It's been two years since I last wrote anything here; I've gotten lazy!
The environment being configured: headquarters USG6550, branch plant USG63XX.
The branch plant needs to reach headquarters, and each site keeps its own IP address range.
Branch plant configuration:
#
acl number 3000
rule 5 permit ip source 10.50.0.0 0.0.255.255 destination 10.10.0.0 0.0.255.255
#
ike proposal 1
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer ike13411238449
exchange-mode aggressive
pre-shared-key %$%$)NQe=
ike-proposal 1
remote-id-type none
remote-address 0.0.0.0 (headquarters' public IP address)
#
ipsec proposal prop13411238449
encapsulation-mode auto
esp authentication-algorithm sha2-256
#
ipsec policy ipsec1341123855 1 isakmp
security acl 3000
ike-peer ike13411238449
alias feicheng
proposal prop13411238449
local-address 0.0.0.0 (the branch plant's own public IP address)
sa duration traffic-based 1843200
sa duration time-based 3600
#
interface GigabitEthernet0/0/1 (branch plant WAN interface)
ip address 0.0.0.0 255.255.255.128
ipsec policy ipsec1341123855 auto-neg
#
ip route-static 10.10.0.0 255.255.0.0 GigabitEthernet0/0/1
--------------------------
Headquarters configuration:
acl number 3003
rule 5 permit ip source 10.10.0.0 0.0.255.255 destination 10.50.0.0 0.0.255.255
#
ike proposal 1
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer ike16618495487
exchange-mode aggressive
pre-shared-key %$%$CF(_Ci*N+LC)AA7Y.bF!Rd[R%$%$
ike-proposal 1
remote-id-type none
remote-address 0.0.0.0 (branch plant's public IP address)
#
ipsec proposal prop16618495487
encapsulation-mode auto
esp authentication-algorithm sha2-256
#
ipsec policy ipsec1661849541 1 isakmp
security acl 3003
ike-peer ike16618495487
alias natfc
proposal prop16618495487
local-address 0.0.0.0 (headquarters' public IP address)
sa duration traffic-based 1843200
sa duration time-based 3600
#
interface GigabitEthernet1/0/9 (headquarters WAN interface)
ip address 0.0.0.0 255.255.255.252
ipsec policy ipsec1661849541 auto-neg
#
ip route-static 10.50.0.0 255.255.0.0 GigabitEthernet1/0/9
(This static route must be added!!!)
Once both sides are configured, ping an address at headquarters from the branch plant's device with a source address specified; sometimes the tunnel only comes up after you ping!!
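The two snippets above have to mirror each other exactly (ACL source/destination swapped, identical IKE and IPsec proposals, each side's remote-address equal to the other's local-address, and a static route on each side for the remote subnet), and a single mismatch is the usual reason the tunnel never negotiates. The following is an added example, not part of the original post and not Huawei's code: a small Python checker that parses two VRP-style config snippets in this shape and reports the mismatches. The addresses, the ACL numbers, the interface names and the peer/proposal/policy names it uses are constructed placeholders, and the `site_cfg` helper is purely an illustration of the post's layout.

```python
"""Added example: consistency checker for a pair of Huawei USG (VRP) site-to-site
IPsec config snippets. Placeholder addresses (RFC 5737 ranges) and names only."""
import re
from ipaddress import ip_network


def site_cfg(acl, local_net, remote_net, local_ip, remote_ip, wan, route=True):
    """Constructed config modelled on the post's snippets (not the post's own text)."""
    return f"""
acl number {acl}
 rule 5 permit ip source {local_net} 0.0.255.255 destination {remote_net} 0.0.255.255
#
ike proposal 1
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer peer1
 exchange-mode aggressive
 pre-shared-key PLACEHOLDER
 ike-proposal 1
 remote-address {remote_ip}
#
ipsec proposal prop1
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
#
ipsec policy pol1 1 isakmp
 security acl {acl}
 ike-peer peer1
 proposal prop1
 local-address {local_ip}
#
{'ip route-static ' + remote_net + ' 255.255.0.0 ' + wan if route else ''}
"""


# Branch plant (10.50.0.0/16) and headquarters (10.10.0.0/16), as in the post.
BRANCH = site_cfg(3000, "10.50.0.0", "10.10.0.0", "198.51.100.2", "203.0.113.1", "GigabitEthernet0/0/1")
HQ = site_cfg(3003, "10.10.0.0", "10.50.0.0", "203.0.113.1", "198.51.100.2", "GigabitEthernet1/0/9")


def parse_vrp(text):
    """Split a VRP config into sections: '#' separates them, the first line is the header."""
    sections = {}
    for chunk in text.split("#"):
        lines = [l.strip() for l in chunk.strip().splitlines() if l.strip()]
        if lines:
            sections[lines[0]] = lines[1:]
    return sections


def wildcard_net(addr, wildcard):
    """ACL 'network wildcard' notation -> ip_network (wildcard is the inverted mask)."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)


def acl_rules(sections, number):
    """(source_net, destination_net) pairs of the 'permit ip' rules in one ACL."""
    rules = []
    for line in sections.get(f"acl number {number}", []):
        m = re.match(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", line)
        if m:
            rules.append((wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])))
    return rules


def kv(lines):
    """'key words value' lines -> dict; the last token is the value."""
    return {" ".join(l.split()[:-1]): l.split()[-1] for l in lines if " " in l}


def peer_view(text):
    """Collect the pieces of one side that must line up with the other side."""
    s = parse_vrp(text)
    policy = kv(s[next(k for k in s if k.startswith("ipsec policy"))])
    peer = kv(s[f"ike peer {policy['ike-peer']}"])
    routes = [ip_network(f"{l.split()[2]}/{l.split()[3]}") for l in s if l.startswith("ip route-static")]
    return {"acl": acl_rules(s, policy["security acl"]),
            "ike": kv(s[f"ike proposal {peer['ike-proposal']}"]),
            "ipsec": kv(s[f"ipsec proposal {policy['proposal']}"]),
            "mode": peer["exchange-mode"], "local": policy["local-address"],
            "remote": peer["remote-address"], "routes": routes}


def check_pair(a_text, b_text):
    """Return human-readable problems; an empty list means both sides agree."""
    a, b = peer_view(a_text), peer_view(b_text)
    problems = []
    for src, dst in a["acl"]:
        if (dst, src) not in b["acl"]:
            problems.append(f"ACL not mirrored: {src}->{dst} has no {dst}->{src} on peer")
    for name in ("ike", "ipsec"):
        for key in sorted(set(a[name]) | set(b[name])):
            if a[name].get(key) != b[name].get(key):
                problems.append(f"{name} proposal mismatch on '{key}': {a[name].get(key)} vs {b[name].get(key)}")
    if a["mode"] != b["mode"]:
        problems.append("IKE exchange-mode differs between the peers")
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        problems.append("remote-address does not match the peer's local-address")
    for side, view in (("A", a), ("B", b)):
        for _, dst in view["acl"]:
            if not any(dst.subnet_of(r) for r in view["routes"]):
                problems.append(f"side {side}: no static route covers remote subnet {dst}")
    return problems


if __name__ == "__main__":
    print(check_pair(BRANCH, HQ) or "both sides consistent")
    print(check_pair(BRANCH, site_cfg(3003, "10.10.0.0", "10.50.0.0", "203.0.113.1",
                                      "198.51.100.2", "GigabitEthernet1/0/9", route=False)))
```

Run against the two constructed snippets it reports nothing; drop the headquarters static route (the line the post insists on) and it reports that no route covers 10.50.0.0/16 on that side, and changing one algorithm on either end shows up as a proposal mismatch. The checker only verifies that exchange-mode matches; with a pre-shared key, IKEv1 aggressive mode sends the identity hash unprotected, so main mode is the safer choice when both ends have fixed public addresses, as they do here.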