ISCW实验12：使用SDM配置GRE over IPSec-CSDN博客

实验过程：
第一步配置R1支持SDM
R1(config)# int e1/0
R1(config-if)# ip add 192.168.1.200 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f0/0
R1(config-if)# ip add 172.16.0.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit
R1(config)#
R1(config)# ip http server
R1(config)# ip http authentication local
R1(config)# username suyajuncn privilege 15 password suyajuncn
R1(config)# lin vty 0 4
R1(config-line)# transport input ssh telnet
R1(config-line)# login local
R1(config-line)# end

第二步配置R2支持SDM
R2(config)# int e1/0
R2(config-if)# ip add 192.168.1.201 255.255.255.0
R2(config-if)# no sh
R2(config-if)# int f0/0
R2(config-if)# ip add 172.16.0.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# exit
R2(config)#
R2(config)# ip http server
R2(config)# ip http authen local
R2(config)# username suyajuncn privilege 15 password suyajuncn
R2(config)# lin vty 0 4
R2(config-line)# transport input ssh telnet
R2(config-line)# login local
R2(config-line)# end

第三步在SDM→×××→站点到站点×××→创建安全GRE通道（GRE ove IPSec）

第四步在GRE通道信息界面中：通道来源选择FastEthernet0/0，通道目标IP地址选择172.16.0.2，GRE通道的IP地址输入10.0.0.1/24

第五步在备用链路中默认，点击下一步

第六步在×××验证信息中选择预共享密钥，输入密钥点击下一步

第七步默认IKE策略，点击下一步

第八步默认变换集配置，点击下一步

第九步在选择路由协议中选择静态路由点击下一步

第十步在静态路由信息中选择为所有通信开通通道

第十一步确定无误，点击结束

第十二步使用SDM配置R2

第十三步在R1上进行测试与调试
R1# ping 10.0.0.2 source 10.0.0.1

使用扩展ping，指定源和目的地

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1

*Jun 25 01:37:26.111: IPSEC(recalculate_mtu): reset sadb_root 66BCB4FC mtu to 1420
*Jun 25 01:37:26.347: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.16.0.1, remote= 172.16.0.2,
    local_proxy= 172.16.0.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.0.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 01:37:26.355: ISAKMP:(0): SA request profile is (NULL)
*Jun 25 01:37:26.359: ISAKMP: Created a peer struct for 172.16.0.2, peer port 500
*Jun 25 01:37:26.359: ISAKMP: New peer created peer = 0x65D551A8 peer_handle = 0x80000003
*Jun 25 01:37:26.359: ISAKMP: Locking peer struct 0x65D551A8, refcount 1 for isakmp_initiator
*Jun 25 01:37:26.363: ISAKMP: local port 500, remote port 500
*Jun 25 01:37:26.363: ISAKMP: set new node 0 to QM_IDLE
*Jun 25 01:37:26.363: insert sa successfully sa = 65DD4B10
*Jun 25 01:37:26.363: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 25 01:37:26.367: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*Jun 25 01:37:26.367: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 25 01:37:26.371: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 25 01:37:26.371: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 25 01:37:26.371: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 25 01:37:26.371: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 25 01:37:26.375: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jun 25 01:37:26.375: ISAKMP:(0): beginning Main Mode exchange
*Jun 25 01:37:26.375: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 25 01:37:26.379: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 25 01:37:26.551: ISAKMP (0:0): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 25 01:37:26.555: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EX.!!CH
*Jun 25 01:37:26.555: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Jun 25 01:37:26.559: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 25 01:37:26.563: ISAKMP:(0): processing vendor id payload
*Jun 25 01:37:26.563: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 25 01:37:26.563: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 25 01:37:26.567: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*Jun 25 01:37:26.567: ISAKMP:(0): local preshared key found
*Jun 25 01:37:26.567: ISAKMP : Scanning profiles for xauth ...
*Jun 25 01:37:26.567: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 25 01:37:26.567: ISAKMP:      encryption 3DES-CBC
*Jun 25 01:37:26.571: ISAKMP:      hash SHA
*Jun 25 01:37:26.571: ISAKMP:      default group 2
*Jun 25 01:37:26.571: ISAKMP:      auth pre-share
*Jun 25 01:37:26.571: ISAKMP:      life type in seconds
*Jun 25 01:37:26.571: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 108/138/200 ms
R1#80
*Jun 25 01:37:26.575: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 25 01:37:26.575: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 25 01:37:26.575: ISAKMP:(0):Acceptable atts:life: 0
*Jun 25 01:37:26.579: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 25 01:37:26.579: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 25 01:37:26.579: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 25 01:37:26.579: ISAKMP:(0)::Started lifetime timer: 86400.

