Set the IP address of GigabitEthernet 1/0/2.
Set the IP address of GigabitEthernet 1/0/1.
    ip address 1.1.1.1 24
Add GigabitEthernet 1/0/2 to the Trust zone.
    add interface GigabitEthernet 1/0/2
Add GigabitEthernet 1/0/1 to the Untrust zone.
    add interface GigabitEthernet 1/0/1
Configure the Trust-Untrust interzone policy.
    destination-address 10.1.1.0 24
Configure the Local-Untrust interzone policy to allow the devices at the two ends of the IPSec tunnel to communicate for tunnel negotiation. The Local-Untrust interzone policy determines whether IKE negotiation packets can pass through the FW. The interzone policy can use the source address and destination address as matching conditions, and can use the protocol type and port number as additional matching conditions. In this example, the source address and destination address are used as matching conditions. To use the protocol type and port number as matching conditions, you must enable the ESP service and UDP port 500 (in the NAT traversal scenario, port 4500 must also be enabled).
Configure a static route to the peer server. Assume that the next hop of the static route is 1.1.1.2.
Configure advanced ACL 3000 to allow network segment 10.1.1.0/24 to access network segment 10.2.1.0/24.
You do not need to set default parameters.
Apply IPSec policy group map1 to GigabitEthernet 1/0/1.
In different versions of Linux operating systems, the installation command differs. In Debian-based Linux operating systems, such as Debian, Ubuntu, and Linux Mint, run the following command:
    # apt-get install openswan
Only the part of the configuration files in which parameters need to be modified is displayed.
    # vim /etc/ipsec.secrets
    3.3.3.3 1.1.1.1: PSK
This line configures a pre-shared key in the format "IP address of the WAN interface on the server" "IP address of the WAN interface on the FW": PSK, followed by the key.
On the FW, run the display ike sa and display ipsec sa brief commands to view the SA establishment.
    display ipsec sa brief
    M-ACTIVE S-STANDBY A-ALONE NEG-NEGOTIATING
    HRT-HEARTBEAT LKG-LAST KNOWN GOOD SEQ NO. RD-READY ST-STAYALIVE RL-REPLACED FD-FADING TO-TIMEOUT
You can find that a tunnel has been set up through negotiation.
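As an added example (not part of the original page or of Openswan itself), a small Python check for the /etc/ipsec.secrets entry format shown above: it parses the "server-IP FW-IP: PSK "key"" line, confirms an entry exists for the two WAN addresses from the page (3.3.3.3 and 1.1.1.1), and flags a world-readable file or a short key. The minimum key length and the function names are assumptions; the sample file content is constructed.

```python
import os
import re
import stat
import tempfile

# Openswan /etc/ipsec.secrets entry in the form used on the page:
#   <server WAN IP> <FW WAN IP>: PSK "<key>"
# Only this quoted-PSK form is parsed; hex (0x...) and RSA entries are out of scope.
SECRET_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')


def parse_secrets(text):
    """Return a list of (id1, id2, psk) tuples, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError("unparseable ipsec.secrets line: %r" % line)
        entries.append(m.groups())
    return entries


def check_secrets(path, server_ip, fw_ip, min_len=20):
    """Return findings for the entry protecting server_ip<->fw_ip ([] means OK).

    min_len is an assumed local policy value, not a figure from the page.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # secrets must be readable by the owner only
        findings.append("mode %o lets group/other read the secrets; use 0600" % mode)
    with open(path) as fh:
        entries = parse_secrets(fh.read())
    matches = [e for e in entries if (e[0], e[1]) == (server_ip, fw_ip)]
    if not matches:
        findings.append("no PSK entry for %s %s" % (server_ip, fw_ip))
    elif len(matches) > 1:
        findings.append("duplicate entries for %s %s" % (server_ip, fw_ip))
    for _, _, psk in matches:
        if len(psk) < min_len:
            findings.append("PSK is %d chars, shorter than %d" % (len(psk), min_len))
    return findings


def write_sample(text, mode):
    """Write constructed sample content to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="ipsec.secrets.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path
```

Run `check_secrets(write_sample('3.3.3.3 1.1.1.1: PSK "constructed-sample-key-0001"\n', 0o600), "3.3.3.3", "1.1.1.1")` to see an empty findings list for an acceptable file.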