(1) Configure the IKE (ISAKMP) policy on R1:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit

Note: this defines ISAKMP policy 1 with 3DES encryption, SHA as the hash algorithm, pre-shared keys (PSK) for authentication, and Diffie-Hellman group 2 for the key exchange.

(2) Configure the wildcard authentication method on R1:

R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
R1(conf-keyring)#exit
R1(config)#crypto isakmp profile ppp
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring abc
R1(conf-isa-prof)#match identity address 0.0.0.0
R1(conf-isa-prof)#exit

Note: this configures an ISAKMP profile named ppp that uses keyring abc, in which the pre-shared key for any peer IP address is cisco123.

(3) Configure the IPsec transform set on R1:

R1(config)#crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit

Note: this defines a transform set named ccie: the data is encapsulated in ESP with 3DES encryption, and ESP with SHA-HMAC is used for the integrity check. The default IPsec mode is tunnel.

(4) Define the dynamic crypto map on R1:

R1(config)#crypto dynamic-map dymap 5
R1(config-crypto-map)#set transform-set ccie
R1(config-crypto-map)#set isakmp-profile ppp
R1(config-crypto-map)#exit

Note: this defines a dynamic map named dymap that references the ISAKMP profile ppp and the transform set ccie.

(5) Create the crypto map on R1:

R1(config)#crypto map mymap 10 ipsec-isakmp dynamic dymap

Note: this defines a crypto map named mymap. Unlike a regular crypto map, this one only needs to reference the dynamic crypto map defined earlier, and the configuration ends here. As you can see, the hub side does not need to define the interesting traffic.

(6) Apply the crypto map to the interface on R1:

R1(config)#int f0/0
R1(config-if)#crypto map mymap
R1(config-if)#
*Mar 1 00:42:19.807: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit

Note: this applies the crypto map to the outbound interface F0/0.

Router-to-ASA dynamic LAN-to-LAN VPN configuration:

ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)#
ciscoasa(config)# crypto ipsec transform-set ccie esp-3des esp-sha-hmac
ciscoasa(config)# crypto dynamic-map dymap 1 set transform-set ccie
ciscoasa(config)# crypto dynamic-map dymap 1 set reverse-route
ciscoasa(config)# crypto map mymap 10 ipsec-isakmp dynamic dymap
ciscoasa(config)# crypto map mymap interface outside
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
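As an added example (not part of the original tutorial), the following Python script parses the hub configuration built in the steps above, with the CLI prompts stripped, and flags the settings a reviewer would question: the wildcard pre-shared key, the any-address identity match, the legacy IKE and ESP algorithms, and the dynamic crypto map that accepts any peer. The config lines are the page's own; the finding texts and the audit logic are my own and are not a Cisco tool.

```python
"""Audit a Cisco IOS/ASA IPsec hub configuration for risky settings (added example)."""
import re

# Constructed sample: the R1 hub configuration from the steps above, prompts stripped.
HUB_CONFIG = """
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto keyring abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile ppp
 keyring abc
 match identity address 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto dynamic-map dymap 5
 set transform-set ccie
 set isakmp-profile ppp
crypto map mymap 10 ipsec-isakmp dynamic dymap
"""

# Algorithms that current guidance treats as legacy: IKE policy lines and ESP transforms.
LEGACY_IKE = {"encryption des": "DES", "encryption 3des": "3DES", "hash md5": "MD5",
              "hash sha": "SHA-1", "group 1": "DH group 1", "group 2": "DH group 2"}
LEGACY_ESP = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1"}
# Any-peer patterns: IOS keyring wildcard, IOS profile wildcard, ASA wildcard key.
WILDCARD = [
    (r"^pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", "wildcard pre-shared key: one secret for every peer address"),
    (r"^match identity address 0\.0\.0\.0( 0\.0\.0\.0)?$", "ISAKMP profile matches any peer identity"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", "wildcard pre-shared key: one secret for every peer address"),
]

def audit(config):
    """Return (line, finding) pairs for flagged lines; an empty list means nothing was flagged."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, msg in WILDCARD:
            if re.search(pattern, line):
                findings.append((line, msg))
        if line in LEGACY_IKE:
            findings.append((line, f"legacy IKE setting: {LEGACY_IKE[line]}"))
        if line.startswith("crypto ipsec transform-set"):
            for tok in line.split()[3:]:  # skip 'crypto ipsec transform-set <name>'
                if tok in LEGACY_ESP:
                    findings.append((line, f"legacy ESP transform: {LEGACY_ESP[tok]}"))
        if line.startswith("crypto map ") and " dynamic " in line:
            findings.append((line, "dynamic crypto map: hub accepts any peer that passes the ISAKMP profile and has no interesting-traffic ACL of its own"))
    return findings

if __name__ == "__main__":
    for line, msg in audit(HUB_CONFIG):
        print(f"{line!r}: {msg}")
```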