My own notes from earlier.
Route-Based Site-to-Site VPN, AutoKey IKE (Juniper ScreenOS / NetScreen CLI)
Both ends have static public IPs.
BO1 is branch office 1, HO is head office.
BO1
# Define the tunnel interface
set interface "tunnel.1" zone "Untrust"
# The tunnel borrows the IP of a physical interface; pick the port yourself
set interface tunnel.1 ip unnumbered interface ethernetXX/XX
# Define the address object for the HO LAN (network and netmask) and put it in a group
set address "Untrust" "HO" XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
set group address "Untrust" "HOG"
set group address "Untrust" "HOG" add "HO"
# Define the IKE gateway; the address is the peer's static public IP.
# Main mode is the right choice here because both ends have static IPs (it protects the peer identity; aggressive mode is only needed for a dynamic-IP peer).
# pre-g2-3des-sha is a predefined phase-1 proposal: DH group 2, 3DES, SHA-1. That is weak by today's standards; use a stronger AES proposal with a larger DH group if the peer supports one. The pre-shared key and proposal must match the other end exactly.
set ike gateway TO_HO address XXX.XXX.XXX.XXX main outgoing-interface ethernetXX preshare XXXXX proposal pre-g2-3des-sha
# Phase 2: sec-level "compatible" selects a predefined set of DES/3DES proposals without PFS; "standard" or an explicit AES proposal is stronger
set vpn BO1_HO gateway TO_HO sec-level compatible
# Bind the VPN to the tunnel interface and enable VPN monitoring (ICMP keepalives; "optimized" treats traffic through the tunnel as proof of liveness and only pings when the tunnel is idle)
set vpn BO1_HO bind interface tunnel.1
set vpn BO1_HO monitor optimized
# Route the HO LAN over the tunnel interface; without this route nothing enters the tunnel
set vrouter trust-vr route XXX.XXX.XXX.XXX/XX interface tunnel.1
# Define policies. This side permits source Any and service any; tighten to the local LAN address object and the required services where possible
set policy top name "TO_HO" from trust to untrust Any HOG any permit
set policy top name "FROM_HO" from untrust to trust HOG Any any permit
# Save
save
HO
# Same tunnel interface setup on the HO side
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernetXX/XX
# HO also restricts the Trust side, so an address object is defined for the head-office LAN as well
set address "Trust" "Trust_LAN" XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
set address "Untrust" "BO1" XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
set group address "Untrust" "BO1G"
set group address "Untrust" "BO1G" add "BO1"
# IKE gateway pointing at BO1's static public IP; the pre-shared key and proposal must be identical to the BO1 side
set ike gateway TO_BO1 address XXX.XXX.XXX.XXX main outgoing-interface ethernetXX preshare XXXXX proposal pre-g2-3des-sha
set vpn HO_BO1 gateway TO_BO1 sec-level compatible
set vpn HO_BO1 bind interface tunnel.1
set vpn HO_BO1 monitor optimized
# Route the BO1 LAN over the tunnel interface
set vrouter trust-vr route XXX.XXX.XXX.XXX/XX interface tunnel.1
# Policies scoped to the HO LAN object on the Trust side (service is still any; narrow it if you can)
set policy top name "TO_BO1" from trust to untrust "Trust_LAN" "BO1G" any permit
set policy top name "FROM_BO1" from untrust to trust "BO1G" "Trust_LAN" any permit
save
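As an added check (not part of the original notes), the following Python script audits a ScreenOS config in the shape used above for both the BO1 and HO sides and reports what a reviewer would flag: weak primitives in the phase-1 proposal name, a weak predefined phase-2 sec-level, aggressive mode combined with a pre-shared key, policies that use Any or service any or reference an undefined address object, and a VPN bound to a tunnel interface that no route points at. The embedded config is a constructed copy of the BO1 side with documentation IP ranges and a placeholder key; the function name audit_screenos_vpn and the wording of the findings are my own.

```python
from __future__ import annotations

# Constructed sample mirroring the BO1 side of the notes above. Addresses are
# documentation ranges and the key is a placeholder, not the author's values.
BO1_CONFIG = """
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set address "Untrust" "HO" 192.0.2.0 255.255.255.0
set group address "Untrust" "HOG"
set group address "Untrust" "HOG" add "HO"
set ike gateway TO_HO address 203.0.113.1 main outgoing-interface ethernet0/0 preshare EXAMPLEKEY proposal pre-g2-3des-sha
set vpn BO1_HO gateway TO_HO sec-level compatible
set vpn BO1_HO bind interface tunnel.1
set vpn BO1_HO monitor optimized
set vrouter trust-vr route 192.0.2.0/24 interface tunnel.1
set policy top name "TO_HO" from trust to untrust Any HOG any permit
set policy top name "FROM_HO" from untrust to trust HOG Any any permit
save
"""

# Tokens of a ScreenOS phase-1 proposal name that mean weak primitives:
# DH group 1 or 2, DES or 3DES, MD5.
WEAK_P1_TOKENS = {"g1", "g2", "des", "3des", "md5"}
# Predefined phase-2 security levels that negotiate DES/3DES without PFS.
WEAK_P2_LEVELS = {"basic", "compatible"}


def audit_screenos_vpn(config: str) -> list[str]:
    """Return a list of findings for a ScreenOS route-based VPN config.

    Single pass, so address objects must be defined before the policies that
    reference them, which is the order a saved ScreenOS config uses.
    """
    findings: list[str] = []
    addresses: set[str] = set()
    groups: set[str] = set()
    bound_tunnels: dict[str, str] = {}   # vpn name -> tunnel interface
    routed_ifaces: set[str] = set()      # interfaces some route points at

    for raw in config.splitlines():
        tok = raw.strip().replace('"', "").split()
        if tok[:1] != ["set"]:
            continue
        kind = tok[1:3]
        if kind[:1] == ["address"]:
            addresses.add(tok[3])
        elif kind == ["group", "address"]:
            groups.add(tok[4])
        elif kind == ["ike", "gateway"]:
            name = tok[3]
            if "aggressive" in tok and "preshare" in tok:
                findings.append(f"gateway {name}: aggressive mode with a pre-shared key "
                                "sends the identity in clear and allows offline PSK cracking")
            if "proposal" in tok:
                proposal = tok[tok.index("proposal") + 1]
                weak = sorted(set(proposal.split("-")) & WEAK_P1_TOKENS)
                if weak:
                    findings.append(f"gateway {name}: phase-1 proposal {proposal} "
                                    f"uses weak primitives {weak}")
        elif kind[:1] == ["vpn"]:
            name = tok[2]
            if "sec-level" in tok:
                level = tok[tok.index("sec-level") + 1]
                if level in WEAK_P2_LEVELS:
                    findings.append(f"vpn {name}: sec-level {level} negotiates DES/3DES "
                                    "without PFS; use an explicit AES proposal")
            if tok[3:5] == ["bind", "interface"]:
                bound_tunnels[name] = tok[5]
        elif kind[:1] == ["vrouter"] and "route" in tok and "interface" in tok:
            routed_ifaces.add(tok[tok.index("interface") + 1])
        elif kind[:1] == ["policy"] and "from" in tok:
            i = tok.index("from")
            name = tok[tok.index("name") + 1] if "name" in tok else "<unnamed>"
            src, dst, svc = tok[i + 4], tok[i + 5], tok[i + 6]
            for role, obj in (("source", src), ("destination", dst)):
                if obj.lower() == "any":
                    findings.append(f"policy {name}: {role} is Any; "
                                    "restrict it to the LAN address object")
                elif obj not in addresses and obj not in groups:
                    findings.append(f"policy {name}: {role} {obj} is not a defined "
                                    "address or group")
            if svc.lower() == "any":
                findings.append(f"policy {name}: service any permits every port "
                                "across the tunnel")

    for name, iface in bound_tunnels.items():
        if iface not in routed_ifaces:
            findings.append(f"vpn {name}: bound to {iface} but no route uses it; "
                            "traffic will never enter the tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit_screenos_vpn(BO1_CONFIG):
        print("-", finding)
```

Run against the sample it reports six findings: the 3DES/group-2 proposal, the "compatible" sec-level, and Any plus service any on each of the two policies. Paste the HO side in the same way to check that it only differs in the Any source on the Trust side being replaced by Trust_LAN.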
Time: 2024-10-15 11:29:49