[localhost]
[[7200]]
image = c:\Program Files\Dynamips\images\c7200-jk9o3s-mz.124-7a.bin
# On Linux/Unix use forward slashes:
# image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.bin
ram = 128 # Amount of virtual RAM to allocate to each router instance.
nvram = 64 # Size of NVRAM
disk0 = 64 # Set size of PCMCIA ATA disk0
disk1 = 64 # Set size of PCMCIA ATA disk1
cnfg = None # Configuration file to import. This is the fully qualified path relative to the system running dynamips.
confreg = 0x2102 # Set the configuration register
npe = npe-400
idlepc = 0x6083ca6c # Set the Idle PC value
exec_area = 64 # Set the exec area size
[[ROUTER R1]]
s1/0 = R2 s1/0
idlepc = 0x6083ca6c
[[ROUTER R2]]
idlepc = 0x6083ca6c
R1 configuration file:
Router#show run
Building configuration...
Current configuration : 1762 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 dongbao address 12.1.1.2
!
crypto isakmp peer address 12.1.1.2
crypto isakmp profile 1
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
mode transport
!
crypto map 1 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set 1
match address 100
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
fair-queue
crypto map 1
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 1.1.2.0 255.255.255.0 Serial1/0
ip route 1.1.2.0 255.255.255.0 12.1.1.2
!
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip any any
access-list 100 permit udp any any
!
!
!
!
control-plane
gatekeeper
shutdown
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
R2 configuration:
Router#show run
Building configuration...
Current configuration : 1638 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 dongbao address 12.1.1.1
!
crypto isakmp peer address 12.1.1.1
!
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
mode transport
!
crypto map 1 1 ipsec-isakmp
set peer 12.1.1.1
set transform-set 1
match address 100
interface Loopback0
ip address 1.1.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
fair-queue
crypto map 1
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 1.1.1.0 255.255.255.0 12.1.1.1
!
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip any any
access-list 100 permit udp any any
control-plane
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
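An added example, not part of the original lab notes: a small Python audit of the crypto settings in the two running-configs above. It flags the legacy algorithms both routers use (3DES, MD5, DH group 2), a crypto ACL of `permit ip any any`, and a crypto map entry without `set pfs`; the function name, check labels and weak-algorithm lists are this example's own assumptions.

```python
import re

# Legacy algorithms this added example flags (the editor's lists, not Cisco's).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# Constructed sample: crypto-relevant lines taken from the R1 running-config.
SAMPLE = """
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
crypto map 1 1 ipsec-isakmp
 match address 100
access-list 100 permit ip any any
"""

def audit(config):
    """Return sorted (check, detail) findings for an IOS crypto configuration."""
    findings, broad_acls, maps, ctx = set(), set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = ("ike", m.group(1))
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-isakmp", line):
            ctx = ("map", m.group(1))
            maps[ctx[1]] = {"acl": None, "pfs": False}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            ctx = None
            for t in WEAK_TRANSFORMS & set(m.group(2).split()):
                findings.add(("weak-transform", f"transform-set {m.group(1)}: {t}"))
        elif m := re.match(r"access-list (\d+) permit ip any any", line):
            ctx = None
            broad_acls.add(m.group(1))
        elif re.match(r"(crypto|interface|access-list|ip|line) ", line):
            ctx = None  # any other top-level command closes the stanza
        elif ctx and ctx[0] == "ike" and (m := re.match(r"(encr|hash|group)\w* (\S+)", line)):
            if m.group(2) in WEAK_IKE[m.group(1)]:
                findings.add(("weak-ike", f"policy {ctx[1]}: {m.group(1)} {m.group(2)}"))
        elif ctx and ctx[0] == "map":
            if m := re.match(r"match address (\S+)", line):
                maps[ctx[1]]["acl"] = m.group(1)
            elif line.startswith("set pfs"):
                maps[ctx[1]]["pfs"] = True
    for name, entry in maps.items():
        if entry["acl"] in broad_acls:
            findings.add(("broad-selector", f"crypto map {name}: ACL {entry['acl']}"))
        if not entry["pfs"]:
            findings.add(("no-pfs", f"crypto map {name}: no 'set pfs'"))
    return sorted(findings)
```

Each line is stripped before matching, so the function also accepts a `show run` capture that has lost its indentation, as the listings on this page have.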
Debug output:
Router#show cry isa sa
dst             src             state          conn-id slot status
12.1.1.2        12.1.1.1        QM_IDLE              1    0 ACTIVE
Router#show cryptoo map
^
% Invalid input detected at '^' marker.
Router#show crypto map
Crypto Map "1" 1 ipsec-isakmp
Peer = 12.1.1.2
Extended IP access list 100
access-list 100 permit ip any any
access-list 100 permit udp any any
Current peer: 12.1.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
1,
}
Interfaces using crypto map 1:
Serial1/0
Router#show crypto isa
Router#show crypto isakmp ?
key      Show ISAKMP preshared keys
peers    Show ISAKMP peer structures
policy   Show ISAKMP protection suite policy
profile  Show ISAKMP profiles
sa       Show ISAKMP Security Associations
Router#show crypto isakmp po
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Router#show crypto isakmp key
Keyring        Hostname/Address        Preshared Key
Router#show cry isa
Router#show cry isakmp pro
Router#show cry isakmp profile
ISAKMP PROFILE 1
Identities matched are:
Certificate maps matched are:
keyring(s): none
trustpoint(s): all
Router#show cry
Router#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: 1, local addr 12.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 12.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 16, #recv errors 0
path mtu 1500, ip mtu 1500
current outbound spi: 0xD0965AFD(3499514621)
inbound esp sas:
spi: 0x874EBCEA(2270084330)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: 1
sa timing: remaining key lifetime (k/sec): (4399251/3190)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD0965AFD(3499514621)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: 1
sa timing: remaining key lifetime (k/sec): (4399251/3189)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/17/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/17/0)
current_peer 12.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router#show cry ipse tr
Transform set 1: { esp-3des esp-md5-hmac }
will negotiate = {Transport, },
Router#show cry ipsec ?
policy                Show IPSEC client policies
profile               Show ipsec profile information
sa                    IPSEC SA table
security-association  Show parameters for IPSec security associations
transform-set         Crypto transform sets
Router#show cry ipsec pol
No policy exists
Router#show cry ipsec p
Router#show cry ipsec p
% Ambiguous command: "show cry ipsec p"
Router#show cry se
Router#show cry session
Crypto session current status
Interface: Serial1/0
Session status: UP-ACTIVE
Peer: 12.1.1.2 port 500
IKE SA: local 12.1.1.1/500 remote 12.1.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit 17 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Router#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/121/292 ms
Router#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/62/108 ms
Router#exit