Cisco 3725 and Huawei AR18 router aggressive-mode IPsec configuration example
The Cisco device is the hub end; the Huawei device is the client end. The client's WAN address is negotiated over PPPoE, so the Cisco side uses a dynamic crypto map and the Huawei side initiates IKE in aggressive mode with a name (hostname) identity instead of an address.
When configuring, pay attention to the flow-matching rules on the AR18, which does both NAT and IPsec on the same Dialer interface; see the annotated rules in acl 3001 below (these notes were highlighted in red in the original).
Caveats before reusing this example: IKEv1 aggressive mode sends the identity in the clear and exposes a hash of the pre-shared key to anyone on the path, which allows an offline dictionary attack, so the short alphanumeric key shown here should be replaced with a long random one. The algorithms the two sides negotiate here (DES, MD5/SHA-1 and DH group 1 for phase 1, esp-des with esp-md5-hmac for phase 2) are obsolete and should be raised to the strongest cipher and group both platforms support. Both configurations also keep device passwords and the IKE key in plaintext ("no service password-encryption" on the Cisco side, "password simple" on the Huawei side). On the Cisco side, access-list 101 and access-list 111 are not referenced by anything and can be removed.
Huawei configuration:
<Quidway>dis curr
#
sysname Quidway
#
ike local-name 123
#
dialer-rule 1 ip permit
#
ike proposal 1
#
ike peer peer
exchange-mode aggressive
pre-shared-key qgmhjy2004
id-type name
remote-address *.*.*.*
#
ipsec proposal hwtocisco
#
ipsec policy policy001 10 isakmp
security acl 3000
ike-peer peer
proposal hwtocisco
#
interface Dialer1
link-protocol ppp
ppp pap local-user * password simple *
mtu 1450
tcp mss 1024
ip address ppp-negotiate
dialer user huawei
dialer-group 1
dialer bundle 1
nat outbound 3001
ipsec policy policy001
#
interface Ethernet1/0
tcp mss 1024
ip address 172.20.2.1 255.255.255.0
#
interface Ethernet2/0
speed 10
duplex full
pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 2100
rule 0 permit source 172.20.2.0 0.0.0.255
#
acl number 3000
rule 0 permit ip source 172.20.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
acl number 3001 /* NAT flow-matching rule
rule 0 deny ip source 172.20.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 172.20.2.0 0.0.0.255
rule 2 permit ip source 172.20.2.0 0.0.0.255 /* without rule 0 and rule 1 in front of rule 2, IKE is never triggered: nat outbound translates the 172.20.2.0/24 source before the ipsec policy is consulted, so the packets no longer match acl 3000 and leave unprotected
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
ip route-static 172.16.0.0 255.255.0.0 *.*.*.* preference 60
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password simple 123456
#
return
<Quidway>
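Why the two deny rules in acl 3001 matter, as an added worked example (editorial Python, not configuration or code from this page or from either vendor): a first-match ACL evaluator with wildcard-mask semantics is applied to acl 3000 and acl 3001 exactly as they appear above, and the Dialer1 egress path is modelled as "nat outbound" rewriting the source before "ipsec policy" is consulted, which is the behaviour the red note describes. It goes beyond the Huawei side and also evaluates Cisco access-list 110 from the configuration further down. The dialer address 203.0.113.7 and all test packets are constructed values.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" as written in the config, or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Huawei/Cisco wildcard semantics: a 1 bit in the wildcard means don't care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return ((a ^ n) & care) == 0


def acl_action(acl: List[Rule], src: str, dst: str) -> str:
    """First-match evaluation. A packet matching no rule is treated as deny,
    which is what both a NAT outbound ACL (not translated) and an IPsec
    security ACL (not protected) do with unmatched traffic."""
    for r in acl:
        if wildcard_match(src, r.src) and wildcard_match(dst, r.dst):
            return r.action
    return "deny"


# Huawei ACLs copied from the page.
ACL_3000 = [Rule("permit", "172.20.2.0 0.0.0.255", "172.16.0.0 0.0.255.255")]
ACL_3001 = [
    Rule("deny",   "172.20.2.0 0.0.0.255",   "172.16.0.0 0.0.255.255"),  # rule 0
    Rule("deny",   "172.16.0.0 0.0.255.255", "172.20.2.0 0.0.0.255"),    # rule 1
    Rule("permit", "172.20.2.0 0.0.0.255",   "any"),                     # rule 2
]
ACL_3001_NO_EXEMPTION = ACL_3001[2:]   # the mistake the page warns about: rule 2 alone

# Cisco NAT ACL 110 copied from the page.
ACL_110 = [
    Rule("deny",   "172.16.0.0 0.0.255.255", "172.0.0.0 0.255.255.255"),
    Rule("permit", "172.16.0.0 0.0.255.255", "any"),
]

DIALER_ADDR = "203.0.113.7"  # constructed stand-in for the PPPoE-negotiated address


def dialer_egress(nat_acl: List[Rule], ipsec_acl: List[Rule],
                  src: str, dst: str) -> Tuple[str, bool]:
    """Model of the Dialer1 outbound path: 'nat outbound' rewrites the source
    first, then 'ipsec policy' is matched against the (possibly translated)
    packet. Returns (source address on the wire, protected by IPsec)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = DIALER_ADDR
    return src, acl_action(ipsec_acl, src, dst) == "permit"


if __name__ == "__main__":
    for nat_acl, label in ((ACL_3001, "with rule 0/1"), (ACL_3001_NO_EXEMPTION, "rule 2 only")):
        print(label, dialer_egress(nat_acl, ACL_3000, "172.20.2.10", "172.16.1.100"))
    for dst in ("172.20.2.10", "172.217.0.1", "198.51.100.5"):
        print("Cisco acl 110, 172.16.1.100 ->", dst, acl_action(ACL_110, "172.16.1.100", dst))
```

With rules 0 and 1 present, a packet from 172.20.2.10 to 172.16.1.100 keeps its private source, matches acl 3000 and triggers IKE; with rule 2 alone it is translated to the dialer address first, no longer matches acl 3000 and leaves in the clear. The Cisco check shows a side effect of access-list 110: its deny covers all of 172.0.0.0/8, not only the peer's 172.20.2.0/24, so traffic from 172.16.0.0/16 to any public host in 172.x.x.x is also exempted from NAT and leaves with a private source address; narrowing that entry to 172.20.2.0 0.0.0.255 fixes it.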
Cisco configuration:
3700#show run
Building configuration...
Current configuration : 1809 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3700
!
enable password cisco
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key qgmhjy2004 hostname 123
!
!
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
!
crypto dynamic-map mymap_d 10
set security-association lifetime seconds 86400
set transform-set mytrans
match address 102
!
!
crypto map mymap_s 10 ipsec-isakmp dynamic mymap_d
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
controller E1 0/0
!
!
!
interface FastEthernet0/0
ip address *
ip nat outside
duplex auto
speed auto
crypto map mymap_s
!
interface FastEthernet0/1
ip address 172.16.1.100 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface Dialer0
no ip address
!
ip nat inside source list 110 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route 172.16.0.0 255.255.0.0 FastEthernet0/1
!
!
access-list 101 permit ip 172.20.1.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.255.255 172.20.2.0 0.0.0.255
access-list 102 permit ip 172.20.2.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 172.16.0.0 0.0.255.255 172.0.0.0 0.255.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line 33 40
flush-at-activation
line aux 0
line vty 0 4
login
!
!
end
3700#
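The parameters that have to agree between the two vendors (the pre-shared key, the name identity that key is bound to, the phase-2 transforms, and crypto ACLs that mirror each other) are spread across both configurations above, and any one of them being off produces a tunnel that silently never comes up. The following added example (editorial code, not from this page or from either vendor) parses excerpts of both configurations and reports mismatches. The phase-2 defaults it assumes for a Huawei "ipsec proposal" with nothing set under it (ESP with DES and MD5) are the documented VRP defaults and should be confirmed with "display ipsec proposal" on the device; the configuration excerpts are copied from this page, and the mutated variants in the note after the code are constructed.

```python
import re
from typing import Dict, List, Tuple

# Excerpts copied from the two configurations on this page (the elided public
# address is left as the page shows it).
HUAWEI_CFG = """
ike local-name 123
ike peer peer
 exchange-mode aggressive
 pre-shared-key qgmhjy2004
 id-type name
 remote-address *.*.*.*
ipsec proposal hwtocisco
ipsec policy policy001 10 isakmp
 security acl 3000
 ike-peer peer
 proposal hwtocisco
acl number 3000
 rule 0 permit ip source 172.20.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
acl number 3001
 rule 0 deny ip source 172.20.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 2 permit ip source 172.20.2.0 0.0.0.255
"""

CISCO_CFG = """
crypto isakmp key qgmhjy2004 hostname 123
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto dynamic-map mymap_d 10
 set transform-set mytrans
 match address 102
crypto map mymap_s 10 ipsec-isakmp dynamic mymap_d
access-list 102 permit ip 172.16.0.0 0.0.255.255 172.20.2.0 0.0.0.255
access-list 102 permit ip 172.20.2.0 0.0.0.255 172.16.0.0 0.0.255.255
"""

# Assumption: documented VRP defaults for an "ipsec proposal" with nothing
# configured under it (ESP, DES encryption, MD5 authentication).
HUAWEI_IPSEC_DEFAULTS = {"encryption": "des", "auth": "md5"}
CISCO_TRANSFORMS = {
    "esp-des": ("encryption", "des"), "esp-3des": ("encryption", "3des"),
    "esp-md5-hmac": ("auth", "md5"), "esp-sha-hmac": ("auth", "sha"),
}
Flow = Tuple[str, str, str, str]  # src, src-wildcard, dst, dst-wildcard


def parse_huawei(cfg: str) -> dict:
    out = {"local_name": None, "psk": None, "exchange_mode": None,
           "id_type": None, "crypto_acl": None, "flows": []}
    acls: Dict[str, List[Flow]] = {}
    cur = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if (m := re.match(r"ike local-name (\S+)$", line)):
            out["local_name"] = m.group(1)
        elif (m := re.match(r"pre-shared-key (?:simple |cipher )?(\S+)$", line)):
            out["psk"] = m.group(1)
        elif (m := re.match(r"exchange-mode (\S+)$", line)):
            out["exchange_mode"] = m.group(1)
        elif (m := re.match(r"id-type (\S+)$", line)):
            out["id_type"] = m.group(1)
        elif (m := re.match(r"security acl (\d+)$", line)):
            out["crypto_acl"] = m.group(1)
        elif (m := re.match(r"acl number (\d+)$", line)):
            cur = m.group(1)
            acls[cur] = []
        elif cur and (m := re.match(
                r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)$", line)):
            acls[cur].append(m.groups())   # only permit rules select traffic for IPsec
    out["flows"] = acls.get(out["crypto_acl"], [])
    return out


def parse_cisco(cfg: str) -> dict:
    out = {"psk": None, "peer_hostname": None, "transform": {}, "match_acl": None, "flows": []}
    acls: Dict[str, List[Flow]] = {}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if (m := re.match(r"crypto isakmp key (\S+) hostname (\S+)$", line)):
            out["psk"], out["peer_hostname"] = m.groups()
        elif (m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line)):
            for tok in m.group(1).split():
                if tok in CISCO_TRANSFORMS:
                    key, val = CISCO_TRANSFORMS[tok]
                    out["transform"][key] = val
        elif (m := re.match(r"match address (\d+)$", line)):
            out["match_acl"] = m.group(1)
        elif (m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    out["flows"] = acls.get(out["match_acl"], [])
    return out


def lint(huawei_cfg: str, cisco_cfg: str) -> List[str]:
    """Return one finding per parameter the two sides disagree on; empty means consistent."""
    h, c = parse_huawei(huawei_cfg), parse_cisco(cisco_cfg)
    findings: List[str] = []
    if h["psk"] != c["psk"]:
        findings.append("pre-shared-key differs between the peers")
    if h["exchange_mode"] != "aggressive" or h["id_type"] != "name":
        findings.append("Huawei side needs exchange-mode aggressive with id-type name "
                        "to match a hostname-keyed Cisco peer")
    if h["local_name"] != c["peer_hostname"]:
        findings.append(f"Cisco keys the PSK to hostname {c['peer_hostname']!r} "
                        f"but Huawei ike local-name is {h['local_name']!r}")
    for key, val in HUAWEI_IPSEC_DEFAULTS.items():
        if c["transform"].get(key) != val:
            findings.append(f"phase-2 {key}: Huawei default {val} vs Cisco {c['transform'].get(key)}")
    if not h["flows"]:
        findings.append("Huawei crypto ACL has no permit rules")
    for src, sw, dst, dw in h["flows"]:
        if (dst, dw, src, sw) not in c["flows"]:
            findings.append(f"Cisco crypto ACL lacks the mirror of Huawei flow {src} {sw} -> {dst} {dw}")
    return findings


if __name__ == "__main__":
    print(lint(HUAWEI_CFG, CISCO_CFG) or "no mismatches")
```

Running lint on the page's excerpts returns no findings. Changing the key or the "ike local-name" on the Huawei side, or dropping the 172.16.0.0/16 to 172.20.2.0/24 entry from access-list 102, each produces exactly one finding. The check insists on "exchange-mode aggressive" with "id-type name" because a Cisco "crypto isakmp key ... hostname" entry only matches a peer that presents that name as its IKE identity; a peer identifying by address would look up a key that does not exist on the hub.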