These are my notes from an online video course.
The video tutorial is here: http://www.verycd.com/topics/2802335/
IPSec VPN router configuration
Enabling and disabling ISAKMP on the router
Router(config)#crypto isakmp enable
Router(config)#no crypto isakmp enable
ISAKMP policy (this is the initial peer authentication, not the data-encryption scheme)
Router(config)#crypto isakmp policy priority    create an ISAKMP policy and assign its priority
Router(config-isakmp)#encryption {des | 3des}    set the symmetric encryption algorithm
Router(config-isakmp)#hash {sha | md5}    set the message digest algorithm
Router(config-isakmp)#authentication {rsa-sig | rsa-encr | pre-share}    set the peer authentication method
Router(config-isakmp)#group {1 | 2}    set the Diffie-Hellman group number
Router(config-isakmp)#lifetime seconds    set the SA lifetime
Transform sets
AH transforms: ah-md5-hmac, ah-sha-hmac
ESP transforms: esp-des, esp-3des, esp-null (encryption); esp-md5-hmac, esp-sha-hmac (authentication)
Show commands
router#show crypto ipsec transform-set
router#show crypto map [ ]
router#show crypto ipsec sa [map map-name | address | identity] [detail]
~~~~~~~~~~~~~~~~~~~~
Lab:
Basic configuration:
Figure: R1 (f0/0 201.0.0.1/24, s1/0 203.0.0.1/24) <-> R2 (s1/0 203.0.0.2/24, f0/0 202.0.0.1/24); the IPsec tunnel runs over the 203.0.0.0/24 serial link (the diagram itself is not in the notes).
R1:
en
conf t
no ip domain lookup
ip classless
ip subnet-zero
hostname R1
int s1/0
ip addr 203.0.0.1 255.255.255.0
no shut
exi
int f0/0
ip addr 201.0.0.1 255.255.255.0
no shut
exi
router rip
net 201.0.0.0
net 203.0.0.0
end
sh ip rou
R2:
en
conf t
no ip domain lookup
ip classless
ip subnet-zero
hostname R2
int s1/0
ip addr 203.0.0.2 255.255.255.0
no shut
exi
int f0/0
ip addr 202.0.0.1 255.255.255.0
no shut
exi
router rip
net 202.0.0.0
net 203.0.0.0
end
sh ip rou
~~~~~~~~~~~~~~~~~~
IPsec configuration:
R1:
en
conf t
crypto isakmp enable
crypto isakmp policy 11
encryption 3des
hash sha
group 2
authentication pre-share
lifetime 5000
exi
crypto isakmp key cisco123 address 203.0.0.2
access-list 111 permit ip any any
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
exi
crypto map map1 10 ipsec-isakmp
match address 111
set transform-set set1
set peer 203.0.0.2
exi
int s1/0
crypto map map1
end
show crypto ipsec sa
R2:
en
conf t
crypto isakmp enable
crypto isakmp policy 11
encryption 3des
hash sha
group 2
authentication pre-share
lifetime 5000
exi
crypto isakmp key cisco123 address 203.0.0.1
access-list 111 permit ip any any
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
exi
crypto map map1 10 ipsec-isakmp
match address 111
set transform-set set1
set peer 203.0.0.1
exi
int s1/0
crypto map map1
end
sh crypto ipsec sa
Done.
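An added example of mine, not from the video notes or from Cisco, that ties the ISAKMP policy and transform-set reference above to the R1/R2 lab configuration. The Python script below parses the crypto lines of both routers (embedded verbatim from the lab), reports the settings a reviewer would push back on (3DES, MD5, DH group 2, a `permit ip any any` crypto ACL, a short pre-shared key), and checks that the two peers' phase-1 policies, transform sets and keys agree, since a mismatch on any of them leaves the tunnel down with no SAs in `show crypto ipsec sa`. The weakness lists are an assumed review policy, not something the notes state.

```python
"""Offline audit of the IOS IPsec/ISAKMP lines of two VPN peers (added example)."""
import re

# Constructed sample: the crypto lines of R1's lab configuration, copied from the notes.
R1_CONFIG = """
crypto isakmp policy 11
 encryption 3des
 hash sha
 group 2
 authentication pre-share
 lifetime 5000
crypto isakmp key cisco123 address 203.0.0.2
access-list 111 permit ip any any
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
 match address 111
 set transform-set set1
 set peer 203.0.0.2
"""
R2_CONFIG = R1_CONFIG.replace("203.0.0.2", "203.0.0.1")  # R2 is the mirror image

# Assumed review policy (not from the notes): phase-1 values and transforms to reject.
WEAK_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
PHASE1_ATTRS = ("encryption", "hash", "group", "authentication")  # lifetime is negotiated


def parse_crypto(config):
    """Collect ISAKMP policies, pre-shared keys, crypto ACLs, transform sets and map entries."""
    cfg = {"policies": {}, "keys": {}, "acls": {}, "transform_sets": {}, "maps": {}}
    mode = None  # (section, name) while inside a policy or crypto-map sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            mode = ("policies", m.group(1))
            cfg["policies"][m.group(1)] = {}
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            mode = ("maps", f"{m.group(1)} {m.group(2)}")
            cfg["maps"][mode[1]] = {}
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            cfg["keys"][m.group(2)] = m.group(1)
            mode = None
        elif m := re.match(r"access-list (\d+) (.+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
            mode = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = set(m.group(2).split())
            mode = None
        elif mode:
            key, _, value = line.partition(" ")
            if key in ("match", "set"):  # "set peer X" -> peer: X, "match address N" -> address: N
                key, _, value = value.partition(" ")
            cfg[mode[0]][mode[1]][key] = value
    return cfg


def audit(config):
    """Findings for one router: weak algorithms, catch-all crypto ACL, short or missing PSK."""
    cfg, findings = parse_crypto(config), []
    for prio, pol in cfg["policies"].items():
        for attr, weak in WEAK_PHASE1.items():
            if pol.get(attr) in weak:
                findings.append(f"policy {prio}: {attr} {pol[attr]} is weak or deprecated")
    for name, algs in cfg["transform_sets"].items():
        for alg in sorted(algs & WEAK_TRANSFORMS):
            findings.append(f"transform-set {name}: {alg} is weak or deprecated")
    for entry, attrs in cfg["maps"].items():
        if "permit ip any any" in cfg["acls"].get(attrs.get("address"), []):
            findings.append(f"crypto map {entry}: ACL {attrs['address']} selects all traffic; "
                            "scope it to the protected subnets")
        peer = attrs.get("peer")
        if peer not in cfg["keys"]:
            findings.append(f"crypto map {entry}: no pre-shared key configured for peer {peer}")
        elif len(cfg["keys"][peer]) < 16:
            findings.append(f"pre-shared key for {peer} is only {len(cfg['keys'][peer])} characters")
    return findings


def peers_match(cfg_a, cfg_b):
    """Mismatches that would keep IKE from completing between two peers ([] means consistent)."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    problems = []
    # Phase 1: some policy on each side must agree on every attribute except lifetime.
    pairs = [(pa, pb) for pa in a["policies"].values() for pb in b["policies"].values()]
    if not any(all(pa.get(k) == pb.get(k) for k in PHASE1_ATTRS) for pa, pb in pairs):
        problems.append("no ISAKMP policy with matching encryption/hash/group/authentication")
    # Phase 2: the transform sets referenced by the crypto maps must be identical.
    ts_a = {frozenset(a["transform_sets"].get(m.get("transform-set"), ()))
            for m in a["maps"].values()}
    ts_b = {frozenset(b["transform_sets"].get(m.get("transform-set"), ()))
            for m in b["maps"].values()}
    if not ts_a & ts_b:
        problems.append("no common IPsec transform set between peers")
    # Pre-shared keys: the key each side holds for the other must be the same string.
    if set(a["keys"].values()) != set(b["keys"].values()):
        problems.append("pre-shared keys differ between peers")
    return problems


if __name__ == "__main__":
    for name, cfg in (("R1", R1_CONFIG), ("R2", R2_CONFIG)):
        print(name, *audit(cfg), sep="\n  ")
    print("peer mismatches:", peers_match(R1_CONFIG, R2_CONFIG) or "none")
```

Run it as-is and each lab router produces six findings; the two peers come back consistent, which matches the lab's intent. Change one side's `hash sha` to `hash md5`, or swap `esp-3des` for another transform on one router only, and `peers_match` names the phase that will fail to negotiate. The parser only understands the config shapes used in this lab (numbered ACLs, `ipsec-isakmp` crypto map entries, address-keyed pre-shared keys), which is enough to check a site-to-site pair like R1/R2.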