*Jun 25 01:37:26.583: ISAKMP:(0): processing vendor id payload
*Jun 25 01:37:26.583: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 25 01:37:26.583: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 25 01:37:26.583: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 01:37:26.587: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Jun 25 01:37:26.595: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 25 01:37:26.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 25 01:37:26.599: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 25 01:37:26.599: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Jun 25 01:37:26.715: ISAKMP (0:0): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 25 01:37:26.719: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 25 01:37:26.719: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

*Jun 25 01:37:26.767: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 25 01:37:26.859: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 25 01:37:26.859: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*Jun 25 01:37
R1#:26.863: ISAKMP:(1002): processing vendor id payload
*Jun 25 01:37:26.863: ISAKMP:(1002): vendor ID is Unity
*Jun 25 01:37:26.863: ISAKMP:(1002): processing vendor id payload
*Jun 25 01:37:26.867: ISAKMP:(1002): vendor ID is DPD
*Jun 25 01:37:26.867: ISAKMP:(1002): processing vendor id payload
*Jun 25 01:37:26.867: ISAKMP:(1002): speaking to another IOS box!
*Jun 25 01:37:26.871: ISAKMP:received payload type 20
*Jun 25 01:37:26.871: ISAKMP:received payload type 20
*Jun 25 01:37:26.871: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 01:37:26.871: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Jun 25 01:37:26.879: ISAKMP:(1002):Send initial contact
*Jun 25 01:37:26.883: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 25 01:37:26.883: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 172.16.0.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun
R1# 25 01:37:26.887: ISAKMP:(1002):Total payload length: 12
*Jun 25 01:37:26.887: ISAKMP:(1002): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 25 01:37:26.891: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 25 01:37:26.891: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 25 01:37:26.891: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Jun 25 01:37:26.955: ISAKMP (0:1002): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 25 01:37:26.959: ISAKMP:(1002): processing ID payload. message ID = 0
*Jun 25 01:37:26.959: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 172.16.0.2
        protocol     : 17
        port         : 500
        length       : 12
*Jun 25 01:37:26.959: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 25 01:37:26.963: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jun 25 01:37:26.963: ISAKMP:(1002):SA authentication status:
        authenticated
*Jun 25 01:37:26.967: ISAKMP:(1002):SA has been authenticated with 172.16.0.2
*Jun 25 01:37:26.967: ISAKMP: Trying to insert a peer 172.16.0.1/172.16.0.2/500/, and inserted successfully 65D551A8.
*Jun 25 01:37:26.967: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 25 01:37:26.971: ISAKMP:(1002):Old Stat
R1#e = IKE_I_MM5 New State = IKE_I_MM6

