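Establishing SAs manually
1. Configure reachability between the two ends
2. Configure the interesting traffic
3. Configure the ipsec proposal (covers the encryption algorithm and the authentication algorithm)
4. Configure the ipsec policy followed by the manual-mode keyword manual (binds the acl, the ipsec proposal, the local and remote ends, and the sa spi and string-key)
Device A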
Basic ACL 2000, 2 rules
Acl's step is 5
rule 1 deny source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.1.0 0.0.0.255
ACL 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy MAP1 10 manual
security acl 3000
proposal 1
tunnel local 10.0.12.1
tunnel remote 10.0.23.1
sa spi inbound esp 54321
sa string-key inbound esp cipher 1
sa spi outbound esp 12345
sa string-key outbound esp cipher 1
interface GigabitEthernet0/0/0
ip address 10.0.12.1 255.255.255.0
ipsec policy MAP1
nat outbound 2000
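Establishing SAs with IKE
ike proposal 2 (create and configure the IKE proposal)
authentication-algorithm md5 (configure the data authentication algorithm)
encryption-algorithm 3DES (configure the encryption algorithm)
dh group2 (configure the key-exchange algorithm)
ike peer sh v1 (create and configure the IKE peer)
exchange-mode main (or aggressive)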
pre-shared-key cipher huawei
ike-proposal 2
local-address 10.0.12.1
remote-address 10.0.23.1
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy 1 1 isakmp
security acl 3000
ike-peer sh
proposal 1
interface g0/0/0
ipsec policy 1
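
An added example, not part of the original notes and not Huawei tooling: a small Python check that reads commands like the ones above, as typed, and flags the settings a reviewer would question before deployment. Which settings count as weak, the 16-character minimum, and the names SAMPLE, RULES and audit are assumptions of this example.

```python
import re

# Constructed input: commands from the notes above, as typed, with the
# explanatory annotations removed and aggressive mode chosen for the peer.
SAMPLE = """\
ike proposal 2
 authentication-algorithm md5
 encryption-algorithm 3DES
 dh group2
ike peer sh v1
 exchange-mode aggressive
 pre-shared-key cipher huawei
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy MAP1 10 manual
 sa string-key inbound esp cipher 1
 sa string-key outbound esp cipher 1
"""

# Which settings count as weak is this example's assumption (hypothetical policy).
RULES = [
    (r"^(esp )?authentication-algorithm (md5|sha1)$", "weak integrity algorithm"),
    (r"^(esp )?encryption-algorithm (des|3des)", "weak cipher"),
    (r"^dh group ?[125]$", "small Diffie-Hellman group"),
    (r"^exchange-mode aggressive$", "aggressive mode: PSK open to offline guessing"),
    (r"^ipsec policy \S+ \d+ manual$", "manual SA: static keys, never rekeyed"),
]
SECRET = re.compile(r"^(?:sa string-key \S+ esp|pre-shared-key) (?:cipher|simple) (\S+)$")
# Assumed minimum length; only meaningful for config as typed, not for
# device output, where the secret is displayed in encrypted form.
MIN_SECRET_LEN = 16

def audit(config):
    """Return (line_number, finding, command) for every flagged command."""
    findings = []
    for number, raw in enumerate(config.splitlines(), 1):
        command = raw.strip().lower()
        for pattern, finding in RULES:
            if re.search(pattern, command):
                findings.append((number, finding, raw.strip()))
        secret = SECRET.match(command)
        if secret and len(secret.group(1)) < MIN_SECRET_LEN:
            findings.append((number, "short shared secret", raw.strip()))
    return findings

if __name__ == "__main__":
    for number, finding, command in audit(SAMPLE):
        print(f"line {number}: {finding}: {command}")
```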