一:目的:100.1.1.1与200.1.1.2建立ipsec隧道。
二:配置基本命令
1 配置acl :
[MSR_1]acl advanced 3000
[MSR_1-acl-ipv4-adv-3000]rule permit ip source 192.168.0.1 0 destination 10.0.0.1 0
2创建IPsec安全提议
[MSR_1]ipsec transform-set tran
[MSR_1-ipsec-transform-set-tran]encapsulation-mode tunnel
[MSR_1-ipsec-transform-set-tran]protocol esp
[MSR_1-ipsec-transform-set-tran]esp encryption-algorithm aes-cbc-128
[MSR_1-ipsec-transform-set-tran]esp authentication-algorithm sha1
3创建IKE keychain
[MSR_1]ike keychain test
[MSR_1-ike-keychain-test]pre-shared-key address 200.1.1.2 255.255.255.0 key simple 123456
4创建IKE提议
[MSR_1]ike proposal 100
[MSR_1-ike-proposal-100]encryption-algorithm 3des-cbc
[MSR_1-ike-proposal-100]authentication-method pre-share
[MSR_1-ike-proposal-100]authentication-algorithm md5
[MSR_1-ike-proposal-100]dh group1
5创建IKE profile
[MSR_1]ike profile profile1
[MSR_1-ike-profile-profile1]keychain test
[MSR_1-ike-profile-profile1]local-identity address 100.1.1.1
[MSR_1-ike-profile-profile1]match remote identity address 200.1.1.2 255.255.255.0
[MSR_1-ike-profile-profile1]proposal 100
6创建一条IKE协商方式的IPsec安全策略
[MSR_1]ipsec policy test 10 isakmp
[MSR_1-ipsec-policy-isakmp-test-10]remote-address 200.1.1.2
[MSR_1-ipsec-policy-isakmp-test-10]security acl 3000
[MSR_1-ipsec-policy-isakmp-test-10]transform-set tran
[MSR_1-ipsec-policy-isakmp-test-10]ike-profile profile1
7接口应用:
[MSR_1]int g0/0
[MSR_1-GigabitEthernet0/0]ipsec apply policy test
另端设备镜像配置即可。
三:抓包:
esp数据包: