Site A: ADSL
Site B: static IP
##### Route A ###################################
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 2.2.2.2 255.255.255.248
 nat outbound 3000
 ipsec apply policy 7
#
acl advanced 3000
 rule 0 deny ip source 172.21.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
 rule 100 permit ip
#
acl advanced 3001
 rule 0 permit ip source 172.21.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#
ipsec transform-set 7
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template 1231
 transform-set 7
 ike-profile 7
 sa duration time-based 3600
 sa duration traffic-based 1843200
#
ipsec policy 7 1 isakmp
 transform-set 7
 security acl 3001
 remote-address 6.6.6.6
 ike-profile 7
#
ike identity fqdn zhongmu
#
ike profile 7
 keychain 7
 exchange-mode aggressive
 local-identity fqdn zhongmu
 match remote identity address 6.6.6.6 255.255.255.252
 proposal 7
#
ike proposal 7
#
ike keychain 7
 pre-shared-key address 6.6.6.6 255.255.255.252 key simple 1sEDC3sqoI
#
##### Route B ###################################
#
interface GigabitEthernet1/0/0
 port link-mode route
 ip address 6.6.6.6 255.255.255.252
 nat outbound 3001
 ipsec apply policy 3001
#
acl advanced 3001
 description vpn-nat
 rule 4 deny ip source 192.168.0.0 0.0.255.255 destination 172.21.0.0 0.0.255.255
 rule 100 permit ip
#
acl advanced 3010
 description ipsec-VPN
 rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 172.21.0.0 0.0.255.255
 rule 100 deny ip
#
ipsec transform-set 3001
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy 3001 1 isakmp
 transform-set 3001
 ike-profile 3001
 security acl 3010
#
ike identity fqdn zhongmu
#
ike profile 3001
 keychain 3001
 exchange-mode aggressive
 match remote identity fqdn zhongmu
 proposal 3001
#
ike proposal 3001
#
ike keychain 3001
 pre-shared-key hostname zhongmu key simple 1sEDC3sqoI
#
Original article: http://abian.blog.51cto.com/751059/1974319