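IPsec configuration on H3C routers
A *** connection is set up between two sites. One end is an H3C UTM200 device and the other end is an H3C AR18-21 device. The network environment is as follows:
beijing has a static address (with the 192.168.0.1, 192.168.1.1 and 192.168.2.1 network segments), while tianjin has a dynamic address (its internal network is the 192.168.5.1 segment).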
[H3C]dis cur
#
 ike local-name beijing
#
acl number 3020
 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 5 deny ip
acl number 3030
 rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 5 permit ip
#
ike proposal 1
 authentication-algorithm md5
#
ike peer firewall
 exchange-mode aggressive
 pre-shared-key cipher PUaWkI=
 id-type name
 remote-name tianjin
 local-address XX.XX.XX.XX   *** the tianjin side differs only here
 remote-address XX.XX.XX.XX ****
#
ipsec proposal 1
#
ipsec policy 1 1 isakmp
 security acl 3020
 ike-peer firewall
 proposal 1
#
interface GigabitEthernet0/4
 nat outbound 3030
 ipsec policy 1
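An added example, not part of the original post: a small Python check for a configuration like the beijing one above. It confirms that every flow the IPsec ACL (3020) permits is denied in the NAT ACL (3030), so tunnel traffic bypasses NAT, and it reports the two IKE settings in the listing that are generally considered weak (MD5 authentication, and aggressive mode combined with a pre-shared key). The function names, the finding texts and the PLACEHOLDER key are assumptions made for the example; ACLs are pooled across all interfaces for simplicity.

```python
import re
# Constructed sample: beijing-side lines from the listing above, key replaced by a placeholder.
SAMPLE = """\
acl number 3020
 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 5 deny ip
acl number 3030
 rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
 rule 5 permit ip
ike proposal 1
 authentication-algorithm md5
ike peer firewall
 exchange-mode aggressive
 pre-shared-key cipher PLACEHOLDER
ipsec policy 1 1 isakmp
 security acl 3020
interface GigabitEthernet0/4
 nat outbound 3030
 ipsec policy 1
"""
RULE = re.compile(r"rule \d+ (permit|deny) ip source (\S+ \S+) destination (\S+ \S+)")

def flows(text, acl, action):
    """Return the (source, destination) pairs that ACL `acl` permits or denies."""
    found, inside = set(), False
    for line in text.splitlines():
        if not line.startswith(" "):          # an unindented line starts a new section
            inside = line.strip() == "acl number " + acl
        elif inside:
            m = RULE.match(line.strip())
            if m and m.group(1) == action:
                found.add((m.group(2), m.group(3)))
    return found

def audit(text):
    """Return findings for weak IKE settings and for tunnel traffic that would be NATed."""
    cmds = [l.strip() for l in text.splitlines()]
    findings = []
    if "authentication-algorithm md5" in cmds:
        findings.append("IKE proposal uses MD5")
    if "exchange-mode aggressive" in cmds and any(c.startswith("pre-shared-key") for c in cmds):
        findings.append("aggressive mode with pre-shared key")
    protected = {f for c in cmds if c.startswith("security acl ")
                 for f in flows(text, c.split()[-1], "permit")}
    exempt = {f for c in cmds if c.startswith("nat outbound ")
              for f in flows(text, c.split()[-1], "deny")}
    for src, dst in sorted(protected - exempt):   # protected flows the NAT ACL does not deny
        findings.append("NAT not bypassed for %s -> %s" % (src, dst))
    return findings
```

Calling audit(SAMPLE) returns the two IKE findings and no NAT finding, because ACL 3030 denies exactly the flow that ACL 3020 protects.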
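Once both ends are configured, the two sites can reach each other as if they were on the same LAN. For the end that obtains its IP dynamically, however, publishing a server through a mapping is more troublesome, because its external IP is dynamic. The following shows how to have it obtain the address and update dynamically as well.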
interface Dialer0
 link-protocol ppp
 ppp chap user <ADSL username>
 ppp chap password cipher <ADSL password>
 ppp pap local-user <username> password cipher <password>
 ppp ipcp dns request
 ip address ppp-negotiate
 dialer user liu
 dialer bundle 1
 dialer-group 1
 nat outbound 3030
 nat server protocol tcp global current-interface 80 inside 192.168.5.5 80
 ipsec policy 1