Configuration - ISAKMP Policy ( Phase 1 )
en
conf t
crypto isakmp policy 10
# Encryption algorithm
encryption aes
# Hash algorithm
hash sha
# Authentication method
authentication pre-share
# Diffie-Hellman group
group 2
# Phase 1 SA lifetime in seconds; when it expires the SA is renegotiated
lifetime 86400
Configuration - Pre-shared Key
en
conf t
# Set the PSK; the peer's public IP is 2.2.2.2
crypto isakmp key cisco123 address 2.2.2.2
Configuration - Transform Set ( Phase 2 )
en
conf t
# TS is a label you can choose yourself; esp-aes: encryption; esp-sha-hmac: authentication
# (the name must match the one used later in "set transform-set", so no quotes)
crypto ipsec transform-set TS esp-aes esp-sha-hmac
Configuration - ACL ( Decide which network to be encrypted )
en
conf t
ip access-list extended 100
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Configuration - Crypto Map
# Create a crypto map (the name must match the one applied to the interface, so no quotes)
en
conf t
crypto map CMAP 10 ipsec-isakmp
# Specify the peer
set peer 2.2.2.2
# Set the transform set
set transform-set TS
# Set the ACL defining the networks to be encrypted
match address 100
Configuration - Apply to interfaces
en
conf t
interface GigabitEthernet0/0
crypto map CMAP
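The five configuration steps above only work when the names and addresses line up: the crypto map must reference a transform set and an ACL that exist, its peer must have a pre-shared key, and the map must be applied to an interface. The following Python lint is an added example (not part of the original notes): it parses the configuration from this page, reconstructed as a running-config sample, and checks those cross-references. The weak-algorithm table (MD5/SHA-1, DH groups 1/2/5, DES/3DES) reflects current guidance, and MIN_PSK_LEN is an assumed local policy threshold, not an IOS limit. Quoting a name, as in "TS", makes the quotes part of the name on IOS, and the lint reports the resulting dangling reference.

```python
import re

# Constructed sample: the site-to-site configuration from these notes as it
# would appear in "show running-config" (child lines indented by one space).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco123 address 2.2.2.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended 100
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address 100
interface GigabitEthernet0/0
 crypto map CMAP
"""

# Phase 1 settings that current guidance treats as weak: MD5/SHA-1 hashes,
# DH groups 1/2/5 (at most 1536-bit MODP) and DES/3DES encryption.
WEAK_ISAKMP = {
    "hash": {"md5", "sha"},
    "group": {"1", "2", "5"},
    "encryption": {"des", "3des"},
}
MIN_PSK_LEN = 20  # assumed local policy threshold, not an IOS limit


def parse_config(text):
    """Split an IOS config into {top-level command: [indented child lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def lint_vpn_config(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_config(text)
    findings = []
    psk_peers, transform_sets, acls, applied_maps = set(), set(), set(), set()

    # Pass 1: collect the objects a crypto map entry may reference.
    for line, children in blocks.items():
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            psk_peers.add(m.group(2))
            if len(m.group(1)) < MIN_PSK_LEN:  # report without echoing the key
                findings.append(f"pre-shared key for {m.group(2)} is shorter than {MIN_PSK_LEN} chars")
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", line):
            acls.add(m.group(1))
        elif line.startswith("interface "):
            applied_maps.update(c.split()[2] for c in children if c.startswith("crypto map "))

    # Pass 2: every crypto map entry must point at objects that exist.
    for line, children in blocks.items():
        if not (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)):
            continue
        name, tag = m.group(1), f"crypto map {m.group(1)} {m.group(2)}"
        refs = {"set peer": None, "set transform-set": None, "match address": None}
        for c in children:
            for key in refs:
                if c.startswith(key + " "):
                    refs[key] = c[len(key) + 1:].strip()
        peer, ts, acl = refs["set peer"], refs["set transform-set"], refs["match address"]
        if peer is None:
            findings.append(f"{tag}: missing 'set peer'")
        elif peer not in psk_peers:
            findings.append(f"{tag}: no pre-shared key configured for peer {peer}")
        if ts is None:
            findings.append(f"{tag}: missing 'set transform-set'")
        elif ts not in transform_sets:
            findings.append(f"{tag}: transform-set {ts} is not defined")
        if acl is None:
            findings.append(f"{tag}: missing 'match address'")
        elif acl not in acls:
            findings.append(f"{tag}: ACL {acl} is not defined")
        if name not in applied_maps:
            findings.append(f"{tag}: map {name} is not applied to any interface")

    # Pass 3: flag weak Phase 1 algorithm choices.
    for line, children in blocks.items():
        if line.startswith("crypto isakmp policy "):
            for c in children:
                parts = c.split()
                if len(parts) == 2 and parts[1] in WEAK_ISAKMP.get(parts[0], ()):
                    findings.append(f"{line}: '{c}' is considered weak")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's own settings the lint reports the short pre-shared key, "hash sha" and "group 2"; replacing those with a long random key, sha256 and group 14 yields an empty list.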
Check
# Phase 1
show crypto isakmp sa
# Phase 2
show crypto ipsec sa
# QM_IDLE = IKE Phase 1 is complete and Phase 2 (Quick Mode) is complete; the SA is in the idle (standby) state
# pkts encaps / decaps show the number of packets encrypted / decrypted
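For monitoring rather than a one-off look, the two show commands above can be parsed: Phase 1 is up when the peer's row reads QM_IDLE / ACTIVE, and the tunnel is actually carrying traffic when both the encaps and decaps counters advance between two samples. The script below is an added example (not from the original notes); the command outputs are constructed samples in the shape IOS prints, using the peer address 2.2.2.2 from this page. A counter that advances in only one direction is the classic sign of a mismatched crypto ACL on the other side, so the verdict distinguishes "healthy", "one-way", "idle" and "phase1-down".

```python
import re

# Constructed sample output in the shape IOS prints for "show crypto isakmp sa".
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
2.2.2.2         1.1.1.1         QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Two constructed samples of "show crypto ipsec sa", taken a few minutes apart.
IPSEC_SA_BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 1.1.1.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""
IPSEC_SA_AFTER = IPSEC_SA_BEFORE.replace("encaps: 120", "encaps: 150").replace("decaps: 118", "decaps: 149")

# One ISAKMP SA row: dst, src, state, conn-id, status.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")


def phase1_sas(output):
    """Parse the rows of 'show crypto isakmp sa' into dicts."""
    keys = ("dst", "src", "state", "conn_id", "status")
    return [dict(zip(keys, m.groups())) for line in output.splitlines() if (m := ROW.match(line))]


def phase1_up(output, peer):
    """True when an ISAKMP SA with the peer is in QM_IDLE and ACTIVE
    (Phase 1 finished; the SA is idle and ready for Quick Mode)."""
    return any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
               and peer in (sa["dst"], sa["src"]) for sa in phase1_sas(output))


def ipsec_counters(output):
    """Sum the '#pkts encaps' / '#pkts decaps' counters over all SAs listed."""
    return {k: sum(int(n) for n in re.findall(rf"#pkts {k}: (\d+)", output))
            for k in ("encaps", "decaps")}


def tunnel_health(isakmp_out, ipsec_before, ipsec_after, peer):
    """Combine both checks into one verdict. Counters advancing in only one
    direction usually mean the far side's crypto ACL does not mirror ours."""
    b, a = ipsec_counters(ipsec_before), ipsec_counters(ipsec_after)
    result = {
        "phase1_up": phase1_up(isakmp_out, peer),
        "encaps_delta": a["encaps"] - b["encaps"],
        "decaps_delta": a["decaps"] - b["decaps"],
    }
    if not result["phase1_up"]:
        result["verdict"] = "phase1-down"
    elif result["encaps_delta"] > 0 and result["decaps_delta"] > 0:
        result["verdict"] = "healthy"
    elif result["encaps_delta"] > 0 or result["decaps_delta"] > 0:
        result["verdict"] = "one-way"
    else:
        result["verdict"] = "idle"
    return result


if __name__ == "__main__":
    print(tunnel_health(ISAKMP_SA_OUTPUT, IPSEC_SA_BEFORE, IPSEC_SA_AFTER, "2.2.2.2"))
```

In practice the two ipsec samples come from the same command run some minutes apart (for example via SSH from a monitoring host); the counters are summed over every SA in the output so a crypto map with several entries is handled too.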