Topology:
R1 F0/0 (172.16.1.1/24) -> R2 F0/0 (172.16.1.2/24) simulates the external (WAN) link
R1 F1/0 (192.168.1.1/24) simulates internal network 1
R2 F1/0 (192.168.2.1/24) simulates internal network 2
R1:
// Define the IKE policy used to build the phase 1 SA. The router walks through the policies we defined, looking for one whose parameters all match what the peer proposes, and uses that one; if none matches, phase 1 fails.
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key qhtest address 172.16.1.2
!
// Define the SA used in phase 2. Its encryption keys are generated randomly and are exchanged over the SA established in phase 1.
crypto ipsec transform-set myset esp-3des
!
// Define the crypto map
crypto map qh 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set myset
 match address 102
// Note that this references access list 102. Here we encrypt GRE packets rather than the internal address ranges as in the previous article: packets bound for internal network 2 are first encapsulated in GRE, then leave through the external interface and are encrypted by IPsec.
!
// Apply the crypto map to the interface
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex full
 crypto map qh
!
// Define the GRE tunnel interface
interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 tunnel source 172.16.1.1
 tunnel destination 172.16.1.2
// Because GRE can carry routing protocols, we enable a routing protocol on the tunnel interface
router ospf 100
 log-adjacency-changes
 redistribute connected subnets
 network 192.168.100.0 0.0.0.255 area 0
// This access list selects the GRE packets that are to be IPsec-encrypted
access-list 102 permit gre host 172.16.1.1 host 172.16.1.2
 
R2:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key qhtest address 172.16.1.1
!
!
crypto ipsec transform-set myset esp-3des
!
crypto map qh 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 102
!
interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 tunnel source 172.16.1.2
 tunnel destination 172.16.1.1
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex full
 crypto map qh
!
router ospf 100
 log-adjacency-changes
 redistribute connected subnets
 network 192.168.100.0 0.0.0.255 area 0
!
access-list 102 permit gre host 172.16.1.2 host 172.16.1.1
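Added example, not part of the original post: a small Python checker that parses the two router configs above (copied verbatim into constructed sample strings, trimmed to the lines it reads) and verifies the things that most often break a GRE-over-IPsec pair before the tunnel ever comes up: `set peer` and `tunnel destination` point at the other side's tunnel source, both sides hold the same pre-shared key for the right peer address, the crypto map is applied on the interface that owns the tunnel source, the crypto ACL permits GRE between the two tunnel endpoints, and the two ACLs are mirror images. It also flags weak algorithms (MD5, DES, 3DES) and a policy with no `encryption` line, since IOS then falls back to its default of DES. The parser only understands the handful of IOS commands used on this page; anything else is an assumption of this example.

```python
import re

# Constructed sample input: the two router configs from this page, trimmed to
# the lines the checker reads (addresses, names and key are verbatim).
R1_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key qhtest address 172.16.1.2
crypto ipsec transform-set myset esp-3des
crypto map qh 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set myset
 match address 102
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 crypto map qh
interface Tunnel0
 tunnel source 172.16.1.1
 tunnel destination 172.16.1.2
access-list 102 permit gre host 172.16.1.1 host 172.16.1.2
"""
R2_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key qhtest address 172.16.1.1
crypto ipsec transform-set myset esp-3des
crypto map qh 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 102
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map qh
interface Tunnel0
 tunnel source 172.16.1.2
 tunnel destination 172.16.1.1
access-list 102 permit gre host 172.16.1.2 host 172.16.1.1
"""

# One anchored regex per IOS command this checker understands (only the subset used on the page).
PATTERNS = {
    "hash": r"^hash (\S+)$",
    "encryption": r"^encryption (\S+)$",
    "auth": r"^authentication (\S+)$",
    "key": r"^crypto isakmp key (\S+) address (\S+)$",
    "transform": r"^crypto ipsec transform-set (\S+) (.+)$",
    "map": r"^crypto map (\S+) \d+ ipsec-isakmp$",
    "peer": r"^set peer (\S+)$",
    "set_ts": r"^set transform-set (\S+)$",
    "match": r"^match address (\S+)$",
    "interface": r"^interface (\S+)$",
    "ip": r"^ip address (\S+) \S+$",
    "apply_map": r"^crypto map (\S+)$",
    "tun_src": r"^tunnel source (\S+)$",
    "tun_dst": r"^tunnel destination (\S+)$",
    "acl": r"^access-list (\d+) permit (\S+) host (\S+) host (\S+)$",
}
WEAK = {"md5", "des", "3des", "esp-des", "esp-3des", "esp-md5-hmac"}  # algorithms to warn about

def parse_ios(text):
    """Extract the fields relevant to a site-to-site GRE-over-IPsec pair from one router's config."""
    cfg = {"keys": {}, "transforms": {}, "acl": {}, "if_ip": {}, "if_map": {}}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        for name, pat in PATTERNS.items():
            m = re.match(pat, line)
            if not m:
                continue
            g = m.groups()
            if name == "interface": current_if = g[0]
            elif name == "ip": cfg["if_ip"][current_if] = g[0]
            elif name == "apply_map": cfg["if_map"][current_if] = g[0]
            elif name == "key": cfg["keys"][g[1]] = g[0]                 # peer address -> PSK
            elif name == "transform": cfg["transforms"][g[0]] = g[1].split()
            elif name == "acl": cfg["acl"].setdefault(g[0], []).append(g[1:])  # (proto, src, dst)
            else: cfg[name] = g[0]
            break
    return cfg

def check_pair(a_text, b_text):
    """Return {'errors': [...], 'warnings': [...]} for two peers' configs; errors break the tunnel."""
    a, b = parse_ios(a_text), parse_ios(b_text)
    errors, warnings = [], []
    for me, other, label in ((a, b, "side A"), (b, a, "side B")):
        tsrc, tdst = me.get("tun_src"), me.get("tun_dst")
        if me.get("peer") != other.get("tun_src"):
            errors.append(f"{label}: set peer {me.get('peer')} is not the other side's tunnel source")
        if tdst != other.get("tun_src"):
            errors.append(f"{label}: tunnel destination {tdst} is not the other side's tunnel source")
        if me.get("peer") not in me["keys"]:
            errors.append(f"{label}: no isakmp key configured for peer {me.get('peer')}")
        outside = next((i for i, ip in me["if_ip"].items() if ip == tsrc), None)  # interface owning tunnel source
        if me["if_map"].get(outside) != me.get("map"):
            errors.append(f"{label}: crypto map {me.get('map')} is not applied on the tunnel-source interface")
        if ("gre", tsrc, tdst) not in me["acl"].get(me.get("match"), []):
            errors.append(f"{label}: crypto ACL {me.get('match')} does not permit gre {tsrc} -> {tdst}")
        for alg in me["transforms"].get(me.get("set_ts"), []) + [me.get("hash")]:
            if alg in WEAK:
                warnings.append(f"{label}: weak algorithm {alg}")
        if me.get("encryption") is None:
            warnings.append(f"{label}: no 'encryption' in isakmp policy, IOS defaults to DES")
    if set(a["keys"].values()) != set(b["keys"].values()):
        errors.append("pre-shared keys differ between the two sides")
    for field in ("hash", "auth", "encryption"):
        if a.get(field) != b.get(field):
            errors.append(f"isakmp {field} mismatch: {a.get(field)} vs {b.get(field)}")
    mirrored = {(p, d, s) for p, s, d in b["acl"].get(b.get("match"), [])}
    if set(a["acl"].get(a.get("match"), [])) != mirrored:
        errors.append("crypto ACLs are not mirror images of each other")
    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    for kind, items in check_pair(R1_CONFIG, R2_CONFIG).items():
        print(kind, items)
```

Run against the page's configs it reports no errors and six warnings (MD5 hash, 3DES transform and the DES default on each side); flipping one host in R2's access list 102, or changing the key on one side only, turns those into errors.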