Recently, based on how the company network is actually built, I set up a GRE over IPsec lab. Here I only simulate one part of the company network: the segment from the head office to the warehouses. The warehouses are connected at the physical layer over Shanghai Telecom DSL, GRE over IPsec is used to protect the data, and the other reason for GRE is that it can carry a routing protocol; the company runs OSPF. The IP addresses are essentially the real ones (they are private addresses, so there is no harm in showing them) with small adjustments; the keys are completely different from the company's, I set them arbitrarily!
A word on the topology: R1 is a router at the head office, and R2, R3 and R4 are the warehouse routers, connected in a star (hub-and-spoke): R1--------R2, R1--------R3, R1-----------R4. I will attach the packets I captured for reference; they are from an earlier capture and the IPs are slightly different. The point is to show the packet structure and the encapsulation, and that GRE over IPsec is secure because the application-layer data is already encrypted. With ESP in transport mode the whole GRE packet, inner IP header, OSPF and user data included, sits inside ESP; only the outer IP header between the real interface addresses and the ESP SPI and sequence number remain visible on the DSL link.
I configure this in two ways here. The company uses the first one, so the first is described in more detail and more completely:
Method 1: pay attention to the difference between the tunnel addresses and the real interface addresses! (Tunnel addresses 172.16.1.0/24, 172.16.3.0/24, 172.16.5.0/24; real interface addresses 172.16.0.0/24, 172.16.2.0/24, 172.16.4.0/24.) The crypto ACLs match the real interface addresses, the tunnel interfaces and OSPF use the tunnel addresses, and because the IPsec endpoints are the same as the GRE endpoints the transform sets can use transport mode. The algorithm choices are kept as run in the lab; esp-3des, esp-md5-hmac and DH group 2 are deprecated, and a production deployment should move to AES-256, SHA-256 and group 14 or stronger.
R1:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 600
crypto isakmp key mschina01 address 172.16.0.2
crypto isakmp key mschina02 address 172.16.2.2
crypto isakmp key mschina03 address 172.16.4.2
!
!
crypto ipsec transform-set msset1 esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set msset2 esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set msset3 esp-3des esp-md5-hmac
mode transport
!
crypto map msmap 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set msset1
match address warehouse01
crypto map msmap 20 ipsec-isakmp
set peer 172.16.2.2
set transform-set msset2
match address warehouse02
crypto map msmap 30 ipsec-isakmp
set peer 172.16.4.2
set transform-set msset3
match address warehouse03
!
!
interface Loopback0
ip address 10.1.100.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.16.0.2
!
interface Tunnel1
ip address 172.16.3.1 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 172.16.2.2
!
interface Tunnel2
ip address 172.16.5.1 255.255.255.0
tunnel source 172.16.4.1
tunnel destination 172.16.4.2
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0
duplex auto
speed auto
crypto map msmap
!
interface FastEthernet1/0
ip address 172.16.2.1 255.255.255.0
duplex auto
speed auto
crypto map msmap
!
!
interface Ethernet2/2
ip address 172.16.4.1 255.255.255.0
full-duplex
crypto map msmap
!
!
router ospf 100
log-adjacency-changes
network 10.1.100.1 0.0.0.0 area 0
network 172.16.1.0 0.0.0.255 area 1
network 172.16.3.0 0.0.0.255 area 1
network 172.16.5.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse01
permit ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
permit gre 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended warehouse02
permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
permit gre 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
ip access-list extended warehouse03
permit ip 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
permit gre 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
!
end
R2:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 600
crypto isakmp key mschina01 address 172.16.0.1
!
!
crypto ipsec transform-set msset1 esp-3des esp-md5-hmac
mode transport
!
crypto map msmap 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set msset1
match address warehouse01
!
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.16.0.1
!
interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.0
duplex auto
speed auto
crypto map msmap
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip address 10.1.72.254 255.255.255.0
!
interface FastEthernet1/0.100
encapsulation dot1Q 100
ip address 192.168.1.10 255.255.255.0
!
interface FastEthernet1/0.300
encapsulation dot1Q 300
ip address 10.1.224.142 255.255.255.240
!
router ospf 100
log-adjacency-changes
network 10.1.72.0 0.0.0.255 area 1
network 10.1.224.0 0.0.0.255 area 1
network 172.16.1.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse01
permit ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
permit gre 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
!
end
R3:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 600
crypto isakmp key mschina02 address 172.16.2.1
!
!
crypto ipsec transform-set msset2 esp-3des esp-md5-hmac
mode transport
!
crypto map msmap 20 ipsec-isakmp
set peer 172.16.2.1
set transform-set msset2
match address warehouse02
!
!
interface Tunnel1
ip address 172.16.3.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.16.2.1
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.0
duplex auto
speed auto
crypto map msmap
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip address 10.1.74.254 255.255.255.0
!
interface FastEthernet1/0.100
encapsulation dot1Q 100
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet1/0.300
encapsulation dot1Q 300
ip address 10.1.224.174 255.255.255.240
!
router ospf 100
log-adjacency-changes
network 10.1.74.0 0.0.0.255 area 1
network 10.1.224.0 0.0.0.255 area 1
network 172.16.3.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse02
permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
permit gre 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
end
R4:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 600
crypto isakmp key mschina03 address 172.16.4.1
!
!
crypto ipsec transform-set msset3 esp-3des esp-md5-hmac
mode transport
!
crypto map msmap 30 ipsec-isakmp
set peer 172.16.4.1
set transform-set msset3
match address warehouse03
!
!
interface Tunnel2
ip address 172.16.5.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.16.4.1
!
interface FastEthernet0/0
ip address 172.16.4.2 255.255.255.0
duplex auto
speed auto
crypto map msmap
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip address 10.1.76.254 255.255.255.0
!
interface FastEthernet1/0.100
encapsulation dot1Q 100
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet1/0.300
encapsulation dot1Q 300
ip address 10.1.224.206 255.255.255.240
!
router ospf 100
log-adjacency-changes
network 10.1.76.0 0.0.0.255 area 1
network 10.1.224.192 0.0.0.15 area 1
network 172.16.5.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 1
!
!
ip access-list extended warehouse03
permit ip 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
permit gre 172.16.4.0 0.0.0.255 172.16.4.0 0.0.0.255
!
!
end
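The hub-side crypto map entries and their warehouse ACLs are written by hand, and a slip in a crypto ACL is easy to overlook because the broader permit ip line in the same ACL still selects the GRE traffic. The following Python script is an added example, not part of the original post: it parses a trimmed excerpt of the R1 config above (constructed inline; only the crypto, tunnel, interface and ACL lines are kept, and the R3 side is derived from it as its mirror image) and checks that each crypto map peer is a GRE tunnel destination, that a crypto map is applied on the interface owning the tunnel source, that the crypto ACL actually matches GRE between the tunnel endpoints using IOS wildcard semantics (bits set in the wildcard are ignored, all other bits must match), and that the transform set avoids deprecated algorithms. The R3 excerpt deliberately carries a mis-typed wildcard, 0.0.0.25 in place of 0.0.0.255, on its permit gre line to show what the bit-wise check reports. The finding codes, the BLOCKS table and the helper names are my own.

```python
"""Linter for crypto-map style GRE over IPsec configs (added example, not from the post)."""
import ipaddress

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # legacy per Cisco NGE guidance
BLOCKS = {"crypto ipsec transform-set": ("tsets", 3), "crypto map": ("maps", 3),
          "interface": ("ifaces", 1), "ip access-list extended": ("acls", 3)}

# Constructed excerpt of the R1 config above: only the lines the checks need.
R1_CFG = """\
crypto ipsec transform-set msset2 esp-3des esp-md5-hmac
crypto map msmap 20 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set msset2
 match address warehouse02
interface Tunnel1
 tunnel source FastEthernet1/0
 tunnel destination 172.16.2.2
interface FastEthernet1/0
 ip address 172.16.2.1 255.255.255.0
 crypto map msmap
ip access-list extended warehouse02
 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit gre 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
# R3 mirrors R1 (endpoints and interface swapped); its gre line keeps a 0.0.0.25 wildcard
# on purpose to show what the bit-wise check reports.
R3_CFG = (R1_CFG.replace("172.16.2.1", "TMP").replace("172.16.2.2", "172.16.2.1")
          .replace("TMP", "172.16.2.2").replace("FastEthernet1/0", "FastEthernet0/0")
          .replace("gre 172.16.2.0 0.0.0.255", "gre 172.16.2.0 0.0.0.25"))


def parse(cfg):
    """Split an IOS config into transform sets, crypto map entries, interfaces and ACLs."""
    d = {kind: {} for kind, _ in BLOCKS.values()}
    ctx = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw[0].isspace():                       # unindented line opens a new block
            ctx = next(((kind, w[i]) for head, (kind, i) in BLOCKS.items()
                        if raw.startswith(head + " ") and len(w) > i), None)
            if ctx:
                kind, name = ctx
                d[kind][name] = set(w[4:]) if kind == "tsets" else ([] if kind == "acls" else {})
        elif ctx and ctx[0] == "acls" and w[0] in ("permit", "deny") and len(w) == 6:
            d["acls"][ctx[1]].append(tuple(w))         # (action, proto, src, swild, dst, dwild)
        elif ctx and ctx[0] in ("maps", "ifaces"):
            d[ctx[0]][ctx[1]][" ".join(w[:2])] = w[2:]  # e.g. "set peer" -> ["172.16.2.2"]
    return d


def wild_match(addr, net, wild):
    """IOS wildcard test: bits set in the wildcard are ignored, all other bits must match."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    keep = ~m & 0xFFFFFFFF
    return a & keep == n & keep


def hits(ace, proto, src, dst):
    """Does this ACE select a proto flow src -> dst?  'ip' covers every protocol."""
    _, p, snet, swild, dnet, dwild = ace
    return p in (proto, "ip") and wild_match(src, snet, swild) and wild_match(dst, dnet, dwild)


def lint(router, cfg):
    """Return (router, code, detail) findings for each crypto map entry on one router."""
    d = parse(cfg)
    by_ip = {i["ip address"][0]: i for i in d["ifaces"].values() if "ip address" in i}
    out = []
    for seq, m in d["maps"].items():
        peer, tag = m["set peer"][0], f"seq {seq} peer {m['set peer'][0]}"
        weak = d["tsets"][m["set transform-set"][0]] & WEAK
        if weak:
            out.append((router, "WEAK_ALG", f"{tag}: {' '.join(sorted(weak))}"))
        tun = next((t for n, t in d["ifaces"].items()
                    if n.startswith("Tunnel") and t.get("tunnel destination") == [peer]), None)
        if tun is None:                               # IPsec peer that carries no GRE tunnel
            out.append((router, "PEER_NOT_TUNNEL", tag))
            continue
        src = tun["tunnel source"][0]
        if not src[0].isdigit():                      # source given as an interface name
            src = d["ifaces"][src]["ip address"][0]
        if "crypto map" not in by_ip.get(src, {}):
            out.append((router, "MAP_NOT_ON_SOURCE", f"{tag}: {src} carries no crypto map"))
        aces = d["acls"][m["match address"][0]]
        first = next((a for a in aces if hits(a, "gre", src, peer)), None)   # first match wins
        if first is None or first[0] != "permit":
            out.append((router, "GRE_UNPROTECTED", f"{tag}: gre {src}->{peer} not selected"))
        for a in aces:                # one ACL per tunnel here, so every gre ACE should match
            if a[1] == "gre" and not hits(a, "gre", src, peer):
                out.append((router, "ACE_NO_MATCH", f"{tag}: '{' '.join(a)}' misses gre {src}->{peer}"))
    return out


if __name__ == "__main__":
    for router, cfg in (("R1", R1_CFG), ("R3", R3_CFG)):
        print(*lint(router, cfg), sep="\n")
```

Run as is, R1 reports only the deprecated 3DES/MD5 transform set, while R3 additionally reports that its permit gre line never matches GRE from 172.16.2.2, because a wildcard of 0.0.0.25 keeps the bits of the last octet that 2 has set. The tunnel still comes up only because the permit ip line ahead of it matches first; tighten that line to host-to-host GRE and the mistake turns into a dead tunnel, which is why the check reports every gre ACE that fails to match rather than just the first-match result.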
Method 2: I only configured it between R1 and R2; R3 and R4 are done the same way! Here R1 binds an IPsec profile to the tunnel interface with tunnel protection, which derives the GRE host-to-host proxy identity by itself, while R2 keeps a crypto map with a crypto ACL. The usual production form applies tunnel protection on both ends, so that neither side needs a crypto ACL or a crypto map on the physical interface.
R1:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 600
crypto isakmp key mschina address 172.16.2.2 (real interface address)
!
!
crypto ipsec transform-set msset esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile msprofile
set transform-set msset
!
!
interface Loopback0 (for testing)
ip address 10.1.65.254 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0 (tunnel address)
tunnel source FastEthernet1/0
tunnel destination 172.16.2.2 (real interface address)
tunnel protection ipsec profile msprofile (applies the IPsec profile to the tunnel; replaces the crypto map on the physical interface)
!
interface FastEthernet0/0
ip address 10.1.225.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 172.16.2.1 255.255.255.0
duplex auto
speed auto
!
router ospf 100
log-adjacency-changes
network 10.1.65.0 0.0.0.255 area 0
network 10.1.225.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0 (tunnel network)
!
!
end
R2:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 600
crypto isakmp key mschina address 172.16.2.1 (real interface address)
!
!
crypto ipsec transform-set msset esp-3des esp-md5-hmac
mode transport
!
!
crypto map msmap 10 ipsec-isakmp
set peer 172.16.2.1 (real interface address)
set transform-set msset
match address 101
!
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet1/0 (interface holding the real address)
tunnel destination 172.16.2.1 (real interface address)
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.1.72.254 255.255.255.0
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.300
encapsulation dot1Q 300
ip address 10.1.224.206 255.255.255.0
!
interface FastEthernet0/0.340
encapsulation dot1Q 340
!
interface FastEthernet1/0
ip address 172.16.2.2 255.255.255.0
duplex auto
speed auto
crypto map msmap
!
router ospf 100
log-adjacency-changes
network 10.1.72.0 0.0.0.255 area 0
network 10.1.224.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0 (OSPF advertises the tunnel interface address)
network 192.168.3.0 0.0.0.255 area 0
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255 (real interface addresses; the ACL can also be left out, and if it is, the match address 101 command must be removed as well)
!
!
end