组网需求
如图1所示,RouterA和RouterB为企业分支网关,RouterC为企业总部网关,分支与总部通过公网建立通信,并且各网关的IP地址均固定。分支A子网为192.168.1.0/24,分支B子网为192.168.2.0/24,总部子网为192.168.3.0/24。
企业希望对分支子网与总部子网之间相互访问的流量进行安全保护。分支与总部通过公网建立通信,可以在分支网关与总部网关之间建立IPSec隧道来实施安全保护。由于总部网关可以指定分支网关的IP地址,在RouterC上部署安全策略组,就可以向各分支网关发起IPSec协商或接入各分支网关发起的IPSec协商,完成多条IPSec隧道的建立。
**图1 **配置总部采用安全策略方式与分支建立多条IPSec隧道组网图
配置思路
采用如下思路配置采用IKE协商方式建立多条IPSec隧道(安全策略组):
配置接口的IP地址和到对端的静态路由,保证两端路由可达。
配置ACL,以定义需要IPSec保护的数据流。
配置IPSec安全提议,定义IPSec的保护方法。
配置IKE对等体,定义对等体间IKE协商时的属性。
分别在RouterA和RouterB上创建安全策略,确定对何种数据流采取何种保护方法。在RouterC上创建安全策略组,分别确定对RouterA与RouterC、RouterB与RouterC之间的数据流采取何种保护方法。
在接口上应用安全策略组,使接口具有IPSec的保护功能。
操作步骤
-
分别在RouterA、RouterB和RouterC上配置各接口的IP地址和到对端的静态路由,使RouterA、RouterB和RouterC之间路由可达
在RouterA上配置接口的IP地址。
<Huawei> **system-view**
[Huawei] **sysname RouterA**
[RouterA] **interface gigabitethernet 0/0/1**
[RouterA-GigabitEthernet0/0/1] **undo portswitch** [RouterA-GigabitEthernet0/0/1] **ip address 60.1.1.1 255.255.255.0**
[RouterA-GigabitEthernet0/0/1] **quit**
[RouterA] **interface gigabitethernet 0/0/2**
[RouterA-GigabitEthernet0/0/2] **undo portswitch** [RouterA-GigabitEthernet0/0/2] **ip address 192.168.1.2 255.255.255.0**
[RouterA-GigabitEthernet0/0/2] **quit**
在RouterA上配置到对端的静态路由,此处假设到达总部子网的下一跳地址为60.1.1.2。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] **ip route-static 60.1.3.0 255.255.255.0 60.1.1.2**
[RouterA] **ip route-static 192.168.3.0 255.255.255.0 60.1.1.2**</pre>
# 在RouterB上配置接口的IP地址。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;"><Huawei> **system-view**
[Huawei] **sysname RouterB**
[RouterB] **interface gigabitethernet 0/0/1**
[RouterB-GigabitEthernet0/0/1] **undo portswitch** [RouterB-GigabitEthernet0/0/1] **ip address 60.1.2.1 255.255.255.0**
[RouterB-GigabitEthernet0/0/1] **quit**
[RouterB] **interface gigabitethernet 0/0/2**
[RouterB-GigabitEthernet0/0/2] **undo portswitch** [RouterB-GigabitEthernet0/0/2] **ip address 192.168.2.2 255.255.255.0**
[RouterB-GigabitEthernet0/0/2] **quit**
</pre>
# 在RouterB上配置到对端的静态路由,此处假设到达总部子网的下一跳地址为60.1.2.2。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] **ip route-static 60.1.3.0 255.255.255.0 60.1.2.2**
[RouterB] **ip route-static 192.168.3.0 255.255.255.0 60.1.2.2**</pre>
# 在RouterC上配置接口的IP地址。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;"><Huawei> **system-view**
[Huawei] **sysname RouterC**
[RouterC] **interface gigabitethernet 0/0/1**
[RouterC-GigabitEthernet0/0/1] **undo portswitch** [RouterC-GigabitEthernet0/0/1] **ip address 60.1.3.1 255.255.255.0**
[RouterC-GigabitEthernet0/0/1] **quit**
[RouterC] **interface gigabitethernet 0/0/2**
[RouterC-GigabitEthernet0/0/2] **undo portswitch** [RouterC-GigabitEthernet0/0/2] **ip address 192.168.3.2 255.255.255.0**
[RouterC-GigabitEthernet0/0/2] **quit**
</pre>
# 在RouterC上配置到对端的静态路由,此处假设到达分支A子网和分支B子网的下一跳地址均为60.1.3.2。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] **ip route-static 60.1.1.0 255.255.255.0 60.1.3.2**
[RouterC] **ip route-static 60.1.2.0 255.255.255.0 60.1.3.2**
[RouterC] **ip route-static 192.168.1.0 255.255.255.0 60.1.3.2**
[RouterC] **ip route-static 192.168.2.0 255.255.255.0 60.1.3.2**</pre>
-
分别在RouterA、RouterB和RouterC上配置ACL,定义各自要保护的数据流。
在RouterA上配置ACL,定义由子网192.168.1.0/24去子网192.168.3.0/24的数据流。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] acl number 3002
[RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[RouterA-acl-adv-3002] quit</pre>在RouterB上配置ACL,定义由子网192.168.2.0/24去子网192.168.3.0/24的数据流。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] acl number 3002
[RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[RouterB-acl-adv-3002] quit</pre>在RouterC上配置ACL,定义由子网192.168.3.0/24分别去子网192.168.1.0/24和子网192.168.2.0/24的数据流。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] acl number 3002
