PC1:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet1/0
ip address 10.1.1.10 255.255.255.0
duplex auto
speed auto
!
ip route 2.2.2.0 255.255.255.0 10.1.1.1
GW1:
crypto isakmp policy 10 //配置第一阶段策略
encr 3des
hash md5
authentication pre-share
group 16
crypto isakmp key cisco address 64.1.1.1 //配置认证密钥
!
crypto ipsec transform-set SET esp-aes esp-sha512-hmac //配置第二阶段策略
!
crypto map cisco 10 ipsec-isakmp //关联策略
set peer 64.1.1.1
set transform-set SET
set pfs group16
match address ***
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 202.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco //应用加密图
!
ip route 1.1.1.0 255.255.255.0 10.1.1.10
ip route 2.2.2.0 255.255.255.0 202.1.1.10
ip route 64.1.1.1 255.255.255.255 202.1.1.10
!
ip access-list extended *** //感兴趣流
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Internet:
interface FastEthernet1/0
ip address 202.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 64.1.1.10 255.255.255.0
duplex auto
speed auto
GW2:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 16
crypto isakmp key cisco address 202.1.1.1
!
crypto ipsec transform-set SET esp-aes esp-sha512-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.1
set transform-set SET
set pfs group16
match address ***
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
ip address 64.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
ip route 1.1.1.0 255.255.255.0 64.1.1.10
ip route 202.1.1.1 255.255.255.255 64.1.1.10
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
debug分析:
*Sep 7 12:37:15.387: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 202.1.1.1:500, remote= 64.1.1.1:500,
local_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha512-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 7 12:37:15.399: ISAKMP:(0): SA request profile is (NULL)
*Sep 7 12:37:15.399: ISAKMP: Created a peer struct for 64.1.1.1, peer port 500
*Sep 7 12:37:15.403: ISAKMP: New peer created peer = 0x6763D150 peer_handle = 0x80000002
*Sep 7 12:37:15.403: ISAKMP: Locking peer struct 0x6763D150, refcount 1 for isakmp_initiator
*Sep 7 12:37:15.407: ISAKMP: local port 500, remote port 500
*Sep 7 12:37:15.407: ISAKMP: set new node 0 to QM_IDLE
*Sep 7 12:37:15.419: ISAKMP:(0):insert sa successfully sa = 67604E20
*Sep 7 12:37:15.423: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*
GW1#Sep 7 12:37:15.423: ISAKMP:(0):found peer pre-shared key matching 64.1.1.1
*Sep 7 12:37:15.427: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 7 12:37:15.427: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 7 12:37:15.427: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 7 12:37:15.427: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 7 12:37:15.427: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 7 12:37:15.427: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 7 12:37:15.431: ISAKMP:(0): beginning Main Mode exchange //开始主模式
*Sep 7 12:37:15.431: ISAKMP:(0): sending packet to 64.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE 发送第一个包
*Sep 7 12:37:15.431: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 7 12:37:15.527: ISAKMP (0): received packet from 64.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE 接收第二个包
*Sep 7 12:37:15.543: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 7 12:37:15.547: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
GW1#*Sep 7 12:37:15.555: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 7 12:37:15.559: ISAKMP:(0): processing vendor id payload
*Sep 7 12:37:15.559: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 7 12:37:15.559: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 7 12:37:15.563: ISAKMP:(0):found peer pre-shared key matching 64.1.1.1
*Sep 7 12:37:15.563: ISAKMP:(0): local preshared key found
*Sep 7 12:37:15.567: ISAKMP : Scanning profiles for xauth ...
