Cisco IOS GRE (tunnel) + IPsec (transport mode + pre-shared key) configuration
1. GRE configuration on the London router.

London(config)#interface Loopback0
London(config-if)#ip address 10.1.1.1 255.255.255.0
London(config)#interface Serial0/0
London(config-if)#ip address 173.16.1.1 255.255.255.252
London(config-if)#no shutdown
London(config)#interface Tunnel0
London(config-if)#ip unnumbered Serial0/0
London(config-if)#tunnel source Serial0/0
London(config-if)#tunnel destination 173.16.1.5
London(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.2
London(config)#ip route 10.2.2.0 255.255.255.0 Tunnel0

2. GRE configuration on the Denver router.

Denver(config)#interface Loopback0
Denver(config-if)#ip address 10.2.2.1 255.255.255.0
Denver(config)#interface Serial0/0
Denver(config-if)#ip address 173.16.1.5 255.255.255.252
Denver(config-if)#no shutdown
Denver(config)#interface Tunnel0
Denver(config-if)#ip unnumbered Serial0/0
Denver(config-if)#tunnel source Serial0/0
Denver(config-if)#tunnel destination 173.16.1.1
Denver(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.6
Denver(config)#ip route 10.1.1.0 255.255.255.0 Tunnel0

3. IPsec configuration on the London router.

London(config)#crypto isakmp enable
London(config)#crypto isakmp policy 10
London(config-isakmp)#hash md5
London(config-isakmp)#authentication pre-share
London(config-isakmp)#encryption 3des
London(config-isakmp)#group 2
London(config)#crypto isakmp key cisco1234 address 173.16.1.5
London(config)#crypto ipsec transform-set ccsp esp-des esp-md5-hmac
London(cfg-crypto-trans)#mode transport
London(config)#crypto map cisco 10 ipsec-isakmp
London(config-crypto-map)#set peer 173.16.1.5
London(config-crypto-map)#set transform-set ccsp
London(config-crypto-map)#match address 101
London(config)#access-list 101 permit gre host 173.16.1.1 host 173.16.1.5
London(config)#interface Serial0/0
London(config-if)#crypto map cisco

4. IPsec configuration on the Denver router.

Denver(config)#crypto isakmp enable
Denver(config)#crypto isakmp policy 10
Denver(config-isakmp)#hash md5
Denver(config-isakmp)#authentication pre-share
Denver(config-isakmp)#encryption 3des
Denver(config-isakmp)#group 2
Denver(config)#crypto isakmp key cisco1234 address 173.16.1.1
Denver(config)#crypto ipsec transform-set ccsp esp-des esp-md5-hmac
Denver(cfg-crypto-trans)#mode transport
Denver(config)#crypto map cisco 10 ipsec-isakmp
Denver(config-crypto-map)#set peer 173.16.1.1
Denver(config-crypto-map)#set transform-set ccsp
Denver(config-crypto-map)#match address 101
Denver(config)#access-list 101 permit gre host 173.16.1.5 host 173.16.1.1
Denver(config)#interface Serial0/0
Denver(config-if)#crypto map cisco
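As an added consistency check (not part of the original post), the script below parses the security-relevant lines of the two configurations above and verifies what must agree for the IKE/IPsec session between London and Denver to come up: set peer and the ISAKMP key address point at the other side's WAN address, the pre-shared key and transform set match, and each crypto ACL selects exactly the GRE flow between the tunnel endpoints and is the mirror image of the peer's ACL. It also lists the legacy algorithms (DES, MD5) named in the transform set; the field names and the LEGACY list are this example's own choices.

```python
import re
# Security-relevant lines of the page's two configs (CLI prompts dropped, other lines omitted).
LONDON = """ip address 173.16.1.1 255.255.255.252
tunnel destination 173.16.1.5
crypto isakmp key cisco1234 address 173.16.1.5
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
set peer 173.16.1.5
access-list 101 permit gre host 173.16.1.1 host 173.16.1.5"""
DENVER = """ip address 173.16.1.5 255.255.255.252
tunnel destination 173.16.1.1
crypto isakmp key cisco1234 address 173.16.1.1
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
set peer 173.16.1.1
access-list 101 permit gre host 173.16.1.5 host 173.16.1.1"""
LEGACY = ("esp-des", "esp-md5-hmac")  # 56-bit DES and MD5 are deprecated by Cisco

def grab(pattern, cfg):  # capture groups of the first config line matching pattern
    return re.search(pattern, cfg, re.M).groups()

def parse(cfg):  # fields that must agree between the two VPN endpoints
    f = {"wan": grab(r"^ip address (\S+)", cfg)[0],
         "tunnel_dst": grab(r"^tunnel destination (\S+)", cfg)[0],
         "peer": grab(r"^set peer (\S+)", cfg)[0],
         "transform": grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg)[0]}
    f["psk"], f["psk_peer"] = grab(r"^crypto isakmp key (\S+) address (\S+)", cfg)
    f["acl"] = grab(r"^access-list \d+ permit (\S+) host (\S+) host (\S+)", cfg)
    return f

def check_pair(a_cfg, b_cfg):
    """Return mismatch findings between two endpoints; an empty list means consistent."""
    a, b = parse(a_cfg), parse(b_cfg)
    out = []
    for x, y in ((a, b), (b, a)):  # each side must point at the other side's WAN address
        if x["peer"] != y["wan"]:
            out.append(f"set peer {x['peer']} is not the other side's WAN address {y['wan']}")
        if x["psk_peer"] != y["wan"]:
            out.append(f"isakmp key bound to {x['psk_peer']}, expected {y['wan']}")
        if x["acl"] != ("gre", x["wan"], x["tunnel_dst"]):  # ACL must select the GRE flow
            out.append(f"crypto ACL {x['acl']} does not cover GRE {x['wan']} -> {x['tunnel_dst']}")
    if (a["acl"][1], a["acl"][2]) != (b["acl"][2], b["acl"][1]):
        out.append("crypto ACLs are not mirror images of each other")
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        out.append("transform sets differ")
    return out

def legacy_algorithms(cfg):  # deprecated algorithms in the transform set (informational)
    return [t for t in LEGACY if t in parse(cfg)["transform"]]
```

With the page's configs, check_pair(LONDON, DENVER) returns no findings, while a peer address or ACL edited on one side only is reported.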
Note: IPsec supports only IP unicast traffic. To tunnel multiprotocol packets or IP multicast, GRE or L2TP must be used.
GRE encapsulates all traffic, regardless of where it comes from or where it is going.
Below is a comparison of GRE+IPsec versus IPsec alone:
GRE+IPsec

r1#ping 255.255.255.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 202.1.1.2, 64 ms
Reply to request 0 from 218.1.1.1, 232 ms
Reply to request 1 from 202.1.1.2, 24 ms
Reply to request 1 from 218.1.1.1, 108 ms
Reply to request 2 from 202.1.1.2, 52 ms
Reply to request 2 from 218.1.1.1, 144 ms
Reply to request 3 from 202.1.1.2, 36 ms
Reply to request 3 from 218.1.1.1, 92 ms
Reply to request 4 from 202.1.1.2, 56 ms
Reply to request 4 from 218.1.1.1, 104 ms

r1#ping 10.2.2.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.255, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/152/180 ms

r1#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/185/188 ms

IPsec

r1#ping 255.255.255.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 202.1.1.2, 8 ms
Reply to request 1 from 202.1.1.2, 120 ms
Reply to request 2 from 202.1.1.2, 44 ms
Reply to request 3 from 202.1.1.2, 40 ms
Reply to request 4 from 202.1.1.2, 120 ms

r1#ping
Protocol [ip]:
Target IP address: 10.2.2.255
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.255, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

r1#ping
Protocol [ip]:
Target IP address: 10.2.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/136/212 ms
Reposted from: https://blog.51cto.com/xpvista/339187