GRE Over IPSec VPN in an enterprise network

       Recently, based on the actual state of the company network, I set up a GRE over IPsec VPN lab. Here I only reproduce one part of the company network, the segment from the head office to the warehouses: the warehouses are reached over Shanghai Telecom DSL at the physical layer, GRE over IPsec VPN protects the data, and GRE has the further advantage that it can carry a routing protocol (the company runs OSPF). The IP addresses are basically the production ones (they are private addresses, so there is no harm in showing them) with minor changes; the passwords are completely different from the company's and were chosen arbitrarily by me.

       A quick description of the topology: R1 is a router at the head office; R2, R3 and R4 are the warehouse routers, arranged in a star (hub-and-spoke) around R1:  R1--------R2     R1--------R3      R1-----------R4      I will attach captured packets later for reference; they are captures I made earlier, so the IP addresses are not quite the same, but the main point is to show the packet structure and the encapsulation, and that GRE over IPsec VPN is secure because the application-layer data is already encrypted. More precisely, with ESP in transport mode (as used below) the GRE header, the inner IP header and the payload, OSPF included, all sit inside the encrypted ESP payload, while the outer IP header carrying the two peers' real interface addresses stays visible on the DSL link.
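To make the encapsulation concrete, the following Python script is an added example and not code from the original post: it builds two constructed packets (not captures from the network above), a plain GRE packet as it would leave the tunnel interface with no IPsec SA, and the same flow as ESP in transport mode, then shows what an observer on the DSL link can read from each. The inner OSPF hello and the ESP ciphertext are placeholders constructed here; no real 3DES/AES is performed.

```python
import struct

IPPROTO_GRE = 47   # GRE carried directly in IP: tunnel traffic in the clear
IPPROTO_ESP = 50   # ESP: what GRE over IPsec looks like on the wire


def ip2b(addr):
    return bytes(int(octet) for octet in addr.split("."))


def b2ip(raw):
    return ".".join(str(b) for b in raw)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip2b(src), ip2b(dst))


def gre_packet(outer_src, outer_dst, inner_src, inner_dst, payload, inner_proto=89):
    """Plain GRE, as sent when no IPsec SA covers the tunnel endpoints.
    inner_proto defaults to 89 (OSPF) because that is what rides the tunnel here."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    gre = struct.pack("!HH", 0x0000, 0x0800)      # no flags, protocol type = IPv4
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def esp_transport_packet(outer_src, outer_dst, spi, seq, ciphertext):
    """ESP transport mode: the outer IP header is kept; GRE header, inner IP
    header and payload are replaced by SPI, sequence number and opaque bytes.
    `ciphertext` is a constructed placeholder, not real 3DES/AES output."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def classify(pkt):
    """What an on-path observer learns from one packet: the real interface
    addresses always; inner addresses and payload only if GRE is unprotected."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl, proto, src, dst = (fields[0] & 0x0F) * 4, fields[6], fields[8], fields[9]
    body = pkt[ihl:]
    result = {"outer_src": b2ip(src), "outer_dst": b2ip(dst)}
    if proto == IPPROTO_GRE:
        _flags, gre_proto = struct.unpack("!HH", body[:4])
        inner = body[4:]
        result.update(encapsulation="GRE", protected=False)
        if gre_proto == 0x0800:                     # inner IPv4 header readable in the clear
            inner_fields = struct.unpack("!BBHHHBBH4s4s", inner[:20])
            result.update(inner_src=b2ip(inner_fields[8]), inner_dst=b2ip(inner_fields[9]),
                          inner_proto=inner_fields[6], payload=inner[20:])
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        result.update(encapsulation="ESP", protected=True, spi=spi, seq=seq,
                      opaque_len=len(body) - 8)   # nothing past the ESP header is readable
    else:
        result.update(encapsulation="other", protected=False, ip_protocol=proto)
    return result


# Constructed samples: an OSPF hello from R1's Tunnel0 address to the AllSPFRouters
# group inside plain GRE between the real interface addresses, and the same flow
# once ESP transport mode is applied to it.
PLAIN = gre_packet("172.16.0.1", "172.16.0.2", "172.16.1.1", "224.0.0.5", b"ospf hello")
PROTECTED = esp_transport_packet("172.16.0.1", "172.16.0.2", spi=0xC0FFEE01, seq=1,
                                 ciphertext=bytes(range(40)))

if __name__ == "__main__":
    for p in (PLAIN, PROTECTED):
        print(classify(p))
```

Running the script prints one dictionary per packet: the GRE one exposes the tunnel addresses, the OSPF protocol number and the payload, the ESP one only the outer addresses, SPI and sequence number. The same parser can be pointed at the bytes of a real capture to confirm that a crypto ACL actually caught the GRE traffic (IP protocol 50 on the wire, never 47).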

      I configured this in two ways; the company uses the first, so the first is described in more detail and more completely:

Method 1:    Watch the difference between tunnel addresses and real interface addresses!     (Tunnel addresses: 172.16.1.0/24, 172.16.3.0/24, 172.16.5.0/24.  Real interface addresses: 172.16.0.0/24, 172.16.2.0/24, 172.16.4.0/24.)  Each spoke gets its own ISAKMP pre-shared key, crypto map entry and crypto ACL on R1, and the spoke's ACL must be the mirror image of R1's. The transform sets use transport mode because the GRE tunnel already supplies an outer IP header between the real interface addresses; tunnel mode would wrap a second one around it. In the crypto ACLs the "permit ip" line already covers GRE (IP protocol 47), so the "permit gre" line below it is redundant but harmless. The algorithms here (3DES with MD5-HMAC for ESP, DH group 2 for IKE) are what this lab was built with; on current IOS images AES, SHA-2 and a stronger DH group should be chosen instead.

R1:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key mschina01 address 172.16.0.2
crypto isakmp key mschina02 address 172.16.2.2
crypto isakmp key mschina03 address 172.16.4.2
!
!
crypto ipsec transform-set msset1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set msset2 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set msset3 esp-3des esp-md5-hmac
 mode transport
!
crypto map msmap 10 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set msset1
 match address warehouse01
crypto map msmap 20 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set msset2
 match address warehouse02
crypto map msmap 30 ipsec-isakmp
 set peer 172.16.4.2
 set transform-set msset3
 match address warehouse03
!
!
interface Loopback0
 ip address 10.1.100.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.2
!
interface Tunnel1
 ip address 172.16.3.1 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 172.16.2.2
!
interface Tunnel2
 ip address 172.16.5.1 255.255.255.0
 tunnel source 172.16.4.1
 tunnel destination 172.16.4.2
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map msmap
!
interface FastEthernet1/0
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map msmap
!
!
interface Ethernet2/2
 ip address 172.16.4.1 255.255.255.0
 full-duplex
 crypto map msmap
!
!
router ospf 100
 log-adjacency-changes
 network 10.1.100.1 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 1
 network 172.16.3.0 0.0.0.255 area 1
 network 172.16.5.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse01
 permit ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit gre 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended warehouse02
 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit gre 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
ip access-list extended warehouse03
 permit ip 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit gre 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
!
end

R2:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key mschina01 address 172.16.0.1
!
!
crypto ipsec transform-set msset1 esp-3des esp-md5-hmac
 mode transport
!
crypto map msmap 10 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set msset1
 match address warehouse01
!
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.1
!
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map msmap
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 10.1.72.254 255.255.255.0
!
interface FastEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.168.1.10 255.255.255.0
!
interface FastEthernet1/0.300
 encapsulation dot1Q 300
 ip address 10.1.224.142 255.255.255.240
!
router ospf 100
 log-adjacency-changes
 network 10.1.72.0 0.0.0.255 area 1
 network 10.1.224.0 0.0.0.255 area 1
 network 172.16.1.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse01
 permit ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit gre 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
!
end

R3:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key mschina02 address 172.16.2.1
!
!
crypto ipsec transform-set msset2 esp-3des esp-md5-hmac
 mode transport
!
crypto map msmap 20 ipsec-isakmp
 set peer 172.16.2.1
 set transform-set msset2
 match address warehouse02
!
!
interface Tunnel1
 ip address 172.16.3.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map msmap
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 10.1.74.254 255.255.255.0
!
interface FastEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet1/0.300
 encapsulation dot1Q 300
 ip address 10.1.224.174 255.255.255.240
!
router ospf 100
 log-adjacency-changes
 network 10.1.74.0 0.0.0.255 area 1
 network 10.1.224.0 0.0.0.255 area 1
 network 172.16.3.0 0.0.0.255 area 1
 network 192.168.2.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse02
 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit gre 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
end

R4:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key mschina03 address 172.16.4.1
!
!
crypto ipsec transform-set msset3 esp-3des esp-md5-hmac
 mode transport
!
crypto map msmap 30 ipsec-isakmp
 set peer 172.16.4.1
 set transform-set msset3
 match address warehouse03
!
!
interface Tunnel2
 ip address 172.16.5.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.4.1
!
interface FastEthernet0/0
 ip address 172.16.4.2 255.255.255.0
 duplex auto
 speed auto
 crypto map msmap
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 10.1.76.254 255.255.255.0
!
interface FastEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet1/0.300
 encapsulation dot1Q 300
 ip address 10.1.224.206 255.255.255.240
!
router ospf 100
 log-adjacency-changes
 network 10.1.76.0 0.0.0.255 area 1
 network 10.1.224.192 0.0.0.15 area 1
 network 172.16.5.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse03
 permit ip 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit gre 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
!
!
end
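Because method 1 relies on hand-written, per-peer ISAKMP keys and crypto ACLs that must be mirror images of each other on both routers, a consistency check before deployment is worth having. The following Python script is an added example, not part of the original post: it parses configuration excerpts written in the same format as the router configs above (the excerpts are constructed for this check; hub side R1 and spoke R3, with a deliberate wildcard typo of 0.0.0.25 for 0.0.0.255 on the spoke) and reports pre-shared keys that do not match in both directions, wildcard masks that are not contiguous, and ACL lines whose mirror image is missing on the peer.

```python
import re
from ipaddress import IPv4Address

# Constructed excerpts in the page's own format (hub side and one spoke),
# with a deliberate 0.0.0.25 wildcard typo on the spoke for the check to find.
CONFIGS = {
    "R1": """
crypto isakmp key mschina02 address 172.16.2.2
crypto map msmap 20 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set msset2
 match address warehouse02
interface FastEthernet1/0
 ip address 172.16.2.1 255.255.255.0
 crypto map msmap
ip access-list extended warehouse02
 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit gre 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
""",
    "R3": """
crypto isakmp key mschina02 address 172.16.2.1
crypto map msmap 20 ipsec-isakmp
 set peer 172.16.2.1
 set transform-set msset2
 match address warehouse02
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 crypto map msmap
ip access-list extended warehouse02
 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit gre 172.16.2.0 0.0.0.25 172.16.2.0 0.0.0.255
""",
}


def parse(text):
    """Collect the pieces that must agree between two crypto-map peers."""
    cfg = {"keys": {}, "addrs": set(), "acls": {}, "entries": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line.startswith(" "):                       # top-level command
            m = re.match(r"crypto isakmp key (\S+) address (\S+)", s)
            if m:
                cfg["keys"][m.group(2)] = m.group(1)
            section = None
            if re.match(r"crypto map \S+ \d+ ipsec-isakmp", s):
                section = {"peer": None, "acl": None}
                cfg["entries"].append(section)
            elif s.startswith("ip access-list extended "):
                section = cfg["acls"].setdefault(s.split()[3], [])
            elif s.startswith("interface "):
                section = "iface"
        elif isinstance(section, dict):                    # inside a crypto map entry
            if s.startswith("set peer "):
                section["peer"] = s.split()[2]
            elif s.startswith("match address "):
                section["acl"] = s.split()[2]
        elif isinstance(section, list):                    # inside a named ACL
            p = s.split()
            if p[0] == "permit" and len(p) == 6:
                section.append(tuple(p[1:]))               # proto, src, swild, dst, dwild
        elif section == "iface" and s.startswith("ip address "):
            cfg["addrs"].add(s.split()[2])
    return cfg


def valid_wildcard(w):
    """An IOS wildcard mask must be a run of 1-bits starting at the low end."""
    n = int(IPv4Address(w))
    return n & (n + 1) == 0


def check(configs):
    """Return findings for every crypto-map entry; an empty list means the peers mirror each other."""
    parsed = {name: parse(text) for name, text in configs.items()}
    owner = {a: n for n, c in parsed.items() for a in c["addrs"]}   # interface address -> router
    findings = []
    for name, cfg in parsed.items():
        for e in cfg["entries"]:
            peer = owner.get(e["peer"])
            if peer is None:
                findings.append(f"{name}: peer {e['peer']} is not an address of any router here")
                continue
            pc = parsed[peer]
            # 1. the pre-shared key must be the same string in both directions
            local = next((a for a in cfg["addrs"] if a in pc["keys"]), None)
            if local is None or pc["keys"][local] != cfg["keys"].get(e["peer"]):
                findings.append(f"{name}<->{peer}: ISAKMP pre-shared keys do not match both ways")
            # 2. every ACL line needs contiguous wildcards and a mirrored line on the peer
            theirs = {ace for pe in pc["entries"] if pe["peer"] == local
                      for ace in pc["acls"].get(pe["acl"], [])}
            for proto, src, sw, dst, dw in cfg["acls"].get(e["acl"], []):
                for w in (sw, dw):
                    if not valid_wildcard(w):
                        findings.append(f"{name} acl {e['acl']}: wildcard {w} is not a contiguous mask")
                if (proto, dst, dw, src, sw) not in theirs:
                    findings.append(f"{peer}: no mirror of '{proto} {src} {sw} {dst} {dw}' "
                                    f"from {name} acl {e['acl']}")
    return findings


if __name__ == "__main__":
    for finding in check(CONFIGS):
        print(finding)
```

With the constructed excerpts the script reports three findings, all caused by the single mistyped wildcard: the mask itself, the R1 line that no longer has a mirror on R3, and the R3 line that has none on R1. Correcting the wildcard to 0.0.0.255 makes the list empty. Adding the R2 and R4 sections from the configs above extends the check to all three spokes without further changes.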

Method 2: I only configured this between R1 and R2; R3 and R4 are done the same way! Note that in this variant only R1 uses tunnel protection; R2 still applies a crypto map to its physical interface. Using "tunnel protection ipsec profile" on both ends is the cleaner form: the profile derives the protected traffic (GRE between tunnel source and tunnel destination) automatically, so neither side needs a hand-written crypto ACL.

R1:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key mschina address 172.16.2.2 (real interface address of R2)
!
!
crypto ipsec transform-set msset esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile msprofile
 set transform-set msset
!
!
interface Loopback0 (for testing)
 ip address 10.1.65.254 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0 (tunnel address)
 tunnel source FastEthernet1/0
 tunnel destination 172.16.2.2 (real interface address of R2)
 tunnel protection ipsec profile msprofile (applies IPsec to the GRE tunnel itself; no crypto map or crypto ACL is needed on this side)
!
interface FastEthernet0/0
 ip address 10.1.225.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 100
 log-adjacency-changes
 network 10.1.65.0 0.0.0.255 area 0
 network 10.1.225.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0 (tunnel network)
!
!
end

R2:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key mschina address 172.16.2.1 (real interface address of R1)
!
!
crypto ipsec transform-set msset esp-3des esp-md5-hmac
 mode transport
!
!
crypto map msmap 10 ipsec-isakmp
 set peer 172.16.2.1 (real interface address of R1)
 set transform-set msset
 match address 101
!
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet1/0 (real interface)
 tunnel destination 172.16.2.1 (real interface address of R1)
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.72.254 255.255.255.0
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.300
 encapsulation dot1Q 300
 ip address 10.1.224.206 255.255.255.0
!
interface FastEthernet0/0.340
 encapsulation dot1Q 340
!
interface FastEthernet1/0
 ip address 172.16.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map msmap
!
router ospf 100
 log-adjacency-changes
 network 10.1.72.0 0.0.0.255 area 0
 network 10.1.224.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0 (OSPF advertises the tunnel interface address)
 network 192.168.3.0 0.0.0.255 area 0
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255 (real interface addresses; a static crypto map entry is reported as incomplete and stays disabled until it has both a peer and a valid access list, so keep this ACL together with "match address 101", or replace the crypto map on R2 with tunnel protection as on R1)
!
!
end