CCNP (ISCW) Lab: Site-to-Site IPsec *** with Pre-Shared Keys

Lab description:

  1. R1 and R2 are connected over Fast Ethernet.
  2. The 1.1.1.1/24 network on R1 should reach the 2.2.2.2/24 network on R2 through an IPsec ***.
  3. Pre-shared key authentication is used.

Lab procedure:

Step 1: Basic interface configuration
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int e0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#int e0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

Step 2: Configure Internet Key Exchange (IKE)
R1(config)#crypto isakmp enable
// Enable ISAKMP globally (it is enabled by default)
R1(config)#crypto isakmp policy 10
// Define an ISAKMP policy used to form the ISAKMP peering between the IPsec endpoints; 10 is the priority, range 1-10000, with 1 the highest priority
R1(config-isakmp)#authentication pre-share
// Set the peer authentication method to pre-shared key
R1(config-isakmp)#encryption 3des
// Set the message encryption algorithm to 3DES
R1(config-isakmp)#group 5
// Set the key exchange parameters to 1536-bit Diffie-Hellman (group 5)
R1(config-isakmp)#hash sha
// Set the message integrity (hash) algorithm to SHA-1 (160-bit digest)
R1(config-isakmp)#lifetime 86400
// Set the lifetime of the SA that ISAKMP establishes
R1(config)#crypto isakmp key cisco add 192.168.1.2
// Configure the pre-shared key: the key is cisco and the remote peer's IP address is 192.168.1.2

R2(config)#Cryp is en
R2(config)#Cry is pol 10
R2(config-isakmp)#Aut pre
R2(config-isakmp)#Enc 3d
R2(config-isakmp)#Gro 5
R2(config-isakmp)#Hash sha
R2(config-isakmp)#Life 86400
R2(config-isakmp)#Exit
R2(config)#Cryp isa key cisco add 192.168.1.1

Step 3: Configure the IPsec transform set
R1(config)#cry ipsec transform-set R1set esp-3des esp-sha-hmac
// Create a transform set named R1set; the transform set defines how the data traffic is protected. If no mode is configured, the default is tunnel mode (mode tunnel)
R1(config)#crypto map R1*** 10 ipsec-isakmp
// Create an IPsec crypto map entry that uses ISAKMP to establish the IPsec SAs protecting the traffic this entry specifies
R1(config-crypto-map)#set peer 192.168.1.2
// Specify the peer IP address
R1(config-crypto-map)#set transform-set R1set
// Specify the transform set
R1(config-crypto-map)#match add 100
// Reference the extended ACL

R2(config)# cryp ips transform-set R2set esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exi
R2(config)#crypto map R2*** 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
// The new crypto map is not yet active.
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set transform-set R2set
R2(config-crypto-map)#match add 100

Step 4: Define the interesting traffic, i.e. which traffic the IPsec connection protects
R1(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
// Define which traffic is protected by IPsec
R1(config)#int e0/0
R1(config-if)#crypto map R1***
// Apply the crypto map to the interface
*Mar 1 00:26:14.451: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
R2(config)#int e0/0
R2(config-if)#crypto map R2***

Step 5: Debug the IPsec configuration using ping traffic
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#ping 2.2.2.2 sou 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
// The first echo times out while the SAs are still being negotiated; the debug output below was printed interleaved with the ping replies

Mar 1 00:30:49.951: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xDE7C1239(3732673081), conn_id= 0, keysize= 0, flags= 0x400A

Mar 1 00:30:49.955: ISAKMP: received ke message (1/1)
Mar 1 00:30:49.955: ISAKMP (0:0): SA request profile is (NULL)
Mar 1 00:30:49.955: ISAKMP: local port 500, remote port 500
Mar 1 00:30:49.959: ISAKMP: set new node 0 to QM_IDLE
Mar 1 00:30:49.959: ISAKMP: insert sa successfully sa = 63D1C4B4
Mar 1 00:30:49.959: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Mar 1 00:30:49.959: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
Mar 1 00:30:49.959: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Mar 1 00:30:49.963: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Mar 1 00:30:49.963: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 1 00:30:49.963: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
// IKE negotiation has been initiated and the first ISAKMP message of main mode is about to be sent; I denotes the initiator, a responder would show R.
Mar 1 00:30:49.963: ISAKMP (0:1): beginning Main Mode exchange
// IKE main mode negotiation is about to begin

Mar 1 00:30:49.963: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 1 00:30:50.163: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
// Main mode negotiation starts with R1, as initiator, sending its IKE SA proposals to R2; these proposals correspond to R1's configuration (crypto isakmp policy)

Mar 1 00:30:50.167: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 1 00:30:50.167: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
// The second message of the IKE exchange

Mar 1 00:30:50.167: ISAKMP (0:1): processing SA payload. message ID = 0
// Processing the SA payload, which carries the accepted proposal. The message ID distinguishes the messages exchanged in phase 1 from those of phase 2, so it stays 0 throughout main mode negotiation
Mar 1 00:30:50.171: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.171: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/40/52 ms
R1#
Mar 1 00:30:50.171: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:30:50.171: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
Mar 1 00:30:50.171: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
Mar 1 00:30:50.171: ISAKMP (0:1) local preshared key found
Mar 1 00:30:50.171: ISAKMP : Scanning profiles for xauth ...
Mar 1 00:30:50.175: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
// The two peers have exchanged their IKE phase 1 policies; the router is comparing the remote peer's policy with local policy 10
Mar 1 00:30:50.175: ISAKMP: encryption 3DES-CBC
Mar 1 00:30:50.175: ISAKMP: hash SHA
Mar 1 00:30:50.175: ISAKMP: default group 5
Mar 1 00:30:50.175: ISAKMP: auth pre-share
Mar 1 00:30:50.175: ISAKMP: life type in seconds
Mar 1 00:30:50.175: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 1 00:30:50.179: ISAKMP (0:1): atts are acceptable. Next payload is 0
// The policies match (atts = attributes are acceptable); the Diffie-Hellman public values and nonces (random numbers) can now be exchanged

Mar 1 00:30:50.271: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.271: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch

Mar 1 00:30:50.271: ISAKMP (0:1): vendor ID is NAT-T v7
Mar 1 00:30:50.271: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:30:50.275: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 1 00:30:50.279: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
// R1 sends its Diffie-Hellman public value and nonce to R2

Mar 1 00:30:50.279: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:30:50.279: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
// The third message of the IKE negotiation has been sent

Mar 1 00:30:50.459: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
// R1 has received R2's response
Mar 1 00:30:50.463: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 1 00:30:50.463: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
// The state advances to the fourth message, showing that this response is the fourth message of main mode.
Mar 1 00:30:50.463: ISAKMP (0:1): processing KE payload. message ID = 0
Mar 1 00:30:50.583: ISAKMP (0:1): processing NONCE payload. message ID = 0
Mar 1 00:30:50.583: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success

Mar 1 00:30:50.587: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
Mar 1 00:30:50.591: ISAKMP (0:1): SKEYID state generated
// SKEYID state generated shows that the shared keying material has been derived

Mar 1 00:30:50.591: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.595: ISAKMP (0:1): vendor ID is Unity
Mar 1 00:30:50.595: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.595: ISAKMP (0:1): vendor ID is DPD
Mar 1 00:30:50.595: ISAKMP (0:1): processing vendor id payload
Mar 1 00:30:50.595: ISAKMP (0:1): speaking to another IOS box!
// The vendor ID payloads show that the message comes from another Cisco router

Mar 1 00:30:50.595: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 1 00:30:50.595: ISAKMP (0:1): Send initial contact
Mar 1 00:30:50.595: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 1 00:30:50.595: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 192.168.1.1
protocol : 17
port : 500
length : 12
Mar 1 00:30:50.595: ISAKMP (1): Total payload length: 12
Mar 1 00:30:50.595: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 1 00:30:50.595: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
// Fifth message
Mar 1 00:30:50.691: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 1 00:30:50.695: ISAKMP (0:1): processing ID payload. message ID = 0
Mar 1 00:30:50.695: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12

Mar 1 00:30:50.695: ISAKMP (0:1): processing HASH payload. message ID = 0
Mar 1 00:30:50.699: ISAKMP (0:1): SA authentication status:
authenticated

Mar 1 00:30:50.699: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
Mar 1 00:30:50.699: ISAKMP (0:1): peer matches none of the profiles
Mar 1 00:30:50.699: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6

Mar 1 00:30:50.703: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6

Mar 1 00:30:50.707: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 1 00:30:50.707: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
// The state becomes IKE_P1_COMPLETE, showing that main mode (phase 1) negotiation has completed.
Mar 1 00:30:50.711: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 174738581
// Quick mode is about to begin. The message ID (M-ID) of the first quick mode message R1 will send differs from those of main mode: it is a non-zero (random) value

Mar 1 00:30:50.715: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
// R1 has sent the first message of quick mode negotiation, carrying the IPsec proposals
Mar 1 00:30:50.715: ISAKMP (0:1): Node 174738581, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
// IKE_QM_I_QM1 shows that the first quick mode message has been sent
Mar 1 00:30:50.719: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Mar 1 00:30:51.067: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
// R2's reply has been received; it carries a series of payloads, including the HASH, SA, NONCE and ID payloads

Mar 1 00:30:51.071: ISAKMP (0:1): processing HASH payload. message ID = 174738581
// The HASH payload authenticates the message and serves as a liveness indication.
Mar 1 00:30:51.075: ISAKMP (0:1): processing SA payload. message ID = 174738581
// The SA payload carries the IPsec proposal

Mar 1 00:30:51.075: ISAKMP (0:1): Checking IPSec proposal 1
Mar 1 00:30:51.075: ISAKMP: transform 1, ESP_3DES
Mar 1 00:30:51.075: ISAKMP: attributes in transform:
Mar 1 00:30:51.075: ISAKMP: encaps is 1 (Tunnel)
Mar 1 00:30:51.075: ISAKMP: SA life type in seconds
Mar 1 00:30:51.075: ISAKMP: SA life duration (basic) of 3600
Mar 1 00:30:51.075: ISAKMP: SA life type in kilobytes
Mar 1 00:30:51.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 1 00:30:51.079: ISAKMP: authenticator is HMAC-MD5
Mar 1 00:30:51.079: ISAKMP (0:1): atts are acceptable.
Mar 1 00:30:51.079: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

Mar 1 00:30:51.083: IPSEC(kei_proxy): head = R1***, map->ivrf = , kei->ivrf =
Mar 1 00:30:51.087: ISAKMP (0:1): processing NONCE payload. message ID = 174738581
Mar 1 00:30:51.087: ISAKMP (0:1): processing ID payload. message ID = 174738581
Mar 1 00:30:51.087: ISAKMP (0:1): processing ID payload. message ID = 174738581
Mar 1 00:30:51.095: ISAKMP (0:1): Creating IPSec SAs
Mar 1 00:30:51.095: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0 (proxy 2.2.2.2 to 1.1.1.1)
// The inbound IPsec SA is created here, between IP addresses 192.168.1.2 and 192.168.1.1, with proxy identities 2.2.2.2 and 1.1.1.1

Mar 1 00:30:51.099: has spi 0xDE7C1239 and conn_id 2000 and flags 2
Mar 1 00:30:51.099: lifetime of 3600 seconds
Mar 1 00:30:51.099: lifetime of 4608000 kilobytes
Mar 1 00:30:51.099: has client flags 0x0
Mar 1 00:30:51.099: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/ 0 (proxy 1.1.1.1 to 2.2.2.2 )
Mar 1 00:30:51.099: has spi 1645135704 and conn_id 2001 and flags A
Mar 1 00:30:51.099: lifetime of 3600 seconds
Mar 1 00:30:51.103: lifetime of 4608000 kilobytes
Mar 1 00:30:51.103: has client flags 0x0
Mar 1 00:30:51.103: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
// R1 sends R2 the last message of quick mode negotiation, which serves as acknowledgement and liveness indication.

Mar 1 00:30:51.103: ISAKMP (0:1): deleting node 174738581 error FALSE reason ""
Mar 1 00:30:51.107: ISAKMP (0:1): Node 174738581, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 1 00:30:51.107: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
// The state shown above indicates that phase 2 is complete
Mar 1 00:30:51.107: IPSEC(key_engine): got a queue event...
Mar 1 00:30:51.107: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xDE7C1239(3732673081), conn_id= 2000, keysize= 0, flags= 0x2
Mar 1 00:30:51.111: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
remote_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x620EC758(1645135704), conn_id= 2001, keysize= 0, flags= 0xA

Mar 1 00:30:51.115: IPSEC(kei_proxy): head = R1***, map->ivrf = , kei->ivrf =
Mar 1 00:30:51.115: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.1.2

Mar 1 00:30:51.119: IPSEC(add mtree): src 1.1.1.1, dest 2.2.2.2, dest_port 0

Mar 1 00:30:51.119: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_prot= 50,
sa_spi= 0xDE7C1239(3732673081),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000

Mar 1 00:30:51.119: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_prot= 50,
sa_spi= 0x620EC758(1645135704),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
R1#u all
All possible debugging has been turned off
R1#
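To make a capture like the one above easier to read, here is an added Python helper (not part of the lab) that pulls the Old State / New State lines out of debug crypto isakmp output and reports the role, how far main mode got, and whether phase 1 and phase 2 completed; when a negotiation never reaches IKE_P1_COMPLETE, the last state tells you at which main mode message it stopped. The sample lines are constructed from the states shown in this lab.

```python
import re

# Constructed sample in the shape of the lab's "debug crypto isakmp" state lines (initiator side).
SAMPLE_DEBUG = """\
Mar 1 00:30:49.963: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Mar 1 00:30:50.167: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 1 00:30:50.275: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 1 00:30:50.279: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 1 00:30:50.463: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 1 00:30:50.595: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 1 00:30:50.703: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 1 00:30:50.707: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 1 00:30:50.719: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 1 00:30:51.107: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

# Matches "Old State = X New State = Y"; some IOS lines carry a leading '*' before the timestamp.
STATE_RE = re.compile(
    r"^\*?(?P<ts>\w+ \d+ [\d:.]+): ISAKMP \((?P<sa>[\d:]+)\): "
    r"Old State = (?P<old>\S+) New State = (?P<new>\S+)$"
)

def parse_transitions(text):
    """Return (timestamp, old, new) tuples; old == new lines are internal processing and are dropped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m and m["old"] != m["new"]:
            out.append((m["ts"], m["old"], m["new"]))
    return out

def summarize(text):
    """Reduce a capture to role, last main mode message reached, and phase 1 / phase 2 completion."""
    states = [new for _, _, new in parse_transitions(text)]
    if any(s.startswith("IKE_I_MM") for s in states):
        role = "initiator"
    elif any(s.startswith("IKE_R_MM") for s in states):
        role = "responder"
    else:
        role = "unknown"
    mm = [s for s in states if re.fullmatch(r"IKE_[IR]_MM\d", s)]
    phase2 = "IKE_QM_PHASE2_COMPLETE" in states
    return {
        "role": role,
        "main_mode_messages": int(mm[-1][-1]) if mm else 0,  # highest main mode message reached
        "phase1_complete": "IKE_P1_COMPLETE" in states,
        "phase2_complete": phase2,
        "stalled_at": None if phase2 else (states[-1] if states else None),
    }
```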

Step 6: Other verification
R1#sh crypto isakmp sa
// Show the ISAKMP security associations
dst             src             state          conn-id slot
192.168.1.2     192.168.1.1     QM_IDLE              1    0

R1#sh crypto ipsec sa
// Show the IPsec security associations
interface: Ethernet0/0
Crypto map tag: R1***, local addr. 192.168.1.1
// Crypto map R1*** is active on e0/0; the router IP address used for IPsec traffic is 192.168.1.1
protected vrf:
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
current_peer: 192.168.1.2:500
PERMIT, flags={origin_is_acl,}
// Local and remote identities of the peers taking part in the connection
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
// Number of packets encapsulated and encrypted
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
// Local and remote endpoints of the IPsec connection, and the MTU in use
current outbound spi: 620EC758

 inbound esp sas:
  spi: 0xDE7C1239(3732673081)
// Inbound (remote to local router) ESP SA; each connection has a unique SPI
    transform: esp-3des esp-md5-hmac ,
// The transform protecting the connection is esp-3des esp-md5-hmac
    in use settings ={Tunnel, }
// The connection mode is tunnel mode
    slot: 0, conn id: 2000, flow_id: 1, crypto map: R1***
    sa timing: remaining key lifetime (k/sec): (4532812/315)
    IV size: 8 bytes
    replay detection support: Y

 inbound ah sas:
// No output under AH, so AH is not used to protect the connection
 inbound pcp sas:

 outbound esp sas:
  spi: 0x620EC758(1645135704)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2001, flow_id: 2, crypto map: R1***
    sa timing: remaining key lifetime (k/sec): (4532812/314)
    IV size: 8 bytes
    replay detection support: Y

 outbound ah sas:

 outbound pcp sas:

R1#sh crypto engine connections active
// Show the currently active connections: how many packets have been encrypted and how many decrypted
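As an added check that is not part of the lab, the following Python parses show crypto ipsec sa output like the one above and compares what was actually negotiated against what the transform set was meant to give. Run on this lab's output with the R1set definition (esp-3des esp-sha-hmac) as the expected transform, it reports that both SAs actually carry esp-md5-hmac. The sample input is constructed from the lab's own values.

```python
import re

# Constructed sample in the layout of the lab's "show crypto ipsec sa" output; values follow the lab.
SAMPLE_SHOW = """\
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
     inbound esp sas:
      spi: 0xDE7C1239(3732673081)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
     outbound esp sas:
      spi: 0x620EC758(1645135704)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
"""

def parse_ipsec_sa(text):
    """Pull the packet counters and the per-direction ESP/AH/PCP SAs out of the show output."""
    info = {"encaps": 0, "decaps": 0, "sas": []}
    section = None  # (direction, protocol) of the SA list currently being read
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m[1]] = int(m[2])
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = (m[1], m[2])
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            info["sas"].append({"dir": section[0], "proto": section[1], "spi": m[1]})
        elif m := re.match(r"transform: (.+)", line):
            info["sas"][-1]["transform"] = m[1].rstrip(" ,")
        elif m := re.match(r"in use settings =\{(\w+)", line):
            info["sas"][-1]["mode"] = m[1]
    return info

def check_tunnel(info, expected_transform):
    """Report every way the live SAs differ from what the transform set was meant to give."""
    findings = []
    esp = [sa for sa in info["sas"] if sa["proto"] == "esp"]
    if {sa["dir"] for sa in esp} != {"inbound", "outbound"}:
        findings.append("inbound or outbound ESP SA missing")
    for sa in esp:
        if sa.get("transform") != expected_transform:
            findings.append(f"{sa['dir']} SA uses '{sa.get('transform')}', expected '{expected_transform}'")
        if sa.get("mode") != "Tunnel":
            findings.append(f"{sa['dir']} SA is not in tunnel mode")
    if info["encaps"] == 0 or info["decaps"] == 0:
        findings.append("no packets encrypted/decrypted yet")
    return findings
```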