
Typical GRE-over-IPsec configuration for the Cisco 2911 router (IKEv2)


!IKEv2 proposal 1, used for site 1
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 19
!IKEv2 proposal 2, used for site 2
crypto ikev2 proposal ubi20240312
encryption aes-cbc-256
integrity sha256
group 14
!Both proposals must be in the same policy
crypto ikev2 policy IKEV2-POLICY
match address local 60.1.1.1
proposal IKEV2-PROPOSAL
proposal ubi20240312
!Create the pre-shared key in IKEv2 (keyring) format
crypto ikev2 keyring ubi20240312
peer ubi
address 222.2.2.2
pre-shared-key key1
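!Create the IKEv2 profile: identify the peer and the local side by IP address, reference the keyring, authenticate with the pre-shared key; configuring lifetime is optional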
crypto ikev2 profile ubi20240312
match identity remote address 222.2.2.2 255.255.255.255
identity local address 60.1.1.1
authentication local pre-share
authentication remote pre-share
keyring local ubi20240312
lifetime 28800
!Create the phase 2 algorithms and mode
crypto ipsec transform-set ubi20240312 esp-aes 256 esp-sha256-hmac
mode tunnel
!Create the IPsec profile, referencing the transform-set and the IKEv2 profile
crypto ipsec profile ubi20240312
set transform-set ubi20240312
set ikev2-profile ubi20240312
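!Create the tunnel interface. Watch the MTU and the mode: the MTU must be 1400 and the mode must be ipsec ipv4. Reference the IPsec profile. Tunnel peer address 10.0.0.14/31, local public egress IP 60.1.1.1, peer public address 222.2.2.2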
interface Tunnel2
ip address 10.0.0.15 255.255.255.254
ip mtu 1400
tunnel source 60.1.1.1
tunnel mode ipsec ipv4
tunnel destination 222.2.2.2
tunnel protection ipsec profile ubi20240312
!Route the interesting traffic to the tunnel interface
ip route 1.0.0.0 255.0.0.0 Tunnel2
!Common show commands
sho crypto ipsec profile
sho crypto ipsec proposal
sho crypto ikev2 proposal
sho crypto ikev2 profile
sho crypto ikev2 sa
sho crypto ikev2 diag
sho crypto ipse sa
sho crypto isakmp sa
!Common debug commands
debug crypto ikev2
debug crypto isakmp
debug crypto ipsec

logging console
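
The objects in this configuration are chained by name (policy to proposals, IKEv2 profile to keyring, IPsec profile to transform-set and IKEv2 profile, tunnel interface to IPsec profile), so a mistyped name breaks the chain. The Python script below is an added example, not part of the original post: it lists references whose target is never defined. `dangling_refs`, `SAMPLE` and `BROKEN` are names made up here, and the input is constructed from the reference-bearing lines of the configuration above.

```python
import re
# Lines that define a named object, e.g. "crypto ikev2 profile NAME".
HEADER = re.compile(r"^(?:crypto (ikev2 (?:proposal|policy|keyring|profile)"
                    r"|ipsec (?:transform-set|profile))|(interface)) (\S+)")
# (section kind, sub-command pattern, kind of object it refers to)
REFS = [
    ("ikev2 policy", r"proposal (\S+)", "ikev2 proposal"),
    ("ikev2 profile", r"keyring local (\S+)", "ikev2 keyring"),
    ("ipsec profile", r"set transform-set (\S+)", "ipsec transform-set"),
    ("ipsec profile", r"set ikev2-profile (\S+)", "ikev2 profile"),
    ("interface", r"tunnel protection ipsec profile (\S+)", "ipsec profile"),
]

def dangling_refs(config):
    """Return sorted (section, target kind, name) tuples whose target is undefined."""
    defined, used, section = set(), [], None
    for line in map(str.strip, config.splitlines()):  # works indented or flattened
        m = HEADER.match(line)  # "!" comments and blank lines match nothing below
        if m:
            section = (m.group(1) or m.group(2), m.group(3))
            defined.add(section)
        elif section:
            for kind, pattern, target in REFS:
                r = re.match(pattern, line) if kind == section[0] else None
                if r:
                    used.append((" ".join(section), target, r.group(1)))
    return sorted(u for u in used if u[1:] not in defined)

# Constructed input: the reference-bearing lines of the configuration above.
SAMPLE = """\
crypto ikev2 proposal IKEV2-PROPOSAL
crypto ikev2 proposal ubi20240312
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
proposal ubi20240312
crypto ikev2 keyring ubi20240312
crypto ikev2 profile ubi20240312
keyring local ubi20240312
crypto ipsec transform-set ubi20240312 esp-aes 256 esp-sha256-hmac
crypto ipsec profile ubi20240312
set transform-set ubi20240312
set ikev2-profile ubi20240312
interface Tunnel2
tunnel protection ipsec profile ubi20240312
"""
# Constructed fault: the tunnel names an IPsec profile that is never defined.
BROKEN = SAMPLE.replace("protection ipsec profile ubi20240312", "protection ipsec profile ubi2024")
if __name__ == "__main__":
    print(dangling_refs(SAMPLE), dangling_refs(BROKEN))
```

Run it against a saved copy of the running configuration before a change window; an empty list means every named reference in the chain resolves.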
