CCNP(ISCW)实验:采用预共享密钥的Site-to-Site IPSEC ***

企业开发 2021-01-12 09:36:51 阅读次数: 0

CCNP(ISCW)实验:采用预共享密钥的Site-to-Site IPSEC ***
实验说明:

  1. 在R1、R2之间使用快速以太网进行连接
  2. 在R1上的1.1.1.1/24 希望与R2上的2.2.2.2/24网络之间通过 ipsec ***
  3. 采用预共享密钥配置

实验过程:

第一步:基本接口配置
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int e0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#int e0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

第二步:配置互联网密钥交换(IKE)
R1(config)#crypto isakmp enable
//在全局下启动isakmp (默认情况下被启动)
R1(config)#crypto isakmp policy 10
//定义isakmp 策略集,以便在ipsec端点之间建立isakmp对等体关系,这里的10是代表的优先级,取值范围在1-10000,1表示优先级最高
R1(config-isakmp)#authentication pre-share
// 配置对等体身份验证方法为预共享密钥
R1(config-isakmp)#encryption 3des
// 配置消息加密算法为3des
R1(config-isakmp)#group 5
//配置密钥交换参数为1536位的Deffie-Hellman
R1(config-isakmp)#hash sha
//配置消息完整性(散列)算法为SHA-1(160比特签名)
R1(config-isakmp)#lifetime 86400
//配置ISAKMP建立的SA的寿命
R1(config)#crypto isakmp key cisco add 192.168.1.2
//配置预共享密钥,密钥为cisco,远程对等体的IP地址为192.168.1.2

R2(config)#Cryp is en
R2(config)#Cry is pol 10
R2(config-isakmp)#Aut pre
R2(config-isakmp)#Enc 3d
R2(config-isakmp)#Gro 5
R2(config-isakmp)#Hash sha
R2(config-isakmp)#Life 86400
R2(config-isakmp)#Exit
R2(config)#Cryp isa key cisco add 192.168.1.1

第三步:配置ipsec交换集
R1(config)#cry ipsec transform-set R1set esp-3des esp-sha-hmac
//创建一个变换集名为R1set,变换集定义数据流量如何被保护。如果不配置连接模式,默认就是tunnel,即mode tunnel
R1(config)#crypto map R1*** 10 ipsec-isakmp
// 建立IPSec加密映射,使用ISAKMP建立IPSEC SA,以保护当前加密映射条目指定的数据库
R1(config-crypto-map)#set peer 192.168.1.2
// 指定对等体IP地址
R1(config-crypto-map)#set transform-set R1set
// 指定变换集
R1(config-crypto-map)#match add 100
// 引用扩展ACL

R2(config)# cryp ips transform-set R2set esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exi
R2(config)#crypto map R2*** 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
//新的映射没有启用。
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set transform-set R2set
R2(config-crypto-map)#match add 100

第四步:定义触发流量,即ipsec连接保护何种流量
R1(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
//定义对什么样的流量进行ipsec保护
R1(config)#int e0/0
R1(config-if)#crypto map R1***
//将加密映射应用到接口
*Mar 1 00:26:14.451: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
R2(config)#int e0/0
R2(config-if)#crypto map R2***

第五步:使用ping 流量调试ipsec配置
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 sou 1.1.1.1

