×××（GRE over IPSEC ×××）

實驗拓撲:

   由於IPSEC ×××不能支持組播和廣播,因此不能運行動態路由協議,由於我們需要把一條×××鏈路作爲一條專線使用,還必須建立GRE tunnel隧道,以支持動態路由協議.基本配置步驟如下:
        1:配置基本路由和需保護流量的感興趣訪問列表           (注意這裏感興趣流量設爲GRE隧道流量)
        2:配置GRE Tunnel隧道.
        3:配置IPSEC ×××.
         4 :配置動態路由協議

具體配置文件如下，不做過多解釋！

VPCS 1 >ip 10.1.1.2 10.1.1.1 /24

PC1 : 10.1.1.2 255.255.255.0 gateway 10.1.1.1

 

VPCS 1 >2

VPCS 2 >ip 192.168.1.2 192.168.1.1 /24

PC2 : 192.168.1.2 255.255.255.0 gateway 192.168.1.1

 

VPCS 2 >ping 192.168.1.1

192.168.1.1 icmp_seq=1 time=31.000 ms

192.168.1.1 icmp_seq=2 time=47.000 ms

192.168.1.1 icmp_seq=3 time=47.000 ms

192.168.1.1 icmp_seq=4 time=47.000 ms

192.168.1.1 icmp_seq=5 time=31.000 ms

 

VPCS 2 >1

VPCS 1 >ping 10.1.1.1

10.1.1.1 icmp_seq=1 time=47.000 ms

10.1.1.1 icmp_seq=2 time=46.000 ms

10.1.1.1 icmp_seq=3 time=31.000 ms

10.1.1.1 icmp_seq=4 time=47.000 ms

10.1.1.1 icmp_seq=5 time=31.000 ms

 

r1#show run

Building configuration...

 

Current configuration : 1511 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r1

!

boot-start-marker

boot-end-marker

!

!

memory-size iomem 5

no aaa new-model

ip subnet-zero

!

!

no ip domain lookup

!

!

ip cef

ip ips po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco address 193.1.1.2

!

!

crypto ipsec transform-set set esp-3des esp-sha-hmac

 mode transport

!

crypto map map 10 ipsec-isakmp

 set peer 193.1.1.2

 set transform-set set

 match address list

!

!

!

!

interface Tunnel0

 ip address 172.16.1.1 255.255.255.0

 tunnel source Serial1/0

 tunnel destination 193.1.1.2

!

interface FastEthernet0/0

 ip address 10.1.1.1 255.255.255.0

 duplex auto

 speed auto

!

interface Serial1/0

 ip address 192.1.1.1 255.255.255.0

 serial restart-delay 0

 crypto map map

!

interface Serial1/1

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial1/2

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial1/3

 no ip address

 shutdown

 serial restart-delay 0

!

router eigrp 100

 network 10.0.0.0

 network 172.16.0.0

 no auto-summary

!

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 Serial1/0

!

!

!

ip access-list extended list

 permit ip host 192.1.1.1 host 193.1.1.2

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

 exec-timeout 0 0

 logging synchronous

line aux 0

line vty 0 4

!

!

end

 

r1#   show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Tunnel0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, FastEthernet0/0

C    192.1.1.0/24 is directly connected, Serial1/0

D    192.168.1.0/24 [90/297246976] via 172.16.1.2, 00:54:41, Tunnel0

S*   0.0.0.0/0 is directly connected, Serial1/0

 

 

 

r2#show run

Building configuration...

 

Current configuration : 842 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r2

!

boot-start-marker

boot-end-marker

!

!

memory-size iomem 5

no aaa new-model

ip subnet-zero

!

!

no ip domain lookup

!

!

ip cef

ip ips po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Serial0/0

 ip address 192.1.1.2 255.255.255.0

 serial restart-delay 0

!

interface Serial0/1

 ip address 193.1.1.1 255.255.255.0

 serial restart-delay 0

!

interface Serial0/2

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial0/3

 no ip address

 shutdown

 serial restart-delay 0

!

ip http server

no ip http secure-server

ip classless

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

 exec-timeout 0 0

 logging synchronous

line aux 0

line vty 0 4

!

!

end

 

r2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is not set

 

C    193.1.1.0/24 is directly connected, Serial0/1

C    192.1.1.0/24 is directly connected, Serial0/0

 

 

 

 

r3#show run

Building configuration...

 

Current configuration : 1517 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r3

!

boot-start-marker

boot-end-marker

!

!

memory-size iomem 5

no aaa new-model

ip subnet-zero

!

!

no ip domain lookup

!

!

ip cef

ip ips po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco address 192.1.1.1

!

!

crypto ipsec transform-set set esp-3des esp-sha-hmac

 mode transport

!

crypto map map 10 ipsec-isakmp

 set peer 192.1.1.1

 set transform-set set

 match address list

!

!

!

!

interface Tunnel0

 ip address 172.16.1.2 255.255.255.0

 tunnel source Serial1/0

 tunnel destination 192.1.1.1

!

interface FastEthernet0/0

 ip address 192.168.1.1 255.255.255.0

 duplex auto

 speed auto

!

interface Serial1/0

 ip address 193.1.1.2 255.255.255.0

 serial restart-delay 0

 crypto map map

!

interface Serial1/1

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial1/2

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial1/3

 no ip address

 shutdown

 serial restart-delay 0

!

router eigrp 100

 network 172.16.0.0

 network 192.168.1.0

 no auto-summary

!

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 Serial1/0

!

!

!

ip access-list extended list

 permit ip host 193.1.1.2 host 192.1.1.1

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

 exec-timeout 0 0

 logging synchronous

line aux 0

line vty 0 4

!

!

end

 

r3#

r3#

r3#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Tunnel0

     10.0.0.0/24 is subnetted, 1 subnets

D       10.1.1.0 [90/297246976] via 172.16.1.1, 00:54:37, Tunnel0

C    193.1.1.0/24 is directly connected, Serial1/0

C    192.168.1.0/24 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 is directly connected, Serial1/0