
Typical IPSec Configuration

1. Typical IPSec configuration
Configuration of the DCR-2720/blue box:
hostname DCR1
ip http server
!
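access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 //Define a crypto access list that specifies the traffic to be encrypted by IPSec
!
crypto ipsec transform-set tun1 ah-md5-hmac esp-des esp-sha-hmac //Define the transform set referenced by the crypto map, i.e. the hash and encryption algorithms
!
crypto map map1 10 ipsec-isakmp //Define a crypto map named map1 with sequence number 10
match address 101 //Set the crypto access list referenced by the crypto map
set peer 192.168.1.1 //Set the peer address
set transform-set tun1 //Set the transform set referenced by the crypto map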

!
interface Ethernet0
ip address 192.168.1.2 255.255.255.0
no shutdown
crypto map map1 //Apply the crypto map set to the interface
!
interface Ethernet3/0
ip address 192.168.0.2 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
crypto isakmp policy 10 //Create an IKE policy
group 2 //Select DH group 2 for the IKE exchange
lifetime 5000 //Set the lifetime of the IKE-negotiated security association to 5000 s
crypto isakmp enable //Enable IKE
crypto isakmp key test address 192.168.1.1 255.255.255.0 //Configure the pre-shared key as test
Configuration of the DCR-3660/Cisco router:
[Figure: interface labels E3 and F2/0; IPSec peers]
hostname 3600
!
crypto isakmp key test 192.168.1.2 255.255.255.0
!
crypto isakmp policy 10
group 2
hash md5
lifetime 5000
!
crypto ipsec transform-set tun1
transform-type ah-md5-hmac esp-des esp-sha-hmac
!
crypto map map1 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set tun1
match address 101
!
interface FastEthernet1/0
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
!
interface FastEthernet2/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map map1
!
ip route 10.1.2.0 255.255.255.0 192.168.2.2
ip route 192.168.0.0 255.255.255.0 192.168.1.2
!
ip access-list extended 101
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
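
An added example, not part of the original page or of vendor documentation: a Python check that flags the deprecated settings both configurations above use (DES, MD5, DH group 2, the 4-character pre-shared key) and confirms that the two crypto ACLs mirror each other even though one side writes wildcard masks and the other netmasks. The trimmed config strings are copied from this page; the weak-setting patterns and the `MIN_PSK_LEN` threshold are assumptions of this example.

```python
import ipaddress
import re

# Trimmed copies of the two configurations on this page (comments removed).
DCR1 = """\
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set tun1 ah-md5-hmac esp-des esp-sha-hmac
group 2
crypto isakmp key test address 192.168.1.1 255.255.255.0
"""
R3600 = """\
crypto isakmp key test 192.168.1.2 255.255.255.0
group 2
hash md5
transform-type ah-md5-hmac esp-des esp-sha-hmac
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# Weak-setting patterns and PSK threshold are this example's assumptions.
WEAK = {
    r"\besp-des\b": "ESP DES (56-bit key)",
    r"\b(ah|esp)-md5-hmac\b|\bhash md5\b": "MD5-based integrity",
    r"^\s*group [12]\s*$": "DH group 1/2 (768/1024-bit MODP)",
}
MIN_PSK_LEN = 20

def weak_settings(config):
    """Return sorted descriptions of the weak settings found in config."""
    found = {desc for pat, desc in WEAK.items() if re.search(pat, config, re.M)}
    psk = re.search(r"^crypto isakmp key (\S+)", config, re.M)
    if psk and len(psk.group(1)) < MIN_PSK_LEN:
        found.add("short pre-shared key")
    return sorted(found)

def crypto_acl(config):
    """Return (source, destination) networks of the first 'permit ip' rule."""
    fields = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", config).groups()
    # ip_network() accepts wildcard (0.0.0.255) and netmask (255.255.255.0) forms
    return tuple(ipaddress.ip_network(f"{fields[i]}/{fields[i + 1]}") for i in (0, 2))

def acls_mirrored(a, b):
    """True when b selects a's traffic with source and destination swapped."""
    return crypto_acl(a) == crypto_acl(b)[::-1]

if __name__ == "__main__":
    for name, cfg in (("DCR1", DCR1), ("3600", R3600)):
        print(name, weak_settings(cfg))
    print("crypto ACLs mirrored:", acls_mirrored(DCR1, R3600))
```

Run against a full saved configuration, `weak_settings` only reports the first pre-shared key line, so a device with several peers needs the key check applied per line.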
