What is the difference between IKEv1 and IKEv2?
1. Different negotiation procedures
- IKEv1
  - IKEv1 SA negotiation consists of two phases.
  - IKEv1 phase 1 negotiation establishes the IKE SA. This phase supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, while aggressive mode uses only three. Aggressive mode therefore establishes the IKE SA faster, but it does not provide peer identity protection.
  - IKEv1 phase 2 negotiation establishes the IPSec SA used for data transfer. This phase uses quick mode (3 ISAKMP messages) to complete the negotiation.
- IKEv2
  - Compared with IKEv1, IKEv2 simplifies SA negotiation. IKEv2 uses two exchanges (4 messages in total) to create an IKE SA and a pair of IPSec SAs. To create further pairs of IPSec SAs, only one additional exchange is needed per extra pair.
2. Different authentication methods
- IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to those users. IKEv1 does not provide this function and must use L2TP to assign private addresses.
3. Different support for IKE SA integrity algorithms
- Only IKEv2 supports IKE SA integrity algorithms.
4. Different implementations of DPD packet retransmission
- Only IKEv1 supports the retry-interval parameter. If the NGFW sends a DPD packet but receives no reply within the specified retry interval, the device records a DPD failure event and resends the DPD packet. When the number of failure events reaches 5, both the IKE SA and the IPSec SA are deleted. IKE SA negotiation starts again when the device has IPSec traffic to process.
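The retransmission logic described above, written out as a small simulation so the sequence of events (probe, unanswered retry interval, failure event, teardown at the fifth failure, renegotiation on new traffic) can be traced. This is an added example, not vendor code: the 10-second retry interval, the Tunnel model and the event strings are assumptions; the threshold of 5 failures is the one the text states.

```python
"""Simulation of the IKEv1 DPD retransmission behaviour described above.
Added example, not vendor code: the 10-second retry interval, the Tunnel model and the
event strings are assumptions; the threshold of 5 failures comes from the text."""
from dataclasses import dataclass, field

MAX_DPD_FAILURES = 5    # from the text: at 5 failure events both SAs are deleted
RETRY_INTERVAL = 10     # assumed retry-interval value in seconds


@dataclass
class Tunnel:
    ike_sa_up: bool = True
    ipsec_sa_up: bool = True
    dpd_failures: int = 0
    events: list = field(default_factory=list)


def run_dpd(tunnel, peer_replies, retry_interval=RETRY_INTERVAL, max_failures=MAX_DPD_FAILURES):
    """Probe the peer until it answers or the failure limit tears the tunnel down.

    peer_replies holds one boolean per probe: True if the peer answers within
    retry_interval.  Each unanswered probe is logged as a DPD failure event and the
    probe is re-sent; returns the number of seconds spent probing.
    """
    elapsed = 0
    for answered in peer_replies:
        tunnel.events.append(f"t={elapsed}s: DPD request sent")
        elapsed += retry_interval
        if answered:
            tunnel.events.append(f"t={elapsed}s: DPD reply received, peer alive")
            tunnel.dpd_failures = 0
            return elapsed
        tunnel.dpd_failures += 1
        tunnel.events.append(f"t={elapsed}s: DPD failure event #{tunnel.dpd_failures}")
        if tunnel.dpd_failures >= max_failures:
            tunnel.ike_sa_up = tunnel.ipsec_sa_up = False
            tunnel.events.append(f"t={elapsed}s: IKE SA and IPSec SA deleted")
            return elapsed
    return elapsed


def on_ipsec_traffic(tunnel):
    """Traffic for a torn-down tunnel restarts IKE SA negotiation; returns True if it did."""
    if tunnel.ike_sa_up:
        return False
    tunnel.events.append("IPSec traffic seen: IKE SA negotiation started again")
    tunnel.ike_sa_up = tunnel.ipsec_sa_up = True
    tunnel.dpd_failures = 0
    return True


if __name__ == "__main__":
    dead = Tunnel()
    run_dpd(dead, [False] * 6)   # peer never answers; only 5 probes are needed before teardown
    on_ipsec_traffic(dead)
    print("\n".join(dead.events))
```

The event list is the part worth keeping from a monitoring point of view: a burst of five failure events followed by an SA deletion on a tunnel that should be up is the signal to alert on, and a reply on the third probe (as in the second scenario in the test) resets the counter without any teardown.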
5. Different support for manual lifetime settings
- In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime, plus or minus a random value, which reduces the likelihood that both endpoints initiate renegotiation at the same time. The soft lifetime therefore does not need to be set manually in IKEv2.
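A worked illustration of why the random offset matters, added here and not taken from the original page: soft_lifetime() applies the 9/10 rule with a random offset, and collision_rate() measures how often two peers that compute their soft lifetime independently would land on the same second and start renegotiating simultaneously. The hard lifetime of 86400 s and the 5 % jitter width are assumptions; the 9/10 ratio is from the text.

```python
"""Soft-lifetime computation as described for IKEv2: soft = 9/10 of hard, plus or minus
a random offset.  Added example, not vendor code: the hard lifetime of 86400 s and the
jitter width (5 % of the hard lifetime) are assumptions; the 9/10 ratio is from the text."""
import random

HARD_LIFETIME = 86400  # assumed IKE SA hard lifetime in seconds


def soft_lifetime(hard=HARD_LIFETIME, jitter_fraction=0.05, rng=random):
    """Return the soft (rekey) lifetime: 9/10 of the hard lifetime +/- a random offset.

    The offset is uniform over [-jitter, +jitter] seconds with jitter = jitter_fraction * hard;
    jitter_fraction=0 reproduces a fixed 9/10 soft lifetime with no randomness.
    """
    base = hard * 9 // 10
    jitter = int(hard * jitter_fraction)
    return base + rng.randint(-jitter, jitter)


def collision_rate(hard=HARD_LIFETIME, jitter_fraction=0.05, trials=1000, seed=1):
    """Fraction of trials in which two peers computing their soft lifetime independently
    would start renegotiation in the same second."""
    rng = random.Random(seed)
    collisions = sum(soft_lifetime(hard, jitter_fraction, rng) ==
                     soft_lifetime(hard, jitter_fraction, rng) for _ in range(trials))
    return collisions / trials


if __name__ == "__main__":
    print("fixed 9/10, no jitter: collision rate", collision_rate(jitter_fraction=0.0))
    print("9/10 with +/-5% jitter: collision rate", collision_rate())
```

With no jitter both peers always pick 77760 s and collide on every trial; with the offset the collision rate drops to roughly one in 8641 trials, which is the whole point of the randomised soft lifetime.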
Topology:
IKEv2 configuration steps:
- Keyring
- Proposal
- Profile
- Policy
- Access control list
- Transform set
- Crypto map (including the peer, ACL and transform set)
- Apply to the interface
1. Define the IKEv2 keyring
crypto ikev2 keyring customer-1
 peer customer1
  address 20.8.91.1
  pre-shared-key cisco1234
2. Define the IKEv2 proposal
crypto ikev2 proposal Prop-customer1
 encryption aes-cbc-256
 integrity sha256
 group 19
3. Define the IKEv2 profile
crypto ikev2 profile PROFILE-Customer1
 match identity remote address 20.8.91.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local customer-1
4. Define the IKEv2 policy
crypto ikev2 policy POL-Customer1
 proposal Prop-customer1
5. Define the crypto access control list
ip access-list extended VPN-ACL-Customer1
 permit ip host 10.8.100.210 host 19.3.157.115
 permit ip host 10.8.100.211 host 19.3.157.2
6. Define the IPSec transform set
crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac
7. Define the crypto map (including the peer, ACL and transform set)
crypto map CMAP-Customer1 10 ipsec-isakmp
 set peer 20.8.91.1
 set security-association lifetime seconds 3600
 set transform-set TS-Customer1
 set pfs group19
 set ikev2-profile PROFILE-Customer1
 match address VPN-ACL-Customer1
8. Activate the crypto map by applying it to the router interface
interface GigabitEthernet0/0/0
 ip address 9.10.62.77 255.255.255.224
 negotiation auto
 crypto map CMAP-Customer1
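The eight objects above only work if they reference each other consistently: the crypto map must point at an existing transform set, IKEv2 profile and ACL, the profile at an existing keyring, and the profile's remote identity must have a matching keyring peer. Below is an added Python linter that checks this before the configuration is pushed; it is not part of the original page or of Cisco IOS. It parses an abridged, constructed copy of the configuration shown above (the ACL name VPN-ACL-Customer1 is an assumption, since the name is garbled on the page), reports dangling references, and also flags weak algorithms, a missing PFS setting and short pre-shared keys; the 16-character PSK threshold is an assumed local policy, not a Cisco requirement.

```python
"""Consistency and hygiene checks for the IKEv2 crypto-map configuration above.
Added example, not Cisco code: CONFIG is an abridged, constructed copy of the page's
configuration; the ACL name VPN-ACL-Customer1 and the 16-character PSK threshold are assumptions."""

CONFIG = """\
crypto ikev2 keyring customer-1
 peer customer1
  address 20.8.91.1
  pre-shared-key cisco1234
crypto ikev2 proposal Prop-customer1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy POL-Customer1
 proposal Prop-customer1
crypto ikev2 profile PROFILE-Customer1
 match identity remote address 20.8.91.1 255.255.255.255
 keyring local customer-1
ip access-list extended VPN-ACL-Customer1
 permit ip host 10.8.100.210 host 19.3.157.115
crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac
crypto map CMAP-Customer1 10 ipsec-isakmp
 set peer 20.8.91.1
 set transform-set TS-Customer1
 set pfs group19
 set ikev2-profile PROFILE-Customer1
 match address VPN-ACL-Customer1
"""

KINDS = {("crypto", "ikev2", "keyring"): "keyring", ("crypto", "ikev2", "proposal"): "proposal",
         ("crypto", "ikev2", "policy"): "policy", ("crypto", "ikev2", "profile"): "profile",
         ("ip", "access-list", "extended"): "acl", ("crypto", "ipsec", "transform-set"): "transform-set"}
WEAK_ENC, WEAK_INT = {"des", "3des"}, {"md5", "sha1"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}  # esp-sha-hmac is SHA-1

def parse_blocks(text):
    """Split IOS-style config into {top-level line: [stripped sub-mode lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith(" "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.strip() and current is not None:
            current.append(raw.strip())
    return blocks

def arg_after(body, prefix):
    """Tokens after `prefix` on the first sub-mode line starting with it, else None."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].split()
    return None

def lint(text):
    """Return a list of findings; an empty list means the config is consistent and clean."""
    objs = {kind: {} for kind in list(KINDS.values()) + ["crypto-map"]}
    for header, body in parse_blocks(text).items():
        w = header.split()
        kind = KINDS.get(tuple(w[:3]))
        if kind:
            objs[kind][w[3]] = w[4:] if kind == "transform-set" else body
        elif w[:2] == ["crypto", "map"]:
            objs["crypto-map"][w[2]] = body
    out = []

    def ref(kind, name, where):  # dangling-reference check
        if name not in objs[kind]:
            out.append(f"{where}: references unknown {kind} '{name}'")

    for name, body in objs["keyring"].items():
        if any(l.startswith("pre-shared-key") and len(l.split()[-1]) < 16 for l in body):
            out.append(f"keyring {name}: pre-shared-key shorter than 16 characters")
    for name, body in objs["proposal"].items():
        for w in (l.split() for l in body):
            weak = [t for t in w[1:] if (w[0] == "encryption" and t in WEAK_ENC)
                    or (w[0] == "integrity" and t in WEAK_INT)
                    or (w[0] == "group" and t.isdigit() and int(t) < 14)]
            if weak:
                out.append(f"proposal {name}: weak {w[0]} {' '.join(weak)}")
    for name, body in objs["policy"].items():
        for prop in arg_after(body, "proposal") or []:
            ref("proposal", prop, f"policy {name}")
    for name, body in objs["profile"].items():
        kr, ident = arg_after(body, "keyring local"), arg_after(body, "match identity remote address")
        if kr:
            ref("keyring", kr[0], f"profile {name}")
            peers = [l.split()[1] for l in objs["keyring"].get(kr[0], []) if l.startswith("address ")]
            if ident and ident[0] not in peers:
                out.append(f"profile {name}: remote identity {ident[0]} has no matching keyring peer")
    for name, tokens in objs["transform-set"].items():
        if weak := [t for t in tokens if t in WEAK_ESP]:
            out.append(f"transform-set {name}: weak {' '.join(weak)}")
    for name, body in objs["crypto-map"].items():
        for prefix, kind in (("set transform-set", "transform-set"),
                             ("set ikev2-profile", "profile"), ("match address", "acl")):
            val = arg_after(body, prefix)
            ref(kind, val[0] if val else "(missing)", f"crypto map {name}")
        if arg_after(body, "set pfs") is None:
            out.append(f"crypto map {name}: PFS not enabled")
    return out
```

Run against the copy of the page's configuration, the only finding is the short pre-shared key (cisco1234); a typo in the profile name referenced by the crypto map, or a downgrade of the proposal to an MD5 integrity algorithm, each produces an additional finding, and a sufficiently long PSK clears the list.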
Verification:
R-VPN1#sh ver
Cisco IOS XE Software, Version 16.04.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.4.2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 27-Apr-17 11:56 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

R-TWN1-VPN1 uptime is 4 days, 50 minutes
Uptime for this control processor is 4 days, 53 minutes
System returned to ROM by Reload Command
System restarted at 11:32:04 EDT Thu Sep 1 2017
System image file is "bootflash:isr4200-universalk9_ias.16.04.08.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected]

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9

Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9        None          None           None
securityk9    securityk9    Permanent      securityk9
ipbase        ipbasek9      Permanent      ipbasek9

cisco ISR4221/K9 (1RU) processor with 1636344K/6147K bytes of memory.
Processor board ID FGL213893E9
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7086079K bytes of flash memory at bootflash:.
0K bytes of  at webui:.

Configuration register is 0x2102
Debug commands:
deb crypto ikev2 packet
deb crypto ikev2 internal
Show commands:
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session
References: