基本思路與前一篇思科環境下的配置一致(http://ciscowu.blog.51cto.com/2602251/1394879),主要注意點還是要禁止***的興趣流量從NAT轉發出去。命令略有不同,直接上配置了。
<R1>
nat address-group 1 172.20.5.1 172.20.5.1
ike peer key
pre-shared-key cipher UXbCHBX4Rsw=
remote-address 172.20.4.1
#
ipsec proposal tran
esp encryption-algorithm 3des
#
ipsec policy *** 1 isakmp
security acl 3002
ike-peer key
proposal tran
#
acl number 3001
rule 0 deny ip source 10.5.0.0 0.0.255.255 destination 10.4.0.0 0.0.255.255
rule 5 permit ip
acl number 3002
rule 10 permit ip source 10.5.0.0 0.0.255.255 destination 10.4.0.0 0.0.255.255
rule 20 deny ip
#
interface Serial0/2/0
link-protocol ppp
nat outbound 3001 address-group 1
ip address 172.20.5.1 255.255.255.0
ipsec policy ***
interface Serial0/2/2
link-protocol ppp
ip address 10.5.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.20.5.2
ip route-static 10.5.0.0 255.255.0.0 10.5.1.1
<R2>
interface Serial0/2/0
ip address 172.20.5.2 255.255.255.0
interface Serial0/2/2
ip address 172.20.4.2 255.255.255.0
<R3>
nat address-group 1 172.20.4.1 172.20.4.1
#
ike peer key
pre-shared-key cipher UXbCHBX4Rsw=
remote-address 172.20.5.1
#
ipsec proposal tran
esp encryption-algorithm 3des
#
ipsec policy *** 1 isakmp
security acl 3002
ike-peer key
proposal tran
#
acl number 3001
rule 0 deny ip source 10.4.0.0 0.0.255.255 destination 10.5.0.0 0.0.255.255
rule 5 permit ip
acl number 3002
rule 10 permit ip source 10.4.0.0 0.0.255.255 destination 10.5.0.0 0.0.255.255
rule 20 deny ip
#
interface Serial0/2/0
link-protocol ppp
ip address 10.4.1.254 255.255.255.0
#
interface Serial0/2/2
link-protocol ppp
nat outbound 3001 address-group 1
ip address 172.20.4.1 255.255.255.0
ipsec policy ***
ip route-static 0.0.0.0 0.0.0.0 172.20.4.2
ip route-static 10.4.0.0 255.255.0.0 10.4.1.1