AR G3 IPSec: configuration method when one end has a fixed address and the other end's address changes
2014/10/12 13:53:59
Problem description
In this scenario, the end with the fixed IP address uses a policy template (template-policy): it does not need to specify remote-address, and it may also leave the ACL unconfigured (there is no need to worry that data flows will go unprotected without it, because the ACL can be negotiated from the remote end). If an ACL is configured, the destination must be specified, otherwise negotiation will run into problems.
Alarm information
None
Handling procedure
Configuration on the end whose IP address does not change:
acl number 3000
rule 5 permit ip source 172.18.1.0 0.0.0.255 destination 172.18.2.0 0.0.0.255
#
ipsec proposal 1
#
ike proposal 1
#
ike peer 189 v2
pre-shared-key huawei
ike-proposal 1
#
ipsec policy-template 1 1
security acl 3000 ----------------optional; recommended not to configure
ike-peer 189
proposal 1
#
ipsec policy 2 1 isakmp template 1
#
interface GigabitEthernet0/0/1
ip address 172.18.1.189 255.255.255.0
ipsec policy 2
#
Configuration on the end whose IP address changes:
acl number 3000
rule 5 permit ip source 172.18.2.0 0.0.0.255 destination 172.18.1.0 0.0.0.255
#
ipsec proposal 1
#
ike proposal 1
#
ike peer 190 v2
pre-shared-key huawei
ike-proposal 1
remote-address 172.18.1.189
#
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 190
proposal 1
#
interface Dialer0
link-protocol ppp
ip address ppp-negotiate
dialer user 190
dialer bundle 1
dialer-group 1
ipsec policy 1 ---------------bind IPSec under the Dialer interface
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
dialer-rule
dialer-rule 1 ip permit
#
Use the following command to check whether the IPsec tunnel has been established successfully:
display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
5 172.18.1.189 0 RD|ST 2
3 172.18.1.189 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
display ipsec sa
===============================
Interface: Dialer0
Path MTU: 1492
===============================
-----------------------------
IPSec policy name: "1"
Sequence number : 1
Mode : ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 172.18.2.254
Tunnel remote : 172.18.1.189
[Outbound ESP SAs]
SPI: 2804632727 (0xa72b4c97)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3010961613 (0xb377a0cd)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max received sequence-number: 0
UDP encapsulation used for NAT traversal: N
Use the following command to check whether traffic is entering the IPSec tunnel:
display ipsec statistics esp
Inpacket count : 10
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 10
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
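As an added example (not part of the original note), a small Python checker that parses the two display outputs above and reports whether the peer has both IKE phases in the RD (ready) state and whether any ESP drop or failure counter is non-zero. The sample outputs are constructed to mirror the page's layout; matching counters by the words "drop", "fail" and "BadAuthLen" in their names is an assumption.

```python
import re

# Constructed sample laid out like the page's "display ike sa v2" output.
IKE_SA_OUTPUT = """\
Conn-ID  Peer            VPN  Flag(s)  Phase
---------------------------------------------------------------
5        172.18.1.189    0    RD|ST    2
3        172.18.1.189    0    RD|ST    1
"""

# Constructed sample laid out like "display ipsec statistics esp",
# with one non-zero drop counter so the check has something to report.
ESP_STATS_OUTPUT = """\
Inpacket count            : 10
Inpacket auth count       : 0
Outpacket count           : 10
Inpacket drop count       : 0
Outpacket drop count      : 3
AuthFail count            : 0
PktInSAMissDrop count     : 0
"""

# One SA row: conn-id, peer address, vpn, flag list, phase.
SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_ike_sa(text):
    """Return one dict per SA row; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            conn_id, peer, vpn, flags, phase = m.groups()
            rows.append({"conn_id": int(conn_id), "peer": peer, "vpn": int(vpn),
                         "flags": set(flags.split("|")), "phase": int(phase)})
    return rows

def tunnel_ready(rows, peer):
    """True only when the peer has a Phase 1 and a Phase 2 SA both flagged RD."""
    phases = {r["phase"] for r in rows if r["peer"] == peer and "RD" in r["flags"]}
    return {1, 2} <= phases

def parse_esp_stats(text):
    """Map each 'Name : value' counter line to an int."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value.strip())
    return stats

def esp_problems(stats):
    """Names of drop/failure counters that are non-zero (assumed naming)."""
    return sorted(k for k, v in stats.items()
                  if v and any(w in k.lower() for w in ("drop", "fail", "badauthlen")))
```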
Root cause
None
Suggestions and summary
None