权衡理论的英文论翻译论英语怎么说-rookie什么意思


2023年3月31日发(作者:粉色信笺)

IPSECVPN配置实验

贾博鑫

2010年3月23日

1.实验TopologyTopology

2.

实验预配置

实验预配置::

R1的配置:

R1(config)#intF0/0

R1(config-if)#ipaddress201.1.1.1255.255.255.0

R1(config-if)#nosh

R1(config)#intf0/1

R1(config-if)#ipaddress10.1.1.1255.255.255.0

R1(config-if)#nosh

R1(config)#iproute0.0.0.00.0.0.0f0/0

R2的配置:

R2(config)#intf0/0

R2(config-if)#ipaddress201.1.1.2255.255.255.0

R2(config-if)#nosh

R2(config-if)#intf0/1

R2(config-if)#ipaddress202.1.1.1255.255.255.0

R2(config-if)#nosh

R3的配置:

R3(config)#intf0/1

R3(config-if)#ipaddress202.1.1.2255.255.255.0

R3(config-if)#nosh

R3(config-if)#intf0/0

R3(config-if)#ipaddress172.16.1.1255.255.255.0

R3(config-if)#nosh

R3(config)#iproute0.0.0.00.0.0.0f0/1

配置配置::

R1(config)#access-list102denyip10.1.1.00.0.0.255172.16.1.00.0.0.255

Access

Access--list102是将

10.1.1.0

10.1.1.0访问访问172.16.1.0的流量不进行Nat

转换

转换..

R1(config)#access-list102permitip10.1.1.00.0.0.255any

去往Internet的流量进行Nat

转换

转换..

R1(config)#access-list101permitip10.1.1.00.0.0.255172.16.1.00.0.0.255

定义触发ipsec

保护的感兴趣的流量

保护的感兴趣的流量

R1(config)#intf0/0

R1(config-if)#ipnatoutside

R1(config-if)#inte1/0

R1(config-if)#ipnatinside

R1(config)#ipnatinsidesourcelist102interfacef0/0overload

R3上:

R3(config)#access-list102denyip172.16.1.00.0.0.25510.1.1.00.0.0.255

R3(config)#access-list102permitip172.16.1.00.0.0.255any

R3(config)#access-list101permitip172.16.1.00.0.0.25510.1.1.00.0.0.255

R3(config)#inte1/0

R3(config-if)#ipnatinsi

R3(config-if)#ipnatinside

R3(config-if)#intf0/1

R3(config-if)#ipnatoutside

R3(config)#ipnatinsidesourcelist102interfaceF0/1overload

预配置完毕预配置完毕!!

PSECVPNVPN配置配置

1:

1:定义定义IKE

加密策略

加密策略:IKE:IKE

用来创建使用共享密钥的安全关联

用来创建使用共享密钥的安全关联((

SA

SA).

).

).---

---

---((IKE

第一阶段

第一阶段))

R1(config)#cryptoisakmppolicy1

R1(config-isakmp)#authenticationpre-share

R1(config)#cryptoisakmpkeyciscoaddress202.1.1.2

其它没有配置的参数有一个默认配置

其它没有配置的参数有一个默认配置,,加密算法默认是

des,

des,哈希算法为哈希算法为

sha

sha--

1,

1,

Diffie

Diffie--Hellman

采用组一

采用组一的密钥交换方法

的密钥交换方法

的密钥交换方法,,安全关联的生命周期为86400秒.

R3(config)#cryptoisakmppolicy1

R3(config-isakmp)#authenticationpre-share

R3(config)#cryptoisakmpkeyciscoaddress201.1.1.1

2:

2:定义定义Ipsec

参数

参数(IKE(IKE

第二阶段安全关联的建立

第二阶段安全关联的建立))

1)

定义要保护的加密和验证转换集方法

定义要保护的加密和验证转换集方法(Transform(Transform

设置

设置))

R1(config)#cryptoipsectransform-setnttesp-3des

R3(config)#cryptoipsectransform-setnttesp-3des

2)

定义加密映射

定义加密映射::

加密映射把远程对等体

加密映射把远程对等体,Transform,Transform定义的对等流量的保护方法及感兴趣的

流量关联在一起

流量关联在一起..

R1(config)#cryptomapnttcsc1ipsec-isakmp

%NOTE:Thisnewcryptomapwillremaindisableduntilapeer

andavalidaccesslisthavebeenconfigured.

