其他分享
首页 > 其他分享> > Spoke to Spoke FlexVirtualPN

Spoke to Spoke FlexVirtualPN

作者:互联网

Hub

hostname Hub
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login noacs line none
aaa authorization network Qytang-Author-Network-List local 
!
clock timezone GMT 8 0
!
ip domain name qytang.com
!
crypto pki server CA
 database level complete
 no database archive
 issuer-name cn=HubCA.qytang.com,ou=qytang
 grant auto
!
crypto pki trustpoint CA
 revocation-check crl
 rsakeypair CA
!
crypto pki trustpoint HubCA
 enrollment url http://202.100.1.100:80
 subject-name cn=Hub.qytang.com,ou=qytang
 revocation-check crl
 eku request server-auth client-auth 
!
!
!
crypto pki certificate map Qytang-cert-Map 10
 subject-name co ou = qytang
!
crypto pki certificate chain CA
 certificate ca 01
  30820231 3082019A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32343431 395A170D 
  32303132 32373132 34343139 5A302C31 0F300D06 0355040B 13067179 74616E67 
  31193017 06035504 03131048 75624341 2E717974 616E672E 636F6D30 819F300D 
  06092A86 4886F70D 01010105 0003818D 00308189 02818100 B7A867E0 DA6858AF 
  32D9264F 98B0FCA3 5BA5242B 8CA55FAD 27FEB1C6 C51A72B1 1EC40C35 8134982F 
  20E715B3 946333D5 705B6983 484FA71A 30798199 688A07CE 0FBBA657 5D3E9206 
  ED44F4FC 701ED0D2 FD06FA81 CA8B70F2 7EF5B058 F33D8EA4 C2307DE8 4D647EE0 
  0E06BA40 932D228F 1835EADE C5703469 026E3708 53EA91FF 02030100 01A36330 
  61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 
  0186301F 0603551D 23041830 1680146C 0B32F165 9EA2A94C F68C5EDA 5B611618 
  C1CD5030 1D060355 1D0E0416 04146C0B 32F1659E A2A94CF6 8C5EDA5B 611618C1 
  CD50300D 06092A86 4886F70D 01010405 00038181 005980B5 D374D49C 6EAB7C91 
  25980E1E DE70EF4A C6197BE4 63C90FE8 E05AEDDE DCB8D6A7 14306DCB 4BDBBEE9 
  92960211 EE3E9FE0 5ED933B7 1063A0C4 046A0D8B 5F946782 E27DEB72 130B84B5 
  B63D3894 B302A162 54D22AA3 C8B6317A 846BFC9C CCACDD5D 77234619 C1EEBD8D 
  E476FD15 724B018A 3156BB57 DED80C7D BD3C1A41 C6
        quit
crypto pki certificate chain HubCA
 certificate 02
  30820259 308201C2 A0030201 02020102 300D0609 2A864886 F70D0101 05050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32343534 395A170D 
  31383132 32383132 34353439 5A304931 0F300D06 0355040B 13067179 74616E67 
  31173015 06035504 03130E48 75622E71 7974616E 672E636F 6D311D30 1B06092A 
  864886F7 0D010902 160E4875 622E7179 74616E67 2E636F6D 30819F30 0D06092A 
  864886F7 0D010101 05000381 8D003081 89028181 00AB9915 14E23273 9F150B0B 
  368FC260 B7A5EF6C 96907C81 EF1FCF66 9FCF5636 DAFBC9C0 99CB2BB5 CD0544FC 
  5B21748A BD640C8D 618A9383 8C991FC0 B9DBF818 ECA5BD59 EE8C9B0D E93B1EE8 
  3F0D8C9C 7F4E7C44 23E9BDD5 4E3B4E30 A2CB9E0B 886217C6 2CC3E06B 7D3E584A 
  881AA869 62F0272D DB41B2F8 6D49CE34 86E3422E 13020301 0001A36E 306C301D 
