Both ends have fixed IP addresses, and both use main mode to negotiate the IKE SA.
First make sure the two routers can reach each other, i.e. that the "public network" path between them works.
1. Create an ACL to select the interesting traffic
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
2. Configure IKE
1) Configure the IKE proposal
ike proposal 1
dh group14
2) Configure the IKE keychain
ike keychain zb
pre-shared-key address 10.10.23.3 255.255.255.0 key cipher $c$3$vP3eSxnzpgQCsewjgD0XqPt++vFK5/C1hw==
3) Configure the IKE profile
ike profile zb
keychain zb
match remote identity address 10.10.23.3 255.255.255.0
proposal 1
3. Configure the IPsec transform set (security proposal)
ipsec transform-set zb
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
4. Configure the IPsec policy
ipsec policy zb 1 isakmp
transform-set zb
security acl 3000
remote-address 10.10.23.3
ike-profile zb
5. Apply the IPsec policy on the interface
interface GigabitEthernet0/1
ipsec apply policy zb
The configuration above is for the headquarters router.
6. Apply a matching configuration on the branch router.
acl advanced 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike proposal 1
dh group14
ike keychain fb
pre-shared-key address 10.10.12.1 255.255.255.0 key cipher $c$3$0Ciwi35dB0MfgeEJVCfMLmejFIUrrJY+Hw==
ike profile fb
keychain fb
match remote identity address 10.10.12.1 255.255.255.0
proposal 1
ipsec transform-set fb
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy fb 1 isakmp
transform-set fb
security acl 3000
remote-address 10.10.12.1
ike-profile fb
interface GigabitEthernet0/0
ipsec apply policy fb
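The two configurations above only bring up a tunnel if they agree with each other: the interesting-traffic ACLs must be mirror images, the DH group and transform-set algorithms must match, and on each router the peer address in the keychain, the profile match rule and the policy must be the same. The following Python script, added here as an example and not part of the original write-up, parses both configurations (copied inline as constructed sample input) and reports these consistency problems. It also flags 3des-cbc and md5, which the page uses but which are deprecated for IPsec; the regexes assume the Comware line formats shown on this page and nothing else.

```python
import re

# Constructed sample input: the headquarters (zb) and branch (fb) configurations
# from the write-up above; the interface application lines are not needed here.
HQ_CONFIG = """
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
ike proposal 1
dh group14
ike keychain zb
pre-shared-key address 10.10.23.3 255.255.255.0 key cipher $c$3$vP3eSxnzpgQCsewjgD0XqPt++vFK5/C1hw==
ike profile zb
keychain zb
match remote identity address 10.10.23.3 255.255.255.0
proposal 1
ipsec transform-set zb
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy zb 1 isakmp
transform-set zb
security acl 3000
remote-address 10.10.23.3
ike-profile zb
"""

BRANCH_CONFIG = """
acl advanced 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike proposal 1
dh group14
ike keychain fb
pre-shared-key address 10.10.12.1 255.255.255.0 key cipher $c$3$0Ciwi35dB0MfgeEJVCfMLmejFIUrrJY+Hw==
ike profile fb
keychain fb
match remote identity address 10.10.12.1 255.255.255.0
proposal 1
ipsec transform-set fb
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy fb 1 isakmp
transform-set fb
security acl 3000
remote-address 10.10.12.1
ike-profile fb
"""

# Algorithms a reviewer should flag: 3DES and MD5 are deprecated for IPsec.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_AUTHENTICATION = {"md5"}

# One anchored regex per field the checks need (Comware syntax as on the page).
PATTERNS = {
    "acl": re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"),
    "dh": re.compile(r"dh (\S+)"),
    "keychain_addr": re.compile(r"pre-shared-key address (\S+)"),
    "match_addr": re.compile(r"match remote identity address (\S+)"),
    "enc": re.compile(r"esp encryption-algorithm (\S+)"),
    "auth": re.compile(r"esp authentication-algorithm (\S+)"),
    "remote_addr": re.compile(r"remote-address (\S+)"),
}


def parse_side(config):
    """Extract the fields used by the consistency checks from one router's config."""
    side = {"acl": []}
    for raw in config.splitlines():
        line = raw.strip()
        for field, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                if field == "acl":
                    side["acl"].append(m.groups())  # (src, src_wc, dst, dst_wc)
                else:
                    side[field] = m.group(1)
                break
    return side


def audit_site_to_site(hq_config, branch_config):
    """Return a list of findings; an empty list means both peers agree and no flagged algorithm is used."""
    hq, br = parse_side(hq_config), parse_side(branch_config)
    findings = []
    # The interesting-traffic ACLs must be mirror images, otherwise the peers'
    # flow selectors disagree and the SA negotiation fails or is one-directional.
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in br["acl"]}
    if set(hq["acl"]) != mirrored:
        findings.append("ACL rules are not mirror images of each other")
    # IKE proposal and IPsec transform set must match on both peers.
    if hq.get("dh") != br.get("dh"):
        findings.append("IKE DH group differs between peers")
    if (hq.get("enc"), hq.get("auth")) != (br.get("enc"), br.get("auth")):
        findings.append("IPsec transform-set algorithms differ between peers")
    for name, side in (("HQ", hq), ("branch", br)):
        # Keychain, profile match rule and policy must all name the same peer.
        addrs = {side.get("keychain_addr"), side.get("match_addr"), side.get("remote_addr")}
        if len(addrs) != 1:
            findings.append(f"{name}: peer address inconsistent: {sorted(str(a) for a in addrs)}")
        if side.get("enc") in WEAK_ENCRYPTION:
            findings.append(f"{name}: weak encryption algorithm {side['enc']}")
        if side.get("auth") in WEAK_AUTHENTICATION:
            findings.append(f"{name}: weak authentication algorithm {side['auth']}")
    return findings


if __name__ == "__main__":
    for finding in audit_site_to_site(HQ_CONFIG, BRANCH_CONFIG):
        print(finding)
```

Run against the two configurations on this page the script reports no mismatch between the peers and four algorithm findings (3des-cbc and md5 on each side); changing one subnet in either ACL rule adds an "ACL rules are not mirror images" finding.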