R1(config-crypto-map)#setpeer202.1.1.2

//

//设置设置IPSECVPN

对幽兰小说 等体地址

对等体地址

R1(config-crypto-map)#settransform-setntt

//

//将前面的将前面的Transform设置关联起来

R1(config-crypto-map)#matchaddress101

//

//与第与第1

步所定义的感兴趣的流量关联

步所定义的感兴趣的流量关联

R3(config)#cryptomapnttcsc1ipsec-isakmp

%NOTE:Thisnewcryptomapwillremaindisableduntilapeer

andavalidaccesslisthavebeenconfigured.

R3(config-crypto-map)#setpeer201.1.1.1

R3(config-crypto-map)#settransform-setntt

R3(config-crypto-map)#matchaddress101

3:

3:将加密映射应用到接口

将加密映射应用到接口

将加密映射应用到接口..

R1(config)#intf0/0

R1(config-if)#cryptomapnttcsc

R3(config)#intf0/1

R3(config-if)#cryptomapnttcsc

5.

IPSEC

IPSECVPNVPN

验证配置命令

验证配置命令

批注[M1]:将建立好的vpn

策略应用到相关接口上

R1#ping172.16.1.1sou

ping172.16.1.1source

rce

rcef0/1f0/1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto172.16.1.1,timeoutis2seconds:

Packetsentwithasourceaddressof10.1.1.1

.!!!!

Successrateis80percent(4/5),round-tripmin/avg/max=24/42/64ms

R1#双方站点内网通信连通性

OK

OK

R3#shcryptoengineconnectionsactive

CryptoEngineConnections

IDInterfaceTypeAlgorithmEncryptDecryptIP-Address

1Fa0/1IPsec3DES04202.1.1.2

2Fa0/1IP春风十里不如你的全诗 sec3DES40202.1.1.2

1001Fa0/1IKEMD5+DES00202.1.1.2

R3

#已经为加密的流量建立了安全关联

已经为加密的流量建立了安全关联..

R3#shcr

shcryptoisakmpsayptoisakmpsa

IPv4CryptoISAKMPSA

dstsrcstateconn-idslotstatus

202.1.1.2201.1.1.1QM_IDLE10010ACTIVE

第一阶段安全关联已经建立成功

第一阶段安全关联已经建立成功..

R3#shcryptoipsecsa

interface:FastEthernet0/1

Cryptomaptag:cisco,localaddr202.1.1.2

protectedvrf:(none)

批注[M2]:注意第一个丢包

是IPSECVPN建立连接,所

需协商过程,为正常现象

批注[M3]:第二阶段加密算

批注[M4]:第一阶段加密算

localident(addr/mask/prot/port):(172.16.1.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/port):(10.1.1.0/255.255.255.0/0/0)

current_peer201.1.1.1port500

PERMIT,flags={origin_is_acl,}

#pktsencaps:4,(

指示封装

指示封装,,即TUNNEL

模式

模式))##pktsencrypt:4,(

指示

指示被加密

被加密

被加密))#pktsdigest:4(指

示被HASH

处理

处理))

#pktsdecaps:4,#pktsdecrypt:4,#pktsverify:4

#pktsco宁可枝头抱香死后一句 mpressed:0,#pktsdecompressed:0

#pktsnotcompressed:0,#:0

#pktsnotdecompressed:0,#pktsdecompressfailed:0

#senderrors0,#recverrors0

localcryptoendpt.:202.1.1.2,remotecryptoendpt.:201.1.1.1

pathmtu1500,ipmtu1500,ipmtuidbFastEthernet0/1

currentoutboundspi:0x25712F55(628174677)

inboundespsas:

spi:0x7F073ECC(2131181260)

transform:esp-3des,

inusesettings={Tunnel,}

connid:1,flow_id:1,cryptomap:cis却组词 co

satiming:remainingkeylifetime(k/sec):(4566488/1831)

IVsize:8bytes

replaydetectionsupport:N

Status:ACTIVE

inboundahsas:

inboundpcpsas:

outboundespsas:

spi:0x25712F55(628174677)

transform:esp-3des,

inusesettings={Tunnel,}

connid:2,flow_id:2,cryptomap:cisco

satiming:remainingkeylifetime(k/sec):(4566488/1831)

IVsize:8bytes

replaydetectionsupport:N

Status:ACTIVE

outboundahsas:

outboundpcpsas:

