Detailed Walkthrough of IPsec ××× Establishment (Lab Edition)
Original. Copyright belongs to the author: an original work by 51CTO blog author 从通信转行到大数据; reproduction is not permitted and violations will be pursued legally.
RT1:
crypto isakmp policy 10 //Define the ISAKMP policy
encr 3des //Encrypt with 3DES
hash md5 //Use MD5 as the digest algorithm
authentication pre-share //Authenticate with a pre-shared key
group 2 //Use Diffie-Hellman group 2
crypto isakmp identity address //Use the IP address as the IKE identity
crypto isakmp key cisco1 address 172.1.2.2 //Pre-shared key and the peer's IP address
crypto isakmp key cisco2 address 172.1.3.2 //Pre-shared key and the peer's IP address
crypto ipsec transform-set cisco esp-aes esp-md5-hmac //Transform set: the parameters used to negotiate the IPsec SA
!
crypto map RT1 10 ipsec-isakmp //Define the crypto map
set peer 172.1.2.2 //Set the peer
set transform-set cisco //Reference the transform set
match address 101 //Match the interesting traffic
crypto map RT1 20 ipsec-isakmp
set peer 172.1.3.2
set transform-set cisco
match address 102
interface Ethernet0/0
ip address 172.1.1.2 255.255.255.240
crypto map RT1 //Apply the crypto map to the interface
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.36.0 0.0.0.255 //Define the interesting traffic
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255 //Define the interesting traffic
ip route 0.0.0.0 0.0.0.0 172.1.1.1 //The two crypto endpoints must be able to reach each other
RT2:
crypto isakmp policy 10 //The ISAKMP parameters must match the peer
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp identity address
crypto isakmp key cisco1 address 172.1.1.2 //The pre-shared key must match the peer
crypto ipsec transform-set cisco esp-aes esp-md5-hmac //The IPsec parameters must match the peer
!
crypto map RT2 10 ipsec-isakmp
set peer 172.1.1.2
set transform-set cisco
match address 101
interface Ethernet0/0
ip address 172.1.2.2 255.255.255.240
crypto map RT2
access-list 101 permit ip 192.168.36.0 0.0.0.255 192.168.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.2.1 //The two crypto endpoints must be able to reach each other
RT3:
crypto isakmp policy 10 //The ISAKMP parameters must match the peer
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco2 address 172.1.1.2 //The pre-shared key must match the peer
crypto isakmp identity address
crypto ipsec transform-set cisco esp-aes esp-md5-hmac //The IPsec parameters must match the peer
!
crypto map RT3 10 ipsec-isakmp
set peer 172.1.1.2
set transform-set cisco
match address 101
interface Ethernet0/0
ip address 172.1.3.2 255.255.255.240
crypto map RT3
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.3.1 //The two crypto endpoints must be able to reach each other
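As an added example that is not part of the original post, the following Python turns the rule repeated in the comments above (ISAKMP policy, pre-shared key, transform set and interesting-traffic ACLs must agree between a crypto map entry and its peer) into a check. It parses constructed copies of the RT1 and RT3 fragments with regular expressions; the function names parse_ios and audit_pair are this example's own, and the addresses are those of the lab.

```python
import re

# Constructed copies of the RT1 and RT3 fragments above with the comments stripped (one string per router).
RT1 = ("crypto isakmp policy 10\n encr 3des\n hash md5\n authentication pre-share\n group 2\n"
       "crypto isakmp key cisco1 address 172.1.2.2\ncrypto isakmp key cisco2 address 172.1.3.2\n"
       "crypto ipsec transform-set cisco esp-aes esp-md5-hmac\n"
       "crypto map RT1 10 ipsec-isakmp\n set peer 172.1.2.2\n set transform-set cisco\n match address 101\n"
       "crypto map RT1 20 ipsec-isakmp\n set peer 172.1.3.2\n set transform-set cisco\n match address 102\n"
       "access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.36.0 0.0.0.255\n"
       "access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255\n")
RT3 = ("crypto isakmp policy 10\n encr 3des\n hash md5\n authentication pre-share\n group 2\n"
       "crypto isakmp key cisco2 address 172.1.1.2\n"
       "crypto ipsec transform-set cisco esp-aes esp-md5-hmac\n"
       "crypto map RT3 10 ipsec-isakmp\n set peer 172.1.1.2\n set transform-set cisco\n match address 101\n"
       "access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255\n")

def parse_ios(cfg):
    """Extract the pieces of a crypto-map IPsec config that must agree with the peer."""
    policy = dict(re.findall(r"^\s*(encr|hash|authentication|group)\s+(\S+)", cfg, re.M))
    keys = {addr: key for key, addr in re.findall(r"crypto isakmp key (\S+) address (\S+)", cfg)}
    tsets = dict(re.findall(r"crypto ipsec transform-set (\S+) (.*)", cfg))
    maps = {peer: (ts, acl) for peer, ts, acl in re.findall(
        r"crypto map \S+ \d+ ipsec-isakmp\s+set peer (\S+)\s+set transform-set (\S+)\s+match address (\d+)", cfg)}
    acls = {}  # ACL number -> list of (source, destination) wildcard pairs
    for num, src, dst in re.findall(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", cfg):
        acls.setdefault(num, []).append((src, dst))
    return {"policy": policy, "keys": keys, "tsets": tsets, "maps": maps, "acls": acls}

def audit_pair(a, a_ip, b, b_ip):
    """Return the mismatches for the tunnel between a (at a_ip) and b (at b_ip); [] means they agree."""
    issues = []
    if a["policy"] != b["policy"]:
        issues.append(f"isakmp policy differs: {a['policy']} vs {b['policy']}")
    if a["keys"].get(b_ip) is None or a["keys"].get(b_ip) != b["keys"].get(a_ip):
        issues.append("pre-shared key for the peer is missing or not identical on both ends")
    ma, mb = a["maps"].get(b_ip), b["maps"].get(a_ip)
    if not ma or not mb:
        return issues + ["crypto map entry pointing at the peer is missing on one side"]
    if a["tsets"].get(ma[0]) != b["tsets"].get(mb[0]):
        issues.append("transform-set differs")
    mirrored = {(dst, src) for src, dst in b["acls"].get(mb[1], [])}  # peer's ACL, reversed
    if set(a["acls"].get(ma[1], [])) != mirrored:
        issues.append("interesting-traffic ACLs are not mirror images of each other")
    return issues

if __name__ == "__main__":
    print(audit_pair(parse_ios(RT1), "172.1.1.2", parse_ios(RT3), "172.1.3.2"))
```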
ISAKMP SA (bidirectional; established once phase 1 negotiation completes)
RT3#show crypto isakmp sa
dst src state conn-id slot status
172.1.1.2 172.1.3.2 QM_IDLE 1 0 ACTIVE
IPsec SA (two unidirectional SAs, inbound and outbound; established once phase 2 completes)
RT3#show crypto ipsec sa
inbound esp sas:
spi: 0x88A9E91(143302289) //Security Parameter Index
transform: esp-aes esp-md5-hmac , //Negotiated IPsec parameters
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: RT3 //The crypto map applied
sa timing: remaining key lifetime (k/sec): (4528168/1384)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE //The SA is active
outbound esp sas:
spi: 0xB2979D58(2996280664) //Security Parameter Index
transform: esp-aes esp-md5-hmac , //Negotiated IPsec parameters
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: RT3 //The crypto map applied
sa timing: remaining key lifetime (k/sec): (4528168/1374)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE //The SA is active
Analysing the IKE process from the debug output:
*Mar 1 00:24:11.715: ISAKMP: received ke message (1/1)
*Mar 1 00:24:11.719: ISAKMP:(0:0:N/A:0): SA request profile is (NULL) //The requested profile is empty because no profile is used
*Mar 1 00:24:11.719: ISAKMP: Created a peer struct for 172.1.1.2, peer port 500 //A peer structure is created for 172.1.1.2, peer port 500
*Mar 1 00:24:11.723: ISAKMP: New peer created peer = 0x64960A40 peer_handle = 0x80000002 //New peer created: peer 0x64960A40, peer handle 0x80000002
*Mar 1 00:24:11.727: ISAKMP: Locking peer struct 0x64960A40, IKE refcount 1 for isakmp_initiator //Lock the peer struct 0x64960A40; IKE refcount 1 for the ISAKMP initiator
*Mar 1 00:24:11.731: ISAKMP: local port 500, remote port 500 //Local port 500, remote port 500
*Mar 1 00:24:11.731: ISAKMP: set new node 0 to QM_IDLE //Set new node 0 to QM_IDLE
*Mar 1 00:24:11.735: insert sa successfully sa = 646EC2A4 //Security association inserted successfully
*Mar 1 00:24:11.739: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode. //Aggressive mode cannot be started; main mode is tried
*Mar 1 00:24:11.743: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.1.1.2 //Found the peer's pre-shared key matching 172.1.1.2
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:24:11.751: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1 //Old state IKE_READY, new state IKE_I_MM1
*Mar 1 00:24:11.755: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange //Begin the main mode exchange
*Mar 1 00:24:11.759: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE //Send the first packet and enter the phase 1 state MM_NO_STATE
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE... //Retransmit phase 1 in MM_NO_STATE
*Mar 1 00:24:21.763: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1 //Increment the SA error counter, attempt 1 of 5: retransmit phase 1
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:24:31.763: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:24:31.767: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:24:31.771: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:24:31.775: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE //Resend the first packet; still in the phase 1 state MM_NO_STATE
*Mar 1 00:24:31.915: ISAKMP (0:0): received packet from 172.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE //Receive the peer's reply (the second packet)
*Mar 1 00:24:31.935: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH //Begin the IKE main mode exchange
*Mar 1 00:24:31.935: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2 //Old state IKE_I_MM1, new state IKE_I_MM2
*Mar 1 00:24:31.947: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 //Process the SA payload, message ID 0
*Mar 1 00:24:31.951: ISAKMP:(0:0:N/A:0): processing vendor id payload //Process the vendor ID payload
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:24:31.955: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.1.1.2 //Found the peer's pre-shared key matching 172.1.1.2
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0): local preshared key found //Local pre-shared key found
*Mar 1 00:24:31.955: ISAKMP : Scanning profiles for xauth ... //Scan the profiles for extended authentication (xauth)
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy //Check the ISAKMP policy information
*Mar 1 00:24:31.955: ISAKMP: encryption 3DES-CBC //Encryption algorithm: 3DES in CBC mode
*Mar 1 00:24:31.955: ISAKMP: hash MD5 //Digest algorithm: MD5
*Mar 1 00:24:31.955: ISAKMP: default group 2 //DH group 2
*Mar 1 00:24:31.955: ISAKMP: auth pre-share //Pre-shared key authentication
*Mar 1 00:24:31.955: ISAKMP: life type in seconds
*Mar 1 00:24:31.955: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 //Attributes are acceptable; next payload is 0
*Mar 1 00:24:31.999: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 00:24:31.999: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:24:31.999: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar 1 00:24:31.999: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE //The IKE process runs main mode
*Mar 1 00:24:31.999: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2 //In main mode, send the SA setup packet, port 500
*Mar 1 00:24:32.007: ISAKMP:(0:1:SW:1): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP //Send the third packet and enter the second phase 1 state, MM_SA_SETUP
*Mar 1 00:24:32.011: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE //IKE processing complete
*Mar 1 00:24:32.015: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3 //Enter the new state IKE_I_MM3
*Mar 1 00:24:32.139: ISAKMP (0:134217729): received packet from 172.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP //Receive the fourth packet
*Mar 1 00:24:32.139: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH //Enter the third phase 1 state (the DH exchange takes place)
*Mar 1 00:24:32.143: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4 //Enter the new state IKE_I_MM4
*Mar 1 00:24:32.151: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0 //Process the KE payload
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0 //Process the nonce payload
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 172.1.1.2 //Found the pre-shared key matching 172.1.1.2
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1):SKEYID state generated //SKEYID generated
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar 1 00:24:32.203: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE //The IKE process runs main mode
*Mar 1 00:24:32.207: ISAKMP:(0:1:SW:1): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH //Send the fourth packet and enter the third state, MM_KEY_EXCH; the DH exchange takes place
*Mar 1 00:24:32.211: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:24:32.215: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5 //Enter the new state IKE_I_MM5
*Mar 1 00:24:32.331: ISAKMP (0:134217729): received packet from 172.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:24:32.343: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar 1 00:24:32.343: ISAKMP (0:134217729): ID payload
next-payload : 8 //Next payload
type : 1 //Type 1
address : 172.1.1.2 //Address 172.1.1.2
protocol : 17 //Protocol number 17, i.e. UDP
port : 500 //Port 500
length : 12 //Length 12
*Mar 1 00:24:32.351: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar 1 00:24:32.355: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0 //Process the HASH payload, message ID 0
*Mar 1 00:24:32.359: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated //SA authentication stage: authenticated
*Mar 1 00:24:32.363: ISAKMP:(0:1:SW:1):SA has been authenticated with 172.1.1.2 //The SA has been authenticated with 172.1.1.2
*Mar 1 00:24:32.367: ISAKMP: Trying to insert a peer 172.1.3.2/172.1.1.2/500/, and inserted successfully 64960A40.
*Mar 1 00:24:32.371: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:24:32.375: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:24:32.375: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:24:32.375: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -456080992 //Phase 1 negotiation complete; enter phase 2 quick mode
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Node -456080992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:24:32.531: ISAKMP (0:134217729): received packet from 172.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 00:24:32.531: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -456080992 //Process the HASH payload
*Mar 1 00:24:32.531: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -456080992 //Process the SA payload
*Mar 1 00:24:32.531: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1 //Check IPsec proposal 1
*Mar 1 00:24:32.531: ISAKMP: transform 1, ESP_3DES //ESP encapsulation with 3DES encryption
*Mar 1 00:24:32.531: ISAKMP: attributes in transform:
*Mar 1 00:24:32.531: ISAKMP: encaps is 1 (Tunnel) //Tunnel mode, ESP encapsulation
*Mar 1 00:24:32.531: ISAKMP: SA life type in seconds
*Mar 1 00:24:32.531: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:24:32.531: ISAKMP: SA life type in kilobytes
*Mar 1 00:24:32.531: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:24:32.531: ISAKMP: authenticator is HMAC-MD5 //Hash algorithm MD5
*Mar 1 00:24:32.531: ISAKMP:(0:1:SW:1):atts are acceptable. //Attributes are acceptable
*Mar 1 00:24:32.535: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = -456080992
*Mar 1 00:24:32.539: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -456080992
*Mar 1 00:24:32.543: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -456080992
*Mar 1 00:24:32.555: ISAKMP: Locking peer struct 0x64960A40, IPSEC refcount 1 for for stuff_ke
*Mar 1 00:24:32.555: ISAKMP:(0:1:SW:1): Creating IPSec SAs //Create the IPsec SAs
*Mar 1 00:24:32.555: inbound SA from 172.1.1.2 to 172.1.3.2 (f/i) 0/ 0
(proxy 192.168.20.0 to 192.168.40.0) //Inbound direction: local end 172.1.3.2, remote end 172.1.1.2; the remote protected traffic is 192.168.20.0 to 192.168.40.0
*Mar 1 00:24:32.555: has spi 0x935D598C and conn_id 0 and flags 2 //Security Parameter Index
*Mar 1 00:24:32.555: lifetime of 3600 seconds //IPsec key lifetime
*Mar 1 00:24:32.555: lifetime of 4608000 kilobytes
*Mar 1 00:24:32.555: has client flags 0x0
*Mar 1 00:24:32.555: outbound SA from 172.1.3.2 to 172.1.1.2 (f/i) 0/0
(proxy 192.168.40.0 to 192.168.20.0) //Outbound IPsec SA from 172.1.3.2 to 172.1.1.2; the protected traffic is 192.168.40.0 to 192.168.20.0
*Mar 1 00:24:32.555: has spi -1624356453 and conn_id 0 and flags A //Security Parameter Index
*Mar 1 00:24:32.555: lifetime of 3600 seconds
*Mar 1 00:24:32.555: lifetime of 4608000 kilobytes
*Mar 1 00:24:32.555: has client flags 0x0
*Mar 1 00:24:32.555: ISAKMP:(0:1:SW:1): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 00:24:32.559: ISAKMP:(0:1:SW:1):deleting node -456080992 error FALSE reason "No Error"
*Mar 1 00:24:32.563: ISAKMP:(0:1:SW:1):Node -456080992, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:24:32.567: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE //IKE phase 2 (quick mode) complete
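As an added example that is not part of the original post, the following Python walks a constructed excerpt of the debug above, keeps the real state transitions (dropping self-loops such as IKE_I_MM2 to IKE_I_MM2) and the phase 1 retransmission counter, and names the stage at which a failed negotiation stalled; the hints it gives repeat what the configuration comments above say must match the peer. The function names summarize_ike and diagnose are this example's own.

```python
import re

# Constructed excerpt of the IKE debug above (RT3 as initiator); only the lines the parser needs.
DEBUG = """\
*Mar 1 00:24:11.751: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:24:21.763: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:24:31.767: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:24:31.935: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:24:31.999: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:24:32.015: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:24:32.143: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:24:32.215: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:24:32.375: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:24:32.379: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:24:32.567: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

TRANSITION = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANSMIT = re.compile(r"attempt (\d+) of (\d+): retransmit phase")

def summarize_ike(debug):
    """Collect the real state transitions and the phase 1 retransmission attempts from debug output."""
    path, retransmits = [], []
    for line in debug.splitlines():
        m = TRANSITION.search(line)
        if m and m.group(1) != m.group(2):  # skip self-loops such as IKE_I_MM2 -> IKE_I_MM2
            path.append(m.group(2))
        m = RETRANSMIT.search(line)
        if m:
            retransmits.append((int(m.group(1)), int(m.group(2))))  # (attempt, maximum)
    return {"path": path, "retransmits": retransmits,
            "phase1_done": "IKE_P1_COMPLETE" in path,
            "phase2_done": "IKE_QM_PHASE2_COMPLETE" in path}

def diagnose(summary):
    """Name the stage where the negotiation stalled, with the matching rule from the config notes."""
    if summary["retransmits"] and summary["retransmits"][-1][0] >= summary["retransmits"][-1][1]:
        return "phase 1 got no reply: check reachability between the two crypto endpoints"
    if not summary["phase1_done"]:
        last = summary["path"][-1] if summary["path"] else "IKE_READY"
        return f"phase 1 stalled at {last}: the ISAKMP policy and pre-shared key must match the peer"
    if not summary["phase2_done"]:
        return "phase 2 stalled: the transform-set and interesting-traffic ACLs must match the peer"
    return "both phases complete"

if __name__ == "__main__":
    print(diagnose(summarize_ike(DEBUG)))
```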