CCNP(ISCW)實驗：用命令行配置GRE OVER IPSEC ***

第一步：配置基本路由：見圖
第二步：配置tunnel
R1(config)#interface tunnel 1
R1(config-if)#ip add 10.0.0.1 255.255.255.252
R1(config-if)#tu so f0/0
R1(config-if)#tu destination 23.0.0.3

R3(config)#int tunnel 1
R3(config-if)#ip add 10.0.0.2 255.255.255.252
R3(config-if)#tu so f0/1
R3(config-if)#tu de 12.0.0.1
//上面三行分別是：

1. 定義tunnel的ip地址
2. 定義隧道的源地址，可以寫接口
3. 定義隧道的目標地址

第三步：配置路由協議
R3(config)#ip route 0.0.0.0 0.0.0.0 f0/1
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0

R1(config)#router ei 1
R1(config-router)#no au
R1(config-router)#net 129.168.1.1
R1(config-router)#net 10.0.0.0

R3(config)#router ei 1
R3(config-router)#no au
R3(config-router)#net 10.0.0.0
R3(config-router)#net 172.16.1.1
//R2 爲ISP不能運行路由協議，這是因爲運營商不可能將大量的路由信息轉發到本地路由

第四步：配置IPSEC ***
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp key 6 ccie address 23.0.0.3

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5

R1(config)#crypto ipsec transform-set r1 esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport

R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#int tunnel 1
R1(config-if)#crypto map libo1

R1(config)#crypto map libo1 1 ipsec-isakmp
R1(config-crypto-map)#set peer 23.0.0.3
R1(config-crypto-map)#set transform-set r1
R1(config-crypto-map)#match add 100
//以上步驟爲IPSEC ***的全部過程

R2上的配置與之對應

第五步：測試
R1#ping 172.16.1.1 so 192.168.1.1 repeat 20

Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20), round-trip min/avg/max = 12/55/148 ms
//這裏通了19個包，我們猜想會用19個包加密

R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 0
2 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 0
2001 Tunnel1 12.0.0.1 set 3DES+SHA 19 0
2002 Tunnel1 12.0.0.1 set 3DES+SHA 0 19

//這裏看到有19個包加密

第六步：爲了使公司內部的 pc有一個良好的上網環境，我們組R1與R3做PAT
R1(config)#access-list 111 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#access-list 111 permit ip 192.168.1.0 0.0.0.255 any

R3(config)#access-list 111 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#access-list 111 permit ip 172.16.1.0 0.0.0.255 any

R1(config)#ip nat inside source list 111 interface f0/0 overload
//這裏注意的是，出接口要在f0/0

第七步：定義inside和outside接口
R1(config)#int f0/1
R1(config-if)#ip nat inside
R1(config-if)#int f0/0
R1(config-if)#ip nat outside

第八步：綜合測試包括PAT和***

1. 先測試PAT
   pc1#ping 2.2.2.2
   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!! //ping正常
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/92 ms
pc1#2.2.2.2
Trying 2.2.2.2 ... Open

R2#exi //這裏顯示成功

[Connection to 2.2.2.2 closed by foreign host]

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 12.0.0.1:1 192.168.1.2:1 2.2.2.2:1 2.2.2.2:1
tcp 12.0.0.1:11000 192.168.1.2:11000 2.2.2.2:23 2.2.2.2:23
//這裏表明pat成功

1. 再測試GRE OVER IPSEC ***
   pc1#ping 172.16.1.1
   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/143/204 ms

R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
2 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 0
2001 Tunnel1 12.0.0.1 set 3DES+SHA 24 0
2002 Tunnel1 12.0.0.1 set 3DES+SHA 0 24
//加上上面19個一共爲24個包被加密