ipsec_over_gre

IPsec over GRE
This technique is rarely used in practice.

R1

! IKE phase 1 (ISAKMP) policy and the pre-shared key for the peer
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key benet address 202.102.1.2
!
! IKE phase 2: transform set and the IPsec profile that references it
crypto ipsec transform-set benet-set esp-des esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set benet-set
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
! GRE tunnel; the IPsec profile is applied on the tunnel interface
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Serial1/1
 tunnel destination 202.102.1.2
 tunnel protection ipsec profile cisco
!
!
interface Serial1/1
 ip address 202.102.1.1 255.255.255.0
 serial restart-delay 0
!
! OSPF advertises the loopbacks and the tunnel subnet, not Serial1/1
router ospf 1
 log-adjacency-changes
 passive-interface Loopback1
 passive-interface Loopback2
 passive-interface Loopback3
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 123.1.1.0 0.0.0.255 area 0
!
Run a routing protocol (advertise the tunnel IP and the internal network IPs; never advertise the IP of the physical interface).

R2

! IKE phase 1 (ISAKMP) policy and the pre-shared key for the peer
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key benet address 202.102.1.1
!
! IKE phase 2: transform set and the IPsec profile that references it
crypto ipsec transform-set benet-set esp-des esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set benet-set
!
!
interface Loopback4
 ip address 4.4.4.4 255.255.255.0
!
interface Loopback5
 ip address 5.5.5.5 255.255.255.0
!
interface Loopback6
 ip address 6.6.6.6 255.255.255.0
!
! GRE tunnel; the IPsec profile is applied on the tunnel interface
interface Tunnel0
 ip address 123.1.1.2 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 202.102.1.1
 tunnel protection ipsec profile cisco
!
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback4
 passive-interface Loopback5
 passive-interface Loopback6
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 4.4.4.0 0.0.0.255 area 0
 network 5.5.5.0 0.0.0.255 area 0
 network 6.6.6.0 0.0.0.255 area 0
 network 123.1.1.0 0.0.0.255 area 0
!

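The configuration is a standard LAN-to-LAN setup.

Packet structure: public source and destination | GRE | IP packet
Encryption has to be applied on the tunnel interface; applying it on the physical interface has no practical effect, and the traffic will not be encrypted.
Conditions for Tunnel0 to come up: the routing table contains a route to Tunnel0, Tunnel0 itself has a source and a destination, and the source and destination are reachable.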
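
The two rules in these notes (encrypt on the tunnel interface, keep the physical interface out of the routing protocol) can be checked mechanically; if OSPF over the tunnel covers a tunnel endpoint, the router can learn the route to the tunnel destination through the tunnel itself and the tunnel goes down. The Python below is an added example, not part of the original post: the names parse_blocks, wildcard_net and audit are assumptions, the sample is a trimmed copy of the R1 configuration above, and a named tunnel source is assumed to have a static address in the same file.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the R1 configuration from this page.
R1_CONFIG = """\
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Serial1/1
 tunnel destination 202.102.1.2
 tunnel protection ipsec profile cisco
interface Serial1/1
 ip address 202.102.1.1 255.255.255.0
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 123.1.1.0 0.0.0.255 area 0
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level IOS command."""
    blocks, current = {}, []
    for line in config.splitlines():
        if line.startswith(" "):
            current.append(line.strip())
        elif line.strip() not in ("", "!"):
            current = blocks.setdefault(line.strip(), [])
    return blocks

def wildcard_net(addr, wildcard):
    """Convert an OSPF address/wildcard pair to a network (contiguous wildcards only)."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Hypothetical helper: findings for the two rules stated in the notes."""
    blocks, findings = parse_blocks(config), []
    addrs = {h.split()[1]: c.split()[2] for h, b in blocks.items()
             if h.startswith("interface ") for c in b if c.startswith("ip address ")}
    ospf = [wildcard_net(*c.split()[1:3]) for h, b in blocks.items()
            if h.startswith("router ospf") for c in b if c.startswith("network ")]
    tunnels = {h.split()[1]: b for h, b in blocks.items() if h.startswith("interface Tunnel")}
    for name, body in tunnels.items():
        if not any(c.startswith("tunnel protection ipsec profile ") for c in body):
            findings.append(f"{name}: no tunnel protection, GRE leaves unencrypted")
        for kind, value in re.findall(r"^tunnel (source|destination) (\S+)$", "\n".join(body), re.M):
            endpoint = addrs.get(value, value)  # a tunnel source may name an interface
            hits = [n for n in ospf if ipaddress.ip_address(endpoint) in n]
            findings += [f"{name}: OSPF network {n} covers tunnel {kind} {endpoint}" for n in hits]
    return findings

print(audit(R1_CONFIG) or "no findings")
```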

show cry en conn a
r1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Se1/1      IPsec DES+SHA                   0      145 202.102.1.1
    2 Se1/1      IPsec DES+SHA                 154        0 202.102.1.1
 1001 Se1/1      IKE   SHA+3DES                  0        0 202.102.1.1

r1#
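Interesting packet → routing table lookup → tunnel interface → hits the map → encryption (the encryption point, which is the peer, is used as a new header) → routing table lookup → forwarded out

Change the peer to a loopback
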
!
crypto map cisco local-address Loopback11
!
!
interface Loopback11
 ip address 11.1.1.1 255.255.255.0
!
router ospf 1
 network 11.1.1.0 0.0.0.255 area 0

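Configuration: phase 1 + phase 2 + crypto map cisco local-address loopback 0

The loopbacks on both sides act as the source and destination of the second encapsulation.

In this case, applying the map on the physical interface has no effect.
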
Reposted from: https://blog.51cto.com/sngyqd/624834