Configuring an ASA-to-router IPsec VPN (static IP)

  Configuration on the ASA side

  ciscoasa(config)# int e0/0

  ciscoasa(config-if)# ip address 10.100.1.1 255.255.255.0

  ciscoasa(config-if)# no shut

  ciscoasa(config-if)# nameif inside

  INFO: Security level for "inside" set to 100 by default.

  ciscoasa(config)# int e0/1

  ciscoasa(config-if)# ip add 11.11.11.11 255.255.255.0

  ciscoasa(config-if)# no shut

  ciscoasa(config-if)# nameif outside

  ciscoasa(config)# crypto isakmp policy 1

  ciscoasa(config-isakmp-policy)# encryption des

  ciscoasa(config-isakmp-policy)# hash md5

  ciscoasa(config-isakmp-policy)# authentication pre-share

  The authentication method is pre-shared keys (PSK)

  ciscoasa(config-isakmp-policy)# group 2

  The key-exchange (Diffie-Hellman) group is group 2

  ciscoasa(config-isakmp-policy)# exit

  Define the authentication identity on the ASA

  ciscoasa(config)# tunnel-group 12.12.12.12 type ipsec-l2l

  ciscoasa(config)# tunnel-group 12.12.12.12 ipsec-attributes

  ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco

  ciscoasa(config-tunnel-ipsec)# exit

  ciscoasa(config)# access-list vpn permit ip 10.100.1.0 255.255.255.0 10.1.1.0 255.255.255.0

  Configure the IPsec transform set on the ASA:

  ciscoasa(config)# crypto ipsec transform-set quidway esp-des esp-md5-hmac

  ciscoasa(config)# crypto map mymap 1 match address vpn

  ciscoasa(config)# crypto map mymap 1 set peer 12.12.12.12

  ciscoasa(config)# crypto map mymap 1 set transform-set quidway

  Enable the policy on the ASA

  crypto map mymap interface outside

  crypto isakmp enable outside

  Configuration on the router

  R1(config)#int f0/0

  R1(config-if)#ip add 12.12.12.12 255.255.255.0

  R1(config-if)#no sh

  R1(config-if)#exit

  R1(config)#int f0/1

  R1(config-if)#ip add 10.1.1.1 255.255.255.0

  R1(config-if)#no sh

  R1(config-if)#exit

  R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255

  R1(config)#crypto isakmp policy 1

  R1(config-isakmp)#encryption des

  R1(config-isakmp)#hash md5

  R1(config-isakmp)#authentication pre-share

  R1(config-isakmp)#group 2

  R1(config-isakmp)#exit

  R1(config)#crypto isakmp key 0 cisco address 11.11.11.11

  R1(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac

  R1(cfg-crypto-trans)#exit

  R1(config)#crypto map mymap 1 ipsec-isakmp

  R1(config-crypto-map)#set peer 11.11.11.11

  R1(config-crypto-map)#set transform-set vpn

  R1(config-crypto-map)#match address 102

  R1(config-crypto-map)#exit

  R1(config)#int f0/0

  R1(config-if)#crypto map mymap

  R1(config-if)#exit
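
  An added example, not part of the original post: a small Python check over the two configurations above, using sample text constructed from the page's commands with the prompts stripped. It flags the DES, MD5, DH group 2 and cleartext-key settings, and verifies that the ASA's netmask-style crypto ACL mirrors the router's wildcard-style one. All function names are this example's own.

```python
import ipaddress
import re
# Constructed input: the page's commands with the CLI prompts stripped.
ASA = """crypto isakmp policy 1
 encryption des
 hash md5
 group 2
access-list vpn permit ip 10.100.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set quidway esp-des esp-md5-hmac
"""
ROUTER = """crypto isakmp policy 1
 encryption des
 hash md5
 group 2
crypto isakmp key 0 cisco address 11.11.11.11
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
crypto ipsec transform-set vpn esp-des esp-md5-hmac
"""
WEAK = {  # pattern -> finding
    r"^\s*encryption des\b": "IKE encryption is single DES",
    r"^\s*hash md5\b": "IKE hash is MD5",
    r"^\s*group [12]\b": "Diffie-Hellman group is 1024 bits or smaller",
    r"\besp-des\b": "ESP encryption is single DES",
    r"\besp-md5-hmac\b": "ESP integrity is HMAC-MD5",
    r"^\s*crypto isakmp key 0 ": "pre-shared key entered in cleartext (type 0)",
}
ACL = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")

def weak_settings(config):
    """Return (line, finding) pairs for every weak crypto setting."""
    return [(line.strip(), why) for line in config.splitlines()
            for pat, why in WEAK.items() if re.search(pat, line)]

def _net(addr, mask, wildcard):
    """Build a network from a netmask (ASA) or a wildcard mask (IOS)."""
    if wildcard:  # invert 0.0.0.255 into 255.255.255.0
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}")

def crypto_acl(config, name, wildcard):
    """Return (source, destination) of the first entry of ACL `name`; None if absent."""
    for m in ACL.finditer(config):
        if m.group(1) == name:
            src, smask, dst, dmask = m.groups()[1:]
            return _net(src, smask, wildcard), _net(dst, dmask, wildcard)

def mirrored(asa_acl, ios_acl):
    """True when the two crypto ACLs select the same traffic in opposite directions."""
    return None not in (asa_acl, ios_acl) and asa_acl == ios_acl[::-1]
```

  Call `weak_settings()` on each side's configuration, and `mirrored(crypto_acl(ASA, "vpn", False), crypto_acl(ROUTER, "102", True))` to compare the interesting-traffic ACLs of the two peers.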

 
