Cisco IPsec: configuring aggressive mode with FQDN, initiating the negotiation, and debugging with show commands

mac  2025-09-09

Topology:

lo1----Cisco sw---------|FW1|-------------|FW2|------lo2

Cisco switch interface IP: 119.3.149.150
FW2 interface IP: 10.37.240.129
lo1: 172.100.109.144
lo2: 11.37.1.1
Interesting traffic: 11.37.1.0/24 ------ 172.100.109.144/28
Device: Cisco Layer 3 switch, model WS-C3650-24PD, software version 16.3.7

Cisco configuration for aggressive mode with FQDN, initiating the negotiation from the Cisco side

Cisco configuration:

! Phase 1 ISAKMP policy; encryption, hash and DH group must match the peer
crypto isakmp policy 30
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
! Configure the ISAKMP peer, the aggressive-mode pre-shared key and the FQDN identity
crypto isakmp peer address 10.37.240.129
 set aggressive-mode password test
 set aggressive-mode client-endpoint fqdn cisco
crypto isakmp keepalive 10 periodic
!
! Phase 2 IPsec; the transform set must match the peer device
crypto ipsec transform-set dms esp-aes 256 esp-sha256-hmac
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
! Interesting traffic
ip access-list extended dms
 permit ip 172.100.109.144 0.0.0.15 11.37.1.0 0.0.0.255
!
! Crypto map, applied on the interface afterwards
crypto map huaweicloud 30 ipsec-isakmp
 set peer 10.37.240.129
 set transform-set dms
 match address dms
! Interface configuration
interface GigabitEthernet1/0/20
 no switchport
 ip address 119.3.149.150 255.255.255.0
 crypto map huaweicloud
!
interface Loopback2
 ip address 172.100.109.144 255.255.255.255
! Route towards the peer
ip route 10.37.240.0 255.255.255.0 119.3.149.200

Trigger the IPsec VPN negotiation by sending interesting traffic:

ping 11.37.1.1 source lo2

Cisco debugging methods

show crypto isakmp sa detail: view the ISAKMP (phase 1) SA negotiation

show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local          Remote         I-VRF  Status  Encr  Hash    Auth  DH  Lifetime  Cap.

1024  119.3.149.150  10.37.240.129         ACTIVE  aes   sha256  psk   2   07:59:55  D
      Engine-id:Conn-id = SW:24

A successful negotiation shows the status ACTIVE.

Clearing the phase 1 negotiation:

clear crypto isakmp          deletes all ISAKMP SAs
clear crypto isakmp <id>     deletes the specified ISAKMP SA; in the output above the id is 1024

show crypto ipsec sa detail: view the IPsec (phase 2) SA negotiation

show crypto ipsec sa detail

interface: GigabitEthernet1/0/20
    Crypto map tag: huaweicloud, local addr 119.3.149.150

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.100.109.144/255.255.255.240/0/0)   # interesting traffic
   remote ident (addr/mask/prot/port): (11.37.1.0/255.255.255.0/0/0)
   current_peer 10.37.240.129 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 72593599, #pkts encrypt: 72593599, #pkts digest: 72593599
    #pkts decaps: 101008349, #pkts decrypt: 101008349, #pkts verify: 101008349
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 119.3.149.150, remote crypto endpt.: 10.37.240.129
     plaintext mtu 1726, path mtu 1800, ip mtu 1800, ip mtu idb GigabitEthernet1/0/20
     current outbound spi: 0xE4FB3B66(3841669990)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9A73B86D(2591275117)
        transform: esp-256-aes esp-sha256-hmac ,   # encryption transform
        in use settings ={Tunnel, }
        conn id: 477, flow_id: 477, sibling_flags 80004040, crypto map: huaweicloud
        sa timing: remaining key lifetime (k/sec): (4336919/3442)   # 3442 s remaining before rekey
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)   # SA established successfully

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE4FB3B66(3841669990)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 478, flow_id: 478, sibling_flags 80004040, crypto map: huaweicloud
        sa timing: remaining key lifetime (k/sec): (4336919/3442)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

show crypto map: view the configured crypto map

show crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "huaweicloud" 30 ipsec-isakmp
        Peer = 10.37.240.129
        Extended IP access list dms
            access-list dms permit ip 172.100.109.144 0.0.0.15 11.37.1.0 0.0.0.255   # interesting traffic
        Current peer: 10.37.240.129
        Security association lifetime: 4608000 kilobytes/3600 seconds   # phase 2 SA lifetime
        Responder-Only (Y/N): N   # can act as both initiator and responder
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                dms:  { esp-256-aes esp-sha256-hmac  } ,
        }
        Interfaces using crypto map huaweicloud:
                GigabitEthernet1/0/20

show crypto session: IPsec VPN session status

SWLEFT2059UP#show crypto session
Crypto session current status

Interface: GigabitEthernet1/0/20
Session status: UP-ACTIVE
Peer: 10.37.240.129 port 500
  Session ID: 0
  IKEv1 SA: local 119.3.149.150/500 remote 10.37.240.129/500 Active
  IPSEC FLOW: permit ip 172.100.109.144/255.255.255.240 11.37.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet1/0/19
Session status: DOWN
Peer: 58.251.77.200 port 500
  IPSEC FLOW: permit ip 27.112.8.0/255.255.255.0 192.168.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 27.112.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map
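As an added example (not part of the original post), a Python health check that parses output in the layout of the show crypto session and show crypto ipsec sa detail commands above: it maps each peer to its session status and SA count, and flags non-zero error counters, SAs that are not ACTIVE, and SAs close to rekey. The sample output strings are constructed from the values on this page (the replay counter is deliberately non-zero), and the 300-second rekey threshold is an assumed operational setting.

```python
import re

# Constructed sample in the layout of the "show crypto session" output above (not live output).
SESSION_OUTPUT = """Interface: GigabitEthernet1/0/20
Session status: UP-ACTIVE
Peer: 10.37.240.129 port 500
  IPSEC FLOW: permit ip 172.100.109.144/255.255.255.240 11.37.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet1/0/19
Session status: DOWN
Peer: 58.251.77.200 port 500
  IPSEC FLOW: permit ip 27.112.8.0/255.255.255.0 192.168.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

# Constructed excerpt of "show crypto ipsec sa detail"; replay counter set non-zero on purpose.
IPSEC_SA_OUTPUT = """interface: GigabitEthernet1/0/20
   #pkts encaps: 72593599, #pkts encrypt: 72593599, #pkts digest: 72593599
   #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
   #pkts invalid prot (recv) 0, #pkts verify failed: 0
   ##pkts replay failed (rcv): 3
     sa timing: remaining key lifetime (k/sec): (4336919/3442)
        Status: ACTIVE(ACTIVE)
"""

def parse_sessions(text):
    """Map each peer in 'show crypto session' output to (session status, active SA count)."""
    sessions = {}
    for block in re.split(r"\n(?=Interface: )", text):
        peer = re.search(r"^Peer: (\S+)", block, re.M)
        status = re.search(r"^Session status: (\S+)", block, re.M)
        if peer and status:
            sas = sum(int(n) for n in re.findall(r"Active SAs: (\d+)", block))
            sessions[peer.group(1)] = (status.group(1), sas)
    return sessions

def sa_alerts(text, min_lifetime_sec=300):
    """Flag non-zero error counters, SAs that are not ACTIVE, and SAs close to rekey (assumed threshold)."""
    alerts = []
    for name, value in re.findall(r"#(pkts [^,#\n]*?)[: ]\s*(\d+)", text):
        if int(value) and any(w in name for w in ("failed", "invalid", "no sa", "internal err")):
            alerts.append(f"{name} = {value}")
    for status in re.findall(r"Status: (\S+)", text):
        if not status.startswith("ACTIVE"):
            alerts.append(f"SA status {status}")
    for _kb, sec in re.findall(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", text):
        if int(sec) < min_lifetime_sec:
            alerts.append(f"SA rekey due in {sec}s")
    return alerts
```

Feed it the real command output captured from the switch (for example over SSH) and alert on any DOWN peer or non-empty alert list.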
