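IPsec - Configuration Methods

Establishing SAs manually

1. Make sure traffic between the two ends is reachable

2. Configure the interesting traffic

3. Configure the ipsec proposal (it contains the encryption algorithm and the authentication algorithm)

4. Configure the ipsec policy, followed by the manual-mode keyword manual (it ties together the ACL, the ipsec proposal, the local and remote ends, the SA SPI and the string-key)

Device A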

Basic ACL 2000, 2 rules
Acl's step is 5
rule 1 deny source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.1.0 0.0.0.255

ACL 3000

rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128

ipsec policy MAP1 10 manual
security acl 3000
proposal 1
tunnel local 10.0.12.1
tunnel remote 10.0.23.1
sa spi inbound esp 54321
sa string-key inbound esp cipher 1
sa spi outbound esp 12345
sa string-key outbound esp cipher 1

interface GigabitEthernet0/0/0
ip address 10.0.12.1 255.255.255.0
ipsec policy MAP1
nat outbound 2000
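
In manual mode nothing negotiates the SAs, so the peer has to be configured as the mirror image of device A: tunnel local/remote swapped, and A's inbound SPI equal to the peer's outbound SPI (and the reverse). The check below is an added example, not part of the original post; device B's configuration is constructed for illustration, and the string-keys are not compared.

```python
import re

# Device A: the SA-related lines of the manual policy shown on the page.
CONFIG_A = """\
ipsec policy MAP1 10 manual
 tunnel local 10.0.12.1
 tunnel remote 10.0.23.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345
"""

# Device B: constructed for this example (not on the page) as the mirror of A.
CONFIG_B = """\
ipsec policy MAP1 10 manual
 tunnel local 10.0.23.1
 tunnel remote 10.0.12.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
"""

FIELD = re.compile(
    r"^\s*(?:tunnel (local|remote) (\S+)|sa spi (inbound|outbound) esp (\d+))\s*$")

def parse_manual_policy(text):
    """Collect tunnel endpoints and per-direction ESP SPIs from a manual policy."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m[1] or m[3]] = m[2] or m[4]
    return fields

def mirror_errors(a, b):
    """Return why policy b is not the mirror image of policy a ([] = consistent)."""
    errors = []
    pairs = [("local", "remote"), ("remote", "local"),
             ("inbound", "outbound"), ("outbound", "inbound")]
    for mine, theirs in pairs:
        if mine not in a or theirs not in b:
            errors.append(f"missing: A {mine} / B {theirs}")
        elif a[mine] != b[theirs]:
            errors.append(f"A {mine} {a[mine]} != B {theirs} {b[theirs]}")
    return errors

if __name__ == "__main__":
    a, b = parse_manual_policy(CONFIG_A), parse_manual_policy(CONFIG_B)
    print(mirror_errors(a, b) or "A and B are mirrored")
    # Pasting A's lines onto B unchanged fails every pair.
    print(mirror_errors(a, a))
```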

 

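Establishing SAs with IKE

ike proposal 2    (create and configure the IKE proposal)
authentication-algorithm md5    (set the data authentication algorithm)
encryption-algorithm 3DES    (set the encryption algorithm)
dh group2    (set the key exchange algorithm)


ike peer sh v1    (create and configure the IKE peer)
exchange-mode main/aggressive
pre-shared-key cipher huawei
ike-proposal 2
local-address 10.0.12.1
remote-address 10.0.23.1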


ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128


ipsec policy 1 1 isakmp
security acl 3000
ike-peer sh
proposal 1


interface g0/0/0
ipsec policy 1

posted @ 2021-04-18 02:44  anyaxi