下面以上图所示的环境演示 Dynamic p2p GRE over IPsec 的效果。图中有上海和武汉两个公司网络，上海要与武汉之间实现 VPN 通信，并且需要通过动态路由协议 EIGRP 交换双方内网的网段信息，因此要在两地路由器之间建立 p2p GRE 隧道，再用 p2p GRE over IPsec 保护隧道中的数据。但武汉路由器连接 Internet 的接口没有固定公网 IP，其地址由 DHCP 动态获得，对端无法预先知道隧道终点的公网地址，这给 GRE 隧道的建立带来了麻烦，所以我们配置 Dynamic p2p GRE over IPsec 来解决这一问题。
配置步骤:
R1
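en
conf t
!
! Console line. "no exec-timeout" is a lab convenience only: on production
! gear an idle console session that never times out is an unattended
! privileged shell - restore a timeout (e.g. "exec-timeout 10 0") outside
! the lab.
line con 0
 no exec-timeout
 exit
!
hostname R1
!
! Shanghai inside host (R1 stands in for the 192.168.1.0/24 LAN).
interface FastEthernet0/0
 no shutdown
 ip address 192.168.1.1 255.255.255.0
 exit
!
! R1 runs no routing protocol and has no other interface, so without a
! route toward 192.168.2.0/24 the "R1#ping 192.168.2.5" in the test section
! could not succeed as listed; the original listing omits any route.
! Point the default at R2's inside address.
ip route 0.0.0.0 0.0.0.0 192.168.1.2
end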
====================R2============================
en
conf t
!
! Console line - lab convenience only; an exec session that never times
! out is not acceptable on production equipment.
line con 0
 no exec-timeout
 exit
!
hostname R2
!
! Shanghai side: inside LAN on f0/0, fixed public address on f1/0.
interface FastEthernet0/0
 no shutdown
 ip address 192.168.1.2 255.255.255.0
interface FastEthernet1/0
 no shutdown
 ip address 23.23.23.2 255.255.255.0
 exit
!
ip route 0.0.0.0 0.0.0.0 23.23.23.3
!
! Static side of the p2p GRE tunnel. The destination is R4's Loopback0
! (4.4.4.4); the Internet router has no route to that prefix, so the GRE
! packets only get delivered once the crypto map on f1/0 wraps them in ESP
! toward the public address learned from R4's IKE negotiation. The tunnel
! shows up/up before that (there is a default route), which is misleading.
! NOTE(review): the interface MTU of 1476 accounts for GRE only; the ESP
! overhead added afterwards pushes full-size packets past 1500 bytes on
! the wire. Consider "ip mtu 1400" / "ip tcp adjust-mss 1360" on both
! tunnel ends to avoid post-encryption fragmentation.
interface Tunnel2
 no shutdown
 ip address 1.1.1.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 4.4.4.4
 exit
动态 VPN 配置（R2：静态公网 IP 一侧，使用 dynamic crypto map 接受事先不知道地址的对端）
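! IKE phase 1 (ISAKMP) policy. 3DES / SHA-1 / DH group 2 are what R4's
! policy 10 offers, so they stay here for interoperability; all three are
! below current guidance (AES-256, SHA-256, DH group 14 or higher). Change
! them on both peers together, never on one side alone.
! The original listing had "lifetime 864000" (10 days) here while R4 uses
! 86400; the peers negotiate the lower value, but the mismatch was a typo
! and is corrected to match R4.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
 exit
!
! Wildcard pre-shared key: R4's public address is DHCP-assigned, so R2
! cannot bind the key to a peer address. That makes this PSK the only thing
! authenticating any host on the Internet that reaches R2's IKE port - use
! a long random secret (the value is redacted as "d***" in the original and
! must be replaced) and prefer certificate / RSA-sig authentication where
! the platform allows it.
! NOTE(review): the "6" keyword selects type-6 (AES) storage; this only
! protects the key at rest if "key config-key password-encryption" and
! "password encryption aes" are also configured - confirm on the device.
crypto isakmp key 6 d*** address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 exit
!
! Dynamic crypto map: no "set peer" and no "match address", because both
! are learned from R4's IKE negotiation. Consequence: R2 can never
! initiate; the IPsec SA exists only after R4 has brought it up.
crypto dynamic-map mymap 10
 set transform-set myset
 exit
crypto map mymap1 10 ipsec-isakmp dynamic mymap
crypto map mymap1 local-address FastEthernet1/0
!
! The map goes on the Internet-facing interface that sources the tunnel.
interface FastEthernet1/0
 crypto map mymap1
 exit
!
! EIGRP across the tunnel and the inside LAN; 1.1.1.2 is Tunnel2.
router eigrp 100
 no auto-summary
 network 1.1.1.2 0.0.0.0
 network 192.168.1.2 0.0.0.0
 exit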
=====================Internet==========================
en
conf t
!
! Console line - lab convenience only.
line con 0
 no exec-timeout
 exit
!
hostname Internet
!
! Stands in for the ISP: one link toward R2 (fixed address) and one
! toward R4 (addressed by DHCP from this router).
interface FastEthernet0/0
 no shutdown
 ip address 23.23.23.3 255.255.255.0
interface FastEthernet1/0
 no shutdown
 ip address 34.34.34.3 255.255.255.0
 exit
!
! DHCP for R4's WAN interface; the gateway handed out is this router.
! Excluding our own address keeps it from ever being leased (the exclusion
! and the pool can be entered in either order).
ip dhcp excluded-address 34.34.34.3
service dhcp
ip dhcp pool TEL
 network 34.34.34.0 255.255.255.0
 default-router 34.34.34.3
 exit
!
! No route to 4.4.4.0/24 (R4's Loopback0, the GRE endpoint) is configured
! here, just as a real ISP would not carry it - which is why bare GRE
! cannot work in this topology and the tunnel has to ride inside IPsec.
end
======================R4================================
en
conf t
!
! Console line - lab convenience only.
line con 0
 no exec-timeout
 exit
!
hostname R4
!
! Wuhan side. The WAN address comes from the Internet router's DHCP pool,
! so it is not known in advance - this is the reason for the whole design.
interface FastEthernet1/0
 no shutdown
 ip address dhcp
interface FastEthernet0/0
 no shutdown
 ip address 192.168.2.4 255.255.255.0
!
! Loopback0 gives R4 a fixed GRE endpoint (4.4.4.4) regardless of what
! DHCP hands the WAN interface; R2's "tunnel destination" points at it.
interface Loopback0
 no shutdown
 ip address 4.4.4.4 255.255.255.0
 exit
!
! NOTE(review): IOS normally installs a default route from the
! DHCP-supplied default-router, so this static entry is expected to be
! redundant, and it pins the gateway DHCP happened to hand out - confirm
! whether it is really needed on the platform used.
ip route 0.0.0.0 0.0.0.0 34.34.34.3
!
! Dynamic side of the p2p GRE tunnel: sourced from the stable loopback,
! destined to R2's fixed public address.
interface Tunnel4
 no shutdown
 ip address 1.1.1.4 255.255.255.0
 tunnel source Loopback0
 tunnel destination 23.23.23.2
 exit
!
! Static route steering the Shanghai LAN into the tunnel; the same prefix
! is also expected to arrive via EIGRP once the adjacency over Tunnel4
! forms.
ip route 192.168.1.0 255.255.255.0 Tunnel4
静态 VPN 配置（R4：DHCP 动态公网 IP 一侧，使用静态 crypto map 指定对端 23.23.23.2）
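! IKE phase 1 policy - must match R2's policy 10 (3DES / SHA-1 / PSK /
! DH group 2). These are legacy algorithms; move both peers to AES-256,
! SHA-256 and DH group 14+ together, never one side alone.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
 exit
!
! R4 knows R2's fixed public address, so the key is bound to it - no
! wildcard is needed on this side. The key value is redacted as "d***" in
! the original and must be replaced by a long random secret; the same
! type-6 storage caveat as on R2 applies ("key config-key
! password-encryption" is needed for the key to be protected at rest).
crypto isakmp key 6 d*** address 23.23.23.2
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 exit
!
! Crypto ACL: protect exactly the GRE (IP protocol 47) flow of Tunnel4,
! i.e. source = the tunnel source Loopback0 (4.4.4.4), destination = R2's
! tunnel source. The original listing had "3.3.3.3" here, which matches no
! interface on R4 and would never trigger the SA; the captured
! "show crypto ipsec sa" (local ident 4.4.4.4/32 proto 47) confirms 4.4.4.4.
access-list 100 permit gre host 4.4.4.4 host 23.23.23.2
!
! Static crypto map: R4 can name its peer, which is why R4 must always be
! the initiator (R2's dynamic map has no peer until R4 negotiates).
crypto map mymap1 10 ipsec-isakmp
 set peer 23.23.23.2
 set transform-set myset
 match address 100
 exit
!
! The crypto map and local-address belong on the Internet-facing
! interface, which in this listing is FastEthernet1/0 (the DHCP
! interface). The original pointed local-address at f0/0 (the
! 192.168.2.0/24 LAN side) and omitted the "interface" command before
! applying the map. NOTE(review): the captured output shows the map on
! FastEthernet0/0 with 34.34.34.1, so interface naming in the lab differed
! from this listing - apply it to whichever interface actually holds the
! DHCP address.
crypto map mymap1 local-address FastEthernet1/0
interface FastEthernet1/0
 crypto map mymap1
 exit
!
router eigrp 100
 no auto-summary
 ! Tunnel4 is 1.1.1.4, not 1.1.1.2 (that is R2's end of the tunnel); with
 ! 1.1.1.2 the tunnel interface would never join EIGRP on R4 and no routes
 ! would be exchanged over it. The captured "show ip interface tunnel 4"
 ! (group 224.0.0.10 joined) shows EIGRP was in fact active on Tunnel4.
 network 1.1.1.4 0.0.0.0
 network 192.168.2.4 0.0.0.0
 exit
end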
===========================R5==============================
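en
conf t
!
! Console line - lab convenience only; restore an exec-timeout outside
! the lab.
line con 0
 no exec-timeout
 exit
!
hostname R5
!
! Wuhan inside host (R5 stands in for the 192.168.2.0/24 LAN).
interface FastEthernet0/0
 no shutdown
 ip address 192.168.2.5 255.255.255.0
 exit
!
! R5 runs no routing protocol and has no other interface, so without a
! route toward 192.168.1.0/24 the "R5#ping 192.168.1.1" in the test section
! could not succeed as listed; the original listing omits any route.
! Point the default at R4's inside address.
ip route 0.0.0.0 0.0.0.0 192.168.2.4
end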
 
实验调试:
R2#sh ip int tunnel 2
Tunnel2 is up, line protocol is up
  Internet address is 1.1.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
R4#sh ip int tunnel 4
Tunnel4 is up, line protocol is up
  Internet address is 1.1.1.4/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
R2#sh crypto isakmp peers
Peer: 34.34.34.1 Port: 500 Local: 23.23.23.2
 Phase1 id: 34.34.34.1
R2#sh crypto ipsec sa
interface: FastEthernet1/0
    Crypto map tag: mymap1, local addr 23.23.23.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 34.34.34.1 port 500
     PERMIT, flags={}
    #pkts encaps: 373, #pkts encrypt: 373, #pkts digest: 373
    #pkts decaps: 331, #pkts decrypt: 331, #pkts verify: 331
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 23.23.23.2, remote crypto endpt.: 34.34.34.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x30A2273A(815933242)
     inbound esp sas:
      spi: 0xFBFBD275(4227584629)
        transform: esp-3des esp-sha-hmac ,
R4#sh crypto isakmp peers
Peer: 23.23.23.2 Port: 500 Local: 34.34.34.1
 Phase1 id: 23.23.23.2
R4#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: mymap1, local addr 34.34.34.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   current_peer 23.23.23.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
    #pkts decaps: 394, #pkts decrypt: 394, #pkts verify: 394
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 34.34.34.1, remote crypto endpt.: 23.23.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xFBFBD275(4227584629)
     inbound esp sas:
      spi: 0x30A2273A(815933242)
        transform: esp-3des esp-sha-hmac ,
实验分析测试:
R1#ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/234/340 ms
R5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/264/352 ms
  • 当两地需要建立 VPN 并通过动态路由协议交换内网路由时，需要采用 GRE 隧道来承载路由协议报文，并用 GRE over IPsec 保护隧道中的数据。
  • 即使 p2p GRE 隧道接口显示 up/up，隧道也还不能使用：在一方静态 IP、一方动态 IP 的场景下，R2 的隧道目的地址是 R4 的 Loopback0（4.4.4.4），Internet 上并没有到它的路由；只有配置了 p2p GRE over IPsec，GRE 报文被封装进发往对端实际公网地址的 ESP 之后才能到达对端，否则 p2p GRE 隧道无法工作。
  • 在 Dynamic p2p GRE over IPsec 环境下，必须先由动态 IP 一方（R4）向静态 IP 一方（R2）发送数据，否则 GRE 隧道无法建立、VPN 无法完成：R2 上的 dynamic crypto map 没有 set peer，对端地址只能从 R4 发起的 IKE 协商中学到，在此之前 R2 无法主动发起协商。读者可自行测试验证。