CCNP(ISCW)实验：使用SDM配置Site-to-Site IPSEC VPN

实验说明：

1. 在R1与R2之间使用快速以太网进行连接。
2. 在R1上的1.1.1.1/24希望与R2上的2.2.2.2/24网络之间通过 ipsec vpn进行通信
3. 采用预共享密钥配置
4. 使用SDM配置

实验过程：

第一步：配置R1支持SDM R1(config)#username admin privilege 15 password admin R1(config)#line vty 0 4 R1(config-line)#login local R1(config-line)#exi R1(config)#ip http server
R1(config)#ip http secure-server R1(config)#ip http authentication local R1(config)#int e1/0 R1(config-if)#ip add 192.168.1.2 255.255.255.0 R1(config-if)#no sh R1(config-if)#int e0/0 R1(config-if)#ip add 200.1.1.1 255.255.255.0

第二步：配置R2支持SDM R2(config)#username admin pri 15 pass admin R2(config)#ip http server R2(config)#ip http secure-server R2(config)#ip http authentication local R2(config-if)#int e0/0 R2(config-if)#ip add 200.1.1.2 255.255.255.0 R2(config-if)#no sh R2(config-if)#int e1/0 R2(config-if)#ip add 192.168.1.3 255.255.255.0

第三步：使用SDM登录R1开始进行配置 第四步：输入http认证密码

第五步：登录之后图示如下

第六步：建立一个回环地址

第七步：输入回环地址

第八步：选择vpn—点到点的vpn—创建点到点的vpn---启动选定的任务

第九步：逐步操作向导

第十步：选择vpn连接的接口，输入vpn对等体的ip地址，和共享密钥。

第11步：这里IKE策略选择默认的策略

第12步：在变换集中选择默认的变换集

第13步：在感兴趣流中定义，选择

第14步：在添加规则中选择添加

第15步：在添加扩展规则项中，

第16步：确定无误后，点击完成

第17步：show run可以看到刚才配置的信息 access-list 100 remark vpn icmp access-list 100 remark SDM_ACL Category=4 access-list 100 remark icmp access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2 conversion-error log

crypto isakmp policy 1 encr 3des authentication pre-share group 2
crypto isakmp key cisco address 200.1.1.2 !
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac !
crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to200.1.1.2 set peer 200.1.1.2 set transform-set ESP-3DES-SHA match address 100

第18步：在R1上添加一第静态路由

第19步：以相同的方法在R2进行配置 第20步：测试效果 R1#ping 2.2.2.2 sou 1.1.1.1 //这里可以在SDM上ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: Packet sent with a source address of 1.1.1.1

*Mar 1 00:10:33.971: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2, local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1), remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x6577E2C8(1702355656), conn_id= 0, keysize= 0, flags= 0x400A *Mar 1 00:10:33.975: ISAKMP: received ke message (1/1) *Mar 1 00:10:33.975: ISAKMP (0:0): SA request profile is (NULL) *Mar 1 00:10:33.975: ISAKMP: local port 500, remote port 500 *Mar 1 00:10:33.979: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:10:33.979: ISAKMP: insert sa successfully sa = 63A8BC8C *Mar 1 00:10:33.979: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode. *Mar 1 00:10:33.979: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success *Mar 1 00:10:33.979: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2 *Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-07 ID *Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-03 ID *Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-02 ID *Mar 1 00:10:33.983: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM *Mar 1 00:10:33.983: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:10:33.983: ISAKMP (0:1): beginning Main Mode exchange *Mar 1 00:10:33.983: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE *Mar 1 00:10:34.183: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE *Mar 1 00:10:34.187: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 1 00:10:34.187: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2

