2024-05-13 17:12:41

Simple Huawei IPSec configuration in eNSP


Topology:

 

Detailed configuration: (the router interconnection configuration is omitted)

Preliminary step: configure basic connectivity so that the networks can reach each other.
Switch_A:
dhcp enable
vlan batch 8 9 16 to 18


interface Vlanif1
ip address 192.168.0.2 255.255.255.0
interface Vlanif18
ip address 192.168.18.1 255.255.255.0
dhcp select global

ip pool 18
gateway-list 192.168.18.1
network 192.168.18.0 mask 255.255.255.0
excluded-ip-address 192.168.18.2 192.168.18.100
dns-list 202.96.128.86

interface GigabitEthernet0/0/2
port link-type access
port default vlan 18
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1

 

Switch_B:
dhcp enable
vlan batch 8 9 16 to 18


interface Vlanif1
ip address 192.168.9.10 255.255.255.0
dhcp select global

ip pool 9
gateway-list 192.168.9.10
network 192.168.9.0 mask 255.255.255.0
excluded-ip-address 192.168.9.2 192.168.9.9
excluded-ip-address 192.168.9.10 192.168.9.50
dns-list 202.96.128.86

ip route-static 0.0.0.0 0.0.0.0 192.168.9.1


Phase 1 configuration
IKE:

ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
authentication-method pre-share
sa duration 1200

IKE peers:
AR1:
ike peer 1 v2
pre-shared-key simple khb123456
ike-proposal 1
remote-address 172.10.100.1

AR2:
ike peer 1 v2
pre-shared-key simple khb123456
ike-proposal 1
remote-address 10.10.100.1

 

Phase 2 configuration
Traffic to match

R_总部 (headquarters router)
acl number 3000
rule 1 permit ip source 192.168.18.0 0.0.0.255 destination 192.168.9.0 0.0.0.255

R_分部 (branch router)
acl number 3000
rule 1 permit ip source 192.168.9.0 0.0.0.255 destination 192.168.18.0 0.0.0.255


IPSec proposal
AR1:
ipsec proposal 1
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm 3des

AR2:
ipsec proposal 1
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm 3des

IPSec policy
AR1:
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 1
proposal 1

AR2:
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 1
proposal 1

Apply the IPSec policy to the interface
AR1:
interface GigabitEthernet0/0/1
ipsec policy 1

AR2:
interface GigabitEthernet0/0/1
ipsec policy 1

Check phase 1
dis ike sa v2

Check phase 2
dis ipsec sa brief
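
An added example, not part of the original post: a small Python audit run on a constructed copy of the AR1/AR2 phase 1 and phase 2 lines above. It flags the settings a production deployment would replace (3DES, MD5, a pre-shared key stored with the simple keyword) and checks that the two ACLs mirror each other and that both ends offer the same algorithms. All function names are hypothetical.

```python
import re

# Constructed sample: the phase 1/2 lines as configured on AR1 and AR2 above.
def sample(remote, src, dst):
    return f"""ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike peer 1 v2
 pre-shared-key simple khb123456
 remote-address {remote}
acl number 3000
 rule 1 permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
ipsec proposal 1
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
"""

AR1 = sample("172.10.100.1", "192.168.18.0", "192.168.9.0")
AR2 = sample("10.10.100.1", "192.168.9.0", "192.168.18.0")

WEAK = [  # (pattern, reason) pairs for the weak settings used in this lab
    (re.compile(r"encryption-algorithm\s+(3des|des)\b"), "legacy cipher"),
    (re.compile(r"authentication-algorithm\s+md5\b"), "MD5 integrity"),
    (re.compile(r"pre-shared-key\s+simple\b"), "PSK kept in plaintext"),
]
RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def weak_settings(cfg):
    """Return (line_no, line, reason) for every weak setting in cfg."""
    return [(n, line.strip(), why)
            for n, line in enumerate(cfg.splitlines(), 1)
            for rx, why in WEAK if rx.search(line)]

def acls_mirrored(a, b):
    """True when every rule on one peer is the source/destination swap of the other's."""
    rules_a, rules_b = set(RULE.findall(a)), set(RULE.findall(b))
    return rules_a == {(d, dw, s, sw) for s, sw, d, dw in rules_b}

def proposals_match(a, b):
    """True when both ends list the same IKE and ESP algorithm lines."""
    algos = lambda c: sorted(l.strip() for l in c.splitlines() if "-algorithm" in l)
    return algos(a) == algos(b)

if __name__ == "__main__":
    for name, cfg in (("AR1", AR1), ("AR2", AR2)):
        for n, line, why in weak_settings(cfg):
            print(f"{name}:{n}: {line}  <- {why}")
    print("mirrored:", acls_mirrored(AR1, AR2), "match:", proposals_match(AR1, AR2))
```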

 

 

Packet capture:

 





Article link: https://hqyman.cn/post/6063.html. Non-original articles on this site may be freely reposted; original articles must retain this site's address.
