Date: 2012-05-29 15:36:38
These past few days I have been studying Cisco aggressive mode configuration. The setup I use is a headquarters with a static IP negotiating a VPN with a branch on ADSL. When I searched online, most of what I found was repeated material with no real value, so based on the material I found and my own hands-on work I have summarized it here.
Headquarters configuration (static IP uplink). The branch address is dynamic, so the hub cannot name a peer: it uses a dynamic crypto map plus an ISAKMP profile that matches any identity address, and the branch must initiate. Aggressive mode sends the identities and the PSK-derived authentication hash before encryption is established, so the pre-shared key must be long and random; 3DES, SHA-1 and the default DH group 1 used here are legacy settings that would be replaced by AES, SHA-2 and a larger group on current IOS.
!
hostname R3
!
crypto keyring k1
 ! the post omits the key; the hub needs one matching the branch password ("cisco") for any peer address
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile l2l
 keyring k1
 match identity address 0.0.0.0
 initiate mode aggressive
!
crypto ipsec transform-set bbb esp-3des esp-sha-hmac
!
crypto dynamic-map vpnmap 1
 set transform-set bbb
 set isakmp-profile l2l
 match address 110
!
crypto map vpnmap 1 ipsec-isakmp dynamic vpnmap
!
interface Loopback0
 ip address 10.100.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 218.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnmap
!
access-list 110 permit ip 10.100.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 218.1.1.1
Branch configuration (ADSL/PPPoE uplink). The branch address is negotiated on Dialer0, so the branch is the initiator; the aggressive-mode password under crypto isakmp peer is the pre-shared key used toward the hub and must match the key in the hub keyring:
!
hostname R2
!
vpdn enable
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
crypto isakmp peer address 218.1.1.2
 set aggressive-mode password cisco
 set aggressive-mode client-endpoint ipv4-address 218.1.1.2
!
crypto ipsec transform-set bbb esp-3des esp-sha-hmac
!
crypto map vpnmap 1 ipsec-isakmp
 set peer 218.1.1.2
 set transform-set bbb
 match address 110
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cisco
 ppp chap password 0 cisco
 crypto map vpnmap
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
dialer-list 1 protocol ip permit
The branch can alternatively be configured with a keyring and an ISAKMP profile, mirroring the hub:
vpdn enable
!
crypto keyring k2
 pre-shared-key address 218.1.1.2 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile L2L
 keyring k2
 match identity address 218.1.1.2 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set cisco111 esp-3des esp-sha-hmac
!
crypto map mtsbw 1 ipsec-isakmp
 set peer 218.1.1.2
 set transform-set cisco111
 set isakmp-profile L2L
 match address 110
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cisco
 ppp chap password 0 cisco
 crypto map mtsbw
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
dialer-list 1 protocol ip permit
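As an added example (not from the original post), the Python script below runs the checks a reviewer would make over these two configurations before trusting the tunnel. It parses the ISAKMP-related lines and the crypto ACL of the hub and of the keyring variant of the branch (embedded as constructed sample input, re-indented the way IOS prints sub-commands; the hub keyring is shown as originally posted, without a key), flags keyrings that carry no pre-shared key, ISAKMP policies that use 3DES or fall back to the IOS defaults (DES, SHA-1, DH group 1), and profiles configured to initiate aggressive mode, and verifies that the two crypto ACLs mirror each other. The function names and finding texts are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: ISAKMP lines and crypto ACL of the hub (R3) and of
# the branch (R2, keyring variant) from the post.  The hub keyring is shown as
# originally posted, without a key, so the audit can catch it.
HUB_CONFIG = """\
crypto keyring k1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile l2l
 keyring k1
 match identity address 0.0.0.0
 initiate mode aggressive
!
access-list 110 permit ip 10.100.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

BRANCH_CONFIG = """\
crypto keyring k2
 pre-shared-key address 218.1.1.2 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile L2L
 keyring k2
 match identity address 218.1.1.2 255.255.255.255
 initiate mode aggressive
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
"""

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_blocks(config):
    """Split an IOS config into (top-level command, [sub-commands]) pairs.
    Sub-commands are the lines IOS indents by one space; '!' separators are skipped."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def crypto_acls(config):
    """Map ACL number -> set of (src, src_wildcard, dst, dst_wildcard) permit-ip entries."""
    acls = defaultdict(set)
    for cmd, _ in parse_blocks(config):
        m = ACL_RE.match(cmd)
        if m:
            acls[m.group(1)].add(m.groups()[1:])
    return acls


def audit(config):
    """Return the findings (strings) a reviewer would raise for one router's config."""
    findings = []
    for cmd, subs in parse_blocks(config):
        if cmd.startswith("crypto keyring"):
            if not any(s.startswith("pre-shared-key") for s in subs):
                findings.append(f"{cmd}: no pre-shared-key, so no peer can authenticate")
        elif cmd.startswith("crypto isakmp policy"):
            # IOS defaults when a policy line is absent: encr des, hash sha, group 1
            if not any(s.startswith("group ") for s in subs):
                findings.append(f"{cmd}: no 'group' line, default DH group 1 (768-bit) applies")
            if not any(s.startswith("hash ") for s in subs):
                findings.append(f"{cmd}: no 'hash' line, default SHA-1 applies")
            encr = next((s.split()[1] for s in subs if s.startswith("encr ")), "des")
            if encr in ("des", "3des"):
                findings.append(f"{cmd}: legacy cipher {encr}")
        elif cmd.startswith("crypto isakmp profile"):
            if "initiate mode aggressive" in subs:
                findings.append(f"{cmd}: aggressive mode exposes the PSK-based hash to offline guessing")
    return findings


def acl_mirrors(local_entries, peer_entries):
    """True when every local (src -> dst) entry appears on the peer as (dst -> src).
    Mismatched proxy identities are the usual reason phase 2 fails after phase 1 succeeds."""
    swapped = {(dst, dw, src, sw) for (src, sw, dst, dw) in peer_entries}
    return local_entries == swapped


def review(hub, branch, acl="110"):
    """Findings for both routers plus whether their crypto ACLs match."""
    return {
        "hub": audit(hub),
        "branch": audit(branch),
        "acl_mirrors": acl_mirrors(crypto_acls(hub)[acl], crypto_acls(branch)[acl]),
    }


if __name__ == "__main__":
    result = review(HUB_CONFIG, BRANCH_CONFIG)
    for side in ("hub", "branch"):
        for finding in result[side]:
            print(f"[{side}] {finding}")
    print("crypto ACLs mirror each other:", result["acl_mirrors"])
```

Run against the two configs as posted, it reports the empty hub keyring, the legacy policy settings on both sides and the aggressive-mode profiles, and confirms that access-list 110 on each router is the mirror of the other.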
Checking VPN establishment on R2. QM_IDLE with status ACTIVE means phase 1 has completed; the first echo in the ping below is lost because it is the packet that triggers the negotiation:
R2#sh crypto isakmp sa
dst             src             state          conn-id slot status
218.1.1.2       218.2.2.2       QM_IDLE              1    0 ACTIVE
Ping test:
R2#ping 10.100.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/33/60 ms
Partial debug output on R2, the initiator. "peer matches *none* of the profiles" is expected with the first branch configuration, which defines no ISAKMP profile; "SA using tunnel password as pre-shared key" shows the set aggressive-mode password value being used as the PSK:
*Mar 1 01:30:03.735: ISAKMP:(0:3:SW:1): beginning Aggressive Mode exchange
*Mar 1 01:30:03.735: ISAKMP:(0:3:SW:1): sending packet to 218.1.1.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 01:30:03.859: ISAKMP (0:134217731): received packet from 218.1.1.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 01:30:03.863: ISAKMP:(0:3:SW:1): processing SA payload. message ID = 0
*Mar 1 01:30:03.863: ISAKMP:(0:3:SW:1): processing ID payload. message ID = 0
*Mar 1 01:30:03.863: ISAKMP (0:134217731): ID payload
        next-payload : 10
        type         : 1
        address      : 218.1.1.2
        protocol     : 0
        port         : 0
        length       : 12
*Mar 1 01:30:03.867: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
*Mar 1 01:30:03.867: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 1 01:30:03.867: ISAKMP:(0:3:SW:1): vendor ID is Unity
*Mar 1 01:30:03.871: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 1 01:30:03.871: ISAKMP:(0:3:SW:1): vendor ID is DPD
*Mar 1 01:30:03.871: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 1 01:30:03.871: ISAKMP:(0:3:SW:1): speaking to another IOS box!
*Mar 1 01:30:03.875: ISAKMP:(0:3:SW:1): SA using tunnel password as pre-shared key.