Router and ASA: building an IKEv2 L2L *** with pre-shared-key authentication

I. Test topology

Notes:
A. The IOS image used for the Branch router in GNS is c7200-adventerprisek9-mz.152-4.S; download: http://down.51cto.com/data/607191
B. CenterASA is an ASA 8.42 VMware virtual machine
II. Basic configuration
A. Branch router

interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.1.10
B. Internet router
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut
C. Center-ASA firewall
interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.2.1 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shut
route Outside 0 0 202.100.2.10
III. L2L IKEv2 *** configuration
A. Branch router
① Configure the IKEv2 policy

crypto ikev2 proposal IKEV2-Proposal
 encryption 3des aes-cbc-256
 integrity sha256 sha512
 group 2 5 14
crypto ikev2 policy IKEV2-Policy
 proposal IKEV2-Proposal
② Configure the IKEv2 profile
crypto ikev2 keyring IKEV2-Keyring
 peer CenterASA
  address 202.100.2.1
  pre-shared-key Pre-Key
crypto ikev2 profile IKEV2-Profile
 match identity remote address 202.100.2.1 255.255.255.255
 identity local address 202.100.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-Keyring
③ Configure the IPsec transform-sets
crypto ipsec transform-set Trans1 esp-des esp-md5-hmac
crypto ipsec transform-set Trans2 esp-3des esp-sha256-hmac
④ Configure the interesting traffic
ip access-list extended ***-Traffic
 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
⑤ Configure the crypto map and apply it on the interface
crypto map Crypto-Map 10 ipsec-isakmp
 set peer 202.100.2.1
 set transform-set Trans1 Trans2
 set ikev2-profile IKEV2-Profile
 match address ***-Traffic
interface FastEthernet0/0
 crypto map Crypto-Map
B. CenterASA firewall
① Enable IKEv2 on the Outside interface
crypto ikev2 enable Outside
② Configure the IKEv2 policy
crypto ikev2 policy 10
 encryption aes-256 des
 integrity sha256 sha
 group 2 1
 prf sha256 sha
③ Configure the tunnel group
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Pre-Key
 ikev2 local-authentication pre-shared-key Pre-Key
④ Configure the IPsec proposal (the ASA equivalent of a transform-set)
crypto ipsec ikev2 ipsec-proposal Transet
 protocol esp encryption aes-192 des
 protocol esp integrity sha-1 md5
⑤ Configure the interesting traffic
access-list ***-Traffic extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
⑥ Configure the crypto map and apply it on the interface
crypto map Crypto-Map 10 match address ***-Traffic
crypto map Crypto-Map 10 set peer 202.100.1.1
crypto map Crypto-Map 10 set ikev2 ipsec-proposal Transet
crypto map Crypto-Map interface Outside
IV. Testing
A. Trigger the ***

Branch#ping 10.1.1.18 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.18, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1

.!!!!
B. Capture packets on the Branch router's f0/0 interface

C. Check encryption and decryption counters
Branch#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   9        0        0 202.100.1.1
    2  IPsec   DES+MD5                   0        9        9 202.100.1.1
 1005  IKEv2   SHA256+AES256             0        0        0 202.100.1.1
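Added example (not from the original post or from Cisco): the Python below parses both sides' IKEv2 and IPsec proposals as configured above, intersects them, and flags weak algorithms; on this page's configs the result is AES-256/SHA256/group 2 for IKE and DES/MD5 for IPsec, which matches the show crypto engine output. The keyword-normalisation table mapping IOS names to ASA names is an assumption of the example.

```python
import re
# Constructed excerpts of the page's Branch (IOS) and CenterASA configs.
BRANCH_CFG = """
crypto ikev2 proposal IKEV2-Proposal
 encryption 3des aes-cbc-256
 integrity sha256 sha512
 group 2 5 14
crypto ipsec transform-set Trans1 esp-des esp-md5-hmac
crypto ipsec transform-set Trans2 esp-3des esp-sha256-hmac
"""
ASA_CFG = """
crypto ikev2 policy 10
 encryption aes-256 des
 integrity sha256 sha
 group 2 1
crypto ipsec ikev2 ipsec-proposal Transet
 protocol esp encryption aes-192 des
 protocol esp integrity sha-1 md5
"""
# IOS/ASA keyword -> common name (assumed mapping for this example only).
NORMALIZE = {"aes-cbc-256": "aes-256", "esp-des": "des", "esp-3des": "3des",
             "esp-md5-hmac": "md5", "esp-sha-hmac": "sha-1",
             "esp-sha256-hmac": "sha256", "sha": "sha-1"}
WEAK = {"des", "3des", "md5", "sha-1", "1", "2", "5"}  # ciphers/DH groups to flag

def words(pattern, text):
    """Normalised tokens following the first line that matches `pattern`."""
    return [NORMALIZE.get(t, t) for t in re.search(pattern, text, re.M).group(1).split()]

def ike_attrs(cfg):
    """One side's IKE SA attributes (encryption, integrity, DH group) as sets."""
    return {a: set(words(rf"^\s*{a}\s+(.+)$", cfg)) for a in ("encryption", "integrity", "group")}

def ipsec_pairs(cfg):
    """(encryption, integrity) pairs a side accepts: IOS lists fixed transform-sets,
    the ASA offers every combination of its proposal's two lines."""
    sets = re.findall(r"^\s*crypto ipsec transform-set \S+ (\S+) (\S+)", cfg, re.M)
    if sets:
        return [(NORMALIZE.get(e, e), NORMALIZE.get(i, i)) for e, i in sets]
    enc, integ = words(r"protocol esp encryption (.+)$", cfg), words(r"protocol esp integrity (.+)$", cfg)
    return [(e, i) for e in enc for i in integ]

def negotiate(branch, asa):
    """Attributes both sides list (the only ones an SA can use) and the weak ones among them."""
    b, a = ike_attrs(branch), ike_attrs(asa)
    ike = {k: b[k] & a[k] for k in b}
    ipsec = [p for p in ipsec_pairs(branch) if p in set(ipsec_pairs(asa))]
    used = set().union(*ike.values(), *ipsec)
    return ike, ipsec, sorted(used & WEAK)

print(negotiate(BRANCH_CFG, ASA_CFG))  # IKE aes-256/sha256/group 2, IPsec ('des', 'md5'), weak ['2', 'des', 'md5']
```

Moving a stronger transform-set (Trans2) ahead of Trans1 on the router would not help here, because the ASA proposal offers no 3DES/SHA256 combination; both sides have to list the stronger pair.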