*Mar 1 00:10:34.191: ISAKMP (0:1): processing SA payload. message ID = 0 *Mar 1 00:10:34.191: ISAKMP (0:1): processing vendor id payload *Mar 1 00:10:34.191: ISAKMP (0:1): vendor ID seems Unity/DPD but.!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 28/47/84 ms R1# major 245 mismatch *Mar 1 00:10:34.191: ISAKMP (0:1): vendor ID is NAT-T v7 *Mar 1 00:10:34.191: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success *Mar 1 00:10:34.191: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2 *Mar 1 00:10:34.191: ISAKMP (0:1) local preshared key found *Mar 1 00:10:34.195: ISAKMP : Scanning profiles for xauth ... *Mar 1 00:10:34.195: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy *Mar 1 00:10:34.195: ISAKMP: encryption 3DES-CBC *Mar 1 00:10:34.195: ISAKMP: hash SHA *Mar 1 00:10:34.195: ISAKMP: default group 2 *Mar 1 00:10:34.195: ISAKMP: auth pre-share *Mar 1 00:10:34.195: ISAKMP: life type in seconds *Mar 1 00:10:34.195: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 *Mar 1 00:10:34.199: ISAKMP (0:1): atts are acceptable. Next payload is 0 *Mar 1 00:10:34.263: ISAKMP (0:1): processing vendor id payload *Mar 1 00:10:34.263: ISAKMP (0:1): vendor ID R1# seems Unity/DPD but major 245 mismatch *Mar 1 00:10:34.263: ISAKMP (0:1): vendor ID is NAT-T v7 *Mar 1 00:10:34.263: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 1 00:10:34.263: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2

*Mar 1 00:10:34.267: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP *Mar 1 00:10:34.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 1 00:10:34.271: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3

*Mar 1 00:10:34.403: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP *Mar 1 00:10:34.407: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 1 00:10:34.407: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4

*Mar 1 00:10:34.407: ISAKMP (0:1): processing KE payload. message ID = 0 *Mar 1 00:10:34.475: ISAKMP (0:1): processing NONCE payload. message ID = 0 *Mar 1 00:10:34.475: ISA R1#KMP: Looking for a matching key for 200.1.1.2 in default : success *Mar 1 00:10:34.475: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2 *Mar 1 00:10:34.483: ISAKMP (0:1): SKEYID state generated *Mar 1 00:10:34.483: ISAKMP (0:1): processing vendor id payload *Mar 1 00:10:34.483: ISAKMP (0:1): vendor ID is Unity *Mar 1 00:10:34.483: ISAKMP (0:1): processing vendor id payload *Mar 1 00:10:34.483: ISAKMP (0:1): vendor ID is DPD *Mar 1 00:10:34.487: ISAKMP (0:1): processing vendor id payload *Mar 1 00:10:34.487: ISAKMP (0:1): speaking to another IOS box! *Mar 1 00:10:34.487: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4

*Mar 1 00:10:34.487: ISAKMP (0:1): Send initial contact *Mar 1 00:10:34.487: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR *Mar 1 00:10:34.487: ISAKMP (0:1): ID payload next-payload : 8 type
R1# : 1 address : 200.1.1.1 protocol : 17 port : 500 length : 12 *Mar 1 00:10:34.487: ISAKMP (1): Total payload length: 12 *Mar 1 00:10:34.487: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH *Mar 1 00:10:34.487: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 1 00:10:34.575: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH *Mar 1 00:10:34.579: ISAKMP (0:1): processing ID payload. message ID = 0 *Mar 1 00:10:34.579: ISAKMP (0:1): ID payload next-payload : 8 type : 1 address : 200.1.1.2 protocol : 17 port : 500 length : 12 *Mar 1 00:10:34.579: ISAKMP (0:1): processing HASH payload. message ID = 0 *Mar 1 00:10:34.583: ISAKMP (0:1): SA authentication status: authenticated *Mar 1 00:10:34.583: ISAKMP (0:1): SA ha R1#s been authenticated with 200.1.1.2 *Mar 1 00:10:34.583: ISAKMP (0:1): peer matches none of the profiles *Mar 1 00:10:34.583: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 1 00:10:34.587: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6

*Mar 1 00:10:34.587: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 1 00:10:34.587: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 1 00:10:34.591: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 1 00:10:34.591: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Mar 1 00:10:34.595: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1228454044 *Mar 1 00:10:34.599: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:10:34.599: ISAKMP (0:1): Node -1228454044, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Mar 1 00:10:34.603: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1 * R1#Mar 1 00:10:34.603: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Mar 1 00:10:34.603: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 1 00:10:34.979: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 00:10:34.983: ISAKMP (0:1): processing HASH payload. message ID = -1228454044 *Mar 1 00:10:34.987: ISAKMP (0:1): processing SA payload. message ID = -1228454044 *Mar 1 00:10:34.987: ISAKMP (0:1): Checking IPSec proposal 1 *Mar 1 00:10:34.987: ISAKMP: transform 1, ESP_3DES *Mar 1 00:10:34.987: ISAKMP: attributes in transform: *Mar 1 00:10:34.987: ISAKMP: encaps is 1 (Tunnel) *Mar 1 00:10:34.987: ISAKMP: SA life type in seconds *Mar 1 00:10:34.987: ISAKMP: SA life duration (basic) of 3600 *Mar 1 00:10:34.987: ISAKMP: SA life type in kilobytes *Mar 1 00:10:34.991: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Mar 1 00:10:34.991: ISAKMP: R1# authenticator is HMAC-SHA *Mar 1 00:10:34.991: ISAKMP (0:1): atts are acceptable. *Mar 1 00:10:34.991: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2, local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1), remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 *Mar 1 00:10:34.995: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf = *Mar 1 00:10:34.999: ISAKMP (0:1): processing NONCE payload. message ID = -1228454044 *Mar 1 00:10:34.999: ISAKMP (0:1): processing ID payload. message ID = -1228454044 *Mar 1 00:10:34.999: ISAKMP (0:1): processing ID payload. message ID = -1228454044 *Mar 1 00:10:35.011: ISAKMP (0:1): Creating IPSec SAs *Mar 1 00:10:35.011: inbound SA from 200.1.1.2 to 200.1.1.1 (f/i) 0/ 0 (proxy 2.2.2.2 to 1 R1#.1.1.1) *Mar 1 00:10:35.011: has spi 0x6577E2C8 and conn_id 2000 and flags 2 *Mar 1 00:10:35.011: lifetime of 3600 seconds *Mar 1 00:10:35.011: lifetime of 4608000 kilobytes *Mar 1 00:10:35.015: has client flags 0x0 *Mar 1 00:10:35.015: outbound SA from 200.1.1.1 to 200.1.1.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2 ) *Mar 1 00:10:35.015: has spi 561929564 and conn_id 2001 and flags A *Mar 1 00:10:35.015: lifetime of 3600 seconds *Mar 1 00:10:35.015: lifetime of 4608000 kilobytes *Mar 1 00:10:35.015: has client flags 0x0 *Mar 1 00:10:35.019: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:10:35.019: ISAKMP (0:1): deleting node -1228454044 error FALSE reason "" *Mar 1 00:10:35.019: ISAKMP (0:1): Node -1228454044, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Mar 1 00:10:35.019: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New St R1#ate = IKE_QM_PHASE2_COMPLETE *Mar 1 00:10:35.023: IPSEC(key_engine): got a queue event... *Mar 1 00:10:35.023: IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2, local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1), remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x6577E2C8(1702355656), conn_id= 2000, keysize= 0, flags= 0x2 *Mar 1 00:10:35.023: IPSEC(initialize_sas): , (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2, local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1), remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x217E5D5C(561929564), conn_id= 2001, keysize= 0, flags= 0xA *Mar 1 00:10:35.027: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf = *Mar 1 00:10:35.031: IPSEC(crypto_ipsec_sa_find_id R1#ent_head): reconnecting with the same proxies and 200.1.1.2 *Mar 1 00:10:35.031: IPSEC(add mtree): src 1.1.1.1, dest 2.2.2.2, dest_port 0

*Mar 1 00:10:35.031: IPSEC(create_sa): sa created, (sa) sa_dest= 200.1.1.1, sa_prot= 50, sa_spi= 0x6577E2C8(1702355656), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000 *Mar 1 00:10:35.035: IPSEC(create_sa): sa created, (sa) sa_dest= 200.1.1.2, sa_prot= 50, sa_spi= 0x217E5D5C(561929564), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001