  0603551D 25041630 1406082B 06010505 07030106 082B0601 05050703 02300B06 
  03551D0F 04040302 05A0301F 0603551D 23041830 1680146C 0B32F165 9EA2A94C 
  F68C5EDA 5B611618 C1CD5030 1D060355 1D0E0416 0414B29B C0C65E71 18999DC5 
  4F7EB8FD 73FEE8D9 C268300D 06092A86 4886F70D 01010505 00038181 0006A808 
  229F8AD5 27DC1915 460B1AB3 0D4D940A 7219BC29 20FA20C6 ADFFA32C 5FEEBFF0 
  5FF5D676 7D9449E0 DDF14CC7 9A8427B1 2E635291 AD729658 872098CE D6E5CB3F 
  4751E021 6CD60592 FE46B5B0 073A77F5 D285562F 96B84B09 8C483C05 AFB21A90 
  9FCD931E FE3245C8 7C6AA888 0728578D 88433903 3FA4E3BB 9C312EC8 EC
        quit
 certificate ca 01
  30820231 3082019A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32343431 395A170D 
  32303132 32373132 34343139 5A302C31 0F300D06 0355040B 13067179 74616E67 
  31193017 06035504 03131048 75624341 2E717974 616E672E 636F6D30 819F300D 
  06092A86 4886F70D 01010105 0003818D 00308189 02818100 B7A867E0 DA6858AF 
  32D9264F 98B0FCA3 5BA5242B 8CA55FAD 27FEB1C6 C51A72B1 1EC40C35 8134982F 
  20E715B3 946333D5 705B6983 484FA71A 30798199 688A07CE 0FBBA657 5D3E9206 
  ED44F4FC 701ED0D2 FD06FA81 CA8B70F2 7EF5B058 F33D8EA4 C2307DE8 4D647EE0 
  0E06BA40 932D228F 1835EADE C5703469 026E3708 53EA91FF 02030100 01A36330 
  61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 
  0186301F 0603551D 23041830 1680146C 0B32F165 9EA2A94C F68C5EDA 5B611618 
  C1CD5030 1D060355 1D0E0416 04146C0B 32F1659E A2A94CF6 8C5EDA5B 611618C1 
  CD50300D 06092A86 4886F70D 01010405 00038181 005980B5 D374D49C 6EAB7C91 
  25980E1E DE70EF4A C6197BE4 63C90FE8 E05AEDDE DCB8D6A7 14306DCB 4BDBBEE9 
  92960211 EE3E9FE0 5ED933B7 1063A0C4 046A0D8B 5F946782 E27DEB72 130B84B5 
  B63D3894 B302A162 54D22AA3 C8B6317A 846BFC9C CCACDD5D 77234619 C1EEBD8D 
  E476FD15 724B018A 3156BB57 DED80C7D BD3C1A41 C6
        quit
!
username ccieadmin privilege 15 password 0 Cisc0123
username admin privilege 15 password 0 Cisc0123
!
crypto ikev2 authorization policy Qytang-IKEv2-Author-Policy 
 pool Qytang-Address-Pool
 def-domain qytang.com
 route set interface
 route set access-list Spoke-to-Spoke-Network
!
crypto ikev2 profile Qytang-IKEv2-Profile
 match certificate Qytang-cert-Map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint HubCA
 aaa authorization group cert list Qytang-Author-Network-List Qytang-IKEv2-Author-Policy
 virtual-template 1
!
crypto ipsec profile Qytang-IPSec-Profile
 set ikev2-profile Qytang-IKEv2-Profile
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 10
 ip nhrp redirect
 tunnel protection ipsec profile Qytang-IPSec-Profile
!
ip local pool Qytang-Address-Pool 172.16.1.1 172.16.1.100
ip http server
!
ip access-list standard Spoke-to-Spoke-Network
 permit 192.168.0.0 0.0.255.255

