Security (IPSec) Encryption - Chinese edition

www.net130.com     Date: 2006-9-21

A configuration example:
[Figure: IPSECpart8.gif, configuration example topology]
Note: the IP addresses in the figure are labelled wrong; swap 20.20.20.21 and 20.20.20.20.

Click here for the configuration.

Implementation Tips for IPSec

Here are some implementation tips for IPSec:

  • Before you configure crypto, make certain that you have connectivity between the endpoints of the communication.

  • Make sure that either DNS works on the router, or you have entered the CA hostname (if you use a CA).

  • IPSec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Make sure these are permitted appropriately.

  • Be careful not to use the word "any" in your ACL. This causes problems. For more information, see the "Usage Guidelines" for access-list in the PIX command reference.

  • Recommended transform combinations are:

    • esp-des and esp-sha-hmac
    • ah-sha-hmac and esp-des

  • Remember that AH is just an authenticated header. The actual user datastream is not encrypted. For datastream encryption, you need ESP. If you use only AH and see cleartext going across the network, do not be surprised. If you use AH, also use ESP. Note that ESP can perform authentication as well. Therefore, you can use a transform combination such as esp-des and esp-sha-hmac.

  • ah-rfc1828 and esp-rfc1829 are obsolete transforms included for backwards compatibility with older IPSec implementations. If the peer does not support newer transforms, try these instead.

  • SHA is slower and more secure than MD5, whereas MD5 is faster and less secure than SHA. In some communities, the comfort level with MD5 is very low.

  • When in doubt, use tunnel mode. Tunnel mode is the default; it handles the cases where transport mode would be used, as well as providing the gateway-to-gateway VPN capability.

  • For classic crypto users who upgrade to Cisco IOS Software Release 11.3, the way crypto commands are stored in the configuration has changed to allow for IPSec. Consequently, if classic crypto users ever revert to Cisco IOS Software Release 11.2, they will have to re-enter their crypto configurations.

  • If you do a ping test across the encrypted link when you finish your configuration, the negotiation process can take some time (about six seconds on a Cisco 4500, and about 20 seconds on a Cisco 2500) because SAs have not yet been negotiated. Even though everything is configured correctly, your ping can initially fail. The debug crypto ipsec and debug crypto isakmp commands show you what goes on. Once your encrypted datastreams have finished their set up, the ping works fine.

  • If you run into trouble with your negotiation(s) and make configuration changes, use the clear crypto is (short for clear crypto isakmp) and clear crypto sa commands in order to flush the databases before you retry. This forces negotiation to start anew, without any legacy negotiation getting in the way. The clear crypto is and clear cry sa commands are very useful in this manner.
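The following Cisco IOS configuration fragment is an added example, not part of the original article or of Cisco's own documentation. It ties several of the tips above together: the interface ACL permits only the three IPSec-related flows (IP protocol 50, IP protocol 51 and UDP 500), the transform sets are the two recommended combinations, the crypto ACL names specific subnets instead of "any", and the exec commands used to flush state and watch a negotiation are listed at the end. The peer addresses (192.0.2.1 for this router, 198.51.100.1 for the remote peer), the protected subnets and the ACL, transform-set and crypto-map names are all constructed for the example; the pre-shared key is a placeholder.

```cisco
! Added example (not from the original article). Addresses, names and the
! pre-shared key below are constructed placeholders.
!
! --- IKE (ISAKMP) policy: SHA chosen over MD5 per the tip above ---
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REAL-KEY address 198.51.100.1
!
! --- Interface ACL: permit ESP (IP 50), AH (IP 51, IOS keyword "ahp")
!     and IKE (UDP 500, IOS keyword "isakmp") from the peer only ---
ip access-list extended OUTSIDE-IN
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ahp host 198.51.100.1 host 192.0.2.1
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
!
! --- Recommended transform combinations. ESP with an HMAC encrypts and
!     authenticates; AH alone leaves the payload in cleartext. esp-des
!     matches the article's era; current releases also offer esp-aes. ---
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AH-SHA-ESP-DES ah-sha-hmac esp-des
 mode tunnel
!
! --- Crypto ACL: name the exact subnets to protect, never "any" ---
ip access-list extended CRYPTO-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-DES-SHA
 match address CRYPTO-TRAFFIC
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN
!
! --- Exec-mode commands (shown as comments) used after a config change:
!     flush both SA databases so the next ping starts a fresh negotiation,
!     and enable the debugs to watch phase 1 and phase 2 complete. ---
! clear crypto isakmp
! clear crypto sa
! debug crypto isakmp
! debug crypto ipsec
```

The first ping after applying this still fails while the SAs are negotiated, as the tip above describes; the debug output shows the phase 1 (ISAKMP) and phase 2 (IPSec) exchanges completing before traffic matching CRYPTO-TRAFFIC is encrypted.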
