The material comes from an online video; these are my notes.

 
For the video tutorial, see http://www.verycd.com/topics/2802335/
 
 
 
IPSec VPN router configuration ---- tunnel mode
 
 
By default, IPsec does not support multicast.

GRE tunnel + IPsec transport

The default encapsulation of a tunnel interface is GRE.
 
 
 
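Lab:

Basic GRE configuration commands for R1:

en
conf t
hostname R1
no ip domain-lookup
ip classless
ip subnet-zero

! Loopback0: the 10.2.2.0/24 network on R1
int loopback0
ip addr 10.2.2.1 255.255.255.0

! Serial link to R2; also used as the GRE tunnel source
int s1/0
ip addr 203.0.0.1 255.255.255.0
no shut

int f0/0
ip addr 201.0.0.1 255.255.255.0
no shut

! GRE tunnel to R2 (GRE is the default tunnel encapsulation)
int tunnel 0
ip unnumbered s1/0
tunnel source s1/0
tunnel destination 203.0.0.2
no shut
exit

! Static routes: 10.1.1.0/24 is reached through the tunnel
ip route 0.0.0.0 0.0.0.0 203.0.0.2
ip route 10.1.1.0 255.255.255.0 tunnel 0
ip route 0.0.0.0 0.0.0.0 tunnel 0
end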
 
sh ip route 
 
 
 
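GRE configuration for R2:

en
conf t
hostname R2
no ip domain-lookup
ip subnet-zero
ip classless

! As written, R2's Loopback0 is in 10.2.2.0/24, the same subnet as R1's Loopback0,
! and 10.1.1.0/24 is routed into the tunnel on both routers. For end-to-end tests
! R2 needs an interface in 10.1.1.0/24 and a route for 10.2.2.0/24 via the tunnel.
int loopback 0
ip addr 10.2.2.2 255.255.255.0
no shut

! Serial link to R1; also used as the GRE tunnel source
int s1/0
ip addr 203.0.0.2 255.255.255.0
no shut

int f0/0
ip addr 202.0.0.1 255.255.255.0
no shut

! GRE tunnel to R1
int tunnel 0
ip unnumbered s1/0
tunnel source s1/0
tunnel destination 203.0.0.1
no shut
exit

ip route 0.0.0.0 0.0.0.0 203.0.0.1
ip route 10.1.1.0 255.255.255.0 tunnel0
ip route 0.0.0.0 0.0.0.0 tunnel0
end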
 
sh ip rout 
 
 
 
 
 
#########
sh ip rout should produce the following output:
 
C    201.0.0.0/24 is directly connected, FastEthernet0/0
C    203.0.0.0/24 is directly connected, Serial1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.2.2.0 is directly connected, Loopback0
S       10.1.1.0 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 203.0.0.2
               is directly connected, Tunnel0
##########
 
 
 
 
 
 
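IPsec commands for R1:

en
conf t
! IKE phase 1 (ISAKMP) policy
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
exit

! Pre-shared key for the peer R2
crypto isakmp key cisco1234 address 203.0.0.2
! IPsec transform set; transport mode, because GRE already provides the tunnel
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
mode transport
exit

! Traffic to protect: GRE between the two tunnel endpoints
access-list 101 permit gre host 203.0.0.1 host 203.0.0.2

! The crypto map ties together the peer, the transform set and the ACL
crypto map cisco 10 ipsec-isakmp
set peer 203.0.0.2
set transform-set ccsp
match address 101
exit

! Apply the crypto map to the physical interface used as the tunnel source
int s1/0
crypto map cisco
no shut
end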
 
sh ip int b
sh ip rou
 
 
 
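IPsec for R2:

en
conf t
! IKE phase 1 (ISAKMP) policy; must match R1's policy
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
exit

! Pre-shared key for the peer R1
crypto isakmp key cisco1234 address 203.0.0.1

! IPsec transform set; transport mode, because GRE already provides the tunnel
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
mode transport
exit

! Traffic to protect: GRE between the two tunnel endpoints (mirror of R1's ACL)
access-list 101 permit gre host 203.0.0.2 host 203.0.0.1

! The crypto map ties together the peer, the transform set and the ACL
crypto map cisco 10 ipsec-isakmp
set peer 203.0.0.1
set transform-set ccsp
match address 101
exit

! Apply the crypto map to the physical interface used as the tunnel source
int s1/0
crypto map cisco
no shut
end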
 
sh ip int b
sh ip rou
sh int tunnel 0
sh crypto ipsec sa
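
The lab's IKE policy and transform set use DES, 3DES, MD5 and DH group 2, all of which are obsolete. The following is an added example, not part of the original notes, showing R1's IPsec section with stronger algorithms and the same GRE-over-IPsec transport-mode design. Assumptions: an IOS 15.x image that supports these keywords; the names GRE-AES and GRE-MAP and the key placeholder are hypothetical; R2 mirrors this with the peer addresses swapped.

```cisco
! Added example: hardened IPsec section for R1 (not from the original notes).
! Assumes an IOS 15.x image with AES, SHA-256 and DH group 14 support.
conf t
crypto isakmp enable
! IKE phase 1: AES-256 / SHA-256 / DH group 14 replace 3des / md5 / group 2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
exit
! Placeholder key: use a long random value, not the lab's cisco1234
crypto isakmp key REPLACE_WITH_LONG_RANDOM_PSK address 203.0.0.2
! IPsec phase 2: esp-aes 256 + esp-sha256-hmac replace esp-des + esp-md5-hmac
crypto ipsec transform-set GRE-AES esp-aes 256 esp-sha256-hmac
 mode transport
exit
! Same crypto ACL as the lab: protect only GRE between the tunnel endpoints
access-list 101 permit gre host 203.0.0.1 host 203.0.0.2
! Hypothetical map name; PFS adds a fresh DH exchange for each IPsec SA
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.0.2
 set transform-set GRE-AES
 set pfs group14
 match address 101
exit
! An interface holds one crypto map; this replaces the lab's "cisco" map
int s1/0
 crypto map GRE-MAP
end
! Verify the negotiated algorithms and that encaps/decaps counters increase
sh crypto isakmp sa
sh crypto ipsec sa
```

Both peers must carry matching policies, transform sets and keys, otherwise IKE negotiation fails and no SA appears in the show output.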