R3

#R3#shcryptosession

Cryptosessioncurrentstatus

批注[M5]:本地和远端VPN

内网段

批注[M6]:对端VPN公网ip

和端口

批注[M7]:Ipsecvpn通道被

加密和解密的数据包数量

批注[M8]:IPSECVPN状态

Interface:FastEthernet0/1

Sessionstatus:UP-ACTIVE

Peer:201.1.1.1port500

IKESA:local202.1.1.2/500remote201.1.1.1/500Active

IPSECFLOW:permitip172.16.1.0/255.255.255.010.1.1.0/255.255.255.0

ActiveSAs:2,origin:cryptomap

R3#shcryptoisakmpkey

KeyringHostname/AddressPresharedKey

default201.1.1.1cisco

R3

#显示

ipsecvpnpreshare

ipsecvpnpreshare--key

信息

信息

R3

#shcry

shcrypto

pto

ptomapmap

CryptoMap\"cisco\"1ipsec-isakmp

Peer=201.1.1.1

ExtendedIPaccesslist101

access-list101permitip172.16.1.00.0.0.25510.1.1.00.0.0.255

Currentpeer:201.1.1.1

Securityassociationlifetime:4608000kilobytes/3600seconds

PFS(Y/N):N

Transformsets={

cisco,

}

Interfacesusingcryptomapcisco:

FastEthernet0/1

显示ipsecvpn变换集信息和映射

ACL

ACL

R3#shcryptoisakmpsa

IPv4CryptoISAKMPSA

dstsrcstateconn-idslotstatus

202.1.1.2201.1.1.1QM_IDLE10010ACTIVE

ACTIVE

R3#clearcryptoisakmp?

<1-1000000>connectionidofSA

R3

#clear

clearcryptoisakmpcryptoisakmp

批注[M9]:Isakmp使用端口

批注[M10]:基于策略vpn的

ACL

批注[M11]:清除某一个vpn

通道

批注[M12]:清除全部ipsec

vpn通道

R3#debugcryptoisakmp

*Dec404:47:48.455:ISAKMP:(0):SArequestprofileis(NULL)

*Dec404:47:48.459:ISAKMP:Createdapeerstructfor201.1.1.1,peerport500

*Dec404:47:48.459:ISAKMP:Newpeercreatedpeer=0x65D3BBB8peer_handle=0x80000005

*Dec404:47:48.463:ISAKMP:Lockingpeerstruct0x65D3BBB8,refcount1forisakmp_initiator

*Dec404:47:48.463:ISAKMP:localport500,remoteport500

*Dec404:47:48.467:ISAKMP:setnewnode0toQM_IDLE

*Dec404:47:48.471:insertsasuccessfullysa=65568BD8crypto_isadb_stuff_vrf_instance,

isakmp_initiator:sa->f_vrf=0sa->i_vrf=0sa=0x65568BD8

*Dec404:47:48.475:ISAKMP:(0):CannotstartAggressivemode,tryingMainmode.

*Dec404:47:48.479:ISAKMP:(0):foundpeerpre-sharedkeymatching201.1.1.1

*Dec404:47:48.479:ISAKMP:(0):constructedNAT-Tvendor-07ID

*Dec404:47:48.479:ISAKMP:(0):constructedNAT-Tvendor-03ID

*Dec404:47:48.479:ISAKMP:(0):constructedNAT-Tvendor-02ID

*Dec404:47:48.479:ISAKMP:(0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MM

*Dec404:47:48.479:ISAKMP:(0):OldState=IKE_READYNewState=IKE_I_MM1

*Dec404:47:48.479:ISAKMP:(0):

beginningMainModeexchange

beginningMainModeexchange(

(开始主模式交互

开始主模式交互)

*Dec404:47:48.479:ISAKMP:(0):sendingpacketto201.1.1.1my_port500peer_port500(I)

MM_NO_STATE

*Dec404:47:48.491:ISAKMP(0:0):receivedpacketfrom201.1.1.1dport500sport500Global(I)

MM_NO_STATE

MM_NO_STATE

MM

的第一个包和第二个包

的第一个包和第二个包::用于协商PEER

地址

地址、、协商第一阶段策略

*Dec404:47:48.491:ISAKMP:(0):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCH

