三星网络: 三星ubigate系列简单vpn配置实例讲解！(2)_港湾网络科技 - HAR.BING

配置crypto ike策略密钥
ibg01/configure/crypto/ike/policy pol1 160.0.1.2# key samsung123

查看ike信息
ibg01/configure/crypto/ike/policy pol1 160.0.1.2# show crypto ike policy pol1 detail

   policy name pol1, local addr 160.0.1.1, peer addr 160.0.1.2
   main mode, initiator and responder, pfs is not enabled, shared key is *****
   local ident 160.0.1.1 (ip-address), remote ident 160.0.1.2 (ip-address)
   ngm attributes not configured
   ocsp is not enabled
   proposal of priority 1
   encryption algorithm: des
   hash algorithm: sha1
   authentication mode: pre-shared-key
   dh group: group1
   lifetime in seconds: 86400
   lifetime in kilobytes: unlimited

   配置crypto ipsec策略
   ibg01/configure# crypto
   ibg01/configure/crypto# ipsec policy pol1 160.0.1.2
   ibg01/configure/crypto/ipsec/policy pol1 160.0.1.2# match address 170.0.1.0/24 170.0.5.0/24
   ibg01/configure/crypto/ipsec/policy pol1 160.0.1.2# proposal 1

查看ipsec策略
ibg01/configure/crypto/ipsec/policy pol1 160.0.1.2# show crypto ipsec policy pol1

   policy     peer        match                 proto transform
   ------      ----          -----                   ----- ---------
   pol1    160.0.1.2     s 170.0.1.0/24/any      any p1 esp-3des-sha1-tunl
   d 170.0.5.0/24/any

   总公司端设备作同样的配置如下：
   ibg01/configure# interface ethernet 0/2
   ibg01/configure/interface/ethernet (0/2)#
   ibg01/configure/interface/ethernet (0/2)# ip address 160.0.1.2/24
   ibg01/configure/interface/ethernet (0/2)#exit
   ibg01/configure# interface ethernet 2/0
   ibg01/configure/interface/ethernet (2/0)#
   ibg01/configure/interface/ethernet (2/0)# ip address 170.0.5.1/24
   ibg01/configure/interface/ethernet (2/0)# exit
   ibg02/configure# firewall internet
   ibg02/configure/firewall internet# interface ethernet0/2
   ibg02/configure/firewall internet# policy 1022 in self
   ibg02/configure/firewall internet/policy 100 in# exit
   ibg02/configure/firewall internet#exit
   ibg02/configure# firewall corp
   ibg02/configure/firewall corp# interface ethernet2/0
   ibg02/configure/firewall corp# policy 1021 in
   ibg02/configure/firewall corp/policy 1021 in# exit 3
   ibg02/configure/firewall corp#exit
   ibg02/configure# crypto
   ibg02/configure/crypto#
   ibg02/configure/crypto# ike policy pol1 160.0.1.1
   ibg02/configure/crypto/ike/policy pol1 160.0.1.1# local-address 160.0.1.2
   ibg02/configure/crypto/ike/policy pol1 160.0.1.1# key samsung123
   ibg02/configure/crypto/ike/policy pol1 160.0.1.1#exit
   ibg02/configure# crypto
   ibg02/configure/crypto# ipsec policy pol1 160.0.1.1
   ibg02/configure/crypto/ipsec/policy pol1 160.0.1.1# match address 170.0.5.0/24 170.0.1.0/24
   ibg01/configure/crypto/ipsec/policy pol1 160.0.1.1# proposal 1

   检查ipsec vpn的详细情况
   show crypto ike policy poll detail
   show crypto ipsec policy poll
   debug crypto all

debug crypto 所有信息
ibg02# debug crypto all

（新闻稿 2008－04－03）

(责任编辑：admin)