
Compatibility testing report: MAIPU and UTT

1, Testing topology:

[topology diagram]

This environment simulates the end customer's environment.

The MAIPU 3840 is the same model as in the end customer's live network, with the same configuration.

The UTT branch device runs the same IOS as in the customer's live network, with the same configuration.

The only difference is the link: we use a China Unicom 10MB link.

2, Key test configuration:

MAIPU 3840:

interface gigaethernet0
 description LAN-network
 ip address 10.102.2.2 255.255.255.0
 exit
interface gigaethernet1
 description WAN-link
 ip address 221.10.5.200 255.255.255.0
 exit
crypto ike key 1c0dae0ccd895607€ any
crypto ike proposal test
 integrity md5
 lifetime 28800
 exit
crypto ipsec proposal test1
 exit
crypto tunnel ***
 local interface gigaethernet1
 peer any
 set authentication preshared
 set mode aggressive
 set ike proposal test
 set ipsec proposal test1
 set dpd 10 2
 exit
crypto policy LAN1
 flow 10.102.2.0 255.255.255.0 10.102.2.0 255.255.255.0 ip permit
 exit
crypto policy ***1
 flow 10.102.2.0 255.255.255.0 any ip tunnel ***
 set reverse-route
 exit
ip route 0.0.0.0 0.0.0.0 221.10.5.193

UTT branch:

!rebuilding running configuration...
!current running software kv1822v2008pV2EN2_500.bin 04:43:03PM-110820 5.6.0
new filter in/testI
set filter in/testI enabled Yes
set filter in/testI groupName testI
set filter in/testI type IP
set filter in/testI ip srcMask 255.248.0.0
set filter in/testI ip srcAddr 10.0.0.0
set filter in/testI ip destMask 255.255.255.0
set filter in/testI ip destAddr 10.26.1.0
new filter in/chengduI
set filter in/chengduI enabled Yes
set filter in/chengduI groupName chengduI
set filter in/chengduI type IP
set filter in/chengduI ip srcMask 255.255.255.0
set filter in/chengduI ip srcAddr 10.102.2.0
set filter in/chengduI ip destMask 255.255.255.0
set filter in/chengduI ip destAddr 192.168.0.1
new filter out/testO
set filter out/testO enabled Yes
set filter out/testO groupName testO
set filter out/testO type IP
set filter out/testO ip srcMask 255.255.255.0
set filter out/testO ip srcAddr 10.26.1.0
set filter out/testO ip destMask 255.248.0.0
set filter out/testO ip destAddr 10.0.0.0
new filter out/chengduO
set filter out/chengduO enabled Yes
set filter out/chengduO groupName chengduO
set filter out/chengduO type IP
set filter out/chengduO ip srcMask 255.255.255.0
set filter out/chengduO ip srcAddr 192.168.0.1
set filter out/chengduO ip destMask 255.255.255.0
set filter out/chengduO ip destAddr 10.102.2.0
set interface ethernet/1 ip address 10.26.1.1
set interface ethernet/1 ip address2 192.168.0.1
set interface ethernet/2 ip address 100.100.100.57
set interface ethernet/2 ip dhcpclientpnp disabled
set ip nat routing enabled
new ip nat binding/ETHbind
set ip nat binding/ETHbind enabled Yes
set ip nat binding/ETHbind profile eth2
set ip route static/Default profile eth2
set ip route static/Default gateway 100.100.100.100
set ip dhcp pool/pool1 priDNS 200.200.200.251
set ip dns priServer 200.200.200.251
set crypto ipsec nat-traverse-port 4500
new user/UTTTEST
set user/UTTTEST enabled Yes
set user/UTTTEST type IKE_FQDN
new user/UTTCYH
set user/UTTCYH enabled Yes
set user/UTTCYH type IKE_FQDN
new ipsec config/test
set ipsec config/test enabled Yes
set ipsec config/test peer 210.212.224.110
set ipsec config/test outfilter testO
set ipsec config/test infilter testI
set ipsec config/test transform-set tra_110
set ipsec config/test profile eth2
set ipsec config/test isakmp-binding testA
set ipsec config/test dpd-heartbeat 20
set ipsec config/test dpd-timeout 120
new ipsec config/chengdu
set ipsec config/chengdu enabled Yes
set ipsec config/chengdu peer 221.10.5.200
set ipsec config/chengdu outfilter chengduO
set ipsec config/chengdu infilter chengduI
set ipsec config/chengdu transform-set tra_110
set ipsec config/chengdu secsLifetime 28800
set ipsec config/chengdu profile eth2
set ipsec config/chengdu isakmp-binding chengduA
set ipsec config/chengdu dpd-heartbeat 20
set ipsec config/chengdu dpd-timeout 120
new ipsec transform-set/tra_110
set ipsec transform-set/tra_110 enabled Yes
set ipsec transform-set/tra_110 encrypt Des
set ipsec transform-set/tra_110 auth None
new ipsec transform-set/tra_101
set ipsec transform-set/tra_101 enabled Yes
set ipsec transform-set/tra_101 encrypt Des
set ipsec transform-set/tra_101 espAuth None
set ipsec transform-set/tra_101 auth Md5
new isakmp config/testA
set isakmp config/testA enabled Yes
set isakmp config/testA mode Aggres
set isakmp config/testA presharekey ManA!@#2IP$dax
set isakmp config/testA policy p_111
set isakmp config/testA localuser UTTCYH
set isakmp config/testA lifetime 28800
new isakmp config/chengduA
set isakmp config/chengduA enabled Yes
set isakmp config/chengduA mode Aggres
set isakmp config/chengduA presharekey maipu
set isakmp config/chengduA policy p_111
set isakmp config/chengduA localuser utttest
set isakmp config/chengduA lifetime 28800
new isakmp policy/p_111
set isakmp policy/p_111 enabled Yes
set isakmp policy/p_111 encrypt Des
set isakmp policy/p_111 hash Md5
set isakmp policy/p_111 group Group1
new isakmp policy/p_212
set isakmp policy/p_212 enabled Yes
set isakmp policy/p_212 hash Md5
new isakmp policy/p_112
set isakmp policy/p_112 enabled Yes
set isakmp policy/p_112 encrypt Des
set isakmp policy/p_112 hash Md5
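The UTT side expresses everything as `new`/`set` lines that refer to each other by name (ipsec config to isakmp-binding, isakmp config to isakmp policy, ipsec config to transform-set and to its in/out filters), while the MAIPU side keeps one `10.102.2.0/24 -> any` policy and narrows it to the subflow the peer proposes (section 3 shows the resulting `10.102.2.0/24 192.168.0.0/24` subflow). The script below is an added example, not code from the report or from either vendor: it parses a constructed excerpt of the UTT configuration above, resolves those references, checks that the UTT filters mirror the MAIPU flow and that the IKE proposal matches what the MAIPU side negotiated (des / md5 / group 1 / 28800 s in aggressive mode, as shown in section 3), and lists the settings that would not pass a current review (single DES, MD5, DH group 1 and a short pre-shared key; the MIN_PSK_LEN threshold and the WEAK table are this example's own policy, and all function names are the example's own).

```python
"""Cross-check the UTT branch IPsec/ISAKMP configuration against the MAIPU side.
Added example, not part of the report: parses UTT `new`/`set` lines, follows the
name references, compares with the MAIPU-negotiated parameters and flags weak settings.
"""
from ipaddress import IPv4Network

# Constructed excerpt of the UTT configuration shown in section 2 of the report.
UTT_CONFIG = """\
new filter in/chengduI
set filter in/chengduI ip srcMask 255.255.255.0
set filter in/chengduI ip srcAddr 10.102.2.0
set filter in/chengduI ip destMask 255.255.255.0
set filter in/chengduI ip destAddr 192.168.0.1
new filter out/chengduO
set filter out/chengduO ip srcMask 255.255.255.0
set filter out/chengduO ip srcAddr 192.168.0.1
set filter out/chengduO ip destMask 255.255.255.0
set filter out/chengduO ip destAddr 10.102.2.0
new ipsec config/chengdu
set ipsec config/chengdu peer 221.10.5.200
set ipsec config/chengdu outfilter chengduO
set ipsec config/chengdu infilter chengduI
set ipsec config/chengdu transform-set tra_110
set ipsec config/chengdu isakmp-binding chengduA
new ipsec transform-set/tra_110
set ipsec transform-set/tra_110 encrypt Des
new isakmp config/chengduA
set isakmp config/chengduA mode Aggres
set isakmp config/chengduA presharekey maipu
set isakmp config/chengduA policy p_111
set isakmp config/chengduA lifetime 28800
new isakmp policy/p_111
set isakmp policy/p_111 encrypt Des
set isakmp policy/p_111 hash Md5
set isakmp policy/p_111 group Group1
"""

# What the MAIPU side negotiated, per `sh crypto isa sa` and `show cry ipse sa` in
# section 3: des / md5 / group 1 / 28800 s in aggressive mode, narrowed subflow
# 10.102.2.0/24 -> 192.168.0.0/24.
MAIPU_IKE = {"encrypt": "des", "hash": "md5", "group": "1",
             "lifetime": "28800", "mode": "aggressive"}
MAIPU_FLOW = (IPv4Network("10.102.2.0/24"), IPv4Network("192.168.0.0/24"))

# This example's own review policy (assumption): not acceptable in a new deployment.
WEAK = {"des": "single DES", "md5": "MD5", "group1": "DH group 1"}
MIN_PSK_LEN = 16


def parse_utt(text):
    """`new|set <section words> <type>/<name> <key words> <value>` -> {section: {name: {key: value}}}."""
    cfg = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("new", "set"):
            continue
        idx = next((i for i, t in enumerate(tokens) if "/" in t), None)
        if idx is None:  # e.g. `set ip nat routing enabled`: no named object, skipped
            continue
        head, name = tokens[idx].split("/", 1)
        entry = cfg.setdefault(" ".join(tokens[1:idx] + [head]), {}).setdefault(name, {})
        if tokens[0] == "set" and len(tokens) > idx + 2:
            entry[" ".join(tokens[idx + 1:-1])] = tokens[-1]  # multi-word key, last token is value
    return cfg


def selector(filt):
    """(src, dst) networks of a UTT filter; host bits such as 192.168.0.1 are masked off."""
    return (IPv4Network(f"{filt['ip srcAddr']}/{filt['ip srcMask']}", strict=False),
            IPv4Network(f"{filt['ip destAddr']}/{filt['ip destMask']}", strict=False))


def audit_tunnel(cfg, name):
    """Resolve one `ipsec config` entry and compare it with the MAIPU side."""
    ipsec = cfg["ipsec config"][name]
    isakmp = cfg["isakmp config"][ipsec["isakmp-binding"]]
    policy = cfg["isakmp policy"][isakmp["policy"]]
    ts = cfg["ipsec transform-set"][ipsec["transform-set"]]
    out_sel = selector(cfg["filter out"][ipsec["outfilter"]])
    in_sel = selector(cfg["filter in"][ipsec["infilter"]])
    ike = {"encrypt": policy["encrypt"].lower(), "hash": policy["hash"].lower(),
           "group": policy["group"].lower().replace("group", ""),
           "lifetime": isakmp["lifetime"],
           "mode": "aggressive" if isakmp["mode"].lower().startswith("aggr") else "main"}
    weak = {WEAK[a] for a in (ike["encrypt"], ike["hash"], "group" + ike["group"],
                              ts["encrypt"].lower()) if a in WEAK}
    if len(isakmp.get("presharekey", "")) < MIN_PSK_LEN:
        weak.add(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    return {
        "peer": ipsec["peer"],
        "ike": ike,
        "esp_encrypt": ts["encrypt"].lower(),
        "ike_matches_maipu": ike == MAIPU_IKE,
        # UTT's out filter is local -> remote, so it must be the mirror image of the
        # MAIPU flow, and the in filter must equal the MAIPU flow.
        "selectors_mirror_maipu": out_sel == (MAIPU_FLOW[1], MAIPU_FLOW[0]) and in_sel == MAIPU_FLOW,
        "weak": sorted(weak),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_tunnel(parse_utt(UTT_CONFIG), "chengdu"), indent=2))
```

Run as a script it prints the audit as JSON. The pre-shared key check is worth keeping even for a lab: the MAIPU tunnel is configured with `peer any` and aggressive mode, so the key and the IKE_FQDN user identities are what distinguish the branch.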

3, Testing snapshots:

The first time MAIPU and UTT established the IPsec tunnel, the LANs on both sides could ping each other.

For the MAIPU side:

MP3840#show ver
MyPower (R) Operating System Software
MP2824 system image file (flash0: /flash/rp9-i-6.1.25(REL).bin), version 6.1.25(REL)(integrity), Compiled on Nov 14 2008, 19:38:09
Copyright (C) 1999 Maipu (Sichuan) Communication Technology Co., Ltd. All Rights Reserved.
MP2824 Version Information
System ID : 00017a0ee2cc
Hardware Model : RM3B-MPU204-4GE with 512 MBytes DDR SDRAM, 64 MBytes flash
Hardware Version : 030(Hotswap Supported)
MPU CPLD Version : 002
Monitor Version : 1.12
Software Version : 6.1.25(REL)(integrity)
Software Image File : flash0: /flash/rp9-i-6.1.25(REL).bin
Compiled : Nov 14 2008, 19:38:09
System Uptime is 0 hour 3 minutes 3 seconds
MP3840#
MP3840#show cry ike sa
localaddr peeraddr peer-identity negotiation-state sa-id
221.10.5.200 58.39.24.147 100.100.100.57 STATE_QUICK_R2 2
221.10.5.200 58.39.24.147 100.100.100.57 STATE_AGGR_R2 1
MP3840#show cry ipse sa
policy name : ***1
 f (src, dst, protocol, src port, dst port) : 10.102.2.0/24 0.0.0.0/0 ip any any
policy name : subflow-1610612736, the parent policy name : ***1
 f (src, dst, protocol, src port, dst port) : 10.102.2.0/24 192.168.0.0/24 ip any any
 local tunnel endpoint : 221.10.5.200 remote tunnel endpoint : 58.39.24.147
 the pairs of ESP ipsec sa : id : 2, algorithm : DES HMAC-MD5-96
  inbound esp ipsec sa : spi : 0X1fc10201(532742657)
   current input 63 packets, 5 kbytes
   encapsulation mode : UDP-Encapsulation-Tunnel
   replay protection : ON
   remaining lifetime (seconds/kbytes) : 28728/4194294
   uptime is 0 hour 1 minute 12 second
  outbound esp ipsec sa : spi : 0X24d67963(618035555)
   current output 63 packets, 5 kbytes
   encapsulation mode : UDP-Encapsulation-Tunnel
   replay protection : ON
   remaining lifetime (seconds/kbytes) : 28728/4194294
   uptime is 0 hour 1 minute 12 second
total sa and sa group is 1
MP3840#

For the UTT branch:

DX-1822% sh crypto isa sa
name | src | dst |serialno|encryption| hash |group| lifetime
chengduO | 100.100.100.57 | 221.10.5.200 | 34 | des | md5 | 1 | 28022/28800/28800
DX-1822%
DX-1822% sh crypto ipsec sa
================================================================
ipsec config profile: chengdu
interface: eth2
local address: 100.100.100.57
peer address: 221.10.5.200
mode: Tunnel
filter out group name: chengduO
filter in group name: chengduI
esp encrypt algorithm: esp-des
esp authen algorithm: esp-md5-hmac
ah authen algorithm: None
esp out spi: 0x66230203(1713570307)
esp in spi: 0x24d67962(618035554)
lifetime(secs/kbytes) 28556 secs/4194279 kbytes
Create Time: 0:00:23:40
Last Use Time: 0:00:27:21
Idle Time: 0:00:00:23
private mtu : 1400
ipsec udp encaps: YES
udp encaps: srcPort: 4500 destPort is 4500
packages statistics:
382 packets decaped.
0 packets received with errors.
0 packets received and dropped.
497 outgoing packets encaped.
0 outgoing packets with errors.
0 outgoing packets dropped.
bytes outbound : 48442 bytes.
bytes inbound: 37196 bytes.
================================================================
total: 1 SAs active!
DX-1822% revision
loadname kv1822v2008pV2EN2_500.bin yu.dehai@/data3/yu.dehai/custom/translation_taiwan_dev/2000_V2_EN/kv2000_3640_natt_test@localhost
MBID: 10430009
Feature enabled: PPPOE ××× IPSSG DMZ CBQ
Product ID: 1822
Software Revision: kv1822v2008pV2EN2_500.bin 04:43:03PM-110820 5.6.0
DX-1822%
DX-1822% ping -x 192.168.0.1 10.102.2.100
PING 10.102.2.100 (10.102.2.100) with 64 bytes (56 data):
Reply 64 bytes (56 data) from 10.102.2.100: seq=0 ttl=255 time=280 ms
Reply 64 bytes (56 data) from 10.102.2.100: seq=1 ttl=255 time=280 ms
Reply 64 bytes (56 data) from 10.102.2.100: seq=2 ttl=255 time=290 ms
Reply 64 bytes (56 data) from 10.102.2.100: seq=3 ttl=255 time=290 ms
Reply 64 bytes (56 data) from 10.102.2.100: seq=4 ttl=255 time=270 ms
^C
Reply 64 bytes (56 data) from 10.102.2.100: seq=5 ttl=255 time=270 ms
--- ping 10.102.2.100 statistics summary ---
6 packets sent, 6 packets received, 0% packet loss
round-trip min/avg/max = 270/280/290 ms
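To turn the snapshots above into a repeatable check, here is an added example (not from the report and not vendor code) that parses constructed excerpts of the MP3840 `show cry ike sa` / `show cry ipse sa` output and the DX-1822 `sh crypto ipsec sa` output and reports whether phase 1 and phase 2 completed, whether replay protection and UDP encapsulation (NAT-T) are on, whether the two vendors' spellings of the ESP transform (`DES HMAC-MD5-96` versus `esp-des` / `esp-md5-hmac`) describe the same algorithms, and whether the error counters are zero. It also pairs the SPIs across the two sides. On the report's own snapshots that pairing fails (MAIPU shows 0X1fc10201 / 0X24d67963, UTT shows 0x66230203 / 0x24d67962), which is consistent with the two outputs being captured at different times (SA uptime 1 minute 12 seconds on MAIPU, create time 0:00:23:40 on UTT), so that check is only meaningful when both sides are captured together. All function names are the example's own, and only the aggressive-mode state name shown in the report is recognised for phase 1.

```python
"""Health check over the MAIPU and UTT status output from section 3.
Added example, not from the report: parses each vendor's output into dicts and
decides whether the tunnel looks healthy on both sides.
"""
import re

# Constructed excerpts of the MP3840 and DX-1822 output shown in section 3.
MAIPU_IKE_SA = """\
localaddr peeraddr peer-identity negotiation-state sa-id
221.10.5.200 58.39.24.147 100.100.100.57 STATE_QUICK_R2 2
221.10.5.200 58.39.24.147 100.100.100.57 STATE_AGGR_R2 1
"""
MAIPU_IPSEC_SA = """\
the pairs of ESP ipsec sa : id : 2, algorithm : DES HMAC-MD5-96
inbound esp ipsec sa : spi : 0X1fc10201(532742657)
encapsulation mode : UDP-Encapsulation-Tunnel
replay protection : ON
outbound esp ipsec sa : spi : 0X24d67963(618035555)
encapsulation mode : UDP-Encapsulation-Tunnel
replay protection : ON
"""
UTT_IPSEC_SA = """\
esp encrypt algorithm: esp-des
esp authen algorithm: esp-md5-hmac
esp out spi: 0x66230203(1713570307)
esp in spi: 0x24d67962(618035554)
ipsec udp encaps: YES
382 packets decaped.
0 packets received with errors.
0 packets received and dropped.
497 outgoing packets encaped.
0 outgoing packets with errors.
0 outgoing packets dropped.
"""


def maipu_ike_states(text):
    """{sa-id: negotiation-state} from MAIPU `show cry ike sa`."""
    return {int(m.group(2)): m.group(1) for m in
            re.finditer(r"^\S+\s+\S+\s+\S+\s+(STATE_\S+)\s+(\d+)\s*$", text, re.M)}


def maipu_ipsec(text):
    """SPIs, per-SA replay/encapsulation flags and ESP algorithm from `show cry ipse sa`."""
    sa = {"replay": [], "encap": []}
    for line in text.splitlines():
        if m := re.match(r"(inbound|outbound) esp ipsec sa : spi : 0[xX]([0-9a-fA-F]+)", line):
            sa[m.group(1) + "_spi"] = int(m.group(2), 16)
        elif m := re.match(r"replay protection : (\w+)", line):
            sa["replay"].append(m.group(1) == "ON")
        elif m := re.match(r"encapsulation mode : (\S+)", line):
            sa["encap"].append(m.group(1))
        elif m := re.search(r"algorithm : (.+)$", line):
            sa["algorithm"] = m.group(1).strip()
    return sa


def utt_ipsec(text):
    """SPIs, NAT-T flag, algorithms and summed error/drop counters from UTT `sh crypto ipsec sa`."""
    sa = {"errors": 0}
    for line in text.splitlines():
        if m := re.match(r"esp (out|in) spi: 0[xX]([0-9a-fA-F]+)", line):
            sa[m.group(1) + "_spi"] = int(m.group(2), 16)
        elif m := re.match(r"ipsec udp encaps: (\w+)", line):
            sa["udp_encaps"] = m.group(1) == "YES"
        elif m := re.match(r"(\d+) (?:outgoing )?packets .*(?:errors|dropped)\.", line):
            sa["errors"] += int(m.group(1))
        elif m := re.match(r"esp (encrypt|authen) algorithm: (\S+)", line):
            sa[m.group(1)] = m.group(2)
    return sa


def normalise(alg):
    """Reduce vendor spellings ('HMAC-MD5-96', 'esp-md5-hmac', 'esp-des', 'DES') to 'md5' / 'des'."""
    return re.sub(r"^esp-|hmac|-|\d+$", "", alg.lower())


def tunnel_health(ike_text, maipu_text, utt_text):
    ike, mp, utt = maipu_ike_states(ike_text), maipu_ipsec(maipu_text), utt_ipsec(utt_text)
    return {
        "ike_phase1_done": "STATE_AGGR_R2" in ike.values(),  # aggressive mode, as in the report
        "ike_phase2_done": "STATE_QUICK_R2" in ike.values(),
        "maipu_sa_pair": {"inbound_spi", "outbound_spi"} <= set(mp),
        "maipu_replay_on": bool(mp["replay"]) and all(mp["replay"]),
        "maipu_nat_t": bool(mp["encap"]) and all(e.startswith("UDP-Encapsulation") for e in mp["encap"]),
        "utt_nat_t": utt.get("udp_encaps", False),
        "utt_error_counters": utt["errors"],
        "algorithms_agree": {normalise(a) for a in mp.get("algorithm", "").split()}
                            == {normalise(utt.get("encrypt", "")), normalise(utt.get("authen", ""))},
        # One side's inbound SPI is the other side's outbound SPI, but only when
        # both snapshots are taken at the same moment (not the case in the report).
        "spi_pairs_match": mp.get("inbound_spi") == utt.get("out_spi")
                           and mp.get("outbound_spi") == utt.get("in_spi"),
    }


if __name__ == "__main__":
    for key, value in tunnel_health(MAIPU_IKE_SA, MAIPU_IPSEC_SA, UTT_IPSEC_SA).items():
        print(f"{key:20} {value}")
```

The two parsers are deliberately line-oriented rather than position-based, because both devices print one field per line and that survives the kind of re-flowing this report went through.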

 

4, Tested IOS versions:

MAIPU 3840:

MP3840#show ver
MyPower (R) Operating System Software
MP2824 system image file (flash0: /flash/rp9-i-6.1.25(REL).bin), version 6.1.25(REL)(integrity), Compiled on Nov 14 2008, 19:38:09
Copyright (C) 1999 Maipu (Sichuan) Communication Technology Co., Ltd. All Rights Reserved.
MP2824 Version Information
System ID : 00017a0ee2cc
Hardware Model : RM3B-MPU204-4GE with 512 MBytes DDR SDRAM, 64 MBytes flash
Hardware Version : 030(Hotswap Supported)
MPU CPLD Version : 002
Monitor Version : 1.12
Software Version : 6.1.25(REL)(integrity)
Software Image File : flash0: /flash/rp9-i-6.1.25(REL).bin
Compiled : Nov 14 2008, 19:38:09

UTT IOS version:

kv1822v2008pV2EN2_500.bin 04:43:03PM-110820 5.6.0