Topology diagram
r1
int e0
ip add 192.168.1.55 24
int e1
ip add 202.196.10.100
ip route 0.0.0.0 0 202.196.10.1
acl 3000
rule permit ip source 192.168.1.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
rule deny ip source any dest any
quit
acl 3001
rule permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
rule deny ip source any dest any
quit
ipsec proposal tran1
ipsec proposal tran2
Create a security proposal named tran1
enca tunnel
Packet encapsulation uses tunnel mode
transform esp
Security protocol is ESP
esp enc des
esp auth md5
Select the authentication and encryption algorithms
ipsec policy policy1 10 isakmp
Create a security policy; negotiation mode is automatic (IKE/isakmp)
sec acl 3000
Reference the access list
proposal tran1
Reference the security proposal
tunnel remote 202.196.30.100
Set the local and remote addresses
sa outbound esp spi 123456
sa inbound esp spi 654321
Set the SPI (note: sa spi and sa string-key are manual-policy parameters; in isakmp mode IKE negotiates the SPIs and keys)
sa inbound esp string-key hgfdsa
Set the keys
sa outbound esp string-key asdfgh
int e1
ipsec policy policy1
ike pre-shared-key 654321 remote 202.196.30.100
Apply the security policy group on e1
ipsec policy policy1 20 isakmp
sec acl 3001
proposal tran2
tunnel remote 202.196.20.100
int e1
ipsec policy policy1
ike pre-shared-key 123456 remote 202.196.20.100
r2
int e0
ip add 192.168.2.55 24
int e1
ip add 202.196.20.100 24
acl 3001
rule permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule deny ip source any dest any
ipsec proposal tran2
enca tunnel
transform esp
esp enc des
esp auth md5
ipsec policy policy1 20 isakmp
sec acl 3001
tunnel remote 202.196.10.100
proposal tran2
int e0
ipsec policy policy1
ike pre-shared-key 123456 remote 202.196.10.100
r3
int e0
ip add 192.168.3.55 24
int e1
ip add 202.196.30.100 24
ip route 0.0.0.0 0 202.196.30.1
acl 3000
rule permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule deny ip source any dest any
quit
ipsec proposal tran1
enca tunnel
transform esp
esp enc des
esp auth md5
ipsec policy policy1 10 isakmp
sec acl 3000
proposal tran1
tunnel remote 202.196.10.100
int e1
ipsec policy policy1
ike pre-shared-key 654321 remote 202.196.10.100
Test results
Local IP address: 192.168.1.2, ping target: 192.168.3.55
Local IP address: 192.168.1.2, ping target: 192.168.2.55
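Added example (not part of the original lab notes): a consistency check over the IKE/IPsec parameters transcribed from the three router configurations above. A common cause of a failed ping in this lab is a tunnel whose ACL is not mirrored by the peer, whose pre-shared key differs, or whose tunnel remote does not match the peer's WAN address; the check flags each of these. The Tunnel records below are hand-copied from the page's configs; the check itself is a hypothetical helper.

```python
from typing import NamedTuple

class Tunnel(NamedTuple):
    router: str
    local_wan: str   # address of the interface the policy is applied on
    remote: str      # 'tunnel remote' in the policy
    psk: str         # ike pre-shared-key configured for that remote
    src: str         # ACL permit source (network wildcard)
    dst: str         # ACL permit destination (network wildcard)

# Transcribed from the r1, r2 and r3 configurations on this page
TUNNELS = [
    Tunnel("r1", "202.196.10.100", "202.196.30.100", "654321",
           "192.168.1.0 0.0.0.255", "192.168.3.0 0.0.0.255"),
    Tunnel("r1", "202.196.10.100", "202.196.20.100", "123456",
           "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
    Tunnel("r2", "202.196.20.100", "202.196.10.100", "123456",
           "192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    Tunnel("r3", "202.196.30.100", "202.196.10.100", "654321",
           "192.168.3.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
]

def check_pairs(tunnels):
    """Return a list of problems; an empty list means every tunnel has a consistent peer."""
    problems = []
    by_wan = {}
    for t in tunnels:
        by_wan.setdefault(t.local_wan, []).append(t)
    for t in tunnels:
        # The peer is the entry on the remote address that points back at us
        peers = [p for p in by_wan.get(t.remote, []) if p.remote == t.local_wan]
        if not peers:
            problems.append(f"{t.router}: no config on {t.remote} points back to {t.local_wan}")
            continue
        p = peers[0]
        if p.psk != t.psk:
            problems.append(f"{t.router}<->{p.router}: pre-shared keys differ")
        if (p.src, p.dst) != (t.dst, t.src):
            problems.append(f"{t.router}<->{p.router}: ACL is not mirrored")
    return problems

if __name__ == "__main__":
    for line in check_pairs(TUNNELS) or ["all tunnels consistent"]:
        print(line)
```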