4-VPN: L2L VPN Features

1. Lab topology:
2. Lab requirements:
Reuse the topology from the previous lab.
3. Command deployment:
R1(config)#crypto isakmp policy 100
R1(config-isakmp)#authentication pre-share

R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 202.100.2.3 key cisco

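R1(config)#crypto isakmp profile aa //the isakmp profile references the keyring ("profile" here means a configuration profile)
R1(conf-isa-prof)#match identity address 202.100.2.3 //peers are selected with match identity
R1(conf-isa-prof)#keyring abc //any peer with IP address 202.100.2.3 is authenticated with this key, and then the VPN is established
Summary: the isakmp profile is an extra layer that replaces R1(config)#crypto isakmp key 0 cisco address 202.100.2.3
The transform set and the rest are configured as before:
R1(config)#crypto ipsec transform-set cisco esp-aes esp-md5-hmac //tunnel mode is the default, so it is not set explicitly below
Configure the map: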
R1(config)#crypto map ccie 10 ipsec-isakmp
R1(config-crypto-map)#set transform-set cisco
R1(config-crypto-map)#set isakmp-profile aa
R1(config-crypto-map)#set peer 202.100.2.3
R1(config-crypto-map)#set peer 202.100.2.4 //if there are multiple peers, more can be added; 2.3, 2.4 and 2.5 may use different authentication, because multiple keyrings can be configured above.
R1(config-crypto-map)#set peer 202.100.2.5
R1(config-crypto-map)#match address ***
Verification:
R1#show run | s crypto
crypto keyring abc
 pre-shared-key address 202.100.2.3 key cisco
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cisco address 202.100.2.3
crypto isakmp profile aa
 keyring abc
 match identity address 202.100.2.3 255.255.255.255
crypto ipsec transform-set cisco esp-aes esp-md5-hmac
crypto map aa 10 ipsec-isakmp
 set peer 202.100.2.3
 set transform-set cisco
 set pfs group1
 match address ***
crypto map ccie 10 ipsec-isakmp
 set peer 202.100.2.3
 set peer 202.100.2.4
 set peer 202.100.2.5
 set transform-set cisco
 set isakmp-profile aa
 match address ***
crypto map aa
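Conclusion: multiple keyrings can be configured, and multiple keyrings can then be referenced in the isakmp profile; I feel what the instructor said is not right.
The instructor does not recommend this approach; he thinks writing the original multiple lines is better.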
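
Added example (not part of the original post): a Python check over "show run | s crypto" output that lists crypto map peers, given as IPv4 addresses, for which no pre-shared key can be found. It assumes, as a simplification, that a map entry bound to an isakmp profile takes keys only from that profile's keyring and that an entry without a profile uses the global "crypto isakmp key" lines; the function names and the sample text are constructed here.

```python
import ipaddress
import re
# Constructed sample: the key-related lines of this page's "show run | s crypto".
SAMPLE = """\
crypto keyring abc
 pre-shared-key address 202.100.2.3 key cisco
crypto isakmp key cisco address 202.100.2.3
crypto isakmp profile aa
 keyring abc
crypto map aa 10 ipsec-isakmp
 set peer 202.100.2.3
crypto map ccie 10 ipsec-isakmp
 set peer 202.100.2.3
 set peer 202.100.2.4
 set peer 202.100.2.5
 set isakmp-profile aa
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)

def peers_without_key(config):
    """Return sorted (map, seq, peer) tuples for peers with no matching key."""
    rings, profiles, maps, global_keys, ctx = {}, {}, {}, [], None
    new = lambda: {"nets": [], "keyring": None, "peers": [], "profile": None}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"crypto keyring (\S+)", line):
            ctx = rings.setdefault(m[1], new())
        elif m := re.fullmatch(r"crypto isakmp profile (\S+)", line):
            ctx = profiles.setdefault(m[1], new())
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = maps.setdefault((m[1], int(m[2])), new())
        elif line.startswith("crypto "):
            ctx = None  # one-line or unrelated crypto command
            if m := re.fullmatch(r"crypto isakmp key (?:[06] )?\S+ address (\S+)(?: (\S+))?", line):
                global_keys.append(_net(m[1], m[2]))
        elif ctx and (m := re.fullmatch(r"pre-shared-key address (\S+)(?: (\S+))? key .+", line)):
            ctx["nets"].append(_net(m[1], m[2]))  # no mask means a host entry
        elif ctx and (m := re.fullmatch(r"(keyring|set peer|set isakmp-profile) (\S+)", line)):
            key = {"keyring": "keyring", "set peer": "peers", "set isakmp-profile": "profile"}[m[1]]
            ctx[key] = ctx[key] + [m[2]] if key == "peers" else m[2]
    missing = []
    for (name, seq), entry in maps.items():
        # Assumption: profile-bound entries use only the profile's keyring, others the global keys.
        ring = profiles.get(entry["profile"], new())["keyring"]
        nets = rings.get(ring, new())["nets"] if entry["profile"] else global_keys
        for peer in entry["peers"]:
            if not any(ipaddress.ip_address(peer) in n for n in nets):
                missing.append((name, seq, peer))
    return sorted(missing)
```

On this page's configuration it reports 202.100.2.4 and 202.100.2.5 under map ccie, because keyring abc holds a key only for 202.100.2.3.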


Reposted from blog.51cto.com/13856092/2138536