Platform: Cisco 1841, Cisco 871
IOS:c1841-advsecurityk9-mz.124-13b.bin,
(lo0:192.168.1.254)----RTRA(f4:10.1.1.21)-----------------------(f0/1:10.1.1.20)RTRB----(lo0:192.168.2.254)
RTRA#sh run
Building configuration...
Current configuration : 1578 bytes
!
! RTRA running configuration. The interface naming FastEthernet0..4 suggests this
! is the Cisco 871 listed on the platform line at the top of the page -- confirm.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password encryption is disabled, so 'enable password cisco' and the
! vty password further down are stored and displayed in clear text. 'enable secret'
! (hashed) plus 'service password-encryption' would avoid clear-text storage.
no service password-encryption
!
hostname RTRA
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip domain lookup
!
!
!
!
!
!
! IKE phase 1 policy: AES, MD5 hash, pre-shared-key authentication, DH group 2.
! NOTE(review): MD5 and DH group 2 are weak by current guidance; SHA and a larger
! group are preferable where both platforms support them.
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
! Pre-shared key for peer RTRB (10.1.1.20); it appears in clear text in this config.
! 'no-xauth' disables extended authentication for this site-to-site peer.
crypto isakmp key cisco123 address 10.1.1.20 no-xauth
!
!
! IPsec phase 2 proposal; the set is named after the peer (RTRB), not this router.
crypto ipsec transform-set RTRB esp-aes esp-md5-hmac
!
! Crypto map mymap: peer RTRB, the transform set above, and ACL RTRB (below) as the
! interesting-traffic selector. Applied on FastEthernet4.
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.20
set transform-set RTRB
match address RTRB
!
!
! Loopback0 stands in for the local LAN (192.168.1.0/24) that the tunnel protects.
interface Loopback0
ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Link toward RTRB (10.1.1.20); the crypto map is bound here.
! NOTE(review): the 'perimeter' ACL defined below is not applied to this interface,
! whereas RTRB applies its copy with 'ip access-group perimeter in'. If inbound
! filtering of the tunnel link is intended on both sides, add the same here.
interface FastEthernet4
ip address 10.1.1.21 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
no ip mroute-cache
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map mymap
!
! NOTE(review): the next hop 10.1.1.21 is this router's own FastEthernet4 address;
! RTRB is 10.1.1.20 (see 'set peer' above, and RTRB's mirror route, which points at
! 10.1.1.21 correctly). This looks like a typo and presumably leaves 192.168.2.0/24
! unreachable, so no traffic would match the crypto map -- confirm.
ip route 192.168.2.0 255.255.255.0 10.1.1.21
!
no ip http server
no ip http secure-server
!
! Interesting traffic for the tunnel: local LAN to RTRB's LAN. RTRB's ACL 'RTRA'
! is the mirror image.
ip access-list extended RTRB
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Inbound filter for the tunnel link: IKE (UDP 500) and ESP from the peer only,
! plus remote-LAN to local-LAN traffic (presumably the decrypted inner packets);
! everything else is dropped. Defined but not applied on any interface in this
! configuration.
ip access-list extended perimeter
permit udp host 10.1.1.20 host 10.1.1.21 eq isakmp
permit esp host 10.1.1.20 host 10.1.1.21
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any any
!
!
!
!
control-plane
!
!
! NOTE(review): 'exec-timeout 0 0' disables the console idle timeout.
line con 0
exec-timeout 0 0
no modem enable
line aux 0
! NOTE(review): vty access uses a clear-text line password with 'login' (no local
! users, 'no aaa new-model'). No 'transport input' line is shown, so Telnet is
! presumably still accepted -- confirm; 'transport input ssh' with 'login local'
! would be the safer combination.
line vty 0 4
password cisco
login
!
scheduler max-task-time 5000
end
!
! NOTE: verbatim second copy of RTRA's running configuration (the 'sh run' output
! appears to have been pasted twice); the copy above is the one to read.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTRA
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip domain lookup
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.1.20 no-xauth
!
!
crypto ipsec transform-set RTRB esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.20
set transform-set RTRB
match address RTRB
!
!
interface Loopback0
ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.1.1.21 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
no ip mroute-cache
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map mymap
!
ip route 192.168.2.0 255.255.255.0 10.1.1.21
!
no ip http server
no ip http secure-server
!
ip access-list extended RTRB
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended perimeter
permit udp host 10.1.1.20 host 10.1.1.21 eq isakmp
permit esp host 10.1.1.20 host 10.1.1.21
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any any
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
scheduler max-task-time 5000
end
RTRA#
RTRB#
RTRB#sh run
Building configuration...
Current configuration : 1639 bytes
!
! RTRB running configuration. The FastEthernet0/x and Serial0/0/0 naming suggests
! this is the Cisco 1841 listed on the platform line at the top of the page -- confirm.
