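GRE over IPsec configuration
Original
© Copyright belongs to the author: this is an original work by 51CTO blog author cz涛声依旧. Contact the author for permission to reprint; otherwise legal liability will be pursued.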
[MSR20-1]dis cu
#
version 5.20, Alpha 1011
#
sysname MSR20-1
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 1 // define the IKE proposal to match
#
ike peer 1 // IKE peer
pre-shared-key cipher TEzJOUGCmuE=
remote-address 23.23.23.3
#
ipsec proposal 1 // IPsec proposal
#
ipsec policy 1 10 isakmp // use ISAKMP auto-negotiation
security acl 3000
ike-peer 1
proposal 1
#
acl number 3000 // define the ACL
rule 0 permit ip source 12.12.12.1 0 destination 23.23.23.3 0
#
interface Serial0/2/0
link-protocol ppp
ip address 12.12.12.1 255.255.255.0
ipsec policy 1 // apply the security policy to the public-network egress interface
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0
ip address 13.13.13.1 255.255.255.0
source 12.12.12.1 // tunnel source address
destination 23.23.23.3 // tunnel destination address
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 12.12.12.0 0.0.0.255
#
ip route-static 3.3.3.3 255.255.255.255 Tunnel0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
<INTERNET>dis cu
#
version 5.20, Alpha 1011
#
sysname INTERNET
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface Serial0/2/0
link-protocol ppp
ip address 12.12.12.2 255.255.255.0
#
interface Serial0/2/1
link-protocol ppp
ip address 23.23.23.2 255.255.255.0
#
interface NULL0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 12.12.12.0 0.0.0.255
network 23.23.23.0 0.0.0.255
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
[MSR20-2]dis cu
#
version 5.20, Alpha 1011
#
sysname MSR20-2
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 1
#
ike peer 1
pre-shared-key cipher TEzJOUGCmuE=
remote-address 12.12.12.1
#
ipsec proposal 1
#
ipsec policy 1 10 isakmp
security acl 3000
ike-peer 1
proposal 1
#
acl number 3000
rule 0 permit ip source 23.23.23.3 0 destination 12.12.12.1 0
#
interface Serial0/2/0
link-protocol ppp
ip address 23.23.23.3 255.255.255.0
ipsec policy 1
#
interface NULL0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface Tunnel0
ip address 13.13.13.3 255.255.255.0
source 23.23.23.3
destination 12.12.12.1
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 23.23.23.0 0.0.0.255
#
ip route-static 1.1.1.1 255.255.255.255 Tunnel0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
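As the configurations above show, this is no different from configuring GRE or IPsec on their own! The one thing to watch is that the ACL must match the GRE data flow, i.e. the traffic between the addresses of the interfaces the IPsec policy is applied to, which are also the tunnel source and destination.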
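The ACL point above can be checked mechanically. The following Python script is an added example, not part of the original post: it takes constructed excerpts of the two peers' configurations and verifies that the ACL bound to the IPsec policy matches the Tunnel0 source and destination and is mirrored on the peer. The helper names (`excerpt`, `parse`, `check`) are hypothetical, and the check that the IKE remote-address equals the tunnel destination assumes this page's topology.

```python
import re

def excerpt(local, remote):
    """Constructed sample: the GRE/IPsec-relevant lines of one peer's config."""
    return f"""ike peer 1
 remote-address {remote}
ipsec policy 1 10 isakmp
 security acl 3000
acl number 3000
 rule 0 permit ip source {local} 0 destination {remote} 0
interface Tunnel0
 source {local}
 destination {remote}
"""

MSR20_1 = excerpt("12.12.12.1", "23.23.23.3")
MSR20_2 = excerpt("23.23.23.3", "12.12.12.1")

def parse(cfg):
    """Pull out tunnel endpoints, IKE peer address and the rules of the policy's ACL."""
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    acl = one(r"^ *security acl (\d+)")
    block = re.search(rf"^acl number {acl}\n((?: *rule .*\n?)*)", cfg, re.M)
    rules = re.findall(r"rule \d+ permit (\w+) source (\S+) 0 destination (\S+) 0",
                       block.group(1) if block else "")
    return {"src": one(r"^ *source (\S+)"), "dst": one(r"^ *destination (\S+)"),
            "remote": one(r"^ *remote-address (\S+)"), "rules": rules}

def check(local_cfg, peer_cfg):
    """Return findings; an empty list means the ACL selects exactly the GRE tunnel flow."""
    a, b = parse(local_cfg), parse(peer_cfg)
    findings = []
    # GRE over IPsec: the protected flow is tunnel source -> tunnel destination.
    if not any(p in ("ip", "gre") and (s, d) == (a["src"], a["dst"]) for p, s, d in a["rules"]):
        findings.append("ACL does not match the GRE flow (tunnel source to destination)")
    if a["remote"] != a["dst"]:  # assumption: IPsec peer and tunnel endpoint coincide
        findings.append("IKE remote-address is not the tunnel destination")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("tunnel endpoints are not mirrored on the peer")
    if {(p, d, s) for p, s, d in a["rules"]} != set(b["rules"]):
        findings.append("peer ACL is not the mirror image of the local ACL")
    return findings

if __name__ == "__main__":
    print(check(MSR20_1, MSR20_2))  # both directions should report no findings
    print(check(MSR20_2, MSR20_1))
```

An ACL written against the loopback addresses (1.1.1.1 and 3.3.3.3) instead of the tunnel endpoints is reported by the first check, because the GRE packets themselves would then not be selected for IPsec.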