ipsec(V7)
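Figure 2-3 Typical network diagram for IKE main mode with pre-shared key authentication
After the above configuration is complete, Device A and Device ., IKE negotiation will be triggered.
# The following display output shows the IKE proposals on Device A and Device B. Because no IKE proposal has been configured, only the default IKE proposal is displayed.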
[DeviceA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
default PRE-SHARED-KEY SHA1 AES-CBC-128 Group 1 86400
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
default PRE-SHARED-KEY SHA1 AES-CBC-128 Group 1 86400
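The default proposal shown above negotiates SHA1 and Diffie-Hellman Group 1 (768-bit MODP), both below current recommendations. The following Python code is an added example, not part of the original document or of the vendor's tooling; it parses display ike proposal output in the layout shown above and flags weak parameters. The thresholds (WEAK_HASH, WEAK_ENC_PREFIXES, MIN_DH_GROUP) and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample: the default-proposal output shown above for Device A.
SAMPLE = """\
[DeviceA] display ike proposal
 Priority Authentication Authentication Encryption  Diffie-Hellman Duration
          method         algorithm      algorithm   group          (seconds)
----------------------------------------------------------------------------
 default  PRE-SHARED-KEY SHA1           AES-CBC-128 Group 1        86400
"""

# Assumed local policy (not taken from the device documentation).
WEAK_HASH = {"MD5", "SHA1"}
WEAK_ENC_PREFIXES = ("DES", "3DES")
MIN_DH_GROUP = 14  # treats MODP groups 1, 2 and 5 as too small

# One proposal row: priority, auth method, hash, cipher, "Group N", lifetime.
ROW = re.compile(
    r"^\s*(?P<priority>default|\d+)\s+(?P<auth>\S+)\s+(?P<hash>\S+)\s+"
    r"(?P<enc>\S+)\s+Group\s+(?P<dh>\d+)\s+(?P<life>\d+)\s*$"
)


def parse_proposals(text):
    """Return one dict per proposal row; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["dh"] = int(row["dh"])
            row["life"] = int(row["life"])
            rows.append(row)
    return rows


def audit(row):
    """Return the policy findings for one parsed proposal row."""
    findings = []
    if row["hash"].upper() in WEAK_HASH:
        findings.append(f"weak authentication algorithm: {row['hash']}")
    if row["enc"].upper().startswith(WEAK_ENC_PREFIXES):
        findings.append(f"weak encryption algorithm: {row['enc']}")
    if row["dh"] < MIN_DH_GROUP:
        findings.append(f"weak Diffie-Hellman group: {row['dh']}")
    return findings


if __name__ == "__main__":
    for proposal in parse_proposals(SAMPLE):
        print(proposal["priority"], audit(proposal) or "ok")
```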
# The following display output shows the IKE SA generated on Device A after IKE phase 1 negotiation succeeds.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# The following display output shows the IPsec SA generated by IKE phase 2 negotiation.
[DeviceA] display ipsec sa
-------------------------------
Interface: 2/1/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1456
Tunnel:
local address:
remote address:
Flow:
sour addr: . port: 0 protocol: IP
dest addr: . port: 0 protocol: IP
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-