IPSec
实践闯未来!本人FJXSUNMIT,初来报道,互相学习研究CISCO技术!
 
IPSec ××× 设备链路冗余实验:(上为拓扑图)
基本实验配置:
R1
R1#sh run
hostname R1<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

no ip domain lookup
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key sbb address 202.100.1.1
crypto isakmp key sbb address 61.128.128.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set sbb esp-3des esp-md5-hmac
!
crypto map sbb 10 ipsec-isakmp
 set peer 202.100.1.1
 set peer 61.128.128.1设置双peer
 set transform-set sbb
 match address 100
!
interface Loopback0
 ip address <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex half
 crypto map sbb接口绑定 加密图
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0指定静态路由
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255匹配×××流量
!line con 0
 exec-timeout 0 0

 

R1#

 

R2
hostname R2

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key sbb address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10Keepalive 时间
!
crypto ipsec transform-set sbb esp-3des esp-md5-hmac 加密方式
!
crypto dynamic-map sbb 10
 set transform-set sbb
 reverse-routeRRI动态反向注入更细化静态路由,使数据那里进,那里出!
!      
crypto map sbb 10 ipsec-isakmp dynamic sbb
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 duplex half
 crypto map sbb接口绑定 加密图
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 network 2.2.2.0 0.0.0.255 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
line con 0
 exec-timeout 0 0

 

R3
hostname R3

 

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key sbb address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set sbb esp-3des esp-md5-hmac
!
crypto dynamic-map sbb 10
 set transform-set sbb
 reverse-route
!     
crypto map sbb 10 ipsec-isakmp dynamic sbb
!
interface FastEthernet0/0
 ip address 61.128.128.1 255.255.255.0
 duplex half
 crypto map sbb
!
interface Serial1/0
 ip address 2.2.2.3 255.255.255.0
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 network 2.2.2.0 0.0.0.255 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
line con 0
 exec-timeout 0 0

 

R1#sh crypto isakmp sa

dst             src             state          conn-id slot
61.128.128.1    10.1.1.1        QM_IDLE              4    0

 

R1#sh crypto engine connections active

 

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   4 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
2000 FastEthernet0/0      10.1.1.1        set    HMAC_MD5+3DES_56_C        0      251
2001 FastEthernet0/0      10.1.1.1        set    HMAC_MD5+3DES_56_C      251        0

 

R1#sh crypto ipsec sa

 

interface: FastEthernet0/0
    Crypto map tag: sbb, local addr. 10.1.1.1

 

   protected vrf:
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer: 61.128.128.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1308, #pkts encrypt: 1308, #pkts digest 1308
    #pkts decaps: 1268, #pkts decrypt: 1268, #pkts verify 1268
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 16, #recv errors 0

 

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0

 

     inbound esp sas:

 

     inbound ah sas:
         
     inbound pcp sas:

 

     outbound esp sas:

 

     outbound ah sas:

 

     outbound pcp sas:

 

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 61.128.128.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: E6FFCD15

 

     inbound esp sas:
      spi: 0x93B5E8F5(2478172405)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: sbb
        sa timing: remaining key lifetime (k/sec): (4425511/3307)
        IV size: 8 bytes
        replay detection support: Y

 

     inbound ah sas:
         
     inbound pcp sas:

 

     outbound esp sas:
      spi: 0xE6FFCD15(3875523861)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: sbb
        sa timing: remaining key lifetime (k/sec): (4425511/3307)
        IV size: 8 bytes
        replay detection support: Y

 

     outbound ah sas:

 

     outbound pcp sas:

 

R1#sh crypto isakmp policy

 

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R1#
实验测试结果:

R1#ping 2.2.2.3 source 1.1.1.1 repeat 500

 

Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.............!!!!!!!!!!!!shutdown 总部一接口时
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!...
Success rate is 96 percent (484/500), round-trip min/avg/max = 44/107/1336 ms
R1#ping 2.2.2.3 source 1.1.1.1 repeat 500

 

Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..............!!
*Mar 15 14:36:51.599: %CRYPTO-4-IKMP_NO_SA: IKE message from 202.100.1.1     has no SA and is not an initialization offer!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.顺利 切换
*Mar 15 14:37:10.283: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
        destaddr=10.1.1.1, prot=50, spi=0xF44B9632(-196372942), srcaddr=61.128.128.1.......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!