@handbye
2017-11-23T16:49:01.000000Z
字数 1712
阅读 1477
vpn
IKE 协商方式建立ISPEC SA
配置IPSec安全提议。缺省参数可不配置。[FW_A] ipsec proposal tran1[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256[FW_A-ipsec-proposal-tran1] quit配置IKE安全提议。缺省参数可不配置。[FW_A] ike proposal 10[FW_A-ike-proposal-10] authentication-method pre-share[FW_A-ike-proposal-10] prf hmac-sha2-256[FW_A-ike-proposal-10] encryption-algorithm aes-256[FW_A-ike-proposal-10] dh group2[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256[FW_A-ike-proposal-10] quit配置IKE peer。[FW_A] ike peer b[FW_A-ike-peer-b] ike-proposal 10[FW_A-ike-peer-b] remote-address 1.1.5.1[FW_A-ike-peer-b] pre-shared-key Test!1234[FW_A-ike-peer-b] quit配置IPSec策略。[FW_A] ipsec policy map1 10 isakmp[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b[FW_A-ipsec-policy-isakmp-map1-10] quit
手工方式建立IPSEC SA
配置IPSec安全提议tran1。[FW_A] ipsec proposal tran1[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel[FW_A-ipsec-proposal-tran1] transform esp[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256[FW_A-ipsec-proposal-tran1] quit配置名称为map1,序号为10的IPSec策略。[FW_A] ipsec policy map1 10 manual[FW_A-ipsec-policy-manual-map1-10] security acl 3000[FW_A-ipsec-policy-manual-map1-10] proposal tran1[FW_A-ipsec-policy-manual-map1-10] tunnel remote 1.1.5.1[FW_A-ipsec-policy-manual-map1-10] tunnel local 1.1.3.1[FW_A-ipsec-policy-manual-map1-10] sa spi inbound esp 12345678[FW_A-ipsec-policy-manual-map1-10] sa spi outbound esp 87654321[FW_A-ipsec-policy-manual-map1-10] sa string-key inbound esp abcdefg[FW_A-ipsec-policy-manual-map1-10] sa string-key outbound esp gfedcba[FW_A-ipsec-policy-manual-map1-10] quit