拓扑说明：本次实验只是AR1-AR2之间建立IPsec VPN，手工配置协商密钥。最终达到AR1环回口可以通过加密的方式访问AR2的环回口。配置如下：

AR1：

#
 sysname AR1
#
acl number 3000  
 rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255 
#
ipsec proposal AAA
 esp encryption-algorithm 3des
#
ipsec policy AAA 1 manual
 security acl 3000
 proposal AAA
 tunnel local 202.100.1.1
 tunnel remote 202.100.2.2
 sa spi inbound esp 12345
 sa string-key inbound esp simple arssra
 sa spi outbound esp 54321
 sa string-key outbound esp simple huawei
#
interface GigabitEthernet0/0/0
 ip address 202.100.1.1 255.255.255.0 
 ipsec policy AAA
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255 
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.100
#

AR2：

#
 sysname AR2
#
acl number 3000  //这里是用来SDP中调用的ACL
 rule 5 permit ip source 2.2.2.2 0 destination 1.1.1.1 0 
#
ipsec proposal AAA
 esp encryption-algorithm 3des
#
ipsec policy AAA 1 manual
 security acl 3000
 proposal AAA
 tunnel local 202.100.2.2
 tunnel remote 202.100.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp simple huawei
 sa spi outbound esp 12345
 sa string-key outbound esp simple arssra
#
interface GigabitEthernet0/0/0
 ip address 202.100.2.2 255.255.255.0 
 ipsec policy AAA
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255 
#
ip route-static 0.0.0.0 0.0.0.0 202.100.2.100
#