*Dec404:47:48.491:ISAKMP:(0):OldState=IKE_I_MM1NewState=IKE_I_MM2

*Dec404:47:48.499:ISAKMP:(0):eID=0

*Dec404:47:48.499:ISAKMP:(0):processingvendoridpayload

*Dec404:47:48.499:ISAKMP:(0):vendorIDs姓名藏头诗大全集 eemsUnity/DPDbutmajor245mismatch

*Dec404:47:48.499:ISAKMP(0:0):vendorIDisNAT-Tv7

*Dec404:47:48.499:ISAKMP:(0):foundpeerpre

*Dec404:47:48.499:ISAKMP:(0):foundpeerpre--

sharedkeymatching

sharedkeymatching

201.1.1.1

201.1.1.1

*Dec404:47

*Dec404:47:48.499:ISAKMP:(0):localpresharedkeyfound

:48.499:ISAKMP:(0):localpresharedkeyfound

:48.499:ISAKMP:(0):localpresharedkeyfound

找到两端密钥

找到两端密钥,,还没有被验证

*Dec404:47:48.499:

*Dec404:47:48.499:ISAKMP:(0):CheckingISAKMPtransform1againstpriority10policy

*Dec404:47:48.499:ISAKMP:encryptionDES-CBC

*Dec404:47:48.499:ISAKMP:hashSHA

*Dec404:47:48.503:ISAKMP:defaultgroup2

*Dec404:47:48.503:ISAKMP:authpre-share

*Dec404:47:48.503:ISAKMP:lifetypeinseconds

*Dec404:47:48.503:ISAKMP:lifeduration(VPI)of0x00x10x510x80

*Dec404:47:48.503:ISAKMP:(0):

yloadis0

yloadis0(

(阶段一策略匹配

阶段一策略匹配)

*Dec404:47:48.503:ISAKMP:(0):processingvendoridpayload

*Dec404:47:48.503:ISAKMP:(0):vendorIDseemsUnity/DPDbutmajor245mismatch

*Dec404:47:48.503:ISAKMP(0:0):vendorIDisNAT-Tv7

*Dec404:47:48.503:ISAKMP:(0):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE

*Dec404:47:48.503:ISAKMP:(0):OldState=IKE_I_MM2NewState=IKE_I_MM2

*Dec404:47:48.503:ISAKMP:(0):sendingpacketto201.1.1.1my_port500peer_port500(I)

MM_SA_SETUP

*Dec404:47:48.503:ISAKMP:(0):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE

*Dec404:47:48.503:ISAKMP:(0):OldState=IKE_I_MM2NewState=IKE_I_MM3

*Dec404:47:48.523:ISAKMP(0:0):receivedpacketfrom201.1.1.1dport500sport500Global(I)

MM_SA_SETUP

MM_SA_SETUP

这是第3、4个包个包,,用于DH来分发加密密钥和HASH密钥密钥,,DH是用公钥和私钥来处理预公享的对称密钥再分发

的,事实上在DH

算法中

算法中,,现在还没有发现有DEBUG

错误信息出现

错误信息出现,,

这里是不需要检查的

这里是不需要检查的

*Dec404:47:48.527:ISAKMP:(0):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCH

*Dec404:47:48.531:ISAKMP:(0):OldState=IKE_I_MM3NewState=IKE_I_MM4

*Dec404:47:48.535:ISAKMP:(0):eID=0

*Dec404:47:48.559:ISAKMP:(0):eID=0

*Dec404:47:48.559:ISAKMP:(0):foundpeerpre-sharedkeymatching201.1.1.1

*Dec404:47:48.559:ISAKMP:(1003):processingvendoridpayload

*Dec404:47:48.559:ISAKMP:(1003):vendorIDisUnity

*Dec404:47:48.559:ISAKMP:(1003):processingvendoridpayload

*Dec404:47:48.559:ISAKMP:(1003):vendorIDisDPD

*Dec404:47:48.559:ISAKMP:(1003):processingvendoridpayload

*Dec404:47:48.559:ISAKMP:(1003):speakingtoanotherIOSbox!

*Dec404:47:48.559:ISAKMP:(1003):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE

*Dec404:47:48.559:ISAKMP:(1003):OldState=IKE_I_MM4NewState=IKE_I_MM4

DH在这里完成在这里完成,,为管理连接建立的准备完成为管理连接建立的准备完成,,验证设备的过验证设备的过程是发生在安全的管理了解之后的程是发生在安全的管理了解之后的

