Cisco IPSec *** Gre over --- SVTI
Simple SVTI lab configuration
R2 configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
################################
Configure the phase 1 policy: the information exchanged in packets 1 and 2
################################
crypto isakmp key cisco123 address 200.1.1.4  // Configure the pre-shared key
!
!
crypto ipsec transform-set ccie esp-des esp-md5-hmac
 mode tunnel
#################################
Configure the phase 2 transform set
#################################
!
!
crypto ipsec profile ikeprof
 set transform-set ccie
!
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 tunnel source 100.1.1.2
 tunnel destination 200.1.1.4
 tunnel protection ipsec profile ikeprof
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 100.1.1.2 255.255.255.0
!
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
################################
Advertise the tunnel interface into the OSPF process
################################
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.1.1.3
R2# show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.1.1.4 port 500
  Session ID: 0
  IKEv1 SA: local 100.1.1.2/500 remote 200.1.1.4/500 Active
  Session ID: 0
  IKEv1 SA: local 100.1.1.2/500 remote 200.1.1.4/500 Active
  IPSEC FLOW: permit 47 host 100.1.1.2 host 200.1.1.4
        Active SAs: 6, origin: crypto map
R2#show crypto engine connections active
Crypto Engine Connections
   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0        1        1 100.1.1.2
    2  IPsec   DES+MD5                   0        0        0 100.1.1.2
    3  IPsec   DES+MD5                   0        0        0 100.1.1.2
    4  IPsec   DES+MD5                   0        0        0 100.1.1.2
    5  IPsec   DES+MD5                   0      203      203 100.1.1.2
    6  IPsec   DES+MD5                 204        0        0 100.1.1.2
 1001  IKE     MD5+3DES                  0        0        0 100.1.1.2
 1002  IKE     MD5+3DES                  0        0        0 100.1.1.2
R2#show crypto ipsec sa | include spi
     current outbound spi: 0x214BF7A1(558626721)
      spi: 0xB86713B9(3093763001)
      spi: 0xA66B2E85(2792042117)
      spi: 0x74849EDE(1954848478)
      spi: 0xC1C0AB59(3250629465)
      spi: 0xF0B7C9F6(4038576630)
      spi: 0x214BF7A1(558626721)
R2#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 100.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.1.1.4/255.255.255.255/47/0)
   current_peer 200.1.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 212, #pkts encrypt: 212, #pkts digest: 212
    #pkts decaps: 212, #pkts decrypt: 212, #pkts verify: 212
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 100.1.1.2, remote crypto endpt.: 200.1.1.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0x214BF7A1(558626721)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB86713B9(3093763001)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1700)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0xA66B2E85(2792042117)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0x74849EDE(1954848478)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4284714/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC1C0AB59(3250629465)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1700)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0xF0B7C9F6(4038576630)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0x214BF7A1(558626721)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4284714/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
R2#
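Every SA in the listing above was negotiated with esp-des and esp-md5-hmac, and PFS is off. As an added example (not part of the original post), this Python script parses `show crypto ipsec sa` text and flags those settings. The sample text is constructed from the R2 output, and the WEAK set is this example's own policy assumption.

```python
import re

# Constructed sample: abridged `show crypto ipsec sa` text modelled on the R2 output.
SAMPLE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.1.1.4/255.255.255.255/47/0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB86713B9(3093763001)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/1700)
     outbound esp sas:
      spi: 0x214BF7A1(558626721)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4284714/1708)
"""

# Assumption: this weak-transform list is the example's own policy, not a Cisco default.
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}

def parse_sas(text):
    """Return one dict per SA: direction, SPI, transforms, remaining (KB, seconds)."""
    sas, direction = [], None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction = m.group(1)
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)\(\d+\)", s):
            sas.append({"dir": direction, "spi": m.group(1), "transforms": [], "life": None})
        elif s.startswith("transform:") and sas:
            sas[-1]["transforms"] = s[len("transform:"):].replace(",", " ").split()
        elif (m := re.search(r"lifetime \(k/sec\): \((\d+)/(\d+)\)", s)) and sas:
            sas[-1]["life"] = (int(m.group(1)), int(m.group(2)))
    return sas

def audit(text):
    """Return findings for SAs using weak transforms and for disabled PFS."""
    findings = []
    for sa in parse_sas(text):
        weak = sorted(WEAK.intersection(sa["transforms"]))
        if weak:
            findings.append(f"{sa['dir']} SA {sa['spi']}: weak transform {', '.join(weak)}")
    if re.search(r"PFS \(Y/N\): N", text):
        findings.append("PFS disabled (no DH exchange in quick mode)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```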
Reposted from: https://blog.51cto.com/oppoa10000k/1769569