Lab description:

  1. R1 and R2 are connected to each other over Fast Ethernet
  2. The network 1.1.1.1/24 on R1 should reach the network 2.2.2.2/24 on R2 through an IPsec VPN
  3. Pre-shared key authentication is used

Lab procedure:

Step 1: Basic interface configuration

R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int e0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#int e0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

Step 2: Configure Internet Key Exchange (IKE)

R1(config)#crypto isakmp enable                      // enable ISAKMP globally (it is enabled by default)
R1(config)#crypto isakmp policy 10                   // define an ISAKMP policy set used to build the ISAKMP peer relationship between the IPsec endpoints; 10 is the priority, range 1-10000, 1 is the highest priority
R1(config-isakmp)#authentication pre-share           // peer authentication method: pre-shared key
R1(config-isakmp)#encryption 3des                    // message encryption algorithm: 3DES
R1(config-isakmp)#group 5                            // key exchange parameter: 1536-bit Diffie-Hellman
R1(config-isakmp)#hash sha                           // message integrity (hash) algorithm: SHA-1 (160-bit)
R1(config-isakmp)#lifetime 86400                     // lifetime of the SA established by ISAKMP
R1(config)#crypto isakmp key cisco add 192.168.1.2   // pre-shared key "cisco" for the remote peer with IP address 192.168.1.2

R2(config)#cryp is en
R2(config)#cry is pol 10
R2(config-isakmp)#aut pre
R2(config-isakmp)#enc 3d
R2(config-isakmp)#gro 5
R2(config-isakmp)#hash sha
R2(config-isakmp)#life 86400
R2(config-isakmp)#exit
R2(config)#cryp isa key cisco add 192.168.1.1
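The policy comparison that step 2 sets up (and that the debug output in step 5 reports as "Checking ISAKMP transform 1 against priority 10 policy ... atts are acceptable") can be modelled in a few lines. The following is an added example written for this write-up, not IOS code and not part of the original lab: it implements the rule Cisco documents for IKEv1 policy selection (the initiator offers all of its policies, the responder walks its own policies from highest priority to lowest and takes the first offer whose encryption, hash, authentication and DH group all match; differing lifetimes are resolved by using the shorter one). The 3DES/SHA/pre-share/group 5 values come from step 2; the AES policies in the last case are constructed for illustration.

```python
"""Model of IKE phase 1 (ISAKMP) policy selection between two IOS peers.

Added example for this lab; it is not IOS code. Policy values are taken from
step 2; the AES policies in negotiate_priority_order() are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # 1 = highest priority, 10000 = lowest configurable
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int = 86400  # seconds


def attributes_match(local: IsakmpPolicy, offer: IsakmpPolicy) -> bool:
    """The four attributes IOS compares when checking a transform against a policy."""
    return (local.encryption == offer.encryption
            and local.hash == offer.hash
            and local.authentication == offer.authentication
            and local.group == offer.group)


def select_policy(responder_policies: List[IsakmpPolicy],
                  initiator_offers: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Responder-side selection: (matched local policy, negotiated lifetime) or None.

    The responder's own priority order decides which policy wins; the
    initiator's ordering only matters among offers matching the same policy.
    """
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for offer in initiator_offers:
            if attributes_match(local, offer):
                return local, min(local.lifetime, offer.lifetime)
    return None


# Policy 10 from step 2, identical on R1 and R2.
LAB_POLICY = IsakmpPolicy(10, "3des", "sha", "pre-share", 5, 86400)


def negotiate_lab():
    """R1 (initiator) offers its policy 10; R2 (responder) matches its policy 10."""
    return select_policy([LAB_POLICY], [LAB_POLICY])


def negotiate_group_mismatch():
    """If R1 had 'group 2' instead of 'group 5', nothing matches and phase 1 fails."""
    wrong_group = IsakmpPolicy(10, "3des", "sha", "pre-share", 2, 86400)
    return select_policy([LAB_POLICY], [wrong_group])


def negotiate_lifetime_mismatch():
    """Lifetimes need not agree; the shorter value (here R1's 3600 s) is used."""
    short_lived = IsakmpPolicy(10, "3des", "sha", "pre-share", 5, 3600)
    return select_policy([LAB_POLICY], [short_lived])


def negotiate_priority_order():
    """Constructed case: both peers know a 3DES and an AES policy but rank them
    differently. R2 as responder wins with its priority 10 (3DES) even though
    R1 listed AES first."""
    aes = IsakmpPolicy(20, "aes", "sha", "pre-share", 2, 86400)
    r2_policies = [LAB_POLICY, aes]            # R2 prefers 3DES (10) over AES (20)
    r1_offers = [IsakmpPolicy(10, "aes", "sha", "pre-share", 2),
                 IsakmpPolicy(20, "3des", "sha", "pre-share", 5)]
    return select_policy(r2_policies, r1_offers)


if __name__ == "__main__":
    for fn in (negotiate_lab, negotiate_group_mismatch,
               negotiate_lifetime_mismatch, negotiate_priority_order):
        print(fn.__name__, "->", fn())
```

The group-mismatch case is the one that shows up in practice as a phase 1 that never leaves the MM states; the priority-order case is why two routers that both support a strong and a weak cipher can still end up on the weak one if the responder ranks it higher.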

Step 3: Configure the IPsec transform set

R1(config)#cry ipsec transform-set R1set esp-3des esp-sha-hmac   // create a transform set named R1set; the transform set defines how the data traffic is protected. If no mode is configured the default is tunnel mode (mode tunnel)
R1(config)#crypto map R1vpn 10 ipsec-isakmp          // create an IPsec crypto map that uses ISAKMP to establish the IPsec SA protecting the traffic specified by this crypto map entry
R1(config-crypto-map)#set peer 192.168.1.2           // specify the peer IP address
R1(config-crypto-map)#set transform-set R1set        // specify the transform set
R1(config-crypto-map)#match add 100                  // reference extended ACL 100

R2(config)#cryp ips transform-set R2set esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exi
R2(config)#crypto map R2vpn 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
// the new map is not enabled yet
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set transform-set R2set
R2(config-crypto-map)#match add 100

Step 4: Define the interesting traffic, i.e. which traffic the IPsec connection protects

R1(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0   // define which traffic receives IPsec protection
R1(config)#int e0/0
R1(config-if)#crypto map R1vpn                       // apply the crypto map to the interface
*Mar 1 00:26:14.451: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
R2(config)#int e0/0
R2(config-if)#crypto map R2vpn

Step 5: Debug the IPsec configuration with ping traffic

R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 sou 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/40/52 ms

*Mar 1 00:30:49.951: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2, local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1), remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xDE7C1239(3732673081), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:30:49.955: ISAKMP: received ke message (1/1)
*Mar 1 00:30:49.955: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:30:49.955: ISAKMP: local port 500, remote port 500
*Mar 1 00:30:49.959: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:30:49.959: ISAKMP: insert sa successfully sa = 63D1C4B4
*Mar 1 00:30:49.959: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:30:49.959: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar 1 00:30:49.959: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 00:30:49.963: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:30:49.963: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
// IKE negotiation has been initiated and the first Main Mode ISAKMP message is about to be sent; I marks the initiator, a responder would show R
*Mar 1 00:30:49.963: ISAKMP (0:1): beginning Main Mode exchange
// IKE Main Mode negotiation is about to begin
*Mar 1 00:30:49.963: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:30:50.163: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
// Main Mode negotiation starts with R1, as initiator, sending its IKE SA proposals to R2; these proposals correspond to the crypto isakmp policy configured on R1
*Mar 1 00:30:50.167: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:30:50.167: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
// second message of the IKE exchange
*Mar 1 00:30:50.167: ISAKMP (0:1): processing SA payload. message ID = 0
// start processing the SA payload, which contains the accepted proposal; the message ID distinguishes phase 1 messages from phase 2 messages, so it stays 0 for the whole Main Mode negotiation
*Mar 1 00:30:50.171: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:30:50.171: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:30:50.171: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar 1 00:30:50.171: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar 1 00:30:50.171: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar 1 00:30:50.171: ISAKMP (0:1) local preshared key found
*Mar 1 00:30:50.171: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:30:50.175: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
// the two peers have exchanged their IKE phase 1 policies; the router is comparing the remote peer's policy against local policy 10
*Mar 1 00:30:50.175: ISAKMP: encryption 3DES-CBC
*Mar 1 00:30:50.175: ISAKMP: hash SHA
*Mar 1 00:30:50.175: ISAKMP: default group 5
*Mar 1 00:30:50.175: ISAKMP: auth pre-share
*Mar 1 00:30:50.175: ISAKMP: life type in seconds
*Mar 1 00:30:50.175: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:30:50.179: ISAKMP (0:1): atts are acceptable. Next payload is 0
// the policies match ("atts" means attributes, and they are acceptable); the Diffie-Hellman public values and nonces (random numbers) can now be exchanged
*Mar 1 00:30:50.271: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:30:50.271: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:30:50.271: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar 1 00:30:50.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:30:50.275: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:30:50.279: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
// R1 sends its Diffie-Hellman public value and nonce to R2
*Mar 1 00:30:50.279: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:30:50.279: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
// the third message of the IKE negotiation has been sent
*Mar 1 00:30:50.459: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
// R1 has received R2's response
*Mar 1 00:30:50.463: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:30:50.463: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
// the state advances to the fourth message, showing that this response is the fourth Main Mode message
*Mar 1 00:30:50.463: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 00:30:50.583: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 1 00:30:50.583: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar 1 00:30:50.587: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar 1 00:30:50.591: ISAKMP (0:1): SKEYID state generated
// "SKEYID state generated" shows that the keying material has been generated
*Mar 1 00:30:50.591: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:30:50.595: ISAKMP (0:1): vendor ID is Unity
*Mar 1 00:30:50.595: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:30:50.595: ISAKMP (0:1): vendor ID is DPD
*Mar 1 00:30:50.595: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:30:50.595: ISAKMP (0:1): speaking to another IOS box!
// the vendor ID payloads show that the message comes from another Cisco router
*Mar 1 00:30:50.595: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:30:50.595: ISAKMP (0:1): Send initial contact
*Mar 1 00:30:50.595: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 00:30:50.595: ISAKMP (0:1): ID payload next-payload : 8 type : 1 address : 192.168.1.1 protocol : 17 port : 500 length : 12
*Mar 1 00:30:50.595: ISAKMP (1): Total payload length: 12
*Mar 1 00:30:50.595: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:30:50.595: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
// fifth message
*Mar 1 00:30:50.691: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:30:50.695: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 00:30:50.695: ISAKMP (0:1): ID payload next-payload : 8 type : 1 address : 192.168.1.2 protocol : 17 port : 500 length : 12
*Mar 1 00:30:50.695: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 00:30:50.699: ISAKMP (0:1): SA authentication status: authenticated
*Mar 1 00:30:50.699: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
*Mar 1 00:30:50.699: ISAKMP (0:1): peer matches none of the profiles
*Mar 1 00:30:50.699: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6

*Mar 1 00:30:50.703: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 1 00:30:50.707: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:30:50.707: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
// the state becomes IKE_P1_COMPLETE: Main Mode (phase 1) negotiation is complete
*Mar 1 00:30:50.711: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 174738581
// Quick Mode is about to begin; the message ID (M-ID) of the first Quick Mode message R1 is about to send differs from the Main Mode IDs: it is a non-zero (random) value
*Mar 1 00:30:50.715: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
// R1 has sent the first Quick Mode message, which carries the IPsec proposal
*Mar 1 00:30:50.715: ISAKMP (0:1): Node 174738581, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
// IKE_QM_I_QM1 shows that the first Quick Mode message has been sent
*Mar 1 00:30:50.719: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 1 00:30:51.067: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
// R2's reply has been received; it contains a series of payloads, among them the HASH, SA, NONCE and ID payloads
*Mar 1 00:30:51.071: ISAKMP (0:1): processing HASH payload. message ID = 174738581
// the HASH payload authenticates the message and also serves as a liveness indication
*Mar 1 00:30:51.075: ISAKMP (0:1): processing SA payload. message ID = 174738581
// the SA payload carries the IPsec proposal
*Mar 1 00:30:51.075: ISAKMP (0:1): Checking IPSec proposal 1
*Mar 1 00:30:51.075: ISAKMP: transform 1, ESP_3DES
*Mar 1 00:30:51.075: ISAKMP: attributes in transform:
*Mar 1 00:30:51.075: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 00:30:51.075: ISAKMP: SA life type in seconds
*Mar 1 00:30:51.075: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:30:51.075: ISAKMP: SA life type in kilobytes
*Mar 1 00:30:51.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:30:51.079: ISAKMP: authenticator is HMAC-MD5
*Mar 1 00:30:51.079: ISAKMP (0:1): atts are acceptable.
*Mar 1 00:30:51.079: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2, local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1), remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:30:51.083: IPSEC(kei_proxy): head = R1vpn, map->ivrf = , kei->ivrf =
*Mar 1 00:30:51.087: ISAKMP (0:1): processing NONCE payload. message ID = 174738581
*Mar 1 00:30:51.087: ISAKMP (0:1): processing ID payload. message ID = 174738581
*Mar 1 00:30:51.087: ISAKMP (0:1): processing ID payload. message ID = 174738581
*Mar 1 00:30:51.095: ISAKMP (0:1): Creating IPSec SAs
*Mar 1 00:30:51.095:         inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0 (proxy 2.2.2.2 to 1.1.1.1)
// the inbound IPsec SA is created here; the SA runs between the IP addresses 192.168.1.2 and 192.168.1.1, with the proxy identities 2.2.2.2 and 1.1.1.1
*Mar 1 00:30:51.099:         has spi 0xDE7C1239 and conn_id 2000 and flags 2
*Mar 1 00:30:51.099:         lifetime of 3600 seconds
*Mar 1 00:30:51.099:         lifetime of 4608000 kilobytes
*Mar 1 00:30:51.099:         has client flags 0x0
*Mar 1 00:30:51.099:         outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2 )
*Mar 1 00:30:51.099:         has spi 1645135704 and conn_id 2001 and flags A
*Mar 1 00:30:51.099:         lifetime of 3600 seconds
*Mar 1 00:30:51.103:         lifetime of 4608000 kilobytes
*Mar 1 00:30:51.103:         has client flags 0x0
*Mar 1 00:30:51.103: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
// R1 sends the last Quick Mode message to R2; it serves as confirmation and as a liveness indication
*Mar 1 00:30:51.103: ISAKMP (0:1): deleting node 174738581 error FALSE reason ""
*Mar 1 00:30:51.107: ISAKMP (0:1): Node 174738581, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:30:51.107: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
// the state shown here means that phase 2 is complete
*Mar 1 00:30:51.107: IPSEC(key_engine): got a queue event...
*Mar 1 00:30:51.107: IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2, local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1), remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xDE7C1239(3732673081), conn_id= 2000, keysize= 0, flags= 0x2
*Mar 1 00:30:51.111: IPSEC(initialize_sas): , (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2, local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1), remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x620EC758(1645135704), conn_id= 2001, keysize= 0, flags= 0xA
*Mar 1 00:30:51.115: IPSEC(kei_proxy): head = R1vpn, map->ivrf = , kei->ivrf =
*Mar 1 00:30:51.115: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.1.2
*Mar 1 00:30:51.119: IPSEC(add mtree): src 1.1.1.1, dest 2.2.2.2, dest_port 0

*Mar 1 00:30:51.119: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.1.1, sa_prot= 50, sa_spi= 0xDE7C1239(3732673081), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
*Mar 1 00:30:51.119: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.1.2, sa_prot= 50, sa_spi= 0x620EC758(1645135704), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
R1#u all
All possible debugging has been turned off
R1#
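Reading the state transitions off a debug capture by eye, as done above, does not scale; the same check can be automated. The following is an added example for this write-up, not IOS code and not part of the original lab. It parses the "Old State = X New State = Y" lines that "debug crypto isakmp" prints, confirms that the initiator walked IKE_I_MM1 through IKE_I_MM6 to IKE_P1_COMPLETE and then IKE_QM_I_QM1 to IKE_QM_PHASE2_COMPLETE, and extracts the transform each IPsec SA was actually created with from the IPSEC(create_sa) lines. That last field is worth checking against the configuration: step 3 configures esp-3des esp-sha-hmac, while the debug output in this capture reports the SAs as esp-3des esp-md5-hmac. The sample input is a condensed excerpt of the step 5 output (only the transition and create_sa lines); the function and constant names are the example's own.

```python
"""Check an IKE/IPsec debug capture for a complete phase 1 and phase 2.

Added example, not part of the lab and not IOS code. It reads the text of
"debug crypto isakmp" / "debug crypto ipsec" output in the format shown in
step 5 and reports whether negotiation completed and which transform the
IPsec SAs were created with.
"""
import re
from collections import defaultdict

STATE_RE = re.compile(r"ISAKMP \((\d+:\d+)\): Old State = (\S+) New State = (\S+)")
SA_RE = re.compile(
    r"IPSEC\(create_sa\): sa created, \(sa\) sa_dest= (\S+), sa_prot= (\d+), "
    r"sa_spi= (0x[0-9A-Fa-f]+)\(\d+\), sa_trans= (.+?) , sa_conn_id= (\d+)")

# States an initiator passes through in Main Mode before phase 1 is complete.
EXPECTED_PHASE1 = ["IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4",
                   "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

# Condensed excerpt of the step 5 debug output (transition and create_sa lines only).
SAMPLE_DEBUG = """\
*Mar 1 00:30:49.963: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:30:50.167: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:30:50.275: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:30:50.279: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:30:50.463: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 00:30:50.707: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:30:51.107: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:30:51.119: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.1.1, sa_prot= 50, sa_spi= 0xDE7C1239(3732673081), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
*Mar 1 00:30:51.119: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.1.2, sa_prot= 50, sa_spi= 0x620EC758(1645135704), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
"""


def parse_transitions(text):
    """Map 'peer:sa' index -> ordered list of states entered, self-loops dropped
    (IOS logs X -> X while it processes a message internally)."""
    states = defaultdict(list)
    for sa, old, new in STATE_RE.findall(text):
        if old != new:
            states[sa].append(new)
    return dict(states)


def parse_created_sas(text):
    """List the IPsec SAs reported by IPSEC(create_sa)."""
    return [{"dest": dest, "protocol": int(prot), "spi": spi,
             "transform": trans.strip(), "conn_id": int(conn)}
            for dest, prot, spi, trans, conn in SA_RE.findall(text)]


def is_subsequence(needle, haystack):
    """True if all items of needle appear in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(item in it for item in needle)


def check_tunnel(text, configured_transform):
    """Summarise a capture: did phase 1 and 2 complete, and does the negotiated
    transform equal the configured transform set?"""
    transitions = parse_transitions(text)
    sas = parse_created_sas(text)
    negotiated = {sa["transform"] for sa in sas}
    return {
        "phase1_complete": any(is_subsequence(EXPECTED_PHASE1, seq) for seq in transitions.values()),
        "phase2_complete": any("IKE_QM_PHASE2_COMPLETE" in seq for seq in transitions.values()),
        "ipsec_sa_count": len(sas),
        "negotiated_transforms": sorted(negotiated),
        "transform_matches_config": negotiated == {configured_transform},
    }


if __name__ == "__main__":
    # Transform set from step 3 versus what this capture shows.
    for key, value in check_tunnel(SAMPLE_DEBUG, "esp-3des esp-sha-hmac").items():
        print(f"{key}: {value}")
```

A capture that stops after phase 1 (for example because the crypto ACLs on the two sides are not mirror images) reports phase1_complete true, phase2_complete false and an SA count of 0, which points straight at the Quick Mode proposal rather than at the pre-shared key.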

Step 6: Other checks

R1#sh crypto isakmp sa          // view the ISAKMP security associations
dst             src             state          conn-id    slot
192.168.1.2     192.168.1.1     QM_IDLE              1       0

R1#sh crypto ipsec sa           // view the IPsec security association database

interface: Ethernet0/0
    Crypto map tag: R1vpn, local addr. 192.168.1.1
// the crypto map R1vpn is active on e0/0; the router IP address used for IPsec traffic is 192.168.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   current_peer: 192.168.1.2:500
     PERMIT, flags={origin_is_acl,}
// local and remote identities of the peers taking part in the connection
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
// number of packets encapsulated and encrypted

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
// local and remote endpoints of the IPsec connection and the MTU in use
     current outbound spi: 620EC758

     inbound esp sas:
      spi: 0xDE7C1239(3732673081)
// inbound (remote to local router) ESP SA; each connection has a unique SPI
        transform: esp-3des esp-md5-hmac ,     // the transform protecting the connection is esp-3des esp-md5-hmac
        in use settings ={Tunnel, }            // the connection mode is tunnel mode
        slot: 0, conn id: 2000, flow_id: 1, crypto map: R1vpn
        sa timing: remaining key lifetime (k/sec): (4532812/315)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
// no output under AH, so AH is not used to protect the connection

     inbound pcp sas:

     outbound esp sas:
      spi: 0x620EC758(1645135704)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: R1vpn
        sa timing: remaining key lifetime (k/sec): (4532812/314)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

R1#sh crypto engine connections active   // view the currently active connections: how many packets were encrypted and how many decrypted
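The fields read off "show crypto ipsec sa" above (encaps/decaps counters, send errors, SPIs, transform, remaining lifetime, replay detection, absence of AH SAs) are exactly what a monitoring script would pull out of the same output. The following is an added example for this write-up, not IOS code and not part of the original lab: a small parser for that output that turns it into a health summary. The sample input is a condensed copy of the step 6 output; the one send error it reports is consistent with the single lost echo in the ping of step 5, the packet that was sent before the SAs existed. Function and key names are the example's own.

```python
"""Parse "show crypto ipsec sa" output into a small health summary.

Added example, not IOS code and not part of the lab. Handles the output
format shown in step 6 for one crypto map entry.
"""
import re

# Condensed copy of the "show crypto ipsec sa" output from step 6.
SAMPLE_SHOW = """\
interface: Ethernet0/0
    Crypto map tag: R1vpn, local addr. 192.168.1.1
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   current_peer: 192.168.1.2:500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 1, #recv errors 0
     current outbound spi: 620EC758
     inbound esp sas:
      spi: 0xDE7C1239(3732673081)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4532812/315)
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x620EC758(1645135704)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4532812/314)
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
"""

COUNTER_RE = re.compile(r"#(pkts [a-z]+|send errors|recv errors):? (\d+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:\s*$")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform: (.+?) ,")
LIFETIME_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
REPLAY_RE = re.compile(r"replay detection support: (\w)")


def parse_counters(text):
    """'#pkts encaps: 4' and '#pkts digest 4' -> {'pkts encaps': 4, 'pkts digest': 4, ...}"""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def parse_sas(text):
    """Group SA attributes under their '<direction> <protocol> sas:' section header."""
    sas, current = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = f"{m.group(1)} {m.group(2)}"
            sas[current] = []
        elif current is None:
            continue                      # still in the header part of the output
        elif m := SPI_RE.search(line):
            sas[current].append({"spi": m.group(1)})   # a new SA starts at its spi line
        elif sas[current]:
            sa = sas[current][-1]
            if m := TRANSFORM_RE.search(line):
                sa["transform"] = m.group(1)
            elif m := LIFETIME_RE.search(line):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif m := REPLAY_RE.search(line):
                sa["replay_detection"] = m.group(1) == "Y"
    return sas


def health(text):
    """Summarise the state of the tunnel from one 'show crypto ipsec sa' output."""
    counters = parse_counters(text)
    sas = parse_sas(text)
    esp = sas.get("inbound esp", []) + sas.get("outbound esp", [])
    return {
        "traffic_flowing": counters.get("pkts encaps", 0) > 0 and counters.get("pkts decaps", 0) > 0,
        "send_errors": counters.get("send errors", 0),
        "esp_sa_count": len(esp),
        "ah_in_use": bool(sas.get("inbound ah")) or bool(sas.get("outbound ah")),
        "transforms": sorted({sa["transform"] for sa in esp}),
        "min_remaining_sec": min(sa["remaining_sec"] for sa in esp) if esp else None,
        "replay_detection": all(sa.get("replay_detection") for sa in esp) if esp else False,
    }


if __name__ == "__main__":
    for key, value in health(SAMPLE_SHOW).items():
        print(f"{key}: {value}")
```

Encaps counting up while decaps stays at zero is the classic one-way tunnel (the peer is not returning protected traffic, often because its crypto ACL is not the mirror of ours), and an esp_sa_count of 0 after traffic was sent means Quick Mode never completed.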