![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnLjV2NyAjZjZmZjNGOlZWMiVmYkRDN1MWO1kDOzczM4MzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
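Network topology and IP configuration
Step 1: configure the IP addresses shown above on the interfaces.
Configuration on AR1, including a default route. The routing configuration is the same on both sides.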
[AR1]acl 3000
[AR1-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR1]ipsec proposal bj //ipsec proposal <name>
[AR1-ipsec-proposal-bj]transform esp
[AR1-ipsec-proposal-bj]esp authentication-algorithm md5 // authentication algorithm
[AR1-ipsec-proposal-bj]esp encryption-algorithm 3des // encryption algorithm
[AR1]ipsec policy shanghai 10 manual
[AR1-ipsec-policy-manual-shanghai-10]security acl 3000 // reference the ACL
[AR1-ipsec-policy-manual-shanghai-10]proposal bj // apply the security proposal
[AR1-ipsec-policy-manual-shanghai-10]tunnel local 100.1.1.1 // local tunnel IP
[AR1-ipsec-policy-manual-shanghai-10]tunnel remote 200.1.1.1 // peer tunnel IP
[AR1-ipsec-policy-manual-shanghai-10]sa spi inbound esp 12345
[AR1-ipsec-policy-manual-shanghai-10]sa string-key inbound esp cipher huawei
[AR1-ipsec-policy-manual-shanghai-10]sa spi outbound esp 54321
[AR1-ipsec-policy-manual-shanghai-10]sa string-key outbound esp cipher huawei
[AR1-GigabitEthernet0/0/0]ipsec policy shanghai // apply the policy on the interface
[AR1]ip route-static 0.0.0.0 0 100.1.1.2 // configure a default route out
Configuration on AR2, including a static route.
[AR2]acl 3000
[AR2-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR2]ipsec proposal sh
[AR2-ipsec-proposal-sh]transform esp
[AR2-ipsec-proposal-sh]esp authentication-algorithm md5
[AR2-ipsec-proposal-sh]esp encryption-algorithm 3des
[AR2]ipsec policy beijin 10 manual
[AR2-ipsec-policy-manual-beijin-10]security acl 3000
[AR2-ipsec-policy-manual-beijin-10]proposal sh
[AR2-ipsec-policy-manual-beijin-10]tunnel local 200.1.1.1
[AR2-ipsec-policy-manual-beijin-10]tunnel remote 100.1.1.1
[AR2-ipsec-policy-manual-beijin-10]sa spi inbound esp 54321 // the peer's outbound SPI is the inbound SPI here: exactly reversed
[AR2-ipsec-policy-manual-beijin-10]sa string-key inbound esp cipher huawei
[AR2-ipsec-policy-manual-beijin-10]sa spi outbound esp 12345 // the peer's inbound SPI is the outbound SPI here: exactly reversed
[AR2-ipsec-policy-manual-beijin-10]sa string-key outbound esp cipher huawei
[AR2-GigabitEthernet0/0/0]ipsec policy beijin
[AR2]ip route-static 0.0.0.0 0 200.1.1.2 // configure a default route out
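An added example, not part of the original post: a Python check that the two manual policies above really mirror each other (ACL, tunnel endpoints, SPIs and keys swapped between sides, algorithms equal), since a manual SA that does not match simply drops traffic. It also flags MD5 and 3DES, which RFC 8221 deprecates for ESP; the field names and the `WEAK` list are assumptions of this example.

```python
import re

# Commands typed on the page for each router (prompts and comments stripped).
AR1 = """rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
esp authentication-algorithm md5
esp encryption-algorithm 3des
tunnel local 100.1.1.1
tunnel remote 200.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei"""
AR2 = """rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
esp authentication-algorithm md5
esp encryption-algorithm 3des
tunnel local 200.1.1.1
tunnel remote 100.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher huawei
sa spi outbound esp 12345
sa string-key outbound esp cipher huawei"""

PATTERNS = {  # hypothetical field names -> regex capturing the value
    "src": r"source (\S+ \S+)", "dst": r"destination (\S+ \S+)",
    "auth": r"authentication-algorithm (\S+)", "enc": r"encryption-algorithm (\S+)",
    "local": r"tunnel local (\S+)", "remote": r"tunnel remote (\S+)",
    "spi_in": r"spi inbound esp (\d+)", "spi_out": r"spi outbound esp (\d+)",
    "key_in": r"key inbound esp cipher (\S+)", "key_out": r"key outbound esp cipher (\S+)",
}
# Manual SAs negotiate nothing, so these pairs must mirror across the peers.
MIRRORED = [("src", "dst"), ("local", "remote"), ("spi_in", "spi_out"), ("key_in", "key_out")]
WEAK = {"md5", "des", "3des"}  # assumption: this example's list of legacy algorithms

def parse(text):
    return {k: m.group(1) if (m := re.search(p, text)) else None for k, p in PATTERNS.items()}

def check(a_text, b_text):
    a, b = parse(a_text), parse(b_text)
    out = []
    for x, y in MIRRORED:
        for p, q in ((x, y), (y, x)):
            if a[p] is None or a[p] != b[q]:
                out.append(f"mismatch: A {p}={a[p]} / B {q}={b[q]}")
    for f in ("auth", "enc"):
        if a[f] != b[f]:
            out.append(f"mismatch: {f} {a[f]} / {b[f]}")
        out += [f"weak {f}: {v}" for v in sorted({a[f], b[f]} - {None}) if v in WEAK]
    return out

print(check(AR1, AR2))
```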
Final result