点对多点 IPsec+GRE 配置

                  点对多点 IPsec+GRE 配置

试验拓扑：

基本配置：

Hub Router

hostname Hub
! 
crypto isakmp policy 1
  authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0  //0.0.0.0指定对端可为任意
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
  mode transport
! 
crypto map ***map1 local-address Ethernet0 
crypto map ***map1 10 ipsec-isakmp 
  set peer 172.16.1.1 
  set transform-set trans2 
  match address 101 
crypto map ***map1 20 ipsec-isakmp 
  set peer 172.16.2.1 
  set transform-set trans2 
  match address 102 
. . . 
crypto map ***map1 <10*n> ipsec-isakmp 
  set peer 172.16.<n>.1 
  set transform-set trans2 
  match address <n+100> 
! 
interface Tunnel1 
  bandwidth 1000 
  ip address 10.0.0.1 255.255.255.252 
  ip mtu 1400 
  delay 1000 
  tunnel source Ethernet0 
  tunnel destination 172.16.1.1 
! 
interface Tunnel2
  bandwidth 1000 
  ip address 10.0.0.5 255.255.255.252 
  ip mtu 1400 
  delay 1000 
  tunnel source Ethernet0 
  tunnel destination 172.16.2.1 
! 
. . . 
! 
interface Tunnel<n> 
  bandwidth 1000 
  ip address 10.0.0.<4n-3> 255.255.255.252 
  ip mtu 1400 
  delay 1000 
  tunnel source Ethernet0 
  tunnel destination 172.16.<n>.1 
! 
interface Ethernet0 
  ip address 172.17.0.1 255.255.255.0 
  crypto map ***map1 
! 
interface Ethernet1 
  ip address 192.168.0.1 255.255.255.0 
! 
router eigrp 1 
  network 10.0.0.0 0.0.0.255 
  network 192.168.0.0 0.0.0.255 
  no auto-summary 
! 
access-list 101 permit gre host 172.17.0.1 host 172.16.1.1 
access-list 102 permit gre host 172.17.0.1 host 172.16.2.1 
… 
access-list <n+100> permit gre host 172.17.0.1 host 172.16.<n>.1

Spoke1 Router

hostname Spoke1 
! 
crypto isakmp policy 1 
  authentication pre-share 
crypto isakmp key cisco47 address 0.0.0.0 
! 
crypto ipsec transform-set trans2 esp-des esp-md5-hmac 
  mode transport 
! 
crypto map ***map1 local-address Ethernet0 
crypto map ***map1 10 ipsec-isakmp 
  set peer 172.17.0.1 
  set transform-set trans2 
  match address 101 
! 
interface Tunnel0 
  bandwidth 1000 
  ip address 10.0.0.2 255.255.255.252 
  ip mtu 1400 
  delay 1000 
  tunnel source Ethernet0 
  tunnel destination 172.17.0.1 
! 
interface Ethernet0 
  ip address 172.16.1.1 255.255.255.252
  crypto map ***map1 
! 
interface Ethernet1 
  ip address 192.168.1.1 255.255.255.0 
! 
router eigrp 1 
  network 10.0.0.0 0.0.0.255 
  network 192.168.1.0 0.0.0.255 
  no auto-summary 
! 
access-list 101 permit gre host 172.16.1.1 host 172.17.0.1

注意：在Cisco IOS 12.2(13)T 前crypto map ***map必须同时映射到物理接口和所有的隧道端口上，而在Cisco IOS 12.2(13)T 之后只要映射到物理接口上就可以了

转载于:https://blog.51cto.com/kwsnh/460351