CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

企业开发 2021-01-15 23:05:30 阅读次数: 0

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***
实验说明:

  1. 在R1与R2之间使用快速以太网进行连接。
  2. 在R1上的1.1.1.1/24希望与R2上的2.2.2.2/24网络之间通过 ipsec ***进行通信
  3. 采用预共享密钥配置
  4. 使用SDM配置

实验过程:

第一步:配置R1支持SDM
R1(config)#username admin privilege 15 password admin
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exi
R1(config)#ip http server
R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#int e1/0
R1(config-if)#ip add 192.168.1.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int e0/0
R1(config-if)#ip add 200.1.1.1 255.255.255.0

第二步:配置R2支持SDM
R2(config)#username admin pri 15 pass admin
R2(config)#ip http server
R2(config)#ip http secure-server
R2(config)#ip http authentication local
R2(config-if)#int e0/0
R2(config-if)#ip add 200.1.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int e1/0
R2(config-if)#ip add 192.168.1.3 255.255.255.0

第三步:使用SDM登录R1开始进行配置
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***
第四步:输入http认证密码
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第五步:登录之后图示如下
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第六步:建立一个回环地址

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第七步:输入回环地址

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***
第八步:选择***—点到点的***—创建点到点的***---启动选定的任务
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第九步:逐步操作向导

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第十步:选择***连接的接口,输入***对等体的ip地址,和共享密钥。
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第11步:这里IKE策略选择默认的策略

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***
第12步:在变换集中选择默认的变换集

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第13步:在感兴趣流中定义,选择
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第14步:在添加规则中选择添加
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第15步:在添加扩展规则项中,

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第16步:确定无误后,点击完成
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***
CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***

第17步:show run可以看到刚才配置的信息
access-list 100 remark *** icmp
access-list 100 remark SDM_ACL Category=4
access-list 100 remark icmp
access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2 conversion-error log

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 200.1.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to200.1.1.2
set peer 200.1.1.2
set transform-set ESP-3DES-SHA
match address 100

第18步:在R1上添加一第静态路由

CCNP(ISCW)实验:使用SDM配置Site-to-Site IPSEC ***
第19步:以相同的方法在R2进行配置
第20步:测试效果
R1#ping 2.2.2.2 sou 1.1.1.1
//这里可以在SDM上ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

Mar 1 00:10:33.971: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x6577E2C8(1702355656), conn_id= 0, keysize= 0, flags= 0x400A
Mar 1 00:10:33.975: ISAKMP: received ke message (1/1)
Mar 1 00:10:33.975: ISAKMP (0:0): SA request profile is (NULL)
Mar 1 00:10:33.975: ISAKMP: local port 500, remote port 500
Mar 1 00:10:33.979: ISAKMP: set new node 0 to QM_IDLE
Mar 1 00:10:33.979: ISAKMP: insert sa successfully sa = 63A8BC8C
Mar 1 00:10:33.979: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Mar 1 00:10:33.979: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success
Mar 1 00:10:33.979: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2
Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Mar 1 00:10:33.983: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 1 00:10:33.983: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

Mar 1 00:10:33.983: ISAKMP (0:1): beginning Main Mode exchange
Mar 1 00:10:33.983: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 1 00:10:34.183: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 1 00:10:34.187: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:10:34.187: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2

Mar 1 00:10:34.191: ISAKMP (0:1): processing SA payload. message ID = 0
Mar 1 00:10:34.191: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.191: ISAKMP (0:1): vendor ID seems Unity/DPD but.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/47/84 ms
R1# major 245 mismatch
Mar 1 00:10:34.191: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:10:34.191: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success
Mar 1 00:10:34.191: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2
Mar 1 00:10:34.191: ISAKMP (0:1) local preshared key found
Mar 1 00:10:34.195: ISAKMP : Scanning profiles for xauth ...
Mar 1 00:10:34.195: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
Mar 1 00:10:34.195: ISAKMP: encryption 3DES-CBC
Mar 1 00:10:34.195: ISAKMP: hash SHA
Mar 1 00:10:34.195: ISAKMP: default group 2
Mar 1 00:10:34.195: ISAKMP: auth pre-share
Mar 1 00:10:34.195: ISAKMP: life type in seconds
Mar 1 00:10:34.195: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 1 00:10:34.199: ISAKMP (0:1): atts are acceptable. Next payload is 0
Mar 1 00:10:34.263: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.263: ISAKMP (0:1): vendor ID
R1# seems Unity/DPD but major 245 mismatch
Mar 1 00:10:34.263: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:10:34.263: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:10:34.263: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2

