扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
实例研究
使用预共享密钥作为认证机制的路由器到路由器的IPsec
这是IPsec VPN中最基本最常用的类型.这种类型的VPN属于LAN-to-LAN.这里使用的认证方法是预共享密钥.以后的实例研究有更安全的认证方法的例子.
在实例中我们将给出发起者路由器和响应者路由器的配置,同时也给出了DEBUG输出以及相关的SHOU命令输出,以便我们共同研究.
例1 作为IPsec协商的发起者的路由器配置
hostname Initiator
The ISAKMP policy defines the attributes which will be negotiated with peers for the IKE SA.
crypto isakmp policy 1
The encryption method defined below is used for encrypting the IKE negotiation packets using SKEYID_e
encr 3des
The hash algorithm defined below is used to generate the hashes which are used for IKE authetnication purposes.
hash sha
The line below defines the authentication method as pre-shared key authentication
authentication pre-share
The line below defines the pre-shared key for the peer at the IP address
172.16.172.20. Please note that the initiator will search through its config for this key using the source IP address of the IKE negotiation packets it is receiving.
crypto isakmp key jw4ep9846804ijl address 172.16.172.20
The following line defines the transform set for use with IPsec. This transform set !specifies the name of the transform set as 'myset'. The encapsulation method
defined !is ESP and the encryption algorithm to use is 3DES (triple DES). The last part of !this command specifies MD5 as the ESP integrity checking hash.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
The following configuration is for the crypto map named 'vpn'. Crypto maps essentially bind the entire IPsec configuration together. Various elements of IPsec defined in various places in the configuration are tied together using the crypto map. 10 is the instance number for the map here. Instance numbers are used to specify the order in which multiple crypto maps are parsed in a config. The key word 'ipsec-isakmp' is used to specify that this particular crypto map is to be used for IPsec rather than CET.
crypto map vpn 10 ipsec-isakmp
The command line below defines the IP address of the IPsec peer.
set peer 172.16.172.20
The line below defines the transform set to use for this crypto map.
set transform-set myset
The line below specifies the access list which will be define traffic which will either trigger IKE negotiation or be used to verify that the proxy Ids being offered during an IKE negotiation are valid.
match address 101
interface Ethernet0/0
ip address <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />10.1.1.1 255.255.255.0
interface Ethernet1/0
ip address 172.16.172.10 255.255.255.0
The line below is used as a toggle switch to turn on IPsec functionality as defined by the crypto map vpn.
crypto map vpn
The access list define below is used to specify interesting traffic for IPsec.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
例2 作为IPsec协商的响应者的路由器配置
hostname Responder
crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
crypto isakmp key jw4ep9846804ijl address 172.16.172.10
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
set peer 172.16.172.10
set transform-set myset
match address 101
interface Ethernet0/0
ip address 10.1.2.1 255.255.255.0
interface Ethernet1/0
ip address 172.16.172.20 255.255.255.0
crypto map vpn
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
对debug的解释紧接着该解释对应的实际debug
例3 作为IPsec协商的发起者的路由器debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto Engine debugging is on
Crypto IPSEC debugging is on
A#ping
Protocol [ip]:
Target IP address: 10.1.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
The ping source and destination addresses matched the match address access list for the crypto map VPN. 'local' is the local tunnel endpoint, and 'remote' is the remote crypto endpoint as configured in the map. src proxy is the src interesting traffic as defined by the match address access list. dst proxy is the destination interesting traffic as defined by the match address access list.
(key eng. msg.) OUTBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
The protocol and the transforms are specified by the crypto map that has been hit, as are the lifetimes
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8EAB0B22(2393574178), conn_id= 0, keysize= 0, flags= 0x400C
Begins main mode exchange. The first two packets negotiate phase I SA parameters.
00:04:10: ISAKMP: received ke message (1/1)
00:04:10: ISAKMP: local port 500, remote port 500
00:04:10: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
MM stands for main mode, and QM stands for quick mode. The IKE debugs show which stage of IKE the negotiation is in, such as MM1. As you saw in the discussion of IKE, main mode is divided into six portions or messages, and quick mode into three.
Old State = IKE_READY New State = IKE_I_MM1
00:04:10: ISAKMP (0:1): beginning Main Mode exchange
00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) MM_NO_STATE
00:04:10: ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_NO_STATE
00:04:10: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM1 New State = IKE_I_MM2
00:04:10: ISAKMP (0:1): processing SA payload. message ID = 0
The preshared key is searched for and found based on the source IP address of IKE negotiation packets.
00:04:10: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.20
00:04:10: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
These are the parameters offered by the other side. Policy 1 is the policy set up on this router.
00:04:10: ISAKMP: encryption 3DES-CBC
00:04:10: ISAKMP: hash SHA
00:04:10: ISAKMP: default group 1
00:04:10: ISAKMP: auth pre-share
00:04:10: ISAKMP: life type in seconds
00:04:10: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
The policy 1 on this router and the attributes offered by the other side matched.
