Site-to-Site VPN Static map
Platform: Cisco 1841, Cisco 871
IOS: c1841-advsecurityk9-mz.124-13b.bin
(lo0:192.168.1.254)----RTRA(f4:10.1.1.21)-----------------------(f0/1:10.1.1.20)RTRB----(lo0:192.168.2.254)
RTRA#sh run
Building configuration...

Current configuration : 1578 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTRA
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
!
resource policy
!
ip cef
!
no ip domain lookup
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.20 no-xauth
!
crypto ipsec transform-set RTRB esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.20
 set transform-set RTRB
 match address RTRB
!
interface Loopback0
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 10.1.1.21 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip virtual-reassembly
 no ip mroute-cache
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap
!
ip route 192.168.2.0 255.255.255.0 10.1.1.21
!
no ip http server
no ip http secure-server
!
ip access-list extended RTRB
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended perimeter
 permit udp host 10.1.1.20 host 10.1.1.21 eq isakmp
 permit esp host 10.1.1.20 host 10.1.1.21
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler max-task-time 5000
end
RTRA#
RTRB#
RTRB#sh run
Building configuration...

Current configuration : 1639 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTRB
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
no ip domain lookup
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.21 no-xauth
!
crypto ipsec transform-set RTRA esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.21
 set transform-set RTRA
 match address RTRA
!
interface Loopback0
 ip address 192.168.2.254 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.20 255.255.255.0
 ip access-group perimeter in
 no ip redirects
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map mymap
!
interface Serial0/0/0
 no ip address
 clock rate 2000000
!
ip route 192.168.1.0 255.255.255.0 10.1.1.21
!
no ip http server
no ip http secure-server
!
ip access-list extended RTRA
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended perimeter
 permit udp host 10.1.1.21 host 10.1.1.20 eq isakmp
 permit esp host 10.1.1.21 host 10.1.1.20
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip any any
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
scheduler allocate 20000 1000
end
RTRB#show crypto isakmp sa
dst             src             state          conn-id slot status
193.1.1.21      193.1.1.20      QM_IDLE              1    0 ACTIVE

If you can see the above entry and the state is "QM_IDLE", then IKE phase 1 has connected successfully.

RTRB#sh cry ip sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 193.1.1.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 193.1.1.21 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 193.1.1.20, remote crypto endpt.: 193.1.1.21
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x874E7AAE(2270067374)

     inbound esp sas:
      spi: 0xEBF15B24(3958463268)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: FPGA:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4391461/2784)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x874E7AAE(2270067374)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: FPGA:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4391461/2750)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
RTRB#
RTRB#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      193.1.1.20      set    HMAC_MD5+3DES_56_C        0        0
3001 FastEthernet0/0      193.1.1.20      set    3DES+MD5                  0        4
3002 FastEthernet0/0      193.1.1.20      set    3DES+MD5                  4        0
RTRB#
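As an added example (my own code, not part of the original post), a small Python checker that parses excerpts of the two configs above and verifies that they are mirror images of each other: set peer against the other side's crypto-map interface address, the pre-shared key binding, the transform set, the crypto ACLs, and the static route to the far LAN. The names parse/check and the regex-based parsing are mine; the config excerpts are copied from the RTRA and RTRB configs above. Run as written it flags RTRA's route to 192.168.2.0/24, whose next hop is RTRA's own address 10.1.1.21 instead of the peer 10.1.1.20.

```python
import re
from ipaddress import ip_network

# Excerpts of the two running configs shown on this page (not the full configs).
RTRA = """crypto isakmp key cisco123 address 10.1.1.20 no-xauth
crypto ipsec transform-set RTRB esp-aes esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.20
 set transform-set RTRB
 match address RTRB
interface FastEthernet4
 ip address 10.1.1.21 255.255.255.0
 crypto map mymap
ip route 192.168.2.0 255.255.255.0 10.1.1.21
ip access-list extended RTRB
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
RTRB = """crypto isakmp key cisco123 address 10.1.1.21 no-xauth
crypto ipsec transform-set RTRA esp-aes esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.21
 set transform-set RTRA
 match address RTRA
interface FastEthernet0/1
 ip address 10.1.1.20 255.255.255.0
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 10.1.1.21
ip access-list extended RTRA
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def parse(cfg):  # pull out the fields that must agree between two static crypto-map peers
    g = lambda pat: re.search(pat, cfg).group(1)
    acl = g(r"match address (\S+)")
    src, dst = re.search(rf"extended {acl}\n permit ip (\S+ \S+) (\S+ \S+)", cfg).groups()
    return {"self": g(r"ip address (\S+) \S+\n crypto map"),  # address of the crypto-map interface
            "peer": g(r"set peer (\S+)"), "key_for": g(r"isakmp key \S+ address (\S+)"),
            "xform": g(r"transform-set \S+ (esp-\S+ esp-\S+)"),
            "local": ip_network(src.replace(" ", "/")), "remote": ip_network(dst.replace(" ", "/")),
            "routes": re.findall(r"ip route (\S+) (\S+) (\S+)", cfg)}

def check(a, b, names=("RTRA", "RTRB")):  # returns the mismatches; an empty list means consistent
    issues = [msg for bad, msg in (
        (a["peer"] != b["self"] or b["peer"] != a["self"], "set peer is not the other side's crypto-map address"),
        (a["key_for"] != a["peer"] or b["key_for"] != b["peer"], "pre-shared key bound to a non-peer address"),
        (a["xform"] != b["xform"], f"transform sets differ: {a['xform']} vs {b['xform']}"),
        ((a["local"], a["remote"]) != (b["remote"], b["local"]), "crypto ACLs are not mirror images")) if bad]
    for name, me, other in zip(names, (a, b), (b, a)):
        for net, mask, nh in me["routes"]:  # the static route to the far LAN must point at the peer
            if ip_network(f"{net}/{mask}") == me["remote"] and nh != other["self"]:
                issues.append(f"{name}: route to {net} via {nh}, expected next hop {other['self']}")
    return issues
```

Calling check(parse(RTRA), parse(RTRB)) returns one finding for RTRA's route; swap an address or the transform set on one side and the corresponding phase 1 or phase 2 mismatch is reported instead.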