*Dec404:47:48.559:ISAKMP:(1003):Sendinitialcontact

*Dec404:47:48.559:ISAKMP:(1003):SAisdoingpre-sharedkeyauthenticationusingidtype

ID_IPV4_ADDR

*Dec404:47:48.559:ISAKMP(0:1003):IDpayload

next-payload:8

type:1

address:202.1.1.2

protocol:17

port:500

length:12

将本地身份信息发送给对方

将本地身份信息发送给对方,,对方将进行HASH处理

*Dec404:47:48.559:ISAKMP:(1003):Totalpayloadlength:12

*Dec404:47:48.563:ISAKMP:(1003):send

*Dec404:47:48.563:ISAKMP:(1003):sendingpacketto

ingpacketto

ingpacketto201.1.1.1

201.1.1.1

201.1.1.1my_port500peer_port500(I)my_port500peer_port500(I)

MM_KEY_EXCH

*Dec404:47:48.563:ISAKMP:(1003):Input=IKE_MESG_INTERNAL,IKE_P惟将终夜长开眼 ROCESS_COMPLETE

*Dec404:47:48.563:ISAKMP:(1003):OldState=IKE_I_MM4NewState=IKE_I_MM5

*Dec404:47:48.571:ISAKMP

*Dec404:47:48.571:ISAKMP(0:1003):receivedpacketfrom

(0:1003):receivedpacketfrom

(0:1003):receivedpacketfrom201.1.1.1

201.1.1.1

201.1.1.1dport500sport500Globaldport500sport500Global

(I)MM_KEY_EXCH

(I)MM_KEY_EXCH

第5、6

个包

个包,,

用于验证设备

用于验证设备,,

记得设备的验证是身份信息

记得设备的验证是身份信息+HASH+HASH密钥来完成的

*Dec404:47:48.571:ISAKMP:(1003):eID=0

*Dec404:47:48.571:ISAKMP蒲松龄狼三则 (0:1003):IDpayload

next-payload:8

type:1

address:201.1.1.1

protocol:17

port:500

length:12

收到对方身份信息

*Dec404:47:48.571:ISAKMP:(0)::peermatches*none*ofthe

profilescrypto_isadb_stuff_vrf_instance,crypto_isakmp_assign_profile:sa->f_vrf=0sa->i_vrf=

0sa=0x65568BD8

*Dec404:47:48.571:ISAKMP:(1003):eID=0

*Dec404:47:48.571:ISAKMP:(1003):eID=0

取出对方身份信息

取出对方身份信息,,执行HASH

算法

算法,,

“ID=0”

“ID=0”表示表示HASH

处理没有发现错误

处理没有发现错误,,对方身份验证成功

*Dec404:47:48.571:ISAKMP:(1003):SAauthentication

*Dec404:47:48.571:ISAKMP:(1003):SAauthenticationstatus:

status:

status:

authenticated

authenticated

设备验证完成了

*Dec404:47:48.571:ISAKMP:(1003):SAhasbeenauthenticatedwith

*Dec404:47:48.571:ISAKMP:(1003):SAhasbeenauthenticatedwith201.1.1.1201.1.1.1

*Dec404:47:48.571:ISAKMP:Tryingtoinsertapeer202.1.1.2/201.1.1.1/500/,andinserted

successfully65D3BBB8.

*Dec404:47:48.571:ISAKMP:(1003):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCH

*Dec404:47:48.575:ISAKMP:(1003):OldState=IKE_I_MM5NewState=IKE_I_MM6

*Dec404:47:48.583:ISAKMP:(1003):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE

*Dec404:47:48.583:ISAKMP:(1003):OldState=IKE_I_MM6NewState=IKE_I_MM6

*Dec404:47:48.583:ISAKMP:(1003):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE

*Dec404:47:48.583:ISAKMP:(1003):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE

*Dec404:47:48.583:ISAKMP:(1003):OldState=IKE_I_MM6NewState=IKE_P1_COMPLETE*Dec404:47:48.583:ISAKMP:(1003):OldState=IKE_I_MM6NewState=IKE_P1_COMPLETE((阶段一完

成,

转入第二阶段

转入第二阶段))

scmIkeTunnelCreateikeidx:3

*Dec404:47:48.583:scmIkeTunnelCreated:Defaultcontext,vdi_ptr=gdi_ptr=1714916048/1714916048

*Dec404:47:48.583:ISAKMP:(1003):beginningQuickModeexchange,M-IDof1301997138

第二阶段进行的是快速模式

*Dec404:47:48.583:ISAKMP:(1003):QMInitiatorgetsspi

*Dec404:47:48.583:ISAKMP:(1003):sendingpacketto201.1.1.1my_port500peer_port500(I)QM_IDLE

*Dec404:47:48.587:ISAKMP:(1003):Node1301997138,Input=IKE_MESG_INTERNAL,IKE_INIT_QM

