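Configuration steps, broken down
1. Configure the proposal (must be identical on both peers)
R2 and R4 must match.
System view: ipsec proposal ipsec //the name after "ipsec proposal" (in red in the original) is the name agreed between the peers; it must be exactly the same on R2 and R4
2. Configure the interesting traffic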
R2:
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
R4:
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
3. Configure the ipsec policy
ipsec policy yeslab 10 manual
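security acl 3000 //reference the interesting traffic: the policy calls the access control list
proposal ipsec //the proposal agreed by both sides
tunnel local 10.1.1.1 //local IP address (public)
tunnel remote 20.1.1.1 //remote IP address (public)
sa spi inbound esp 12345 //SPI: security parameter index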
sa string-key inbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
sa spi outbound esp 54321
sa string-key outbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
4. Apply the ipsec policy to the physical interface
int g0/0/1
ipsec policy yeslab
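
With manual SAs nothing is negotiated, so the two peers' settings have to mirror each other by hand. The following is an added example, not part of the original page: a small Python check that compares two peers' configuration text. It assumes the policy shown in step 3 is R2's; the R4 policy text and the names parse and mismatches are constructed for illustration.

```python
import re

# R2's ACL rule and policy as shown on the page (key lines left out; assumed to be R2's).
R2 = """
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec policy yeslab 10 manual
proposal ipsec
tunnel local 10.1.1.1
tunnel remote 20.1.1.1
sa spi inbound esp 12345
sa spi outbound esp 54321
"""
# Constructed mirror for R4 (assumption: the page does not show R4's policy).
R4 = """
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec policy yeslab 10 manual
proposal ipsec
tunnel local 20.1.1.1
tunnel remote 10.1.1.1
sa spi inbound esp 54321
sa spi outbound esp 12345
"""
PATTERNS = {
    "src": r"source (\S+ \S+)",
    "dst": r"destination (\S+ \S+)",
    "proposal": r"^\s*proposal (\S+)",
    "local": r"tunnel local (\S+)",
    "remote": r"tunnel remote (\S+)",
    "spi_in": r"sa spi inbound esp (\d+)",
    "spi_out": r"sa spi outbound esp (\d+)",
}

def parse(cfg):
    """Extract the fields that must agree (or mirror) between the peers."""
    return {k: (m.group(1) if (m := re.search(p, cfg, re.M)) else None)
            for k, p in PATTERNS.items()}

def mismatches(cfg_a, cfg_b):
    """Return the names of the checks that fail between peer A and peer B."""
    a, b = parse(cfg_a), parse(cfg_b)
    missing = [f"missing {k}" for c in (a, b) for k, v in c.items() if v is None]
    checks = {
        "proposal name": a["proposal"] == b["proposal"],
        "acl mirrored": (a["src"], a["dst"]) == (b["dst"], b["src"]),
        "tunnel endpoints swapped": (a["local"], a["remote"]) == (b["remote"], b["local"]),
        "A inbound SPI = B outbound SPI": a["spi_in"] == b["spi_out"],
        "A outbound SPI = B inbound SPI": a["spi_out"] == b["spi_in"],
    }
    return missing + [name for name, ok in checks.items() if not ok]
```

The string keys are not compared because the configuration shows them only in the device's cipher-text form.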