GCKS(config)#do show run
Building configuration...

Current configuration : 3260 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GCKS
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login login local
!
!
aaa session-id common
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ks1 privilege 15 secret 5 $1$BnK4$TJ5M6VaEhxh49WB.1rXon0
archive
 log config
  hidekeys
!
crypto keyring sk1-key
  pre-shared-key address 14.1.1.226 key sk
  pre-shared-key address 14.1.1.242 key sk
  pre-shared-key address 14.1.1.250 key sk
  pre-shared-key address 14.1.1.254 key sk
  pre-shared-key address 14.1.1.66 key sk
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile sk1-pro
   keyring sk1-key
   match identity address 14.1.1.226 255.255.255.255
   match identity address 14.1.1.242 255.255.255.255
   match identity address 14.1.1.250 255.255.255.255
   match identity address 14.1.1.254 255.255.255.255
   match identity address 14.1.1.66 255.255.255.255
!
!
crypto ipsec transform-set sk1-set esp-des esp-md5-hmac
!
crypto ipsec profile sk1-ipsec-pro
 set transform-set sk1-set
 set isakmp-profile sk1-pro
!
crypto gdoi group get-group1
 identity number 332266
 server local
  rekey algorithm aes 256
  rekey address ipv4 110
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpnkey
  sa ipsec 1
   profile sk1-ipsec-pro
   match address ipv4 getvpn-traffic
   replay time window-size 2
  address ipv4 14.1.1.194
  redundancy
   local priority 100
   peer address ipv4 14.1.1.226
!
!
interface Loopback0
 ip address 1.10.4.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.100.1 255.255.255.0
 ip ospf network point-to-point
!
!
interface Serial1/0
 ip address 14.1.1.194 255.255.255.252
 serial restart-delay 0
!
!
router ospf 88
 router-id 1.10.4.1
 log-adjacency-changes
 network 39.1.100.0 0.0.0.255 area 0
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended getvpn-traffic
 permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255
!
access-list 110 permit udp host 14.1.1.194 eq 848 host 239.0.10.10 eq 848
!
!
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 5
 login authentication login
!
end

-------------------------------------------------------------

KS2#show run
Building configuration...

Current configuration : 3235 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login login local
!
!
aaa session-id common
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ks2 privilege 15 secret 5 $1$pvPr$JSZtEgOyVsVo9lexnXH0U.
archive
 log config
  hidekeys
!
crypto keyring sk2-key
  pre-shared-key address 14.1.1.194 key sk
  pre-shared-key address 14.1.1.242 key sk
  pre-shared-key address 14.1.1.250 key sk
  pre-shared-key address 14.1.1.254 key sk
  pre-shared-key address 14.1.1.66 key sk
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile sk2-isakmp-pro
   keyring sk2-key
   match identity address 14.1.1.194 255.255.255.255
   match identity address 14.1.1.242 255.255.255.255
   match identity address 14.1.1.250 255.255.255.255
   match identity address 14.1.1.254 255.255.255.255
   match identity address 14.1.1.66 255.255.255.255
!
!
crypto ipsec transform-set sk2-set esp-des esp-md5-hmac
!
crypto ipsec profile sk2-ipsec-pro
 set transform-set sk2-set
 set isakmp-profile sk2-isakmp-pro
!
crypto gdoi group get-group1
 identity number 332266
 server local
  rekey algorithm aes 256
  rekey address ipv4 110
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpnkey
  sa ipsec 1
   profile sk2-ipsec-pro
   match address ipv4 getvpn-traffic
   replay time window-size 2
  address ipv4 14.1.1.226
  redundancy
   local priority 75
   peer address ipv4 14.1.1.194
!
!
interface Loopback0
 ip address 1.10.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.101.1 255.255.255.0
 ip ospf network point-to-point
!
!
interface Serial1/0
 ip address 14.1.1.226 255.255.255.252
 serial restart-delay 0
!
!
router ospf 88
 router-id 1.10.5.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended getvpn-traffic
 permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255
!
access-list 110 permit udp host 14.1.1.226 eq 848 host 239.0.10.10 eq 848
!
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 5
 login authentication login
!
end
---------------------------------------------------

GM1#show run
Building configuration...

