IPsec configuration

  • internet simulates the Internet; it has no routes to 10.1.1.0/24 or 10.1.2.0/24

(network topology figure not captured)

  • Configure an advanced ACL that identifies the traffic to be protected (10.1.1.0/24 to 10.1.2.0/24)

[R1] acl advanced 3000

[R1-acl-ipv4-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[R1-acl-ipv4-adv-3000] quit

  • Configure a default route towards the Internet

[R1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.3

  • Create an IPsec transform set (security proposal)

    • Create the transform set named tran1

[R1] ipsec transform-set tran1

  • Set the encapsulation mode for IP packets to tunnel mode

[R1-ipsec-transform-set-tran1] encapsulation-mode tunnel

  • Set the security protocol to ESP

[R1-ipsec-transform-set-tran1] protocol esp

  • Set the ESP encryption algorithm to 128-bit AES in CBC mode and the ESP authentication algorithm to HMAC-SHA1

[R1-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[R1-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[R1-ipsec-transform-set-tran1] quit

  • Create the IPsec policy (either manually keyed or IKE-negotiated; the two alternatives below both use the name map1 and sequence number 10):

    • Manual keying:
    • Manual IPsec policy named map1 with sequence number 10

[R1] ipsec policy map1 10 manual

  • Reference ACL 3000

[R1-ipsec-policy-manual-map1-10] security acl 3000

  • Reference the IPsec transform set tran1

[R1-ipsec-policy-manual-map1-10] transform-set tran1

  • Set the remote IP address of the IPsec tunnel to 2.2.3.1

[R1-ipsec-policy-manual-map1-10] remote-address 2.2.3.1

  • Set the ESP outbound SPI to 12345 and the ESP inbound SPI to 54321

[R1-ipsec-policy-manual-map1-10] sa spi outbound esp 12345

[R1-ipsec-policy-manual-map1-10] sa spi inbound esp 54321

  • Set the ESP outbound SA key to the plaintext string abcdefg and the ESP inbound SA key to the plaintext string gfedcba

[R1-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg

[R1-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba

[R1-ipsec-policy-manual-map1-10] quit
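Manual keying only works if the peer's SAs are the exact mirror of R1's: R1's outbound SPI and key must be the peer's inbound SPI and key, and vice versa. As an added example (not from this page or from H3C), the following Python derives the peer side from R1's commands above and checks that mirroring. It assumes the peer is the router at 2.2.3.1, takes R1's address 2.2.2.1 from the interface configuration, and parses only the command forms used on this page.

```python
import re

SWAP = {"inbound": "outbound", "outbound": "inbound"}

# Constructed input: R1's manual policy exactly as configured on this page.
R1_POLICY = """\
ipsec policy map1 10 manual
 remote-address 2.2.3.1
 sa spi outbound esp 12345
 sa spi inbound esp 54321
 sa string-key outbound esp simple abcdefg
 sa string-key inbound esp simple gfedcba
"""

def parse_manual_policy(text):
    """Collect policy name/seq, peer address, and per-direction SPI and key string."""
    p = {"spi": {}, "key": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ipsec policy (\S+) (\d+) manual", line):
            p["name"], p["seq"] = m[1], int(m[2])
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)", line):
            p["spi"][m[1]] = int(m[2])
        elif m := re.match(r"sa string-key (inbound|outbound) esp simple (\S+)", line):
            p["key"][m[1]] = m[2]
        elif m := re.match(r"remote-address (\S+)", line):
            p["peer"] = m[1]
    return p

def mirror_policy(policy, local_address):
    """Peer side: R1's outbound SA (SPI and key) is the peer's inbound SA, and vice versa."""
    return {"name": policy["name"], "seq": policy["seq"], "peer": local_address,
            **{f: {SWAP[d]: v for d, v in policy[f].items()} for f in ("spi", "key")}}

def check_pair(a, b):
    """List problems that would leave ESP traffic undecryptable or dropped between a and b."""
    problems = []
    for d in ("inbound", "outbound"):
        for field in ("spi", "key"):
            if a[field].get(d) != b[field].get(SWAP[d]):
                problems.append(f"{field} mismatch: a {d} vs b {SWAP[d]}")
        if a["spi"].get(d, 256) <= 255 or b["spi"].get(d, 256) <= 255:
            problems.append(f"reserved SPI (0-255, RFC 4303) used for {d}")
    return problems

def render(policy):
    """Emit the policy in the same CLI form used on this page (view prompts omitted)."""
    return [f"ipsec policy {policy['name']} {policy['seq']} manual",
            f" remote-address {policy['peer']}",
            *(f" sa spi {d} esp {v}" for d, v in sorted(policy["spi"].items())),
            *(f" sa string-key {d} esp simple {v}" for d, v in sorted(policy["key"].items()))]
```

`render(mirror_policy(parse_manual_policy(R1_POLICY), "2.2.2.1"))` gives the peer's policy lines, and `check_pair` on the two sides returns an empty list when the SPIs and keys are correctly mirrored.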

  • IKE negotiation:

    • Create an IKE keychain
    • Create and configure an IKE keychain named keychain1

[R1] ike keychain keychain1

  • Configure the pre-shared key used with the peer at 2.2.3.1 as the plaintext string 123456TESTplat&!

[R1-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!

[R1-ike-keychain-keychain1] quit

  • Create and configure an IKE profile named profile1, bind it to keychain1, and match the peer identity 2.2.3.1

[R1] ike profile profile1

[R1-ike-profile-profile1] keychain keychain1

[R1-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0

[R1-ike-profile-profile1] quit

  • Create the IPsec policy

    • IKE-negotiated (isakmp) IPsec policy named map1 with sequence number 10

[R1] ipsec policy map1 10 isakmp

  • Reference ACL 3000

[R1-ipsec-policy-isakmp-map1-10] security acl 3000

  • Reference the transform set tran1

[R1-ipsec-policy-isakmp-map1-10] transform-set tran1

  • Set the local IP address of the IPsec tunnel to 2.2.2.1 and the remote IP address to 2.2.3.1

[R1-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1

[R1-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1

  • Reference the IKE profile profile1

[R1-ipsec-policy-isakmp-map1-10] ike-profile profile1

[R1-ipsec-policy-isakmp-map1-10] quit

  • Apply the IPsec policy

    • Apply IPsec policy map1 on interface GigabitEthernet2/1/2

[R1] interface gigabitethernet 2/1/2

[R1-GigabitEthernet2/1/2] ip address 2.2.2.1 255.255.255.0

[R1-GigabitEthernet2/1/2] ipsec apply policy map1

[R1-GigabitEthernet2/1/2] quit