IKE is a hybrid protocol, and the complexity of that hybrid design inevitably introduces security and performance defects that make it the bottleneck of the whole IPsec implementation. For this reason the IETF kept soliciting amendments to the unreasonable parts of the existing version, published a succession of new IKE drafts, and on December 26, 2005 officially released the new IKE protocol standard, IKEv2.
Topology: (diagram not reproduced on this page; the two ASAs peer over their outside interfaces, 172.16.1.10 and 172.16.2.10)
Configuration:
------------------------------------------ASA1---------------------------------------------
```
ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list l2lacl extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
pager lines 24
mtu dmz 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 0.0.0.0 0.0.0.0 192.168.2.2 tunneled   // only takes effect for *** encrypted traffic
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.2.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap interface outside
crypto ikev2 policy 10
 encryption 3des
 integrity md5   // integrity algorithm
 group 2
 prf md5   // pseudo-random function
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key remote-cisco
 ikev2 local-authentication pre-shared-key local-cisco
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:ebcb48022e2990d03283cce1e4ed839a
: end
```
--------------------------------------ASA2-----------------------------------
```
ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.2.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.3.10 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list l2lacl extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu dmz 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
route inside 0.0.0.0 0.0.0.0 192.168.3.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.1.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap interface outside
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.10 type ipsec-l2l
tunnel-group 172.16.1.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key local-cisco
 ikev2 local-authentication pre-shared-key remote-cisco
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:17095fbc246cd193cd330640f2836130
: end
```
The remaining configuration is very simple and is not shown here.
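A consistency check over the two configurations above, written here as an added example (it is not part of the original post and not a Cisco tool): it parses the VPN-relevant lines of each ASA, verifies that the peer addresses, crypto ACLs and asymmetric pre-shared keys line up across the two boxes, and flags the DES/3DES, MD5 and DH group 2 choices, which are deprecated. The `FIELDS`/`WEAK` names, the one-command-per-line excerpt layout, and the wording of the findings are this example's own assumptions.

```python
# Added example, not from the post: cross-check the two ASA IKEv2 configs for consistency and weak algorithms.
import re

# Constructed excerpts of the two running-configs in the post, one command per line and
# VPN-relevant lines only (the sole "ip address" kept is the outside interface's).
ASA1 = """ip address 172.16.1.10 255.255.255.0
access-list l2lacl extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 set peer 172.16.2.10
 encryption 3des
 group 2
 prf md5
 ikev2 remote-authentication pre-shared-key remote-cisco
 ikev2 local-authentication pre-shared-key local-cisco"""
ASA2 = """ip address 172.16.2.10 255.255.255.0
access-list l2lacl extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 set peer 172.16.1.10
 encryption 3des
 group 2
 prf md5
 ikev2 remote-authentication pre-shared-key local-cisco
 ikev2 local-authentication pre-shared-key remote-cisco"""

WEAK = {"des", "3des", "md5", "2"}  # DES/3DES, MD5 and 1024-bit DH group 2 are deprecated
FIELDS = {  # one value per side, pulled out by regex
    "outside": r"^\s*ip address (\S+)",
    "peer": r"set peer (\S+)",
    "local_psk": r"local-authentication pre-shared-key (\S+)",
    "remote_psk": r"remote-authentication pre-shared-key (\S+)",
}

def parse(cfg):
    d = {k: re.search(p, cfg, re.M).group(1) for k, p in FIELDS.items()}
    d["acl"] = re.search(r"permit ip (\S+) \S+ (\S+) \S+", cfg).groups()  # (local net, remote net)
    d["algos"] = set(re.findall(r"^\s*(?:protocol esp )?(?:encryption|integrity|group|prf) (\S+)", cfg, re.M))
    return d

def check(cfg_a, cfg_b):  # returns findings; an empty list means a consistent pair with no weak algorithm
    a, b = parse(cfg_a), parse(cfg_b)
    findings = [msg for ok, msg in (
        (a["peer"] == b["outside"] and b["peer"] == a["outside"], "peers do not point at each other"),
        (a["acl"] == b["acl"][::-1], "crypto ACLs are not mirror images"),
        (a["local_psk"] == b["remote_psk"] and a["remote_psk"] == b["local_psk"], "PSKs not cross-matched"),
    ) if not ok]
    for side, d in (("ASA1", a), ("ASA2", b)):
        if d["algos"] & WEAK:
            findings.append(f"{side} uses weak algorithms: {', '.join(sorted(d['algos'] & WEAK))}")
    return findings
```

For the pair in the post, `check(ASA1, ASA2)` reports no mismatch but flags the weak algorithms on both sides; changing a key, a peer address or an ACL on one side only produces the corresponding finding.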
Reprinted from: http://ptzio.baihongyu.com/