IPSec Configuration

I. Configuration
1. Traffic to be encrypted
acl number 3113
description VPN
rule 21 permit ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
rule 22 permit ip source 172.0.0.0 0.255.255.255 destination 172.16.0.0 0.1.255.255
rule 23 permit ip source 172.0.0.0 0.255.255.255 destination 172.26.0.0 0.1.255.255
rule 24 permit ip source 172.0.0.0 0.255.255.255 destination 172.30.0.0 0.0.255.255

2. IPSec configuration

ipsec proposal zyb1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des

ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm sha2-256

ike peer zyb55 v1
pre-shared-key cipher %@%@!$nELLObv#0Dw&._vjPHa`(7%@%@
ike-proposal 1
remote-address 180.76.140.189

ipsec policy zyb 1 isakmp
security acl 3113
ike-peer zyb55
proposal zyb1

3. Apply the policy on the interface
interface GigabitEthernet0/0/0
ipsec policy zyb

Notes:
1. The traffic to be encrypted must be the exact mirror image of the peer router's;
2. The traffic to be encrypted must be denied in the ACL on the NAT outbound interface;
3. The wildcard masks must be calculated correctly;
4. A private-network route whose next hop is the peer site's interface:
(1) Private-network route: the next hop must be the peer site's interface IP;
(2) Default route: the next hop is the peer site's interface IP or the next-hop interface IP of this device itself.
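An added example (not part of the original post) that checks the first three notes mechanically: it parses Huawei-style ACL rules, rejects non-contiguous wildcard masks, verifies that the peer's ACL is the exact mirror of the local one, and flags flows that the NAT ACL would still permit. LOCAL_ACL copies two rules from acl 3113 above; PEER_ACL and NAT_ACL are constructed, hypothetical rule sets.

```python
import ipaddress

# Constructed sample ACLs: LOCAL_ACL copies two rules of the page's acl 3113; PEER_ACL
# and NAT_ACL are hypothetical and each contains one deliberate mistake to be caught.
LOCAL_ACL = """
rule 21 permit ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
rule 22 permit ip source 172.0.0.0 0.255.255.255 destination 172.16.0.0 0.1.255.255
"""
PEER_ACL = """
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.0.0.0 0.255.255.255
rule 10 permit ip source 172.16.0.0 0.3.255.255 destination 172.0.0.0 0.255.255.255
"""
NAT_ACL = """
rule 5 deny ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
rule 10 permit ip source 172.0.0.0 0.255.255.255
"""

def wildcard_to_network(addr, wildcard):
    """Turn an address/wildcard pair into a network; the wildcard must invert a contiguous mask."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def parse_acl(text):
    """Parse 'rule N permit|deny ip source A W [destination B W]' lines into (action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src = wildcard_to_network(t[5], t[6])
        dst = wildcard_to_network(t[8], t[9]) if "destination" in t else ipaddress.IPv4Network("0.0.0.0/0")
        rules.append((t[2], src, dst))
    return rules

def mirror_mismatches(local, peer):
    """Local permit rules whose exact mirror (source and destination swapped) is missing on the peer."""
    peer_flows = {(s, d) for a, s, d in peer if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in peer_flows]

def nat_leaks(vpn, nat):
    """VPN flows whose first covering NAT rule is a permit: they would be NATed instead of tunnelled."""
    leaks = []
    for a, s, d in vpn:
        # the first NAT rule that fully covers the flow decides, as on the device; deny = excluded from NAT
        hit = next(((na, ns, nd) for na, ns, nd in nat if s.subnet_of(ns) and d.subnet_of(nd)), None)
        if a == "permit" and hit and hit[0] == "permit":
            leaks.append((s, d))
    return leaks
```

Running the three checks over the sample ACLs reports rule 22's flow twice: its mirror is missing on the peer (the peer used wildcard 0.3.255.255, a /14 instead of a /15) and the NAT ACL has no deny for it, so the flow would be translated rather than encrypted.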

II. Verification:
1. display ike sa ver
2. display ike proposal
3. display ipsec proposal
4. display ip routing-table x.x.x.x // check the route to the peer's private network
5. display diag
