Huawei Router Standard IPsec Configuration (site-to-site, IKE pre-shared key)

【Router A】
ike proposal 1
#
ike peer a
 pre-shared-key huawei-3com
 remote-address 202.0.0.2
#
ipsec proposal a
#
ipsec policy a 1 isakmp
 security acl 3009
 ike-peer a
 proposal a
#
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0
 ip address 202.0.0.1 255.255.255.0
 ipsec policy a
#
acl number 3009
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip
#
ip route-static 0.0.0.0 0.0.0.0 202.0.0.2 preference 60
【Router B】
ike proposal 1
#
ike peer b
 pre-shared-key huawei-3com
 remote-address 202.0.0.1
#
ipsec proposal b
#
ipsec policy b 1 isakmp
 security acl 3009
 ike-peer b
 proposal b
#
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
#
interface Ethernet2/0
 ip address 202.0.0.2 255.255.255.0
 ipsec policy b
#
acl number 3009
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
#
ip route-static 0.0.0.0 0.0.0.0 202.0.0.1 preference 60
【Note】
1. When a router must run both IPsec and NAT on the same outbound interface, the NAT ACL must explicitly deny the traffic that IPsec protects. Otherwise that traffic is matched by the NAT ACL first and gets translated (its source becomes the public address), so it no longer matches the IPsec security ACL and never triggers IKE/IPsec SA establishment.
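The following is an added example, not part of the original page, showing what the note above means on Router A in the same Comware-style syntax as the configurations above. The NAT ACL number 3000 and its rule numbers are assumptions chosen here; lines beginning with "# ..." that contain words are explanatory comments for the reader, not configuration (a bare "#" is the usual section separator). The same mirror-image change (deny 192.168.2.0/24 -> 192.168.1.0/24) is needed in Router B's NAT ACL.

```text
# --- Wrong: NAT ACL swallows the IPsec flow ---
# Every packet from 192.168.1.0/24, including traffic to 192.168.2.0/24, matches
# rule 0, is translated by "nat outbound", and never matches IPsec ACL 3009.
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255
#
# --- Correct: deny the protected flow before the NAT permit ---
# With the default match order, rules are tried in numeric order, so the deny in
# rule 0 excludes the site-to-site traffic from NAT; rule 1 still NATs the rest.
acl number 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255
#
interface Ethernet2/0
 ip address 202.0.0.1 255.255.255.0
 nat outbound 3000
 ipsec policy a
#
```

To check the result, send traffic from a host in 192.168.1.0/24 to one in 192.168.2.0/24 and run `display ike sa` and `display ipsec sa` on Router A: with the deny rule in place an IKE SA to 202.0.0.2 and an IPsec SA for ACL 3009 appear; with the wrong ACL neither appears and `display nat session` shows the flow being translated instead.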