The Road to Security CCIE: IPsec Lab, Static VTI

VTI configuration

r1#show run
Building configuration...

Current configuration : 1561 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto ipsec profile text
 set transform-set cisco
!
interface Loopback0
 ip address
!
interface Tunnel1
 ip address 52
 tunnel source Serial0/1
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile text
!
interface Serial0/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/1
 ip address 52
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
ip route
ip route Tunnel1
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
r1#

r3#show run
Building configuration...

Current configuration : 1561 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto ipsec profile text
 set transform-set cisco
!
interface Loopback0
 ip address
!
interface Tunnel1
 ip address 52
 tunnel source Serial0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile text
!
interface Serial0/0
 ip address 52
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
ip route
ip route Tunnel1
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
r3#

Routing

r1#show ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network

     /30 is subnetted, 1 subnets
C       is directly connected, Serial0/1
     /8 is variably subnetted, 3 subnets, 2 masks
C       /24 is directly connected, Loopback0
S       /24 is directly connected, Tunnel1
C       /30 is directly connected, Tunnel1
S*   /0 1/0 via
r1#

r3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network

     /30 is subnetted, 1 subnets
C       is directly connected, Serial0/0
     /8 is variably subnetted, 3 subnets, 2 masks
S       /24 is directly connected, Tunnel1
C       /24 is directly connected, Loopback0
C       /30 is directly connected, Tunnel1
S*   /0 1/0 via
r3#

SA

r1#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (//0/0)
   remote ident (addr/mask/prot/port): (//0/0)
   current_peer port 500
     PERMIT, flags=origin_is_acl,
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1
     current outbound spi: 0x92F54307(2465547015)

     inbound esp sas:
      spi: 0x8CADB3F5(2360194037)
        transform: esp-3des esp-md5-hmac ,
        in use settings =Tunnel,
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4601932/3334)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x92F54307(2465547015)
        transform: esp-3des esp-md5-hmac ,
        in use settings =Tunnel,
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4601931/3333)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
r1#show cry
r1#show crypto map
Crypto Map Tunnel1-head-0 65536 ipsec-isakmp
        Profile name: text
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets= cisco,

Crypto Map Tunnel1-head-0 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer =
        Extended IP access list
            access-list permit ip any any
        Current peer:
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets= cisco,
        Always create SAs
        Interfaces using crypto map Tunnel1-head-0:
                Tunnel1
r1#

r3#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (//0/0)
   remote ident (addr/mask/prot/port): (//0/0)
   current_peer port 500
     PERMIT, flags=origin_is_acl,
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x8CADB3F5(2360194037)

     inbound esp sas:
      spi: 0x92F54307(2465547015)
        transform: esp-3des esp-md5-hmac ,
        in use settings =Tunnel,
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4448516/3273)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8CADB3F5(2360194037)
        transform: esp-3des esp-md5-hmac ,
        in use settings =Tunnel,
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4448517/3272)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
r3#

Running a dynamic routing protocol

router ospf 1
 router-id
 log-adjacency-changes
 network 55 area 0
 network area 0

r1#show ip route ospf
     /8 is variably subnetted, 3 subnets, 3 masks
O       /32 110/11112 via , 00:01:18, Tunnel1

r3# show ip route ospf
     /8 is variably subnetted, 3 subnets, 3 masks
O       /32 110/11112 via , 00:01:51, Tunnel1
r3#

r1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time
