Static route on R1 towards R3's public subnet
[R1]ip route-static 222.2.2.0 30 211.1.1.2
Static route on R3 towards R1's public subnet
[R3]ip route-static 211.1.1.0 30 222.2.2.1
R1 configuration
Configure an ACL that identifies the traffic to protect. An advanced (extended) ACL is the usual choice because it can match both the source and the destination network; only packets that hit a permit rule are sent through the tunnel, everything else leaves the interface in clear.
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[R1-acl-ipv4-adv-3000]exit
Configure the IPsec transform set: security protocol, authentication algorithm, encryption algorithm and encapsulation mode. ESP is the default protocol, so leaving out protocol esp here (R3's set below states it explicitly) gives the same result. The lab uses md5 and 3des-cbc only to keep the example short; both are deprecated, and a production policy should use sha256 with aes-cbc-256.
[R1]ipsec transform-set bj
[R1-ipsec-transform-set-bj]esp authentication-algorithm md5
[R1-ipsec-transform-set-bj]esp encryption-algorithm 3des-cbc
[R1-ipsec-transform-set-bj]encapsulation-mode tunnel
[R1-ipsec-transform-set-bj]exit
Configure the IPsec policy: bind the ACL and the transform set, set how the IPsec SA is created (manual here), the peer IP address, and the SPI and key for each direction. The inbound SPI and key on this side must equal the outbound SPI and key on the peer, and vice versa; a mismatch raises no error at configuration time, the peer simply discards the packets. Manually keyed SAs never rekey (the same key protects all traffic until someone changes it), so this is a lab or interoperability setup; use IKE in production.
[R1]ipsec policy bjp 1 manual
[R1-ipsec-policy-manual-bjp-1]security acl 3000
[R1-ipsec-policy-manual-bjp-1]transform-set bj
[R1-ipsec-policy-manual-bjp-1]remote-address 222.2.2.2
[R1-ipsec-policy-manual-bjp-1]sa spi inbound esp 12345
[R1-ipsec-policy-manual-bjp-1]sa spi outbound esp 54321
[R1-ipsec-policy-manual-bjp-1]sa string-key inbound esp simple abcde
[R1-ipsec-policy-manual-bjp-1]sa string-key outbound esp simple edcba
[R1-ipsec-policy-manual-bjp-1]exit
Configure the static route that steers traffic for the remote LAN into the tunnel: the next hop is the peer's public address, which is reachable through the static route configured at the start.
[R1]ip route-static 192.168.2.0 24 222.2.2.2
Apply the IPsec policy to the interface facing the peer
[R1]interface GigabitEthernet 0/1
[R1-GigabitEthernet0/1]ipsec apply policy bjp
R3 configuration: the mirror image of R1. The ACL swaps source and destination, the remote address points back to R1, and the inbound/outbound SPIs and keys are exchanged so that R1's outbound SA is R3's inbound SA.
[R3]acl advanced 3000
[R3-acl-ipv4-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R3-acl-ipv4-adv-3000]exit
[R3]ipsec transform-set sh
[R3-ipsec-transform-set-sh]protocol esp
[R3-ipsec-transform-set-sh]esp authentication-algorithm md5
[R3-ipsec-transform-set-sh]esp encryption-algorithm 3des-cbc
[R3-ipsec-transform-set-sh]encapsulation-mode tunnel
[R3-ipsec-transform-set-sh]exit
[R3]ipsec policy shp 1 manual
[R3-ipsec-policy-manual-shp-1]remote-address 211.1.1.1
[R3-ipsec-policy-manual-shp-1]security acl 3000
[R3-ipsec-policy-manual-shp-1]transform-set sh
[R3-ipsec-policy-manual-shp-1]sa spi inbound esp 54321
[R3-ipsec-policy-manual-shp-1]sa spi outbound esp 12345
[R3-ipsec-policy-manual-shp-1]sa string-key inbound esp simple edcba
[R3-ipsec-policy-manual-shp-1]sa string-key outbound esp simple abcde
[R3-ipsec-policy-manual-shp-1]exit
[R3]ip route-static 192.168.1.0 24 211.1.1.1
[R3]interface GigabitEthernet 0/0
[R3-GigabitEthernet0/0]ipsec apply policy shp
Test: ping between the two LANs and check the results. The ping must match ACL 3000, so source it from a host in 192.168.1.0/24 towards 192.168.2.0/24; a ping between the routers' public addresses 211.1.1.1 and 222.2.2.2 is not protected and proves nothing about the tunnel.
View the IKE proposal: display ike proposal (with manually created IPsec SAs there is no IKE proposal)
View the IKE SA: display ike sa (with manually created IPsec SAs there is no IKE SA)
View the IPsec transform set: display ipsec transform-set
View the IPsec policy: display ipsec policy
View the IPsec SA: display ipsec sa, or display ipsec sa brief for a one-line-per-SA summary
View the packet counters: display ipsec statistics (the encrypted and decrypted counters should rise with each ping; if they stay at zero the traffic is not matching the ACL)
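The single most common failure with manual SAs is a typo that breaks the mirror relationship between the two routers, and the CLI does not catch it. The script below is an added example written for this page, not part of the original lab and not an H3C tool: it parses the R1 and R3 command lines above (embedded as constructed input), checks that each side's inbound SPI and key equal the other side's outbound SPI and key, that the ACLs are mirror images and the algorithms agree, and flags the deprecated md5/3des-cbc choice. The hardened() helper rewrites the lab policy with sha256 and aes-cbc-256; the "weak" algorithm lists are this example's assumption, not something the page defines.

```python
import re

# Constructed input: the R1 and R3 command lines from this page, prose removed.
R1_CONFIG = """
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[R1]ipsec transform-set bj
[R1-ipsec-transform-set-bj]esp authentication-algorithm md5
[R1-ipsec-transform-set-bj]esp encryption-algorithm 3des-cbc
[R1-ipsec-transform-set-bj]encapsulation-mode tunnel
[R1]ipsec policy bjp 1 manual
[R1-ipsec-policy-manual-bjp-1]security acl 3000
[R1-ipsec-policy-manual-bjp-1]transform-set bj
[R1-ipsec-policy-manual-bjp-1]remote-address 222.2.2.2
[R1-ipsec-policy-manual-bjp-1]sa spi inbound esp 12345
[R1-ipsec-policy-manual-bjp-1]sa spi outbound esp 54321
[R1-ipsec-policy-manual-bjp-1]sa string-key inbound esp simple abcde
[R1-ipsec-policy-manual-bjp-1]sa string-key outbound esp simple edcba
"""

R3_CONFIG = """
[R3]acl advanced 3000
[R3-acl-ipv4-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R3]ipsec transform-set sh
[R3-ipsec-transform-set-sh]protocol esp
[R3-ipsec-transform-set-sh]esp authentication-algorithm md5
[R3-ipsec-transform-set-sh]esp encryption-algorithm 3des-cbc
[R3-ipsec-transform-set-sh]encapsulation-mode tunnel
[R3]ipsec policy shp 1 manual
[R3-ipsec-policy-manual-shp-1]remote-address 211.1.1.1
[R3-ipsec-policy-manual-shp-1]security acl 3000
[R3-ipsec-policy-manual-shp-1]transform-set sh
[R3-ipsec-policy-manual-shp-1]sa spi inbound esp 54321
[R3-ipsec-policy-manual-shp-1]sa spi outbound esp 12345
[R3-ipsec-policy-manual-shp-1]sa string-key inbound esp simple edcba
[R3-ipsec-policy-manual-shp-1]sa string-key outbound esp simple abcde
"""

# Assumed "do not use in production" lists for this example.
WEAK_AUTH = {"md5", "sha1"}
WEAK_ENC = {"des-cbc", "3des-cbc", "null"}

PROMPT = re.compile(r"^\[[^\]]*\]")  # strips the "[R1-ipsec-policy-manual-bjp-1]" prefix


def parse_manual_policy(config):
    """Pull the fields that must agree between peers out of one router's config."""
    p = {"acl": [], "spi": {}, "key": {}, "auth": None, "enc": None, "remote": None}
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", line):
            p["acl"].append(m.groups())  # (src_net, src_wildcard, dst_net, dst_wildcard)
        elif m := re.match(r"esp authentication-algorithm (\S+)", line):
            p["auth"] = m.group(1)
        elif m := re.match(r"esp encryption-algorithm (\S+)", line):
            p["enc"] = m.group(1)
        elif m := re.match(r"remote-address (\S+)", line):
            p["remote"] = m.group(1)
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)", line):
            p["spi"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"sa string-key (inbound|outbound) esp simple (\S+)", line):
            p["key"][m.group(1)] = m.group(2)
    return p


def check_peers(a, b):
    """Return findings for a pair of manual policies; an empty list means they agree."""
    findings = []
    # Manual SAs: my inbound SPI/key must be the peer's outbound SPI/key, and vice versa.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a["spi"].get(mine) != b["spi"].get(theirs):
            findings.append(f"SPI mismatch: A {mine} {a['spi'].get(mine)} vs B {theirs} {b['spi'].get(theirs)}")
        if a["key"].get(mine) != b["key"].get(theirs):
            findings.append(f"key mismatch: A {mine} key differs from B {theirs} key")
    # The protected flows must be mirror images, or one side drops the other's traffic.
    mirrored = {(dn, dw, sn, sw) for (sn, sw, dn, dw) in b["acl"]}
    if set(a["acl"]) != mirrored:
        findings.append("ACL rules are not mirror images")
    for field in ("auth", "enc"):
        if a[field] != b[field]:
            findings.append(f"{field} algorithm differs: {a[field]} vs {b[field]}")
    for side, p in (("A", a), ("B", b)):
        if p["auth"] in WEAK_AUTH:
            findings.append(f"{side}: weak authentication algorithm {p['auth']}")
        if p["enc"] in WEAK_ENC:
            findings.append(f"{side}: weak encryption algorithm {p['enc']}")
    return findings


def hardened(config):
    """Same policy with the lab's deprecated algorithms replaced by sha256 and aes-cbc-256."""
    return (config.replace("authentication-algorithm md5", "authentication-algorithm sha256")
                  .replace("encryption-algorithm 3des-cbc", "encryption-algorithm aes-cbc-256"))


if __name__ == "__main__":
    for f in check_peers(parse_manual_policy(R1_CONFIG), parse_manual_policy(R3_CONFIG)):
        print("page config:", f)
    hard = check_peers(parse_manual_policy(hardened(R1_CONFIG)), parse_manual_policy(hardened(R3_CONFIG)))
    print("hardened:", hard or "no findings")
```

Run against the page's own configuration the only findings are the four weak-algorithm warnings, which confirms the SPIs, keys and ACLs really are mirror images; change a single SPI digit on R3 and the script reports the direction that no longer matches, which is exactly the case the routers would silently drop.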