通信人家园

Title: Interconnecting an IPSEC V*N with Cisco

Time: 2020-4-29 22:01
Author: michealtl     Title: Interconnecting an IPSEC V*N with Cisco

The Hillstone firewall configuration and the H3C configuration are as follows (only the V*N parts are listed):
(1) Our side's V*N configuration:
isakmp peer "sichuan"
  mode aggressive
  isakmp-proposal "psk-md5-3des-g2"
  pre-share "5A7yXUMHL0KqdkC8zomvnVAfl4YBQk"
  peer 119.6.56.139
  local-id fqdn "hillstone"
  nat-traversal
  accept-all-peer-id
  dpd interval 10 retry 3
  interface ethernet0/0
tunnel ipsec "tunnel-sichuan" auto
  isakmp-peer "sichuan"
  ipsec-proposal "esp-md5-3des-g2"
  id local 10.1.193.0/24 remote 192.168.0.0/21 service "Any"
  auto-connect
  accept-all-proxy-id
  split-tunnel-route 192.168.0.0/21
interface tunnel2
  zone "untrust"
  ip address 2.2.2.2 255.255.255.0
  manage ping
  tunnel ipsec "tunnel-sichuan"
  no reverse-route
ip vrouter "trust-vr"
  ip route 192.168.0.0/21 tunnel2
(2) Peer-side Cisco configuration:
ip access-list extended ACL-L2L-SPLIT-BRI
 permit ip 192.168.0.0 0.0.7.255 10.1.193.0 0.0.0.255
interface GigabitEthernet0/2
 description to-CUCC
 ip address 119.6.56.139 255.255.255.224
 crypto map MAP-CUCC
crypto map MAP-CUCC 100 ipsec-isakmp
 set peer 202.107.127.15
 set transform-set IPSEC-L2L-TUN
 set pfs group2
 set isakmp-profile PRF-IKE-L2L-AM
 match address ACL-L2L-SPLIT-BRI
 reverse-route
crypto ipsec transform-set IPSEC-L2L-TUN esp-3des esp-md5-hmac
 mode tunnel
crypto isakmp profile PRF-IKE-L2L-AM
 keyring KeyRing
 match identity user-fqdn hillstone
 initiate mode aggressive
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto keyring KeyRing
 pre-shared-key hostname hillstone key 1234567890
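Added example, not part of michealtl's post: a small Python checker that pulls the IKE phase 1 / phase 2 parameters, peer addresses, identities and proxy IDs out of the two configurations above and compares them side by side, the way one would before opening a ticket with the peer. The embedded config strings are copied from the post with the secrets omitted. Two assumptions: the Hillstone proposal bodies are not in the post, so their algorithms are inferred from the proposal names ("psk-md5-3des-g2"), and the Cisco crypto ACL is read as source = Cisco local network, destination = remote network. Beyond matching, it flags 3DES, MD5, DH group 2 and aggressive mode as deprecated, since all four are below current vendor guidance for new tunnels, and it marks the FQDN versus user-FQDN identity keyword difference as something to confirm in the IKE debug output rather than asserting it breaks the tunnel.

```python
import ipaddress
import re

# Sample input copied from the post above (secrets omitted); not this script's own configuration.
HILLSTONE_CFG = """
isakmp peer "sichuan"
  mode aggressive
  isakmp-proposal "psk-md5-3des-g2"
  peer 119.6.56.139
  local-id fqdn "hillstone"
tunnel ipsec "tunnel-sichuan" auto
  ipsec-proposal "esp-md5-3des-g2"
  id local 10.1.193.0/24 remote 192.168.0.0/21 service "Any"
"""
CISCO_CFG = """
ip access-list extended ACL-L2L-SPLIT-BRI
 permit ip 192.168.0.0 0.0.7.255 10.1.193.0 0.0.0.255
interface GigabitEthernet0/2
 ip address 119.6.56.139 255.255.255.224
crypto map MAP-CUCC 100 ipsec-isakmp
 set peer 202.107.127.15
 set pfs group2
crypto ipsec transform-set IPSEC-L2L-TUN esp-3des esp-md5-hmac
crypto isakmp profile PRF-IKE-L2L-AM
 match identity user-fqdn hillstone
 initiate mode aggressive
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
WEAK = {"3des", "md5", "group2", "aggressive"}  # deprecated by current vendor guidance for new tunnels

def grab(cfg, pattern):
    """First capture group of the first regex match in cfg, or None."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else None

def parse_hillstone(cfg):
    # Proposal bodies are not in the post; algorithms are inferred from the proposal names (assumption).
    auth, hash1, enc1, dh = grab(cfg, r'isakmp-proposal "([^"]+)"').split("-")
    _, hash2, enc2, pfs = grab(cfg, r'ipsec-proposal "([^"]+)"').split("-")
    return {
        "p1": {"enc": enc1, "hash": hash1, "dh": "group" + dh[1:], "auth": {"psk": "pre-share"}.get(auth, auth)},
        "p2": {"enc": enc2, "hash": hash2, "pfs": "group" + pfs[1:]},
        "mode": grab(cfg, r"^\s*mode (\S+)"),
        "peer": grab(cfg, r"^\s*peer (\S+)"),
        "id_type": grab(cfg, r"local-id (\S+)"),
        "id": grab(cfg, r'local-id \S+ "([^"]+)"'),
        "local_net": ipaddress.ip_network(grab(cfg, r"id local (\S+)")),
        "remote_net": ipaddress.ip_network(grab(cfg, r"remote (\S+)")),
    }

def wildcard_to_network(addr, wildcard):
    """Cisco ACL address + wildcard (inverted mask) -> ip_network."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_cisco(cfg):
    # The crypto ACL is written from the Cisco side: source = local network, destination = remote.
    src, swc, dst, dwc = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    enc2, hash2 = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cfg).groups()
    return {
        "p1": {"enc": grab(cfg, r"^\s*encr (\S+)"), "hash": grab(cfg, r"^\s*hash (\S+)"),
               "dh": "group" + grab(cfg, r"^\s*group (\S+)"), "auth": grab(cfg, r"authentication (\S+)")},
        "p2": {"enc": enc2, "hash": hash2, "pfs": grab(cfg, r"set pfs (\S+)")},
        "mode": grab(cfg, r"initiate mode (\S+)"),
        "local_ip": grab(cfg, r"ip address (\S+) "),
        "peer": grab(cfg, r"set peer (\S+)"),
        "id_type": grab(cfg, r"match identity (\S+)"),
        "id": grab(cfg, r"match identity \S+ (\S+)"),
        "local_net": wildcard_to_network(src, swc),
        "remote_net": wildcard_to_network(dst, dwc),
    }

def compare(h, c):
    """Return (level, message) pairs; level is OK, MISMATCH, VERIFY or WEAK."""
    out = []
    for phase in ("p1", "p2"):
        for k, v in h[phase].items():
            out.append(("OK" if v == c[phase][k] else "MISMATCH", f"{phase} {k}: {v} / {c[phase][k]}"))
    out.append(("OK" if h["mode"] == c["mode"] else "MISMATCH", f"IKE mode: {h['mode']} / {c['mode']}"))
    out.append(("OK" if h["peer"] == c["local_ip"] else "MISMATCH", f"peer: {h['peer']} / {c['local_ip']}"))
    out.append(("VERIFY", f"Cisco 'set peer {c['peer']}': the Hillstone outside address is not in the post"))
    if h["id"] != c["id"]:
        out.append(("MISMATCH", f"identity: {h['id']} / {c['id']}"))
    elif h["id_type"] != c["id_type"]:
        out.append(("VERIFY", f"identity '{h['id']}' agrees but type keywords differ ({h['id_type']} / "
                              f"{c['id_type']}); confirm the ID payload type in the IKE debug output"))
    else:
        out.append(("OK", f"identity {h['id']} ({h['id_type']})"))
    mirrored = h["local_net"] == c["remote_net"] and h["remote_net"] == c["local_net"]
    out.append(("OK" if mirrored else "MISMATCH", f"proxy IDs: {h['local_net']} <-> {h['remote_net']}"))
    for w in sorted({h["p1"]["enc"], h["p1"]["hash"], h["p1"]["dh"], h["mode"]} & WEAK):
        out.append(("WEAK", f"{w}: deprecated; prefer AES-GCM, SHA-2, DH group 14+, main mode or IKEv2"))
    return out

if __name__ == "__main__":
    for lvl, msg in compare(parse_hillstone(HILLSTONE_CFG), parse_cisco(CISCO_CFG)):
        print(f"[{lvl:8}] {msg}")
```

Run as-is it reports every negotiated parameter as matching (3DES, MD5, group 2, pre-shared key, aggressive mode, mirrored proxy IDs 10.1.193.0/24 and 192.168.0.0/21, and the Hillstone peer address equal to the Cisco crypto-map interface), one VERIFY for the Cisco `set peer` address that cannot be checked from the post, one VERIFY for the `fqdn` versus `user-fqdn` identity keywords, and four WEAK lines. The parser is deliberately keyword-based rather than a full CLI grammar, so it is easy to extend with another vendor's syntax by adding a `parse_*` function that returns the same dictionary shape.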
通信人家园 (https://www.txrjy.com/) Powered by C114