@handbye
2017-11-23T16:49:01.000000Z
vpn
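Establishing the IPSec SA through IKE negotiation
Configure the IPSec security proposal. Parameters left at their default values do not need to be configured.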
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
Configure the IKE security proposal. Parameters left at their default values do not need to be configured.
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group2
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-10] quit
Configure the IKE peer.
[FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] remote-address 1.1.5.1
[FW_A-ike-peer-b] pre-shared-key Test!1234
[FW_A-ike-peer-b] quit
Configure the IPSec policy.
[FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[FW_A-ipsec-policy-isakmp-map1-10] quit
Establishing the IPSec SA manually
Configure the IPSec security proposal tran1.
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_A-ipsec-proposal-tran1] transform esp
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
Configure the IPSec policy named map1 with sequence number 10.
[FW_A] ipsec policy map1 10 manual
[FW_A-ipsec-policy-manual-map1-10] security acl 3000
[FW_A-ipsec-policy-manual-map1-10] proposal tran1
[FW_A-ipsec-policy-manual-map1-10] tunnel remote 1.1.5.1
[FW_A-ipsec-policy-manual-map1-10] tunnel local 1.1.3.1
[FW_A-ipsec-policy-manual-map1-10] sa spi inbound esp 12345678
[FW_A-ipsec-policy-manual-map1-10] sa spi outbound esp 87654321
[FW_A-ipsec-policy-manual-map1-10] sa string-key inbound esp abcdefg
[FW_A-ipsec-policy-manual-map1-10] sa string-key outbound esp gfedcba
[FW_A-ipsec-policy-manual-map1-10] quit
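
In manual mode there is no IKE exchange to negotiate parameters, so the peer must carry the mirror image of these values: its inbound SPI and key equal this side's outbound ones, and its tunnel local/remote addresses are swapped. The following Python check is an added example, not part of the original post; FW_B's lines are a constructed peer configuration (the page shows only FW_A), and the function names are hypothetical.

```python
import re

# FW_A values are taken from the page; FW_B is a constructed peer config (assumption).
FW_A = """\
tunnel remote 1.1.5.1
tunnel local 1.1.3.1
sa spi inbound esp 12345678
sa spi outbound esp 87654321
sa string-key inbound esp abcdefg
sa string-key outbound esp gfedcba
"""
FW_B = """\
tunnel remote 1.1.3.1
tunnel local 1.1.5.1
sa spi inbound esp 87654321
sa spi outbound esp 12345678
sa string-key inbound esp gfedcba
sa string-key outbound esp abcdefg
"""
PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")  # strips a leading "[FW_A-...]" prompt
MIRROR = {"inbound": "outbound", "outbound": "inbound",
          "local": "remote", "remote": "local"}

def parse_manual_policy(text):
    """Return {(setting, direction): value} for the tunnel/SPI/key lines."""
    params = {}
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if len(words) == 3 and words[0] == "tunnel" and words[1] in MIRROR:
            params[("tunnel", words[1])] = words[2]
        elif len(words) == 5 and words[0] == "sa" and words[3] == "esp" and words[2] in MIRROR:
            params[(words[1], words[2])] = words[4]
    return params

def check_mirrored(side_a, side_b):
    """List settings on side A whose mirrored counterpart on side B differs."""
    a, b = parse_manual_policy(side_a), parse_manual_policy(side_b)
    problems = []
    for (setting, direction), value in sorted(a.items()):
        peer_value = b.get((setting, MIRROR[direction]))
        if peer_value != value:
            # Key material is never echoed into the report.
            shown = "<redacted>" if setting == "string-key" else f"{value!r} vs {peer_value!r}"
            problems.append(f"{setting} {direction}: {shown}")
    return problems

if __name__ == "__main__":
    print(check_mirrored(FW_A, FW_B) or "both ends agree")
```

Lines pasted straight from a device session also work, because the leading prompt in square brackets is stripped before parsing.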