Configure IKE
Phase 1
[r1]ike proposal 1
[r1-ike-proposal-1]encryption-algorithm aes-cbc-128
[r1-ike-proposal-1]authentication-algorithm sha1
[r1-ike-proposal-1]dh group2
[r1-ike-proposal-1]authentication-method pre-share
[r1]ike peer aaa v1
[r1-ike-peer-aaa]pre-shared-key cipher key123 (ciphertext password)
[r1-ike-peer-aaa]exchange-mode main (select main mode)
[r1-ike-peer-aaa]remote-address 200.1.1.1 (the peer's address, r3 g0/0/0)
[r1-ike-peer-aaa]ike-proposal 1
Phase 2
[r1]ipsec proposal bbb
[r1-ipsec-proposal-bbb]encapsulation-mode ?
transport Only the payload of IP packet is protected(transport mode)
tunnel The entire IP packet is protected(tunnel mode)
[r1-ipsec-proposal-bbb]encapsulation-mode tunnel
[r1-ipsec-proposal-bbb]esp encryption-algorithm aes-128
[r1-ipsec-proposal-bbb]esp authentication-algorithm sha1
ACL
[r1]acl 3000
[r1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[r1]ipsec policy ccc 1 isakmp
[r1-ipsec-policy-isakmp-ccc-1]proposal bbb
[r1-ipsec-policy-isakmp-ccc-1]ike-peer aaa
[r1-ipsec-policy-isakmp-ccc-1]security acl 3000
[r1-ipsec-policy-isakmp-ccc-1]pfs dh-group2
Apply the policy to the interface
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy aaa
Error:This ipsec policy does not exist.
[r1-GigabitEthernet0/0/0]ipsec policy bbb
Error:This ipsec policy does not exist.
[r1-GigabitEthernet0/0/0]ipsec policy ccc
Of course, if the configuration is wrong, delete policy ccc 1:
[r1]undo ipsec policy ccc 1
Info:All IPSec configurations with this policy are deleted.
R3 must be configured in the same way.
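R3's Phase 1 and Phase 2 settings have to match R1's, and its ACL has to be the mirror image of R1's, otherwise negotiation fails. The Python check below is an added example, not part of the original page: it compares two captured VRP sessions, where the R3 sessions, the helper names `parse` and `compare`, and the `dh group5` mistake are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\[[^\]]+\](.*)$")   # VRP prompt such as [r1-ike-proposal-1]
RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
# Settings both peers must agree on for Phase 1 and Phase 2 negotiation.
NEGOTIATED = {"encryption-algorithm", "authentication-algorithm", "dh",
              "exchange-mode", "encapsulation-mode", "esp encryption-algorithm",
              "esp authentication-algorithm", "pfs"}
# R1 session lines as shown on the page.
R1 = """\
[r1-ike-proposal-1]encryption-algorithm aes-cbc-128
[r1-ike-proposal-1]authentication-algorithm sha1
[r1-ike-proposal-1]dh group2
[r1-ipsec-proposal-bbb]encapsulation-mode tunnel
[r1-ipsec-proposal-bbb]esp encryption-algorithm aes-128
[r1-ipsec-proposal-bbb]esp authentication-algorithm sha1
[r1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[r1-ipsec-policy-isakmp-ccc-1]pfs dh-group2
"""
SEL_R1 = "source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"
SEL_R3 = "source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"
# Constructed R3 sessions (not from the page): one correct, one with two mistakes.
R3_OK = R1.replace("[r1", "[r3").replace(SEL_R1, SEL_R3)
R3_BAD = R1.replace("[r1", "[r3").replace("dh group2", "dh group5")

def parse(session):
    """Return (negotiated settings, list of (source, destination) selectors)."""
    settings, acl = {}, []
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output such as "Error:..." carries no prompt
        cmd = m.group(1).strip()
        key, _, value = cmd.rpartition(" ")
        rule = RULE.match(cmd)
        if rule:
            acl.append(((rule[1], rule[2]), (rule[3], rule[4])))
        elif key in NEGOTIATED:
            settings[key] = value
    return settings, acl

def compare(local, remote):
    """List every mismatch that would stop the two peers from negotiating."""
    (ls, la), (rs, ra) = parse(local), parse(remote)
    findings = [f"{k}: {ls.get(k)} != {rs.get(k)}"
                for k in sorted(NEGOTIATED) if ls.get(k) != rs.get(k)]
    if sorted((dst, src) for src, dst in la) != sorted(ra):
        findings.append("acl: remote rules do not mirror the local rules")
    return findings
```

`compare(R1, R3_BAD)` reports the DH group mismatch and the un-mirrored ACL, while `compare(R1, R3_OK)` returns an empty list.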
Test: