babala 2007-3-7 08:05
Huawei router standard IPSEC configuration
【Router A】
ike proposal 1
#
ike peer a
pre-shared-key huawei-3com
remote-address 202.0.0.2
#
ipsec proposal a
#
ipsec policy a 1 isakmp
security acl 3009
ike-peer a
proposal a
#
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0
ip address 202.0.0.1 255.255.255.0
ipsec policy a
#
acl number 3009
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip
#
ip route-static 0.0.0.0 0.0.0.0 202.0.0.2 preference 60
【Router B】
ike proposal 1
#
ike peer b
pre-shared-key huawei-3com
remote-address 202.0.0.1
#
ipsec proposal b
#
ipsec policy b 1 isakmp
security acl 3009
ike-peer b
proposal b
#
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet2/0
ip address 202.0.0.2 255.255.255.0
ipsec policy b
#
acl number 3009
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
ip route-static 0.0.0.0 0.0.0.0 202.0.0.1 preference 60
【Note】
1. When a router has to be configured for IPsec and also use NAT, the IPsec-protected traffic must be denied in the NAT ACL. Otherwise the traffic that should be IPsec-protected is matched by the NAT ACL first and gets NATed, so IPsec establishment is never triggered.
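To illustrate the note above, here is an added Python model (not part of the original post and not Huawei code) of first-match ACL evaluation: it loads ACL 3009 from Router A and a constructed NAT ACL (a hypothetical "acl number 3000" applied with nat outbound on Ethernet2/0) in a broken form and in the corrected form with the deny rule in front, then shows which treatment the 192.168.1.0/24 to 192.168.2.0/24 flow receives in each case.

```python
import ipaddress

# Parse one Huawei/H3C-style ACL rule line, e.g.
#   "rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"
# The wildcard mask is handed to ipaddress as a hostmask ("net/0.0.0.255").
def parse_rule(line):
    tok = line.split()
    action = tok[2]
    src = dst = ipaddress.ip_network("0.0.0.0/0")
    if "source" in tok:
        i = tok.index("source")
        src = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}")
    if "destination" in tok:
        i = tok.index("destination")
        dst = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}")
    return action, src, dst

# First-match evaluation with an implicit deny at the end, as on the router.
def acl_permits(rules, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False

# ACL 3009 from Router A above: the flow IPsec is supposed to protect.
IPSEC_ACL_3009 = [parse_rule(l) for l in [
    "rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule 1 deny ip",
]]

# Constructed NAT ACL (hypothetical "acl number 3000"), not from the post.
# Broken form: permits everything from the LAN, including the IPsec flow.
NAT_ACL_BROKEN = [parse_rule("rule 0 permit ip source 192.168.1.0 0.0.0.255")]
# Corrected form: deny the IPsec-protected flow first, then permit the rest.
NAT_ACL_FIXED = [parse_rule(l) for l in [
    "rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule 1 permit ip source 192.168.1.0 0.0.0.255",
]]

# Model of the ordering the note describes: the NAT ACL is consulted before
# the IPsec policy on the outbound interface; a NATed packet never triggers IPsec.
def egress_treatment(nat_acl, src_ip, dst_ip):
    if acl_permits(nat_acl, src_ip, dst_ip):
        return "nat"
    if acl_permits(IPSEC_ACL_3009, src_ip, dst_ip):
        return "ipsec"
    return "plain"

if __name__ == "__main__":
    for name, acl in [("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)]:
        print(name, egress_treatment(acl, "192.168.1.10", "192.168.2.20"))
```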