(1) Configure the IKE (ISAKMP) policy on R1:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
Note: this defines ISAKMP policy 1 with 3DES encryption, SHA-1 hashing, Pre-Shared Key (PSK) authentication, and Diffie-Hellman group 2 for the key exchange. The policy must match on both peers or phase 1 fails before authentication is even attempted. 3DES, SHA-1 and DH group 2 (1024-bit MODP) are all considered weak today and are kept here only because the lab uses them; a new deployment should use AES, SHA-256 and DH group 14 or higher on IOS releases that support them.
(2) Configure wildcard pre-shared-key authentication on R1:
R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
R1(conf-keyring)#exit
R1(config)#crypto isakmp profile ppp
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring abc
R1(conf-isa-prof)#match identity address 0.0.0.0
R1(conf-isa-prof)#exit
Note: this creates a keyring abc that holds one pre-shared key, cisco123, valid for any peer address (0.0.0.0 0.0.0.0), and an ISAKMP profile ppp (an ISAKMP profile, not an IPsec profile) that uses that keyring and accepts any peer identity address. IOS flags the profile as incomplete until the match identity statement is entered. Because the key is a wildcard, any peer that knows cisco123 can authenticate to R1, so the key must be strong and changed if any spoke is compromised.
(3) Configure the IPsec transform set on R1:
R1(config)#crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
Note: this configures a transform set named ccie: data is encapsulated in ESP with 3DES encryption, and ESP's SHA-1 HMAC provides integrity. The IPsec mode defaults to tunnel.
(4) Define the dynamic crypto map on R1:
R1(config)#crypto dynamic-map dymap 5
R1(config-crypto-map)#set transform-set ccie
R1(config-crypto-map)#set isakmp-profile ppp
R1(config-crypto-map)#exit
Note: this defines a dynamic crypto map dymap that references the ISAKMP profile ppp and the transform set ccie. No peer address is set, because the hub does not know the spokes' addresses in advance.
(5) Create the crypto map on R1:
R1(config)#crypto map mymap 10 ipsec-isakmp dynamic dymap
Note: this defines a crypto map named mymap. Unlike a regular crypto map, it only needs to reference the dynamic crypto map dymap created earlier, and the configuration ends here. The hub side does not need to define interesting traffic: the proxy identities are taken from whatever the spoke proposes during quick mode. If the hub should only accept specific networks, add a match address ACL under the dynamic map; without one, any spoke that passes authentication can propose any proxy identity.
(6) Apply the crypto map to the interface on R1:
R1(config)#int f0/0
R1(config-if)#crypto map mymap
R1(config-if)#
*Mar 1 00:42:19.807: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
Note: this applies the crypto map to the outbound interface F0/0. The syslog message confirms that ISAKMP was turned on as a result; the router will now listen for IKE on UDP 500 on that interface.
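The hub configuration above says nothing about the spoke, yet the spoke is the side that must name the peer and the interesting traffic. The following spoke (R2) configuration is an added example, not part of the original post; it assumes R1 f0/0 is 10.1.1.1, R2 f0/0 is 10.1.1.2, the hub LAN is 192.168.1.0/24 and the spoke LAN is 192.168.2.0/24, and the ACL name VPN-TRAFFIC is arbitrary.

```cisco
! Spoke R2 for the R1 hub above (added example; addressing is assumed).
!
! Phase 1 policy must match the hub's policy 1 attribute for attribute.
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! The spoke knows the hub's address, so it can bind the PSK to that one
! peer instead of using a 0.0.0.0 wildcard keyring as the hub does.
crypto isakmp key cisco123 address 10.1.1.1
!
! Phase 2 proposal must match the hub's transform set ccie.
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
!
! Interesting traffic is defined only on the spoke. These proxy identities
! are what the hub's dynamic map accepts during quick mode.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! A static crypto map: unlike the hub, the spoke names the peer and the ACL.
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ccie
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 crypto map mymap
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

Only the spoke can initiate: the hub has no peer to send the first IKE message to. Bring the tunnel up from R2 with `ping 192.168.1.1 source 192.168.2.1` (the first packets are dropped while IKE negotiates), then check `show crypto isakmp sa` on either side for a QM_IDLE entry, `show crypto ipsec sa` for encrypt/decrypt counters, and `show crypto session` for the learned peer. R1 also needs a route for 192.168.2.0/24 that points out f0/0; rather than a static route per spoke, add `set reverse-route` under `crypto dynamic-map dymap 5` so the route is installed when the SA comes up (this is what the ASA configuration in the next section does).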
Router-to-ASA Dynamic LAN-to-LAN VPN configuration (ASA as the hub):
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)#
ciscoasa(config)# crypto ipsec transform-set ccie esp-3des esp-sha-hmac
ciscoasa(config)# crypto dynamic-map dymap 1 set transform-set ccie
ciscoasa(config)# crypto dynamic-map dymap 1 set reverse-route
ciscoasa(config)# crypto map mymap 10 ipsec-isakmp dynamic dymap
ciscoasa(config)# crypto map mymap interface outside
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
ciscoasa(config)#
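The ASA commands above mirror the IOS hub: the same ISAKMP policy and transform set, a dynamic map that additionally sets reverse-route so the ASA installs a route to the spoke's LAN when the SA comes up, the crypto map bound to outside, ISAKMP enabled on outside, and a wildcard pre-shared key for any peer. That `isakmp key ... address 0.0.0.0` form is the older ASA syntax. The following block is an added example, not from the original post, showing the same hub on ASA 8.4 or later, where IKEv1 commands carry the `ikev1` keyword and the wildcard PSK belongs to the DefaultL2LGroup tunnel group; the interface name outside and the page's own names and key are reused.

```cisco
! ASA hub, 8.4+ syntax (added example; same names and key as the page).
crypto ikev1 policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set ccie esp-3des esp-sha-hmac
!
! Dynamic map: no peer, reverse-route so the spoke LAN becomes routable
! once the SA is negotiated.
crypto dynamic-map dymap 1 set ikev1 transform-set ccie
crypto dynamic-map dymap 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dymap
crypto map mymap interface outside
crypto ikev1 enable outside
!
! Any peer whose address has no dedicated tunnel-group falls back to
! DefaultL2LGroup, so this is where the wildcard PSK now lives.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123
```

Verify with `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA. As on the IOS hub, the wildcard key lets any spoke that knows it authenticate, and the dynamic map accepts whatever proxy identities the spoke proposes; if the ASA also translates inside addresses, the spoke-to-hub traffic must be exempted from NAT or the proxy identities will not match.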
Reposted from: https://blog.51cto.com/370220760/1714392