Vous êtes sur la page 1sur 7

IOS Flex IPv4 Site-Site With Pre-Shared

R1
int l1
ip add 192.168.101.1 255.255.255.0
no shutdown
int s1/0
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
ISP
interface serial 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int s0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
R2
int l1
ip add 192.168.102.1 255.255.255.0
no shutdown
int s1/0
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R1
crypto ikev2 proposal 1
encryption aes-cbc-128
integrity sha1
group 5
crypto ikev2 policy 1
proposal 1

crypto ikev2 keyring 1


peer any
address 0.0.0.0 0.0.0.0
pre-shared-key shiva

crypto ikev2 profile 1


match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local 1
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
crypto map test 10 ipsec-isakmp
set peer 102.1.1.100
set transform-set t-set
set ikev2-profile 1
match address 101
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255

int s1/0
crypto map test

R2
crypto ikev2 proposal 1
encryption aes-cbc-128
integrity sha1
group 5
crypto ikev2 policy 1
proposal 1
crypto ikev2 keyring 1
peer any
address 0.0.0.0 0.0.0.0
pre-shared-key shiva
!
crypto ikev2 profile 1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local 1
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
crypto map test 10 ipsec-isakmp
set peer 101.1.1.100
set transform-set t-set
set ikev2-profile 1
match address 102
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
int s1/0
crypto map test

R1#ping 192.168.102.1 source lo1 repeat 100


Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 72/92/132 ms
R2#ping 192.168.101.1 source lo1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 64/92/116
ms

R1#sh crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA


Tunnel-id Local Remote fvrf/ivrf
Status
1 101.1.1.100/500 102.1.1.100/500 none/none
READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK,
Auth verify: PSK
Life/Active Time: 86400/41 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: 18FBD05A59B67CF7 Remote spi: C5B45B7901514743
Local id: 101.1.1.100
Remote id: 102.1.1.100
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA

R2#sh crypto ikev2 sa detailed


IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf
Status
1 102.1.1.100/500 101.1.1.100/500 none/none
READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK,
Auth verify: PSK

ife/Active Time: 86400/55 sec


CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: C5B45B7901514743 Remote spi: 18FBD05A59B67CF7
Local id: 102.1.1.100
Remote id: 101.1.1.100
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA

R1# sh crypto ipsec sa


interface: Serial1/0
Crypto map tag: test, local addr 101.1.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer 102.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xD1955F55(3516227413)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFF2F426A(4281287274)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: test
sa timing: remaining key lifetime (k/sec): (4332206/1736)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:
inbound pcp sas:

outbound esp sas:


spi: 0xD1955F55(3516227413)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: test
sa timing: remaining key lifetime (k/sec): (4332206/1736)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:

R2#sh crypto ipsec sa


interface: Serial1/0
Crypto map tag: test, local addr 102.1.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer 101.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xFF2F426A(4281287274)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD1955F55(3516227413)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: test
sa timing: remaining key lifetime (k/sec): (4209977/1722)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFF2F426A(4281287274)
transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }


conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: test
sa timing: remaining key lifetime (k/sec): (4209977/1722)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1# sh crypto engine connections active

Crypto Engine Connections


ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec AES+SHA 199 0 0 101.1.1.100
2 IPsec AES+SHA 0 199 199 101.1.1.100
1001 IKEv2 SHA+AES 0 0 0 101.1.1.100
R2#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec AES+SHA 0 199 199 102.1.1.100
2 IPsec AES+SHA 199 0 0 102.1.1.100
1001 IKEv2 SHA+AES 0 0 0 102.1.1.100