Cisco router and Huawei router/firewall interconnection: OSPF, BGP, VPN
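1. Basic configuration (configure IP addresses on each interface as labeled in the diagram)

2. OSPF interconnection: basic configuration

Cisco router R2 configuration:

router ospf 100
 log-adjacency-changes
 network 12.1.1.2 0.0.0.0 area 0

3. BGP interconnection (basic configuration)

Cisco router configuration:

router bgp 100
 network 2.2.2.0 mask 255.255.255.0
 neighbor 21.1.1.2 remote-as 200
 neighbor 21.1.1.2 ebgp-multihop 255
 no auto-summary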

Huawei router configuration:

ospf 1 router-id 4.4.4.4
 # define the area first
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
bgp 200
 peer 12.1.1.2 as-number 100
 peer 12.1.1.2 ebgp-max-hop 255
 ipv4-family unicast
  undo synchronization
  network 3.3.3.0 255.255.255.0
  peer 12.1.1.2 enable

4. Site-to-site IPsec VPN

Cisco router configuration:

crypto isakmp policy 1
 ! encryption algorithm des; must match the peer
 en des
 ! hash algorithm md5; must match the peer
 hash md5
 ! authentication method: pre-shared key; must match the peer
 authentication pre-share
 ! key algorithm that keeps the key secure; must match the peer
 group 2
! set the pre-shared key (encrypted password); must match the peer
crypto isakmp key 6 try789 address 22.1.1.2
! ESP data encryption and hash algorithms; must match the peer
crypto ipsec transform-set ccnp esp-3des esp-md5-hmac
crypto map ccnp 1 ipsec-isakmp
 set peer 22.1.1.2
 set transform-set ccnp
 match address 100
ip nat inside source list 120 interface FastEthernet0/1 overload
! define the VPN interesting traffic
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
! exclude the VPN traffic so that it is not NATed
access-list 120 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.200.0 0.0.0.255 any

Huawei firewall configuration:

SRG dis current-configuration

# define the VPN interesting traffic
acl number 3000
 rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
ike proposal 100
 en des
 dh group2
 authentication-algorithm md5
 sa duration 5000
ike peer cisco
 pre-shared-key try789
 ike-proposal 100
 remote-address 12.1.1.2
ipsec proposal cisco
 esp encryption-algorithm 3des
ipsec policy to_c 10 isakmp
 security acl 3000
 ike-peer cisco
 proposal cisco
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 22.1.1.2 255.255.255.0
 ipsec policy to_c
interface GigabitEthernet0/0/1
 ip address 192.168.100.1 255.255.255.0
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
ip route-static 0.0.0.0 0.0.0.0 22.1.1.1
policy interzone local untrust inbound
 policy 10
  action permit
policy interzone local untrust outbound
 policy 10
  action permit
  policy source 22.1.1.2 0
policy interzone trust untrust inbound
 policy 10
  action permit
  policy source 192.168.200.0 mask 24
  policy destination 192.168.100.0 mask 24
policy interzone trust untrust outbound
 policy 10
  action permit
  policy source 192.168.100.0 mask 24
nat-policy interzone trust untrust outbound

Within the nat-policy, the no-nat policy must come first; otherwise you cannot ping the peer's private r
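
An added example, not part of the original document: a Python check that the VPN interesting-traffic ACLs on the two peers mirror each other and that the Cisco NAT ACL denies VPN traffic before its broad permit, the same ordering the closing no-nat note requires. The ACL lines are sample input as read from the configuration above; all function names are hypothetical.

```python
import ipaddress

# Constructed sample input: ACL lines as read from the configuration in this document.
CISCO = """\
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.200.0 0.0.0.255 any
"""
HUAWEI_RULE = ("rule 5 permit ip source 192.168.100.0 0.0.0.255 "
               "destination 192.168.200.0 0.0.0.255")

def net(addr, wildcard):
    """Convert an address plus wildcard mask into an ip_network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_cisco(text):
    """Return {acl number: [(action, src, dst), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        nets, i = [], 4
        while i < len(t):
            if t[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
            else:
                nets.append(net(t[i], t[i + 1])); i += 2
        acls.setdefault(t[1], []).append((t[2], nets[0], nets[1]))
    return acls

def parse_huawei(rule):
    """Parse one 'rule N permit ip source ... destination ...' line."""
    t = rule.split()
    s, d = t.index("source"), t.index("destination")
    return t[2], net(t[s + 1], t[s + 2]), net(t[d + 1], t[d + 2])

def mirrored(cisco_entry, huawei_entry):
    """Interesting-traffic ACLs on the two peers must be exact mirror images."""
    (a1, s1, d1), (a2, s2, d2) = cisco_entry, huawei_entry
    return a1 == a2 == "permit" and s1 == d2 and d1 == s2

def nat_exempts(nat_acl, vpn_entry):
    """First match wins: VPN traffic must hit a deny before any covering permit."""
    _, src, dst = vpn_entry
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):  # entry fully covers VPN traffic
            return action == "deny"
    return True  # nothing matches, so the traffic is never translated
```

Reversing the two lines of access-list 120 makes `nat_exempts` return False, which is the misordering the closing note describes for the firewall side.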