*Dec404:47:48.587:ISAKMP:(1003):OldState=IKE_QM_READYNewState=IKE_QM_I_QM1

*Dec404:47:48.587:ISAKMP:(1003):Input=IKE_MESG_INTERNAL,IKE_PHASE1_COMPLETE

*Dec404:47:48.587:ISAKMP:(1003):OldState=IKE_P1_COMPLETENewState=IKE_P1_COMPLETE

*Dec404:47:48.599:ISAKMP(0:1003):receivedpacketfrom201.1.1.1dport500sport500Global

(I)QM_IDLE

*Dec404:47:48.599:ISAKMP:(1003):eID=1301997138

*Dec404:47:48.599:ISAKMP:(1003):eID=1301997138

*Dec404:47:48.599:ISAKMP:(1003):CheckingIPSecproposal1

*Dec404:47:48.599:ISAKMP:transform1,ESP_DES

*Dec404:47:48.599:ISAKMP:attributesintransform:

*Dec404:47:48.599:ISAKMP:encap五经 sis1(Tunnel)

*Dec404:47:48.599:ISAKMP:SAlifetypeinseconds

*Dec404:47:48.599:ISAKMP:SAlifeduration(basic)of3600

*Dec404:47:48.599:ISAKMP:SAlifetypeinkilobytes

*Dec404:47:48.599:ISAKMP:SAlifeduration(VPI)of0x00x460x500x0

*Dec404:47:48.599:ISAKMP:

authenticatorisHMAC

authenticatorisHMAC-

-SHA

*Dec404:47:48.599:

*Dec404:47:48.599:ISAKMP:(1003):attsareacceptable.

ISAKMP:(1003):attsareacceptable.

ISAKMP:(1003):attsareacceptable.((

传输集匹配

传输集匹配))

*Dec404:47:48.599:ISAKMP:(1003):eID=1301997138

*Dec404:47:48.599:ISAKMP:(1003):eID=1301997138

*Dec404:47:48.599:ISAKMP:(1003):eID=1301997138

*Dec404:47:48.599:ISAKMP:(1003):

CreatingIPSecSAs

CreatingIPSecSAs((创建

SA

SA))

*Dec404:47:48.599:

*Dec404:47:48.599:

inboundSAfrom

inboundSAfrom201.1.1.1

201.1.1.1

201.1.1.1to

to

to202.1.1.2

202.1.1.2

202.1.1.2(f/i)0/0

(f/i)0/0

(f/i)0/0

(proxy

(proxy10.1.1.0to172.16.1.0

10.1.1.0to172.16.1.0

10.1.1.0to172.16.1.0))

*Dec404:47:48.599:hasspi0x18879411andconn_id0

*Dec404:47:48.599:lifetimeof3600seconds

*Dec404:47:48.599:lifetimeof4608000kilobytes

*Dec404:47:48.599:

*Dec404:47:48.599:

outboundSAfrom

outboundSAfrom202.1.1.2

202.1.1.2

202.1.1.2to

to

to201.1.1.1

201.1.1.1

201.1.1.1(f/i)0/0

(f/i)0/0

(f/i)0/0

(proxy

(proxy172.16.1.0to10.1.1.0

172.16.1.0to10.1.1.0

172.16.1.0to10.1.1.0))

CRYPTOACL协商成功协商成功

*Dec404:47:48.599:hasspi0xDE9946A9andconn_id0

*Dec404:47:48.599:lifetimeof3600seconds

*Dec404:47:48.599:lifetimeof4608000kilobytes

*Dec404:47:48.599:ISAKMP:(1003):sendingpacketto201.1.1.1my_port500peer_port500(I)QM_IDLE

*Dec404:47:48.603:ISAKMP:(1003):deletingnode1301997138errorFALSEreason\"NoError\"

*Dec404:47:48.603:ISAKMP:(1003):Node1301997138,Input=IKE_MESG_FROM_PEER,IKE_QM_EXCH

*Dec404:47:48.603:ISAKMP:(1003):OldState=IKE_QM_I_QM1NewState=

IKE_QM_P

IKE_QM_PHASE2_COMPLETEHASE2_COMPLETEnotify_mib_ipsec_tunnel_activation:peerhasvdiptrset0x66378AD0

scmIpSecTunnelCreated(IKESA:3)

第二阶段协商

第二阶段协商完成完成

更多推荐

spaced是什么意思ced的用法读音典