CCNP (ISCW) experiment: Use SDM to configure a Site-to-Site IPsec VPN
Experiment description:

  1. R1 and R2 are connected to each other over Fast Ethernet.
  2. The 1.1.1.1/24 network on R1 should communicate with the 2.2.2.2/24 network on R2 through the IPsec VPN.
  3. Pre-shared key authentication is used.
  4. The configuration is done with SDM.

Experiment procedure:

Step 1: Configure R1 to support SDM
R1(config)#username admin privilege 15 password admin
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exi
R1(config)#ip http server
R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#int e1/0
R1(config-if)#ip add 192.168.1.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int e0/0
R1(config-if)#ip add 200.1.1.1 255.255.255.0

Step 2: Configure R2 to support SDM
R2(config)#username admin pri 15 pass admin
R2(config)#ip http server
R2(config)#ip http secure-server
R2(config)#ip http authentication local
R2(config-if)#int e0/0
R2(config-if)#ip add 200.1.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int e1/0
R2(config-if)#ip add 192.168.1.3 255.255.255.0

Step 3: Use SDM to log in to R1 and start configuration
Step 4: Enter the HTTP authentication password

Step 5: The screen looks as follows after login

Step 6: Create a loopback address


Step 7: Enter the loopback address

Step 8: Select VPN, then Site-to-Site VPN, then Create Site-to-Site VPN, and start the selected task

Step 9: Use the step-by-step wizard

Step 10: Select the interface the VPN terminates on, then enter the IP address of the VPN peer and the pre-shared key.

Step 11: For the IKE policy, select the default policy
Step 12: For the transform set, select the default transform set

Step 13: Define the traffic of interest, then select

Step 14: Under Add Rule, select Add

Step 15: In the Add Extended Rule entry,

Step 16: After confirming that everything is correct, click Finish

Step 17: show run now shows the configuration that SDM generated:
access-list 100 remark *** icmp
access-list 100 remark SDM_ACL Category=4
access-list 100 remark icmp
access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2 conversion-error log

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 200.1.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to200.1.1.2
set peer 200.1.1.2
set transform-set ESP-3DES-SHA
match address 100
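As an added check that is not part of the original lab, the following Python script parses the crypto section SDM generated in Step 17 and flags what a defender would want to revisit before using this configuration outside a lab: 3DES, DH group 2, the short pre-shared key, and a crypto ACL that protects only ICMP between the two hosts. The thresholds are this script's own assumptions, not anything SDM enforces.

```python
# Constructed sample: the crypto section SDM generated on R1 in Step 17, nested lines indented as 'show run' prints them.
R1_CONFIG = """\
access-list 100 permit icmp host 1.1.1.1 host 2.2.2.2 conversion-error log
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.1.1.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set ESP-3DES-SHA
 match address 100
"""

# Assumption: these thresholds are this script's own policy (DH groups 1/2/5 are 768-, 1024- and 1536-bit MODP).
WEAK_CIPHERS, WEAK_DH_GROUPS, MIN_PSK_LEN = {"des", "3des"}, {"1", "2", "5"}, 16

def parse_sections(text):
    """Map each top-level config line to the indented lines nested under it."""
    sections, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" "):
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def audit(text):
    """Return human-readable findings for the ISAKMP policy, the PSK and the crypto ACL scope."""
    sections, findings, acl_protos = parse_sections(text), [], {}
    for w in map(str.split, sections):          # crypto ACLs may appear after the map in show run
        if w[0] == "access-list" and w[2] == "permit":
            acl_protos.setdefault(w[1], set()).add(w[3])
    for head, body in sections.items():
        w = head.split()
        if head.startswith("crypto isakmp policy "):
            opts = dict(l.split(None, 1) for l in body)
            for what, val, weak in (("cipher", opts.get("encr", "des"), WEAK_CIPHERS),
                                    ("DH group", opts.get("group", "1"), WEAK_DH_GROUPS)):
                if val in weak:                 # IOS defaults (DES, group 1) are used when unset
                    findings.append(f"isakmp policy {w[3]}: weak {what} {val}")
        elif head.startswith("crypto isakmp key ") and len(w[3]) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for peer {w[5]} is only {len(w[3])} chars")
        elif head.startswith("crypto map "):
            for acl in (l.split()[2] for l in body if l.startswith("match address ")):
                protos = acl_protos.get(acl, {"ip"})
                if protos != {"ip"}:            # only the listed protocols are sent through the tunnel
                    findings.append(f"crypto map {w[2]}: ACL {acl} protects only {'/'.join(sorted(protos))}")
    return findings
```

Running `audit(R1_CONFIG)` on the lab configuration reports all four findings; a policy with AES and group 14 and a crypto ACL permitting `ip` between the subnets reports none.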

Step 18: Add a static route on R1

Step 19: Configure R2 in the same way
Step 20: Test the effect
R1#ping 2.2.2.2 sou 1.1.1.1
// The ping succeeds
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

Mar 1 00:10:33.971: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x6577E2C8(1702355656), conn_id= 0, keysize= 0, flags= 0x400A
Mar 1 00:10:33.975: ISAKMP: received ke message (1/1)
Mar 1 00:10:33.975: ISAKMP (0:0): SA request profile is (NULL)
Mar 1 00:10:33.975: ISAKMP: local port 500, remote port 500
Mar 1 00:10:33.979: ISAKMP: set new node 0 to QM_IDLE
Mar 1 00:10:33.979: ISAKMP: insert sa successfully sa = 63A8BC8C
Mar 1 00:10:33.979: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Mar 1 00:10:33.979: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success
Mar 1 00:10:33.979: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2
Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Mar 1 00:10:33.983: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Mar 1 00:10:33.983: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 1 00:10:33.983: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

Mar 1 00:10:33.983: ISAKMP (0:1): beginning Main Mode exchange
Mar 1 00:10:33.983: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 1 00:10:34.183: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 1 00:10:34.187: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:10:34.187: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2

Mar 1 00:10:34.191: ISAKMP (0:1): processing SA payload. message ID = 0
Mar 1 00:10:34.191: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.191: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/47/84 ms
Mar 1 00:10:34.191: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:10:34.191: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success
Mar 1 00:10:34.191: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2
Mar 1 00:10:34.191: ISAKMP (0:1) local preshared key found
Mar 1 00:10:34.195: ISAKMP : Scanning profiles for xauth ...
Mar 1 00:10:34.195: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
Mar 1 00:10:34.195: ISAKMP: encryption 3DES-CBC
Mar 1 00:10:34.195: ISAKMP: hash SHA
Mar 1 00:10:34.195: ISAKMP: default group 2
Mar 1 00:10:34.195: ISAKMP: auth pre-share
Mar 1 00:10:34.195: ISAKMP: life type in seconds
Mar 1 00:10:34.195: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 1 00:10:34.199: ISAKMP (0:1): atts are acceptable. Next payload is 0
Mar 1 00:10:34.263: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.263: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
Mar 1 00:10:34.263: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:10:34.263: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:10:34.263: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2

Mar 1 00:10:34.267: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 1 00:10:34.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:10:34.271: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3

Mar 1 00:10:34.403: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 1 00:10:34.407: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:10:34.407: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4

Mar 1 00:10:34.407: ISAKMP (0:1): processing KE payload. message ID = 0
Mar 1 00:10:34.475: ISAKMP (0:1): processing NONCE payload. message ID = 0
Mar 1 00:10:34.475: ISAKMP: Looking for a matching key for 200.1.1.2 in default : success
Mar 1 00:10:34.475: ISAKMP (0:1): found peer pre-shared key matching 200.1.1.2
Mar 1 00:10:34.483: ISAKMP (0:1): SKEYID state generated
Mar 1 00:10:34.483: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.483: ISAKMP (0:1): vendor ID is Unity
Mar 1 00:10:34.483: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.483: ISAKMP (0:1): vendor ID is DPD
Mar 1 00:10:34.487: ISAKMP (0:1): processing vendor id payload
Mar 1 00:10:34.487: ISAKMP (0:1): speaking to another IOS box!
Mar 1 00:10:34.487: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4

Mar 1 00:10:34.487: ISAKMP (0:1): Send initial contact
Mar 1 00:10:34.487: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 1 00:10:34.487: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 500
length : 12
Mar 1 00:10:34.487: ISAKMP (1): Total payload length: 12
Mar 1 00:10:34.487: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 1 00:10:34.487: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5

Mar 1 00:10:34.575: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 1 00:10:34.579: ISAKMP (0:1): processing ID payload. message ID = 0
Mar 1 00:10:34.579: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 200.1.1.2
protocol : 17
port : 500
length : 12
Mar 1 00:10:34.579: ISAKMP (0:1): processing HASH payload. message ID = 0
Mar 1 00:10:34.583: ISAKMP (0:1): SA authentication status:
authenticated
Mar 1 00:10:34.583: ISAKMP (0:1): SA has been authenticated with 200.1.1.2
Mar 1 00:10:34.583: ISAKMP (0:1): peer matches none of the profiles
Mar 1 00:10:34.583: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:10:34.587: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6

Mar 1 00:10:34.587: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:10:34.587: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6

Mar 1 00:10:34.591: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:10:34.591: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Mar 1 00:10:34.595: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1228454044
Mar 1 00:10:34.599: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Mar 1 00:10:34.599: ISAKMP (0:1): Node -1228454044, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 1 00:10:34.603: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Mar 1 00:10:34.603: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 1 00:10:34.603: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Mar 1 00:10:34.979: ISAKMP (0:1): received packet from 200.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
Mar 1 00:10:34.983: ISAKMP (0:1): processing HASH payload. message ID = -1228454044
Mar 1 00:10:34.987: ISAKMP (0:1): processing SA payload. message ID = -1228454044
Mar 1 00:10:34.987: ISAKMP (0:1): Checking IPSec proposal 1
Mar 1 00:10:34.987: ISAKMP: transform 1, ESP_3DES
Mar 1 00:10:34.987: ISAKMP: attributes in transform:
Mar 1 00:10:34.987: ISAKMP: encaps is 1 (Tunnel)
Mar 1 00:10:34.987: ISAKMP: SA life type in seconds
Mar 1 00:10:34.987: ISAKMP: SA life duration (basic) of 3600
Mar 1 00:10:34.987: ISAKMP: SA life type in kilobytes
Mar 1 00:10:34.991: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 1 00:10:34.991: ISAKMP: authenticator is HMAC-SHA
Mar 1 00:10:34.991: ISAKMP (0:1): atts are acceptable.
Mar 1 00:10:34.991: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Mar 1 00:10:34.995: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf =
Mar 1 00:10:34.999: ISAKMP (0:1): processing NONCE payload. message ID = -1228454044
Mar 1 00:10:34.999: ISAKMP (0:1): processing ID payload. message ID = -1228454044
Mar 1 00:10:34.999: ISAKMP (0:1): processing ID payload. message ID = -1228454044
Mar 1 00:10:35.011: ISAKMP (0:1): Creating IPSec SAs
Mar 1 00:10:35.011: inbound SA from 200.1.1.2 to 200.1.1.1 (f/i) 0/ 0 (proxy 2.2.2.2 to 1.1.1.1)
Mar 1 00:10:35.011: has spi 0x6577E2C8 and conn_id 2000 and flags 2
Mar 1 00:10:35.011: lifetime of 3600 seconds
Mar 1 00:10:35.011: lifetime of 4608000 kilobytes
Mar 1 00:10:35.015: has client flags 0x0
Mar 1 00:10:35.015: outbound SA from 200.1.1.1 to 200.1.1.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2 )
Mar 1 00:10:35.015: has spi 561929564 and conn_id 2001 and flags A
Mar 1 00:10:35.015: lifetime of 3600 seconds
Mar 1 00:10:35.015: lifetime of 4608000 kilobytes
Mar 1 00:10:35.015: has client flags 0x0
Mar 1 00:10:35.019: ISAKMP (0:1): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
Mar 1 00:10:35.019: ISAKMP (0:1): deleting node -1228454044 error FALSE reason ""
Mar 1 00:10:35.019: ISAKMP (0:1): Node -1228454044, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 1 00:10:35.019: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Mar 1 00:10:35.023: IPSEC(key_engine): got a queue event...
Mar 1 00:10:35.023: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x6577E2C8(1702355656), conn_id= 2000, keysize= 0, flags= 0x2
Mar 1 00:10:35.023: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x217E5D5C(561929564), conn_id= 2001, keysize= 0, flags= 0xA
Mar 1 00:10:35.027: IPSEC(kei_proxy): head = SDM_CMAP_1, map->ivrf = , kei->ivrf =
Mar 1 00:10:35.031: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 200.1.1.2
*Mar 1 00:10:35.031: IPSEC(add mtree): src 1.1.1.1, dest 2.2.2.2, dest_port 0

Mar 1 00:10:35.031: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.1, sa_prot= 50,
sa_spi= 0x6577E2C8(1702355656),
sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 2000
Mar 1 00:10:35.035: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.2, sa_prot= 50,
sa_spi= 0x217E5D5C(561929564),
sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 2001
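To make the Step 20 verification mechanical rather than a visual scan of the debug stream, here is an added Python script (not from the lab) that walks `debug crypto isakmp` / `debug crypto ipsec` output like the transcript above, replays the IKE state transitions, confirms that Phase 1 and Phase 2 completed, and pulls out the SPIs of the two IPsec SAs. The sample inputs are constructed from the transcript, and the stall hints are my own troubleshooting heuristics, not IOS messages.

```python
import re

# Constructed sample: a trimmed copy of the debug lines R1 printed during the Step 20 ping
# (the prompt fragments that interrupted the original output have been removed).
DEBUG_OK = """\
Mar 1 00:10:33.983: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Mar 1 00:10:34.487: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 1 00:10:34.591: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 1 00:10:35.019: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Mar 1 00:10:35.031: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.1, sa_prot= 50,
sa_spi= 0x6577E2C8(1702355656),
Mar 1 00:10:35.035: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.2, sa_prot= 50,
sa_spi= 0x217E5D5C(561929564),
"""
# Constructed sample of a negotiation that never gets a usable answer from the peer.
DEBUG_STALLED = """\
Mar 1 00:20:01.000: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
Mar 1 00:20:11.000: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SA_DEST_RE = re.compile(r"sa_dest\s*=\s*(\S+),")
SPI_RE = re.compile(r"sa_spi\s*=\s*(0x[0-9A-Fa-f]+)")

# Assumption: these hints are the author's troubleshooting heuristics, not IOS output.
STALL_HINTS = {
    "IKE_I_MM1": "no usable reply to MM1: peer unreachable, UDP/500 filtered, or no matching ISAKMP policy on the peer",
    "IKE_I_MM5": "no reply to MM5: a pre-shared key mismatch is the usual cause",
    "IKE_QM_I_QM1": "Quick Mode failed: transform-set, crypto ACL (proxy identity) or PFS mismatch",
}

def summarize(debug_text):
    """Replay the state transitions and SA creations found in IOS crypto debug output."""
    states, spi_by_dest, dest = [], {}, None
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            states.append(m.group(2))
        elif m := SA_DEST_RE.search(line):
            dest = m.group(1)                   # the next sa_spi line belongs to this SA
        elif (m := SPI_RE.search(line)) and dest:
            spi_by_dest[dest] = m.group(1)      # keyed by sa_dest: R1's own address = inbound SA
    phase1 = "IKE_P1_COMPLETE" in states
    phase2 = "IKE_QM_PHASE2_COMPLETE" in states
    last = states[-1] if states else None
    hint = None if phase2 else STALL_HINTS.get(last, f"stalled in {last}")
    return {"phase1": phase1, "phase2": phase2, "last_state": last,
            "spi_by_dest": spi_by_dest, "hint": hint}
```

For the transcript above, `summarize(DEBUG_OK)` reports both phases complete with inbound SPI 0x6577E2C8 (sa_dest 200.1.1.1) and outbound SPI 0x217E5D5C (sa_dest 200.1.1.2), matching the `inbound SA`/`outbound SA` lines R1 logged.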


Source: blog.51cto.com/starshomes/2591586