拓扑图如下:



R1 上的基本配置
Router(config)#no ip do lo         关闭域名解析
Router(config)#line con 0        console 口配置
Router(config-line)#logg s        开启日志同步
Router(config-line)#no exec-t       关闭超时
Router(config-line)#exit
Router(config)#int lo 0           回环接口配置     
Router(config-if)#ip add 2.2.2.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int e0/0       e0/0 接口配置
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#^Z
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2      配置默认路由,由于 IPsec ××× 不支持动态路由故只有使用默认或静态路由
 
Router#ping 192.168.1.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/60/68 ms
 
Router(config)#crypto isakmp enable   启动 isakmp
Router(config)#crypto isakmp policy 10      定义 isakmp 策略集,以便端点之间建立 isakmp 对等体关系
Router(config-isakmp)#authentication pre-share         配置对等体验证方式为预共享密钥
Router(config-isakmp)#encryption 3des            配置消息交换加密方法为 3des
Router(config-isakmp)#group 5            使用 diffie-hellman 密钥交换参数为 1536
Router(config-isakmp)#hash sha             配置消息完整性算法 sha-1
Router(config-isakmp)#lifetime 86400      isakmp 建立 saD 寿命
Router(config)#crypto isakmp key cisco address 192.168.1.2        配置预共享密钥,密钥为 cisco ,远程对等体为 ip 地址 192.168.1.2
A pre-shared key for address mask 192.168.1.2 255.255.255.255 already exists
 
 
r2 的配置
 
 
Router(config)#no ip do lo         关闭域名
Router(config)#line console 0   console 口配置
Router(config-line)#logg s          日志同步
Router(config-line)#no exec-t        关闭超时
Router(config-line)#exit
Router(config)#int lo 0    回环接口配置
Router(config-if)#ip add 1.1.1.1 255.255.255.0
Router(config-if)#no sh
 
Router(config)#int e0/0     e0/0 接口配置
Router(config-if)#ip add 192.168.1.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1   配置默认路由
Router(config)#^Z
 
Router#sh ip route 查看路由表
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
 
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.1
Router#ping 2.2.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/57/76 ms
 
commands, one per line.  End with CNTL/Z.
Router(config)#crypto isakmp enable        r2 上配置同 r1 配置同
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication ?        
  pre-share  Pre-Shared Key             预共享密钥
  rsa-encr   Rivest-Shamir-Adleman Encryption         RSA 加密
 rsa-sig    Rivest-Shamir-Adleman Signature         RSA 签名
 
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption ?
  3des  Three key triple DES        3des 加密算法
  aes   AES - Advanced Encryption Standard.        高级加密标准
  des   DES - Data Encryption Standard (56 bit keys).  数据加密标准   
 
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 5       可选三种
Router(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
 
Router(config-isakmp)#hash ?     
  md5  Message Digest 5         MD5 散列算法
  sha  Secure Hash Standard      完整性算法
 
Router(config-isakmp)#hash sha  
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#exit
Router(config)#crypto isakmp key  cisco address 192.168.1.1
A pre-shared key for address mask 192.168.1.1 255.255.255.255 already exists
 
crypto ipsec transform-set 1233 esp-3des esp-md5-hmac      创建一个变换集 1233 ,交换数据被 MD5 保护
exit
crypto map R1×××10 ipsec-isakmp            建立 IPsec 加密映射,使用 isakmp 建立 IPsec sa ,以保护当前加密映射的指定数据库
set peer 192.168.1.2      指定对等体
set transform-set 1233     指定交换集
match address 100    引用扩展 ACL
 
crypto ipsec transform-set 1234 esp-3des esp-md5-hmac        同上
exit
crypto map R1×××10 ipsec-isakmp
set peer 192.168.1.1
set transform-set 1234
match address 100
 
r1 上的配置
 
Router(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0     定义保护什么样的数据流 IPsec 保护
Router(config)#int e0/0
Router(config-if)#crypto map R1×××    将加密映射到应用接口
Router(config-if)#^Z
 
r2 上的配置
Router(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0     同上
Router(config)#int e0/0
Router(config-if)#crypto map R2×××
Router(config-if)#^Z
 
