�����զ���������ժ�����ÿƽ�·������h3c router����ipsec vpn����ָ���ֲ�-k8体育

һ��h3c router���ã�
<h3crouter>system-view//��������ģʽ
[h3crouter]local-user admin//���ӱ����û�
[h3crouter-luser-cisco]password simple admin//ϊ���ӵ��û���������
[h3crouter-luser-cisco]service-type web//������ҳ���ù���
[h3crouter-luser-cisco]quit
[h3crouter]ethernetinterface ethernet 0/0//����ӿ�����ģʽ
[h3crouter-ethernet0/0]ip address 123.15.36.140 255.255.255.128//���������ӿڵ�ַ
[h3crouter-ethernet0/0]quit//�˳��ӿ�����ģʽ
[h3crouter-ethernet0/1]ip address 172.18.253.1 255.255.255.0//��������ӿڵ�ַ
[h3crouter-ethernet0/0]quit//�˳��ӿ�����ģʽ
[h3crouter]ip route-static 0.0.0.0 0.0.0.0 123.15.36.129//���þ�̬·��
[h3crouter]acl number 3000//�������ʿ����б�
[h3crouter-acl-3000]rule 5 permit ip source 172.18.253.0 0.0.0.255//�����������η��ʹ���
[h3crouter-ethernet0/0]quit//�˳��ӿ�����ģʽ
[h3crouter]acl number 3001//�������ʿ����б�
[h3crouter-acl-3001]rule 0 permit ip source 172.18.253.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 5 deny ip//�ܾ�������������ϊ�����η���զ������
[h3crouter]ethernetinterface ethernet 0/0//����ӿ�����ģʽ
[h3crouter-ethernet0/0]nat outbound 3000//�������ӿ�������acl 3000
[h3crouter-ethernet0/0]quit//�˳��ӿ�����ģʽ
[h3crouter]ike proposal 1//����ike���飬������ike������ͼ
[h3crouter]ike peer fenzhi//����һ��ike�ե��壬������ike-peer��ͼ
[h3crouter-ike-peer-fenzhi]exchange-mode aggressive//����ike��һ�׶ε�э��ϊұ��ģʽ
[h3crouter-ike-peer-fenzhi]proposal 1//����ike�ե������õ�ike��ȫ����
[h3crouter-ike-peer-fenzhi]pre-shared-key simple abc123//���ò���Ԥ������կ��֤ʱ����ʹ�õ�Ԥ������կ
[h3crouter-ike-peer-fenzhi]id-type name//ѡ��ike��һ�׶ε�э�̹�����ʹ��id������
[h3crouter-ike-peer-fenzhi]remote-name fenzhi//���öզ˰�ȫ���ص�����
[h3crouter-ike-peer-fenzhi]remote-address fenzhi dynamic//���öզ˰�ȫ���ص�ip��ַ
[h3crouter-ike-peer-fenzhi]local-address 123.15.36.140//���ñ��˰�ȫ���ص�ip��ַ
h3crouter-ike-peer-fenzhi]local-name center//���ñ��˰�ȫ���ص�����
[h3crouter-ike-peer-fenzhi]nat traversal//����ike/ipsec��nat��խ����
[h3crouter-ike-peer-fenzhi]quit
[h3crouter]ipsec transform-set fenzhi//����ipsec��ȫ����fenzhi
[h3crouter-ipsec-transform-set-tran1]encapsulation-mode tunnel//���ķ�װ��ʽ��������ģʽ
[h3crouter-ipsec-transform-set-tran1]transform esp//��ȫэ�����espэ��
[h3crouter-ipsec-transform-set-tran1]esp encryption-algorithm 3des//ѡ��espэ����õļ����㷨
[h3crouter-ipsec-transform-set-tran1]esp authentication-algorithm md5//ѡ��espэ����õ���֤�㷨
[h3crouter-ipsec-transform-set-tran1]quit
[h3crouter]ipsec policy 983040 1 isakmp//����һ��ipsec��ȫ���ԣ�э�̷�ʽϊisakmp
[h3crouter-ipsec-policy-isakmp-use1-10]security acl 3001//���÷��ʿ����б�3001
[h3crouter-ipsec-policy-isakmp-use1-10]transform-set fenzhi//����ipsec��ȫ����
[h3crouter-ipsec-policy-isakmp-use1-10]ike-peer fenzhi//����ike�ե���
[h3crouter-ipsec-policy-isakmp-use1-10]quit
[h3crouter]interface ethernet 0/0//�����ⲿ�ӿ�
[h3crouter-ethernet0/1]ipsec policy 983040//���ⲿ�ӿ���ӧ��ipsec��ȫ������
��֤���ý��
[h3crouter]display ike proposal
priority authentication authentication encryption diffie-hellman duration
method algorithm algorithm group(seconds)
---------------------------------------------------------------------------
10 pre_shared md5 des_cbc modp_768 5000
default pre_shared sha des_cbc modp_768 86400
[h3crouter]display ike proposal
priority authentication authentication encryption diffie-hellman duration
method algorithm algorithm group(seconds)
---------------------------------------------------------------------------
default pre_shared sha des_cbc modp_768 86400
��ͨ��������ʾ��ϣ�鿴��ikeэ�̳ɹ������ɵ������׶ε�sa��
[h3crouter]display ike sa
total phase-1 sas:1
connection-id peer flag phase doi
----------------------------------------------------------
1 219.140.142.211 rd|st 1 ipsec
2 219.140.142.211 rd|st 2 ipsec
flag meaning
rd--ready st--stayalive rl--replaced fd--fading to—timeout rk-rekey
ike�ڶ��׶�э�����ɵ�ipsec sa���ڱ�������10.1.1.0/24������10.1.2.0/24֮�������������ͨ��������ʾ��ϣ�鿴��
[h3crouter]display ipsec sa
===============================
interface:ethernet0/1
path mtu:1500
===============================
-----------------------------
ipsec policy name:"map1"
sequence number:10
acl version:acl4
mode:isakmp
-----------------------------
pfs:n,dh group:none
tunnel:
local address:123.15.36.140
remote address:219.140.142.211
flow:
sour addr:172.18.253.0/255.255.255.0 port:0 protocol:ip
dest addr:192.168.2.0/255.255.255.0 port:0 protocol:ip
[inbound esp sas]
spi:0x3d6d3a62(1030568546)
transform:esp-encrypt-des esp-auth-sha1
in use setting:tunnel
connection id:1
sa duration(kilobytes/sec):1843200/3600
sa remaining duration(kilobytes/sec):1843199/3590
anti-replay detection:enabled
anti-replay window size(counter based):32
udp encapsulation used for nat traversal:n
[outbound esp sas]
spi:0x553faae(89389742)
transform:esp-encrypt-des esp-auth-sha1
in use setting:tunnel
connection id:2
sa duration(kilobytes/sec):1843200/3600
sa remaining duration(kilobytes/sec):1843199/3590
anti-replay detection:enabled
anti-replay window size(counter based):32
udp encapsulation used for nat traversal:n
�������ÿƽ�·����ipsec vpn����
�� orb305

�� orb301