9.3 标准IPSEC配置
9.3.1 标准的ipsec配置
【需求】
两台路由器通过internet采用ipsec tunnel方式互通
【组网图】
【配置脚本】
RouterA配置脚本 |
# sysname RouterA # radius scheme system # domain system # ike proposal 1 # ike peer a pre-shared-key huawei-3com remote-address 202.0.0.2 # ipsec proposal a # ipsec policy a 1 isakmp security acl 3000 ike-peer a proposal a # acl number 3000 rule 0 permit ip source 192.168.1.0 0.0.0.255
destination 192.168.2.0 0.0.0.255 # interface Ethernet1/0/0 ip address 192.168.1.1 255.255.255.0 # interface Serial2/0/0 link-protocol ppp ip address 202.0.0.1 255.255.255.0 ipsec policy a # interface NULL0 # ip route-static 0.0.0.0 0.0.0.0
202.0.0.2 preference 60 # user-interface con 0 user-interface vty 0 4 # return |
RouterB配置脚本 |
# sysname RouterB # radius scheme system # domain system # ike proposal 1 # ike peer b pre-shared-key huawei-3com remote-address 202.0.0.1 # ipsec proposal b # ipsec policy b 1 isakmp security acl
3000 ike-peer b proposal b # acl number 3000 rule 0 permit ip source 192.168.2.0 0.0.0.255
destination 192.168.1.0 0.0.0.255 # interface Ethernet1/0/0 ip address 192.168.2.1 255.255.255.0 # interface Serial2/0/0 link-protocol ppp ip address 202.0.0.2 255.255.255.0 ipsec policy b # interface NULL0 # ip route-static 0.0.0.0 0.0.0.0 202.0.0.1 preference 60 # user-interface con 0 user-interface vty
0 4 # return |
【验证】
确认RouterA上建立ike sa
[RouterA]disp ike
sa
total phase-1 SAs:
1
connection-id peer flag phase doi
----------------------------------------------------------
2 202.0.0.2 RD|ST 1 IPSEC
3 202.0.0.2 RD|ST 2 IPSEC
flag meaning
RD--
【提示】
1、 当路由器即需要配置ipsec,又需要使用NAT的,一定要在NAT的ACL中deny掉ipsec保护的流。否则需要进行ipsec
保护的流会先会被NAT的ACL匹配,进行NAT,而无法触发ipsec的建立。