1 拓扑图

2 两个PC配置

3 RouterA配置

#
 sysname RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128 
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 1.1.1.1
 tunnel remote 2.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
 sa spi outbound esp 12345
 sa string-key outbound esp cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return

4 RouterB配置

#
 sysname RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128 
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 2.1.1.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
 sa spi outbound esp 54321
 sa string-key outbound esp cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%#
#
interface GigabitEthernet0/0/0
 ip address 2.1.1.1 255.255.255.0
 ipsec policy use1
#
interface GigabitEthernet0/0/1
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return

5 Internet配置

#
sysname Internet
#
interface  GigabitEthernet  0/0/1
 ip address  2.1.1.2 255.255.255.0
#
interface  GigabitEthernet  0/0/0
 ip address  1.1.1.2 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 2.1.1.1
ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
#
return

注：本例子参照了华为的配置示例，不算全部原创，只是记录下给需要的人参考。