CiscoASA5505 ipsec l2l配置
Cisco ASA5505配置
ASA(config)# crypto isakmp policy 10 #建立IKE策略,优先级为10
ASA(config-isakmp-policy)# encryption 3des #使用3des加密
ASA(config-isakmp-policy)# authentication pre-share #使用预共享的密码进行身份认证
ASA(config-isakmp-policy)# hash md5 #指定hash算法为md5(其他sha、rsa)
ASA(config-isakmp-policy)# lifetime 28800 #指定SA有效期时间。默认86400秒,两端要一致
ASA(config-isakmp-policy)# group 1 #指定密钥位数,1表示768位,2表示1024为,2更安全,更耗cpu资源
ASA(config-isakmp-policy)# exit
ASA(config)# crypto isakmp key bj2legend add 210.82.111.121 #预共享密码,远程网关ip
ASA(config)# crypto ipsec transform-set bjicpark esp-3des esp-md5-hmac
#定义一个IPSEC交换集,两端要一样
ASA(config)# access-list bjparkvpn permit ip 172.18.5.0 255.255.255.128 192.168.3.0 255.255.255.0 #定义加密通道
ASA(config)# access-list bjparkvpn permit ip 172.18.5.0 255.255.255.128 192.168.2.0 255.255.255.0
ASA(config)# crypto map bjparkmap 20 match address bjparkvpn #创建加密图
ASA(config)# crypto map bjparkmap 20 set peer 210.82.111.121 #目标地址
ASA(config)# crypto map bjparkmap 20 set transform-set bjpark #指定加密图使用的IPSEC交换集
ASA(config)# crypto map bjparkmap interface outside #应用加密图到接口
ASA(config)# crypto isakmp identity address #网关ID,默认IP地址,两端要一致
ASA(config)# crypto isakmp enable outside #接口上开启ike
ASA(config)# crypto isakmp nat-traversal 20 #支持nat穿越
方正方御FG3000E防火墙配置:
IKE协商模式:主动模式
IKE算法:自动协商
认证方式:预共享
本地网关ID:无
远程网关ID:无
IPSec算法:自动协商
高级选项:
生存周期:
ISAKMP SA:8小时0分0秒
IPSec SA:24小时0分0秒
支持DPD(Dead Peer Detection):选择打勾
DPD探测频率:30秒
DPD探测超时:10秒
DPD超时操作:重新启动连接
支持IP载荷压缩:不选择
支持完美向前加密(PFS):不选择
支持密钥重建(Rekeying):选择打勾
重试次数:0
相关知识点:
对称加密或私有密钥加密:加密解密使用相同的私钥
DES--数据加密标准 data encryption standard
3DES--3倍数据加密标准 triple data encryption standard
AES--高级加密标准 advanced encryption standard
一些技术提供验证:
MAC梷消息验证码 message authentication code
HMAC梷散列消息验证码 hash-based message authentication code
MD5和SHA是提供验证的散列函数
对称加密被用于大容量数据,因为非对称加密站用大量cpu资源
非对称或公共密钥加密:
RSA rivest-shamir-adelman
用公钥加密,私钥解密。公钥是公开的,但只有私钥的拥有者才能解密
两个散列常用算法:
HMAC-MD5 使用128位的共享私有密钥
HMAC-SHA-I 使用160位的私有密钥
ESP协议:用来提供机密性,数据源验证,无连接完整性和反重放服务,并且通过防止流量分析来限制流量的机密性,这些服务以来于SA建立和实现时的选择。
加密是有DES或3DES算法完成。可选的验证和数据完整性由HMAC,keyed SHA-I或MD5提供
IKE--internet密钥交换:他提供IPSEC对等体验证,协商IPSEC密钥和协商IPSEC安全关联
实现IKE的组件
1:des,3des 用来加密的方式
2:Diffie-Hellman 基于公共密钥的加密协议允许对方在不安全的信道上建立公共密钥,在IKE中被用来建立会话密钥。group 1表示768位,group 2表示1024位
3:MD5,SHA--验证数据包的散列算法。RAS签名--基于公钥加密系统
ASA5505完整配置实例:
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name default.domain.invalid
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
names
!
interface Vlan1
description lan
nameif inside
security-level 100
ip address 192.168.17.1 255.255.255.0
!
interface Vlan2
description wan
nameif outside
security-level 0
ip address 221.221.221.222 255.255.255.252
!
interface Ethernet0/0
description Link-wan
switchport access vlan 2
!
interface Ethernet0/1
description Link-lan
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list tjiccparkvpn extended permit ip 192.168.17.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tjiccparkvpn extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list test extended permit ip any any
access-list test extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 221.221.221.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tjicc esp-3des esp-md5-hmac
crypto map tjicc2frankmap 20 match address tjiccparkvpn
crypto map tjicc2frankmap 20 set peer 60.60.60.122
crypto map tjicc2frankmap 20 set transform-set tjicc
crypto map tjicc2frankmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
dhcpd lease 36000
!
dhcpd address 192.168.17.100-192.168.17.131 inside
dhcpd dns 202.106.0.20 202.106.196.115 interface inside
dhcpd enable inside
!
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group 60.60.60.122 type ipsec-l2l
tunnel-group 60.60.60.122 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:2c343a46e4a6eda64512791239624f9d
: end
本文来源:https://www.2haoxitong.net/k/doc/65de786c011ca300a6c390f5.html
文档为doc格式