The ISAKMP Profile is a newer way of configuring IKE negotiation. Its main role is to map the phase 1 ISAKMP parameters onto the phase 2 IPsec tunnels, so that a single device can build multiple tunnels to multiple sites. It also isolates different VPNs from one another cleanly and ties the phase 1 policy much more tightly to the phase 2 policy. ISAKMP Profiles are widely used in EZVPN and VRF-aware IPsec VPN configurations.
Site1:
crypto keyring ccie
 pre-shared-key address 61.128.1.1 key cisco
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
 keyring ccie
 match identity address 61.128.1.1 255.255.255.255
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 61.128.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address ***
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 crypto map ccie
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Internet:
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 61.128.1.10 255.255.255.0
!
end
Site2:
crypto keyring ccie
 pre-shared-key address 202.100.1.1 key cisco
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
 keyring ccie
 match identity address 202.100.1.1 255.255.255.255
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address ***
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 61.128.1.1 255.255.255.0
 crypto map ccie
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
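Before testing, it is worth confirming that the three pieces really agree with each other: the peer in the crypto map entry (set peer), the identity the profile accepts (match identity address), and the key the profile's keyring holds for that peer (pre-shared-key address). The script below is an added example and not part of the original post. It reads Site1's configuration (embedded here indented as IOS prints it, with the ACL name kept as *** exactly as the post shows it), verifies those three links, and flags the 3DES, SHA-1 HMAC and DH group 2 settings, which Cisco's Next Generation Encryption guidance lists as legacy. The 16-character pre-shared-key threshold is the script's own choice, not anything the post states.

```python
"""Audit a Cisco IOS crypto map / ISAKMP profile configuration (added example)."""
import ipaddress
import re

# Site1 configuration from the post, indented as IOS prints it (ACL name *** kept as-is).
SITE1_CONFIG = """\
crypto keyring ccie
 pre-shared-key address 61.128.1.1 key cisco
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
 keyring ccie
 match identity address 61.128.1.1 255.255.255.255
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map ccie 10 ipsec-isakmp
 set peer 61.128.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address ***
"""

# Algorithms Cisco's Next Generation Encryption guidance lists as legacy.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac",
          "esp-sha-hmac", "group 1", "group 2"}
MIN_PSK_LEN = 16  # our own threshold for flagging short pre-shared keys


def parse_sections(config):
    # Group the config into (header, [sub-commands]) pairs using IOS indentation.
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def net(addr, mask):
    # A bare "address A.B.C.D" means a single host, as IOS treats it.
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def build_model(config):
    model = {"keyrings": {}, "policies": {}, "profiles": {},
             "transform_sets": {}, "crypto_maps": {}}
    for header, body in parse_sections(config):
        w = header.split()
        if w[:2] == ["crypto", "keyring"]:
            keys = (re.match(r"pre-shared-key address (\S+)(?: (\d\S*))? key (\S+)", l) for l in body)
            model["keyrings"][w[2]] = {net(m[1], m[2]): m[3] for m in keys if m}
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            model["policies"][w[3]] = dict(l.split(None, 1) for l in body)
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            ids = (re.match(r"match identity address (\S+)(?: (\S+))?", l) for l in body)
            ring = [l.split()[1] for l in body if l.startswith("keyring ")]
            model["profiles"][w[3]] = {"keyring": ring[0] if ring else None,
                                       "identities": [net(m[1], m[2]) for m in ids if m]}
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            model["transform_sets"][w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and len(w) == 5:  # crypto map NAME SEQ ipsec-isakmp
            entry = {}
            for line in body:
                p = line.split()
                if p[0] == "set":
                    entry.setdefault(p[1], []).extend(p[2:])
            model["crypto_maps"][f"crypto map {w[2]} {w[3]}"] = entry
    return model


def audit(config):
    """Return human-readable findings; an empty list means nothing to report."""
    model = build_model(config)
    findings = []
    for tag, entry in model["crypto_maps"].items():
        peers = [ipaddress.ip_address(p) for p in entry.get("peer", [])]
        for pname in entry.get("isakmp-profile", []):
            # An undefined profile matches nothing, so every peer is reported below.
            prof = model["profiles"].get(pname, {"keyring": None, "identities": []})
            ring = model["keyrings"].get(prof["keyring"], {})
            for peer in peers:
                if not any(peer in n for n in prof["identities"]):
                    findings.append(f"{tag}: peer {peer} not covered by profile {pname} match identity")
                if not any(peer in n for n in ring):
                    findings.append(f"{tag}: no pre-shared key for {peer} in keyring {prof['keyring']}")
        for ts in entry.get("transform-set", []):
            for alg in model["transform_sets"].get(ts, []):
                if alg in LEGACY:
                    findings.append(f"{tag}: transform-set {ts} uses legacy algorithm {alg}")
    for seq, policy in model["policies"].items():
        for key, val in policy.items():
            token = f"group {val}" if key == "group" else val
            if token in LEGACY:
                findings.append(f"isakmp policy {seq}: legacy setting {token}")
    for name, ring in model["keyrings"].items():
        for n, key in ring.items():
            if len(key) < MIN_PSK_LEN:
                findings.append(f"keyring {name}: short pre-shared key for {n}")
    return findings
```

Run against Site1 the mapping checks pass and five findings remain, all about algorithm choice and key length. Site2 can be audited the same way by swapping in its configuration; since each side's set peer must fall inside the other side's match identity address and keyring entry, running the audit on both routers catches the mismatch that otherwise only shows up as a phase 1 failure in debug output.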
Test:
Site1#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/133/148 ms
Site1#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: ccie, local addr 202.100.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 61.128.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x96AB8F14(2527825684)
     inbound esp sas:
      spi: 0xF41D2511(4095550737)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ccie
        sa timing: remaining key lifetime (k/sec): (4566332/2033)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x96AB8F14(2527825684)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ccie
        sa timing: remaining key lifetime (k/sec): (4566332/2031)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
Site1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Profile: isaprof
Session status: UP-ACTIVE
Peer: 61.128.1.1 port 500
  IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active
  IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
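The two show commands confirm the profile is in use (Profile: isaprof) and the session is UP-ACTIVE, but the counters are what tell you whether traffic actually flows both ways. The parser below is an added example, not from the original post. It takes the show crypto ipsec sa output above (embedded here, trimmed to the lines it uses), extracts the proxy identities, the encaps/decaps counters and both SAs, and turns them into warnings. The one-way check (packets encapsulated but none decapsulated) is the usual signature of a crypto ACL that is not mirrored at the remote site or of a missing return route; the reading of #send errors as packets that matched the crypto ACL before the SA existed is general IOS behaviour and not something the post states.

```python
"""Interpret 'show crypto ipsec sa' output from a Cisco IOS router (added example)."""
import re

# Output captured in the post (Site1), trimmed to the lines this parser uses.
SHOW_SA = """\
interface: FastEthernet0/0
    Crypto map tag: ccie, local addr 202.100.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 61.128.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 1, #recv errors 0
     current outbound spi: 0x96AB8F14(2527825684)
     inbound esp sas:
      spi: 0xF41D2511(4095550737)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4566332/2033)
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x96AB8F14(2527825684)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4566332/2031)
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""

# ESP transforms Cisco's Next Generation Encryption guidance lists as legacy.
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def parse_show_sa(text):
    """Extract peer, proxy identities, packet counters and per-direction SAs."""
    sa = {"peer": None, "local_ident": None, "remote_ident": None,
          "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "sas": []}
    direction = proto = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(local|remote)\s+ident .*?: \((\S+)\)", line):
            sa[f"{m[1]}_ident"] = m[2]
        elif m := re.match(r"current_peer (\S+)", line):
            sa["peer"] = m[1]
        elif line.startswith("#pkts"):
            for field in ("encaps", "decaps"):
                if m := re.search(rf"#pkts {field}: (\d+)", line):
                    sa[field] = int(m[1])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_errors"], sa["recv_errors"] = int(m[1]), int(m[2])
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction, proto = m[1], m[2]  # following spi: lines belong to this block
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa["sas"].append({"direction": direction, "proto": proto, "spi": m[1]})
        elif (m := re.match(r"transform: (.*)", line)) and sa["sas"]:
            sa["sas"][-1]["transform"] = m[1].rstrip(" ,").split()
        elif (m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", line)) and sa["sas"]:
            sa["sas"][-1]["lifetime_kb"], sa["sas"][-1]["lifetime_sec"] = int(m[1]), int(m[2])
        elif (m := re.match(r"Status: (\w+)", line)) and sa["sas"]:
            sa["sas"][-1]["status"] = m[1]
    return sa


def assess(sa):
    """Warnings that separate a healthy two-way tunnel from the common failure modes."""
    warnings = []
    active = [s for s in sa["sas"] if s.get("status") == "ACTIVE"]
    if {s["direction"] for s in active} != {"inbound", "outbound"}:
        warnings.append("missing an ACTIVE inbound or outbound SA")
    if sa["encaps"] and not sa["decaps"]:
        warnings.append("one-way: packets encrypted but none returned; check that the remote crypto "
                        f"ACL mirrors {sa['local_ident']} <-> {sa['remote_ident']} and the return route")
    if sa["decaps"] and not sa["encaps"]:
        warnings.append("one-way: packets received but none sent; check routing into the crypto map")
    if sa["send_errors"]:
        warnings.append(f"{sa['send_errors']} send error(s): typically packets that matched the "
                        "crypto ACL before the SA existed")
    legacy = sorted({a for s in active for a in s.get("transform", []) if a in LEGACY_ESP})
    if legacy:
        warnings.append("legacy transforms in use: " + ", ".join(legacy))
    return warnings
```

For the captured output this yields two warnings, the single send error and the 3DES/SHA-1 transforms; both counters at 9 with ACTIVE SAs in each direction is the healthy picture. Feeding it output where decaps stays at 0 while encaps climbs produces the one-way warning, which is the case to look for when a ping is encrypted but never answered.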