Original article: https://blog.csdn.net/u010827484/article/details/79390166
1. Configure the network interface address:
cli:
set int state GigabitEthernet2/6/0 up
set int ip address GigabitEthernet2/6/0 192.168.10.10/24
2. Create the IKEv2 profile
cli:
ikev2 profile add pr1 // create an IKEv2 profile named pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123 // set the authentication method (pre-shared key)
ikev2 profile set pr1 id local fqdn vpp1.home // set the local ID
ikev2 profile set pr1 id remote fqdn vpp2.home // set the remote ID
ikev2 profile set pr1 responder GigabitEthernet2/6/0 192.168.10.20 // set the peer IP address and the local interface used for the negotiation
3. Set the IKE cipher suite and the ESP cipher suite
The cipher suites only need to be added on the side that initiates the key negotiation.
cli:
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
[Table: IPsec/IKE cipher suite reference, not included in this copy]
[Table: VPP IKEv2 IPsec authentication (integrity) algorithms, not included in this copy]
[Table: VPP IKEv2 IPsec key exchange (DH group) algorithms, not included in this copy]
4. Set the IPsec local LAN address range and the remote LAN address range (traffic selectors)
cli:
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
5. Initiate the IPsec negotiation
cli:
ikev2 initiate sa-init pr1 // specify the IKEv2 profile whose SA should be negotiated
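The five steps above only show the initiator (vpp1.home). The responder (vpp2.home) is the mirror image: the same profile name, pre-shared key and algorithms, with the local/remote IDs and traffic selectors swapped, and without the `responder` and `ikev2 initiate` lines. The shell function below is an added example, not code from the original post or from the VPP project: it generates the VPP CLI script for either side from the addresses used in the post, so both configurations come from one source and cannot drift apart. The file path and the `vppctl exec` usage are assumptions. Note that the post's `sha1-96` integrity algorithm and `modp-1024` DH group are considered weak today; the algorithm lines are kept as the post gives them and can be overridden through the `IKE_ALGS`/`ESP_ALGS` variables (for example with `modp-2048`, where the running VPP version supports it).

```shell
#!/bin/sh
# Added example (not from the original post): emit the VPP CLI script for one
# side of the IKEv2 tunnel described above. Run the output with
#   vppctl exec /path/to/generated.cli     # assumed path, VPP must be running
#
# Arguments:
#   $1 role (initiator|responder)   $2 interface   $3 local WAN IP   $4 peer WAN IP
#   $5 local ID   $6 remote ID   $7 $8 local LAN range   $9 $10 remote LAN range
gen_ikev2_cli() {
  role=$1; intf=$2; lip=$3; pip=$4; lid=$5; rid=$6
  lstart=$7; lend=$8; rstart=$9; rend=${10}
  psk=${IKEV2_PSK:-Vpp123}   # pre-shared key from the post; override via environment
  # Algorithm lines default to the post's values; override to use stronger ones.
  ike_algs=${IKE_ALGS:-"ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024"}
  esp_algs=${ESP_ALGS:-"esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024"}

  # Steps 1-4 are identical on both sides (with local/remote swapped by the caller).
  cat <<EOF
set int state $intf up
set int ip address $intf $lip/24
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string $psk
ikev2 profile set pr1 id local fqdn $lid
ikev2 profile set pr1 id remote fqdn $rid
ikev2 profile set pr1 $ike_algs
ikev2 profile set pr1 $esp_algs
ikev2 profile set pr1 traffic-selector local ip-range $lstart - $lend port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range $rstart - $rend port-range 0 - 65535 protocol 0
EOF

  # Step 5 applies only to the initiator: name the peer and start the SA_INIT exchange.
  if [ "$role" = initiator ]; then
    echo "ikev2 profile set pr1 responder $intf $pip"
    echo "ikev2 initiate sa-init pr1"
  fi
}

# Example invocations using the addresses from the post (vpp1.home initiates).
# gen_ikev2_cli initiator GigabitEthernet2/6/0 192.168.10.10 192.168.10.20 \
#   vpp1.home vpp2.home 192.168.124.0 192.168.124.255 192.168.125.0 192.168.125.255 > vpp1.cli
# gen_ikev2_cli responder GigabitEthernet2/6/0 192.168.10.20 192.168.10.10 \
#   vpp2.home vpp1.home 192.168.125.0 192.168.125.255 192.168.124.0 192.168.124.255 > vpp2.cli
```

Apply the responder script on vpp2.home before running the initiator script on vpp1.home, otherwise the first IKE_SA_INIT request arrives before a matching profile exists.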
IPsec negotiation:
[Initiator log: not included in this copy]
[Responder log: not included in this copy]