IPsecOverGRE

Diagram:

[image: IPsecOverGRE]

Description: IPsec over GRE is used to protect the Loopback100 network segments. IPsec over GRE means the traffic travels through a GRE tunnel and is encrypted with IPsec: GRE by itself lets the two internal networks talk to each other, but provides no encryption. R1's public interface is f0/0; R3's public interface is f0/1.

R1 configuration

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 3.3.3.3 255.255.255.0
crypto isakmp key cisco address 23.23.23.2 255.255.255.0
!
!
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto map VPNMAP local-address Loopback100      // required
crypto map VPNMAP 10 ipsec-isakmp
 set peer 3.3.3.3                               // the peer is the loopback interface
 set transform-set VPNSET
 match address VPNACL
!
!
interface Tunnel0               // GRE configuration
 ip address 192.168.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 23.23.23.2
 crypto map VPNMAP                         // encryption applied on the tunnel interface
!
router eigrp 100
 network 1.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
ip access-list extended VPNACL
 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!


R1 routing table

[image: IPsecOverGRE]

IPsecOverGRE encapsulation process

When 172.16.1.1 pings 172.16.2.1, the router first looks up the routing table and finds that the next hop is 192.168.1.2 and the local outgoing interface is Tunnel0, so the packet is forwarded out Tunnel0. During forwarding, the crypto map VPNMAP is applied to that interface; the interesting traffic defined by VPNACL in VPNMAP matches 172.16.1.1 -> 172.16.2.1, so the traffic must be protected with ESP. The packet is re-encapsulated with a new source IP (1.1.1.1) and destination IP (3.3.3.3).

It then leaves through the tunnel interface via GRE: the GRE source IP is 12.12.12.1 and the destination is 3.3.3.3. The routing table is consulted once more and the packet is sent out the physical interface. The figure below shows the encapsulation format:

[image: IPsecOverGRE encapsulation format]
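The encapsulation order described above, as an added Python model that is not part of the original post: it builds the raw IPv4, ESP and GRE headers R1 would produce for a packet leaving Tunnel0 and then walks the header stack back the way an observer on the public link would see it, so that the cleartext outer headers (GRE endpoints, loopback peers, SPI) and the encrypted part are easy to tell apart. Addresses follow the R1 configuration (tunnel source 12.12.12.1, tunnel destination 23.23.23.2, peers 1.1.1.1 and 3.3.3.3); the SPI, the sequence number and the zero-byte stand-in for the ciphertext are constructed placeholders, and traffic that VPNACL does not match (for example EIGRP between the tunnel addresses) is shown going through GRE in the clear.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

PROTO_ICMP, PROTO_GRE, PROTO_ESP = 1, 47, 50
LOOPBACK_R1, LOOPBACK_R3 = "1.1.1.1", "3.3.3.3"   # IPsec peers (Loopback100), from R1 config
TUN_SRC, TUN_DST = "12.12.12.1", "23.23.23.2"     # GRE tunnel source/destination, from R1 config
VPNACL = (IPv4Network("172.16.1.0/24"), IPv4Network("172.16.2.0/24"))

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def matches_vpnacl(src, dst):
    """Interesting traffic of crypto map VPNMAP: permit ip 172.16.1.0/24 172.16.2.0/24."""
    return IPv4Address(src) in VPNACL[0] and IPv4Address(dst) in VPNACL[1]

def forward_via_tunnel0(inner, spi=0x1000, seq=1):
    """Encapsulate as R1 does: ESP first (only if VPNACL matches), then GRE."""
    src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
    if matches_vpnacl(src, dst):
        ciphertext = bytes(len(inner))  # placeholder for the 3DES output (real ESP adds padding and an ICV)
        esp = struct.pack("!II", spi, seq) + ciphertext   # SPI and sequence number stay in cleartext
        inner = ipv4(LOOPBACK_R1, LOOPBACK_R3, PROTO_ESP, esp)
    gre = struct.pack("!HH", 0, 0x0800) + inner   # RFC 2784 GRE header, protocol type IPv4
    return ipv4(TUN_SRC, TUN_DST, PROTO_GRE, gre)

def visible_layers(pkt):
    """Walk the header stack and report what an observer on the public link can read."""
    layers = []
    while True:
        proto = pkt[9]
        layers.append(f"IP {IPv4Address(pkt[12:16])}->{IPv4Address(pkt[16:20])}")
        pkt = pkt[(pkt[0] & 0x0F) * 4:]          # skip the IPv4 header (IHL words)
        if proto == PROTO_GRE:
            layers.append("GRE")
            pkt = pkt[4:]                        # basic GRE header, next layer is IPv4
        elif proto == PROTO_ESP:
            spi, seq = struct.unpack("!II", pkt[:8])
            layers.append(f"ESP spi=0x{spi:x} seq={seq} ({len(pkt) - 8} encrypted bytes)")
            return layers
        else:
            layers.append(f"proto {proto} in cleartext")
            return layers

if __name__ == "__main__":
    ping = ipv4("172.16.1.1", "172.16.2.1", PROTO_ICMP, b"\x08\x00" + bytes(6))  # constructed echo request
    for layer in visible_layers(forward_via_tunnel0(ping)):
        print(layer)
```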

R3 configuration

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.0
crypto isakmp key cisco address 12.12.12.1 255.255.255.0  // optional
!
!
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto map VPNMAP local-address Loopback100      // required
crypto map VPNMAP 10 ipsec-isakmp
 set peer 1.1.1.1                               // the peer is the loopback interface
 set transform-set VPNSET
 match address VPNACL
!
!
interface Tunnel0               // GRE configuration
 ip address 192.168.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 12.12.12.1
 crypto map VPNMAP                         // encryption applied on the tunnel interface
!
router eigrp 100
 network 3.3.3.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.23.23.1
!
ip access-list extended VPNACL
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!


posted on 2012-09-05 18:54 by 侯志清