IPsec configuration

I.
1. Data flow to be encrypted
acl number 3113
 description VPN
 rule 21 permit ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
 rule 22 permit ip source 172.0.0.0 0.255.255.255 destination 172.16.0.0 0.1.255.255
 rule 23 permit ip source 172.0.0.0 0.255.255.255 destination 172.26.0.0 0.1.255.255
 rule 24 permit ip source 172.0.0.0 0.255.255.255 destination 172.30.0.0 0.0.255.255

2. IPsec configuration

ipsec proposal zyb1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm 3des

ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm sha2-256

ike peer zyb55 v1
 pre-shared-key cipher %@%@!$nELLObv#0Dw&._vjPHa`(7%@%@
 ike-proposal 1
 remote-address 180.76.140.189

ipsec policy zyb 1 isakmp
 security acl 3113
 ike-peer zyb55
 proposal zyb1

3. Apply the policy to the interface
interface GigabitEthernet0/0/0
 ipsec policy zyb
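The policy chain above only comes up if every name it references resolves: the `security acl` must be a defined ACL, `ike-peer` must name an existing `ike peer`, `proposal` an existing `ipsec proposal`, `ike-proposal` an existing `ike proposal`, and the interface's `ipsec policy` an existing policy. The following is an added example, not part of the original note and not a Huawei tool: a small checker that parses a VRP-style configuration, reports dangling references, and flags algorithms that a current hardening baseline would reject (3DES and DH group 2 are widely deprecated). The `WEAK_ALGORITHMS` set and the sample configuration (the note's config with a placeholder pre-shared key and a deliberately mismatched `ike-peer` name) are assumptions I constructed for the demonstration.

```python
# Added example: consistency checker for a Huawei VRP-style IPsec configuration.
# Not the project's own code; the WEAK_ALGORITHMS set is an assumption.

# Constructed sample: the note's configuration with the pre-shared key replaced
# by a placeholder and the ike-peer reference deliberately mismatched
# (the peer is defined as zyb55, the policy references zyb1).
SAMPLE_CONFIG = """\
acl number 3113
 description VPN
 rule 21 permit ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
ipsec proposal zyb1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm sha2-256
ike peer zyb55 v1
 pre-shared-key cipher %@%@PLACEHOLDER_CIPHERTEXT%@%@
 ike-proposal 1
 remote-address 180.76.140.189
ipsec policy zyb 1 isakmp
 security acl 3113
 ike-peer zyb1
 proposal zyb1
interface GigabitEthernet0/0/0
 ipsec policy zyb
"""

# Algorithms a current baseline rejects (assumption; adjust to your own policy).
WEAK_ALGORITHMS = {"des", "3des", "3des-cbc", "md5", "sha1", "group1", "group2"}


def parse_blocks(text):
    """Split a VRP-style config into (header, [body lines]) sections.
    A section header is any non-indented line; indented lines belong to it."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def check_config(text):
    """Return dangling cross-references and lines that use weak algorithms."""
    defined = {"acl": set(), "ipsec_proposal": set(), "ike_proposal": set(),
               "ike_peer": set(), "ipsec_policy": set()}
    refs = []   # (kind, name, header of the block that references it)
    weak = []   # (header, line)
    for header, body in parse_blocks(text):
        words = header.split()
        if words[:2] == ["acl", "number"]:
            defined["acl"].add(words[2])
        elif words[:2] == ["ipsec", "proposal"]:
            defined["ipsec_proposal"].add(words[2])
        elif words[:2] == ["ike", "proposal"]:
            defined["ike_proposal"].add(words[2])
        elif words[:2] == ["ike", "peer"]:
            defined["ike_peer"].add(words[2])
        elif words[:2] == ["ipsec", "policy"]:
            defined["ipsec_policy"].add(words[2])
        for line in body:
            w = line.split()
            if w[:2] == ["security", "acl"]:
                refs.append(("acl", w[2], header))
            elif w[0] == "ike-peer":
                refs.append(("ike_peer", w[1], header))
            elif w[0] == "proposal" and header.startswith("ipsec policy"):
                refs.append(("ipsec_proposal", w[1], header))
            elif w[0] == "ike-proposal":
                refs.append(("ike_proposal", w[1], header))
            elif w[:2] == ["ipsec", "policy"] and header.startswith("interface"):
                refs.append(("ipsec_policy", w[2], header))
            if any(tok.lower() in WEAK_ALGORITHMS for tok in w):
                weak.append((header, line))
    dangling = [(k, n, h) for k, n, h in refs if n not in defined[k]]
    return {"dangling": dangling, "weak": weak}


if __name__ == "__main__":
    report = check_config(SAMPLE_CONFIG)
    for kind, name, where in report["dangling"]:
        print(f"dangling {kind} reference '{name}' in '{where}'")
    for where, line in report["weak"]:
        print(f"weak algorithm in '{where}': {line}")
```

Run it against `display current-configuration` output saved to a file and an empty `dangling` list means the policy chain is wired up; the `weak` list is where to start when migrating the proposals to AES and a stronger DH group.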

1. The encrypted data flow must be an exact mirror of the one on the peer router;
2. The encrypted data flow must be denied in the ACL on the NAT outbound interface;
3. The masks must be computed correctly;
4. A private-network route whose next hop is the peer site's interface
(1) Private-network route: the next hop must be the interface IP of the peer site
(2) Default route: the next hop is the interface IP of the peer site or the next-hop interface IP of this device
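Points 1 to 3 above are where most failed tunnels come from: a wildcard mask that covers the wrong range, a peer ACL that is not the exact swap of the local one, or a NAT ACL that still permits (and therefore translates) the VPN traffic before it reaches the IPsec policy. The following is an added example, not part of the original note, that checks all three with Python's `ipaddress` module: it converts VRP address/wildcard pairs to networks, derives the rule set the peer must carry, compares it against a remote ACL, and walks a NAT ACL in rule order to find VPN flows that hit a permit before a deny. The local ACL is the note's four rules; the remote and NAT ACLs are constructed samples, one correct and one wrong in each case.

```python
# Added example: ACL mirror, wildcard-mask and NAT-deny checks for a VRP IPsec
# setup. Not the project's own code; the remote and NAT ACLs are constructed.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# The four rules from the note.
LOCAL_VPN_ACL = """\
rule 21 permit ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
rule 22 permit ip source 172.0.0.0 0.255.255.255 destination 172.16.0.0 0.1.255.255
rule 23 permit ip source 172.0.0.0 0.255.255.255 destination 172.26.0.0 0.1.255.255
rule 24 permit ip source 172.0.0.0 0.255.255.255 destination 172.30.0.0 0.0.255.255
"""

# Constructed: what the peer must configure (source and destination swapped).
REMOTE_VPN_ACL_OK = """\
rule 21 permit ip source 192.168.0.0 0.0.255.255 destination 172.0.0.0 0.255.255.255
rule 22 permit ip source 172.16.0.0 0.1.255.255 destination 172.0.0.0 0.255.255.255
rule 23 permit ip source 172.26.0.0 0.1.255.255 destination 172.0.0.0 0.255.255.255
rule 24 permit ip source 172.30.0.0 0.0.255.255 destination 172.0.0.0 0.255.255.255
"""

# Constructed: a peer that got the mask of rule 22 wrong (/16 instead of /15).
REMOTE_VPN_ACL_BAD = REMOTE_VPN_ACL_OK.replace("172.16.0.0 0.1.255.255", "172.16.0.0 0.0.255.255")

# Constructed NAT ACL that denies VPN traffic before the catch-all permit.
NAT_ACL_OK = """\
rule 5 deny ip source 172.0.0.0 0.255.255.255 destination 192.168.0.0 0.0.255.255
rule 6 deny ip source 172.0.0.0 0.255.255.255 destination 172.16.0.0 0.1.255.255
rule 7 deny ip source 172.0.0.0 0.255.255.255 destination 172.26.0.0 0.1.255.255
rule 8 deny ip source 172.0.0.0 0.255.255.255 destination 172.30.0.0 0.0.255.255
rule 10 permit ip source 172.0.0.0 0.255.255.255 destination any
"""

# Constructed NAT ACL with the denies forgotten: VPN traffic would be translated.
NAT_ACL_BAD = "rule 10 permit ip source 172.0.0.0 0.255.255.255 destination any\n"


def wildcard_to_network(addr, wildcard):
    """A VRP wildcard is the bitwise inverse of a subnet mask:
    0.1.255.255 -> 255.254.0.0 -> /15, so 172.16.0.0 0.1.255.255 is 172.16.0.0/15."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_rule(line):
    """Parse 'rule N permit|deny ip source A W destination A W'; 'any' is 0.0.0.0/0."""
    w = line.split()
    if len(w) < 3 or w[0] != "rule" or w[2] not in ("permit", "deny"):
        return None
    rule = {"id": int(w[1]), "action": w[2], "src": ANY, "dst": ANY}
    i = 3
    while i < len(w):
        if w[i] in ("source", "destination"):
            key = "src" if w[i] == "source" else "dst"
            if w[i + 1] == "any":
                rule[key], i = ANY, i + 2
            else:
                rule[key], i = wildcard_to_network(w[i + 1], w[i + 2]), i + 3
        else:
            i += 1
    return rule


def parse_acl(text):
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def mirror_rules(rules):
    """The rule set the remote router must carry: same pairs, source and destination swapped."""
    return [dict(r, src=r["dst"], dst=r["src"]) for r in rules]


def is_exact_mirror(local, remote):
    """True when the remote ACL permits exactly the swapped (src, dst) pairs of the local one."""
    local_pairs = {(r["src"], r["dst"]) for r in local if r["action"] == "permit"}
    remote_pairs = {(r["dst"], r["src"]) for r in remote if r["action"] == "permit"}
    return local_pairs == remote_pairs


def nat_leaks(vpn_rules, nat_rules):
    """VPN flows the NAT ACL permits (and so would translate) before any deny.
    Rules are evaluated in ascending rule-number order; the first match wins."""
    leaks = []
    for v in vpn_rules:
        for n in sorted(nat_rules, key=lambda r: r["id"]):
            if v["src"].subnet_of(n["src"]) and v["dst"].subnet_of(n["dst"]):
                if n["action"] == "permit":
                    leaks.append((str(v["src"]), str(v["dst"])))
                break
    return leaks


if __name__ == "__main__":
    local = parse_acl(LOCAL_VPN_ACL)
    for r in mirror_rules(local):
        print(f"peer needs: rule {r['id']} permit {r['src']} -> {r['dst']}")
    print("remote OK mirrors local:", is_exact_mirror(local, parse_acl(REMOTE_VPN_ACL_OK)))
    print("remote BAD mirrors local:", is_exact_mirror(local, parse_acl(REMOTE_VPN_ACL_BAD)))
    print("NAT leaks (bad ACL):", nat_leaks(local, parse_acl(NAT_ACL_BAD)))
```

The mirror check compares networks rather than the literal wildcard strings, so `172.16.0.0 0.1.255.255` on one side and an equivalent but differently written range on the other still match, while a mask that is off by one bit (the /16 in the bad sample) is caught. The NAT walk stops at the first matching rule, which is why the deny rules must carry lower numbers than the permit.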

II. Verification:
1. display ike sa ver
2. display ike proposal
3. display ipsec proposal
4. display ip routing-table x.x.x.x // look up the route to the peer's private network
5. display diag
