Underlay configuration
RA:
interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 1.1.1.100
RB:
interface GigabitEthernet0/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 2.1.1.100
INTERNET:
vlan batch 10 20
interface Vlanif10
ip address 1.1.1.100 255.255.255.0
#
interface Vlanif20
ip address 2.1.1.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
IKE auto-negotiation
RA:
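Define the interesting traffic
acl 3001
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
Configure the IPsec security proposal
ipsec proposal TRAN
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
quit
Configure the IKE security proposal
ike proposal 5
encryption-algorithm aes-cbc-128
authentication-algorithm md5
dh group14
quit
Configure the IKE peer: following the configuration above, set the pre-shared key and the remote peer ID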
ike peer PER v1
pre-shared-key cipher huawei@123
ike-proposal 5
remote-address 2.1.1.1
Configure the security policy in IKE dynamic negotiation mode
ipsec policy MAP 10 isakmp
ike-peer PER
proposal TRAN
security acl 3001
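quit
Apply the policy to the interface (on RA the public-facing interface is GigabitEthernet0/0/1, which holds 1.1.1.1)
interface GigabitEthernet0/0/1
ipsec policy MAP
quit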
RB:
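Define the interesting traffic
acl 3001
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Configure the IPsec security proposal
ipsec proposal TRAN
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
quit
Configure the IKE security proposal
ike proposal 5
encryption-algorithm aes-cbc-128
authentication-algorithm md5
dh group14
quit
Configure the IKE peer: following the configuration above, set the pre-shared key and the remote peer ID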
ike peer PER v1
pre-shared-key cipher huawei@123
ike-proposal 5
remote-address 1.1.1.1
Configure the security policy in IKE dynamic negotiation mode
ipsec policy MAP 10 isakmp
ike-peer PER
proposal TRAN
security acl 3001
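quit
Apply the policy to the interface (on RB the public-facing interface is GigabitEthernet0/0/0, which holds 2.1.1.1)
interface GigabitEthernet0/0/0
ipsec policy MAP
quit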
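The two peers only negotiate if their settings line up, so the following added Python check (not part of the original notes) parses both configs and reports mismatches in the mirrored ACLs, the IKE proposal, the pre-shared key, and each remote-address versus the address of the interface the peer's policy is bound to. The sample configs are constructed from the RA/RB values above, the key EXAMPLE-KEY is a placeholder, and the names parse and check_pair are hypothetical.

```python
# Constructed sample config modelled on the RA/RB setup above; the key is a placeholder.
TEMPLATE = """\
interface {ifname}
 ip address {ip} 255.255.255.0
 ipsec policy MAP
acl 3001
 rule permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
ike proposal 5
 authentication-algorithm md5
 dh group14
ike peer PER v1
 pre-shared-key cipher EXAMPLE-KEY
 remote-address {peer}
"""
RA = TEMPLATE.format(ifname="GigabitEthernet0/0/1", ip="1.1.1.1", peer="2.1.1.1",
                     src="192.168.1.0", dst="192.168.2.0")
RB = TEMPLATE.format(ifname="GigabitEthernet0/0/0", ip="2.1.1.1", peer="1.1.1.1",
                     src="192.168.2.0", dst="192.168.1.0")

def parse(cfg):
    """Pull out the fields that both ends of the tunnel must agree on."""
    out, section, ip = {"ike": {}, "bound_ip": None}, "", None
    for line in filter(str.strip, cfg.splitlines()):    # skip blank lines
        words = line.split()
        if not line.startswith(" "):
            section, ip = line, None                     # new top-level block
        elif section.startswith("interface"):
            if words[:2] == ["ip", "address"]:
                ip = words[2]
            elif words[:2] == ["ipsec", "policy"]:
                out["bound_ip"] = ip                     # address the policy is bound to
        elif section.startswith("acl") and words[0] == "rule":
            out["flow"] = (words[words.index("source") + 1], words[words.index("destination") + 1])
        elif section.startswith("ike proposal"):
            out["ike"][words[0]] = words[1]
        elif section.startswith("ike peer"):
            out[words[0]] = words[-1]                    # pre-shared-key, remote-address
    return out

def check_pair(a_cfg, b_cfg):
    """Return the mismatches between two peers that would break IKE negotiation."""
    a, b = parse(a_cfg), parse(b_cfg)
    return [msg for ok, msg in (
        (a["flow"] == b["flow"][::-1], "ACLs are not mirror images"),
        (a["ike"] == b["ike"], "IKE proposals differ"),
        (a["pre-shared-key"] == b["pre-shared-key"], "pre-shared keys differ"),
        (a["remote-address"] == b["bound_ip"], "first peer's remote-address is not the second peer's policy interface"),
        (b["remote-address"] == a["bound_ip"], "second peer's remote-address is not the first peer's policy interface"),
    ) if not ok]
```

Calling check_pair(RA, RB) returns an empty list for the matched pair; the parser expects full-form commands with sub-commands indented by one space.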
Test results