! NOTE(review): the 'show' output later on this page reports esp-3des and peer
! addresses 193.1.1.x, which does not match this configuration (esp-aes, 10.1.1.x);
! that output was presumably captured from a different session or addressing plan.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password encryption is disabled, so 'enable password cisco' and the
! vty password below are stored in clear text; 'enable secret' is the hashed form.
no service password-encryption
!
hostname RTRB
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
! IKE phase 1 policy, matching RTRA: AES, MD5 hash, pre-shared key, DH group 2.
! NOTE(review): MD5 and DH group 2 are weak by current guidance.
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
! Pre-shared key for peer RTRA (10.1.1.21), stored in clear text; must equal the
! key configured on RTRA.
crypto isakmp key cisco123 address 10.1.1.21 no-xauth
!
!
! IPsec phase 2 proposal, named after the peer (RTRA); mirrors RTRA's set.
crypto ipsec transform-set RTRA esp-aes esp-md5-hmac
!
!
!
! Crypto map mymap: peer RTRA, the transform set above, and ACL RTRA (below) as the
! interesting-traffic selector. Applied on FastEthernet0/1.
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.21
set transform-set RTRA
match address RTRA
!
!
!
!
! Loopback0 stands in for the local LAN (192.168.2.0/24) that the tunnel protects.
interface Loopback0
ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
! Link toward RTRA (10.1.1.21): the 'perimeter' ACL filters inbound traffic and the
! crypto map is bound here. 'ip tcp adjust-mss 1300' clamps the MSS of transit TCP
! sessions (presumably to leave room for ESP overhead); RTRA uses 'ip mtu 1492'
! instead -- confirm that the asymmetry is intentional.
interface FastEthernet0/1
ip address 10.1.1.20 255.255.255.0
ip access-group perimeter in
no ip redirects
ip virtual-reassembly
ip tcp adjust-mss 1300
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
! Unused serial interface: clock rate set, no address configured.
interface Serial0/0/0
no ip address
clock rate 2000000
!
! Route to RTRA's LAN via RTRA's link address (10.1.1.21); this is the traffic the
! crypto map encrypts. RTRA's mirror route points at its own address instead.
ip route 192.168.1.0 255.255.255.0 10.1.1.21
!
no ip http server
no ip http secure-server
!
! Interesting traffic: local LAN to RTRA's LAN; mirror image of RTRA's ACL 'RTRB'.
ip access-list extended RTRA
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! Inbound filter on FastEthernet0/1: IKE (UDP 500) and ESP from the RTRA peer only,
! plus remote-LAN to local-LAN traffic (presumably the decrypted inner packets);
! everything else, including any direct access to 10.1.1.20 other than IKE/ESP,
! is dropped by the final deny.
ip access-list extended perimeter
permit udp host 10.1.1.21 host 10.1.1.20 eq isakmp
permit esp host 10.1.1.21 host 10.1.1.20
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any any
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
! NOTE(review): vty sessions never time out ('exec-timeout 0 0') and authenticate
! with a clear-text line password ('login', no local users or AAA). No 'transport
! input' line is shown, so Telnet is presumably still accepted -- confirm.
line vty 0 4
exec-timeout 0 0
password cisco
login
!
scheduler allocate 20000 1000
end
!
! NOTE: verbatim second copy of RTRB's running configuration (the 'sh run' output
! appears to have been pasted twice); the copy above is the one to read.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTRB
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.1.21 no-xauth
!
!
crypto ipsec transform-set RTRA esp-aes esp-md5-hmac
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.21
set transform-set RTRA
match address RTRA
!
!
!
!
interface Loopback0
ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.20 255.255.255.0
ip access-group perimeter in
no ip redirects
ip virtual-reassembly
ip tcp adjust-mss 1300
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0/0
no ip address
clock rate 2000000
!
ip route 192.168.1.0 255.255.255.0 10.1.1.21
!
no ip http server
no ip http secure-server
!
ip access-list extended RTRA
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended perimeter
permit udp host 10.1.1.21 host 10.1.1.20 eq isakmp
permit esp host 10.1.1.21 host 10.1.1.20
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any any
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
login
!
scheduler allocate 20000 1000
end
RTRB#show crypto isakmp sa
dst src state conn-id slot status
193.1.1.21 193.1.1.20 QM_IDLE 1 0 ACTIVE
- If you can see the above entry and the state is “QM_IDLE”, then IKE phase 1 has completed successfully. This confirms phase 1 only; the IPsec (phase 2) security associations are checked with the "show crypto ipsec sa" output that follows.
RTRB#sh cry ip sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 193.1.1.20
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 193.1.1.21 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 193.1.1.20, remote crypto endpt.: 193.1.1.21
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x874E7AAE(2270067374)
inbound esp sas:
spi: 0xEBF15B24(3958463268)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4391461/2784)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x874E7AAE(2270067374)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4391461/2750)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
RTRB#
RTRB#
RTRB#sh crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 193.1.1.20 set HMAC_MD5+3DES_56_C 0 0
3001 FastEthernet0/0 193.1.1.20 set 3DES+MD5 0 4
3002 FastEthernet0/0 193.1.1.20 set 3DES+MD5 4 0
RTRB#