[RouterC-acl-adv-3002] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterC-acl-adv-3002] quit
[RouterC] acl number 3003
[RouterC-acl-adv-3003] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterC-acl-adv-3003] quit</pre> -
分别在RouterA、RouterB和RouterC上创建IPSec安全提议
在RouterA上配置IPSec安全提议。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit</pre>在RouterB上配置IPSec安全提议。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-tran1] quit</pre>在RouterC上配置IPSec安全提议。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] ipsec proposal tran1
[RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterC-ipsec-proposal-tran1] quit</pre>此时分别在RouterA、RouterB和RouterC上执行display ipsec proposal会显示所配置的信息,以RouterA为例。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] display ipsec proposal name tran1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
</pre> -
分别在RouterA、RouterB和RouterC上配置IKE对等体
在RouterA上配置IKE安全提议。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit</pre>在RouterA上配置IKE对等体。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] ike peer rut1
[RouterA-ike-peer-rut1] undo version 2
[RouterA-ike-peer-rut1] ike-proposal 5
[RouterA-ike-peer-rut1] pre-shared-key cipher huawei@123
[RouterA-ike-peer-rut1] remote-address 60.1.3.1
[RouterA-ike-peer-rut1] quit</pre>在RouterB上配置IKE安全提议。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] ike proposal 5
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit</pre>在RouterB上配置IKE对等体。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] ike peer rut1
[RouterB-ike-peer-rut1] undo version 2
[RouterB-ike-peer-rut1] ike-proposal 5
[RouterB-ike-peer-rut1] pre-shared-key cipher huawei@123
[RouterB-ike-peer-rut1] remote-address 60.1.3.1
[RouterB-ike-peer-rut1] quit</pre>在RouterC上配置IKE安全提议。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] ike proposal 5
[RouterC-ike-proposal-5] encryption-algorithm aes-128
[RouterC-ike-proposal-5] authentication-algorithm sha2-256
[RouterC-ike-proposal-5] dh group14
[RouterC-ike-proposal-5] quit</pre>在RouterC上配置IKE对等体。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] ike peer rut1
[RouterC-ike-peer-rut1] undo version 2
[RouterC-ike-peer-rut1] ike-proposal 5
[RouterC-ike-peer-rut1] pre-shared-key cipher huawei@123
[RouterC-ike-peer-rut1] remote-address 60.1.1.1
[RouterC-ike-peer-rut1] quit
[RouterC] ike peer rut2
[RouterC-ike-peer-rut2] undo version 2
[RouterC-ike-peer-rut2] ike-proposal 5
[RouterC-ike-peer-rut2] pre-shared-key cipher huawei@123
[RouterC-ike-peer-rut2] remote-address 60.1.2.1
[RouterC-ike-peer-rut2] quit</pre> -
分别在RouterA和RouterB上创建安全策略,在RouterC上创建安全策略组
在RouterA上配置安全策略。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterA-ipsec-policy-isakmp-policy1-10] quit</pre>在RouterB上配置安全策略。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] ipsec policy policy1 10 isakmp
[RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterB-ipsec-policy-isakmp-policy1-10] quit</pre>在RouterC上配置安全策略组。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] ipsec policy policy1 10 isakmp
[RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterC-ipsec-policy-isakmp-policy1-10] quit
[RouterC] ipsec policy policy1 11 isakmp
[RouterC-ipsec-policy-isakmp-policy1-11] ike-peer rut2
[RouterC-ipsec-policy-isakmp-policy1-11] proposal tran1
[RouterC-ipsec-policy-isakmp-policy1-11] security acl 3003
[RouterC-ipsec-policy-isakmp-policy1-11] quit</pre>此时分别在RouterA和RouterB上执行display ipsec policy会显示所配置的信息。
此时在RouterC上执行display ipsec policy会显示所配置的信息。
-
分别在RouterA、RouterB和RouterC的接口上应用各自的安全策略组,使接口具有IPSec的保护功能
在RouterA的接口上引用安全策略组。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ipsec policy policy1
