for 192.168.1.101, peer port 1161
*Jun 25 09:30:34.967: ISAKMP: New peer created peer = 0x66D74ED0 peer_handle = 0x80000006
*Jun 25 09:30:34.971: ISAKMP: Locking peer struct 0x66D74ED0, refcount 1 for crypto_isakmp_process_block
*Jun 25 09:30:34.971: ISAKMP:(0):Setting client config settings 65DD5EE0
*Jun 25 09:30:34.971: ISAKMP/xauth: initializing AAA request
*Jun 25 09:30:34.975: ISAKMP: local port 500, remote port 1161
*Jun 25 09:30:34.979: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 66F36B00
*Jun 25 09:30:34.979: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 25 09:30:34.983: ISAKMP:(0): processing ID payload. message ID = 0
*Jun 25 09:30:34.983: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpn-client-user
        protocol     : 17
        port
R1#      : 500
        length       : 23
*Jun 25 09:30:34.983: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 25 09:30:34.987: ISAKMP:(0): processing vendor id payload
*Jun 25 09:30:34.987: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jun 25 09:30:34.987: ISAKMP:(0): vendor ID is XAUTH
*Jun 25 09:30:34.987: ISAKMP:(0): processing vendor id payload
*Jun 25 09:30:34.991: ISAKMP:(0): vendor ID is DPD
*Jun 25 09:30:34.991: ISAKMP:(0): processing vendor id payload
*Jun 25 09:30:34.991: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Jun 25 09:30:34.991: ISAKMP:(0): processing vendor id payload
*Jun 25 09:30:34.995: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 25 09:30:34.995: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 25 09:30:34.995: ISAKMP:(0): processing vendor id payload
*Jun 25 09:30:34.995: ISAKMP:(0): vendor ID is Unity
*Jun 25 09:30:34.999: ISAKMP : Scanning profiles for xauth ...
*Jun 25 09:30:34.999: ISAKMP:(0):Checkin
R1#g ISAKMP transform 1 against priority 10 policy
*Jun 25 09:30:34.999: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:34.999: ISAKMP:      hash SHA
*Jun 25 09:30:34.999: ISAKMP:      default group 2
*Jun 25 09:30:35.003: ISAKMP:      auth XAUTHInitPreShared
*Jun 25 09:30:35.003: ISAKMP:      life type in seconds
*Jun 25 09:30:35.003: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.003: ISAKMP:      keylength of 256
*Jun 25 09:30:35.007: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.007: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.007: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jun 25 09:30:35.007: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.007: ISAKMP:      hash MD5
*Jun 25 09:30:35.011: ISAKMP:      default group 2
*Jun 25 09:30:35.011: ISAKMP:      auth XAUTHInitPreShared
*Jun 25 09:30:35.011: ISAKMP:      life type in seconds
*Jun 25 09:30:35.011: ISAKM
R1#P:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.015: ISAKMP:      keylength of 256
*Jun 25 09:30:35.015: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.015: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.015: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jun 25 09:30:35.019: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.019: ISAKMP:      hash SHA
*Jun 25 09:30:35.019: ISAKMP:      default group 2
*Jun 25 09:30:35.019: ISAKMP:      auth pre-share
*Jun 25 09:30:35.019: ISAKMP:      life type in seconds
*Jun 25 09:30:35.019: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.023: ISAKMP:      keylength of 256
*Jun 25 09:30:35.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.023: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.027: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 poli
R1#cy
*Jun 25 09:30:35.027: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.027: ISAKMP:      hash MD5
*Jun 25 09:30:35.027: ISAKMP:      default group 2
*Jun 25 09:30:35.027: ISAKMP:      auth pre-share
*Jun 25 09:30:35.027: ISAKMP:      life type in seconds
*Jun 25 09:30:35.031: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.031: ISAKMP:      keylength of 256
*Jun 25 09:30:35.031: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.035: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.035: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Jun 25 09:30:35.035: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.035: ISAKMP:      hash SHA
*Jun 25 09:30:35.035: ISAKMP:      default group 2
*Jun 25 09:30:35.039: ISAKMP:      auth XAUTHInitPreShared
*Jun 25 09:30:35.039: ISAKMP:      life type in seconds
*Jun 25 09:30:35.039: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*
R1#Jun 25 09:30:35.039: ISAKMP:      keylength of 128
*Jun 25 09:30:35.043: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.043: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.043: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Jun 25 09:30:35.043: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.047: ISAKMP:      hash MD5
*Jun 25 09:30:35.047: ISAKMP:      default group 2
*Jun 25 09:30:35.047: ISAKMP:      auth XAUTHInitPreShared
*Jun 25 09:30:35.047: ISAKMP:      life type in seconds
*Jun 25 09:30:35.047: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:      keylength of 128
*Jun 25 09:30:35.051: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.051: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.051: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryp
R1#tion AES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash SHA
*Jun 25 09:30:35.051: ISAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth pre-share
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:      keylength of 128
*Jun 25 09:30:35.051: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.051: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.051: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash MD5
*Jun 25 09:30:35.051: ISAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth pre-share
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:      keylength of 128
*J
R1#un 25 09:30:35.051: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 25 09:30:35.051: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.051: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryption 3DES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash SHA
*Jun 25 09:30:35.051: ISAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth XAUTHInitPreShared
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Jun 25 09:30:35.051: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.051: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryption 3DES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash MD5
*Jun 25 09:30:35.051: I
R1#SAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth XAUTHInitPreShared
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jun 25 09:30:35.051: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 25 09:30:35.051: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryption 3DES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash SHA
*Jun 25 09:30:35.051: ISAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth pre-share
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jun 25 09:30:35.051: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jun 25 09:30:35.051: ISAKMP:(0):Acceptable
R1# atts:life: 0
*Jun 25 09:30:35.051: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 25 09:30:35.051: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Jun 25 09:30:35.051: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 25 09:30:35.051: ISAKMP:(0)::Started lifetime timer: 86400.

