Cisco IPsec: aggressive mode with FQDN, initiating the negotiation, and show commands for debugging

lo1----Cisco sw---------|FW1|-------------|FW2|------lo2
Cisco switch interface IP: 119.3.149.150
FW2 interface IP: 10.37.240.129
lo1: 172.100.109.144
lo2: 11.37.1.1
Interesting traffic: 11.37.1.0/24 ------ 172.100.109.144/28
Cisco Layer 3 switch, model WS-C3650-24PD, software version 16.3.7
Cisco configuration: aggressive mode with FQDN, initiating the negotiation

Cisco configuration:
! Phase 1 ISAKMP policy; the cipher settings must match the peer
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 2
lifetime 28800
! Configure the peer ISAKMP entry and the FQDN
crypto isakmp peer address 10.37.240.129
set aggressive-mode password test
set aggressive-mode client-endpoint fqdn cisco
crypto isakmp keepalive 10 periodic
!
! Phase 2 IPsec transform set; the cipher settings must match the peer device
crypto ipsec transform-set dms esp-aes 256 esp-sha256-hmac
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
! Interesting traffic (the ACL that selects what gets encrypted)
ip access-list extended dms
permit ip 172.100.109.144 0.0.0.15 11.37.1.0 0.0.0.255
!
! Crypto map, then applied on the interface
crypto map huaweicloud 30 ipsec-isakmp
set peer 10.37.240.129
set transform-set dms
match address dms
! Interface configuration
interface GigabitEthernet1/0/20
no switchport
ip address 119.3.149.150 255.255.255.0
crypto map huaweicloud
!
interface Loopback2
ip address 172.100.109.144 255.255.255.255
! Route to the peer
ip route 10.37.240.0 255.255.255.0 119.3.149.200

Initiate the IPsec VPN negotiation by sending interesting traffic:
ping 11.37.1.1 source lo2

Cisco debugging commands
show crypto isakmp sa detail: view the ISAKMP (phase 1) SA negotiation
show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1024 119.3.149.150 10.37.240.129 ACTIVE aes sha256 psk 2 07:59:55 D
Engine-id:Conn-id = SW:24

A successful negotiation shows the status ACTIVE.
Clearing the phase 1 negotiation:
clear crypto isakmp: deletes all ISAKMP SAs
clear crypto isakmp <conn-id>: deletes the specified ISAKMP SA; in the output above the conn-id is 1024

show crypto ipsec sa detail: view the IPsec (phase 2) SA negotiation
show crypto ipsec sa detail

interface: GigabitEthernet1/0/20
Crypto map tag: huaweicloud, local addr 119.3.149.150

protected vrf: (none)
local ident (addr/mask/prot/port): (172.100.109.144/255.255.255.240/0/0)  # interesting traffic
remote ident (addr/mask/prot/port): (11.37.1.0/255.255.255.0/0/0)
current_peer 10.37.240.129 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 72593599, #pkts encrypt: 72593599, #pkts digest: 72593599
#pkts decaps: 101008349, #pkts decrypt: 101008349, #pkts verify: 101008349
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

 local crypto endpt.: 119.3.149.150, remote crypto endpt.: 10.37.240.129
 plaintext mtu 1726, path mtu 1800, ip mtu 1800, ip mtu idb GigabitEthernet1/0/20
 current outbound spi: 0xE4FB3B66(3841669990)
 PFS (Y/N): N, DH group: none

 inbound esp sas:
  spi: 0x9A73B86D(2591275117)
    transform: esp-256-aes esp-sha256-hmac ,  # cipher suite
    in use settings ={Tunnel, }
    conn id: 477, flow_id: 477, sibling_flags 80004040, crypto map: huaweicloud
    sa timing: remaining key lifetime (k/sec): (4336919/3442)  # 3442 s until the SA expires
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)  # SA is up

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0xE4FB3B66(3841669990)
    transform: esp-256-aes esp-sha256-hmac ,
    in use settings ={Tunnel, }
    conn id: 478, flow_id: 478, sibling_flags 80004040, crypto map: huaweicloud
    sa timing: remaining key lifetime (k/sec): (4336919/3442)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

 outbound ah sas:

 outbound pcp sas:
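Reading the SA blocks and failure counters above by hand is error-prone during an incident. The following Python script is an added example, not code from the original post: it parses a constructed excerpt modelled on the show output above and flags what an operator would want to know, namely a non-ACTIVE or missing ESP SA, an SA close to expiry, or a nonzero failure counter (replay, verify, decaps). The sample text and the 300-second threshold are constructed assumptions.

```python
import re

# Constructed excerpt modelled on the "show crypto ipsec sa detail" output above
SAMPLE = """\
interface: GigabitEthernet1/0/20
local ident (addr/mask/prot/port): (172.100.109.144/255.255.255.240/0/0)
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
##pkts replay failed (rcv): 0

 inbound esp sas:
  spi: 0x9A73B86D(2591275117)
    transform: esp-256-aes esp-sha256-hmac ,
    sa timing: remaining key lifetime (k/sec): (4336919/3442)
    Status: ACTIVE(ACTIVE)

 outbound esp sas:
  spi: 0xE4FB3B66(3841669990)
    transform: esp-256-aes esp-sha256-hmac ,
    sa timing: remaining key lifetime (k/sec): (4336919/3442)
    Status: ACTIVE(ACTIVE)
"""
# One ESP SA block: direction, SPI, transform, remaining kB / seconds, status
SA_RE = re.compile(
    r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+).*?"
    r"transform: ([^,]+?)\s*,.*?"
    r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\).*?"
    r"Status: (\w+)", re.S)
# Any "#pkts ... failed/invalid ... N" counter; a nonzero value means trouble
COUNTER_RE = re.compile(r"#pkts ((?:[a-z.]+ )*?(?:failed|invalid)[^:,\n\d]*):?\s*(\d+)")

def check_ipsec_sa(output, min_lifetime_sec=300):
    """Parse show output; return per-direction SA facts and a list of findings."""
    report = {"sas": {}, "findings": []}
    for direction, spi, transform, kb, sec, status in SA_RE.findall(output):
        report["sas"][direction] = {"spi": spi, "transform": transform.strip(),
                                    "remaining_kb": int(kb), "remaining_sec": int(sec), "status": status}
        if status != "ACTIVE":
            report["findings"].append(f"{direction} SA {spi} is {status}")
        if int(sec) < min_lifetime_sec:  # about to rekey; watch for a failed rekey
            report["findings"].append(f"{direction} SA {spi} rekeys in {sec}s")
    for direction in ("inbound", "outbound"):
        if direction not in report["sas"]:  # tunnel half-built or torn down
            report["findings"].append(f"no {direction} ESP SA")
    for name, value in COUNTER_RE.findall(output):
        if int(value):
            report["findings"].append(f"{name.strip()} = {value}")
    return report
```

Feed it the real command output (for example captured over SSH) and alert on a non-empty findings list.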

show crypto map: view the configured crypto map
show crypto map
Interfaces using crypto map NiStTeSt1:


Crypto Map IPv4 "huaweicloud" 30 ipsec-isakmp
Peer = 10.37.240.129
Extended IP access list dms
access-list dms permit ip 172.100.109.144 0.0.0.15 11.37.1.0 0.0.0.255  # interesting traffic
Current peer: 10.37.240.129
Security association lifetime: 4608000 kilobytes/3600 seconds  # phase 2 lifetime
Responder-Only (Y/N): N  # can act as both initiator and responder
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
dms: { esp-256-aes esp-sha256-hmac } ,
}
Interfaces using crypto map huaweicloud:
GigabitEthernet1/0/20

show crypto session: IPsec VPN session status
SWLEFT2059UP#show crypto session
Crypto session current status

Interface: GigabitEthernet1/0/20
Session status: UP-ACTIVE
Peer: 10.37.240.129 port 500
Session ID: 0
IKEv1 SA: local 119.3.149.150/500 remote 10.37.240.129/500 Active
IPSEC FLOW: permit ip 172.100.109.144/255.255.255.240 11.37.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

Interface: GigabitEthernet1/0/19
Session status: DOWN
Peer: 58.251.77.200 port 500
IPSEC FLOW: permit ip 27.112.8.0/255.255.255.0 192.168.3.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 27.112.8.0/255.255.255.0
Active SAs: 0, origin: crypto map

Reprinted from blog.csdn.net/ly_6118/article/details/102860387