IPSec configuration procedure
1. Configure an ACL that defines the data flow IPSec must protect
[r1]acl number 3000
[r1-acl-adv-3000]step 10
[r1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 //assumed: subnet behind router A to subnet behind router B
[r2]acl number 3000
[r2-acl-adv-3000]step 10
[r2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 //assumed: subnet behind router B to subnet behind router A
2. Configure the IPSec proposal, which defines how IPSec protects the traffic
[r1]ipsec proposal zurkj //create an IPSec proposal named zurkj
[r1-ipsec-proposal-zurkj]transform esp //set the security protocol of the proposal to ESP (ESP is the default, so this can be omitted)
[r1-ipsec-proposal-zurkj]esp authentication-algorithm sha1 //set the ESP authentication algorithm to SHA-1
[r1-ipsec-proposal-zurkj]esp encryption-algorithm aes-128 //set the ESP encryption algorithm to AES-128
[r1-ipsec-proposal-zurkj]encapsulation-mode tunnel //set the encapsulation mode to tunnel mode (tunnel mode is the default, so this can be omitted)
[r1-ipsec-proposal-zurkj]quit
[r2]ipsec proposal zurkj
[r2-ipsec-proposal-zurkj]transform esp
[r2-ipsec-proposal-zurkj]esp authentication-algorithm sha1
[r2-ipsec-proposal-zurkj]esp encryption-algorithm aes-128
[r2-ipsec-proposal-zurkj]quit
3. Configure the security policy (it references the ACL and the IPSec proposal configured above, so it decides which protection method is applied to which traffic)
[r1]ipsec policy zurkj 10 manual //create a manual-mode security policy named zurkj with sequence number 10
[r1-ipsec-policy-manual-zurkj-10]security acl 3000 //reference the ACL above to select the data flow to protect
[r1-ipsec-policy-manual-zurkj-10]proposal zurkj //reference the proposal created above
[r1-ipsec-policy-manual-zurkj-10]tunnel local 200.1.1.6 //public address of the local tunnel endpoint (start)
[r1-ipsec-policy-manual-zurkj-10]tunnel remote 200.1.2.6 //public address of the remote tunnel endpoint (end)
[r1-ipsec-policy-manual-zurkj-10]sa spi outbound esp 123456 //SPI of the local outbound SA, ESP protocol, value 123456
[r1-ipsec-policy-manual-zurkj-10]sa spi inbound esp 654321 //SPI of the local inbound SA, ESP protocol, value 654321
[r1-ipsec-policy-manual-zurkj-10]sa string-key outbound esp simple admin1234 //authentication key of the local outbound ESP SA, given as a character string
[r1-ipsec-policy-manual-zurkj-10]sa string-key inbound esp simple admin1234 //authentication key of the local inbound ESP SA, given as a character string
[r1-ipsec-policy-manual-zurkj-10]sa encryption-hex inbound esp simple 1234567890abcdef1234567890abcdef //ESP encryption key of the local inbound SA, given in hexadecimal
[r1-ipsec-policy-manual-zurkj-10]sa encryption-hex outbound esp simple 1234567890abcdef1234567890abcdef //ESP encryption key of the local outbound SA, given in hexadecimal
[r1-ipsec-policy-manual-zurkj-10]quit
[r2]ipsec policy zurkj 10 manual
[r2-ipsec-policy-manual-zurkj-10]security acl 3000
[r2-ipsec-policy-manual-zurkj-10]proposal zurkj
[r2-ipsec-policy-manual-zurkj-10]tunnel local 200.1.2.6
[r2-ipsec-policy-manual-zurkj-10]tunnel remote 200.1.1.6
[r2-ipsec-policy-manual-zurkj-10]sa spi outbound esp 123456
[r2-ipsec-policy-manual-zurkj-10]sa spi inbound esp 654321
[r2-ipsec-policy-manual-zurkj-10]sa string-key outbound esp simple admin1234
[r2-ipsec-policy-manual-zurkj-10]sa string-key inbound esp simple admin1234
[r2-ipsec-policy-manual-zurkj-10]sa encryption-hex outbound esp simple 1234567890abcdef1234567890abcdef
[r2-ipsec-policy-manual-zurkj-10]sa encryption-hex inbound esp simple 1234567890abcdef1234567890abcdef
[r2-ipsec-policy-manual-zurkj-10]quit
[r2]display ipsec policy name zurkj
===========================================
IPSec policy group: "zurkj"
Using interface:
===========================================
  Sequence number: 10
  Security data flow: 3000
  Tunnel local address: 200.1.2.6
  Tunnel remote address: 200.1.1.6
  Qos pre-classify: Disable
  Proposal name:zurkj
  Inbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Inbound ESP setting:
    ESP SPI: 654321 (0x9fbf1)
    ESP string-key:
    ESP encryption hex key: 1234567890abcdef1234567890abcdef
    ESP authentication hex key:
  Outbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Outbound ESP setting:
    ESP SPI: 123456 (0x1e240)
    ESP string-key:
    ESP encryption hex key: 1234567890abcdef1234567890abcdef
    ESP authentication hex key:
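As an added check (not part of the original page), the following Python script parses the r1 and r2 policy lines from step 3 and verifies the rule for manual SAs: each end's outbound SPI and keys must equal the peer's inbound ones, the tunnel addresses must cross, and each hex key must be 128 bits for AES-128. Run over the page's values it reports that both routers use 123456 outbound and 654321 inbound, so the SPIs do not match across the tunnel; the parser and the check names are assumptions for this example.

```python
import re
# Policy lines copied from the page's r1 and r2 manual policies (prompts dropped).
R1_POLICY = """
tunnel local 200.1.1.6
tunnel remote 200.1.2.6
sa spi outbound esp 123456
sa spi inbound esp 654321
sa string-key outbound esp simple admin1234
sa string-key inbound esp simple admin1234
sa encryption-hex inbound esp simple 1234567890abcdef1234567890abcdef
sa encryption-hex outbound esp simple 1234567890abcdef1234567890abcdef
"""
R2_POLICY = """
tunnel local 200.1.2.6
tunnel remote 200.1.1.6
sa spi outbound esp 123456
sa spi inbound esp 654321
sa string-key outbound esp simple admin1234
sa string-key inbound esp simple admin1234
sa encryption-hex outbound esp simple 1234567890abcdef1234567890abcdef
sa encryption-hex inbound esp simple 1234567890abcdef1234567890abcdef
"""

def parse_policy(text):
    """Parse 'tunnel ...' and 'sa ...' lines into endpoints plus per-direction SA parameters."""
    p = {"local": None, "remote": None, "inbound": {}, "outbound": {}}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "tunnel":      # tunnel local|remote <ip>
            p[tok[1]] = tok[2]
        elif tok[0] == "sa":        # sa <param> inbound|outbound esp [simple] <value>
            p[tok[2]][tok[1]] = tok[-1]
    return p

def check_peers(name_a, a, name_b, b):
    """Return the mismatches that would keep the two manual SAs from agreeing."""
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel endpoints do not cross")
    # Each end's outbound SA must equal the peer's inbound SA, parameter by parameter.
    for src_name, src, dst in ((name_a, a, b), (name_b, b, a)):
        for field in ("spi", "string-key", "encryption-hex"):
            out_v, in_v = src["outbound"].get(field), dst["inbound"].get(field)
            if out_v != in_v:
                problems.append(f"{src_name} outbound {field} {out_v} != peer inbound {in_v}")
    # AES-128 takes a 128-bit key, i.e. exactly 32 hex digits.
    for name, p in ((name_a, a), (name_b, b)):
        for d in ("inbound", "outbound"):
            if not re.fullmatch(r"[0-9a-fA-F]{32}", p[d].get("encryption-hex", "")):
                problems.append(f"{name} {d} encryption-hex is not a 128-bit AES key")
    return problems
```

Calling `check_peers("r1", parse_policy(R1_POLICY), "r2", parse_policy(R2_POLICY))` returns the two SPI mismatches; swapping r2's inbound and outbound SPI values makes the list empty.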