I. Overview:
Cisco routers ship with a large set of preconfigured IKEv2 defaults, so a working IKEv2 setup needs very little configuration.
II. Basic approach:
A. Both sides configure FlexVPN with a static VTI (SVTI)
B. No dynamic routing is used; static routes are configured instead. If one side uses a DVTI, static routes must be configured on both sides
III. Test topology:
IV. FlexVPN configuration:
A. R2:
crypto ikev2 keyring KeyRing
 peer 202.100.2.1
  address 202.100.2.1
  pre-shared-key cisco
crypto ikev2 profile default
 match identity remote address 202.100.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.2.1
 tunnel protection ipsec profile default
ip route 192.168.1.0 255.255.255.0 Tunnel0
B. R4:
crypto ikev2 keyring KeyRing
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key cisco
crypto ikev2 profile default
 match identity remote address 202.100.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
interface Tunnel0
 ip address 10.1.1.4 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile default
ip route 172.16.1.0 255.255.255.0 Tunnel0
V. FlexVPN defaults:
The test used the IOS image c7200-adventerprisek9-mz.152-4.S; the following output shows that the FlexVPN defaults are present out of the box:
R1#show running-config all | sec cry
no service password-encryption
crypto pki crl cache size 64
crypto engine software ipsec
crypto ikev2 authorization policy default
 route set interface
 route accept any
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 policy default
 match fvrf any
 proposal default
crypto ikev2 nat keepalive 0
crypto ikev2 diagnose error 50
crypto ikev2 dpd 0 0 periodic
crypto ikev2 limit max-in-negotation-sa 40
crypto ikev2 limit max-sa 0
crypto ikev2 window 5
crypto ikev2 fragmentation mtu 576
crypto isakmp aggressive-mode disable
crypto ipsec optional retry 300
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 64
crypto ipsec transform-set default esp-aes esp-sha-hmac
 mode transport
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile default
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 no set security-association idle-time
 no set security-association replay window-size
crypto call admission limit ike sa 0
crypto call admission limit ike in-negotiation-sa 1000
crypto call admission limit ipsec sa 0
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
R1#
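As an added example (this is not code from the original post), the following Python script parses IOS configs of the shape shown in sections IV and V and checks the two things those sections rely on: that the R2 and R4 SVTI configs really mirror each other (keyring peer, identity match and tunnel destination name one address, the tunnel addresses are two hosts on one subnet, and a static route points into the tunnel, since no dynamic routing is used), and what the stock defaults would accept from a peer. The embedded configs are constructed copies of the R2/R4 configs and of the relevant default lines above; the weak-algorithm list and the pre-shared-key length threshold are assumptions reflecting current guidance, not anything the post states.

```python
import ipaddress
# Constructed sample input: the stock crypto defaults (from the
# `show running-config all | sec cry` output above) that this audit looks at.
DEFAULT_CRYPTO = """\
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 dpd 0 0 periodic
"""
# Constructed sample input: R2's SVTI config as posted; R4 is its mirror image.
R2 = """\
crypto ikev2 keyring KeyRing
 peer 202.100.2.1
  address 202.100.2.1
  pre-shared-key cisco
crypto ikev2 profile default
 match identity remote address 202.100.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KeyRing
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.2.1
 tunnel protection ipsec profile default
ip route 192.168.1.0 255.255.255.0 Tunnel0
"""
R4 = (R2.replace("202.100.2.1", "202.100.1.1").replace("10.1.1.2 ", "10.1.1.4 ")
        .replace("192.168.1.0", "172.16.1.0"))

WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP 768/1024/1536; assumed policy: group 14+ or ECP only
MIN_PSK_LEN = 16                  # assumed local policy threshold, not from the post

def parse_ios(text):
    """Group an IOS config by top-level command; nested lines are flattened in order."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # IOS marks sub-commands by indentation
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_defaults(text):
    """Findings against the default IKEv2 proposal, DPD setting and keyring PSKs."""
    blocks, findings = parse_ios(text), []
    for sub in blocks.get("crypto ikev2 proposal default", []):
        kw, *args = sub.split()
        if kw == "integrity" and (weak := [a for a in args if a in WEAK_INTEGRITY]):
            findings.append("proposal offers weak integrity: " + " ".join(weak))
        if kw == "group" and (weak := [a for a in args if a in WEAK_DH_GROUPS]):
            findings.append("proposal offers weak DH groups: " + " ".join(weak))
    for top, subs in blocks.items():
        if top.startswith("crypto ikev2 dpd 0"):
            findings.append("IKEv2 DPD disabled (interval 0): dead peers are never detected")
        if top.startswith("crypto ikev2 keyring"):
            for s in subs:
                if s.startswith("pre-shared-key") and len(s.split()[-1]) < MIN_PSK_LEN:
                    findings.append("short pre-shared key in " + top)
    return findings

def peer_refs(text):
    """Addresses an SVTI config uses to name its peer, its tunnel address, and its tunnel routes."""
    blocks = parse_ios(text)
    refs = {"peer": set(), "tunnel_ip": None, "routes": []}
    for top, subs in blocks.items():
        words = top.split()
        if top.startswith("crypto ikev2 keyring"):
            refs["peer"].update(s.split()[1] for s in subs if s.startswith("address "))
        elif top.startswith("crypto ikev2 profile"):
            refs["peer"].update(s.split()[4] for s in subs
                                if s.startswith("match identity remote address "))
        elif top.startswith("interface Tunnel"):
            for s in subs:
                if s.startswith("ip address "):
                    refs["tunnel_ip"] = ipaddress.ip_interface(f"{s.split()[2]}/{s.split()[3]}")
                elif s.startswith("tunnel destination "):
                    refs["peer"].add(s.split()[2])
        elif words[:2] == ["ip", "route"] and words[-1].startswith("Tunnel"):
            refs["routes"].append(ipaddress.ip_network(f"{words[2]}/{words[3]}"))
    return refs

def check_pair(cfg_a, cfg_b):
    """Problems that would stop two SVTI configs from forming one usable tunnel."""
    a, b = peer_refs(cfg_a), peer_refs(cfg_b)
    problems = []
    for name, r in (("A", a), ("B", b)):
        if len(r["peer"]) != 1:   # keyring, identity match and tunnel destination must agree
            problems.append(f"{name}: peer references disagree: {sorted(r['peer'])}")
        if not r["routes"]:       # no dynamic routing here, so a static route is mandatory
            problems.append(f"{name}: no static route via the tunnel")
    ta, tb = a["tunnel_ip"], b["tunnel_ip"]
    if not (ta and tb) or ta.network != tb.network or ta.ip == tb.ip:
        problems.append("tunnel addresses are not two distinct hosts on one subnet")
    return problems
```

Running `audit_defaults(DEFAULT_CRYPTO)` reports the sha1/md5 integrity options, DH groups 5 and 2, and the disabled DPD; `audit_defaults(R2)` flags the five-character pre-shared key; `check_pair(R2, R4)` returns an empty list for the configs above and a "peer references disagree" entry as soon as one of the three peer references on either side is changed. The point of the proposal findings is that an IKEv2 responder picks from whatever both sides list, so with the stock `proposal default` a peer that only offers sha1 and group 2 still succeeds; if that is not acceptable, define an explicit proposal and policy rather than relying on the defaults.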