关于ar系列路由器标准ipsec的典型配置

《关于ar系列路由器标准ipsec的典型配置》由会员上传分享，免费在线阅读，更多相关内容在工程资料-天天文库。

1、关于AR系列路由器标准ipsec的典型配置【需求】两台路由器通过internet采用ipsectunnel方式立通。【组网图】【配置脚木】RouterA配置脚本#sysnameRouterA#radiusschemesystem#domainsystem#ikeproposal1#ikepeerapre-shared-keyhuawei-3comremote-address202.0.0.2#ipsecproposala#ipsecpolicya1isakmpsecurityacl3000ike-peeraproposala

2、#aclnumber3000rule0permitipsource192.168.1.00.0.0.255destination192.168.2.00.0.0.255#interfaceEthernetl/0/0ipaddress192.168.1.1255.255.255.0interfaceSerial2/0/0link-protocolpppipaddress202.0.0.1255.255.255.0ipsecpolicyainterfaceNULLO#iproute-static0.0.0.00.0.0.0202

3、.0.0.2preference60user-interfacecon0user-interfacevty04#returnRouterB配置脚本sysnameRouterB#radiusschemesystem#domainsystem#ikeproposal1#ikepeerbpre-shared-keyhuawei-3comremote-address202.0.0.1#ipsecproposalb#ipsecpolicyb1isakmpsecurityacl3000ike-peerbproposalb#aclnumb

4、er3000rule0permitipsource192.168.2.00.0.0.255destination192.168.1.00.0.0.255#interfaceEthernetl/0/0ipaddress192.168.2.1255.255.255•0#interfaceSerial2/0/0link-protocolpppipaddress202.0.0.2255.255.255.0ipsecpolicybinterfaceNULLO#iproute-static0.0.0.00.0.0.0202.0.0.1p

5、reference60#user-interfacecon0user-interfacevty04#return【验证】确认RouterA上建立ikesa[RouterA]dispikesatotalphase-1SAs:1flagphasedoiconnection-idpeer2202.0.0.2RD

6、ST1工PSEC3202.0.0.2RD

7、ST2工PSECflagmeaningRD--READYST--STAYAL工VERL--REPLACEDFD--FAD工NGTO--TIMEOUT【提示】1、当路由器即需耍配置i

8、psec,又需耍使用NAT的，一定耍在NAT的ACL中deny棹ipsec保护的流。否则需要进行ipsec保护的流会先会被NAT的ACL匹配，进行NAT,而无法触发ipsec的建立。