Mar 1 00:10:34.267: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 1 00:10:34.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:10:34.271: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3

Mar 1 00:10:34.403: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 1 00:10:34.407: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:10:34.407: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4

Mar 1 00:10:34.407: ISAKMP (0:1): processing KE payload. message ID = 0
Mar 1 00:10:34.475: ISAKMP (0:1): processing NONCE payload. message ID = 0
Mar 1 00:10:34.475: ISA
R1#KMP: Looking for a matching key for 200.1.1.2 in default : success
Mar 1 00:10:34.475: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2
Mar 1 00:10:34.483: ISAKMP (0:1): SKEYID state generated
Mar 1 00:10:34.483: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.483: ISAKMP (0:1): vendor ID is Unity
Mar 1 00:10:34.483: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.483: ISAKMP (0:1): vendor ID is DPD
Mar 1 00:10:34.487: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.487: ISAKMP (0:1): speaking to another IOS box!
Mar 1 00:10:34.487: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4

Mar 1 00:10:34.487: ISAKMP (0:1): Send initial contact
Mar 1 00:10:34.487: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 1 00:10:34.487: ISAKMP (0:1): ID payload
next-payload : 8
type
R1# : 1
address : 200.1.1.1
protocol : 17
port : 500
length : 12
Mar 1 00:10:34.487: ISAKMP (1): Total payload length: 12
Mar 1 00:10:34.487: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 1 00:10:34.487: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5

Mar 1 00:10:34.575: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 1 00:10:34.579: ISAKMP (0:1): processing ID payload. message ID = 0
Mar 1 00:10:34.579: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 200.1.1.2
protocol : 17
port : 500
length : 12
Mar 1 00:10:34.579: ISAKMP (0:1): processing HASH payload. message ID = 0
Mar 1 00:10:34.583: ISAKMP (0:1): SA authentication status:
authenticated
Mar 1 00:10:34.583: ISAKMP (0:1): SA ha
R1#s been authenticated with 200.1.1.2
Mar 1 00:10:34.583: ISAKMP (0:1): peer matches none of the profiles
Mar 1 00:10:34.583: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:10:34.587: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6

Mar 1 00:10:34.587: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:10:34.587: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6

Mar 1 00:10:34.591: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:10:34.591: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Mar 1 00:10:34.595: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1228454044
Mar 1 00:10:34.599: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Mar 1 00:10:34.599: ISAKMP (0:1): Node -1228454044, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 1 00:10:34.603: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1

