Shanghai:
Public IP: 192.168.11.10
Internal networks: 172.16.10.0/24, 172.16.20.0/24
Beijing:
Public IP: 192.168.11.20
Internal networks: 10.10.10.0/24, 10.10.20.0/24
The IPsec tunnel is set up with IKEv2, but it fails to negotiate.
Configuration:
Shanghai:
ipsec transform-set To-BJ-ipsec-transform-set
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
 pfs dh-group2
#
ipsec policy To-BJ-ipsec-policy 1 isakmp
 transform-set To-BJ-ipsec-transform-set
 security acl name ipsec-lan-to-lan-bj
 local-address 192.168.11.10
 remote-address 192.168.11.20
 ikev2-profile To-BJ-ike-profile
 sa trigger-mode auto
#
ip http enable
ip https enable
#
ikev2 keychain To_BJ_ikev2_keychain
 peer peer-BJ
  address 192.168.11.20 255.255.255.255
  identity address 192.168.11.20
  pre-shared-key ciphertext $c$3$mTt4+uuD+WfC1rQny9K6yKou/h4LrN8+j2klVfQ=
#
ikev2 profile To-BJ-ike-profile
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain To_BJ_ikev2_keychain
 identity local address 192.168.11.10
 match remote identity address 192.168.11.20 255.255.255.255
#
ikev2 proposal 1
 encryption 3des-cbc
 integrity md5
 dh group2
 prf sha1
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 192.168.11.10 255.255.255.0
 nat outbound name nat-ip-list address-group name isp-ip-pool
 ipsec apply policy To-BJ-ipsec-policy

[SH-FW]dis acl all
Advanced IPv4 ACL named nat-ip-list, 5 rules,
ACL's step is 5
 rule 0 deny ip source 172.16.10.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 5 deny ip source 172.16.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 10 deny ip source 172.16.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 15 deny ip source 172.16.20.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 1000 permit ip
Advanced IPv4 ACL named ipsec-lan-to-lan-bj, 4 rules,
ACL's step is 5
 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 10 permit ip source 172.16.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 15 permit ip source 172.16.20.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
Beijing:
ipsec transform-set To-SH-ipsec-transform-set
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
 pfs dh-group2
#
ipsec policy To-SH-ipsec-policy 1 isakmp
 transform-set To-SH-ipsec-transform-set
 security acl name ipsec-lan-to-lan-sh
 local-address 192.168.11.20
 remote-address 192.168.11.10
 ikev2-profile To-SH-ike-profile
 sa trigger-mode auto
#
ip http enable
ip https enable
#
ikev2 keychain To_SH_ikev2_keychain
 peer peer-SH
  address 192.168.11.10 255.255.255.255
  identity address 192.168.11.10
  pre-shared-key ciphertext $c$3$Hhxwlq50xCiksql8opFaimtXnd/GsfXrhcN9G9o=
#
ikev2 profile To-SH-ike-profile
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain To_SH_ikev2_keychain
 identity local address 192.168.11.20
 match remote identity address 192.168.11.10 255.255.255.255
#
ikev2 proposal 1
 encryption 3des-cbc
 integrity md5
 dh group2
 prf sha1
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 192.168.11.20 255.255.255.0
 nat outbound name nat-ip-list address-group name isp-ip-pool
 ipsec apply policy To-BJ-ipsec-policy

[BJ-FW]dis acl all
Advanced IPv4 ACL named nat-ip-list, 5 rules,
ACL's step is 5
 rule 0 deny ip source 10.10.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 172.16.20.0 0.0.0.255
 rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
 rule 15 deny ip source 10.10.20.0 0.0.0.255 destination 172.16.20.0 0.0.0.255
 rule 1000 permit ip
Advanced IPv4 ACL named ipsec-lan-to-lan-sh, 4 rules,
ACL's step is 5
 rule 0 permit ip source 10.10.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 172.16.20.0 0.0.0.255
 rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
 rule 15 permit ip source 10.10.20.0 0.0.0.255 destination 172.16.20.0 0.0.0.255
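When an IKEv2 site-to-site tunnel never negotiates, the fastest triage is a mechanical cross-check of the two ends: does every object the interface and policy reference actually exist on that box, are local/remote addresses mirrored, and do the IKEv2 proposal and IPsec transform-set agree algorithm for algorithm. The script below is an added example for this post, not the poster's configuration or H3C code. It parses Comware-style config fragments (an unindented line opens a block, a `#` line closes it) and runs those checks. The `SH` and `BJ` strings are constructed copies of the posted configs trimmed to the objects the checks use; the keychains, NAT ACLs and http lines are left out. Run against the configs as posted it reports one dangling reference: the Beijing interface applies `To-BJ-ipsec-policy` while the only policy Beijing defines is `To-SH-ipsec-policy`. It also flags 3DES, MD5 and DH group 2 as legacy algorithms; that is a hardening note, not a negotiation failure. It does not compare pre-shared keys (the ciphertext form differs per device) and does not examine the NAT exemption ACLs.

```python
"""Cross-check the two ends of a Comware-style IKEv2/IPsec site-to-site config.
Added example for this post, not the poster's or H3C's code; the configs are
constructed copies of the posted ones, trimmed to the objects the checks use."""

WEAK = {"3des-cbc", "md5", "group2", "dh-group2"}  # legacy algorithms worth flagging

SH = """\
ipsec transform-set To-BJ-ipsec-transform-set
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
 pfs dh-group2
#
ipsec policy To-BJ-ipsec-policy 1 isakmp
 transform-set To-BJ-ipsec-transform-set
 local-address 192.168.11.10
 remote-address 192.168.11.20
 ikev2-profile To-BJ-ike-profile
#
ikev2 profile To-BJ-ike-profile
 identity local address 192.168.11.10
 match remote identity address 192.168.11.20 255.255.255.255
#
ikev2 proposal 1
 encryption 3des-cbc
 integrity md5
 dh group2
 prf sha1
#
interface GigabitEthernet1/0/0
 ip address 192.168.11.10 255.255.255.0
 ipsec apply policy To-BJ-ipsec-policy
"""

# Beijing as posted: names and addresses mirrored, but the interface applies the
# Shanghai-named policy, which the Beijing config never defines.
BJ = (SH.replace("192.168.11.10", "@").replace("192.168.11.20", "192.168.11.10")
        .replace("@", "192.168.11.20").replace("To-BJ", "To-SH")
        .replace("apply policy To-SH-ipsec-policy", "apply policy To-BJ-ipsec-policy"))

def parse(cfg):
    """{block header: [child lines]}; an unindented line opens a block, '#' closes it."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() in ("", "#"):
            cur = None
        elif not line.startswith(" "):
            cur = line.strip()
            blocks[cur] = []
        elif cur is not None:
            blocks[cur].append(line.strip())
    return blocks

def find(blocks, prefix, name=None):
    """Body of the first block whose header starts with prefix (and contains name)."""
    for hdr, body in blocks.items():
        if hdr.startswith(prefix) and (name is None or name in hdr.split()):
            return body
    return None

def value(body, key):
    """Text after `key` in a block body, or None if the key is absent."""
    for line in body or []:
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None

def check_site(blocks):
    """Dangling references within one router: the first thing to check."""
    issues = []
    for hdr, body in blocks.items():
        if hdr.startswith("interface "):
            pol = value(body, "ipsec apply policy")
            if pol and find(blocks, "ipsec policy", pol) is None:
                issues.append(f"{hdr}: applies undefined ipsec policy {pol}")
        elif hdr.startswith("ipsec policy "):
            for key, prefix in (("transform-set", "ipsec transform-set"),
                                ("ikev2-profile", "ikev2 profile")):
                ref = value(body, key)
                if not ref or find(blocks, prefix, ref) is None:
                    issues.append(f"{hdr}: references undefined {prefix} {ref}")
    return issues

def check_pair(a, b):
    """Mismatches between the two ends; legacy algorithms are reported as warnings."""
    issues = []
    pa, pb = find(a, "ipsec policy"), find(b, "ipsec policy")
    if (value(pa, "local-address") != value(pb, "remote-address")
            or value(pb, "local-address") != value(pa, "remote-address")):
        issues.append("ipsec policy local/remote addresses are not mirrored")
    for prefix, keys in (("ikev2 proposal", ("encryption", "integrity", "dh", "prf")),
                         ("ipsec transform-set", ("esp encryption-algorithm",
                                                  "esp authentication-algorithm", "pfs"))):
        for k in keys:
            va, vb = value(find(a, prefix), k), value(find(b, prefix), k)
            if va != vb:
                issues.append(f"{prefix} {k}: {va} vs {vb}")
            elif va in WEAK:
                issues.append(f"warning: {prefix} {k} uses legacy {va}")
    return issues

if __name__ == "__main__":
    sh, bj = parse(SH), parse(BJ)
    print(check_site(sh), check_site(bj), check_pair(sh, bj), sep="\n")
```

The per-site check runs before the pair check on purpose: an interface that applies a policy name the box does not have never gets as far as sending IKE_SA_INIT, so no amount of proposal tuning on the other end will help. Once both `check_site` lists are empty, `check_pair` narrows the search to algorithm or address mismatches, and the remaining suspects are the pre-shared keys and the NAT exemption rules, which this script does not cover.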