(1) Configure the IKE (ISAKMP) policy on R1:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
Note: This defines ISAKMP policy 1 with 3DES as the encryption algorithm, SHA as the hash algorithm, pre-shared keys (PSK) as the authentication method, and Diffie-Hellman group 2 for key exchange.
(2) Configure the wildcard authentication method on R1:
R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
R1(conf-keyring)#exit
R1(config)#crypto isakmp profile ppp
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring abc
R1(conf-isa-prof)#match identity address 0.0.0.0
R1(conf-isa-prof)#exit
Note: This configures the ISAKMP profile named ppp, bound to keyring abc, so that the pre-shared key cisco123 is accepted from any peer IP address.
(3) Configure the IPsec transform set on R1:
R1(config)#crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
Note: This configures a transform set named ccie: data is encapsulated in ESP with 3DES encryption, and ESP with SHA-HMAC provides the integrity hash; the default IPsec mode is tunnel.
(4) Define the dynamic map on R1:
R1(config)#crypto dynamic-map dymap 5
R1(config-crypto-map)#set transform-set ccie
R1(config-crypto-map)#set isakmp-profile ppp
R1(config-crypto-map)#exit
Note: This defines a dynamic map named dymap that references the ISAKMP profile ppp and the transform set ccie.
(5) Create the crypto map on R1:
R1(config)#crypto map mymap 10 ipsec-isakmp dynamic dymap
Note: This defines a crypto map named mymap. Unlike a regular crypto map, this one only needs to be associated with the dynamic crypto map defined earlier, and the configuration ends here. As you can see, the hub side does not need to define interesting traffic.
(6) Apply the crypto map to the interface on R1:
R1(config)#int f0/0
R1(config-if)#crypto map mymap
R1(config-if)#
*Mar 1 00:42:19.807: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
Note: This applies the crypto map to the outbound interface F0/0.
Configuration for a Router-to-ASA dynamic LAN-to-LAN VPN (ASA side):
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)#
ciscoasa(config)# crypto ipsec transform-set ccie esp-3des esp-sha-hmac
ciscoasa(config)# crypto dynamic-map dymap 1 set transform-set ccie
ciscoasa(config)# crypto dynamic-map dymap 1 set reverse-route
ciscoasa(config)# crypto map mymap 10 ipsec-isakmp dynamic dymap
ciscoasa(config)# crypto map mymap interface outside
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
ciscoasa(config)#
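The two hub configurations above share the same security-relevant choices: the IKE policy and transform set use 3DES, SHA-1 and DH group 2 (all listed as legacy in Cisco's Next Generation Encryption guidance), and the pre-shared key is accepted from address 0.0.0.0, which is what lets unknown spokes connect but also means one shared key protects the whole hub. The following Python script is an added example, not code from the original post or from Cisco: it treats the IOS and ASA CLI snippets as text and flags those settings, and it shows a hardened IOS variant for comparison. The configuration strings are constructed copies of the commands on this page with prompts removed; the peer address in the hardened snippet is an RFC 5737 documentation address and its key is a placeholder.

```python
"""Audit of hub-side dynamic LAN-to-LAN IPsec configurations (added example).

Parses IOS and ASA crypto configuration as plain text and reports legacy
algorithms and any-address pre-shared keys. Everything here runs offline.
"""
import re

# Constructed copy of the R1 (IOS) configuration from the page, prompts removed.
IOS_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto keyring abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile ppp
 keyring abc
 match identity address 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto dynamic-map dymap 5
 set transform-set ccie
 set isakmp-profile ppp
crypto map mymap 10 ipsec-isakmp dynamic dymap
interface FastEthernet0/0
 crypto map mymap
"""

# Constructed copy of the ASA configuration from the page, prompts removed.
ASA_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto dynamic-map dymap 1 set transform-set ccie
crypto dynamic-map dymap 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dymap
crypto map mymap interface outside
isakmp enable outside
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
"""

# Hypothetical hardened IOS variant for a spoke with a known address (constructed):
# AES-256, SHA-256, DH group 14, and a key scoped to that one peer. A dynamic hub
# that cannot know spoke addresses keeps the 0.0.0.0 keyring entry and should
# instead use a long random key or certificates (authentication rsa-sig).
HARDENED_IOS = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto keyring abc
 pre-shared-key address 203.0.113.10 255.255.255.255 key REPLACE-WITH-LONG-RANDOM-KEY
crypto isakmp profile ppp
 keyring abc
 match identity address 203.0.113.10 255.255.255.255
crypto ipsec transform-set ccie esp-aes 256 esp-sha256-hmac
"""

# (keyword, value) pairs inside 'crypto isakmp policy' that Cisco NGE lists as legacy.
WEAK_IKE = {
    ("encryption", "des"): "encryption aes 256",
    ("encryption", "3des"): "encryption aes 256",
    ("hash", "md5"): "hash sha256",
    ("hash", "sha"): "hash sha256",
    ("group", "1"): "group 14 or an ECDH group",
    ("group", "2"): "group 14 or an ECDH group",
    ("group", "5"): "group 14 or an ECDH group",
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

# IOS keyring entry or ASA 'isakmp key' whose peer address is 0.0.0.0.
ANY_ADDRESS_PSK = re.compile(
    r"^(?:pre-shared-key address|isakmp key \S+ address)\s+0\.0\.0\.0\b"
)


def audit(config: str) -> list:
    """Return (config line, finding) tuples for the given CLI text."""
    findings = []
    in_policy = False  # True while inside a 'crypto isakmp policy' block
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if not raw[:1].isspace():  # unindented line ends the policy block
            in_policy = False
        parts = line.split()
        if in_policy and len(parts) == 2 and tuple(parts) in WEAK_IKE:
            findings.append((line, "legacy IKE setting; use " + WEAK_IKE[tuple(parts)]))
        elif line.startswith("crypto ipsec transform-set"):
            weak = sorted(set(parts[4:]) & WEAK_TRANSFORMS)
            if weak:
                findings.append((line, "legacy IPsec transforms " + ", ".join(weak)
                                 + "; use esp-aes 256 esp-sha256-hmac"))
        elif ANY_ADDRESS_PSK.match(line):
            findings.append((line, "pre-shared key accepted from any address: all spokes "
                             "share it, so a single leaked key lets any host negotiate; "
                             "use a long random key or certificate authentication"))
        elif line.startswith("match identity address 0.0.0.0"):
            findings.append((line, "profile matches any IKE identity; inherent to a dynamic "
                             "hub, so the key or certificate check is the only gate"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("IOS", IOS_CONFIG), ("ASA", ASA_CONFIG), ("hardened", HARDENED_IOS)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for cmd, why in audit(cfg):
            print(f"  {cmd}\n    -> {why}")
```

Running it reports six findings for the IOS hub and five for the ASA, and none for the hardened snippet. The any-address key is the one a defender should think hardest about: on a dynamic hub it is by design, so the compensating control is the strength and handling of that key (or moving to certificates), not the address match.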