配置比较复杂,可能刚开始不是很好记忆,这里提供一下模板:
ip access-list extended access-list-name //建立ACL,指定哪些数据包需要保护
crypto isakmp policy priority //第一阶段,IKE方式的认证,加密,完整验证等
authentication { pre-share|rsa-sig|rsa-encr}
encryption {des|3des}
group {1|2}
hash {sha|md5}
lifetime seconds
crypto isakmp key keystring peer-address //IKE阶段的预共享key
crypto ipsec transform-set transform-set-name //第二阶段ipsec开始
transform-type transfor-type //指定对上层数据的加密、认证方式
mode {tunnel | transport} //ipsec工作模式,默认为tunnel
crypto map map-name seq-num ipsec-isakmp //建立ipsec的映射关系,主要是调用前面的策略
set peer ip-address
match address access-list-name
set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
set pfs [group1|group2]
set security-association lifetime [seconds seconds | kilobytes kilobytes] RT1#show run Building configuration... Current configuration: ! !version 1.3.2C service timestamps log date service timestamps debug date no service password-encryption ! hostname RT1 ! crypto isakmp key 123456 10.0.0.2 255.255.255.255 //ISAKMP的密钥,与对端一致 ! crypto isakmp policy 100 //建立ISAKMP策略 hash md5 //哈希算法,保障数据完整性 ! crypto ipsec transform-set 100 //建立变换集合 transform-type ah-md5-hmac esp-des //md5认证和des加密,可自定,但要与对端一致 ! //前面是第一阶段的配置;从这里开始第二阶段的协商 crypto map bdcom 100 ipsec-isakmp //建立ipsec映射 set peer 10.0.0.2 //指定对端路由器(运行ipsec)ip set transform-set 100 //调用变换集合 match address ACL //调用访问控制列表,指定哪些数据流量需要ipsec保护 ! interface Loopback0 //建立loopback端口,模拟本地局域网网段 ip address 192.168.0.1 255.255.255.0 no ip directed-broadcast ! ! interface Ethernet1/2 //路由器外网口 ip address 10.0.0.1 255.255.255.0 no ip directed-broadcast crypto map bdcom //将ipsec应用到物理端口上,生效 duplex half ! interface Serial1/0 no ip address no ip directed-broadcast ! interface Serial1/1 no ip address no ip directed-broadcast ! interface Serial2/0 no ip address no ip directed-broadcast ! interface Serial2/1 no ip address no ip directed-broadcast ! interface Serial2/2 no ip address no ip directed-broadcast ! interface Serial2/3 no ip address no ip directed-broadcast ! interface Async0/0 no ip address no ip directed-broadcast ! ! ip route 172.16.0.0 255.255.255.0 10.0.0.2 //静态路由,下一跳ip为ipsec隧道端口地址 ! gateway-cfg Gateway keepAlive 60 shutdown ! ! ip access-list extended ACL //扩展型访问列表,定义哪些ip数据要被保护 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0 //这里只能配置一条,即使有多条,也只能是第一条生效 ! ! ivr-cfg ! !
BD1710#show run Building configuration... Current configuration: ! !version 1.3.1S service timestamps log date service timestamps debug date service password-encryption ! hostname BD1710 //网点接入路由器 ! aaa authentication login default enable enable password 7 123233445E28 level 15 ! crypto isakmp key test 211.162.108.36 255.255.255.255 //指定中心路由器的ip ! crypto isakmp policy 100 //IKE策略 hash md5 ! crypto ipsec transform-set test //ipsec变化集合 transform-type ah-md5-hmac esp-3des ! crypto map bdcom 10 ipsec-isakmp //静态的ipsec映射 set peer 211.162.108.36 set pfs group1 set transform-set test match address ipsec ! ! interface FastEthernet0/0 //接入网点的外网口,也可以是adsl等情况 ip address 220.114.196.122 255.255.255.128 no ip directed-broadcast crypto map bdcom //ipsec应用到路由器 ! interface Ethernet0/1 //网点路由器的局域网 ip address 10.1.128.10 255.255.255.0 no ip directed-broadcast duplex full ! interface Serial0/2 no ip address no ip directed-broadcast ! ! ip route default 220.114.196.126 ! gateway-cfg Gateway keepAlive 60 shutdown ! ! ip access-list extended ipsec permit ip 10.1.128.0 255.255.255.0 192.166.1.0 255.255.255.0 ! ! ivr-cfg ! ! |
阅读(686) | 评论(0) | 转发(0) |