GRE over IPSEC
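To carry this traffic across a VPN built on IPsec, GRE must be used to encapsulate packets such as routing protocol messages into IP packets that IPsec can process. This makes routing between different networks possible across the IPsec VPN.
Use cases
Headquarters and branch offices are interconnected across the Internet.
A dynamic routing protocol runs between headquarters and the branch offices.
1. Configure GRE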
[AR1]interface Tunnel0/0/0
[AR1-Tunnel0/0/0]ip address 10.1.1.1 24
[AR1-Tunnel0/0/0]tunnel-protocol gre
[AR1-Tunnel0/0/0]source g0/0/0
[AR1-Tunnel0/0/0]destination 13.1.1.3
[AR1]ip route-static 0.0.0.0 0 12.1.1.2
2. Configure encryption
[AR1]acl name VPN 3999
[AR1-acl-adv-VPN]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 172.168.1.0 0.0.0.255
[AR1]ike proposal 10
[AR1]ike peer NAME v1
[AR1-ike-peer-NAME]pre-shared-key cipher ccie
[AR1-ike-peer-NAME]ike-proposal 10
[AR1-ike-peer-NAME]remote-address 10.1.1.2
[AR1]ipsec proposal TIYI
[AR1-ipsec-proposal-TIYI] encapsulation-mode transport
[AR1-ipsec-proposal-TIYI]esp authentication-algorithm sha1
[AR1-ipsec-proposal-TIYI]esp encryption-algorithm 3des
[AR1]ipsec policy L2L 10 isakmp
[AR1-ipsec-policy-isakmp-L2L-10]security acl 3999
[AR1-ipsec-policy-isakmp-L2L-10]ike-peer NAME
[AR1-ipsec-policy-isakmp-L2L-10]proposal TIYI
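Added example, not part of the original notes: a Python check that audits a Huawei VRP GRE over IPsec configuration for endpoint consistency and deprecated crypto settings, run here on the security-relevant AR1 commands above with the prompts stripped. It assumes the IPsec policy is applied on the physical interface that sources the tunnel, so the protected flow is the GRE packet between the tunnel endpoints; `audit`, the finding names and `MIN_PSK_LEN` are hypothetical names chosen for this example.

```python
import re

# Constructed input: the security-relevant AR1 commands from this page, prompts stripped.
AR1_CONFIG = """\
interface Tunnel0/0/0
 tunnel-protocol gre
 source g0/0/0
 destination 13.1.1.3
acl name VPN 3999
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 172.168.1.0 0.0.0.255
ike peer NAME v1
 pre-shared-key cipher ccie
 remote-address 10.1.1.2
ipsec proposal TIYI
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
"""

WEAK_ALGS = {"des", "3des", "md5", "sha1"}   # deprecated ESP ciphers and hashes
MIN_PSK_LEN = 20                              # assumed local policy, not a VRP limit


def audit(config):
    """Return a sorted list of finding IDs for one router's GRE over IPsec config."""
    def grab(pattern):
        m = re.search(pattern, config, re.M)
        return m.group(1) if m else None

    findings = set()
    tunnel_dst = grab(r"^[ \t]*destination (\S+)")
    # Assumption: policy sits on the physical interface, so IKE peers with the tunnel destination.
    if grab(r"^[ \t]*remote-address (\S+)") != tunnel_dst:
        findings.add("ike-peer-not-tunnel-destination")
    # The protected flow is the GRE packet itself: a host rule to the tunnel destination.
    rules = re.findall(r"rule \d+ permit (\S+) source \S+ \S+ destination (\S+) (\S+)", config)
    if not any(proto in ("gre", "ip") and dst == tunnel_dst and wc in ("0", "0.0.0.0")
               for proto, dst, wc in rules):
        findings.add("acl-does-not-match-gre-endpoints")
    if grab(r"^ike peer \S+ (v\d)") == "v1":
        findings.add("ikev1")
    for alg in re.findall(r"esp (?:authentication|encryption)-algorithm (\S+)", config):
        if alg in WEAK_ALGS:
            findings.add("weak-esp-" + alg)
    psk = grab(r"pre-shared-key cipher (\S+)")
    if psk is not None and len(psk) < MIN_PSK_LEN:
        findings.add("short-psk")
    return sorted(findings)
```

For the AR1 commands above, `audit(AR1_CONFIG)` reports the ACL and IKE peer address mismatches along with IKEv1, 3DES, SHA-1 and the four-character pre-shared key.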