Alibaba Cloud side configuration
1. In the Alibaba Cloud console, open the VPC (Virtual Private Cloud) page and find the IPsec Connections menu;
2. Create an IPsec connection and fill in the required information;
3. Once the configuration is complete, a new IPsec tunnel entry is listed; click "Download peer configuration" and configure the peer device according to it;
4. Open the route table and add the corresponding route entry.
Cisco router side
1. Adjust the downloaded configuration into the corresponding router-side configuration;
Note: the IPsec implementation underlying Alibaba Cloud is strongSwan, which is not compatible with Cisco IKEv2 (there is a bug). IKEv1 is therefore recommended, but with IKEv1 only one interesting-traffic entry (a single ACE) should be written.
Sample configuration:
{
"LocalSubnet": "10.1.5.0/24",
"RemoteSubnet": "172.16.0.0/24",
"IpsecConfig": {
"IpsecPfs": "group2",
"IpsecEncAlg": "aes",
"IpsecAuthAlg": "sha1",
"IpsecLifetime": 86400
},
"Local": "12.7.10.17",
"Remote": "13.22.15.3",
"IkeConfig": {
"IkeAuthAlg": "md5",
"LocalId": "12.7.10.17",
"IkeEncAlg": "aes",
"IkeVersion": "ikev1",
"IkeMode": "main",
"IkeLifetime": 86400,
"RemoteId": "13.22.15.3",
"Psk": "8r6znxxxxxxyi",
"IkePfs": "group2"
}
}
2. IKEv1 reference configuration:
crypto isakmp policy 1
 encr aes
 authentication pre-share
 hash md5
 group 2
 lifetime 86400
crypto isakmp key 8rXXXXX8mii address 13.22.15.3
! Exactly one interesting-traffic entry, as recommended above for IKEv1
ip access-list extended ZX
 permit ip 10.1.5.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto ipsec transform-set ZX esp-aes esp-sha-hmac
 mode tunnel
crypto map ZX 10 ipsec-isakmp
 set peer 13.22.15.3
 set transform-set ZX
 ! Matches "IpsecPfs": "group2" in the downloaded configuration so phase 2 agrees on PFS
 set pfs group2
 match address ZX
interface GigabitEthernet0/1
 crypto map ZX
3. After the configuration is complete, send traffic that matches the ACL to trigger tunnel establishment.
Troubleshooting commands
show crypto isakmp sa
show crypto ipsec sa peer 13.22.15.3
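The translation from the downloaded JSON to the IKEv1 router configuration above is mechanical, so here it is as a small script; this is an added example, not code from the original post or from Alibaba Cloud. It assumes the JSON shape shown on this page (the sample values are placeholders), maps the algorithm names to the IOS keywords used above, emits exactly one ACE, and adds `set pfs` to match `IpsecPfs`; the `ZX` tag and interface name are parameters.

```python
import ipaddress
import json

# Constructed sample in the shape of the peer configuration downloaded from the
# Alibaba Cloud console (placeholder addresses and PSK, not a real tunnel).
ALIYUN_JSON = """{
  "LocalSubnet": "10.1.5.0/24", "RemoteSubnet": "172.16.0.0/24",
  "Local": "12.7.10.17", "Remote": "13.22.15.3",
  "IpsecConfig": {"IpsecPfs": "group2", "IpsecEncAlg": "aes",
                  "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400},
  "IkeConfig": {"IkeAuthAlg": "md5", "LocalId": "12.7.10.17", "IkeEncAlg": "aes",
                "IkeVersion": "ikev1", "IkeMode": "main", "IkeLifetime": 86400,
                "RemoteId": "13.22.15.3", "Psk": "8r6znxxxxxxyi", "IkePfs": "group2"}
}"""

# JSON algorithm names -> IOS keywords (only spellings known to be valid on IOS)
IKE_HASH = {"md5": "md5", "sha1": "sha", "sha256": "sha256"}
ESP_AUTH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac", "sha256": "esp-sha256-hmac"}
ESP_ENC = {"aes": "esp-aes", "aes192": "esp-aes 192", "aes256": "esp-aes 256", "3des": "esp-3des"}

def wildcard(cidr):
    """10.1.5.0/24 -> '10.1.5.0 0.0.0.255', the form IOS extended ACLs use."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"

def render_ios(peer_json, tag="ZX", iface="GigabitEthernet0/1"):
    """Render the Cisco-side IKEv1 crypto-map configuration from the JSON text."""
    cfg = json.loads(peer_json)
    ike, ipsec = cfg["IkeConfig"], cfg["IpsecConfig"]
    if ike["IkeVersion"] != "ikev1":  # the page advises IKEv1 against the strongSwan peer
        raise ValueError("template covers IKEv1 only")
    group = ike["IkePfs"].replace("group", "")  # "group2" -> "2"
    return "\n".join([
        "crypto isakmp policy 1",
        f" encr {ike['IkeEncAlg']}", " authentication pre-share",
        f" hash {IKE_HASH[ike['IkeAuthAlg']]}", f" group {group}",
        f" lifetime {ike['IkeLifetime']}",
        f"crypto isakmp key {ike['Psk']} address {cfg['Remote']}",
        f"ip access-list extended {tag}",
        # exactly one ACE: the single interesting-flow entry the page advises for IKEv1
        f" permit ip {wildcard(cfg['LocalSubnet'])} {wildcard(cfg['RemoteSubnet'])}",
        f"crypto ipsec transform-set {tag} {ESP_ENC[ipsec['IpsecEncAlg']]}"
        f" {ESP_AUTH[ipsec['IpsecAuthAlg']]}",
        " mode tunnel",
        f"crypto map {tag} 10 ipsec-isakmp",
        f" set peer {cfg['Remote']}", f" set transform-set {tag}",
        f" set pfs {ipsec['IpsecPfs']}",  # keep phase-2 PFS in step with IpsecPfs
        f" match address {tag}",
        f"interface {iface}", f" crypto map {tag}",
    ])
```

Print the result of `render_ios(ALIYUN_JSON)` and diff it against the running configuration before committing it; anything it refuses (a non-IKEv1 version, an unmapped algorithm name) is something to check by hand rather than guess.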
Reposted from: https://blog.51cto.com/juispan/2317393