扫描二维码关注公众号,回复: 12136828 查看本文章

.!!!!
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

Mar 1 00:30:49.951: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xDE7C1239(3732673081), conn_id= 0, keysize= 0, flags= 0x400A
Mar 1 00:30:49.955: ISAKMP: received ke message (1/1)
Mar 1 00:30:49.955: ISAKMP (0:0): SA request profile is (NULL)
Mar 1 00:30:49.955: ISAKMP: local port 500, remote port 500
Mar 1 00:30:49.959: ISAKMP: set new node 0 to QM_IDLE
Mar 1 00:30:49.959: ISAKMP: insert sa successfully sa = 63D1C4B4
Mar 1 00:30:49.959: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Mar 1 00:30:49.959: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
Mar 1 00:30:49.959: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Mar 1 00:30:49.963: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 1 00:30:49.963: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
//这里表明IKE协商已经被发启,主模式中的第一条isakmp消息即将被发送,I表示为发起方,如果为应答方则为R.
Mar 1 00:30:49.963: ISAKMP (0:1): beginning Main Mode exchange
//这里表示IKE主模式协商即将开始
Mar 1 00:30:49.963: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 1 00:30:50.163: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
//主模式协商以R1为发起方向R2发送IKE sa提议开始,这些提议对应R1上的配置(crypto isakmp policy)
Mar 1 00:30:50.167: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 1 00:30:50.167: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
//IKE交换中的第二第消息
Mar 1 00:30:50.167: ISAKMP (0:1): processing SA payload. message ID = 0
//开始处理SA有效负载,其中包括被接受的提议,这里的消息ID用于被phase1各phase2中交换的消息区分开来,因此在整个主模式协商期间消息ID始终为0
Mar 1 00:30:50.171: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.171: ISAKMP (0:1): vendor ID seems U
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/40/52 ms
R1#nity/DPD but major 245 mismatch
Mar 1 00:30:50.171: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:30:50.171: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
Mar 1 00:30:50.171: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
Mar 1 00:30:50.171: ISAKMP (0:1) local preshared key found
Mar 1 00:30:50.171: ISAKMP : Scanning profiles for xauth ...
Mar 1 00:30:50.175: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
//两个对等体交换了它们的IKE阶段1策略,路由器正在比较远程对等体的策略和本地策略10
Mar 1 00:30:50.175: ISAKMP: encryption 3DES-CBC
Mar 1 00:30:50.175: ISAKMP: hash SHA
Mar 1 00:30:50.175: ISAKMP: default group 5
Mar 1 00:30:50.175: ISAKMP: auth pre-share
Mar 1 00:30:50.175: ISAKMP: life type in seconds
Mar 1 00:30:50.175: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 1 00:30:50.179: ISAKMP (0:1): atts are acceptable. Next payload is 0
//策略已经匹配了,atts代表就可接受的,现在可以开始交换hiffice-hellman公开密钥值和临时值(随机数)
Mar 1 00:30:50.271: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.271: ISAKMP
R1# (0:1): vendor ID seems Unity/DPD but major 245 mismatch
Mar 1 00:30:50.271: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:30:50.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:30:50.275: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 1 00:30:50.279: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
/R1将期diffie-hffie-hellman公开密钥值和临时值发送给R2
Mar 1 00:30:50.279: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:30:50.279: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
//发送了IKE协商中第三条消息
Mar 1 00:30:50.459: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
//R1收到 了R2的响应
Mar 1 00:30:50.463: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 1 00:30:50.463: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
//状态变为第四条,表明该响应是主模式中的第四条消息。
Mar 1 00:30:50.463: ISAKMP (0:1): processing KE payload. message ID = 0
Mar 1 00:30:50.583: ISAKMP (0:1): processing NONCE payload. message ID = 0
Mar
R1# 1 00:30:50.583: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
Mar 1 00:30:50.587: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
Mar 1 00:30:50.591: ISAKMP (0:1): SKEYID state generated
//这里显示了skeyid sate generated 这表明tlkyo 已经生成了密资料
Mar 1 00:30:50.591: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.595: ISAKMP (0:1): vendor ID is Unity
Mar 1 00:30:50.595: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.595: ISAKMP (0:1): vendor ID is DPD
Mar 1 00:30:50.595: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.595: ISAKMP (0:1): speaking to another IOS box!
//显示了厂商ID有效负载,表明该消息来自另一台cisco路由器
Mar 1 00:30:50.595: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 1 00:30:50.595: ISAKMP (0:1): Send initial contact
Mar 1 00:30:50.595: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 1 00:30:50.595: ISAKMP (0:1): ID payload
next-
R1#payload : 8
type : 1
address : 192.168.1.1
protocol : 17
port : 500
length : 12
Mar 1 00:30:50.595: ISAKMP (1): Total payload length: 12
Mar 1 00:30:50.595: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 1 00:30:50.595: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
//5条消息
Mar 1 00:30:50.691: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 1 00:30:50.695: ISAKMP (0:1): processing ID payload. message ID = 0
Mar 1 00:30:50.695: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
Mar 1 00:30:50.695: ISAKMP (0:1): processing HASH payload. message ID = 0
Mar 1 00:30:50.699: ISAKMP (0:1): SA authentication status:
authenticated
Mar 1
R1#00:30:50.699: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
Mar 1 00:30:50.699: ISAKMP (0:1): peer matches none of the profiles
Mar 1 00:30:50.699: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6

Mar 1 00:30:50.703: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6

Mar 1 00:30:50.707: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:30:50.707: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
//状态变为IKE_P1_COMPLETE,表明主模式(phase1)协商已经完成。
Mar 1 00:30:50.711: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 174738581
//表明快速模式即将开始,R1即将发送的第一条快速模式消息ID(M——ID)不同于主模式中那些ID,这是一个非0值(随机)
Mar 1 00:30:50.715: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
//R1发送了快速模式协商中的第一第消息,该消息中包括ip sec提议
Mar 1 00:30:50.715: ISAKMP (0:1): Node 174738581, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_QM_R
R1#EADY New State = IKE_QM_I_QM1
//表明 IKE_QM_I_QM1第一第已发送
Mar 1 00:30:50.719: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Mar 1 00:30:51.067: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
//收到R2中回应,该消息包含了一系列的有效负载,其中包括了hash,sa,nonce,IE有效负载,
Mar 1 00:30:51.071: ISAKMP (0:1): processing HASH payload. message ID = 174738581
//hash有效负载用于验证该消息及用作存活指示。
Mar 1 00:30:51.075: ISAKMP (0:1): processing SA payload. message ID = 174738581
//sa有效负载包括ipsec提议
Mar 1 00:30:51.075: ISAKMP (0:1): Checking IPSec proposal 1
Mar 1 00:30:51.075: ISAKMP: transform 1, ESP_3DES
Mar 1 00:30:51.075: ISAKMP: attributes in transform:
Mar 1 00:30:51.075: ISAKMP: encaps is 1 (Tunnel)
Mar 1 00:30:51.075: ISAKMP: SA life type in seconds
Mar 1 00:30:51.075: ISAKMP: SA life duration (basic) of 3600
Mar 1 00:30:51.075: ISAKMP: SA life type in kilobytes
R1#r 1 00:30:51.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 1 00:30:51.079: ISAKMP: authenticator is HMAC-MD5
Mar 1 00:30:51.079: ISAKMP (0:1): atts are acceptable.
Mar 1 00:30:51.079: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Mar 1 00:30:51.083: IPSEC(kei_proxy): head = R1***, map->ivrf = , kei->ivrf =
Mar 1 00:30:51.087: ISAKMP (0:1): processing NONCE payload. message ID = 174738581
Mar 1 00:30:51.087: ISAKMP (0:1): processing ID payload. message ID = 174738581
Mar 1 00:30:51.087: ISAKMP (0:1): processing ID payload. message ID = 174738581
Mar 1 00:30:51.095: ISAKMP (0:1): Creating IPSec SAs
Mar 1 00:30:51.095: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
R1#
(proxy 2.2.2.2 to 1.1.1.1)
//这里创建了入站ipsec sa 该sa位于ip地址,192.168.1.2和192.168.1.1 之间,代理身份为2.2.2.2和1.1.1.1
Mar 1 00:30:51.099: has spi 0xDE7C1239 and conn_id 2000 and flags 2
Mar 1 00:30:51.099: lifetime of 3600 seconds
Mar 1 00:30:51.099: lifetime of 4608000 kilobytes
Mar 1 00:30:51.099: has client flags 0x0
Mar 1 00:30:51.099: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2 )
Mar 1 00:30:51.099: has spi 1645135704 and conn_id 2001 and flags A
Mar 1 00:30:51.099: lifetime of 3600 seconds
Mar 1 00:30:51.103: lifetime of 4608000 kilobytes
Mar 1 00:30:51.103: has client flags 0x0
Mar 1 00:30:51.103: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
//R1向R2发送快速模式协商中的最后一条消息,该消息用作确认在存活指示。
Mar 1 00:30:51.103: ISAKMP (0:1): deleting node 174738581 error FALSE reason ""
Mar 1 00:30:51.107: ISAKMP (0:1): Node 174738581, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 1 00:30:51.107: ISAKMP (0:1): Old
R1#State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
//状态变为上示,表明phase2完成
Mar 1 00:30:51.107: IPSEC(key_engine): got a queue event...
Mar 1 00:30:51.107: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xDE7C1239(3732673081), conn_id= 2000, keysize= 0, flags= 0x2
Mar 1 00:30:51.111: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x620EC758(1645135704), conn_id= 2001, keysize= 0, flags= 0xA
Mar 1 00:30:51.115: IPSEC(kei_proxy): head = R1***, map->ivrf = , kei->ivrf =
Mar 1 00:30:51.11
R1#5: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.1.2
Mar 1 00:30:51.119: IPSEC(add mtree): src 1.1.1.1, dest 2.2.2.2, dest_port 0

