Blog statistics

Username: 周江波
Posts: 14
Comments: 7
Visits: 4400
无忧币 (site credits): 20
Blog points: 160
Blog level: 2
Registered: 2009-08-17

2009-09-16 22:13:14
Router password recovery steps
 
Step 1: Reboot the router and hold Ctrl+Break within the first 60 seconds of boot.
Step 2: Enter the letter o, or the command e/s 2000002, to read the original configured value (the configuration register).
>o/r 0x2142        set the register to 0x2142 so the router boots without loading the startup configuration
Step 3: Run the i command to reinitialize: >i
Step 4: Enter privileged mode on the router and use
copy startup-config running-config to load the configuration held in NVRAM into running memory.
Step 5: Bring up the interfaces that should be up with the commands below.
interface e0
no shutdown
Step 6: Restore the original register value:
config-register 0x2102
Step 7: Use show running-config to view the configuration in RAM.
Step 8: Use copy running-config startup-config to save the new configuration to NVRAM.
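As an added example (not part of the original post), the following Python audits the configuration register a router reports in `show version`, so that a device left at 0x2142 after a recovery is caught before its next reload; the register bit meanings are Cisco's documented ones, the sample lines are constructed, and the function names are this example's own.

```python
"""Audit the configuration register reported by `show version`.

Added example, not part of the original post.  A router left at 0x2142
after a password recovery boots without its startup configuration, so a
reload would wipe every interface, password and access-list setting.
The register layout (boot field in bits 0-3, bit 6 = ignore NVRAM,
bit 8 = ignore Break) follows Cisco IOS documentation; the sample
`show version` lines below are constructed for this example.
"""
import re

IGNORE_NVRAM = 0x0040   # bit 6: boot ignoring startup-config (the password-recovery bit)
IGNORE_BREAK = 0x0100   # bit 8: Break key ignored during boot
BOOT_FIELD = 0x000F     # bits 0-3: 0x0 = ROMMON, 0x1 = boot helper, 0x2-0xF = system image

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_config_register(show_version):
    """Return (current, next_reload) register values; they are equal if no change is pending."""
    m = REGISTER_RE.search(show_version)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else current
    return current, nxt


def audit_register(show_version):
    """Return a list of findings; empty when both values are the normal 0x2102."""
    current, nxt = parse_config_register(show_version)
    findings = []
    for label, value in (("current", current), ("next reload", nxt)):
        if value & IGNORE_NVRAM:
            findings.append(f"{label} register 0x{value:04X} ignores NVRAM: "
                            "startup-config will not be loaded")
        if not (value & IGNORE_BREAK):
            findings.append(f"{label} register 0x{value:04X} leaves Break enabled: "
                            "console Break can drop the boot into ROMMON")
        if (value & BOOT_FIELD) == 0x0:
            findings.append(f"{label} register 0x{value:04X} boots to ROMMON")
    return findings


# Constructed samples: still in recovery state, restored for the next reload, and normal.
RECOVERY_STATE = "Configuration register is 0x2142"
RESTORED_STATE = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
NORMAL_STATE = "Configuration register is 0x2102"

if __name__ == "__main__":
    for sample in (RECOVERY_STATE, RESTORED_STATE, NORMAL_STATE):
        print(sample, "->", audit_register(sample) or ["ok"])
```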
2009-09-15 00:53:34
GRE tunnel technology
 
Goal:
Make r1 and r3 communicate by configuring only r1 and r3, with no configuration at all on r2. The technique is a GRE tunnel: a GRE tunnel is built between r1 and r3, routed traffic is encapsulated and carried through it, and the two sides can talk.
Topology diagram:


Basic configuration on R1
Router(config)#no ip do lo
Router(config)#line con 0
Router(config-line)#no exec-t
Router(config-line)#logg s
Router(config-line)#exit
Router(config)#ho r1
r1(config)#int e0/0
r1(config-if)#ip add 200.1.1.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#int lo 0
r1(config-if)#ip ad 1.1.1.1 255.255.255.0
r1(config-if)#no sh
r1(config)#ip route 0.0.0.0 0.0.0.0 e0/0        default route
Basic configuration on r2
Router(config)#no ip do lo
Router(config)#line con 0
Router(config-line)#no exec-t
Router(config-line)#logg s
Router(config-line)#exit
Router(config)#ho r2
r2(config)#int e0/0
r2(config-if)#ip ad 200.1.1.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#int e2/0
r2(config-if)#ip ad 114.1.1.2 255.255.255.0
r2(config-if)#no sh
Basic configuration on r3
Router(config)#no ip do lo
Router(config)#line con 0
Router(config-line)#no exec-t
Router(config-line)#logg s
Router(config-line)#exit
Router(config)#ho r3
r3(config)#int e2/0
r3(config-if)#ip ad 114.1.1.3 255.255.255.0
r3(config-if)#no sh
r3(config-if)#int lo 0
r3(config-if)#ip ad 3.3.3.3 255.255.255.0        loopback 3.3.3.3 referenced in the lab note below; missing from the original listing
r3(config-if)#no sh
r3(config)#ip route 0.0.0.0 0.0.0.0 e2/0        default route
Add the tunnel0 configuration on r1 and r3
r1(config)#int tunnel 0        enter the tunnel0 virtual interface
r1(config-if)#tunnel source e0/0        source interface of tunnel0
r1(config-if)#tunnel destination 114.1.1.3        public IP of the far end of tunnel0
r1(config-if)#ip ad 10.0.0.3 255.255.255.0        address tunnel0 from the internal tunnel subnet
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#ip route 3.3.3.0 255.255.255.0 10.0.0.1        static route to r3's LAN through tunnel0
r3(config)#int tunnel 0        same as above
r3(config-if)#tunnel source e2/0
r3(config-if)#tunnel destination 200.1.1.1
r3(config-if)#ip ad 10.0.0.1 255.255.255.0
r3(config-if)#no sh
r3(config)#ip route 1.1.1.0 255.255.255.0 10.0.0.3        static route to r1's LAN through tunnel0 (the original listing pointed this route at the tunnel's own 10.0.0.0/24, which is already directly connected and routes nothing)

Lab notes: this lab meets the practical need shown in such topologies, where companies link sites with a GRE tunnel; in practice GRE is usually combined with IPsec, since GRE itself provides no encryption. With only the basic configuration above, the two internal addresses 1.1.1.1 and 3.3.3.3 cannot reach each other; once the GRE tunnel is in place they can.
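An added example, not from the original post: a Python check that parses two routers' tunnel configuration in the abbreviated style above and verifies that the GRE endpoints mirror each other and that the static routes through the tunnel are sensible. The sample configs are constructed from the lab addresses and all function names are this example's own.

```python
"""Consistency check for a pair of GRE tunnel endpoints.

Added example, not from the original post.  It parses abbreviated IOS
commands as typed in the listing above (int, ip ad, tunnel source,
tunnel destination, ip route) for two routers and verifies that the two
ends mirror each other and that static routes pointing into the tunnel
make sense.  The sample configs are constructed from the lab addresses;
the r3 route repeats a common slip (a route to the tunnel's own subnet)
so the check has something to report.
"""
import ipaddress


def _iface(name):
    """Canonical interface key: 'tunnel 0' and 'Tunnel0' both become 'tunnel0'."""
    return name.replace(" ", "").lower()


def parse_ios(lines):
    """Return {'ifaces': {name: {'ip','src','dst'}}, 'routes': [(network, next_hop)]}."""
    cfg = {"ifaces": {}, "routes": []}
    cur = None
    for raw in lines:
        tok = raw.split("#", 1)[-1].split()          # drop the prompt, tokenize the command
        if not tok:
            continue
        if tok[0].startswith("int") and len(tok) > 1:
            cur = _iface(" ".join(tok[1:]))
            cfg["ifaces"].setdefault(cur, {})
        elif tok[:2] == ["ip", "route"] and len(tok) >= 5:
            cfg["routes"].append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[4]))
        elif cur is None:
            continue                                 # global command we do not model
        elif tok[0] == "ip" and len(tok) >= 4 and tok[1].startswith("ad"):
            cfg["ifaces"][cur]["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["tunnel", "source"] and len(tok) > 2:
            cfg["ifaces"][cur]["src"] = _iface(" ".join(tok[2:]))
        elif tok[:2] == ["tunnel", "destination"] and len(tok) > 2:
            cfg["ifaces"][cur]["dst"] = ipaddress.ip_address(tok[2])
    return cfg


def check_gre_pair(name_a, cfg_a, name_b, cfg_b):
    """Return a list of problems between the two ends (empty means consistent)."""
    problems = []
    for me, mine, peer, theirs in ((name_a, cfg_a, name_b, cfg_b), (name_b, cfg_b, name_a, cfg_a)):
        t_me, t_peer = mine["ifaces"]["tunnel0"], theirs["ifaces"]["tunnel0"]
        peer_src_ip = theirs["ifaces"][t_peer["src"]]["ip"].ip
        if t_me.get("dst") != peer_src_ip:           # destination must be the peer's source address
            problems.append(f"{me}: tunnel destination {t_me.get('dst')} does not match "
                            f"{peer}'s tunnel source address {peer_src_ip}")
        tun_net = t_me["ip"].network
        if t_peer["ip"].network != tun_net:          # both tunnel addresses in one subnet
            problems.append(f"{me}: tunnel subnet {tun_net} differs from {peer}'s {t_peer['ip'].network}")
        for net, nh in mine["routes"]:
            try:
                nh_ip = ipaddress.ip_address(nh)
            except ValueError:
                continue                             # next hop is an interface name, not an address
            if nh_ip not in tun_net:
                continue                             # not a route through the tunnel
            if net == tun_net:
                problems.append(f"{me}: route {net} via {nh} points at the tunnel's own subnet; "
                                "it should name the remote LAN")
            elif nh_ip != t_peer["ip"].ip:
                problems.append(f"{me}: route {net} via {nh}: next hop is not {peer}'s tunnel address")
    return problems


# Constructed samples built from the lab addresses above.
R1_CONFIG = """\
r1(config)#int e0/0
r1(config-if)#ip add 200.1.1.1 255.255.255.0
r1(config-if)#int lo 0
r1(config-if)#ip ad 1.1.1.1 255.255.255.0
r1(config)#ip route 0.0.0.0 0.0.0.0 e0/0
r1(config)#int tunnel 0
r1(config-if)#tunnel source e0/0
r1(config-if)#tunnel destination 114.1.1.3
r1(config-if)#ip ad 10.0.0.3 255.255.255.0
r1(config)#ip route 3.3.3.0 255.255.255.0 10.0.0.1
""".splitlines()

R3_CONFIG = """\
r3(config)#int e2/0
r3(config-if)#ip ad 114.1.1.3 255.255.255.0
r3(config-if)#int lo 0
r3(config-if)#ip ad 3.3.3.3 255.255.255.0
r3(config)#ip route 0.0.0.0 0.0.0.0 e2/0
r3(config)#int tunnel 0
r3(config-if)#tunnel source e2/0
r3(config-if)#tunnel destination 200.1.1.1
r3(config-if)#ip ad 10.0.0.1 255.255.255.0
r3(config)#ip route 10.0.0.0 255.255.255.0 10.0.0.3
""".splitlines()

# Same r3 config with the route pointed at r1's LAN instead of the tunnel subnet.
R3_FIXED = [l.replace("ip route 10.0.0.0 255.255.255.0", "ip route 1.1.1.0 255.255.255.0")
            for l in R3_CONFIG]

if __name__ == "__main__":
    for label, r3 in (("as listed", R3_CONFIG), ("fixed", R3_FIXED)):
        print(label, check_gre_pair("r1", parse_ios(R1_CONFIG), "r3", parse_ios(r3)) or ["ok"])
```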
 
 
2009-09-11 21:46:10
Basic configuration on r1
en
conf t
no ip do lo
line con 0
logg s
no exec-t
exi
ho r1
line vty 0 4        vty line configuration (remote login)
transport input ssh telnet        allow ssh and telnet as the vty transport protocols
exit
ip http server        enable the HTTP server
ip http authentication enable        authenticate HTTP access with the enable password
^Z
 
conf t
int e1/0
ip ad 192.168.1.2 255.255.255.0
no sh
int e0/0
ip ad 172.16.18.101 255.255.0.0
no sh
 
int lo 0
ip ad 1.1.1.1 255.255.255.0
no sh
^Z
Basic configuration on r2
en
conf t
no ip do lo
line con 0
logg s
no exec-t
exit
ho r2
ip http server        enable the HTTP server
ip http authentication enable        authenticate HTTP access with the enable password
int e1/0
ip ad 192.168.1.3 255.255.255.0
no sh
int e0/0
ip ad 172.16.18.102 255.255.0.0
no sh
int lo 0
ip ad 2.2.2.2 255.255.255.0
no sh
exit
^Z
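Added example, not from the original post: a small Python lint over the typed command sequence above that flags the management-plane settings a reviewer would question (telnet on the vty lines, no login method or access-class, HTTP without HTTPS, HTTP authentication against the enable password). The sample input is constructed from r1's listing; the function names are this example's own.

```python
"""Management-plane lint for a typed IOS command sequence.

Added example, not from the original post.  It tracks `line` and
`interface` modes in a command sequence as typed in the listing above,
then reports: telnet permitted on the vty lines, vty lines without a
login method or access-class, `ip http server` without `ip http
secure-server`, and HTTP authentication using the enable password.
The sample sequences are constructed from the r1 listing.
"""
import re

ENTER = re.compile(r"^(line|int(?:erface)?) ")      # commands that enter a sub-mode
LEAVE = {"exit", "exi", "end", "^Z"}                 # commands that return to global config


def parse_typed_config(lines):
    """Return {mode_header: [commands]}; global commands live under ''."""
    stanzas = {"": []}
    mode = ""
    for raw in lines:
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd in LEAVE:
            mode = ""
        elif ENTER.match(cmd):
            mode = cmd
            stanzas.setdefault(mode, [])
        else:
            stanzas[mode].append(cmd)
    return stanzas


def lint_management_plane(stanzas):
    """Return a list of findings; empty when the checked settings look hardened."""
    findings = []
    glob = stanzas[""]
    for mode, cmds in stanzas.items():
        if not mode.startswith("line vty"):
            continue
        for c in cmds:
            if c.startswith("transport input") and "telnet" in c.split():
                findings.append(f"{mode}: '{c}' permits cleartext telnet; use 'transport input ssh'")
        if not any(c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append(f"{mode}: no 'login local' or AAA login method configured")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{mode}: no 'access-class' restricting management sources")
    if "ip http server" in glob and "ip http secure-server" not in glob:
        findings.append("'ip http server' is enabled without 'ip http secure-server' (cleartext HTTP)")
    if "ip http authentication enable" in glob:
        findings.append("'ip http authentication enable' uses the enable password for web access; "
                        "prefer 'ip http authentication local' or AAA")
    return findings


# Constructed from the r1 listing above.
R1_TYPED = """\
en
conf t
no ip do lo
line con 0
logg s
no exec-t
exi
ho r1
line vty 0 4
transport input ssh telnet
exit
ip http server
ip http authentication enable
^Z
""".splitlines()

# A hardened variant of the same management settings (constructed).
R1_HARDENED = """\
conf t
line vty 0 4
transport input ssh
login local
access-class 10 in
exit
ip http secure-server
ip http authentication local
^Z
""".splitlines()

if __name__ == "__main__":
    for label, seq in (("as listed", R1_TYPED), ("hardened", R1_HARDENED)):
        print(label, lint_management_plane(parse_typed_config(seq)) or ["ok"])
```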
Topology diagram:



Basic configuration on R1
Router(config)#no ip do lo        disable DNS lookup
Router(config)#line con 0        console line configuration
Router(config-line)#logg s        enable logging synchronous
Router(config-line)#no exec-t        disable the exec timeout
Router(config-line)#exit
Router(config)#int lo 0        loopback interface configuration
Router(config-if)#ip add 2.2.2.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int e0/0        e0/0 interface configuration
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#^Z
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2        default route; because this IPsec VPN does not support dynamic routing, only a default or static route can be used
 
Router#ping 192.168.1.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/60/68 ms
 
Router(config)#crypto isakmp enable        enable isakmp
Router(config)#crypto isakmp policy 10        define the isakmp policy set so the endpoints can form an isakmp peer relationship
Router(config-isakmp)#authentication pre-share        peer authentication method: pre-shared key
Router(config-isakmp)#encryption 3des        encryption for the message exchange: 3des
Router(config-isakmp)#group 5        Diffie-Hellman group 5 (1536-bit) for the key exchange
Router(config-isakmp)#hash sha        message integrity algorithm: sha-1
Router(config-isakmp)#lifetime 86400        lifetime of the isakmp SA, in seconds
Router(config)#crypto isakmp key cisco address 192.168.1.2        pre-shared key "cisco" for the remote peer at 192.168.1.2
A pre-shared key for address mask 192.168.1.2 255.255.255.255 already exists
 
Configuration on r2
 
Router(config)#no ip do lo        disable DNS lookup
Router(config)#line console 0        console line configuration
Router(config-line)#logg s        logging synchronous
Router(config-line)#no exec-t        disable the exec timeout
Router(config-line)#exit
Router(config)#int lo 0        loopback interface configuration
Router(config-if)#ip add 1.1.1.1 255.255.255.0
Router(config-if)#no sh
 
Router(config)#int e0/0        e0/0 interface configuration
Router(config-if)#ip add 192.168.1.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1        default route
Router(config)#^Z
 
Router#sh ip route        view the routing table
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
 
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.1
Router#ping 2.2.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/57/76 ms
 
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#crypto isakmp enable        the configuration on r2 mirrors r1's
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key        pre-shared key
  rsa-encr   Rivest-Shamir-Adleman Encryption        RSA encryption
  rsa-sig    Rivest-Shamir-Adleman Signature        RSA signature
 
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption ?
  3des  Three key triple DES        3des encryption algorithm
  aes   AES - Advanced Encryption Standard.        Advanced Encryption Standard
  des   DES - Data Encryption Standard (56 bit keys).        Data Encryption Standard
 
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 5        three groups to choose from
Router(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
 
Router(config-isakmp)#hash ?
  md5  Message Digest 5        MD5 hash algorithm
  sha  Secure Hash Standard        SHA integrity algorithm
 
Router(config-isakmp)#hash sha
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#exit
Router(config)#crypto isakmp key cisco address 192.168.1.1
A pre-shared key for address mask 192.168.1.1 255.255.255.255 already exists
 
On r1:
crypto ipsec transform-set 1233 esp-3des esp-md5-hmac        create transform set 1233: the exchanged data is encrypted with 3des and integrity-protected with MD5
exit
crypto map R1VPN 10 ipsec-isakmp        create IPsec crypto map R1VPN, entry 10, using isakmp to establish the IPsec SAs that protect the traffic this entry selects (map name and sequence number are separate arguments)
set peer 192.168.1.2        specify the peer
set transform-set 1233        specify the transform set
match address 100        reference the extended ACL
 
On r2:
crypto ipsec transform-set 1234 esp-3des esp-md5-hmac        same as above
exit
crypto map R2VPN 10 ipsec-isakmp        map name R2VPN, matching the name applied to r2's interface below
set peer 192.168.1.1
set transform-set 1234
match address 100
Configuration on r1
 
Router(config)#access-list 100 permit icmp 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0        define which traffic IPsec protects
Router(config)#int e0/0
Router(config-if)#crypto map R1VPN        apply the crypto map to the interface
Router(config-if)#^Z
 
Configuration on r2
Router(config)#access-list 100 permit icmp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0        same as above
Router(config)#int e0/0
Router(config-if)#crypto map R2VPN
Router(config-if)#^Z
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
 
*Mar  1 01:07:18.235: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,        local IP address 192.168.1.1, destination 192.168.1.2
    local_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),        local proxy 2.2.2.2
    remote_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),        remote proxy 1.1.1.1
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),        transport protocol ESP
    lifedur= 3600s and 4608000kb,
    spi= 0x4D12771D(1293055773), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 01:07:18.239: ISAKMP: received ke message (1/1)
*Mar  1 01:07:18.243: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 01:07:18.243: ISAKMP: local port 500, remote port 500
*Mar  1 01:07:18.243: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:07:18.243: ISAKMP: insert sa successfully sa = 63EA13F0
*Mar  1 01:07:18.243: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar  1 01:07:18.247: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar  1 01:07:18.247: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar  1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar  1 01:07:18.247: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar  1 01:07:18.247: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:07:18.251: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1        IKE negotiation opens; isakmp messages start being sent
*Mar  1 01:07:18.251: ISAKMP (0:1): beginning Main Mode exchange        IKE Main Mode begins
*Mar  1 01:07:18.251: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE        negotiation initiated: 192.168.1.1 proposes to 192.168.1.2 according to the policy configured on r1
*Mar  1 01:07:18.419: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE        r1 receives r2's reply accepting the proposal
*Mar  1 01:07:18.423: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:07:18.423: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2        IKE starts exchanging the second message
*Mar  1 01:07:18.423: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar  1 01:07:18.423: ISAKMP (0:1): processing vendor id payload
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/59/112 ms
Router#
*Mar  1 01:07:18.423: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:07:18.427: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar  1 01:07:18.427: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar  1 01:07:18.427: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:07:18.427: ISAKMP (0:1) local preshared key found
*Mar  1 01:07:18.427: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:07:18.427: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy        policy check for IKE phase 1: the router compares its policy with the remote peer's
*Mar  1 01:07:18.427: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:07:18.431: ISAKMP:      hash SHA
*Mar  1 01:07:18.431: ISAKMP:      default group 5
*Mar  1 01:07:18.431: ISAKMP:      auth pre-share
*Mar  1 01:07:18.431: ISAKMP:      life type in seconds
*Mar  1 01:07:18.431: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:07:18.431: ISAKMP (0:1): atts are acceptable. Next payload is 0        the policy matched and the attributes are listed; the negotiation moves on towards IKE phase 2
*Mar  1 01:07:18.535: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.535: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:07:18.535: ISAKMP (0:1): vendor ID is NAT-T v7
*Mar  1 01:07:18.535: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:07:18.535: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2        the second negotiation message is sent
*Mar  1 01:07:18.539: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP        R1 sends its Diffie-Hellman public value and nonce to r2
*Mar  1 01:07:18.543: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:07:18.543: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3        the third negotiation message is sent
*Mar  1 01:07:18.707: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP        r1 receives r2's reply
*Mar  1 01:07:18.711: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:07:18.711: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4        the fourth negotiation message
 
*Mar  1 01:07:18.711: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  1 01:07:18.827: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar  1 01:07:18.827: ISAKMP: Looking for a matching key for 192.168.1.2 in default : success
*Mar  1 01:07:18.827: ISAKMP (0:1): found peer pre-shared key matching 192.168.1.2
*Mar  1 01:07:18.835: ISAKMP (0:1): SKEYID state generated
*Mar  1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.835: ISAKMP (0:1): vendor ID is Unity
*Mar  1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.835: ISAKMP (0:1): vendor ID is DPD
*Mar  1 01:07:18.835: ISAKMP (0:1): processing vendor id payload
*Mar  1 01:07:18.835: ISAKMP (0:1): speaking to another IOS box!
*Mar  1 01:07:18.835: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:07:18.835: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4        the fifth negotiation message
*Mar  1 01:07:18.839: ISAKMP (0:1): Send initial contact
*Mar  1 01:07:18.839: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:07:18.843: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:07:18.843: ISAKMP (1): Total payload length: 12
*Mar  1 01:07:18.847: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:07:18.847: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:07:18.847: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
 
*Mar  1 01:07:18.915: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH        r1 receives r2's response, the sixth IKE message
*Mar  1 01:07:18.919: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  1 01:07:18.919: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:07:18.919: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  1 01:07:18.923: ISAKMP (0:1): SA authentication status:
        authenticated
*Mar  1 01:07:18.923: ISAKMP (0:1): SA has been authenticated with 192.168.1.2
*Mar  1 01:07:18.923: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  1 01:07:18.923: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:07:18.927: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6
 
*Mar  1 01:07:18.927: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:07:18.927: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6
 
*Mar  1 01:07:18.931: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:07:18.931: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE        Main Mode negotiation complete
*Mar  1 01:07:18.931: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1537451169
*Mar  1 01:07:18.939: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:07:18.939: ISAKMP (0:1): Node 1537451169, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:07:18.939: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1        R1 sends the first Quick Mode message, which carries the IPsec proposal
*Mar  1 01:07:18.943: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:07:18.943: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
 
*Mar  1 01:07:19.291: ISAKMP (0:1): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:07:19.295: ISAKMP (0:1): processing HASH payload. message ID = 1537451169
*Mar  1 01:07:19.299: ISAKMP (0:1): processing SA payload. message ID = 1537451169
*Mar  1 01:07:19.299: ISAKMP (0:1): Checking IPSec proposal 1
*Mar  1 01:07:19.299: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:07:19.299: ISAKMP:   attributes in transform:
*Mar  1 01:07:19.299: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 01:07:19.299: ISAKMP:      SA life type in seconds
*Mar  1 01:07:19.299: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:07:19.299: ISAKMP:      SA life type in kilobytes
*Mar  1 01:07:19.303: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:07:19.303: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:07:19.303: ISAKMP (0:1): atts are acceptable.
*Mar  1 01:07:19.303: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 2.2.2.2/255.255.255.255/1/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 01:07:19.307: IPSEC(kei_proxy): head = R1VPN, map->ivrf = , kei->ivrf =
*Mar  1 01:07:19.311: ISAKMP (0:1): processing NONCE payload. message ID = 1537451169
*Mar  1 01:07:19.311: ISAKMP (0:1): processing ID payload. message ID = 1537451169
*Mar  1 01:07:19.311: ISAKMP (0:1): processing ID payload. message ID = 1537451169
*Mar  1 01:07:19.319: ISAKMP (0:1): Creating IPSec SAs
*Mar  1 01:07:19.323:         inbound SA from 192.168.1.2 to 192.168.1.1 (f/i)  0/ 0
        (proxy 1.1.1.1 to 2.2.2.2)
*Mar  1 01:07:19.323:         has spi 0x4D12771D and conn_id 2000 and flags 2
*Mar  1 01:07:19.323:         lifetime of 3600 seconds
*Mar  1 01:07:19.323:         lifetime of 4608000 kilobytes
*Mar  1 01:07:19.323:         has client flags 0x0
*Mar  1 01:07:19.323:         outbound SA from 192.168.1.1     to 192.168.1.2     (f/i)  0/ 0 (proxy 2.2.2.2         to 1.1.1.1        )
*Mar  1 01:07:19.323:         has spi 984465209 and conn_id 2001 and flags A
*Mar  1 01:07:19.327:         lifetime of 3600 seconds
*Mar  1 01:07:19.327:         lifetime of 4608000 kilobytes
*Mar  1 01:07:19.327:         has client flags 0x0
*Mar  1 01:07:19.327: ISAKMP (0:1): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:07:19.331: ISAKMP (0:1): deleting node 1537451169 error FALSE reason ""
*Mar  1 01:07:19.331: ISAKMP (0:1): Node 1537451169, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:07:19.331: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 01:07:19.331: IPSEC(key_engine): got a queue event...
*Mar  1 01:07:19.331: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
    remote_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x4D12771D(1293055773), conn_id= 2000, keysize= 0, flags= 0x2
*Mar  1 01:07:19.335: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 2.2.2.2/0.0.0.0/1/0 (type=1),
    remote_proxy= 1.1.1.1/0.0.0.0/1/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x3AADBF39(984465209), conn_id= 2001, keysize= 0, flags= 0xA
*Mar  1 01:07:19.339: IPSEC(kei_proxy): head = R1VPN, map->ivrf = , kei->ivrf =
*Mar  1 01:07:19.339: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.1.2
*Mar  1 01:07:19.343: IPSEC(add mtree): src 2.2.2.2, dest 1.1.1.1, dest_port 0
 
*Mar  1 01:07:19.343: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_prot= 50,
    sa_spi= 0x4D12771D(1293055773),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
*Mar  1 01:07:19.343: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.2, sa_prot= 50,
    sa_spi= 0x3AADBF39(984465209),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
Router#sh crypto engine connections active        view the encrypted and decrypted packet counters
 
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/0          192.168.1.1     set    HMAC_SHA+3DES_56_C        0        0
2000 Ethernet0/0          192.168.1.1     set    HMAC_MD5+3DES_56_C        0       39
2001 Ethernet0/0          192.168.1.1     set    HMAC_MD5+3DES_56_C       39        0
 
Router#sh crypto isakmp sa        view the IKE phase 1 security association
dst             src             state          conn-id slot
192.168.1.2     192.168.1.1     QM_IDLE              1    0
 
Router#sh crypto ipsec sa        view the IPsec data connections established in phase 2
 
interface: Ethernet0/0
    Crypto map tag: R1VPN, local addr. 192.168.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   current_peer: 192.168.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 39, #pkts encrypt: 39, #pkts digest 39
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify 39
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 3AADBF39

     inbound esp sas:
      spi: 0x4D12771D(1293055773)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: R1VPN
        sa timing: remaining key lifetime (k/sec): (4515934/2784)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3AADBF39(984465209)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: R1VPN
        sa timing: remaining key lifetime (k/sec): (4515934/2780)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
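Added example, not part of the original post: a Python summary of a `debug crypto isakmp` / `debug crypto ipsec` trace like the one above, extracting the state transitions, the agreed phase 1 attributes and the ESP transform, and flagging the algorithms that are weak by today's standards. The sample trace is a constructed excerpt in the same format, and the function names are this example's own.

```python
"""Summarise an IOS `debug crypto isakmp` / `debug crypto ipsec` trace.

Added example, not part of the original post.  It records the IKE
state transitions, the phase 1 attributes the peers agreed on, the
phase 2 ESP transform, whether both phases completed, and which agreed
algorithms are weak by current standards (DES/3DES, MD5, SHA-1,
DH groups 1/2/5).  SAMPLE_TRACE is a constructed excerpt in the same
format as the trace above.
"""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# Phase 1 attribute lines look like "ISAKMP:      encryption 3DES-CBC" / "default group 5".
P1_ATTR_RE = re.compile(r"ISAKMP:\s+(?:default )?(encryption|hash|group|auth) (\S+)")
TRANSFORM_RE = re.compile(r"transform= ([\w-]+ [\w-]+)")

WEAK = {
    "encryption": {"DES-CBC": "DES", "3DES-CBC": "3DES"},
    "hash": {"MD5": "MD5", "SHA": "SHA-1"},
    "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)", "5": "DH group 5 (1536-bit)"},
}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def summarize_ike_debug(text):
    """Return a dict describing what the trace shows about the IKE/IPsec negotiation."""
    transitions, phase1, esp = [], {}, None
    accepted = False
    for line in text.splitlines():
        if "atts are acceptable" in line:
            accepted = True
        m = STATE_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2)))
            continue
        m = P1_ATTR_RE.search(line)
        if m:
            phase1[m.group(1)] = m.group(2)
            continue
        m = TRANSFORM_RE.search(line)
        if m and esp is None:                      # first key-engine message names the transform
            esp = m.group(1).split()
    reached = {new for _, new in transitions}
    weak = [WEAK[k][v] for k, v in phase1.items() if v in WEAK.get(k, {})]
    weak += [t for t in (esp or []) if t in WEAK_ESP]
    return {
        "transitions": transitions,
        "attrs_accepted": accepted,
        "phase1_complete": "IKE_P1_COMPLETE" in reached,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in reached,
        "phase1": phase1,
        "esp_transform": esp,
        "weak": weak,
    }


# Constructed excerpt in the format of the trace above.
SAMPLE_TRACE = """\
*Mar  1 01:07:18.235: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.1.2,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
*Mar  1 01:07:18.251: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:07:18.427: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:07:18.431: ISAKMP:      hash SHA
*Mar  1 01:07:18.431: ISAKMP:      default group 5
*Mar  1 01:07:18.431: ISAKMP:      auth pre-share
*Mar  1 01:07:18.431: ISAKMP (0:1): atts are acceptable. Next payload is 0
*Mar  1 01:07:18.931: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:07:19.331: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""
# The same trace cut off before Quick Mode finished (a stalled phase 2).
STALLED_TRACE = "\n".join(SAMPLE_TRACE.splitlines()[:-1])

if __name__ == "__main__":
    for k, v in summarize_ike_debug(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```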
Cisco              Huawei
show               display
show version       disp version
no                 undo
show run           disp current-configuration
username           local-user
end                return
show start         disp saved-configuration
exit               quit
exit               logout
ctrl+z             quit
router rip         ...
2009-09-04 16:15:04
Learning OSPF single-area configuration
 
Lab topology:

 

 
Basic configuration on R1
 
R1(config)#int s2/1
R1(config-if)#ip ad 12.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config)#int lo 0
R1(config-if)#ip ad 1.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#router ospf 64
R1(config-router)#net 1.1.1.1 0.0.0.0 area 0
R1(config-router)#net 12.0.0.0 0.0.0.255 area 0
 
R1#sh ip route        view the routing table
 
     34.0.0.0/24 is subnetted, 1 subnets
O       34.0.0.0 [110/192] via 12.0.0.2, 00:00:24, Serial2/1
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/257] via 12.0.0.2, 00:00:24, Serial2/1
     23.0.0.0/24 is subnetted, 1 subnets
O       23.0.0.0 [110/128] via 12.0.0.2, 00:00:24, Serial2/1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.0.0.0 is directly connected, Serial2/1
     45.0.0.0/24 is subnetted, 1 subnets
O       45.0.0.0 [110/256] via 12.0.0.2, 00:00:24, Serial2/1
 
R1#sh ip ospf int s2/1        view OSPF information for the interface
Serial2/1 is up, line protocol is up
  Internet Address 12.0.0.1/24, Area 0        the interface is in OSPF area 0
  Process ID 64, Router ID 12.0.0.1, Network Type POINT_TO_POINT, Cost: 64        the default OSPF cost on a serial interface is 64; the network type is point-to-point
  Transmit Delay is 1 sec, State POINT_TO_POINT,        transmit delay of 1 second, the amount added to an LSA's age before it is flooded out this interface
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5        hello every 10 s, dead interval 40 s, wait 40 s, retransmit 5 s
    oob-resync timeout 40
    Hello due in 00:00:09
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 12.0.0.2
  Suppress hello for 0 neighbor(s)  
 
R1#sh ip ospf neighbor        view OSPF neighbors
 
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.0.2          0   FULL/  -        00:00:35    12.0.0.2        Serial2/1
 
R1#sh ip ospf stat        view OSPF statistics
  Area 0: SPF algorithm executed 10 times        SPF has been computed 10 times in area 0
  SPF calculation time        details of each calculation
Delta T   Intra D-Intra Summ    D-Summ  Ext     D-Ext   Total   Reason
00:37:12   0    0       0       0       0       0       0       R,
00:36:31   0    0       0       0       0       0       0       R,
00:35:20   0    0       0       0       0       0       0       R,
00:33:30   0    0       0       0       4       0       4       R,
00:32:55   0    0       0       0       4       0       4       R,
00:31:59   4    0       0       0       0       0       4       R,
00:31:01   4    0       0       0       0       0       4       R,
00:28:36   4    0       0       0       0       0       4       R,
00:23:08   4    0       0       0       0       0       4       R,
00:22:58   8    0       0       0       0       0       8       R,
 
R1#sh ip protocols        view the running routing protocols
Routing Protocol is "ospf 64"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 12.0.0.1        router ID
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa  
  Maximum path: 4
  Routing for Networks:
    1.1.1.1 0.0.0.0 area 0
    12.0.0.0 0.0.0.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    5.5.5.5              110      00:21:18
    12.0.0.2             110      00:21:18
    34.0.0.1             110      00:21:18
    45.0.0.1             110      00:21:18
  Distance: (default is 110)
 
R1#sh ip ospf database        view the OSPF database
 
            OSPF Router with ID (12.0.0.1) (Process ID 64)        router ID 12.0.0.1, process ID 64
 
  Router Link States (Area 0)        the router-link (type 1) LSAs in r1's OSPF database
                (columns: link ID, advertising router, age, sequence number, checksum, link count)
Link ID         ADV Router      Age         Seq#       Checksum Link count
5.5.5.5         5.5.5.5         1759        0x80000004 0x00C8FF 3
12.0.0.1        12.0.0.1        81          0x80000005 0x0090B9 3
12.0.0.2        12.0.0.2        507         0x80000004 0x0077F5 4
34.0.0.1        34.0.0.1        366         0x80000004 0x00B951 4
45.0.0.1        45.0.0.1        1759        0x80000002 0x00626D 4
R1#sh ip ospf database database-summary
 OSPF Router with ID (12.0.0.1) (Process ID 64)
Area 0 database summary        summary for area 0: 5 LSAs in total, all of the Router type
  LSA Type      Count    Delete   Maxage
  Router        5        0        0      
  Network       0        0        0      
  Summary Net   0        0        0      
  Summary ASBR  0        0        0      
  Type-7 Ext    0        0        0      
  Opaque Link   0        0        0      
 
 
  Opaque Area   0        0        0      
  Subtotal      5        0        0      
 
Process 64 database summary        summary for process 64: 5 LSAs in total, all of the Router type
  LSA Type      Count    Delete   Maxage
  Router        5        0        0      
  Network       0        0        0      
  Summary Net   0        0        0      
  Summary ASBR  0        0        0      
  Type-7 Ext    0        0        0      
  Opaque Link   0        0        0      
  Opaque Area   0        0        0      
  Type-5 Ext    0        0        0      
  Opaque AS     0        0        0      
  Total         5        0        0  
 
R1#sh ip ospf database router 12.0.0.1        view the router LSA for router ID 12.0.0.1
 
            OSPF Router with ID (12.0.0.1) (Process ID 64)        as above
 
                Router Link States (Area 0)
 
  LS age: 513
  Options: (No TOS-capability, DC)
  LS Type: Router Links        router LSA
  Link State ID: 12.0.0.1
  Advertising Router: 12.0.0.1
  LS Seq Number: 80000005
  Checksum: 0x90B9
  Length: 60
  Number of Links: 3        3 links
 
    Link connected to: a Stub Network        stub network (no OSPF neighbor on it; here the loopback)
     (Link ID) Network/subnet number: 1.1.1.1        network number 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255        mask 255.255.255.255
      Number of TOS metrics: 0
       TOS 0 Metrics: 1
 
    Link connected to: another Router (point-to-point)        point-to-point link type
     (Link ID) Neighboring Router ID: 12.0.0.2        neighbor router ID
     (Link Data) Router Interface address: 12.0.0.1
      Number of TOS metrics: 0
       TOS 0 Metrics: 64
 
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 12.0.0.0        network number 12.0.0.0
     (Link Data) Network Mask: 255.255.255.0        mask 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metrics: 64
 
Basic configuration on R2
R2(config)#int s2/1
R2(config-if)#ip ad 12.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config)#int s2/2
R2(config-if)#ip ad 23.0.0.1 255.255.255.0
R2(config-if)#no sh
 
R2(config)#router ospf 64        advertise the networks
R2(config-router)#net 12.0.0.0 0.0.0.255 area 0
R2(config-router)#net 23.0.0.0 0.0.0.255 area 0
 
 
Basic configuration on R3
 
R3(config)#int s2/1
R3(config-if)#ip ad 23.0.0.2 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int s2/2
R3(config-if)#ip ad 34.0.0.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#router ospf 64        advertise the networks
R3(config-router)#net 23.0.0.0 0.0.0.255 area 0
R3(config-router)#net 34.0.0.0 0.0.0.255 area 0
 
 
Basic configuration on R4
R4(config)#int s2/1
R4(config-if)#ip ad 34.0.0.2 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int s2/2
R4(config-if)#ip ad 45.0.0.1 255.255.255.0
R4(config-if)#no sh
R4(config-if)#router ospf 64        advertise the networks
R4(config-router)#net 34.0.0.0 0.0.0.255 area 0
R4(config-router)#net 45.0.0.0 0.0.0.255 area 0
 
Basic configuration on R5
 
R5(config-if)#int lo 0
R5(config-if)#ip ad 5.5.5.5 255.255.255.0
R5(config-if)#no sh
R5(config-router)#int s2/2
R5(config-if)#ip ad 45.0.0.3 255.255.255.0
R5(config-if)#no sh
R5(config)#router ospf 64        advertise the networks
R5(config-router)#net 45.0.0.0 0.0.0.255 area 0
R5(config-router)#net 5.5.5.5 0.0.0.0 area 0
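Added example, not from the original post: recomputing R1's OSPF routing table from the link-state data shown above with a small Dijkstra in Python, using the router IDs, link costs and stub metrics from the lab listing and the IOS default reference bandwidth of 10^8 bit/s; the function names are this example's own.

```python
"""Recompute R1's OSPF routing table from the lab's link-state data.

Added example, not part of the original post.  It builds the area 0
graph the way the `show ip ospf database router` output above describes
it: each serial link is a point-to-point adjacency plus a stub network
advertised by both ends, and each loopback is a stub network with
metric 1.  Dijkstra from R1 reproduces the costs in R1's routing table
(23.0.0.0/24 at 128, 34.0.0.0/24 at 192, 45.0.0.0/24 at 256,
5.5.5.5/32 at 257).  Router IDs and costs come from the lab listing.
"""
import heapq


def ospf_cost(bandwidth_kbps, reference_bps=100_000_000):
    """IOS default interface cost: reference bandwidth / interface bandwidth, truncated."""
    return max(1, reference_bps // (bandwidth_kbps * 1000))


SERIAL_COST = ospf_cost(1544)     # T1 serial default bandwidth -> cost 64

# Router IDs as shown in `show ip ospf database` above.
R1, R2, R3, R4, R5 = "12.0.0.1", "12.0.0.2", "34.0.0.1", "45.0.0.1", "5.5.5.5"

# (router_a, router_b, transit network, cost): one entry per serial link.
P2P_LINKS = [
    (R1, R2, "12.0.0.0/24", SERIAL_COST),
    (R2, R3, "23.0.0.0/24", SERIAL_COST),
    (R3, R4, "34.0.0.0/24", SERIAL_COST),
    (R4, R5, "45.0.0.0/24", SERIAL_COST),
]
# Loopbacks: stub networks with the TOS 0 metric of 1 shown in R1's router LSA.
LOOPBACKS = [(R1, "1.1.1.0/24", 1), (R5, "5.5.5.5/32", 1)]


def build_lsdb(p2p_links, loopbacks):
    """Return (adjacency, stubs): adjacency[r] = [(neighbour, cost)], stubs[r] = [(prefix, cost)]."""
    adjacency, stubs = {}, {}
    for a, b, net, cost in p2p_links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
        stubs.setdefault(a, []).append((net, cost))   # a p2p link is also advertised as a stub
        stubs.setdefault(b, []).append((net, cost))
    for r, net, cost in loopbacks:
        stubs.setdefault(r, []).append((net, cost))
    return adjacency, stubs


def spf(adjacency, root):
    """Dijkstra over the router nodes; returns {router: distance from root}."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, r = heapq.heappop(heap)
        if d > dist[r]:
            continue
        for nbr, cost in adjacency.get(r, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def routing_table(root, p2p_links=P2P_LINKS, loopbacks=LOOPBACKS):
    """Best cost to every stub prefix: min over advertising routers of (distance + stub cost)."""
    adjacency, stubs = build_lsdb(p2p_links, loopbacks)
    dist = spf(adjacency, root)
    table = {}
    for r, nets in stubs.items():
        if r not in dist:
            continue                                  # router unreachable from root
        for net, cost in nets:
            total = dist[r] + cost
            if total < table.get(net, float("inf")):
                table[net] = total
    return table


if __name__ == "__main__":
    for net, cost in sorted(routing_table(R1).items()):
        print(f"O {net:14} [110/{cost}]")
```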
2009-09-04 16:11:15
Basic configuration on R1
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line console 0
Router(config-line)#logging synchronous
Router(config-line)#no exec-timeout
Router(config-line)#login
Router(config)#int lo 0
Router(config-if)#ip ad 1.1.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config)#int s1/2
Router(config-if)#ip add 12.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config)#router rip        enable RIP (version 1)
Router(config-router)#network 1.1.1.1        advertise network 1.1.1.1
Router(config-router)#network 12.0.0.0        same as above
Router#show ip route        // routing table with RIP version 1
 
Gateway of last resort is not set
 
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
R    2...
2009-09-04 16:02:08
 
 
Learning how to configure an OSPF virtual link
 
Lab topology:
 

 
 
On R1
 
R1#ping 34.0.0.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/89/136 ms
R1#ping 34.0.0.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
 
On R5
 
R5#ping 23.0.0.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 23.0.0.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/111/164 ms
 
 
Why this configuration is needed:

Because routes cannot be learned or advertised between the different areas, the pings above fail. To make the routers reachable, a virtual link is configured on R2 and R4 to carry traffic across the areas.
 
 
Behaviour after the configuration succeeds
 
R4#ping 12.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/99/156 ms
R4#ping 23.0.0.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/73/136 ms
R4#ping 1.1.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/420/1624 ms
 
 
 
 
 
The key configuration
 
R4(config)#router ospf 64
R4(config-router)#area 1 virtual-link 12.0.0.2         specify the peer's router ID
R2(config)#router ospf 64
R2(config-router)#area 1 virtual-link 45.0.0.1         specify the peer's router ID
R2(config-router)#^Z
 
 
R4#sh ip ospf virtual-links     check the virtual-link status
Virtual Link OSPF_VL1 to router 12.0.0.2 is up      link established
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial2/1, Cost of using 128
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
Virtual Link OSPF_VL0 to router 23.0.0.1 is down
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, Cost of using 65535
  Transmit Delay is 1 sec, State DOWN,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
 
 
The address of S2/1 is R2's router ID, and the address of S2/2 is R4's router ID. The table below lists which address was given on each side in the virtual-link command and whether the virtual link came up:

R2 address used   R4 address used   Virtual link status
S2/1              S2/1              down
S2/1              S2/2              up
S2/2              S2/1              down
S2/2              S2/2              down
2009-09-02 21:30:26

The CHAP authentication process
 
 
Like PAP, CHAP authentication can be one-way, with one side authenticating the other's identity, or two-way. In the two-way case both sides must pass the other's authentication procedure, otherwise the link between them cannot be established. We take one-way authentication as the example for analysing the CHAP configuration and troubleshooting method.
  Once both sides have PPP encapsulation configured with CHAP authentication required, and the link between them is active at the physical layer, the authenticating server keeps sending authentication requests until authentication succeeds. Unlike PAP, what the server sends here is a "challenge" string.

 
 
When the authentication client (the side being authenticated), router RouterB, sends its response to the "challenge" string, the server verifies the peer's identity with the digest algorithm (MD5). If the response is correct, authentication succeeds and the link between the two sides is finally established.
  If the authenticated router RouterB sends a wrong "challenge" response, the server keeps sending authentication requests until it receives a correct response.
 
 
          
Configuring the CHAP authentication server
 
 
Configuring the CHAP authentication server takes two steps: building the local password database, and requiring CHAP authentication.
  Building the local password database
  Records are added to the local password database with the global configuration command username username password password. Note that the username here must be the name of the peer router, i.e. routerb, as shown below:
  RouterA(config)#username routerb password samepass
  Requiring CHAP authentication
  This is done with the command ppp authentication chap in the configuration mode of the relevant interface, as shown below:
  RouterA(config)#interface serial 0/0
  RouterA(config-if)#ppp authentication chap
  3.2.3   Configuring the CHAP authentication client
  Configuring the CHAP client takes only one step (one command): building the local password database. Note that the username here must be the name of the peer router, i.e. routera, and the password must be the same as the one in the server's password database.
  RouterB(config)#username routera password samepass
  3.2.4   Troubleshooting CHAP
  Problems with CHAP authentication can also be diagnosed with the debug ppp authentication command. Figure 5 shows a case where the "challenge" response sent by the client did not pass the server's authentication.
 

 
This shows that after several authentication requests the server finally received a correct "challenge" response from the client, at which point the link between the two sides is established.
 
 

1. In CHAP authentication, passwords are case sensitive.
  2. Authentication can also be mutual, i.e. each side authenticates the other. The configuration is similar to one-way authentication, except that both sides are configured as both authentication server and authentication client.
  3. The password database can also be stored outside the router, on an AAA or TACACS+ server. For brevity this is not covered here.
  The two sides may choose different authentication methods, e.g. one PAP and the other CHAP; in that case the authentication negotiation fails. To avoid such a failure, the router can be configured to use both methods: if the first negotiation fails, the other method is tried. The following command makes the router try PAP first and fall back to CHAP if that fails.
  RouterA(config-if)#ppp authentication pap chap
  The following command does the opposite: CHAP first, then PAP after a failed negotiation.
  RouterA(config-if)#ppp authentication chap pap
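The exchange described above, as an added Python example that is not part of the original post: RouterA issues a random challenge, RouterB answers with the RFC 1994 digest MD5(identifier || secret || challenge), and RouterA verifies it from its own copy of the secret, so the password never crosses the line and a response is only good for the one challenge it answers (which also shows why the password is case sensitive). The class and function names and the 16-byte challenge length are assumptions; the usernames and password are the ones from the configuration above.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Value the peer places in a CHAP Response packet (RFC 1994, section 4.1)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """RouterA's side: holds the local username/password database (assumed name)."""

    def __init__(self, database: dict):
        self.database = database   # peer hostname -> shared secret
        self.identifier = 0
        self.outstanding = {}      # identifier -> challenge not yet answered

    def challenge(self):
        """Issue a fresh Challenge packet; returns (identifier, challenge bytes)."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)      # random, so a captured response cannot be replayed
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a Response; the challenge is consumed whether or not it verifies."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.database.get(name)        # exact-match lookup of the peer name
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_exchange(auth: ChapAuthenticator, peer_name: str, peer_secret: str):
    """One complete one-way exchange (RouterB answering RouterA's challenge).
    Returns (ok, identifier, response) so the caller can inspect the packets."""
    ident, chal = auth.challenge()
    response = chap_response(ident, peer_secret, chal)   # RouterB's side
    return auth.verify(ident, peer_name, response), ident, response
```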
 
2009-09-02 21:19:44
1   PPP overview
  The Point-to-Point Protocol (PPP) is a data link layer protocol for point-to-point lines published by the IETF (Internet Engineering Task Force). It solved the problems of SLIP and became a formal Internet standard.
  PPP is described in RFC 1661, RFC 1662 and RFC 1663.
PPP carries upper-layer protocol packets over point-to-point serial lines of every physical type. It has many optional features, such as multi-protocol support, optional authentication, data compression in various ways, dynamic address negotiation and multilink bundling, which extend what PPP can do. It can be used on asynchronous dial-up lines as well as on synchronous links between routers, so it is very widely deployed.
  2   How CHAP works
  PPP offers two optional authentication methods: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). If both sides agree, no authentication method need be used at all.
  CHAP authentication is more secure than PAP because CHAP does not send the plaintext password over the line; it sends a random sequence processed by a digest algorithm, also called the "challenge string", as shown in Figure 1. Authentication can also be repeated at any time, including while the two sides are communicating normally. Because..
Configuring a PPPoE server and client
Lab objective: practise configuring a PPPoE server and client
 
Lab topology:
 
          
 
 
 
Lab procedure:
The steps on the virtual platform are as follows.
 
Step 1: bridge the MAC address: move the MAC address of the loopback0 interface you created into the ATM1 platform (right-click the platform, choose edit, and swap in that MAC address).
Step 2: enter the following configuration commands on ATM1.
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no ip do lo
Router(config)#line con 0
Router(config-line)#no exec-t
Router(config-line)#logg  s
Router(config-line)# exit
Router(config)#username cisco password cisco
Router(config)#int lo 0
Router(config-if)#ip add 61.134.1.4 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int FastEthernet 3/0
Router(config-if)#pppoe enable
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#
Router(config-if)#vpdn enable
 
*Sep  2 15:45:30.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Router(config)#vpdn-group adsl
Router(config-vpdn)#request-dialin
Router(config-vpdn-req-in)#protocol pppoe
% PPPoE config from vpdn-group is converted to pppoe-profile based config.
% Continue PPPoE configuration under 'bba-group pppoe global'
Router(config-vpdn-req-in)#exit
Router(config-vpdn)#exit
Router(config)#bba-group pppoe global                                
Router(config-bba-group)#virtual-template 1
Router(config-bba-group)#exit
Router(config)#interface virtual-template 1
Router(config-if)#ip unnumbered loopback 0
Router(config-if)#encapsulation ppp
Router(config-if)#
*Sep  2 15:45:30.407: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Sep  2 15:45:31.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Sep  2 15:45:32.827: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Sep  2 15:45:32.827: %ENTITY_ALARM-6-INFO: CLEAR INFO Fa3/0 Physical Port Administrative State Down
Router(config-if)#ppp authentication pap
Router(config-if)#peer default ip address pool ADSL
Router(config-if)#
*Sep  2 15:45:33.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
Router(config-if)#exit
Router(config)#
Router(config)#ip local pool ADSL 61.134.1.8 61.134.1.10
 
 
Step 3: once the configuration is complete, create the PPPoE connection: Control Panel -> Network Connections -> Create a new connection, click Next, choose Connect to the Internet, Set up my connection manually, Connect using a broadband connection that requires a user name and password, enter the user name and password, and finish.
Step 4: capture the traffic with Wireshark. The result is as follows:
 
 
 

 
The capture shows PADI (the client's discovery request), PADO (the server's unicast offer), PADR (the client's session request) and PADS (the server's session confirmation).
The capture also shows the PAP authentication
 
 
 

 
 
In the PAP authentication the password is visible in plaintext: cisco  cisco
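Added Python example (not part of the original post) showing why the capture above exposes the password: a PAP Authenticate-Request (RFC 1334) carries the peer-id and password as plain length-prefixed strings inside the PPPoE session frame, so a decoder that walks the Ethernet, PPPoE (RFC 2516) and PPP headers reads them straight out, while a CHAP packet yields nothing. The MAC addresses, session id and credentials are constructed and the function names are assumptions.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PAP, PPP_CHAP = 0xC023, 0xC223
PAP_AUTHENTICATE_REQUEST = 1


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request: code, id, length, peer-id, password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def pppoe_session_frame(session_id: int, ppp_protocol: int, ppp_payload: bytes) -> bytes:
    """Wrap a PPP packet in a PPPoE session header (ver/type 0x11, code 0x00) and
    an Ethernet header with constructed MAC addresses."""
    ppp = struct.pack("!H", ppp_protocol) + ppp_payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return eth + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe


def pap_credentials(frame: bytes):
    """Return (peer_id, password) if the frame is a PAP Authenticate-Request over a
    PPPoE session, else None. CHAP or malformed frames yield None."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if ver_type != 0x11 or code != 0x00 or len(payload) < 6:
        return None
    if struct.unpack("!H", payload[:2])[0] != PPP_PAP:
        return None                      # e.g. CHAP: the secret is never on the wire
    pap_code, _ident, pap_len = struct.unpack("!BBH", payload[2:6])
    body = payload[6:2 + pap_len]        # PAP length covers its 4-byte header
    if pap_code != PAP_AUTHENTICATE_REQUEST or len(body) < 2:
        return None
    id_len = body[0]
    if len(body) < 2 + id_len:
        return None
    pw_len = body[1 + id_len]
    peer_id = body[1:1 + id_len]
    password = body[2 + id_len:2 + id_len + pw_len]
    return peer_id.decode(errors="replace"), password.decode(errors="replace")
```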
 
2009-08-17 20:05:43
PPP protocol
2009-08-17 19:48:04


