Oct 11

Creating Site-to-Site VPNs with Pre-Shared Keys

Tony, 11:14, Cisco Technology » Network Security, Via original content from this site
Documentation:
1. Document your IKE Phase 1 negotiation criteria (example below)
   - Encryption algorithm: AES-128
   - Hashing: SHA-1
   - Authentication: pre-shared
   - Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
   - Encryption algorithm: esp-aes 128
   - Authentication: esp-sha-hmac
Configuring IKE Phase 1:
1. Enable ISAKMP: Router(config)#crypto isakmp enable
2. Create ISAKMP Policy: Router(config)#crypto isakmp policy <1-10000>
   - Router(config)#crypto isakmp policy 100
     o Router(config-isakmp)#encryption aes 128
     o Router(config-isakmp)#authentication pre-share
     o Router(config-isakmp)#group 2
     o Router(config-isakmp)#hash sha
3. Configure ISAKMP Identity: Router(config)#crypto isakmp identity <address | hostname>
4. Configure pre-shared keys: Router(config)#crypto isakmp key <key> address <peer-address>
Configuring IKE Phase 2:
1. Create transform sets: Router(config)#crypto ipsec transform-set <name> <transforms>
   - Router(config)#crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
2. (optional) Configure IPSec lifetime: Router(config)#crypto ipsec security-association lifetime <seconds | kilobytes> <value>
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be received encrypted
4. Set up IPSec crypto-map: Router(config)#crypto map <name> <seq-num> ipsec-isakmp
   - Router(config)#crypto map MAP 100 ipsec-isakmp
     o Router(config-crypto-map)#match address <acl>
     o Router(config-crypto-map)#set peer <peer-address>
     o Router(config-crypto-map)#set pfs <group>
     o Router(config-crypto-map)#set transform-set <name>
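The Phase 1 and Phase 2 steps above, assembled into a complete configuration for both peers. This is an added example, not part of the original post; the addresses (RFC 5737 documentation ranges), LAN subnets, ACL number 101, lifetime value, interface name and the key placeholder are assumptions.

```cisco
! ---- R1: WAN 192.0.2.1, LAN 10.1.1.0/24 (all addresses constructed) ----
crypto isakmp enable
crypto isakmp policy 100
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity address
! Same key on both peers; <PRE-SHARED-KEY> is a placeholder, not a real key
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! Crypto ACL: local LAN -> remote LAN (R2 carries the exact mirror)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map MAP 100 ipsec-isakmp
 match address 101
 set peer 198.51.100.1
 set pfs group2
 set transform-set JEREMY
! Not listed in the steps above: the map does nothing until it is applied
! to the outside interface (interface name is an assumption)
interface GigabitEthernet0/0
 crypto map MAP

! ---- R2: WAN 198.51.100.1, LAN 10.2.2.0/24 (all addresses constructed) ----
crypto isakmp enable
crypto isakmp policy 100
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity address
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! Mirror of R1's ACL 101: source and destination swapped
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map MAP 100 ipsec-isakmp
 match address 101
 set peer 192.0.2.1
 set pfs group2
 set transform-set JEREMY
interface GigabitEthernet0/0
 crypto map MAP
```

The Phase 1 policy, transform set and PFS group must match on both peers, and the two crypto ACLs must be exact mirrors, or negotiation fails. The algorithms are the post's example values; DH group 2 and SHA-1 are legacy choices, so prefer stronger options that both peers support in a new deployment.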
Verify:
   - show crypto isakmp policy
   - show crypto ipsec transform-set
   - show crypto ipsec sa
   - show crypto map
   - debug crypto isakmp
   - debug crypto ipsec

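Author: Tony Liu (admin#myccie.net)
URL: http://myccie.net/read.php?209
All rights reserved. When reposting, you must credit the author and the original source with a link and include this notice!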