Lab topology:

 

RT1 configuration:

==============================

<H3C>sy
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ip add 192.168.1.2 255.255.255.0
[H3C-GigabitEthernet0/1/0]un shu
[H3C-GigabitEthernet0/1/0]quit
[H3C]int g0/1/1
[H3C-GigabitEthernet0/1/1]ip add 192.168.2.1 255.255.255.0
[H3C-GigabitEthernet0/1/1]un shu
[H3C-GigabitEthernet0/1/1]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]quit
[H3C]ike peer peer1                                   (create the IKE peer)
[H3C-ike-peer-peer1]pre-shared-key abcde         (configure the pre-shared key)
[H3C-ike-peer-peer1]remote-address 192.168.3.2    (configure the remote address)
[H3C-ike-peer-peer1]quit

[H3C]ipsec policy map1 10 isakmp
[H3C-ipsec-policy-isakmp-map1-10]security acl 3001
[H3C-ipsec-policy-isakmp-map1-10]proposal kalng
[H3C-ipsec-policy-isakmp-map1-10]ike-peer peer1
[H3C-ipsec-policy-isakmp-map1-10]quit
[H3C]int g0/1/1
[H3C-GigabitEthernet0/1/1]ipsec policy map1
[H3C-GigabitEthernet0/1/1]quit

 

 

RT2 configuration:

<H3C>sy
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ip add 192.168.3.2 255.255.255.0
[H3C-GigabitEthernet0/1/0]un shu
[H3C-GigabitEthernet0/1/0]quit
[H3C]int g0/1/1
[H3C-GigabitEthernet0/1/1]ip add 192.168.4.1 255.255.255.0
[H3C-GigabitEthernet0/1/1]un shu
[H3C-GigabitEthernet0/1/1]quit
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.3.1
[H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]ipsec proposal kalng
[H3C-ipsec-proposal-kalng]encapsulation-mode tunnel
[H3C-ipsec-proposal-kalng]transform esp
[H3C-ipsec-proposal-kalng]esp authentication-algorithm md5
[H3C-ipsec-proposal-kalng]esp encryption-algorithm des
[H3C-ipsec-proposal-kalng]quit
[H3C]ike peer peer2
[H3C-ike-peer-peer2]pre-shared-key abcde
[H3C-ike-peer-peer2]remote-address 192.168.2.1
[H3C-ike-peer-peer2]quit
[H3C]ipsec policy map1 10 isakmp
[H3C-ipsec-policy-isakmp-map1-10]security acl 3001
[H3C-ipsec-policy-isakmp-map1-10]proposal kalng
[H3C-ipsec-policy-isakmp-map1-10]ike-peer peer2
[H3C-ipsec-policy-isakmp-map1-10]quit
[H3C]int g0/1/0
[H3C-GigabitEthernet0/1/0]ipsec policy map1
[H3C-GigabitEthernet0/1/0]quit
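
A consistency check for the two configurations above, added here as an example and not part of the original post. It takes the commands from the RT1 and RT2 sessions (prompts stripped, reduced to the lines it reads) and verifies what both peers must agree on: mirrored ACL 3001 rules, each remote-address pointing at the interface where the peer applies the policy, and identical proposal algorithms and pre-shared key. It also flags the des and md5 transforms, both obsolete for IPsec. The names parse, audit and WEAK are this example's own.

```python
# Commands from the RT1/RT2 sessions above, prompts stripped, reduced to what the checks read.
RT1 = """int g0/1/1
ip add 192.168.2.1 255.255.255.0
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
esp authentication-algorithm md5
esp encryption-algorithm des
pre-shared-key abcde
remote-address 192.168.3.2
ipsec policy map1"""
RT2 = """int g0/1/0
ip add 192.168.3.2 255.255.255.0
rule permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
esp authentication-algorithm md5
esp encryption-algorithm des
pre-shared-key abcde
remote-address 192.168.2.1
ipsec policy map1"""
WEAK = {"des", "md5"}  # transforms no longer considered adequate for IPsec

def parse(text):
    """Extract the fields both peers must agree on from one router's commands."""
    c, iface, addr = {}, None, {}
    for line in text.splitlines():
        w = line.split() or [""]
        if w[0] == "int":
            iface = w[1]
        elif w[:2] == ["ip", "add"]:
            addr[iface] = w[2]
        elif w[0] == "rule":
            c["acl"] = (w[4], w[5], w[7], w[8])  # source, wildcard, destination, wildcard
        elif w[0] == "esp":
            c[w[1]] = w[2]
        elif w[0] in ("pre-shared-key", "remote-address"):
            c[w[0]] = w[1]
        elif w[:2] == ["ipsec", "policy"]:
            c["local"] = addr[iface]  # address of the interface the policy is applied to
    return c

def audit(a, b):
    """Return findings for two peer configs; an empty list means consistent and not weak."""
    a, b, out = parse(a), parse(b), []
    if a["acl"] != b["acl"][2:] + b["acl"][:2]:
        out.append("ACLs are not mirror images")
    out += ["remote-address does not match the peer's IPsec interface"
            for x, y in ((a, b), (b, a)) if x["remote-address"] != y["local"]]
    keys = ("authentication-algorithm", "encryption-algorithm", "pre-shared-key")
    out += [f"{k} differs between peers" for k in keys if a[k] != b[k]]
    out += [f"weak {k}: {a[k]}" for k in keys[:2] if a[k] in WEAK]
    return out
```

Run against the page's configurations, `audit(RT1, RT2)` reports only the two weak-transform findings; the ACLs, peer addresses and key are consistent.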