Lab steps and requirements:
1. Configure the IP address of each router, and use the ping command to confirm connectivity between the directly connected interfaces of the routers.
2. Configure static routes on R1 and R3 to ensure that the Internet backbone networks can communicate with each other.
R1(config)#ip route 0.0.0.0 0.0.0.0 202.102.48.66
R3(config)#ip route 0.0.0.0 0.0.0.0 211.64.135.33
3. On router R1, enable ISAKMP, which IKE phase one requires.
R1(config)#crypto isakmp enable
4. Configure the pre-shared key; the key must be identical on both peer routers.
R1(config)#crypto isakmp key 0 ciscokey address 211.64.135.34
5. Configure the ISAKMP policy for the IKE phase one negotiation. Several ISAKMP policies can be configured locally; when negotiating with the peer, a matching policy is selected regardless of the policy number.
R1(config)#
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 1
R1(config-isakmp)#exit
R1(config)#
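The matching rule just described (any local policy may match, the policy number is irrelevant) is easy to get wrong when the two sides are configured by hand. The following Python model is an added example, not part of the lab or of IOS; it encodes the rule as Cisco documents it (the initiator offers all its policies, the responder walks its own in priority order and accepts the first whose encryption, hash, authentication and DH group are identical and whose lifetime is not shorter than the offer, the shorter lifetime being used) and adds a strength check for the choices made in this lab. The `DH_GROUP_BITS` values for groups 5 and 14 and the priority `65535` used for the default suite are assumptions of the example.

```python
"""IKEv1 phase-one (ISAKMP) policy matching, modelled in Python.

Added example, not part of the lab text. The policy numbers (1 on R1,
2 on R3) play no part in the match; only the attribute values do.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# DH group -> modulus size in bits. Groups 1 and 2 are the values quoted in
# the lab annotations; 5 and 14 are the standard RFC values, added here.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str        # "des", "3des", "aes"
    hash: str              # "md5", "sha"
    authentication: str    # "pre-share", "rsa-sig"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds (IOS default)

    def attributes(self) -> Tuple[str, str, str, int]:
        """Everything that must be identical on both peers."""
        return (self.encryption, self.hash, self.authentication, self.group)


def negotiate(initiator: Iterable[IsakmpPolicy],
              responder: Iterable[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Return (responder policy chosen, negotiated lifetime), or None on failure."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for mine in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            if offer.attributes() == mine.attributes() and offer.lifetime <= mine.lifetime:
                return mine, min(offer.lifetime, mine.lifetime)
    return None


def weak_settings(policy: IsakmpPolicy) -> List[str]:
    """Flag phase-one choices that no longer meet current strength expectations."""
    findings = []
    if policy.encryption == "des":
        findings.append("des: 56-bit key, brute-forceable")
    if policy.hash == "md5":
        findings.append("md5: deprecated hash")
    bits = DH_GROUP_BITS.get(policy.group, 0)
    if bits < 2048:
        findings.append(f"group {policy.group}: {bits}-bit modulus, below 2048")
    return findings


# The two policies from the lab, plus the IOS default suite that
# 'show crypto isakmp policy' lists (priority 65535 is an assumption here).
R1_POLICIES = [
    IsakmpPolicy(1, "des", "md5", "pre-share", 1, 86400),
    IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400),
]
R3_POLICIES = [
    IsakmpPolicy(2, "des", "md5", "pre-share", 1, 86400),
    IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400),
]

if __name__ == "__main__":
    print("negotiated:", negotiate(R1_POLICIES, R3_POLICIES))
    for finding in weak_settings(R1_POLICIES[0]):
        print("weak:", finding)
```

Running it shows R3's policy 2 being chosen for R1's policy 1, and three findings against that policy (DES, MD5 and the 768-bit group 1 the lab uses); changing the hash on one side to `sha` while the other keeps `md5` makes `negotiate` return `None`, which is the configuration error that produces a phase-one failure in the debug output later in the lab.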
6. Configure the IPsec transform set, which is used for the IPsec SA negotiation in IKE phase two. It specifies the parameters to be negotiated: the security and compression protocols, the hash algorithm and the encryption algorithm.
This configuration uses ESP with DES to protect the data, and specifies tunnel mode.
R1(config)#crypto ipsec transform-set my_trans esp-des
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
7. Configure the crypto access control list, which identifies which traffic needs to be encrypted; this is sometimes called defining the IPsec "interesting traffic".
The ACL identifies that all IP packets from the local site to the 192.168.0.0/16 network are encrypted and pass through the IPsec tunnel.
Annotation [stanley665]: Enable ISAKMP on router R1. In newer versions ISAKMP is enabled by default.
Annotation [stanley666]: The 0 means that an unencrypted key is used; to use an encrypted key, use configuration option 6. ciscokey is the configured key. address identifies who the peer is; the peer can also be configured with hostname.
Annotation [stanley667]: Enable ISAKMP. Configure the hash algorithm as MD5, which is used to ensure data integrity; the MD5 algorithm is theoretically irreversible. Specify the encryption algorithm as DES; 3DES and AES are further options. DES is a symmetric encryption algorithm. The authentication method uses a pre-shared key. lifetime specifies the lifetime of the negotiated SA. Configure DH group 1 for the key exchange. DH1/2 key length: 768/1024. DH also has groups 5 and 7.
R1(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config)#
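Two things decide whether a packet enters the tunnel: the wildcard-mask test applied to the crypto ACL, and whether the peer's ACL (R3's in step 10) is the exact mirror image of the local one. The following Python is an added example, not code from the lab or from IOS; it implements the wildcard match (a 0 bit in the wildcard means "must match", a 1 bit means "don't care"), parses ACL lines in the form used on this page plus the `any` and `host` keywords, and checks the mirror-image property. The packet addresses used in the tests other than the lab's own are constructed.

```python
"""Crypto ACL ("interesting traffic") matching with IOS wildcard masks.

Added example, not from the lab. First matching entry decides; an
implicit deny ends every ACL, so unmatched packets leave in the clear.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when addr agrees with network on every bit the wildcard marks 0."""
    care = ~_int(wildcard) & 0xFFFFFFFF      # 0.0.255.255 -> 255.255.0.0
    return (_int(addr) & care) == (_int(network) & care)


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit ip SRC WILD DST WILD' (also 'any' / 'host A')."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, rest = tokens[2], tokens[4:]

    def take():
        # Consume one address specification and return (address, wildcard).
        if rest[0] == "any":
            del rest[0]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            addr = rest[1]
            del rest[:2]
            return addr, "0.0.0.0"
        addr, wild = rest[0], rest[1]
        del rest[:2]
        return addr, wild

    src, src_wild = take()
    dst, dst_wild = take()
    return AclEntry(action, src, src_wild, dst, dst_wild)


def is_interesting(acl: List[AclEntry], src: str, dst: str) -> bool:
    """Would a packet src -> dst be sent through the tunnel?"""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wild) and \
           wildcard_match(dst, entry.dst, entry.dst_wild):
            return entry.action == "permit"
    return False  # implicit deny


def mirror(entry: AclEntry) -> AclEntry:
    return AclEntry(entry.action, entry.dst, entry.dst_wild, entry.src, entry.src_wild)


def is_mirror_image(local_acl: List[AclEntry], peer_acl: List[AclEntry]) -> bool:
    """The peer's crypto ACL must be the local one with source and destination swapped."""
    return [mirror(e) for e in local_acl] == list(peer_acl)


# The two ACLs from the lab (R1 in step 7, R3 in step 10).
R1_ACL = [parse_acl_line("access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255")]
R3_ACL = [parse_acl_line("access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255")]

if __name__ == "__main__":
    print("LAN to LAN interesting:", is_interesting(R1_ACL, "172.16.1.1", "192.168.1.1"))
    print("WAN-sourced interesting:", is_interesting(R1_ACL, "202.102.48.65", "192.168.1.1"))
    print("R3 ACL mirrors R1:", is_mirror_image(R1_ACL, R3_ACL))
```

The second print line is the case behind the extended-ping annotations later in the lab: a ping sourced from the serial interface address 202.102.48.65 does not match the ACL, so it never triggers ISAKMP negotiation, while one sourced from 172.16.1.1 does.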
8. Configure the crypto map, which ties together the related transform set.
R1(config)#crypto map ***_to_R3 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 211.64.135.34
R1(config-crypto-map)#set transform-set my_trans
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#exit
R1#
9. Apply the crypto map to the interface on which the tunnel is to be established.
R1(config)#interface serial 1/1
R1(config-if)#crypto map ***_to_R3
R1(config-if)#exit
R1(config)#
10. On R3, configure IKE phase 1 and phase 2 following the same configuration as above.
R3(config)#crypto isakmp enable
R3(config)#
R3(config)#crypto isakmp key 0 ciscokey address 202.102.48.65
R3(config)#
R3(config)#crypto isakmp policy 2
R3(config-isakmp)#hash md5
R3(config-isakmp)#encryption des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#group 1
R3(config-isakmp)#exit
R3(config)#
R3(config)#crypto ipsec transform-set my_trans esp-des
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit
R3(config)#
R3(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
R3(config)#
R3(config)#crypto map ***_to_R1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 202.102.48.65
Annotation [stanley668]: IPsec SAs can be established with several peers; that requires configuring several map entries.
Annotation [stanley669]: Specify the peer as 211.64.135.34.
Annotation [stanley670]: Reference the IPsec transform set defined earlier.
Annotation [stanley671]: Protect the traffic specified by ACL 100.
R3(config-crypto-map)#set transform-set my_trans
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial 1/0
R3(config-if)#crypto map ***_to_R1
R3(config-if)#exit
R3(config)#
11. Turn on ISAKMP debugging on router R1.
R1#
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#
12. Verify the ISAKMP policies on R1 and R3.
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 2
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Annotation [stanley672]: The custom ISAKMP policy settings.
Annotation [stanley673]: The system's default ISAKMP policy.
Annotation [stanley674]: R3's custom ISAKMP policy; its configuration must match R1's policy configuration.
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R3#
13. View the ISAKMP pre-shared key configuration on R1 and R3 and confirm that both sides match.
R1#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 211.64.135.34 ciscokey
R1#
R3#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 202.102.48.65 ciscokey
R3#
14. View the IPsec transform sets on R1 and R3.
R1#show crypto ipsec transform-set
Transform set my_trans: { esp-des }
will negotiate = { Tunnel, },
R1#
R3#show crypto ipsec transform-set
Transform set my_trans: { esp-des }
will negotiate = { Tunnel, },
R3#
15. On R1, use the extended ping command to ping the private address of router R2's loopback interface.
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Annotation [stanley675]: The system's default ISAKMP policy.
Annotation [stanley676]: Tunnel mode.
Annotation [stanley677]: Specify the source address; it must match the source address specified in the ACL.
Annotation [stanley678]: Specify the destination address; it must also match the ACL, otherwise ISAKMP negotiation is not triggered.
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jun 5 17:08:59.519: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 202.102.48.65, remote= 211.64.135.34,
local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 5 17:08:59.535: ISAKMP:(0): SA request profile is (NULL)
*Jun 5 17:08:59.539: ISAKMP: Created a peer struct for 211.64.135.34, peer port 500
*Jun 5 17:08:59.539: ISAKMP: New peer created peer = 0x653F9630 peer_handle = 0x80000005
*Jun 5 17:08:59.543: ISAKMP: Locking peer struct 0x653F9630, refcount 1 for isakmp_initiator
*Jun 5 17:08:59.547: ISAKMP: local port 500, remote port 500
*Jun 5 17:08:59.547: ISAKMP: set new node 0 to QM_IDLE
*Jun 5 17:08:59.551: insert sa successfully sa = 65D68724
*Jun 5 17:08:59.555: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 211.64.135.34
*Jun 5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 5 17:08:59.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 5 17:08:59.559: ISAKMP:(0): beginning Main Mode exchange
*Jun 5 17:08:59.559: ISAKMP:(0): sending packet to 211.64.135.34 my_port 500 peer_port 500
(I) MM_NO_STATE
*Jun 5 17:08:59.663: ISAKMP (0:0): received packet from 211.64.135.34 dport 500 sport 500
Global (I) MM_NO_STATE
*Jun 5 17:08:59.671: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 5 17:08:59.683: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 5 17:08:59.687: ISAKMP:(0): processing vendor id payload
*J.
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/53/64 ms
R1#un 5 17:08:59.687: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 5 17:08:59.691: ISAKMP (0:0): vendor ID is NAT-T v7
Annotation [stanley679]: By default, IKE phase one attempts aggressive mode for the negotiation.
Annotation [stanley680]: The key configured on the peer is found to match the locally configured key. The main purpose of the pre-shared key is to confirm that the peer is trusted. Several more "pre-shared key found" messages appear later; the purpose is that every negotiation packet carries the key, to ensure that the peer is trusted.
Annotation [stanley681]: Begin the main mode exchange.
Annotation [stanley682]: By default ISAKMP uses UDP port 500 to negotiate with the peer.
*Jun 5 17:08:59.691: ISAKMP:(0):found peer pre-shared key matching 211.64.135.34
*Jun 5 17:08:59.695: ISAKMP:(0): local preshared key found
*Jun 5 17:08:59.695: ISAKMP : Scanning profiles for xauth ...
*Jun 5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 5 17:08:59.699: ISAKMP: encryption DES-CBC
*Jun 5 17:08:59.703: ISAKMP: hash MD5
*Jun 5 17:08:59.703: ISAKMP: default group 1
*Jun 5 17:08:59.707: ISAKMP: auth pre-share
*Jun 5 17:08:59.711: ISAKMP: life type in seconds
*Jun 5 17:08:59.711: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 5 17:08:59.723: ISAKMP:(0): processing vendor id payload
*Jun 5 17:08:59.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 5 17:08:59.727: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun 5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 5 17:08:59.727: ISAKMP:(0): sending packet to 211.64.135.34 my_port 500 peer_port 500
(I) MM_SA_SETUP
*Jun 5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 5 17:08:59.951: ISAKMP (0:0): received packet from 211.64.135.34 dport 500 sport 500
Global (I) MM_SA_SETUP
*Jun 5 17:08:59.959: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 5 17:08:59.975: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 5 17:09:00.007: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 5 17:09:00.007: ISAKMP:(0):found peer pre-shared key matching 211.64.135.34
*Jun 5 17:09:00.019: ISAKMP:(1001): processing vendor id payload
*Jun 5 17:09:00.019: ISAKMP:(1001): vendor ID is Unity
*Jun 5 17:09:00.023: ISAKMP:(1001): processing vendor id payload
*Jun 5 17:09:00.023: ISAKMP:(1001): vendor ID is DPD
*Jun 5 17:09:00.027: ISAKMP:(1001): processing vendor id payload
*Jun 5 17:09:00.031: ISAKMP:(1001): speaking to another IOS box!
*Jun 5 17:09:00.031: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 5 17:09:00.031: ISAKMP:(1001):Send initial contact
*Jun 5 17:09:00.031: ISAKMP:(1001):SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
*Jun 5 17:09:00.031: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
Annotation [stanley683]: The key configured on the peer is found to match the locally configured key.
Annotation [stanley684]: Checking the locally configured ISAKMP policy.
Annotation [stanley685]: This shows that the ISAKMP policy attributes configured on the peer are correct.
Annotation [stanley686]: The key configured on the peer is found to match the locally configured key.
Annotation [stanley687]: This message shows that the IKE phase one security association has been created successfully. The following messages show further IKE negotiation details.
address : 202.102.48.65
protocol : 17
port : 500
length : 12
*Jun 5 17:09:00.031: ISAKMP:(1001):Total payload length: 12
*Jun 5 17:09:00.031: ISAKMP:(1001): sending packet to 211.64.135.34 my_port 500 peer_port
500 (I) MM_KEY_EXCH
*Jun 5 17:09:00.031: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 5 17:09:00.139: ISAKMP (0:1001): received packet from 211.64.135.34 dport 500 sport 500
Global (I) MM_KEY_EXCH
*Jun 5 17:09:00.147: ISAKMP:(1001): processing ID payload. message ID = 0
*Jun 5 17:09:00.151: ISAKMP (0:1001): ID payload
next-payload : 8
type : 1
address : 211.64.135.34
protocol : 17
port : 500
length : 12
*Jun 5 17:09:00.151: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 5 17:09:00.151: ISAKMP:(1001): processing HASH payload. message ID = 0
*Jun 5 17:09:00.151: ISAKMP:(1001):SA authentication status:
authenticated
*Jun 5 17:09:00.151: ISAKMP:(1001):SA has been authenticated with 211.64.135.34
*Jun 5 17:09:00.151: ISAKMP: Trying to insert a peer 202.102.48.65/211.64.135.34/500/, and
inserted successfully 653F9630.
*Jun 5 17:09:00.151: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 5 17:09:00.151: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 5 17:09:00.151: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 5 17:09:00.151: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jun 5 17:09:00.151: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 5 17:09:00.151: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 5 17:09:00.151: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of -544134848
*Jun 5 17:09:00.151: ISAKMP:(1001):QM Initiator gets spi
*Jun 5 17:09:00.151: ISAKMP:(1001): sending packet to 211.64.135.34 my_port 500 peer_port
500 (I) QM_IDLE
*Jun 5 17:09:00.151: ISAKMP:(1001):Node -544134848, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 5 17:09:00.151: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 5 17:09:00.151: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 5 17:09:00.151: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Annotation [stanley688]: Here the completion of the IKE phase one negotiation is confirmed. It appears at this point because of the delay in Cisco's message output.
Annotation [stanley689]: Begin the IKE phase two quick mode negotiation.
Annotation [stanley690]: Quick mode starts negotiating and computes the SPI.
*Jun 5 17:09:00.299: ISAKMP (0:1001): received packet from 211.64.135.34 dport 500 sport 500
Global (I) QM_IDLE
*Jun 5 17:09:00.307: ISAKMP:(1001): processing HASH payload. message ID = -544134848
*Jun 5 17:09:00.307: ISAKMP:(1001): processing SA payload. message ID = -544134848
*Jun 5 17:09:00.311: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 5 17:09:00.311: ISAKMP: transform 1, ESP_DES
*Jun 5 17:09:00.311: ISAKMP: attributes in transform:
*Jun 5 17:09:00.311: ISAKMP: encaps is 1 (Tunnel)
*Jun 5 17:09:00.311: ISAKMP: SA life type in seconds
*Jun 5 17:09:00.311: ISAKMP: SA life duration (basic) of 3600
*Jun 5 17:09:00.311: ISAKMP: SA life type in kilobytes
*Jun 5 17:09:00.311: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 5 17:09:00.311: ISAKMP:(1001):atts are acceptable.
*Jun 5 17:09:00.311: IPSEC(validate_proposal_request): proposal part #1
*Jun 5 17:09:00.311: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 202.102.48.65, remote= 211.64.135.34,
local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 5 17:09:00.311: Crypto mapdb : proxy_match
src addr : 172.16.0.0
dst addr : 192.168.0.0
protocol : 0
src port : 0
dst port : 0
*Jun 5 17:09:00.311: ISAKMP:(1001): processing NONCE payload. message ID = -544134848
*Jun 5 17:09:00.311: ISAKMP:(1001): processing ID payload. message ID = -544134848
*Jun 5 17:09:00.311: ISAKMP:(1001): processing ID payload. message ID = -544134848
*Jun 5 17:09:00.311: ISAKMP:(1001): Creating IPSec SAs
*Jun 5 17:09:00.311: inbound SA from 211.64.135.34 to 202.102.48.65 (f/i) 0/ 0
(proxy 192.168.0.0 to 172.16.0.0)
*Jun 5 17:09:00.311: has spi 0x702868C8 and conn_id 0
*Jun 5 17:09:00.311: lifetime of 3600 seconds
*Jun 5 17:09:00.311: lifetime of 4608000 kilobytes
*Jun 5 17:09:00.311: outbound SA from 202.102.48.65 to 211.64.135.34 (f/i) 0/0
(proxy 172.16.0.0 to 192.168.0.0)
*Jun 5 17:09:00.311: has spi 0xA9133A18 and conn_id 0
*Jun 5 17:09:00.311: lifetime of 3600 seconds
*Jun 5 17:09:00.311: lifetime of 4608000 kilobytes
*Jun 5 17:09:00.311: ISAKMP:(1001): sending packet to 211.64.135.34 my_port 500 peer_port
Annotation [stanley691]: Checking the IPsec transform set in the proposal.
Annotation [stanley692]: This shows that the IPsec transform set was confirmed successfully.
Annotation [stanley693]: IPsec tunnel mode; the protocol is ESP, using DES for data encryption.
Annotation [stanley694]: This message gives the inbound security association index, 0x702868c8; during later data transmission this index is used for the encrypted and authenticated transfer.
Annotation [stanley695]: This message gives the outbound security association index.
500 (I) QM_IDLE
*Jun 5 17:09:00.311: ISAKMP:(1001):deleting node -544134848 error FALSE reason "No Error"
*Jun 5 17:09:00.311: ISAKMP:(1001):Node -544134848, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 5 17:09:00.311: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State =
IKE_QM_PHASE2_COMPLETE
*Jun 5 17:09:00.311: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 5 17:09:00.311: Crypto mapdb : proxy_match
src addr : 172.16.0.0
dst addr : 192.168.0.0
protocol : 0
src port : 0
dst port : 0
*Jun 5 17:09:00.311: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same
proxies and peer 211.64.135.34
*Jun 5 17:09:00.311: IPSEC(policy_db_add_ident): src 172.16.0.0, dest 192.168.0.0, dest_port
0
*Jun 5 17:09:00.311: IPSEC(create_sa): sa created,
(sa) sa_dest= 202.102.48.65, sa_proto= 50,
sa_spi= 0x702868C8(1881696456),
sa_trans= esp-des , sa_conn_id= 1
*Jun 5 17:09:00.311: IPSEC(create_sa): sa created,
(sa) sa_dest= 211.64.135.34, sa_proto= 50,
sa_spi= 0xA9133A18(2836609560),
sa_trans= esp-des , sa_conn_id= 2
*Jun 5 17:09:00.311: IPSEC(update_current_outbound_sa): updated peer 211.64.135.34 current
outbound sa to SPI A9133A18
.!!!!
R1#
16. View the local IKE phase one security association.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
211.64.135.34 202.102.48.65 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#
16. View the IKE phase two IPsec security association.
R1#show crypto ipsec sa
Annotation [stanley696]: This shows that the IKE phase two IPsec security association has been negotiated successfully.
Annotation [stanley697]: Secure data transmission with the peer's loopback interface is now possible.
Annotation [stanley698]: The ISAKMP SA is in the ACTIVE state. The QM state is active.
interface: Serial1/1
Crypto map tag: ***_to_R3, local addr 202.102.48.65
…………
local crypto endpt.: 202.102.48.65, remote crypto endpt.: 211.64.135.34
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0xA9133A18(2836609560)
inbound esp sas:
spi: 0x702868C8(1881696456)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: ***_to_R3
sa timing: remaining key lifetime (k/sec): (4436970/1326)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
…………
outbound esp sas:
spi: 0xA9133A18(2836609560)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: ***_to_R3
sa timing: remaining key lifetime (k/sec): (4436970/1325)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
…………
R1#
17. On routers R1 and R3, use the extended ping command again to confirm the IPsec site-to-site tunnel.
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Annotation [stanley699]: The crypto map tag on the S1/1 interface.
Annotation [stanley700]: The inbound SPI, the authentication and encryption method, and the related status information.
Annotation [stanley701]: The outbound SPI, the authentication and encryption method, and the related status information.
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/102/140 ms
R1#
R3#ping
Protocol [ip]:
Target IP address: 172.16.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/95/144 ms
R3#
18. The lab is complete.