Cisco设备上配置GRE+IPSec

一、GREVPN（Generic Routing Encapsulation）通用路由封装，配合IPSec（加密数据）一起使用

GRE配置命令

interface tunnel 0  //创建tunnel（虚拟）接口（GRE隧道）

tunnel source 11.1.1.2   //指定本地的公网IP地址

tunnel destination 21.1.1.3   //指定对端的公网IP地址

ip address 192.168.1.2 255.255.255.0 //为本虚拟接口配置IP（内网）地址

 

二、配置案例

1、R1配置：

R1(config)# interface FastEthernet0/0

R1(config-if)# ip address 11.1.1.1 255.255.255.0

R1(config-if)# no shutdown

R1(config)# interface FastEthernet0/1

R1(config-if)# ip address 21.1.1.1 255.255.255.0

R1(config-if)# no shutdown

R1(config)# interface FastEthernet1/0

R1(config-if)# ip address 25.1.1.1 255.255.255.0

R1(config-if)# no shutdown

2、R2配置：

R2(config)# crypto isakmp policy 10

R2(config-isakmp)# encr aes

R2(config-isakmp)# hash md5

R2(config-isakmp)# authentication pre-share

R2(config-isakmp)# group 2

R2(config-isakmp)# lifetime 3600

R2(config-isakmp)# crypto isakmp key 6 CISCO20 address 0.0.0.0 0.0.0.0

R2(config)# crypto ipsec transform-set CISCO esp-aes esp-md5-hmac

R2(cfg-crypto-trans)# mode transport

R2(cfg-crypto-trans)# crypto ipsec profile MYPROFILE

R2(ipsec-profile)# set transform-set CISCO

 

R2(config)# interface Loopback0

R2(config-if)# ip address 2.2.2.2 255.255.255.255

R2(config-if)# ip ospf 1 area 0

R2(config)# interface FastEthernet0/0

R2(config-if)# ip address 11.1.1.2 255.255.255.0

R2(config-if)# no shutdown

R2(config)# ip route 0.0.0.0 0.0.0.0 11.1.1.1

R2(config)# interface tunnel 0

R2(config-if)# tunnel source 11.1.1.2

R2(config-if)# tunnel destination 21.1.1.3

R2(config-if)# ip address 192.168.1.2 255.255.255.0

R2(config-if)# tunnel protection ipsec profile MYPROFILE

R2(config-if)# ip ospf 1 area 0

 

3、R3配置：

R3(config)# crypto isakmp policy 10

R3(config-isakmp)# encr aes

R3(config-isakmp)# hash md5

R3(config-isakmp)# authentication pre-share

R3(config-isakmp)# group 2

R3(config-isakmp)# lifetime 3600

R3(config-isakmp)# crypto isakmp key 6 CISCO20 address 0.0.0.0 0.0.0.0

R3(config)# crypto ipsec transform-set CISCO esp-aes esp-md5-hmac

R3(cfg-crypto-trans)# mode transport

R3(cfg-crypto-trans)# crypto ipsec profile MYPROFILE

R3(ipsec-profile)# set transform-set CISCO

 

R3(config)# interface Loopback0

R3(config-if)# ip address 3.3.3.3 255.255.255.255

R3(config-if)# ip ospf 1 area 0

R3(config)# interface FastEthernet0/1

R3(config-if)# ip address 21.1.1.3 255.255.255.0

R3(config-if)# no shutdown

R3(config)# ip route 0.0.0.0 0.0.0.0 21.1.1.1

R3(config)# interface Tunnel0

R3(config-if)# ip address 192.168.1.3 255.255.255.0

R3(config-if)# tunnel source 21.1.1.3

R3(config-if)# tunnel destination 11.1.1.2

R3(config-if)# tunnel protection ipsec profile MYPROFILE

R3(config-if)# ip ospf 1 area 0

4、R4配置：

crypto isakmp policy 10

 encr aes

 hash md5

 authentication pre-share

 group 2

 lifetime 3600

crypto isakmp key 6 CISCO20 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set CISCO esp-aes esp-md5-hmac

 mode transport

crypto ipsec profile MYPROFILE

 set transform-set CISCO

 

interface Loopback0

 ip address 4.4.4.4 255.255.255.255

 ip ospf 1 area 0

interface FastEthernet1/0

 ip address 25.1.1.4 255.255.255.0

no shutdown

interface Tunnel0

 ip address 192.168.2.4 255.255.255.0

 ip ospf 1 area 0

 tunnel source 25.1.1.4

 tunnel destination 11.1.1.2

 tunnel protection ipsec profile MYPROFILE

route 0.0.0.0 0.0.0.0 25.1.1.1

 

三、验证

R2# ping 192.168.1.3

R2# traceroute 3.3.3.3 source loopback 0

抓包查看，数据已成功被加密