C114门户论坛百科APPEN| 举报 切换到宽版

亚星游戏官网

 找回密码
 注册

只需一步,快速开始

短信验证,便捷登录

搜索
查看: 2337|回复: 0

与思科对接IPSEC V*N [复制链接]

军衔等级:

亚星游戏官网-yaxin222  新兵

注册:2013-8-13
发表于 2020-4-29 22:01:01 |显示全部楼层
山石防火墙设备配置和 H3C 配置如下(之罗列出 V*N 的配置):
(1) 我司 V*N 配置如下:
isakmp peer "sichuan"
mode aggressive
isakmp-proposal "psk-md5-3des-g2"
pre-share "5A7yXUMHL0KqdkC8zomvnVAfl4YBQk"
peer 119.6.56.139
local-id fqdn "hillstone"
nat-traversal
accept-all-peer-id
dpd interval 10 retry 3
interface ethernet0/0
tunnel ipsec "tunnel-sichuan" auto
isakmp-peer "sichuan"
ipsec-proposal "esp-md5-3des-g2"
id local 10.1.193.0/24 remote 192.168.0.0/21 service "Any"
auto-connect
accept-all-proxy-id
split-tunnel-route 192.168.0.0/21
interface tunnel2
zone "untrust"
ip address 2.2.2.2 255.255.255.0
manage ping
tunnel ipsec "tunnel-sichuan"
no reverse-route
ip vrouter "trust-vr"
ip route 192.168.0.0/21 tunnel2
(2) 对端 Cisco 配置如下:
ip access-list extended ACL-L2L-SPLIT-BRI
permit ip 192.168.0.0 0.0.7.255 10.1.193.0 0.0.0.255
interface GigabitEthernet0/2
description to-CUCC
ip address 119.6.56.139 255.255.255.224
crypto map MAP-CUCC
crypto map MAP-CUCC 100 ipsec-isakmp
set peer 202.107.127.15
set transform-set IPSEC-L2L-TUN
set pfs group2
set isakmp-profile PRF-IKE-L2L-AM
match address ACL-L2L-SPLIT-BRI
reverse-route
crypto ipsec transform-set IPSEC-L2L-TUN esp-3des esp-md5-hmac
mode tunnel
crypto isakmp profile PRF-IKE-L2L-AM
keyring KeyRing
match identity user-fqdn hillstone
initiate mode aggressive
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto keyring KeyRing
pre-shared-key hostname hillstone key 1234567890

举报本楼

您需要登录后才可以回帖 登录 | 注册 |

手机版|C114 ( 沪ICP备12002291号-1 )|联系大家 |网站地图  

GMT+8, 2024-11-15 18:32 , Processed in 0.097470 second(s), 15 queries , Gzip On.

Copyright © 1999-2023 C114 All Rights Reserved

Discuz Licensed

回顶部
XML 地图 | Sitemap 地图