IPSEC VPN setup explained in detail (lab version)

RT1:

crypto isakmp policy 10                                  // define the ISAKMP policy
 encr 3des                                               // use 3DES encryption
 hash md5                                                // use MD5 as the digest algorithm
 authentication pre-share                                // authenticate with a pre-shared key
 group 2                                                 // define the DH algorithm as group 2
crypto isakmp identity address                           // use the IP address as the identity
crypto isakmp key cisco1 address 172.1.2.2               // configure the pre-shared key and the peer's IP
crypto isakmp key cisco2 address 172.1.3.2               // configure the pre-shared key and the peer's IP
crypto ipsec transform-set cisco esp-aes esp-md5-hmac    // configure the transform set used to negotiate the IPSEC SA policy
!
crypto map RT1 10 ipsec-isakmp                           // configure the crypto map
 set peer 172.1.2.2                                      // set the peer
 set transform-set cisco                                 // reference the transform set
 match address 101                                       // match the interesting traffic
crypto map RT1 20 ipsec-isakmp
 set peer 172.1.3.2
 set transform-set cisco
 match address 102
interface Ethernet0/0
 ip address 172.1.1.2 255.255.255.240
 crypto map RT1                                          // apply the crypto map on the interface
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.36.0 0.0.0.255   // define the interesting traffic
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255   // define the interesting traffic
ip route 0.0.0.0 0.0.0.0 172.1.1.1                       // the two crypto endpoints must be able to reach each other
RT2:

crypto isakmp policy 10                                  // ISAKMP parameters must match the peer
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity address
crypto isakmp key cisco1 address 172.1.1.2               // the pre-shared key must match the peer
crypto ipsec transform-set cisco esp-aes esp-md5-hmac    // IPSEC parameters must match the peer
!
crypto map RT2 10 ipsec-isakmp
 set peer 172.1.1.2
 set transform-set cisco
 match address 101
interface Ethernet0/0
 ip address 172.1.2.2 255.255.255.240
 crypto map RT2
access-list 101 permit ip 192.168.36.0 0.0.0.255 192.168.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.2.1                       // the two crypto endpoints must be able to reach each other
RT3:

crypto isakmp policy 10                                  // ISAKMP parameters must match the peer
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco2 address 172.1.1.2               // the pre-shared key must match the peer
crypto isakmp identity address
crypto ipsec transform-set cisco esp-aes esp-md5-hmac    // IPSEC parameters must match the peer
!
crypto map RT3 10 ipsec-isakmp
 set peer 172.1.1.2
 set transform-set cisco
 match address 101
interface Ethernet0/0
 ip address 172.1.3.2 255.255.255.240
 crypto map RT3
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.3.1                       // the two crypto endpoints must be able to reach each other
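The three configurations above only work because every parameter the comments mark "must match the peer" really does match. The following script is an added example, not part of the original article: it parses the small subset of Cisco IOS crypto commands used in this lab (re-typed here as the constants RT1_CFG and RT3_CFG; RT2 is checked the same way) and reports where two peers' Phase 1 and Phase 2 settings would fail to agree. The parser only understands the commands that appear in the lab, and lines it does not need (such as ip route) are omitted from the samples.

```python
# Added example: consistency check for a pair of IPsec peers in this lab.
# RT1_CFG / RT3_CFG are the article's RT1 and RT3 configurations, re-typed.

RT1_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco1 address 172.1.2.2
crypto isakmp key cisco2 address 172.1.3.2
crypto ipsec transform-set cisco esp-aes esp-md5-hmac
crypto map RT1 10 ipsec-isakmp
 set peer 172.1.2.2
 set transform-set cisco
 match address 101
crypto map RT1 20 ipsec-isakmp
 set peer 172.1.3.2
 set transform-set cisco
 match address 102
interface Ethernet0/0
 ip address 172.1.1.2 255.255.255.240
 crypto map RT1
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.36.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
"""

RT3_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco2 address 172.1.1.2
crypto ipsec transform-set cisco esp-aes esp-md5-hmac
crypto map RT3 10 ipsec-isakmp
 set peer 172.1.1.2
 set transform-set cisco
 match address 101
interface Ethernet0/0
 ip address 172.1.3.2 255.255.255.240
 crypto map RT3
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
"""


def parse(cfg):
    """Extract the crypto settings this lab uses; unknown commands are ignored."""
    d = {"policies": [], "keys": {}, "tsets": {}, "maps": [], "acls": {}, "addr": None}
    ctx = None  # which sub-mode the indented lines belong to
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0] == " ":  # indented line: belongs to the current sub-mode
            if ctx == "policy":
                d["policies"][-1][w[0]] = w[1]  # encr / hash / authentication / group
            elif ctx == "map" and w[:2] == ["set", "peer"]:
                d["maps"][-1]["peer"] = w[2]
            elif ctx == "map" and w[:2] == ["set", "transform-set"]:
                d["maps"][-1]["tset"] = w[2]
            elif ctx == "map" and w[:2] == ["match", "address"]:
                d["maps"][-1]["acl"] = w[2]
            elif ctx == "intf" and w[:2] == ["ip", "address"]:
                d["addr"] = w[2]  # the crypto endpoint address the peer points at
            continue
        ctx = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            d["policies"].append({})
            ctx = "policy"
        elif w[:3] == ["crypto", "isakmp", "key"]:
            d["keys"][w[5]] = w[3]  # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) == 5:  # "crypto map NAME SEQ ipsec-isakmp"
            d["maps"].append({})
            ctx = "map"
        elif w[0] == "interface":
            ctx = "intf"
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            d["acls"][w[1]] = tuple(w[4:8])  # (src, wildcard, dst, wildcard)
    return d


def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would stop cfg_a and cfg_b from building a tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    # Phase 1: the peers need at least one identical ISAKMP policy
    if not any(pa == pb for pa in a["policies"] for pb in b["policies"]):
        out.append("no matching ISAKMP policy")
    # Phase 1: each side's key for the other's address must be the same secret
    ka, kb = a["keys"].get(b["addr"]), b["keys"].get(a["addr"])
    if ka is None or ka != kb:
        out.append("pre-shared key missing or mismatched")
    # Phase 2: find the crypto map entries that point at each other
    ma = next((m for m in a["maps"] if m.get("peer") == b["addr"]), None)
    mb = next((m for m in b["maps"] if m.get("peer") == a["addr"]), None)
    if ma is None or mb is None:
        return out + ["no crypto map entry for the peer"]
    if a["tsets"].get(ma.get("tset")) != b["tsets"].get(mb.get("tset")):
        out.append("transform-set mismatch")
    # Phase 2: interesting traffic must be the mirror image on the other side
    acl_a, acl_b = a["acls"].get(ma.get("acl")), b["acls"].get(mb.get("acl"))
    if acl_a is None or acl_b is None or acl_a != acl_b[2:] + acl_b[:2]:
        out.append("interesting-traffic ACLs are not mirror images")
    return out


if __name__ == "__main__":
    print("RT1<->RT3:", check_pair(RT1_CFG, RT3_CFG) or "consistent")
    print("RT1<->RT3 with 'hash sha' on RT3:",
          check_pair(RT1_CFG, RT3_CFG.replace("hash md5", "hash sha")))
```

The check deliberately looks for any one identical policy rather than identical policy lists, because IOS negotiates the first policy pair that agrees; the ACL test is the mirror-image rule, since the peer's access-list must name the same two subnets with source and destination swapped.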
ISAKMP SA (bidirectional; established once the Phase 1 negotiation completes):

RT3#show crypto isakmp sa
dst             src             state          conn-id slot status
172.1.1.2       172.1.3.2       QM_IDLE              1    0 ACTIVE

IPSEC SA (two unidirectional SAs, inbound and outbound; established once Phase 2 completes):

RT3#show crypto ipsec sa
     inbound esp sas:
      spi: 0x88A9E91(143302289)                              // security parameter index
        transform: esp-aes esp-md5-hmac ,                    // negotiated IPSEC parameters
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: RT3        // the crypto map applied
        sa timing: remaining key lifetime (k/sec): (4528168/1384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE                                       // the SA is active

     outbound esp sas:
      spi: 0xB2979D58(2996280664)                            // security parameter index
        transform: esp-aes esp-md5-hmac ,                    // negotiated IPSEC parameters
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: RT3        // the crypto map applied
        sa timing: remaining key lifetime (k/sec): (4528168/1374)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE                                       // the SA is active
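A tunnel is only usable when both unidirectional ESP SAs exist and are ACTIVE, so the show output above is what a monitoring job would check. The script below is an added example, not part of the original article: it parses the ESP sections of show crypto ipsec sa (the RT3 output above, re-typed as SHOW_OUTPUT), verifies that the printed hex and decimal SPI agree, and flags a missing or inactive direction, anti-replay protection turned off, a transform that differs between directions, and an SA about to expire. The expiry threshold is a parameter of this example, not something the article specifies.

```python
# Added example: health check over "show crypto ipsec sa" ESP sections.
# SHOW_OUTPUT is the article's RT3 output, trimmed to the two ESP SAs.
import re

SHOW_OUTPUT = """\
     inbound esp sas:
      spi: 0x88A9E91(143302289)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: RT3
        sa timing: remaining key lifetime (k/sec): (4528168/1384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0xB2979D58(2996280664)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: RT3
        sa timing: remaining key lifetime (k/sec): (4528168/1374)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
"""

SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)\((\d+)\)")
LIFE_RE = re.compile(r"\((\d+)/(\d+)\)")           # (kilobytes/seconds) remaining
MAP_RE = re.compile(r"crypto map: (\S+)")


def parse_esp_sas(text):
    """Return {'inbound': [sa, ...], 'outbound': [sa, ...]} from the show output."""
    sas = {"inbound": [], "outbound": []}
    direction, cur = None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("esp sas:"):
            direction, cur = s.split()[0], None
        elif s.startswith("spi:") and direction:
            m = SPI_RE.match(s)
            cur = {"spi_hex": m.group(1), "spi": int(m.group(2))}
            sas[direction].append(cur)
        elif cur is None:
            continue
        elif s.startswith("transform:"):
            cur["transform"] = tuple(s[len("transform:"):].rstrip(" ,").split())
        elif s.startswith("in use settings"):
            cur["mode"] = s.split("{")[1].split(",")[0]   # "Tunnel" or "Transport"
        elif MAP_RE.search(s):
            cur["crypto_map"] = MAP_RE.search(s).group(1)
        elif s.startswith("sa timing"):
            kb, sec = LIFE_RE.search(s).groups()
            cur["lifetime_kb"], cur["lifetime_sec"] = int(kb), int(sec)
        elif s.startswith("replay detection support:"):
            cur["replay"] = s.endswith("Y")
        elif s.startswith("Status:"):
            cur["status"] = s.split()[-1]
    return sas


def check_tunnel(text, min_lifetime_sec=120):
    """List the reasons the tunnel in `text` is not (or will soon not be) healthy."""
    sas = parse_esp_sas(text)
    issues = []
    for d in ("inbound", "outbound"):
        if not any(sa.get("status") == "ACTIVE" for sa in sas[d]):
            issues.append(f"no ACTIVE {d} SA")
        for sa in sas[d]:
            if sa["spi"] != int(sa["spi_hex"], 16):
                issues.append(f"{d} SPI hex/decimal disagree: {sa['spi_hex']}")
            if not sa.get("replay"):
                issues.append(f"{d} SA {sa['spi_hex']} has anti-replay disabled")
            if sa.get("mode") != "Tunnel":
                issues.append(f"{d} SA {sa['spi_hex']} is not in tunnel mode")
            if sa.get("lifetime_sec", 0) < min_lifetime_sec:
                issues.append(f"{d} SA {sa['spi_hex']} rekeys in {sa.get('lifetime_sec')}s")
    pairs = zip(sas["inbound"], sas["outbound"])
    if any(i.get("transform") != o.get("transform") for i, o in pairs):
        issues.append("transform differs between inbound and outbound SA")
    return issues


if __name__ == "__main__":
    print(check_tunnel(SHOW_OUTPUT) or "tunnel healthy")
```

Run against the article's output the check reports nothing; drop the outbound section, or change a Status line to anything but ACTIVE, and it reports the missing direction, which is the usual symptom of Phase 2 completing on only one side.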
Analysis of the debug output

IKE process:

*Mar 1 00:24:11.715: ISAKMP: received ke message (1/1)
*Mar 1 00:24:11.719: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
// The requested profile is empty because no profile is used.
*Mar 1 00:24:11.719: ISAKMP: Created a peer struct for 172.1.1.2, peer port 500
// A peer struct is created for 172.1.1.2; the peer's port is 500.
*Mar 1 00:24:11.723: ISAKMP: New peer created peer = 0x64960A40 peer_handle = 0x80000002
// The new peer is created at 0x64960A40 with peer handle 0x80000002.
*Mar 1 00:24:11.727: ISAKMP: Locking peer struct 0x64960A40, IKE refcount 1 for isakmp_initiator
// The peer struct 0x64960A40 is locked; the IKE refcount for the isakmp initiator is 1.
*Mar 1 00:24:11.731: ISAKMP: local port 500, remote port 500
// Local port 500, remote port 500.
*Mar 1 00:24:11.731: ISAKMP: set new node 0 to QM_IDLE
// New node 0 is set to QM_IDLE.
*Mar 1 00:24:11.735: insert sa successfully sa = 646EC2A4
// The security association is inserted successfully.
*Mar 1 00:24:11.739: ISAKMP:(0:0:N/A:0): Can not start Aggressive mode, trying Main mode.
// Aggressive mode cannot be started, so Main mode is tried.
*Mar 1 00:24:11.743: ISAKMP:(0:0:N/A:0): found peer pre-shared key matching 172.1.1.2
// A pre-shared key matching the peer 172.1.1.2 is found.
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:24:11.751: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
// Old state IKE_READY, new state IKE_I_MM1.
*Mar 1 00:24:11.755: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
// The Main Mode exchange begins.
*Mar 1 00:24:11.759: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
// The first packet is sent and Phase 1 enters the MM_NO_STATE state.
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
// Phase 1 MM_NO_STATE is retransmitted.
*Mar 1 00:24:21.763: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
// The error counter on the SA is incremented, attempt 1 of 5: Phase 1 retransmit.
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:24:31.763: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:24:31.767: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:24:31.771: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:24:31.775: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
// The first packet is resent; Phase 1 is still in the MM_NO_STATE state.
*Mar 1 00:24:31.915: ISAKMP (0:0): received packet from 172.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
// The peer's reply (the second packet) is received.
*Mar 1 00:24:31.935: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
// The IKE Main Mode exchange begins.
*Mar 1 00:24:31.935: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
// Old state IKE_I_MM1, new state IKE_I_MM2.
*Mar 1 00:24:31.947: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
// The SA payload is processed; the message ID is 0.
*Mar 1 00:24:31.951: ISAKMP:(0:0:N/A:0): processing vendor id payload
// The vendor ID payload is processed.
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 00:24:31.955: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.1.1.2
// The peer's pre-shared key matching 172.1.1.2 is found.
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0): local preshared key found
// Local pre-shared key
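The trace above shows the initiator sending MM1 and retransmitting it twice before 172.1.1.2 answers, which is the first thing to look for when a tunnel does not come up: repeated MM_NO_STATE retransmits with no reply mean the peer is unreachable or not listening on UDP/500, not a policy mismatch (a mismatch shows up later, after IKE_I_MM2). The script below is an added example, not part of the original article: it reconstructs the Phase 1 state transitions from ISAKMP debug lines, counts the retransmit attempts, measures how long the first reply took, and turns that into a short diagnosis. DEBUG_LINES is a constructed excerpt of the article's trace.

```python
# Added example: analyse "debug crypto isakmp" output for Phase 1 progress.
# DEBUG_LINES is an excerpt of the article's trace, re-typed.
import re

DEBUG_LINES = """\
*Mar 1 00:24:11.751: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:24:11.759: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:24:21.763: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:24:31.763: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:24:31.767: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:24:31.915: ISAKMP (0:0): received packet from 172.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:24:31.935: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:24:31.955: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.1.1.2
"""

TS_RE = re.compile(r"^\*(\w+\s+\d+ \d\d:\d\d:\d\d\.\d+):")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")


def _ms(stamp):
    """'Mar 1 00:24:11.759' -> milliseconds since midnight (the day is ignored)."""
    hh, mm, ss = stamp.split()[-1].split(":")
    return (int(hh) * 3600 + int(mm) * 60) * 1000 + int(round(float(ss) * 1000))


def analyse(text):
    """Summarise Phase 1 progress: transitions, retransmits, reply delay, issues."""
    rep = {"transitions": [], "retransmits": 0, "max_attempts": None,
           "reply_delay_ms": None, "issues": []}
    first_send_ms = None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        m = STATE_RE.search(line)
        if m:
            rep["transitions"].append((m.group(1), m.group(2)))
        elif ts and "sending packet" in line and first_send_ms is None:
            first_send_ms = _ms(ts.group(1))          # MM1 leaves the initiator
        elif ts and "received packet" in line and first_send_ms is not None \
                and rep["reply_delay_ms"] is None:
            rep["reply_delay_ms"] = _ms(ts.group(1)) - first_send_ms
        m = ATTEMPT_RE.search(line)
        if m:                                          # IOS counts attempts for us
            rep["retransmits"] = int(m.group(1))
            rep["max_attempts"] = int(m.group(2))
    reached = {new for _, new in rep["transitions"]}
    if rep["retransmits"]:
        rep["issues"].append(f"MM1 retransmitted {rep['retransmits']} time(s)")
    if rep["max_attempts"] and rep["retransmits"] >= rep["max_attempts"]:
        rep["issues"].append("retransmit limit reached: check reachability and UDP/500 "
                             "between the crypto endpoints")
    if "IKE_I_MM2" not in reached:
        rep["issues"].append("peer never answered MM1 (no IKE_I_MM2 transition)")
    return rep


if __name__ == "__main__":
    for k, v in analyse(DEBUG_LINES).items():
        print(f"{k}: {v}")
```

On the article's trace this reports the two transitions, two retransmits out of a maximum of five, and a reply delay of just over twenty seconds; feed it a trace that stops before the received packet and it reports that the peer never answered, which points at the "the two crypto endpoints must be able to reach each other" comment in the configurations rather than at the crypto parameters.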