Underlay configuration
RA:
interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 1.1.1.100
RB:
interface GigabitEthernet0/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 2.1.1.100
INTERNET:
vlan batch 10 20
interface Vlanif10
ip address 1.1.1.100 255.255.255.0
#
interface Vlanif20
ip address 2.1.1.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
Manually establishing IPsec (manual SAs)
RA:
Define the interesting traffic from PCA to PCB
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
Configure the IPsec proposal (ESP encapsulation, authentication and encryption algorithms)
ipsec proposal TRAN
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
Configure the security policy (manual mode)
ipsec policy MAP 10 manual
security acl 3001
proposal TRAN
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher huawei
sa spi outbound esp 12345
sa string-key outbound esp cipher huawei
Apply the policy to the outbound interface
interface GigabitEthernet0/0/1
ipsec policy MAP
q
RB:
Define the interesting traffic from PCB to PCA
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Configure the IPsec proposal (ESP encapsulation, authentication and encryption algorithms)
ipsec proposal TRAN
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
Configure the security policy (manual mode)
ipsec policy MAP 10 manual
security acl 3001
proposal TRAN
tunnel local 2.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei
Apply the policy to the outbound interface
interface GigabitEthernet0/0/0
ipsec policy MAP
q
Note that inbound and outbound in the two policies must correspond: RA's inbound SPI and key (54321, huawei) are RB's outbound SPI and key, and RA's outbound SPI (12345) is RB's inbound SPI. The tunnel local/remote addresses and the ACL source/destination are likewise mirrored, and both peers must use the same proposal.
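Because manual SAs have no negotiation, a mismatch between the two peers only shows up as silently dropped traffic. The following Python script is an added example, not part of the original page or any Huawei tool: it parses the two manual `ipsec policy` blocks and their ACL rules in the VRP syntax shown above and reports every parameter that fails to mirror (tunnel endpoints, SPIs, keys, proposal algorithms, interesting traffic). The RA and RB snippets embedded below are copied from this page; the `ManualSA`, `parse_peer` and `check_pair` names are the example's own.

```python
"""Cross-check two Huawei VRP manual IPsec SA configurations for consistency.

Added example, not from the original page. Parses the `ipsec policy ... manual`
parameters and the ACL rule for two peers and lists every mismatch between them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input: the RA and RB IPsec configuration exactly as given on the page.
RA_CFG = """
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec proposal TRAN
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy MAP 10 manual
security acl 3001
proposal TRAN
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher huawei
sa spi outbound esp 12345
sa string-key outbound esp cipher huawei
"""

RB_CFG = """
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal TRAN
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy MAP 10 manual
security acl 3001
proposal TRAN
tunnel local 2.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei
"""


@dataclass
class ManualSA:
    """Parameters of one peer's manual SA (hypothetical structure for this example)."""
    local: str = ""
    remote: str = ""
    esp_auth: str = ""
    esp_enc: str = ""
    acl_src: str = ""
    acl_dst: str = ""
    spi: dict[str, int] = field(default_factory=dict)   # "inbound"/"outbound" -> SPI
    key: dict[str, str] = field(default_factory=dict)   # "inbound"/"outbound" -> key


def parse_peer(cfg: str) -> ManualSA:
    """Extract the manual-SA parameters from one peer's VRP configuration text."""
    sa = ManualSA()
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"tunnel (local|remote) (\S+)$", line):
            setattr(sa, m.group(1), m.group(2))
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)$", line):
            sa.spi[m.group(1)] = int(m.group(2))
        elif m := re.match(r"sa string-key (inbound|outbound) esp cipher (\S+)$", line):
            sa.key[m.group(1)] = m.group(2)
        elif m := re.match(r"esp authentication-algorithm (\S+)$", line):
            sa.esp_auth = m.group(1)
        elif m := re.match(r"esp encryption-algorithm (\S+)$", line):
            sa.esp_enc = m.group(1)
        elif m := re.match(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)$", line):
            sa.acl_src, sa.acl_dst = m.group(1), m.group(2)
    return sa


def check_pair(a: ManualSA, b: ManualSA) -> list[str]:
    """Return a list of mismatches; an empty list means the two peers mirror correctly."""
    problems: list[str] = []
    if a.local != b.remote or a.remote != b.local:
        problems.append("tunnel local/remote endpoints are not mirrored")
    # A's inbound SA is B's outbound SA and vice versa: SPI and key must match crosswise.
    for d_a, d_b in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.spi.get(d_a) != b.spi.get(d_b):
            problems.append(f"SPI mismatch: A {d_a} {a.spi.get(d_a)} vs B {d_b} {b.spi.get(d_b)}")
        if a.key.get(d_a) != b.key.get(d_b):
            problems.append(f"key mismatch between A {d_a} and B {d_b}")
    if (a.esp_auth, a.esp_enc) != (b.esp_auth, b.esp_enc):
        problems.append("ESP proposal algorithms differ between peers")
    if a.acl_src != b.acl_dst or a.acl_dst != b.acl_src:
        problems.append("ACL interesting traffic is not mirrored")
    return problems


if __name__ == "__main__":
    issues = check_pair(parse_peer(RA_CFG), parse_peer(RB_CFG))
    print("OK: RA and RB mirror each other" if not issues else "\n".join(issues))
```

Running the script against the page's configuration prints `OK`; flipping a single SPI or key on one side produces a one-line mismatch report naming the direction, which is the check to run before blaming the underlay when pings across the tunnel fail.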