GRE over IPSEC
This solves the problem that IPsec cannot carry multicast traffic: routing protocols can run inside IPsec, and the routing protocol traffic itself is encrypted!!
hash md5
authentication pre-share
crypto isakmp key zaq address 2.3.0.1
!
!
crypto ipsec transform-set *** esp-des
!
crypto map *** 10 ipsec-isakmp
set peer 2.3.0.1
set transform-set ***
match address 101
!
!
!
!
interface Tunnel0
ip address 1.3.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 2.3.0.1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.2.0.1 255.255.255.0
duplex full
crypto map ***
!
router ospf 1
log-adjacency-changes
!
ip route 0.0.0.0 0.0.0.0 1.2.0.2
!
!
access-list 101 permit gre host 1.2.0.1 host 2.3.0.1
interface FastEthernet0/0
ip address 1.2.0.2 255.255.255.0
duplex full
!
interface FastEthernet1/1
ip address 2.3.0.2 255.255.255.0
duplex full
speed auto
R3:
hash md5
authentication pre-share
crypto isakmp key zaq address 1.2.0.1
!
crypto ipsec transform-set *** esp-des
!
crypto map *** 10 ipsec-isakmp
set peer 1.2.0.1
set transform-set ***
match address 101
!
interface Tunnel0
ip address 1.3.0.2 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 1.2.0.1
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
ip address 30.0.0.1 255.255.255.0
!
interface FastEthernet1/1
ip address 2.3.0.1 255.255.255.0
duplex full
speed auto
crypto map ***
!
ip route 0.0.0.0 0.0.0.0 2.3.0.2
!
access-list 101 permit gre host 2.3.0.1 host 1.2.0.1
1 FastEthernet1/1 2.3.0.1 set HMAC_MD5+DES_56_CB 0 0
2001 FastEthernet1/1 2.3.0.1 set DES 0 27
2002 FastEthernet1/1 2.3.0.1 set DES 27 0
dst src state conn-id slot status
1.2.0.1 2.3.0.1 QM_IDLE 1 0 ACTIVE
Peer: 1.2.0.1 Port: 500 Local: 2.3.0.1
Phase1 id: 1.2.0.1
Crypto map tag: ***, local addr 2.3.0.1
local ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
current_peer 1.2.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
#pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/1
current outbound spi: 0xEAA8551D(3936900381)
spi: 0x323BE771(842786673)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: ***
sa timing: remaining key lifetime (k/sec): (4493451/2885)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
spi: 0xEAA8551D(3936900381)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: ***
sa timing: remaining key lifetime (k/sec): (4493451/2884)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
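An added example, not part of the original post, that parses a 'show crypto ipsec sa' excerpt like the one above and checks that the SA really protects GRE (protocol 47) while flagging the weak settings this lab uses (esp-des with no authentication transform, anti-replay off). The sample text is constructed from the page's own output; the regexes, the weak-transform list and the function names are the example's own assumptions.

```python
import re

# Constructed sample input in the shape of the 'show crypto ipsec sa' excerpt on this page.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
#pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
#pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
transform: esp-des ,
in use settings ={Tunnel, }
replay detection support: N
Status: ACTIVE
"""

GRE_PROTO = 47
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}  # DES/3DES ciphers, MD5 MAC
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
TRANSFORM_RE = re.compile(r"transform: ([^,]+),")

def parse_ipsec_sa(text):
    """Extract the selectors, packet counters, transforms and replay flag from one SA."""
    sa = {"ident": {}, "counters": {}, "transforms": set(), "replay": None}
    for side, addr, mask, proto, port in IDENT_RE.findall(text):
        sa["ident"][side] = (addr, mask, int(proto), int(port))
    for name, count in COUNTER_RE.findall(text):
        sa["counters"][name] = int(count)
    for chunk in TRANSFORM_RE.findall(text):
        sa["transforms"].update(chunk.split())
    m = re.search(r"replay detection support: ([YN])", text)
    sa["replay"] = (m.group(1) == "Y") if m else None
    return sa

def audit_gre_over_ipsec(sa):
    """Return findings; an empty list means the SA protects GRE as the design intends."""
    findings = []
    for side in ("local", "remote"):
        ident = sa["ident"].get(side)
        if ident is None or ident[2] != GRE_PROTO:
            findings.append(f"{side} selector does not match protocol 47 (GRE): {ident}")
    c = sa["counters"]
    if c.get("encaps") != c.get("encrypt") or c.get("decaps") != c.get("decrypt"):
        findings.append("encapsulated and encrypted packet counts differ")
    for t in sorted(sa["transforms"] & WEAK_TRANSFORMS):
        findings.append(f"weak transform in use: {t}")
    if not any(t.endswith("-hmac") for t in sa["transforms"]):
        findings.append("no authentication transform: ESP without integrity protection")
    if sa["replay"] is False:
        findings.append("ESP anti-replay is not active")
    return findings
```

Run against the lab output above it reports three findings (esp-des, no authentication transform, anti-replay off) and none once the transform set is changed to an AES cipher plus an HMAC transform.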
There is also IPsec over GRE, which I personally think is pointless: although it solves the multicast problem, the multicast traffic is sent in plaintext, so the IPsec adds nothing, and you might as well just use plain GRE!!