!
line con 0
 login authentication noacs
!
ntp master
           

Spoke1

hostname Spoke1
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login noacs line none
aaa authorization network Qytang-Author-Network-List local 
!
clock timezone GMT 8 0
!
ip domain name qytang.com
!
crypto pki trustpoint CA
 enrollment url http://202.100.1.100:80
 serial-number
 subject-name cn=Spoke1.qytang.com,ou=qytang
 revocation-check crl
!
!
!
crypto pki certificate map Qytang-cert-Map 10
 subject-name co ou = qytang
!
crypto pki certificate chain CA
 certificate 03
  30820254 308201BD A0030201 02020103 300D0609 2A864886 F70D0101 05050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32343834 335A170D 
  31383132 32383132 34383433 5A306331 0F300D06 0355040B 13067179 74616E67 
  311A3018 06035504 03131153 706F6B65 312E7179 74616E67 2E636F6D 31343012 
  06035504 05130B39 584A304C 45554557 4C41301E 06092A86 4886F70D 01090216 
  1153706F 6B65312E 71797461 6E672E63 6F6D3081 9F300D06 092A8648 86F70D01 
  01010500 03818D00 30818902 818100D0 9F9421B1 D754429C B4C120B3 6C7D3BE8 
  6DD8D762 DB515024 C224ABDD 705F8BD0 F7807193 DE3E7071 755C8D91 D63CA7EB 
  309898CD B66F106C 9540E406 72A981D2 AEBE40F2 20F891D9 4817A861 EC32BD05 
  D86AB309 92CA6669 F93C2898 49D6E586 28CE66B1 06765F0F 7CF0BCAB 744A5024 
  668BFC3B 5B86C110 FB4069EF E15DFB02 03010001 A34F304D 300B0603 551D0F04 
  04030205 A0301F06 03551D23 04183016 80146C0B 32F1659E A2A94CF6 8C5EDA5B 
  611618C1 CD50301D 0603551D 0E041604 141D39DE 2D8EA167 0557E7C6 A2464BFF 
  6FEBA2A8 B9300D06 092A8648 86F70D01 01050500 03818100 10911C7A 6EEE16A3 
  6AE14C55 277D94E0 D5A0B9A3 C0396F86 0CF675D4 D0C63846 E10C9BFB EA140CE3 
  F61DA575 971EDC7D FB765275 18E1D613 07E63D31 74174B1E F19662BC 85295449 
  6E8BA553 45C3A195 4B2AF35E EB8CD7CF D283C662 2C19C8B5 6A642651 53F866F2 
  BA75D479 9867BED5 3EB4FC48 810CD31A F1469E9C 7C037A5D
        quit
 certificate ca 01
  30820231 3082019A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32343431 395A170D 
  32303132 32373132 34343139 5A302C31 0F300D06 0355040B 13067179 74616E67 
  31193017 06035504 03131048 75624341 2E717974 616E672E 636F6D30 819F300D 
  06092A86 4886F70D 01010105 0003818D 00308189 02818100 B7A867E0 DA6858AF 
  32D9264F 98B0FCA3 5BA5242B 8CA55FAD 27FEB1C6 C51A72B1 1EC40C35 8134982F 
  20E715B3 946333D5 705B6983 484FA71A 30798199 688A07CE 0FBBA657 5D3E9206 
  ED44F4FC 701ED0D2 FD06FA81 CA8B70F2 7EF5B058 F33D8EA4 C2307DE8 4D647EE0 
  0E06BA40 932D228F 1835EADE C5703469 026E3708 53EA91FF 02030100 01A36330 
  61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 
  0186301F 0603551D 23041830 1680146C 0B32F165 9EA2A94C F68C5EDA 5B611618 
  C1CD5030 1D060355 1D0E0416 04146C0B 32F1659E A2A94CF6 8C5EDA5B 611618C1 
  CD50300D 06092A86 4886F70D 01010405 00038181 005980B5 D374D49C 6EAB7C91 
  25980E1E DE70EF4A C6197BE4 63C90FE8 E05AEDDE DCB8D6A7 14306DCB 4BDBBEE9 
  92960211 EE3E9FE0 5ED933B7 1063A0C4 046A0D8B 5F946782 E27DEB72 130B84B5 
  B63D3894 B302A162 54D22AA3 C8B6317A 846BFC9C CCACDD5D 77234619 C1EEBD8D 
  E476FD15 724B018A 3156BB57 DED80C7D BD3C1A41 C6
        quit
!
username ccieadmin privilege 15 password 0 Cisc0123
!
crypto ikev2 authorization policy Qytang-IKEv2-Author-Policy 
 route set interface
 route set access-list Qytang-Spoke1-Network
!
crypto ikev2 profile Qytang-IKEv2-Profile
 match certificate Qytang-cert-Map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 aaa authorization group cert list Qytang-Author-Network-List Qytang-IKEv2-Author-Policy
 virtual-template 1
!
crypto ipsec profile Qytang-IPSec-Profile
 set ikev2-profile Qytang-IKEv2-Profile
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 10
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1
 tunnel destination 202.100.1.100
 tunnel protection ipsec profile Qytang-IPSec-Profile
!
interface GigabitEthernet1
 ip address 202.100.1.1 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 10
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile Qytang-IPSec-Profile
!
ip http server
!
ip access-list standard Qytang-Spoke1-Network
 permit 192.168.1.0 0.0.0.255
!
line con 0
 login authentication noacs
!
ntp server 202.100.1.100

