IPsec VPN: IKEv1 main mode / aggressive mode and IKEv2 configuration

Published 2024-08-28

Network topology and description

Point-to-point

Configuration steps

IKEv1 main mode:

1. ACL
acl number 3000
 rule 15 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
2. IKE security proposal
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
3. IPsec security proposal
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
4. IKE keychain
ike keychain key1
 pre-shared-key address 2.2.2.2 255.255.255.0 key simple h3c
5. IKE profile
ike profile pro1
 keychain key1
 local-identity address 1.1.1.1
 match remote identity address 2.2.2.2 255.255.255.0
 proposal 1
6. IPsec policy
ipsec policy map1 10 isakmp
 transform-set tran1
 security acl 3000
 local-address 1.1.1.1
 remote-address 2.2.2.2
 ike-profile pro1
7. Apply on the interface
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.0
 ipsec apply policy map1

 

IKEv1 aggressive mode:

1. ACL
2. IKE proposal
3. IKE identity information:
[FW1]ike identity fqdn fwa
4. IKE keychain
5. IKE profile
ike profile pro1
 keychain key1
 exchange-mode aggressive
 local-identity fqdn fwa
 match remote identity fqdn fwb
 proposal 1
6. IPsec transform-set
7. IPsec policy
8. Apply on the interface

 

IKEv2:

1. ACL
2. IKE proposal
3. IKEv2 keychain
ikev2 keychain key2
 peer p1
  address 2.2.2.254 255.255.255.0
  identity address 2.2.2.254
  pre-shared-key plaintext h3c
4. IKEv2 profile
ikev2 profile pro2
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain key2
 match remote identity address 2.2.2.254 255.255.255.0
5. IPsec transform-set
6. IPsec policy
7. Apply on the interface

Key configuration points

Just note the differences.
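
Added example (not from the original page or from H3C): a small Python check that reads configuration in the style used above and reports the settings a reviewer would want to revisit before deployment: legacy integrity algorithms, a short pre-shared key, and an IKEv1 profile that combines aggressive mode with a pre-shared key. The names audit, SAMPLE and MIN_PSK_LEN, and the 20-character threshold, are assumptions made for this example.

```python
import re

# Section-opening commands seen in this page's configuration.
SECTION = re.compile(r"^(acl|interface|ike proposal|ike keychain|ike profile|"
                     r"ikev2 keychain|ikev2 profile|ipsec transform-set|ipsec policy) ")
# "sha" is also matched in case a platform spells SHA-1 that way (assumption).
LEGACY_HASH = re.compile(r"authentication-algorithm (md5|sha1|sha)\b")
PSK = re.compile(r"pre-shared-key .*?\b(?:simple|plaintext) (\S+)$")
MIN_PSK_LEN = 20  # assumption: local policy threshold, not an H3C default

# Constructed sample: this page's IKEv1 settings with the aggressive-mode profile.
SAMPLE = """\
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
ike keychain key1
 pre-shared-key address 2.2.2.2 255.255.255.0 key simple h3c
ike profile pro1
 keychain key1
 exchange-mode aggressive
 local-identity fqdn fwa
 match remote identity fqdn fwb
 proposal 1
"""

def audit(config):
    """Return sorted (section, finding) pairs for settings worth hardening."""
    findings, section, profiles = set(), None, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if SECTION.match(line):
            section = line
        elif line and section:
            m = LEGACY_HASH.search(line)
            if m:
                findings.add((section, f"legacy integrity algorithm {m.group(1)}"))
            m = PSK.search(line)
            if m and len(m.group(1)) < MIN_PSK_LEN:
                findings.add((section, "pre-shared key shorter than policy minimum"))
            if section.startswith("ike profile "):
                profiles.setdefault(section, set()).add(line)
    for name, lines in profiles.items():
        # Aggressive mode sends a PSK-derived hash before the peer is authenticated.
        if "exchange-mode aggressive" in lines and any(l.startswith("keychain ") for l in lines):
            findings.add((name, "aggressive mode combined with a pre-shared key"))
    return sorted(findings)

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```

The check never prints the key itself, only the section in which a short key was found.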