华为路由器标准IPSEC配置

router A:
ike proposal 1

#
  


ike peer a

pre-shared-key huawei-3com

remote-address 202.0.0.2  

#   
  


ipsec proposal a

#
  


ipsec policy a 1 isakmp

security acl 3009

ike-peer a

proposal a

#
  


interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0     

#
  


interface Ethernet2/0

ip address 202.0.0.1 255.255.255.0

ipsec policy a

#
  


acl number 3009

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 1 deny ip

#
  


ip route-static 0.0.0.0 0.0.0.0 202.0.0.2 preference 60

【Router B】

ike proposal 1

#
  


ike peer b

pre-shared-key huawei-3com

remote-address 202.0.0.1  

#   
  


ipsec proposal b

#
  


ipsec policy b 1 isakmp

security acl 3009

ike-peer b

proposal b

#
  


interface Ethernet0/0

ip address 192.168.2.1 255.255.255.0     

#
  


interface Ethernet2/0

ip address 202.0.0.2 255.255.255.0

ipsec policy b

#
  


acl number 3009

rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#
  


ip route-static 0.0.0.0 0.0.0.0 202.0.0.1 preference 60

【注意】

1、 当路由器即需要配置ipsec，又需要使用NAT的，一定要在NAT的ACL中deny掉ipsec保护的流。否则需要进行ipsec

保护的流会先会被NAT的ACL匹配，进行NAT，而无法触发ipsec的建立。