Huawei AR router / USG firewall IPsec VPN configuration: point-to-multipoint

Published: 2019-01-10
Headquarters router 1
acl number 3000  = for NAT
 rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001  = for VPN
 rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
ipsec proposal aa
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-cbc-128
ike peer aa v1  = to branch router 1
 pre-shared-key cipher admin123
 ike-proposal 1
 dpd type periodic
 dpd idle-time 10
 remote-address 202.10.1.2
ike peer bb v1  = to branch router 2
 pre-shared-key cipher admin123
 ike-proposal 1
 dpd type periodic
 dpd idle-time 10
 remote-address 202.10.2.2
ipsec policy ipsec-vpn 10 isakmp  = to branch router 1
 security acl 3001
 ike-peer aa
 proposal aa
ipsec policy ipsec-vpn 20 isakmp  = to branch router 2
 security acl 3001
 ike-peer bb
 proposal aa
interface GigabitEthernet 0/0
 ip address 203.10.1.2 255.255.255.0
 ipsec policy ipsec-vpn
 nat outbound 3000
interface GigabitEthernet 0/1
 ip address 10.10.200.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 203.10.1.1
return
Branch router 1
acl number 3000  = for NAT
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 10 permit ip source 10.10.10.0 0.0.0.255
acl number 3001  = for VPN
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
ipsec proposal aa
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-cbc-128
ike peer aa v1
 pre-shared-key cipher admin123
 ike-proposal 1
 dpd type periodic
 dpd idle-time 10
 remote-address 203.10.1.2
ipsec policy ipsec-vpn 1 isakmp
 security acl 3001
 ike-peer aa
 proposal aa
interface GigabitEthernet 0/0
 ip address 202.10.1.2 255.255.255.0
 ipsec policy ipsec-vpn
 nat outbound 3000
interface GigabitEthernet 0/1
 ip address 10.10.10.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
return
Branch router 2
The configuration is the same as for branch router 1 except for the public IP address, so it is omitted here.
Headquarters router configuration
[V200R007C00SPC900]
acl name nat 3000
 rule 5 deny ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0 0.0.255.255
 rule 10 permit ip
acl number 3998
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0 0.0.255.255
acl number 3999
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0 0.0.255.255
ipsec proposal ipsec1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-192
ipsec proposal ipsec2
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm aes-cbc-192
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
ike proposal 2
 encryption-algorithm des-cbc
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
ike peer ipsec1 v1
 exchange-mode aggressive
 pre-shared-key cipher admin123
 ike-proposal 1
 remote-address 116.62.16.200
ike peer ipsec2 v1
 exchange-mode aggressive
 pre-shared-key cipher admin123
 ike-proposal 3
 nat traversal
 remote-address 120.26.9.191
ipsec policy ipsec 1 isakmp
 security acl 3999
 ike-peer ipsec1
 proposal ipsec1
ipsec policy ipsec 2 isakmp
 security acl 3998
 ike-peer ipsec2
 proposal ipsec2
interface GigabitEthernet0/0/0
 ip address 202.127.114.250 255.255.255.248
 nat outbound 3000
 ipsec policy ipsec
interface GigabitEthernet0/0/1
 ip address 192.168.200.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 202.127.114.249
ip route-static 192.168.0.0 255.255.0.0 192.168.200.2
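
An offline audit for configurations in the style shown above, as an added example that is not part of the original page and is not Huawei tooling. It flags DES/3DES, MD5/SHA-1, DH groups 1, 2 and 5 and IKEv1 aggressive mode, and also reports ike-proposal references to an undefined proposal and IPsec policy groups that are not bound to any interface. The function name audit, the finding labels and the embedded sample are assumptions constructed for illustration.

```python
import re

# Constructed sample in the page's Huawei VRP style (not a real device config).
SAMPLE = """\
ike proposal 1
 encryption-algorithm aes-cbc-192
 dh group2
 authentication-algorithm sha1
ike peer ipsec2 v1
 exchange-mode aggressive
 ike-proposal 3
ipsec proposal ipsec2
 esp encryption-algorithm 3des
ipsec policy ipsec-vpn 10 isakmp
 ike-peer ipsec2
ipsec policy ipsec 20 isakmp
 ike-peer ipsec2
interface GigabitEthernet0/0/0
 ipsec policy ipsec-vpn
"""

WEAK = [  # (pattern on an indented sub-command, finding label)
    (r"encryption-algorithm (3des|des)\b", "weak cipher"),
    (r"authentication-algorithm (md5|sha1)$", "weak hash"),
    (r"^dh group[125]$", "weak DH group"),
    (r"^exchange-mode aggressive$", "aggressive mode"),
]

def audit(config):  # returns a list of (section, line, finding) tuples
    findings, refs, section = [], [], ""
    ike_props, groups, applied = set(), set(), set()
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():  # an unindented line opens a new section
            section = line
            if m := re.match(r"ike proposal (\d+)$", line):
                ike_props.add(m.group(1))
            elif m := re.match(r"ipsec policy (\S+) \d+ isakmp$", line):
                groups.add(m.group(1))
            continue
        findings += [(section, line, f) for p, f in WEAK if re.search(p, line)]
        if m := re.match(r"ike-proposal (\d+)$", line):
            refs.append((section, line, m.group(1)))  # resolved after the loop
        elif section.startswith("interface") and (m := re.match(r"ipsec policy (\S+)$", line)):
            applied.add(m.group(1))
    findings += [(s, l, "undefined IKE proposal") for s, l, n in refs if n not in ike_props]
    findings += [(f"ipsec policy {g}", "", "policy group not bound to an interface")
                 for g in sorted(groups - applied)]
    return findings
```

Run audit() on the text of a saved configuration; an empty list means none of these checks fired, not that the configuration is otherwise sound.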