Lab objective
Lab topology
Configuration key points
Lab verification
Enable debugging on R3 and observe the IKE exchange:
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/57/164 ms
R3#
*Jul 27 20:03:31.910: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Jul 27 20:03:31.914: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Jul 27 20:03:31.914: ISAKMP: New peer created peer = 0x65B5BB30 peer_handle = 0x80000005
*Jul 27 20:03:31.918: ISAKMP: Locking peer struct 0x65B5BB30, refcount 1 for crypto_isakmp_process_block
*Jul 27 20:03:31.922: ISAKMP: local port 500, remote port 500
*Jul 27 20:03:31.926: insert sa successfully sa = 65B77620
*Jul 27 20:03:31.930: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
IKE phase 1, first packet exchange.
*Jul 27 20:03:31.946: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 27 20:03:31.950: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.950: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.962: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:31.962: ISAKMP:(0): local preshared key found
*Jul 27 20:03:31.962: ISAKMP : Scanning profiles for xauth ...
*Jul 27 20:03:31.962: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 27 20:03:31.966: ISAKMP: encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP: hash MD5
*Jul 27 20:03:31.966: ISAKMP: default group 1
*Jul 27 20:03:31.966: ISAKMP: auth pre-share
*Jul 27 20:03:31.966: ISAKMP: life type in seconds
*Jul 27 20:03:31.966: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 20:03:31.966: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 27 20:03:31.970: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.970: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:31.970: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 27 20:03:31.974: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
Negotiation packet sent to the peer "13.1.1.3", source port 500, destination port 500.
*Jul 27 20:03:31.974: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:31.978: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 27 20:03:32.026: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.026: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 27 20:03:32.026: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 27 20:03:32.054: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 27 20:03:32.058: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:32.058: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is Unity
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is DPD
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): speaking to another IOS box!
*Jul 27 20:03:32.062: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.062: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.066: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.066: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 27 20:03:32.122: ISAKMP:(1002): processing ID payload. message ID = 0
*Jul 27 20:03:32.122: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 12.1.1.1
protocol : 17
port : 500
length : 12
*Jul 27 20:03:32.122: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 27 20:03:32.126: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jul 27 20:03:32.126: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 65B77620
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status:
authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002):SA has been authenticated with 12.1.1.1
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status:
authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 23.1.1.3 remote 12.1.1.1 remote port 500
*Jul 27 20:03:32.130: ISAKMP: Trying to insert a peer 23.1.1.3/12.1.1.1/500/, and inserted successfully 65B5BB30.
*Jul 27 20:03:32.130: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.130: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 27 20:03:32.130: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.134: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 27 20:03:32.134: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 23.1.1.3
protocol : 17
port : 500
length : 12
*Jul 27 20:03:32.134: ISAKMP:(1002):Total payload length: 12
*Jul 27 20:03:32.134: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.134: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Phase 1 complete.
*Jul 27 20:03:32.142: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 27 20:03:32.142: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.158: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.158: ISAKMP: set new node -1769201649 to QM_IDLE
*Jul 27 20:03:32.162: ISAKMP:(1002): processing HASH payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002): processing SA payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002):Checking IPSec proposal 1
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP: attributes in transform:
*Jul 27 20:03:32.162: ISAKMP: encaps is 1 (Tunnel)
*Jul 27 20:03:32.162: ISAKMP: SA life type in seconds
*Jul 27 20:03:32.162: ISAKMP: SA life duration (basic) of 3600
*Jul 27 20:03:32.162: ISAKMP: SA life type in kilobytes
*Jul 27 20:03:32.162: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP: authenticator is HMAC-MD5
*Jul 27 20:03:32.162: ISAKMP:(1002):atts are acceptable.
The policies match; negotiation of this proposal is complete.
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 23.1.1.3, remote= 12.1.1.1,
local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 27 20:03:32.166: Crypto mapdb : proxy_match
src addr : 3.3.3.0
dst addr : 1.1.1.0
protocol : 0
src port : 0
dst port : 0
*Jul 27 20:03:32.170: ISAKMP:(1002): processing NONCE payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002):QM Responder gets spi
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.170: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 27 20:03:32.170: ISAKMP:(1002): Creating IPSec SAs
The IPsec SAs are created.
*Jul 27 20:03:32.170: inbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/ 0
(proxy 1.1.1.0 to 3.3.3.0)
*Jul 27 20:03:32.170: has spi 0x12160605 and conn_id 0
*Jul 27 20:03:32.170: lifetime of 3600 seconds
*Jul 27 20:03:32.170: lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: outbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/0
(proxy 3.3.3.0 to 1.1.1.0)
*Jul 27 20:03:32.170: has spi 0xDD947DA9 and conn_id 0
*Jul 27 20:03:32.170: lifetime of 3600 seconds
*Jul 27 20:03:32.170: lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 27 20:03:32.174: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 27 20:03:32.178: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.178: Crypto mapdb : proxy_match
src addr : 3.3.3.0
dst addr : 1.1.1.0
protocol : 0
src port : 0
dst port : 0
*Jul 27 20:03:32.182: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 12.1.1.1
*Jul 27 20:03:32.182: IPSEC(policy_db_add_ident): src 3.3.3.0, dest 1.1.1.0, dest_port 0
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
(sa) sa_dest= 23.1.1.3, sa_proto= 50,
sa_spi= 0x12160605(303433221),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
(sa) sa_dest= 12.1.1.1, sa_proto= 50,
sa_spi= 0xDD947DA9(3717496233),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
*Jul 27 20:03:32.210: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.210: ISAKMP:(1002):deleting node -1769201649 error FALSE reason "QM done (await)"
*Jul 27 20:03:32.210: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.210: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Phase 2 complete.
*Jul 27 20:03:32.214: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): enable SA with spi 3717496233/50
*Jul 27 20:03:32.214: IPSEC(update_current_outbound_sa): updated peer 12.1.1.1 current outbound sa to SPI DD947DA9
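As an added example (not part of the original lab), the following Python script parses Cisco ISAKMP debug lines like those above: it tracks the Old State / New State transitions to confirm that phase 1 and phase 2 completed, decodes the hex "life duration (VPI)" bytes into the 86400-second and 4608000-kilobyte lifetimes shown later in the output, and flags the algorithms this lab negotiated (DES, MD5, DH group 1) that a reviewer would want replaced; the weak-algorithm baseline is my assumption, not something the lab states.

```python
import re

# Constructed sample: ISAKMP debug lines copied from the R3 output above (a subset).
SAMPLE_DEBUG = """\
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 27 20:03:31.966: ISAKMP: encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP: hash MD5
*Jul 27 20:03:31.966: ISAKMP: default group 1
*Jul 27 20:03:31.966: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP: authenticator is HMAC-MD5
*Jul 27 20:03:32.210: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
VPI_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+ ?)+)")
# Attributes a reviewer would flag; this baseline is an assumption, not from the lab.
WEAK = {
    re.compile(r"encryption DES-CBC"): "56-bit DES for IKE",
    re.compile(r"hash MD5"): "MD5 as IKE hash",
    re.compile(r"default group 1\b"): "768-bit DH group 1",
    re.compile(r"ESP_DES"): "ESP with single DES",
    re.compile(r"authenticator is HMAC-MD5"): "HMAC-MD5 for ESP integrity",
}

def decode_vpi(byte_tokens: str) -> int:
    """IOS prints variable-length lifetimes as big-endian hex bytes; rebuild the integer."""
    value = 0
    for token in byte_tokens.split():
        value = (value << 8) | int(token, 16)
    return value

def analyze(debug_text: str) -> dict:
    """Extract state transitions, decoded lifetimes and weak-algorithm findings."""
    report = {"transitions": [], "lifetimes": [], "weak": []}
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            report["transitions"].append((m.group(1), m.group(2)))
        if m := VPI_RE.search(line):
            report["lifetimes"].append(decode_vpi(m.group(1)))
        report["weak"] += [why for pat, why in WEAK.items() if pat.search(line)]
    new_states = {new for _, new in report["transitions"]}
    report["phase1_done"] = "IKE_P1_COMPLETE" in new_states
    report["phase2_done"] = "IKE_QM_PHASE2_COMPLETE" in new_states
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE_DEBUG))  # lifetimes decode to [86400, 4608000]
```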
Finally, look at R2's routing table once more:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback10
23.0.0.0/24 is subnetted, 1 subnets
C 23.1.1.0 is directly connected, Serial1/1
12.0.0.0/24 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Serial1/0