The topology is as follows:
Basic configuration on R1
Router(config)#no ip do lo
Disable DNS lookup
Router(config)#line con 0
Console port configuration
Router(config-line)#logg s
Enable synchronous logging
Router(config-line)#no exec-t
Disable the exec timeout
Router(config-line)#exit
Router(config)#int lo 0
Loopback interface configuration
Router(config-if)#ip add 2.2.2.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int e0/0
e0/0 interface configuration
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#^Z
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
Configure a default route. Because IPsec ××× does not support dynamic routing, only default or static routes can be used.
Router#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/60/68 ms
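Router(config)#crypto isakmp enable
Enable isakmp
Router(config)#crypto isakmp policy 10
Define an isakmp policy set so that the endpoints can establish an isakmp peer relationship
Router(config-isakmp)#authentication pre-share
Set the peer authentication method to pre-shared key
Router(config-isakmp)#encryption 3des
Set the encryption method for the message exchange to 3des
Router(config-isakmp)#group 5
Use 1536-bit Diffie-Hellman key exchange parameters
Router(config-isakmp)#hash sha
Set the message integrity algorithm to sha-1
Router(config-isakmp)#lifetime 86400
Lifetime of the sa established by isakmp
Router(config)#crypto isakmp key cisco address 192.168.1.2
Configure the pre-shared key: the key is cisco and the remote peer's ip address is 192.168.1.2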
A pre-shared key for address mask 192.168.1.2 255.255.255.255 already exists
Configuration of r2
Router(config)#no ip do lo
Disable domain name lookup
Router(config)#line console 0
Console port configuration
Router(config-line)#logg s
Synchronous logging
Router(config-line)#no exec-t
Disable the exec timeout
Router(config-line)#exit
Router(config)#int lo 0
Loopback interface configuration
Router(config-if)#ip add 1.1.1.1 255.255.255.0
Router(config-if)#no sh
Router(config)#int e0/0
e0/0 interface configuration
Router(config-if)#ip add 192.168.1.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Configure the default route
Router(config)#^Z
Router#sh ip route
View the routing table
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Ethernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.1
Router#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/57/76 ms
commands, one per line. End with CNTL/Z.
Router(config)#crypto isakmp enable
The configuration on r2 is the same as on r1
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
RSA encryption
rsa-sig Rivest-Shamir-Adleman Signature
RSA signature
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption ?
3des Three key triple DES
3des encryption algorithm
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 5
Three options are available
Router(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
Router(config-isakmp)#hash ?
md5 Message Digest 5
MD5 hash algorithm
sha Secure Hash Standard
Integrity algorithm
Router(config-isakmp)#hash sha
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#exit
Router(config)#crypto isakmp key cisco address 192.168.1.1
A pre-shared key for address mask 192.168.1.1 255.255.255.255 already exists
crypto ipsec transform-set 1233 esp-3des esp-md5-hmac
Create a transform set named 1233; the exchanged data is protected by MD5
exit
crypto map R1××× 10 ipsec-isakmp
Create an IPsec crypto map that uses isakmp to establish the IPsec sa, in order to protect the data specified by this crypto map
set peer 192.168.1.2
Specify the peer
set transform-set 1233
Specify the transform set
match address 100
Reference the extended ACL
crypto ipsec transform-set 1234 esp-3des esp-md5-hmac
Same as above
exit
crypto map R2××× 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set 1234
match address 100
Configuration on r1
Router(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
Define which data flows IPsec protects
Router(config)#int e0/0
Router(config-if)#crypto map R1×××
Apply the crypto map to the interface
Router(config-if)#^Z
Configuration on r2
Router(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
Same as above
Router(config)#int e0/0
Router(config-if)#crypto map R2×××
Router(config-if)#^Z
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
*Mar 1 01:07:18.235: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
Local ip address 192.168.1.1, destination address 192.168.1.2
local_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
Local proxy 2.2.2.2
remote_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
Destination proxy 1.1.1.1
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
Transport protocol esp
lifedur= 3600s and 4608000kb,
spi= 0x4D12771D(1293055773), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 01:07:18.239: ISAKMP: received ke message (1/1)
*Mar 1 01:07:18.243: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 01:07:18.243: ISAKMP: local port 500, remote port 500
*Mar 1 01:07:18.243: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:07:18.243: ISAKMP: insert sa successfully sa = 63EA13F0
*Mar 1 01:07:18.243: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 01:07:18.247: ISAKMP: Looking for a matching key for 192.168.1.2 in default :
success
*Mar 1 01:07:18.247: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar 1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 01:07:18.247: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 01:07:18.251: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
IKE negotiation begins and isakmp messages start being sent
*Mar 1 01:07:18.251: ISAKMP (0:1): beginning Main Mode exchange
IKE Main Mode begins
*Mar 1 01:07:18.251: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) MM_NO_STATE
Negotiation is initiated by 192.168.1.1 toward 192.168.1.2, corresponding to the policy configured on r1
*Mar 1 01:07:18.419: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) MM_NO_STATE
r1 receives from r2 the reply accepting the proposal
*Mar 1 01:07:18.423: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:07:18.423: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
IKE begins exchanging the second message
*Mar 1 01:07:18.423: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 01:07:18.423: ISAKMP (0:1): processing vendor id payload
*Mar 1 01:07:18.423: ISAKMP (0:1): vendor ID seems U.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/59/112 ms
Router#nity/DPD but major 245 mismatch
*Mar 1 01:07:18.427: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar 1 01:07:18.427: ISAKMP: Looking for a matching key for 192.168.1.2 in default :
success
*Mar 1 01:07:18.427: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar 1 01:07:18.427: ISAKMP (0:1) local preshared key found
*Mar 1 01:07:18.427: ISAKMP : Scanning profiles for xauth ...
*Mar 1 01:07:18.427: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Policy check: for IKE phase 1, the router checks its policy against the remote peer's
*Mar 1 01:07:18.427: ISAKMP: encryption 3DES-CBC
*Mar 1 01:07:18.431: ISAKMP: hash SHA
*Mar 1 01:07:18.431: ISAKMP: default group 5
*Mar 1 01:07:18.431: ISAKMP: auth pre-share
*Mar 1 01:07:18.431: ISAKMP: life type in seconds
*Mar 1 01:07:18.431: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 01:07:18.431: ISAKMP (0:1): atts are acceptable. Next payload is 0
The policies match, as the atts line shows. IKE now moves on to the second stage
*Mar 1 01:07:18.535: ISAKMP (0:1): processing vendor id payload
*Mar 1 01:07:18.535: ISAKMP
Router# (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 01:07:18.535: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar 1 01:07:18.535: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:07:18.535: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Sending the second negotiation message
*Mar 1 01:07:18.539: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) MM_SA_SETUP
R1 sends its Diffie-Hellman public key value and nonce to r2
*Mar 1 01:07:18.543: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:07:18.543: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Sending the third negotiation message
*Mar 1 01:07:18.707: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) MM_SA_SETUP
The reply from r2 to r1 is received
*Mar 1 01:07:18.711: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:07:18.711: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Sending the fourth negotiation message
*Mar 1 01:07:18.711: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 01:07:18.827: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar
Router# 1 01:07:18.827: ISAKMP: Looking for a matching key for 192.168.1.2 in default :
success
*Mar 1 01:07:18.827: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar 1 01:07:18.835: ISAKMP (0:1): SKEYID state generated
*Mar 1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar 1 01:07:18.835: ISAKMP (0:1): vendor ID is Unity
*Mar 1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar 1 01:07:18.835: ISAKMP (0:1): vendor ID is DPD
*Mar 1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar 1 01:07:18.835: ISAKMP (0:1): speaking to another IOS box!
*Mar 1 01:07:18.835: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:07:18.835: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Sending the fifth negotiation message
*Mar 1 01:07:18.839: ISAKMP (0:1): Send initial contact
*Mar 1 01:07:18.839: ISAKMP (0:1): SA is doing pre-shared key authentication using id
type ID_IPV4_ADDR
*Mar 1 01:07:18.843: ISAKMP (0:1): ID payload
next-
Router#payload : 8
type : 1
address : 192.168.1.1
protocol : 17
port : 500
length : 12
*Mar 1 01:07:18.843: ISAKMP (1): Total payload length: 12
*Mar 1 01:07:18.847: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) MM_KEY_EXCH
*Mar 1 01:07:18.847: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:07:18.847: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 01:07:18.915: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) MM_KEY_EXCH
r1 receives r2's response, the sixth IKE message
*Mar 1 01:07:18.919: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 01:07:18.919: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
*Mar 1 01:07:18.919: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 01:07:18.923: ISAKMP (0:1): SA authentication status:
authenticated
*Mar 1
Router#01:07:18.923: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
*Mar 1 01:07:18.923: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 01:07:18.923: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 01:07:18.927: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 01:07:18.927: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 01:07:18.927: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 01:07:18.931: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 01:07:18.931: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Main Mode negotiation is complete
*Mar 1 01:07:18.931: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1537451169
*Mar 1 01:07:18.939: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) QM_IDLE
*Mar 1 01:07:18.939: ISAKMP (0:1): Node 1537451169, Input = IKE_MESG_INTERNAL,
IKE_INIT_QM
*Mar 1 01:07:18.939: ISAKMP (0:1): Old State = IKE_QM
Router#_READY New State = IKE_QM_I_QM1
R1 sends the first Quick Mode message, which contains the IPsec proposal
*Mar 1 01:07:18.943: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 01:07:18.943: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
*Mar 1 01:07:19.291: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500
Global (I) QM_IDLE
*Mar 1 01:07:19.295: ISAKMP (0:1): processing HASH payload. message ID = 1537451169
*Mar 1 01:07:19.299: ISAKMP (0:1): processing SA payload. message ID = 1537451169
*Mar 1 01:07:19.299: ISAKMP (0:1): Checking IPSec proposal 1
*Mar 1 01:07:19.299: ISAKMP: transform 1, ESP_3DES
*Mar 1 01:07:19.299: ISAKMP: attributes in transform:
*Mar 1 01:07:19.299: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 01:07:19.299: ISAKMP: SA life type in seconds
*Mar 1 01:07:19.299: ISAKMP: SA life duration (basic) of 3600
*Mar 1 01:07:19.299: ISAKMP: SA life type in kilobytes
*Mar 1 01:07:19.303: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0
Router#x0
*Mar 1 01:07:19.303: ISAKMP: authenticator is HMAC-MD5
*Mar 1 01:07:19.303: ISAKMP (0:1): atts are acceptable.
*Mar 1 01:07:19.303: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 01:07:19.307: IPSEC(kei_proxy): head = R1×××, map->ivrf = , kei->ivrf =
*Mar 1 01:07:19.311: ISAKMP (0:1): processing NONCE payload. message ID = 1537451169
*Mar 1 01:07:19.311: ISAKMP (0:1): processing ID payload. message ID = 1537451169
*Mar 1 01:07:19.311: ISAKMP (0:1): processing ID payload. message ID = 1537451169
*Mar 1 01:07:19.319: ISAKMP (0:1): Creating IPSec SAs
*Mar 1 01:07:19.323: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i)
Router# 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
*Mar 1 01:07:19.323: has spi 0x4D12771D and conn_id 2000 and flags 2
*Mar 1 01:07:19.323: lifetime of 3600 seconds
*Mar 1 01:07:19.323: lifetime of 4608000 kilobytes
*Mar 1 01:07:19.323: has client flags 0x0
*Mar 1 01:07:19.323: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i)
0/ 0 (proxy 2.2.2.2 to 1.1.1.1 )
*Mar 1 01:07:19.323: has spi 984465209 and conn_id 2001 and flags A
*Mar 1 01:07:19.327: lifetime of 3600 seconds
*Mar 1 01:07:19.327: lifetime of 4608000 kilobytes
*Mar 1 01:07:19.327: has client flags 0x0
*Mar 1 01:07:19.327: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port
500 (I) QM_IDLE
*Mar 1 01:07:19.331: ISAKMP (0:1): deleting node 1537451169 error FALSE reason ""
*Mar 1 01:07:19.331: ISAKMP (0:1): Node 1537451169, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
*Mar 1 01:07:19.331: ISAKMP (0:1
Router#): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 01:07:19.331: IPSEC(key_engine): got a queue event...
*Mar 1 01:07:19.331: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
remote_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x4D12771D(1293055773), conn_id= 2000, keysize= 0, flags= 0x2
*Mar 1 01:07:19.335: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
remote_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3AADBF39(984465209), conn_id= 2001, keysize= 0, flags= 0xA
*Mar 1 01:07:19.339: IPSEC(kei_proxy): head = R1×××, map->ivrf = , kei->ivrf =
*Mar 1 01:07
Router#:19.339: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies
and 192.168.1.2
*Mar 1 01:07:19.343: IPSEC(add mtree): src 2.2.2.2, dest 1.1.1.1, dest_port 0
*Mar 1 01:07:19.343: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_prot= 50,
sa_spi= 0x4D12771D(1293055773),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
*Mar 1 01:07:19.343: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_prot= 50,
sa_spi= 0x3AADBF39(984465209),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
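An added example (not part of the original post): a Python check that reads ISAKMP debug output like the R1 capture above, recovers the IKE state transitions even where the console prompt was reprinted in the middle of a message, and lists the negotiated values it treats as legacy. The `LEGACY` policy, the function names and the sample lines are assumptions of this example.

```python
import re

PROMPT = "Router#"  # console prompt that gets reprinted in the middle of debug lines

# This example's own policy (an assumption, not from the page): values treated as legacy.
LEGACY = {"ike_encryption": {"3DES-CBC"}, "ike_dh_group": {"1", "2", "5"},
          "esp_cipher": {"ESP_3DES"}, "esp_auth": {"HMAC-MD5"}}

FIELDS = {  # attribute lines as they appear in the debug output on this page
    "ike_encryption": r"ISAKMP:\s+encryption (\S+)",
    "ike_hash": r"ISAKMP:\s+hash (\S+)",
    "ike_dh_group": r"ISAKMP:\s+default group (\d+)",
    "ike_auth": r"ISAKMP:\s+auth (\S+)",
    "esp_cipher": r"ISAKMP:\s+transform \d+, (\S+)",
    "esp_auth": r"ISAKMP:\s+authenticator is (\S+)",
}

# Constructed sample modelled on the R1 capture (one prompt splice, one wrapped line).
SAMPLE = """\
*Mar 1 01:07:18.251: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 01:07:18.427: ISAKMP: encryption 3DES-CBC
*Mar 1 01:07:18.431: ISAKMP: hash SHA
*Mar 1 01:07:18.431: ISAKMP: default group 5
*Mar 1 01:07:18.431: ISAKMP: auth pre-share
*Mar 1 01:07:18.931: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 01:07:18.939: ISAKMP (0:1): Old State = IKE_QM
Router#_READY New State = IKE_QM_I_QM1
*Mar 1 01:07:18.943: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
*Mar 1 01:07:19.299: ISAKMP: transform 1, ESP_3DES
*Mar 1 01:07:19.303: ISAKMP: authenticator is HMAC-MD5
*Mar 1 01:07:19.331: ISAKMP (0:1
Router#): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

def unsplice(text):
    """Remove prompts reprinted mid-message so split log lines rejoin."""
    return text.replace("\n" + PROMPT, "")

def transitions(text):
    """Return (old, new) IKE state pairs; the whitespace match tolerates wrapped lines."""
    return re.findall(r"Old State = (\S+)\s+New State =\s+(\S+)", unsplice(text))

def audit(text):
    """Summarise phase completion and flag negotiated values listed in LEGACY."""
    clean = unsplice(text)
    reached = {new for _, new in transitions(text)}
    found = {k: m.group(1) for k, p in FIELDS.items() if (m := re.search(p, clean))}
    legacy = sorted(f"{k}={v}" for k, v in found.items() if v in LEGACY.get(k, ()))
    return {"phase1_done": "IKE_P1_COMPLETE" in reached, "negotiated": found,
            "phase2_done": "IKE_QM_PHASE2_COMPLETE" in reached, "legacy": legacy}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a full capture, `unsplice` also joins typed command lines such as `Router#sh ...` onto the preceding line, which does not affect the patterns used here.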
Router#sh crypto engine connections active
View the encrypted and decrypted packet counts
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/0 192.168.1.1 set HMAC_SHA+3DES_56_C 0 0
2000 Ethernet0/0 192.168.1.1 set HMAC_MD5+3DES_56_C 0 39
2001 Ethernet0/0 192.168.1.1 set HMAC_MD5+3DES_56_C 39 0
Router#sh crypto isakmp sa
View the IKE phase 1 data connection
dst src state conn-id slot
192.168.1.2 192.168.1.1 QM_IDLE 1 0
Router#sh crypto ipsec sa
The IPsec data connection established by connection 2
interface: Ethernet0/0
Crypto map tag: R1×××, local addr. 192.168.1.1
protected vrf:
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
current_peer: 192.168.1.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 39, #pkts encrypt: 39, #pkts digest 39
#pkts decaps: 39, #pkts decrypt: 39, #pkts verify 39
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 3AADBF39
inbound esp sas:
spi: 0x4D12771D(1293055773)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: R1×××
sa timing: remaining key lifetime (k/sec): (4515934/2784)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3AADBF39(984465209)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: R1×××
sa timing: remaining key lifetime (k/sec): (4515934/2780)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas: