VPN Notes

IPsec VPN standard configuration: R1-----R2-----R3

Addressing: R1--R2: 12.1.1.1 / 12.1.1.2; R2--R3: 23.1.1.2 / 23.1.1.3; R1 Lo0: 1.1.1.1; R3 Lo0: 3.3.3.3

1. Enable ISAKMP

crypto isakmp enable

2. Define the phase 1 (ISAKMP) policy

crypto isakmp policy 10

The default policy is:

R1#show crypto isakmp policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

A configured policy is only displayed when its settings differ from the default policy.

3. Define the pre-shared key and the peer

crypto isakmp key 0 cisco address 23.1.1.3

(The key here is used only for authentication; the encryption keys are derived from the Diffie-Hellman exchange.)

4. Define the interesting traffic

ip access-list extended VPN
 permit ip host 1.1.1.1 host 3.3.3.3

5. Define the transform set (phase 2 policy)

crypto ipsec transform-set trans esp-3des esp-sha-hmac
 mode tunnel | transport

(The mode does not have to be set here, because transport mode is only used when the condition "encryption point = communication point" is met.)

6. Combine everything in a crypto map

crypto map VPN-1 10 ipsec-isakmp
 match address VPN
 set transform-set trans
 set peer 23.1.1.3

7. Apply the crypto map on the interface

interface f0/0
 crypto map VPN-1

8. Verify

show crypto engine connections active

Crypto Engine Connections

ID Interface Type  Algorithm Encrypt Decrypt IP-Address
1  Fa0/1     IPsec 3DES+SHA        0       4 23.1.1.3
2  Fa0/1     IPsec 3DES+SHA        4       0 23.1.1.

show crypto isakmp sa
show crypto ipsec sa

9. Clear the SAs (must be done on both sides)

clear crypto isakmp   (ISAKMP SA, default lifetime 1 day)
clear crypto sa   (IPsec SA, default lifetime 1 hour)
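Both ends of the tunnel written out in full, as an added example that is not part of the original notes. The phase 1 values (aes, sha, group 14) and R3's interface name are this example's assumptions; "authentication pre-share" is required because the default suite shown above authenticates with RSA signatures, so the pre-shared key would never be used without it.

```cisco
! ---- R1 (WAN 12.1.1.1, Lo0 1.1.1.1) ----
crypto isakmp enable
! Phase 1 policy. "authentication pre-share" is mandatory for the key below
! to be used; aes / sha / group 14 are this example's choices, not the notes'.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key 0 cisco address 23.1.1.3
! Interesting traffic: loopback to loopback, mirrored exactly on R3.
ip access-list extended VPN
 permit ip host 1.1.1.1 host 3.3.3.3
! Transform set as in the notes; esp-aes is the stronger choice for new tunnels.
crypto ipsec transform-set trans esp-3des esp-sha-hmac
 mode tunnel
crypto map VPN-1 10 ipsec-isakmp
 match address VPN
 set transform-set trans
 set peer 23.1.1.3
interface FastEthernet0/0
 crypto map VPN-1
!
! ---- R3 (WAN 23.1.1.3, Lo0 3.3.3.3) ----
! Same policy and transform set; key address, ACL and peer are reversed.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key 0 cisco address 12.1.1.1
ip access-list extended VPN
 permit ip host 3.3.3.3 host 1.1.1.1
crypto ipsec transform-set trans esp-3des esp-sha-hmac
 mode tunnel
crypto map VPN-1 10 ipsec-isakmp
 match address VPN
 set transform-set trans
 set peer 12.1.1.1
! R3's WAN interface name is an assumption of this example.
interface FastEthernet0/0
 crypto map VPN-1
```

If the two ACLs are not exact mirrors of each other, phase 1 still completes but the Quick Mode proxy identities (local_proxy / remote_proxy in the debug below) do not match and phase 2 fails.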

Debug output of the IPsec VPN establishment process

---------------------------------------------------------------------------------------------------

Apr 14 10:27:00.923: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 12.1.1.1, remote= 23.1.1.3,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:00.931: ISAKMP:(0): SA request profile is (NULL)
Apr 14 10:27:00.935: ISAKMP: Created a peer struct for 23.1.1.3, peer port 500
Apr 14 10:27:00.935: ISAKMP: New peer created peer = 0x63F335E8 peer_handle = 0x80000003
Apr 14 10:27:00.935: ISAKMP: Locking peer struct 0x63F335E8, refcount 1 for isakmp_initiator
Apr 14 10:27:00.935: ISAKMP: local port 500, remote port 500
Apr 14 10:27:00.939: ISAKMP: set new node 0 to QM_IDLE
Apr 14 10:27:00.939: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63F38D24
Apr 14 10:27:00.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 14 10:27:00.939: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-07 ID