IOS configuration
```
crypto ikev2 proposal IKE_PROP
 encryption 3des aes-cbc-256
 integrity sha256 sha512
 group 2 5 14
 ! prf: encrypts the random numbers to obtain a new "random value"
 prf sha256 sha

crypto ikev2 policy IKE_PROL
 proposal IKE_PROP

crypto ikev2 keyring IKE_KEY
 peer PEER_B
  address 23.1.1.3
  pre-shared-key IPSECKEY

crypto ikev2 profile IKE_PROF
 match identity remote address 23.1.1.3 255.255.255.255
 identity local address 12.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local IKE_KEY

crypto ipsec transform-set TRANS1 esp-des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TRANS2 esp-3des esp-sha256-hmac
 mode tunnel

ip access-list extended VPN
 permit ip 14.1.1.0 0.0.0.255 35.1.1.0 0.0.0.255

crypto map IKE_MAP 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set TRANS1 TRANS2
 set ikev2-profile IKE_PROF
 match address VPN

interface e0/0
 crypto map IKE_MAP
```
ASA configuration
```
crypto ikev2 enable outside

crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha512 sha256
 group 5 2 1
 prf sha256 sha
 lifetime seconds 86400

tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key IPSECKEY
 ikev2 local-authentication pre-shared-key IPSECKEY

crypto ipsec ikev2 ipsec-proposal TRANS
 protocol esp encryption aes-192 des
 protocol esp integrity sha-1 md5

access-list VPN extended permit ip 35.1.1.0 255.255.255.0 14.1.1.0 255.255.255.0

crypto map IKE_VPN 10 match address VPN
crypto map IKE_VPN 10 set peer 12.1.1.1
crypto map IKE_VPN 10 set ikev2 ipsec-proposal TRANS
crypto map IKE_VPN interface outside
```
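The following is an added example, not part of the original page: a short Python check that intersects the IKE and ESP proposals from the IOS and ASA configurations above to show which algorithms the two peers actually have in common. The normalized algorithm names and the `WEAK` set are assumptions of this example.

```python
# Added example: which algorithms can the IOS and ASA peers above agree on?
# Names are normalized by hand from the two configs (assumption:
# IOS "aes-cbc-256" == ASA "aes-256", and "sha" / "sha-1" both mean SHA-1).

# Treated as weak for this example (an assumption of the example, not the page).
WEAK = {"des", "3des", "md5", "sha1", "dh1", "dh2", "dh5"}

# IKE SA proposals: each attribute lists alternatives, any of which may be chosen.
IOS_IKE = {"enc": {"3des", "aes256"}, "integ": {"sha256", "sha512"},
           "group": {"dh2", "dh5", "dh14"}, "prf": {"sha256", "sha1"}}
ASA_IKE = {"enc": {"aes256", "3des"}, "integ": {"sha512", "sha256"},
           "group": {"dh5", "dh2", "dh1"}, "prf": {"sha256", "sha1"}}

# IOS transform-sets are fixed (encryption, integrity) pairs.
IOS_ESP = {"TRANS1": ("des", "md5"), "TRANS2": ("3des", "sha256")}
# The ASA ipsec-proposal lists alternatives per attribute.
ASA_ESP = {"enc": {"aes192", "des"}, "integ": {"sha1", "md5"}}


def common_ike(a, b):
    """Per-attribute intersection of two IKE proposals."""
    return {k: a[k] & b[k] for k in a}


def common_esp(transform_sets, proposal):
    """Names of IOS transform-sets that the ASA proposal can accept."""
    return [name for name, (enc, integ) in transform_sets.items()
            if enc in proposal["enc"] and integ in proposal["integ"]]


def weak_only(algs):
    """True if there are candidates and every one of them is in WEAK."""
    return bool(algs) and algs <= WEAK


if __name__ == "__main__":
    for attr, algs in common_ike(IOS_IKE, ASA_IKE).items():
        flag = "  <- only weak options" if weak_only(algs) else ""
        print(f"IKE {attr}: {sorted(algs)}{flag}")
    for name in common_esp(IOS_ESP, ASA_ESP):
        enc, integ = IOS_ESP[name]
        note = "(weak)" if {enc, integ} <= WEAK else ""
        print(f"ESP match: {name} = {enc}/{integ} {note}")
```

With these two configurations the only ESP combination both sides accept is TRANS1 (DES with MD5), and the only common Diffie-Hellman groups are 2 and 5, so the stronger entries on either side are never usable until the peer lists them too.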