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
 
*Mar  1 01:07:18.235: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,       
本地 ip 地址 192.168.1.1 ,目标地址 192.168.1.2
    local_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),   本地代理 2.2.2.2
    remote_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),  目的代理 1.1.1.1
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),    传输协议 esp
    lifedur= 3600s and 4608000kb,
    spi= 0x4D12771D(1293055773), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 01:07:18.239: ISAKMP: received ke message (1/1)   
*Mar  1 01:07:18.243: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 01:07:18.243: ISAKMP: local port 500, remote port 500
*Mar  1 01:07:18.243: ISAKMP: set new node 0 to QM_IDLE     
*Mar  1 01:07:18.243: ISAKMP: insert sa successfully sa = 63EA13F0
*Mar  1 01:07:18.243: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar  1 01:07:18.247: ISAKMP: Looking for a matching key for 192.168.1.2 in default :
success
*Mar  1 01:07:18.247: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar  1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar  1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar  1 01:07:18.247: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:07:18.251: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
IKE 协商开启,开始发送 isakmp 消息
*Mar  1 01:07:18.251: ISAKMP (0:1): beginning Main Mode exchange
IKE 主模式开启
*Mar  1 01:07:18.251: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) MM_NO_STATE
协商发起, 192.168.1.1 192.168.1.2. 应对于 r1 上的配置策略
*Mar  1 01:07:18.419: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
r1 r2 收到接受提议的回复
Global (I) MM_NO_STATE
*Mar  1 01:07:18.423: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:07:18.423: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
IKE 开始交换第二条消息
*Mar  1 01:07:18.423: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar  1 01:07:18.423: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.423: ISAKMP (0:1): vendor ID seems U.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/59/112 ms
Router#nity/DPD but major 245 mismatch
*Mar  1 01:07:18.427: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar  1 01:07:18.427: ISAKMP: Looking for a matching key for 192.168.1.2 in default :
success
*Mar  1 01:07:18.427: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:07:18.427: ISAKMP (0:1) local preshared key found
*Mar  1 01:07:18.427: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:07:18.427: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
策略核对,核对 IKE 阶段 1 ,路由器与远程对等体策略核对
*Mar  1 01:07:18.427: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:07:18.431: ISAKMP:      hash SHA
*Mar  1 01:07:18.431: ISAKMP:      default group 5
*Mar  1 01:07:18.431: ISAKMP:      auth pre-share
*Mar  1 01:07:18.431: ISAKMP:      life type in seconds
*Mar  1 01:07:18.431: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:07:18.431: ISAKMP (0:1): atts are acceptable. Next payload is 0
策略已经匹配,显示 atts 。下面开始进入 IKE 第二阶段
*Mar  1 01:07:18.535: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.535: ISAKMP
Router# (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:07:18.535: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar  1 01:07:18.535: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:07:18.535: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2
发送协商的第二条消息
*Mar  1 01:07:18.539: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) MM_SA_SETUP
R1 diffe-heffie-hellman 公开密钥值和临时值发送给 r2
*Mar  1 01:07:18.543: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:07:18.543: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
发送协商的第三条消息
*Mar  1 01:07:18.707: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) MM_SA_SETUP
收到 r2 r1 的回复信息
*Mar  1 01:07:18.711: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:07:18.711: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
发送协商的第四条消息
 
*Mar  1 01:07:18.711: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  1 01:07:18.827: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar
Router#  1 01:07:18.827: ISAKMP: Looking for a matching key for 192.168.1.2 in default :
success
*Mar  1 01:07:18.827: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:07:18.835: ISAKMP (0:1): SKEYID state generated
*Mar  1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.835: ISAKMP (0:1): vendor ID is Unity
*Mar  1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.835: ISAKMP (0:1): vendor ID is DPD
*Mar  1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.835: ISAKMP (0:1): speaking to another IOS box!
*Mar  1 01:07:18.835: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:07:18.835: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4
发送协商的第五条消息
*Mar  1 01:07:18.839: ISAKMP (0:1): Send initial contact
*Mar  1 01:07:18.839: ISAKMP (0:1): SA is doing pre-shared key authentication using id
type ID_IPV4_ADDR
*Mar  1 01:07:18.843: ISAKMP (0:1): ID payload
        next-
Router#payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:07:18.843: ISAKMP (1): Total payload length: 12
*Mar  1 01:07:18.847: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) MM_KEY_EXCH
*Mar  1 01:07:18.847: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:07:18.847: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
 
*Mar  1 01:07:18.915: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) MM_KEY_EXCH
r1 收到 r2 的响应, IKE 中的第六条信息
*Mar  1 01:07:18.919: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  1 01:07:18.919: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:07:18.919: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  1 01:07:18.923: ISAKMP (0:1): SA authentication status:
        authenticated
*Mar  1
Router#01:07:18.923: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
*Mar  1 01:07:18.923: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  1 01:07:18.923: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:07:18.927: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6
 
*Mar  1 01:07:18.927: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:07:18.927: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6
 
*Mar  1 01:07:18.931: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:07:18.931: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
主模式协商完成
*Mar  1 01:07:18.931: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1537451169
*Mar  1 01:07:18.939: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) QM_IDLE     
*Mar  1 01:07:18.939: ISAKMP (0:1): Node 1537451169, Input = IKE_MESG_INTERNAL,
IKE_INIT_QM
*Mar  1 01:07:18.939: ISAKMP (0:1): Old State = IKE_QM
Router#_READY  New State = IKE_QM_I_QM1
R1 发送快速协商的第一条消息,包含 IPsec 提议
*Mar  1 01:07:18.943: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:07:18.943: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State =
IKE_P1_COMPLETE
 
