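***--Part 5 (IPSEC+GRE) 2
Copyright notice: this is an original work. Reposting is permitted, provided that the repost indicates the article's
original source, author information and this notice by hyperlink. Otherwise, legal liability will be pursued.
http://liningxiao.blog.51cto.com/925890/237406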
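In the previous post we built a relatively simple interconnection between two sites.
In this post I will demonstrate something a bit more complex: the topology is a star topology, that is, an interconnection between one central site and multiple branches. We can use GRE, and we can also use NAT, which makes the setup more comprehensive.
Let's begin. Topology:
Steps: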
R1:
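! IKE phase 1 policy: MD5 hash, pre-shared key authentication
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
! Pre-shared keys for the two peers (R2 and R3)
crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
!
!
! Transform set: AH with SHA HMAC (authentication and integrity, no ESP encryption)
crypto ipsec transform-set tt ah-sha-hmac
!
! One crypto map entry per peer, each tied to its own crypto ACL
crypto map mymap 10 ipsec-isakmp
 set peer 202.102.102.2
 set transform-set tt
 match address 100
!
crypto map mymap 11 ipsec-isakmp
 set peer 202.102.101.2
 set transform-set tt
 match address 101
! Remote LANs are reached through the tunnel next hops
ip route 3.3.3.0 255.255.255.0 10.0.0.2
ip route 2.2.2.0 255.255.255.0 10.0.1.2
!
!
! Crypto ACLs match the gateway-to-gateway (GRE outer header) addresses
access-list 100 permit ip host 202.102.100.2 host 202.102.102.2
access-list 101 permit ip host 202.102.100.2 host 202.102.101.2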
R2:
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
! Pre-shared keys for the two peers (R1 and R3)
crypto isakmp key cisco address 202.102.100.2
crypto isakmp key cisco address 202.102.102.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 202.102.102.2
 set transform-set tt
 match address 100
!
crypto map mymap 11 ipsec-isakmp
 set peer 202.102.100.2
 set transform-set tt
 match address 101
ip route 1.1.1.0 255.255.255.0 10.0.1.1
ip route 3.3.3.0 255.255.255.0 10.0.2.2
!
!
! Crypto ACLs match the gateway-to-gateway addresses
access-list 100 permit ip host 202.102.101.2 host 202.102.102.2
access-list 101 permit ip host 202.102.101.2 host 202.102.100.2
R3:
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
! Pre-shared keys for the two peers (R1 and R2)
crypto isakmp key cisco address 202.102.100.2
crypto isakmp key cisco address 202.102.101.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 202.102.100.2
 set transform-set tt
 match address 100
!
crypto map mymap 11 ipsec-isakmp
 set peer 202.102.101.2
 set transform-set tt
 match address 101
ip route 1.1.1.0 255.255.255.0 10.0.0.1
ip route 2.2.2.0 255.255.255.0 10.0.2.1
!
!
! Crypto ACLs match the gateway-to-gateway addresses
access-list 100 permit ip host 202.102.102.2 host 202.102.100.2
access-list 101 permit ip host 202.102.102.2 host 202.102.101.2
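Be sure to pay attention to the configuration highlighted in red!
Because GRE is used, when a packet is sent out of the interface, the source and destination in its new IP header become the addresses of the ××× gateways. Keep this in mind; otherwise the traffic will not trigger negotiation and therefore will not be encrypted.
I did not paste the tunnel configuration; you can refer to the figure, where it is shown clearly!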
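The GRE point above can be checked with a small model, added here as an illustration and not part of the original post: it builds a GRE-encapsulated packet between R1 and R3 and tests IOS-style crypto ACL lines against its outer header. The host addresses 1.1.1.10 and 3.3.3.10, the LAN_ACL and GRE_ACL lines, and the reading of 1.1.1.0/24 and 3.3.3.0/24 as the LANs behind R1 and R3 are assumptions made for the example.

```python
import ipaddress
import struct

PROTOS = {"ip": None, "icmp": 1, "gre": 47}  # 'ip' matches any protocol

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload

def gre_encap(inner, tun_src, tun_dst):
    """Basic GRE (RFC 2784): 4-byte header, protocol type 0x0800, IP protocol 47."""
    return ipv4(tun_src, tun_dst, 47, struct.pack("!HH", 0, 0x0800) + inner)

def outer_header(pkt):
    """(protocol, src, dst) of the outermost IPv4 header, which the crypto ACL tests."""
    proto, src, dst = struct.unpack("!9xB2x4s4s", pkt[:20])
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

def _addr(tokens):
    """Consume one IOS address spec: 'host A' or 'A wildcard' (contiguous wildcards only)."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(first + "/" + tokens.pop(0))  # wildcard read as host mask

def acl_permits(line, pkt):
    """True if 'access-list N permit <proto> <src> <dst>' matches pkt's outer header."""
    tokens = line.split()[2:]  # drop 'access-list N'
    action, proto = tokens.pop(0), PROTOS[tokens.pop(0)]
    src_net, dst_net = _addr(tokens), _addr(tokens)
    p, src, dst = outer_header(pkt)
    return action == "permit" and proto in (None, p) and src in src_net and dst in dst_net

# Constructed sample: a host behind R1 pings a host behind R3 through the R1-R3 tunnel.
INNER = ipv4("1.1.1.10", "3.3.3.10", 1, b"\x08\x00" + bytes(6))
ON_WIRE = gre_encap(INNER, "202.102.100.2", "202.102.102.2")
PAGE_ACL = "access-list 100 permit ip host 202.102.100.2 host 202.102.102.2"  # R1, from the page
LAN_ACL = "access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255"  # hypothetical
GRE_ACL = "access-list 100 permit gre host 202.102.100.2 host 202.102.102.2"  # hypothetical

def demo():
    """ACL name -> whether it selects the GRE packet leaving R1's outside interface."""
    return {name: acl_permits(acl, ON_WIRE)
            for name, acl in (("page", PAGE_ACL), ("lan", LAN_ACL), ("gre", GRE_ACL))}

if __name__ == "__main__":
    print(demo())                       # what the crypto map sees on the wire
    print(acl_permits(LAN_ACL, INNER))  # the LAN ACL only matches before encapsulation
```

Only the ACLs written against the tunnel endpoints select the packet on the wire; an ACL written against the LAN subnets matches the inner packet but never the GRE outer header.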
This article is from the "liningxiao'blog" blog; please be sure to retain this attribution.
This article is from the 51CTO.COM technical blog.
Reposted from: https://blog.51cto.com/wirless/273439