
GRE over IPSEC Routing Configuration

2015-06-17

 
r1(0/0)---r2--(1/1)r3
 
GRE over IPSEC
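IPsec first, then GRE.
This solves the problem that IPsec cannot carry multicast traffic: routing protocols can run inside IPsec, and the protocol traffic is encrypted!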
R1:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key zaq address 2.3.0.1
!
!
crypto ipsec transform-set vpn esp-des 
!
crypto map vpn 10 ipsec-isakmp 
 set peer 2.3.0.1
 set transform-set vpn 
 match address 101
!
!
!
!
interface Tunnel0
 ip address 1.3.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 2.3.0.1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 1.2.0.1 255.255.255.0
 duplex full
 crypto map vpn
!
router ospf 1
 log-adjacency-changes
!
ip route 0.0.0.0 0.0.0.0 1.2.0.2
!
!
access-list 101 permit gre host 1.2.0.1 host 2.3.0.1
 
R2:
interface FastEthernet0/0
 ip address 1.2.0.2 255.255.255.0
 duplex full
!         
interface FastEthernet1/1
 ip address 2.3.0.2 255.255.255.0
 duplex full
 speed auto
 
R3:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key zaq address 1.2.0.1
!
crypto ipsec transform-set vpn esp-des 
!
crypto map vpn 10 ipsec-isakmp 
 set peer 1.2.0.1
 set transform-set vpn 
 match address 101
!
interface Tunnel0
 ip address 1.3.0.2 255.255.255.0
 tunnel source FastEthernet1/1
 tunnel destination 1.2.0.1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
 ip address 30.0.0.1 255.255.255.0
!
interface FastEthernet1/1
 ip address 2.3.0.1 255.255.255.0
 duplex full
 speed auto
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 2.3.0.2
!
access-list 101 permit gre host 2.3.0.1 host 1.2.0.1
 
Router#show crypto engine connections active
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet1/1      2.3.0.1         set    HMAC_MD5+DES_56_CB        0        0
2001 FastEthernet1/1      2.3.0.1         set    DES                       0       27
2002 FastEthernet1/1      2.3.0.1         set    DES                      27        0
Router#show crypto isakmp sa
dst             src             state          conn-id slot status
1.2.0.1         2.3.0.1         QM_IDLE              1    0 ACTIVE
Router#show crypto isakmp peers    
Peer: 1.2.0.1 Port: 500 Local: 2.3.0.1
 Phase1 id: 1.2.0.1
Router#show crypto ipsec sa
interface: FastEthernet1/1
    Crypto map tag: vpn, local addr 2.3.0.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
   current_peer 1.2.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
    #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 2.3.0.1, remote crypto endpt.: 1.2.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/1
     current outbound spi: 0xEAA8551D(3936900381)
     inbound esp sas:
      spi: 0x323BE771(842786673)
        transform: esp-des ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4493451/2885)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEAA8551D(3936900381)
        transform: esp-des ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4493451/2884)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
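
The following added example, which is not part of the original post, audits R1's settings from this page. It flags the MD5 IKE hash, the IKE encryption and DH group left at their defaults (assumed to be DES and group 1 on classic IOS, consistent with the `HMAC_MD5+DES_56_CB` line above), and the `esp-des` transform set with no authentication transform, which is consistent with `replay detection support: N` above; it also checks that the crypto ACL selects GRE between the tunnel endpoints. The function names and finding labels are made up for this example.

```python
# Constructed sample: R1's crypto-relevant lines from the page, abridged.
R1 = """crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set vpn esp-des
crypto map vpn 10 ipsec-isakmp
 match address 101
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 2.3.0.1
interface FastEthernet0/0
 ip address 1.2.0.1 255.255.255.0
access-list 101 permit gre host 1.2.0.1 host 2.3.0.1
"""

def sections(cfg):
    out, head = {}, None  # top-level line -> its indented sub-commands
    for line in cfg.splitlines():
        if line.startswith(" ") and head:
            out[head].append(line.strip())
        elif line.strip() not in ("", "!"):
            head = line.strip()
            out[head] = []
    return out

def audit(cfg):
    sec, found = sections(cfg), []
    for head, sub in sec.items():
        if head.startswith("crypto isakmp policy"):
            if "hash md5" in sub:
                found.append("ike-hash-md5")
            # An absent keyword means the platform default (assumed: DES, DH group 1).
            found += [f"ike-default-{k}" for k in ("encr", "group")
                      if not any(s.startswith(k) for s in sub)]
        if head.startswith("crypto ipsec transform-set"):
            transforms = head.split()[4:]
            found += [t for t in transforms if t in ("esp-des", "esp-null")]
            if not any(t.endswith("-hmac") or "gcm" in t for t in transforms):
                found.append("esp-no-integrity")  # no ICV, hence no anti-replay
    # The crypto ACL must select the GRE flow between the two tunnel endpoints.
    subs = [s for sub in sec.values() for s in sub]
    def word(p):  # first word after prefix p in any sub-command
        return next(s.split()[len(p.split())] for s in subs if s.startswith(p))
    src = next(s.split()[2] for s in sec["interface " + word("tunnel source")]
               if s.startswith("ip address"))
    acl, dst = word("match address"), word("tunnel destination")
    if f"access-list {acl} permit gre host {src} host {dst}" not in sec:
        found.append("acl-does-not-match-gre-endpoints")
    return found
```

On an IOS release that supports them, a policy with `encr aes 256`, `hash sha256` and `group 14` plus a transform set such as `esp-aes 256 esp-sha256-hmac` returns no findings from `audit`.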
 
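There is also IPsec over GRE, which I personally think is pointless: although it solves the multicast problem, the multicast traffic is sent in cleartext, so IPsec serves no purpose and you might as well just use plain GRE!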
 