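Six steps in total
Automatic negotiation (ISAKMP)
1. IKE proposal
2. IKE peer
3. Define the traffic to protect
4. Define the IPsec proposal
5. IPsec policy
6. Apply the policy to the interface
First build the topology, then configure the IP addresses.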
[AR6]interface GigabitEthernet0/0/0
[AR6-GigabitEthernet0/0/0]ip add 100.1.1.1 30
[AR6-GigabitEthernet0/0/0]int GigabitEthernet0/0/1
[AR6-GigabitEthernet0/0/1]ip address 192.168.10.254 24
May 22 2022 10:44:59-08:00 AR6 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[AR7]interface GigabitEthernet0/0/0
[AR7-GigabitEthernet0/0/0]ip address 200.1.1.1 30
[AR7-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[AR7-GigabitEthernet0/0/1]ip address 192.168.20.254 24
May 22 2022 10:46:02-08:00 AR7 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[AR5]interface GigabitEthernet0/0/0
[AR5-GigabitEthernet0/0/0]ip address 100.1.1.2 30
[AR5-GigabitEthernet0/0/0]interface g0/0/1
[AR5-GigabitEthernet0/0/1]ip address 200.1.1.2 30
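Start configuring IKE (with ISAKMP, one end acts as the controlling end and the other end only needs to be set up as its peer)
[AR6]acl 3000  (define the traffic to protect)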
[AR6-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR6]ipsec proposal sh
[AR6-ipsec-proposal-sh]transform esp
[AR6-ipsec-proposal-sh]esp authentication-algorithm md5
[AR6-ipsec-proposal-sh]esp encryption-algorithm 3des
[AR6]ike proposal 10
[AR6-ike-proposal-10]authentication-algorithm md5
[AR6-ike-proposal-10]encryption-algorithm 3des-cbc
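[AR6-ike-proposal-10]dh group1  (the larger the group number, the higher the security)
[AR6]ike peer 2 v1  (IKE comes in two versions)
[AR6-ike-peer-2]pre-shared-key cipher 123456  (the pre-shared key; both peers use the same one)
[AR6-ike-peer-2]ike-proposal 10  (apply the IKE proposal configured above)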
[AR6-ike-peer-2]local-address 100.1.1.1
[AR6-ike-peer-2]remote-address 200.1.1.1
[AR6]ipsec policy shanghai 10 isakmp
[AR6-ipsec-policy-isakmp-shanghai-10]security acl 3000
[AR6-ipsec-policy-isakmp-shanghai-10]ike-peer 2
[AR6-ipsec-policy-isakmp-shanghai-10]proposal sh
[AR6]ip route-static 0.0.0.0 0 100.1.1.2  (a default route out is required)
[AR6]int GigabitEthernet0/0/0
[AR6-GigabitEthernet0/0/0]ipsec policy shanghai
Configure the peer end
[AR7]acl 3000
[AR7-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR7]ipsec proposal bj
[AR7-ipsec-proposal-bj]transform esp
[AR7-ipsec-proposal-bj]esp authentication-algorithm md5
[AR7-ipsec-proposal-bj]esp encryption-algorithm 3des
[AR7]ike proposal 10
[AR7-ike-proposal-10]authentication-algorithm md5
[AR7-ike-proposal-10]authentication-method pre-share
[AR7-ike-proposal-10]encryption-algorithm 3des-cbc
[AR7]ike peer 1 v1
[AR7-ike-peer-1]pre-shared-key cipher 123456
[AR7-ike-peer-1]ike-proposal 10
[AR7-ike-peer-1]local-address 200.1.1.1
[AR7-ike-peer-1]remote-address 100.1.1.1
[AR7]ipsec policy beijin 10 isakmp
[AR7-ipsec-policy-isakmp-beijin-10]security acl 3000
[AR7-ipsec-policy-isakmp-beijin-10]proposal bj
[AR7-ipsec-policy-isakmp-beijin-10]ike-peer 1
[AR7]int GigabitEthernet0/0/0
[AR7-GigabitEthernet0/0/0]ipsec policy beijin  (remember to apply it)
[AR7]ip route-static 0.0.0.0 0 200.1.1.2  (add a default route)
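An added example, not part of the original notes: a small Python check that reads a session like the one above and reports the legacy settings it uses (MD5, 3DES, DH group 1, a six-digit pre-shared key) and whether the two tunnel ends mirror each other (ACLs and peer addresses). The audit function, the WEAK table and the 16-character key threshold are assumptions made for this example, not Huawei tooling.

```python
import re
# Constructed sample: the AR6/AR7 commands from this page, annotations removed.
SESSION = """\
[AR6-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR6-ipsec-proposal-sh]esp authentication-algorithm md5
[AR6-ipsec-proposal-sh]esp encryption-algorithm 3des
[AR6-ike-proposal-10]authentication-algorithm md5
[AR6-ike-proposal-10]encryption-algorithm 3des-cbc
[AR6-ike-proposal-10]dh group1
[AR6-ike-peer-2]pre-shared-key cipher 123456
[AR6-ike-peer-2]local-address 100.1.1.1
[AR6-ike-peer-2]remote-address 200.1.1.1
[AR7-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR7-ipsec-proposal-bj]esp authentication-algorithm md5
[AR7-ipsec-proposal-bj]esp encryption-algorithm 3des
[AR7-ike-proposal-10]authentication-algorithm md5
[AR7-ike-proposal-10]encryption-algorithm 3des-cbc
[AR7-ike-peer-1]pre-shared-key cipher 123456
[AR7-ike-peer-1]local-address 200.1.1.1
[AR7-ike-peer-1]remote-address 100.1.1.1
"""
WEAK = {"md5": "MD5", "3des": "3DES", "3des-cbc": "3DES", "group1": "768-bit DH group 1"}
MIN_PSK_LEN = 16  # assumed policy threshold, not a Huawei default
LINE = re.compile(r"^\[(\w+)(?:-[^\]]*)?\](\S.*)$", re.M)  # [router-view]command

def audit(session):
    """Return (router, finding) pairs: weak crypto and tunnel-end mismatches."""
    findings, ends = [], {}
    for m in LINE.finditer(session):
        name, c = m.group(1), m.group(2).split()
        end = ends.setdefault(name, {})
        if c[-1] in WEAK and ("algorithm" in c[-2] or c[0] == "dh"):
            findings.append((name, "weak: " + WEAK[c[-1]]))
        if c[0] == "pre-shared-key" and len(c[-1]) < MIN_PSK_LEN:
            findings.append((name, "weak: short pre-shared key"))
        if c[0] in ("local-address", "remote-address"):
            end[c[0]] = c[1]
        if c[0] == "rule" and "source" in c and "destination" in c:
            s, d = c.index("source"), c.index("destination")
            end["acl"] = (tuple(c[s + 1:s + 3]), tuple(c[d + 1:d + 3]))
    names = sorted(ends)
    if len(names) == 2:  # the two tunnel ends must describe each other
        a, b = ends[names[0]], ends[names[1]]
        if a.get("acl") != b.get("acl", ())[::-1]:
            findings.append((names[0], "ACL is not the mirror of " + names[1]))
        if (a.get("local-address"), a.get("remote-address")) != (
                b.get("remote-address"), b.get("local-address")):
            findings.append((names[0], "peer addresses not reciprocal with " + names[1]))
    return findings
```

Calling audit(SESSION) on the configuration from this page returns eleven weak-setting findings and no mismatch findings; the transcript passed in must have the trailing annotations stripped, as in the sample.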
Result