ipsec ***

 

 

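Simple requirements:

Shanghai, as the headquarters, establishes IKE *** tunnels to each of the Suzhou, Chengdu and Guangzhou branches using H3C routers. Travelling mobile users, however, cannot reach the company intranet, so the goal is to set up a *** server at the Shanghai headquarters for mobile users to dial in to.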

Headquarters configuration:
sys
sysname R1
# IKE identity of this router; the branches refer to it with "remote-name zongbu"
ike local-name zongbu
# LAN interface
int e1/0/1
ip addr 192.168.1.1 24
quit
# One IKE peer per branch: aggressive mode, peers identified by name, NAT traversal on.
# The pre-shared key of each peer must be the same value on the branch side.
ike peer chengdu
exchange-mode aggressive
pre-shared-key cipher chengdu
id-type name
remote-name chengdu
nat traversal
quit
ike peer suzhou
exchange-mode aggressive
pre-shared-key cipher suzhou
id-type name
remote-name suzhou
nat traversal
quit
ike peer guangzhou
exchange-mode aggressive
pre-shared-key cipher guangzhou
id-type name
remote-name guangzhou
nat traversal
quit
ipsec proposal default
quit
# Policy templates: headquarters answers negotiations started by the branches.
# Each ike-peer must name a peer defined above.
ipsec policy-template chengd 1
ike-peer chengdu
proposal default
quit
ipsec policy-template suz 1
ike-peer suzhou
proposal default
quit
ipsec policy-template guangz 1
ike-peer guangzhou
proposal default
quit
ipsec policy zongbu 10 isakmp template chengd
ipsec policy zongbu 20 isakmp template suz
ipsec policy zongbu 30 isakmp template guangz
# Loopback used as the source of all tunnels
int loopback 0
ip addr 10.10.10.1 32
quit
# One tunnel per branch, loopback to loopback
int tunnel 0
ip addr 1.1.1.1 24
source loopback 0
destination 20.20.20.1
quit
int tunnel 1
ip addr 2.2.2.1 24
source loopback 0
destination 30.30.30.1
quit
int tunnel 2
ip addr 3.3.3.1 24
source loopback 0
destination 40.40.40.1
quit
# WAN interface with the IPsec policy applied
int e1/0/21
ip addr 212.2.2.214 24
ipsec policy zongbu
quit

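Chengdu branch
sys
ike local-name chengdu
int e1/0/1
ip addr 192.168.2.1 24
quit
ike peer zongbu
exchange-mode aggressive
# Must be the same key that headquarters configures for its peer chengdu
pre-shared-key cipher chengdu
id-type name
remote-name zongbu
remote-address 212.2.2.214
nat traversal
quit
# Protect the traffic between the two tunnel endpoints (loopback to loopback)
acl number 3001
rule 0 permit ip source 20.20.20.1 0 destination 10.10.10.1 0
quit
ipsec proposal default
quit
int loopback 0
ip addr 20.20.20.1 32
quit
ipsec policy chengdu 10 isakmp
security acl 3001
ike-peer zongbu
proposal default
quit
int e1/0/21
ip addr 213.1.1.1 24
ipsec policy chengdu
quit
# Not in the original listing: the branch end of headquarters tunnel 0 (1.1.1.1/24).
# The address 1.1.1.2 is assumed by analogy with the other two branches.
int tunnel 0
ip addr 1.1.1.2 24
source loopback 0
destination 10.10.10.1
quit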

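Suzhou branch

sys
ike local-name suzhou
# Same LAN subnet as the Chengdu listing; branch LANs need distinct subnets to be routed over the tunnels
int e1/0/1
ip addr 192.168.2.1 24
quit
ike peer zongbu
exchange-mode aggressive
# Must be the same key that headquarters configures for its peer suzhou
pre-shared-key cipher suzhou
id-type name
remote-name zongbu
remote-address 212.2.2.214
nat traversal
quit
# Protect the traffic between the two tunnel endpoints (loopback to loopback)
acl number 3001
rule 0 permit ip source 30.30.30.1 0 destination 10.10.10.1 0
quit
ipsec proposal default
quit
ipsec policy suzhou 10 isakmp
security acl 3001
ike-peer zongbu
proposal default
quit
# Loopback is defined before the tunnel that uses it as source
int loopback 0
ip addr 30.30.30.1 32
quit
int tunnel 0
ip addr 2.2.2.2 24
source loopback 0
destination 10.10.10.1
quit
# The listing repeats Chengdu's 213.1.1.1 here; each branch needs its own WAN address
int e1/0/21
ip addr 213.1.1.1 24
ipsec policy suzhou
quit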


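Guangzhou branch

sys
# Must be unique per site and equal to the remote-name headquarters uses for this peer
ike local-name guangzhou
# Same LAN subnet as the Chengdu listing; branch LANs need distinct subnets to be routed over the tunnels
int e1/0/1
ip addr 192.168.2.1 24
quit
ike peer zongbu
exchange-mode aggressive
# Must be the same key that headquarters configures for its peer guangzhou
pre-shared-key cipher guangzhou
id-type name
remote-name zongbu
remote-address 212.2.2.214
nat traversal
quit
# Protect the traffic between the two tunnel endpoints (loopback to loopback)
acl number 3001
rule 0 permit ip source 40.40.40.1 0 destination 10.10.10.1 0
quit
ipsec proposal default
quit
ipsec policy guangzhou 10 isakmp
security acl 3001
ike-peer zongbu
proposal default
quit
int e1/0/21
ip addr 214.1.1.1 24
ipsec policy guangzhou
quit
int loopback 0
ip addr 40.40.40.1 32
quit
int tunnel 0
ip addr 3.3.3.2 24
source loopback 0
destination 10.10.10.1
quit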
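
A hub-and-spoke setup like the one above only negotiates if the names and keys agree across devices, so the following added example (not part of the original post) cross-checks several configurations before they are pasted into the routers. The device labels, the `SAMPLE` excerpts and the keys `k1`, `k2`, `k9` are constructed; the parser only understands the handful of commands used on this page.

```python
import re

def parse(cfg):
    """Return (local-name, {peer: settings}, [ike-peer references]) for one device."""
    local, peers, refs, cur = None, {}, [], None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"ike local-name (\S+)", line):
            local = m[1]
        elif m := re.fullmatch(r"ike peer (\S+)", line):      # peer definition view
            cur = peers.setdefault(m[1], {})
        elif m := re.fullmatch(r"ike-peer (\S+)", line):      # reference from a policy
            refs.append(m[1])
        elif line == "quit":                                  # leaves the current view
            cur = None
        elif cur is not None and (m := re.fullmatch(
                r"(pre-shared-key|remote-name) (?:(?:cipher|simple) )?(\S+)", line)):
            cur[m[1]] = m[2]
    return local, peers, refs

def lint(devices):
    """devices maps a label to config text; returns a sorted list of findings."""
    parsed = {d: parse(c) for d, c in devices.items()}
    owner, out = {}, []                                       # local-name -> device label
    for dev, (local, peers, refs) in parsed.items():
        if local in owner:
            out.append(f"{dev}: local-name {local} already used by {owner[local]}")
        owner.setdefault(local, dev)
        out += [f"{dev}: ike-peer {r} is not defined" for r in refs if r not in peers]
    for dev, (local, peers, _) in parsed.items():
        for name, p in peers.items():
            far = owner.get(p.get("remote-name"))             # device on the other side
            if far is None:
                out.append(f"{dev}: peer {name} remote-name matches no local-name")
                continue
            for q in parsed[far][1].values():                 # far side's entry for us
                if q.get("remote-name") == local and \
                        q.get("pre-shared-key") != p.get("pre-shared-key"):
                    out.append(f"{dev}: key for peer {name} differs from {far}")
    return sorted(out)

# Constructed excerpts: a hub with an undefined peer reference, one spoke with a wrong key.
SAMPLE = {
    "hub": "ike local-name zongbu\nike peer chengdu\npre-shared-key cipher k1\n"
           "remote-name chengdu\nquit\nike peer suzhou\npre-shared-key cipher k2\n"
           "remote-name suzhou\nquit\nipsec policy-template suz 1\nike-peer suz\nquit",
    "chengdu": "ike local-name chengdu\nike peer zongbu\npre-shared-key cipher k9\n"
               "remote-name zongbu\nquit\nipsec policy chengdu 10 isakmp\nike-peer zongbu",
    "suzhou": "ike local-name suzhou\nike peer zongbu\npre-shared-key cipher k2\n"
              "remote-name zongbu\nquit",
}
```

`lint(SAMPLE)` reports the undefined `ike-peer suz` on the hub and the key mismatch between the hub and the Chengdu spoke from both sides; the Suzhou spoke passes.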
