My own notes from earlier.
Route-Based Site-to-Site VPN, AutoKey IKE
Both ends have fixed IP addresses.
BO1 is branch office 1, HO is the head office.
BO1
# define the tunnel
set interface "tunnel.1" zone "Untrust"
# choose the physical interface to suit your own setup
set interface tunnel.1 ip unnumbered interface ethernetXX/XX
# define the address object and the address group
set address "Untrust" "HO" XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
set group address "Untrust" "HOG"
set group address "Untrust" "HOG" add "HO"
# define the VPN; enter the peer's fixed IP address
set ike gateway TO_HO address XXX.XXX.XXX.XXX main outgoing-interface ethernetXX preshare XXXXX proposal pre-g2-3des-sha
set vpn BO1_HO gateway TO_HO sec-level compatible
set vpn BO1_HO bind interface tunnel.1
set vpn BO1_HO monitor optimized
# define the route
set vrouter trust-vr route XXX.XXX.XXX.XXX/XX interface tunnel.1
# define the policies
set policy top name "TO_HO" from trust to untrust Any HOG any permit
set policy top name "FROM_HO" from untrust to trust HOG Any any permit
# save
save
HO
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernetXX/XX
# the head office also restricts the Trust side, so an address object is defined for it as well
set address "Trust" "Trust_LAN" XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
set address "Untrust" "BO1" XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
set group address "Untrust" "BO1G"
set group address "Untrust" "BO1G" add "BO1"
set ike gateway TO_BO1 address XXX.XXX.XXX.XXX main outgoing-interface ethernetXX preshare XXXXX proposal pre-g2-3des-sha
set vpn HO_BO1 gateway TO_BO1 sec-level compatible
set vpn HO_BO1 bind interface tunnel.1
set vpn HO_BO1 monitor optimized
set vrouter trust-vr route XXX.XXX.XXX.XXX/XX interface tunnel.1
set policy top name "TO_BO1" from trust to untrust "Trust_LAN" "BO1G" any permit
set policy top name "FROM_BO1" from untrust to trust "BO1G" "Trust_LAN" any permit
save
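As an added example (not part of the original notes), a small Python audit that reads ScreenOS `set` lines like the ones above and flags what a reviewer would question before deploying them: the `pre-g2-3des-sha` proposal (DH group 2, 3DES), `sec-level compatible` (a predefined phase-2 set with DES/3DES and no PFS), and policies that permit `Any` on any service, as the BO1 side does. The sample config and the weak-token table below are constructed here.

```python
import shlex

# Constructed sample: the BO1 side of the notes above, placeholders left as written.
SAMPLE_CONFIG = """
set ike gateway TO_HO address XXX.XXX.XXX.XXX main outgoing-interface ethernetXX preshare XXXXX proposal pre-g2-3des-sha
set vpn BO1_HO gateway TO_HO sec-level compatible
set vpn BO1_HO bind interface tunnel.1
set policy top name "TO_HO" from trust to untrust Any HOG any permit
set policy top name "FROM_HO" from untrust to trust HOG Any any permit
"""

# Tokens of a ScreenOS proposal name that indicate legacy crypto (constructed table).
WEAK_TOKENS = {"des": "DES/3DES cipher", "3des": "DES/3DES cipher",
               "md5": "MD5 integrity", "g1": "DH group 1", "g2": "DH group 2"}


def audit_screenos(config: str) -> list[str]:
    """Return one finding per weak IKE proposal, 'compatible' VPN or over-broad policy."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tok = shlex.split(line)  # strips the quotes ScreenOS puts around names
        if tok[1:3] == ["ike", "gateway"] and "proposal" in tok:
            prop = tok[tok.index("proposal") + 1]
            weak = sorted({WEAK_TOKENS[p] for p in prop.split("-") if p in WEAK_TOKENS})
            if weak:
                findings.append(f"ike gateway {tok[3]}: proposal {prop} uses {', '.join(weak)}")
        elif tok[1] == "vpn" and "sec-level" in tok:
            if tok[tok.index("sec-level") + 1] == "compatible":
                findings.append(f"vpn {tok[2]}: sec-level compatible allows DES/3DES with no PFS")
        elif tok[1] == "policy" and tok[-1] == "permit":
            # positional tail of a ScreenOS policy: <src> <dst> <service> <action>
            src, dst, svc = tok[-4], tok[-3], tok[-2]
            name = tok[tok.index("name") + 1] if "name" in tok else "?"
            if "any" in (src.lower(), dst.lower()) and svc.lower() == "any":
                findings.append(f"policy {name}: {src} -> {dst} service {svc} permit is overly broad")
    return findings


if __name__ == "__main__":
    for finding in audit_screenos(SAMPLE_CONFIG):
        print(finding)
```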