Network Defense: VPN

[Image 1]

Configure IKE

Phase 1

[r1]ike proposal 1
[r1-ike-proposal-1]encryption-algorithm aes-cbc-128  
[r1-ike-proposal-1]authentication-algorithm sha1 

[r1-ike-proposal-1]dh group2

[r1-ike-proposal-1]authentication-method pre-share
[r1]ike peer aaa v1
[r1-ike-peer-aaa]pre-shared-key cipher key123    password stored as ciphertext
[r1-ike-peer-aaa]exchange-mode main              select main mode
[r1-ike-peer-aaa]remote-address 200.1.1.1        peer address (r3 g0/0/0)
[r1-ike-peer-aaa]ike-proposal 1 

Phase 2

[r1]ipsec proposal bbb  
[r1-ipsec-proposal-bbb]encapsulation-mode ?
  transport  Only the payload of IP packet is protected(transport mode)
  tunnel     The entire IP packet is protected(tunnel mode)
[r1-ipsec-proposal-bbb]encapsulation-mode tunnel
[r1-ipsec-proposal-bbb]esp encryption-algorithm aes-128
[r1-ipsec-proposal-bbb]esp authentication-algorithm sha1

ACL

[r1]acl 3000
[r1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[r1]ipsec policy ccc 1 isakmp 
[r1-ipsec-policy-isakmp-ccc-1]proposal bbb

[r1-ipsec-policy-isakmp-ccc-1]ike-peer aaa

[r1-ipsec-policy-isakmp-ccc-1]security acl 3000

[r1-ipsec-policy-isakmp-ccc-1]pfs dh-group2  

Apply the policy to the interface

[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy aaa 
Error:This ipsec policy does not exist.
[r1-GigabitEthernet0/0/0]ipsec policy bbb
Error:This ipsec policy does not exist.
[r1-GigabitEthernet0/0/0]ipsec policy ccc

Of course, if the configuration is wrong, delete policy ccc 1:

[r1]undo ipsec policy ccc 1 
Info:All IPSec configurations with this policy are deleted.

R3 must be configured in the same way.
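
A check for the two problems visible in the r1 session above: the interface binding that fails because aaa and bbb are not IPsec policy names, and the legacy settings (sha1, DH group2, IKEv1). This is an added Python example, not part of the original post; the function name audit, the rule lists and the "legacy" labels are this example's own choices, and it assumes the pasted session has the trailing annotations removed.

```python
import re

# Constructed sample: r1's commands from the session above, ending with a failed binding.
SAMPLE = """\
[r1]ike proposal 1
[r1-ike-proposal-1]encryption-algorithm aes-cbc-128
[r1-ike-proposal-1]authentication-algorithm sha1
[r1-ike-proposal-1]dh group2
[r1]ike peer aaa v1
[r1-ike-peer-aaa]ike-proposal 1
[r1]ipsec proposal bbb
[r1-ipsec-proposal-bbb]esp authentication-algorithm sha1
[r1]acl 3000
[r1]ipsec policy ccc 1 isakmp
[r1-ipsec-policy-isakmp-ccc-1]proposal bbb
[r1-ipsec-policy-isakmp-ccc-1]ike-peer aaa
[r1-ipsec-policy-isakmp-ccc-1]security acl 3000
[r1-ipsec-policy-isakmp-ccc-1]pfs dh-group2
[r1]interface g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy bbb
"""

# Treated as legacy by this example's own policy (not a Huawei-published list).
LEGACY = [(r"authentication-algorithm (md5|sha1)$", "legacy hash"),
          (r"(dh |pfs dh-)group(1|2|5)$", "legacy DH group"),
          (r"^ike peer \S+ v1$", "IKEv1 peer")]
# (command that defines a name, command that references it, kind of object)
REFS = [(r"^ike proposal (\S+)", r"^ike-proposal (\S+)", "IKE proposal"),
        (r"^ike peer (\S+)", r"^ike-peer (\S+)", "IKE peer"),
        (r"^ipsec proposal (\S+)", r"^proposal (\S+)", "IPsec proposal"),
        (r"^acl (\d+)", r"^security acl (\d+)", "ACL")]

def audit(text):
    """Return sorted (line_no, message) findings for a pasted VRP session."""
    cmds = [(n, re.sub(r"^\[[^\]]*\]", "", l).strip())
            for n, l in enumerate(text.splitlines(), 1) if l.startswith("[")]
    out = [(n, f"{msg}: {c}") for n, c in cmds
           for pat, msg in LEGACY if re.search(pat, c)]
    for define, use, kind in REFS:
        known = {m.group(1) for _, c in cmds if (m := re.match(define, c))}
        out += [(n, f"unknown {kind} '{m.group(1)}'") for n, c in cmds
                if (m := re.match(use, c)) and m.group(1) not in known]
    # An interface can only bind a name created with 'ipsec policy NAME SEQ ...'.
    policies = {m.group(1) for _, c in cmds
                if (m := re.match(r"^ipsec policy (\S+) \d+", c))}
    out += [(n, f"unknown IPsec policy '{m.group(1)}'") for n, c in cmds
            if (m := re.match(r"^ipsec policy (\S+)$", c)) and m.group(1) not in policies]
    return sorted(out)
```

Running audit(SAMPLE) reports the sha1, group2 and IKEv1 lines and flags the last line, because bbb is an IPsec proposal and only ccc was created as a policy.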

Test:

[Image 2]

 