[RouterA-GigabitEthernet0/0/1] quit</pre>在RouterB的接口上引用安全策略组。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ipsec policy policy1
[RouterB-GigabitEthernet0/0/1] quit</pre>在RouterC的接口上引用安全策略组。
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] ipsec policy policy1
[RouterC-GigabitEthernet0/0/1] quit</pre> -
检查配置结果
配置成功后,分别在主机PC A和主机PC B执行ping操作仍然可以ping通主机PC C,它们之间的数据传输将被加密。
分别在RouterA和RouterB上执行display ike sa操作,会显示相应信息,以RouterA为例。
<pre class="screen" id="dc_cfg_ipsec_0047__cfg_47_dis01" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterA] display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
24366 60.1.3.1:500 RD|ST v1:2 IP 60.1.3.1
24274 60.1.3.1:500 RD|ST v1:1 IP 60.1.3.1Number of IKE SA : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING </pre>在RouterC上执行display ike sa操作,结果如下。
<pre class="screen" id="dc_cfg_ipsec_0047__cfg_47_dis02" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">[RouterC] display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
961 60.1.2.1:500 RD v1:2 IP 60.1.2.1
933 60.1.2.1:500 RD v1:1 IP 60.1.2.1
937 60.1.1.1:500 RD v1:2 IP 60.1.1.1
936 60.1.1.1:500 RD v1:1 IP 60.1.1.1Number of IKE SA : 4
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING </pre>
配置文件
-
RouterA的配置文件
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">#
sysname RouterAacl number 3002
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256ike peer rut1
undo version 2
pre-shared-key cipher %%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%%#
ike-proposal 5
remote-address 60.1.3.1ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1interface GigabitEthernet0/0/1
undo portswitch ip address 60.1.1.1 255.255.255.0
ipsec policy policy1interface GigabitEthernet0/0/2
undo portswitch ip address 192.168.1.2 255.255.255.0ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
ip route-static 192.168.3.0 255.255.255.0 60.1.1.2return
</pre> -
RouterB的配置文件
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">#
sysname RouterBacl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256ike peer rut1
undo version 2
pre-shared-key cipher %%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%%#
ike-proposal 5
remote-address 60.1.3.1ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1interface GigabitEthernet0/0/1
undo portswitch ip address 60.1.2.1 255.255.255.0
ipsec policy policy1interface GigabitEthernet0/0/2
undo portswitch ip address 192.168.2.2 255.255.255.0ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
ip route-static 192.168.3.0 255.255.255.0 60.1.2.2return
</pre> -
RouterC的配置文件
<pre class="screen" style="zoom: 1; font-family: 新宋体; font-size: 10pt; font-weight: normal; margin: 2px 0px; padding: 5px; border: 0px; background-color: rgb(221, 221, 221); white-space: pre;">#
sysname RouterCacl number 3002
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3003
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256ike peer rut1
undo version 2
pre-shared-key cipher %%#IRFGEiFPJ1><a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%%#
ike-proposal 5
remote-address 60.1.1.1ike peer rut2
undo version 2
pre-shared-key cipher %%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%%#
ike-proposal 5
remote-address 60.1.2.1ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1
ipsec policy policy1 11 isakmp
security acl 3003
ike-peer rut2
proposal tran1interface GigabitEthernet0/0/1
undo portswitch ip address 60.1.3.1 255.255.255.0
ipsec policy policy1interface GigabitEthernet0/0/2
undo portswitch ip address 192.168.3.2 255.255.255.0ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
ip route-static 192.168.2.0 255.255.255.0 60.1.3.2return
</pre>
