




Lab objective

Implement an IPsec VPN using a simple configuration.

Lab topology

Key configuration

R1:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3 255.255.255.0
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set ccie
 match address 100
interface Serial1/1
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map VPN

R3:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set cisco
 match address 100
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
 crypto map VPN

Lab verification

Enable debug on R3 and watch the exchange:

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/57/164 ms

R3#
*Jul 27 20:03:31.910: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Jul 27 20:03:31.914: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Jul 27 20:03:31.914: ISAKMP: New peer created peer = 0x65B5BB30 peer_handle = 0x80000005
*Jul 27 20:03:31.918: ISAKMP: Locking peer struct 0x65B5BB30, refcount 1 for crypto_isakmp_process_block
*Jul 27 20:03:31.922: ISAKMP: local port 500, remote port 500
*Jul 27 20:03:31.926: insert sa successfully sa = 65B77620
*Jul 27 20:03:31.930: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

[IKE phase 1, first packet exchange]

*Jul 27 20:03:31.946: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 27 20:03:31.950: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.950: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.962: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:31.962: ISAKMP:(0): local preshared key found
*Jul 27 20:03:31.962: ISAKMP : Scanning profiles for xauth .
*Jul 27 20:03:31.962: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 27 20:03:31.966: ISAKMP: encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP: hash MD5
*Jul 27 20:03:31.966: ISAKMP: default group 1
*Jul 27 20:03:31.966: ISAKMP: auth pre-share
*Jul 27 20:03:31.966: ISAKMP: life type in seconds
*Jul 27 20:03:31.966: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 20:03:31.966: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 27 20:03:31.970: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.970: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:31.970: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 27 20:03:31.974: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP

[Negotiation packet sent to the peer 12.1.1.1; source port 500, destination port 500]

*Jul 27 20:03:31.974: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:31.978: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 27 20:03:32.026: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.026: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 27 20:03:32.026: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 27 20:03:32.054: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 27 20:03:32.058: ISAKMP:(0):found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:32.058: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is Unity
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is DPD
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): speaking to another IOS box!
*Jul 27 20:03:32.062: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.062: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.066: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.066: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 27 20:03:32.122: ISAKMP:(1002): processing ID payload. message ID = 0
*Jul 27 20:03:32.122: ISAKMP (0:1002): ID payload next-payload : 8 type : 1 address : 12.1.1.1 protocol : 17 port : 500 length : 12
*Jul 27 20:03:32.122: ISAKMP:(0): peer matches *none* of the profiles
*Jul 27 20:03:32.126: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jul 27 20:03:32.126: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 65B77620
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status: authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002):SA has been authenticated with 12.1.1.1
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status: authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002): Process initial contact,bring down existing phase 1 and 2 SAs with local 23.1.1.3 remote 12.1.1.1 remote port 500
*Jul 27 20:03:32.130: ISAKMP: Trying to insert a peer 23.1.1.3/12.1.1.1/500/, and inserted successfully 65B5BB30.
*Jul 27 20:03:32.130: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.130: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 27 20:03:32.130: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.134: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 27 20:03:32.134: ISAKMP (0:1002): ID payload next-payload : 8 type : 1 address : 23.1.1.3 protocol : 17 port : 500 length : 12
*Jul 27 20:03:32.134: ISAKMP:(1002):Total payload length: 12
*Jul 27 20:03:32.134: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.134: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

[Phase 1 complete.]

*Jul 27 20:03:32.142: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 27 20:03:32.142: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.158: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.158: ISAKMP: set new node -1769201649 to QM_IDLE
*Jul 27 20:03:32.162: ISAKMP:(1002): processing HASH payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002): processing SA payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002):Checking IPSec proposal 1
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP: attributes in transform:
*Jul 27 20:03:32.162: ISAKMP: encaps is 1 (Tunnel)
*Jul 27 20:03:32.162: ISAKMP: SA life type in seconds
*Jul 27 20:03:32.162: ISAKMP: SA life duration (basic) of 3600
*Jul 27 20:03:32.162: ISAKMP: SA life type in kilobytes
*Jul 27 20:03:32.162: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP: authenticator is HMAC-MD5
*Jul 27 20:03:32.162: ISAKMP:(1002):atts are acceptable.

[Policy matched; negotiation complete]

*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 23.1.1.3, remote= 12.1.1.1, local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4), remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 27 20:03:32.166: Crypto mapdb : proxy_match src addr : 3.3.3.0 dst addr : 1.1.1.0 protocol : 0 src port : 0 dst port : 0
*Jul 27 20:03:32.170: ISAKMP:(1002): processing NONCE payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002):QM Responder gets spi
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.170: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 27 20:03:32.170: ISAKMP:(1002): Creating IPSec SAs

[Creating the IPsec SAs]

*Jul 27 20:03:32.170: inbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/ 0 (proxy 1.1.1.0 to 3.3.3.0)
*Jul 27 20:03:32.170: has spi 0x12160605 and conn_id 0
*Jul 27 20:03:32.170: lifetime of 3600 seconds
*Jul 27 20:03:32.170: lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: outbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/0 (proxy 3.3.3.0 to 1.1.1.0)
*Jul 27 20:03:32.170: has spi 0xDD947DA9 and conn_id 0
*Jul 27 20:03:32.170: lifetime of 3600 seconds
*Jul 27 20:03:32.170: lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 27 20:03:32.174: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 27 20:03:32.178: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.178: Crypto mapdb : proxy_match src addr : 3.3.3.0 dst addr : 1.1.1.0 protocol : 0 src port : 0 dst port : 0
*Jul 27 20:03:32.182: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 12.1.1.1
*Jul 27 20:03:32.182: IPSEC(policy_db_add_ident): src 3.3.3.0, dest 1.1.1.0, dest_port 0
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created, (sa) sa_dest= 23.1.1.3, sa_proto= 50, sa_spi= 0x12160605(303433221), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created, (sa) sa_dest= 12.1.1.1, sa_proto= 50, sa_spi= 0xDD947DA9(3717496233), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
*Jul 27 20:03:32.210: ISAKMP (0:1002): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.210: ISAKMP:(1002):deleting node -1769201649 error FALSE reason QM done (await)
*Jul 27 20:03:32.210: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.210: ISAKMP:(1002):Old State = IKE
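
The debug output above records both the responder's main-mode state path and the algorithms the two routers agreed on (DES, MD5, DH group 1, all long deprecated). The following Python sketch is an added example, not part of the original lab: it rebuilds that state path from the log and flags the weak negotiated attributes. The names parse_debug, weak_findings and the WEAK list are assumptions of this example.

```python
import re

# Excerpt of the R3 debug output above (only the lines this example parses).
SAMPLE = """\
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 27 20:03:31.966: ISAKMP: encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP: hash MD5
*Jul 27 20:03:31.966: ISAKMP: default group 1
*Jul 27 20:03:31.970: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 27 20:03:31.978: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP: authenticator is HMAC-MD5
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RES = {
    "ike_encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "ike_hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "ike_dh_group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "esp_cipher": re.compile(r"ISAKMP:\s+transform \d+, (\S+)"),
    "esp_auth": re.compile(r"ISAKMP:\s+authenticator is (\S+)"),
}
# Assumption of this example: a short, non-exhaustive list of deprecated values.
WEAK = {"ike_encryption": {"DES-CBC"}, "ike_hash": {"MD5"}, "ike_dh_group": {"1"},
        "esp_cipher": {"ESP_DES"}, "esp_auth": {"HMAC-MD5"}}

def parse_debug(text):
    """Return (state path, negotiated attributes) from 'debug crypto isakmp' text."""
    states, attrs = [], {}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            states = states or [old]
            if new != states[-1]:  # IOS also logs self-transitions (MM1 -> MM1)
                states.append(new)
            continue
        for name, rx in ATTR_RES.items():
            m = rx.search(line)
            if m:
                attrs.setdefault(name, m.group(1))  # keep the first accepted value
    return states, attrs

def weak_findings(attrs):
    """List negotiated attributes that appear in the WEAK table."""
    return sorted(f"{k}={v}" for k, v in attrs.items() if v in WEAK.get(k, ()))
```

Run against a full capture, the state path shows where a failed negotiation stopped, and the findings list shows which policy lines to replace with stronger settings on both peers.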