IPsec ***: (command screenshots are saved in QQ favorites)

Configuration on R1:

Define the traffic to be protected

[R1]acl advanced 3001

[R1-acl-ipv4-adv-3001]rule permit ip source 192.168.1.1 0 destination 172.16.1.1 0

Define the IKE phase 1 parameters (the defaults can be used)

[R1]ike proposal 1

[R1-ike-proposal-1]encryption-algorithm 3des-cbc

[R1-ike-proposal-1]authentication-algorithm md5

[R1-ike-proposal-1]authentication-method pre-share (present by default)

[R1-ike-proposal-1]dh group2

[R1-ike-proposal-1]quit

Define the peer address and the pre-shared key

[R1]ike keychain 1

[R1-ike-keychain-1]pre-shared-key address 23.1.1.3 24 key simple 123

[R1-ike-keychain-1]quit

Attach the keychain to the IKE profile

[R1]ike profile 1

[R1-ike-profile-1]keychain 1

[R1-ike-profile-1]match remote identity address 23.1.1.3 24

[R1-ike-profile-1]proposal 1

[R1-ike-profile-1]quit

Define IKE phase 2 (the IPsec transform set)

[R1]ipsec transform-set 1

[R1-ipsec-transform-set-1]encapsulation-mode tunnel

[R1-ipsec-transform-set-1]protocol esp

[R1-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc

[R1-ipsec-transform-set-1]esp authentication-algorithm md5

[R1-ipsec-transform-set-1]quit

Note:

When the protocol is ah-esp, one more command must be specified: ah authentication-algorithm md5

Define the security policy

[R1]ipsec policy H3C 10 isakmp

[R1-ipsec-policy-isakmp-H3C-10]transform-set 1

[R1-ipsec-policy-isakmp-H3C-10]security acl 3001

[R1-ipsec-policy-isakmp-H3C-10]local-address 12.1.1.1

[R1-ipsec-policy-isakmp-H3C-10]remote-address 23.1.1.3

[R1-ipsec-policy-isakmp-H3C-10]ike-profile 1

[R1-ipsec-policy-isakmp-H3C-10]quit

Apply the policy on the interface

[R1]int g0/0

[R1-GigabitEthernet0/0]ipsec apply policy H3C

Display command:

<R1>dis ipsec sa brief

IPsec over GRE ***:

Configuration on R3:

[R3]acl advanced 3001

[R3-acl-ipv4-adv-3001]rule permit ip source 192.168.1.1 0 destination 172.16.1.1 0

[R3]int Tunnel 1 mode gre

[R3-Tunnel1]ip add 13.1.1.3 24

[R3-Tunnel1]source 23.1.1.3

[R3-Tunnel1]destination 12.1.1.1

[R3]ike proposal 1

[R3-ike-proposal-1]encryption-algorithm 3des-cbc

[R3-ike-proposal-1]authentication-algorithm md5

[R3-ike-proposal-1]authentication-method pre-share (present by default)

[R3-ike-proposal-1]dh group2

[R3-ike-proposal-1]quit

[R3]ike keychain 1

[R3-ike-keychain-1]pre-shared-key address 13.1.1.1 24 key simple 123

[R3-ike-keychain-1]quit

[R3]ike profile 1

[R3-ike-profile-1]keychain 1

[R3-ike-profile-1]match remote identity address 13.1.1.1 24

[R3-ike-profile-1]proposal 1

[R3-ike-profile-1]quit

[R3]ipsec transform-set 1

[R3-ipsec-transform-set-1]encapsulation-mode tunnel

[R3-ipsec-transform-set-1]protocol esp

[R3-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc

[R3-ipsec-transform-set-1]esp authentication-algorithm md5

[R3-ipsec-transform-set-1]quit

[R3]ipsec policy H3C 10 isakmp

[R3-ipsec-policy-isakmp-H3C-10]transform-set 1

[R3-ipsec-policy-isakmp-H3C-10]security acl 3001

[R3-ipsec-policy-isakmp-H3C-10]local-address 13.1.1.3

[R3-ipsec-policy-isakmp-H3C-10]remote-address 13.1.1.1

[R3-ipsec-policy-isakmp-H3C-10]ike-profile 1

[R3-ipsec-policy-isakmp-H3C-10]quit

[R3]int Tunnel 1

[R3-Tunnel1]ipsec apply policy H3C

[R3-Tunnel1]quit

[R3]ip route-static 192.168.1.1 32 Tunnel 1

[R3]ip route-static 0.0.0.0 0 23.1.1.2

Display command:

<R1>dis ipsec sa brief
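The lab configurations above (both the plain IPsec one on R1 and the IPsec over GRE one on R3) rely on 3des-cbc, md5, DH group2 and a cleartext pre-shared key of "123". As an added example that is not part of the original notes, the following Python script audits a pasted Comware configuration for exactly those settings; the weak-algorithm lists and the minimum key length are assumptions you should align with your own policy, and the sample config is constructed from R1's commands.

```python
import re

# Assumed weak lists: what a reviewer would flag in an IKE/IPsec proposal.
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5"}
WEAK_DH = {"group1", "group2"}
MIN_PSK_LEN = 16  # assumed policy minimum for a pre-shared key

PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # strips "[R1-ike-proposal-1]" prefixes


def audit_ipsec_config(config: str) -> list:
    """Return (finding, line) tuples for weak settings in a Comware config."""
    findings = []
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        parts = line.split()
        if len(parts) < 2:
            continue
        # "esp encryption-algorithm x" and "ah authentication-algorithm x"
        # are checked like their IKE-proposal counterparts.
        if parts[0] in ("esp", "ah"):
            parts = parts[1:]
        if parts[0] == "encryption-algorithm" and parts[1] in WEAK_ENC:
            findings.append(("weak-encryption", line))
        elif parts[0] == "authentication-algorithm" and parts[1] in WEAK_AUTH:
            findings.append(("weak-integrity", line))
        elif parts[0] == "dh" and parts[1] in WEAK_DH:
            findings.append(("weak-dh-group", line))
        elif parts[0] == "pre-shared-key" and "simple" in parts:
            findings.append(("cleartext-psk", line))  # key stored/shown in plaintext
            key = parts[parts.index("simple") + 1]
            if len(key) < MIN_PSK_LEN:
                findings.append(("short-psk", line))
    return findings


# Constructed sample: R1's lab configuration from the notes above.
SAMPLE_R1 = """
[R1]ike proposal 1
[R1-ike-proposal-1]encryption-algorithm 3des-cbc
[R1-ike-proposal-1]authentication-algorithm md5
[R1-ike-proposal-1]dh group2
[R1]ike keychain 1
[R1-ike-keychain-1]pre-shared-key address 23.1.1.3 24 key simple 123
[R1]ipsec transform-set 1
[R1-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[R1-ipsec-transform-set-1]esp authentication-algorithm md5
"""

if __name__ == "__main__":
    for kind, line in audit_ipsec_config(SAMPLE_R1):
        print(f"{kind:16} {line}")
```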

L2TP: