Wednesday, July 29, 2009

How to set up an IPsec tunnel between two IOS routers: IKEv1 main mode with a pre-shared key and a crypto map applied to a physical interface, followed by the ISAKMP debug output of the negotiation and the show commands used to verify the tunnel.

72MCP (7200) ------------------------ CALLGEN1 (7200)
Fa6/0 1.1.1.1                        Fa6/0 3.3.3.3

Running configuration of both routers. The crypto-relevant lines are the isakmp policy, the pre-shared key, the transform set, the crypto map and the crypto ACL 101; everything else is unrelated lab state.


CALLGEN1#sh running-config
Building configuration...

Current configuration : 1773 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CALLGEN1
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-22.4.T
boot-end-marker
!
logging message-counter syslog
logging buffered emergencies
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip host CALLGEN-SECURITY-V2 81.15.16.49 78.10.0.0
ip vrf GREEN
rd 213:112
!
ip vrf RED
rd 1:1
!
ip vrf abc
!
ip vrf xyz
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
no crypto xauth FastEthernet6/0
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key abc address 1.1.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 101
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
no ip address
!
interface FastEthernet0/0
no ip address
duplex half
!
interface GigabitEthernet1/0
no ip address
negotiation auto
!
interface FastEthernet6/0
ip address 3.3.3.3 255.255.255.0
duplex half
speed auto
crypto map vpn
!
interface FastEthernet6/1
ip address 2.2.2.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 209.168.0.0
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 FastEthernet6/0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any any
access-list 105 permit ip any any
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end

CALLGEN1#

72MCP (7200) config
=======================
72MCP#sh running-config
Building configuration...

Current configuration : 1999 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname 72MCP
!
boot-start-marker
boot system disk1:c7200-adventerprisek9-mz.124-22.4.T
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone IST 5
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip vrf GREEN
!
ip vrf RED
rd 1:1
!
ip vrf VPN1
rd 1:12
!
ip vrf vpn1-out
rd 100:1
!
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
no crypto xauth FastEthernet6/0
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key abc address 3.3.3.3
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set myset
match address 101
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback12
ip address 2.2.2.4 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface FastEthernet3/0
no ip address
duplex auto
speed auto
!
interface FastEthernet3/1
no ip address
duplex auto
speed auto
!
interface FastEthernet6/0
ip address 1.1.1.1 255.255.255.0
duplex half
crypto map vpn
!
router rip
network 209.165.0.0
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 FastEthernet6/0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any any
access-list 105 permit ip any any
!
!
!
!
!
!
tftp-server disk1:c7200-adventerprisek9-mz.124-22.4.T
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
dial-peer cor custom
!
!
!
gateway
timer receive-rtp 1200
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end

72MCP#
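The two configurations above negotiate 3DES, SHA-1, DH group 1 and HMAC-MD5 (the debug further down confirms the defaults), use the pre-shared key "abc", keep it in clear text ("no service password-encryption") and use "permit ip any any" as the crypto ACL. That is fine for a lab and not for anything else. The following is an added example, not part of the original post: the lab's crypto lines next to a hardened equivalent for the 72MCP side (mirror it on CALLGEN1 with peer 1.1.1.1). The pre-shared key placeholder, the DPD timers and the loopback subnets in the crypto ACL are assumptions; whether "hash sha256", "group 14" and "esp-sha256-hmac" are accepted depends on the IOS release (the lab runs 12.4(22)T), so the example uses "group 5" and names the stronger options in comments.

```text
! ---- As configured in the lab above (72MCP side) ----
crypto isakmp policy 10
 encr 3des
 authentication pre-share
! hash, group and lifetime were left at their defaults: SHA-1, DH group 1, 86400 s
crypto isakmp key abc address 3.3.3.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 101 permit ip any any

! ---- Hardened equivalent (assumed values; check your release for sha256 / group 14) ----
! Store keys as type 6 (AES) instead of clear text. The first command prompts for the master key.
key config-key password-encrypt
password encryption aes
service password-encryption
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
! Prefer 'hash sha256' and 'group 14' (or higher) where the IOS release supports them.
! Dead peer detection, so a dead peer tears the SA down instead of blackholing traffic.
crypto isakmp keepalive 10 3 periodic
! Entered with '0' (clear text); IOS writes it back to the config as 'key 6 <ciphertext>'.
! Use a long random value, and lock the key to the single peer with a /32 mask.
crypto isakmp key 0 <long-random-pre-shared-key> address 3.3.3.3 255.255.255.255
!
! 'esp-sha256-hmac' is the better choice where the release offers it.
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set myset
 set pfs group5
 match address 101
!
! Crypto ACL scoped to the traffic that should be protected (the two loopback networks
! from the lab) instead of 'permit ip any any', which also drags RIP and management
! traffic on FastEthernet6/0 into the tunnel and yields the any/any proxy identities
! seen in 'show crypto ipsec sa' further down.
no access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
```

"set pfs" is what adds a fresh Diffie-Hellman exchange to every quick mode; without it (as in the lab, where "show crypto map" reports "PFS (Y/N): N") every phase 2 key is derived from the single phase 1 secret, so compromising that one secret exposes all IPsec keys for the lifetime of the IKE SA.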
LOGS ("debug crypto isakmp" on 72MCP; CALLGEN1 initiated, so 72MCP is the responder, hence the "(R)" markers):


72MCP#
*Jul 29 05:14:16.419 IST: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (N) NEW SA
*Jul 29 05:14:16.419 IST: ISAKMP: Created a peer struct for 3.3.3.3, peer port 500
*Jul 29 05:14:16.419 IST: ISAKMP: New peer created peer = 0x67F3103C peer_handle = 0x80000027
*Jul 29 05:14:16.419 IST: ISAKMP: Locking peer struct 0x67F3103C, refcount 1 for crypto_isakmp_process_block
*Jul 29 05:14:16.419 IST: ISAKMP: local port 500, remote port 500
*Jul 29 05:14:16.419 IST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67F2E6D8
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 29 05:14:16.423 IST: ISAKMP:(0):found peer pre-shared key matching 3.3.3.3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): local preshared key found
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy <----- the initiator's phase 1 proposal, checked against local policy 10
*Jul 29 05:14:16.423 IST: ISAKMP: encryption 3DES-CBC
*Jul 29 05:14:16.423 IST: ISAKMP: hash SHA
*Jul 29 05:14:16.423 IST: ISAKMP: default group 1
*Jul 29 05:14:16.423 IST: ISAKMP: auth pre-share
*Jul 29 05:14:16.423 IST: ISAKMP: life type in seconds
*Jul 29 05:14:16.423 IST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 29 05:14:16.423 IST: ISAKMP:(0):atts are acceptable. Next payload is 0 <----- the proposal matches policy 10 (hash SHA, group 1 and the 86400 s lifetime are IOS defaults, since the policy only sets encr and authentication)
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Acceptable atts:life: 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Returning Actual lifetime: 86400
*Jul 29 05:14:16.423 IST: ISAKMP:(0)::Started lifetime timer: 86400.

*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Jul 29 05:14:16.423 IST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 29 05:14:16.423 IST: ISAKMP:(0): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Jul 29 05:14:16.431 IST: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 29 05:14:16.431 IST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.431 IST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Jul 29 05:14:16.431 IST: ISAKMP:(0): processing KE payload. message ID = 0 <----- 1: the initiator's Diffie-Hellman public value
*Jul 29 05:14:16.447 IST: ISAKMP:(0): processing NONCE payload. message ID = 0 <----- 2: the initiator's nonce
*Jul 29 05:14:16.447 IST: ISAKMP:(0):found peer pre-shared key matching 3.3.3.3 <----- 3: the PSK is selected by peer IP, because in main mode the ID payload only arrives in MM5
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID is DPD
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): speaking to another IOS box!
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID seems Unity/DPD but major 202 mismatch
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID is XAUTH
*Jul 29 05:14:16.451 IST: ISAKMP:received payload type 20
*Jul 29 05:14:16.451 IST: ISAKMP (1014): His hash no match - this node outside NAT
*Jul 29 05:14:16.451 IST: ISAKMP:received payload type 20
*Jul 29 05:14:16.451 IST: ISAKMP (1014): No NAT Found for self or peer
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Jul 29 05:14:16.451 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Jul 29 05:14:16.475 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing ID payload. message ID = 0
*Jul 29 05:14:16.475 IST: ISAKMP (1014): ID payload
next-payload : 8
type : 1
address : 3.3.3.3
protocol : 17
port : 500
length : 12
*Jul 29 05:14:16.475 IST: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing HASH payload. message ID = 0
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 67F2E6D8
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA authentication status:
authenticated
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA has been authenticated with 3.3.3.3
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA authentication status:
authenticated
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): Process initial contact,
bring down existing phase 1 and 2 SA's with local 1.1.1.1 remote 3.3.3.3 remote port 500
*Jul 29 05:14:16.475 IST: ISAKMP: Trying to insert a peer 1.1.1.1/3.3.3.3/500/, and inserted successfully 67F3103C.
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 29 05:14:16.475 IST: ISAKMP (1014): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Total payload length: 12
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Jul 29 05:14:16.483 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) QM_IDLE
*Jul 29 05:14:16.483 IST: ISAKMP: set new node 1209569574 to QM_IDLE
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing HASH payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing SA payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Checking IPSec proposal 1
*Jul 29 05:14:16.483 IST: ISAKMP: transform 1, ESP_3DES
*Jul 29 05:14:16.483 IST: ISAKMP: attributes in transform:
*Jul 29 05:14:16.483 IST: ISAKMP: encaps is 1 (Tunnel)
*Jul 29 05:14:16.483 IST: ISAKMP: SA life type in seconds
*Jul 29 05:14:16.483 IST: ISAKMP: SA life duration (basic) of 3600
*Jul 29 05:14:16.483 IST: ISAKMP: SA life type in kilobytes
*Jul 29 05:14:16.483 IST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 29 05:14:16.483 IST: ISAKMP: authenticator is HMAC-MD5
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):atts are acceptable.
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing NONCE payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing ID payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing ID payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):QM Responder gets spi
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Node 1209569574, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): Creating IPSec SAs <----- 1: inbound SA (3.3.3.3 -> 1.1.1.1), SPI chosen by this router
*Jul 29 05:14:16.483 IST: inbound SA from 3.3.3.3 to 1.1.1.1 (f/i) 0/ 0
(proxy 0.0.0.0 to 0.0.0.0)
*Jul 29 05:14:16.483 IST: has spi 0x755AF835 and conn_id 0
*Jul 29 05:14:16.483 IST: lifetime of 3600 seconds
*Jul 29 05:14:16.483 IST: lifetime of 4608000 kilobytes
*Jul 29 05:14:16.483 IST: outbound SA from 1.1.1.1 to 3.3.3.3 (f/i) 0/0 <----- 2: outbound SA, SPI chosen by the peer; the 0.0.0.0 proxy identities on both SAs come from the any/any crypto ACL
(proxy 0.0.0.0 to 0.0.0.0)
*Jul 29 05:14:16.487 IST: has spi 0x259DA62E and conn_id 0
*Jul 29 05:14:16.487 IST: lifetime of 3600 seconds
*Jul 29 05:14:16.487 IST: lifetime of 4608000 kilobytes
*Jul 29 05:14:16.487 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 29 05:14:16.487 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.487 IST: ISAKMP:(1014):Node 1209569574, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 29 05:14:16.487 IST: ISAKMP:(1014):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 29 05:14:16.491 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) QM_IDLE
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):deleting node 1209569574 error FALSE reason "QM done (await)"
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):Node 1209569574, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
72MCP#
72MCP#
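What the debug above really tells you is which attributes the two routers agreed on, and a practitioner wants that compared against a baseline rather than read by eye. The Python below is an added example, not part of the original post: it pulls the accepted phase 1 policy attributes and the phase 2 proposal out of "debug crypto isakmp" lines like the ones above (including decoding the "VPI" lifetime bytes) and flags anything weaker than AES, SHA-2, DH group 14 and PFS. The sample lines are copied from this page; the "hardened" counter-example is constructed, and the wording of its "group is N" PFS line is an assumption about the debug format rather than something shown on this page.

```python
import re
from typing import List

# Constructed sample: the attribute lines from the 'debug crypto isakmp' output on this page
# (72MCP responding to 3.3.3.3). Everything else in that debug is noise to this audit.
SAMPLE_LOG = """\
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 29 05:14:16.423 IST: ISAKMP: encryption 3DES-CBC
*Jul 29 05:14:16.423 IST: ISAKMP: hash SHA
*Jul 29 05:14:16.423 IST: ISAKMP: default group 1
*Jul 29 05:14:16.423 IST: ISAKMP: life type in seconds
*Jul 29 05:14:16.423 IST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 29 05:14:16.423 IST: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Checking IPSec proposal 1
*Jul 29 05:14:16.483 IST: ISAKMP: transform 1, ESP_3DES
*Jul 29 05:14:16.483 IST: ISAKMP: encaps is 1 (Tunnel)
*Jul 29 05:14:16.483 IST: ISAKMP: SA life type in seconds
*Jul 29 05:14:16.483 IST: ISAKMP: SA life duration (basic) of 3600
*Jul 29 05:14:16.483 IST: ISAKMP: SA life type in kilobytes
*Jul 29 05:14:16.483 IST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 29 05:14:16.483 IST: ISAKMP: authenticator is HMAC-MD5
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):atts are acceptable.
"""

# Constructed counter-example of what a hardened policy negotiates. The 'group is N' line
# for the PFS group is an assumed debug format, not copied from this page.
HARDENED_LOG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA256
ISAKMP: default group 14
ISAKMP:(1015):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: authenticator is HMAC-SHA256
ISAKMP: group is 14
ISAKMP:(1015):atts are acceptable.
"""

# (field name, regex) per phase; the first pattern that matches a line wins.
ATTR_PATTERNS = {
    "p1": [("encryption", r"\bencryption (\S+)"), ("hash", r"\bhash (\S+)"),
           ("group", r"\bgroup (\d+)")],
    "p2": [("transform", r"transform \d+, (\S+)"), ("mode", r"encaps is \d+ \((\w+)\)"),
           ("authenticator", r"authenticator is (\S+)"), ("pfs_group", r"\bgroup is (\d+)")],
}

def _vpi(tokens: str) -> int:
    """Decode a 'VPI' attribute printed as big-endian hex bytes ('0x0 0x1 0x51 0x80' -> 86400)."""
    return int("".join("%02x" % int(t, 16) for t in tokens.split()), 16)

def parse_isakmp_debug(text: str) -> dict:
    """Return {'p1': {...}, 'p2': {...}}: the attributes the responder accepted for each phase."""
    neg = {"p1": {}, "p2": {}}
    phase = life_type = None
    for line in text.splitlines():
        body = line.split("ISAKMP", 1)[-1]            # drop the timestamp prefix
        if "Checking ISAKMP transform" in body:
            phase = "p1"
        elif "Checking IPSec proposal" in body:
            phase = "p2"
        elif "atts are acceptable" in body:
            phase = None                               # attribute listing for this phase is over
        elif phase is None:
            continue
        elif (m := re.search(r"life type in (seconds|kilobytes)", body)):
            life_type = m.group(1)                     # qualifies the next 'life duration' line
        elif (m := re.search(r"life duration \((?:basic|VPI)\) of\s+(.+?)\s*$", body)):
            raw = m.group(1)
            neg[phase]["life_" + str(life_type)] = _vpi(raw) if raw.startswith("0x") else int(raw)
        else:
            for name, pattern in ATTR_PATTERNS[phase]:
                if (m := re.search(pattern, body)):
                    neg[phase][name] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
                    break
    return neg

def audit(neg: dict) -> List[str]:
    """Compare what was negotiated with a modern baseline: AES, SHA-2, DH group >= 14, PFS."""
    p1, p2, findings = neg["p1"], neg["p2"], []
    if not str(p1.get("encryption")).startswith("AES"):
        findings.append(f"phase 1 encryption {p1.get('encryption')}: replace with AES")
    if p1.get("hash") not in ("SHA256", "SHA384", "SHA512"):
        findings.append(f"phase 1 hash {p1.get('hash')}: SHA-1/MD5, replace with SHA-2")
    if p1.get("group", 0) < 14:
        findings.append(f"phase 1 DH group {p1.get('group')}: use group 14 or stronger")
    if not str(p2.get("transform")).startswith("ESP_AES"):
        findings.append(f"phase 2 transform {p2.get('transform')}: replace with ESP_AES")
    if p2.get("authenticator") in (None, "HMAC-MD5", "HMAC-SHA"):   # HMAC-SHA here is SHA-1
        findings.append(f"phase 2 integrity {p2.get('authenticator')}: replace with an HMAC-SHA2 variant")
    if "pfs_group" not in p2:
        findings.append("phase 2 has no PFS group: add 'set pfs group14' (or stronger) to the crypto map")
    if p2.get("mode") != "Tunnel":
        findings.append(f"phase 2 encapsulation {p2.get('mode')}: expected Tunnel for a site-to-site SA")
    return findings
```

Running audit(parse_isakmp_debug(SAMPLE_LOG)) on the page's negotiation returns six findings (3DES and SHA-1 with group 1 in phase 1, ESP_3DES with HMAC-MD5 and no PFS in phase 2); the hardened sample returns none. The same parser works on the initiator side, since the attribute lines are printed identically for "(I)" exchanges.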
72MCP#show crypto map
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 3.3.3.3
Extended IP access list 101
access-list 101 permit ip any any
Current peer: 3.3.3.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map vpn:
FastEthernet6/0

Interfaces using crypto map vpnmap:

72MCP#
72MCP#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.

1014  1.1.1.1         3.3.3.3                ACTIVE  3des  sha   psk   1   23:46:12
Engine-id:Conn-id = SW:14

IPv6 Crypto ISAKMP SA

72MCP#
72MCP#show crypto isakmp peer
Peer: 3.3.3.3 Port: 500 Local: 1.1.1.1
Phase1 id: 3.3.3.3
72MCP#
72MCP#show crypto ipsec sa detail
PFS (Y/N): N, DH group: none

interface: FastEthernet6/0
Crypto map tag: vpn, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet6/0
current outbound spi: 0x259DA62E(631088686)

inbound esp sas:
spi: 0x755AF835(1968896053)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 427, flow_id: SW:427, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4557478/2717)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x259DA62E(631088686)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 428, flow_id: SW:428, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4557478/2717)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
72MCP#
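Once the session reports UP-ACTIVE, the counters in "show crypto ipsec sa detail" are the evidence that traffic is really being protected in both directions. The Python below is an added example, not from the original post: it parses that output, checks that the encaps/encrypt/digest and decaps/decrypt/verify counters agree, that no error or replay counter is non-zero, that both ESP SAs are ACTIVE and the outbound one matches "current outbound spi", and flags the any/any proxy identities that result from "access-list 101 permit ip any any". The sample is this page's output with the all-zero compression counters and the empty PCP sections trimmed; the 300-second rekey warning threshold is an assumption.

```python
import re
from typing import List

# Constructed sample: the 'show crypto ipsec sa detail' output from this page, with the
# all-zero compression counters and the empty PCP sections trimmed away.
SAMPLE = """\
interface: FastEthernet6/0
    Crypto map tag: vpn, local addr 1.1.1.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 3.3.3.3 port 500
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    ##pkts replay failed (rcv): 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
     current outbound spi: 0x259DA62E(631088686)

     inbound esp sas:
      spi: 0x755AF835(1968896053)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4557478/2717)
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0x259DA62E(631088686)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4557478/2717)
        Status: ACTIVE
"""

def parse_ipsec_sa(text: str) -> dict:
    """Extract the packet counters, proxy identities, current outbound SPI and each ESP SA."""
    sa = {"counters": {}, "sas": {}}
    for name, value in re.findall(r"#pkts\s+([^:,\d]+?)[:\s]+(\d+)", text):
        sa["counters"][name.strip()] = int(value)
    for side in ("local", "remote"):
        m = re.search(rf"{side}\s+ident .*?: \(([^)]+)\)", text)
        sa[side + "_ident"] = m.group(1) if m else ""
    m = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", text)
    sa["current_outbound_spi"] = m.group(1).lower() if m else None
    # One block per direction, ending at the next '... sas:' header or at the end of the output.
    block_re = (r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)\(\d+\)(.*?)"
                r"(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)")
    for direction, spi, details in re.findall(block_re, text, re.S):
        kb, sec = re.search(r"lifetime \(k/sec\): \((\d+)/(\d+)\)", details).groups()
        sa["sas"][direction] = {
            "spi": spi.lower(),
            "transform": re.search(r"transform: ([^,]+)", details).group(1).strip(),
            "status": re.search(r"Status: (\w+)", details).group(1),
            "remaining_kb": int(kb),
            "remaining_sec": int(sec),
        }
    return sa

def check_tunnel(sa: dict, rekey_warn_sec: int = 300) -> List[str]:
    """The checks a practitioner runs once 'show crypto session' says UP-ACTIVE."""
    c, findings = sa["counters"], []
    if not (c.get("encaps") == c.get("encrypt") == c.get("digest")):
        findings.append("outbound counters disagree (encaps/encrypt/digest): packets lost in the crypto path")
    if not (c.get("decaps") == c.get("decrypt") == c.get("verify")):
        findings.append("inbound counters disagree (decaps/decrypt/verify): decryption or integrity failures")
    if not c.get("encaps") or not c.get("decaps"):
        findings.append("traffic in one direction only: check the peer's crypto ACL and routing")
    for name, value in c.items():
        if value and any(w in name for w in ("failed", "invalid", "no sa")):
            findings.append(f"error counter '{name}' = {value}")
    for direction in ("inbound", "outbound"):
        esp = sa["sas"].get(direction)
        if esp is None:
            findings.append(f"no {direction} ESP SA")
        elif esp["status"] != "ACTIVE":
            findings.append(f"{direction} ESP SA status {esp['status']}")
        elif esp["remaining_sec"] < rekey_warn_sec:
            findings.append(f"{direction} ESP SA rekeys in {esp['remaining_sec']} s")
    out = sa["sas"].get("outbound")
    if out and out["spi"] != sa["current_outbound_spi"]:
        findings.append("outbound SA SPI differs from 'current outbound spi': a stale SA is still listed")
    if sa["local_ident"].startswith("0.0.0.0/0.0.0.0") and sa["remote_ident"].startswith("0.0.0.0/0.0.0.0"):
        findings.append("proxy identities are any/any: the crypto ACL is 'permit ip any any', so every packet "
                        "leaving the interface is matched by the crypto map; scope it to the protected subnets")
    return findings
```

For the page's output, check_tunnel(parse_ipsec_sa(SAMPLE)) reports exactly one finding, the any/any proxy identity; the eight packets each way with every error counter at zero are what a healthy, freshly built tunnel looks like. Rerun it after a few minutes of traffic: counters that stop incrementing in one direction while the SA stays ACTIVE point at routing or a mismatched crypto ACL on the peer, not at the crypto itself.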
72MCP#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet6/0
Uptime: 00:15:10
Session status: UP-ACTIVE
Peer: 3.3.3.3 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 3.3.3.3
Desc: (none)
IKE SA: local 1.1.1.1/500 remote 3.3.3.3/500 Active
Capabilities:(none) connid:1014 lifetime:23:44:49
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 8 drop 0 life (KB/Sec) 4557478/2689
Outbound: #pkts enc'ed 8 drop 0 life (KB/Sec) 4557478/2689

72MCP#
72MCP#show crypto engine connection active
Crypto Engine Connections

ID    Type   Algorithm   Encrypt  Decrypt  IP-Address
427   IPsec  3DES+MD5          0        8  1.1.1.1
428   IPsec  3DES+MD5          8        0  1.1.1.1
1014  IKE    SHA+3DES          0        0  1.1.1.1

72MCP#