Firewall IPsec VPN main mode configuration
#Basic configuration
1. Firewall FW1 configuration
[FW1-GigabitEthernet1/0/0] ip address 100.1.1.1 255.255.255.0
[FW1-GigabitEthernet1/0/1] ip address 192.100.1.1 255.255.255.0
[FW1] security-zone name Trust
[FW1-security-zone-Trust] import interface GigabitEthernet1/0/1
[FW1] security-zone name Untrust
[FW1-security-zone-Untrust] import interface GigabitEthernet1/0/0
[FW1] security-policy ip
[FW1-security-policy-ip] rule 1 name a-a
[FW1-security-policy-ip-1-a-a] action pass
[FW1] ip route-static 0.0.0.0 0 100.1.1.2
Rule a-a carries no match conditions, so it passes all traffic between the zones; that is acceptable for this lab topology only.
2. Firewall FW2 configuration
[FW2-GigabitEthernet1/0/0] ip address 200.1.1.2 255.255.255.0
[FW2-GigabitEthernet1/0/1] ip address 192.200.1.1 255.255.255.0
[FW2] security-zone name Trust
[FW2-security-zone-Trust] import interface GigabitEthernet1/0/1
[FW2] security-zone name Untrust
[FW2-security-zone-Untrust] import interface GigabitEthernet1/0/0
[FW2] security-policy ip
[FW2-security-policy-ip] rule 1 name a-a
[FW2-security-policy-ip-1-a-a] action pass
[FW2] ip route-static 0.0.0.0 0 200.1.1.1
3. ISP configuration
[isp-GigabitEthernet0/0] ip address 100.1.1.2 255.255.255.0
[isp-GigabitEthernet0/1] ip address 200.1.1.1 255.255.255.0
#Advanced configuration: IPsec
1. Firewall FW1 IPsec configuration
# Configure the ACL that selects the traffic to protect
[FW1] acl advanced 3003
[FW1-acl-ipv4-adv-3003] rule 0 permit ip source 192.100.1.0 0.0.0.255 destination 192.200.1.0 0.0.0.255
#
[FW1] ipsec transform-set 1
[FW1-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc
[FW1-ipsec-transform-set-1] esp authentication-algorithm md5
#
[FW1] ike proposal 1
[FW1-ike-proposal-1] dh group2
#
[FW1] ike keychain 1
[FW1-ike-keychain-1] pre-shared-key address 200.1.1.2 255.255.255.255 key simple 12345
#
[FW1] ike profile 1
[FW1-ike-profile-1] proposal 1
[FW1-ike-profile-1] keychain 1
[FW1-ike-profile-1] match remote identity address 200.1.1.2 255.255.255.255
#
[FW1] ipsec policy mymap 10 isakmp
[FW1-ipsec-policy-isakmp-mymap-10] transform-set 1
[FW1-ipsec-policy-isakmp-mymap-10] security acl 3003
[FW1-ipsec-policy-isakmp-mymap-10] ike-profile 1
[FW1-ipsec-policy-isakmp-mymap-10] remote-address 200.1.1.2
#
[FW1-GigabitEthernet1/0/0] ipsec apply policy mymap
2. Firewall FW2 IPsec configuration
# Configure the ACL (the mirror image of FW1's ACL 3003)
[FW2] acl advanced 3003
[FW2-acl-ipv4-adv-3003] rule 0 permit ip source 192.200.1.0 0.0.0.255 destination 192.100.1.0 0.0.0.255
#
[FW2] ipsec transform-set 1
[FW2-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc
[FW2-ipsec-transform-set-1] esp authentication-algorithm md5
#
[FW2] ike proposal 1
[FW2-ike-proposal-1] dh group2
#
[FW2] ike keychain 1
[FW2-ike-keychain-1] pre-shared-key address 100.1.1.1 255.255.255.255 key simple 12345
#
[FW2] ike profile 1
[FW2-ike-profile-1] proposal 1
[FW2-ike-profile-1] keychain 1
[FW2-ike-profile-1] match remote identity address 100.1.1.1 255.255.255.255
#
[FW2] ipsec policy mymap 10 isakmp
[FW2-ipsec-policy-isakmp-mymap-10] transform-set 1
[FW2-ipsec-policy-isakmp-mymap-10] security acl 3003
[FW2-ipsec-policy-isakmp-mymap-10] ike-profile 1
[FW2-ipsec-policy-isakmp-mymap-10] remote-address 100.1.1.1
#
[FW2-GigabitEthernet1/0/0] ipsec apply policy mymap
3. Test
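Before bringing the tunnel up, it is worth checking that the two peers' IPsec configurations actually mirror each other (remote-address and keychain address point at the other peer's Untrust address, the ACLs are reversed, the transform-sets agree). The script below is an added example, not part of the original page or of any vendor tool; it works on constructed one-command-per-line excerpts built from this page's addresses, and it also flags the `3des-cbc`/`md5` choice and the plaintext `key simple` entry, which a practitioner would want to replace in a real deployment.

```python
import re

# Constructed one-command-per-line excerpts of the two peers' IPsec config, using the
# addresses on this page; FW1_PUBLIC/FW2_PUBLIC are the Untrust interface addresses.
FW1_PUBLIC, FW2_PUBLIC = "100.1.1.1", "200.1.1.2"
FW1_CFG = """rule 0 permit ip source 192.100.1.0 0.0.0.255 destination 192.200.1.0 0.0.0.255
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
pre-shared-key address 200.1.1.2 255.255.255.255 key simple 12345
remote-address 200.1.1.2"""
FW2_CFG = """rule 0 permit ip source 192.200.1.0 0.0.0.255 destination 192.100.1.0 0.0.0.255
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
pre-shared-key address 100.1.1.1 255.255.255.255 key simple 12345
remote-address 100.1.1.1"""
WEAK = {"des-cbc", "3des-cbc", "md5"}  # algorithms no longer adequate for ESP

PATTERNS = {  # fields that must agree between the two peers (or are worth flagging)
    "src": r"permit ip source (\S+ \S+)", "dst": r"destination (\S+ \S+)",
    "enc": r"esp encryption-algorithm (\S+)", "auth": r"esp authentication-algorithm (\S+)",
    "psk_addr": r"pre-shared-key address (\S+)", "key_mode": r"key (simple|cipher) ",
    "remote": r"remote-address (\S+)",
}

def parse_peer(cfg):
    # Extract each field with a regex; None if the command is missing from the excerpt.
    return {k: (m.group(1) if (m := re.search(p, cfg)) else None) for k, p in PATTERNS.items()}

def check_pair(a, b, a_public, b_public):
    # Returns a list of findings; an empty list means the pair is symmetric and clean.
    findings = []
    for side, cfg, peer in (("FW1", a, b_public), ("FW2", b, a_public)):
        if cfg["remote"] != peer:      # remote-address must be the peer's public address
            findings.append(f"{side}: remote-address {cfg['remote']} is not peer {peer}")
        if cfg["psk_addr"] != peer:    # keychain must be bound to that same peer address
            findings.append(f"{side}: keychain address {cfg['psk_addr']} is not peer {peer}")
        if cfg["key_mode"] == "simple":
            findings.append(f"{side}: pre-shared key entered in plaintext (key simple)")
        findings += [f"{side}: weak algorithm {x}" for x in (cfg["enc"], cfg["auth"]) if x in WEAK]
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):  # the two ACLs must mirror each other
        findings.append("ACL 3003 is not mirrored between the peers")
    findings += [f"transform-set {k} mismatch: {a[k]} vs {b[k]}" for k in ("enc", "auth") if a[k] != b[k]]
    return findings

if __name__ == "__main__":
    for line in check_pair(parse_peer(FW1_CFG), parse_peer(FW2_CFG), FW1_PUBLIC, FW2_PUBLIC):
        print(line)
```

For the configuration on this page the checker reports no asymmetry, only the six weak-algorithm and plaintext-key findings (three per firewall).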