GRE over IPsec

site1:

int f0/0

ip add 202.100.1.1 255.255.255.0

no sh

int lo0

ip add 1.1.1.1 255.255.255.255

int lo1

ip add 2.2.2.2 255.255.255.255

int lo2

ip add 3.3.3.3 255.255.255.255

site2:

inter f0/0

ip add 202.100.1.2 255.255.255.0

no sh

int lo0

ip add 4.4.4.4 255.255.255.255

int lo1

ip add 5.5.5.5 255.255.255.255

int lo2

ip add 6.6.6.6 255.255.255.255

site1:

int tunnel 0

ip add 172.16.1.1 255.255.255.0

tunnel source f0/0

tunnel destination 202.100.1.2

site2:

int tunnel 0

ip add 172.16.1.2 255.255.255.0

tunnel source f0/0

tunnel destination 202.100.1.1

site1:

router ospf 1

net 172.16.1.0 0.0.0.255 area 0

net 1.1.1.1 0.0.0.0 area 0

net 2.2.2.2 0.0.0.0 area 0

net 3.3.3.3 0.0.0.0 area 0

site2:

router ospf 1

net 172.16.1.0 0.0.0.255 area 0

net 4.4.4.4 0.0.0.0 area 0

net 5.5.5.5 0.0.0.0 area 0

net 6.6.6.6 0.0.0.0 area 0

sip:202.100.1.1 dip:202.100.1.2 gre sip 1.1.1.1 dip 4.4.4.4

sip:202.100.1.1 dip:202.100.1.2 gre sip 2.2.2.2 dip 6.6.6.6

sip:202.100.1.1 dip:202.100.1.2 gre sip x.x.x.x dip y.y.y.y

site1:

cry isa pol 10

au pre

cry isa key 0 cisco address 202.100.1.2

cry ipsec transform-set cisco esp-des esp-md5-hmac

ip access-list ex vpn

permit gre host 202.100.1.1 host 202.100.1.2

cry map cisco 10 ipsec-isa

match address vpn

set transform-set cisco

set peer 202.100.1.2

inter f0/0

cry map cisco

site2:

cry isa pol 10

au pre

cry isa key 0 cisco address 202.100.1.1

cry ipsec transform-set cisco esp-des esp-md5-hmac

ip access-list ex vpn

permit gre host 202.100.1.2 host 202.100.1.1

cry map cisco 10 ipsec-isa

match address vpn

set transform-set cisco

set peer 202.100.1.1

inter f0/0

cry map cisco

202.100.1.1 202.100.1.2 esp sip:202.100.1.1 dip:202.100.1.2 gre sip 1.1.1.1 dip 4.4.4.4 tunnel mode

202.100.1.1 202.100.1.2 esp gre sip 1.1.1.1 dip 4.4.4.4 transport mode

site1:

crypto ipsec transform-set cisco esp-des esp-md5-hmac

mode transport

clear cry isa

clear cry sa

site2:

cry ipsec transform-set cisco esp-des esp-md5-hmac

mode transport

clear cry isa

clear cry sa
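
The tunnel-mode and transport-mode layouts above, worked out in bytes for the esp-des esp-md5-hmac transform set (an added example, not part of the original notes). It assumes 20-byte IPv4 headers without options, a 4-byte GRE header without key or sequence fields, and no NAT-T; the function names are made up for this example.

```python
# Added example: byte-level model of the two encapsulations on this page.
# Assumptions (not from the page): IPv4 headers without options (20 bytes),
# basic GRE header without key/sequence (4 bytes), no NAT-T.
IP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8        # SPI (4) + sequence number (4)
DES_IV = 8         # esp-des: DES-CBC, 8-byte IV
DES_BLOCK = 8      # DES-CBC block size
ESP_TRAILER = 2    # pad length (1) + next header (1)
MD5_ICV = 12       # esp-md5-hmac: HMAC-MD5 truncated to 96 bits


def layers(inner_len, mode):
    """Return [(layer name, bytes)] for one inner IP packet, outermost first."""
    if mode == "transport":
        # GRE delivery header is reused as the ESP outer header (protocol 50).
        protected = [("gre", GRE_HDR), ("inner ip packet", inner_len)]
    elif mode == "tunnel":
        # Whole GRE packet, delivery header included, is wrapped in a new header.
        protected = [("gre delivery ip", IP_HDR), ("gre", GRE_HDR),
                     ("inner ip packet", inner_len)]
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    clear_len = sum(n for _, n in protected) + ESP_TRAILER
    pad = -clear_len % DES_BLOCK   # pad the encrypted part to a whole DES block
    return ([("outer ip", IP_HDR), ("esp header", ESP_HDR), ("iv", DES_IV)]
            + protected
            + [("esp padding", pad), ("esp trailer", ESP_TRAILER),
               ("esp icv", MD5_ICV)])


def wire_size(inner_len, mode):
    """Total bytes on the wire for one inner IP packet of inner_len bytes."""
    return sum(n for _, n in layers(inner_len, mode))


def max_inner(mtu, mode):
    """Largest inner IP packet whose encrypted form still fits in mtu."""
    size = mtu
    while size > 0 and wire_size(size, mode) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(mode, wire_size(100, mode), max_inner(1500, mode))
        for name, n in layers(100, mode):
            print(f"  {name:<16}{n:>5}")
```

For a 100-byte inner packet this gives 176 bytes on the wire in tunnel mode and 160 in transport mode; with a 1500-byte MTU on f0/0 the largest inner packet that avoids fragmentation is 1422 bytes in tunnel mode and 1442 in transport mode.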

Map configuration on newer versions:

site1:

cry ipsec profile cisco

set transform-set cisco

int tunnel 0

tunnel protection ipsec profile cisco (use the phase 2 policy to protect the tunnel interface)

site2:

cry ipsec profile cisco

set transform-set cisco

int tunnel 0

tunnel protection ipsec profile cisco