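Cisco Router IKEv2 L2L VPN: Minimal Configuration with Pre-Shared Key Authentication
1. Overview:
Cisco routers ship with many preconfigured defaults for IKEv2, so an IKEv2 setup can be completed with very little configuration.
2. Basic approach:
A. Both sides configure FlexVPN using SVTI.
B. No dynamic routing is used; static routes are configured instead. If one side uses DVTI, static routes must be configured on both sides.
3. Test topology:
4. FlexVPN configuration: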
A. R2:
crypto ikev2 keyring KeyRing
 peer 202.100.2.1
  address 202.100.2.1
  pre-shared-key cisco
crypto ikev2 profile default
 match identity remote address 202.100.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.2.1
 tunnel protection ipsec profile default
ip route 192.168.1.0 255.255.255.0 Tunnel0
B. R4:
crypto ikev2 keyring KeyRing
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key cisco
crypto ikev2 profile default
 match identity remote address 202.100.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
interface Tunnel0
 ip address 10.1.1.4 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile default
ip route 172.16.1.0 255.255.255.0 Tunnel0
5. FlexVPN preconfigured defaults:
The test used the c7200-adventerprisek9-mz.152-4.S IOS image. The output below shows that FlexVPN defaults are present out of the box:
R1#show running-config all | sec cry
no service password-encryption
crypto pki crl cache size 64
crypto engine software ipsec
crypto ikev2 authorization policy default
 route set interface
 route accept any
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 policy default
 match fvrf any
 proposal default
crypto ikev2 nat keepalive 0
crypto ikev2 diagnose error 50
crypto ikev2 dpd 0 0 periodic
crypto ikev2 limit max-in-negotation-sa 40
crypto ikev2 limit max-sa 0
crypto ikev2 window 5
crypto ikev2 fragmentation mtu 576
crypto isakmp aggressive-mode disable
crypto ipsec optional retry 300
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 64
crypto ipsec transform-set default esp-aes esp-sha-hmac
 mode transport
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile default
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 no set security-association idle-time
 no set security-association replay window-size
crypto call admission limit ike sa 0
crypto call admission limit ike in-negotiation-sa 1000
crypto call admission limit ipsec sa 0
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
R1#
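The default proposal in the output above still offers sha1, md5 and DH groups 5 and 2, so a minimal configuration inherits them. As an added example (not part of the original post), the Python below parses `crypto ikev2 proposal` blocks from `show running-config all` output and lists such algorithms; the weak-algorithm sets and function names are assumptions made for this example, and the sample text is constructed from the output above.

```python
import re

# Assumed policy (not from the page): values treated as weak for IKEv2.
WEAK = {
    "integrity": {"md5", "sha1"},
    "group": {"1", "2", "5"},
    "encryption": {"des", "3des"},
}

# Constructed sample: lines taken from the show output above.
SAMPLE = """\
crypto ikev2 authorization policy default
 route set interface
 route accept any
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 policy default
 match fvrf any
 proposal default
"""

def parse_proposals(text):
    """Return {proposal_name: {keyword: [values]}} from IOS config text."""
    proposals, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # works for indented and flattened output
        m = re.fullmatch(r"crypto ikev2 proposal (\S+)", line)
        if m:
            current = proposals.setdefault(m.group(1), {})
        elif current is not None and line.split(" ", 1)[0] in WEAK:
            key, _, values = line.partition(" ")
            current[key] = values.split()
        else:
            current = None  # any other line closes the proposal block
    return proposals

def audit(text):
    """Return sorted (proposal, keyword, value) tuples for weak algorithms."""
    findings = []
    for name, settings in parse_proposals(text).items():
        for key, values in settings.items():
            findings += [(name, key, v) for v in values if v in WEAK[key]]
    return sorted(findings)

if __name__ == "__main__":
    for name, key, value in audit(SAMPLE):
        print(f"proposal {name}: weak {key} '{value}'")
```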