1. Manual mode:
Site1:
```
#
acl number 3000
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ipsec policy daupon-policy 10 manual
 security acl 3000
 proposal daupon-proposal
 tunnel local 61.128.1.1
 tunnel remote 202.100.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp simple daupon123
 sa spi outbound esp 54321
 sa string-key outbound esp simple daupon321
interface GigabitEthernet0/0/0
 ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 61.128.1.1 255.255.255.0
 ipsec policy daupon-policy
#
ip route-static 0.0.0.0 0.0.0.0 61.128.1.10
```
Site2:
```
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ipsec policy daupon-policy 10 manual
 security acl 3000
 proposal daupon-proposal
 tunnel local 202.100.1.1
 tunnel remote 61.128.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp simple daupon321
 sa spi outbound esp 12345
 sa string-key outbound esp simple daupon123
#
interface GigabitEthernet0/0/0
 ip address 202.100.1.1 255.255.255.0
 ipsec policy daupon-policy
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
```
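In manual mode nothing is negotiated, so each site's inbound SPI and key must equal the peer's outbound ones, and the tunnel endpoints and ACL must be mirrored. The following check is an added example, not part of the original page: it audits the two manual-mode stanzas above for that mirroring and flags keys entered with `simple`, which keeps them in plaintext in the configuration. The names `parse`, `audit` and `MIRROR` are hypothetical.

```python
# Manual-mode stanzas copied from the two site configurations on this page.
SITE1 = """\
acl number 3000
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec policy daupon-policy 10 manual
 tunnel local 61.128.1.1
 tunnel remote 202.100.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp simple daupon123
 sa spi outbound esp 54321
 sa string-key outbound esp simple daupon321
"""
SITE2 = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
ipsec policy daupon-policy 10 manual
 tunnel local 202.100.1.1
 tunnel remote 61.128.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp simple daupon321
 sa spi outbound esp 12345
 sa string-key outbound esp simple daupon123
"""
# Field on one site -> field on the peer that must carry the same value.
MIRROR = [("local", "remote"), ("src", "dst"),
          ("spi_inbound", "spi_outbound"), ("key_inbound", "key_outbound")]

def parse(cfg):
    """Extract the fields that must mirror the peer's from one site's config."""
    f = {}
    for w in map(str.split, cfg.splitlines()):
        if w[:1] == ["tunnel"]:                      # tunnel local|remote <ip>
            f[w[1]] = w[2]
        elif w[:2] == ["sa", "spi"]:                 # sa spi <dir> esp <spi>
            f["spi_" + w[2]] = w[4]
        elif w[:2] == ["sa", "string-key"]:          # ... <dir> esp <store> <key>
            f["key_" + w[2]], f["store_" + w[2]] = w[5], w[4]
        elif w[:1] == ["rule"]:                      # source/destination + wildcard
            f["src"], f["dst"] = w[5:7], w[8:10]
    return f

def audit(cfg_a, cfg_b):
    """Return findings for a manual-mode pair; key values are never echoed."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for p, q in MIRROR + [(y, x) for x, y in MIRROR]:
        if a.get(p) is None or a.get(p) != b.get(q):
            out.append(f"mismatch: site A {p} != site B {q}")
    out += [f"plaintext: site {n} {d} key uses 'simple'"
            for n, s in (("A", a), ("B", b)) for d in ("inbound", "outbound")
            if s.get("store_" + d) == "simple"]
    return out
```

Calling `audit(SITE1, SITE2)` on the page's configurations reports no mismatches and four plaintext-key findings.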
2. Automatic mode
Site1:
```
#
acl number 3000
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
#
ike proposal 10
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
#
ike peer Site2 v2
 pre-shared-key simple daupon
 ike-proposal 10
 remote-address 202.100.1.1
#
ipsec policy daupon-policy 10 isakmp
 security acl 3000
 ike-peer Site2
 proposal daupon-proposal
#
interface GigabitEthernet0/0/0
 ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 61.128.1.1 255.255.255.0
 ipsec policy daupon-policy
#
ip route-static 0.0.0.0 0.0.0.0 61.128.1.10
```
Site2:
```
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
#
ike proposal 10
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
#
ike peer Site1 v2
 pre-shared-key simple daupon
 ike-proposal 10
 remote-address 61.128.1.1
#
ipsec policy daupon-policy 10 isakmp
 security acl 3000
 ike-peer Site1
 proposal daupon-proposal
#
interface GigabitEthernet0/0/0
 ip address 202.100.1.1 255.255.255.0
 ipsec policy daupon-policy
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
```