VyOS IPsec site-to-site VPN

Copyright notice: for more, follow http://book.opschina.org, join the new QQ group 648503385, or add WeChat zzlyzq; making ops easy for everyone. Source: https://blog.csdn.net/vbaspdelphi/article/details/79600102

Configure the interface and IP address.

Enable the interface for IPsec VPN.
Configure the peer.
Define the IKE group specified in the peer configuration.
Configure the VPN tunnel.
Define the ESP group specified in the tunnel.
Configure the local IP address specified for the peer on the VPN-enabled interface.
If source NAT is configured for outbound internet access, make sure the site-to-site VPN traffic is excluded from NAT, otherwise packets destined for the remote prefix are translated before IPsec can match them.

Verify the original config

set vpn ipsec ipsec-interfaces interface eth0
show vpn ipsec ipsec-interfaces
show vpn ipsec ike-group

Phase 1 (IKE group) config


set vpn ipsec ike-group IKE-1W proposal 1
set vpn ipsec ike-group IKE-1W proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1
set vpn ipsec ike-group IKE-1W lifetime 3600
show vpn ipsec ike-group IKE-1W

Phase 2 (ESP group) config

set vpn ipsec esp-group ESP-1W proposal 1
show vpn ipsec esp-group
set vpn ipsec esp-group ESP-1W proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1
set vpn ipsec esp-group ESP-1W lifetime 1800
show vpn ipsec esp-group ESP-1W

Create the Connection to the Remote Site, Vyatta-ORD

edit vpn ipsec site-to-site peer 198.x.x.101
set authentication mode pre-shared-secret
set authentication pre-shared-secret SECRET
set default-esp-group ESP-1W
set ike-group IKE-1W
set local-address 64.x.x.101
set tunnel 1 local prefix 192.168.1.0/24
set tunnel 1 remote prefix 192.168.3.0/24
top
commit

Configure Vyatta-ORD

Configure the peer end (Vyatta-ORD) in the same way, with the local and remote addresses and prefixes swapped.

Verify the Tunnel Status

show vpn ipsec sa
show vpn ipsec status

Exclude site-to-site VPN traffic from NAT

set nat source rule 5 destination address '192.168.3.0/24'
set nat source rule 5 'exclude'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 source address '192.168.1.0/24'

set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
set nat source rule 10 translation address 'masquerade'
commit
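Because VyOS evaluates source NAT rules in ascending rule-number order and the first match decides, the exclude rule (rule 5) must precede the masquerade rule (rule 10) and must cover the tunnel's local and remote prefixes. The following added example (not from the original post) audits a flat list of `set` lines for exactly that; the sample configuration is constructed from the page, with the elided peer address 198.x.x.101 replaced by a documentation address.

```python
import ipaddress

# Constructed sample (not from the page): the page's tunnel and NAT lines as flat "set"
# commands, with the elided peer address 198.x.x.101 replaced by a documentation address.
SAMPLE = """
set vpn ipsec site-to-site peer 198.51.100.101 tunnel 1 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 198.51.100.101 tunnel 1 remote prefix '192.168.3.0/24'
set nat source rule 5 destination address '192.168.3.0/24'
set nat source rule 5 'exclude'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 source address '192.168.1.0/24'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
set nat source rule 10 translation address 'masquerade'
"""

def parse(text):
    """Return ({(peer, tunnel): {'local': net, 'remote': net}}, {rule_no: fields})."""
    tunnels, rules = {}, {}
    for line in text.splitlines():
        tok = line.strip().replace("'", "").split()
        if tok[:4] == ["set", "vpn", "ipsec", "site-to-site"] and "prefix" in tok:
            tunnels.setdefault((tok[5], tok[7]), {})[tok[8]] = ipaddress.ip_network(tok[10])
        elif tok[:4] == ["set", "nat", "source", "rule"]:
            fields, rest = rules.setdefault(int(tok[4]), {}), tok[5:]
            if rest == ["exclude"]:
                fields["exclude"] = True
            elif len(rest) == 3 and rest[1] == "address":  # source / destination / translation
                fields[rest[0]] = rest[2]
            elif len(rest) == 2:                            # e.g. outbound-interface eth0
                fields[rest[0]] = rest[1]
    return tunnels, rules

def covers(rule, local, remote):
    """True when the rule's source/destination contain the tunnel prefixes (absent = any)."""
    src, dst = rule.get("source"), rule.get("destination")
    return ((src is None or local.subnet_of(ipaddress.ip_network(src))) and
            (dst is None or remote.subnet_of(ipaddress.ip_network(dst))))

def audit(text):
    """Flag tunnels whose first matching source-NAT rule (ascending order) is not an exclude."""
    tunnels, rules = parse(text)
    findings = []
    for (peer, tid), t in tunnels.items():
        for n in sorted(rules):
            if covers(rules[n], t["local"], t["remote"]):
                if not rules[n].get("exclude"):
                    findings.append(f"peer {peer} tunnel {tid}: rule {n} NATs tunnel traffic before any exclude rule")
                break   # first match decides; later rules are not consulted
    return findings
```

Run `audit()` over the output of `show configuration commands` after a commit; an empty result means every tunnel's traffic hits an exclude rule before any masquerade rule.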


Reposted from blog.csdn.net/vbaspdelphi/article/details/79600102