Category: WINDOWS

2009-07-13 14:54:20

The configuration is fairly involved and hard to remember at first, so here is a template. Each piece refers to the one before it: the ACL selects the traffic, the ISAKMP policy and key cover phase 1 (IKE), the transform set covers phase 2 (IPsec), and the crypto map ties them together and is finally applied to an interface.

ip access-list extended access-list-name //create the ACL that selects which packets are to be protected
crypto isakmp policy priority //phase 1: IKE authentication, encryption, integrity check, etc.
authentication { pre-share|rsa-sig|rsa-encr}
encryption {des|3des}
group {1|2}
hash {sha|md5}
lifetime seconds
crypto isakmp key keystring peer-address //pre-shared key for the IKE phase
crypto ipsec transform-set transform-set-name //phase 2: IPsec begins here
transform-type transform-type //encryption and authentication applied to the upper-layer data
mode {tunnel | transport}  //IPsec mode; the default is tunnel
crypto map map-name seq-num ipsec-isakmp //create the IPsec map, which mainly references the pieces defined above
set peer ip-address
match address access-list-name
set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
set pfs [group1|group2]
set security-association lifetime [seconds seconds | kilobytes kilobytes]
 
RT1#show run
Building configuration...
Current configuration:
!
!version 1.3.2C
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT1
!
crypto isakmp key 123456 10.0.0.2 255.255.255.255     //ISAKMP pre-shared key; must match the peer
!
crypto isakmp policy 100       //create the ISAKMP policy
hash md5        //hash algorithm used for data integrity
!
crypto ipsec transform-set 100      //create the transform set
transform-type ah-md5-hmac esp-des    //MD5 authentication and DES encryption; configurable, but must match the peer
!                            //the key and policy above are phase 1; the transform set and the crypto map below are the phase 2 (IPsec) configuration
crypto map bdcom 100 ipsec-isakmp    //create the IPsec map
set peer 10.0.0.2          //IP of the peer router running IPsec
set transform-set 100    //reference the transform set
match address ACL        //reference the access list that selects the traffic IPsec protects
!
interface Loopback0          //loopback interface standing in for the local LAN segment
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
!
!
interface Ethernet1/2        //the router's WAN interface
ip address 10.0.0.1 255.255.255.0
no ip directed-broadcast
crypto map bdcom        //apply the crypto map to the physical interface; this is what makes IPsec take effect
duplex half
!
interface Serial1/0
no ip address
no ip directed-broadcast
!
interface Serial1/1
no ip address
no ip directed-broadcast
!
interface Serial2/0
no ip address
no ip directed-broadcast
!
interface Serial2/1
no ip address
no ip directed-broadcast
!
interface Serial2/2
no ip address
no ip directed-broadcast
!
interface Serial2/3
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
!
ip route 172.16.0.0 255.255.255.0 10.0.0.2     //static route to the remote LAN; the next hop is the peer's tunnel endpoint address
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
!
ip access-list extended ACL          //extended access list defining which IP traffic is to be protected
permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0    //only one entry can be configured here; even with several entries, only the first takes effect
!
!
ivr-cfg
!
!
BD1710#show run
Building configuration...
Current configuration:
!
!version 1.3.1S
service timestamps log date
service timestamps debug date
service password-encryption
!
hostname BD1710          //branch-site access router
!
aaa authentication login default enable
enable password 7 123233445E28 level 15
!
crypto isakmp key test 211.162.108.36 255.255.255.255      //pre-shared key, keyed to the hub router's IP
!
crypto isakmp policy 100       //IKE policy
hash md5
!
crypto ipsec transform-set test           //IPsec transform set
transform-type ah-md5-hmac esp-3des
!
crypto map bdcom 10 ipsec-isakmp          //static IPsec map
set peer 211.162.108.36
set pfs group1
set transform-set test
match address ipsec
!
!
interface FastEthernet0/0               //WAN interface of the branch site; could equally be ADSL or similar
ip address 220.114.196.122 255.255.255.128
no ip directed-broadcast
crypto map bdcom           //apply the crypto map, enabling IPsec on this interface
!
interface Ethernet0/1       //LAN side of the branch router
ip address 10.1.128.10 255.255.255.0
no ip directed-broadcast
duplex full
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
!
ip route default 220.114.196.126
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
!
ip access-list extended ipsec
permit ip 10.1.128.0 255.255.255.0 192.166.1.0 255.255.255.0
!
!
ivr-cfg
!
!
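Two things go wrong most often with this kind of configuration: a name in the chain (transform set, ACL, crypto map) that does not resolve, or a crypto ACL whose source and destination are not exactly swapped on the peer, which yields a tunnel that only comes up from one side. The configs above also use parameters that are now legacy (DES, MD5, DH group 1, short pre-shared keys such as 123456 and test). Note that RT1 and BD1710 are independent examples, not each other's peers: BD1710 points at a different hub and protects different networks. The following is an added example in Python, not code from the original post or from BDCOM. It parses a Cisco/BDCOM-style config, checks every reference in the ACL, transform set, crypto map, interface chain, flags legacy algorithms, and checks that two peers' crypto ACLs mirror each other. RT1_CFG is condensed from the RT1 output above; RT2_CFG is a constructed, hypothetical peer at 10.0.0.2 that the page does not show.

```python
# Added example, not code from the original post. RT1_CFG is condensed from
# the RT1 config on the page; RT2_CFG is a constructed, hypothetical peer at
# 10.0.0.2 that the page does not show.

RT1_CFG = """
crypto isakmp key 123456 10.0.0.2 255.255.255.255
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set 100
 match address ACL
interface Ethernet1/2
 ip address 10.0.0.1 255.255.255.0
 crypto map bdcom
ip access-list extended ACL
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
"""

RT2_CFG = """
crypto isakmp key 123456 10.0.0.1 255.255.255.255
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set 100
 match address ACL
interface Ethernet0/0
 crypto map bdcom
ip access-list extended ACL
 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

# Algorithms that should no longer be used for IKE or IPsec.
WEAK = {"des": "single DES", "esp-des": "single DES", "md5": "MD5",
        "ah-md5-hmac": "HMAC-MD5", "esp-md5-hmac": "HMAC-MD5",
        "1": "DH group 1 (768-bit)", "group1": "DH group 1 (768-bit)"}


def parse(text):
    """Collect keys, ISAKMP policies, transform sets, crypto maps, ACLs and
    interface bindings. Accepts 'transform-type' on its own line (BDCOM style)
    as well as transforms inline on the transform-set line (Cisco IOS style)."""
    cfg = {"keys": [], "policies": {}, "tsets": {}, "maps": {}, "acls": {}, "bound": set()}
    ctx = None  # (kind, name) of the block we are currently inside
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"].append((w[3], w[4]))  # (key, peer)
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", w[3]); cfg["policies"][w[3]] = {}
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            ctx = ("tset", w[3]); cfg["tsets"][w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and len(w) > 3:  # global map, not the interface binding
            ctx = ("map", (w[2], w[3]))
            cfg["maps"][ctx[1]] = {"peer": None, "tset": None, "acl": None, "pfs": None}
        elif w[0] == "interface":
            ctx = ("intf", w[1])
        elif w[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", w[3]); cfg["acls"][w[3]] = []
        elif ctx is None or len(w) < 2:
            continue
        elif ctx[0] == "policy":
            cfg["policies"][ctx[1]][w[0]] = w[1]  # hash/encryption/group/authentication/lifetime
        elif ctx[0] == "tset" and w[0] == "transform-type":
            cfg["tsets"][ctx[1]] = w[1:]
        elif ctx[0] == "map" and len(w) > 2:
            field = {("set", "peer"): "peer", ("set", "transform-set"): "tset",
                     ("match", "address"): "acl", ("set", "pfs"): "pfs"}.get((w[0], w[1]))
            if field:
                cfg["maps"][ctx[1]][field] = w[2]
        elif ctx[0] == "intf" and w[:2] == ["crypto", "map"]:
            cfg["bound"].add(w[2])
        elif ctx[0] == "acl" and w[:2] == ["permit", "ip"] and len(w) >= 6:
            cfg["acls"][ctx[1]].append(tuple(w[2:6]))  # (src, src_mask, dst, dst_mask)
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the chain resolves cleanly."""
    out = []
    for key, peer in cfg["keys"]:
        if len(key) < 16:
            out.append(f"pre-shared key for peer {peer} is only {len(key)} characters")
    for name, p in cfg["policies"].items():
        for field in ("authentication", "encryption", "group"):
            if field not in p:
                out.append(f"isakmp policy {name}: {field} not set explicitly, platform default applies")
        for field, val in p.items():
            if val in WEAK:
                out.append(f"isakmp policy {name}: {field} {val} uses {WEAK[val]}")
    for name, transforms in cfg["tsets"].items():
        for t in transforms:
            if t in WEAK:
                out.append(f"transform-set {name}: {t} uses {WEAK[t]}")
    for (name, seq), m in cfg["maps"].items():
        if m["tset"] not in cfg["tsets"]:
            out.append(f"crypto map {name} {seq}: transform-set {m['tset']} is not defined")
        if m["acl"] not in cfg["acls"]:
            out.append(f"crypto map {name} {seq}: access-list {m['acl']} is not defined")
        if m["pfs"] is None:
            out.append(f"crypto map {name} {seq}: no PFS, every IPsec SA is derived from the same phase 1 keying material")
        elif m["pfs"] in WEAK:
            out.append(f"crypto map {name} {seq}: pfs {m['pfs']} uses {WEAK[m['pfs']]}")
        if name not in cfg["bound"]:
            out.append(f"crypto map {name}: not applied to any interface, so it never takes effect")
    return out


def acls_mirror(acl_a, acl_b):
    """True when every (src, dst) pair on one side appears with src/dst swapped on the other."""
    return {(d, dm, s, sm) for s, sm, d, dm in acl_a} == set(acl_b)


if __name__ == "__main__":
    rt1, rt2 = parse(RT1_CFG), parse(RT2_CFG)
    for finding in audit(rt1):
        print("RT1:", finding)
    print("crypto ACLs mirror each other:", acls_mirror(rt1["acls"]["ACL"], rt2["acls"]["ACL"]))
```

Run directly, it lists the legacy-algorithm and missing-PFS findings for RT1 and confirms that the constructed RT2 ACL is the exact mirror of RT1's. Feeding it the BD1710 output instead would additionally flag `set pfs group1`; swapping only one address in an ACL entry is enough for `acls_mirror` to return False, which is the usual cause of a tunnel that negotiates from one side but not the other.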
