IPsec VPN configuration example (ipsecvpn配置实例.doc)

Uploaded by: xrp****65   Document ID: 6548975   Upload date: 2024-12-13   Format: DOC   Pages: 9   Size: 27.25KB
Experiment objective

Implement an IPsec VPN with the simplest possible configuration.

Experiment topology

Key configuration points

R1:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3 255.255.255.0
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set ccie
 match address 100
interface Serial1/1
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map VPN

R3:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set cisco
 match address 100
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
 crypto map VPN

Verification

Enable debugging on R3 and watch the exchange:

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/57/164 ms

R3#
*Jul 27 20:03:31.910: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Jul 27 20:03:31.914: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Jul 27 20:03:31.914: ISAKMP: New peer created peer = 0x65B5BB30 peer_handle = 0x80000005
*Jul 27 20:03:31.918: ISAKMP: Locking peer struct 0x65B5BB30, refcount 1 for crypto_isakmp_process_block
*Jul 27 20:03:31.922: ISAKMP: local port 500, remote port 500
*Jul 27 20:03:31.926: insert sa successfully sa = 65B77620
*Jul 27 20:03:31.930: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  (IKE phase 1: first packet exchange)
*Jul 27 20:03:31.946: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 27 20:03:31.950: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.950: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.962: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:31.962: ISAKMP:(0): local preshared key found
*Jul 27 20:03:31.962: ISAKMP : Scanning profiles for xauth ...
*Jul 27 20:03:31.962: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 27 20:03:31.966: ISAKMP:      encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP:      hash MD5
*Jul 27 20:03:31.966: ISAKMP:      default group 1
*Jul 27 20:03:31.966: ISAKMP:      auth pre-share
*Jul 27 20:03:31.966: ISAKMP:      life type in seconds
*Jul 27 20:03:31.966: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jul 27 20:03:31.966: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 27 20:03:31.970: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.970: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:31.970: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jul 27 20:03:31.974: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
  (Sends the negotiation packet to the peer "13.1.1.3"; source port 500, destination port 500)
*Jul 27 20:03:31.974: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:31.978: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 27 20:03:32.026: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.026: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Jul 27 20:03:32.026: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 27 20:03:32.054: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 27 20:03:32.058: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:32.058: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is Unity
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is DPD
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): speaking to another IOS box!
*Jul 27 20:03:32.062: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.062: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.066: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.066: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul 27 20:03:32.122: ISAKMP:(1002): processing ID payload. message ID = 0
*Jul 27 20:03:32.122: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 12.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jul 27 20:03:32.122: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 27 20:03:32.126: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jul 27 20:03:32.126: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 65B77620
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status:
        authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002):SA has been authenticated with 12.1.1.1
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status:
        authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002): Process initial contact, bring down existing phase 1 and 2 SA's with local 23.1.1.3 remote 12.1.1.1 remote port 500
*Jul 27 20:03:32.130: ISAKMP: Trying to insert a peer 23.1.1.3/12.1.1.1/500/,  and inserted successfully 65B5BB30.
*Jul 27 20:03:32.130: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.130: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Jul 27 20:03:32.130: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.134: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 27 20:03:32.134: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 23.1.1.3
        protocol     : 17
        port         : 500
        length       : 12
*Jul 27 20:03:32.134: ISAKMP:(1002):Total payload length: 12
*Jul 27 20:03:32.134: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.134: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
  (Phase 1 complete.)
*Jul 27 20:03:32.142: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 27 20:03:32.142: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.158: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.158: ISAKMP: set new node -1769201649 to QM_IDLE
*Jul 27 20:03:32.162: ISAKMP:(1002): processing HASH payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002): processing SA payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002):Checking IPSec proposal 1
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP:   attributes in transform:
*Jul 27 20:03:32.162: ISAKMP:      encaps is 1 (Tunnel)
*Jul 27 20:03:32.162: ISAKMP:      SA life type in seconds
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (basic) of 3600
*Jul 27 20:03:32.162: ISAKMP:      SA life type in kilobytes
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP:      authenticator is HMAC-MD5
*Jul 27 20:03:32.162: ISAKMP:(1002):atts are acceptable.
  (Policies match; the negotiation is complete.)
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 23.1.1.3, remote= 12.1.1.1,
    local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 27 20:03:32.166: Crypto mapdb : proxy_match
        src addr     : 3.3.3.0
        dst addr     : 1.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 27 20:03:32.170: ISAKMP:(1002): processing NONCE payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002):QM Responder gets spi
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.170: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Jul 27 20:03:32.170: ISAKMP:(1002): Creating IPSec SAs
  (Creating the IPsec SAs.)
*Jul 27 20:03:32.170:         inbound SA from 12.1.1.1 to 23.1.1.3 (f/i)  0/ 0
        (proxy 1.1.1.0 to 3.3.3.0)
*Jul 27 20:03:32.170:         has spi 0x12160605 and conn_id 0
*Jul 27 20:03:32.170:         lifetime of 3600 seconds
*Jul 27 20:03:32.170:         lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170:         outbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/0
        (proxy 3.3.3.0 to 1.1.1.0)
*Jul 27 20:03:32.170:         has spi  0xDD947DA9 and conn_id 0
*Jul 27 20:03:32.170:         lifetime of 3600 seconds
*Jul 27 20:03:32.170:         lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 27 20:03:32.174: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Jul 27 20:03:32.178: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.178: Crypto mapdb : proxy_match
        src addr     : 3.3.3.0
        dst addr     : 1.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 27 20:03:32.182: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 12.1.1.1
*Jul 27 20:03:32.182: IPSEC(policy_db_add_ident): src 3.3.3.0, dest 1.1.1.0, dest_port 0
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
  (sa) sa_dest= 23.1.1.3, sa_proto= 50,
    sa_spi= 0x12160605(303433221),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 50,
    sa_spi= 0xDD947DA9(3717496233),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
*Jul 27 20:03:32.210: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.210: ISAKMP:(1002):deleting node -1769201649 error FALSE reason "QM done (await)"
*Jul 27 20:03:32.210: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.210: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
  (Phase 2 complete.)
*Jul 27 20:03:32.214: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): enable SA with spi 3717496233/50
*Jul 27 20:03:32.214: IPSEC(update_current_outbound_sa): updated peer 12.1.1.1 current outbound sa to SPI DD947DA9

Finally, look at R2's routing table once more:

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback10
     23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial1/1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial1/0

As you can see, R2 has neither of those two routes at all.
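The R3 debug above is long, and on a real router it is usually longer; the interesting facts are the Old State/New State transitions, the two phase-completion markers, the algorithms actually agreed, and the SPIs of the resulting IPsec SAs. The following Python script is an added example, not part of the lab document and not a Cisco tool: it parses `debug crypto isakmp` / `debug crypto ipsec` output in the format shown, reports those facts, and lists any agreed algorithm (DES, MD5) that current guidance treats as deprecated. `SAMPLE_DEBUG` is constructed from a subset of the R3 lines above; IOS wraps a single record over several lines, so the parser first glues continuation lines back onto the record that starts with `*`.

```python
"""Summarise a Cisco IOS ISAKMP/IPsec debug capture (added example, not from the lab)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the R3 debug lines in the page's format.
SAMPLE_DEBUG = """\
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jul 27 20:03:31.966: ISAKMP:      encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP:      hash MD5
*Jul 27 20:03:31.966: ISAKMP:      auth pre-share
*Jul 27 20:03:31.978: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul 27 20:03:32.126: ISAKMP:(1002):SA has been authenticated with 12.1.1.1
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP:      authenticator is HMAC-MD5
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,   (sa) sa_dest= 23.1.1.3, sa_proto= 50,     sa_spi= 0x12160605(303433221),     sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,   (sa) sa_dest= 12.1.1.1, sa_proto= 50,     sa_spi= 0xDD947DA9(3717496233),     sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
*Jul 27 20:03:32.210: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+(?:\.\d+){3})")
IKE_ENC_RE = re.compile(r"ISAKMP:\s+encryption (\S+)")
IKE_HASH_RE = re.compile(r"ISAKMP:\s+hash (\S+)")
ESP_TRANS_RE = re.compile(r"ISAKMP: transform \d+, (ESP_\S+)")
ESP_AUTH_RE = re.compile(r"authenticator is (\S+)")
SA_RE = re.compile(r"sa_dest= (\S+), sa_proto= (\d+),\s+sa_spi= (0x[0-9A-Fa-f]+)\((\d+)\)")

# Algorithm names as IOS prints them that current guidance treats as deprecated.
DEPRECATED = {"DES-CBC", "MD5", "ESP_DES", "HMAC-MD5"}


@dataclass
class IkeSummary:
    transitions: list = field(default_factory=list)   # (old, new) pairs in capture order
    authenticated_peer: Optional[str] = None
    ike_encryption: Optional[str] = None
    ike_hash: Optional[str] = None
    esp_transform: Optional[str] = None
    esp_auth: Optional[str] = None
    ipsec_sas: list = field(default_factory=list)      # (dest, proto, spi_hex, spi_dec)

    @property
    def last_state(self) -> Optional[str]:
        return self.transitions[-1][1] if self.transitions else None

    @property
    def phase1_complete(self) -> bool:
        return any(new == "IKE_P1_COMPLETE" for _, new in self.transitions)

    @property
    def phase2_complete(self) -> bool:
        return any(new == "IKE_QM_PHASE2_COMPLETE" for _, new in self.transitions)

    def deprecated_algorithms(self) -> list:
        chosen = {self.ike_encryption, self.ike_hash, self.esp_transform, self.esp_auth}
        return sorted(a for a in chosen if a in DEPRECATED)


def join_continuations(text: str) -> list:
    """IOS wraps one debug record over several lines; only the first starts with '*'.
    Glue continuation lines back onto their record so one regex sees the whole thing."""
    records = []
    for line in text.splitlines():
        if line.startswith("*") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_isakmp_debug(text: str) -> IkeSummary:
    s = IkeSummary()
    for rec in join_continuations(text):
        if m := STATE_RE.search(rec):
            s.transitions.append((m.group(1), m.group(2)))
        elif m := AUTH_RE.search(rec):
            s.authenticated_peer = m.group(1)
        elif m := IKE_ENC_RE.search(rec):
            s.ike_encryption = m.group(1)
        elif m := IKE_HASH_RE.search(rec):
            s.ike_hash = m.group(1)
        elif m := ESP_TRANS_RE.search(rec):
            s.esp_transform = m.group(1)
        elif m := ESP_AUTH_RE.search(rec):
            s.esp_auth = m.group(1)
        elif m := SA_RE.search(rec):
            s.ipsec_sas.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return s


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    for old, new in summary.transitions:
        print(f"{old:>22} -> {new}")
    print("phase 1 complete:", summary.phase1_complete, "| phase 2 complete:", summary.phase2_complete)
    print("peer:", summary.authenticated_peer, "| IKE:", summary.ike_encryption, summary.ike_hash,
          "| ESP:", summary.esp_transform, summary.esp_auth)
    for dest, proto, spi_hex, _ in summary.ipsec_sas:
        print(f"IPsec SA to {dest} proto {proto} spi {spi_hex}")
    print("deprecated algorithms in use:", summary.deprecated_algorithms())
```

Run against a real capture, `last_state` tells you where a failed negotiation stopped: a capture that never reaches `IKE_P1_COMPLETE` usually points at the `crypto isakmp policy` or the pre-shared key, while `IKE_P1_COMPLETE` without `IKE_QM_PHASE2_COMPLETE` usually points at the transform set or the crypto ACL (`match address 100` here, which the lab does not show but whose effect is visible in the `local_proxy`/`remote_proxy` lines).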