IPSEC配置方式
IPSEC配置方式1、配置ACL定义需要IPSec保护的数据流acl number3000step10rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255//假设为A路由网段至B路由网段
acl number 3000step10rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.00.0.0.255//假设为B路由网段至A路由网段
2 、配置IPSec安全提议,定义IPSec的保护方法ipsecproposal zurkj//创建ipsec安全提议 名为zurkjtransformesp//配置转换安全提议的认证协议为ESP(默认就是ESP可不配置)espauthentication-algorithm sha1 //配置ESP身份认证算法为sha1espencryption-algorithm aes-128 //配置ESP加密算法为aes-128encapsulation-modetunnel //配置封装模式为隧道模式(默认就是ESP可不配置)quitipsec proposalzurkjtransformespespauthentication-algorithm sha1espencryption-algorithm aes-128quit
3、配置安全策略(这里需要引用前面配置的ACL和IPSec全安提议,确认对何种数据采用何种保护方法)ipsec policyzurkj 10 manual //创建手工方式安全策略 名为zurkj 序号为10securityacl 3000 //调用前面ACL创建需要保护的数据流proposalzurkj //调用前面创建的安全提议tunnellocal 200.1.1.6 //配置隧道本端公网地址(起点)tunnelremote 200.1.2.6 //配置隧道对端公网地址(终点)saspi outbound esp 123456 //配置本端出方向SA的SPI采用ESP协议 SPI值为123456saspi inbound esp 654321 //配置本端入方向SA的SPI采用ESP协议 SPI值为123456sastring-key outbound esp simple admin1234//配置本端出方向ESP协议的认证密钥采用字符串方式sastring-key inbound esp simple admin1234 //配置本端入方向ESP协议的认证密钥采用字符串方式saencryption-hex inbound esp simple 1234567890abcdef1234567890abcdef //使用十六进制数格式配置本端入方向的ESP密钥saencryption-hex outbound esp simple 1234567890abcdef1234567890abcdef//使用十六进制数格式配置本端出quit方向的ESP密钥quitipsec policyzurkj10 manualsecurityacl 3000 proposalzurkj tunnellocal 200.1.2.6tunnelremote 200.1.1.6saspi outbound esp 123456saspi inbound esp 654321sastring-key outbound esp simple admin1234sastring-key inbound esp simple admin1234saencryption-hex outbound esp simple 1234567890abcdef1234567890abcdefsaencryption-hex inbound esp simple 1234567890abcdef1234567890abcdefquitdisplay ipsecpolicy name zurkj===========================================IPSec policy group: "zurkj"Using interface: =========================================== Sequence number: 10 Security data flow: 3000 Tunnel localaddress: 200.1.2.6 Tunnel remote address: 200.1.1.6 Qos pre-classify: Disable Proposal name:zurkj Inbound AH setting: AH SPI: AH string-key: AH authentication hex key: Inbound ESP setting: ESP SPI: 654321 (0x9fbf1) ESP string-key: ESP encryption hex key: 1234567890abcdef1234567890abcdef ESP authentication hex key: Outbound AH setting: AH SPI: AH string-key: AH authentication hex key: Outbound ESP setting: ESP SPI: 123456 (0x1e240) ESP string-key: ESP encryption hex key: 1234567890abcdef1234567890abcdef ESP authentication hex key:
页:
[1]
