GRE over IPsec Site-to-Site VPN

A classic site-to-site VPN can establish an IPsec VPN with non-Cisco devices, but it has the following problems:

  • Because there is no virtual tunnel interface, the dynamic routing protocols of the two sites cannot run across the tunnel.
  • Because there is no virtual tunnel interface, it is hard to apply controls (ACL, NAT, QoS) to the plaintext traffic between the communicating endpoints.
  • There is too much interesting traffic to define: when each site has several subnets, the number of entries is the number of combinations of the two sites' networks.

To address these shortcomings of the classic IPsec VPN configuration, two solutions are available:

  • GRE over IPsec (recommended on routers running IOS releases before 12.4)
  • SVTI (recommended on routers running IOS 12.4 and later)


Packet Capture of IPsec VPN Main Mode

Site1#
*Feb  7 08:42:03.367: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.1.1:500, remote= 61.128.1.1:500,
    local_proxy= 1.1.1.0/255.255.255.0/256/0,
    remote_proxy= 2.2.2.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb  7 08:42:03.367: ISAKMP: (0):SA request profile is (NULL)
*Feb  7 08:42:03.367: ISAKMP: (0):Created a peer struct for 61.128.1.1, peer port 500
*Feb  7 08:42:03.367: ISAKMP: (0):New peer created peer = 0xF6D8A3D8 peer_handle = 0x80000003
*Feb  7 08:42:03.367: ISAKMP: (0):Locking peer struct 0xF6D8A3D8, refcount 1 for isakmp_initiator
*Feb  7 08:42:03.367: ISAKMP: (0):local port 500, remote port 500
*Feb  7 08:42:03.367: ISAKMP: (0):set new node 0 to QM_IDLE
*Feb  7 08:42:03.367: ISAKMP: (0):insert sa successfully sa = F4AE6228
*Feb  7 08:42:03.367: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Feb  7 08:42:03.367: ISAKMP: (0):found peer pre-shared key matching 61.128.1.1
*Feb  7 08:42:03.367: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Feb  7 08:42:03.367: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Feb  7 08:42:03.367: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Feb  7 08:42:03.367: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Feb  7 08:42:03.367: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb  7 08:42:03.367: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1


Classic IPsec VPN (Headquarters to Branch)

The figure above shows a typical headquarters-to-branch IPsec VPN; the requirement is mutual access between the internal networks of headquarters and each branch, and between the branches themselves.
