Headquarters router 1
acl number 3000 = for NAT
rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001 = for the VPN (interesting traffic)
rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
ipsec proposal aa
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ike proposal 1
encryption-algorithm aes-cbc-128
ike peer aa v1 = to branch router 1
pre-shared-key cipher admin123
ike-proposal 1
dpd type periodic
dpd idle-time 10
remote-address 202.10.1.2
ike peer bb v1 = to branch router 2
pre-shared-key cipher admin123
ike-proposal 1
dpd type periodic
dpd idle-time 10
remote-address 202.10.2.2
ipsec policy ipsec-vpn 10 isakmp = to branch router 1
security acl 3001
ike-peer aa
proposal aa
ipsec policy ipsec-vpn 20 isakmp = to branch router 2 (same policy group as entry 10, since only the group ipsec-vpn is bound to GigabitEthernet 0/0)
security acl 3001
ike-peer bb
proposal aa
interface GigabitEthernet 0/0
ip address 203.10.1.2 255.255.255.0
ipsec policy ipsec-vpn
nat outbound 3000
interface GigabitEthernet 0/1
ip address 10.10.200.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 203.10.1.1
return
Branch router 1
acl number 3000 = for NAT
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.10.0 0.0.0.255
acl number 3001 = for the VPN (interesting traffic)
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
ipsec proposal aa
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ike proposal 1
encryption-algorithm aes-cbc-128
ike peer aa v1
pre-shared-key cipher admin123
ike-proposal 1
dpd type periodic
dpd idle-time 10
remote-address 203.10.1.2
ipsec policy ipsec-vpn 1 isakmp
security acl 3001
ike-peer aa
proposal aa
interface GigabitEthernet 0/0
ip address 202.10.1.2 255.255.255.0
ipsec policy ipsec-vpn
nat outbound 3000
interface GigabitEthernet 0/1
ip address 10.10.10.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
return
Branch router 2
The configuration is the same as branch router 1 except for the public (WAN) IP address, so it is omitted here.
Headquarters router configuration (second variant)
[V200R007C00SPC900]
acl name nat 3000
rule 5 deny ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0 0.0.255.255
rule 10 permit ip
acl number 3998
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0 0.0.255.255
acl number 3999
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0 0.0.255.255
ipsec proposal ipsec1
esp authentication-algorithm sha1
esp encryption-algorithm aes-192
ipsec proposal ipsec2
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ike proposal 1
encryption-algorithm aes-cbc-192
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
ike proposal 2
encryption-algorithm des-cbc
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
ike peer ipsec1 v1
exchange-mode aggressive
pre-shared-key cipher admin123
ike-proposal 1
remote-address 116.62.16.200
ike peer ipsec2 v1
exchange-mode aggressive
pre-shared-key cipher admin123
ike-proposal 2
nat traversal
remote-address 120.26.9.191
ipsec policy ipsec 1 isakmp
security acl 3999
ike-peer ipsec1
proposal ipsec1
ipsec policy ipsec 2 isakmp
security acl 3998
ike-peer ipsec2
proposal ipsec2
interface GigabitEthernet0/0/0
ip address 202.127.114.250 255.255.255.248
nat outbound 3000
ipsec policy ipsec
interface GigabitEthernet0/0/1
ip address 192.168.200.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 202.127.114.249
ip route-static 192.168.0.0 255.255.0.0 192.168.200.2
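Added check, not part of the listings above or of Huawei's own tooling: a small Python linter that reads a VRP listing in this format and reports dangling references (an ike peer pointing at an undefined ike-proposal, a policy whose security acl, ike-peer or proposal does not exist, or a policy group that no interface binds). The function name and the SAMPLE excerpt are my own constructions modelled on the first hub listing.

```python
def lint_vrp_ipsec(config):
    """Cross-check references in a Huawei VRP IPsec/NAT listing such as the ones above.
    Returns a list of findings; empty means every reference resolves. "= note" text is ignored."""
    acls, ike_props, ipsec_props, peers = set(), set(), set(), {}
    policies, applied, block = {}, set(), None
    lines = [line.split("=")[0].split() for line in config.splitlines()]
    for w in filter(None, lines):
        head = " ".join(w[:2])
        if w[0] == "acl":                          # "acl number 3000" or "acl name nat 3000"
            acls.add(w[-1]); block = None
        elif head == "ike proposal":
            ike_props.add(w[2]); block = None
        elif head == "ipsec proposal":
            ipsec_props.add(w[2]); block = None
        elif head == "ike peer":                   # "ike peer NAME v1"
            peers[w[2]] = None; block = ("peer", w[2])
        elif head == "ipsec policy" and len(w) > 3:   # "ipsec policy GROUP SEQ isakmp"
            policies[(w[2], w[3])] = {}; block = ("policy", (w[2], w[3]))
        elif w[0] == "interface":
            block = ("iface", w[1])
        elif block and block[0] == "peer" and w[0] == "ike-proposal":
            peers[block[1]] = w[1]
        elif block and block[0] == "policy" and w[0] in ("security", "ike-peer", "proposal"):
            policies[block[1]][w[0]] = w[-1]       # "security acl N" / "ike-peer X" / "proposal Y"
        elif block and block[0] == "iface" and head == "ipsec policy":
            applied.add(w[2])                      # policy group bound to this interface
    findings = []
    for name, prop in peers.items():
        if prop not in ike_props:
            findings.append(f"ike peer {name}: ike-proposal {prop} is not defined")
    for (group, seq), p in policies.items():
        for key, pool in (("security", acls), ("ike-peer", peers), ("proposal", ipsec_props)):
            if p.get(key) not in pool:
                findings.append(f"ipsec policy {group} {seq}: {key} {p.get(key)} is not defined")
        if group not in applied:
            findings.append(f"ipsec policy {group} {seq}: group {group} is not bound to any interface")
    return findings

# Constructed excerpt (not copied from the listings): policy 20 is created in group "ipsec"
# while the WAN interface binds group "ipsec-vpn", and peer bb names an IKE proposal 3 that is never defined.
SAMPLE = """ipsec proposal aa
acl number 3001 =for vpn
ike peer bb v1
 ike-proposal 3
ipsec policy ipsec 20 isakmp
 security acl 3001
 ike-peer bb
 proposal aa
interface GigabitEthernet 0/0
 ipsec policy ipsec-vpn
"""
```

Run `lint_vrp_ipsec(SAMPLE)` to see both findings; paste a full `display current-configuration` in place of SAMPLE to check a real box.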