Date: 2018-10-13
Typical Configuration of Standard IPsec on AR Series Routers

【Requirement】
Two routers communicate across the Internet through an IPsec tunnel.

【Network diagram】

【Configuration script】

RouterA configuration script

#
 sysname RouterA
#
radius scheme system
#
domain system
#
ike proposal 1
#
ike peer a
 pre-shared-key huawei-3com
 remote-address 202.0.0.2
#
ipsec proposal a
#
ipsec policy a 1 isakmp
 security acl 3000
 ike-peer a
 proposal a
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
interface Ethernet1/0/0
 ip address 192.168.1.1 255.255.255.0
interface Serial2/0/0
 link-protocol ppp
 ip address 202.0.0.1 255.255.255.0
 ipsec policy a
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 202.0.0.2 preference 60
user-interface con 0
user-interface vty 0 4
#
return

RouterB configuration script

 sysname RouterB
#
radius scheme system
#
domain system
#
ike proposal 1
#
ike peer b
 pre-shared-key huawei-3com
 remote-address 202.0.0.1
#
ipsec proposal b
#
ipsec policy b 1 isakmp
 security acl 3000
 ike-peer b
 proposal b
#
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Ethernet1/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ip address 202.0.0.2 255.255.255.0
 ipsec policy b
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 202.0.0.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

【Verification】
Confirm that the IKE SA has been established on RouterA:

[RouterA]disp ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
        2          202.0.0.2       RD|ST         1     IPSEC
        3          202.0.0.2       RD|ST         2     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

【Tips】
1. When a router needs both IPsec and NAT, the NAT ACL must deny the flows that IPsec protects. Otherwise, traffic that should be protected by IPsec is matched by the NAT ACL first and translated, so it never triggers IPsec establishment.
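The tip above can be checked mechanically before a change is deployed. The following is an added example, not part of the original document: it parses ACL rules in the syntax used on this page and reports any IPsec-protected flow that a NAT ACL would translate. The NAT ACL rules are constructed (the page shows no NAT configuration), and the code assumes rules are evaluated in ascending rule-ID order with first match winning and that wildcard masks are contiguous.

```python
import ipaddress
import re

RULE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip"
                  r"(?:\s+source\s+(\S+)\s+(\S+))?"
                  r"(?:\s+destination\s+(\S+)\s+(\S+))?")

def _net(addr, wildcard):
    """Turn an address plus contiguous wildcard mask into a network."""
    if addr is None:                      # clause omitted means "any"
        return ipaddress.ip_network("0.0.0.0/0")
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_acl(text):
    """Return [(rule_id, action, src_net, dst_net)] sorted by rule id."""
    rules = []
    for m in RULE.finditer(text):
        rid, action, s, sw, d, dw = m.groups()
        rules.append((int(rid), action, _net(s, sw), _net(d, dw)))
    return sorted(rules, key=lambda r: r[0])

def nat_conflicts(ipsec_acl, nat_acl):
    """List IPsec-protected flows that the NAT ACL would translate."""
    conflicts = []
    nat_rules = parse_acl(nat_acl)
    for _, action, src, dst in parse_acl(ipsec_acl):
        if action != "permit":
            continue
        for _, nat_action, nsrc, ndst in nat_rules:   # first match wins
            if nat_action == "deny" and src.subnet_of(nsrc) and dst.subnet_of(ndst):
                break                                  # flow is exempt from NAT
            if nat_action == "permit" and src.overlaps(nsrc) and dst.overlaps(ndst):
                conflicts.append(f"{src} -> {dst}")    # NAT would grab this flow
                break
    return conflicts

# RouterA's ACL 3000 rule, taken from the configuration on this page.
IPSEC_ACL = "rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"
# Constructed NAT ACL rules (assumptions, not from the page).
NAT_BAD = "rule 0 permit ip source 192.168.1.0 0.0.0.255"
NAT_GOOD = ("rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255\n"
            "rule 1 permit ip source 192.168.1.0 0.0.0.255")

if __name__ == "__main__":
    print("without deny rule:", nat_conflicts(IPSEC_ACL, NAT_BAD))
    print("with deny rule   :", nat_conflicts(IPSEC_ACL, NAT_GOOD))
```

A deny rule that covers only part of a protected flow is treated as not exempting it, so the check errs toward reporting a conflict.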