![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnLjV2NyAjZjZmZjNGOlZWMiVmYkRDN1MWO1kDOzczM4MzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
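Network topology and IP configuration

Step 1: configure the IP addresses shown above on the interfaces.

Operations on AR1, which also gets a default route. The routing configuration is the same on both sides.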
```
[AR1]acl 3000
[AR1-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR1]ipsec proposal bj    // ipsec proposal <name>
[AR1-ipsec-proposal-bj]transform esp
[AR1-ipsec-proposal-bj]esp authentication-algorithm md5    // authentication algorithm
[AR1-ipsec-proposal-bj]esp encryption-algorithm 3des    // encryption algorithm
[AR1]ipsec policy shanghai 10 manual
[AR1-ipsec-policy-manual-shanghai-10]security acl 3000    // bind the ACL to the policy
[AR1-ipsec-policy-manual-shanghai-10]proposal bj    // apply the security proposal
[AR1-ipsec-policy-manual-shanghai-10]tunnel local 100.1.1.1    // local tunnel IP
[AR1-ipsec-policy-manual-shanghai-10]tunnel remote 200.1.1.1    // peer tunnel IP
[AR1-ipsec-policy-manual-shanghai-10]sa spi inbound esp 12345
[AR1-ipsec-policy-manual-shanghai-10]sa string-key inbound esp cipher huawei
[AR1-ipsec-policy-manual-shanghai-10]sa spi outbound esp 54321
[AR1-ipsec-policy-manual-shanghai-10]sa string-key outbound esp cipher huawei
[AR1-GigabitEthernet0/0/0]ipsec policy shanghai    // apply the policy on the interface
[AR1]ip route-static 0.0.0.0 0 100.1.1.2    // configure a default route out
```
Operations on AR2, which also gets a static route.
```
[AR2]acl 3000
[AR2-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR2]ipsec proposal sh
[AR2-ipsec-proposal-sh]transform esp
[AR2-ipsec-proposal-sh]esp authentication-algorithm md5
[AR2-ipsec-proposal-sh]esp encryption-algorithm 3des
[AR2]ipsec policy beijin 10 manual
[AR2-ipsec-policy-manual-beijin-10]security acl 3000
[AR2-ipsec-policy-manual-beijin-10]proposal sh
[AR2-ipsec-policy-manual-beijin-10]tunnel local 200.1.1.1
[AR2-ipsec-policy-manual-beijin-10]tunnel remote 100.1.1.1
[AR2-ipsec-policy-manual-beijin-10]sa spi inbound esp 54321    // the peer's outbound SPI is the inbound SPI here: exactly reversed
[AR2-ipsec-policy-manual-beijin-10]sa string-key inbound esp cipher huawei
[AR2-ipsec-policy-manual-beijin-10]sa spi outbound esp 12345    // the peer's inbound SPI is the outbound SPI here: exactly reversed
[AR2-ipsec-policy-manual-beijin-10]sa string-key outbound esp cipher huawei
[AR2-GigabitEthernet0/0/0]ipsec policy beijin
[AR2]ip route-static 0.0.0.0 0 200.1.1.2    // configure a default route out
```
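With manual SAs nothing is negotiated, so a single value that is not mirrored between the two routers leaves the tunnel silently dropping traffic. The following is an added example, not part of the original post: a small Python check that the two configurations above mirror each other (ACL, tunnel endpoints, SPIs, keys) and that flags algorithms deprecated for ESP by RFC 8221. The names `TEMPLATE`, `FIELDS`, `parse` and `check` are hypothetical, and the sample input is constructed from the commands on this page.

```python
import re

# Constructed sample: the page's manual-SA commands, with per-router values filled in.
TEMPLATE = """\
rule 5 permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
esp authentication-algorithm md5
esp encryption-algorithm 3des
tunnel local {local}
tunnel remote {remote}
sa spi inbound esp {spi_in}
sa string-key inbound esp cipher huawei
sa spi outbound esp {spi_out}
sa string-key outbound esp cipher huawei
"""
AR1 = TEMPLATE.format(src="192.168.10.0", dst="192.168.20.0", local="100.1.1.1",
                      remote="200.1.1.1", spi_in=12345, spi_out=54321)
AR2 = TEMPLATE.format(src="192.168.20.0", dst="192.168.10.0", local="200.1.1.1",
                      remote="100.1.1.1", spi_in=54321, spi_out=12345)

FIELDS = {  # hypothetical field name -> regex capturing its value
    "src": r"permit ip source (\S+ \S+)", "dst": r"destination (\S+ \S+)",
    "auth": r"esp authentication-algorithm (\S+)",
    "enc": r"esp encryption-algorithm (\S+)",
    "local": r"tunnel local (\S+)", "remote": r"tunnel remote (\S+)",
    "spi_in": r"sa spi inbound esp (\d+)", "spi_out": r"sa spi outbound esp (\d+)",
    "key_in": r"sa string-key inbound esp cipher (\S+)",
    "key_out": r"sa string-key outbound esp cipher (\S+)",
}
WEAK = {"md5", "des", "3des"}  # deprecated for ESP (RFC 8221)

def parse(cfg):
    """Pull out the values that must match or mirror; works with or without prompts."""
    return {k: (m[1] if (m := re.search(rx, cfg)) else None) for k, rx in FIELDS.items()}

def check(cfg_a, cfg_b):
    """Return a list of problems; no 'mirrored'/'differs' entries means the ends agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"missing {k}" for p in (a, b) for k, v in p.items() if v is None]
    for x, y in [("src", "dst"), ("local", "remote"),
                 ("spi_in", "spi_out"), ("key_in", "key_out")]:
        if a[x] != b[y] or a[y] != b[x]:
            problems.append(f"{x}/{y} not mirrored between peers")
    for k in ("auth", "enc"):
        if a[k] != b[k]:
            problems.append(f"{k} algorithm differs between peers")
        problems += [f"weak {k} algorithm: {v}" for v in sorted({a[k], b[k]} & WEAK)]
    return problems
```

For the configuration on this page, `check(AR1, AR2)` reports no mirroring problems and flags only the MD5 and 3DES choices.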
Final result