Site-to-Site VPN Configuration Example (Shared Key)
 
1. The configuration of the two routers is as follows:
R1#show running-config
*Dec 11 21:49:22.595: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
 
Current configuration : 1243 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!        
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2 
crypto isakmp key cisco address 99.1.1.2
!
!
crypto ipsec transform-set vpn ah-md5-hmac esp-des esp-sha-hmac
!
crypto map sitevpn 10 ipsec-isakmp
 set peer 99.1.1.2
 set transform-set vpn
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 99.1.1.1 255.255.255.252
 duplex half
 crypto map sitevpn
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 99.1.1.2
!
no ip http server
no ip http secure-server
!        
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!        
end
 
R2#show running-config
Building configuration...
 
Current configuration : 1263 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!        
!
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2 
crypto isakmp key cisco address 99.1.1.1
!
!
crypto ipsec transform-set vpn ah-md5-hmac esp-des esp-sha-hmac
!
crypto map sitevpn 10 ipsec-isakmp
 set peer 99.1.1.1
 set transform-set vpn
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 99.1.1.2 255.255.255.252
 duplex half
 crypto map sitevpn
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 99.1.1.1
!
no ip http server
no ip http secure-server
!
!
access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!        
!
end
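As an added example that is not part of the original page, the following Python script parses the crypto-related blocks of an IOS running-config like the two above, cross-checks that the crypto map names an existing transform set and access list and is bound to an interface, and flags algorithms that current guidance (Cisco Next Generation Encryption, NIST SP 800-131A) treats as deprecated: DES, 3DES, MD5 and Diffie-Hellman groups below 2048 bits. The embedded R1_CONFIG text is an excerpt of R1's configuration from this page with crypto map sitevpn bound to FastEthernet0/0; the 16-character minimum for the pre-shared key is a constructed threshold for this example, not a vendor value.

```python
# Added example, not code from the original page: audit the crypto-related
# blocks of a Cisco IOS running-config. R1_CONFIG is an excerpt of R1's
# configuration above, with the crypto map bound to FastEthernet0/0.
R1_CONFIG = """\
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 99.1.1.2
!
crypto ipsec transform-set vpn ah-md5-hmac esp-des esp-sha-hmac
!
crypto map sitevpn 10 ipsec-isakmp
 set peer 99.1.1.2
 set transform-set vpn
 match address 110
!
interface FastEthernet0/0
 ip address 99.1.1.1 255.255.255.252
 crypto map sitevpn
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
"""

WEAK_ENCR = {"des", "3des"}   # deprecated (Cisco NGE "avoid", NIST SP 800-131A)
WEAK_HASH = {"md5"}           # MD5 integrity is deprecated for IKE/IPsec
WEAK_DH = {"1", "2", "5"}     # Diffie-Hellman groups below 2048 bits
MIN_PSK_LEN = 16              # constructed threshold for this example, not a vendor value


def parse_blocks(config_text):
    """Split an IOS config into (top-level command, [subcommands]) pairs.
    IOS indents subcommands by one space and uses '!' lines as separators."""
    blocks = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line, []))
    return blocks


def audit_crypto(config_text):
    """Return the parsed IPsec pieces plus a list of human-readable findings."""
    policies, tsets, cmaps, acls, applied, findings = {}, {}, {}, {}, {}, []
    for cmd, subs in parse_blocks(config_text):
        w = cmd.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            pol = {}
            for s in subs:                       # e.g. "encr 3des", "group 2"
                key, _, val = s.partition(" ")
                pol[key] = val.strip()
            policies[w[3]] = pol
            if pol.get("encr") in WEAK_ENCR:
                findings.append(f"isakmp policy {w[3]}: weak encryption {pol['encr']}")
            if pol.get("hash") in WEAK_HASH:
                findings.append(f"isakmp policy {w[3]}: weak hash {pol['hash']}")
            if pol.get("group") in WEAK_DH:
                findings.append(f"isakmp policy {w[3]}: weak DH group {pol['group']}")
        elif w[:3] == ["crypto", "isakmp", "key"]:
            # plain form "crypto isakmp key <key> address <peer>" as on this page
            if len(w[3]) < MIN_PSK_LEN:
                findings.append(f"pre-shared key for {w[5]} is only {len(w[3])} characters")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = w[4:]
            for t in w[4:]:                      # "esp-des" -> {"esp", "des"}
                if set(t.split("-")) & (WEAK_ENCR | WEAK_HASH):
                    findings.append(f"transform-set {w[3]}: weak transform {t}")
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            entry = {"peer": None, "transform_set": None, "acl": None}
            for s in subs:
                sw = s.split()
                if sw[:2] == ["set", "peer"]:
                    entry["peer"] = sw[2]
                elif sw[:2] == ["set", "transform-set"]:
                    entry["transform_set"] = sw[2]
                elif sw[:2] == ["match", "address"]:
                    entry["acl"] = sw[2]
            cmaps[(w[2], w[3])] = entry
        elif w[0] == "interface":
            for s in subs:
                if s.startswith("crypto map "):
                    applied.setdefault(s.split()[2], []).append(w[1])
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(" ".join(w[2:]))

    # A crypto map only takes effect once bound to an interface, and the
    # transform set and ACL it names must exist.
    for (name, seq), entry in cmaps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
        if entry["transform_set"] not in tsets:
            findings.append(f"crypto map {name} {seq}: unknown transform-set {entry['transform_set']}")
        if entry["acl"] not in acls:
            findings.append(f"crypto map {name} {seq}: unknown access-list {entry['acl']}")
    return {"isakmp_policies": policies, "transform_sets": tsets, "crypto_maps": cmaps,
            "applied_on": applied, "acls": acls, "findings": findings}
```

Running audit_crypto(R1_CONFIG)["findings"] on the excerpt reports six items: 3DES, MD5 and DH group 2 in the ISAKMP policy, the short pre-shared key, and the esp-des and ah-md5-hmac transforms. The same parser applied to a config whose interface lacks the crypto map line adds "crypto map sitevpn is not applied to any interface", which is the difference between a VPN that negotiates and one that silently sends plaintext.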
 
2. Verifying the configuration
 
R2#debug crypto ipsec
Crypto IPSEC debugging is on
 
R2#ping 172.16.1.1 source 172.16.2.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
 
*Dec 11 21:52:54.995: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xC34D28FA(3276613882), conn_id= 0, keysize= 0, flags= 0x400A
*Dec 11 21:52:54.999: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x397AFB16(964360982), conn_id= 0, keysize= 0, flags= 0x400A
*Dec 11 21:52:56.339: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.347: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.351: Crypto mapdb : proxy_match
        src addr     : 172.16.2.0
        dst addr     : 172.16.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 21:52:56.367: IPSEC(key_engine): got a queue event with 4 kei messages
*Dec 11 21:52:56.367: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xC34D28FA(3276613882), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.371: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x303B33D8(809186264), conn_id= 0, keysize= 0, flags= 0xA
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/68/112 ms
R2#
*Dec 11 21:52:56.375: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x397AFB16(964360982), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.379: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x6D84A16(114838038), conn_id= 0, keysize= 0, flags= 0xA
*Dec 11 21:52:56.383: Crypto mapdb : proxy_match
        src addr     : 172.16.2.0
        dst addr     : 172.16.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 21:52:56.387: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 99.1.1.1
*Dec 11 21:52:56.391: IPSec: Flow_switching Allocated flow for sibling 80000002
*Dec 11 21:52:56.391: IPSEC(policy_db_add_ident): src 172.16.2.0, dest 172.16.1.0, dest_port 0
 
*Dec 11 21:52:56.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 51,
    sa_spi= 0xC34D28FA(3276613882),
    sa_trans= ah-md5-hmac , sa_conn_id= 2001
*Dec 11 21:52:56.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 51,
    sa_spi= 0x303B33D8(809186264),
    sa_trans= ah-md5-hmac , sa_conn_id= 2002
*Dec 11 21:52:56.399: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 50,
    sa_spi= 0x397AFB16(964360982),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001
*Dec 11 21:52:56.403: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 50,
    sa_spi= 0x6D84A16(114838038),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2002
 
R2#ping 172.16.1.1 source 172.16.2.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/108 ms
 
 
R2#sh crypto ipsec sa
 
interface: FastEthernet0/0
    Crypto map tag: sitevpn, local addr 99.1.1.2
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 99.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
 
     local crypto endpt.: 99.1.1.2, remote crypto endpt.: 99.1.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x6D84A16(114838038)
 
     inbound esp sas:
      spi: 0x397AFB16(964360982)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: sitevpn
        sa timing: remaining key lifetime (k/sec): (4497696/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
      spi: 0xC34D28FA(3276613882)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: sitevpn
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x6D84A16(114838038)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: sitevpn
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
      spi: 0x303B33D8(809186264)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: sitevpn
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE
 
     outbound pcp sas:
 
R2#sh crypto isakmp sa
dst             src             state          conn-id slot status
99.1.1.1        99.1.1.2        QM_IDLE              1    0 ACTIVE
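As an added example that is not part of the original page, this Python script parses the text of "show crypto ipsec sa" as printed above into a structure and runs the checks a monitoring job would want over it: an SA whose Status is not ACTIVE, a protocol with an SA in only one direction, replay detection disabled, remaining lifetime close to expiry, zero traffic in a direction, and non-zero error counters. The SAMPLE string is R2's output from this page, reduced to the lines the parser reads; the 300-second lifetime threshold is a constructed value.

```python
import re

# Added example, not code from the original page: parse 'show crypto ipsec sa'
# output and run monitoring-style checks over it. SAMPLE is R2's output from
# this page, reduced to the lines the parser reads.
SAMPLE = """\
    Crypto map tag: sitevpn, local addr 99.1.1.2
   current_peer 99.1.1.1 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x397AFB16(964360982)
        sa timing: remaining key lifetime (k/sec): (4497696/3536)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0xC34D28FA(3276613882)
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6D84A16(114838038)
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0x303B33D8(809186264)
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:
"""

SA_HEADER = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_LINE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)\(")
COUNTER = re.compile(r"#(pkts (?:encaps|decaps)|send errors|recv errors)[: ]+(\d+)")
LIFETIME = re.compile(r"\((\d+)/(\d+)\)")       # "(k/sec): (4497696/3536)"


def parse_ipsec_sa(text):
    """Return crypto map, peer, packet/error counters and one dict per SA."""
    out = {"crypto_map": None, "peer": None, "counters": {}, "sas": []}
    section, sa = None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Crypto map tag:"):
            out["crypto_map"] = s.split()[3].rstrip(",")
        elif s.startswith("current_peer"):
            out["peer"] = s.split()[1]
        elif s.startswith("#"):
            for name, val in COUNTER.findall(s):
                out["counters"][name] = int(val)
        elif SA_HEADER.match(line):
            section, sa = SA_HEADER.match(line).groups(), None
        elif SPI_LINE.match(line) and section:
            sa = {"direction": section[0], "protocol": section[1],
                  "spi": SPI_LINE.match(line).group(1),
                  "status": None, "replay": None, "remaining_sec": None}
            out["sas"].append(sa)
        elif sa is not None:
            if s.startswith("Status:"):
                sa["status"] = s.split(":", 1)[1].strip()
            elif s.startswith("replay detection support:"):
                sa["replay"] = s.split(":", 1)[1].strip() == "Y"
            elif s.startswith("sa timing:"):
                sa["remaining_sec"] = int(LIFETIME.search(s).group(2))
    return out


def check_health(parsed, min_remaining_sec=300):
    """List conditions a monitoring check should raise; empty means healthy.
    The 300-second remaining-lifetime threshold is a constructed value."""
    issues = []
    c = parsed["counters"]
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        issues.append("no traffic in at least one direction")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            issues.append(f"{name}: {c[name]}")
    seen = set()
    for sa in parsed["sas"]:
        tag = f"{sa['direction']} {sa['protocol']} SA {sa['spi']}"
        seen.add((sa["direction"], sa["protocol"]))
        if sa["status"] != "ACTIVE":
            issues.append(f"{tag} status {sa['status']}")
        if not sa["replay"]:
            issues.append(f"{tag} has replay detection disabled")
        if sa["remaining_sec"] is not None and sa["remaining_sec"] < min_remaining_sec:
            issues.append(f"{tag} expires in {sa['remaining_sec']}s")
    # Each negotiated protocol needs an SA in both directions.
    for proto in sorted({p for _, p in seen}):
        for direction in ("inbound", "outbound"):
            if (direction, proto) not in seen:
                issues.append(f"missing {direction} {proto} SA")
    return issues
```

On the output above, check_health(parse_ipsec_sa(SAMPLE)) returns only "send errors: 1": all four SAs (ESP and AH, both directions) are ACTIVE with replay detection on, and the single send error is consistent with the first echo of the initial ping timing out while the SAs were still being negotiated.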