Current configuration : 2276 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GM1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name mlp.com
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
crypto keyring gm1-key
  pre-shared-key address 14.1.1.194 key sk
  pre-shared-key address 14.1.1.226 key sk
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile gm1-isakmp-pro
   keyring gm1-key
   match identity address 14.1.1.194 255.255.255.255
   match identity address 14.1.1.226 255.255.255.255
!
!
crypto gdoi group get-group1
 identity number 332266
 server address ipv4 14.1.1.194
 server address ipv4 14.1.1.226
!
!
crypto map gm1 10 gdoi
 set group get-group1
 match address filter
!
!
interface Loopback0
 ip address 1.10.6.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.10.1 255.255.255.0
 ip ospf network point-to-point
!
!
interface Serial1/0
 ip address 14.1.1.242 255.255.255.252
 serial restart-delay 0
 clock rate 64000
 invert txclock
 crypto map gm1
!
!
!
router ospf 88
 router-id 1.10.6.1
 log-adjacency-changes
 network 39.1.10.0 0.0.0.255 area 1
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip access-list extended filter
 deny   ip 39.1.10.0 0.0.0.255 39.1.100.0 0.0.0.255
 deny   ip 39.1.10.0 0.0.0.255 39.1.101.0 0.0.0.255
ip access-list extended getvpn-traffic
 permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
----------------------------------

GCKS#show cry gdoi ks members

Group Member Information :

Number of rekeys sent for group get-group1 : 10

Group Member ID   : 14.1.1.242
Group ID          : 332266
Group Name        : get-group1
Key Server ID     : 14.1.1.194

Group Member ID   : 14.1.1.250
Group ID          : 332266
Group Name        : get-group1
Key Server ID     : 14.1.1.194

Group Member ID   : 14.1.1.254
Group ID          : 332266
Group Name        : get-group1
Key Server ID     : 14.1.1.194


GCKS#show cry gdoi ks rekey
Group get-group1 (Multicast)
    Number of Rekeys sent               : 10
    Number of Rekeys retransmitted      : 20
    KEK rekey lifetime (sec)            : 86400
        Remaining lifetime (sec)        : 53602
    Retransmit period                   : 10
    Number of retransmissions           : 2
    IPSec SA 1  lifetime (sec)          : 3600
        Remaining lifetime (sec)        : 3003
    Number of registrations after rekey : 3
    Multicast destination address       : 239.0.10.10

GCKS#show cry gdoi ks replay
Anti-replay Information For Group get-group1:
  Timebased Replay:
    Replay Value             : 92172.20 secs
    Remaining sync time      : 6574 secs

GCKS#show cry gdoi ks coop
Crypto Gdoi Group Name :get-group1
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 14.1.1.194
        Local Priority: 100
        Local KS Role: Primary   , Local KS Status: Alive
        Primary Timers:
                Primary Refresh Policy Time: 20
                Remaining Time: 14
                Antireplay Sequence Number: 1448

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 14.1.1.226
                Peer Priority: 75
                Peer KS Role: Secondary , Peer KS Status: Alive
                Antireplay Sequence Number: 22

                IKE status: Established
                Counters:
                    Ann msgs sent: 861
                    Ann msgs sent with reply request: 34
                    Ann msgs recv: 3
                    Ann msgs recv with reply request: 1
                    Packet sent drops: 519
                    Packet Recv drops: 1
                    Total bytes sent: 496477
                    Total bytes recv: 2164

GCKS#show cry gdoi ks policy
Key Server Policy:
For group get-group1 (handle: 2147483650) server 14.1.1.194 (handle: 2147483650):

