Simulator topology diagram:

huaweiFW1:
Basic configuration
interface GigabitEthernet0/0/0
 ip address 192.168.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
 ip address 202.100.1.10 255.255.255.0
quit
firewall zone trust
 add interface GigabitEthernet0/0/0
quit
firewall zone untrust
 add interface GigabitEthernet0/0/1
quit
ip route-static 172.16.1.0 255.255.255.0 202.100.1.20
policy interzone local untrust inbound
 policy 0
  action permit
 quit
quit
policy interzone trust untrust inbound
 policy 0
  action permit
 quit
quit
policy interzone trust untrust outbound
 policy 0
  action permit
 quit
quit
Configure the IPsec policy
ike proposal 10 == create an IKE proposal and enter the IKE view
 encryption-algorithm 3des-cbc
 == specify an encryption algorithm for the IKE proposal to use
 == the IKE authentication algorithm used by default is cbc
 dh group2
 == configure the parameters used during IKE phase 1 key negotiation
 authentication-method pre-share
quit
Configure the IKE peer
ike peer b
 version 1
 == configure the version
 pre-shared-key hcies
 == configure the pre-shared key used when pre-shared key authentication is adopted
 ike-proposal 10
 remote-address 202.100.1.20
quit
ipsec proposal mypro
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
quit
ipsec policy mymap 10 isakmp
 security acl 3000
 ike-peer b
 proposal mypro
quit
interface GigabitEthernet0/0/1
 ipsec policy mymap

cisco7200:
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
exit
interface FastEthernet0/0
 ip address 202.100.1.20 255.255.255.0
 no shut
exit
ip route 192.168.1.0 255.255.255.0 202.100.1.10
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
exit
crypto isakmp key hcies address 202.100.1.10
crypto ipsec transform-set myset esp-3des esp-sha-hmac
exit
crypto map mymap 10 ipsec-isakmp
 set peer 202.100.1.10
 set transform-set myset
 match address 110
exit
interface FastEthernet0/0
 crypto map mymap
exit

AR1PC:
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.1.10
quit
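
The tunnel between huaweiFW1 and cisco7200 only negotiates when the IKE and ESP parameters, the pre-shared key and the peer addresses on the two ends mirror each other. The Python check below is an added example, not part of the original page: it compares excerpts of the two configurations shown here and names any field that differs. The names CHECKS, value and mismatches are hypothetical, and acl 3000 is not shown on the page, so the ACL mirror is not checked.

```python
import re

# Excerpts of the two configurations on this page (tunnel-relevant lines only).
HUAWEI = """
interface GigabitEthernet0/0/1
 ip address 202.100.1.10 255.255.255.0
ike proposal 10
 encryption-algorithm 3des-cbc
 dh group2
ike peer b
 pre-shared-key hcies
 remote-address 202.100.1.20
ipsec proposal mypro
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
"""
CISCO = """
interface FastEthernet0/0
 ip address 202.100.1.20 255.255.255.0
crypto isakmp policy 10
 encryption 3des
 group 2
crypto isakmp key hcies address 202.100.1.10
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.100.1.10
"""
CHECKS = [  # (field, Huawei regex, Cisco regex); each regex captures the value compared
    ("IKE encryption", r"^ encryption-algorithm (\w+?)(?:-cbc)?$", r"^ encryption (\S+)$"),
    ("DH group", r"^ dh group(\d+)$", r"^ group (\d+)$"),
    ("pre-shared key", r"^ pre-shared-key (\S+)$", r"^crypto isakmp key (\S+) address"),
    ("ESP encryption", r"^ esp encryption-algorithm (\S+)$", r"transform-set \S+ esp-(\S+) "),
    ("ESP authentication", r"^ esp authentication-algorithm (\S+)$", r" esp-(\S+)-hmac$"),
    ("Huawei peer / Cisco address", r"^ remote-address (\S+)$", r"^ ip address (\S+)"),
    ("Cisco peer / Huawei address", r"^ ip address (\S+)", r"^ set peer (\S+)$"),
    ("Cisco key address / Huawei address", r"^ ip address (\S+)", r"isakmp key \S+ address (\S+)$"),
]

def value(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return {"sha": "sha1"}.get(m[1], m[1]) if m else None  # Cisco esp-sha-hmac is HMAC-SHA1

def mismatches(huawei_cfg, cisco_cfg):
    """Names of fields that differ or are missing on one side; values are never echoed."""
    pairs = [(f, value(h, huawei_cfg), value(c, cisco_cfg)) for f, h, c in CHECKS]
    return [f for f, h, c in pairs if h is None or h != c]

if __name__ == "__main__":
    print(mismatches(HUAWEI, CISCO) or "both ends agree")
```

Only field names are reported, so the pre-shared key never ends up in the check's output.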