华为路由器配置ip-sec隧道VPN配置
1、配置对等体和remote
[RouterA]ike peer spub #---配置对等体名称为spub
[RouterA-ike-peer-spub]undo version 2 #---取消对IKEv2版本的支持
[RouterA-ike-peer-spub] pre-shared-key simple huawei #---配置预共享密钥认证方法的共享密钥为huawei,两端的密钥必须一致
[RouterA-ike-peer-spub] remote-address 202.138.162.1 #---配置对端IPSec端点IP地址为202.138.162.1
[RouterA-ike-peer-spub] quit[RouterB] ike peer spua
[RouterB-ike-peer-spub] undo version 2
[RouterB-ike-peer-spua] pre-shared-key simple huawei
[RouterB-ike-peer-spua] remote-address 202.138.163.1
[RouterB-ike-peer-spua] quit
2、建立安全策略
[RouterA]ipsec policy client 10 isakmp #---创建名为client,序号为10的安全策略
[RouterA-ipsec-policy-isakmp-client-10]ike-peer spub #---指定对等体名称为spub
[RouterA-ipsec-policy-isakmp-client-10]proposal pro1 #---引用前面已创建的IPSec安全提议pro1
[RouterA-ipsec-policy-isakmp-client-10]security acl 3100 #---引用前面已定义的用于指定需要保护数据流的ACL 3100
[RouterA-ipsec-policy-isakmp-client-10] quit
[RouterB] ipsec policy server 10 isakmp
[RouterB-ipsec-policy-isakmp-server-10] ike-peer spua
[RouterB-ipsec-policy-isakmp-server-10] proposal pro1
[RouterB-ipsec-policy-isakmp-server-10] security acl 3100
[RouterB-ipsec-policy-isakmp-server-10] quit
3、接口上启用安全策略
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy client
[RouterA-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy server
[RouterB-GigabitEthernet1/0/0] quit