Both sides are configured for IPsec with crypto maps; IP addressing and the routing prerequisites are omitted.

Phase 1 configuration

IOS Phase 1 Policy
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
ASA Phase 1 Policy
ASA-1(config)# crypto ikev1 enable OUT
ASA-1(config)# crypto ikev1 policy 1
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption aes-256
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 5
IOS PSK
R1(config)#crypto isakmp key CISCO address 1.1.1.2
ASA PSK
ASA-1(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA-1(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key CISCO
Phase 2 configuration

IOS Proxy-ID
R1(config)#ip access-list extended ACL_VPN
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
ASA Proxy-ID
ASA-1(config)# access-list ACL_VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
IOS Transform Set
R1(config)#crypto ipsec transform-set IPsec_TS esp-sha-hmac esp-aes 256
ASA Transform Set
ASA-1(config)# crypto ipsec ikev1 transform-set IPsec_TS esp-sha-hmac esp-aes-256
IOS Crypto Map
R1(config)#crypto map IOS_Crypto_Map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set IPsec_TS
R1(config-crypto-map)#match address ACL_VPN
R1(config)#int e0/0
R1(config-if)#crypto map IOS_Crypto_Map
ASA Crypto Map
ASA-1(config)# crypto map ASA_Crypto_Map 10 set peer 1.1.1.1
ASA-1(config)# crypto map ASA_Crypto_Map 10 set ikev1 transform-set IPsec_TS
ASA-1(config)# crypto map ASA_Crypto_Map 10 match address ACL_VPN
ASA-1(config)# crypto map ASA_Crypto_Map interface OUT
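The two sides above must agree on the Phase 1 policy, the pre-shared key, the transform set, and the crypto ACLs (the proxy IDs, which must be exact mirror images of each other even though IOS writes them with wildcard masks and the ASA with subnet masks). The following is an added example, not part of the original page or of any Cisco tool: a small Python consistency check that parses constructed copies of the IOS and ASA commands shown on this page with simple regex helpers (assumed and written for this example, not a real IOS/ASA parser) and reports the mismatches that most often stop Phase 1 or Phase 2 from coming up. It also goes one step beyond the page by checking a deliberately broken ASA ACL whose proxy ID is a /16 instead of the expected /24.

```python
"""Added example: consistency check for the IOS <-> ASA crypto-map tunnel.

The config strings are constructed from the commands on the page; the
parsing helpers are simple regex routines written for this example.
"""
import ipaddress
import re

# Constructed from the page's IOS commands.
IOS_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
crypto isakmp key CISCO address 1.1.1.2
ip access-list extended ACL_VPN
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto ipsec transform-set IPsec_TS esp-sha-hmac esp-aes 256
crypto map IOS_Crypto_Map 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set IPsec_TS
 match address ACL_VPN
"""

# Constructed from the page's ASA commands.
ASA_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key CISCO
access-list ACL_VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set IPsec_TS esp-sha-hmac esp-aes-256
crypto map ASA_Crypto_Map 10 set peer 1.1.1.1
crypto map ASA_Crypto_Map 10 set ikev1 transform-set IPsec_TS
crypto map ASA_Crypto_Map 10 match address ACL_VPN
"""

# Constructed failure case: the ASA proxy ID covers 172.16.0.0/16 instead of
# the /24 the router expects, a typical cause of a Phase 2 proposal failure.
BAD_ASA_CONFIG = ASA_CONFIG.replace("172.16.1.0 255.255.255.0", "172.16.0.0 255.255.0.0")


def ike_policy(config):
    """Phase 1 attributes as a dict; 'aes 256' (IOS) and 'aes-256' (ASA) both become 'aes-256'."""
    attrs = {}
    for line in config.splitlines():
        m = re.match(r"(authentication|encryption|hash|group)\s+(.+)", line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip().replace(" ", "-")
    return attrs


def transform_set(config):
    """(name, set of transforms) from the 'crypto ipsec [ikev1] transform-set' line."""
    m = re.search(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", config, re.M)
    # IOS writes the key length as a separate token ('esp-aes 256'); fold it in.
    transforms = re.sub(r"(esp-aes) (\d+)", r"\1-\2", m.group(2).strip())
    return m.group(1), frozenset(transforms.split())


def _wildcard_to_netmask(wildcard):
    """IOS ACL wildcard mask (0.0.0.255) -> subnet mask (255.255.255.0)."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def ios_proxy_ids(config):
    """(src, dst) network pairs from the IOS crypto ACL (wildcard-mask form)."""
    pairs = set()
    for m in re.finditer(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
        src = ipaddress.ip_network(f"{m.group(1)}/{_wildcard_to_netmask(m.group(2))}")
        dst = ipaddress.ip_network(f"{m.group(3)}/{_wildcard_to_netmask(m.group(4))}")
        pairs.add((src, dst))
    return pairs


def asa_proxy_ids(config):
    """(src, dst) network pairs from the ASA crypto ACL (subnet-mask form)."""
    pairs = set()
    for m in re.finditer(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
        pairs.add((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                   ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")))
    return pairs


def check_tunnel(ios_cfg, asa_cfg):
    """Return a list of mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    if ike_policy(ios_cfg) != ike_policy(asa_cfg):
        problems.append(f"phase 1 policy mismatch: {ike_policy(ios_cfg)} vs {ike_policy(asa_cfg)}")
    ios_psk = re.search(r"^crypto isakmp key (\S+) address (\S+)", ios_cfg, re.M)
    asa_psk = re.search(r"^\s*ikev1 pre-shared-key (\S+)", asa_cfg, re.M)
    if ios_psk.group(1) != asa_psk.group(1):
        problems.append("pre-shared key differs between the two peers")
    # The crypto-map peer must be the address the PSK / tunnel-group is bound to.
    ios_map_peer = re.search(r"^\s*set peer (\S+)", ios_cfg, re.M).group(1)
    if ios_map_peer != ios_psk.group(2):
        problems.append(f"IOS: crypto map peer {ios_map_peer} has no isakmp key")
    asa_tg = re.search(r"^tunnel-group (\S+) type ipsec-l2l", asa_cfg, re.M).group(1)
    asa_map_peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)", asa_cfg, re.M).group(1)
    if asa_map_peer != asa_tg:
        problems.append(f"ASA: crypto map peer {asa_map_peer} has no ipsec-l2l tunnel-group")
    if transform_set(ios_cfg)[1] != transform_set(asa_cfg)[1]:
        problems.append("phase 2 transform set mismatch")
    # Proxy IDs: the ASA's (src, dst) must be exactly the router's (dst, src).
    mirrored = {(dst, src) for src, dst in asa_proxy_ids(asa_cfg)}
    if ios_proxy_ids(ios_cfg) != mirrored:
        ios_ids = sorted(f"{s}->{d}" for s, d in ios_proxy_ids(ios_cfg))
        asa_ids = sorted(f"{s}->{d}" for s, d in asa_proxy_ids(asa_cfg))
        problems.append(f"proxy-ID mismatch: IOS {ios_ids} vs ASA {asa_ids}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("page config", ASA_CONFIG), ("bad ACL", BAD_ASA_CONFIG)):
        print(label, "->", check_tunnel(IOS_CONFIG, cfg) or "consistent")
```

Run as-is, the page's configuration comes back consistent and the constructed /16 ACL is reported as a proxy-ID mismatch. The check is intentionally strict about mirroring: on a crypto-map tunnel a proxy ID that merely overlaps the peer's (a wider or narrower subnet) is not accepted, so "close enough" ACLs are exactly what the comparison must refuse.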
Test

The first ICMP request times out while IKE is still negotiating the tunnel; the replies that follow show traffic passing through it.

VPCS> ping 172.16.1.2
172.16.1.2 icmp_seq=1 timeout
84 bytes from 172.16.1.2 icmp_seq=2 ttl=63 time=13.427 ms
84 bytes from 172.16.1.2 icmp_seq=3 ttl=63 time=4.285 ms
84 bytes from 172.16.1.2 icmp_seq=4 ttl=63 time=13.803 ms
84 bytes from 172.16.1.2 icmp_seq=5 ttl=63 time=6.772 ms

ASA-1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 1.1.1.1
Index        : 1                      IP Addr      : 1.1.1.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 168                    Bytes Rx     : 168
Login Time   : 13:31:40 UTC Wed Dec 4 2019
Duration     : 0h:00m:03s
ASA-1(config)#