Step 1: Basic interface configuration
R1:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R2:
R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#int f0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
R1:
R1(config)#crypto isakmp enable
// Enable ISAKMP globally (it is enabled by default)
R1(config)#crypto isakmp policy 10
// Define an ISAKMP policy so that an ISAKMP peering can be established between the IPsec endpoints. The 10 is the policy priority; the range is 1-10000, and 1 is the highest priority
R1(config-isakmp)#authentication pre-share
// Set the peer authentication method to pre-shared keys (this must match R2 and the pre-shared key configured below)
R1(config-isakmp)#encryption 3des
// Set the message encryption algorithm to 3DES
R1(config-isakmp)#group 5
// Set the key-exchange parameters to 1536-bit Diffie-Hellman (group 5)
R1(config-isakmp)#hash sha
// Set the message integrity (hash) algorithm to SHA-1 (160-bit hash)
R1(config-isakmp)#lifetime 86400
// Set the lifetime of the SA that ISAKMP establishes
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco add 192.168.1.2
// Configure the pre-shared key: the key is cisco and the remote peer's IP address is 192.168.1.2
R2:
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 5
R2(config-isakmp)#hash sha
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
R2(config)#crypto isakmp key 0 cisco add 192.168.1.1
R1:
R1(config)#crypto ipsec transform-set R1set esp-3des esp-md5-hmac
// Create a transform set named R1set; the transform set defines how the data traffic is protected. If no mode is configured, the default is tunnel mode (mode tunnel)
R1(cfg-crypto-trans)#exit
R1(config)#crypto map R!××× 10 ipsec-isakmp
// Create an IPsec crypto map that uses ISAKMP to establish the IPsec SAs protecting the data flows specified by this crypto map entry
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 192.168.1.2
// Specify the peer IP address
R1(config-crypto-map)#set transform-set R1set
// Specify the transform set
R1(config-crypto-map)#match address 100
// Reference the extended ACL that selects the traffic to protect
R1(config-crypto-map)#exit
R2:
R2(config)#crypto ipsec transform-set R2set esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto map R2××× 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set transform-set R2set
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
R1:
R1(config)#access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
R1(config)#int f0/0
R1(config-if)#crypto map R!×××
R1(config-if)#end
R2:
R2(config)#access-list 100 permit icmp host 2.2.2.2 host 1.1.1.1
R2(config)#int f0/0
R2(config-if)#crypto map R2×××
R2(config-if)#end
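Before turning on the debugs, an added example that is not part of the original lab: the two routers' phase-1 policies must agree attribute for attribute, and a policy proposing `authentication rsa-encr` on one side against `pre-share` on the other never yields a match. This Python checker parses constructed excerpts of both routers' configs (the text is constructed here, not copied from a device), fills in the IOS defaults for unset attributes, and reports the mismatch the way IKE phase 1 would see it; it also compares the two transform sets.

```python
import re
# Constructed excerpts of each router's running config (not copied from a live
# device): R1 still carries the `authentication rsa-encr` slip, R2 uses pre-share.
R1_CFG = """\
crypto isakmp policy 10
 authentication rsa-encr
 encryption 3des
 group 5
 hash sha
crypto ipsec transform-set R1set esp-3des esp-md5-hmac
"""
R2_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 5
 hash sha
crypto ipsec transform-set R2set esp-md5-hmac esp-3des
"""

# Phase-1 attributes both peers must agree on (lifetime negotiates down to the shorter value)
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group")
IOS_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}

def parse_isakmp_policies(cfg):
    """Return {priority: {attr: value}}, filling unset attributes with IOS defaults."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            cur = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
        elif (m := re.match(r"\s+(\w+)\s+(\S+)", line)) and cur is not None:
            if m.group(1) in cur:          # indented line belongs to the current policy
                cur[m.group(1)] = m.group(2)
    return policies

def parse_transform_sets(cfg):
    """Return {name: frozenset of transforms}; order inside a set does not matter."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg)}

def mismatched_attrs(ipol, rpol):
    return {a: (ipol[a], rpol[a]) for a in ISAKMP_ATTRS if ipol[a] != rpol[a]}

def find_matching_policy(initiator, responder):
    # Mimic IKE phase 1: first (lowest-number) pair agreeing on every attribute, else None
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if not mismatched_attrs(ipol, rpol):
                return ip, rp
    return None
```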
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 source 1.1.1.1
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 22 21:17:12.075: ISAKMP:(0): SA request profile is (NULL)
*Jun 22 21:17:12.075: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
*Jun 22 21:17:12.075: ISAKMP: New peer created peer = 0x65EF6474 peer_handle = 0x80000002
*Jun 22 21:17:12.079: ISAKMP: Locking peer struct 0x65EF6474, refcount 1 for isakmp_initiator
*Jun 22 21:17:12.079: ISAKMP: local port 500, remote port 500
*Jun 22 21:17:12.079: ISAKMP: set new node 0 to QM_IDLE
*Jun 22 21:17:12.095: insert sa successfully sa = 65E3510C
*Jun 22 21:17:12.095: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 22 21:17:12.095: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 22 21:17:12.099: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 22 21:17:12.103: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 22 21:17:12.103: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 22 21:17:12.103: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 22 21:17:12.107: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 22 21:17:12.107: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Jun 22 21:17:22.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 22 21:17:22.111: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 22 21:17:22.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 22 21:17:22.115: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 22 21:17:22.115: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.223: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 22 21:17:22.235: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.235: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 22 21:17:22.243: ISAKMP:(0): processing vendor id payload
*Jun 22 21:17:22.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 21:17:22.247: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 22 21:17:22.247: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:22.247: ISAKMP:(0): local preshared key found
*Jun 22 21:17:22.247: ISAKMP : Scanning profiles for xauth ...
*Jun 22 21:17:22.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 22 21:17:22.251: ISAKMP: encryption 3DES-CBC
*Jun 22 21:17:22.251: ISAKMP: hash SHA
*Jun 22 21:17:22.251: ISAKMP: default group 5
*Jun 22 21:17:22.251: ISAKMP: auth pre-share
*Jun 22 21:17:22.251: ISAKMP: life type in seconds
*Jun 22 21:17:22.255: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 22 21:17:22.255: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 22 21:17:22.255: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 22 21:17:22.259: ISAKMP:(0):Acceptable atts:life: 0
*Jun 22 21:17:22.259: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 22 21:17:22.259: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 22 21:17:22.259: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 22 21:17:22.263: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 22 21:17:22.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 21:17:22.263: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 22 21:17:22.267: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.267: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 22 21:17:22.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.279: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.279: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 22 21:17:22.555: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.555: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 22 21:17:22.711: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 22 21:17:22.715: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Jun 22 21:17:22.719: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.719: ISAKMP:(1001): vendor ID is Unity
*Jun 22 21:17:22.723: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.723: ISAKMP:(1001): vendor ID is DPD
*Jun 22 21:17:22.723: ISAKMP:(1001): processing vendor id payload
*Jun 22 21:17:22.723: ISAKMP:(1001): speaking to another IOS box!
*Jun 22 21:17:22.723: ISAKMP:received payload type 20
*Jun 22 21:17:22.723: ISAKMP:received payload type 20
*Jun 22 21:17:22.723: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 22 21:17:22.723: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 22 21:17:22.727: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 22 21:17:22.731: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 192.168.1.1
protocol : 17
port : 500
length : 12
*Jun 22 21:17:22.731: ISAKMP:(1001):Total payload length: 12
*Jun 22 21:17:22.731: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 22 21:17:22.731: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.735: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 22 21:17:22.735: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 22 21:17:22.819: ISAKMP:(1001): processing ID payload. message ID = 0
*Jun 22 21:17:22.819: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
*Jun 22 21:17:22.819: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 22 21:17:22.823: ISAKMP:(1001): processing HASH payload. message ID = 0
*Jun 22 21:17:22.823: ISAKMP:(1001):SA authentication status:
authenticated
*Jun 22 21:17:22.827: ISAKMP:(1001):SA has been authenticated with 192.168.1.2
*Jun 22 21:17:22.827: ISAKMP: Trying to insert a peer 192.168.1.1/192.168.1.2/500/, and inserted successfully 65EF6474.
*Jun 22 21:17:22.831: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 21:17:22.831: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 22 21:17:22.839: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jun 22 21:17:22.847: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 22 21:17:22.851: ISAKMP:(1001):QM Initiator gets spi
*Jun 22 21:17:22.859: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 22 21:17:22.859: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:22.859: ISAKMP:(1001):Node 192606138, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 22 21:17:22.863: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 22 21:17:22.863: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 22 21:17:22.863: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 22 21:17:23.047: ISAKMP:(1001): processing HASH payload. message ID = 192606138
*Jun 22 21:17:23.051: ISAKMP:(1001): processing SA payload. message ID = 192606138
*Jun 22 21:17:23.051: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 22 21:17:23.051: ISAKMP: transform 1, ESP_3DES
*Jun 22 21:17:23.051: ISAKMP: attributes in transform:
*Jun 22 21:17:23.051: ISAKMP: encaps is 1 (Tunnel)
*Jun 22 21:17:23.055: ISAKMP: SA life type in seconds
*Jun 22 21:17:23.055: ISAKMP: SA life duration (basic) of 3600
*Jun 22 21:17:23.055: ISAKMP: SA life type in kilobytes
*Jun 22 21:17:23.055: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 22 21:17:23.059: ISAKMP: authenticator is HMAC-MD5
*Jun 22 21:17:23.059: ISAKMP:(1001):atts are acceptable.
*Jun 22 21:17:23.059: IPSEC(validate_proposal_request): proposal part #1
*Jun 22 21:17:23.059: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 22 21:17:23.063: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 1
src port : 0
dst port : 0
*Jun 22 21:17:23.067: ISAKMP:(1001): processing NONCE payload. message ID = 192606138
*Jun 22 21:17:23.067: ISAKMP:(1001): processing ID payload. message ID = 192606138
*Jun 22 21:17:23.071: ISAKMP:(1001): processing ID payload. message ID = 192606138
*Jun 22 21:17:23.075: ISAKMP:(1001): Creating IPSec SAs
*Jun 22 21:17:23.079: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 2.2.2.2 to 1.1.1.1)
*Jun 22 21:17:23.079: has spi 0x6E0588B2 and conn_id 0
*Jun 22 21:17:23.079: lifetime of 3600 seconds
*Jun 22 21:17:23.079: lifetime of 4608000 kilobytes
*Jun 22 21:17:23.083: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 1.1.1.1 to 2.2.2.2)
*Jun 22 21:17:23.083: has spi 0x11E9D65F and conn_id 0
*Jun 22 21:17:23.083: lifetime of 3600 seconds
*Jun 22 21:17:23.083: lifetime of 4608000 kilobytes
*Jun 22 21:17:23.087: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 22 21:17:23.087: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 22 21:17:23.091: ISAKMP:(1001):deleting node 192606138 error FALSE reason "No Error"
*Jun 22 21:17:23.091: ISAKMP:(1001):Node 192606138, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 22 21:17:23.091: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Jun 22 21:17:23.095: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 21:17:23.099: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 1
src port : 0
dst port : 0
*Jun 22 21:17:23.099: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.1.2
*Jun 22 21:17:23.103: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x6E0588B2(1845856434),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
*Jun 22 21:17:23.107: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x11E9D65F(300537439),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2
*Jun 22 21:17:23.107: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 11E9D65F
R1#
*Jun 22 21:18:13.091: ISAKMP:(1001):purging node 192606138
R1#
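As an added example (not part of the lab transcript), a small Python parser that walks `debug crypto isakmp` / `debug crypto ipsec` output and reports what an operator checks first: the main-mode state transitions, how many phase-1 retransmits occurred, whether the peer was authenticated, and the SPIs of the two phase-2 SAs. The embedded log is a constructed excerpt of the transcript above with most lines dropped.

```python
import re
# Constructed excerpt of the `debug crypto isakmp` / `debug crypto ipsec` transcript
# above: only the state-transition, retransmit, authentication and SA lines are kept.
DEBUG_LOG = """\
*Jun 22 21:17:12.103: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 22 21:17:22.111: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 22 21:17:22.235: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 22 21:17:22.267: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 22 21:17:22.279: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 22 21:17:22.555: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 22 21:17:22.735: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 22 21:17:22.827: ISAKMP:(1001):SA has been authenticated with 192.168.1.2
*Jun 22 21:17:22.831: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 22 21:17:22.847: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 22 21:17:23.079: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
*Jun 22 21:17:23.079: has spi 0x6E0588B2 and conn_id 0
*Jun 22 21:17:23.083: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
*Jun 22 21:17:23.083: has spi 0x11E9D65F and conn_id 0
*Jun 22 21:17:23.091: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")

def summarize_ike(log):
    """Walk the debug lines once and return the facts an operator checks first."""
    s = {"transitions": [], "retransmits": 0, "authenticated_peer": None,
         "phase1_complete": False, "phase2_complete": False, "spi": {}}
    direction = None  # SA direction announced on the previous line
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if old != new:  # IOS also logs no-op transitions; keep only real progress
                s["transitions"].append((old, new))
            s["phase1_complete"] |= new == "IKE_P1_COMPLETE"
            s["phase2_complete"] |= new == "IKE_QM_PHASE2_COMPLETE"
        elif RETRANS_RE.search(line):
            s["retransmits"] += 1  # main-mode packet lost or peer slow to answer
        elif m := AUTH_RE.search(line):
            s["authenticated_peer"] = m.group(1)
        elif m := SA_RE.search(line):
            direction = m.group(1)
        elif (m := SPI_RE.search(line)) and direction:
            s["spi"][direction] = int(m.group(1), 16)
            direction = None
    return s
```

The retransmit counter explains the first ping's 0 percent success rate: the ICMP packets that triggered negotiation were dropped while phase 1 was still in MM_NO_STATE.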
R1#show crypto isakmp sa
// View the IKE phase 1 management connection
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.2 192.168.1.1 QM_IDLE 1001 0 ACTIVE
R1#show crypto ipsec sa
// View the IPsec data connections (SAs) established in IKE phase 2
interface: FastEthernet0/0
Crypto map tag: R!×××, local addr 192.168.1.1
// The crypto map R!××× is applied on F0/0; the router IP address used for IPsec traffic is 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
// The local and remote identities of the peers taking part in the connection
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
// The number of packets encapsulated and encrypted (and decapsulated and decrypted) is shown here
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
// Local and remote endpoints of the IPsec connection and the MTU in use
current outbound spi: 0x11E9D65F(300537439)
inbound esp sas:
spi: 0x6E0588B2(1845856434)
// This is the inbound (remote peer to local router) ESP SA; each connection has a unique SPI
transform: esp-3des esp-md5-hmac ,
// The transform used to protect the connection is esp-3des esp-md5-hmac
in use settings ={Tunnel, }
// The connection mode is tunnel mode
conn id: 1, flow_id: SW:1, crypto map: R!×××
sa timing: remaining key lifetime (k/sec): (4445781/3464)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
// Nothing is listed under AH, which shows that AH is not used to protect the connection
inbound pcp sas:
outbound esp sas:
spi: 0x11E9D65F(300537439)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: R!×××
sa timing: remaining key lifetime (k/sec): (4445781/3463)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
R1#
R1#show crypto session
Crypto session current status
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit 1 host 1.1.1.1 host 2.2.2.2
Active SAs: 2, origin: crypto map