IKE Aggressive Mode

Same setup as in the previous post.

I simply followed the steps of this configuration from the Cisco website.

R1 configuration

R1#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
FastEthernet0/0  unassigned   YES unset  administratively down down
Serial0/0        172.16.0.1   YES manual up                    up
Serial0/1        unassigned   YES unset  administratively down down
Loopback0        1.1.1.1      YES manual up                    up

R1#configure terminal
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#end
R1#configure terminal

R1(config)#crypto isakmp peer address 172.16.0.2
R1(config-isakmp-peer)#set aggressive-mode password cisco123
R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 172.16.0.1
R1(config-isakmp-peer)#end
R1#configure terminal
R1(config)#crypto ipsec transform-set SET esp-aes esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map ROUTER1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 172.16.0.2
R1(config-crypto-map)#set transform-set SET
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#end

R1(config)#access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
R1(config)#end

R1(config)#interface serial0/0
R1(config-if)#crypto map ROUTER1
R1(config-if)#end

R1(config)#ip route 2.2.2.0 255.255.255.0 172.16.0.2
R1(config)#end

R2 configuration

R2#show ip interface brief
Interface        IP-Address   OK? Method Status                Protocol
Serial0/0        172.16.0.2   YES manual up                    up
Serial0/1        unassigned   YES unset  administratively down down
Loopback0        2.2.2.2      YES manual up                    up
R2#configure terminal
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#end
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#crypto isakmp key cisco123 address 172.16.0.1
R2(config)#crypto ipsec transform-set SET esp-aes esp-md5-hmac
R2(cfg-crypto-trans)#end

R2#configure terminal
R2(config)#crypto map ROUTER2 10 ipsec-isakmp dynamic ROUTER1

R2#configure terminal

R2(config)#crypto dynamic-map ROUTER1 10
R2(config-crypto-map)#set transform-set SET
R2(config-crypto-map)#end

R2(config)#interface serial 0/0
R2(config-if)#crypto map ROUTER2
R2(config-if)#end

 

R1#show run
Building configuration…

Current configuration : 1420 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp peer address 172.16.0.2
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 172.16.0.1
!
crypto ipsec transform-set SET esp-aes esp-md5-hmac
!
crypto map ROUTER1 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set SET
match address 101
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.0.1 255.255.255.0
clock rate 64000
crypto map ROUTER1
!
interface Serial0/1
no ip address
shutdown
!
ip forward-protocol nd
ip route 2.2.2.0 255.255.255.0 172.16.0.2
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
control-plane
!
mgcp behavior g729-variants static-pt
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end

R1#

R2#show run
Building configuration…

Current configuration : 1372 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup

ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 172.16.0.1
!
crypto ipsec transform-set SET esp-aes esp-md5-hmac
!
crypto dynamic-map ROUTER1 10
set transform-set SET
!
crypto map ROUTER2 10 ipsec-isakmp dynamic ROUTER1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.0.2 255.255.255.0
no fair-queue
crypto map ROUTER2
!
interface Serial0/1
no ip address
shutdown
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 172.16.0.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
voice-port 1/0/0
!
voice-port 1/0/1
!
mgcp behavior g729-variants static-pt

gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
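Two things in the running-configs above deserve attention before reusing them outside a lab. Policy 1 sets only `hash md5` and `authentication pre-share`, so IOS fills in its defaults for the rest: DES encryption and Diffie-Hellman group 1. That is exactly what `show crypto isakmp sa detail` reports further down (Encr des, DH 1) and what `show crypto engine connections active` shows for the IKE SA itself (HMAC_MD5+DES_56_CB). The second point is aggressive mode with a pre-shared key: in that exchange the identities and the PSK-derived hash are sent before any encryption is in place, so anyone who can reach UDP/500 on the peer can capture the hash and run an offline dictionary attack on the PSK. As an added example (this is not code from the original post), the following Python script parses a pasted `show run`, even when the sub-commands have lost their indentation as they have on this page, and flags those settings; the weak sample is constructed from R1's output above, the hardened counterpart and the key-6 storage form are assumptions for comparison, and `negotiated_phase1` pulls the live values from the `show crypto isakmp sa detail` row.

```python
"""Audit IKEv1/IPsec settings in a Cisco IOS configuration.

Added example, not code from the original post. Parses 'show run' text as the
page shows it (sub-commands may have lost their leading spaces) and flags the
settings an attacker would target. Samples are constructed from the R1 output.
"""
import re
from dataclasses import dataclass

# Constructed sample: the crypto-relevant part of R1's running-config above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp peer address 172.16.0.2
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 172.16.0.1
!
crypto ipsec transform-set SET esp-aes esp-md5-hmac
"""
# Constructed sample: R1's 'show crypto isakmp sa detail' row from above.
SAMPLE_SA_DETAIL = "1 172.16.0.1 172.16.0.2 ACTIVE des md5 psk 1 23:01:55"
# Assumed hardened counterpart: main mode, AES-256, SHA-256, DH group 14,
# PSK stored in the type-6 encrypted form (not the author's configuration).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 AbCdEf address 172.16.0.2
crypto ipsec transform-set SET esp-aes 256 esp-sha256-hmac
"""

# IOS fills in these values for any policy parameter that is not configured.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                   "authentication": "rsa-sig"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
CLEARTEXT_KEY = re.compile(r"^crypto isakmp key (?!6\s)")  # 'key 6 ...' is encrypted
# Stanzas that own sub-commands / commands that always open a new stanza; only
# needed as a fallback when pasted output has lost its indentation.
CONTAINER = re.compile(r"^(crypto (isakmp policy|isakmp peer|ipsec transform-set|map|dynamic-map)|interface )")
TOP_LEVEL = re.compile(r"^(crypto |interface |access-list |ip route |line |control-plane|end$)")

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    where: str     # stanza header the finding belongs to
    detail: str

def parse_stanzas(config):
    """Return [(header, [sub-commands])]; a '!' line closes the open stanza."""
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
            continue
        nested = current is not None and (raw.startswith(" ") or (
            CONTAINER.match(current[0]) and not TOP_LEVEL.match(line)))
        if nested:
            current[1].append(line)
        else:
            current = (line, [])
            stanzas.append(current)
    return stanzas

def audit(config):
    """Return the weak phase-1/phase-2 settings found in an IOS config text."""
    findings = []
    for header, body in parse_stanzas(config):
        if header.startswith("crypto isakmp policy "):
            params = dict(ISAKMP_DEFAULTS)  # unset parameters take IOS defaults
            for cmd in body:
                word, _, value = cmd.partition(" ")
                if word in params:
                    params[word] = value
            if params["encryption"] in ("des", "3des"):
                findings.append(Finding("high", header, f"phase-1 encryption {params['encryption']}"))
            if params["hash"] == "md5":
                findings.append(Finding("medium", header, "phase-1 hash md5"))
            if params["group"] in ("1", "2"):
                findings.append(Finding("high", header, f"DH group {params['group']}"))
        elif header.startswith("crypto isakmp peer "):
            if any(cmd.startswith("set aggressive-mode password") for cmd in body):
                findings.append(Finding("high", header, "aggressive mode with PSK: the PSK-derived hash "
                                        "is sent before encryption starts (offline dictionary attack); "
                                        "the password is also stored in cleartext"))
        elif CLEARTEXT_KEY.match(header):
            findings.append(Finding("medium", header, "pre-shared key stored in cleartext"))
        elif header.startswith("crypto ipsec transform-set "):
            for transform in header.split()[3:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append(Finding("medium", header, f"phase-2 transform {transform}"))
    return findings

def negotiated_phase1(sa_detail):
    """Extract encr/hash/auth/DH from a 'show crypto isakmp sa detail' row, the
    only place where defaulted values such as DES and group 1 become visible."""
    m = re.search(r"^\s*\d+\s+\S+\s+\S+\s+(?:\S+\s+)?ACTIVE\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)",
                  sa_detail, re.M)
    return dict(zip(("encr", "hash", "auth", "dh"), m.groups())) if m else None
```

Running `audit(SAMPLE_CONFIG)` yields five findings for the lab config (DES, DH group 1 and aggressive mode rated high; MD5 in both phases rated medium), while the assumed hardened config yields none. The parser is deliberately tolerant of missing indentation because that is how `show run` output usually arrives in tickets and blog posts; on a real device, `show running-config` output is indented and the `CONTAINER`/`TOP_LEVEL` fallback is never exercised.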

 

R1#show crypto ipsec sa

interface: Serial0/0
Crypto map tag: ROUTER1, local addr 172.16.0.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 172.16.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xCE04334C(3456381772)

inbound esp sas:
spi: 0xB067DA7B(2959596155)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: ROUTER1
sa timing: remaining key lifetime (k/sec): (4590959/1132)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCE04334C(3456381772)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: ROUTER1
sa timing: remaining key lifetime (k/sec): (4590956/1128)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R1#
R1#

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
172.16.0.2      172.16.0.1      QM_IDLE              1    0 ACTIVE

 

R2#show crypto ipsec sa

interface: Serial0/0
Crypto map tag: ROUTER2, local addr 172.16.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.0.2, remote crypto endpt.: 172.16.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xB067DA7B(2959596155)

inbound esp sas:
spi: 0xCE04334C(3456381772)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: ROUTER2
sa timing: remaining key lifetime (k/sec): (4482770/1055)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB067DA7B(2959596155)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: ROUTER2
sa timing: remaining key lifetime (k/sec): (4482773/1049)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R2#

R2#show crypto isakmp sa
dst             src             state          conn-id slot status
172.16.0.2      172.16.0.1      QM_IDLE              1    0 ACTIVE

R2#

R2#show crypto session
Crypto session current status

Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 172.16.0.1 port 500
IKE SA: local 172.16.0.2/500 remote 172.16.0.1/500 Active
IPSEC FLOW: permit ip 2.2.2.0/255.255.255.0 1.1.1.0/255.255.255.0
Active SAs: 2, origin: dynamic crypto map

R2#

R2#show crypto engine connections active

ID    Interface  IP-Address  State  Algorithm           Encrypt  Decrypt
1     Serial0/0  172.16.0.2  set    HMAC_MD5+DES_56_CB        0        0
2001  Serial0/0  172.16.0.2  set    AES+MD5                   0       34
2002  Serial0/0  172.16.0.2  set    AES+MD5                  15        0

R2#
R1#show crypto engine connections active

ID    Interface  IP-Address  State  Algorithm           Encrypt  Decrypt
1     Serial0/0  172.16.0.1  set    HMAC_MD5+DES_56_CB        0        0
2001  Serial0/0  172.16.0.1  set    AES+MD5                   0       15
2002  Serial0/0  172.16.0.1  set    AES+MD5                  34        0

R1#

R1#show crypto session
Crypto session current status

Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 172.16.0.2 port 500
IKE SA: local 172.16.0.1/500 remote 172.16.0.2/500 Active
IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
Active SAs: 2, origin: crypto map

R1#

R1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption

C-id  Local       Remote      I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1     172.16.0.1  172.16.0.2         ACTIVE  des   md5   psk   1   23:01:55
Connection-id:Engine-id = 1:1(software)
R1#

 

 

 

One comment

  • 3 June 2016 - 12:21 am | Permalink

    IKE Phase 1 works in one of two modes, main mode or aggressive mode. Now, of course, both of these modes operate differently, and we will cover both of these modes.