KS#show run
Building configuration...

Current configuration : 2641 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
crypto keyring ks-key
  pre-shared-key address 202.100.10.1 key ks
  pre-shared-key address 202.100.20.1 key ks
  pre-shared-key address 202.100.30.1 key ks
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile ks-isakmp-pro
   keyring ks-key
   match identity address 202.100.10.1 255.255.255.255
   match identity address 202.100.20.1 255.255.255.255
   match identity address 202.100.30.1 255.255.255.255
!
!
crypto ipsec transform-set ks-set esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile ks-ipsec-pro
 set transform-set ks-set
 set isakmp-profile ks-isakmp-pro
!
crypto gdoi group get-group-1
 identity number 123654
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa ***key
  rekey transport unicast
  sa ipsec 1
   profile ks-ipsec-pro
   match address ipv4 gre
   replay counter window-size 64
  address ipv4 202.100.100.1
!
interface Loopback0
 ip address 1.10.4.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.100.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 no ip address
!
!
interface Serial1/0
 ip address 202.100.100.1 255.255.255.0
 serial restart-delay 0
!
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.100.2
no ip http server
no ip http secure-server
!
!
!
ip access-list extended gre
 permit gre any any
!
!
!
control-plane
!
!

gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
-----------------------------------------------

hub-GM1#show run
Building configuration...

Current configuration : 2474 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub-GM1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
crypto keyring get-key
  pre-shared-key address 202.100.100.1 key ks
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile hub-isakmp-pro
   keyring get-key
   match identity address 202.100.100.1 255.255.255.255
!
!
crypto gdoi group get-group-1
 identity number 123654
 server address ipv4 202.100.100.1
!
!
crypto map hub-map 10 gdoi
 set group get-group-1
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.10.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.101.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 bandwidth 1000
 ip address 1.1.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication one.auth
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 2012
!
!
interface Serial1/0
 ip address 202.100.10.1 255.255.255.0
 serial restart-delay 0
 crypto map hub-map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.10.2
ip route 39.1.10.0 255.255.255.0 1.1.10.2
ip route 39.1.20.0 255.255.255.0 1.1.10.3
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end

-------------------------------------------------

GM2#show run
Building configuration...

Current configuration : 2198 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GM2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name mlp.com
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
crypto keyring gm1-key
  pre-shared-key address 202.100.100.1 key ks
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile gm1-isakmp-pro
   keyring gm1-key
   match identity address 202.100.100.1 255.255.255.255
!
!
crypto gdoi group get-group-1
 identity number 123654
 server address ipv4 202.100.100.1
!
!
crypto map gm1-map 10 gdoi
 set group get-group-1
!
interface Loopback0
 ip address 1.10.6.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.10.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 bandwidth 1000
 ip address 1.1.10.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication one.auth
 ip nhrp map 1.1.10.1 202.100.10.1
 ip nhrp map multicast 202.100.10.1
 ip nhrp network-id 10
 ip nhrp holdtime 360
 ip nhrp nhs 1.1.10.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 2012
!
interface Serial1/0
 ip address 202.100.20.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 invert txclock
 crypto map gm1-map
!
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.20.2
ip route 39.1.0.0 255.255.0.0 1.1.10.1
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
---------------------------------

KS#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.100.100.1   202.100.30.1    GDOI_IDLE         1008 ACTIVE
202.100.30.1    202.100.100.1   GDOI_REKEY           0 ACTIVE
202.100.100.1   202.100.20.1    GDOI_IDLE         1004 ACTIVE
202.100.100.1   202.100.10.1    GDOI_IDLE         1016 ACTIVE

IPv6 Crypto ISAKMP SA

KS#show cry gdoi ks
Total group members registered to this box: 3

Key Server Information For Group get-group-1:
    Group Name               : get-group-1
    Group Identity           : 123654
    Group Members            : 3
    IPSec SA Direction       : Both
    ACL Configured:
        access-list gre

 

KS#SHOW cry gdoi
GROUP INFORMATION

    Group Name               : get-group-1 (Unicast)
    Group Identity           : 123654
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 72982 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : ks-ipsec-pro
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 3043 secs
      ACL Configured         : access-list gre

    Group Server list        : Local

KS#show cry gdoi ks member

Group Member Information :

Number of rekeys sent for group get-group-1 : 4

Group Member ID   : 202.100.10.1
Group ID          : 123654
Group Name        : get-group-1
Key Server ID     : 202.100.100.1
Rekeys sent       : 3
Rekeys retries    : 0
Rekey Acks Rcvd   : 3
Rekey Acks missed : 0

Sent seq num :    1    2    3    0
Rcvd seq num :    1    2    3    0

Group Member ID   : 202.100.20.1
Group ID          : 123654
Group Name        : get-group-1
Key Server ID     : 202.100.100.1
Rekeys sent       : 4
Rekeys retries    : 0
Rekey Acks Rcvd   : 4
Rekey Acks missed : 0

Sent seq num :    3    0    0    0
Rcvd seq num :    3    0    0    0

Group Member ID   : 202.100.30.1
Group ID          : 123654
Group Name        : get-group-1
Key Server ID     : 202.100.100.1
Rekeys sent       : 3
Rekeys retries    : 0
Rekey Acks Rcvd   : 3
Rekey Acks missed : 0

Sent seq num :    1    2    3    0
Rcvd seq num :    1    2    3    0

 

hub-GM1# show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.100.100.1   202.100.10.1    GDOI_IDLE         1013 ACTIVE
202.100.10.1    202.100.100.1   GDOI_REKEY        1014 ACTIVE

IPv6 Crypto ISAKMP SA


 

GM2#SHOW CRY ISA SA
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.100.1   202.100.20.1    GDOI_IDLE         1001    0 ACTIVE
202.100.20.1    202.100.100.1   GDOI_REKEY        1002    0 ACTIVE
202.100.20.1    202.100.100.1   GDOI_REKEY        1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

GM3#SHOW cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.100.1   202.100.30.1    GDOI_IDLE         1001    0 ACTIVE
202.100.30.1    202.100.100.1   GDOI_REKEY        1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

 

hub-GM1#show cry ipsec sa

interface: Serial1/0
    Crypto map tag: hub-map, local addr 202.100.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 189, #pkts encrypt: 189, #pkts digest: 189
    #pkts decaps: 245, #pkts decrypt: 245, #pkts verify: 245
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.100.10.1, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x3A6B4932(980109618)
     PFS (Y/N): N, DH group: none

hub-GM1#show cry engin connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
   15  IPsec   DES+MD5                   0       60 0.0.0.0
   16  IPsec   DES+MD5                  62        0 0.0.0.0
   19  IPsec   DES+MD5                   0        0 0.0.0.0
   20  IPsec   DES+MD5                   0        0 0.0.0.0
 1013  IKE     SHA+DES                   0        0 202.100.10.1
 1014  IKE     SHA+3DES                  0        0

GM3#ping 39.1.10.1 so 39.1.20.1 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.10.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.20.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 136/257/416 ms

GM2#ping 39.1.101.1 so 39.1.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 39.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/191/228 ms

hub-GM1#ping 39.1.20.1 so 39.1.101.1 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.20.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.101.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 172/193/212 ms

http://pan.baidu.com/s/1bns376R