Minimal configuration of a Cisco router IKEv2 L2L VPN with pre-shared key authentication

1. Overview:

Cisco IOS ships with a large amount of IKEv2 preconfiguration (a default proposal, policy, transform set, IPsec profile and authorization policy, listed in section 5), so an IKEv2 tunnel can be brought up with very little configuration of our own.

2. Basic approach:

A. Both sides configure FlexVPN with an SVTI (static virtual tunnel interface).

B. No dynamic routing protocol is used; static routes are configured. If one side uses a DVTI instead, static routes need to be configured on both sides. Note, however, that the Virtual-Access interface cloned from a DVTI is created dynamically, so a static route cannot be pointed at it; on the DVTI side the routes for the peer come from the IKEv2 authorization policy (the "route set" and "route accept any" lines that the preconfiguration in section 5 shows are enabled by default).

3. Test topology:

[Topology figure 232642716.jpg, not reproduced here. From the configuration below: R2 reaches the Internet on FastEthernet0/1 with address 202.100.1.1 and has 172.16.1.0/24 behind it; R4 reaches the Internet on FastEthernet0/1 with address 202.100.2.1 and has 192.168.1.0/24 behind it. The tunnel subnet is 10.1.1.0/24.]

4. FlexVPN configuration:

Each side needs only an IKEv2 keyring, an IKEv2 profile named "default", a tunnel interface and a static route. Nothing references the IKEv2 profile explicitly: "tunnel protection" applies the preconfigured IPsec profile "default" (see section 5), and that profile uses an IKEv2 profile named "default" when one exists, which is why the profile must carry exactly that name.

A. R2:

! Keyring: the peer is pinned to R4's public address. "cisco" is a lab key;
! use a long random key in production.
crypto ikev2 keyring KeyRing
 peer 202.100.2.1
  address 202.100.2.1
  pre-shared-key cisco
!
! IKEv2 profile: only accept a peer whose IKE identity is R4's address,
! pre-shared key authentication in both directions.
crypto ikev2 profile default
 match identity remote address 202.100.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
!
! SVTI: GRE over IPsec (the default tunnel mode), protected by the
! preconfigured IPsec profile "default".
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.2.1
 tunnel protection ipsec profile default
!
! R4's LAN is reached through the tunnel.
ip route 192.168.1.0 255.255.255.0 Tunnel0

B. R4:

! Mirror image of R2: peer address, identity match and tunnel destination
! all point at R2's public address 202.100.1.1.
crypto ikev2 keyring KeyRing
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key cisco
!
crypto ikev2 profile default
 match identity remote address 202.100.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
!
interface Tunnel0
 ip address 10.1.1.4 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile default
!
! R2's LAN is reached through the tunnel.
ip route 172.16.1.0 255.255.255.0 Tunnel0

5. FlexVPN preconfiguration:

The test used the IOS image c7200-adventerprisek9-mz.152-4.S. "show running-config all" shows that the FlexVPN preconfiguration (Cisco's IKEv2 "smart defaults") is present out of the box:

R1#show running-config all | sec cry
no service password-encryption
crypto pki crl cache size 64
crypto engine software ipsec
crypto ikev2 authorization policy default
 route set interface
 route accept any
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 policy default
 match fvrf any
 proposal default
crypto ikev2 nat keepalive 0
crypto ikev2 diagnose error 50
crypto ikev2 dpd 0 0 periodic
crypto ikev2 limit max-in-negotation-sa 40
crypto ikev2 limit max-sa 0
crypto ikev2 window 5
crypto ikev2 fragmentation mtu 576
crypto isakmp aggressive-mode disable
crypto ipsec optional retry 300
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 64
crypto ipsec transform-set default esp-aes esp-sha-hmac
 mode transport
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile default
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 no set security-association idle-time
 no set security-association replay window-size
crypto call admission limit ike sa 0
crypto call admission limit ike in-negotiation-sa 1000
crypto call admission limit ipsec sa 0
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
R1#
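These defaults are what make the short configuration in section 4 work, but read with a security eye they are permissive: the default proposal still offers sha1 and md5 integrity and Diffie-Hellman groups 5 and 2, the default transform set is AES-128 with SHA-1 ("esp-aes esp-sha-hmac"), dead-peer detection and NAT keepalives are off ("dpd 0 0", "nat keepalive 0"), and "max-sa 0" places no limit on the number of SAs. The initiator offers the whole proposal and the responder picks, so a peer that prefers the weaker entries gets them. The block below is an added example, not part of the original post, showing the R2 side of section 4 rewritten with an explicit proposal, policy, transform set and IPsec profile, a separate pre-shared key per direction, and DPD enabled. The names IKEv2-PROP, IKEv2-POL, IKEv2-KEYS, IKEv2-PROF, TS-AES256 and IPSEC-PROF and the two key strings are assumptions for this example; the addresses, interfaces and routes are the page's own. R4 is configured identically with the addresses and the two keys swapped. Availability of individual algorithms (esp-sha256-hmac, group 14) depends on the image; confirm with the CLI "?" help before relying on them.

```cisco
! R2 (public address 202.100.1.1). Added example, not the original post's
! configuration. All object names and both keys are example values.

! 1. Explicit IKEv2 proposal: only AES-256-CBC, SHA-256 and DH group 14,
!    dropping the sha1/md5 integrity and groups 5/2 of the default proposal.
crypto ikev2 proposal IKEv2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! 2. Policy that binds the proposal, and the built-in default policy
!    disabled so that the default proposal can never be offered.
crypto ikev2 policy IKEv2-POL
 match fvrf any
 proposal IKEv2-PROP
no crypto ikev2 policy default
!
! 3. Keyring: one long random key per direction instead of "cisco".
!    On R4 the peer is 202.100.1.1 and local/remote keys are swapped.
!    Example keys only; generate your own and keep them out of version control.
crypto ikev2 keyring IKEv2-KEYS
 peer R4
  address 202.100.2.1
  pre-shared-key local 9fK2pQ7vLx4sWm8nRj3tBc6hYd1gZe0a
  pre-shared-key remote Ub5nHq8wZk2tPm7cXr4yLv1sDf9gJe3o
!
! 4. Profile: peer pinned by address, our own identity fixed, DPD on
!    (the default "crypto ikev2 dpd 0 0 periodic" leaves it disabled).
crypto ikev2 profile IKEv2-PROF
 match identity remote address 202.100.2.1 255.255.255.255
 identity local address 202.100.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2-KEYS
 dpd 10 3 on-demand
!
! 5. IPsec: AES-256 / SHA-256 instead of the default esp-aes esp-sha-hmac.
!    Transport mode is kept because the tunnel is GRE over IPsec (default
!    "tunnel mode gre ip"). The IPsec profile names the IKEv2 profile
!    explicitly rather than relying on the profile being called "default".
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEv2-PROF
!
! 6. Tunnel and route are unchanged from section 4 apart from the profile.
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.2.1
 tunnel protection ipsec profile IPSEC-PROF
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

After applying the mirrored configuration on R4, "show crypto ikev2 sa detailed" should show the SA in READY state with the negotiated AES-256/SHA-256/group 14 parameters, "show crypto ipsec sa" the child SA with increasing packet counters once traffic crosses the tunnel, and "show crypto ikev2 proposal" and "show crypto ikev2 policy" confirm that only the explicit proposal and policy are in effect.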
