----------------IKEv1---------------------------
NAT configuration omitted
// Define the networks
object-group network LOCAL_CMB_***
network-object 172.29.41.0 255.255.255.0
network-object 172.29.46.0 255.255.255.0
object-group network REMOTE_CMB_***
network-object 172.16.20.0 255.255.255.0
// Permit *** traffic
access-list ingate extended permit ip object-group LOCAL_CMB_*** object-group REMOTE_CMB_***
// Define the interesting traffic
access-list 111 extended permit ip object-group LOCAL_CMB_*** object-group REMOTE_CMB_***
// Exempt *** traffic from NAT
nat (inside,outside) source static LOCAL_CMB_*** LOCAL_CMB_*** destination static REMOTE_CMB_*** REMOTE_CMB_***
// *** configuration
----IPsec phase 1 configuration
crypto ikev1 policy 100
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 120.133.238.152 type ipsec-l2l
tunnel-group 120.133.238.152 ipsec-attributes
ikev1 pre-shared-key 123456
----IPsec phase 2 configuration
crypto ipsec ikev1 transform-set CMB-*** esp-3des esp-md5-hmac
----Configure the crypto map
// match address must reference the interesting-traffic ACL defined above (111)
crypto map CMB-*** 100 match address 111
crypto map CMB-*** 100 set pfs
crypto map CMB-*** 100 set peer 120.133.238.152
crypto map CMB-*** 100 set ikev1 transform-set CMB-***
crypto map CMB-*** interface outside
crypto ikev1 enable outside
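
An added example, not part of the original page: a small Python check for the mistakes that are easiest to make in a configuration like the one above, namely a crypto map that references an ACL or transform set that is never defined, and legacy phase 1/phase 2 algorithms (DES/3DES, MD5, DH groups 1, 2 and 5). The sample configuration, its names and the function `audit` are constructed for illustration; the parsing assumes one command per line as shown above.

```python
import re

# Constructed sample shaped like the configuration above; every name in it
# is a placeholder, not a value taken from the page.
SAMPLE = """\
access-list 111 extended permit ip object-group LOCAL_NET object-group REMOTE_NET
crypto ikev1 policy 100
authentication pre-share
encryption aes
hash sha
group 2
crypto ipsec ikev1 transform-set TS-A esp-3des esp-md5-hmac
crypto map VPN-MAP 100 match address 100
crypto map VPN-MAP 100 set ikev1 transform-set TS_A
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}  # legacy phase 2 algorithms
WEAK_IKE = {("encryption", "des"), ("encryption", "3des"),
            ("hash", "md5"), ("group", "1"), ("group", "2"), ("group", "5")}

def audit(config):
    """Return sorted (kind, detail) findings for an ASA IKEv1 L2L config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    tsets, findings = {}, set()
    for l in lines:
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", l)
        if m:
            tsets[m.group(1)] = m.group(2).split()
            findings |= {("weak-esp", f"{m.group(1)}:{a}")
                         for a in tsets[m.group(1)] if a in WEAK_ESP}
        # Phase 1 sub-commands, matched by keyword because indentation varies.
        m = re.match(r"(encryption|hash|group) (\S+)$", l)
        if m and m.groups() in WEAK_IKE:
            findings.add(("weak-ike", f"{m.group(1)} {m.group(2)}"))
    for l in lines:
        # A crypto map entry must point at an ACL and transform set that exist.
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", l)
        if m and m.group(3) not in acls:
            findings.add(("missing-acl", m.group(3)))
        m = re.match(r"crypto map (\S+) (\d+) set ikev1 transform-set (.+)$", l)
        if m:
            findings |= {("missing-transform-set", t)
                         for t in m.group(3).split() if t not in tsets}
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```

A dangling `match address` or transform-set name leaves the tunnel unable to match or negotiate traffic, so those findings should be cleared before the algorithm findings are reviewed.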