1. 需要保护的流量流经路由器,触发路由器启动相关的协商过程。
定义感兴趣流
conf t
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
定义感兴趣流
conf t
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
2. 启动IKE (Internet key exchange)阶段1,对通信双方进行身份认证,并在两端之间建立一条安全的隧道。
IKE第一阶段,SA协商
conf t
//生成iskamp policy number 1
crypto isakmp policy 1
//双方认证方式采用预共享密钥
authentication pre-share
//数据安全采用3des加密
encryption 3des
//数据完整性采用md5校验
hash md5
//指定为Diffie-Hellman组,1表示768位,2表示1024位
group 2
//指定安全关联SA的有效期,不设就为默认值
lifetime 86400
exit
//与对端23.0.0.1采用密钥cisco协商
crypto isakmp key cisco add 23.0.0.1
exit
//查看安全关联SA定义
show crypto isakmp policy
3. 启动IKE阶段2,在上述安全隧道上协商IPSec参数。
IKE第二阶段,配置及查看ipsec
conf t
//定义ipsec转换集,转换集名称为myset1,采用esp封装协议,加密用des,完整性用md5 hash
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
//ipsec模式为隧道
mode tunnel
exit
crypto ipsec security-association lifetime seconds 3600
exit
//查看ipsec转换集设置
show crypto ipsec transform-set
exit
//查看ipsec转换集设置
show crypto ipsec transform-set
4. 按协商好的IPSec参数对数据流进行加密、hash等保护
建立加密映射
conf t
crypto map mymap1 1 ipsec-isakmp
set peer 23.0.0.1
match address acl_vpn
set transform-set myset1
reverse-route static
set security-association lifetime kilobytes 100000
set pfs group1
end
建立加密映射
conf t
crypto map mymap1 1 ipsec-isakmp
set peer 23.0.0.1
match address acl_vpn
set transform-set myset1
reverse-route static
set security-association lifetime kilobytes 100000
set pfs group1
end