*Sep 7 12:37:15.567: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 7 12:37:15.567: ISAKMP: encryption 3DES-CBC
*Sep 7 12:37:15.571: ISAKMP: hash MD5
*Sep 7 12:37:15.571: ISAKMP: default group 16
*Sep 7 12:37:15.571: ISAKMP: auth pre-share
*Sep 7 12:37:15.575: ISAKMP: life type in seconds
*Sep 7 12:37:15.575: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 7 12:37:15.575: ISAKMP:(0):atts are acceptable. Next payload is 0 //IKE策略匹配成功
*Sep 7 12
GW1#:37:15.575: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 7 12:37:15.575: ISAKMP:(0):Acceptable atts:life: 0
*Sep 7 12:37:15.575: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 7 12:37:15.579: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 7 12:37:15.579: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 7 12:37:15.579: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 7 12:37:15.579: ISAKMP:(0): processing vendor id payload
*Sep 7 12:37:15.579: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 7 12:37:15.579: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 7 12:37:15.579: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 7 12:37:15.579: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 7 12:37:15.579: ISAKMP:(0): sending packet to 64.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP //发送第三个包
*Sep 7 12:37:15.579: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 7 12:37:15.583: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COM
GW1#PLETE
*Sep 7 12:37:15.583: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 7 12:37:16.735: ISAKMP (0): received packet from 64.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP //接收第三个包
*Sep 7 12:37:16.739: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 7 12:37:16.739: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 7 12:37:16.747: ISAKMP:(0): processing KE payload. message ID = 0 //交换DH公共值
*Sep 7 12:37:17.887: ISAKMP:(0): processing NONCE payload. message ID = 0 //交换加密用的随机数
*Sep 7 12:37:17.891: ISAKMP:(0):found peer pre-shared key matching 64.1.1.1
*Sep 7 12:37:17.895: ISAKMP:(1001): processing vendor id payload
*Sep 7 12:37:17.899: ISAKMP:(1001): vendor ID is Unity
*Sep 7 12:37:17.899: ISAKMP:(1001): processing vendor id payload
*Sep 7 12:37:17.899: ISAKMP:(1001): vendor ID is DPD
*Sep 7 12:37:17.903: ISAKMP:(1001): processing vendor id payload
*Sep 7 12:37:17.903: ISAKMP:(1001): speaking to another IOS box!
*Sep 7 12:37:17.907: ISAKMP:received p
GW1#ayload type 20
*Sep 7 12:37:17.907: ISAKMP (1001): His hash no match - this node outside NAT
*Sep 7 12:37:17.907: ISAKMP:received payload type 20
*Sep 7 12:37:17.911: ISAKMP (1001): No NAT Found for self or peer
*Sep 7 12:37:17.911: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 7 12:37:17.915: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 7 12:37:17.927: ISAKMP:(1001):Send initial contact
*Sep 7 12:37:17.927: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 7 12:37:17.931: ISAKMP (1001): ID payload
next-payload : 8
type : 1
address : 202.1.1.1
protocol : 17
port : 500
length : 12
*Sep 7 12:37:17.935: ISAKMP:(1001):Total payload length: 12
*Sep 7 12:37:17.939: ISAKMP:(1001): sending packet to 64.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH //发送第五个包
*Sep 7 12:37:17.943: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Sep 7 12:37:17.947: ISAKMP:(1
GW1#001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 7 12:37:17.947: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 7 12:37:18.183: ISAKMP (1001): received packet from 64.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH //接收第六个包
*Sep 7 12:37:18.187: ISAKMP:(1001): processing ID payload. message ID = 0
*Sep 7 12:37:18.191: ISAKMP (1001): ID payload
next-payload : 8
type : 1
address : 64.1.1.1
protocol : 17
port : 500
length : 12
*Sep 7 12:37:18.195: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 7 12:37:18.195: ISAKMP:(1001): processing HASH payload. message ID = 0
*Sep 7 12:37:18.199: ISAKMP:(1001):SA authentication status:
authenticated //SA已认证
*Sep 7 12:37:18.203: ISAKMP:(1001):SA has been authenticated with 64.1.1.1
*Sep 7 12:37:18.203: ISAKMP: Trying to insert a peer 202.1.1.1/64.1.1.1/500/, and inserted successfully 6763D150.
*Sep 7 12:37:18.207: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_
GW1#EXCH
*Sep 7 12:37:18.207: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Sep 7 12:37:18.219: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 7 12:37:18.219: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Sep 7 12:37:18.227: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 7 12:37:18.231: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE //第一阶段完成
