Lab procedure:
Step 1  Basic interface configuration

R1:
R1(config)# int lo0
R1(config-if)# ip add 1.1.1.1 255.255.255.0
R1(config-if)# int f0/0
R1(config-if)# ip add 192.168.1.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2
R2:
R2(config)# int lo0
R2(config-if)# ip add 2.2.2.2 255.255.255.0
R2(config-if)# int f0/0
R2(config-if)# ip add 192.168.1.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# exit
R2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1
Step 2  Configure Internet Key Exchange (IKE)
R1:
R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication rsa-encr
//  Set the IKE phase 1 authentication method to RSA-encrypted nonces, which use asymmetric keys (a public and a private key)
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 5
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
R2:
R2(config)# crypto isakmp enable
R2(config)# crypto isakmp policy 10
R2(config-isakmp)# authentication rsa-encr
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 5
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
Step 3  Manually generate RSA keys on R1
R1(config)# ip domain-name testbed.norvel.com.cn
//  Give the router a FQDN
R1(config)# crypto key generate rsa
The name for the keys will be: R1.testbed.norvel.com.cn
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]:
//  The 512 here is the modulus size (in bits) of the key being generated
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# end
R1# show crypto key mypubkey rsa
% Key pair was generated at: 14:13:06 UTC Jun 23 2008
Key name: R1.testbed.norvel.com.cn
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C727CC 25CEB62B
  19681FF8 C77DFFD8 B9A34C09 08E23191 8A8433FF B9C03448 4A6B7E61 A7C259A1
  E54E3273 99547A26 4A3A1EBE 50EB0B4F AAB73F3F 40BB9CF7 33020301 0001
% Key pair was generated at: 14:13:07 UTC Jun 23 2008
Key name: R1.testbed.norvel.com.cn.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AFC66E A733480E
  1BF32E5F 9C5AE606 D61AA505 7BD77DCB 2AC10304 86D46E00 BBA2ACC0 B76F3676
  8EDDDB1D 57F330DF FB5813AE A8A9EC87 BEB72618 DC74421F 0D1ACF2D 5DC7902F
  9D4D6760 715DC15C 8EF1303D 0BA656A6 ACEE1FEC B88ADB55 6F020301 0001
Step 4  Manually generate RSA keys on R2
R2(config)# ip domain-name testbed.norvel.com.cn
R2(config)# crypto key generate rsa
The name for the keys will be: R2.testbed.norvel.com.cn
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R2(config)# end
R2# show crypto key mypubkey rsa
% Key pair was generated at: 14:13:36 UTC Jun 23 2008
Key name: R2.testbed.norvel.com.cn
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D670AA B1778DD0
  F9409866 4FFB7F07 37B35CFE 6FBCEF6D CE8F0012 D24DBD4B BFF97095 10003B50
  10107587 E5F45A3D E982D004 0DB8990B 8AED2F3F 5F4C8DD4 E7020301 0001
% Key pair was generated at: 14:13:37 UTC Jun 23 2008
Key name: R2.testbed.norvel.com.cn.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AC6B29 DE3F31E3
  9DF44714 8FB6C827 36366AF0 4508461A 6B9A1CDE 8EAE38E5 0D6F3D37 F92584B5
  CBCF79C5 2EBF962F 85299468 FD1AA687 E126274F F8DA7D3B 8B71B33C 50ECA5BE
  A2A0475E 1ABD2A2D 6F6A2911 D037D5BF 595A3849 9503DCB5 69020301 0001
Step 5  Configure R2's public key on R1
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# addressed-key 192.168.1.2
R1(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
R1(config-pubkey)# $6F70D 01010105 00034B00 30480241 00D670AA B1778DD0       
R1(config-pubkey)# $7B35CFE 6FBCEF6D CE8F0012 D24DBD4B BFF97095 10003B50     
R1(config-pubkey)# $E5F45A3D E982D004 0DB8990B 8AED2F3F 5F4C8DD4 E7020301 0001
R1(config-pubkey)# quit
R1(config-pubkey-key)# exit
R1(config-pubkey-chain)# exit
R1(config)#
Step 6  Configure R1's public key on R2
R2(config)# crypto key pubkey-chain rsa
R2(config-pubkey-chain)# addressed-key 192.168.1.1
R2(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
R2(config-pubkey)# $6F70D 01010105 00034B00 30480241 00C727CC 25CEB62B       
R2(config-pubkey)# $9A34C09 08E23191 8A8433FF B9C03448 4A6B7E61 A7C259A1     
R2(config-pubkey)# $99547A26 4A3A1EBE 50EB0B4F AAB73F3F 40BB9CF7 33020301 0001
R2(config-pubkey)# quit
R2(config-pubkey-key)# exit
R2(config-pubkey-chain)# ^Z
R2# show crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
Code Usage         IP-Address/VRF         Keyring          Name
M    General      192.168.1.1             default         
R2# show crypto key pubkey-chain rsa address 192.168.1.1
Key address:      192.168.1.1            
 Usage: General Purpose Key
 Source: Manually entered
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C727CC 25CEB62B
  19681FF8 C77DFFD8 B9A34C09 08E23191 8A8433FF B9C03448 4A6B7E61 A7C259A1
  E54E3273 99547A26 4A3A1EBE 50EB0B4F AAB73F3F 40BB9CF7 33020301 0001
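Before trusting a manually entered peer key, a practitioner would want to confirm that it is byte-for-byte the key the peer displayed, and to see how large the modulus actually is. The following Python is an added example, not code from the original lab write-up: it decodes the IOS `Key Data` hex dump (a DER-encoded SubjectPublicKeyInfo) with a small hand-written parser, computes a SHA-256 fingerprint over it, and compares R1's key as shown on R1 in step 3 with the copy stored on R2 in step 6; both hex blobs are copied from this page. It also reports the modulus size, 512 bits here, against a configurable floor; the `min_bits` default of 2048 is this example's choice, not a value from the lab.

```python
"""Added example (not from the original lab write-up): decode the hex
"Key Data" that IOS prints for an RSA public key and compare the copy a
peer typed in under `crypto key pubkey-chain rsa` with the original.

The two hex blobs are copied from the page: R1's key as shown by
`show crypto key mypubkey rsa` on R1, and the same key as shown by
`show crypto key pubkey-chain rsa address 192.168.1.1` on R2 after manual
entry. The blob is a DER SubjectPublicKeyInfo; the parser is a minimal
hand-written one and assumes well-formed input."""
import hashlib

R1_MYPUBKEY = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C727CC 25CEB62B
19681FF8 C77DFFD8 B9A34C09 08E23191 8A8433FF B9C03448 4A6B7E61 A7C259A1
E54E3273 99547A26 4A3A1EBE 50EB0B4F AAB73F3F 40BB9CF7 33020301 0001
"""
R1_KEY_AS_STORED_ON_R2 = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C727CC 25CEB62B
19681FF8 C77DFFD8 B9A34C09 08E23191 8A8433FF B9C03448 4A6B7E61 A7C259A1
E54E3273 99547A26 4A3A1EBE 50EB0B4F AAB73F3F 40BB9CF7 33020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def hex_dump_to_der(dump: str) -> bytes:
    """Join the space/newline separated hex groups IOS prints into raw DER."""
    return bytes.fromhex("".join(dump.split()))


def _tlv(buf: bytes, pos: int, want_tag: int):
    """Read one DER element at pos; return (value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02X} at offset {pos}, got 0x{tag:02X}")
    pos += 2
    if length & 0x80:                       # long-form length (keys of 1024 bits and up)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Return (modulus, public_exponent) from a SubjectPublicKeyInfo."""
    spki, _ = _tlv(der, 0, 0x30)            # outer SEQUENCE
    alg, pos = _tlv(spki, 0, 0x30)          # AlgorithmIdentifier
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bitstr, _ = _tlv(spki, pos, 0x03)       # BIT STRING: unused-bits byte + RSAPublicKey
    if bitstr[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsakey, _ = _tlv(bitstr, 1, 0x30)       # RSAPublicKey SEQUENCE
    n_bytes, pos = _tlv(rsakey, 0, 0x02)    # INTEGER modulus
    e_bytes, _ = _tlv(rsakey, pos, 0x02)    # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER blob: the short value to confirm with the peer out of band."""
    return hashlib.sha256(der).hexdigest()


def check_peer_key(displayed_dump: str, entered_dump: str, min_bits: int = 2048) -> dict:
    """Compare the peer's displayed key with what was typed in, and grade its size."""
    displayed, entered = hex_dump_to_der(displayed_dump), hex_dump_to_der(entered_dump)
    n, e = parse_rsa_spki(entered)
    return {
        "fingerprint_matches": fingerprint(displayed) == fingerprint(entered),
        "fingerprint": fingerprint(entered),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "meets_min_bits": n.bit_length() >= min_bits,   # 2048 is this example's floor
    }


if __name__ == "__main__":
    for k, v in check_peer_key(R1_MYPUBKEY, R1_KEY_AS_STORED_ON_R2).items():
        print(f"{k}: {v}")
```

The parser follows the ASN.1 layout visible in the dump itself: `305C` opens the outer SEQUENCE, `300D 0609 2A864886F70D010101 0500` is the rsaEncryption AlgorithmIdentifier, `034B00` the BIT STRING, `3048` the RSAPublicKey, `0241 00C7...` the 65-byte modulus and `0203 010001` the exponent 65537. The same routine decodes R2's dump from step 4.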
Step 7  Configure the IPsec transform set
R1:
R1(config)# crypto ipsec transform-set R1 esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# exit
R1(config)# crypto map R1××× 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)# set peer 192.168.1.2
R1(config-crypto-map)# set transform-set R1
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# exit
R2:
R2(config)# crypto ipsec transform-set R2 esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# exit
R2(config)# crypto map R2××× 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)# set peer 192.168.1.1
R2(config-crypto-map)# set transform-set R2
R2(config-crypto-map)# match address 100
R2(config-crypto-map)# exit
Step 8  Define the trigger traffic, i.e. which traffic the IPsec connection protects
R1:
R1(config)# access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
R1(config)# int f0/0
R1(config-if)# crypto map R1×××
R1(config-if)# end
R2:
R2(config)# access-list 100 permit icmp host 2.2.2.2 host 1.1.1.1
R2(config)# int f0/0
R2(config-if)# crypto map R2×××
R2(config-if)# end
Step 9  Ping test of the IPsec configuration on R2
R1# debug crypto isakmp
Crypto ISAKMP debugging is on
R1# debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
*Jun 23 14:21:51.719: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 23 14:21:51.727: ISAKMP:(0): SA request profile is (NULL)
*Jun 23 14:21:51.727: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
*Jun 23 14:21:51.731: ISAKMP: New peer created peer = 0x65DB4848 peer_handle = 0x80000002
*Jun 23 14:21:51.731: ISAKMP: Locking peer struct 0x65DB4848, refcount 1 for isakmp_initiator
*Jun 23 14:21:51.731: ISAKMP: local port 500, remote port 500
*Jun 23 14:21:51.735: ISAKMP: set new node 0 to QM_IDLE     
*Jun 23 14:21:51.747: insert sa successfully sa = 657C3314
*Jun 23 14:21:51.747: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 23 14:21:51.747: ISAKMP:(0):No pre-shared key with 192.168.1.2!
*Jun 23 14:21:51.751: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 23 14:21:51.751: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 23 14:21:51.751: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 23 14:21:51.755: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 23 14:21:51.755: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 23 14:21:51.755: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 23 14:21:51.759: ISAKMP:(0): beginning Main Mode exchange
*Jun 23 14:21:51.759: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 23 14:21:51.759: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Jun 23 14:22:01.763: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 23 14:22:01.763: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 23 14:22:01.763: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 23 14:22:01.767: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 23 14:22:01.767: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 23 14:22:01.923: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 23 14:22:01.935: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 23 14:22:01.935: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 23 14:22:01.943: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 23 14:22:01.943: ISAKMP:(0): processing vendor id payload
*Jun 23 14:22:01.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 23 14:22:01.947: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 23 14:22:01.947: ISA
R1#KMP : Scanning profiles for xauth ...
*Jun 23 14:22:01.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 23 14:22:01.947: ISAKMP:      encryption DES-CBC
*Jun 23 14:22:01.947: ISAKMP:      hash SHA
*Jun 23 14:22:01.951: ISAKMP:      default group 1
*Jun 23 14:22:01.951: ISAKMP:      auth RSA sig
*Jun 23 14:22:01.951: ISAKMP:      life type in seconds
*Jun 23 14:22:01.951: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 23 14:22:01.955: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 23 14:22:01.955: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jun 23 14:22:01.955: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Jun 23 14:22:01.955: ISAKMP:      encryption DES-CBC
*Jun 23 14:22:01.955: ISAKMP:      hash SHA
*Jun 23 14:22:01.959: ISAKMP:      default group 1
*Jun 23 14:22:01.959: ISAKMP:      auth RSA sig
*Jun 23 14:22:01.959: ISAKMP:      life type in seconds
*Jun 23 14:22:01.959: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 23 14:22:01.963: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 23 14:22:01.963: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 23 14:22:01.963: ISAKMP:(0):Acceptable atts:life: 0
*Jun 23 14:22:01.963: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
*Jun 23 14:22:01.967: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun
R1#23 14:22:01.967: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 23 14:22:01.967: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 23 14:22:01.971: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 23 14:22:02.047: ISAKMP:(0): processing vendor id payload
*Jun 23 14:22:02.047: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 23 14:22:02.047: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 23 14:22:02.051: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 23 14:22:02.051: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun 23 14:22:02.055: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 23 14:22:02.055: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 23 14:22:02.059: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 23 14:22:02.059: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 23 14:22:02.199: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 23 14:22:02.203: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 23 14:22:02.203: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 23 14:22:02.207: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 23 14:22:02.275: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 23 14:22:02.283: ISAKMP:(1001): processing vendor id payload
*Jun 23 14:22:02.283: ISAKMP:(1001): vendor ID is Unity
*Jun 23 14:22:02.283: I
R1#SAKMP:(1001): processing vendor id payload
*Jun 23 14:22:02.283: ISAKMP:(1001): vendor ID is DPD
*Jun 23 14:22:02.287: ISAKMP:(1001): processing vendor id payload
*Jun 23 14:22:02.287: ISAKMP:(1001): speaking to another IOS box!
*Jun 23 14:22:02.287: ISAKMP:received payload type 20
*Jun 23 14:22:02.287: ISAKMP:received payload type 20
*Jun 23 14:22:02.291: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 23 14:22:02.291: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun 23 14:22:02.299: ISAKMP:(1001):Send initial contact
*Jun 23 14:22:02.303: ISAKMP:(1001):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Jun 23 14:22:02.303: ISAKMP (0:1001): ID payload
        next-payload : 9
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun 23 14:22:02.303: ISAKMP:(1001):Total payload length: 12
*Jun 23 14:22:02.303: ISAKMP:(1001): using the default keypair to sign
*Jun
R1# 23 14:22:02.319: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 23 14:22:02.319: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 23 14:22:02.323: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 23 14:22:02.323: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jun 23 14:22:02.459: ISAKMP (0:1001): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 23 14:22:02.463: ISAKMP:(1001): processing ID payload. message ID = 0
*Jun 23 14:22:02.463: ISAKMP (0:1001): ID payload
        next-payload : 9
        type         : 1
        address      : 192.168.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Jun 23 14:22:02.467: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 23 14:22:02.467: ISAKMP:(1001): processing SIG payload. message ID = 0
*Jun 23 14:22:02.479: ISAKMP:(1001):SA authentication status:
        authenticated
*Jun 23 14:22:02.479: ISAKMP:(1001):SA has been authen
R1#ticated with 192.168.1.2
*Jun 23 14:22:02.483: ISAKMP: Trying to insert a peer 192.168.1.1/192.168.1.2/500/,  and inserted successfully 65DB4848.
*Jun 23 14:22:02.483: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 23 14:22:02.483: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jun 23 14:22:02.487: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 23 14:22:02.487: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Jun 23 14:22:02.495: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 23 14:22:02.495: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 23 14:22:02.503: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1708999450
*Jun 23 14:22:02.503: ISAKMP:(1001):QM Initiator gets spi
*Jun 23 14:22:02.507: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Jun 23 14:22:02.511: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 23 14:22:02.51
R1#1: ISAKMP:(1001):Node 1708999450, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 23 14:22:02.511: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 23 14:22:02.515: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 23 14:22:02.515: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun 23 14:22:02.703: ISAKMP (0:1001): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE     
*Jun 23 14:22:02.707: ISAKMP:(1001): processing HASH payload. message ID = 1708999450
*Jun 23 14:22:02.707: ISAKMP:(1001): processing SA payload. message ID = 1708999450
*Jun 23 14:22:02.711: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 23 14:22:02.711: ISAKMP: transform 1, ESP_3DES
*Jun 23 14:22:02.711: ISAKMP:   attributes in transform:
*Jun 23 14:22:02.711: ISAKMP:      encaps is 1 (Tunnel)
*Jun 23 14:22:02.711: ISAKMP:      SA life type in seconds
*Jun 23 14:22:02.715: ISAKMP:      SA life duration (basic) of 3600
*Jun 2
R1#3 14:22:02.715: ISAKMP:      SA life type in kilobytes
*Jun 23 14:22:02.715: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jun 23 14:22:02.715: ISAKMP:      authenticator is HMAC-MD5
*Jun 23 14:22:02.719: ISAKMP:(1001):atts are acceptable.
*Jun 23 14:22:02.719: IPSEC(validate_proposal_request): proposal part #1
*Jun 23 14:22:02.719: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 23 14:22:02.723: Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 1
        src port     : 0
        dst port     : 0
*Jun 23 14:22:02.727: ISAKMP:(1001): processing NONCE payload. message ID = 1708999450
*Jun 23 14:22:02.727: ISAKMP:(1001): processing ID payload. message ID = 1708999450
*Jun 23 14:22:02.727: ISAKMP:(1001): processing ID payload. message ID = 1708999450
*Jun 23 14:22:02.735: ISAKMP:(1001): Creating IPSec SAs
*Jun 23 14:22:02.739:         inbound SA from 192.168.1.2 to 192.168.1.1 (f/i)  0/ 0
        (proxy 2.2.2.2 to 1.1.1.1)
*Jun 23 14:22:02.739:         has spi 0xFF215805 and conn_id 0
*Jun 23 14:22:02.739:         lifetime of 3600 seconds
*Jun 23 14:22:02.739:         lifetime of 4608000 kilobytes
*Jun 23 14:22:02.743:         outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
        (proxy 1.1.1.1 to 2.2.2.2)
*Jun 23 14:22:02.743:         has spi  0xB8D2DF5B and conn_id 0
*Jun 23 14:22:02.743:         lifetime of 3600 seconds
*Jun 23 14:22:02.743:         lifetime of 4608000 kilobytes
*Jun 23 14:22:02.747: ISAKMP:(1001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Jun 23 14:22:02.747: ISAKMP:(1001):Sendi
R1#ng an IKE IPv4 Packet.
*Jun 23 14:22:02.747: ISAKMP:(1001):deleting node 1708999450 error FALSE reason "No Error"
*Jun 23 14:22:02.751: ISAKMP:(1001):Node 1708999450, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 23 14:22:02.751: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Jun 23 14:22:02.755: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 23 14:22:02.755: Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 1
        src port     : 0
        dst port     : 0
*Jun 23 14:22:02.759: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.1.2
*Jun 23 14:22:02.759: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0
*Jun 23 14:22:02.763: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_proto= 50,
    sa_spi= 0xFF215805(4280375301),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
*Jun 23 14:22:02.763: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.2, sa_proto= 50,
    sa_spi= 0xB8D2DF5B(3100827483),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2
*Jun 23 14:22:02.767: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI B8D2DF5B
R1#
R1# show crypto engine connections active
Crypto Engine Connections
   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec 3DES+MD5                  0        0 192.168.1.1
    2 Fa0/0      IPsec 3DES+MD5                  0        0 192.168.1.1
 1001 Fa0/0      IKE   SHA+DES                   0        0 192.168.1.1
R1#
R1# show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: R1×××, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB8D2DF5B(3100827483)
     inbound esp sas:
      spi: 0xFF215805(4280375301)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: R1×××
        sa timing: remaining key lifetime (k/sec): (4460477/3528)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB8D2DF5B(3100827483)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: R1×××
        sa timing: remaining key lifetime (k/sec): (4460477/3527)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
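The debug output above records what was actually negotiated for phase 1: the peer's transform (DES-CBC, SHA, group 1, RSA signatures) failed the policy 10 check with `Encryption algorithm offered does not match policy!`, was then accepted by the IOS default policy (priority 65535), and `%CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED` confirms the fallback. That is also why `show crypto engine connections active` lists the IKE SA as `SHA+DES` and why the debug says the SA is doing RSA signature authentication rather than the configured `rsa-encr`. The Python below is an added example, not part of the lab, that parses exactly those `debug crypto isakmp` lines into one record per policy check and flags the fallback and the weak parameters; the sample lines are copied from this page, and the weak-algorithm sets and finding texts are this example's own choices.

```python
"""Added example (not from the original lab): parse the IKE phase 1 policy
checks printed by `debug crypto isakmp` and flag the negotiated outcome.
SAMPLE_DEBUG is copied from the R1 output on this page; the weak-algorithm
sets are this example's assumptions, not values from the lab."""
import re

SAMPLE_DEBUG = """\
*Jun 23 14:22:01.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 23 14:22:01.947: ISAKMP:      encryption DES-CBC
*Jun 23 14:22:01.947: ISAKMP:      hash SHA
*Jun 23 14:22:01.951: ISAKMP:      default group 1
*Jun 23 14:22:01.951: ISAKMP:      auth RSA sig
*Jun 23 14:22:01.951: ISAKMP:      life type in seconds
*Jun 23 14:22:01.951: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 23 14:22:01.955: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 23 14:22:01.955: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jun 23 14:22:01.955: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Jun 23 14:22:01.955: ISAKMP:      encryption DES-CBC
*Jun 23 14:22:01.955: ISAKMP:      hash SHA
*Jun 23 14:22:01.959: ISAKMP:      default group 1
*Jun 23 14:22:01.959: ISAKMP:      auth RSA sig
*Jun 23 14:22:01.959: ISAKMP:      life type in seconds
*Jun 23 14:22:01.959: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 23 14:22:01.963: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 23 14:22:01.963: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type|life duration) (.+)$")
VPI_RE = re.compile(r"\(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)")

IOS_DEFAULT_POLICY = 65535
# Example thresholds (assumed for this example): algorithms a reviewer would flag today.
WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC"}
WEAK_HASH = {"MD5"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_policy_checks(debug: str) -> list:
    """One record per 'Checking ISAKMP transform ...' block, in the order printed."""
    checks, cur = [], None
    for line in debug.splitlines():
        m = CHECK_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "attrs": {}, "accepted": None, "reason": None}
            checks.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "life duration":           # VPI bytes form a big-endian integer
                v = VPI_RE.search(val)
                if v:
                    val = int.from_bytes(bytes(int(b, 16) for b in v.group(1).split()), "big")
            cur["attrs"][key] = val
        elif "does not match policy" in line:
            cur["reason"] = line.rsplit("):", 1)[-1].strip()
        elif "atts are not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line:
            cur["accepted"] = True
    return checks


def audit_phase1(debug: str, configured_auth: str = "rsa-encr") -> dict:
    """Summarise which policy won and what a reviewer should notice about it."""
    checks = parse_policy_checks(debug)
    accepted = next((c for c in checks if c["accepted"]), None)
    if accepted is None:
        return {"accepted_policy": None, "attrs": {}, "checks": checks,
                "findings": ["no policy accepted the peer's proposal"]}
    attrs, findings = accepted["attrs"], []
    if accepted["policy"] == IOS_DEFAULT_POLICY or "IKE_DEFAULT_POLICY_ACCEPTED" in debug:
        findings.append("IOS default policy 65535 accepted the proposal; no configured policy matched")
    for c in checks:
        if c["accepted"] is False and c["reason"]:
            findings.append(f"policy {c['policy']} rejected: {c['reason']}")
    if attrs.get("encryption") in WEAK_ENCRYPTION:
        findings.append(f"weak encryption negotiated: {attrs['encryption']}")
    if attrs.get("hash") in WEAK_HASH:
        findings.append(f"weak hash negotiated: {attrs['hash']}")
    if attrs.get("default group") in WEAK_DH_GROUPS:
        findings.append(f"weak DH group negotiated: group {attrs['default group']}")
    if configured_auth == "rsa-encr" and attrs.get("auth") == "RSA sig":
        findings.append("authentication negotiated as RSA sig, not the configured rsa-encr")
    return {"accepted_policy": accepted["policy"], "attrs": attrs, "checks": checks, "findings": findings}


if __name__ == "__main__":
    for finding in audit_phase1(SAMPLE_DEBUG)["findings"]:
        print("-", finding)
```

Run against the page's lines the audit reports policy 65535 as the winner, the policy 10 rejection reason, DES-CBC and group 1 as weak, and the RSA-signature authentication; the lifetime attribute decodes from `0x0 0x1 0x51 0x80` to 86400 seconds, matching the `lifetime 86400` in the configuration. The same parser can be pointed at a live `debug crypto isakmp` capture when a tunnel comes up with algorithms you did not configure.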