神州数码防火墙和路由器之间的gre over ipsec（保姆级教学）

RT2所需配置：

interface loopback 4

IP address 10.20.5.4 255.255.255.255

interface tunnel4

IP address 10.20.255.50 255.255.255.252

interface G0/3

IP address 200.200.200.6 255.255.255.252 

crypto isakmp key 0 12345 address 200.200.200.2 255.255.255.255

crypto isakmp policy 10

authentication pre-share

encryption 3des

group 2

hash md5

lifetime 86400

exit

crypto ipsec transform-set p2 esp-3des esp-md5-hmac

exit

crypto map ipsecacl 10 ipsec-isakmp

match address ipsec

set peer 200.200.200.2

set transform-set p2

exit

crypto key load-keyconf end

interface tunnel4

tunnel source 200.200.200.6

tunnel destination 200.200.200.2

tunnel speed-up

exit

interface G0/3

crypto map ipsecacl

exit

ip route cache

ip route default 200.200.200.5

IProute 10.20.6.4 255.255.255.255 tunnel4

ip access-list extended ipsec

permit gre 200.200.200.6 255.255.255.252 200.200.200.2 255.255.255.252 sequence 10

deny ip any any sequence 20

FW1所需配置：

interface e0/3

zone untrust 

IP address 200.200.200.2 255.255.255.252 

manage ssh

manage ping

manage snmp 

manage https

exit

interface loopback4

zone trust

IP address 10.20.6.4 255.255.255.255

manage ssh

manage ping

manage snmp 

manage https

exit

interface tunnel4

zone VPNHub

IP address 10.20.255.46 255.255.255.252

manage ssh

manage ping

manage snmp 

manage https

tunnel gre gre 

source 200.200.200.2

destination 200.200.200.6

interface e0/3

next-tunnel ipsec ipsecacl

exit

interface e0/3

shutdown track track

exit

interface tunnel4

tunnel gre gre 

exit

ip vrouter trust-vr

IP route 0.0.0.0/0 200.200.200.1

IP route 10.20.5.4/32 tunnel4