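The material comes from an online video; these are my notes.
For the video tutorial, see http://www.verycd.com/topics/2802335/
IPSec VPN router configuration: tunnel mode
By default, IPsec does not support multicast.
GRE tunnel + IPsec transport mode
The default encapsulation on a tunnel interface is GRE.
Lab:
Basic GRE configuration commands for R1: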
en
conf t
hostname R1
no ip domain-lookup
ip classless
ip subnet-zero
int loopback0
ip addr 10.2.2.1 255.255.255.0
int s1/0
ip addr 203.0.0.1 255.255.255.0
no shut
int f0/0
ip addr 201.0.0.1 255.255.255.0
no shut
int tunnel 0
ip unnumbered s1/0
tunnel source s1/0
tunnel destination 203.0.0.2
no shut
exit
ip route 0.0.0.0 0.0.0.0 203.0.0.2
ip route 10.1.1.0 255.255.255.0 tunnel 0
ip route 0.0.0.0 0.0.0.0 tunnel 0
end
sh ip route
GRE configuration for R2:
en
conf t
hostname R2
no ip domain-lookup
ip subnet-zero
ip classless
int loopback 0
ip addr 10.2.2.2 255.255.255.0
no shut
int s1/0
ip addr 203.0.0.2 255.255.255.0
no shut
int f0/0
ip addr 202.0.0.1 255.255.255.0
no shut
int tunnel 0
ip unnumbered s1/0
tunnel source s1/0
tunnel destination 203.0.0.1
no shut
exit
ip route 0.0.0.0 0.0.0.0 203.0.0.1
ip route 10.1.1.0 255.255.255.0 tunnel0
ip route 0.0.0.0 0.0.0.0 tunnel0
end
sh ip rout
#########
sh ip rout should produce the following output:
C 201.0.0.0/24 is directly connected, FastEthernet0/0
C 203.0.0.0/24 is directly connected, Serial1/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.2.2.0 is directly connected, Loopback0
S 10.1.1.0 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 203.0.0.2
is directly connected, Tunnel0
##########
IPsec commands for R1:
en
conf t
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key cisco1234 address 203.0.0.2
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
mode transport
exit
access-list 101 permit gre host 203.0.0.1 host 203.0.0.2
crypto map cisco 10 ipsec-isakmp
set peer 203.0.0.2
set transform-set ccsp
match address 101
exit
int s1/0
crypto map cisco
no shut
end
sh ip int b
sh ip rou
IPsec commands for R2:
en
conf t
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
crypto isakmp key cisco1234 address 203.0.0.1
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
mode transport
exit
access-list 101 permit gre host 203.0.0.2 host 203.0.0.1
crypto map cisco 10 ipsec-isakmp
set peer 203.0.0.1
set transform-set ccsp
match address 101
exit
int s1/0
crypto map cisco
no shut
end
sh ip int b
sh ip rou
sh int tunnel 0
sh crypto ipsec sa
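An added example (not part of the original notes): a small Python check that audits a GRE-over-IPsec config like the ones above, verifying that the ISAKMP key address, crypto map peer and crypto ACL destination all match the tunnel destination and that the transform set uses transport mode. It also flags the lab's DES, 3DES, MD5 and DH group 2 settings, which this example assumes are weak; SAMPLE_R1, audit and is_ipv4 are names made up for the example, and the sample config is constructed.

```python
import ipaddress
import re
# Assumption of this example: DES/3DES, MD5 and DH groups 1, 2, 5 count as weak.
WEAK_IKE = {"hash": {"md5"}, "encryption": {"des", "3des"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
# Constructed sample: R1's tunnel and crypto lines with a mistyped key address.
SAMPLE_R1 = """\
 tunnel destination 203.0.0.2
crypto isakmp policy 10
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco1234 address 203.0.02
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
 mode transport
access-list 101 permit gre host 203.0.0.1 host 203.0.0.2
crypto map cisco 10 ipsec-isakmp
 set peer 203.0.0.2
"""

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def audit(config):
    """Return a list of findings for a GRE-over-IPsec IOS config given as text."""
    grab = lambda pat: re.findall(r"^\s*" + pat, config, re.MULTILINE)
    dest = grab(r"tunnel destination (\S+)")
    checks = {"isakmp key address": grab(r"crypto isakmp key \S+ address (\S+)"),
              "crypto map peer": grab(r"set peer (\S+)"),
              "crypto ACL destination": grab(r"access-list \d+ permit gre host \S+ host (\S+)")}
    findings = []
    for name, values in checks.items():
        for v in values:
            if not is_ipv4(v):
                findings.append(f"{name} {v} is not a valid IPv4 address")
            elif dest and v != dest[0]:
                findings.append(f"{name} {v} != tunnel destination {dest[0]}")
    for line in config.splitlines():
        w = line.split() + ["", ""]  # pad so w[1] always exists
        if w[1] in WEAK_IKE.get(w[0], ()):
            findings.append(f"weak IKE {w[0]}: {w[1]}")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"weak ESP transform: {t}" for t in w[4:] if t in WEAK_ESP]
    if not grab(r"mode transport"):
        findings.append("no 'mode transport': IPsec defaults to tunnel mode, adding a second IP header")
    return findings
```

Calling audit(SAMPLE_R1) reports the malformed key address first, followed by the weak IKE and ESP settings.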
Reposted from: https://blog.51cto.com/wugai/667060