H3C MSR20 series router: IPsec VPN configuration
H3C MSR20 series router IPsec VPN configuration example. The peer end is configured identically except for the IKE names and the direction of the ACL traffic flows. This end connects over ADSL (PPPoE, dynamic IP); the peer has a fixed IP address.
#
 version 5.20, Release 2207P02, Basic
#
 sysname testvpn
#
 ike local-name testvpn
 ike sa keepalive-timer timeout 28800
#
 domain default enable system
#
 telnet server enable
#
 dar p2p signature-file cfa0:/p2p_default.mtd
#
 port-security enable
#
acl number 3001 name nat
 rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255   (VPN traffic must not be NATed; on the peer, swap the two address ranges)
 rule 20 permit ip source 192.168.2.94 0   (inside addresses allowed to NAT, i.e. the hosts permitted Internet access)
 rule 30 permit ip source 192.168.2.80 0
acl number 3026
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255   (defines the traffic carried by the VPN tunnel; on the peer, swap the two address ranges)
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer testvpn   (configure the IKE peer)
 exchange-mode aggressive   (aggressive mode)
 pre-shared-key cipher nWUE29323vCRHSJ19231231hkSNpRHtg==   (pre-shared key)
 id-type name   (ID type is name)
 remote-name testpeer   (remote IKE name)
 remote-address 202.106.0.20   (this end is on ADSL with a dynamic IP, so on the peer it is enough to specify this end's IKE name; the peer needs no remote-address)
 local-name testvpn   (local IKE name)
 nat traversal   (NAT traversal)
#
ipsec proposal testvpn
#
ipsec policy testvpn 10 isakmp
 security acl 3026   (ACL to match)
 pfs dh-group1
 ike-peer testvpn   (IKE peer name)
 proposal testvpn   (IPsec proposal name)
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher .]@QWEUSEWEW=B,53Q123=^Q`M12DAAF4<1!!
 authorization-attribute level 3
 service-type telnet
 service-type web
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Dialer1   (PPPoE dial-up interface)
 nat outbound 3001
 link-protocol ppp
 ppp pap local-user 9009239392939 password cipher )^6G123G6S032316;R3Q=^Q`MAF4<1!!
 mtu 1450
 ip address ppp-negotiate
 tcp mss 1024
 dialer user admin
 dialer-group 1
 dialer bundle 1
 ipsec policy testvpn
#
interface Ethernet0/0
 port link-mode route
 description inside
 ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/1
 port link-mode route
 description outside
 pppoe-client dial-bundle-number 1
 tcp mss 1024
 ip address dhcp-alloc
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
 ssh server enable
#
 load xml-configuration
#
user-interface con 0
user-interface tty 13
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
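The page states that the fixed-IP peer is configured the same way except that the IKE names and the two address ranges in the ACLs are swapped, and that the peer needs no remote-address because this end's IP is dynamic. The following is an added example of the VPN-relevant part of that peer configuration, derived from those rules; it is not taken from the original page. Everything not stated on the page is an assumption: the peer's LAN is 192.168.0.0/24 with the router at 192.168.0.1, its WAN interface is Ethernet0/1 carrying the fixed address 202.106.0.20 with a /24 mask and default gateway 202.106.0.1, and the pre-shared key is shown as a placeholder that must equal the plaintext key used at the ADSL end.

```text
#
 sysname testpeer
#
 ike local-name testpeer            (IKE name of this end; the ADSL end refers to it as remote-name)
 ike sa keepalive-timer timeout 28800
#
acl number 3001 name nat
 rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.2.0 0.0.0.255   (address ranges swapped: keep tunnel traffic out of NAT)
 rule 20 permit ip source 192.168.0.0 0.0.0.255                                    (assumption: whole peer LAN may use NAT)
acl number 3026
 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 (address ranges swapped: tunnel traffic)
#
ike peer testvpn
 exchange-mode aggressive
 pre-shared-key simple PLACEHOLDER-SAME-KEY-AS-ADSL-END   (placeholder; must match the ADSL end's key)
 id-type name
 remote-name testvpn                 (IKE name of the ADSL end)
 local-name testpeer                 (no remote-address: the ADSL end has a dynamic IP)
 nat traversal
#
ipsec proposal testvpn
#
ipsec policy testvpn 10 isakmp
 security acl 3026
 pfs dh-group1
 ike-peer testvpn
 proposal testvpn
#
interface Ethernet0/0                (assumption: inside interface)
 port link-mode route
 description inside
 ip address 192.168.0.1 255.255.255.0
#
interface Ethernet0/1                (assumption: fixed-IP outside interface)
 port link-mode route
 description outside
 ip address 202.106.0.20 255.255.255.0
 nat outbound 3001
 ipsec policy testvpn
#
 ip route-static 0.0.0.0 0.0.0.0 202.106.0.1   (assumption: ISP gateway)
#
return
```

Two points to check when reusing this pair of configurations. First, the deny rule in the NAT ACL must precede the permit rules on both ends, otherwise tunnel traffic is translated before the IPsec policy sees it and the ACL 3026 match fails. Second, the page's choices of aggressive mode with a pre-shared key, PFS with dh-group1 (768-bit MODP), and an enabled Telnet server are weak by current standards; where the peer firmware supports them, prefer main mode, a stronger DH group in both the IKE proposal and pfs, and SSH only (the page already enables the SSH server).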