[MSR20-1]dis cu
#
version 5.20, Alpha 1011
#
sysname MSR20-1
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 1 //定義ike匹配
#
ike peer 1//ike對等體
pre-shared-key cipher TEzJOUGCmuE=
remote-address 23.23.23.3
#
ipsec proposal 1//ipsec提議
#
ipsec policy 1 10 isakmp//使用isakmp自動協商
security acl 3000
ike-peer 1
proposal 1
#
acl number 3000//定義acl
rule 0 permit ip source 12.12.12.1 0 destination 23.23.23.3 0
#
interface Serial0/2/0
link-protocol ppp
ip address 12.12.12.1 255.255.255.0
ipsec policy 1//安全策略應用於公網出口
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0
ip address 13.13.13.1 255.255.255.0
source 12.12.12.1//隧道源地址
destination 23.23.23.3//隧道目的地址
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 12.12.12.0 0.0.0.255
#
ip route-static 3.3.3.3 255.255.255.255 Tunnel0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
<INTERNET>dis cu
#
version 5.20, Alpha 1011
#
sysname INTERNET
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface Serial0/2/0
link-protocol ppp
ip address 12.12.12.2 255.255.255.0
#
interface Serial0/2/1
link-protocol ppp
ip address 23.23.23.2 255.255.255.0
#
interface NULL0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 12.12.12.0 0.0.0.255
network 23.23.23.0 0.0.0.255
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
Return
[MSR20-2]dis cu
#
version 5.20, Alpha 1011
#
sysname MSR20-2
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 1
#
ike peer 1
pre-shared-key cipher TEzJOUGCmuE=
remote-address 12.12.12.1
#
ipsec proposal 1
#
ipsec policy 1 10 isakmp
security acl 3000
ike-peer 1
proposal 1
#
acl number 3000
rule 0 permit ip source 23.23.23.3 0 destination 12.12.12.1 0
#
interface Serial0/2/0
link-protocol ppp
ip address 23.23.23.3 255.255.255.0
ipsec policy 1
#
interface NULL0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface Tunnel0
ip address 13.13.13.3 255.255.255.0
source 23.23.23.3
destination 12.12.12.1
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 23.23.23.0 0.0.0.255
#
ip route-static 1.1.1.1 255.255.255.255 Tunnel0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
此處可以看出,和單獨配置gre 或者ipsec沒有什麼區別!只要注意acl定義匹配的是gre數據流(即ipsec接口)