Configuring a Basic VPN for L2TP/IPsec
The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) creates a highly secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides a logical transport mechanism on which to transmit PPP frames, tunneling, or encapsulation, so that the PPP frames can be sent across an IP network. L2TP/IPsec relies on the PPP connection process to perform user authentication and protocol configuration. With L2TP/IPsec, the user authentication process is encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm.
L2TP/IPsec using IKEv1 requires two levels of authentication:
Computer-level authentication with a pre-shared key to create the IPsec SAs that protect the L2TP-encapsulated data.
User-level authentication through a PPP-based authentication protocol using passwords, SecurID, digital certificates, or smart cards after successful creation of the SAs.
Note that only Windows 7 (and later versions), StrongSwan 4.3, and VIA clients support IKEv2. For additional information on the authentication types supported by these clients, see Working with IKEv2 Clients.
The following procedure describes how to configure a remote access VPN for L2TP IPsec for clients using pre-shared keys, certificates, or EAP for authentication.
Defining Authentication Method and Server Addresses
The following procedure describes how to define the authentication method and server addresses on Mobility Master:
1. Define the authentication method and server addresses.
2. In the node hierarchy, navigate to the tab.
3. Expand .
4. To enable L2TP, select the check box.
5. Select an authentication method for IKEv1 clients. Currently, supported methods include:
Microsoft Challenge Handshake Authentication Protocol (MSCHAP)
Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)
6. Click .
7. Click .
8. In the window, select the check box and click .
9. Expand . Configure the IP addresses of the , , , and pushed to the VPN client.
10. Click .
11. Click .
12. In the window, select the check box and click .
Defining Address Pools
The following procedure describes how to define the pool from which the clients are assigned addresses:
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. In the table, click to open the section.
4. Specify the , , and .
5. Click .
6. Click .
7. In the window, select the check box and click .
RADIUS Framed-IP-Address for VPN Clients
IP addresses are usually assigned to VPN clients from configured local address pools. However, the Framed-IP-Address attribute that is returned from a RADIUS server can be used to assign the address.
VPN clients use different mechanisms to establish VPN connections with Mobility Master, such as IKEv1, IKEv2, EAP, or a user certificate. Regardless of how the RADIUS server is contacted for authentication, the IP address carried in the Framed-IP-Address attribute is assigned to the client as long as the RADIUS server returns that attribute. The Framed-IP-Address value always has a higher priority than the local address pool.
Enabling Source NAT
The following procedure describes how to enable source NAT on Mobility Master:
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. Select the check box if the IP addresses of clients must be translated to access the network.
4. (Optional) If you enable source NAT, select an existing NAT pool from the drop-down list.
Selecting Certificates
If you are configuring a VPN to support machine authentication using certificates, define the IKE server certificates for VPN clients using IKE. Note that these certificates must be imported into Mobility Master, as described in Management Access. The following procedure describes how to select certificates:
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. From the drop-down list, select the server certificate for client machines.
4. Click .
5. Click .
6. In the window, select the check box and click .
7. If you are configuring a VPN to support clients using certificates, you must also assign one or more trusted CA certificates to VPN clients.
a. Expand .
b. In the table, click to open the section.
c. Select a from the drop-down list.
d. Click .
e. In the table, click to open the section.
f. Select a and from the respective drop-down lists.
g. Click .
h. Repeat steps through to add more certificates.
i. Click .
j. In the window, select the check box and click .
Defining IKEv1 Shared Keys
If you are configuring a VPN to support IKEv1 and clients using pre-shared keys, you can configure a global IKE key or an IKE key for each subnet. Make sure that this key matches the key on the client. The following procedure describes how to define IKEv1 shared keys:
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. In the table, click to open the section.
4. Enter the and . To make the IKE key global, enter 0.0.0.0 for both values.
5. Select the from the drop-down list.
6. Enter and repeat it in the field.
7. Click .
8. Click .
9. In the window, select the check box and click .
Configuring IKE Policies
ArubaOS contains several predefined default IKE policies, as described in the Default IKE Policy Settings table. If you do not want to use any of these predefined policies, you can use the procedure below to delete a factory-default policy, edit an existing policy, or create your own custom IKE policy instead.
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. In the table, click an existing policy to edit it, or click to create a new policy.
4. In , enter a priority number for this policy. Enter 1 for the configuration to take priority over the default setting.
5. Select the check box to enable the policy when it is saved.
6. From the drop-down list, select one of the following encryption types:
AES128
AES192
AES256
7. From the drop-down list, select one of the following hash types:
md5
sha
sha1-96
sha2-256-128
sha2-384-192
8. ArubaOS VPNs support client authentication using pre-shared keys, RSA digital certificates, or Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, from the drop-down list, select one of the following options:
pre-share (for IKEv1 clients using pre-shared keys)
rsa-sig (for clients using certificates)
ecdsa-256 (for clients using certificates)
ecdsa-384 (for clients using certificates)
9. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys. To set the Diffie-Hellman group for the ISAKMP policy, from the drop-down list, select one of the following options:
Group 1: 768-bit Diffie-Hellman prime modulus group
Group 2: 1024-bit Diffie-Hellman prime modulus group
Group 14: 2048-bit Diffie-Hellman prime modulus group
Group 19: 256-bit random Diffie-Hellman ECP modulus group
Group 20: 384-bit random Diffie-Hellman ECP modulus group
Configuring Diffie-Hellman Group 1 and Group 2 types is not permitted if FIPS mode is enabled.
10. In , enter a value in the range of 300-86400 seconds to define the lifetime of the security association. The default value is 7200 seconds.
11. Click .
12. Click .
13. In the window, select the check box and click .
Setting the IPsec Dynamic Map
Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a predefined IPsec dynamic map for IKEv1. If you do not want to use this predefined map, you can use the procedure below to edit an existing map or create your own custom IPsec dynamic map.
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. In , click an existing dynamic map to edit it, or click to create a new map.
4. In , enter a priority number for this map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.
5. In , enter a name for the dynamic map.
6. Select the check box.
7. (Optional) Configure PFS settings for the dynamic peer by assigning a Diffie-Hellman prime modulus group. The PFS group ensures that the IPsec SA key was not derived from any other key, and therefore cannot be compromised if another key is broken. In the drop-down list, select one of the following groups:
Group 1: 768-bit Diffie-Hellman prime modulus group
Group 2: 1024-bit Diffie-Hellman prime modulus group
Group 14: 2048-bit Diffie-Hellman prime modulus group
Group 19: 256-bit random Diffie-Hellman ECP modulus group
Group 20: 384-bit random Diffie-Hellman ECP modulus group
8. In , select an existing transform to edit it, or click to open the window.
To view current configuration settings for an IPsec transform-set, access the CLI and issue the command .
9. Enter a name for the transform in the field.
10. From the drop-down list, select one of the following encryption types:
esp-null
esp-des
esp-aes128
esp-aes192
esp-aes256
11. From the algorithm drop-down list, select one of the following hash types:
esp-md5-hmac
esp-sha-hmac
esp-null-hmac
12. Click .
13. In , enter a value in the range of 300-86400 seconds to define the lifetime of the security association for the dynamic peer. The default value is 7200 seconds.
14. In , enter a value in kilobytes to define the lifetime of the security association for the dynamic peer.
15. Click .
16. Click .
17. In the window, select the check box and click .
The following CLI commands configure a remote access VPN for L2TP IPsec:
1. Define the authentication method and server addresses:
(host) [mynode] (config) #vpdn group l2tp
enable
client configuration {dns|wins}
2. Enable authentication methods for IKEv1 clients:
(host) [mynode] (config) #vpdn group l2tp ppp authentication {cache-securid|chap|eap|mschap|mschapv2|pap}
3. Create address pools:
(host) [mynode] (config) #ip local pool
4. Enable source NAT:
(host) [mynode] (config) #ip access-list session srcnatuser any src-nat pool
5. If you are configuring a VPN to support machine authentication using certificates, define server certificates for VPN clients using IKEv1:
(host) [mynode] (config) #crypto-local isakmp server-certificate
6. If you are configuring a VPN to support IKEv1 clients using pre-shared keys, you can configure a global IKE key by entering 0.0.0.0 for both the address and netmask parameters in the command below, or configure an IKE key for an individual subnet by specifying the IP address and netmask for that subnet:
(host) [mynode] (config) #crypto isakmp key <key> address <ipaddr> netmask <mask>
7. Configure IKE policies:
(host) [mynode] (config) #crypto isakmp policy
encryption {3des|aes128|aes192|aes256|des}
version v1|v2
authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}
group {1|2|19|20}
hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}
lifetime
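As an added example (the editor's own code, not ArubaOS or Aruba code and not a tool this page describes), the following Python parses crypto isakmp policy blocks written in the CLI syntax above and checks each one against the constraints the IKE policy procedure states: the allowed option values, the 300-86400 second lifetime with its 7200 second default, and the rule that DH groups 1 and 2 are not permitted in FIPS mode. The weak-algorithm warnings, the sample configuration and the EXAMPLE-CERT name are the editor's own assumptions, not content from the page.

```python
"""Editor-added example (not ArubaOS or HPE Aruba code): parse ArubaOS-style 'crypto isakmp
policy' blocks in the syntax this page lists and lint them against the page's constraints."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Option values as listed on the page for the IKE policy procedure and CLI syntax.
ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256"}
HASHES = {"md5", "sha", "sha1-96", "sha2-256-128", "sha2-384-192"}
AUTH = {"pre-share", "rsa-sig", "ecdsa-256", "ecdsa-384"}
DH_GROUPS = {1, 2, 14, 19, 20}
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 300, 86400, 7200   # seconds, per the page
FIPS_FORBIDDEN_GROUPS = {1, 2}        # page: not permitted when FIPS mode is enabled
# Editor's hardening heuristics: the page lists these options but does not forbid them.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha", "sha1-96"}
WEAK_GROUPS = {1, 2}                  # 768-bit and 1024-bit MODP groups
SUBCOMMANDS = {"encryption", "version", "authentication", "group", "hash", "lifetime"}
PROMPT = re.compile(r"^\(host\)\s*\[[^\]]*\]\s*\(config\)\s*#\s*")


@dataclass
class IsakmpPolicy:
    priority: int                     # lower number is tried first (page: enter 1 to beat defaults)
    encryption: Optional[str] = None
    version: Optional[str] = None
    authentication: Optional[str] = None
    group: Optional[int] = None
    hash: Optional[str] = None
    lifetime: int = LIFETIME_DEFAULT  # page: default 7200 seconds


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Collect each 'crypto isakmp policy <n>' block and its sub-commands; lines may
    carry the '(host) [mynode] (config) #' prompt exactly as shown on the page."""
    policies, current = [], None      # type: List[IsakmpPolicy], Optional[IsakmpPolicy]
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = IsakmpPolicy(priority=int(m.group(1)))
            policies.append(current)
            continue
        key, _, value = line.partition(" ")
        if current is None or key not in SUBCOMMANDS:
            current = None            # any other top-level command ends the block
            continue
        if not value.strip():         # bare keyword with the value elided (as on the page)
            continue
        setattr(current, key, int(value) if key in ("group", "lifetime") else value.strip())
    return policies


def lint_policy(p: IsakmpPolicy, fips_mode: bool = False) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means the policy is clean."""
    f: List[str] = []
    tag = f"policy {p.priority}"
    for field, allowed in (("encryption", ENCRYPTION), ("hash", HASHES),
                           ("authentication", AUTH), ("group", DH_GROUPS)):
        if getattr(p, field) not in allowed:
            f.append(f"ERR-{field.upper()}: {tag} {field} {getattr(p, field)!r} is not an allowed value")
    if fips_mode and p.group in FIPS_FORBIDDEN_GROUPS:
        f.append(f"ERR-FIPS: {tag} uses DH group {p.group}, which is not permitted in FIPS mode")
    if not LIFETIME_MIN <= p.lifetime <= LIFETIME_MAX:
        f.append(f"ERR-LIFETIME: {tag} lifetime {p.lifetime} is outside {LIFETIME_MIN}-{LIFETIME_MAX} s")
    for field, weak, advice in (("encryption", WEAK_ENCRYPTION, "AES"),
                                ("hash", WEAK_HASH, "sha2-256-128 or stronger"),
                                ("group", WEAK_GROUPS, "group 14, 19 or 20")):
        if getattr(p, field) in weak:
            f.append(f"WARN-{field.upper()}: {tag} uses legacy {field} {getattr(p, field)}; prefer {advice}")
    return f


def audit(config: str, fips_mode: bool = False) -> Dict[int, List[str]]:
    """Findings per policy, in negotiation order (lowest priority number is tried first)."""
    policies = sorted(parse_isakmp_policies(config), key=lambda p: p.priority)
    return {p.priority: lint_policy(p, fips_mode) for p in policies}


# Constructed sample (not from a real device): a legacy policy, a hardened one, then an unrelated command.
SAMPLE_CONFIG = """\
(host) [mynode] (config) #crypto isakmp policy 20
encryption des
authentication pre-share
group 1
hash md5
lifetime 100000
(host) [mynode] (config) #crypto isakmp policy 1
encryption aes256
authentication rsa-sig
group 19
hash sha2-256-128
lifetime 7200
(host) [mynode] (config) #crypto-local isakmp server-certificate EXAMPLE-CERT
"""
```

Running audit(SAMPLE_CONFIG, fips_mode=True) reports policy 1 as clean and policy 20 with an ERR-FIPS, an ERR-LIFETIME and three WARN findings, in the order the policies would be tried.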