GRE over IPSEC configuration

r1(0/0)---r2--(1/1)r3

GRE over IPSEC
IPsec first, then GRE: the GRE packet is the payload that IPsec encrypts.
This solves the problem that IPsec cannot carry multicast traffic, so a routing protocol can run inside IPsec, and the protocol traffic itself is encrypted!!
R1:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key zaq address 2.3.0.1
!
!
crypto ipsec transform-set *** esp-des
!
crypto map *** 10 ipsec-isakmp
 set peer 2.3.0.1
 set transform-set ***
 match address 101
!
!
!
!
interface Tunnel0
 ip address 1.3.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 2.3.0.1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 1.2.0.1 255.255.255.0
 duplex full
 crypto map ***
!
router ospf 1
 log-adjacency-changes
!
ip route 0.0.0.0 0.0.0.0 1.2.0.2
!
!
access-list 101 permit gre host 1.2.0.1 host 2.3.0.1
 
R2:
interface FastEthernet0/0
 ip address 1.2.0.2 255.255.255.0
 duplex full
!        
interface FastEthernet1/1
 ip address 2.3.0.2 255.255.255.0
 duplex full
 speed auto

R3:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key zaq address 1.2.0.1
!
crypto ipsec transform-set *** esp-des
!
crypto map *** 10 ipsec-isakmp
 set peer 1.2.0.1
 set transform-set ***
 match address 101
!
interface Tunnel0
 ip address 1.3.0.2 255.255.255.0
 tunnel source FastEthernet1/1
 tunnel destination 1.2.0.1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
 ip address 30.0.0.1 255.255.255.0
!
interface FastEthernet1/1
 ip address 2.3.0.1 255.255.255.0
 duplex full
 speed auto
 crypto map ***
!
ip route 0.0.0.0 0.0.0.0 2.3.0.2
!
access-list 101 permit gre host 2.3.0.1 host 1.2.0.1
 
Router#show crypto engine connections active
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet1/1      2.3.0.1         set    HMAC_MD5+DES_56_CB        0        0
2001 FastEthernet1/1      2.3.0.1         set    DES                       0       27
2002 FastEthernet1/1      2.3.0.1         set    DES                      27        0
Router#show crypto isakmp sa
dst             src             state          conn-id slot status
1.2.0.1         2.3.0.1         QM_IDLE              1    0 ACTIVE
Router#show crypto isakmp peers   
Peer: 1.2.0.1 Port: 500 Local: 2.3.0.1
 Phase1 id: 1.2.0.1
Router#show crypto ipsec sa
interface: FastEthernet1/1
    Crypto map tag: ***, local addr 2.3.0.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
   current_peer 1.2.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
    #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 2.3.0.1, remote crypto endpt.: 1.2.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/1
     current outbound spi: 0xEAA8551D(3936900381)
     inbound esp sas:
      spi: 0x323BE771(842786673)
        transform: esp-des ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: ***
        sa timing: remaining key lifetime (k/sec): (4493451/2885)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEAA8551D(3936900381)
        transform: esp-des ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: ***
        sa timing: remaining key lifetime (k/sec): (4493451/2884)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
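The show output above only proves the tunnel works once it is up; the errors that bite in practice (a crypto ACL that does not match the GRE flow, so the tunnel silently runs in cleartext; a mismatched peer or pre-shared key, so IKE never completes) are easiest to catch by cross-checking the two peers' configs. The script below is an added example, not part of the original post: it embeds constructed copies of the R1 and R3 configs, trimmed to the crypto, tunnel and interface lines, with the redacted `***` transform-set and crypto map names assumed to be `TS` and `CM`. It also flags the DES transform and MD5 ISAKMP hash used on the page, which current IOS still accepts but which should not be chosen for new tunnels. The parser only understands the statements used on this page (one tunnel, one crypto map applied to a physical interface).

```python
"""Added example (not from the original post): cross-check a GRE-over-IPsec peer pair for
the mistakes that leave GRE in cleartext or stop IKE. The configs are constructed copies of
R1/R3 above, trimmed to the crypto, tunnel and interface lines; the redacted *** names are
assumed to be TS (transform-set) and CM (crypto map)."""
R1_CFG = """\
crypto isakmp policy 10
 hash md5
crypto isakmp key zaq address 2.3.0.1
crypto ipsec transform-set TS esp-des
crypto map CM 10 ipsec-isakmp
 set peer 2.3.0.1
 match address 101
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 2.3.0.1
interface FastEthernet0/0
 ip address 1.2.0.1 255.255.255.0
 crypto map CM
access-list 101 permit gre host 1.2.0.1 host 2.3.0.1
"""
R3_CFG = """\
crypto isakmp policy 10
 hash md5
crypto isakmp key zaq address 1.2.0.1
crypto ipsec transform-set TS esp-des
crypto map CM 10 ipsec-isakmp
 set peer 1.2.0.1
 match address 101
interface Tunnel0
 tunnel source FastEthernet1/1
 tunnel destination 1.2.0.1
interface FastEthernet1/1
 ip address 2.3.0.1 255.255.255.0
 crypto map CM
access-list 101 permit gre host 2.3.0.1 host 1.2.0.1
"""
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null"}  # IOS still accepts these; do not deploy them

def parse(cfg):
    """Minimal IOS parser for the statements used on the page (one tunnel, one crypto map)."""
    c = {"interfaces": {}, "keys": {}, "acls": {}, "transforms": set(), "hashes": set()}
    section = []
    for raw in filter(str.strip, cfg.splitlines()):
        t = raw.split()
        if raw[0] != " ":  # a top-level statement opens a new section
            section = t
            if t[0] == "interface":
                c["interfaces"].setdefault(t[1], {})
            elif t[:3] == ["crypto", "isakmp", "key"]:
                c["keys"][t[5]] = t[3]  # peer address -> pre-shared key
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                c["transforms"].update(t[4:])
            elif t[0] == "access-list":
                c["acls"].setdefault(t[1], []).append(tuple(t[2:]))
        elif section[:1] == ["interface"]:
            iface = c["interfaces"][section[1]]
            if t[0] == "tunnel":  # tunnel source <ifname> / tunnel destination <ip>
                iface[t[1]] = t[2]
            elif t[:2] == ["ip", "address"]:
                iface["ip"] = t[2]
            elif t[:2] == ["crypto", "map"]:
                c["crypto_if"] = section[1]  # interface the crypto map is applied to
        elif section[:2] == ["crypto", "map"] and t[0] in ("set", "match"):
            c[t[1]] = t[2]  # set peer <ip> -> c["peer"], match address <acl> -> c["address"]
        elif section[:3] == ["crypto", "isakmp", "policy"] and t[0] == "hash":
            c["hashes"].add(t[1])
    c["local"] = c["interfaces"][c["crypto_if"]]["ip"]  # the IKE/IPsec endpoint address
    return c

def check_pair(a, b):
    """Return consistency problems between two peers; [] means the pair lines up."""
    problems = []
    for me, other in ((a, b), (b, a)):
        my_ip, other_ip = me["local"], other["local"]
        tun = next(v for k, v in me["interfaces"].items() if k.startswith("Tunnel"))
        src_ip, dst_ip = me["interfaces"][tun["source"]]["ip"], tun["destination"]
        if me.get("peer") != other_ip:
            problems.append(f"{my_ip}: set peer {me.get('peer')} is not {other_ip}")
        if me["keys"].get(other_ip) is None or me["keys"][other_ip] != other["keys"].get(my_ip):
            problems.append(f"{my_ip}: pre-shared key for {other_ip} missing or mismatched")
        # A crypto ACL that does not select the GRE flow leaves the tunnel in cleartext.
        if ("permit", "gre", "host", src_ip, "host", dst_ip) not in me["acls"].get(me.get("address"), []):
            problems.append(f"{my_ip}: crypto ACL does not permit gre host {src_ip} host {dst_ip}")
    return problems

def weak_crypto(c):
    """Hygiene warnings for the algorithms chosen in the transform-set and ISAKMP policy."""
    out = [f"{c['local']}: weak transform {x}" for x in sorted(c["transforms"] & WEAK_TRANSFORMS)]
    out += [f"{c['local']}: weak ISAKMP hash {h}" for h in sorted(c["hashes"] & {"md5"})]
    return out

if __name__ == "__main__":
    r1, r3 = parse(R1_CFG), parse(R3_CFG)
    print(check_pair(r1, r3) or "pair consistent", weak_crypto(r1) + weak_crypto(r3))
```

Run as-is it reports the pair as consistent and lists `esp-des` and `md5` as weak on both routers. Changing one host in R3's access-list 101, or one side's pre-shared key, produces the corresponding problem line, which is exactly the failure that `show crypto ipsec sa` would otherwise reveal only as a missing SA or zero encaps counters.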
 

There is also the other arrangement, IPsec over GRE, which I personally think is pointless: although it solves the multicast problem, the multicast is transmitted in cleartext, so IPsec loses its meaning; you might as well just use GRE on its own!!