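Topology: this lab only sets up an IPsec VPN between AR1 and AR2, with the keys configured manually. The end result is that AR1's loopback interface can reach AR2's loopback interface over an encrypted path. The configuration is as follows: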
AR1:
#
sysname AR1
#
acl number 3000
rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
#
ipsec proposal AAA
esp encryption-algorithm 3des
#
ipsec policy AAA 1 manual
security acl 3000
proposal AAA
tunnel local 202.100.1.1
tunnel remote 202.100.2.2
sa spi inbound esp 12345
sa string-key inbound esp simple arssra
sa spi outbound esp 54321
sa string-key outbound esp simple huawei
#
interface GigabitEthernet0/0/0
ip address 202.100.1.1 255.255.255.0
ipsec policy AAA
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.100
#
AR2:
#
sysname AR2
#
acl number 3000 // this is the ACL referenced in the SPD
rule 5 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
#
ipsec proposal AAA
esp encryption-algorithm 3des
#
ipsec policy AAA 1 manual
security acl 3000
proposal AAA
tunnel local 202.100.2.2
tunnel remote 202.100.1.1
sa spi inbound esp 54321
sa string-key inbound esp simple huawei
sa spi outbound esp 12345
sa string-key outbound esp simple arssra
#
interface GigabitEthernet0/0/0
ip address 202.100.2.2 255.255.255.0
ipsec policy AAA
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 202.100.2.100
#
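With manual SAs nothing is negotiated, so each router's outbound SPI and key must equal the peer's inbound values, and the tunnel endpoints must mirror each other. The following Python check is an added example, not part of the original lab; the function names and flag labels are hypothetical, and the sample input is built from the IPsec lines of the two configurations above.

```python
import re

# Constructed sample input: the IPsec lines of the AR1 and AR2 configs on this page.
AR1 = """
esp encryption-algorithm 3des
tunnel local 202.100.1.1
tunnel remote 202.100.2.2
sa spi inbound esp 12345
sa string-key inbound esp simple arssra
sa spi outbound esp 54321
sa string-key outbound esp simple huawei
"""
AR2 = """
esp encryption-algorithm 3des
tunnel local 202.100.2.2
tunnel remote 202.100.1.1
sa spi inbound esp 54321
sa string-key inbound esp simple huawei
sa spi outbound esp 12345
sa string-key outbound esp simple arssra
"""

PATTERNS = {  # field name -> regex; group 1 = side or direction, group 2 = value
    "tunnel": r"tunnel (local|remote) (\S+)",
    "spi": r"sa spi (inbound|outbound) esp (\d+)",
    # Only 'simple' keys are compared; 'cipher' keys are stored as ciphertext.
    "key": r"sa string-key (inbound|outbound) esp simple (\S+)",
}
OPPOSITE = {"local": "remote", "remote": "local",
            "inbound": "outbound", "outbound": "inbound"}

def parse(cfg):
    """Return ({(field, side): value}, hygiene flags) for one router's config text."""
    fields, flags = {}, set()
    for line in map(str.strip, cfg.splitlines()):
        for name, rx in PATTERNS.items():
            if m := re.fullmatch(rx, line):
                fields[name, m[1]] = m[2]
        if re.fullmatch(r"esp encryption-algorithm (des|3des)", line):
            flags.add("weak-cipher")    # legacy 64-bit block ciphers
        if re.match(r"sa string-key \S+ esp simple ", line):
            flags.add("plaintext-key")  # key readable in the saved configuration
    return fields, flags

def mismatches(cfg_a, cfg_b):
    """List the fields on router A whose value differs from the mirrored field on B."""
    a, b = parse(cfg_a)[0], parse(cfg_b)[0]
    return sorted(f"{name} {side}" for (name, side), val in a.items()
                  if b.get((name, OPPOSITE[side])) != val)

if __name__ == "__main__":
    print("mismatches:", mismatches(AR1, AR2))
    print("AR1 flags:", sorted(parse(AR1)[1]))
```

An empty mismatch list means the two manual policies mirror each other; the flags point at the settings to tighten before using such a configuration outside a lab.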