*Jun 25 09:30:35.051: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 25 09:30:35.095: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 25 09:30:35.099: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 25 09:30:35.099: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 25 09:30:35.099: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

*Jun 25 09:30:35.099: ISAKMP (0:0): received packet from 192.168.1.101 dport 500 sport 1161 Global (R) AG_NO_STATE
*Jun 25 09:30:35.099: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 25 09:30:35.099: ISAKMP:(0): retransmission skipped (awaiting response from other process)
*Jun 25 09:30:35.103: ISAKMP:(1005): cons
R1#tructed NAT-T vendor-02 ID
*Jun 25 09:30:35.107: ISAKMP:(1005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 25 09:30:35.107: ISAKMP (0:1005): ID payload
        next-payload : 10
        type         : 1
        address      : 192.168.1.200
        protocol     : 17
        port         : 0
        length       : 12
*Jun 25 09:30:35.107: ISAKMP:(1005):Total payload length: 12
*Jun 25 09:30:35.111: ISAKMP:(1005): sending packet to 192.168.1.101 my_port 500 peer_port 1161 (R) AG_INIT_EXCH
*Jun 25 09:30:35.115: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Jun 25 09:30:35.115: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jun 25 09:30:35.115: ISAKMP:(1005):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2

*Jun 25 09:30:35.211: ISAKMP (0:1005): received packet from 192.168.1.101 dport 500 sport 1161 Global (R) AG_INIT_EXCH
*Jun 25 09:30:35.211: ISAKMP:(1005): processing HASH payload. message ID = 0
*Jun 25 09:30:35.215: ISAKMP:(1005): processing NOTIFY INITIAL_
R1#CONTACT protocol 1
        spi 0, message ID = 0, sa = 66F36B00
*Jun 25 09:30:35.215: ISAKMP:received payload type 20
*Jun 25 09:30:35.219: ISAKMP:received payload type 20
*Jun 25 09:30:35.219: ISAKMP:(1005):SA authentication status:
        authenticated
*Jun 25 09:30:35.219: ISAKMP:(1005):SA has been authenticated with 192.168.1.101
*Jun 25 09:30:35.223: ISAKMP:(1005):SA authentication status:
        authenticated
*Jun 25 09:30:35.223: ISAKMP:(1005): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.200 remote 192.168.1.101 remote port 1161
*Jun 25 09:30:35.223: ISAKMP:(1005):returning IP addr to the address pool
*Jun 25 09:30:35.231: ISAKMP: Trying to insert a peer 192.168.1.200/192.168.1.101/1161/, and inserted successfully 66D74ED0.
*Jun 25 09:30:35.235: ISAKMP:(1005):Returning Actual lifetime: 86400
*Jun 25 09:30:35.235: ISAKMP: set new node -1598652706 to QM_IDLE
*Jun 25 09:30:35.239: ISAKMP:(1005):Sending NOTIFY RESPONDER_LIFETIME protocol
R1#1
        spi 1723596448, message ID = -1598652706
*Jun 25 09:30:35.239: ISAKMP:(1005): sending packet to 192.168.1.101 my_port 500 peer_port 1161 (R) QM_IDLE
*Jun 25 09:30:35.239: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Jun 25 09:30:35.243: ISAKMP:(1005):purging node -1598652706
*Jun 25 09:30:35.243: ISAKMP: Sending phase 1 responder lifetime 86400

