2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
ISAKMP Profile is a newer way of configuring IKE negotiation. Its main function is to map the phase 1 ISAKMP parameters to the phase 2 IPSec tunnel, which lets one device establish multiple tunnels to multiple sites. It also removes interference between different VPNs, so that the phase 1 policy and the phase 2 policy are tied together more closely. ISAKMP Profile is commonly found in EzVPN and VRF-aware IPSec configurations.
Site1:
crypto keyring ccie
 pre-shared-key address 61.128.1.1 key cisco
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
 keyring ccie
 match identity address 61.128.1.1 255.255.255.255
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 61.128.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address *
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 crypto map ccie
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
ip access-list extended *
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Internet:
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 61.128.1.10 255.255.255.0
!
end
Site2:
crypto keyring ccie
 pre-shared-key address 202.100.1.1 key cisco
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
 keyring ccie
 match identity address 202.100.1.1 255.255.255.255
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address *
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 61.128.1.1 255.255.255.0
 crypto map ccie
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended *
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
Test:
Site1#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/133/148 ms
Site1#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: ccie, local addr 202.100.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 61.128.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x96AB8F14(2527825684)
     inbound esp sas:
      spi: 0xF41D2511(4095550737)
        transform: esp-3des esp-sha-hmac
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ccie
        sa timing: remaining key lifetime (k/sec): (4566332/2033)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x96AB8F14(2527825684)
        transform: esp-3des esp-sha-hmac
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ccie
        sa timing: remaining key lifetime (k/sec): (4566332/2031)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
Site1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Profile: isaprof
Session status: UP-ACTIVE
Peer: 61.128.1.1 port 500
  IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active
  IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
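The session above comes up with "Profile: isaprof" because the crypto map entry, the ISAKMP profile and the keyring all name the same peer. The following is an added example, not part of the original article, that checks this chain offline in a saved configuration; the function names are hypothetical, and it assumes every crypto map entry is meant to bind a profile and that peers are identified by IPv4 address.

```python
import ipaddress
import re

SITE1 = """\
crypto keyring ccie
 pre-shared-key address 61.128.1.1 key cisco
crypto isakmp profile isaprof
 keyring ccie
 match identity address 61.128.1.1 255.255.255.255
crypto map ccie 10 ipsec-isakmp
 set peer 61.128.1.1
 set isakmp-profile isaprof
"""  # crypto lines of the article's Site1 config; interfaces, ACL, policy omitted

def sections(config, prefix):
    """Map the name after `prefix` to the indented sub-commands below it."""
    out, body = {}, None
    for line in config.splitlines():
        if line.startswith(prefix):
            body = out.setdefault(line[len(prefix):].strip(), [])
        elif not line.startswith(" "):
            body = None
        elif body is not None:
            body.append(line.strip())
    return out

def nets(prefix, lines):
    """Networks named by '<prefix> A.B.C.D [mask]' lines; no mask means a host."""
    pat = re.compile(re.escape(prefix) + r" (\d[\d.]+)(?: (\d[\d.]+))?")
    return [ipaddress.ip_network(f"{m[1]}/{m[2] or 32}", strict=False)
            for l in lines if (m := pat.match(l))]

def audit(config):
    """List breaks in the crypto map -> ISAKMP profile -> keyring chain."""
    keyrings = sections(config, "crypto keyring ")
    profiles = sections(config, "crypto isakmp profile ")
    problems = []
    for name, body in sections(config, "crypto map ").items():
        prof = next((l.split()[2] for l in body if l.startswith("set isakmp-profile ")), None)
        if prof not in profiles:
            problems.append(f"map {name}: isakmp-profile {prof} is not defined")
            continue
        rings = [l.split()[1] for l in profiles[prof] if l.startswith("keyring ")]
        keyed = [n for r in rings for n in nets("pre-shared-key address", keyrings.get(r, []))]
        for peer in (n.network_address for n in nets("set peer", body)):
            if not any(peer in n for n in nets("match identity address", profiles[prof])):
                problems.append(f"map {name}: peer {peer} matches no identity in {prof}")
            if not any(peer in n for n in keyed):
                problems.append(f"map {name}: no pre-shared key for {peer} in keyring {rings}")
    return problems
```

Calling `audit(SITE1)` returns an empty list for the article's configuration; each string it returns otherwise names the crypto map entry and the link in the chain that does not line up.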