Mar 1 00:30:51.119: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_prot= 50,
sa_spi= 0xDE7C1239(3732673081),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
Mar 1 00:30:51.119: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_prot= 50,
sa_spi= 0x620EC758(1645135704),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
R1#u all
All possible debugging has been turned off
R1#

第六步:其它测试
R1#sh crypto isakmp sa
//查看关联
dst src state conn-id slot
192.168.1.2 192.168.1.1 QM_IDLE 1 0

R1#sh crypto ipsec sa
//安全库
interface: Ethernet0/0
Crypto map tag: R1***, local addr. 192.168.1.1
//在e0/0上激活了R1***的加密映射,用于IPsec通信的路由器ip地址是192.168.1.1
protected vrf:
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
current_peer: 192.168.1.2:500
PERMIT, flags={origin_is_acl,}
//这里显示了参与连接的对等体的本地和远程标识
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
//这里可以看到被封装各加密的数据包数目
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
//IPsec连接的本地和远程端点,以及使用的MTU
current outbound spi: 620EC758

 inbound esp sas:
  spi: 0xDE7C1239(3732673081)

//这里是输入(远程到本地路由器)esp sa,每个连接都有一个唯一的spi号
transform: esp-3des esp-md5-hmac ,
//用来保护连接的变换参数是esp-3des esp-md5-hmac
in use settings ={Tunnel, }
//连接模式是隧道模式
slot: 0, conn id: 2000, flow_id: 1, crypto map: R1***
sa timing: remaining key lifetime (k/sec): (4532812/315)
IV size: 8 bytes
replay detection support: Y

 inbound ah sas:

//AH下没有任何输出,说明ah没有用来保护连接
inbound pcp sas:

 outbound esp sas:
  spi: 0x620EC758(1645135704)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2001, flow_id: 2, crypto map: R1***
    sa timing: remaining key lifetime (k/sec): (4532812/314)
    IV size: 8 bytes
    replay detection support: Y

 outbound ah sas:

 outbound pcp sas:

Sh crypto enginee connections active
//查看当前激活的连接。几个包加密,几个解密了

猜你喜欢

转载自blog.51cto.com/starshomes/2587055
今日推荐
中国码农的“35岁魔咒”
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Arc Browser for Windows 1.0 正式 GA
90后程序员开发视频搬运软件、不到一年获利超 700 万,结局很刑!
《美国对全球网络空间安全与发展的威胁和破坏》报告发布
周排行
Java基础复习_day13_Collection集合
2018.11.16 c语言学习经验
且看Java内置四大核心函数式接口
小程序云开发中数据库的数据分段和显示图片
python的函数
Web-JS进阶
【干货】C++常用代码积累笔记大全
Spring的ioc操作 与 IOC底层原理
构建之法20191121-11 Scrum立会报告+燃尽图 07
Spring boot之Hello World访问404
每日归档
更多
2024-05-05(0)
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022