IPsec ×××: (command screenshots are in my QQ favorites)
Configuration on R1:
Define the traffic to be protected
[R1]acl advanced 3001
[R1-acl-ipv4-adv-3001]rule permit ip source 192.168.1.1 0 destination 172.16.1.1 0
[R1-acl-ipv4-adv-3001]quit
Define the IKE phase 1 parameters (the default parameters can also be used)
[R1]ike proposal 1
[R1-ike-proposal-1]encryption-algorithm 3des-cbc
[R1-ike-proposal-1]authentication-algorithm md5
[R1-ike-proposal-1]authentication-method pre-share (this is the default)
[R1-ike-proposal-1]dh group2
[R1-ike-proposal-1]quit
Define the peer address and the pre-shared key
[R1]ike keychain 1
[R1-ike-keychain-1]pre-shared-key address 23.1.1.3 24 key simple 123
[R1-ike-keychain-1]quit
Add the keychain to the IKE profile
[R1]ike profile 1
[R1-ike-profile-1]keychain 1
[R1-ike-profile-1]match remote identity address 23.1.1.3 24
[R1-ike-profile-1]proposal 1
[R1-ike-profile-1]quit
Define IKE phase 2 (the IPsec transform set)
[R1]ipsec transform-set 1
[R1-ipsec-transform-set-1]encapsulation-mode tunnel
[R1-ipsec-transform-set-1]protocol esp
[R1-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[R1-ipsec-transform-set-1]esp authentication-algorithm md5
[R1-ipsec-transform-set-1]quit
Note: when the protocol is ah-esp, one more command must be specified: ah authentication-algorithm md5
Define the IPsec security policy
[R1]ipsec policy H3C 10 isakmp
[R1-ipsec-policy-isakmp-H3C-10]transform-set 1
[R1-ipsec-policy-isakmp-H3C-10]security acl 3001
[R1-ipsec-policy-isakmp-H3C-10]local-address 12.1.1.1
[R1-ipsec-policy-isakmp-H3C-10]remote-address 23.1.1.3
[R1-ipsec-policy-isakmp-H3C-10]ike-profile 1
[R1-ipsec-policy-isakmp-H3C-10]quit
Apply the policy on the interface
[R1]int g0/0
[R1-GigabitEthernet0/0]ipsec apply policy H3C
Verification command:
<R1>dis ipsec sa brief
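The R1 configuration above negotiates 3DES, MD5, DH group 2 and a plaintext pre-shared key, which are the settings a reviewer would flag today. The following audit script is an added example (not from the original notes or from H3C); it parses the command syntax shown on this page and reports weak IKE/IPsec settings. The weak-algorithm sets and the sample configuration text are constructed for the example.

```python
import re

# Constructed sample: the IKE/IPsec fragments of the R1 configuration above,
# as they would appear in "display current-configuration" output.
SAMPLE_CONFIG = """\
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
 authentication-method pre-share
 dh group2
ike keychain 1
 pre-shared-key address 23.1.1.3 24 key simple 123
ipsec transform-set 1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
"""

# Settings treated as weak (assumption: this example's own policy, not a vendor list).
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH = {"group1", "group2", "group5"}


def audit_ipsec_config(text):
    """Return a list of (line_number, finding) tuples for weak IKE/IPsec settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = re.match(r"(?:esp )?encryption-algorithm (\S+)", line)
        if m and m.group(1) in WEAK_ENCRYPTION:
            findings.append((lineno, f"weak encryption algorithm {m.group(1)}"))
        m = re.match(r"(?:esp |ah )?authentication-algorithm (\S+)", line)
        if m and m.group(1) in WEAK_INTEGRITY:
            findings.append((lineno, f"weak integrity algorithm {m.group(1)}"))
        m = re.match(r"dh (\S+)", line)
        if m and m.group(1) in WEAK_DH:
            findings.append((lineno, f"weak Diffie-Hellman {m.group(1)}"))
        m = re.match(r"pre-shared-key .* key simple (\S+)", line)
        if m:
            findings.append((lineno, "pre-shared key stored in plaintext ('key simple')"))
            if len(m.group(1)) < 16:
                findings.append((lineno, "pre-shared key shorter than 16 characters"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_ipsec_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```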
IPsec over GRE ×××:
Configuration on R3:
[R3]acl advanced 3001
[R3-acl-ipv4-adv-3001]rule permit ip source 192.168.1.1 0 destination 172.16.1.1 0
[R3-acl-ipv4-adv-3001]quit
[R3]int Tunnel 1 mode gre
[R3-Tunnel1]ip add 13.1.1.3 24
[R3-Tunnel1]source 23.1.1.3
[R3-Tunnel1]destination 12.1.1.1
[R3-Tunnel1]quit
[R3]ike proposal 1
[R3-ike-proposal-1]encryption-algorithm 3des-cbc
[R3-ike-proposal-1]authentication-algorithm md5
[R3-ike-proposal-1]authentication-method pre-share (this is the default)
[R3-ike-proposal-1]dh group2
[R3-ike-proposal-1]quit
[R3]ike keychain 1
[R3-ike-keychain-1]pre-shared-key address 13.1.1.1 24 key simple 123
[R3-ike-keychain-1]quit
[R3]ike profile 1
[R3-ike-profile-1]keychain 1
[R3-ike-profile-1]match remote identity address 13.1.1.1 24
[R3-ike-profile-1]proposal 1
[R3-ike-profile-1]quit
[R3]ipsec transform-set 1
[R3-ipsec-transform-set-1]encapsulation-mode tunnel
[R3-ipsec-transform-set-1]protocol esp
[R3-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[R3-ipsec-transform-set-1]esp authentication-algorithm md5
[R3-ipsec-transform-set-1]quit
[R3]ipsec policy H3C 10 isakmp
[R3-ipsec-policy-isakmp-H3C-10]transform-set 1
[R3-ipsec-policy-isakmp-H3C-10]security acl 3001
[R3-ipsec-policy-isakmp-H3C-10]local-address 13.1.1.3
[R3-ipsec-policy-isakmp-H3C-10]remote-address 13.1.1.1
[R3-ipsec-policy-isakmp-H3C-10]ike-profile 1
[R3-ipsec-policy-isakmp-H3C-10]quit
[R3]int Tunnel 1
[R3-Tunnel1]ipsec apply policy H3C
[R3-Tunnel1]quit
[R3]ip route-static 192.168.1.1 32 Tunnel 1
[R3]ip route-static 0.0.0.0 0 23.1.1.2
Verification command:
<R1>dis ipsec sa brief
L2TP: