Lab topology: (diagram not reproduced on this page; from the configurations below, RT1 connects the 192.168.1.0/24 LAN on g0/1/0 and uplinks through g0/1/1 at 192.168.2.1, while RT2 protects the 192.168.4.0/24 LAN and terminates the tunnel at 192.168.3.2)

RT1 configuration:

=======================================================

<H3C>sy  
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ip add 192.168.1.2 255.255.255.0
[H3C-GigabitEthernet0/1/0]un shu
[H3C-GigabitEthernet0/1/0]quit
[H3C]int g0/1/1
[H3C-GigabitEthernet0/1/1]ip add 192.168.2.1 255.255.255.0
[H3C-GigabitEthernet0/1/1]un shu
[H3C-GigabitEthernet0/1/1]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2  (create a default route)
[H3C]acl number 3001  (create an advanced ACL that defines the traffic to protect)
[H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination any  (note: "destination any" sends all traffic from the LAN into the tunnel; a mirrored rule with destination 192.168.4.0 0.0.0.255 is tighter)
[H3C-acl-adv-3001]quit
[H3C]ipsec proposal kalng  (create the IPsec proposal)
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel  (tunnel-mode encapsulation)
[H3C-ipsec-proposal-kalng]transform esp  (security protocol: ESP)
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des  (encryption algorithm: DES, a legacy 56-bit cipher; lab use only)
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5  (authentication algorithm: MD5, legacy; lab use only)
[H3C-ipsec-proposal-kalng]quit
[H3C]ipsec policy map1 10 manual  (create IPsec policy map1, sequence 10, in manual mode: the SAs are configured by hand, no IKE negotiation)
[H3C-ipsec-policy-manual-map1-10]security acl 3001  (reference the ACL)
[H3C-ipsec-policy-manual-map1-10]proposal kalng  (reference the proposal)
[H3C-ipsec-policy-manual-map1-10]tunnel remote 192.168.3.2  (peer tunnel endpoint)
[H3C-ipsec-policy-manual-map1-10]tunnel local 192.168.2.1  (local tunnel endpoint)
[H3C-ipsec-policy-manual-map1-10]sa spi inbound esp 123456  (inbound ESP SPI)
[H3C-ipsec-policy-manual-map1-10]sa spi outbound esp 654321  (outbound ESP SPI)
[H3C-ipsec-policy-manual-map1-10]sa string-key outbound esp abcdef  (outbound ESP key string; the device derives the authentication and encryption keys from it)
[H3C-ipsec-policy-manual-map1-10]sa string-key inbound esp fedcba  (inbound ESP key string)
[H3C-ipsec-policy-manual-map1-10]quit
[H3C]int g0/1/1
[H3C-GigabitEthernet0/1/1]ipsec policy map1  (apply the IPsec policy on the interface that holds the "tunnel local" address)
[H3C-GigabitEthernet0/1/1]quit
RT2 configuration:

===========================================

<H3C>sy  
[H3C]int g0/1/0  (taken as RT2's uplink interface, since the IPsec policy is applied here below)
[H3C-GigabitEthernet0/1/0]ip add 192.168.3.2 255.255.255.0  (must be the address used as "tunnel local" in the policy below)
[H3C-GigabitEthernet0/1/0]un shu
[H3C-GigabitEthernet0/1/0]quit
[H3C]int g0/1/1  (LAN side, 192.168.4.0/24)
[H3C-GigabitEthernet0/1/1]ip add 192.168.4.1 255.255.255.0  (host part .1 is assumed; the page does not give it)
[H3C-GigabitEthernet0/1/1]un shu
[H3C-GigabitEthernet0/1/1]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.3.1  (next hop assumed; the page does not give it, it must lie in 192.168.3.0/24)
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.4.0 0.0.0.255 destination any  (mirror of RT1's rule; destination 192.168.1.0 0.0.0.255 would be tighter)
[H3C-acl-adv-3001]qui   
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]quit
[H3C]ipsec policy map1 10 manual
[H3C-ipsec-policy-manual-map1-10]security acl 3001
[H3C-ipsec-policy-manual-map1-10]proposal kalng
[H3C-ipsec-policy-manual-map1-10]tunnel remote 192.168.2.1
[H3C-ipsec-policy-manual-map1-10]tunnel local 192.168.3.2
[H3C-ipsec-policy-manual-map1-10]sa spi inbound esp 654321
[H3C-ipsec-policy-manual-map1-10]sa spi outbound esp 123456
[H3C-ipsec-policy-manual-map1-10]sa string-key outbound esp fedcba
[H3C-ipsec-policy-manual-map1-10]sa string-key inbound esp abcdef
[H3C-ipsec-policy-manual-map1-10]quit
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ipsec policy map1  (apply the policy on the interface that holds the "tunnel local" address 192.168.3.2)
[H3C-GigabitEthernet0/1/0]quit
 

PS: The inbound SPI and key configured on RT2 must be identical to the outbound SPI and key configured on RT1, and vice versa; otherwise the IPsec tunnel cannot be established.
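The mirroring rule in that note is easy to get wrong by hand. As an added example (not part of this page), here is a small Python checker that parses the proposal and manual-policy lines of both routers and reports every SPI, key string, tunnel address or algorithm that is not mirrored between the peers, and also flags the legacy DES/MD5 choices; the RT1/RT2 text inside it is constructed from the lines above with the CLI prompts stripped.

```python
import re
# Constructed sample: the proposal and manual-SA policy lines of RT1 and RT2 from
# this page, CLI prompts stripped (real input: `display current-configuration`).
RT1 = """
 esp encryption-algorithm des
 esp authentication-algorithm md5
 tunnel remote 192.168.3.2
 tunnel local 192.168.2.1
 sa spi inbound esp 123456
 sa spi outbound esp 654321
 sa string-key outbound esp abcdef
 sa string-key inbound esp fedcba
"""
RT2 = """
 esp encryption-algorithm des
 esp authentication-algorithm md5
 tunnel remote 192.168.2.1
 tunnel local 192.168.3.2
 sa spi inbound esp 654321
 sa spi outbound esp 123456
 sa string-key outbound esp fedcba
 sa string-key inbound esp abcdef
"""

# One regex per setting family; group 1 names the setting, group 2 is its value.
PATTERNS = [r"\s*(tunnel (?:local|remote)) (\S+)",
            r"\s*sa ((?:spi|string-key) (?:inbound|outbound)) esp (\S+)",
            r"\s*esp ((?:encryption|authentication)-algorithm) (\S+)"]

def parse_config(text):
    """Map each SA-relevant setting (e.g. 'spi inbound') to its configured value."""
    fields = {}
    for line in text.splitlines():
        for m in filter(None, (re.match(p, line) for p in PATTERNS)):
            fields[m.group(1)] = m.group(2)
    return fields

# Setting on peer A -> setting on peer B that must carry the same value (the PS rule).
MIRROR = {"tunnel local": "tunnel remote", "tunnel remote": "tunnel local",
          "spi inbound": "spi outbound", "spi outbound": "spi inbound",
          "string-key inbound": "string-key outbound", "string-key outbound": "string-key inbound",
          "encryption-algorithm": "encryption-algorithm", "authentication-algorithm": "authentication-algorithm"}

def mismatches(a, b):
    """Return (setting_a, value_a, setting_b, value_b) for every pair that does not match."""
    return [(x, a.get(x), y, b.get(y)) for x, y in MIRROR.items() if a.get(x) != b.get(y)]

def weak_algorithms(fields):
    """Legacy algorithms found in the proposal (DES and MD5, as used in this lab)."""
    return sorted(v for k, v in fields.items() if k.endswith("-algorithm") and v in {"des", "3des", "md5"})
```

An empty list from mismatches() means the two manual SAs are consistent; each tuple it returns names the exact pair of commands to correct.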