IKE是一种混和协议,混和协议的复杂性使其不可避免地带来一些安全及性能上的缺陷,导致其成为整个IP-Sec实现中的瓶颈。为此,IETF一直对现有版本不合理部分积极征集修改意见,陆续推出了新的IKE草案,并于2005年12月26日正式推出了新的IKE协议标准--IKEv2。

拓扑:

 

ASA L2L vpn IKEV2共享密钥配置_ASA

配置:

------------------------------------------ASA1---------------------------------------------

ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
interface GigabitEthernet3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list l2lacl extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
pager lines 24
mtu dmz 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 0.0.0.0 0.0.0.0 192.168.2.2 tunneled //只对×××加密数据生效
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.2.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap interface outside
crypto ikev2 policy 10
 encryption 3des
 integrity md5 //完整性算法
 group 2
 prf md5 //伪随机算法
 lifetime seconds 86400
crypto ikev2 enable outside

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 
remote-cisco

 ikev2 local-authentication pre-shared-key local-cisco

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:ebcb48022e2990d03283cce1e4ed839a
: end

--------------------------------------ASA2-----------------------------------

ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.2.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.3.10 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
interface GigabitEthernet3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list l2lacl extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu dmz 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
route inside 0.0.0.0 0.0.0.0 192.168.3.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.1.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap interface outside
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.10 type ipsec-l2l
tunnel-group 172.16.1.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key local-cisco

 ikev2 local-authentication pre-shared-key remote-cisco

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:17095fbc246cd193cd330640f2836130
: end

其他配置非常简单在不在给出