ISAKMP Profile Technology and Its Application

ISAKMP Profile is a newer way of configuring IKE negotiation. Its main role is to map the phase 1 ISAKMP parameters onto the phase 2 IPsec tunnel, which lets a single device build multiple tunnels to multiple sites. It also cleanly isolates different VPNs from one another and ties the phase 1 policy much more tightly to the phase 2 policy. ISAKMP profiles are widely used in EZVPN and VRF-aware IPsec VPN configurations.

Site1:

crypto keyring ccie
  pre-shared-key address 61.128.1.1 key cisco
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
   keyring ccie
   match identity address 61.128.1.1 255.255.255.255
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 61.128.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address vpn
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 crypto map ccie
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

Internet:

interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 61.128.1.10 255.255.255.0
end

Site2:

crypto keyring ccie
  pre-shared-key address 202.100.1.1 key cisco
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile isaprof
   keyring ccie
   match identity address 202.100.1.1 255.255.255.255
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set myset
 set isakmp-profile isaprof
 match address vpn
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 61.128.1.1 255.255.255.0
 crypto map ccie
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!

Test:

Site1#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/133/148 ms

Site1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: ccie, local addr 202.100.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 61.128.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x96AB8F14(2527825684)

     inbound esp sas:
      spi: 0xF41D2511(4095550737)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ccie
        sa timing: remaining key lifetime (k/sec): (4566332/2033)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x96AB8F14(2527825684)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ccie
        sa timing: remaining key lifetime (k/sec): (4566332/2031)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Site1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Profile: isaprof
Session status: UP-ACTIVE
Peer: 61.128.1.1 port 500
  IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active
  IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
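As an added example (not code from the original post), a small Python script that parses the Site1 configuration above and audits the phase 1 to phase 2 binding the article describes: the crypto map's isakmp-profile must exist, its match identity address must cover the crypto map's set peer, and the profile's keyring must hold a pre-shared key for that peer. The parser, the SECTIONS table and check_binding are my own constructs for this check, not IOS features.

```python
import ipaddress

# Constructed sample: the phase 1 / phase 2 binding lines of this page's Site1 config.
SITE1_CFG = """\
crypto keyring ccie
 pre-shared-key address 61.128.1.1 key cisco
crypto isakmp profile isaprof
 keyring ccie
 match identity address 61.128.1.1 255.255.255.255
crypto map ccie 10 ipsec-isakmp
 set peer 61.128.1.1
 set isakmp-profile isaprof
"""
# top-level command prefix -> (table name, index of the section's name in the line)
SECTIONS = {"crypto keyring": ("keyring", 2), "crypto isakmp profile": ("profile", 3),
            "crypto map": ("map", 2)}

def parse_ios(text):
    """Collect keyrings, ISAKMP profiles and crypto map entries into nested dicts."""
    cfg, cur = {"keyring": {}, "profile": {}, "map": {}}, None
    for raw in text.splitlines():
        w = raw.split()
        if w and not raw.startswith(" "):  # top-level line opens a section (or none)
            hit = [v for k, v in SECTIONS.items() if raw.startswith(k + " ")]
            cur = cfg[hit[0][0]].setdefault(" ".join(w[hit[0][1]:]), {}) if hit else None
        elif cur is None or not w:
            continue
        elif w[:2] == ["pre-shared-key", "address"]:
            cur[w[2]] = w[4]  # peer address -> pre-shared key
        elif w[0] == "keyring":
            cur["keyring"] = w[1]
        elif w[:3] == ["match", "identity", "address"]:
            cur["match"] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[:2] == ["set", "peer"]:
            cur["peer"] = w[2]
        elif w[:2] == ["set", "isakmp-profile"]:
            cur["profile"] = w[2]
    return cfg

def check_binding(cfg):
    """Findings where a crypto map peer is not bound to a matching ISAKMP profile
    whose keyring holds a pre-shared key for that peer (empty list = consistent)."""
    out = []
    for name, m in cfg["map"].items():
        prof = cfg["profile"].get(m.get("profile"), {})
        if ipaddress.ip_address(m["peer"]) not in prof.get("match", []):
            out.append(f"{name}: peer {m['peer']} not matched by profile {m.get('profile')}")
        if m["peer"] not in cfg["keyring"].get(prof.get("keyring"), {}):
            out.append(f"{name}: no key for {m['peer']} in keyring {prof.get('keyring')}")
    return out
```

Running it against the page's Site2 configuration in the same way would show the mirror-image binding (peer 202.100.1.1) is consistent as well.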

Date: 2024-10-28 03:00:58
