r1
interface GigabitEthernet0/0/0
ip address 10.0.12.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.0.13.1 255.255.255.0
R2
dhcp enable
acl number 3000 //捉取感兴趣的流,或都用虚拟隧道接口模式也可以
rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
ipsec proposal ipp //定义IPSEC安全提义
ike proposal 1 //定义IKE安全提义
ike peer r3 v1 //定义IKE对等体
pre-shared-key cipher huawei
ike-proposal 1 //关联IKE安全提义
dpd type on-demand //对端存活检测
remote-address 10.0.13.3
ipsec policy r3 1 isakmp //定义ipsec安全策略
security acl 3000 //关联感兴趣流
ike-peer r3 //关联IKE对等体
proposal ipp //关联ipsec 安全提义
interface GigabitEthernet0/0/0
ip address 10.0.12.2 255.255.255.0
ipsec policy r3 //接口上应用安全ipsec安全策略
interface GigabitEthernet0/0/1
ip address 192.168.0.1 255.255.255.0
dhcp select interface
ip route-static 0.0.0.0 0.0.0.0 10.0.12.1
R3
acl number 3000
rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ipsec proposal ipp
ike proposal 1
ike peer r2 v1
pre-shared-key cipher huawei
ike-proposal 1
dpd type on-demand
remote-address 10.0.12.2
ipsec policy r2 1 isakmp
security acl 3000
ike-peer r2
proposal ipp
interface GigabitEthernet0/0/0
ip address 10.0.13.3 255.255.255.0
ipsec policy r2
interface GigabitEthernet0/0/1
ip address 172.16.0.1 255.255.255.0
dhcp select interface
ip route-static 0.0.0.0 0.0.0.0 10.0.13.1
查看
dis ipsec proposal
dis ike proposal number 1
dis ike peer name r2 verbose
dis ike sa
ping测试