*Jun 25 09:30:35.243: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 25 09:30:35.247: ISAKMP:(1005):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE

*Jun 25 09:30:35.247: ISAKMP (0:1005): received packet from 192.168.1.101 dport 500 sport 1161 Global (R) QM_IDLE
*Jun 25 09:30:35.251: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
*Jun 25 09:30:35.251: ISAKMP:(1005): retransmitting due to retransmit phase 1
*Jun 25 09:30:35.251: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. QM_IDLE
*Jun 25 09:30:35.255: ISAKMP (0:1005): received packet from 192.168.1.101 dport 500 s
R1#port 1161 Global (R) QM_IDLE
*Jun 25 09:30:35.255: ISAKMP: set new node 1347824040 to QM_IDLE
*Jun 25 09:30:35.259: ISAKMP:(1005):processing transaction payload from 192.168.1.101. message ID = 1347824040
*Jun 25 09:30:35.259: ISAKMP: Config payload REQUEST
*Jun 25 09:30:35.263: ISAKMP:(1005):checking request:
*Jun 25 09:30:35.263: ISAKMP:    IP4_ADDRESS
*Jun 25 09:30:35.263: ISAKMP:    IP4_NETMASK
*Jun 25 09:30:35.263: ISAKMP:    IP4_DNS
*Jun 25 09:30:35.263: ISAKMP:    IP4_NBNS
*Jun 25 09:30:35.263: ISAKMP:    ADDRESS_EXPIRY
*Jun 25 09:30:35.267: ISAKMP:    MODECFG_BANNER
*Jun 25 09:30:35.267: ISAKMP:    MODECFG_SAVEPWD
*Jun 25 09:30:35.267: ISAKMP:    DEFAULT_DOMAIN
*Jun 25 09:30:35.267: ISAKMP:    SPLIT_INCLUDE
*Jun 25 09:30:35.267: ISAKMP:    SPLIT_DNS
*Jun 25 09:30:35.267: ISAKMP:    PFS
*Jun 25 09:30:35.271: ISAKMP:    MODECFG_BROWSER_PROXY
*Jun 25 09:30:35.271: ISAKMP:    BACKUP_SERVER
*Jun 25 09:30:35.271: ISAKMP:    CONFIG_MODE_UNKNOWN Unknown A
R1#ttr: 0x700C
*Jun 25 09:30:35.271: ISAKMP:    APPLICATION_VERSION
*Jun 25 09:30:35.271: ISAKMP:    FW_RECORD
*Jun 25 09:30:35.275: ISAKMP:    MODECFG_HOSTNAME
*Jun 25 09:30:35.275: ISAKMP:    CONFIG_MODE_UNKNOWN Unknown Attr: 0x7005
*Jun 25 09:30:35.279: ISAKMP/author: Author request for group vpn-client-usersuccessfully sent to AAA
*Jun 25 09:30:35.279: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jun 25 09:30:35.279: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

*Jun 25 09:30:35.283: ISAKMP (0:1005): received packet from 192.168.1.101 dport 500 sport 1161 Global (R) CONF_ADDR
*Jun 25 09:30:35.283: ISAKMP:(1005): phase 2 packet is a duplicate of a previous packet.
*Jun 25 09:30:35.291: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 25 09:30:35.299: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 25 09:30:35.299: ISAKMP:(1005):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE
R1#_CONFIG_AUTHOR_AAA_AWAIT

