# NOTE(review): this fragment is only two interfaces with no routing or crypto; it presumably belongs to
# the transit router between 10.0.0.0/24 and 11.0.0.0/24 (its addresses are the next hops the two site
# routers use for their default routes) — confirm against the source topology.
interface GigabitEthernet0/0
ip address 10.0.2 24 # NOTE(review): "10.0.2" is not a valid IPv4 address (three octets); the site A default route points at 10.0.0.2, so that is presumably what was meant — confirm
#
interface GigabitEthernet 0/1 # NOTE(review): written as "GigabitEthernet 0/1" with a space, unlike every other interface line; presumably accepted, but inconsistent.
ip address 11.0.0.1 24
#
# Site A router: LAN 192.168.1.0/24 on GigabitEthernet0/1, WAN 10.0.0.1 on GigabitEthernet0/0,
# GRE tunnel address 1.1.1.1 towards site B (1.1.1.2). The GRE tunnel carries the inter-site
# traffic and is itself protected by IPsec policy "test".
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
nat outbound 2000 # Outbound NAT on the WAN port for traffic matching ACL 2000 (which permits any source, see below).
#
interface GigabitEthernet0/1
ip address 192.168.1.254 255.255.255.0
#
interface Tunnel0 mode gre # Create interface Tunnel0 with tunnel mode GRE and enter the Tunnel interface view (the original note said "Tunnel1"; the command creates Tunnel0).
ip address 1.1.1.1 255.255.255.0
source 10.0.0.1 # Tunnel source = this router's WAN address.
destination 11.0.0.2 # Tunnel destination = site B's WAN address.
ipsec apply policy test # Apply IPsec policy "test" on this interface, so the GRE traffic is encrypted.
#
ip route-static 0.0.0.0 0 10.0.0.2 # Default route via the WAN next hop.
ip route-static 192.168.2.1 24 1.1.1.2 # Site B LAN via the tunnel peer. NOTE(review): a host address with a /24 prefix length; site B writes the network address (192.168.1.0 24) for the mirror route — confirm this is normalized to 192.168.2.0/24.
#
acl basic 2000
rule 0 permit # Permits every source; referenced by "nat outbound 2000" above.
#
acl advanced 3000 # Create IPv4 advanced ACL 3000 and enter its view.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 # Rule for advanced ACL 3000: permit IP traffic from hosts in 192.168.1.0/24 to hosts in 192.168.2.0/24 (this selects the traffic IPsec protects).
#
ipsec transform-set test # Create the IPsec transform set (security proposal) and enter its view.
esp encryption-algorithm des-cbc # ESP encryption algorithm: DES in CBC mode. NOTE(review): DES (56-bit key) is obsolete; prefer an AES-CBC variant if the platform supports it, and keep it identical on site B.
esp authentication-algorithm md5 # ESP authentication algorithm: MD5. NOTE(review): HMAC-MD5 is deprecated for this use; prefer SHA-1 or, better, SHA-256 if supported, and keep it identical on site B.
#
ipsec policy test 1 isakmp # Create IPsec policy "test" with sequence number 1; SAs are negotiated by IKE.
transform-set test # IPsec policy references the transform set above.
security acl 3000 # ACL referenced by the IPsec policy / policy template to select traffic.
local-address 1.1.1.1 # IKE/IPsec endpoints are the tunnel addresses, because the policy is applied on Tunnel0.
remote-address 1.1.1.2
ike-profile test # IKE profile referenced by the IPsec policy / policy template.
#
ike profile test # Create IKE profile "test" and enter its view.
keychain test # Use IKE keychain "test" for this profile's pre-shared keys.
local-identity address 1.1.1.1
match remote identity address 1.1.1.2 255.255.255.0 # Peer identity type to match: IP address, any address in 1.1.1.0/24. NOTE(review): a 255.255.255.255 mask would pin this to the single expected peer.
match local address Tunnel0 # Restrict the profile's scope: it is only used for IKE negotiations on the address of Tunnel0.
proposal 1 # IKE proposal referenced by this profile.
#
ike proposal 1 # Create IKE proposal 1 and enter its view. NOTE(review): no algorithm, DH group or lifetime is set, so the platform defaults apply — confirm they are acceptable (I believe older Comware releases default to DES / SHA-1 / DH group 1).
#
ike keychain test # Create IKE keychain "test" and enter its view.
match local address Tunnel0
pre-shared-key address 1.1.1.2 255.255.255.0 key simple test # Pre-shared key for the peer. NOTE(review): "simple" stores the key in clear text in the configuration and "test" is a trivial value; use a long random key (in the cipher form where the platform offers it) and keep it identical on site B.
#
# Site B router: LAN 192.168.2.0/24 on GigabitEthernet0/1, WAN 11.0.0.2 on GigabitEthernet0/0,
# GRE tunnel address 1.1.1.2 towards site A (1.1.1.1). Mirror of the site A configuration.
interface GigabitEthernet0/0
ip address 11.0.0.2 255.255.255.0
nat outbound 2000 # Outbound NAT on the WAN port for traffic matching ACL 2000 (which permits any source, see below).
#
interface GigabitEthernet0/1
ip address 192.168.2.254 255.255.255.0
#
interface Tunnel0 mode gre # GRE tunnel towards site A.
ip address 1.1.1.2 255.255.255.0
source 11.0.0.2 # Tunnel source = this router's WAN address.
destination 10.0.0.1 # Tunnel destination = site A's WAN address.
ipsec apply policy test # Apply IPsec policy "test" on the tunnel interface.
#
ip route-static 0.0.0.0 0 11.0.0.1 # Default route via the WAN next hop.
ip route-static 192.168.1.0 24 1.1.1.1 # Site A LAN via the tunnel peer.
#
acl basic 2000
rule 0 permit logging counting # Permits every source, with logging and counting; referenced by "nat outbound 2000" above.
#
acl basic 2001
rule 0 permit counting # NOTE(review): ACL 2001 is not referenced anywhere in the visible configuration — confirm it is needed.
#
acl advanced 3000
rule 0 permit ip source 192.168.2.1 0.0.0.255 destination 192.168.1.0 0.0.0.255 # Mirror of site A's rule. NOTE(review): the source is written as a host (192.168.2.1) with a /24 wildcard; it should evaluate as 192.168.2.0/24, but writing 192.168.2.0 keeps both sides symmetric — confirm.
#
ipsec transform-set test
esp encryption-algorithm des-cbc # NOTE(review): DES-CBC is obsolete; prefer an AES-CBC variant if supported (must match site A).
esp authentication-algorithm md5 # NOTE(review): HMAC-MD5 is deprecated; prefer SHA-1 or SHA-256 if supported (must match site A).
#
ipsec policy test 1 isakmp
transform-set test
security acl 3000
remote-address 1.1.1.1 # NOTE(review): site A also configures local-address; it is omitted here (presumably derived from Tunnel0) — confirm the negotiation uses 1.1.1.2.
ike-profile test
#
ike profile test
keychain test
local-identity address 1.1.1.2
match remote identity address 1.1.1.1 255.255.255.0 # NOTE(review): /24 mask; 255.255.255.255 would pin this to the single expected peer.
match local address Tunnel0
proposal 1
#
ike proposal 1 # NOTE(review): no algorithms set, platform defaults apply — confirm they match site A and are acceptable.
#
ike keychain test
match local address Tunnel0
pre-shared-key address 123.0.0.1 255.255.255.0 key simple test # NOTE(review): this key is bound to 123.0.0.0/24, but the IKE peer is 1.1.1.1 (see remote-address and match remote identity above); with no key for 1.1.1.1 the negotiation would presumably fail — "1.1.1.1 255.255.255.0", as on site A, looks intended, confirm. Also "simple" stores the key in clear text and "test" is a trivial value.
#
sa f # NOTE(review): this line looks truncated (the capture ends here); it is not a complete command as shown.