Huawei IPsec commands

1. Define the interesting traffic

[r1]acl number 3000
[r1-acl-adv-3000] rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
[r1-acl-adv-3000] quit

2. IKE configuration

[r1]ike proposal 1
[r1-ike-proposal-1] encryption-algorithm 3des-cbc
[r1-ike-proposal-1] authentication-algorithm md5
[r1-ike-proposal-1] quit

[r1]ike peer r3 v1
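[r1-ike-peer-r3]pre-shared-key simple huawei (sets the negotiation key; it must be the same on both ends)
[r1-ike-peer-r3]ike-proposal 1 (references the IKE proposal configured above)
[r1-ike-peer-r3]remote-address 200.1.1.3 (public interface address of the peer *** gateway)

3. IPsec configuration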

[r1]ipsec proposal 1
[r1-ipsec-proposal-1]transform ah (sets the encapsulation protocol)

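[r1]ipsec policy L 10 isakmp (L is a user-defined name, 10 is a user-defined sequence number, and isakmp means IKE is used to establish the IPsec SA)
[r1-ipsec-policy-isakmp-L-10] security acl 3000 (references the ACL above)
[r1-ipsec-policy-isakmp-L-10] ike-peer r3 (references the IKE peer above)
[r1-ipsec-policy-isakmp-L-10] proposal 1 (references the IPsec proposal configured above)

4. Apply the policy on the interface

[r1]interface GigabitEthernet0/0/0 (the device's public network interface)
[r1-GigabitEthernet0/0/0] ipsec policy L (applies the policy above)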
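
The configuration above selects 3DES, MD5, a `simple` (plaintext) pre-shared key, IKEv1 and AH-only encapsulation. The following added example, which is not part of the original post, parses prompt-prefixed lines like the ones on this page and flags those settings; the rule list and the finding texts are this example's own assumptions about what to flag.

```python
import re

# Prompt-prefixed lines as shown on this page, annotations translated.
PAGE_LINES = """\
[r1]ike proposal 1
[r1-ike-proposal-1] encryption-algorithm 3des-cbc
[r1-ike-proposal-1] authentication-algorithm md5
[r1]ike peer r3 v1
[r1-ike-peer-r3]pre-shared-key simple huawei(negotiation key, same on both ends)
[r1-ike-peer-r3]remote-address 200.1.1.3
[r1]ipsec proposal 1
[r1-ipsec-proposal-1]transform ah(sets the encapsulation protocol)
"""

# (substring of the view name in the prompt, command regex, finding).
# Findings are this example's assessment, not statements from the page.
RULES = [
    ("ike-proposal", r"encryption-algorithm\s+(des|3des)",
     "IKE uses DES/3DES, a deprecated cipher"),
    ("ike-proposal", r"authentication-algorithm\s+md5",
     "IKE uses MD5, a deprecated hash"),
    ("ike-peer", r"pre-shared-key\s+simple\s",
     "pre-shared key is kept as plaintext in the configuration"),
    ("", r"^ike peer \S+ v1$", "peer is pinned to IKEv1"),
    ("ipsec-proposal", r"^transform\s+ah$",
     "AH only: packets are authenticated but not encrypted"),
]

# "[view] command(annotation)" -> view, command; the annotation is dropped.
LINE = re.compile(r"^\[([^\]]+)\]\s*(.*?)\s*(?:[((].*)?$")

def audit(text):
    """Return (view, command, finding) for every flagged setting."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a prompt-prefixed CLI line
        view, cmd = m.group(1), m.group(2)
        for view_key, pattern, finding in RULES:
            if view_key in view and re.search(pattern, cmd):
                findings.append((view, cmd, finding))
    return findings

if __name__ == "__main__":
    for view, cmd, finding in audit(PAGE_LINES):
        print(f"[{view}] {cmd}: {finding}")
```
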


Reposted from blog.51cto.com/13251917/2542894