*Sep 7 12:37:18.239: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 703045356 //开始快速模式
*Sep 7 12:37:18.243: ISAKMP:(1001):QM Initiator gets spi
*Sep 7 12:37:18.255: ISAKMP:(1001): sending packet to 64.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE //发送第一个包
*Sep 7 12:37:18.255: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Sep 7 12:37:18.259: ISAKMP:(1001):Node 703045356, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Sep 7 12:37:18.263: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Sep 7 12:37:18.263: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,
GW1# IKE_PHASE1_COMPLETE
*Sep 7 12:37:18.263: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Sep 7 12:37:19.519: ISAKMP (1001): received packet from 64.1.1.1 dport 500 sport 500 Global (I) QM_IDLE //接收第一个包
*Sep 7 12:37:19.527: ISAKMP:(1001): processing HASH payload. message ID = 703045356
*Sep 7 12:37:19.527: ISAKMP:(1001): processing SA payload. message ID = 703045356
*Sep 7 12:37:19.531: ISAKMP:(1001):Checking IPSec proposal 1
*Sep 7 12:37:19.531: ISAKMP: transform 1, ESP_AES //加密为AES
*Sep 7 12:37:19.531: ISAKMP: attributes in transform:
*Sep 7 12:37:19.535: ISAKMP: encaps is 1 (Tunnel)
*Sep 7 12:37:19.535: ISAKMP: SA life type in seconds
*Sep 7 12:37:19.535: ISAKMP: SA life duration (basic) of 3600
*Sep 7 12:37:19.539: ISAKMP: SA life type in kilobytes
*Sep 7 12:37:19.539: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Sep 7 12:37:19.543: ISAKMP: authenticator is HMAC-SHA512 //HMAC为SHA512
*Sep 7 12:37:19.547: ISAKMP
GW1#: key length is 128
*Sep 7 12:37:19.547: ISAKMP: group is 16
*Sep 7 12:37:19.547: ISAKMP:(1001):atts are acceptable. //策略匹配成功
*Sep 7 12:37:19.551: IPSEC(validate_proposal_request): proposal part #1
*Sep 7 12:37:19.551: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 202.1.1.1:0, remote= 64.1.1.1:0,
local_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4), //感兴趣流
remote_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 7 12:37:19.559: Crypto mapdb : proxy_match //感兴趣流匹配
src addr : 1.1.1.0
dst addr : 2.2.2.0
protocol : 0
src port : 0
dst port : 0
*Sep 7 12:37:19.563: ISAKMP:(1001): processing NONCE payload. message ID = 703045356
*Sep 7 12:37:19.563: ISAKMP:(1001): processing KE payload. message ID = 703045356
*Sep 7 12:37:20.751: ISAKMP:(1001): processing ID payload. message ID = 703045356
GW1#
*Sep 7 12:37:20.751: ISAKMP:(1001): processing ID payload. message ID = 703045356
*Sep 7 12:37:20.763: ISAKMP:(1001): Creating IPSec SAs
*Sep 7 12:37:20.763: inbound SA from 64.1.1.1 to 202.1.1.1 (f/i) 0/ 0
(proxy 2.2.2.0 to 1.1.1.0)
*Sep 7 12:37:20.767: has spi 0x509D91F9 and conn_id 0
*Sep 7 12:37:20.767: lifetime of 3600 seconds
*Sep 7 12:37:20.771: lifetime of 4608000 kilobytes
*Sep 7 12:37:20.771: outbound SA from 202.1.1.1 to 64.1.1.1 (f/i) 0/0
(proxy 1.1.1.0 to 2.2.2.0)
*Sep 7 12:37:20.771: has spi 0x6A40CECC and conn_id 0
*Sep 7 12:37:20.775: lifetime of 3600 seconds
*Sep 7 12:37:20.775: lifetime of 4608000 kilobytes
*Sep 7 12:37:20.779: ISAKMP:(1001): sending packet to 64.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE //发送第三个包
*Sep 7 12:37:20.779: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Sep 7 12:37:20.783: ISAKMP:(1001):deleting node 703045356 error FALSE reason "No Err
GW1#or"
*Sep 7 12:37:20.787: ISAKMP:(1001):Node 703045356, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 7 12:37:20.787: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE //第二阶段完成
*Sep 7 12:37:20.795: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 7 12:37:20.795: Crypto mapdb : proxy_match
src addr : 1.1.1.0
dst addr : 2.2.2.0
protocol : 0
src port : 0
dst port : 0
*Sep 7 12:37:20.799: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 64.1.1.1
*Sep 7 12:37:20.803: IPSEC(policy_db_add_ident): src 1.1.1.0, dest 2.2.2.0, dest_port 0
*Sep 7 12:37:20.807: IPSEC(create_sa): sa created, //创建SPD
(sa) sa_dest= 202.1.1.1, sa_proto= 50,
sa_spi= 0x509D91F9(1352503801),
sa_trans= esp-aes esp-sha512-hmac , sa_conn_id= 1
sa_lifetime(k/sec)= (4526001/3600)
*Sep 7 12:37:20.807: IPSEC(create_sa): sa created,
(sa) sa_dest= 64.1.1.1, sa_proto= 50,
sa_spi= 0x6A40CECC(178263214
GW1#0),
sa_trans= esp-aes esp-sha512-hmac , sa_conn_id= 2
sa_lifetime(k/sec)= (4526001/3600)
*Sep 7 12:37:20.811: IPSEC(update_current_outbound_sa): get enable SA peer 64.1.1.1 current outbound sa to SPI 6A40CECC
*Sep 7 12:37:20.815: IPSEC(update_current_outbound_sa): updated peer 64.1.1.1 current outbound sa to SPI 6A40CECC
转载于:https://blog.51cto.com/q3322095/984894
248
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
