IPsec over GRE

This technique is rarely used in practice.

R1

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key benet address 202.102.1.2
!
!
crypto ipsec transform-set benet-set esp-des esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set benet-set
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
!
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Serial1/1
 tunnel destination 202.102.1.2
 tunnel protection ipsec profile cisco
!
!
interface Serial1/1
 ip address 202.102.1.1 255.255.255.0
 serial restart-delay 0
!
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback1
 passive-interface Loopback2
 passive-interface Loopback3
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 123.1.1.0 0.0.0.255 area 0
!

Run the routing protocol: advertise the tunnel's IP and the internal-network IPs, and never advertise the physical interface's IP.

R2

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key benet address 202.102.1.1
!
!
crypto ipsec transform-set benet-set esp-des esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set benet-set
!
!
!
interface Loopback4
 ip address 4.4.4.4 255.255.255.0
!
interface Loopback5
 ip address 5.5.5.5 255.255.255.0
!
interface Loopback6
 ip address 6.6.6.6 255.255.255.0
!
interface Tunnel0
 ip address 123.1.1.2 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 202.102.1.1
 tunnel protection ipsec profile cisco
!
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback4
 passive-interface Loopback5
 passive-interface Loopback6
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 4.4.4.0 0.0.0.255 area 0
 network 5.5.5.0 0.0.0.255 area 0
 network 6.6.6.0 0.0.0.255 area 0
 network 123.1.1.0 0.0.0.255 area 0
!

The configuration is a standard LAN-to-LAN setup.

Packet structure: outer (public) source and destination | GRE | inner IP

Encryption must be applied on the tunnel interface; applying it on the physical interface has no practical meaning, and nothing will be encrypted.

Conditions for Tunnel0 to be up: the routing table contains a route for Tunnel0, Tunnel0 itself has a source and a destination configured, and that source and destination are reachable.

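Added example, not from the original notes: a small Python audit that reads a flat IOS configuration and flags the two mistakes these notes warn about, a Tunnel interface with no tunnel protection, and an OSPF network statement that covers the tunnel source's physical address. The embedded sample is constructed from the R1 configuration above with the physical subnet deliberately advertised; the blocks, ospf_net and audit helpers are my own names, not IOS commands.

```python
import ipaddress
# Constructed sample modelled on the R1 config in the notes, plus one deliberate
# mistake: OSPF also advertises the physical (tunnel source) subnet.
R1_SAMPLE = """\
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Serial1/1
 tunnel destination 202.102.1.2
 tunnel protection ipsec profile cisco
interface Serial1/1
 ip address 202.102.1.1 255.255.255.0
router ospf 1
 network 123.1.1.0 0.0.0.255 area 0
 network 202.102.1.0 0.0.0.255 area 0
"""

def blocks(text):
    """Yield (top-level command, [indented sub-commands]) for each IOS config block."""
    header, body = None, []
    for line in text.splitlines() + ["end"]:  # trailing "end" flushes the last block
        if line.startswith(" "):
            body.append(line.strip())
        elif line.strip() and line != "!":
            if header:
                yield header, body
            header, body = line.strip(), []

def ospf_net(cmd):
    """'network A.B.C.D W.W.W.W area N' -> ip_network; wildcard converted explicitly."""
    _, net, wildcard, *_ = cmd.split()
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # 0.0.0.0 -> /32
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def audit(text):
    """Flag tunnels without IPsec protection and tunnel sources advertised into OSPF."""
    intf, networks, findings = {}, [], []
    for header, body in blocks(text):
        if header.startswith("interface "):
            intf[header.split()[1]] = body
        elif header.startswith("router ospf"):
            networks += [ospf_net(c) for c in body if c.startswith("network ")]
    for name, body in intf.items():
        if not name.startswith("Tunnel"):
            continue
        if not any(c.startswith("tunnel protection ipsec profile") for c in body):
            findings.append(f"{name}: no tunnel protection, GRE would leave in the clear")
        src = next((c.split()[2] for c in body if c.startswith("tunnel source ")), None)
        addr = next((c.split()[2] for c in intf.get(src, []) if c.startswith("ip address ")), None)
        if addr and any(ipaddress.ip_address(addr) in n for n in networks):
            findings.append(f"{name}: tunnel source {addr} is advertised by OSPF, recursive routing risk")
    return findings
```
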
show cry en conn a

r1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Se1/1      IPsec DES+SHA                   0      145 202.102.1.1
    2 Se1/1      IPsec DES+SHA                 154        0 202.102.1.1
 1001 Se1/1      IKE   SHA+3DES                  0        0 202.102.1.1

r1#

Interesting traffic → routing table lookup → tunnel interface → hits the crypto map → encryption (the crypto endpoint, that is the peer, is used as the new outer header) → routing table lookup again → forwarded out.

Changing the peer to a loopback

!
crypto map cisco local-address Loopback11
!
!
interface Loopback11
 ip address 11.1.1.1 255.255.255.0
!
network 11.1.1.0 0.0.0.255 area 0

Configuration: phase 1 + phase 2 + crypto map cisco local-address loopback 0

The loopbacks on both sides serve as the source and destination of the second encapsulation.

In this case, applying the map on the physical interface has no effect.