# Configure IP addresses for interfaces. (Details not shown.)
# Both ports are switched to Layer 3 (route) mode before an address is assigned.
# GigabitEthernet2/0 gets 172.17.77.1/24 (presumably the inside network; confirm).
Interface GigabitEthernet2/0
Port link-mode route
Ip address 172.17.77.1 255.255.255.0
exit
# GigabitEthernet0/1 gets 31.X.Y.78/30. The IPsec policy is applied to this interface at the end of the page.
Interface GigabitEthernet0/1
Port link-mode route
Ip address 31.X.Y.78 255.255.255.252
# Default route to the ISP: next hop 31.X.Y.77, the other host address in the /30 on GigabitEthernet0/1.
# NOTE(review): no exit is shown after the GigabitEthernet0/1 block; ip route-static is normally
# entered from system view, so confirm the view before pasting.
ip route-static 0.0.0.0 0.0.0.0 31.X.Y.77
# Enter system view and create an ISP domain named dm.
# The IKE profile later on this page references this domain for AAA authorization.
<Device> system-view
[Device] domain dm
# Configure the device to perform IKE local authentication.
# "local" means IKE users are checked against the device's own local-user database rather than a remote AAA server.
[Device-isp-dm] authentication ike local
# Configure the device to perform IKE local authorization.
# Authorization attributes (such as the address pool) are therefore also read from local users.
[Device-isp-dm] authorization ike local
[Device-isp-dm] quit
# Create an IKE IPv4 address pool named pool with an IPv4 address range of 172.20.33.1 to 172.20.33.100.
[Device] ike address-group pool 172.20.33.1 172.20.33.100
# Add a network user named ike.
# No password is set for this user on this page; the IKE profile names it in its
# "aaa authorization" command, so it serves as the carrier of authorization attributes.
[Device] local-user ike class network
# Authorize user ike to use the IKE service.
[Device-luser-network-ike] service-type ike
# Specify IPv4 address pool pool as the authorized IPv4 address pool for user ike.
[Device-luser-network-ike] authorization-attribute ip-pool pool
[Device-luser-network-ike] quit
# Add a network user named test.
# Presumably this is the account a client supplies during XAUTH, which the IKE profile enables; confirm.
[Device] local-user test class network
# Authorize user test to use the IKE service (the only service type granted to it here).
[Device-luser-network-test] service-type ike
# Configure a password for user test.
# "simple" means the password is typed in plaintext form. The value abc is a three-character
# sample; a deployed account needs a long, unique password, because XAUTH is the only
# per-user check layered on top of the shared preshared key.
[Device-luser-network-test] password simple abc
[Device-luser-network-test] quit
# Create an IKE keychain named keychain1.
[Device] ike keychain keychain1
# Set the preshared key used for IKE negotiation with the remote peer at 172.20.XX.YY
# (host mask 255.255.255.255, so the key applies to that single address only).
# "simple" means the key is typed in plaintext form. A key that has appeared in a published
# page or shared transcript should be treated as disclosed and replaced on both peers.
# NOTE(review): the keychain is bound to 172.20.XX.YY, while the IKE profile later matches
# remote identity 92.43.XXX.YYY/24. Confirm which address the peer actually presents;
# if the two do not describe the same peer, the key lookup or the profile match may fail.
[Device-ike-keychain-keychain1] pre-shared-key address 172.20.XX.YY 255.255.255.255 key simple 123456TESTplat&!
[Device-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
# NOTE(review): no IKE proposal is referenced by this profile on this page, so phase 1
# presumably falls back to the device's default proposal. Verify that the default
# encryption, hash and DH group meet your policy.
[Device] ike profile profile1
# Specify IKE keychain keychain1 for IKE profile profile1.
[Device-ike-profile-profile1] keychain keychain1
# Specify IP address 31.X.Y.78 as the local ID (the address configured on GigabitEthernet0/1).
[Device-ike-profile-profile1] local-identity address 31.X.Y.78
# Configure the peer ID for IKE profile matching.
# The 255.255.255.0 mask accepts any peer identity in the /24 that contains 92.43.XXX.YYY;
# use a host mask if only one peer is expected.
[Device-ike-profile-profile1] match remote identity address 92.43.XXX.YYY 255.255.255.0
# Enable XAUTH authentication for clients: a username/password check in addition to the preshared key.
[Device-ike-profile-profile1] client-authentication xauth
# Enable AAA authorization. Specify ISP domain dm and username ike.
# Attributes configured on local user ike (the address pool named pool) are what get authorized.
[Device-ike-profile-profile1] aaa authorization domain dm username ike
[Device-ike-profile-profile1] quit
# Create an IPsec transform set named tran1.
[Device] ipsec transform-set tran1
# Specify the transport encapsulation mode.
# NOTE(review): transport mode protects only traffic between the two IPsec endpoints themselves.
# The address pool and reverse-route injection configured elsewhere on this page suggest that
# tunnel mode may be what is intended. Confirm against the peer's configuration.
[Device-ipsec-transform-set-tran1] encapsulation-mode transport
# Specify the ESP security protocol.
[Device-ipsec-transform-set-tran1] protocol esp
# Specify the ESP authentication algorithm and encryption algorithm.
# Encryption is AES-CBC with a 256-bit key; integrity is HMAC-SHA1.
# SHA-1 is a legacy choice; prefer a SHA-2 option where both peers support it.
[Device-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] quit
# Create an IPsec policy template entry. Specify the template name as pt and set the sequence number to 1.
# No ACL is attached to the template on this page, so the protected traffic is not restricted here;
# presumably it is taken from what the peer proposes (confirm).
[Device] ipsec policy-template pt 1
# Specify IPsec transform set tran1.
[Device-ipsec-policy-template-pt-1] transform-set tran1
# Specify IKE profile profile1.
[Device-ipsec-policy-template-pt-1] ike-profile profile1
# Enable IPsec RRI (reverse route injection), so routes toward the peer side are added
# dynamically as IPsec SAs are established.
[Device-ipsec-policy-template-pt-1] reverse-route dynamic
[Device-ipsec-policy-template-pt-1] quit
# Use IPsec policy template pt to create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 1.
[Device] ipsec policy map1 1 isakmp template pt
# Apply the IPsec policy to GigabitEthernet 0/1 (the 31.X.Y.78 interface configured at the top of the page).
# NOTE(review): the prompts below read GigabitEthernet1/0/1 although the command entered is
# "interface gigabitethernet 0/1". The prompt text appears to be carried over from another
# example; check that the policy ends up on the intended interface.
[Device] interface gigabitethernet 0/1
[Device-GigabitEthernet1/0/1] ipsec apply policy map1
[Device-GigabitEthernet1/0/1] quit