--IPsec: Security Architecture for the Internet Protocol
--IKE (Internet Key Exchange)
--DES (Data Encryption Standard)
--MD5
--SHA
--AH (Authentication Header): data authentication and anti-replay service
--ESP (Encapsulating Security Payload): data confidentiality, data authentication and anti-replay service
(global)crypto ipsec security-association lifetime seconds seconds
(global)crypto ipsec security-association lifetime kilobytes kilobytes
(global)access-list access-list-number ....
or
(global)ip access-list extended name
The extended access list must define which IP traffic IPsec protects. The crypto map references this access list to determine which traffic to protect on the interface.
(1) Create a transform set
(global)crypto ipsec transform-set name [transform1 | transform2 | transform3]
Multiple transform sets can be defined in a crypto map. If IKE is not used, only one transform set can be defined. Up to three transforms can be selected per set.
(Optional) Choose an AH transform
--ah-md5-hmac
--ah-sha-hmac
--ah-rfc-1828
(Optional) Choose an ESP encryption transform
--esp-des
--esp-3des
--esp-rfc-1829
--esp-null
and one of these authentication methods
--esp-md5-hmac
--esp-sha-hmac
(Optional) Choose an IP compression transform
--comp-lzs
(crypto-transform)mode {tunnel | transport}
The crypto map ties together the crypto access list and specifies the remote peer, the local address, the transform set and the negotiation method.
--Create a crypto map (manual keying, no IKE)
(global)crypto map map-name sequence ipsec-manual
(crypto-map)match address access-list
(crypto-map)set peer {hostname | ip_addr}
(crypto-map)set transform-set name
The transform set must match the one used on the remote peer.
(crypto-map)set session-key inbound ah spi hex-key-data
(crypto-map)set session-key outbound ah spi hex-key-data
(crypto-map)set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
(crypto-map)set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]
--Create a crypto map (keys negotiated by IKE)
(global)crypto map map-name sequence ipsec-isakmp
(crypto-map)match address access-list
(crypto-map)set peer {hostname | ip_addr}
(crypto-map)set transform-set name
The transform set must match the one used on the remote peer.
(crypto-map)set security-association lifetime seconds seconds
(crypto-map)set security-association lifetime kilobytes kilobytes
(crypto-map)set security-association level per-host
(crypto-map)set pfs [group1 | group2]
--Create a dynamic crypto map
(global)crypto dynamic-map dyn-map-name dyn-seq-num
(crypto-map)match address access-list
(crypto-map)set peer {hostname | ip_addr}
(crypto-map)set transform-set transform-set-name
(crypto-map)set security-association lifetime seconds seconds
(crypto-map)set security-association lifetime kilobytes kilobytes
(crypto-map)set pfs [group1 | group2]
(global)crypto map map-name sequence ipsec-isakmp dynamic dyn-map-name [discover]
(global)crypto map map-name client configuration address [initiate | respond]
(global)crypto map map-name isakmp authorization list list-name
(interface)crypto map map-name
(global)crypto map map-name local-address interface-id
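The IKE-negotiated crypto map procedure above, tied together as one complete site-to-site configuration. This is an added example, not part of the original notes; the addresses (RFC 5737 documentation ranges), names and pre-shared key are constructed placeholders, and the IKE phase 1 policy commands are assumed from the IOS IKE command set because the notes above do not list them.

```cisco
! Added example (not from the original notes): site-to-site IPsec using an
! IKE-negotiated crypto map. Addresses are constructed (RFC 5737 ranges).
!
! IKE phase 1 policy and pre-shared key (assumed; not listed in the notes above)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.2
!
! Global SA lifetimes (a crypto map entry may override them)
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Extended access list defining the traffic IPsec must protect:
! local LAN 192.0.2.0/24 to remote LAN 203.0.113.0/24
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
!
! Transform set: ESP encryption plus ESP authentication, tunnel mode.
! 3DES and SHA-1 are the transforms the notes list; both are legacy today.
crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto map entry negotiated via IKE; settings must match the remote peer
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 198.51.100.2
 set transform-set VPN-TS
 set security-association lifetime seconds 1800
 set pfs group2
!
! Bind the crypto map to the outside interface and pin the local address
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-MAP
crypto map VPN-MAP local-address GigabitEthernet0/0
```

The peer needs the mirror-image configuration (swapped addresses and access list). After traffic matching VPN-TRAFFIC is sent, `show crypto isakmp sa` should show the phase 1 SA and `show crypto ipsec sa` the inbound and outbound ESP SAs with rising packet counters.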