What is the difference between IKEv1 and IKEv2?
1. Different negotiation procedures
− IKEv1

  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation establishes the IKE SA. This phase supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, whereas aggressive mode uses only three, so aggressive mode brings the IKE SA up faster. Aggressive mode, however, provides no peer identity protection: the identity payloads are exchanged before any keying material has been agreed, so they travel in the clear.
  • IKEv1 phase 2 negotiation establishes the IPsec SAs used for data transfer. It uses quick mode (3 ISAKMP messages), which runs under the protection of the phase 1 IKE SA.

− IKEv2

  • IKEv2 simplifies SA negotiation compared with IKEv1. Two exchanges (IKE_SA_INIT followed by IKE_AUTH, 4 messages in total) create the IKE SA and the first pair of IPsec SAs. Each additional pair of IPsec SAs needs only one more exchange (CREATE_CHILD_SA, 2 messages).

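To make the message counts above concrete, here is an added example (not code from the original page) that decodes the 28-byte ISAKMP/IKE header every UDP/500 datagram starts with, tells IKEv1 main, aggressive and quick mode apart from the IKEv2 exchanges using the version and exchange-type fields, and counts the messages each bring-up needs. The packet headers are constructed inline (assumed SPIs, no payload bodies); the exchange-type, flag and payload-type constants are those of RFC 2408 and RFC 7296.

```python
"""Classify IKEv1/IKEv2 messages from their 28-byte header and count exchanges.

Added example, not code from the original page. The packet headers below are
constructed inline to mimic the start of each UDP/500 datagram; payload bodies
are omitted, so `length` is just the header size.
"""
import struct
from collections import Counter

# Fixed header shared by ISAKMP (RFC 2408 s.3.1) and IKEv2 (RFC 7296 s.3.1):
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, length; all fields in network byte order.
HEADER = struct.Struct("!8s8sBBBBII")

IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV1_FLAG_ENCRYPTED = 0x01
IKEV2_FLAG_INITIATOR, IKEV2_FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_V1_SA, PAYLOAD_V1_KE, PAYLOAD_V1_ID, PAYLOAD_V1_HASH = 1, 4, 5, 8
PAYLOAD_V2_SA, PAYLOAD_V2_SK = 33, 46          # SK = Encrypted and Authenticated payload


def parse_ike_header(data: bytes) -> dict:
    """Decode one header; raises ValueError on truncated input or an unknown major version."""
    if len(data) < HEADER.size:
        raise ValueError(f"truncated IKE header: {len(data)} bytes")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = HEADER.unpack_from(data)
    major = version >> 4
    if major == 1:
        exchange = IKEV1_EXCHANGES.get(exch, f"unknown({exch})")
        response = None                                  # IKEv1 has no request/response flag
        encrypted = bool(flags & IKEV1_FLAG_ENCRYPTED)   # set once phase 1 keys are in use
    elif major == 2:
        exchange = IKEV2_EXCHANGES.get(exch, f"unknown({exch})")
        response = bool(flags & IKEV2_FLAG_RESPONSE)
        encrypted = next_payload == PAYLOAD_V2_SK        # everything after IKE_SA_INIT is inside SK
    else:
        raise ValueError(f"unsupported IKE major version {major}")
    return {"version": major, "exchange": exchange, "response": response, "encrypted": encrypted,
            "message_id": msg_id, "length": length, "spi_i": spi_i.hex(), "spi_r": spi_r.hex()}


def build_ike_header(major, exch, *, flags=0, next_payload=0, msg_id=0,
                     spi_i=b"\x11" * 8, spi_r=b"\x00" * 8) -> bytes:
    """Pack a constructed header (payload-less, so length == header size)."""
    return HEADER.pack(spi_i, spi_r, next_payload, major << 4, exch, flags, msg_id, HEADER.size)


def ikev2_tunnel_bringup() -> list:
    """IKEv2: IKE_SA_INIT (2 msgs) + IKE_AUTH (2 msgs) yield the IKE SA and the first Child SA."""
    ini, rsp, r_spi = IKEV2_FLAG_INITIATOR, IKEV2_FLAG_RESPONSE, b"\x22" * 8
    return [
        build_ike_header(2, 34, flags=ini, next_payload=PAYLOAD_V2_SA, msg_id=0),
        build_ike_header(2, 34, flags=rsp, next_payload=PAYLOAD_V2_SA, msg_id=0, spi_r=r_spi),
        build_ike_header(2, 35, flags=ini, next_payload=PAYLOAD_V2_SK, msg_id=1, spi_r=r_spi),
        build_ike_header(2, 35, flags=rsp, next_payload=PAYLOAD_V2_SK, msg_id=1, spi_r=r_spi),
    ]


def ikev1_tunnel_bringup(aggressive: bool = False) -> list:
    """IKEv1: phase 1 (main mode 6 msgs, aggressive 3) then quick mode (3 msgs) for the IPsec SA."""
    enc, r_spi = IKEV1_FLAG_ENCRYPTED, b"\x22" * 8
    if aggressive:   # identities travel in the clear in the first two messages
        phase1 = [build_ike_header(1, 4, next_payload=PAYLOAD_V1_SA),
                  build_ike_header(1, 4, next_payload=PAYLOAD_V1_SA, spi_r=r_spi),
                  build_ike_header(1, 4, next_payload=PAYLOAD_V1_HASH, spi_r=r_spi)]
    else:            # SA, SA, KE, KE, then ID/HASH under encryption: identity protected
        phase1 = [build_ike_header(1, 2, next_payload=PAYLOAD_V1_SA),
                  build_ike_header(1, 2, next_payload=PAYLOAD_V1_SA, spi_r=r_spi),
                  build_ike_header(1, 2, next_payload=PAYLOAD_V1_KE, spi_r=r_spi),
                  build_ike_header(1, 2, next_payload=PAYLOAD_V1_KE, spi_r=r_spi),
                  build_ike_header(1, 2, flags=enc, next_payload=PAYLOAD_V1_ID, spi_r=r_spi),
                  build_ike_header(1, 2, flags=enc, next_payload=PAYLOAD_V1_ID, spi_r=r_spi)]
    quick = [build_ike_header(1, 32, flags=enc, next_payload=PAYLOAD_V1_HASH,
                              msg_id=0x1A2B3C4D, spi_r=r_spi) for _ in range(3)]
    return phase1 + quick


def summarize(packets):
    """Messages per exchange type and the total needed for the captured sequence."""
    counts = Counter(parse_ike_header(p)["exchange"] for p in packets)
    return dict(counts), sum(counts.values())


if __name__ == "__main__":
    for label, pkts in (("IKEv2", ikev2_tunnel_bringup()), ("IKEv1 main", ikev1_tunnel_bringup()),
                        ("IKEv1 aggressive", ikev1_tunnel_bringup(aggressive=True))):
        print(label, summarize(pkts))
```

The same parser works on real captures: feed it the UDP payload of each port 500 datagram (for NAT-T on port 4500, skip the four-byte non-ESP marker first) and the exchange names and the response flag tell you which side is talking and whether the conversation has reached the encrypted stage.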
2. Different authentication methods
– IKEv2 supports EAP authentication. IKEv2 can use an AAA server to authenticate remote mobile and PC users and assign them private addresses. IKEv1 does not provide this: to assign private addresses to remote users it must be combined with L2TP (vendor extensions such as XAUTH and Mode Config add this to IKEv1, but they were never standardised).

3. Different support for IKE SA integrity algorithms
– Only IKEv2 supports a separately configured IKE SA integrity algorithm. In IKEv2 the integrity (INTEG) and pseudo-random function (PRF) transforms are negotiated independently of the encryption transform, which is why the IKEv2 proposal further down carries its own integrity line; IKEv1 has a single hash algorithm attribute that serves both purposes.



4. Different implementation of DPD packet retransmission

– Only IKEv1 supports the retry-interval parameter. If the NGFW sends a DPD packet but receives no reply within the specified retry interval, the device records a DPD failure event and resends the DPD packet. When the number of failure events reaches 5, both the IKE SA and the IPsec SA are deleted. IKE SA negotiation starts again once the device has IPsec traffic to handle. In IKEv2, liveness checking uses the protocol's own INFORMATIONAL exchange and retransmission logic rather than a separate retry-interval setting.

5. Different support for manually set lifetimes
– In IKEv2 the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value, which lowers the probability that both endpoints initiate renegotiation at the same time. The soft lifetime therefore does not need to be set manually in IKEv2.
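An added example (not from the original page) that applies the soft-lifetime rule above to show why the random offset matters: two peers that both rekey at exactly 9/10 of the hard lifetime always collide and end up negotiating duplicate SAs, while a small random offset makes a simultaneous rekey rare. The +/-10% jitter width, the 1-second collision window and the seeded RNG are assumptions of this example, not values from the page.

```python
# Soft-lifetime jitter: why IKEv2 derives the rekey point from the hard lifetime.
# Added example, not from the original page. Implements the rule stated above
# (soft = 9/10 of hard, plus or minus a random offset). The +/-10% jitter width,
# the 1-second collision window and the seeded RNG are this example's assumptions.
import random


def soft_lifetime(hard_seconds, jitter_fraction, rng=None):
    """9/10 of the hard lifetime, then a uniform offset of up to +/- jitter_fraction of that value."""
    rng = rng or random
    base = hard_seconds * 9 / 10
    return base + rng.uniform(-jitter_fraction, jitter_fraction) * base


def collision_rate(hard_seconds, jitter_fraction, trials, window=1.0, seed=1):
    """Fraction of trials in which both peers reach their soft lifetime within `window`
    seconds of each other, i.e. both would initiate a rekey and end up with duplicate SAs."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a = soft_lifetime(hard_seconds, jitter_fraction, rng)   # this end's rekey time
        b = soft_lifetime(hard_seconds, jitter_fraction, rng)   # the peer's rekey time
        hits += abs(a - b) < window
    return hits / trials


if __name__ == "__main__":
    hard = 86400  # one-day IKE SA hard lifetime
    print("no jitter:", collision_rate(hard, 0.0, 1000))   # every trial collides
    print("+/-10%   :", collision_rate(hard, 0.1, 1000))   # almost none do
```

With a one-day hard lifetime the offset spreads the two rekey instants over a window of several hours, so the chance of both sides starting CREATE_CHILD_SA in the same second drops to roughly one in ten thousand.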


Topology:

IKEv2 configuration steps:

  1. Keyring
  2. Proposal
  3. Profile
  4. Policy
  5. Crypto access control list
  6. Transform set
  7. Crypto map (references the peer, the ACL and the transform set)
  8. Apply to the interface

1. Define the IKEv2 keyring (the pre-shared key must match the one configured on the peer; use a long random secret in production rather than a guessable value like the one shown)


crypto ikev2 keyring customer-1
 peer customer1
  address 20.8.91.1
  pre-shared-key cisco1234

2. Define the IKEv2 proposal (encryption, integrity and DH group; when no prf is configured, IOS uses the integrity algorithm as the PRF)


crypto ikev2 proposal Prop-customer1
 encryption aes-cbc-256
 integrity sha256
 group 19

3. Define the IKEv2 profile (matches the peer by address and binds the keyring for pre-shared-key authentication in both directions)

crypto ikev2 profile PROFILE-Customer1
 match identity remote address 20.8.91.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local customer-1

4. Define the IKEv2 policy (binds the proposal)

crypto ikev2 policy POL-Customer1
 proposal Prop-customer1



5. Define the crypto access control list (the "interesting traffic"; the peer must configure the mirror image of these entries, with source and destination swapped, or the proxy identities will not match and the IPsec SA will not come up)

ip access-list extended VPN-ACL-Customer1
 permit ip host 10.8.100.210 host 19.3.157.115
 permit ip host 10.8.100.211 host 19.3.157.2

6. Define the IPsec transform set

crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac

7. Define the crypto map (references the peer, the ACL and the transform set; although the map type is ipsec-isakmp, the set ikev2-profile line is what makes it negotiate with IKEv2, and without it the map falls back to IKEv1)

crypto map CMAP-Customer1 10 ipsec-isakmp
 set peer 20.8.91.1
 set security-association lifetime seconds 3600
 set transform-set TS-Customer1
 set pfs group19
 set ikev2-profile PROFILE-Customer1
 match address VPN-ACL-Customer1



8. Activate the crypto map by applying it to the router's interface


interface GigabitEthernet0/0/0
 ip address 9.10.62.77 255.255.255.224
 negotiation auto
 crypto map CMAP-Customer1

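Once the eight steps are in place, the cheapest mistakes to catch are dangling references (a crypto map that points at a transform set, profile or ACL that does not exist, or that is never applied to an interface) and weak choices that IOS will accept without complaint. The following added example (not code from the page or from Cisco) parses the configuration above, reproduced inline, and flags such problems; the hypothetical audit() function's thresholds (a 16-character minimum pre-shared key and the lists of legacy algorithms and DH groups) are this example's assumptions. Run against the page's own configuration it reports only the short pre-shared key.

```python
# Audit an IOS IKEv2 crypto-map configuration for dangling references and weak choices.
# Added example, not code from the original page or from Cisco IOS. PAGE_CONFIG reproduces the
# parts of the configuration from steps 1-8 above that the audit reads; WEAK_CONFIG is a
# constructed variant. The PSK minimum and the weak-algorithm / weak-DH lists are assumptions.
WEAK_ALGOS = {"des", "3des", "md5", "sha1", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 16

PAGE_CONFIG = """\
crypto ikev2 keyring customer-1
 peer customer1
  address 20.8.91.1
  pre-shared-key cisco1234
crypto ikev2 proposal Prop-customer1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 profile PROFILE-Customer1
 match identity remote address 20.8.91.1 255.255.255.255
 keyring local customer-1
ip access-list extended VPN-ACL-Customer1
 permit ip host 10.8.100.210 host 19.3.157.115
 permit ip host 10.8.100.211 host 19.3.157.2
crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac
crypto map CMAP-Customer1 10 ipsec-isakmp
 set peer 20.8.91.1
 set transform-set TS-Customer1
 set pfs group19
 set ikev2-profile PROFILE-Customer1
 match address VPN-ACL-Customer1
interface GigabitEthernet0/0/0
 crypto map CMAP-Customer1
"""
# Constructed variant: legacy algorithms, weak DH group, no PFS, no IKEv2 profile, map never applied.
WEAK_CONFIG = (PAGE_CONFIG.replace("aes-cbc-256", "3des").replace("integrity sha256", "integrity sha1")
               .replace("group 19", "group 2").replace("esp-aes 256 esp-sha256-hmac", "esp-3des esp-sha-hmac")
               .replace(" set pfs group19\n", "").replace(" set ikev2-profile PROFILE-Customer1\n", "")
               .split("interface")[0])


def parse_sections(text):
    """Split IOS config into (header tokens, [child-line tokens]) using indentation."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.split())
        else:
            sections.append((raw.split(), []))
    return sections


def audit(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    keyring_psk, proposals, profiles = {}, {}, set()
    transform_sets, acls, crypto_maps, applied = {}, set(), {}, set()
    for head, body in parse_sections(config_text):
        if head[:3] == ["crypto", "ikev2", "keyring"]:
            addr = None
            for line in body:
                if line[0] == "address":
                    addr = line[1]
                elif line[0] == "pre-shared-key":
                    keyring_psk[addr] = line[-1]          # the key itself is the last token
        elif head[:3] == ["crypto", "ikev2", "proposal"]:
            proposals[head[3]] = {line[0]: line[1:] for line in body}
        elif head[:3] == ["crypto", "ikev2", "profile"]:
            profiles.add(head[3])
        elif head[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[head[3]] = head[4:]
        elif head[:3] == ["ip", "access-list", "extended"]:
            acls.add(head[3])
        elif head[:2] == ["crypto", "map"] and len(head) > 3:
            # "set X args" -> X: args ; "match address NAME" -> acl: [NAME]
            crypto_maps[head[2]] = {("acl" if line[0] == "match" else line[1] if line[0] == "set" else line[0]):
                                    (line[2:] if line[0] in ("set", "match") else line[1:]) for line in body}
        elif head[0] == "interface":
            applied.update(line[2] for line in body if line[:2] == ["crypto", "map"])

    f = []
    for addr, psk in keyring_psk.items():
        if len(psk) < MIN_PSK_LEN:
            f.append(f"keyring peer {addr}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    for name, p in proposals.items():
        f += [f"proposal {name}: weak algorithm {a}"
              for a in p.get("encryption", []) + p.get("integrity", []) if a in WEAK_ALGOS]
        f += [f"proposal {name}: weak DH group {g}" for g in p.get("group", []) if g in WEAK_DH_GROUPS]
    for name, algos in transform_sets.items():
        f += [f"transform-set {name}: weak algorithm {a}" for a in algos if a in WEAK_ALGOS]
    for name, m in crypto_maps.items():
        # Every reference must resolve; without an IKEv2 profile an ipsec-isakmp map negotiates with IKEv1.
        for key, defined in (("peer", keyring_psk), ("transform-set", transform_sets),
                             ("ikev2-profile", profiles), ("acl", acls)):
            value = m.get(key, ["(missing)"])[0]
            if value not in defined:
                f.append(f"crypto map {name}: {key} {value} not defined")
        pfs = m.get("pfs", ["none"])[0]
        if pfs == "none" or pfs.removeprefix("group") in WEAK_DH_GROUPS:
            f.append(f"crypto map {name}: PFS missing or weak ({pfs})")
        if name not in applied:
            f.append(f"crypto map {name}: not applied to any interface")
    return f
```

Calling audit(PAGE_CONFIG) returns the single pre-shared-key finding; audit(WEAK_CONFIG) returns nine, including the missing IKEv2 profile that would silently turn the map into an IKEv1 tunnel. The parser relies only on IOS indentation, so the same function can be pointed at the output of show running-config.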
Verification:


R-VPN1#sh ver
Cisco IOS XE Software, Version 16.04.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.4.2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 27-Apr-17 11:56 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

R-TWN1-VPN1 uptime is 4 days, 50 minutes
Uptime for this control processor is 4 days, 53 minutes
System returned to ROM by Reload Command
System restarted at 11:32:04 EDT Thu Sep 1 2017
System image file is "bootflash:isr4200-universalk9_ias.16.04.08.SPA.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.



Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           None             None             None
securityk9       securityk9       Permanent        securityk9
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4221/K9 (1RU) processor with 1636344K/6147K bytes of memory.
Processor board ID FGL213893E9
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7086079K bytes of flash memory at bootflash:.
0K bytes of  at webui:.

Configuration register is 0x2102

Debug commands

deb crypto ikev2 packet
deb crypto ikev2 internal

Show commands

show crypto ikev2 sa detailed 
show crypto ipsec sa
show crypto session

By John
