With IKEv2, a proposal can only be referenced from an ikev2 policy,
but there is nowhere to reference an ikev2 policy individually, so all the other sites end up using the same ikev2 policy To-BJ-ikev2-policy below.
There is no way to give each site its own proposal with different encryption parameters.
IKE phase
** Configure the pre-shared key
[SH-FW]ikev2 keychain To_BJ_ikev2_keychain
[SH-FW-ikev2-keychain-To_BJ_ikev2_keychain]peer peer-BJ
[SH-FW-ikev2-keychain-To_BJ_ikev2_keychain-peer-peer-BJ]address 192.168.11.20
[SH-FW-ikev2-keychain-To_BJ_ikev2_keychain-peer-peer-BJ]identity address 192.168.11.20
[SH-FW-ikev2-keychain-To_BJ_ikev2_keychain-peer-peer-BJ]pre-shared-key plaintext ***.***
[SH-FW-ikev2-keychain-To_BJ_ikev2_keychain-peer-peer-BJ]quit
[SH-FW-ikev2-keychain-To_BJ_ikev2_keychain]quit
** Create the IKE proposal and set the encryption/integrity algorithms
[SH-FW]ikev2 proposal 1
[SH-FW-ikev2-proposal-1]encryption 3des-cbc
[SH-FW-ikev2-proposal-1]integrity md5
[SH-FW-ikev2-proposal-1]prf sha1
[SH-FW-ikev2-proposal-1]dh group2
[SH-FW-ikev2-proposal-1]quit
[SH-FW]ikev2 policy To-BJ-ikev2-policy
[SH-FW-ikev2-policy-To-BJ-ikev2-policy]match vrf any
[SH-FW-ikev2-policy-To-BJ-ikev2-policy]proposal 1
[SH-FW-ikev2-policy-To-BJ-ikev2-policy]match local address 192.168.11.10
[SH-FW-ikev2-policy-To-BJ-ikev2-policy]quit
[SH-FW]ikev2 profile To-BJ-ikev2-profile
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]authentication-method local pre-share
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]authentication-method remote pre-share
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]keychain To_BJ_ikev2_keychain
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]identity local address 192.168.11.10
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]match remote identity address 192.168.11.20
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]match local address GigabitEthernet 1/0/0
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]sa duration 86400
[SH-FW-ikev2-profile-To-BJ-ikev2-profile]quit
IPsec phase:
** Configure the transform set (encryption/integrity)
[SH-FW]ipsec transform-set To-BJ-ipsec-transform-set
[SH-FW-ipsec-transform-set-To-BJ-ipsec-transform-set]protocol esp
[SH-FW-ipsec-transform-set-To-BJ-ipsec-transform-set]encapsulation-mode tunnel
[SH-FW-ipsec-transform-set-To-BJ-ipsec-transform-set]esp encryption-algorithm 3des-cbc
[SH-FW-ipsec-transform-set-To-BJ-ipsec-transform-set]esp authentication-algorithm md5
[SH-FW-ipsec-transform-set-To-BJ-ipsec-transform-set]pfs dh-group2
[SH-FW]ipsec policy To-ipsec-policy 1 isakmp
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]transform-set To-BJ-ipsec-transform-set
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]security acl name ipsec-lan-to-lan-bj
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]local-address 192.168.11.10
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]remote-address 192.168.11.20
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]ikev2-profile To-BJ-ikev2-profile
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]sa trigger-mode auto
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]sa duration time-based 3600
[SH-FW-ipsec-policy-isakmp-To-ipsec-policy-1]quit
Apply the policy and NAT on the interface
[SH-FW]interface GigabitEthernet 1/0/0
[SH-FW-GigabitEthernet1/0/0]nat outbound name nat-ip-list address-group 1
[SH-FW-GigabitEthernet1/0/0]ipsec apply policy To-ipsec-policy
In this configuration, if I create a new proposal with different encryption parameters, how do I reference it? The two sites should each use a different proposal.
If not, then what?
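Added example, not part of the original post and not taken from a device: it shows the one way the Comware IKEv2 model can bind a second, different proposal set, namely a second ikev2 policy that the device selects by the local address (or VRF) of the negotiation rather than by the peer. It assumes the second site terminates on a separate local address 192.168.12.10 on GigabitEthernet 1/0/1; that address, the policy/transform-set names and the peer are constructed values, and the stronger algorithms shown are the practitioner's replacement for 3des-cbc/md5/group2, not something the original configuration uses.

```text
# Assumption: policy selection is by local address/VRF, so a second proposal
# needs its own ikev2 policy keyed on a second local address (constructed).
[SH-FW]ikev2 proposal 2
[SH-FW-ikev2-proposal-2]encryption aes-cbc-256
[SH-FW-ikev2-proposal-2]integrity sha256
[SH-FW-ikev2-proposal-2]prf sha256
[SH-FW-ikev2-proposal-2]dh group14
[SH-FW-ikev2-proposal-2]quit
# Second policy: only negotiations using local address 192.168.12.10 match it
[SH-FW]ikev2 policy To-SZ-ikev2-policy
[SH-FW-ikev2-policy-To-SZ-ikev2-policy]match vrf any
[SH-FW-ikev2-policy-To-SZ-ikev2-policy]match local address 192.168.12.10
[SH-FW-ikev2-policy-To-SZ-ikev2-policy]proposal 2
[SH-FW-ikev2-policy-To-SZ-ikev2-policy]quit
# Matching transform set so phase 2 is not weaker than phase 1
[SH-FW]ipsec transform-set To-SZ-ipsec-transform-set
[SH-FW-ipsec-transform-set-To-SZ-ipsec-transform-set]protocol esp
[SH-FW-ipsec-transform-set-To-SZ-ipsec-transform-set]encapsulation-mode tunnel
[SH-FW-ipsec-transform-set-To-SZ-ipsec-transform-set]esp encryption-algorithm aes-cbc-256
[SH-FW-ipsec-transform-set-To-SZ-ipsec-transform-set]esp authentication-algorithm sha256
[SH-FW-ipsec-transform-set-To-SZ-ipsec-transform-set]pfs dh-group14
[SH-FW-ipsec-transform-set-To-SZ-ipsec-transform-set]quit
# Verify which proposal each IKEv2 SA actually negotiated
[SH-FW]display ikev2 sa verbose
```

The second site still needs its own ikev2 keychain, ikev2 profile and ipsec policy bound to 192.168.12.10, following the same pattern as the To-BJ objects above.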