Spoke2

hostname Spoke2
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login noacs line none
aaa authorization network Qytang-Author-Network-List local 
!
clock timezone GMT 8 0
!
ip domain name qytang.com
!
crypto pki trustpoint CA
 enrollment url http://202.100.1.100:80
 serial-number
 subject-name cn=Spoke2.qytang.com,ou=qytang
 revocation-check crl
!
crypto pki certificate map Qytang-cert-Map 10
 subject-name co ou = qytang
!
crypto pki certificate chain CA
 certificate 04
  30820254 308201BD A0030201 02020104 300D0609 2A864886 F70D0101 05050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32353130 355A170D 
  31383132 32383132 35313035 5A306331 0F300D06 0355040B 13067179 74616E67 
  311A3018 06035504 03131153 706F6B65 322E7179 74616E67 2E636F6D 31343012 
  06035504 05130B39 42335631 46444446 3537301E 06092A86 4886F70D 01090216 
  1153706F 6B65322E 71797461 6E672E63 6F6D3081 9F300D06 092A8648 86F70D01 
  01010500 03818D00 30818902 818100A3 940867B4 336B7A9A 3535E14A 42856132 
  163C0FDD 2819EC44 1206D9CD 4A02E891 4E5BBCEE 4D7153A8 A41E6849 DBDBF90F 
  FA2AB649 EBCFA3AA 25F09C1A F7AAC85F FD36005A CA807F3A BAE145D2 29EC0277 
  9129CE51 FCD641A1 37B35545 39336568 5E9C8D94 6729BD71 D2F48718 17BFB56D 
  C9C7B00D E421FF36 F85FBE0B B5B71102 03010001 A34F304D 300B0603 551D0F04 
  04030205 A0301F06 03551D23 04183016 80146C0B 32F1659E A2A94CF6 8C5EDA5B 
  611618C1 CD50301D 0603551D 0E041604 143D5FFE 6C2FFB8C BD4400E8 ED8D34DF 
  A31E6D86 D4300D06 092A8648 86F70D01 01050500 03818100 47DED7D2 98D4718B 
  DB7DBDFE 3B07A028 9469ACBF A4512185 05DEF5B7 17C59319 B751D3DB 2F980BEE 
  3707AC12 C627CA81 797622E1 D987A7B7 E609CB78 53B8C314 E206C773 38F25AF4 
  5C4E4D4F 27F3605B 61503BE2 0DCA40B0 7AABC5D1 66B89556 60D4919E 12D207A4 
  0DEB0DAD 84181E83 03EDC9F1 F7538911 539636C2 ED2DFCFF
        quit
 certificate ca 01
  30820231 3082019A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2C310F30 0D060355 040B1306 71797461 6E673119 30170603 55040313 10487562 
  43412E71 7974616E 672E636F 6D301E17 0D313731 32323831 32343431 395A170D 
  32303132 32373132 34343139 5A302C31 0F300D06 0355040B 13067179 74616E67 
  31193017 06035504 03131048 75624341 2E717974 616E672E 636F6D30 819F300D 
  06092A86 4886F70D 01010105 0003818D 00308189 02818100 B7A867E0 DA6858AF 
  32D9264F 98B0FCA3 5BA5242B 8CA55FAD 27FEB1C6 C51A72B1 1EC40C35 8134982F 
  20E715B3 946333D5 705B6983 484FA71A 30798199 688A07CE 0FBBA657 5D3E9206 
  ED44F4FC 701ED0D2 FD06FA81 CA8B70F2 7EF5B058 F33D8EA4 C2307DE8 4D647EE0 
  0E06BA40 932D228F 1835EADE C5703469 026E3708 53EA91FF 02030100 01A36330 
  61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 
  0186301F 0603551D 23041830 1680146C 0B32F165 9EA2A94C F68C5EDA 5B611618 
  C1CD5030 1D060355 1D0E0416 04146C0B 32F1659E A2A94CF6 8C5EDA5B 611618C1 
  CD50300D 06092A86 4886F70D 01010405 00038181 005980B5 D374D49C 6EAB7C91 
  25980E1E DE70EF4A C6197BE4 63C90FE8 E05AEDDE DCB8D6A7 14306DCB 4BDBBEE9 
  92960211 EE3E9FE0 5ED933B7 1063A0C4 046A0D8B 5F946782 E27DEB72 130B84B5 
  B63D3894 B302A162 54D22AA3 C8B6317A 846BFC9C CCACDD5D 77234619 C1EEBD8D 