R1#Mar 1 00:10:34.603: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 1 00:10:34.603: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Mar 1 00:10:34.979: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Mar 1 00:10:34.983: ISAKMP (0:1): processing HASH payload. message ID = -1228454044
Mar 1 00:10:34.987: ISAKMP (0:1): processing SA payload. message ID = -1228454044
Mar 1 00:10:34.987: ISAKMP (0:1): Checking IPSec proposal 1
Mar 1 00:10:34.987: ISAKMP: transform 1, ESP_3DES
Mar 1 00:10:34.987: ISAKMP: attributes in transform:
Mar 1 00:10:34.987: ISAKMP: encaps is 1 (Tunnel)
Mar 1 00:10:34.987: ISAKMP: SA life type in seconds
Mar 1 00:10:34.987: ISAKMP: SA life duration (basic) of 3600
Mar 1 00:10:34.987: ISAKMP: SA life type in kilobytes
Mar 1 00:10:34.991: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 1 00:10:34.991: ISAKMP:
R1# authenticator is HMAC-SHA
Mar 1 00:10:34.991: ISAKMP (0:1): atts are acceptable.
Mar 1 00:10:34.991: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Mar 1 00:10:34.995: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf =
Mar 1 00:10:34.999: ISAKMP (0:1): processing NONCE payload. message ID = -1228454044
Mar 1 00:10:34.999: ISAKMP (0:1): processing ID payload. message ID = -1228454044
Mar 1 00:10:34.999: ISAKMP (0:1): processing ID payload. message ID = -1228454044
Mar 1 00:10:35.011: ISAKMP (0:1): Creating IPSec SAs
Mar 1 00:10:35.011: inbound SA from 200.1.1.2 to 200.1.1.1 (f/i) 0/ 0
(proxy 2.2.2.2 to 1
R1#.1.1.1)
Mar 1 00:10:35.011: has spi 0x6577E2C8 and conn_id 2000 and flags 2
Mar 1 00:10:35.011: lifetime of 3600 seconds
Mar 1 00:10:35.011: lifetime of 4608000 kilobytes
Mar 1 00:10:35.015: has client flags 0x0
Mar 1 00:10:35.015: outbound SA from 200.1.1.1 to 200.1.1.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2 )
Mar 1 00:10:35.015: has spi 561929564 and conn_id 2001 and flags A
Mar 1 00:10:35.015: lifetime of 3600 seconds
Mar 1 00:10:35.015: lifetime of 4608000 kilobytes
Mar 1 00:10:35.015: has client flags 0x0
Mar 1 00:10:35.019: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Mar 1 00:10:35.019: ISAKMP (0:1): deleting node -1228454044 error FALSE reason ""
Mar 1 00:10:35.019: ISAKMP (0:1): Node -1228454044, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 1 00:10:35.019: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New St
R1#ate = IKE_QM_PHASE2_COMPLETE
Mar 1 00:10:35.023: IPSEC(key_engine): got a queue event...
Mar 1 00:10:35.023: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x6577E2C8(1702355656), conn_id= 2000, keysize= 0, flags= 0x2
Mar 1 00:10:35.023: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x217E5D5C(561929564), conn_id= 2001, keysize= 0, flags= 0xA
Mar 1 00:10:35.027: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf =
Mar 1 00:10:35.031: IPSEC(crypto_ipsec_sa_find_id
R1#ent_head): reconnecting with the same proxies and 200.1.1.2
*Mar 1 00:10:35.031: IPSEC(add mtree): src 1.1.1.1, dest 2.2.2.2, dest_port 0

Mar 1 00:10:35.031: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.1, sa_prot= 50,
sa_spi= 0x6577E2C8(1702355656),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Mar 1 00:10:35.035: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.2, sa_prot= 50,
sa_spi= 0x217E5D5C(561929564),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001

猜你喜欢

转载自blog.51cto.com/starshomes/2591586
今日推荐
国产云输入法——仅华为无云端数据上传安全问题
开源日报 | 工业开源项目OGG 1.0;姐姐,你要和我一起配置火狐吗;苹果AI遥遥落后?Fedora 40
开放签电子签章:停止新增,优化体验,前进更进(五一假期前工作)
开源日报 | 中学生开源前端动画引擎;全球首个Llama3 8B中文版开源模型;联想电脑恐出局;Linus讽刺AI炒作
“百模大战”必有一战 | 2024中国“百模大战”竞争格局分析
最强开源大模型 Llama 3 上架 Gitee AI
虽然老乡鸡开源的不是代码,但背后的原因却让人很暖心
周排行
决策树的部分理解
STM32软件IIC的实现
RocketMQ原理解析-HA
vue-动态路由(路由的传参和接参)
利用python对Excel中的特定数据提取并写入新表
【Ubuntu】 Ubuntu16.04搭建NFS服务
Elasticsearch基础操作与对应的curl命令行,python对接实现
JVM数据存储结构 & Java的值传递和址传递
yum命令使用指南
java基础(一):java语法基础
每日归档
更多
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)
2024-04-18(0)
2024-04-17(5)
2024-04-16(70)
2024-04-15(42)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022