Example:
Configuring the TED-Initiator router:
TED-Initiator#show running-config
Building configuration...
Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
hostname TED-Initiator
enable secret 5 <removed>
enable password <removed>
ip subnet-zero
crypto isakmp policy 10
authentication pre-share
One of the issues with using a preshared key with TED is the need to use a wildcard preshared key because the peer's address is not known beforehand. A resolution to this is to use digital certificate-based digital signatures as the authentication method.
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
Note that no peer address has been configured in the crypto map below.
crypto dynamic-map ted-map 10
set transform-set ted-transforms
match address 101
The keyword discover in the crypto map below triggers the use of TED.
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
interface Ethernet0/0
ip address 13.13.13.13 255.255.255.0
no ip directed-broadcast
no mop enabled
interface Ethernet0/1
ip address 11.11.11.1 255.255.255.0
crypto map tedtag
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.2
no ip http server
access-list 101 permit ip 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255
access-list 101 permit icmp 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
end
Configuring the TED-Responder router:
TED-Responder#show running-config
Building configuration...
Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
hostname TED-Responder
enable secret 5 <removed>
enable password <removed>
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
crypto dynamic-map ted-map 10
set transform-set ted-transforms
match address 101
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
interface Ethernet0/0
ip address 12.12.12.12 255.255.255.0
no ip directed-broadcast
no mop enabled
interface Ethernet0/1
ip address 11.11.11.2 255.255.255.0
crypto map tedtag
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.1
no ip http server
access-list 101 permit ip 12.12.12.0 0.0.0.255 13.13.13.0 0.0.0.255
access-list 101 permit icmp 12.12.12.0 0.0.0.255 13.13.13.0 0.0.0.255
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
no scheduler allocate
end
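The note above the initiator's `crypto isakmp key` line points out that TED forces a wildcard pre-shared key (`address 0.0.0.0`) because the peer is not known in advance, and the two configurations also rely on `esp-des`/`esp-md5-hmac` and on an ISAKMP policy that leaves encryption, hash and DH group at their IOS defaults. The following script is an added example, not part of the original article or of Cisco's documentation: it parses a running-config in the shape shown above and reports those settings so an auditor can spot them before the tunnel goes into production. The sample config embedded in it is constructed from the TED-Initiator configuration on this page; the finding wording and severities are the example's own.

```python
import re

# Constructed sample: the crypto and vty sections of the TED-Initiator config from the page.
SAMPLE_CONFIG = """\
hostname TED-Initiator
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
line vty 0 4
 password ww
 login
"""

# Transform keywords an auditor would flag today (single DES, MD5, null encryption).
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}


def parse_blocks(config):
    """Split an IOS config into (header, [subcommands]) pairs.

    IOS indents sub-mode commands with a leading space, so an indented line
    belongs to the most recent unindented header line.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return a list of (severity, finding) tuples for the IKE/IPsec settings."""
    findings = []
    for header, subs in parse_blocks(config):
        # Wildcard PSK: any peer holding the key can complete IKE phase 1.
        m = re.match(r"crypto isakmp key \S+ address (\S+)", header)
        if m and m.group(1) == "0.0.0.0":
            findings.append(("high", "wildcard pre-shared key (address 0.0.0.0); "
                                     "the page recommends certificate-based signatures with TED"))
        # Transform set: tokens after the set name are the transforms.
        if header.startswith("crypto ipsec transform-set"):
            weak = sorted(set(header.split()[4:]) & WEAK_TRANSFORMS)
            if weak:
                findings.append(("high", f"transform-set uses weak algorithms: {', '.join(weak)}"))
        # ISAKMP policy: anything not set falls back to the IOS defaults,
        # which the debug output on this page shows as DES-CBC, SHA and DH group 1.
        if header.startswith("crypto isakmp policy"):
            present = {s.split()[0] for s in subs}
            missing = sorted({"encryption", "hash", "group"} - present)
            if missing:
                findings.append(("medium", f"{header}: relies on IOS defaults for "
                                           f"{', '.join(missing)} (DES, SHA, DH group 1)"))
        # VTY lines protected only by a line password, with Telnet still allowed.
        if header.startswith("line vty"):
            if any(s.startswith("password ") for s in subs) and "transport input ssh" not in subs:
                findings.append(("medium", f"{header}: line password without 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run it against a `show running-config` capture saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the block parser is deliberately simple and only needs the one-space indentation IOS uses for sub-mode commands.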
Debug output on the TED-Initiator router:
TED-Initiator#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto Engine debugging is on
Crypto IPSEC debugging is on
TED-Initiator#
The TED process has started. The proxy IDs are shown in the message below.
01:33:56: IPSEC(tunnel discover request): ,
(key eng. msg.) src= 13.13.13.14, dest= 12.12.12.13,
src_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
dest_proxy= 11.11.11.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4044
01:33:56: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
01:33:56: src = 13.13.13.14 to 12.12.12.13, protocol 3, transform 2, hmac 1
The TED process below determines which address is the source address in the TED packet and which addresses are the proxy IDs.
01:33:56: proxy source is 13.13.13.0 /255.255.255.0 and my address (not used now) is 11.11.11.1
01:33:56: ISAKMP (1): ID payload
next-payload : 5
type : 1
protocol : 17
port : 500
length : 8
01:33:56: ISAKMP (1): Total payload length: 12
The initiator determines below that the first ID payload will be its own IP address, 11.11.11.1, and the second payload contains its source IPsec proxy: 13.13.13.0/24.
01:33:56: 1st ID is 11.11.11.1
01:33:56: 2nd ID is 13.13.13.0 /255.255.255.0
01:33:56: ISAKMP (0:1): beginning peer discovery exchange
The TED probe is being sent to the destination IP address found in the original packet that was received on the initiator and that matched the IPsec interesting traffic access list.
01:33:56: ISAKMP (1): sending packet to 12.12.12.13 (I) PEER_DISCOVERY
The peer has been discovered to be 12.12.12.13, and it responds as shown below.
01:33:56: ISAKMP (1): received packet from 12.12.12.13 (I) PEER_DISCOVERY
Upon processing the vendor ID payload, the initiator ascertains that the responder does indeed understand what was sent to it.
01:33:56: ISAKMP (0:1): processing vendor id payload
01:33:56: ISAKMP (0:1): speaking to another IOS box!
01:33:56: ISAKMP (0:1): processing ID payload. message ID = 0
The responder's IP address is encoded in the ID payload. It is equal to 11.11.11.2.
01:33:56: ISAKMP (0:1): processing ID payload. message ID = 1168952014
Upon looking at the ID payload sent by the responder, the initiator finds that the responder's proxy ID indeed matches the proxy configured on itself.
01:33:56: ISAKMP (1): ID_IPV4_ADDR_SUBNET dst 12.12.12.0/255.255.255.0 prot 0 port 0
01:33:56: ISAKMP (1): received response to my peer discovery probe!
Normal IKE processing starts at this point to the IP address discovered through TED.
01:33:56 ISAKMP: initiating IKE to 11.11.11.2 in response to probe.
01:33:56: ISAKMP (2): sending packet to 11.11.11.2 (I) MM_NO_STATE
01:33:56: ISAKMP (0:1): deleting SA
01:33:56: ISAKMP (2): received packet from 11.11.11.2 (I) MM_NO_STATE
01:33:56: ISAKMP (0:2): processing SA payload. message ID = 0
01:33:56: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
01:33:56: ISAKMP: encryption DES-CBC
01:33:56: ISAKMP: hash SHA
01:33:56: ISAKMP: default group 1
01:33:56: ISAKMP: auth pre-share
01:33:56: ISAKMP (0:2): atts are acceptable. Next payload is 0
01:33:56: CryptoEngine0: generate alg parameter
01:33:56: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:56: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:56: ISAKMP (0:2): SA is doing pre-shared key authentication
01:33:56: ISAKMP (2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:33:56: ISAKMP (2): sending packet to 11.11.11.2 (I) MM_SA_SETUP
01:33:56: ISAKMP (2): received packet from 11.11.11.2 (I) MM_SA_SETUP
01:33:56: ISAKMP (0:2): processing KE payload. message ID = 0
01:33:56: CryptoEngine0: generate alg parameter
01:33:57: ISAKMP (0:2): processing NONCE payload. message ID = 0
01:33:57: CryptoEngine0: create ISAKMP SKEYID for conn id 2
01:33:57: ISAKMP (0:2): SKEYID state generated
01:33:57: ISAKMP (0:2): processing vendor id payload
01:33:57: ISAKMP (0:2): speaking to another IOS box!
01:33:57: ISAKMP (2): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
01:33:57: ISAKMP (2): Total payload length: 12
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (2): sending packet to 11.11.11.2 (I) MM_KEY_EXCH
01:33:57: ISAKMP (2): received packet from 11.11.11.2 (I) MM_KEY_EXCH
01:33:57: ISAKMP (0:2): processing ID payload. message ID = 0
01:33:57: ISAKMP (0:2): processing HASH payload. message ID = 0
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (0:2): SA has been authenticated with 11.11.11.2
01:33:57: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 474637101
01:33:57: CryptoEngine0: clear dh number for conn id 1
01:33:57: IPSEC(key_engine): got a queue event...
01:33:57: IPSEC(spi_response): getting spi 348588451 for SA from 11.11.11.2 to 11.11.11.1 for prot 3
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (2): sending packet to 11.11.11.2 (I) QM_IDLE
01:33:57: ISAKMP (2): received packet from 11.11.11.2 (I) QM_IDLE
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (0:2): processing SA payload. message ID = 474637101
01:33:57: ISAKMP (0:2): Checking IPsec proposal 1
01:33:57: ISAKMP: transform 1, ESP_DES
01:33:57: ISAKMP: attributes in transform:
01:33:57: ISAKMP: encaps is 1
01:33:57: ISAKMP: SA life type in seconds
01:33:57: ISAKMP: SA life duration (basic) of 3600
01:33:57: ISAKMP: SA life type in kilobytes
01:33:57: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
01:33:57: ISAKMP: authenticator is HMAC-MD5
01:33:57: validate proposal 0
01:33:57: ISAKMP (0:2): atts are acceptable.
01:33:57: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 11.11.11.2, src= 11.11.11.1,
dest_proxy= 12.12.12.0/255.255.255.0/0/0 (type=4),
src_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
01:33:57: validate proposal request 0
01:33:57: ISAKMP (0:2): processing NONCE payload. message ID = 474637101
01:33:57: ISAKMP (0:2): processing ID payload. message ID = 474637101
01:33:57: ISAKMP (0:2): processing ID payload. message ID = 474637101
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ipsec allocate flow 0
01:33:57: ipsec allocate flow 0
01:33:57: ISAKMP (0:2): Creating IPsec SAs
01:33:57: inbound SA from 11.11.11.2 to 11.11.11.1 (proxy 12.12.12.0 to 13.13.13.0)
01:33:57: has spi 348588451 and conn_id 2000 and flags 4
01:33:57: lifetime of 3600 seconds
01:33:57: lifetime of 4608000 kilobytes
01:33:57: outbound SA from 11.11.11.1 to 11.11.11.2 (proxy 13.13.13.0 to 12.12.12.0)
01:33:57: has spi 132187477 and conn_id 2001 and flags 4
01:33:57: lifetime of 3600 seconds
01:33:57: lifetime of 4608000 kilobytes
01:33:57: ISAKMP (2): sending packet to 11.11.11.2 (I) QM_IDLE
01:33:57: ISAKMP (0:2): deleting node 474637101
01:33:57: IPSEC(key_engine): got a queue event...
01:33:57: IPSEC(initialize_sas): ,
(key eng. msg.) dest= 11.11.11.1, src= 11.11.11.2,
dest_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
src_proxy= 12.12.12.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x14C709A3(348588451), conn_id= 2000, keysize= 0, flags= 0x4
01:33:57: IPSEC(initialize_sas): ,
(key eng. msg.) src= 11.11.11.1, dest= 11.11.11.2,
src_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
dest_proxy= 12.12.12.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x7E10555(132187477), conn_id= 2001, keysize= 0, flags= 0x4
01:33:57: IPSEC(create_sa): sa created,
(sa) sa_dest= 11.11.11.1, sa_prot= 50,
sa_spi= 0x14C709A3(348588451),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
01:33:57: IPSEC(create_sa): sa created,
(sa) sa_dest= 11.11.11.2, sa_prot= 50,
sa_spi= 0x7E10555(132187477),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
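The debug trace above shows the whole TED sequence: the probe goes to the destination host of the interesting traffic (12.12.12.13), the reply comes back from that address carrying the responder's proxy subnet (12.12.12.0/24), and only then does IKE start with the gateway that answered (11.11.11.2). The script below is an added example, not part of the original article or of Cisco's tooling: it extracts those facts from debug output in this format and checks that they agree with each other, which is the sanity check an operator wants before trusting a dynamically discovered peer. The sample lines are a constructed subset of the TED-Initiator debug on this page; the check names and messages are the example's own.

```python
import ipaddress
import re

# Constructed sample: a subset of the TED-Initiator debug lines shown on this page.
SAMPLE_DEBUG = """\
01:33:56: ISAKMP (0:1): beginning peer discovery exchange
01:33:56: ISAKMP (1): sending packet to 12.12.12.13 (I) PEER_DISCOVERY
01:33:56: ISAKMP (1): received packet from 12.12.12.13 (I) PEER_DISCOVERY
01:33:56: ISAKMP (0:1): processing vendor id payload
01:33:56: ISAKMP (1): ID_IPV4_ADDR_SUBNET dst 12.12.12.0/255.255.255.0 prot 0 port 0
01:33:56: ISAKMP (1): received response to my peer discovery probe!
01:33:56 ISAKMP: initiating IKE to 11.11.11.2 in response to probe.
01:33:57: ISAKMP (0:2): SA has been authenticated with 11.11.11.2
01:33:57: IPSEC(create_sa): sa created,
(sa) sa_dest= 11.11.11.1, sa_prot= 50,
sa_spi= 0x14C709A3(348588451),
01:33:57: IPSEC(create_sa): sa created,
(sa) sa_dest= 11.11.11.2, sa_prot= 50,
sa_spi= 0x7E10555(132187477),
"""

# One regex per fact; the first match wins because one exchange yields one of each.
PATTERNS = {
    "probe_dest": re.compile(r"sending packet to (\S+) \(I\) PEER_DISCOVERY"),
    "probe_reply_from": re.compile(r"received packet from (\S+) \(I\) PEER_DISCOVERY"),
    "responder_proxy": re.compile(r"ID_IPV4_ADDR_SUBNET dst (\S+) prot"),
    "ike_peer": re.compile(r"initiating IKE to (\S+) in response to probe"),
    "authenticated_peer": re.compile(r"SA has been authenticated with (\S+)"),
}
SPI_RE = re.compile(r"sa_spi= (0x[0-9A-Fa-f]+)\((\d+)\)")


def parse_ted_debug(text):
    """Pull the TED discovery facts and the resulting SA SPIs out of IOS debug output."""
    facts = {"spis": []}
    for line in text.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m and name not in facts:
                facts[name] = m.group(1)
        m = SPI_RE.search(line)
        if m:
            facts["spis"].append(int(m.group(2)))  # decimal SPI, as printed in parentheses
    return facts


def check_discovery(facts):
    """Return a list of problems; an empty list means the exchange is self-consistent."""
    needed = ["probe_dest", "probe_reply_from", "responder_proxy", "ike_peer"]
    missing = [k for k in needed if k not in facts]
    if missing:
        return [f"incomplete exchange, missing: {', '.join(missing)}"]
    problems = []
    # The reply should come from the host that was probed, not from a third address.
    if facts["probe_reply_from"] != facts["probe_dest"]:
        problems.append("probe reply did not come back from the probed address")
    # The responder claims a proxy subnet; the probed host must actually be inside it.
    # ipaddress accepts the dotted netmask form IOS prints (12.12.12.0/255.255.255.0).
    subnet = ipaddress.ip_network(facts["responder_proxy"], strict=False)
    if ipaddress.ip_address(facts["probe_dest"]) not in subnet:
        problems.append("responder's proxy subnet does not contain the probed host")
    # Phase 1 must authenticate the same gateway that TED discovered.
    authenticated = facts.get("authenticated_peer")
    if authenticated is not None and authenticated != facts["ike_peer"]:
        problems.append("IKE authenticated a different address than the one discovered")
    return problems


if __name__ == "__main__":
    facts = parse_ted_debug(SAMPLE_DEBUG)
    print(f"probe to {facts['probe_dest']}, discovered gateway {facts['ike_peer']}, "
          f"proxy {facts['responder_proxy']}, SPIs {facts['spis']}")
    print("OK" if not check_discovery(facts) else check_discovery(facts))
```

Feed it a captured `debug crypto isakmp` / `debug crypto ipsec` session and the output gives the discovered gateway and the SPIs to cross-check against `show crypto ipsec sa`; a non-empty problem list means the discovered peer should be investigated rather than accepted.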
show command output on the TED-Initiator router:
TED-Initiator#show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: tedtag, local addr. 11.11.11.1
local ident (addr/mask/prot/port): (13.13.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (12.12.12.0/255.255.255.0/0/0)
current_peer: 11.11.11.2
PERMIT, flags={}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.11.11.1, remote crypto endpt.: 11.11.11.2
path mtu 1500, media mtu 1500
current outbound spi: 7E10555
inbound esp sas:
spi: 0x14C709A3(348588451)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: tedtag
sa timing: remaining key lifetime (k/sec): (4607998/3557)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7E10555(132187477)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: tedtag
sa timing: remaining key lifetime (k/sec): (4607998/3557)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas: