Cisco ASA5505配置
ASA(config)# crypto isakmp policy 10 #建立IKE政策,優先級為10
ASA(config-isakmp-policy)# encryption 3des #使用3des加密
ASA(config-isakmp-policy)# authentication pre-share #使用預共享的密碼進行身份認證
ASA(config-isakmp-policy)# hash md5 #指定hash算法為md5(其他sha、rsa)
ASA(config-isakmp-policy)# lifetime 28800 #指定SA有效期時間。預設86400秒,兩端要一緻
ASA(config-isakmp-policy)# group 1 #指定密鑰位數,1表示768位,2表示1024為,2更安全,更耗cpu資源
ASA(config-isakmp-policy)# exit
ASA(config)# crypto isakmp key bj2legend add 210.82.111.121 #預共享密碼,遠端網關ip
ASA(config)# crypto ipsec transform-set bjicpark esp-3des esp-md5-hmac
#定義一個IPSEC交換集,兩端要一樣
ASA(config)# access-list bjparkvpn permit ip 172.18.5.0 255.255.255.128 192.168.3.0 255.255.255.0 #定義加密通道
ASA(config)# access-list bjparkvpn permit ip 172.18.5.0 255.255.255.128 192.168.2.0 255.255.255.0
ASA(config)# crypto map bjparkmap 20 match address bjparkvpn #建立加密圖
ASA(config)# crypto map bjparkmap 20 set peer 210.82.111.121 #目标位址
ASA(config)# crypto map bjparkmap 20 set transform-set bjpark #指定加密圖使用的IPSEC交換集
ASA(config)# crypto map bjparkmap interface outside #應用加密圖到接口
ASA(config)# crypto isakmp identity address #網關ID,預設IP位址,兩端要一緻
ASA(config)# crypto isakmp enable outside #接口上開啟ike
ASA(config)# crypto isakmp nat-traversal 20 #支援nat穿越
方正方禦FG3000E防火牆配置:
IKE協商模式:主動模式
IKE算法:自動協商
認證方式:預共享
本地網關ID:無
遠端網關ID:無
IPSec算法:自動協商
進階選項:
生存周期:
ISAKMP SA:8小時0分0秒
IPSec SA:24小時0分0秒
支援DPD(Dead Peer Detection):選擇打勾
DPD探測頻率:30秒
DPD探測逾時:10秒
DPD逾時操作:重新啟動連接配接
支援IP載荷壓縮:不選擇
支援完美向前加密(PFS):不選擇
支援密鑰重建(Rekeying):選擇打勾
重試次數:0
相關知識點:
對稱加密或私有密鑰加密:加密解密使用相同的私鑰
DES--資料加密标準 data encryption standard
3DES--3倍資料加密标準 triple data encryption standard
AES--進階加密标準 advanced encryption standard
一些技術提供驗證:
MAC梷消息驗證碼 message authentication code
HMAC梷散列消息驗證碼 hash-based message authentication code
MD5和SHA是提供驗證的散列函數
對稱加密被用于大容量資料,因為非對稱加密站用大量cpu資源
非對稱或公共密鑰加密:
RSA rivest-shamir-adelman
用公鑰加密,私鑰解密。公鑰是公開的,但隻有私鑰的擁有者才能解密
兩個散列常用算法:
HMAC-MD5 使用128位的共享私有密鑰
HMAC-SHA-I 使用160位的私有密鑰
ESP協定:用來提供機密性,資料源驗證,無連接配接完整性和反重放服務,并且通過防止流量分析來限制流量的機密性,這些服務以來于SA建立和實作時的選擇。
加密是有DES或3DES算法完成。可選的驗證和資料完整性由HMAC,keyed SHA-I或MD5提供
IKE--internet密鑰交換:他提供IPSEC對等體驗證,協商IPSEC密鑰和協商IPSEC安全關聯
實作IKE的元件
1:des,3des 用來加密的方式
2:Diffie-Hellman 基于公共密鑰的加密協定允許對方在不安全的信道上建立公共密鑰,在IKE中被用來建立會話密鑰。group 1表示768位,group 2表示1024位
3:MD5,SHA--驗證資料包的雜湊演算法。RAS簽名--基于公鑰加密系統
ASA5505完整配置執行個體:
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name default.domain.invalid
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
names
interface Vlan1
description lan
nameif inside
security-level 100
ip address 192.168.17.1 255.255.255.0
interface Vlan2
description wan
nameif outside
security-level 0
ip address 221.221.221.222 255.255.255.252
interface Ethernet0/0
description Link-wan
switchport access vlan 2
!
interface Ethernet0/1
description Link-lan
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list tjiccparkvpn extended permit ip 192.168.17.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tjiccparkvpn extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list test extended permit ip any any
access-list test extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 221.221.221.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tjicc esp-3des esp-md5-hmac
crypto map tjicc2frankmap 20 match address tjiccparkvpn
crypto map tjicc2frankmap 20 set peer 60.60.60.122
crypto map tjicc2frankmap 20 set transform-set tjicc
crypto map tjicc2frankmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
dhcpd lease 36000
dhcpd address 192.168.17.100-192.168.17.131 inside
dhcpd dns 202.106.0.20 202.106.196.115 interface inside
dhcpd enable inside
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group 60.60.60.122 type ipsec-l2l
tunnel-group 60.60.60.122 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:2c343a46e4a6eda64512791239624f9d
: end
本文轉自netsword 51CTO部落格,原文連結:http://blog.51cto.com/netsword/505106
![查找算法之二分查找查找算法之二分查找[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)