IPSecVPN建立在两个NAT路由器上

1、测试拓扑：

图片.png

2、相关说明：

实际的网络情况中，Site1和Site2之间要建立IPSec VPN，已让 Site后面的内网网段互通。但是实际的情况往往也有访问internet的需求，所以一般会有NAT的情况，例如这里的情况和一般的NAT-T不一样。做VPN的设备和NAT的设备一样。

3、相关配置：

R1：

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 12.1.1.2

crypto ipsec transform-set Trans esp-3des esp-md5-hmac

crypto map cisco 10 ipsec-isakmp

set peer 12.1.1.2

set transform-set Trans

match address vpn

interface Loopback0

ip address 1.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

interface Ethernet0/0

ip address 12.1.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly

half-duplex

crypto map cisco

ip route 2.2.2.0 255.255.255.0 12.1.1.2 >>>>这条静态路由，是为了让流量撞上VPN触发流量

ip nat inside source list nat interface Ethernet0/0 overload

ip access-list extended nat

deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 >>>>这里是为了不让1.1.1.1访问2.2.2.2的流量撞上NAT

permit ip any any

ip access-list extended vpn

permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R2：

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 12.1.1.1

crypto ipsec transform-set Trans esp-3des esp-md5-hmac

crypto map cisco 10 ipsec-isakmp

set peer 12.1.1.1

set transform-set Trans

match address vpn

interface Loopback0

ip address 2.2.2.2 255.255.255.0

ip nat outside

ip virtual-reassembly

interface Ethernet0/0

ip address 12.1.1.2 255.255.255.0

half-duplex

crypto map cisco

ip route 1.1.1.0 255.255.255.0 12.1.1.1

ip nat inside source list nat interface Ethernet0/0 overload

ip access-list extended nat

deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

permit ip any any

ip access-list extended vpn

permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

触发VPN：

R1#ping 2.2.2.2 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 32/44/48 ms

4、分析建立过程：

第一阶段：

*Mar 1 04:49:24.886: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA

*Mar 1 04:49:24.886: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500

*Mar 1 04:49:24.886: ISAKMP: New peer created peer = 0x64F66BC4 peer_handle = 0x80000007

*Mar 1 04:49:24.890: ISAKMP: Locking peer struct 0x64F66BC4, IKE refcount 1 for crypto_isakmp_process_block

*Mar 1 04:49:24.890: ISAKMP: local port 500, remote port 500

*Mar 1 04:49:24.890: insert sa successfully sa = 646DD604

*Mar 1 04:49:24.894: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 04:49:24.894: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 1 04:49:24.898: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Mar 1 04:49:24.898: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar 1 04:49:24.898: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 04:49:24.902: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 04:49:24.902: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar 1 04:49:24.902: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 04:49:24.902: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Mar 1 04:49:24.906: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Mar 1 04:49:24.906: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 04:49:24.906: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Mar 1 04:49:24.906: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 12.1.1.1

*Mar 1 04:49:24.910: ISAKMP:(0:0:N/A:0): local preshared key found

*Mar 1 04:49:24.910: ISAKMP : Scanning profiles for xauth ...

*Mar 1 04:49:24.910: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy >>>检查我们配置的isakmp policy 10

*Mar 1 04:49:24.910: ISAKMP: encryption 3DES-CBC

*Mar 1 04:49:24.910: ISAKMP: hash SHA

*Mar 1 04:49:24.914: ISAKMP: default group 2

*Mar 1 04:49:24.914: ISAKMP: auth pre-share

*Mar 1 04:49:24.914: ISAKMP: life type in seconds

*Mar 1 04:49:24.914: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 04:49:24.914: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 04:49:24.946: ISAKMP (0:134217729): vendor ID is NAT-T v7

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID

*Mar 1 04:49:24.946: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Mar 1 04:49:24.950: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 04:49:24.950: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 1 04:49:25.046: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP

*Mar 1 04:49:25.046: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 04:49:25.050: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 1 04:49:25.054: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0

*Mar 1 04:49:25.086: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0

*Mar 1 04:49:25.086: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 12.1.1.1

*Mar 1 04:49:25.090: ISAKMP:(0:1:SW:1):SKEYID state generated

*Mar 1 04:49:25.090: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar 1 04:49:25.090: ISAKMP:(0:1:SW:1): vendor ID is Unity

*Mar 1 04:49:25.094: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar 1 04:49:25.094: ISAKMP:(0:1:SW:1): vendor ID is DPD

*Mar 1 04:49:25.094: ISAKMP:(0:1:SW:1): processing vendor id payload

*Mar 1 04:49:25.094: ISAKMP:(0:1:SW:1): speaking to another IOS box!

