MSR Routers
Establish Aggressive Mode IPsec VPN Between HQ and Multiple Branches
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Introduction
The following information provides an example for setting up an IPsec VPN between the headquarters (HQ) and branches by using aggressive mode IKE negotiation.
Prerequisites
The following information applies to Comware 7-based MSR router series. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of IPsec.
Example: Establishing aggressive mode IPsec VPN between HQ and multiple branches
Network configuration
As shown in Figure 1, Device A is the gateway of Branch 1, Device B is the gateway of Branch 2, and Device C is the gateway of the headquarters (HQ). Device A and Device B connect to the Internet using PPPoE dial-up, while Device C connects to the Internet with a fixed IP address of 1.1.1.1/24. The HQ and branches communicate with each other over the public network.
To ensure security, establish an IPsec VPN tunnel between each branch and the HQ. The branches reach each other through the HQ over these tunnels, so branch-to-branch traffic is also protected.
Software versions used
The configuration example was created and verified on R6749P15 of the MSR3610-X1 router.
Restrictions and guidelines
Procedures
Configuring Device A
1. Configure IP addresses for interfaces.
# Configure an IP address for interface GigabitEthernet1/0/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
2. Configure an ACL:
# Create ACL 3000.
[DeviceA] acl number 3000
# Define rule 0: Permit the data flow from subnet 192.168.1.0/24 of Branch 1 to subnet 192.168.2.0/24 of the HQ.
[DeviceA-acl-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
# Define rule 1: Permit the data flow from subnet 192.168.1.0/24 of Branch 1 to subnet 192.168.3.0/24 of Branch 2.
[DeviceA-acl-adv-3000] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[DeviceA-acl-adv-3000] quit
3. Configure an IKE proposal:
# Create IKE proposal 1.
[DeviceA] ike proposal 1
# Specify the authentication algorithm as HMAC-MD5.
[DeviceA-ike-proposal-1] authentication-algorithm md5
# Specify the encryption algorithm as 3DES-CBC.
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] quit
4. Configure the local identity:
# Configure the local ID as FQDN name RTA.
[DeviceA] ike identity fqdn RTA
5. Configure an IKE keychain:
# Create an IKE keychain named RTA. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with peer 1.1.1.1.
[DeviceA] ike keychain RTA
[DeviceA-ike-keychain-RTA] pre-shared-key address 1.1.1.1 key simple 123456TESTplat&!
[DeviceA-ike-keychain-RTA] quit
6. Configure an IKE profile:
# Create an IKE profile named RTA.
[DeviceA] ike profile RTA
# Specify IKE keychain RTA for the IKE profile.
[DeviceA-ike-profile-RTA] keychain RTA
# Specify the IKE negotiation mode in phase 1 as the aggressive mode.
[DeviceA-ike-profile-RTA] exchange-mode aggressive
# Configure the local ID as FQDN name RTA.
[DeviceA-ike-profile-RTA] local-identity fqdn RTA
# Configure the peer ID as FQDN name zongbu.
[DeviceA-ike-profile-RTA] match remote identity fqdn zongbu
# Specify IKE proposal 1 for the IKE profile.
[DeviceA-ike-profile-RTA] proposal 1
[DeviceA-ike-profile-RTA] quit
7. Configure an IPsec transform set:
# Create IPsec transform set 1.
[DeviceA] ipsec transform-set 1
# Set the packet encapsulation mode to tunnel.
[DeviceA-ipsec-transform-set-1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-1] protocol esp
# Specify the encryption and authentication algorithms used by ESP.
[DeviceA-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc
[DeviceA-ipsec-transform-set-1] esp authentication-algorithm md5
[DeviceA-ipsec-transform-set-1] quit
8. Configure an IPsec policy:
# Create an IKE-based IPsec policy entry. Specify the policy name as RTA and set the sequence number to 1.
[DeviceA] ipsec policy RTA 1 isakmp
[DeviceA-ipsec-policy-isakmp-RTA-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-RTA-1] remote-address 1.1.1.1
[DeviceA-ipsec-policy-isakmp-RTA-1] ike-profile RTA
[DeviceA-ipsec-policy-isakmp-RTA-1] transform-set 1
[DeviceA-ipsec-policy-isakmp-RTA-1] quit
9. Apply the IPsec policy to an interface:
# Apply IPsec policy RTA to interface Dialer10. (Dialer10 here is only an example. Choose a proper interface in your network to apply the IPsec policy.)
[DeviceA] interface Dialer 10
[DeviceA-Dialer10] ipsec apply policy RTA
[DeviceA-Dialer10] quit
Configuring Device B
1. Configure IP addresses for interfaces.
# Configure an IP address for interface GigabitEthernet1/0/1.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 192.168.3.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
2. Configure an ACL:
# Create ACL 3000.
[DeviceB] acl number 3000
# Define rule 0: Permit the data flow from subnet 192.168.3.0/24 of Branch 2 to subnet 192.168.2.0/24 of the HQ.
[DeviceB-acl-adv-3000] rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
# Define rule 1: Permit the data flow from subnet 192.168.3.0/24 of Branch 2 to subnet 192.168.1.0/24 of Branch 1.
[DeviceB-acl-adv-3000] rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[DeviceB-acl-adv-3000] quit
3. Configure an IKE proposal:
# Create IKE proposal 1.
[DeviceB] ike proposal 1
# Specify the authentication algorithm as HMAC-MD5.
[DeviceB-ike-proposal-1] authentication-algorithm md5
# Specify the encryption algorithm as 3DES-CBC.
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] quit
4. Configure the local identity:
# Configure the local ID as FQDN name RTB.
[DeviceB] ike identity fqdn RTB
5. Configure an IKE keychain:
# Create an IKE keychain named RTB. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with peer 1.1.1.1.
[DeviceB] ike keychain RTB
[DeviceB-ike-keychain-RTB] pre-shared-key address 1.1.1.1 key simple 123456TESTplat&!
[DeviceB-ike-keychain-RTB] quit
6. Configure an IKE profile:
# Create an IKE profile named RTB.
[DeviceB] ike profile RTB
# Specify IKE keychain RTB for the IKE profile.
[DeviceB-ike-profile-RTB] keychain RTB
# Specify the IKE negotiation mode in phase 1 as the aggressive mode.
[DeviceB-ike-profile-RTB] exchange-mode aggressive
# Specify the FQDN name RTB as the local ID.
[DeviceB-ike-profile-RTB] local-identity fqdn RTB
# Specify the FQDN name zongbu as the peer ID.
[DeviceB-ike-profile-RTB] match remote identity fqdn zongbu
# Specify IKE proposal 1 for the IKE profile.
[DeviceB-ike-profile-RTB] proposal 1
[DeviceB-ike-profile-RTB] quit
7. Configure an IPsec transform set:
# Create IPsec transform set 1.
[DeviceB] ipsec transform-set 1
# Set the packet encapsulation mode to tunnel.
[DeviceB-ipsec-transform-set-1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceB-ipsec-transform-set-1] protocol esp
# Specify the encryption and authentication algorithms used by ESP.
[DeviceB-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-1] quit
8. Configure an IPsec policy:
# Create an IKE-based IPsec policy entry. Specify the policy name as RTB and set the sequence number to 1.
[DeviceB] ipsec policy RTB 1 isakmp
[DeviceB-ipsec-policy-isakmp-RTB-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-RTB-1] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-RTB-1] ike-profile RTB
[DeviceB-ipsec-policy-isakmp-RTB-1] transform-set 1
[DeviceB-ipsec-policy-isakmp-RTB-1] quit
9. Apply the IPsec policy to an interface:
# Apply IPsec policy RTB to interface Dialer10. (Dialer10 here is only an example. Choose a proper interface in your network to apply the IPsec policy.)
[DeviceB] interface Dialer 10
[DeviceB-Dialer10] ipsec apply policy RTB
[DeviceB-Dialer10] quit
Configuring Device C
1. Configure IP addresses for interfaces.
# Configure an IP address for interface GigabitEthernet 1/0/1.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
# Configure an IP address for interface GigabitEthernet 1/0/2.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] ip address 1.1.1.1 255.255.255.0
[DeviceC-GigabitEthernet1/0/2] quit
2. Configure ACL 3000:
# Create ACL 3000.
[DeviceC] acl number 3000
# Define rule 0: Permit the data flow from subnet 192.168.2.0/24 of the HQ to subnet 192.168.1.0/24 of Branch 1.
[DeviceC-acl-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
# Define rule 1: Permit the data flow from subnet 192.168.3.0/24 of Branch 2 to subnet 192.168.1.0/24 of Branch 1.
[DeviceC-acl-adv-3000] rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[DeviceC-acl-adv-3000] quit
3. Configure ACL 3001:
# Create ACL 3001.
[DeviceC] acl number 3001
# Define rule 0: Permit the data flow from subnet 192.168.2.0/24 of the HQ to subnet 192.168.3.0/24 of Branch 2.
[DeviceC-acl-adv-3001] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
# Define rule 1: Permit the data flow from subnet 192.168.1.0/24 of Branch 1 to subnet 192.168.3.0/24 of Branch 2.
[DeviceC-acl-adv-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[DeviceC-acl-adv-3001] quit
4. Configure an IKE proposal:
# Create IKE proposal 1.
[DeviceC] ike proposal 1
# Specify the authentication algorithm as HMAC-MD5.
[DeviceC-ike-proposal-1] authentication-algorithm md5
# Specify the encryption algorithm as 3DES-CBC.
[DeviceC-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceC-ike-proposal-1] quit
5. Configure the local identity:
# Configure the local ID as FQDN name zongbu.
[DeviceC] ike identity fqdn zongbu
6. Configure an IKE keychain:
# Create an IKE keychain named RTA. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with the peer identified by FQDN RTA.
[DeviceC] ike keychain RTA
[DeviceC-ike-keychain-RTA] pre-shared-key hostname RTA key simple 123456TESTplat&!
[DeviceC-ike-keychain-RTA] quit
# Create an IKE keychain named RTB. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with the peer identified by FQDN RTB.
[DeviceC] ike keychain RTB
[DeviceC-ike-keychain-RTB] pre-shared-key hostname RTB key simple 123456TESTplat&!
[DeviceC-ike-keychain-RTB] quit
7. Configure IKE profile RTA:
# Create an IKE profile named RTA.
[DeviceC] ike profile RTA
# Specify IKE keychain RTA for the IKE profile.
[DeviceC-ike-profile-RTA] keychain RTA
# Specify the IKE negotiation mode in phase 1 as the aggressive mode.
[DeviceC-ike-profile-RTA] exchange-mode aggressive
# Configure the FQDN name zongbu as the local ID.
[DeviceC-ike-profile-RTA] local-identity fqdn zongbu
# Configure the peer ID as FQDN RTA.
[DeviceC-ike-profile-RTA] match remote identity fqdn RTA
# Specify IKE proposal 1 for the IKE profile.
[DeviceC-ike-profile-RTA] proposal 1
[DeviceC-ike-profile-RTA] quit
8. Configure IKE profile RTB:
# Create an IKE profile named RTB.
[DeviceC] ike profile RTB
# Specify IKE keychain RTB for the IKE profile.
[DeviceC-ike-profile-RTB] keychain RTB
# Specify the IKE negotiation mode in phase 1 as the aggressive mode.
[DeviceC-ike-profile-RTB] exchange-mode aggressive
# Configure the FQDN name zongbu as the local ID.
[DeviceC-ike-profile-RTB] local-identity fqdn zongbu
# Configure the peer ID as FQDN name RTB.
[DeviceC-ike-profile-RTB] match remote identity fqdn RTB
# Specify IKE proposal 1 for the IKE profile.
[DeviceC-ike-profile-RTB] proposal 1
[DeviceC-ike-profile-RTB] quit
9. Configure an IPsec transform set:
# Create IPsec transform set 1.
[DeviceC] ipsec transform-set 1
# Set the packet encapsulation mode to tunnel.
[DeviceC-ipsec-transform-set-1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceC-ipsec-transform-set-1] protocol esp
# Specify the encryption and authentication algorithms used by ESP.
[DeviceC-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc
[DeviceC-ipsec-transform-set-1] esp authentication-algorithm md5
[DeviceC-ipsec-transform-set-1] quit
10. Configure an IPsec policy template:
# Create and configure an IPsec policy template named t1 with a sequence number of 1.
[DeviceC] ipsec policy-template t1 1
[DeviceC-ipsec-policy-template-t1-1] security acl 3000
[DeviceC-ipsec-policy-template-t1-1] ike-profile RTA
[DeviceC-ipsec-policy-template-t1-1] transform-set 1
[DeviceC-ipsec-policy-template-t1-1] quit
# Create and configure an IPsec policy template named t2 with a sequence number of 1.
[DeviceC] ipsec policy-template t2 1
[DeviceC-ipsec-policy-template-t2-1] security acl 3001
[DeviceC-ipsec-policy-template-t2-1] ike-profile RTB
[DeviceC-ipsec-policy-template-t2-1] transform-set 1
[DeviceC-ipsec-policy-template-t2-1] quit
11. Configure an IKE-based IPsec policy:
# Create and configure an IPsec policy named zongbu with a sequence number of 1, based on IPsec policy template t1.
[DeviceC] ipsec policy zongbu 1 isakmp template t1
# Create and configure an IPsec policy named zongbu with a sequence number of 2, based on IPsec policy template t2.
[DeviceC] ipsec policy zongbu 2 isakmp template t2
12. Apply the IPsec policy to an interface:
# Apply IPsec policy zongbu to GigabitEthernet 1/0/2.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] ipsec apply policy zongbu
[DeviceC-GigabitEthernet1/0/2] quit
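As an added example (not part of this H3C document), the following Python script parses the ACL rules from the three configuration files and checks the property the hub-and-spoke design above relies on: every flow a branch protects must appear mirrored on the HQ ACL that its policy template binds (t1/ACL 3000 for RTA, t2/ACL 3001 for RTB), including the branch-to-branch flows that hairpin through Device C. The sample ACLs and the branch-to-ACL mapping are copied from this page; a missing mirror rule on the HQ side is what typically shows up as a phase 2 negotiation failure for that flow.

```python
import re
from ipaddress import IPv4Network

# ACL sections copied from the configuration files on this page (constructed
# input; H3C rule syntax is "source addr wildcard destination addr wildcard").
BRANCH_A = """
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
"""
BRANCH_B = """
acl number 3000
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""
HQ_C = """
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
"""
# Which HQ ACL protects which branch, taken from the policy templates on the
# page: t1 (ike-profile RTA) binds ACL 3000, t2 (ike-profile RTB) binds ACL 3001.
HQ_ACL_FOR_BRANCH = {"A": 3000, "B": 3001}

ACL_RE = re.compile(r"acl number (\d+)")
RULE_RE = re.compile(
    r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_acls(config):
    """Map ACL number -> list of (source, destination) networks."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            current = int(m.group(1))
            acls[current] = []
        elif (m := RULE_RE.match(line)) and current is not None:
            # ipaddress accepts the wildcard as a hostmask: 0.0.0.255 -> /24
            acls[current].append((IPv4Network((m.group(1), m.group(2))),
                                  IPv4Network((m.group(3), m.group(4)))))
    return acls


def missing_mirrors(branch_flows, hq_flows):
    """Branch flows (src, dst) with no reverse (dst, src) entry on the HQ side.

    Phase 2 negotiation only succeeds when both peers describe the same flow
    from their own side, so anything returned here will not get an IPsec SA.
    """
    hq = set(hq_flows)
    return [(src, dst) for src, dst in branch_flows if (dst, src) not in hq]


def check_hub(branches, hq_config):
    """Return {branch: [unmirrored flows]} for every spoke against the HQ."""
    hq_acls = parse_acls(hq_config)
    return {name: missing_mirrors(parse_acls(cfg)[3000],
                                  hq_acls[HQ_ACL_FOR_BRANCH[name]])
            for name, cfg in branches.items()}


if __name__ == "__main__":
    for name, gaps in check_hub({"A": BRANCH_A, "B": BRANCH_B}, HQ_C).items():
        print(f"Branch {name}:", "OK" if not gaps else f"unmirrored {gaps}")
```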
Verifying the configuration
# Initiate a connection from Host A to Host C to trigger IKE negotiation. Verify that you can successfully ping 192.168.2.2 from 192.168.1.2 after the IPsec tunnel is successfully established.
C:\Users> ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
# Device A obtains IP address 2.2.2.1 through PPPoE dial-up. Use the display ike sa command on Device A to verify that the phase 1 SA is established normally.
<DeviceA> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
13 1.1.1.1/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING
<DeviceA> display ike sa verbose
-----------------------------------------------
Connection ID: 13
Outside VPN:
Inside VPN:
Profile: RTA
Transmitting entity: Initiator
Initiator cookie: 1bcf453f0a217259
Responder cookie: 5e32a74dfa66a0a4
Output interface index: 2
-----------------------------------------------
Local IP/port: 2.2.2.1/500
Local ID type: FQDN
Local ID: RTA
Remote IP/port: 1.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 1.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 84565
Exchange-mode: Aggressive
Diffie-Hellman group: Group 1
NAT traversal: Detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index: 0xa1d
Vendor ID sequence number: 0x0
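The following Python check, added here and not part of the H3C document, parses the display ike sa verbose output above and compares the negotiated phase 1 parameters with the intended profile and peer; it also flags the algorithm choices this example negotiates (MD5, 3DES-CBC, DH group 1) and the aggressive-mode/pre-shared-key combination, which current guidance treats as weak. The WEAK sets are an assumption of this example, not part of the H3C software.

```python
# Constructed sample: the "display ike sa verbose" output shown on this page
# for Device A, trimmed to the fields the audit reads.
SAMPLE = """\
    Connection ID: 13
    Profile: RTA
    Transmitting entity: Initiator
    Local ID type: FQDN
    Local ID: RTA
    Remote IP/port: 1.1.1.1/500
    Remote ID type: IPV4_ADDR
    Remote ID: 1.1.1.1
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: MD5
    Encryption-algorithm: 3DES-CBC
    Exchange-mode: Aggressive
    Diffie-Hellman group: Group 1
    NAT traversal: Detected
"""

# Values IKE still accepts but that current guidance treats as weak.
# Assumption of this example: adjust the sets to your own crypto standard.
WEAK = {
    "Authentication-algorithm": {"MD5", "SHA1"},
    "Encryption-algorithm": {"DES-CBC", "3DES-CBC"},
    "Diffie-Hellman group": {"Group 1", "Group 2"},
}


def parse_sa(text):
    """Turn the 'Key: value' lines of the verbose output into a dict."""
    sa = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            sa[key.strip()] = value.strip()
    return sa


def audit_sa(sa, expected_profile, expected_peer):
    """Return findings as strings; an empty list means the SA matches intent."""
    findings = []
    if sa.get("Profile") != expected_profile:
        findings.append(f"profile {sa.get('Profile')} != {expected_profile}")
    peer = sa.get("Remote IP/port", "").split("/")[0]
    if peer != expected_peer:
        findings.append(f"peer {peer} != {expected_peer}")
    if (sa.get("Exchange-mode") == "Aggressive"
            and sa.get("Authentication-method") == "PRE-SHARED-KEY"):
        findings.append("aggressive mode with PSK: identities and the PSK-based "
                        "authentication hash are exchanged before encryption")
    for field, weak_values in WEAK.items():
        if sa.get(field) in weak_values:
            findings.append(f"{field} {sa[field]} is deprecated")
    if sa.get("NAT traversal") == "Detected":
        findings.append("NAT-T in use: expect ESP inside UDP/4500 on the path")
    return findings


if __name__ == "__main__":
    for finding in audit_sa(parse_sa(SAMPLE), "RTA", "1.1.1.1"):
        print("-", finding)
```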
# On Device A, use the display ipsec sa command to view the IPsec SA created by phase 2 IKE negotiation.
<DeviceA> display ipsec sa
-------------------------------
Interface: Dialer10
-------------------------------
-----------------------------
IPsec policy: RTA
Sequence number: 1
Alias: RTA-1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1435
Tunnel:
local address/port: 2.2.2.1/500
remote address/port: 1.1.1.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 830667426 (0x3182faa2)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
SPI: 3516214669 (0xd1952d8d)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max sent sequence-number:
UDP encapsulation used for NAT traversal: Y
Status: Active
Configuration files
· Device A:
#
interface GigabitEthernet1/0/1
ip address 192.168.1.1 255.255.255.0
#
interface Dialer10
ipsec apply policy RTA
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec transform-set 1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy RTA 1 isakmp
ike-profile RTA
remote-address 1.1.1.1
security acl 3000
transform-set 1
#
ike identity fqdn RTA
#
ike keychain RTA
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
ike profile RTA
keychain RTA
exchange-mode aggressive
local-identity fqdn RTA
match remote identity fqdn zongbu
proposal 1
#
ike proposal 1
authentication-algorithm md5
encryption-algorithm 3des-cbc
#
· Device B:
#
interface GigabitEthernet1/0/1
ip address 192.168.3.1 255.255.255.0
#
interface Dialer10
ipsec apply policy RTB
#
acl number 3000
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set 1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy RTB 1 isakmp
transform-set 1
security acl 3000
remote-address 1.1.1.1
ike-profile RTB
#
ike identity fqdn RTB
#
ike keychain RTB
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
ike profile RTB
keychain RTB
exchange-mode aggressive
local-identity fqdn RTB
match remote identity fqdn zongbu
proposal 1
#
ike proposal 1
authentication-algorithm md5
encryption-algorithm 3des-cbc
#
· Device C:
#
interface GigabitEthernet1/0/1
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 1.1.1.1 255.255.255.0
ipsec apply policy zongbu
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3001
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec transform-set 1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
#
ipsec policy-template t1 1
security acl 3000
ike-profile RTA
transform-set 1
#
#
ipsec policy-template t2 1
security acl 3001
ike-profile RTB
transform-set 1
#
ipsec policy zongbu 1 isakmp template t1
ipsec policy zongbu 2 isakmp template t2
#
#
ike identity fqdn zongbu
#
ike keychain RTA
pre-shared-key hostname RTA key cipher $c$3$7tvgEkFh6On3KIybUaywz5NDiHtwJqU=
#
ike keychain RTB
pre-shared-key hostname RTB key cipher $c$3$3ErJJ2M1lhES32CdsR3ofs5CdLvPJGk=
#
ike profile RTA
keychain RTA
exchange-mode aggressive
local-identity fqdn zongbu
match remote identity fqdn RTA
proposal 1
#
ike profile RTB
keychain RTB
exchange-mode aggressive
local-identity fqdn zongbu
match remote identity fqdn RTB
proposal 1
#
ike proposal 1
authentication-algorithm md5
encryption-algorithm 3des-cbc
#