Rootop: Server Operations and Web Architecture

Configuring a VPN on a Cisco 3640


Router VPN

r1(config)#crypto isakmp policy 1

(Defines the IPsec policy framework: ISAKMP policy number 1)

r1(config-isakmp)#encryption 3des

(Encryption algorithm is 3DES)

r1(config-isakmp)#hash sha

(Hash function is SHA)

r1(config-isakmp)#group 2

(Diffie-Hellman key length: group 1 is 768 bits, group 2 is 1024 bits)

r1(config-isakmp)#lifetime 28800

(Lifetime, i.e. how long the key remains valid, in seconds)

r1(config-isakmp)#authentication pre-share

(Authentication method is a pre-shared key, the string both ends of the VPN use to authenticate each other)

r1(config-isakmp)#exit

r1(config)#crypto isakmp identity address

r1(config)#crypto isakmp key huayu address 218.56.57.59

(Specifies the peer's IP address and the pre-shared key value)

r1(config)#crypto ipsec transform-set huayuipsec esp-3des esp-md5-hmac

(Defines the IPsec transform set, named huayuipsec)

r1(cfg-crypto-trans)#exit

Configure the interesting traffic

r1(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Configure the crypto map

r1(config)#crypto map huayumap 10 ipsec-isakmp

(Defines the crypto map with priority 10; the priority matches on both ends of the VPN)

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

r1(config-crypto-map)#set peer 218.56.57.59

(Sets the peer address)

r1(config-crypto-map)#set transform-set huayuipsec

(References the transform set defined above)

r1(config-crypto-map)#match address 101

(Matches the interesting traffic)

r1(config-crypto-map)#exit

Apply to the interface

r1(config)#interface e0/0

r1(config-if)#crypto map huayumap

r1(config-if)#end

*Mar  1 00:29:32.051: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

show crypto ipsec sa
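The parameters chosen in this walkthrough (3DES, MD5-HMAC, DH group 2, a five-character pre-shared key) can be checked mechanically before such a configuration is deployed. The Python script below is an added example, not part of the original article or of any Cisco tool; its rule list, the `audit` function name and the 20-character key threshold are assumptions of the example.

```python
import re

# Constructed input: commands copied from the walkthrough, prompts included.
TRANSCRIPT = """\
r1(config)#crypto isakmp policy 1
r1(config-isakmp)#encryption 3des
r1(config-isakmp)#hash sha
r1(config-isakmp)#group 2
r1(config-isakmp)#lifetime 28800
r1(config-isakmp)#authentication pre-share
r1(config)#crypto isakmp key huayu address 218.56.57.59
r1(config)#crypto ipsec transform-set huayuipsec esp-3des esp-md5-hmac
"""

PROMPT = re.compile(r"^[\w.-]+\([\w-]+\)#\s*")  # e.g. "r1(config-isakmp)#"
MIN_PSK_LEN = 20  # assumption: this example's policy threshold, not a Cisco default

# Assumption: this rule list is the example's own policy, not a Cisco feature.
RULES = [
    (r"encryption (des|3des)", "IKE cipher {}: 64-bit block cipher, prefer AES"),
    (r"hash (md5)", "IKE hash {}: deprecated, prefer SHA"),
    (r"group ([12])", "DH group {}: modulus of 1024 bits or less"),
]
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
PSK = re.compile(r"crypto isakmp key (?:0 )?(\S+) address (\S+)")

def audit(transcript):
    """Return findings for weak IKE/IPsec settings, in transcript order."""
    findings = []
    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        for pattern, message in RULES:
            m = re.fullmatch(pattern, cmd)  # fullmatch: "group 14" must not hit
            if m:
                findings.append(message.format(m.group(1)))
        if cmd.startswith("crypto ipsec transform-set "):
            for token in cmd.split()[4:]:  # tokens after the set name
                if token in WEAK_TRANSFORMS:
                    findings.append(f"transform {token}: deprecated algorithm")
        m = PSK.fullmatch(cmd)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            # Report the length only; never echo the key into a report.
            findings.append(f"pre-shared key for {m.group(2)}: "
                            f"{len(m.group(1))} characters, below {MIN_PSK_LEN}")
    return findings

if __name__ == "__main__":
    for finding in audit(TRANSCRIPT):
        print(finding)
```

Run against the transcript above it reports five findings; whether stronger replacements are available depends on the IOS image on the router.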

Original article; please credit the source when reposting. Permalink: https://www.rootop.org/pages/118.html

Author: Venus
