1. 分几步设置
(1)定义ACL
(2)创建 ipsec 安全建议
(3)创建IKE keychain
(4)创建IKE profile
(5)创建一条IKE协商方式的IPsec安全策略
2.配置
(1)
配置
Device A
配置各接口的IP地址,具体略。
配置
ACL 3101,定义要保护由子网10.1.1.0/24去子网10.1.2.0/24的数据流。
<DeviceA> system-view
[DeviceA] acl number 3101
[DeviceA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3101] quit
创建IPsec安全提议tran1
[DeviceA] ipsec transform-set tran1
配置安全协议对IP报文的封装形式为隧道模式。
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
配置采用的安全协议为ESP
[DeviceA-ipsec-transform-set-tran1] protocol esp
配置ESP协议采用的加密算法为128比特的AES,认证算法为HMAC-SHA1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
创建IKE keychain,名称为keychain1
[DeviceA] ike keychain keychain1
配置与IP地址为2.2.2.2的对端使用的预共享密钥为明文123456TESTplat&!
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
创建IKE profile,名称为profile1
[DeviceA] ike profile profile1
指定引用的IKE keychain为keychain1
[DeviceA-ike-profile-profile1] keychain keychain1
配置本端的身份信息为IP地址1.1.1.1
[DeviceA-ike-profile-profile1] local-identity address 1.1.1.1
#配置匹配对端身份的规则为IP地址2.2.2.2/24
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] quit
创建一条IKE协商方式的IPsec安全策略,名称为map1,顺序号为10
[DeviceA] ipsec policy map1 10 isakmp
配置IPsec隧道的对端IP地址为2.2.2.2
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
指定引用ACL 3101
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
指定引用的安全提议为tran1
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
指定引用的IKE profile为profile1
[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
在接口GigabitEthernet2/1/1上应用IPsec安全策略map1
[DeviceA-GigabitEthernet2/1/1] ipsec apply policy map1
[DeviceA-GigabitEthernet2/1/1] quit
B 同理