*Mar 1 04:49:25.098: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 04:49:25.098: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 1 04:49:25.102: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 1 04:49:25.102: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 04:49:25.102: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 1 04:49:25.154: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Mar 1 04:49:25.158: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 04:49:25.158: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 1 04:49:25.162: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0

*Mar 1 04:49:25.166: ISAKMP (0:134217729): ID payload

next-payload : 8

type : 1

address : 12.1.1.1

protocol : 17

port : 500

length : 12

*Mar 1 04:49:25.166: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles

*Mar 1 04:49:25.166: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0

*Mar 1 04:49:25.170: ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 646DD604

*Mar 1 04:49:25.170: ISAKMP:(0:1:SW:1):SA authentication status:

authenticated

*Mar 1 04:49:25.174: ISAKMP:(0:1:SW:1): Process initial contact,

bring down existing phase 1 and 2 SA's with local 12.1.1.2 remote 12.1.1.1 remote port 500

*Mar 1 04:49:25.174: ISAKMP:(0:1:SW:1):SA authentication status:

authenticated

*Mar 1 04:49:25.178: ISAKMP:(0:1:SW:1):SA has been authenticated with 12.1.1.1

*Mar 1 04:49:25.178: ISAKMP: Trying to insert a peer 12.1.1.2/12.1.1.1/500/, and inserted successfully 64F66BC4.

*Mar 1 04:49:25.178: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 04:49:25.182: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 1 04:49:25.182: IPSEC(key_engine): got a queue event with 1 kei messages

*Mar 1 04:49:25.186: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 04:49:25.186: ISAKMP (0:134217729): ID payload

next-payload : 8

type : 1

address : 12.1.1.2

protocol : 17

port : 500

length : 12

*Mar 1 04:49:25.190: ISAKMP:(0:1:SW:1):Total payload length: 12

*Mar 1 04:49:25.194: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 1 04:49:25.198: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 04:49:25.198: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Mar 1 04:49:25.202: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 1 04:49:25.202: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

第二阶段：

*Mar 1 04:49:25.266: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE

*Mar 1 04:49:25.266: ISAKMP: set new node 1812581365 to QM_IDLE

*Mar 1 04:49:25.270: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1812581365

*Mar 1 04:49:25.274: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1812581365

*Mar 1 04:49:25.274: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1

*Mar 1 04:49:25.274: ISAKMP: transform 1, ESP_3DES

*Mar 1 04:49:25.274: ISAKMP: attributes in transform:

*Mar 1 04:49:25.274: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 04:49:25.278: ISAKMP: SA life type in seconds

*Mar 1 04:49:25.278: ISAKMP: SA life duration (basic) of 3600

*Mar 1 04:49:25.278: ISAKMP: SA life type in kilobytes

*Mar 1 04:49:25.278: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 04:49:25.278: ISAKMP: authenticator is HMAC-MD5

*Mar 1 04:49:25.282: ISAKMP:(0:1:SW:1):atts are acceptable.

*Mar 1 04:49:25.282: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 12.1.1.2, remote= 12.1.1.1,

local_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar 1 04:49:25.286: Crypto mapdb : proxy_match

src addr : 2.2.2.0

dst addr : 1.1.1.0

protocol : 0

src port : 0

dst port : 0

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 1812581365

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1812581365

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1): asking for 1 spis from ipsec

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1):Node 1812581365, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

*Mar 1 04:49:25.290: IPSEC(key_engine): got a queue event with 1 kei messages

*Mar 1 04:49:25.290: IPSEC(spi_response): getting spi 2345636103 for SA

from 12.1.1.2 to 12.1.1.1 for prot 3

*Mar 1 04:49:25.290: ISAKMP: received ke message (2/1)

*Mar 1 04:49:25.290: ISAKMP: Locking peer struct 0x64F66BC4, IPSEC refcount 1 for for stuff_ke

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1): Creating IPSec SAs

*Mar 1 04:49:25.290: inbound SA from 12.1.1.1 to 12.1.1.2 (f/i) 0/ 0

(proxy 1.1.1.0 to 2.2.2.0)

*Mar 1 04:49:25.290: has spi 0x8BCF9107 and conn_id 0 and flags 2

*Mar 1 04:49:25.290: lifetime of 3600 seconds

*Mar 1 04:49:25.290: lifetime of 4608000 kilobytes

*Mar 1 04:49:25.290: has client flags 0x0

*Mar 1 04:49:25.290: outbound SA from 12.1.1.2 to 12.1.1.1 (f/i) 0/0

(proxy 2.2.2.0 to 1.1.1.0)

*Mar 1 04:49:25.290: has spi 685105074 and conn_id 0 and flags A

*Mar 1 04:49:25.290: lifetime of 3600 seconds

*Mar 1 04:49:25.290: lifetime of 4608000 kilobytes

*Mar 1 04:49:25.290: has client flags 0x0

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE

*Mar 1 04:49:25.290: ISAKMP:(0:1:SW:1):Node 1812581365, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY

*Mar 1 04:49:25.294: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2

*Mar 1 04:49:25.294: IPSEC(key_engine): got a queue event with 2 kei messages

*Mar 1 04:49:25.298: IPSEC(initialize_sas): ,

(key eng. msg.) INBOUND local= 12.1.1.2, remote= 12.1.1.1,

local_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x8BCF9107(2345636103), conn_id= 0, keysize= 0, flags= 0x2

*Mar 1 04:49:25.302: IPSEC(initialize_sas): ,

(key eng. msg.) OUTBOUND local= 12.1.1.2, remote= 12.1.1.1,

local_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x28D5DFB2(685105074), conn_id= 0, keysize= 0, flags= 0xA

*Mar 1 04:49:25.306: Crypto mapdb : proxy_match

src addr : 2.2.2.0

dst addr : 1.1.1.0

protocol : 0

src port : 0

dst port : 0

*Mar 1 04:49:25.306: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 12.1.1.1

*Mar 1 04:49:25.306: IPSec: Flow_switching Allocated flow for sibling 8000000B

*Mar 1 04:49:25.310: IPSEC(policy_db_add_ident): src 2.2.2.0, dest 1.1.1.0, dest_port 0

*Mar 1 04:49:25.310: ISAKMP: Locking peer struct 0x64F66BC4, IPSEC refcount 2 for from create_transforms

*Mar 1 04:49:25.310: IPSEC(create_sa): sa created,

(sa) sa_dest= 12.1.1.2, sa_proto= 50,

sa_spi= 0x8BCF9107(2345636103),

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2003

*Mar 1 04:49:25.314: IPSEC(create_sa): sa created,

(sa) sa_dest= 12.1.1.1, sa_proto= 50,

sa_spi= 0x28D5DFB2(685105074),

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2002

*Mar 1 04:49:25.314: ISAKMP: Unlocking IPSEC struct 0x64F66BC4 from create_transforms, count 1

*Mar 1 04:49:25.374: ISAKMP (0:134217729): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE

*Mar 1 04:49:25.378: ISAKMP:(0:1:SW:1):deleting node 1812581365 error FALSE reason "QM done (await)"

*Mar 1 04:49:25.378: ISAKMP:(0:1:SW:1):Node 1812581365, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 1 04:49:25.382: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE

*Mar 1 04:49:25.382: IPSEC(key_engine): got a queue event with 1 kei messages

*Mar 1 04:49:25.386: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

*Mar 1 04:49:25.386: IPSEC(key_engine_enable_outbound): enable SA with spi 685105074/50

5、报文抓取：【在R2的E0/0抓取的报文】

主模式1-6个包，快速模式1-3个包

图片.png

第一个报文SA内容：R1-R2交互crypto isakmp policy 10配置的加密，校验，DH组等参数。

图片.png

第二个报文SA内容：R2-R1，1-2个包中的这些信息一致

图片.png

第三个报文Key Exchange、Vendor ID【CISCO-UNITY；DPD；XAUTH】、NAT-Discovery：R1-R2,主要交互密钥资源，以便为5-6包提供安全算法所需密钥

图片.png

第四个报文：R2-R1,格式内容和第三个报文一样

图片.png

第五个报文：R1-R2，传递的是加密的数据，5-6报文都是在加密的环境中传输的

图片.png

第六个报文：R2-R1

图片.png

快速模式的1-3个报文【R1-R2，R2-R1，R1-R2】

QM-1：

图片.png

QM-2：

图片.png

QM-3：

图片.png

6、我们验证一下建立后的情况

R1#sho crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

2 Ethernet0/0 12.1.1.1 set HMAC_SHA+3DES_56_C 0 0

2001 Ethernet0/0 12.1.1.1 set 3DES+MD5 4 0

2004 Ethernet0/0 12.1.1.1 set 3DES+MD5 0 4

R1#show crypto isakmp sa

dst src state conn-id slot status

12.1.1.2 12.1.1.1 QM_IDLE 2 0 ACTIVE

R1#show crypto ipsec sa

interface: Ethernet0/0

Crypto map tag: cisco, local addr 12.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)

current_peer 12.1.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2

path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0

current outbound spi: 0x50B82D9A(1354247578)

inbound esp sas:

spi: 0x777B0338(2004550456)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 2004, flow_id: SW:4, crypto map: cisco

sa timing: remaining key lifetime (k/sec): (4391758/3437)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x50B82D9A(1354247578)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: SW:1, crypto map: cisco

sa timing: remaining key lifetime (k/sec): (4391758/3436)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

ACl匹配情况：

R1#sho access-lists

Extended IP access list nat

10 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (5 matches)

20 permit ip any any (2 matches)

Extended IP access list vpn

10 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (9 matches)

可以ping公网上的地址：

R1#ping 12.1.1.2 so lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms

R1#sho acce

R1#sho access-l

R1#sho access-lists

Extended IP access list nat

10 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (5 matches)

20 permit ip any any (3 matches) >>>>匹配了一个去做NAT

Extended IP access list vpn

10 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (9 matches)

R1#sho

R1#show ip nat tr

R1#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 12.1.1.1:23 1.1.1.1:23 12.1.1.2:23 12.1.1.2:23

IPSecVPN建立在两个NAT路由器上

猜你喜欢