Router-to-PIX VPN Configuration
Description:
See figure.
From the diagram, the lab builds a private tunnel between two LANs (10.1.1.0/24 behind the PIX, 10.2.2.0/24 behind router RA) across a public transport network, with router RI playing the ISP. So that the PCs in each LAN can still reach the internet, both edge devices use NAT overload on the way out, with one exception: traffic that belongs inside the tunnel must not be translated. The reason matters: on IOS, inside-to-outside NAT runs before the crypto map is evaluated, so a tunnel packet that has already been rewritten to the router's outside address no longer matches the crypto ACL and would be forwarded to the peer in the clear. The route-map on RA and the "nat (inside) 0" exemption on the PIX exist to prevent exactly that. The lab does not go into the rest of the PIX configuration in depth.
The crypto parameters are the platform defaults of the time: DES, MD5, Diffie-Hellman group 1 and the pre-shared key "cisco". They are adequate for a lab, but all three algorithms are considered broken or deprecated today; on current code use AES, SHA-2 and DH group 14 or higher, and a long random pre-shared key (or certificates).
Cấu hình:
RA:
Building configuration...
Current configuration : 1205 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RA
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 172.17.63.213
!
!
crypto ipsec transform-set vnpro esp-des
!
crypto map lee 10 ipsec-isakmp
set peer 172.17.63.213
set transform-set vnpro
match address 115
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 10.2.2.1 255.255.255.0
ip nat inside
half-duplex
!
interface Serial0/0
ip address 172.17.63.230 255.255.255.240
ip nat outside
no fair-queue
crypto map lee
!
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.63.225
ip http server
!
!
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip any any
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
route-map nonat permit 10
match ip address 110
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
PIX:
PIX Version 6.3(1)
interface ethernet0 auto            <-- bring the interfaces up (auto speed/duplex)
interface ethernet1 auto
nameif ethernet0 outside security0  <-- name the interfaces; by default e0 is outside (security level 0)
nameif ethernet1 inside security100 <-- and e1 is inside (security level 100)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 <-- crypto ACL: selects the traffic to be encrypted (subnet mask, not wildcard)
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 <-- the same pair, used to exempt tunnel traffic from NAT
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.17.63.213 255.255.255.240 <-- interface IP addresses
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.17.63.210 <-- the single global address used for PAT
nat (inside) 0 access-list nonat <-- traffic matching "nonat" (the tunnel) is not translated
nat (inside) 1 10.1.1.0 255.255.255.0 0 0 <-- everything else from the inside LAN is translated to the global above
conduit permit icmp any any <-- lets ICMP in from the outside so pings get their replies; it opens all ICMP from any source, acceptable only in a lab
route outside 0.0.0.0 0.0.0.0 172.17.63.209 1 <-- default route toward the internet (RI)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec <-- packets arriving through the IPsec tunnel bypass the conduit/ACL checks on the outside interface
crypto ipsec transform-set vnpro esp-des <-- VPN settings mirroring the router side (same transform set, map name, peers cross-referenced)
crypto map lee 10 ipsec-isakmp
crypto map lee 10 match address ipsec
crypto map lee 10 set peer 172.17.63.230
crypto map lee 10 set transform-set vnpro
crypto map lee interface outside
isakmp enable outside
isakmp key ******** address 172.17.63.230 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e52c775e9c04687097ae170f546a111b
: end
RI (gateway):
Building configuration...
Current configuration : 841 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RI
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 172.17.63.209 255.255.255.240
duplex auto
speed auto
!
interface Serial0/0
ip address 172.17.63.225 255.255.255.240
no fair-queue
clockrate 64000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip classless
ip route 10.1.1.0 255.255.255.0 172.17.63.213
ip route 10.2.2.0 255.255.255.0 172.17.63.230
ip http server
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
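Before walking through the CLI step by step, here is an added cross-check of the two crypto configurations above (example code written for this page, not part of the lab or of any Cisco tool). It takes the crypto-relevant lines of RA and of the PIX as constructed inline strings, normalizes IOS wildcard masks and PIX subnet masks to prefixes, and verifies the four things that most often break a router-to-PIX tunnel: the phase 2 proxy identities are exact mirrors of each other, each side's NAT exemption covers its crypto ACL, the ISAKMP policies agree once the platform defaults (as reported by "show crypto isakmp policy" below) are filled in, and, as a warning, which of the agreed algorithms are considered weak today.

```python
import ipaddress
import re

# Crypto-relevant lines of the RA (IOS 12.2) and PIX (6.3) configs above, reproduced
# inline (constructed excerpt) so the check runs offline.
RA_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set vnpro esp-des
crypto map lee 10 ipsec-isakmp
 set peer 172.17.63.213
 set transform-set vnpro
 match address 115
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip any any
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
PIX_CONFIG = """\
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set vnpro esp-des
crypto map lee 10 match address ipsec
crypto map lee 10 set peer 172.17.63.230
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
# Defaults that "show crypto isakmp policy" reports on both platforms (Verification section).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# Settings a reviewer should flag today: 56-bit DES, MD5, and 768/1024-bit DH groups.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$", re.M)

def _net(field):
    """'any' -> 0.0.0.0/0. ipaddress accepts both a PIX subnet mask (255.255.255.0)
    and an IOS wildcard mask (0.0.0.255), so one parser serves both boxes."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = field.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(config, name):
    """[(action, src_net, dst_net)] for the named ACL, in config order."""
    return [(act, _net(s), _net(d)) for n, act, s, d in ACL_RE.findall(config) if n == name]

def proxy_ids_mirror(ios_acl, pix_acl):
    """Phase 2 proxy IDs must be exact mirrors: IOS (src, dst) == PIX (dst, src)."""
    ios = {(s, d) for act, s, d in ios_acl if act == "permit"}
    pix = {(d, s) for act, s, d in pix_acl if act == "permit"}
    return ios == pix

def nat_exempt_covers(exempt_pairs, crypto_acl):
    """Every crypto 'permit' pair must sit inside some NAT-exempt pair; otherwise the
    packet is translated before the crypto map sees it and leaves in the clear."""
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt_pairs)
               for act, s, d in crypto_acl if act == "permit")

def ios_isakmp_policy(config, prio):
    """IOS only prints non-default attributes under 'crypto isakmp policy'."""
    pol = dict(ISAKMP_DEFAULTS)
    block = re.search(rf"^crypto isakmp policy {prio}\n((?: .*\n)*)", config, re.M)
    for line in (block.group(1).splitlines() if block else []):
        parts = line.split()
        if len(parts) == 2:
            pol[{"encr": "encryption"}.get(parts[0], parts[0])] = parts[1]
    return pol

def pix_isakmp_policy(config, prio):
    pol = dict(ISAKMP_DEFAULTS)
    for attr, val in re.findall(rf"^isakmp policy {prio} (\S+) (\S+)$", config, re.M):
        pol[attr] = val
    return pol

def weak_settings(policy):
    return sorted(f"{k}={policy[k]}" for k, bad in WEAK.items() if policy.get(k) in bad)

def check_pair(ra=RA_CONFIG, pix=PIX_CONFIG):
    ra_crypto, pix_crypto = parse_acl(ra, "115"), parse_acl(pix, "ipsec")
    # IOS: the route-map ACL's *deny* entries are the exempt pairs; PIX: the 'nat 0' ACL's permits.
    ra_exempt = [(s, d) for act, s, d in parse_acl(ra, "110") if act == "deny"]
    pix_exempt = [(s, d) for act, s, d in parse_acl(pix, "nonat") if act == "permit"]
    ra_pol, pix_pol = ios_isakmp_policy(ra, 10), pix_isakmp_policy(pix, 10)
    return {
        "proxy_ids_mirror": proxy_ids_mirror(ra_crypto, pix_crypto),
        "ra_nat_exempt_ok": nat_exempt_covers(ra_exempt, ra_crypto),
        "pix_nat_exempt_ok": nat_exempt_covers(pix_exempt, pix_crypto),
        "isakmp_policy_match": ra_pol == pix_pol,
        "weak_settings": weak_settings(ra_pol),
    }

if __name__ == "__main__":
    for key, value in check_pair().items():
        print(f"{key}: {value}")
```

For the lab configs every check passes, and the weak-settings list comes back with all three of DES, MD5 and group 1, which is the honest summary of this tunnel's strength. Swapping a single attribute on one side (for instance "hash sha" on the PIX only) makes the ISAKMP comparison fail, which is the phase 1 mismatch you would otherwise only discover in the debug output.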
Steps:
First, bring the PIX into service. The PIX in this lab has two Ethernet ports, one toward the internal network and one toward the public network, so both must be named, addressed and enabled:
pixfirewall# conf t
pixfirewall(config)# ho PIX
PIX(config)# nameif ethernet0 outside security0
PIX(config)# nameif ethernet1 inside security100
PIX(config)# ip address outside 172.17.63.213 255.255.255.240
PIX(config)# ip address inside 10.1.1.1 255.255.255.0
PIX(config)# interface e0 auto
PIX(config)# interface e1 auto
PIX(config)# conduit permit icmp any any
PIX(config)# route outside 0.0.0.0 0.0.0.0 172.17.63.209
With the PIX interfaces up, configure NAT and then the VPN:
PIX(config)# access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
PIX(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
PIX(config)# global (outside) 1 172.17.63.210
Global 172.17.63.210 will be Port Address Translated
PIX(config)# nat (inside) 0 access-list nonat
PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0 0 0
PIX(config)# sysopt connection permit-ipsec
PIX(config)# crypto ipsec transform-set vnpro esp-des
PIX(config)# crypto map lee 10 ipsec-isakmp
PIX(config)# crypto map lee 10 match address ipsec
PIX(config)# crypto map lee 10 set peer 172.17.63.230
PIX(config)# crypto map lee 10 set transform-set vnpro
PIX(config)# crypto map lee interface outside
PIX(config)# isakmp enable outside
PIX(config)# isakmp key cisco address 172.17.63.230 netmask 255.255.255.255
PIX(config)# isakmp identity address
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 hash md5
Note: ACLs on the PIX take a subnet mask (255.255.255.0), not the wildcard mask (0.0.0.255) that IOS uses, and the PIX has no sub-modes: every command, including the crypto map and ISAKMP policy lines, is entered in global configuration mode. The policy attributes not typed here (encryption des, group 1, lifetime 86400) are taken as defaults and must agree with what the router ends up using.
On router RA, configure the VPN, and then NAT with its exemption, in the same way:
RA(config)#crypto isakmp policy 10
RA(config-isakmp)#hash md5
RA(config-isakmp)#authentication pre-share
RA(config-isakmp)#exit
RA(config)#crypto isakmp key cisco address 172.17.63.213
RA(config)#crypto ipsec transform-set vnpro esp-des
RA(cfg-crypto-trans)#exit
RA(config)#crypto map lee 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
RA(config-crypto-map)#set peer 172.17.63.213
RA(config-crypto-map)#set transform-set vnpro
RA(config-crypto-map)#match address 115
RA(config-crypto-map)#exit
RA(config)#int s0/0
RA(config-if)#ip nat outside
RA(config-if)#crypto map lee
RA(config-if)#exit
RA(config)#int e0/0
RA(config-if)#ip nat inside
RA(config-if)#exit
RA(config)#ip nat inside source route-map nonat interface s0/0 overload
RA(config)#access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
RA(config)#access-list 110 permit ip any any
RA(config)#access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
RA(config)#route-map nonat permit 10
RA(config-route-map)#match ip address 110
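To see why the deny entry in ACL 110 matters, the following added Python model (example code for this page, not lab material) walks a packet through RA's inside-to-outside order of operations, in which NAT runs before the crypto map check. With the lab's route-map, tunnel traffic keeps its 10.2.2.x source and matches ACL 115; with a route-map that translates everything (the hypothetical NAT_ALL list below, standing in for a forgotten deny line), the same packet is rewritten to 172.17.63.230, misses ACL 115 and leaves in the clear.

```python
import ipaddress

# Constructed from RA's config above: ACL 115 selects tunnel traffic, ACL 110 drives the
# NAT route-map (deny = do not translate). Entries are (action, src_net, dst_net).
CRYPTO_ACL_115 = [("permit", "10.2.2.0/24", "10.1.1.0/24")]
NAT_ACL_110 = [("deny", "10.2.2.0/24", "10.1.1.0/24"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]
NAT_ALL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]   # hypothetical: the deny line forgotten
OUTSIDE_ADDR = "172.17.63.230"                       # Serial0/0, the overload address
PEER = "172.17.63.213"                               # PIX outside address

def acl_action(acl, src, dst):
    """Action of the first matching entry; every ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in acl:
        if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn):
            return action
    return "deny"

def forward(src, dst, nat_acl=NAT_ACL_110, crypto_acl=CRYPTO_ACL_115):
    """Model of IOS inside->outside processing on RA: NAT first, crypto map check second.
    Returns the source as it appears on the serial link and whether ESP was applied."""
    trace = []
    if acl_action(nat_acl, src, dst) == "permit":      # route-map nonat permit 10 matched
        trace.append(f"NAT {src} -> {OUTSIDE_ADDR}")
        src = OUTSIDE_ADDR
    if acl_action(crypto_acl, src, dst) == "permit":   # crypto map lee, match address 115
        trace.append(f"ESP {OUTSIDE_ADDR} -> {PEER}")
        return {"src_on_wire": src, "encrypted": True, "trace": trace}
    trace.append("forwarded in clear")
    return {"src_on_wire": src, "encrypted": False, "trace": trace}

if __name__ == "__main__":
    for label, nat_acl in (("lab route-map", NAT_ACL_110), ("NAT everything", NAT_ALL)):
        for dst in ("10.1.1.5", "172.17.63.225"):
            r = forward("10.2.2.2", dst, nat_acl=nat_acl)
            print(f"{label:15} 10.2.2.2 -> {dst}: {' ; '.join(r['trace'])}")
```

The third case is the dangerous one: nothing fails loudly, the ping to 10.1.1.5 simply arrives at the PIX as ordinary translated traffic and the tunnel never comes up. The NAT debug lines in the Verification section are the way to spot this in practice: a "NAT: s=10.2.2.x->172.17.63.230" line with a 10.1.1.x destination means the exemption is missing.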
Verification:
Run the show commands on both sides, then turn on debugging:
RA#sh crypto map
Crypto Map "lee" 10 ipsec-isakmp
Peer = 172.17.63.213
Extended IP access list 115
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Current peer: 172.17.63.213
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ vnpro, }
Interfaces using crypto map lee:
Serial0/0
RA#sh crypto isakmp policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
RA#sh crypto ipsec transform-set
Transform set vnpro: { esp-des }
will negotiate = { Tunnel, },
PIX# sh crypto map
Crypto Map: "lee" interfaces: { outside }
Crypto Map "lee" 10 ipsec-isakmp
Peer = 172.17.63.230
access-list ipsec; 1 elements
access-list ipsec line 1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 (hitcnt=0)
Current peer: 172.17.63.230
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ vnpro, }
PIX# sh isakmp policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
RA#debug ip nat
IP NAT debugging is on
RA#debug crypto ipsec
Crypto IPSEC debugging is on
RA#debug crypto isakmp
Crypto ISAKMP debugging is on
With debugging on, ping addresses on the outside (RI's serial 172.17.63.225 and the PIX outside 172.17.63.213) and then a host in the remote LAN. The first two bursts are translated ("NAT: s=10.2.2.2->172.17.63.230"), as they should be, because those destinations are not in ACL 115. The ping into 10.1.1.0/24 produces no NAT line at all; instead it triggers IPSEC(sa_request), the IKE main-mode exchange (IKE_I_MM1 through IKE_P1_COMPLETE, with "SA has been authenticated" marking the pre-shared-key check) and quick mode (IKE_QM_PHASE2_COMPLETE), after which one inbound and one outbound ESP SA are created. Note the lifetime: RA proposes its default of 3600 s while the PIX's "show crypto map" above reported 28800 s; the negotiated value is the smaller one, 3600 s.
RA#
*Mar 1 00:37:43.910: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1888]
*Mar 1 00:37:43.930: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1888]
*Mar 1 00:37:44.916: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1891]
*Mar 1 00:37:44.932: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1891]
*Mar 1 00:37:45.913: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1894]
*Mar 1 00:37:45.933: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1894]
*Mar 1 00:37:46.915: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1898]
*Mar 1 00:37:46.935: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1898]
*Mar 1 00:37:55.597: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1917]
*Mar 1 00:37:55.617: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9077]
*Mar 1 00:37:56.603: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1918]
*Mar 1 00:37:56.619: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9078]
*Mar 1 00:37:57.600: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1920]
*Mar 1 00:37:57.620: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9079]
*Mar 1 00:37:58.602: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1922]
*Mar 1 00:37:58.622: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9080]
*Mar 1 00:38:12.789: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x3E3F5095(1044336789), conn_id= 0, keysize= 0, flags= 0x400C
*Mar 1 00:38:12.789: ISAKMP: received ke message (1/1)
*Mar 1 00:38:12.789: ISAKMP: local port 500, remote port 500
*Mar 1 00:38:12.793: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:38:12.793: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:38:12.793: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 00:38:12.797: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_NO_STATE
*Mar 1 00:38:12.873: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_NO_STATE
*Mar 1 00:38:12.877: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:38:12.877: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:38:12.877: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 00:38:12.877: ISAKMP (0:1): found peer pre-shared key matching 172.17.63.213
*Mar 1 00:38:12.877: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:38:12.882: ISAKMP: encryption DES-CBC
*Mar 1 00:38:12.882: ISAKMP: hash MD5
*Mar 1 00:38:12.882: ISAKMP: default group 1
*Mar 1 00:38:12.882: ISAKMP: auth pre-share
*Mar 1 00:38:12.882: ISAKMP: life type in seconds
*Mar 1 00:38:12.882: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:38:12.882: ISAKMP (0:1): atts are acceptable. Next payload is 0
*Mar 1 00:38:13.050: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:38:13.050: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:38:13.054: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_SA_SETUP
*Mar 1 00:38:13.058: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:38:13.058: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:38:13.170: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_SA_SETUP
*Mar 1 00:38:13.170: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:38:13.174: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:38:13.174: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 00:38:13.382: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 1 00:38:13.382: ISAKMP (0:1): found peer pre-shared key matching 172.17.63.213
*Mar 1 00:38:13.386: ISAKMP (0:1): SKEYID state generated
*Mar 1 00:38:13.386: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID is XAUTH
*Mar 1 00:38:13.386: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID is DPD
*Mar 1 00:38:13.390: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.390: ISAKMP (0:1): vendor ID is Unity
*Mar 1 00:38:13.390: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.390: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:38:13.390: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:38:13.394: ISAKMP (0:1): Send initial contact
*Mar 1 00:38:13.394: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 00:38:13.394: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
*Mar 1 00:38:13.394: ISAKMP (1): Total payload length: 12
*Mar 1 00:38:13.398: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_KEY_EXCH
*Mar 1 00:38:13.398: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:38:13.402: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:38:13.430: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_KEY_EXCH
*Mar 1 00:38:13.434: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:38:13.434: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:38:13.434: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 00:38:13.438: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 00:38:13.438: ISAKMP (0:1): SA has been authenticated with 172.17.63.213
*Mar 1 00:38:13.438: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:38:13.438: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 00:38:13.442: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:38:13.442: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:38:13.442: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1004490084
*Mar 1 00:38:13.446: ISAKMP (0:1): sending packet to 172.17.63.213 (I) QM_IDLE
*Mar 1 00:38:13.450: ISAKMP (0:1): Node 1004490084, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 00:38:13.450: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:38:13.450: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 00:38:13.450: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:38:13.503: ISAKMP (0:1): received packet from 172.17.63.213 (I) QM_IDLE
*Mar 1 00:38:13.507: ISAKMP (0:1): processing HASH payload. message ID = 1004490084
*Mar 1 00:38:13.507: ISAKMP (0:1): processing SA payload. message ID = 1004490084
*Mar 1 00:38:13.507: ISAKMP (0:1): Checking IPSec proposal 1
*Mar 1 00:38:13.507: ISAKMP: transform 1, ESP_DES
*Mar 1 00:38:13.511: ISAKMP: attributes in transform:
*Mar 1 00:38:13.511: ISAKMP: encaps is 1
*Mar 1 00:38:13.511: ISAKMP: SA life type in seconds
*Mar 1 00:38:13.511: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:38:13.511: ISAKMP: SA life type in kilobytes
*Mar 1 00:38:13.511: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:38:13.511: ISAKMP (0:1): atts are acceptable.
*Mar 1 00:38:13.515: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
*Mar 1 00:38:13.515: ISAKMP (0:1): processing NONCE payload. message ID = 1004490084
*Mar 1 00:38:13.519: ISAKMP (0:1): processing ID payload. message ID = 1004490084
*Mar 1 00:38:13.519: ISAKMP (0:1): processing ID payload. message ID = 1004490084
*Mar 1 00:38:13.523: ISAKMP (0:1): Creating IPSec SAs
*Mar 1 00:38:13.523: inbound SA from 172.17.63.213 to 172.17.63.230
(proxy 10.1.1.0 to 10.2.2.0)
*Mar 1 00:38:13.527: has spi 0x3E3F5095 and conn_id 2000 and flags 4
*Mar 1 00:38:13.527: lifetime of 3600 seconds
*Mar 1 00:38:13.527: lifetime of 4608000 kilobytes
*Mar 1 00:38:13.527: outbound SA from 172.17.63.230 to 172.17.63.213 (proxy 10.2.2.0 to 10.1.1.0 )
*Mar 1 00:38:13.527: has spi 1840502135 and conn_id 2001 and flags C
*Mar 1 00:38:13.527: lifetime of 3600 seconds
*Mar 1 00:38:13.527: lifetime of 4608000 kilobytes
*Mar 1 00:38:13.531: ISAKMP (0:1): sending packet to 172.17.63.213 (I) QM_IDLE
*Mar 1 00:38:13.531: ISAKMP (0:1): deleting node 1004490084 error FALSE reason ""
*Mar 1 00:38:13.531: ISAKMP (0:1): Node 1004490084, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:38:13.531: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:38:13.531: IPSEC(key_engine): got a queue event...
*Mar 1 00:38:13.535: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x3E3F5095(1044336789), conn_id= 2000, keysize= 0, flags= 0x4
*Mar 1 00:38:13.535: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x6DB3D577(1840502135), conn_id= 2001, keysize= 0, flags= 0xC
*Mar 1 00:38:13.539: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.63.230, sa_prot= 50,
sa_spi= 0x3E3F5095(1044336789),
sa_trans= esp-des , sa_conn_id= 2000
*Mar 1 00:38:13.539: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.63.213, sa_prot= 50,
sa_spi= 0x6DB3D577(1840502135),
sa_trans= esp-des , sa_conn_id= 2001
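Reading a few hundred lines of debug by eye is error-prone, so here is an added Python parser (example code for this page, not part of the lab) over a constructed excerpt of the output above. It extracts the outbound NAT translations, the ISAKMP state path and the negotiated IPsec SAs, then checks what a reviewer wants to know: both phases completed, no destination in 10.1.1.0/24 was translated (which would mean a cleartext leak), both SPIs were installed with esp-des, and the lifetime settled on the smaller of the two peers' settings (3600 s on RA, 28800 s on the PIX, passed in as parameters).

```python
import ipaddress
import re

# Constructed excerpt of the RA debug output above ("debug ip nat", "debug crypto isakmp",
# "debug crypto ipsec"): two NAT events, the IKE state transitions and both IPsec SA blocks.
DEBUG = """\
*Mar 1 00:37:43.910: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1888]
*Mar 1 00:37:43.930: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1888]
*Mar 1 00:37:55.597: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1917]
*Mar 1 00:38:12.793: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:38:12.877: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:38:13.058: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:38:13.174: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:38:13.402: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:38:13.434: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:38:13.438: ISAKMP (0:1): SA has been authenticated with 172.17.63.213
*Mar 1 00:38:13.442: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:38:13.450: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:38:13.531: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:38:13.535: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x3E3F5095(1044336789), conn_id= 2000, keysize= 0, flags= 0x4
*Mar 1 00:38:13.535: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x6DB3D577(1840502135), conn_id= 2001, keysize= 0, flags= 0xC
"""
REMOTE_LAN = ipaddress.ip_network("10.1.1.0/24")   # destinations that must ride the tunnel

NAT_RE = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[")
STATE_RE = re.compile(r"ISAKMP \(\d+:\d+\): Old State = (\S+) New State = (\S+)")
SA_RE = re.compile(
    r"IPSEC\(initialize_sas\): ,\n"
    r"\s*\(key eng\. msg\.\) (INBOUND|OUTBOUND) local= (\S+), remote= (\S+),\n"
    r"\s*local_proxy= (\S+) \(type=4\),\n"
    r"\s*remote_proxy= (\S+) \(type=4\),\n"
    r"\s*protocol= (\S+), transform= (\S+) ,\n"
    r"\s*lifedur= (\d+)s and (\d+)kb,\n"
    r"\s*spi= (0x[0-9A-Fa-f]+)\(\d+\), conn_id= (\d+)")

def _proxy(field):
    """'10.2.2.0/255.255.255.0/0/0' -> IPv4Network('10.2.2.0/24')."""
    addr, mask = field.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}")

def outbound_translations(log):
    """(inside_src, translated_src, dst) for each inside->outside NAT event; the reply
    lines ('d=...->...') do not match because their s= field has no '->'."""
    return NAT_RE.findall(log)

def nat_leaks(log, protected=REMOTE_LAN):
    """Translations toward the protected LAN: each one is a packet that bypassed the tunnel."""
    return [t for t in outbound_translations(log) if ipaddress.ip_address(t[2]) in protected]

def ike_path(log):
    return [new for _old, new in STATE_RE.findall(log)]

def ipsec_sas(log):
    return [{"dir": d, "local": loc, "remote": rem, "local_proxy": _proxy(lp),
             "remote_proxy": _proxy(rp), "proto": proto, "transform": tr,
             "life_s": int(secs), "life_kb": int(kb), "spi": spi, "conn_id": int(cid)}
            for d, loc, rem, lp, rp, proto, tr, secs, kb, spi, cid in SA_RE.findall(log)]

def summarize(log, ios_life_s=3600, pix_life_s=28800):
    """ios_life_s / pix_life_s are the lifetimes each box reported in 'show crypto map'."""
    path, sas = ike_path(log), ipsec_sas(log)
    expected_life = min(ios_life_s, pix_life_s)   # IKE settles on the smaller proposal
    return {
        "phase1_complete": "IKE_P1_COMPLETE" in path,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in path,
        "nat_leaks": nat_leaks(log),
        "sa_spis": [sa["spi"] for sa in sas],
        "transforms": sorted({sa["transform"] for sa in sas}),
        "lifetime_is_min_of_peers": bool(sas) and all(sa["life_s"] == expected_life for sa in sas),
    }

if __name__ == "__main__":
    for key, value in summarize(DEBUG).items():
        print(f"{key}: {value}")
```

Run against a real capture, the interesting failure signatures are an IKE path that stalls before IKE_P1_COMPLETE (wrong pre-shared key or policy mismatch), a path that reaches phase 1 but never IKE_QM_PHASE2_COMPLETE (proxy ID or transform mismatch), and a non-empty nat_leaks list (the NAT exemption is missing on this side).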
*Mar 1 00:38:13.382: ISAKMP (0:1): found peer pre-shared key matching 172.17.63.213
*Mar 1 00:38:13.386: ISAKMP (0:1): SKEYID state generated
*Mar 1 00:38:13.386: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID is XAUTH
*Mar 1 00:38:13.386: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID is DPD
*Mar 1 00:38:13.390: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.390: ISAKMP (0:1): vendor ID is Unity
*Mar 1 00:38:13.390: ISAKMP (0:1): processing vendor id payload
*Mar 1 00:38:13.390: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:38:13.390: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:38:13.394: ISAKMP (0:1): Send initial contact
*Mar 1 00:38:13.394: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 00:38:13.394: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
*Mar 1 00:38:13.394: ISAKMP (1): Total payload length: 12
*Mar 1 00:38:13.398: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_KEY_EXCH
*Mar 1 00:38:13.398: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:38:13.402: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:38:13.430: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_KEY_EXCH
*Mar 1 00:38:13.434: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:38:13.434: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:38:13.434: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 00:38:13.438: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 00:38:13.438: ISAKMP (0:1): SA has been authenticated with 172.17.63.213
*Mar 1 00:38:13.438: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:38:13.438: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 00:38:13.442: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:38:13.442: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:38:13.442: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1004490084
*Mar 1 00:38:13.446: ISAKMP (0:1): sending packet to 172.17.63.213 (I) QM_IDLE
*Mar 1 00:38:13.450: ISAKMP (0:1): Node 1004490084, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 00:38:13.450: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:38:13.450: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 00:38:13.450: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:38:13.503: ISAKMP (0:1): received packet from 172.17.63.213 (I) QM_IDLE
*Mar 1 00:38:13.507: ISAKMP (0:1): processing HASH payload. message ID = 1004490084
*Mar 1 00:38:13.507: ISAKMP (0:1): processing SA payload. message ID = 1004490084
*Mar 1 00:38:13.507: ISAKMP (0:1): Checking IPSec proposal 1
*Mar 1 00:38:13.507: ISAKMP: transform 1, ESP_DES
*Mar 1 00:38:13.511: ISAKMP: attributes in transform:
*Mar 1 00:38:13.511: ISAKMP: encaps is 1
*Mar 1 00:38:13.511: ISAKMP: SA life type in seconds
*Mar 1 00:38:13.511: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:38:13.511: ISAKMP: SA life type in kilobytes
*Mar 1 00:38:13.511: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:38:13.511: ISAKMP (0:1): atts are acceptable.
*Mar 1 00:38:13.515: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
*Mar 1 00:38:13.515: ISAKMP (0:1): processing NONCE payload. message ID = 1004490084
*Mar 1 00:38:13.519: ISAKMP (0:1): processing ID payload. message ID = 1004490084
*Mar 1 00:38:13.519: ISAKMP (0:1): processing ID payload. message ID = 1004490084
*Mar 1 00:38:13.523: ISAKMP (0:1): Creating IPSec SAs
*Mar 1 00:38:13.523: inbound SA from 172.17.63.213 to 172.17.63.230
(proxy 10.1.1.0 to 10.2.2.0)
*Mar 1 00:38:13.527: has spi 0x3E3F5095 and conn_id 2000 and flags 4
*Mar 1 00:38:13.527: lifetime of 3600 seconds
*Mar 1 00:38:13.527: lifetime of 4608000 kilobytes
*Mar 1 00:38:13.527: outbound SA from 172.17.63.230 to 172.17.63.213 (proxy 10.2.2.0 to 10.1.1.0 )
*Mar 1 00:38:13.527: has spi 1840502135 and conn_id 2001 and flags C
*Mar 1 00:38:13.527: lifetime of 3600 seconds
*Mar 1 00:38:13.527: lifetime of 4608000 kilobytes
*Mar 1 00:38:13.531: ISAKMP (0:1): sending packet to 172.17.63.213 (I) QM_IDLE
*Mar 1 00:38:13.531: ISAKMP (0:1): deleting node 1004490084 error FALSE reason ""
*Mar 1 00:38:13.531: ISAKMP (0:1): Node 1004490084, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:38:13.531: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:38:13.531: IPSEC(key_engine): got a queue event...
*Mar 1 00:38:13.535: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x3E3F5095(1044336789), conn_id= 2000, keysize= 0, flags= 0x4
*Mar 1 00:38:13.535: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x6DB3D577(1840502135), conn_id= 2001, keysize= 0, flags= 0xC
*Mar 1 00:38:13.539: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.63.230, sa_prot= 50,
sa_spi= 0x3E3F5095(1044336789),
sa_trans= esp-des , sa_conn_id= 2000
*Mar 1 00:38:13.539: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.17.63.213, sa_prot= 50,
sa_spi= 0x6DB3D577(1840502135),
sa_trans= esp-des , sa_conn_id= 2001
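As an added example (not part of the original lab and not Cisco code), the following Python parses the debug output above into a structured report: the IKE state transitions (dropping the no-op "MM2 to MM2" style lines IOS also logs), the Phase 1 attributes that matched policy 10, including the variable-length lifetime attribute that IOS prints as bytes, the Phase 2 proposal, and the two IPsec SAs with their SPIs, conn_ids, proxy identities and lifetimes. A policy check then states what this negotiation tells a reviewer: DES, MD5 and DH group 1 in Phase 1, and an esp-des transform with no HMAC in Phase 2, so the tunnel has a 56-bit cipher for confidentiality and no integrity protection at all. The sample input is a subset of the page's own debug lines; the function names, the deprecated-algorithm lists and the "authenticator is" line format (the line that would appear if an esp-*-hmac transform had been negotiated) are assumptions of this example.

```python
import re

# Sample input: a subset of the RA debug lines shown above, in their original order.
SAMPLE_DEBUG = """\
*Mar 1 00:38:12.793: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:38:12.877: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:38:12.882: ISAKMP: encryption DES-CBC
*Mar 1 00:38:12.882: ISAKMP: hash MD5
*Mar 1 00:38:12.882: ISAKMP: default group 1
*Mar 1 00:38:12.882: ISAKMP: auth pre-share
*Mar 1 00:38:12.882: ISAKMP: life type in seconds
*Mar 1 00:38:12.882: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:38:13.050: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:38:13.058: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:38:13.174: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:38:13.402: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:38:13.434: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 00:38:13.438: ISAKMP (0:1): SA has been authenticated with 172.17.63.213
*Mar 1 00:38:13.442: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 00:38:13.450: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 00:38:13.507: ISAKMP: transform 1, ESP_DES
*Mar 1 00:38:13.511: ISAKMP: SA life type in seconds
*Mar 1 00:38:13.511: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:38:13.511: ISAKMP: SA life type in kilobytes
*Mar 1 00:38:13.511: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:38:13.523: inbound SA from 172.17.63.213 to 172.17.63.230
(proxy 10.1.1.0 to 10.2.2.0)
*Mar 1 00:38:13.527: has spi 0x3E3F5095 and conn_id 2000 and flags 4
*Mar 1 00:38:13.527: lifetime of 3600 seconds
*Mar 1 00:38:13.527: lifetime of 4608000 kilobytes
*Mar 1 00:38:13.527: outbound SA from 172.17.63.230 to 172.17.63.213 (proxy 10.2.2.0 to 10.1.1.0 )
*Mar 1 00:38:13.527: has spi 1840502135 and conn_id 2001 and flags C
*Mar 1 00:38:13.531: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth) (\S+)")
LIFETYPE_RE = re.compile(r"ISAKMP: (SA )?life type in (seconds|kilobytes)")
LIFEDUR_RE = re.compile(r"life duration \((VPI|basic)\) of (.+?)\s*$")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
TRANSFORM_RE = re.compile(r"ISAKMP: transform \d+, (\S+)")
AUTHENTICATOR_RE = re.compile(r"ISAKMP: authenticator is (\S+)")  # assumed wording; absent in this lab
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\s*\)")
SPI_RE = re.compile(r"has spi (\S+) and conn_id (\d+) and flags (\S+)")
LIFE_RE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")


def vpi_to_int(text):
    """IOS prints variable-length IKE attributes as big-endian bytes: '0x0 0x1 0x51 0x80' -> 86400."""
    return int("".join(f"{int(b, 16):02x}" for b in text.split()), 16)


def parse_debug(text):
    report = {"states": [], "phase1": {}, "phase2": {}, "sas": [], "authenticated_peer": None}
    life_target = None  # (dict, unit) that the next 'life duration' line belongs to
    sa = None           # IPsec SA currently being described
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            if m.group(1) != m.group(2):  # IOS also logs no-op transitions; drop them
                report["states"].append((m.group(1), m.group(2)))
        elif m := ATTR_RE.search(line):
            report["phase1"][m.group(1)] = m.group(2)
        elif m := LIFETYPE_RE.search(line):  # 'SA life type' lines belong to Quick Mode
            life_target = (report["phase2" if m.group(1) else "phase1"], m.group(2))
        elif (m := LIFEDUR_RE.search(line)) and life_target:
            value = vpi_to_int(m.group(2)) if m.group(1) == "VPI" else int(m.group(2))
            life_target[0]["lifetime_" + life_target[1]] = value
        elif m := AUTH_RE.search(line):
            report["authenticated_peer"] = m.group(1)
        elif m := TRANSFORM_RE.search(line):
            report["phase2"]["transform"] = m.group(1)
        elif m := AUTHENTICATOR_RE.search(line):
            report["phase2"]["authenticator"] = m.group(1)
        elif m := SA_RE.search(line):
            sa = {"direction": m.group(1), "src": m.group(2), "dst": m.group(3)}
            report["sas"].append(sa)
        elif (m := SPI_RE.search(line)) and sa:  # SPI is printed as 0x.. for one SA, decimal for the other
            sa.update(spi=int(m.group(1), 0), conn_id=int(m.group(2)), flags=int(m.group(3), 16))
        elif (m := LIFE_RE.search(line)) and sa:
            sa["lifetime_" + m.group(2)] = int(m.group(1))
        if sa and (m := PROXY_RE.search(line)):  # proxy identity sits on the SA line or on the next one
            sa["proxy"] = (m.group(1), m.group(2))
    return report


# Assumed policy lists (DES/3DES, MD5 and DH groups 1/2/5 are no longer recommended); adjust locally.
DEPRECATED_P1 = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "default group": {"1", "2", "5"}}
DEPRECATED_P2 = {"ESP_DES", "ESP_3DES"}


def findings(report):
    """Review-style findings over the parsed negotiation."""
    out = [f"phase1 {k}={v} is deprecated" for k, v in report["phase1"].items() if v in DEPRECATED_P1.get(k, ())]
    p2 = report["phase2"]
    if p2.get("transform") in DEPRECATED_P2:
        out.append(f"phase2 transform={p2['transform']} is deprecated")
    if p2.get("transform") and "authenticator" not in p2:  # esp-des alone: encryption with no HMAC
        out.append("phase2 ESP negotiated without an integrity (HMAC) algorithm")
    return out


if __name__ == "__main__":
    print(parse_debug(SAMPLE_DEBUG), findings(parse_debug(SAMPLE_DEBUG)), sep="\n")
```

Two details of the debug format are worth noticing in the parser: the Phase 1 lifetime is carried as a variable-length attribute and printed byte by byte (0x0 0x1 0x51 0x80 is 86400 seconds, matching the default policy shown earlier), and IOS prints the inbound SPI in hex but the outbound one in decimal, so a naive string comparison between `debug` output and `show crypto ipsec sa` would miss a match.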