*Jun 25 09:30:35.311: ISAKMP:(1005):attributes sent in message:
*Jun 25 09:30:35.311: Address: 0.2.0.0
*Jun 25 09:30:35.315: ISAKMP:(1005):allocating address 192.168.0.104
*Jun 25 09:30:35.315: ISAKMP: Sending private address: 192.168.0.104
*Jun 25 09:30:35.315: ISAKMP: Sending subnet mask: 255.255.255.0
*Jun 25 09:30:35.319: ISAKMP: Sending IP4_DNS server address: 221.11.1.67
*Jun 25 09:30:35.319: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86399
*Jun 25 09:30:35.319: ISAKMP: Sending save password reply value 0
*Jun 25 09:30:35.319: ISAKMP: Sending DEFAULT_DOMAIN default domain name: norvel.com.cn
*Jun 25 09:30:35.323: ISAKMP (0/1005): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
*Jun 25 09:30:35.323: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T3, RELEASE SOFTWARE (fc1)
Technical Support: [url]http://www.cisco.com/techsupport[/url]
Copyright (c) 1986-2
R1#008 by Cisco Systems, Inc.
Compiled Fri 25-Jan-08 03:57 by prod_rel_team
*Jun 25 09:30:35.323: ISAKMP (0/1005): Unknown Attr: MODECFG_HOSTNAME (0x700A)
*Jun 25 09:30:35.327: ISAKMP (0/1005): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
*Jun 25 09:30:35.327: ISAKMP:(1005): responding to peer config from 192.168.1.101. ID = 1347824040
*Jun 25 09:30:35.331: ISAKMP:(1005): sending packet to 192.168.1.101 my_port 500 peer_port 1161 (R) CONF_ADDR
*Jun 25 09:30:35.331: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Jun 25 09:30:35.335: ISAKMP:(1005):deleting node 1347824040 error FALSE reason "No Error"
*Jun 25 09:30:35.335: ISAKMP:(1005):Talking to a Unity Client
*Jun 25 09:30:35.335: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
*Jun 25 09:30:35.339: ISAKMP:(1005):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE

*Jun 25 09:30:35.391: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 25 09:30:35.391: ISAKMP:(1005):Old State = IK
R1#E_P1_COMPLETE New State = IKE_P1_COMPLETE

*Jun 25 09:30:35.447: ISAKMP (0:1005): received packet from 192.168.1.101 dport 500 sport 1161 Global (R) QM_IDLE
*Jun 25 09:30:35.447: ISAKMP: set new node -585754297 to QM_IDLE
*Jun 25 09:30:35.455: ISAKMP:(1005): processing HASH payload. message ID = -585754297
*Jun 25 09:30:35.455: ISAKMP:(1005): processing SA payload. message ID = -585754297
*Jun 25 09:30:35.455: ISAKMP:(1005):Checking IPSec proposal 1
*Jun 25 09:30:35.459: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.459: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.459: ISAKMP:      authenticator is HMAC-MD5
*Jun 25 09:30:35.459: ISAKMP:      key length is 256
*Jun 25 09:30:35.459: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.463: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.463: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.463: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.467: ISAKMP:(1005):Che
R1#cking IPSec proposal 1
*Jun 25 09:30:35.467: ISAKMP:(1005):transform 1, IPPCP LZS
*Jun 25 09:30:35.467: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.467: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.467: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.467: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.471: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.471: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.475: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 25 09:30:35.479: IPSEC(validate_proposal_request): proposal part #2
*Jun 25 09:30:35.479: IPSEC(validate_proposal_request): propo
R1#sal part #2,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 09:30:35.483: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
*Jun 25 09:30:35.483: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.487: ISAKMP:(1005):Checking IPSec proposal 2
*Jun 25 09:30:35.487: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.487: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.487: ISAKMP:      authenticator is HMAC-SHA
*Jun 25 09:30:35.487: ISAKMP:      key length is 256
*Jun 25 09:30:35.491: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.491: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.491: ISAKMP:
R1# SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.491: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.495: ISAKMP:(1005):Checking IPSec proposal 2
*Jun 25 09:30:35.495: ISAKMP:(1005):transform 1, IPPCP LZS
*Jun 25 09:30:35.495: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.495: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.495: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.499: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.499: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.499: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.503: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, f
R1#lags= 0x0
*Jun 25 09:30:35.507: IPSEC(validate_proposal_request): proposal part #2
*Jun 25 09:30:35.507: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 09:30:35.511: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac comp-lzs }
*Jun 25 09:30:35.511: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.515: ISAKMP:(1005):Checking IPSec proposal 3
*Jun 25 09:30:35.515: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.515: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.515: ISAKMP:      authenticator is HMAC-MD5
*Jun 25 09:30:35.515: ISAKMP:      key length is 128
*Jun
R1#25 09:30:35.519: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.519: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.519: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.523: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.523: ISAKMP:(1005):Checking IPSec proposal 3
*Jun 25 09:30:35.523: ISAKMP:(1005):transform 1, IPPCP LZS
*Jun 25 09:30:35.523: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.523: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.527: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.527: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.527: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.531: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.531: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.
R1#255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun 25 09:30:35.535: IPSEC(validate_proposal_request): proposal part #2
*Jun 25 09:30:35.535: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 09:30:35.539: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac comp-lzs }
*Jun 25 09:30:35.539: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.543: ISAKMP:(1005):Checking IPSec proposal 4
*Jun 25 09:30:35.543: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.543: ISAKMP:   attri
R1#butes in transform:
*Jun 25 09:30:35.543: ISAKMP:      authenticator is HMAC-SHA
*Jun 25 09:30:35.547: ISAKMP:      key length is 128
*Jun 25 09:30:35.547: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.547: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.547: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.551: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.551: ISAKMP:(1005):Checking IPSec proposal 4
*Jun 25 09:30:35.551: ISAKMP:(1005):transform 1, IPPCP LZS
*Jun 25 09:30:35.551: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.551: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.
R1#) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #2
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac comp-lzs }
*Jun 25 09:30:35.555: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:
R1#30:35.555: ISAKMP:(1005):Checking IPSec proposal 5
*Jun 25 09:30:35.555: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.555: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.555: ISAKMP:      authenticator is HMAC-MD5
*Jun 25 09:30:35.555: ISAKMP:      key length is 256
*Jun 25 09:30:35.555: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
R1#
*Jun 25 09:30:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac }
*Jun 25 09:30:35.555: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.555: ISAKMP:(1005):Checking IPSec proposal 6
*Jun 25 09:30:35.555: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.555: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.555: ISAKMP:      authenticator is HMAC-SHA
*Jun 25 09:30:35.555: ISAKMP:      key length is 256
*Jun 25 09:30:35.555: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    l
R1#ocal_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
*Jun 25 09:30:35.555: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.555: ISAKMP:(1005):Checking IPSec proposal 7
*Jun 25 09:30:35.555: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.555: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.555: ISAKMP:      authenticator is HMAC-MD5
*Jun 25 09:30:35.555: ISAKMP:      key length is 128
*Jun 25 09:30:35.555: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are accep
R1#table.
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac }
*Jun 25 09:30:35.555: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.555: ISAKMP:(1005):Checking IPSec proposal 8
*Jun 25 09:30:35.555: ISAKMP: transform 1, ESP_AES
*Jun 25 09:30:35.555: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.555: ISAKMP:      authenticator is HMAC-SHA
*Jun 25 09:30:35.555: ISAKMP:      key length is 128
*Jun 25 09:30:35.55
R1#5: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
*Jun 25 09:30:35.555: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
*Jun 25 09:30:35.555: ISAKMP:(1005):Checking IPSec proposal 9
*Jun 25 09:30:3
R1#5.555: ISAKMP: transform 1, ESP_3DES
*Jun 25 09:30:35.555: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.555: ISAKMP:      authenticator is HMAC-MD5
*Jun 25 09:30:35.555: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.555: ISAKMP:(1005):Checking IPSec proposal 9
*Jun 25 09:30:35.555: ISAKMP:(1005):transform 1, IPPCP LZS
*Jun 25 09:30:35.555: ISAKMP:   attributes in transform:
*Jun 25 09:30:35.555: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 09:30:35.555: ISAKMP:      SA life type in seconds
*Jun 25 09:30:35.555: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.555: ISAKMP:(1005):atts are acceptable.
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part
R1##1,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #2
*Jun 25 09:30:35.555: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 192.168.1.200, remote= 192.168.1.101,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.104/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 09:30:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac comp-lzs }
*Jun 25 09:30:35.555: ISAKMP:(1005): IPSec policy invalidated proposal with er
R1#ror 256
*Jun 25 09:30:35.555: ISAKMP:(1005):

上一篇：ISCW实验12：使用SDM配置GRE over IPSec

下一篇：使用SDM配置Cisco Easy ×××

提问和评论都可以，用心的回复会被更多人看到评论

发布评论

相关文章

官方博客	全部文章	热门标签	班级博客
了解我们	网站地图	意见反馈

鸿蒙开发者社区	51CTO学堂
51CTO	软考资讯