Huawei router doing IPsec VPN while also reaching the Internet

R7:
interface GigabitEthernet0/0/1
ip address 8.8.8.1 255.255.255.0

ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

acl number 3001
rule 1 deny ip source 8.8.8.0 0.0.0.255 destination 9.9.9.0 0.0.0.255 (the subnet that needs the VPN is excluded here first: once it is kept out of NAT at the egress interface, the traffic goes on to match the VPN rule in ACL 3000 and leaves through the VPN to reach Beijing)
rule 5 permit ip source 8.8.8.0 0.0.0.255

acl number 3000
rule 5 permit ip source 8.8.8.0 0.0.0.255 destination 9.9.9.0 0.0.0.255

ipsec proposal 10
ike proposal 10
ike local-name sz

ike peer sz v1
exchange-mode aggressive
pre-shared-key cipher admin
ike-proposal 10
local-id-type name
remote-name bj
nat traversal
remote-address 3.3.3.3

ipsec policy sz 1 isakmp
security acl 3000
ike-peer sz
proposal 10

Applied on the egress interface:
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
ipsec policy sz
nat outbound 3001

R8:
interface GigabitEthernet0/0/1
ip address 9.9.9.1 255.255.255.0

interface GigabitEthernet0/0/2

ip route-static 0.0.0.0 0.0.0.0 3.3.3.1

acl number 3000
rule 5 permit ip source 9.9.9.0 0.0.0.255 destination 8.8.8.0 0.0.0.255

acl number 3001
rule 1 deny ip source 9.9.9.0 0.0.0.255 destination 8.8.8.0 0.0.0.255
rule 5 permit ip source 9.9.9.0 0.0.0.255

ipsec proposal 10
ike proposal 10
ike local-name bj

ike peer bj v1
exchange-mode aggressive
pre-shared-key cipher admin
ike-proposal 10
local-id-type name
remote-name sz
nat traversal
remote-address 1.1.1.2

ipsec policy bj 1 isakmp
security acl 3000
ike-peer bj
proposal 10

Applied on the interface:
interface GigabitEthernet0/0/0
ip address 3.3.3.3 255.255.255.0
ipsec policy bj
nat outbound 3001
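The reason the NAT ACL (3001) must deny the 8.8.8.0/24 to 9.9.9.0/24 flow is order of operations: on Huawei VRP, "nat outbound" is applied before the IPsec policy on the same egress interface. If VPN-bound traffic were translated first, its source would become the WAN address, it would no longer match the IPsec ACL (3000), and it would leave the WAN port in clear text instead of inside the tunnel. The following Python model, added here and not part of the original post, replays that ordering for R7's ACLs using the addresses from the post, contrasts it with a constructed misconfiguration that omits the deny rule, and checks that the two peers' IPsec ACLs are mirror images. It matches on source and destination IP only (no protocol or ports), which is all these ACLs use; 203.0.113.5 is a constructed Internet destination.

```python
# Added example (not from the original post): simulate why R7's NAT ACL must
# "deny" the VPN-bound subnet. VRP applies "nat outbound" before the IPsec
# policy on the same egress interface, so VPN traffic that gets NATed no
# longer matches the IPsec ACL and leaves the WAN port unprotected.
# Simplified model: rules match on source/destination IP only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # Huawei "network wildcard" form, e.g. "8.8.8.0 0.0.0.255"
    dst: Optional[str] = None  # None = any destination


def wildcard_match(addr: str, spec: Optional[str]) -> bool:
    """Huawei-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    if spec is None:
        return True
    net, wc = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins (configuration order); no match returns None."""
    for r in rules:
        if wildcard_match(src, r.src) and wildcard_match(dst, r.dst):
            return r.action
    return None


def egress(src: str, dst: str, nat_acl: List[Rule], ipsec_acl: List[Rule],
           wan_ip: str) -> Tuple[str, str]:
    """Return (path, source address on the wire) for a packet leaving the WAN port.
    NAT runs first: only packets the NAT ACL permits are translated.
    The IPsec policy is then evaluated against the (possibly translated) source."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = wan_ip
    if acl_lookup(ipsec_acl, src, dst) == "permit":
        return ("ipsec", src)
    return ("plain", src)


def is_mirror(local: List[Rule], peer: List[Rule]) -> bool:
    """The IPsec ACLs on both peers must be exact mirror images; otherwise the
    SA negotiation fails or only one direction of traffic is protected."""
    return {(r.src, r.dst) for r in local} == {(r.dst, r.src) for r in peer}


# R7 (sz) ACLs exactly as in the post
R7_NAT = [Rule("deny", "8.8.8.0 0.0.0.255", "9.9.9.0 0.0.0.255"),
          Rule("permit", "8.8.8.0 0.0.0.255")]
R7_IPSEC = [Rule("permit", "8.8.8.0 0.0.0.255", "9.9.9.0 0.0.0.255")]
R7_WAN = "1.1.1.2"
# R8 (bj) IPsec ACL as in the post
R8_IPSEC = [Rule("permit", "9.9.9.0 0.0.0.255", "8.8.8.0 0.0.0.255")]
# Constructed misconfiguration for comparison: NAT ACL without the deny rule
R7_NAT_NO_DENY = [Rule("permit", "8.8.8.0 0.0.0.255")]

if __name__ == "__main__":
    # VPN-bound traffic is kept out of NAT and enters the tunnel
    print(egress("8.8.8.10", "9.9.9.20", R7_NAT, R7_IPSEC, R7_WAN))         # ('ipsec', '8.8.8.10')
    # Internet-bound traffic is translated to the WAN address
    print(egress("8.8.8.10", "203.0.113.5", R7_NAT, R7_IPSEC, R7_WAN))      # ('plain', '1.1.1.2')
    # Without the deny rule the VPN traffic is NATed and bypasses the tunnel
    print(egress("8.8.8.10", "9.9.9.20", R7_NAT_NO_DENY, R7_IPSEC, R7_WAN))  # ('plain', '1.1.1.2')
    print(is_mirror(R7_IPSEC, R8_IPSEC))                                    # True
```

The third call is the check worth keeping: with the deny rule missing, the 8.8.8.0/24 to 9.9.9.0/24 flow leaves as plain traffic sourced from 1.1.1.2, which on a real router shows up as the IPsec SA never coming up for that flow while the branch subnet is unreachable or reached unencrypted. On the device itself, "display ipsec sa" with no SA for ACL 3000 after sending traffic is the symptom to look for.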

Reposted from blog.csdn.net/ydaxia110/article/details/134534899