IPsec Configuration


Published 4 July 2023 (author not given)

IPsec is a protocol suite used to encrypt data while it is in transit.

1. Set up the lab topology

Topology (diagram not reproduced in this extract)

2. Phase 1: ISAKMP negotiation

The ISAKMP negotiation needs an encryption algorithm, a hash algorithm, an authentication method and a pre-shared key, plus an optional Diffie-Hellman group and SA lifetime.

R1 configuration:

R1(config)#crypto isakmp policy 1                            define the policy
R1(config-isakmp)#encryption 3des                            encryption algorithm: 3DES
R1(config-isakmp)#hash md5                                   hash algorithm: MD5
R1(config-isakmp)#authentication pre-share                   authentication method: pre-shared key
R1(config-isakmp)#group 5                                    Diffie-Hellman group
R1(config-isakmp)#lifetime 120                               SA lifetime
R1(config)#crypto isakmp key 0 ruijie address 172.16.50.2    pre-shared key "ruijie" for the peer

R2 configuration:

R2's ISAKMP policy is identical to R1's.

R2(config)#crypto isakmp key 0 ruijie address 172.16.50.1    pre-shared key "ruijie" for the peer

3. Phase 2: IPsec configuration

R1 configuration: define how IP data is protected (ESP or AH, encryption algorithm, authentication algorithm, transport or tunnel mode) and define the traffic IPsec must protect, the "interesting traffic".

R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac    transform set named IPSEC: encryption esp-3des, authentication esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel                                      tunnel mode
R1(config)#access-list 100 permit ip host 1.1.1.1 host 2.2.2.2        traffic to protect (interesting traffic)

R2 configuration: identical to R1's, with the access list mirrored.

R2(config)#access-list 100 permit ip host 2.2.2.2 host 1.1.1.1        traffic to protect (interesting traffic)

4. Define the crypto map

The crypto map names the peer of the IPsec SA and references the phase-2 transform set and the interesting traffic configured above.

R1 configuration:

R1(config)#crypto map MAP 1 ipsec-isakmp                     define the map
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#set peer 172.16.50.2                   peer IP address
R1(config-crypto-map)#set transform-set IPSEC                reference the phase-2 transform set
R1(config-crypto-map)#match address 100                      match the interesting traffic

R2 configuration: identical to R1's, with the peer address swapped.

R2(config-crypto-map)#set peer 172.16.50.1                   peer IP address

5. Apply the crypto map to the interface

For the protected traffic to leave through the egress interface, a route to the remote host is also needed.

R1 configuration:

R1(config)#ip route 2.2.2.2 255.255.255.255 172.16.50.2
R1(config)#int f0/0
R1(config-if)#crypto map MAP

R2 configuration:

R2(config)#ip route 1.1.1.1 255.255.255.255 172.16.50.1
R2(config)#int f0/0
R2(config-if)#crypto map MAP

6. Verification

Send an extended ping, then check that the ISAKMP SA and the IPsec SA are up:

show crypto isakmp sa
show crypto ipsec sa

R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to g 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/32 ms

R1#show crypto isakmp sa                                     negotiation succeeded
dst             src             state          conn-id slot status
172.16.50.2     172.16.50.1     QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 172.16.50.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 172.16.50.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 172.16.50.1, remote crypto endpt.: 172.16.50.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xEB9A4D72(3952758130)

     inbound esp sas:
      spi: 0xEE99A619(4003046937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4467890/3527)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEB9A4D72(3952758130)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4467890/3526)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
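The verification step above reads two show outputs by eye. The following Python script, added here as an example and not part of the original article, automates that reading: it parses constructed sample output modelled on the article's `show crypto isakmp sa` and `show crypto ipsec sa` (the SPIs, counters and addresses are illustrative, not captured from a device), confirms that phase 1 reached QM_IDLE/ACTIVE, that the IPsec SAs are ACTIVE and carry traffic in both directions, and reports send errors. It also flags the 3DES transform the article uses, since current guidance treats DES/3DES and MD5 HMAC as legacy and prefers AES with SHA-2. The `LEGACY_TRANSFORMS` set and the severity labels are this example's own assumptions.

```python
import re

# Constructed sample output, modelled on the 'show' output in the article above.
# SPIs, counters and addresses are illustrative, not captured from a real device.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id slot status
172.16.50.2     172.16.50.1     QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 172.16.50.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 172.16.50.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #send errors 4, #recv errors 0

     inbound esp sas:
      spi: 0xEE99A619(4003046937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE

     outbound esp sas:
      spi: 0xEB9A4D72(3952758130)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
"""

# Assumed list of transforms treated as legacy: DES/3DES ciphers, MD5 HMAC, null ESP.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_isakmp_sa(text):
    """Return one dict per phase-1 SA row of 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", line)
        if m:  # the header row has no numeric conn-id/slot, so it never matches
            dst, src, state, conn_id, slot, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows


def parse_ipsec_sa(text):
    """Pull packet counters, error counts, transforms and SA status out of 'show crypto ipsec sa'."""
    counters = {name: int(n) for name, n in re.findall(r"#pkts (\w+): (\d+)", text)}
    errors = {name: int(n) for name, n in re.findall(r"#(send|recv) errors (\d+)", text)}
    transforms = set()
    for spec in re.findall(r"transform: ([^,]+),", text):
        transforms.update(spec.split())
    statuses = re.findall(r"Status: (\w+)", text)
    return {"counters": counters, "errors": errors,
            "transforms": transforms, "statuses": statuses}


def check_tunnel(isakmp_text, ipsec_text):
    """Run the checks behind the article's verification step.

    Returns (ok, findings); findings are (severity, message) tuples and ok is
    True when no finding has severity 'error'.
    """
    findings = []
    phase1 = parse_isakmp_sa(isakmp_text)
    if not any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in phase1):
        findings.append(("error", "no ACTIVE QM_IDLE ISAKMP SA: phase 1 did not complete"))

    phase2 = parse_ipsec_sa(ipsec_text)
    c = phase2["counters"]
    if not phase2["statuses"] or any(s != "ACTIVE" for s in phase2["statuses"]):
        findings.append(("error", "IPsec SA is not ACTIVE: phase 2 did not complete"))
    if c.get("encrypt", 0) == 0 or c.get("decrypt", 0) == 0:
        findings.append(("error", "no traffic in at least one direction: check the ACL, "
                                  "the route and that the peer's ACL mirrors ours"))
    send_errors = phase2["errors"].get("send", 0)
    if send_errors:
        findings.append(("warn", f"{send_errors} send errors: packets dropped before the SA "
                                 "existed are expected, a growing count is not"))
    weak = phase2["transforms"] & LEGACY_TRANSFORMS
    if weak:
        findings.append(("warn", f"legacy transform(s) in use: {', '.join(sorted(weak))}; "
                                 "prefer AES with SHA-2 HMAC"))
    ok = not any(sev == "error" for sev, _ in findings)
    return ok, findings


if __name__ == "__main__":
    ok, findings = check_tunnel(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT)
    print("tunnel OK" if ok else "tunnel BROKEN")
    for sev, msg in findings:
        print(f"  [{sev}] {msg}")
```

On the sample the tunnel is reported OK with two warnings: the four send errors (the pings that went out while IKE was still negotiating) and the 3DES transform. To use it on a real router, paste the two show outputs into the string constants or read them from files; the regexes only rely on the field names shown in the article's output.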

Publisher: admin. Please credit the source when reposting: http://www.yc00.com/xiaochengxu/1688421111a135865.html
