GRE & IPSEC ×××

 
 
 
Lab environment:
OSPF runs between R1 and R2
OSPF runs between R4 and R5
EIGRP runs among R2, R3 and R4

Initial configuration (omitted)
1. GRE OVER IPSEC
Build a GRE tunnel between R2 and R4 and form an OSPF adjacency across it
R2:
int tunnel 0
ip add 24.24.24.2 255.255.255.0
tunnel source e0/1
tunnel destination 34.34.34.4
tunnel mode gre ip
router ospf 12
net 24.24.24.2 0.0.0.0 a 0
R4
int tunnel 0
ip add 24.24.24.4 255.255.255.0
tunnel source e0/0
tunnel destination 23.23.23.2
tunnel mode gre ip
router ospf 45
net 24.24.24.4 0.0.0.0 a 0

Verification:
R2:
*Mar  1 01:15:41.935: %OSPF-5-ADJCHG: Process 12, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
R4
*Mar  1 01:15:42.143: %OSPF-5-ADJCHG: Process 45, Nbr 2.2.2.2 on Tunnel0 from LOADING to FULL, Loading Done
 
Configure GRE over IPSec
R2
Interesting traffic:
access-list 100 per ip host 23.23.23.2 host 34.34.34.4
Configure ISAKMP
cry isa policy 10
encry 3
authentic pre-share
group 2
hash sha
cry isa key 0 cisco address 34.34.34.4
Configure the IPSec transform-set
cry ips transform-set GRE esp-3des esp-sha-hmac
Configure the crypto map
crypto map ××× 10 ipsec-isakmp
 set peer 34.34.34.4
 set transform-set GRE
 match address 100
Apply to the interface
int e0/1
cry map ×××
 
R4
Interesting traffic:
access-list 100 per ip host 34.34.34.4 host 23.23.23.2
Configure ISAKMP
cry isa policy 10
encry 3
authentic pre-share
group 2
hash sha
cry isa key 0 cisco address 23.23.23.2
Configure the IPSec transform-set
cry ips transform-set GRE esp-3des esp-sha-hmac
Configure the crypto map
crypto map ××× 10 ipsec-isakmp
 set peer 23.23.23.2
 set transform-set GRE
 match address 100
Apply to the interface
int e0/0
cry map ×××
 
 
Verification
r2#sh cry isa sa
dst             src             state          conn-id slot status
34.34.34.4      23.23.23.2      QM_IDLE              1    0 ACTIVE
r2#sh ip access-list 100
Extended IP access list 100
    10 permit ip host 23.23.23.2 host 34.34.34.4 (759 matches)
 
r4#sh cry isa sa
dst             src             state          conn-id slot status
34.34.34.4      23.23.23.2      QM_IDLE              1    0 ACTIVE
r4#sh ip access-list 100
Extended IP access list 100
    10 permit ip host 34.34.34.4 host 23.23.23.2 (764 matches)

 
 
2. IPSEC OVER GRE

The GRE configuration is the same as above.

Configure IPSec over GRE
R2
Interesting traffic:
access-list 100 per ip host 1.1.1.1 host 5.5.5.5
Configure ISAKMP
cry isa policy 10
encry 3
authentic pre-share
group 2
hash sha
cry isa key 0 cisco address 34.34.34.4
Configure the IPSec transform-set
cry ips transform-set GRE esp-3des esp-sha-hmac
Configure the crypto map
crypto map ××× 10 ipsec-isakmp
 set peer 34.34.34.4
 set transform-set GRE
 match address 100
Apply to the interface
int tunnel 0
cry map ×××
 
R4
Interesting traffic:
access-list 100 per ip host 5.5.5.5 host 1.1.1.1
Configure ISAKMP
cry isa policy 10
encry 3
authentic pre-share
group 2
hash sha
cry isa key 0 cisco address 23.23.23.2
Configure the IPSec transform-set
cry ips transform-set GRE esp-3des esp-sha-hmac
Configure the crypto map
crypto map ××× 10 ipsec-isakmp
 set peer 23.23.23.2
 set transform-set GRE
 match address 100
Apply to the interface
int tunnel 0
cry map ×××
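
What the two designs actually select for encryption on R2, as an added Python example (not part of the original post). It parses the crypto ACL lines shown above, checks that each pair is mirrored between R2 and R4, and models only the crypto ACL match on the interface that carries the crypto map. The flow names and the 10.0.0.x addresses are constructed for illustration. In the IPSec over GRE design the OSPF hellos on Tunnel0 are not selected, so they cross the tunnel unencrypted.

```python
import re

# Crypto ACL lines exactly as they appear on the page, keyed by (design, router).
ACLS = {
    ("gre_over_ipsec", "R2"): "access-list 100 per ip host 23.23.23.2 host 34.34.34.4",
    ("gre_over_ipsec", "R4"): "access-list 100 per ip host 34.34.34.4 host 23.23.23.2",
    ("ipsec_over_gre", "R2"): "access-list 100 per ip host 1.1.1.1 host 5.5.5.5",
    ("ipsec_over_gre", "R4"): "access-list 100 per ip host 5.5.5.5 host 1.1.1.1",
}
# Interface on R2 that carries the crypto map in each design.
CRYPTO_IFACE = {"gre_over_ipsec": "e0/1", "ipsec_over_gre": "tunnel0"}
# Outer GRE header R2 builds: tunnel source e0/1 (23.23.23.2), tunnel destination.
GRE_OUTER = ("23.23.23.2", "34.34.34.4")

def parse_acl(line):
    """Return (src, dst) from a host-to-host 'permit ip' ACL entry."""
    m = re.fullmatch(r"access-list \d+ per\w* ip host (\S+) host (\S+)", line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    return m.group(1), m.group(2)

def mirrored(design):
    """Crypto ACLs on the two peers must be exact mirror images."""
    src, dst = parse_acl(ACLS[(design, "R2")])
    return parse_acl(ACLS[(design, "R4")]) == (dst, src)

def selected_for_ipsec(design, inner_src, inner_dst):
    """Does R2's crypto ACL match a packet that is routed into Tunnel0?"""
    # On Tunnel0 the crypto map sees the original header; on e0/1 the packet
    # is already GRE-encapsulated, so it sees the outer tunnel endpoints.
    if CRYPTO_IFACE[design] == "tunnel0":
        seen = (inner_src, inner_dst)
    else:
        seen = GRE_OUTER
    return seen == parse_acl(ACLS[(design, "R2")])

# Constructed sample flows crossing the tunnel from R2 toward R4.
FLOWS = {
    "host 1.1.1.1 -> 5.5.5.5": ("1.1.1.1", "5.5.5.5"),
    "OSPF hello on Tunnel0": ("24.24.24.2", "224.0.0.5"),
    "other routed traffic (constructed)": ("10.0.0.1", "10.0.0.5"),
}

def coverage(design):
    """Map each sample flow to True if the design's crypto ACL selects it."""
    return {name: selected_for_ipsec(design, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for design in CRYPTO_IFACE:
        print(design, "mirrored:", mirrored(design), coverage(design))
```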
 
 