
The difference between VLAN and VPN

Post 1
The difference between VLAN and VPN:

A VLAN cannot cross a router; it is generally configured on a Layer 2 device, the switch.

A VPN covers a relatively wider geographic range; it is divided at Layer 3 and can be configured on routers and firewalls alike.

Types of VPN: multi-label switching (MPLS), IPsec

What IPsec is; the IPsec security protocols; IKE

IPsec framework:

1. IPsec protocols:

AH (Authentication Header)

ESP (encrypts the header and the user data together); encapsulating a new IP header so the packet is delivered correctly is called tunnel mode

2. Encryption algorithms: DES, 3DES, AES, SEAL

3. Integrity (tamper-proofing): MD5, SHA

4. Identity authentication: pre-share, RSA signature

5. Keys used by the encryption algorithm to encrypt the transmission: DH1, DH2, DH5

IKE:

1. (1) IKE

(2) DH key

(3) Authentication

2.

VPN configuration on the firewall:

Five steps of IPsec:

(1) Interesting traffic

After creating the VPN tunnel, define which data goes through the VPN

(2) IKE PHASE 1

(3) IKE PHASE 2

(4) IPsec transform sets

Associates IP addresses, protocols, …

(5) SA lifetime

(6) Session

(7) Termination

How to configure a VPN on the firewall:

(1) Tunnel-group name type type (site-to-site)

Tunnel-group name

Isakmp (enables the IKE function)

Configure the pre-shared key

(2) Configure the interesting traffic

Access-list 101 permit source-ip mask destination-ip mask

Nat(inside): matching traffic is exempted from address translation

Crypto ipsec transform-set

Crypto map map-name policy match address 101

Crypto map map-name policy set peer ip-address

Crypto map map-name interface outside ; binds the map to the interface

View the configuration:

Show run

Show ipsec

Show run isakmp

Show run crypto map

Clear ipsec sa and ike sa: clear

One interface connects to the external network, one to the internal network.

2018-10-18 08:29:45
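The site-to-site procedure and the verification commands listed in the post, written out as an added example (not the post's own configuration) in the pre-8.3 Cisco ASA syntax that the post's isakmp, nat (inside) and crypto map commands belong to. The peer address 203.0.113.2, the LANs 192.168.1.0/24 and 192.168.2.0/24, the names OUTSIDE-MAP and ESP-AES256-SHA, and the pre-shared-key placeholder are all assumed values.

```cisco
! Added example (not the original post's config): ASA 7.2-8.2 site-to-site IPsec.
! Assumed values: outside peer 203.0.113.2, local LAN 192.168.1.0/24,
! remote LAN 192.168.2.0/24, map name OUTSIDE-MAP, transform set ESP-AES256-SHA.
!
! Step (1) of the post: enable IKE (ISAKMP) on the outside interface and define
! the IKE phase 1 policy. Pick the strongest options from the post's lists:
! AES over DES/3DES, SHA over MD5, DH group 5 over groups 1 and 2.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Site-to-site tunnel group (type ipsec-l2l) named after the peer address,
! carrying the pre-shared key. REPLACE-WITH-LONG-RANDOM-KEY is a placeholder.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
! Step (2) of the post: interesting traffic. Only LAN-to-LAN traffic matches,
! so nothing else is pulled into the tunnel.
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! NAT exemption: traffic matching ACL 101 is not translated, so the inner
! addresses stay intact inside ESP (pre-8.3 "nat 0" syntax).
nat (inside) 0 access-list 101
!
! Phase 2 transform set: ESP with AES-256 and SHA-1 HMAC. ESP gives both
! confidentiality and integrity; AH alone would give no encryption.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map entry 10 ties ACL, peer, transform set and SA lifetime together;
! the map does nothing until it is bound to the outside interface.
crypto map OUTSIDE-MAP 10 match address 101
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
!
! Verification (the post's "view the configuration" commands, in full form):
!   show running-config crypto map     - the map entries above
!   show running-config crypto isakmp  - the phase 1 policy
!   show crypto isakmp sa              - phase 1 SA state (MM_ACTIVE when up)
!   show crypto ipsec sa               - phase 2 SAs and encaps/decaps counters
! To force renegotiation: clear crypto isakmp sa / clear crypto ipsec sa
```

The same configuration on ASA 8.4 and later uses crypto ikev1 in place of crypto isakmp, ikev1 pre-shared-key under the tunnel group, and object-based NAT instead of nat (inside) 0.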