IPsec VPN Setup Explained


IPsec VPN Setup Explained (lab version)

RT1:
crypto isakmp policy 10   / define the ISAKMP policy
 encr 3des   / 3DES encryption
 hash md5   / MD5 as the hash algorithm
 authentication pre-share   / authenticate with a pre-shared key
 group 2   / Diffie-Hellman group 2
crypto isakmp identity address   / use the IP address as the IKE identity
crypto isakmp key cisco1 address 172.1.2.2   / pre-shared key and the peer's IP
crypto isakmp key cisco2 address 172.1.3.2   / pre-shared key and the peer's IP
crypto ipsec transform-set cisco esp-aes esp-md5-hmac   / transform set: the proposal used to negotiate the IPsec SA
!
crypto map RT1 10 ipsec-isakmp   / define the crypto map
 set peer 172.1.2.2   / set the peer
 set transform-set cisco   / reference the transform set
 match address 101   / match the interesting traffic
crypto map RT1 20 ipsec-isakmp
 set peer 172.1.3.2
 set transform-set cisco
 match address 102
interface Ethernet0/0
 ip address 172.1.1.2 255.255.255.240
 crypto map RT1   / apply the crypto map to the interface
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.36.0 0.0.0.255   / define the interesting traffic
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255   / define the interesting traffic
ip route 0.0.0.0 0.0.0.0 172.1.1.1   / the two crypto endpoints must be able to reach each other

RT2:
crypto isakmp policy 10   / the ISAKMP parameters must match the peer
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity address
crypto isakmp key cisco1 address 172.1.1.2   / the pre-shared key must match the peer
crypto ipsec transform-set cisco esp-aes esp-md5-hmac   / the IPsec parameters must match the peer
!
crypto map RT2 10 ipsec-isakmp
 set peer 172.1.1.2
 set transform-set cisco
 match address 101
interface Ethernet0/0
 ip address 172.1.2.2 255.255.255.240
 crypto map RT2
access-list 101 permit ip 192.168.36.0 0.0.0.255 192.168.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.2.1   / the two crypto endpoints must be able to reach each other

RT3:
crypto isakmp policy 10   / the ISAKMP parameters must match the peer
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco2 address 172.1.1.2   / the pre-shared key must match the peer
crypto isakmp identity address
crypto ipsec transform-set cisco esp-aes esp-md5-hmac   / the IPsec parameters must match the peer
!
crypto map RT3 10 ipsec-isakmp
 set peer 172.1.1.2
 set transform-set cisco
 match address 101
interface Ethernet0/0
 ip address 172.1.3.2 255.255.255.240
 crypto map RT3
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.1.3.1   / the two crypto endpoints must be able to reach each other

ISAKMP SA (bidirectional; established once the phase 1 negotiation completes)
RT3#show crypto isakmp sa
dst             src             state          conn-id slot status
172.1.1.2       172.1.3.2       QM_IDLE              1    0 ACTIVE
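The configuration above repeats one rule at every step: the ISAKMP policy, the pre-shared key and the transform set must agree with the peer, and the interesting-traffic ACLs must be mirror images. The following is an added example, not part of the original document, that parses the RT1 snippet shown above and checks it against its peer; the RT2 text is derived from RT1 by swapping addresses, which is exactly what the page's RT2 configuration is, and the function names parse and audit are my own.

```python
import re

# Constructed from the page's RT1 snippet (only the lines the checker needs);
# RT2 on the page is the same with the addresses swapped, so it is derived here.
RT1 = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco1 address 172.1.2.2
crypto ipsec transform-set cisco esp-aes esp-md5-hmac
crypto map RT1 10 ipsec-isakmp
 set peer 172.1.2.2
 match address 101
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.36.0 0.0.0.255"""
RT2 = RT1.replace("172.1.2.2", "172.1.1.2").replace("map RT1", "map RT2").replace(
    "192.168.20.0 0.0.0.255 192.168.36.0", "192.168.36.0 0.0.0.255 192.168.20.0")

def parse(cfg):
    """Pull out the pieces that must agree with the peer from an IOS snippet."""
    d = {"policy": set(), "keys": {}, "acl": {}, "peers": {}, "transform": None}
    for line in (l.strip() for l in cfg.splitlines()):
        if re.match(r"(encr|hash|authentication|group) ", line):
            d["policy"].add(line)                           # ISAKMP (phase 1) policy
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            d["keys"][m[2]] = m[1]                          # PSK keyed by peer address
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            d["transform"] = m[1]                           # IPsec (phase 2) proposal
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            d["acl"][m[1]] = (m[2], m[3])                   # (source, destination)
        elif m := re.match(r"set peer (\S+)", line):
            d["_peer"] = m[1]
        elif m := re.match(r"match address (\d+)", line):
            d["peers"][d["_peer"]] = m[1]                   # peer -> interesting-traffic ACL
    return d

def audit(local, local_ip, remote, remote_ip):
    """Return the mismatches that would keep the tunnel between two endpoints down."""
    a, b = parse(local), parse(remote)
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("ISAKMP policy differs")
    if a["transform"] != b["transform"]:
        issues.append("transform-set differs")
    if a["keys"].get(remote_ip) != b["keys"].get(local_ip):
        issues.append("pre-shared key differs")
    src, dst = a["acl"][a["peers"][remote_ip]]
    if b["acl"].get(b["peers"].get(local_ip)) != (dst, src):
        issues.append("interesting-traffic ACL is not the mirror image")
    return issues
```

Run audit(RT1, "172.1.1.2", RT2, "172.1.2.2") for a clean pair; breaking any one line of RT2 (a different key, hash or ACL) names the mismatch instead of leaving you to read debug output.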

IPsec SA (two unidirectional SAs, inbound and outbound; established once phase 2 completes)
RT3#show crypto ipsec sa
inbound esp sas:
 spi: 0x88A9E91(143302289)   / security parameter index
 transform: esp-aes esp-md5-hmac ,   / negotiated IPsec parameters
 in use settings =Tunnel,
 conn id: 2001, flow_id: SW:1, crypto map: RT3   / the crypto map in use
 sa timing: remaining key lifetime (k/sec): (4528168/1384)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE   / the SA is active
outbound esp sas:
 spi: 0xB2979D58(2996280664)   / security parameter index
 transform: esp-aes esp-md5-hmac ,   / negotiated IPsec parameters
 in use settings =Tunnel,
 conn id: 2002, flow_id: SW:2, crypto map: RT3   / the crypto map in use
 sa timing: remaining key lifetime (k/sec): (4528168/1374)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE   / the SA is active

Analysing the IKE process from the debug output:
*Mar 1 00:24:11.715: ISAKMP: received ke message (1/1)
*Mar 1 00:24:11.719: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)   / the request profile is empty because no profile is used
*Mar 1 00:24:11.719: ISAKMP: Created a peer struct for 172.1.1.2, peer port 500   / create a peer entry for 172.1.1.2, peer port 500
*Mar 1 00:24:11.723: ISAKMP: New peer created peer = 0x64960A40 peer_handle = 0x80000002   / new peer struct 0x64960A40 with peer handle 0x80000002
*Mar 1 00:24:11.727: ISAKMP: Locking peer struct 0x64960A40, IKE refcount 1 for isakmp_initiator   / lock peer struct 0x64960A40; IKE reference count 1 held by the ISAKMP initiator
*Mar 1 00:24:11.731: ISAKMP: local port 500, remote port 500   / local port 500, remote port 500
*Mar 1 00:24:11.731: ISAKMP: set new node 0 to QM_IDLE   / set new node 0 to QM_IDLE
*Mar 1 00:24:11.735: insert sa successfully sa = 646EC2A4   / security association inserted successfully
*Mar 1 00:24:11.739: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.   / cannot start aggressive mode, trying main mode
*Mar 1 00:24:11.743: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.1.1.2   / found the pre-shared key configured for peer 172.1.1.2
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 00:24:11.747: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:24:11.751: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1   / old state IKE_READY, new state IKE_I_MM1
*Mar 1 00:24:11.755: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange   / begin the main mode exchange
*Mar 1 00:24:11.759: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE   / send the first packet; phase 1 enters the MM_NO_STATE state
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0):retransmitting phase 1 MM_NO_STATE...   / retransmit phase 1 MM_NO_STATE
*Mar 1 00:24:21.763: ISAKMP (0:0):incrementing error counter on sa, attempt 1 of 5: retransmit phase 1   / increment the SA's error counter, attempt 1 of 5: retransmit phase 1
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:24:31.763: ISAKMP:(0:0:N
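The debug excerpt shows the initiator reaching IKE_I_MM1, sending the first main mode packet, and then retransmitting it because no reply arrives. As an added example (not from the original document), here is a small parser over those debug lines that tracks the state transitions and the retransmit counter and flags a stalled phase 1; the function analyse and its result fields are my own names.

```python
import re

# Constructed excerpt: the "debug crypto isakmp" lines quoted on this page.
LOG = """*Mar 1 00:24:11.739: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:24:11.743: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.1.1.2
*Mar 1 00:24:11.751: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:24:11.759: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0):retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:24:21.763: ISAKMP (0:0):incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:24:21.763: ISAKMP:(0:0:N/A:0): sending packet to 172.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE"""

def analyse(log):
    """Summarise an IKEv1 initiator's progress from its ISAKMP debug lines."""
    r = {"peer": None, "role": None, "exchange": None, "psk_found": False,
         "states": [], "sent": 0, "retransmits": 0, "attempt": 0, "limit": 0, "verdict": "ok"}
    for line in log.splitlines():
        if m := re.search(r"sending packet to (\S+) .* \((I|R)\) (\S+)", line):
            r["peer"], r["role"], r["exchange"] = m[1], m[2], m[3]   # (I) = we initiate
            r["sent"] += 1
        if "found peer pre-shared key" in line:
            r["psk_found"] = True                          # local PSK lookup for the peer succeeded
        if m := re.search(r"New State = (\S+)", line):
            r["states"].append(m[1])                       # IKE state machine transitions
        if "retransmitting phase 1" in line:
            r["retransmits"] += 1
        if m := re.search(r"attempt (\d+) of (\d+)", line):
            r["attempt"], r["limit"] = int(m[1]), int(m[2])   # IOS gives up after the limit
    # MM1 went out and no MM2 came back: the peer never answered (unreachable, UDP/500
    # filtered on the path, or no ISAKMP configuration for our address on the peer).
    if r["retransmits"] and r["states"] and r["states"][-1] == "IKE_I_MM1":
        r["verdict"] = "phase 1 stalled in MM_NO_STATE: no reply to MM1 from " + str(r["peer"])
    return r
```

Once the peer answers, the state list moves past IKE_I_MM1 and the verdict stays "ok", so the same function separates a reachability problem from a policy or key mismatch that fails later in main mode.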
