IPSec***建立在两个NAT路由器上

1、测试拓扑：

2、相关说明：

实际的网络情况中，Site1和Site2之间要建立IPSec ×××，已让 Site后面的内网网段互通。但是实际的情况往往也有访问internet的需求，所以一般会有NAT的情况，例如这里的情况和一般的NAT-T不一样。做×××的设备和NAT的设备一样。

 

3、相关配置：

R1：

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2 

crypto isakmp key cisco address 12.1.1.2

!

!

crypto ipsec transform-set Trans esp-3des esp-md5-hmac

!

crypto map cisco 10 ipsec-isakmp

 set peer 12.1.1.2

 set transform-set Trans

 match address ***

!

!

!

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly

!

interface Ethernet0/0

 ip address 12.1.1.1 255.255.255.0

 ip nat outside

 ip virtual-reassembly

 half-duplex

 crypto map cisco

!

ip route 2.2.2.0 255.255.255.0 12.1.1.2 >>>>这条静态路由，是为了让流量撞上×××触发流量

!

!

ip nat inside source list nat interface Ethernet0/0 overload

!

!

ip access-list extended nat

 deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 >>>>这里是为了不让1.1.1.1访问2.2.2.2的流量撞上NAT

 permit ip any any

ip access-list extended ***

 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R2：

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2 

crypto isakmp key cisco address 12.1.1.1

!

!

crypto ipsec transform-set Trans esp-3des esp-md5-hmac

!

crypto map cisco 10 ipsec-isakmp

 set peer 12.1.1.1

 set transform-set Trans

 match address ***

!

!

!

!

interface Loopback0

 ip address 2.2.2.2 255.255.255.0

 ip nat outside

 ip virtual-reassembly

!

interface Ethernet0/0

 ip address 12.1.1.2 255.255.255.0

 half-duplex

 crypto map cisco

!        

ip route 1.1.1.0 255.255.255.0 12.1.1.1

!

!

ip nat inside source list nat interface Ethernet0/0 overload

!

!        

ip access-list extended nat

 deny   ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

 permit ip any any

ip access-list extended ***

 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

触发×××：

 

R1#ping 2.2.2.2 so 1.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 32/44/48 ms

4、分析建立过程：

第一阶段：

*Mar  1 04:49:24.886: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA

*Mar  1 04:49:24.886: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500

*Mar  1 04:49:24.886: ISAKMP: New peer created peer = 0x64F66BC4 peer_handle = 0x80000007

*Mar  1 04:49:24.890: ISAKMP: Locking peer struct 0x64F66BC4, IKE refcount 1 for crypto_isakmp_process_block

*Mar  1 04:49:24.890: ISAKMP: local port 500, remote port 500

*Mar  1 04:49:24.890: insert sa successfully sa = 646DD604

*Mar  1 04:49:24.894: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 04:49:24.894: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

 

*Mar  1 04:49:24.898: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Mar  1 04:49:24.898: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar  1 04:49:24.898: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 04:49:24.902: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar  1 04:49:24.902: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar  1 04:49:24.902: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar  1 04:49:24.902: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Mar  1 04:49:24.906: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar  1 04:49:24.906: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar  1 04:49:24.906: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Mar  1 04:49:24.906: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 12.1.1.1

*Mar  1 04:49:24.910: ISAKMP:(0:0:N/A:0): local preshared key found

*Mar  1 04:49:24.910: ISAKMP : Scanning profiles for xauth ...