  # of teks : 1  Seq num : 40
  KEK POLICY (transport type : Multicast)
    spi : 0x2B21792B99AFF504C66CADEF160DEB6
    management alg     : disabled    encrypt alg       : AES
    crypto iv length   : 16          key size          : 32
    orig life(sec): 86400       remaining life(sec): 53514
    sig hash algorithm : enabled     sig key length    : 162
    sig size           : 128
    sig key name       : getvpnkey

  TEK POLICY (encaps : ENCAPS_TUNNEL)
    spi                : 0x9DF4A86A    access-list           : getvpn-tra
    # of transforms    : 0             transform             : ESP_DES
    hmac alg           : HMAC_AUTH_MD5
    alg key size       : 8             sig key size          : 16
    orig life(sec)     : 3600          remaining life(sec)   : 2915
    tek life(sec)      : 3600          elapsed time(sec)     : 685
    antireplay window size: 2

  Replay Value 92232.63 secs
For group get-group1 (handle: 2147483650) server 14.1.1.226 (handle: 2147483651):

GCKS#show cry gdoi
GROUP INFORMATION

    Group Name               : get-group1 (Multicast)
    Group Identity           : 332266
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Redundancy               : Configured
        Local Address        : 14.1.1.194
        Local Priority       : 100
        Local KS Status      : Alive
        Local KS Role        : Primary
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 53452 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : sk1-ipsec-pro
      Replay method          : Time Based
      Replay Window Size     : 2
      SA Rekey
         Remaining Lifetime  : 2853 secs
      ACL Configured         : access-list getvpn-traffic

    Group Server list        : Local


GM1# show cry gdoi
GROUP INFORMATION

    Group Name               : get-group1
    Group Identity           : 332266
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 14.1.1.194
    Group Server list        : 14.1.1.194
                               14.1.1.226

    GM Reregisters in        : 2671 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 14.1.1.194:
   access-list  permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 53875
    Encrypt Algorithm        : AES
    Key Size                 : 256
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY:
  Serial1/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2732)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2732)
        Anti-Replay(Time Based) : 2 sec interval


GM1#show cry gdoi gm
Group Member Information For Group get-group1:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_get-group1_temp_acl
    Re-register
        Remaining time       : 2631 secs

GM1#ping 39.1.20.1 so 39.1.10.1 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.20.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.10.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 156/186/228 ms

GM1#ping 39.1.100.1 so 39.1.10.1 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.100.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.10.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 12/31/104 ms

GM1#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
14.1.1.194      14.1.1.242      GDOI_IDLE         1021    0 ACTIVE
239.0.10.10     14.1.1.194      GDOI_REKEY        1022    0 ACTIVE

IPv6 Crypto ISAKMP SA



GM1#show cry ipsec sa

interface: Serial1/0
    Crypto map tag: gm1, local addr 14.1.1.242

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (39.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (39.0.0.0/255.0.0.0/0/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
    #pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 14.1.1.242, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x9DF4A86A(2650056810)

     inbound esp sas:
      spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 39, flow_id: SW:39, crypto map: gm1
        sa timing: remaining key lifetime (sec): (2448)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 2
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 40, flow_id: SW:40, crypto map: gm1
        sa timing: remaining key lifetime (sec): (2448)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 2
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


GM1#show cry engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   39 Se1/0      IPsec DES+MD5                   0       20 39.0.0.0
   40 Se1/0      IPsec DES+MD5                  20        0 39.0.0.0
 1021 Se1/0      IKE   SHA+DES                   0        0 14.1.1.242
 1022 <none>     IKE   SHA+AES256                0        0

GM1#show cry gdoi
GROUP INFORMATION

    Group Name               : get-group1
    Group Identity           : 332266
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 14.1.1.194
    Group Server list        : 14.1.1.194
                               14.1.1.226

    GM Reregisters in        : 2242 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 14.1.1.194:
   access-list  permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 53875
    Encrypt Algorithm        : AES
    Key Size                 : 256
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY:
  Serial1/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2302)
        Anti-Replay(Time Based) : 2 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2302)
        Anti-Replay(Time Based) : 2 sec interval

http://pan.baidu.com/s/1bns376R