*Mar  1 01:07:19.291: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) QM_IDLE     
*Mar  1 01:07:19.295: ISAKMP (0:1): processing HASH payload. message ID = 1537451169
*Mar  1 01:07:19.299: ISAKMP (0:1): processing SA payload. message ID = 1537451169
*Mar  1 01:07:19.299: ISAKMP (0:1): Checking IPSec proposal 1
*Mar  1 01:07:19.299: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:07:19.299: ISAKMP:   attributes in transform:
*Mar  1 01:07:19.299: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 01:07:19.299: ISAKMP:      SA life type in seconds
*Mar  1 01:07:19.299: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:07:19.299: ISAKMP:      SA life type in kilobytes
*Mar  1 01:07:19.303: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0
Router#x0
*Mar  1 01:07:19.303: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:07:19.303: ISAKMP (0:1): atts are acceptable.
*Mar  1 01:07:19.303: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 01:07:19.307: IPSEC(kei_proxy): head = R1×××, map->ivrf = , kei->ivrf =
*Mar  1 01:07:19.311: ISAKMP (0:1): processing NONCE payload. message ID = 1537451169
*Mar  1 01:07:19.311: ISAKMP (0:1): processing ID payload. message ID = 1537451169
*Mar  1 01:07:19.311: ISAKMP (0:1): processing ID payload. message ID = 1537451169
*Mar  1 01:07:19.319: ISAKMP (0:1): Creating IPSec SAs
*Mar  1 01:07:19.323:         inbound SA from 192.168.1.2 to 192.168.1.1 (f/i)
Router#  0/ 0
        (proxy 1.1.1.1 to 2.2.2.2)
*Mar  1 01:07:19.323:         has spi 0x4D12771D and conn_id 2000 and flags 2
*Mar  1 01:07:19.323:         lifetime of 3600 seconds
*Mar  1 01:07:19.323:         lifetime of 4608000 kilobytes
*Mar  1 01:07:19.323:         has client flags 0x0
*Mar  1 01:07:19.323:         outbound SA from 192.168.1.1     to 192.168.1.2     (f/i) 
0/ 0 (proxy 2.2.2.2         to 1.1.1.1        )
*Mar  1 01:07:19.323:         has spi 984465209 and conn_id 2001 and flags A
*Mar  1 01:07:19.327:         lifetime of 3600 seconds
*Mar  1 01:07:19.327:         lifetime of 4608000 kilobytes
*Mar  1 01:07:19.327:         has client flags 0x0
*Mar  1 01:07:19.327: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) QM_IDLE      
*Mar  1 01:07:19.331: ISAKMP (0:1): deleting node 1537451169 error FALSE reason ""
*Mar  1 01:07:19.331: ISAKMP (0:1): Node 1537451169, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
*Mar  1 01:07:19.331: ISAKMP (0:1
Router#): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 01:07:19.331: IPSEC(key_engine): got a queue event...
*Mar  1 01:07:19.331: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
    remote_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x4D12771D(1293055773), conn_id= 2000, keysize= 0, flags= 0x2
*Mar  1 01:07:19.335: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
    remote_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x3AADBF39(984465209), conn_id= 2001, keysize= 0, flags= 0xA
*Mar  1 01:07:19.339: IPSEC(kei_proxy): head = R1×××, map->ivrf = , kei->ivrf =
*Mar  1 01:07
Router#:19.339: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies
and 192.168.1.2
*Mar  1 01:07:19.343: IPSEC(add mtree): src 2.2.2.2, dest 1.1.1.1, dest_port 0
 
*Mar  1 01:07:19.343: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_prot= 50,
    sa_spi= 0x4D12771D(1293055773),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
*Mar  1 01:07:19.343: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.2, sa_prot= 50,
    sa_spi= 0x3AADBF39(984465209),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
Router#sh crypto engine connections active      查看加密解密报文
 
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/0          192.168.1.1     set    HMAC_SHA+3DES_56_C        0        0
2000 Ethernet0/0          192.168.1.1     set    HMAC_MD5+3DES_56_C        0       39
2001 Ethernet0/0          192.168.1.1     set    HMAC_MD5+3DES_56_C       39        0
 
Router#sh  crypto isakmp sa  查看 IKE 阶段 1 的数据连接
dst             src             state          conn-id slot
192.168.1.2     192.168.1.1     QM_IDLE              1    0
 
Router#sh  crypto ipsec sa       连接 2 建立的 IPsec 数据连接
 
interface: Ethernet0/0
    Crypto map tag: R1×××, local addr. 192.168.1.1
   protected vrf:
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   current_peer: 192.168.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 39, #pkts encrypt: 39, #pkts digest 39
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify 39
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 3AADBF39
     inbound esp sas:
      spi: 0x4D12771D(1293055773)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: R1×××
        sa timing: remaining key lifetime (k/sec): (4515934/2784)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3AADBF39(984465209)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: R1×××
        sa timing: remaining key lifetime (k/sec): (4515934/2780)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
 
     outbound pcp sas: