Конфигурация cisco-like:
version 12.4
no service password-encryption
!
crypto ipsec df-bit copy
crypto isakmp identity dn
crypto isakmp fragmentation
crypto isakmp security-association lifetime delta 50
crypto isakmp initiator-sessions-max 100
crypto isakmp responder-sessions-max 100
crypto isakmp keepalive 3
crypto isakmp keepalive retry-count 5
username cscons privilege 15 secret 5 $6$tHtq8SR6$t3CWE6udI6L/ARr9jQowUYR7wEbOWZlx61OvLi7goonOFUYhNSGV49BA.RDGEZ7oKXBA1aTRi20ElR4wtMXTl0
aaa new-model
!
!
hostname Spoke1
enable secret 5 PC9d7N5HlAyLrzuA3qRJvQ==
!
!
!
!
!
crypto isakmp policy 1
encr gost
hash gost341112-256-tc26
authentication gost-sig
group vko2
!
crypto ipsec transform-set GOST_ENCRYPT_AND_INTEGRITY esp-gost28147-4m-imit
!
ip access-list extended IPSEC_GRE_TUNNEL_1
permit gre host 10.10.1.1 host 10.10.100.1
!
!
crypto map VPN 1 ipsec-isakmp
match address IPSEC_GRE_TUNNEL_1
set transform-set GOST_ENCRYPT_AND_INTEGRITY
set peer 172.16.100.10
set dead-connection history off
!
interface GigabitEthernet0/0
ip address 172.16.1.10 255.255.255.0
crypto map VPN
!
interface GigabitEthernet0/1
ip address 192.168.253.10 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 10.10.1.1 255.255.255.255 192.168.253.1
!
crypto pki trustpoint s-terra_technological_trustpoint
revocation-check crl
crl download group ROOTCA http://172.16.101.15/certcrl.crl
crl download time 60
crypto pki certificate chain s-terra_technological_trustpoint
certificate 58E026BFD6D625BE4582C16C6189C183
...
AD4F8901771632E0A0AF83
quit
!
End
Конфигурация LSP:
GlobalParameters(
Title = "This LSP was automatically generated by CSP Converter"
Version = LSP_4_3
CRLHandlingMode = ENABLE
PreserveIPsecSA = FALSE
)
RoutingTable(
Routes =
Route(
Destination = 0.0.0.0/0
Gateway = 172.16.1.1
),
Route(
Destination = 10.10.1.1
Gateway = 192.168.253.1
)
)
FirewallParameters(
TCPSynSentTimeout = 30
TCPFinTimeout = 5
TCPClosedTimeout = 30
TCPSynRcvdTimeout = 30
TCPEstablishedTimeout = 3600
TCPHalfOpenLow = 400
TCPHalfOpenMax = 500
TCPSessionRateLow = 400
TCPSessionRateMax = 500
)
IKETransform crypto:isakmp:policy:1
(
CipherAlg = "G2814789CPRO1-K256-CBC-65534"
HashAlg = "GR341112_256TC26-65128"
GroupID = VKO2_1B
RestrictAuthenticationTo = GOST_SIGN
LifetimeSeconds = 86400
)
ESPProposal GOST_ENCRYPT_AND_INTEGRITY:ESP
(
Transform* = ESPTransform
(
CipherAlg* = "G2814789CPRO2-K288-CNTMAC-253"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
)
IKEParameters(
FragmentSize = 576
SALifetimeDelta = 50
InitiatorSessionsMax = 100
ResponderSessionsMax = 100
)
AuthMethodGOSTSign GOST:Sign
(
LocalID = IdentityEntry( DistinguishedName* = USER_SPECIFIC_DATA )
SendRequestMode = ALWAYS
SendCertMode = ALWAYS
)
IKERule IKERule:VPN:1
(
IKEPeerIPFilter = 172.16.100.10
Transform = crypto:isakmp:policy:1
AggrModeAuthMethod = GOST:Sign
MainModeAuthMethod = GOST:Sign
DPDIdleDuration = 3
DPDResponseDuration = 2
DPDRetries = 5
Priority = 10
)
IPsecAction IPsecAction:VPN:1
(
TunnelingParameters = TunnelEntry(
PeerAddress = 172.16.100.10
DFHandling=COPY
Assemble=TRUE
)
ContainedProposals = ( GOST_ENCRYPT_AND_INTEGRITY:ESP )
NoDeadConnectionHistory = TRUE
IKERule = IKERule:VPN:1
)
FilterChain IPsecPolicy:VPN (
Filters = Filter (
ProtocolID = 17
SourcePort = 500, 4500
Action = PASS
PacketType = LOCAL_UNICAST, LOCAL_MISDIRECTED
),
Filter (
SourceIP = 10.10.1.1
DestinationIP = 10.10.100.1
ProtocolID = 47
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_GRE_TUNNEL_1"
)
)
NetworkInterface (
LogicalName = "GigabitEthernet0/0"
IPsecPolicy = IPsecPolicy:VPN
)