GRE over IPsec Routing Configuration

Topology: r1(0/0)---r2--(1/1)r3

GRE over IPsec

IPsec first, then GRE inside it.

This solves the problem that IPsec cannot carry multicast traffic: routing protocols can run inside IPsec, and the protocol traffic is encrypted.

R1:

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key zaq address 2.3.0.1
    !
    !
    crypto ipsec transform-set vpn esp-des
    !
    crypto map vpn 10 ipsec-isakmp
     set peer 2.3.0.1
     set transform-set vpn
     match address 101
    !
    !
    !
    !
    interface Tunnel0
     ip address 1.3.0.1 255.255.255.0
     tunnel source FastEthernet0/0
     tunnel destination 2.3.0.1
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback1
     ip address 10.0.0.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address 1.2.0.1 255.255.255.0
     duplex full
     crypto map vpn
    !
    router ospf 1
     log-adjacency-changes
    !
    ip route 0.0.0.0 0.0.0.0 1.2.0.2
    !
    !
    access-list 101 permit gre host 1.2.0.1 host 2.3.0.1

R2:

    interface FastEthernet0/0
     ip address 1.2.0.2 255.255.255.0
     duplex full
    !
    interface FastEthernet1/1
     ip address 2.3.0.2 255.255.255.0
     duplex full
     speed auto

R3:

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key zaq address 1.2.0.1
    !
    crypto ipsec transform-set vpn esp-des
    !
    crypto map vpn 10 ipsec-isakmp
     set peer 1.2.0.1
     set transform-set vpn
     match address 101
    !
    interface Tunnel0
     ip address 1.3.0.2 255.255.255.0
     tunnel source FastEthernet1/1
     tunnel destination 1.2.0.1
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface Loopback1
     ip address 30.0.0.1 255.255.255.0
    !
    interface FastEthernet1/1
     ip address 2.3.0.1 255.255.255.0
     duplex full
     speed auto
     crypto map vpn
    !
    ip route 0.0.0.0 0.0.0.0 2.3.0.2
    !
    access-list 101 permit gre host 2.3.0.1 host 1.2.0.1

Verification (output taken on R3, local address 2.3.0.1):

    Router#show crypto engine connections active

      ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
       1 FastEthernet1/1      2.3.0.1         set    HMAC_MD5+DES_56_CB        0        0
    2001 FastEthernet1/1      2.3.0.1         set    DES                       0       27
    2002 FastEthernet1/1      2.3.0.1         set    DES                      27        0

    Router#show crypto isakmp sa
    dst             src             state          conn-id slot status
    1.2.0.1         2.3.0.1         QM_IDLE              1    0 ACTIVE

    Router#show crypto isakmp peers
    Peer: 1.2.0.1 Port: 500 Local: 2.3.0.1
     Phase1 id: 1.2.0.1

    Router#show crypto ipsec sa

    interface: FastEthernet1/1
        Crypto map tag: vpn, local addr 2.3.0.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
       current_peer 1.2.0.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
        #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0

         local crypto endpt.: 2.3.0.1, remote crypto endpt.: 1.2.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/1
         current outbound spi: 0xEAA8551D(3936900381)

         inbound esp sas:
          spi: 0x323BE771(842786673)
            transform: esp-des ,
            in use settings ={Tunnel, }
            conn id: 2001, flow_id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4493451/2885)
            IV size: 8 bytes
            replay detection support: N
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xEAA8551D(3936900381)
            transform: esp-des ,
            in use settings ={Tunnel, }
            conn id: 2002, flow_id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4493451/2884)
            IV size: 8 bytes
            replay detection support: N
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

There is also IPsec over GRE. Personally I think it is pointless: although it solves the multicast problem, the multicast traffic is sent in cleartext, so IPsec serves no purpose there and you might as well just use plain GRE!!
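The following is an added example, not part of the original post: a Python check over `show crypto ipsec sa` output that confirms the SA selects GRE (protocol 47) and that packets are being encapsulated, and reports what the lab's `esp-des` transform set leaves unprotected. The sample text is constructed from the output above; the `WEAK` deny-list and the finding strings are assumptions of this example.

```python
import re

# Added example (not from the original post).
# Constructed sample: lines trimmed from the "show crypto ipsec sa" output above.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
    #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
    #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
     inbound esp sas:
        transform: esp-des ,
        replay detection support: N
     outbound esp sas:
        transform: esp-des ,
        replay detection support: N
"""

GRE = 47  # IP protocol number of GRE
WEAK = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}  # assumed deny-list

def audit_ipsec_sa(text):
    """Return a sorted list of findings for one 'show crypto ipsec sa' dump."""
    findings = set()
    # 1. Both proxy identities must select protocol 47, i.e. the GRE tunnel itself.
    protos = re.findall(r"ident \(addr/mask/prot/port\): \([^/]+/[^/]+/(\d+)/\d+\)", text)
    if len(protos) < 2 or any(int(p) != GRE for p in protos):
        findings.add("SA does not select GRE (protocol 47) in both directions")
    # 2. Counters at zero mean tunnel traffic is not passing through the SA.
    counters = dict(re.findall(r"#pkts (encaps|decaps): (\d+)", text))
    for name in ("encaps", "decaps"):
        if int(counters.get(name, 0)) == 0:
            findings.add(f"#pkts {name} is 0")
    # 3. Inspect every negotiated transform line.
    for line in re.findall(r"transform:\s*(.*)", text):
        names = set(re.findall(r"[a-z0-9-]+", line.lower()))
        for weak in sorted(names & WEAK):
            findings.add(f"weak transform {weak}")
        if not any(n.endswith("-hmac") or "gcm" in n or "gmac" in n for n in names):
            findings.add("no integrity transform on ESP")
    # 4. The router itself reports whether anti-replay is active.
    if re.search(r"replay detection support:\s*N", text):
        findings.add("replay detection is off")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ipsec_sa(SAMPLE):
        print("FINDING:", finding)
```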