|
[Huawei]ipsec proposal a1 //创建IPSec安全提议并进入安全提议视图
[Huawei-ipsec-proposal-a1]transform ah //配置安全提议采用的安全协议,默认是esp
[Huawei-ipsec-proposal-a1]ah authentication-algorithm sha2-256 //配置AH采用的认证算法
[Huawei-ipsec-proposal-a1]transform esp
[Huawei-ipsec-proposal-a1]esp authentication-algorithm sha2-256 //配置esp采用的认证算法
[Huawei-ipsec-proposal-a1]esp encryption-algorithm aes-256 //配置esp采用的加密算法
[Huawei-ipsec-proposal-a1]encapsulation-mode transport //配置安全协议对数据的封装模式,默认为隧道模式
[Huawei-ipsec-proposal-a1]encapsulation-mode tunnel
[Huawei]ipsec proposal a1 //引用IPSec安全提议
[Huawei]display ipsec proposal //查看安全提议相关信息
[Huawei]ipsec efficient-vpn c1 mode client //创建IPSec VPN策略,并进入efficient VPN策略视图
[Huawei]ipsec efficient-vpn c3 mode network-plus
[Huawei]ipsec efficient-vpn c2 mode network
[Huawei-ipsec-efficient-vpn-c1]security acl 3000 //在efficient VPN策略中引用ACL
[Huawei-ipsec-efficient-vpn-c1]remote-address 10.1.1.1 v1 //配置IKE协商时的对端IP地址
[Huawei-ipsec-efficient-vpn-c1]remote-address 10.1.1.1 v2
[Huawei-ipsec-efficient-vpn-c1]pre-shared-key cipher abc@1234 //配置采用预共享秘钥认证时的秘钥
[Huawei-ipsec-efficient-vpn-c1]local-id-type ip //配置IKE协商时本端ID类型,默认为IP
[Huawei-ipsec-efficient-vpn-c1]pfs dh-group14 //配置本端发起IKE协商时的pfs特性
[Huawei]ipsec sa global-duration time-based 3600 //配置全局SA的生存周期,分为时间为基准和以流量为基准
[Huawei]ipsec sa global-duration traffic-based 1843200
[Huawei-GigabitEthernet0/0/1]ipsec efficient-vpn c1 //在街口上应用efficient VPN策略
[Huawei]display ipsec efficient-vpn //查看efficient VPN策略信息
[Huawei]display ike sa //查看IKE协商建议的安全联盟摘要信息
[Huawei]display ipsec sa efficient-vpn //查看IPSec安全联盟的配置信息
[Huawei]display ipsec interface brief //查看接口下引用IPSec安全策略信息
[Huawei]display ike global config //查看IKE的全局配置信息
[Huawei]display ipsec global config //查看IPSec的全局配置信息
reset ipsec sa //清除已建立的sa
reset ike statistics all //清除ike报文统计信息
|