[Huawei]ipsec proposal a1 // Create an IPSec proposal and enter the proposal view
[Huawei-ipsec-proposal-a1]transform ah // Set the security protocol used by the proposal; the default is esp
[Huawei-ipsec-proposal-a1]ah authentication-algorithm sha2-256 // Set the authentication algorithm used by AH
[Huawei-ipsec-proposal-a1]transform esp
[Huawei-ipsec-proposal-a1]esp authentication-algorithm sha2-256 // Set the authentication algorithm used by ESP
[Huawei-ipsec-proposal-a1]esp encryption-algorithm aes-256 // Set the encryption algorithm used by ESP
[Huawei-ipsec-proposal-a1]encapsulation-mode transport // Set the data encapsulation mode of the security protocol; the default is tunnel mode
[Huawei-ipsec-proposal-a1]encapsulation-mode tunnel
[Huawei]ipsec proposal a1 // Reference the IPSec proposal
[Huawei]display ipsec proposal // View information about the proposal
[Huawei]ipsec efficient-vpn c1 mode client // Create an IPSec VPN policy and enter the Efficient VPN policy view
[Huawei]ipsec efficient-vpn c3 mode network-plus
[Huawei]ipsec efficient-vpn c2 mode network
[Huawei-ipsec-efficient-vpn-c1]security acl 3000 // Reference an ACL in the Efficient VPN policy
[Huawei-ipsec-efficient-vpn-c1]remote-address 10.1.1.1 v1 // Set the peer IP address used during IKE negotiation
[Huawei-ipsec-efficient-vpn-c1]remote-address 10.1.1.1 v2
[Huawei-ipsec-efficient-vpn-c1]pre-shared-key cipher abc@1234 // Set the key used for pre-shared key authentication
[Huawei-ipsec-efficient-vpn-c1]local-id-type ip // Set the local ID type used during IKE negotiation; the default is IP
[Huawei-ipsec-efficient-vpn-c1]pfs dh-group14 // Set the PFS feature used when the local end initiates IKE negotiation
[Huawei]ipsec sa global-duration time-based 3600 // Set the global SA lifetime, which is either time-based or traffic-based
[Huawei]ipsec sa global-duration traffic-based 1843200
[Huawei-GigabitEthernet0/0/1]ipsec efficient-vpn c1 // Apply the Efficient VPN policy on the interface
[Huawei]display ipsec efficient-vpn // View Efficient VPN policy information
[Huawei]display ike sa // View summary information about the SAs established through IKE negotiation
[Huawei]display ipsec sa efficient-vpn // View configuration information about the IPSec SAs
[Huawei]display ipsec interface brief // View the IPSec security policies referenced on interfaces
[Huawei]display ike global config // View the global IKE configuration
[Huawei]display ipsec global config // View the global IPSec configuration
reset ipsec sa // Clear established SAs
reset ike statistics all // Clear IKE packet statistics