LAN to LAN IPsec VPN configuration report
hash md5                                              (defines the hash algorithm)
authentication pre-share                              (defines the authentication method)
encryption des                                        (defines the encryption algorithm)
crypto isakmp key speedfull address 23.23.23.3        (specifies the pre-shared key and the peer IP)
crypto ipsec transform-set sf esp-des esp-md5-hmac    (then defines the IPsec policy; ESP is the encapsulation type)
crypto map sf 10 ipsec-isakmp
match address 120                                     (defines the traffic flow to be encrypted)
set peer 23.23.23.3
set transform-set sf
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
int s1/0
crypto map sf                                         (applies the crypto map to the interface)
R1#show crypto isakmp peers
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
Phase1 id: 23.23.23.3
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
12.12.12.1      23.23.23.3      QM_IDLE              1    0 ACTIVE
Easy VPN Remote Phase: 4    (what this line means is still not clear to me)
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: sf, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xC1E4CEB7(3252997815)
inbound esp sas:
spi: 0x9F566494(2673239188)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540031/1720)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC1E4CEB7(3252997815)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540032/1719)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
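The "show crypto ipsec sa" output above is what an operator reads to confirm the tunnel is actually passing traffic. As an added example that is not part of the original post, the Python below parses the counter and ESP-SA lines of that output and reports what a reviewer should act on: the six send errors, any SA that is not ACTIVE, and the esp-des / esp-md5-hmac transform set, which is obsolete (56-bit DES, MD5) and should be replaced by AES and SHA-2 on a production tunnel. The weak-transform list is my own assumption, not an IOS setting, and the sample text is copied from the output above.

```python
import re

# Constructed sample: the counter and ESP-SA lines from the "show crypto ipsec sa"
# output above (interface, lifetime, AH and PCP lines omitted for brevity).
SAMPLE = """current_peer 23.23.23.3 port 500
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#send errors 6, #recv errors 0
inbound esp sas:
spi: 0x9F566494(2673239188)
transform: esp-des esp-md5-hmac ,
Status: ACTIVE
outbound esp sas:
spi: 0xC1E4CEB7(3252997815)
transform: esp-des esp-md5-hmac ,
Status: ACTIVE
"""
# Assumed policy: ESP transforms that should not be accepted on a production tunnel.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Return peer, packet counters and one dict per inbound/outbound ESP SA."""
    info, sa = {"peer": None, "counters": {}, "sas": []}, None
    for line in (l.strip() for l in text.splitlines()):
        for name, val in re.findall(r"#(pkts \w+|send errors|recv errors):? (\d+)", line):
            info["counters"][name] = int(val)
        if line.startswith("current_peer"):
            info["peer"] = line.split()[1]
        elif line.endswith("esp sas:"):  # "inbound esp sas:" / "outbound esp sas:"
            sa = {"dir": line.split()[0]}
            info["sas"].append(sa)
        elif sa and line.startswith("spi:"):
            sa["spi"] = line.split()[1].split("(")[0]
        elif sa and line.startswith("transform:"):
            sa["transform"] = line.split(":", 1)[1].strip(" ,").split()
        elif sa and line.startswith("Status:"):
            sa["status"] = line.split()[1]
    return info

def audit_ipsec_sa(info):
    """Findings a defender should act on: weak transforms, inactive SAs, send errors."""
    findings = []
    for sa in info["sas"]:
        for weak in sorted(set(sa.get("transform", [])) & WEAK_TRANSFORMS):
            findings.append(f"{sa['dir']} SA {sa.get('spi')} uses weak transform {weak}")
        if sa.get("status") != "ACTIVE":
            findings.append(f"{sa['dir']} SA {sa.get('spi')} is {sa.get('status')}")
    if info["counters"].get("send errors"):
        findings.append(f"{info['counters']['send errors']} send errors toward {info['peer']}")
    return findings
```

Running `audit_ipsec_sa(parse_ipsec_sa(SAMPLE))` on the sample yields four weak-transform findings (DES and MD5 in each direction) plus the send-error finding; the decaps/decrypt/verify counters matching each other is the sign that the peer's traffic is being accepted.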
R1# show crypto ipsec transform-set
Transform set sf: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Crypto Map "sf" 10 ipsec-isakmp
Peer = 23.23.23.3
Extended IP access list 120
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
Current peer: 23.23.23.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
sf,
}
Interfaces using crypto map sf:
Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms
!
access-list 1 permit any
*Mar 1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar 1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar 1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), routed via RIB
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
!
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
Reposted from: https://blog.51cto.com/wzhj132/187560