Here is the configuration on the F100-a:
1.
[R1]acl num 3000 //ACL 3000 is currently used for NAT, so does this number need to be changed, e.g. to 3111?
[R1-acl-adv-3000]rule 0 permit ip source 172.168.10.0 0.0.0.0 destination 192.168.0.0 0.0.0.0
2.
[R1]ike proposal 10
[R1-ike-proposal-10]encryption-algorithm 3des-cbc
[R1-ike-proposal-10]authentication-method pre-share
[R1-ike-proposal-10]authentication-algorithm md5
[R1-ike-proposal-10]dh group2
[R1-ike-proposal-10]sa duration 86400
[R1-ike-proposal-10]
3.
[R1]ike peer R3 //Does the MSR2600 side also have to use the name R3?
[R1-ike-peer-r3]exchange-mode main
[R1-ike-peer-r3]pre-shared-key 123456
[R1-ike-peer-r3]local-address 180.166.250.158
[R1-ike-peer-r3]remote-address 218.106.155.102
[R1-ike-peer-r3]remote-name R3
[R1-ike-peer-r3]quit
[R1]ike local-name R1
[R1]quit
4.
[R1]ipsec proposal r1
[R1-ipsec-proposal-r1]transform esp
[R1-ipsec-proposal-r1]esp encryption-algorithm 3des
[R1-ipsec-proposal-r1]esp authentication-algorithm md5
[R1-ipsec-proposal-r1]encapsulation-mode tunnel
[R1-ipsec-proposal-r1]
5.
[R1]ipsec policy 1 10 isakmp
[R1-ipsec-policy-isakmp-1-10]security acl 3000
[R1-ipsec-policy-isakmp-1-10]proposal r1
[R1-ipsec-policy-isakmp-1-10]ike-peer r3
[R1-ipsec-policy-isakmp-1-10]pfs dh-group5
[R1-ipsec-policy-isakmp-1-10]sa duration time-based 86400
[R1-ipsec-policy-isakmp-1-10]quit
6.
int g 0/0
ipsec policy 1
quit
7. After the configuration is done, do I need to configure a static route? Is the one written below correct?
ip route-static 192.168.0.0 255.255.255.0 192.168.0.1
(0)
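Best answer
The ACL wildcard mask should be written as 0.0.0.255. The name after ike peer doesn't matter; it is a local concept. What matters is that the parameters inside match the other side, and that the addresses are written correctly.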
(0)
OK, thanks. Does the static route need any changes?
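The static route is written wrong, isn't it? The destination is the peer's private IP address range, sent out through the WAN port.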
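The wildcard-mask point from the best answer, as an added example that is not part of the original posts: it evaluates the security ACL rule as posted and with 0.0.0.255 against one constructed flow, and checks the mirrored rule a peer would need. Applying 0.0.0.255 to both source and destination, the sample host addresses, and the helper names are assumptions.

```python
import ipaddress
import re

# Matches the one rule shape used in this thread's security ACL.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"unsupported ACL rule: {line!r}")
    rid, src, swc, dst, dwc = m.groups()
    return {"id": int(rid), "src": (_ip(src), _ip(swc)), "dst": (_ip(dst), _ip(dwc))}

def _match(addr, base_wc):
    base, wildcard = base_wc
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def is_protected(rule, src, dst):
    """True if the flow matches the rule, i.e. would be handed to IPsec."""
    return _match(src, rule["src"]) and _match(dst, rule["dst"])

def mirror(rule):
    """Rule with source and destination swapped, as the remote peer would need it."""
    return {"id": rule["id"], "src": rule["dst"], "dst": rule["src"]}

AS_POSTED = "rule 0 permit ip source 172.168.10.0 0.0.0.0 destination 192.168.0.0 0.0.0.0"
CORRECTED = "rule 0 permit ip source 172.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255"
SAMPLE_FLOW = ("172.168.10.25", "192.168.0.40")  # constructed host addresses

def demo():
    posted, fixed = parse_rule(AS_POSTED), parse_rule(CORRECTED)
    src, dst = SAMPLE_FLOW
    return {
        "posted": is_protected(posted, src, dst),        # wildcard 0.0.0.0: exact address only
        "corrected": is_protected(fixed, src, dst),      # wildcard 0.0.0.255: whole /24
        "return_via_mirror": is_protected(mirror(fixed), dst, src),
    }

if __name__ == "__main__":
    print(demo())
```

With the wildcard 0.0.0.0 the rule matches only the literal addresses 172.168.10.0 and 192.168.0.0, so ordinary host traffic between the two subnets never matches the security ACL and is not encrypted.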