VPP系统 配置IPSec IKEv1

配置拓扑图

1、VPP1 IKEv1配置

1.1、配置接口

1、配置2/1/0口

set interface state GigabitEthernet2/1/0 up

set interface ip address GigabitEthernet2/1/0 10.66.0.1/24

set interface promiscuous on GigabitEthernet2/1/0

2、配置2/4/0口

set interface state GigabitEthernet2/4/0 up

set interface ip address GigabitEthernet2/4/0 10.0.0.1/24

set interface promiscuous on GigabitEthernet2/4/0

1.2、配置IPSec隧道

create ipsec tunnel local-ip 10.66.0.1 local-spi 1031 remote-ip 10.66.0.2 remote-spi 1030

1.3、配置本端加密算法和密钥

set interface ipsec key ipsec0 local crypto aes-cbc-128 123456

1.4、配置对端加密算法和密钥

set interface ipsec key ipsec0 remote crypto aes-cbc-128 123456

1.5、配置本端认证算法和密钥

set interface ipsec key ipsec0 local integ sha1-96 123456

1.6、配置对端认证算法和密钥

set interface ipsec key ipsec0 remote integ sha1-96 123456

1.7、启用IPSec接口

set int state ipsec0 up

1.8、添加IPSec路由

ip route add 11.0.0.0/24 via ipsec0

1.9、IPSec接口绑定到物理口

set interface unnumbered ipsec0 use GigabitEthernet2/1/0

2、VPP2 IKEv1配置

2.1、配置接口

1、配置2/2/0口

set int state GigabitEthernet2/2/0 up

set int ip address GigabitEthernet2/2/0 11.0.0.1/24

set int promiscuous on GigabitEthernet2/2/0

2、配置2/3/0口

set int state GigabitEthernet2/3/0 up

set int ip address GigabitEthernet2/3/0 10.66.0.2/24

set int promiscuous on GigabitEthernet2/3/0

2.2、配置IPSec隧道

create ipsec tunnel local-ip 10.66.0.2 local-spi 1030 remote-ip 10.66.0.1 remote-spi 1031

2.3、配置本端加密算法和密钥

set interface ipsec key ipsec0 local crypto aes-cbc-128 123456

2.4、配置对端加密算法和密钥

set interface ipsec key ipsec0 remote crypto aes-cbc-128 123456

2.5、配置本端认证算法和密钥

set interface ipsec key ipsec0 local integ sha1-96 123456

2.6、配置对端认证算法和密钥

set interface ipsec key ipsec0 remote integ sha1-96 123456

2.7、启用IPSec接口

set int state ipsec0 up

2.8、添加IPSec路由

ip route add 10.0.0.0/24 via ipsec0

2.9、IPSec接口绑定到物理口

set interface unnumbered ipsec0 use GigabitEthernet2/3/0