00:04:10: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM2 New State = IKE_I_MM2
The third and fourth packets complete Diffie-Hellman exchange.
00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) MM_SA_SETUP
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM2 New State = IKE_I_MM3
00:04:10: ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_SA_SETUP
00:04:10: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM3 New State = IKE I_MM4
00:04:10: ISAKMP (0:1): processing KE payload. message ID = 0
00:04:10: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:04:10: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.20
00:04:10: ISAKMP (0:1): SKEYID state generated
00:04:10: ISAKMP (0:1): processing vendor id payload
Note below that some vendor ID payloads are being exchanged. These are necessary to gauge the peer's ability to do the things described in the vendor payload. For example, below, VID payloads for Unity Protocol Support (a new protocol introduced by Cisco for its newer version of VPN clients) and dead peer discovery are received.
00:04:10: ISAKMP (0:1): vendor ID is Unity
00:04:10: ISAKMP (0:1): processing vendor id payload
00:04:10: ISAKMP (0:1): vendor ID is DPD
00:04:10: ISAKMP (0:1): processing vendor id payload
00:04:10: ISAKMP (0:1): speaking to another IOS box!
00:04:10: ISAKMP (0:1): processing vendor id payload
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM4 New State = IKE_I_MM4
The fifth and sixth packets complete IKE authentication. Phase I SA is established.
00:04:10: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:04:10: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:04:10: ISAKMP (1): Total payload length: 12
00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) MM_KEY_EXCH
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM4 New State = IKE_I_MM5
00:04:10: ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_KEY_EXCH
00:04:10: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM5 New State = IKE_I_MM6
00:04:10: ISAKMP (0:1): processing ID payload. message ID = 0
00:04:10: ISAKMP (0:1): processing HASH payload. message ID = 0
00:04:10: ISAKMP (0:1): SA has been authenticated with 172.16.172.20
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM6 New State = IKE_I_MM6
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Begin quick mode exchange. IPsec SA will be negotiated in quick mode.
00:04:10: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 965273472
00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) QM_IDLE
00:04:10: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY New State = IKE_QM_I_QM1
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:04:10: ISAKMP (0:1): received packet from 172.16.172.20 (I) QM_IDLE
The IPsec SA proposal offered by the far end is checked against the local crypto map configuration
00:04:10: ISAKMP (0:1): processing HASH payload. message ID = 965273472
00:04:10: ISAKMP (0:1): processing SA payload. message ID = 965273472
00:04:10: ISAKMP (0:1): Checking IPsec proposal 1
00:04:10: ISAKMP: transform 1, ESP_3DES
00:04:10: ISAKMP: attributes in transform:
00:04:10: ISAKMP: encaps is 1
00:04:10: ISAKMP: SA life type in seconds
00:04:10: ISAKMP: SA life duration (basic) of 3600
00:04:10: ISAKMP: SA life type in kilobytes
00:04:10: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:04:10: ISAKMP: authenticator is HMAC-MD5
The proposal 1 and transform 1 offered by the other end are found to be
acceptable.
00:04:10: ISAKMP (0:1): atts are acceptable.
00:04:10: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:04:10: ISAKMP (0:1): processing NONCE payload. message ID = 96527347
00:04:10: ISAKMP (0:1): processing ID payload. message ID = 965273472
00:04:10: ISAKMP (0:1): processing ID payload. message ID = 965273472
Two IPsec SAs have been negotiated--an incoming SA with the SPI generated by the
local machine, and an outbound SA with the SPIs proposed by the remote end.
00:04:10: ISAKMP (0:1): Creating IPsec SAs
00:04:10: inbound SA from 172.16.172.20 to 172.16.172.10
(proxy 10.1.2.0 to 10.1.1.0)
00:04:10: has spi 0x8EAB0B22 and conn_id 2029 and flags 4
00:04:10: lifetime of 3600 seconds
00:04:10: lifetime of 4608000 kilobytes
00:04:10: outbound SA from 172.16.172.10 to 172.16.172.20
(proxy 10.1.1.0 to 10.1.2.0 )
00:04:10: has spi -343614331 and conn_id 2030 and flags C
00:04:10: lifetime of 3600 seconds
00:04:10: lifetime of 4608000 kilobytes
The IPsec SA info negotiated by IKE is populated into the router's SADB.
00:04:10: IPSEC(key_engine): got a queue event...
00:04:10: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8EAB0B22(2393574178), conn_id= 2029, keysize= 0, flags= 0x4
00:04:10: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xEB84DC85(3951352965), conn_id= 2030, keysize= 0, flags= 0xC
IPsec SA created in SADB, sent out last packet with commit bit set. IPsec tunnel
established.
00:04:10: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.172.10, sa_prot= 50,
sa_spi= 0x8EAB0B22(2393574178),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2029
00:04:10: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.172.20, sa_prot= 50,
sa_spi= 0xEB84DC85(3951352965),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2030
00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) QM_IDLE
00:04:10: ISAKMP (0:1): deleting node 965273472 error FALSE reason ""
00:04:10: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。