Lab procedure:
Step 1  Configure R1 to support SDM

R1(config)# int e1/0
R1(config-if)# ip add 192.168.1.200 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f0/0
R1(config-if)# ip add 172.16.0.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit
R1(config)#
R1(config)# ip http server
R1(config)# ip http authentication local
R1(config)# username suyajuncn privilege 15 password suyajuncn
R1(config)# lin vty 0 4
R1(config-line)# transport input ssh telnet
R1(config-line)# login local
R1(config-line)# end
Step 2  Configure R2 to support SDM
R2(config)# int e1/0
R2(config-if)# ip add 192.168.1.201 255.255.255.0
R2(config-if)# no sh
R2(config-if)# int f0/0
R2(config-if)# ip add 172.16.0.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# exit
R2(config)#
R2(config)# ip http server
R2(config)# ip http authen local
R2(config)# username suyajuncn privilege 15 password suyajuncn
R2(config)# lin vty 0 4
R2(config-line)# transport input ssh telnet
R2(config-line)# login local
R2(config-line)# end
Step 3  Log in to R1 with SDM and start the configuration
Step 4  Enter the HTTP authentication password
Step 5  Enter the SDM login password
Step 6  After logging in, choose Configure → Interfaces and Connections → Edit Interface/Connection → Create new logical interface → Loopback interface
Step 7  Enter the address of the loopback interface
Step 8  Choose VPN → Site-to-Site VPN → Create Site to Site VPN → Launch the selected task
Step 9  Choose the step-by-step wizard → Next
Step 10  Choose FastEthernet0/0 as the VPN connection interface, enter 172.16.0.2 as the VPN peer IP address, choose Pre-shared keys under Authentication, and enter the key suyajuncn
Step 11  Under IKE proposals, choose the default IKE policy
Step 12  Under Transform Set, choose the default transform set
Step 13  In the interesting-traffic definition, choose "Create/Select an access list for IPSec traffic" → Create a new rule
Step 14  In Add a Rule, click Add
Step 15  In Add an Extended Rule Entry, enter 1.1.1.1 as the source address and 2.2.2.2 as the destination address, and choose ICMP as the protocol
Step 16  Check the summary and click Finish
Step 17  Add a static route on R1
Step 18  In the CLI, show run shows what the wizard actually configured:
R1# show run
Building configuration...
Current configuration : 1655 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username suyajuncn privilege 15 password 0 suyajuncn
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key suyajuncn address 172.16.0.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to172.16.0.2
 set peer 172.16.0.2
 set transform-set ESP-3DES-SHA
 match address 100
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!        
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 duplex half
 crypto map SDM_CMAP_1
!
interface Ethernet1/0
 ip address 192.168.1.200 255.255.255.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip http server
ip http authentication local
no ip http secure-server
!
!
logging alarm informational
access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
!
!
control-plane
!    
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input telnet ssh
!
!
end
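As an added example (not part of the original lab), a small Python audit of the running config shown above: it flags the legacy settings the wizard left in place (3DES, DH group 2, SHA-1, clear-text passwords, SDM over plain HTTP, telnet on the vty lines) and checks that every crypto map entry refers to a transform set, an access list and a pre-shared key that actually exist. The config text is a constructed excerpt of R1's show run.

```python
import re
# Constructed excerpt of the R1 running config that the SDM wizard generated above.
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp key suyajuncn address 172.16.0.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set ESP-3DES-SHA
 match address 100
no ip http secure-server
access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2
line vty 0 4
 transport input telnet ssh
"""

# Settings a reviewer would flag in this lab config: legacy crypto and clear-text management.
WEAK_PATTERNS = [
    (r"^ encr 3des$", "IKE policy uses 3DES"),
    (r"^ group 2$", "IKE policy uses DH group 2 (1024-bit)"),
    (r"^crypto ipsec transform-set \S+ .*esp-sha-hmac", "transform set uses SHA-1 HMAC"),
    (r"^no service password-encryption$", "passwords are stored in clear text"),
    (r"^no ip http secure-server$", "SDM is reachable over plain HTTP only"),
    (r"^ transport input .*\btelnet\b", "telnet is allowed on the vty lines"),
]

def audit_config(text):
    """Return weak-setting findings plus dangling references inside crypto map entries."""
    lines = text.splitlines()
    findings = [msg for line in lines for pat, msg in WEAK_PATTERNS if re.match(pat, line)]
    transform_sets = {m.group(1) for l in lines if (m := re.match(r"crypto ipsec transform-set (\S+)", l))}
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\d+) ", l))}
    psk_peers = {m.group(1) for l in lines if (m := re.match(r"crypto isakmp key \S+ address (\S+)", l))}
    current = None  # name of the crypto map whose entry we are inside, if any
    for line in lines:
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            current = m.group(1)
        elif current and (m := re.match(r" set transform-set (\S+)", line)) and m.group(1) not in transform_sets:
            findings.append(f"{current}: transform-set {m.group(1)} is not defined")
        elif current and (m := re.match(r" match address (\S+)", line)) and m.group(1) not in acls:
            findings.append(f"{current}: access-list {m.group(1)} is not defined")
        elif current and (m := re.match(r" set peer (\S+)", line)) and m.group(1) not in psk_peers:
            findings.append(f"{current}: no pre-shared key configured for peer {m.group(1)}")
        elif not line.startswith(" "):
            current = None  # left the crypto map block
    return findings
```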
Step 19  Configure R2 the same way with SDM
Step 20  Ping 2.2.2.2 from R1 to test the configuration. The first ping gets no replies because the echoes time out while IKE phase 1 and phase 2 are still negotiating; once the IPsec SAs exist, the second ping succeeds:
R1# debug crypto isakmp
Crypto ISAKMP debugging is on
R1# debug crypto ipsec
Crypto IPSEC debugging is on
R1# ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
*Jun 24 23:26:13.735: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.0.1, remote= 172.16.0.2,
    local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 24 23:26:13.743: ISAKMP:(0): SA request profile is (NULL)
*Jun 24 23:26:13.743: ISAKMP: Created a peer struct for 172.16.0.2, peer port 500
*Jun 24 23:26:13.743: ISAKMP: New peer created peer = 0x65D551A8 peer_handle = 0x80000002
*Jun 24 23:26:13.743: ISAKMP: Locking peer struct 0x65D551A8, refcount 1 for isakmp_initiator
*Jun 24 23:26:13.747: ISAKMP: local port 500, remote port 500
*Jun 24 23:26:13.747: ISAKMP: set new node 0 to QM_IDLE     
*Jun 24 23:26:13.759: insert sa successfully sa = 66E36E4C
*Jun 24 23:26:13.763: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 24 23:26:13.763: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*Jun 24 23:26:13.767: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 24 23:26:13.767: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 24 23:26:13.767: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 24 23:26:13.767: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 24 23:26:13.771: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 24 23:26:13.771: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 24 23:26:13.771: ISAKMP:(0): beginning Main Mode exchange
*Jun 24 23:26:13.775: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 24 23:26:13.775: ISAKMP:(0):Sending an IKE IPv4 Packet.
Success rate is 0 percent (0/5)
R1#
*Jun 24 23:26:23.779: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 24 23:26:23.779: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 24 23:26:23.779: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 24 23:26:23.783: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 24 23:26:23.783: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 24 23:26:23.911: ISAKMP (0:0): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 24 23:26:23.923: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 24 23:26:23.923: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 24 23:26:23.931: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 24 23:26:23.931: ISAKMP:(0): processing vendor id payload
*Jun 24 23:26:23.931: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 24 23:26:23.931: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 24 23:26:23.935: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*Jun 24 23:26:23.935: ISAKMP:(0): local preshared key found
*Jun 24 23:26:23.935: ISAKMP : Scanning profiles for xauth ...
*Jun 24 23:26:23.935: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 24 23:26:23.939: ISAKMP:      encryption 3DES-CBC
*Jun 24 23:26:23.939: ISAKMP:      hash SHA
*Jun 24 23:26:23.939: ISAKMP:      default group 2
*Jun 24 23:26:23.939: ISAKMP:      auth pre-share
*Jun 24 23:26:23.939: ISAKMP:      life type in seconds
*Jun 24 23:26:23.939: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 24 23:26:23.943: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 24 23:26:23.943: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 24 23:26:23.943: ISAKMP:(0):Acceptable atts:life: 0
*Jun 24 23:26:23.947: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 24 23:26:23.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 24 23:26:23.947: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 24 23:26:23.947: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 24 23:26:23.951: ISAKMP:(0): processing vendor id payload
*Jun 24 23:26:23.951: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 24 23:26:23.951: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 24 23:26:23.955: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 24 23:26:23.955: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun 24 23:26:23.963: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 24 23:26:23.963: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 24 23:26:23.967: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 24 23:26:23.967: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 24 23:26:24.155: ISAKMP (0:0): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 24 23:26:24.159: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 24 23:26:24.159: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 24 23:26:24.163: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 24 23:26:24.251: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 24 23:26:24.251: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*Jun 24 23:26:24.255: ISAKMP:(1001): processing vendor id payload
*Jun 24 23:26:24.259: ISAKMP:(1001): vendor ID is Unity
*Jun 24 23:26:24.259: ISAKMP:(1001): processing vendor id payload
*Jun 24 23:26:24.259: ISAKMP:(1001): vendor ID is DPD
*Jun 24 23:26:24.263: ISAKMP:(1001): processing vendor id payload
*Jun 24 23:26:24.263: ISAKMP:(1001): speaking to another IOS box!
*Jun 24 23:26:24.263: ISAKMP:received payload type 20
*Jun 24 23:26:24.263: ISAKMP:received payload type 20
*Jun 24 23:26:24.267: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 24 23:26:24.267: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun 24 23:26:24.275: ISAKMP:(1001):Send initial contact
*Jun 24 23:26:24.275: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 24 23:26:24.275: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 172.16.0.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun 24 23:26:24.279: ISAKMP:(1001):Total payload length: 12
*Jun 24 23:26:24.283: ISAKMP:(1001): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 24 23:26:24.283: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 24 23:26:24.283: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 24 23:26:24.287: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jun 24 23:26:24.391: ISAKMP (0:1001): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 24 23:26:24.395: ISAKMP:(1001): processing ID payload. message ID = 0
*Jun 24 23:26:24.395: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 172.16.0.2
        protocol     : 17
        port         : 500
        length       : 12
*Jun 24 23:26:24.399: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 24 23:26:24.399: ISAKMP:(1001): processing HASH payload. message ID = 0
*Jun 24 23:26:24.403: ISAKMP:(1001):SA authentication status:
        authenticated
*Jun 24 23:26:24.403: ISAKMP:(1001):SA has been authenticated with 172.16.0.2
*Jun 24 23:26:24.403: ISAKMP: Trying to insert a peer 172.16.0.1/172.16.0.2/500/,  and inserted successfully 65D551A8.
*Jun 24 23:26:24.407: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 24 23:26:24.407: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jun 24 23:26:24.415: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 24 23:26:24.415: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Jun 24 23:26:24.419: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 24 23:26:24.423: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 24 23:26:24.427: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1155095297
*Jun 24 23:26:24.431: ISAKMP:(1001):QM Initiator gets spi
*Jun 24 23:26:24.435: ISAKMP:(1001): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Jun 24 23:26:24.435: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 24 23:26:24.439: ISAKMP:(1001):Node 1155095297, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 24 23:26:24.439: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 24 23:26:24.439: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 24 23:26:24.443: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun 24 23:26:24.603: ISAKMP (0:1001): received packet from 172.16.0.2 dport 500 sport 500 Global (I) QM_IDLE     
*Jun 24 23:26:24.607: ISAKMP:(1001): processing HASH payload. message ID = 1155095297
*Jun 24 23:26:24.607: ISAKMP:(1001): processing SA payload. message ID = 1155095297
*Jun 24 23:26:24.607: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 24 23:26:24.611: ISAKMP: transform 1, ESP_3DES
*Jun 24 23:26:24.611: ISAKMP:   attributes in transform:
*Jun 24 23:26:24.611: ISAKMP:      encaps is 1 (Tunnel)
*Jun 24 23:26:24.611: ISAKMP:      SA life type in seconds
*Jun 24 23:26:24.611: ISAKMP:      SA life duration (basic) of 3600
*Jun 24 23:26:24.615: ISAKMP:      SA life type in kilobytes
*Jun 24 23:26:24.615: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jun 24 23:26:24.615: ISAKMP:      authenticator is HMAC-SHA
*Jun 24 23:26:24.615: ISAKMP:(1001):atts are acceptable.
*Jun 24 23:26:24.619: IPSEC(validate_proposal_request): proposal part #1
*Jun 24 23:26:24.619: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.0.1, remote= 172.16.0.2,
    local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 24 23:26:24.623: Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 1
        src port     : 0
        dst port     : 0
*Jun 24 23:26:24.627: ISAKMP:(1001): processing NONCE payload. message ID = 1155095297
*Jun 24 23:26:24.627: ISAKMP:(1001): processing ID payload. message ID = 1155095297
*Jun 24 23:26:24.627: ISAKMP:(1001): processing ID payload. message ID = 1155095297
*Jun 24 23:26:24.635: ISAKMP:(1001): Creating IPSec SAs
*Jun 24 23:26:24.639:         inbound SA from 172.16.0.2 to 172.16.0.1 (f/i)  0/ 0
        (proxy 2.2.2.2 to 1.1.1.1)
*Jun 24 23:26:24.639:         has spi 0xEB888272 and conn_id 0
*Jun 24 23:26:24.639:         lifetime of 3600 seconds
*Jun 24 23:26:24.639:         lifetime of 4608000 kilobytes
*Jun 24 23:26:24.643:         outbound SA from 172.16.0.1 to 172.16.0.2 (f/i) 0/0
        (proxy 1.1.1.1 to 2.2.2.2)
*Jun 24 23:26:24.643:         has spi  0x3809EE70 and conn_id 0
*Jun 24 23:26:24.643:         lifetime of 3600 seconds
*Jun 24 23:26:24.643:         lifetime of 4608000 kilobytes
*Jun 24 23:26:24.647: ISAKMP:(1001): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Jun 24 23:26:24.647: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 24 23:26:24.651: ISAKMP:(1001):deleting node 1155095297 error FALSE reason "No Error"
*Jun 24 23:26:24.651: ISAKMP:(1001):Node 1155095297, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 24 23:26:24.651: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Jun 24 23:26:24.655: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 24 23:26:24.659: Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 2.2.2.2
        protocol     : 1
        src port     : 0
        dst port     : 0
*Jun 24 23:26:24.659: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.16.0.2
*Jun 24 23:26:24.663: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 2.2.2.2, dest_port 0
*Jun 24 23:26:24.663: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.0.1, sa_proto= 50,
    sa_spi= 0xEB888272(3951592050),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
*Jun 24 23:26:24.667: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.0.2, sa_proto= 50,
    sa_spi= 0x3809EE70(940174960),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
*Jun 24 23:26:24.667: IPSEC(update_current_outbound_sa): updated peer 172.16.0.2 current outbound sa to SPI 3809EE70
R1# ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/127/196 ms
R1#
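As an added example (not part of the original lab), a Python parser for the debug output above: it pulls out the IKE state transitions, phase 1 retransmits, the authenticated peer, the ESP SAs that were created, and the time from the first state change to IKE_QM_PHASE2_COMPLETE. The log is a constructed excerpt of the R1 output; on it the negotiation takes 10.88 s, longer than the five 2-second ping timeouts, which is why the first ping reports 0/5.

```python
import re
from datetime import datetime

# Constructed excerpt of the R1 "debug crypto isakmp" / "debug crypto ipsec" output above.
DEBUG_LOG = """\
*Jun 24 23:26:13.771: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 24 23:26:23.779: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 24 23:26:23.923: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 24 23:26:24.403: ISAKMP:(1001):SA has been authenticated with 172.16.0.2
*Jun 24 23:26:24.423: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 24 23:26:24.651: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Jun 24 23:26:24.663: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.0.1, sa_proto= 50,
    sa_spi= 0xEB888272(3951592050),
*Jun 24 23:26:24.667: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.0.2, sa_proto= 50,
    sa_spi= 0x3809EE70(940174960),
"""

TS = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SA = re.compile(r"sa_dest= (\S+), sa_proto= (\d+),\s+sa_spi= (0x[0-9A-Fa-f]+)")

def summarize_ike(log):
    """Pull phase 1/2 progress, retransmits, created SAs and negotiation time out of the debug."""
    summary = {"transitions": [], "retransmits": 0, "authenticated_peer": None, "sas": []}
    start = end = None
    for line in log.splitlines():
        m = TS.match(line)
        if not m:
            continue  # indented continuation lines (SA details) carry no timestamp
        ts, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), m.group(2)
        if "retransmitting phase 1" in msg:
            summary["retransmits"] += 1  # peer slow to answer MM1; pings time out meanwhile
        if s := STATE.search(msg):
            summary["transitions"].append((s.group(1), s.group(2)))
            start = start or ts
            if s.group(2) == "IKE_QM_PHASE2_COMPLETE":
                end = ts
        if a := re.search(r"SA has been authenticated with (\S+)", msg):
            summary["authenticated_peer"] = a.group(1)
    # SA records span several lines, so match them against the whole log text.
    summary["sas"] = [(dest, int(proto), spi) for dest, proto, spi in SA.findall(log)]
    summary["phase1_complete"] = any(new == "IKE_P1_COMPLETE" for _, new in summary["transitions"])
    summary["phase2_complete"] = end is not None
    summary["negotiation_secs"] = round((end - start).total_seconds(), 3) if start and end else None
    return summary
```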