03-IPsec-VPN-课堂实验

老罗SPCCIE162xxQQ:87311741Mail:ljm-help@qq.comIPsecVPNLab1:LANtoLANVPNlegacyconfiguration:87311741Email:ljm-help@qq.comLab1:LANtoLANVPNlegacyconfigurationR1R3R212.1.1.0/2423.1.1.0/24.1.2.2.31.1.1.1/323.3.3.3/32iproute3.3.3.3255.255.255.25512.1.1.2!Step1:routedeachotheriproute1.1.1.1255.255.255.25523.1.1.2!:87311741Email:ljm-help@qq.comLab1:LANtoLANVPNlegacyconfiguration(cont.)R1R3R212.1.1.0/2423.1.1.0/24.1.2.2.31.1.1.1/323.3.3.3/32ipaccess-listextendedT3permitiphost1.1.1.1host3.3.3.3Step2:intrestedtrafficipaccess-listextendedT1permitiphost3.3.3.3host1.1.1.1:87311741Email:ljm-help@qq.comR1R3R212.1.1.0/2423.1.1.0/24.1.2.2.31.1.1.1/323.3.3.3/32cryptoisakmppolicy10encr3deshashmd5authenticationpre-sharegroup2!cryptoisakmpkeyciscoaddress23.1.1.3Step3:ISAKMPPolicycryptoisakmppolicy10encr3deshashmd5authenticationpre-sharegroup2!cryptoisakmpkeyciscoaddress12.1.1.1Lab1:LANtoLANVPNlegacyconfiguration(cont.):87311741Email:ljm-help@qq.comR1R3R212.1.1.0/2423.1.1.0/24.1.2.2.31.1.1.1/323.3.3.3/32cryptoipsectransform-setT3esp-3desesp-md5-hmacStep4:IPsecPolicycryptoipsectransform-setT1esp-3desesp-md5-hmacLab1:LANtoLANVPNlegacyconfiguration(cont.):87311741Email:ljm-help@qq.comR1R3R212.1.1.0/2423.1.1.0/24.1.2.2.31.1.1.1/323.3.3.3/32Step4:cryptomapandscheduleunderinterfacecryptomapVPN10ipsec-isakmpsetpeer12.1.1.1settransform-setT1matchaddressT1!interfaceFastethernet0/0cryptomapVPNcryptomapVPN10ipsec-isakmpsetpeer23.1.1.3settransform-setT3matchaddressT3!interfaceFastethernet0/0cryptomapVPN!•debugcryptoisakmp•debugcryptoipsec•ping3.3.3.3source1.1.1.1repeat100Lab1:LANtoLANVPNlegacyconfiguration(cont.):87311741Email:ljm-help@qq.com查看IPSecVPN状态1R1#showcryptoisakmpsaIPv4CryptoISAKMPSAdstsrcstateconn-idstatus12.1.1.123.1.1.3QM_IDLE1001ACTIVE查看IKESA::87311741Email:ljm-help@qq.com查看IPSecVPN状态2-1R1#showcryptoipsecsainterface:Tunnel13Cryptomaptag:Tunnel13-head-0,localaddr12.1.1.1protectedvrf:(none)localident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)remoteident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)current_peer23.1.1.3port500PERMIT,flags={origin_is_acl,}#pktsencaps:110,#pktsencrypt:110,#pktsdigest:110#pktsdecaps:119,#pktsdecrypt:119,#pktsverify:119localcryptoendpt.:12.1.1.1,remotecryptoendpt.:23.1.1.3pathmtu1500,ipmtu1500,ipmtuidbEthernet0/0.12currentoutboundspi:0x283AE2B8(674947768)查看IPSecSA:感兴趣流量加密解密数量加解密点:87311741Email:ljm-help@qq.com查看IPSecVPN状态2-2查看IPSecSA:R1#showcryptoipsecsa入方向ESPSA（IPSecSA1.单向2.与协议相关）inboundespsas:spi:0xDF6087B2(3747645362)//入向SPI，与对端出向SPI相同transform:esp-3desesp-md5-hmac,//IPsec的加密和认证选择inusesettings={Tunnel,}//通信模式connid:1,flow_id:SW:1,sibling_flags80000046,cryptomap:Tunnel13-head-0satiming:remainingkeylifetime(k/sec):(4506486/3098)IVsize:8bytesreplaydetectionsupport:YStatus:ACTIVE:87311741Email:ljm-help@qq.com查看IPSecVPN状态2-3查看IPSecSA:R1#showcryptoipsecsa出方向ESPSAoutboundespsas:spi:0x283AE2B8(674947768)//出向SPI，与对端入向SPI相同transform:esp-3desesp-md5-hmac,//IPsec的加密和认证选择inusesettings={Tunnel,}//通信模式connid:2,flow_id:SW:2,sibling_flags80000046,cryptomap:Tunnel13-head-0satiming:remainingkeylifetime(k/sec):(4506487/3098)IVsize:8bytesreplaydetectionsupport:YStatus:ACTIVE:87311741Email:ljm-help@qq.com查看IPSecVPN状态3R1#showcryptoengineconnectionsactiveCryptoEngineConnectionsIDTypeAlgorithmEncryptDecryptIP-Address1IPsec3DES+MD509912.1.1.12IPsec3DES+MD599012.1.1.11001IKEMD5+3DES0012.1.1.1快速查询SA的命令1::87311741Email:ljm-help@qq.com查看IPSecVPN状态4R1#showcryptosessionCryptosessioncurrentstatusInterface:Tunnel13Profile:R3Sessionstatus:UP-ACTIVEPeer:23.1.1.3port500IKESA:local12.1.1.1/500remote23.1.1.3/500ActiveIPSECFLOW:permitip0.0.0.0/0.0.0.00.0.0.0/0.0.0.0ActiveSAs:2,origin:cryptomap快速查询SA的命令2::87311741Email:ljm-help@qq.com清除SAs清除ISAKMP/IKESA:R1#clearcryptoisakmp清除IPSecSA:R1#clearcryptosa:87311741Email:ljm-help@qq.com第三天Debug查看各模式下的包交换过程启用ISAKMPDebug:R1#debugcryptoisakmp启用IPSecDebug:R1#debugcryptoipsec:87311741Email:ljm-help@qq.com第三天发送MM1*Sep1112:22:32.030:ISAKMP:(0):sendingpacketto23.1.1.3my_port500peer_port500(I)MM_NO_STATE接受MM2*Sep1112:22:32.038:ISAKMP(0:0):receivedpacketfrom23.1.1.3dport500sport500Global(I)MM_NO_STATEMM1-2交换结果:*Sep1112:22:32.050:ISAKMP:(0):CheckingISAKMPtransform1againstpriority10policy*Sep1112:22:32.050:ISAKMP:encryption3DES-CBC*Sep1112:22:32.050:ISAKMP:hashMD5*Sep1112:22:32.050:ISAKMP:defaultgroup2*Sep1112:22:32.050:ISAKMP:authpre-share*Sep1112:22:32.050:ISAKMP:lifetypeinseconds*Sep1112:22:32.050:ISAKMP:lifeduration(VPI)o