來這邊工作2個月。一直沒有什麼大的case做,每天基本都是不知道在做什麼,終於有一個Case,就是和mexico對接×××.
這兩個月也看了不少的×××方面的書籍,一直等待實踐的機會。機會來了。我就小心翼翼完成這case。
這篇文章只是心裏總結。
我配置的時候也是分兩個階段配置的,根據×××對接表來操作的,設備是HUAWEI EUDEMON 1000.
有的是默認的配置,用display curr 命令看不到你配置過的命令。
1 配置IKE,其中要配置Ike proposal 和ike peer.
1.1 配置 ike proposal(各種加密算法,驗證算法都是在這個裏面)
ike proposal 6
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
1.2 配置ike peer
ike peer mexico_morales
pre-shared-key 123456!AaFW
ike-proposal 6
remote-address *.*.*.*
2 配置ipse,其中要配置ipsec proposal ,ACL和ipsec policy
2.1 配置 ipsec proposal(各種加密算法,驗證算法都是在這個裏面)
ipsec proposal 6
esp authentication-algorithm sha1
esp encryption-algorithm 3des
2.2 配置ACL(雙方的ACL要相互對稱)
acl number 3600
rule 15 permit ip source *.*.*.* 0 destination *.*.*.* 0
2.3配置ipsec policy (配置這個之前要斷了出口×××組)
ipsec policy 1 60 isakmp
security acl 3600
pfs dh-group2
ike-peer mexico_morales
proposal 6
local-address *.*.*.*
sa duration time-based 3600
| ××× Configuration |
| Phase 1 |
| Authentication Method |
|
Pre-Shared Key |
| Encryption Scheme |
|
IKE |
| Diffie-Hellman Group |
|
|
| Encryption Algorithm |
|
|
| Hashing Algorithm |
|
|
| Main or Aggressive Mode |
|
Main |
| Lifetime (for renegotiation) |
|
86400 |
| Pre-Shared Key |
|
| Phase 2 |
| Encapsulation (ESP or AH) |
|
ESP |
| Encryption Algorithm |
|
|
| Authentication Algorithm |
|
|
| Perfect Forward Secrecy |
|
|
| Lifetime (for renegotiation) |
|
3600 |
| Lifesize in KB (for renegotiation) |
|
|
| Tunnel Configuration |
| Local IP address |
|
|
| Peer IP address |
|
|
| Expire Date(at most 1 year) |
|
這篇文章,等我忘記的時候,我在做這種case的時候對我要幫組。希望對正在對接IPSEC ×××的同行有幫組。
