Original author: Mansur

Original link: http://nbma.info/ipsec-ikev2-config/

IOS configuration

crypto ikev2 proposal IKE_PROP
encryption 3des aes-cbc-256
integrity sha256 sha512
group 2 5 14
prf sha256 sha1
! prf: the pseudo-random function applied to the exchanged nonces to derive the new keying material
! (IOS spells SHA-1 as "sha1"; the ASA keyword for the same algorithm is "sha")

crypto ikev2 policy IKE_PROL
proposal IKE_PROP

crypto ikev2 keyring IKE_KEY
peer PEER_B
address 23.1.1.3
pre-shared-key IPSECKEY


crypto ikev2 profile IKE_PROF
match identity remote address 23.1.1.3 255.255.255.255
identity local address 12.1.1.1
authentication local pre-share
authentication remote pre-share
keyring local IKE_KEY

crypto ipsec transform-set TRANS1 esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set TRANS2 esp-3des esp-sha256-hmac
mode tunnel
! Only TRANS1 (esp-des/esp-md5-hmac) overlaps with the ASA ipsec-proposal below
! (aes-192 or des with sha-1 or md5), so the CHILD_SA will be negotiated with DES and
! MD5; if that is not intended, list the same stronger pair on both peers.

ip access-list extended VPN
permit ip 14.1.1.0 0.0.0.255 35.1.1.0 0.0.0.255

crypto map IKE_MAP 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set TRANS1 TRANS2
set ikev2-profile IKE_PROF
match address VPN

interface e0/0
crypto map IKE_MAP

ASA configuration

crypto ikev2 enable outside

crypto ikev2 policy 10
encryption aes-256 3des
integrity sha512 sha256
group 5 2 1
prf sha256 sha
lifetime seconds 86400

tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key IPSECKEY
ikev2 local-authentication pre-shared-key IPSECKEY

crypto ipsec ikev2 ipsec-proposal TRANS
protocol esp encryption aes-192 des
protocol esp integrity sha-1 md5

access-list VPN extended permit ip 35.1.1.0 255.255.255.0 14.1.1.0 255.255.255.0

crypto map IKE_VPN 10 match address VPN
crypto map IKE_VPN 10 set peer 12.1.1.1
crypto map IKE_VPN 10 set ikev2 ipsec-proposal TRANS
crypto map IKE_VPN interface outside
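Added example, not part of the original post: a small Python check of which IKEv2 and IPsec algorithms the IOS and ASA configurations above can actually negotiate with each other, and which of the negotiable ones are legacy algorithms. The algorithm lists are copied from the two configurations; the alias table, the legacy list and the helper functions are constructed here.

```python
from itertools import product

# Constructed from the two configurations on this page. IOS and ASA spell
# several algorithms differently, so ALIASES maps each to a single name.
ALIASES = {"aes-cbc-256": "aes-256", "sha": "sha1", "sha-1": "sha1",
           "esp-des": "des", "esp-3des": "3des",
           "esp-md5-hmac": "md5", "esp-sha256-hmac": "sha256"}
# Legacy algorithms that stay negotiable as long as both peers still list them.
LEGACY = {"des", "3des", "md5", "sha1", "1", "2", "5"}

IOS_IKE = {"enc": ["3des", "aes-cbc-256"], "integ": ["sha256", "sha512"],
           "group": ["2", "5", "14"], "prf": ["sha256", "sha"]}
ASA_IKE = {"enc": ["aes-256", "3des"], "integ": ["sha512", "sha256"],
           "group": ["5", "2", "1"], "prf": ["sha256", "sha"]}
# An IOS transform-set is one fixed (encryption, integrity) pair ...
IOS_TRANSFORM_SETS = [("esp-des", "esp-md5-hmac"), ("esp-3des", "esp-sha256-hmac")]
# ... while an ASA ipsec-proposal offers every combination of its two lists.
ASA_IPSEC = {"enc": ["aes-192", "des"], "integ": ["sha-1", "md5"]}

def norm(name):
    return ALIASES.get(name, name)

def ike_common(a, b):
    """Per IKE_SA attribute, the values both IKEv2 proposals accept."""
    return {k: sorted({norm(x) for x in a[k]} & {norm(x) for x in b[k]}) for k in a}

def ipsec_common(ios_sets, asa_prop):
    """The (encryption, integrity) pairs both CHILD_SA offers can agree on."""
    asa_pairs = set(product(map(norm, asa_prop["enc"]), map(norm, asa_prop["integ"])))
    ios_pairs = {(norm(e), norm(i)) for e, i in ios_sets}
    return sorted(ios_pairs & asa_pairs)

def legacy_negotiable(ike, ipsec):
    """Legacy algorithms a peer could still pick; empty means both sides are clean."""
    found = {v for vals in ike.values() for v in vals if v in LEGACY}
    found |= {v for pair in ipsec for v in pair if v in LEGACY}
    return sorted(found)

def report():
    ike = ike_common(IOS_IKE, ASA_IKE)
    ipsec = ipsec_common(IOS_TRANSFORM_SETS, ASA_IPSEC)
    return {"ike": ike, "ipsec": ipsec, "legacy": legacy_negotiable(ike, ipsec),
            "compatible": all(ike.values()) and bool(ipsec)}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the values on this page the only CHILD_SA pair both peers accept is DES with MD5, which is the result a reviewer would want to catch before the tunnel goes live.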