*Jun 25 01:37:26.975: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 01:37:26.975: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Jun 25 01:37:26.983: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 25 01:37:26.983: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Jun 25 01:37:26.991: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -687785689
*Jun 25 01:37:26.991: ISAKMP:(1002):QM Initiator gets spi
*Jun 25 01:37:26.995: ISAKMP:(1002): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 25 01:37:26.995: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 25 01:37:26.999: ISAKMP:(1002):Node -687785689, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 25 01:37:26.999: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 25 01:37:27.003: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 25 01:37:27.003: IS
R1#AKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Jun 25 01:37:27.199: ISAKMP (0:1002): received packet from 172.16.0.2 dport 500 sport 500 Global (I) QM_IDLE
*Jun 25 01:37:27.203: ISAKMP:(1002): processing HASH payload. message ID = -687785689
*Jun 25 01:37:27.203: ISAKMP:(1002): processing SA payload. message ID = -687785689
*Jun 25 01:37:27.203: ISAKMP:(1002):Checking IPSec proposal 1
*Jun 25 01:37:27.207: ISAKMP: transform 1, ESP_3DES
*Jun 25 01:37:27.207: ISAKMP:   attributes in transform:
*Jun 25 01:37:27.207: ISAKMP:      encaps is 1 (Tunnel)
*Jun 25 01:37:27.207: ISAKMP:      SA life type in seconds
*Jun 25 01:37:27.207: ISAKMP:      SA life duration (basic) of 3600
*Jun 25 01:37:27.211: ISAKMP:      SA life type in kilobytes
*Jun 25 01:37:27.211: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 25 01:37:27.211: ISAKMP:      authenticator is HMAC-SHA
*Jun 25 01:37:27.211: ISAKMP:(1002):atts are acceptable.
*Jun 25 01:37
R1#:27.215: IPSEC(validate_proposal_request): proposal part #1
*Jun 25 01:37:27.215: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.0.1, remote= 172.16.0.2,
    local_proxy= 172.16.0.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.0.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 25 01:37:27.219: Crypto mapdb : proxy_match
        src addr     : 172.16.0.1
        dst addr     : 172.16.0.2
        protocol     : 47
        src port     : 0
        dst port     : 0
*Jun 25 01:37:27.223: ISAKMP:(1002): processing NONCE payload. message ID = -687785689
*Jun 25 01:37:27.223: ISAKMP:(1002): processing ID payload. message ID = -687785689
*Jun 25 01:37:27.223: ISAKMP:(1002): processing ID payload. message ID = -687785689
*Jun 25 01:37:27.231: ISAKMP:(1002): Creating IPSec SAs
*Jun 25 01:37:27.235:         inbound SA from 172.16.0.2 to 172.16.
R1#0.1 (f/i) 0/ 0
        (proxy 172.16.0.2 to 172.16.0.1)
*Jun 25 01:37:27.235:         has spi 0xE9113378 and conn_id 0
*Jun 25 01:37:27.235:         lifetime of 3600 seconds
*Jun 25 01:37:27.235:         lifetime of 4608000 kilobytes
*Jun 25 01:37:27.235:         outbound SA from 172.16.0.1 to 172.16.0.2 (f/i) 0/0
        (proxy 172.16.0.1 to 172.16.0.2)
*Jun 25 01:37:27.239:         has spi 0xCCE2E669 and conn_id 0
*Jun 25 01:37:27.239:         lifetime of 3600 seconds
*Jun 25 01:37:27.239:         lifetime of 4608000 kilobytes
*Jun 25 01:37:27.243: ISAKMP:(1002): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 25 01:37:27.243: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 25 01:37:27.243: ISAKMP:(1002):deleting node -687785689 error FALSE reason "No Error"
*Jun 25 01:37:27.247: ISAKMP:(1002):Node -687785689, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 25 01:37:27.247: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_CO
R1#MPLETE
*Jun 25 01:37:27.251: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 25 01:37:27.251: Crypto mapdb : proxy_match
        src addr     : 172.16.0.1
        dst addr     : 172.16.0.2
        protocol     : 47
        src port     : 0
        dst port     : 0
*Jun 25 01:37:27.255: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.16.0.2
*Jun 25 01:37:27.255: IPSEC(policy_db_add_ident): src 172.16.0.1, dest 172.16.0.2, dest_port 0

*Jun 25 01:37:27.259: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.0.1, sa_proto= 50,
    sa_spi= 0xE9113378(3910218616),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
*Jun 25 01:37:27.259: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.0.2, sa_proto= 50,
    sa_spi= 0xCCE2E669(3437422185),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
*Jun 25 01:37:27.263: IPSEC(update_current_outbound_sa): updated peer 172.16.0.2 current outbound sa to SPI CCE2E669
R1#
*Jun 25 01:37:36.111: IPSEC(recalculate_mtu): reset sadb_root 66BCB4FC mtu to 1420
R1#u all
All possible debugging has been turned off

R1# ping 10.0.0.2 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/164/292 ms
R1#

转载于:https://blog.51cto.com/hackerjx/98852