  E476FD15 724B018A 3156BB57 DED80C7D BD3C1A41 C6
        quit
!
username ccieadmin privilege 15 password 0 Cisc0123
!
crypto ikev2 authorization policy Qytang-IKEv2-Author-Policy 
 route set interface
 route set access-list Qytang-Spoke2-Network
!
crypto ikev2 profile Qytang-IKEv2-Profile
 match certificate Qytang-cert-Map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 aaa authorization group cert list Qytang-Author-Network-List Qytang-IKEv2-Author-Policy
 virtual-template 1
!
crypto ipsec profile Qytang-IPSec-Profile
 set ikev2-profile Qytang-IKEv2-Profile
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 10
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1
 tunnel destination 202.100.1.100
 tunnel protection ipsec profile Qytang-IPSec-Profile
!
interface GigabitEthernet1
 ip address 202.100.1.2 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 10
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile Qytang-IPSec-Profile
!
ip forward-protocol nd
!
ip access-list standard Qytang-Spoke2-Network
 permit 192.168.2.0 0.0.0.255
!
line con 0
 login authentication noacs
!
ntp server 202.100.1.100

验证

 

HUB#sh crypto ipsec sa 

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 202.100.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.100.1.100/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.100.1.2/255.255.255.255/47/0)
   current_peer 202.100.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.100.1.100, remote crypto endpt.: 202.100.1.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xFEE858CD(4276639949)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x81CFFC2(136118210)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000008, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4607998/3380)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFEE858CD(4276639949)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000008, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4607998/3380)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 202.100.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.100.1.100/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
   current_peer 202.100.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.100.1.100, remote crypto endpt.: 202.100.1.1
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x3689C213(914997779)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB790FF78(3079733112)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80000008, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4607998/3411)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3689C213(914997779)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: CSR:4, sibling_flags FFFFFFFF80000008, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4607998/3411)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

 排错:

 有些信号IOS 认证算法不一致 

确保IOS的clock在证书的有效期在里

 
###申请根证书##crypto pki authenticate CA 
###申请个人证书##crypto pki enroll  CA
 

标签:Spoke,certificate,ip,crypto,pkts,202.100,Qytang,FlexVirtualPN
来源: https://blog.csdn.net/u012391293/article/details/122490035