IPsec ××× L2L
实现上网同时与分机站点互通!
IPsec ××× L2L_第1张图片

to1

[to1]dis cu
[V200R003C00]
#
sysname to1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
dhcp enable
#
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
acl number 3500 //拒绝10.0网络匹配到ipsec感兴趣流;再放行上网的流量!
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255
#
ipsec proposal 10

ike proposal 10
#
ike peer 10 v1
pre-shared-key simple 1
ike-proposal 10
remote-address 23.23.23.3
#
ipsec policy 10 10 isakmp
security acl 3000
ike-peer 10
proposal 10
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15

interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
ip address 12.12.12.1 255.255.255.0
ipsec policy 10
nat outbound 3500
#
interface GigabitEthernet0/0/1
ip address 192.168.10.254 255.255.255.0
dhcp select interface
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[to1]

intenet

dis cu
[V200R003C00]

interface GigabitEthernet0/0/0
ip address 12.12.12.2 255.255.255.0

interface GigabitEthernet0/0/1
ip address 23.23.23.2 255.255.255.0

to2

[to2] dis cu
[V200R003C00]
#
sysname to2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
dhcp enable
#
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
acl number 3500
rule 5 deny ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 10 permit ip source 172.16.10.0 0.0.0.255
#
ipsec proposal 10

ike proposal 10
#
ike peer 10 v1
pre-shared-key simple 1
ike-proposal 10
remote-address 12.12.12.1
#
ipsec policy 10 10 isakmp
security acl 3000
ike-peer 10
proposal 10
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15

interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
ip address 172.16.10.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
ip address 23.23.23.3 255.255.255.0
ipsec policy 10
nat outbound 3500
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 23.23.23.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[to2]

验证

IPsec ××× L2L_第2张图片