2008-7-2 11:05:08
Configuring GRE over IPsec with SDM

hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit po max-events 100
!
!        
!
!
!
!
!
!
!
!
!
!
username norvel privilege 15 password 0 norvel
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.1.2
 set peer 192.168.1.2
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1420
 tunnel source Ethernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 half-duplex
 crypto map SDM_CMAP_1
!        
interface Ethernet1/0
 ip address 172.16.18.101 255.255.0.0
 half-duplex
!
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.1.2 255.255.255.255 Ethernet0/0
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 192.168.1.1 host 192.168.1.2
!
!
!
!
!
!
!
!
!        
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
!
end

 

 

 

 

 

hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit po max-events 100
!
!        
!
!
!
!
!
!
!
!
!
!
username norvel privilege 15 password 0 norvel
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.1.1
 set peer 192.168.1.1
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1420
 tunnel source Ethernet0/0
 tunnel destination 192.168.1.1
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 half-duplex
 crypto map SDM_CMAP_1
!        
interface Ethernet1/0
 ip address 172.16.18.102 255.255.0.0
 half-duplex
!
interface Ethernet2/0
 no ip address
 shutdown
 half-duplex
!
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.1.1 255.255.255.255 Ethernet0/0
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 192.168.1.2 host 192.168.1.1
!
!
!
!        
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
!
end
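
Both routers share the same management and crypto settings, and several of them are weak by current standards. The audit below is an added example, not part of the original post or of any Cisco tool: the rule names, the `audit` function and the choice of what to flag are assumptions made here, and the input is an excerpt of the R1 configuration shown above.

```python
import re

# Security-relevant lines copied from the R1 running-config above.
R1_CONFIG = """\
username norvel privilege 15 password 0 norvel
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.1.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip http server
ip http secure-server
line con 0
 exec-timeout 0 0
line vty 0 4
 login local
 transport input telnet ssh
"""

# (rule id, regex applied to one stripped config line, finding text)
RULES = [
    ("cleartext-password", r"^username \S+ .*\bpassword 0 ",
     "type 0 password is readable in the config; use 'secret'"),
    ("weak-ike-cipher", r"^encr (des|3des)$", "IKE policy uses a 64-bit block cipher"),
    ("weak-dh-group", r"^group (1|2|5)$", "IKE DH group of 1536 bits or less"),
    ("cleartext-psk", r"^crypto isakmp key \S+ address ",
     "pre-shared key is readable in the config"),
    ("weak-esp-cipher", r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b",
     "ESP transform uses a 64-bit block cipher"),
    ("http-mgmt", r"^ip http server$", "unencrypted HTTP management is enabled"),
    ("no-exec-timeout", r"^exec-timeout 0 0$", "idle sessions never time out"),
    ("telnet-vty", r"^transport input .*\btelnet\b", "Telnet is accepted on the vty"),
]

def audit(config):
    """Return [(line_no, section, rule_id, message)] for every rule hit."""
    findings, section = [], ""
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            section = line  # top-level command that owns the indented lines
        for rule_id, pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((number, section, rule_id, message))
    return findings

if __name__ == "__main__":
    for number, section, rule_id, message in audit(R1_CONFIG):
        print(f"line {number} [{section}] {rule_id}: {message}")
```

The same function can be run over the R2 configuration, which differs only in its addresses.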

 

 

 

 

 


R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug cry ipsec
Crypto IPSEC debugging is on
R1#ping 10.0.0.2 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1

*Mar  1 01:37:49.527: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.1.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x94530B(9720587), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 01:37:49.535: ISAKMP: received ke message (1/1)
*Mar  1 01:37:49.539: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 01:37:49.539: ISAKMP: local port 500, remote port 500
*Mar  1 01:37:49.543: ISAKMP: set new node 0 to QM_IDLE     
*Mar  1 01:37:49.543: ISAKMP: insert sa successfully sa = 63BD5830
*Mar  1 01:37:49.547: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar  1 01:37:49.547: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar  1 01:37:49.551: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:37:49.551: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar  1 01:37:49.555: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar  1 01:37:49.555: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar  1 01:37:49.555: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:37:49.559: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 01:37:49.559: ISAKMP (0:1): beginning Main Mode exchange
*Mar  1 01:37:49.559: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
.....
Success rate is 0 percent (0/5)
R1#
*Mar  1 01:37:59.563: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 01:37:59.563: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 01:37:59.563: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 01:37:59.567: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 01:37:59.743: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 01:37:59.747: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:37:59.747: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 01:37:59.751: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar  1 01:37:59.755: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:37:59.755: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:37:59.759: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar  1 01:37:59.759: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar  1 01:37:59.759: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:37:59.763: ISAKMP (0:1) local preshared key found
*Mar  1 01:37:59.763: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:37:59.763: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 01:37:59.767: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:37:59.767: ISAKMP:      hash SHA
*Mar  1 01:37:59.767: ISAKMP:      default group 2
*Mar  1 01:37:59.771: ISAKMP:      auth pre-share
*Mar  1 01:37:59.771: ISAKMP:      life type in seconds
*Mar  1 01:37:59.771: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:37:59.775: ISAKMP (0:1): atts are acceptable. Next payload is 0
*Mar  1 01:37:59.847: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:37:59.847: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:37:59.847: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar  1 01:37:59.847: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:37:59.847: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 01:37:59.847: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 01:37:59.847: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:37:59.847: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 01:37:59.995: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 01:37:59.999: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:37:59.999: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 01:38:00.003: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  1 01:38:00.079: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar  1 01:38:00.083: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar  1 01:38:00.083: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:38:00.095: ISAKMP (0:1): SKEYID state generated
*Mar  1 01:38:00.095: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:38:00.095: ISAKMP (0:1): vendor ID is Unity
*Mar  1 01:38:00.095: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:38:00.095: ISAKMP (0:1): vendor ID is DPD
*Mar  1 01:38:00.095: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:38:00.095: ISAKMP (0:1): speaking to another IOS box!
*Mar  1 01:38:00.095: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:38:00.095: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 01:38:00.095: ISAKMP (0:1): Send initial contact
*Mar  1 01:38:00.095: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:38:00.095: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:38:00.095: ISAKMP (1): Total payload length: 12
*Mar  1 01:38:00.095: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:38:00.095: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:38:00.099: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 01:38:00.195: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 01:38:00.199: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  1 01:38:00.203: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:38:00.207: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  1 01:38:00.211: ISAKMP (0:1): SA authentication status:
        authenticated
*Mar  1 01:38:00.211: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
*Mar  1 01:38:00.211: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  1 01:38:00.215: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:38:00.215: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 01:38:00.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:38:00.219: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 01:38:00.223: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:38:00.227: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 01:38:00.231: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 2071737075
*Mar  1 01:38:00.243: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 01:38:00.247: ISAKMP (0:1): Node 2071737075, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:38:00.247: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:38:00.247: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:38:00.251: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 01:38:00.587: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE     
*Mar  1 01:38:00.595: ISAKMP (0:1): processing HASH payload. message ID = 2071737075
*Mar  1 01:38:00.595: ISAKMP (0:1): processing SA payload. message ID = 2071737075
*Mar  1 01:38:00.599: ISAKMP (0:1): Checking IPSec proposal 1
*Mar  1 01:38:00.599: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:38:00.599: ISAKMP:   attributes in transform:
*Mar  1 01:38:00.599: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 01:38:00.603: ISAKMP:      SA life type in seconds
*Mar  1 01:38:00.603: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:38:00.603: ISAKMP:      SA life type in kilobytes
*Mar  1 01:38:00.607: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:38:00.607: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 01:38:00.611: ISAKMP (0:1): atts are acceptable.
*Mar  1 01:38:00.615: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.1.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 01:38:00.623: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf =
*Mar  1 01:38:00.627: ISAKMP (0:1): processing NONCE payload. message ID = 2071737075
*Mar  1 01:38:00.627: ISAKMP (0:1): processing ID payload. message ID = 2071737075
*Mar  1 01:38:00.627: ISAKMP (0:1): processing ID payload. message ID = 2071737075
*Mar  1 01:38:00.675: ISAKMP (0:1): Creating IPSec SAs
*Mar  1 01:38:00.675:         inbound SA from 192.168.1.2 to 192.168.1.1 (f/i)  0/ 0
        (proxy 192.168.1.2 to 192.168.1.1)
*Mar  1 01:38:00.675:         has spi 0x94530B and conn_id 2000 and flags 2
*Mar  1 01:38:00.675:         lifetime of 3600 seconds
*Mar  1 01:38:00.675:         lifetime of 4608000 kilobytes
*Mar  1 01:38:00.675:         has client flags 0x0
*Mar  1 01:38:00.675:         outbound SA from 192.168.1.1     to 192.168.1.2     (f/i)  0/ 0 (proxy 192.168.1.1     to 192.168.1.2    )
*Mar  1 01:38:00.675:         has spi -1355325657 and conn_id 2001 and flags A
*Mar  1 01:38:00.675:         lifetime of 3600 seconds
*Mar  1 01:38:00.675:         lifetime of 4608000 kilobytes
*Mar  1 01:38:00.675:         has client flags 0x0
*Mar  1 01:38:00.675: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 01:38:00.675: ISAKMP (0:1): deleting node 2071737075 error FALSE reason ""
*Mar  1 01:38:00.679: ISAKMP (0:1): Node 2071737075, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:38:00.679: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 01:38:00.683: IPSEC(key_engine): got a queue event...
*Mar  1 01:38:00.683: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 192.168.1.1/0.0.0.0/47/0 (type=1),
    remote_proxy= 192.168.1.2/0.0.0.0/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x94530B(9720587), conn_id= 2000, keysize= 0, flags= 0x2
*Mar  1 01:38:00.691: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 192.168.1.1/0.0.0.0/47/0 (type=1),
    remote_proxy= 192.168.1.2/0.0.0.0/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xAF375F27(2939641639), conn_id= 2001, keysize= 0, flags= 0xA
*Mar  1 01:38:00.699: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf =
*Mar  1 01:38:00.703: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.1.2
*Mar  1 01:38:00.707: IPSEC(add mtree): src 192.168.1.1, dest 192.168.1.2, dest_port 0

*Mar  1 01:38:00.707: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_prot= 50,
    sa_spi= 0x94530B(9720587),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
*Mar  1 01:38:00.711: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.2, sa_prot= 50,
    sa_spi= 0xAF375F27(2939641639),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001


R1#ping 10.0.0.2 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/100/160 ms
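
The first ping fails while the SAs are still being negotiated, and the second succeeds once they exist. The following added example (not from the original post) extracts the IKE state transitions and their timing from lines excerpted from the debug output above; `parse` and `summarize` are names chosen here, and all timestamps are assumed to fall within one day.

```python
import re

# Lines excerpted from the R1 debug capture above (not the full log).
DEBUG_EXCERPT = """\
*Mar  1 01:37:49.527: IPSEC(sa_request): ,
*Mar  1 01:37:49.559: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:37:59.563: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 01:37:59.747: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:37:59.847: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:37:59.999: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:38:00.099: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:38:00.215: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 01:38:00.227: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:38:00.247: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:38:00.679: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 01:38:00.711: IPSEC(create_sa): sa created,
"""

STAMP = re.compile(r"^\*\w{3}\s+\d+\s+(\d+):(\d+):(\d+\.\d+):\s*(.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")

def parse(log):
    """Return [(seconds_since_midnight, message)] for each timestamped line."""
    events = []
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:
            h, mi, s, msg = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + float(s), msg))
    return events

def summarize(log):
    events = parse(log)
    start = next(t for t, msg in events if "IPSEC(sa_request)" in msg)
    done = max(t for t, msg in events if "IPSEC(create_sa)" in msg)
    states, slowest, prev = [], None, start
    for t, msg in events:
        m = STATE.search(msg)
        if not m or m.group(1) == m.group(2):
            continue  # not a transition, or a self-transition such as MM2 -> MM2
        gap = round(t - prev, 3)  # seconds since the previous transition
        if slowest is None or gap > slowest[2]:
            slowest = (m.group(1), m.group(2), gap)
        states.append(m.group(2))
        prev = t
    return {
        "states": states,
        "retransmits": sum("retransmit phase 1" in msg for _, msg in events),
        "slowest": slowest,
        "setup_seconds": round(done - start, 3),
    }

if __name__ == "__main__":
    print(summarize(DEBUG_EXCERPT))
```

On this excerpt the slowest step is IKE_I_MM1 to IKE_I_MM2 at 10.188 s, which spans the phase 1 retransmit, and the SAs exist 11.184 s after the request, longer than the five 2-second timeouts of the first ping.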

 

 

 


R1#show crypto isakmp sa
dst             src             state          conn-id slot
192.168.1.2     192.168.1.1     QM_IDLE              1    0


R1#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: SDM_CMAP_1, local addr. 192.168.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
   current_peer: 192.168.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1420, ip mtu 1420, ip mtu idb Tunnel0
     current outbound spi: AF375F27

     inbound esp sas:
      spi: 0x94530B(9720587)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4513199/3416)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAF375F27(2939641639)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4513199/3415)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: SDM_CMAP_1, local addr. 192.168.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
   current_peer: 192.168.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1420, ip mtu 1420, ip mtu idb Tunnel0
     current outbound spi: AF375F27

     inbound esp sas:
      spi: 0x94530B(9720587)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4513199/3415)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAF375F27(2939641639)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4513199/3415)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:


