このブログを検索

2015/01/14

aggressive mode

TARO#sho running-config
Building configuration...

Current configuration : 1613 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TARO
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key CISCO address 200.0.0.2 255.255.255.0
crypto isakmp keepalive 100
!
crypto isakmp peer address 200.0.0.2
 set aggressive-mode password CISCO
 set aggressive-mode client-endpoint fqdn TARO
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 100.0.0.1 255.255.255.0
 negotiation auto
 crypto map MAP1
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 172.16.2.0 255.255.255.0 100.0.0.2
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end











HANAKO#sho run
Building configuration...

Current configuration : 1552 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HANAKO
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key CISCO hostname TARO
crypto isakmp keepalive 100
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto dynamic-map DYNA1 10
 set transform-set IPSEC
 match address 101
!
!
!
crypto map MAINMAP 1 ipsec-isakmp dynamic DYNA1
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.2.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 200.0.0.2 255.255.255.0
 negotiation auto
 crypto map MAINMAP
!
ip route 0.0.0.0 0.0.0.0 200.0.0.1
ip route 172.16.1.0 255.255.255.0 100.0.0.1
ip route 172.16.1.0 255.255.255.0 200.0.0.1
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end














TARO#sho cry isa sa
dst             src             state          conn-id slot status
200.0.0.2       100.0.0.1       QM_IDLE              2    0 ACTIVE

TARO#sho cry ipsec sa

interface: GigabitEthernet1/0
    Crypto map tag: MAP1, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 16, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0
     current outbound spi: 0x78C3B43C(2026091580)

     inbound esp sas:
      spi: 0x9B9A8F46(2610597702)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: MAP1
        sa timing: remaining key lifetime (k/sec): (4554095/3565)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x78C3B43C(2026091580)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: MAP1
        sa timing: remaining key lifetime (k/sec): (4554095/3565)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
TARO#