Example 4: show command output from the router acting as the initiator of the IPsec negotiation
The command below shows the state of the crypto ISAKMP SA. It is shown here in QM_IDLE, meaning that quick mode has completed successfully.
Initiator#show crypto isakmp sa
dst src state conn-id slot
172.16.172.20 172.16.172.10 QM_IDLE 1 0
The command below gives details on both the incoming and outgoing IPsec SAs. It gives information on the attributes negotiated during the exchange as well as statistics for how many packets have been exchanged via each of these SAs.
Initiator#show crypto ipsec sa
interface: Ethernet1/0
Crypto map tag: vpn, local addr. 172.16.172.10
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 172.16.172.20
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 172.16.172.10, remote crypto endpt.: 172.16.172.20
path mtu 1500, media mtu 1500
current outbound spi: EB84DC85
inbound esp sas:
spi: 0x8EAB0B22(2393574178)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2029, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3347)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEB84DC85(3951352965)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2030, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607999/3347)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
The command below prints the configuration of the crypto map on the router.
Initiator#show crypto map
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 172.16.172.20
Extended IP access list 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Current peer: 172.16.172.20
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn:
Ethernet1/0
Example 5: debug output from the router acting as the responder of the IPsec negotiation
Responder#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto Engine debugging is on
Crypto IPSEC debugging is on
1w1d: ISAKMP (0:0): received packet from 172.16.172.10 (N) NEW SA
1w1d: ISAKMP: local port 500, remote port 500
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY New State = IKE_R_MM1
1w1d: ISAKMP (0:1): processing SA payload. message ID = 0
1w1d: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.10
1w1d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
1w1d: ISAKMP: encryption 3DES-CBC
1w1d: ISAKMP: hash SHA
1w1d: ISAKMP: default group 1
1w1d: ISAKMP: auth pre-share
1w1d: ISAKMP: life type in seconds
1w1d: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
1w1d: ISAKMP (0:1): atts are acceptable. Next payload is 0
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM1 New State = IKE_R_MM1
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) MM_SA_SETUP
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM1 New State = IKE_R_MM2
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) MM_SA_SETUP
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM2 New State = IKE_R_MM3
1w1d: ISAKMP (0:1): processing KE payload. message ID = 0
1w1d: ISAKMP (0:1): processing NONCE payload. message ID = 0
1w1d: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.10
1w1d: ISAKMP (0:1): SKEYID state generated
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): vendor ID is Unity
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): vendor ID is DPD
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): speaking to another IOS box!
1w1d: ISAKMP (0:1): processing vendor id payload
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM3 New State = IKE_R_MM3
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) MM_KEY_EXCH
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM3 New State = IKE_R_MM4
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) MM_KEY_EXCH
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM4 New State = IKE_R_MM5
1w1d: ISAKMP (0:1): processing ID payload. message ID = 0
1w1d: ISAKMP (0:1): processing HASH payload. message ID = 0
1w1d: ISAKMP (0:1): SA has been authenticated with 172.16.172.10
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM5 New State = IKE_R_MM5
1w1d: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1w1d: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
1w1d: ISAKMP (1): Total payload length: 12
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
1w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): processing HASH payload. message ID = 965273472
1w1d: ISAKMP (0:1): processing SA payload. message ID = 965273472
1w1d: ISAKMP (0:1): Checking IPsec proposal 1
1w1d: ISAKMP: transform 1, ESP_3DES
1w1d: ISAKMP: attributes in transform:
1w1d: ISAKMP: encaps is 1
1w1d: ISAKMP: SA life type in seconds
1w1d: ISAKMP: SA life duration (basic) of 3600
1w1d: ISAKMP: SA life type in kilobytes
1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1w1d: ISAKMP: authenticator is HMAC-MD5
1w1d: ISAKMP (0:1): atts are acceptable.
1w1d: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.172.20, remote= 172.16.172.10,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1w1d: ISAKMP (0:1): processing NONCE payload. message ID = 965273472
1w1d: ISAKMP (0:1): processing ID payload. message ID = 965273472
1w1d: ISAKMP (0:1): processing ID payload. message ID = 965273472
1w1d: ISAKMP (0:1): asking for 1 spis from ipsec
1w1d: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
1w1d: IPSEC(key_engine): got a queue event...
1w1d: IPSEC(spi_response): getting spi 3951352965 for SA
from 172.16.172.20 to 172.16.172.10 for prot 3
1w1d: ISAKMP: received ke message (2/1)
1w1d: ISAKMP (0:1): sending packet to 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
1w1d: ISAKMP (0:1): received packet from 172.16.172.10 (R) QM_IDLE
1w1d: ISAKMP (0:1): Creating IPsec SAs
1w1d: inbound SA from 172.16.172.10 to 172.16.172.20
(proxy 10.1.1.0 to 10.1.2.0)
1w1d: has spi 0xEB84DC85 and conn_id 2029 and flags 4
1w1d: lifetime of 3600 seconds
1w1d: lifetime of 4608000 kilobytes
1w1d: outbound SA from 172.16.172.20 to 172.16.172.10
(proxy 10.1.2.0 to 10.1.1.0)
1w1d: has spi -1901393118 and conn_id 2030 and flags C
1w1d: lifetime of 3600 seconds
1w1d: lifetime of 4608000 kilobytes
1w1d: ISAKMP (0:1): deleting node 965273472 error FALSE reason "quick mode done (await()"
1w1d: ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
1w1d: IPSEC(key_engine): got a queue event...
1w1d: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.16.172.20, remote= 172.16.172.10,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xEB84DC85(3951352965), conn_id= 2029, keysize= 0, flags= 0x4
1w1d: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.16.172.20, remote= 172.16.172.10,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8EAB0B22(2393574178), conn_id= 2030, keysize= 0, flags= 0xC
1w1d: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.172.20, sa_prot= 50,
sa_spi= 0xEB84DC85(3951352965),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2029
1w1d: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.172.10, sa_prot= 50,
sa_spi= 0x8EAB0B22(2393574178),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2030
1w1d: ISAKMP (0:1): purging node 965273472
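The responder trace above is long, and the facts a practitioner wants from it are few: did main mode reach IKE_P1_COMPLETE after authenticating the peer, did quick mode reach IKE_QM_PHASE2_COMPLETE, which algorithms and lifetimes were accepted, and which SPIs were installed. The script below is an added example written for this article; it is not Cisco code and was not part of the original page. Its regular expressions are written against the line formats visible in the trace, and SAMPLE_DEBUG is an abridged copy of the trace embedded as constructed input. It also decodes the raw "VPI" lifetime bytes (0x0 0x1 0x51 0x80 is 86400 seconds; 0x0 0x46 0x50 0x0 is 4608000 kilobytes) and normalises the SPI that IOS prints as a signed decimal (-1901393118) back to 0x8EAB0B22.

```python
"""Reconstruct the IKE (ISAKMP) negotiation from Cisco IOS debug output.

Added example for this article, not Cisco code and not part of the original
page. Patterns follow the responder trace above; SAMPLE_DEBUG is an abridged
copy of it, embedded as constructed input so the script runs offline."""
import re
from typing import Dict, List, Tuple

SAMPLE_DEBUG = """\
1w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY New State = IKE_R_MM1
1w1d: ISAKMP: encryption 3DES-CBC
1w1d: ISAKMP: hash SHA
1w1d: ISAKMP: default group 1
1w1d: ISAKMP: auth pre-share
1w1d: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Old State = IKE_R_MM1 New State = IKE_R_MM2
Old State = IKE_R_MM2 New State = IKE_R_MM3
Old State = IKE_R_MM3 New State = IKE_R_MM4
Old State = IKE_R_MM4 New State = IKE_R_MM5
1w1d: ISAKMP (0:1): SA has been authenticated with 172.16.172.10
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
1w1d: ISAKMP: transform 1, ESP_3DES
1w1d: ISAKMP: encaps is 1
1w1d: ISAKMP: SA life duration (basic) of 3600
1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1w1d: ISAKMP: authenticator is HMAC-MD5
Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
1w1d: has spi 0xEB84DC85 and conn_id 2029 and flags 4
1w1d: has spi -1901393118 and conn_id 2030 and flags C
Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

# IKEv1 encapsulation-mode attribute values (RFC 2407).
ENCAPS_MODE = {1: "Tunnel", 2: "Transport"}
# Algorithm names, as IOS prints them, that a reviewer would flag as legacy today.
LEGACY = {"DES-CBC", "ESP_DES", "3DES-CBC", "ESP_3DES", "MD5", "HMAC-MD5", "SHA", "group 1", "group 2"}


def decode_vpi(tokens: str) -> int:
    """Decode a variable-length attribute printed as big-endian hex bytes."""
    return int.from_bytes(bytes(int(t, 16) for t in tokens.split()), "big")


def _first(pattern: str, text: str, default: str = "") -> str:
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else default


def state_transitions(text: str) -> List[Tuple[str, str]]:
    """Every (old, new) ISAKMP state pair, in logged order."""
    return re.findall(r"Old State = (\S+) New State = (\S+)", text)


def phase_status(text: str) -> Dict[str, bool]:
    """Did main mode authenticate the peer, and did both phases complete?"""
    reached = {new for _, new in state_transitions(text)}
    return {"authenticated": "SA has been authenticated with" in text,
            "phase1_complete": "IKE_P1_COMPLETE" in reached,
            "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in reached}


def phase1_attributes(text: str) -> Dict[str, object]:
    """ISAKMP policy the responder accepted; its lifetime is logged only as VPI bytes."""
    return {"encryption": _first(r"^\S+ ISAKMP: encryption (\S+)$", text),
            "hash": _first(r"^\S+ ISAKMP: hash (\S+)$", text),
            "group": int(_first(r"^\S+ ISAKMP: default group (\d+)$", text, "0")),
            "auth": _first(r"^\S+ ISAKMP: auth (\S+)$", text),
            "lifetime_seconds": decode_vpi(_first(r"^\S+ ISAKMP: life duration \(VPI\) of (.+)$", text, "0"))}


def phase2_attributes(text: str) -> Dict[str, object]:
    """IPsec proposal accepted in quick mode."""
    encaps = int(_first(r"^\S+ ISAKMP: encaps is (\d+)$", text, "0"))
    return {"transform": _first(r"^\S+ ISAKMP: transform \d+, (\S+)$", text),
            "authenticator": _first(r"^\S+ ISAKMP: authenticator is (\S+)$", text),
            "encapsulation": ENCAPS_MODE.get(encaps, f"unknown({encaps})"),
            "lifetime_seconds": int(_first(r"SA life duration \(basic\) of (\d+)$", text, "0")),
            "lifetime_kb": decode_vpi(_first(r"SA life duration \(VPI\) of (.+)$", text, "0"))}


def ipsec_spis(text: str) -> Dict[int, int]:
    """conn_id -> SPI; IOS prints some SPIs as signed 32-bit decimals, so normalise them."""
    pairs = re.findall(r"has spi (-?0x[0-9A-Fa-f]+|-?\d+) and conn_id (\d+)", text)
    return {int(cid): int(raw, 0) & 0xFFFFFFFF for raw, cid in pairs}


def legacy_algorithms(p1: Dict[str, object], p2: Dict[str, object]) -> List[str]:
    """Negotiated algorithms that should be replaced (AES, SHA-2, DH group >= 14)."""
    chosen = [p1["encryption"], p1["hash"], f"group {p1['group']}", p2["transform"], p2["authenticator"]]
    return [c for c in chosen if c in LEGACY]
```

Running `phase_status(SAMPLE_DEBUG)` on the trace reports all three flags true, which is the result to compare against when a tunnel fails: a trace that stalls in IKE_R_MM5 without the "SA has been authenticated" line points at the pre-shared key, while one that reaches IKE_P1_COMPLETE but never IKE_QM_PHASE2_COMPLETE points at the IPsec proposal or the proxy identities. `legacy_algorithms` lists every accepted algorithm on this page (3DES, SHA-1, DH group 1, HMAC-MD5) as legacy, which is the policy review a defender would apply before reusing this configuration.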
Example 6: show command output from the router acting as the responder of the IPsec negotiation
Responder#show cry isa sa
dst src state conn-id slot
172.16.172.10 172.16.172.20 QM_IDLE 1 0
Responder#show crypto ipsec sa
interface: Ethernet1/0
Crypto map tag: vpn, local addr. 172.16.172.20
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 172.16.172.10
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.172.20, remote crypto endpt.: 172.16.172.10
path mtu 1500, media mtu 1500
current outbound spi: 8EAB0B22
inbound esp sas:
spi: 0xEB84DC85(3951352965)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2029, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3326)
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8EAB0B22(2393574178)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2030, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607999/3326)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Initiator#show cry map
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 172.16.172.10
Extended IP access list 101
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Current peer: 172.16.172.10
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn:
Ethernet1/0
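Examples 4 and 6 are two views of the same pair of ESP SAs, and the useful check is to read them together: the initiator's inbound SPI (0x8EAB0B22) must be the responder's outbound SPI and vice versa, the transforms and mode must agree, and packets one side encapsulated should appear as decapsulated on the other. The script below is an added example written for this article; it is not Cisco code and was not part of the original page. Its field patterns follow the `show crypto ipsec sa` output shown above, and the two sample outputs are abridged copies of examples 4 and 6 embedded as constructed input.

```python
"""Parse 'show crypto ipsec sa' from both IPsec peers and cross-check them.

Added example for this article, not Cisco code and not part of the original
page. Patterns follow examples 4 and 6; the samples are abridged copies,
embedded as constructed input so the script runs offline."""
import re
from typing import Dict, List

INITIATOR_SHOW = """\
local crypto endpt.: 172.16.172.10, remote crypto endpt.: 172.16.172.20
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 6, #recv errors 0
inbound esp sas:
spi: 0x8EAB0B22(2393574178)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEB84DC85(3951352965)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
"""

RESPONDER_SHOW = """\
local crypto endpt.: 172.16.172.20, remote crypto endpt.: 172.16.172.10
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0xEB84DC85(3951352965)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
outbound esp sas:
spi: 0x8EAB0B22(2393574178)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
"""

ENDPOINT_RE = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")
SECTION_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
# Per-SA fields: (pattern, key, converter applied to the match groups).
SA_FIELDS = [
    (re.compile(r"spi: 0x([0-9A-Fa-f]+)\("), "spi", lambda g: int(g[0], 16)),
    (re.compile(r"transform: (.+?) ,"), "transform", lambda g: g[0]),
    (re.compile(r"in use settings =\{(\w+), \}"), "mode", lambda g: g[0]),
    (re.compile(r"replay detection support: (\w)"), "replay", lambda g: g[0] == "Y"),
]


def parse_show_ipsec_sa(text: str) -> Dict[str, object]:
    """Extract endpoints, packet counters and the inbound/outbound ESP SAs."""
    result: Dict[str, object] = {"counters": {}, "inbound": {}, "outbound": {}}
    section = None  # "inbound" / "outbound" while inside an ESP SA block
    for line in (l.strip() for l in text.splitlines()):
        m = ENDPOINT_RE.search(line)
        if m:
            result["local"], result["remote"] = m.groups()
        for name, value in COUNTER_RE.findall(line):
            result["counters"][name] = int(value)
        m = SECTION_RE.match(line)
        if m:
            direction, proto = m.groups()
            section = direction if proto == "esp" else None  # AH/PCP blocks are ignored
            continue
        if section:
            for pattern, key, conv in SA_FIELDS:
                m = pattern.search(line)
                if m:
                    result[section][key] = conv(m.groups())
    return result


def cross_check(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, object]:
    """Compare both peers: each side's inbound SA must be the other side's outbound SA."""
    findings: List[str] = []
    spi_match = (a["inbound"]["spi"] == b["outbound"]["spi"]
                 and a["outbound"]["spi"] == b["inbound"]["spi"])
    if not spi_match:
        findings.append("SPI mismatch: peers disagree on the ESP SAs")
    transforms = {a["inbound"]["transform"], a["outbound"]["transform"], b["inbound"]["transform"], b["outbound"]["transform"]}
    transform_match = len(transforms) == 1
    for x, y in ((a, b), (b, a)):
        # Every packet one side encapsulated should show up as decapsulated on the other.
        if x["counters"]["pkts encaps"] != y["counters"]["pkts decaps"]:
            findings.append(f"{x['local']} encaps != {y['local']} decaps")
        if x["counters"].get("send errors", 0):
            findings.append(f"{x['local']} reports {x['counters']['send errors']} send errors")
        for direction in ("inbound", "outbound"):
            if not x[direction].get("replay", False):
                findings.append(f"{x['local']}: anti-replay off on {direction} SA")
    return {"spi_match": spi_match, "transform_match": transform_match, "findings": findings}
```

On the outputs from this page, `cross_check` confirms that the SPIs and transforms agree and that the 4 packets each side encapsulated were decapsulated by the other; the only finding is the initiator's 6 send errors, a counter worth watching if it keeps growing after the tunnel is up. The anti-replay check is there because the page shows "replay detection support: Y" on every SA, and a configuration that drops to N should be noticed rather than silently accepted.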