华三H3C MSR20系列路由器IPSEC VPN设置方法

# 
acl number 3001 name nat 
rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255 （对端VPN设置 两个IP地址段对调） 
rule 20 permit ip source 192.168.2.94 0 允许内网nat 的地址（可上网的ip） 
rule 30 permit ip source 192.168.2.80 0 
acl number 3026 
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255 定义VPN隧道数据流向（对端VPN设置 两个IP地址段对调） 
# 

ike peer testvpn 设置IKE 对等体 
exchange-mode aggressive 野蛮模式 
pre-shared-key cipher nWUE29323vCRHSJ19231231hkSNpRHtg== 共享密钥 
id-type name ID类型为名称 
remote-name testpeer 远程IKE名称 
remote-address 202.106.0.20 （因本端ADSL接入动态IP地址，对端指定本段IKE名称即可不用指定远程IP地址） 
local-name testvpn 本地IKE名称 
nat traversal nat穿越 
# 
ipsec proposal testvpn 
# 
ipsec policy testvpn 10 isakmp 
security acl 3026 匹配的ACL 
pfs dh-group1 
ike-peer testvpn IKE对等体名称 
proposal testvpn IPSEC 安全提议名称 
#

# 
interface Dialer1 设置 PPPOE拨号接口 
nat outbound 3001 
link-protocol ppp 
ppp pap local-user 9009239392939 password cipher )^6G123G6S032316;R3Q=^Q`MAF4<1!! 
mtu 1450 
ip address ppp-negotiate 
tcp mss 1024 
dialer user admin 
dialer-group 1 
dialer bundle 1 
ipsec policy testvpn 

#

interface Ethernet0/0 
port link-mode route 
description inside 
ip address 192.168.2.1 255.255.255.0 
# 
interface Ethernet0/1 
port link-mode route 
description outside 
pppoe-client dial-bundle-number 1 
tcp mss 1024 
ip address dhcp-alloc 
# 

ip route-static 0.0.0.0 0.0.0.0 Dialer1 
#