ipsec和ikev2哪个好ipsec和ssl

IPSec×××基于ASA的配置实现某软件开发公司在中小城市建立了分公司，分公司开发项目小组所在网络地址为10.1.1.0/24，该网络的主机可以通过×××访问总公司开发数据服务器（192.168.1.0/24）。分公司的其他客户端（10.2.2.0/24网段）可以访问。根据上述需求，网络管理员需要在分公司的ASA1上同时配置×××和PAT。

1．分公司的ASA1路由方面的配置routeoutside0.0.0.00.0.0.0200.0.0.2配置ISAKMP策略ASA1(config)#cryptoikev1enableoutsideASA1(config)#cryptoikev1policy1ASA1(config-ikev1-policy)#encryptionaesASA1(config-ikev1-policy)#hashshaASA1(config-ikev1-policy)#authenticationpre-shareASA1(config-ikev1-policy)#group2R1(config)#cryptoisakmpkeyteduaddress200.0.0.1//之前在路由器上的这条命令在防火墙上变成以下配置：ASA1(config)#tunnel-group200.0.0.2typeipsec-l2l

ASA1(config)#tunnel-group200.0.0.2ipsec-attributesASA1(config-tunnel-ipsec)#ikev1pre-shared-keytedu配置ACLASA1(config)#ess-list100permitip10.1.1.0255.255.255.0192.168.1.0225.255.255.0配置IPSec策略（转换集）ASA1(config)#cryptoipsecikev1transform-setyf-setesp-aesesp-sha-hmac

配置加密映射集ASA1(config)#cryptomapyf-map1matchaddress100ASA1(config)#cryptomapyf-map1setpeer200.0.0.2ASA1(config)#cryptomapyf-map1setikev1transform-setyf-set

将映射集应用在接口ASA1(config)#cryptomapyf-mapinterfaceoutside

2．总公司的ASA2路由方面的配置routeoutside0.0.0.00.0.0.0200.0.0.1配置ISAKMP策略ASA2(config)#cryptoikev1enableoutsideASA2(config)#cryptoikev1policy1ASA2(config-ikev1-policy)#encryptionaesASA2(config-ikev1-policy)#hashshaASA2(config-ikev1-policy)#authenticationpre-shareASA2(config-ikev1-policy)#group2ASA2(config)#tunnel-group200.0.0.1typeipsec-l2lASA2(config)#tunnel-group200.0.0.1ipsec-attributesASA2(config-tunnel-ipsec)#ikev1pre-shared-keytedu

配置ACLASA2(config)#ess-list100permitip192.168.1.0225.255.255.010.1.1.0255.255.255.0

配置IPSec策略（转换集）ASA2(config)#cryptoipsecikev1transform-setyf-setesp-aesesp-sha-hmac

配置加密映射集ASA2(config)#cryptomapyf-map1matchaddress100ASA2(config)#cryptomapyf-map1setpeer200.0.0.1ASA2(config)#cryptomapyf-map1setikev1transform-setyf-set

将映射集应用在接口ASA2(config)#cryptomapyf-mapinterfaceoutside

IKEv1SAs:ActiveSA:1RekeySA:0(Atunnelwillreport1Activeand1RekeySAduringrekey)TotalIKESA:1

1IKEPeer:200.0.0.2Type:L2LRole:initiatorRekey:noState:MM_ACTIVE

8．PAT方面的配置ASA1(config)#workob-inside2ASA1(work-object)#10.2.2.0255.255.255.0ASA1(work-object)#nat(inside2,outside)dynamicinterfacePC1上网测试：ping200.0.0.2