IPsecVPNisakmpaggressivemode实验配置Word格式.docx
《IPsecVPNisakmpaggressivemode实验配置Word格式.docx》由会员分享,可在线阅读,更多相关《IPsecVPNisakmpaggressivemode实验配置Word格式.docx(19页珍藏版)》请在冰豆网上搜索。
group2
cryptoisakmppeeraddress172.16.2.1
setaggressive-modepasswordxinjialove
setaggressive-modeclient-endpointfqdnxinjialove
cryptoipsectransform-setxinjialoveesp-desesp-md5-hmac
cryptomapxinjialove10ipsec-isakmp
setpeer172.16.2.1
settransform-setxinjialove
matchaddress100
interfaceLoopback0
ipaddress1.1.1.1255.255.255.255
interfaceFastEthernet0/0
noipaddress
shutdown
duplexauto
speedauto
interfaceSerial1/0
serialrestart-delay0
interfaceSerial1/1
ipaddress172.16.1.1255.255.255.0
cryptomapxinjialove
interfaceSerial1/2
interfaceSerial1/3
interfaceFastEthernet2/0
noiphttpserver
noiphttpsecure-server
iproute0.0.0.00.0.0.0Serial1/1
access-list100permitiphost1.1.1.1host3.3.3.3
control-plane
linecon0
loggingsynchronous
lineaux0
linevty04
end
VPNHUBconfiguration
VPNHUB#shrun
1338bytes
hostnameVPNHUB
resourcepolicy
cryptoisakmpkeyxinjialovehostnamexinjialove
cryptodynamic-mapxinjialove10
reverse-route
cryptomapxinjialove10ipsec-isakmpdynamicxinjialove
ipaddress3.3.3.3255.255.255.255
duplexhalf
ipaddress172.16.2.1255.255.255.0
iproute0.0.0.00.0.0.0Serial1/0
loggingalarminformational
stopbits1
show信息
SPOKE#shcryptoisakmpsa
dstsrcstateconn-idslotstatus
172.16.2.1172.16.1.1QM_IDLE10ACTIVE
SPOKE#shcry
SPOKE#shcryptoip
SPOKE#shcryptoipsecsa
interface:
Serial1/1
Cryptomaptag:
xinjialove,localaddr172.16.1.1
protectedvrf:
(none)
localident(addr/mask/prot/port):
(1.1.1.1/255.255.255.255/0/0)
remoteident(addr/mask/prot/port):
(3.3.3.3/255.255.255.255/0/0)
current_peer172.16.2.1port500
PERMIT,flags={origin_is_acl,}
#pktsencaps:
4,#pktsencrypt:
4,#pktsdigest:
4
#pktsdecaps:
4,#pktsdecrypt:
4,#pktsverify:
#pktscompressed:
0,#pktsdecompressed:
0
#pktsnotcompressed:
0,#pktscompr.failed:
#pktsnotdecompressed:
0,#pktsdecompressfailed:
#senderrors6,#recverrors0
localcryptoendpt.:
172.16.1.1,remotecryptoendpt.:
172.16.2.1
pathmtu1500,ipmtu1500,ipmtuidbSerial1/1
currentoutboundspi:
0xD5ACDF48(3584876360)
inboundespsas:
spi:
0x2EF3D077(787730551)
transform:
esp-desesp-md5-hmac,
inusesettings={Tunnel,}
connid:
2002,flow_id:
SW:
2,cryptomap:
xinjialove
satiming:
remainingkeylifetime(k/sec):
(4570740/2085)
IVsize:
8bytes
replaydetectionsupport:
Y
Status:
ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
2001,flow_id:
1,cryptomap:
(4570740/2084)
outboundahsas:
outboundpcpsas:
VPNHUB#shiproute
Codes:
C-connected,S-static,R-RIP,M-mobile,B-BGP
D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea
N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2
E1-OSPFexternaltype1,E2-OSPFexternaltype2
i-IS-IS,su-IS-ISsummary,L1-IS-ISlevel-1,L2-IS-ISlevel-2
ia-IS-ISinterarea,*-candidatedefault,U-per-userstaticroute
o-ODR,P-periodicdownloadedstaticroute
Gatewayoflastresortis0.0.0.0tonetwork0.0.0.0
1.0.0.0/32issubnetted,1subnets
S1.1.1.1[1/0]via172.16.1.1#VPNreverse-route
3.0.0.0/32issubnetted,1subnets
C3.3.3.3isdirectlyconnected,Loopback0
172.16.0.0/24issubnetted,1subnets
C172.16.2.0isdirectlyconnected,Serial1/0
S*0.0.0.0/0isdirectlyconnected,Serial1/0
DEBUG信息
SPOKE#debugcryptoisakmp
SPOKE#ping3.3.3.3sourceloop0repeat1
Typeescapesequencetoabort.
Sending1,100-byteICMPEchosto3.3.3.3,timeoutis2seconds:
Packetsentwithasourceaddressof1.1.1.1
*Mar101:
10:
12.683:
ISAKMP:
receivedkemessage(1/1)
(0:
0:
N/A:
0):
SArequestprofileis(NULL)
Createdapeerstructfor172.16.2.1,peerport5
Newpeercreatedpeer=0x649D5570peer_handle=
x80000012
Lockingpeerstruct0x649D5570,IKErefcount1fo
isakmp_initiator
localport500,remoteport500
setnewnode0toQM_IDLE
insertsasuccessfullysa=64596D00
SAhastunnelattributesset.
constructedNAT-Tvendor-07ID
constructedNAT-Tvendor-03ID
constructedNAT-Tvendor-02ID
12.691:
1:
SW:
1):
SAisdoingpre-sharedkeyauthenticati
nusingidtypeID_FQDN
ISAKMP(0:
134217729):
IDpayload
next-payload:
13
type:
2
FQDNname:
protocol:
17
port:
length:
18
Totalpayloadlength:
Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ
AM
OldState=IKE_READYNewState=IKE_
_AM1
beginningAggressiveModeexchange
sendingpacketto172.16.2.1my_port5
0peer_port500(I)AG_INIT_EXCH
12.799:
receivedpacketfrom172.16.2.1dpo
t500sport500Global(I)AG_INIT_EXCH
12.807:
processingSApayload.messageID=0
processingIDpayload.messageID=0
10
1
address.
Successrateis0percent(0/1)
SPOKE#:
12
:
peermatches*none*oftheprofiles
processingvendoridpayload
vendorIDisUnity
vendorIDisDPD
speakingtoanotherIOSbox!
SAusingtunnelpasswordaspre-shared
ey.
localpresharedkeyfound
ISAKMP:
Scanningprofilesforxauth...
CheckingISAKMPtransform1againstpri
rity10policy
encryptionDES-CBC
hashMD5
ISAKM
SPOKE#P:
defaultgroup2
authpre-share
lifetypeinseconds
lifeduration(VPI)of0x00x10x510x80
attsareacceptable.Nextpayloadis0
vendorIDisNAT-Tv7
processingKEpayload.messageID=0
12.823:
processingNONCEpayload.messageID=
SKEYIDstategenerated
processingHASHpayload.messageID=
SAauthenticationstatus:
authenticated
SAhasbeenauthenticatedwith172.16.2
1
Tryingtoinsertapeer172.16.1.1/172.16.2.1/500
SPOKE#,andinsertedsuccessfully649D5570.
升级会员 