1.DCR配置
//设置loopback地址,防止接入端为动态地址
R-config#show run
Building configuration...
Current configuration:
!
hostname R
!
isdn switch-type basic-5ess
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
aaa authorization network default local
!
username admin password 0 12345
!
enable password 0 smarteye level 15
!
!
crypto isakmp key 0 12345 address 10.170.3.0 255.255.255.0
crypto isakmp key 0 12345 address 10.217.250.0 255.255.255.0
crypto isakmp nat keepalive 20
crypto isakmp policy 1
authentication pre-share
lifetime 86400
!
crypto ipsec transform-set TS_TP0_1 esp-3des esp-md5-hmac
!
crypto dynamic-map DYN_TP0_1 1
set security-association lifetime seconds 86400
set transform-set TS_TP0_1
Insert access-list extended NAT_WAN0_LIST rule deny
!
crypto map IPSEC_TUNNEL_TP0 1 ipsec-isakmp dynamic DYN_TP0_1
!
!
crypto key load-keyconf end
!
!
interface Null0
!
interface Tunnel0
mtu 1376
ip address 192.200.254.1 255.255.255.252
no ip directed-broadcast
tunnel source GigaEthernet0/0
tunnel destination 128.8.8.8
keepalive period 10
tunnel speed-up
!
interface GigaEthernet0/0
mtu 1400
ip address 192.200.253.2 255.255.255.0
ip tcp adjust-mss 1200
no ip directed-broadcast
ip http firewalltype 0
crypto map IPSEC_TUNNEL_TP0
!
interface GigaEthernet0/1
ip address 172.200.253.1 255.255.255.0
ip address 192.168.2.1 255.255.255.0 secondary
no ip directed-broadcast
ip http firewalltype 0
!
interface Async0/0
no ip address
no ip directed-broadcast
!
interface Async20/0
no ip address
no ip directed-broadcast
!
!
!
!
!
!
!
!
ip route cache
ip route default 192.200.253.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
dial-peer terminator #
dial-peer auto-terminated 3
!
dsp-kernel-ver g729
!
!
sipua-cfg
sipua keepAlive 60
shutdown
!
!
!
gbsc app-ctrl priority onlinegames all
no gbsc app-ctrl drop onlinegames all
gbsc group default
!
gbsc pushto mode text
no gbsc filter-url enable
gbsc filter-url mode forbid
no gbsc filter-key enable
gbsc record-filter-url enable
!
!
ip access-list extended NAT_WAN0_LIST
!
ip access-list extended vpn1
!
!
!
!
ip http ispmode 1
ip http server
ip http language chinese
ip http timeout 10
ip http set-name-value 0
!
no ip proxy enable
ip proxy redirect
!
!
!
!
2.H3C配置
//设置loopback为gre地址,因为动态地址
<H3C>dis cu
#
version 5.20, Release 2514P14
#
sysname H3C
#
domain default enable system
#
telnet server enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
password-recovery enable
#
acl number 3000
rule 5 permit ip source 128.8.8.8 0 destination 192.200.253.2 0
acl number 3001
rule 5 deny ip destination 172.200.253.0 0.0.0.255
rule 10 permit ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 192.168.1.2 192.168.1.100
#
ike proposal 1
#
ike peer vpn
proposal 1
pre-shared-key cipher $c$3$Uzit1ieJJ+tyj/xwj4gxbYWdXSoT3thPOyry
remote-address 192.200.253.2
nat traversal
#
ipsec transform-set vpn
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy vpn 1 isakmp
connection-name vpn
security acl 3000
ike-peer vpn
transform-set vpn
#
dhcp server ip-pool 1
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.1
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$40gC1cxf/wIJNa1ufFPJsjKAof+QP5aV
authorization-attribute level 3
service-type telnet
service-type web
#
wlan rrm
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 crypto
ssid ChinaNet-wlan
cipher-suite ccmp
security-ie rsn
service-template enable
#
cwmp
undo cwmp enable
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 128.8.8.8 255.255.255.255
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0
port link-mode route
#
interface GigabitEthernet0/1
port link-mode bridge
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface Cellular-Ethernet2/0
mtu 1400
ip address cellular-allocated
tcp mss 1200
dialer enable-circular
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
dialer number *99# autodial
nat outbound 3001
ipsec policy vpn
#
interface Tunnel0
ip address 192.200.254.2 255.255.255.252
source LoopBack0
destination 192.200.253.2
keepalive 10 3
#
interface WLAN-BSS31
port link-type hybrid
port hybrid vlan 1 untagged
port-security port-mode psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase cipher $c$3$HifQCK1SwKYALDZ+IzsznpHZ0IwrS7sCob5B
#
interface WLAN-BSS32
port link-type hybrid
port hybrid vlan 1 untagged
port-security port-mode psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase cipher $c$3$HifQCK1SwKYALDZ+IzsznpHZ0IwrS7sCob5B
#
interface WLAN-Radio3/0
service-template 1 interface wlan-bss 31
#
ip route-static 0.0.0.0 0.0.0.0 Cellular-Ethernet2/0
ip route-static 172.200.253.0 255.255.255.0 Tunnel0
#
dhcp enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
<H3C>