Typical configuration of standard IPsec on AR series routers

【Requirement】
Two routers communicate with each other over the Internet using an IPsec tunnel.

【Network diagram】
(The diagram itself is not included in this page. The topology implied by the scripts below: RouterA Ethernet1/0/0 192.168.1.1/24 and Serial2/0/0 202.0.0.1/24, connected across the Internet to RouterB Serial2/0/0 202.0.0.2/24 and Ethernet1/0/0 192.168.2.1/24.)

【Configuration scripts】
RouterA configuration script (ike proposal 1 and ipsec proposal a carry no sub-commands, so they use default parameters):

#
 sysname RouterA
#
radius scheme system
#
domain system
#
ike proposal 1
#
ike peer a
 pre-shared-key huawei-3com
 remote-address 202.0.0.2
#
ipsec proposal a
#
ipsec policy a 1 isakmp
 security acl 3000
 ike-peer a
 proposal a
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
interface Ethernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ip address 202.0.0.1 255.255.255.0
 ipsec policy a
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 202.0.0.2 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

RouterB configuration script (mirror image of RouterA: peer name b, remote address 202.0.0.1, ACL 3000 with source and destination swapped):

#
 sysname RouterB
#
radius scheme system
#
domain system
#
ike proposal 1
#
ike peer b
 pre-shared-key huawei-3com
 remote-address 202.0.0.1
#
ipsec proposal b
#
ipsec policy b 1 isakmp
 security acl 3000
 ike-peer b
 proposal b
#
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Ethernet1/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ip address 202.0.0.2 255.255.255.0
 ipsec policy b
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 202.0.0.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

【Verification】
Confirm that the IKE SA has been established on RouterA (the phase 1 SA and the phase 2 SA with peer 202.0.0.2 should both show the RD (READY) flag):

[RouterA] dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
    2              202.0.0.2       RD|ST       1       IPSEC
    3              202.0.0.2       RD|ST       2       IPSEC

    flag meaning
    RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

【Tips】
1. When a router needs both IPsec and NAT, the traffic protected by IPsec must be denied in the NAT ACL. Otherwise the traffic that should be protected by IPsec is matched first by the NAT ACL and translated, so it can never trigger IPsec negotiation.
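The tip above, about NAT ACLs capturing IPsec-protected traffic, as an added example that is not part of the original article: a small model of Comware-style advanced ACL evaluation (first matching rule wins, wildcard masks are inverse masks) that checks a NAT ACL against the flow ACL 3000 protects. The NAT ACL contents and the `nat_steals_ipsec_flow` helper are assumptions for illustration; the page shows no NAT configuration.

```python
"""Added example, not from the original KB article.
Models Comware advanced ACL matching for IPv4 'rule ... ip source ... destination ...' lines."""
import ipaddress
from typing import List, Optional, Tuple


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard (inverse) mask: a 1 bit means "don't care", a 0 bit must equal the base.
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line: str) -> dict:
    # e.g. "rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"
    t = line.split()
    rule: dict = {"id": int(t[1]), "action": t[2], "src": None, "dst": None}
    for key, field in (("source", "src"), ("destination", "dst")):
        if key in t:
            i = t.index(key)
            rule[field] = (t[i + 1], t[i + 2])  # (base address, wildcard mask)
    return rule


def acl_action(rules: List[str], src: str, dst: str) -> Optional[str]:
    # Rules are evaluated in order; an omitted source/destination matches any address.
    for raw in rules:
        r = parse_rule(raw)
        hit = all(r[f] is None or _wild_match(a, *r[f]) for f, a in (("src", src), ("dst", dst)))
        if hit:
            return r["action"]
    return None  # no rule matched


# ACL 3000 from the article: the flow that ipsec policy 'a' protects.
IPSEC_ACL = ["rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"]
# Constructed NAT ACLs (assumed, not on the page): weak version permits the whole LAN...
NAT_ACL_WEAK = ["rule 0 permit ip source 192.168.1.0 0.0.0.255"]
# ...corrected version denies the IPsec-protected flow before the permit.
NAT_ACL_FIXED = ["rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
                 "rule 5 permit ip source 192.168.1.0 0.0.0.255"]


def nat_steals_ipsec_flow(nat_acl: List[str], src: str, dst: str) -> bool:
    """True when a packet is IPsec-interesting yet permitted by the NAT ACL,
    i.e. it would be translated before the IPsec policy could match it."""
    return acl_action(IPSEC_ACL, src, dst) == "permit" and acl_action(nat_acl, src, dst) == "permit"
```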