*Mar  1 04:49:24.910: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy >>>检查我们配置的isakmp policy 10

*Mar  1 04:49:24.910: ISAKMP:      encryption 3DES-CBC

*Mar  1 04:49:24.910: ISAKMP:      hash SHA

*Mar  1 04:49:24.914: ISAKMP:      default group 2

*Mar  1 04:49:24.914: ISAKMP:      auth pre-share

*Mar  1 04:49:24.914: ISAKMP:      life type in seconds

*Mar  1 04:49:24.914: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Mar  1 04:49:24.914: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 04:49:24.946: ISAKMP (0:134217729): vendor ID is NAT-T v7

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

 

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID

*Mar  1 04:49:24.946: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Mar  1 04:49:24.950: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 04:49:24.950: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

 

*Mar  1 04:49:25.046: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP

*Mar  1 04:49:25.046: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 04:49:25.050: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3

 

*Mar  1 04:49:25.054: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0

*Mar  1 04:49:25.086: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0

*Mar  1 04:49:25.086: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 12.1.1.1

*Mar  1 04:49:25.090: ISAKMP:(0:1:SW:1):SKEYID state generated

*Mar  1 04:49:25.090: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar  1 04:49:25.090: ISAKMP:(0:1:SW:1): vendor ID is Unity

*Mar  1 04:49:25.094: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar  1 04:49:25.094: ISAKMP:(0:1:SW:1): vendor ID is DPD

*Mar  1 04:49:25.094: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar  1 04:49:25.094: ISAKMP:(0:1:SW:1): speaking to another IOS box!

*Mar  1 04:49:25.098: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 04:49:25.098: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3

 

*Mar  1 04:49:25.102: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar  1 04:49:25.102: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 04:49:25.102: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

 

*Mar  1 04:49:25.154: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Mar  1 04:49:25.158: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 04:49:25.158: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

 

*Mar  1 04:49:25.162: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0

*Mar  1 04:49:25.166: ISAKMP (0:134217729): ID payload

        next-payload : 8

        type         : 1

        address      : 12.1.1.1

        protocol     : 17

        port         : 500

        length       : 12

*Mar  1 04:49:25.166: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles

*Mar  1 04:49:25.166: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0

*Mar  1 04:49:25.170: ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1

        spi 0, message ID = 0, sa = 646DD604

*Mar  1 04:49:25.170: ISAKMP:(0:1:SW:1):SA authentication status:

        authenticated

*Mar  1 04:49:25.174: ISAKMP:(0:1:SW:1): Process initial contact,

bring down existing phase 1 and 2 SA's with local 12.1.1.2 remote 12.1.1.1 remote port 500

*Mar  1 04:49:25.174: ISAKMP:(0:1:SW:1):SA authentication status:

        authenticated

*Mar  1 04:49:25.178: ISAKMP:(0:1:SW:1):SA has been authenticated with 12.1.1.1

*Mar  1 04:49:25.178: ISAKMP: Trying to insert a peer 12.1.1.2/12.1.1.1/500/,  and inserted successfully 64F66BC4.

*Mar  1 04:49:25.178: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 04:49:25.182: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

 

*Mar  1 04:49:25.182: IPSEC(key_engine): got a queue event with 1 kei messages

*Mar  1 04:49:25.186: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar  1 04:49:25.186: ISAKMP (0:134217729): ID payload

        next-payload : 8

        type         : 1

        address      : 12.1.1.2

        protocol     : 17

        port         : 500

        length       : 12

*Mar  1 04:49:25.190: ISAKMP:(0:1:SW:1):Total payload length: 12

*Mar  1 04:49:25.194: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar  1 04:49:25.198: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 04:49:25.198: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

 

*Mar  1 04:49:25.202: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  1 04:49:25.202: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

 

第二阶段：

*Mar  1 04:49:25.266: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     

*Mar  1 04:49:25.266: ISAKMP: set new node 1812581365 to QM_IDLE     

*Mar  1 04:49:25.270: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1812581365

*Mar  1 04:49:25.274: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1812581365

*Mar  1 04:49:25.274: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1

*Mar  1 04:49:25.274: ISAKMP: transform 1, ESP_3DES

*Mar  1 04:49:25.274: ISAKMP:   attributes in transform:

*Mar  1 04:49:25.274: ISAKMP:      encaps is 1 (Tunnel)

*Mar  1 04:49:25.278: ISAKMP:      SA life type in seconds

*Mar  1 04:49:25.278: ISAKMP:      SA life duration (basic) of 3600

*Mar  1 04:49:25.278: ISAKMP:      SA life type in kilobytes

*Mar  1 04:49:25.278: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar  1 04:49:25.278: ISAKMP:      authenticator is HMAC-MD5

*Mar  1 04:49:25.282: ISAKMP:(0:1:SW:1):atts are acceptable.

*Mar  1 04:49:25.282: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 12.1.1.2, remote= 12.1.1.1,

    local_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 04:49:25.286: Crypto mapdb : proxy_match

        src addr     : 2.2.2.0

        dst addr     : 1.1.1.0

        protocol     : 0

        src port     : 0

        dst port     : 0

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 1812581365

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1812581365

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1812581365

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1): asking for 1 spis from ipsec

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1):Node 1812581365, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

*Mar  1 04:49:25.290: IPSEC(key_engine): got a queue event with 1 kei messages

*Mar  1 04:49:25.290: IPSEC(spi_response): getting spi 2345636103 for SA

        from 12.1.1.2 to 12.1.1.1 for prot 3

*Mar  1 04:49:25.290: ISAKMP: received ke message (2/1)

*Mar  1 04:49:25.290: ISAKMP: Locking peer struct 0x64F66BC4, IPSEC refcount 1 for for stuff_ke

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1): Creating IPSec SAs

*Mar  1 04:49:25.290:         inbound SA from 12.1.1.1 to 12.1.1.2 (f/i)  0/ 0

        (proxy 1.1.1.0 to 2.2.2.0)

*Mar  1 04:49:25.290:         has spi 0x8BCF9107 and conn_id 0 and flags 2

*Mar  1 04:49:25.290:         lifetime of 3600 seconds

*Mar  1 04:49:25.290:         lifetime of 4608000 kilobytes

*Mar  1 04:49:25.290:         has client flags 0x0

*Mar  1 04:49:25.290:         outbound SA from 12.1.1.2 to 12.1.1.1 (f/i) 0/0

        (proxy 2.2.2.0 to 1.1.1.0)

*Mar  1 04:49:25.290:         has spi 685105074 and conn_id 0 and flags A

*Mar  1 04:49:25.290:         lifetime of 3600 seconds

*Mar  1 04:49:25.290:         lifetime of 4608000 kilobytes

*Mar  1 04:49:25.290:         has client flags 0x0

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE     

*Mar  1 04:49:25.290: ISAKMP:(0:1:SW:1):Node 1812581365, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY

*Mar  1 04:49:25.294: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

*Mar  1 04:49:25.294: IPSEC(key_engine): got a queue event with 2 kei messages

*Mar  1 04:49:25.298: IPSEC(initialize_sas): ,

  (key eng. msg.) INBOUND local= 12.1.1.2, remote= 12.1.1.1,

    local_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x8BCF9107(2345636103), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 04:49:25.302: IPSEC(initialize_sas): ,

  (key eng. msg.) OUTBOUND local= 12.1.1.2, remote= 12.1.1.1,

    local_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x28D5DFB2(685105074), conn_id= 0, keysize= 0, flags= 0xA

*Mar  1 04:49:25.306: Crypto mapdb : proxy_match

        src addr     : 2.2.2.0

        dst addr     : 1.1.1.0

        protocol     : 0

        src port     : 0

        dst port     : 0

*Mar  1 04:49:25.306: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 12.1.1.1

*Mar  1 04:49:25.306: IPSec: Flow_switching Allocated flow for sibling 8000000B

*Mar  1 04:49:25.310: IPSEC(policy_db_add_ident): src 2.2.2.0, dest 1.1.1.0, dest_port 0

 

*Mar  1 04:49:25.310: ISAKMP: Locking peer struct 0x64F66BC4, IPSEC refcount 2 for from create_transforms

*Mar  1 04:49:25.310: IPSEC(create_sa): sa created,

  (sa) sa_dest= 12.1.1.2, sa_proto= 50,

    sa_spi= 0x8BCF9107(2345636103),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003

*Mar  1 04:49:25.314: IPSEC(create_sa): sa created,

  (sa) sa_dest= 12.1.1.1, sa_proto= 50,

    sa_spi= 0x28D5DFB2(685105074),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002

*Mar  1 04:49:25.314: ISAKMP: Unlocking IPSEC struct 0x64F66BC4 from create_transforms, count 1

*Mar  1 04:49:25.374: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     

*Mar  1 04:49:25.378: ISAKMP:(0:1:SW:1):deleting node 1812581365 error FALSE reason "QM done (await)"

*Mar  1 04:49:25.378: ISAKMP:(0:1:SW:1):Node 1812581365, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  1 04:49:25.382: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

*Mar  1 04:49:25.382: IPSEC(key_engine): got a queue event with 1 kei messages

*Mar  1 04:49:25.386: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

*Mar  1 04:49:25.386: IPSEC(key_engine_enable_outbound): enable SA with spi 685105074/50

5、报文抓取：【在R2的E0/0抓取的报文】

主模式1-6个包，快速模式1-3个包

第一个报文SA内容：R1-R2交互crypto isakmp policy 10配置的加密，校验，DH组等参数。

第二个报文SA内容：R2-R1，1-2个包中的这些信息一致

第三个报文Key Exchange、Vendor ID【CISCO-UNITY；DPD；XAUTH】、NAT-Discovery：R1-R2,主要交互密钥资源，以便为5-6包提供安全算法所需密钥

第四个报文：R2-R1,格式内容和第三个报文一样

第五个报文：R1-R2，传递的是加密的数据，5-6报文都是在加密的环境中传输的

第六个报文：R2-R1

快速模式的1-3个报文【R1-R2，R2-R1，R1-R2】

QM-1：

QM-2：

QM-3：

6、我们验证一下建立后的情况

R1#sho crypto engine connections active

 

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

   2 Ethernet0/0          12.1.1.1        set    HMAC_SHA+3DES_56_C        0        0

2001 Ethernet0/0          12.1.1.1        set    3DES+MD5                  4        0

2004 Ethernet0/0          12.1.1.1        set    3DES+MD5                  0        4

 

R1#show crypto isakmp sa

dst             src             state          conn-id slot status

12.1.1.2        12.1.1.1        QM_IDLE              2    0 ACTIVE

 

R1#show crypto ipsec sa

 

interface: Ethernet0/0

    Crypto map tag: cisco, local addr 12.1.1.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)

   current_peer 12.1.1.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

 

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2

     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0

     current outbound spi: 0x50B82D9A(1354247578)

 

     inbound esp sas:

      spi: 0x777B0338(2004550456)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2004, flow_id: SW:4, crypto map: cisco

        sa timing: remaining key lifetime (k/sec): (4391758/3437)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0x50B82D9A(1354247578)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: SW:1, crypto map: cisco

        sa timing: remaining key lifetime (k/sec): (4391758/3436)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:

ACl匹配情况：

R1#sho access-lists                    

Extended IP access list nat

    10 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (5 matches)

    20 permit ip any any (2 matches)

Extended IP access list ***

    10 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (9 matches)

可以ping公网上的地址：

R1#ping 12.1.1.2 so lo0

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms

R1#sho acce

R1#sho access-l

R1#sho access-lists

Extended IP access list nat

    10 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (5 matches)

    20 permit ip any any (3 matches) >>>>匹配了一个去做NAT

Extended IP access list ***

    10 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (9 matches)

R1#sho

R1#show ip nat tr

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

icmp 12.1.1.1:23       1.1.1.1:23         12.1.1.2:23        12.1.1.2:23