R2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 6 zxy address 0.0.0.0 0.0.0.0   (the peer is set to any address)
!
!
crypto ipsec transform-set zxy esp-des esp-sha-hmac
!
crypto dynamic-map cisco 15   (first create a dynamic map
 set transform-set zxy
 set pfs group1   (no access list is used)
!
crypto map cisco 15 ipsec-isakmp dynamic cisco   (reference that dynamic map: for cisco 15 you first create a static map, reference the dynamic map inside it, and then apply the static map to the interface)
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex half
 crypto map cisco
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1

ip route 1.1.1.0 255.255.255.0 172.16.1.1

The tunnel is only established when R1 initiates traffic toward R2; the dynamic-map side cannot initiate (dial) toward the static side.

IPsec over GRE:

A GRE tunnel is used to carry dynamic routing, because IPsec itself does not support dynamic routing. Since dynamic routing is normally used, tunnelling is adopted:

Everything else is the same; the only difference is that when bringing up the link you build the tunnel on both sides and advertise it through the dynamic routing protocol. Then, besides applying the crypto map on the physical interface, you also apply it under the tunnel interface. That is the only difference!!

r1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: zzz, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x1A3A32AE(440021678)

     inbound esp sas:
      spi: 0x3E7908F3(1048119539)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: zzz
        sa timing: remaining key lifetime (k/sec): (4494433/3548)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1A3A32AE(440021678)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: zzz
        sa timing: remaining key lifetime (k/sec): (4494433/3547)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel1
    Crypto map tag: zzz, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x1A3A32AE(440021678)

     inbound esp sas:
      spi: 0x3E7908F3(1048119539)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: zzz
        sa timing: remaining key lifetime (k/sec): (4494433/3546)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1A3A32AE(440021678)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: zzz
        sa timing: remaining key lifetime (k/sec): (4494433/3546)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
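The output above is what you verify the dynamic map and the GRE tunnel against, so here is a small parser for it, added as an example and not part of the original notes. SAMPLE is a constructed excerpt in the same layout, and the WEAK set is my assumption about which ESP transforms to flag (the esp-des negotiated above is one of them); the parser also checks that the hex and decimal SPI agree and records per-interface encaps/decaps counters.

```python
import re
# Constructed excerpt in the layout of the "show crypto ipsec sa" output above
# (one interface, one inbound and one outbound ESP SA); real output parses the same way.
SAMPLE = """\
interface: FastEthernet0/0
   current_peer 172.16.1.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     inbound esp sas:
      spi: 0x3E7908F3(1048119539)
        transform: esp-des esp-sha-hmac ,
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x1A3A32AE(440021678)
        transform: esp-des esp-sha-hmac ,
        replay detection support: Y
"""

# Assumption: ESP transforms a reviewer would flag today (DES, 3DES, MD5, no encryption).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Return (counters, sas): per-interface encaps/decaps counts and one dict per ESP SA."""
    counters, sas, iface, direction = {}, [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].strip()
            counters[iface] = {}
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            counters[iface][m.group(1)] = int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction = m.group(1) if m.group(2) == "esp" else None  # only ESP SAs carry our fields
        elif direction and (m := re.match(r"spi: 0x\s*([0-9A-Fa-f]+)\((\d+)\)", s)):
            hex_spi, dec_spi = int(m.group(1), 16), int(m.group(2))
            sas.append({"interface": iface, "direction": direction, "spi": hex_spi,
                        "spi_consistent": hex_spi == dec_spi})  # hex and decimal must agree
        elif direction and s.startswith("transform:"):
            sas[-1]["transform"] = s[len("transform:"):].strip(" ,").split()
        elif direction and s.startswith("replay detection support:"):
            sas[-1]["replay"] = s.endswith("Y")
    return counters, sas

def weak_findings(sas):
    """Map (interface, direction) to the weak algorithms that SA negotiates; [] means none."""
    return {(sa["interface"], sa["direction"]): sorted(set(sa.get("transform", [])) & WEAK)
            for sa in sas}
```

Feeding it the full output above yields findings for both FastEthernet0/0 and Tunnel1, since the same esp-des transform set is bound to the crypto map on both interfaces.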