USG2000 IPsec VPN configuration where the branch office connects through ADSL
USG_A configuration script
#
 ike local-name client
#
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.1 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
 ike-proposal 1
 remote-domain www.adsl.3322.org
#
ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 202.10.12.1 255.255.255.0
 ipsec policy map
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.10.12.2
#
policy interzone local untrust inbound
 policy 1
  action permit
#
policy interzone local untrust outbound
 policy 1
  action permit
  policy source 202.10.12.0 0.0.0.255
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
#
nat-policy interzone trust untrust outbound
 policy 1
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
  action no-nat
 policy 2
  policy source 10.1.1.0 0.0.0.255
  action source-nat
  easy-ip GigabitEthernet 0/0/2
#
return
USG_B configuration script
#
 dialer-rule 10 ip permit
#
 dns resolve
 dns server 200.1.1.1
#
 ddns client enable
#
acl number 3001
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
 ike-proposal 1
 remote-address 202.10.12.1
#
ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface Dialer1
 link-protocol ppp
 ppp chap user adsluser
 ppp chap password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
 ppp pap local-user adsluser password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
 ip address ppp-negotiate
 dialer user adsluser
 dialer-group 10
 dialer bundle 5
 ipsec policy map
 ddns apply policy abc
#
interface GigabitEthernet0/0/1
 ip address 10.1.3.1 255.255.255.0
 dhcp select interface
#
interface Atm2/0/0
 pppoe-client dial-bundle-number 5
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
ddns policy abc
 ddns username abc123 password %$%$F\seVlS7YVU8DT"wpee,kYPG%$%$
 ddns client www.adsl.3322.org
 ddns server www.3322.org
#
policy interzone local untrust inbound
 policy 1
  action permit
  policy source 202.10.12.0 0.0.0.255
#
policy interzone local untrust outbound
 policy 1
  action permit
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
return
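The two scripts only form a working tunnel when ACL 3001 on each side mirrors the other and the untrust-to-trust policy on each side permits the decrypted flow from the peer's LAN. The checker below is an added example, not part of the original page or any Huawei tool: it parses the ACL and the trust-untrust inbound policy out of both scripts, normalises each address/wildcard pair (so 10.1.3.1 0.0.0.255 and 10.1.3.0 0.0.0.255 compare equal) and reports any disagreement. The excerpts are constructed from the scripts above, with the hub-side inbound destination deliberately set to the local subnet to show what a finding looks like; the function names and regexes are this example's own.

```python
import ipaddress
import re

RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
HEADER = re.compile(r"acl number \d+|policy interzone trust untrust (?:in|out)bound")
ITEM = re.compile(r"policy (source|destination) (\S+) (\S+)")

def to_net(ip, wildcard):
    """Huawei 'address wildcard' pair -> network with host bits cleared (10.1.3.1 0.0.0.255 -> 10.1.3.0/24)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(ip)) & mask, str(ipaddress.IPv4Address(mask))))

def parse_flows(config):
    """Collect the (src, dst) networks named by the ACL and by the untrust->trust (inbound) policy."""
    flows, section, pending = {"acl": set(), "inbound": set()}, None, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#" or HEADER.match(line):  # a bare '#' ends the current section in Huawei configs
            section = None if line == "#" else ("acl" if line.startswith("acl") else line.split()[-1])
            pending = {}
        elif section == "acl" and (m := RULE.match(line)):
            flows["acl"].add((to_net(m[1], m[2]), to_net(m[3], m[4])))
        elif section == "inbound" and (m := ITEM.match(line)):
            pending[m[1]] = to_net(m[2], m[3])
            if len(pending) == 2:  # both halves seen: record the flow this policy entry permits
                flows["inbound"].add((pending.pop("source"), pending.pop("destination")))
    return flows

def check_pair(cfg_a, cfg_b):
    """Findings for a hub/branch pair; an empty list means the two sides agree."""
    a, b, findings = parse_flows(cfg_a), parse_flows(cfg_b), []
    if a["acl"] != {(d, s) for s, d in b["acl"]}:
        findings.append("ACL on A is not the mirror image of ACL on B")
    for name, site in (("A", a), ("B", b)):
        for s, d in site["acl"]:  # decrypted traffic from the peer enters from untrust as d -> s
            if (d, s) not in site["inbound"]:
                findings.append(f"{name}: no untrust->trust inbound permit for {d} -> {s}")
    return findings

# Constructed excerpts (ACL plus inbound policy only); A's destination is deliberately the local subnet.
USG_A = """acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.1 0.0.0.255
policy interzone trust untrust inbound
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255"""
USG_B = """acl number 3001
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
policy interzone trust untrust inbound
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255"""
```

Running `check_pair(USG_A, USG_B)` reports the missing hub-side permit for 10.1.3.0/24 -> 10.1.1.0/24 and nothing else, because the ACL mismatch in spelling (10.1.3.1 versus 10.1.3.0) disappears after normalisation.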