H3C GRE over IPsec配置实例

拓扑描述
站点A 路由器 RA 外网地址 192.13.2.1/24 内网地址 10.1.1.1/24
站点B 路由器 RB 外网地址 132.108.5.2/24 内网地址 10.1.3.1/24
RA配置
ip add 192.13.2.1 255.255.255.0
ip add 10.1.1.1 255.255.255.0

interface tunnle 0
ip add 10.1.2.1 255.255.255.0
source 192.13.2.1
destination 132.108.5.2
keepalive

ip route-static 10.1.3.0 255.255.255.0 tunnel 0

acl number 3001
rule permit ip source 192.13.2.1 0.0.0.0 destination 132.108.5.2 0.0.0.0
rule deny ip source any destination any

ip rout-static 132.108.5.0 255.255.255.0 s 1/0

ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit

ike peer peer1
pre-share-key cssl#123456
remote-address 132.108.5.2

ipsec policy map1 10 isakmp
proposal tran1
security acl 3001
ike-peer peer1
quit

interface s1/0
ipsec policy map1

RA配置
ip add 192.13.2.1 255.255.255.0
ip add 10.1.1.1 255.255.255.0

interface tunnle 0
ip add 10.1.2.1 255.255.255.0
source 192.13.2.1
destination 132.108.5.2
keepalive

ip route-static 10.1.3.0 255.255.255.0 tunnel 0

acl number 3001
rule permit ip source 192.13.2.1 0.0.0.0 destination 132.108.5.2 0.0.0.0
rule deny ip source any destination any

ip rout-static 132.108.5.0 255.255.255.0 s 1/0

ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit

ike peer peer1
pre-share-key cssl#123456
remote-address 132.108.5.2

ipsec policy map1 10 isakmp
proposal tran1
security acl 3001
ike-peer peer1
quit

interface s1/0
ipsec policy map1

RB配置
ip add 132.108.5.2 255.255.255.0
ip add 10.1.3.1 255.255.255.0

interface tunnle 0
ip add 10.1.2.2 255.255.255.0
source 132.108.5.2
destination 192.13.2.1
keepalive

ip route-static 10.1.1.0 255.255.255.0 tunnel 0

acl number 3001
rule permit ip source 132.108.5.2 0.0.0.0 destination 192.13.2.1 0.0.0.0
rule deny ip source any destination any

ip rout-static 192.13.2.1 0.0.0.0 255.255.255.0 s 1/0

ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit

ike peer peer1
pre-share-key cssl#123456
remote-address 192.13.2.1

ipsec policy map1 10 isakmp
proposal tran1
security acl 3001
ike-peer peer1
quit

interface s1/0
ipsec policy map1