ipsecvpn路由器配置：isakmp策略-路由-交换

《ipsecvpn路由器配置：isakmp策略-路由-交换》由会员上传分享，免费在线阅读，更多相关内容在工程资料-天天文库。

1、IPsecVPN路由器配置：ISAKMP策略-路由-交换TheIPsecprotocolandbasicIPsecwerediscussedinthepreviousarticleModeloftheVPNconnection.NowwewilllearnhowtouseIKEtoimplementtheISAKMPprotocoltoensuresecureVPNconfigurstion.TheministryofAnIOSrouterusingIPsecwillstartwiththeISAKMPauthent

2、icstionkeydatathatconfigurestheISAKMPpolicyandrouter・Iftherouterisonlyinthesite-to-sitetopologyAnotherrouterconnects,sotheISAKMPconfigurationiscomplete・However,iftherouteralsosupportsclient-to-site,anadditionalIKEconfigurationisrequired.InmyBeforewedotheISAKMPp

3、olicyconfiguration,let'slookatsomesecuritytips:Forbeginners,IOScanbeexchangedbetweentheconfigurationmodelandtheEXECmodelusingISAKMPandIKE・RememberthatIKEisanISAKMPprotocol-ISAKMPistheruleandIKEexecutestherules・IKElistensfor500portsandUSESUDPtonegotiatesendingan

4、dreceivingmessages・IfyoudeployafirewallinfrontofaVPNrouter,oryouaretryingtobuildanIPsecclientconnectionacrossafirewall,thiscanbeaproblem.AndunlessyouusetheUDP500port,thetraditionalIKEwillnotworkproperly.IKEUnliketheNetworkAddressTranslation(NAT)・WhenusingNATbet

5、weentwoIPsecnodes,apre-sharedkeyauthenticationbasedontheIPaddressbindingwillnotwork・TheNATtransformmodifiesthesourceanddestinationaddresses,resultinginthekeypairThemismatchofsendingorreceivinghosts・ThePortAddressTranslationisusedinmostofthestatefulfirewalls(PAT

6、)alsodestroystheIPsecconnection.However,theupcomingversionofIOSwillusetheIPsecNattransparencyandCiscochannelcontrolprotocol(cTCP)addressestheoperationalissuesbetweenIPsecandNAT/PAT・BothsolutionsareusedduringtheIKEnegotiationphase.NATtransparencyaddsaNATdiscover

7、yduringtheIKEfirstphaseThephaseoriginalandaddedaNATtraversingtoolinthesecondphase・Inoperation,theIPsecNATtransparentlymovesIKEtoUDPport4500andencapsulatesIPsecpacketstoUDPframesasneeded・thoughNATtransparencysolvessomeproblems,butitdoesn，tsolveallproblems・Evenwi

8、thNATtransparency,IPsecdientconnectionscannotworkinenvironmentswithstrictfirewallrules・Ifabove1024TheUDPportaccessisclosedtotheoriginalconnectionandtheclientcannotconnecttot