1、實驗拓撲
2、基礎網絡配置
R1配置:
ip dhcp excluded-address 13.1.1.1 13.1.1.2
ip dhcp pool net13
network 13.1.1.0 255.255.255.0
default-router 13.1.1.1
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
R2配置:
ip address 12.1.1.2 255.255.255.0
ip address 172.16.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.1
R3配置:
interface Loopback0
ip address 3.3.3.3 255.255.255.0
ip address dhcp
ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.1.1.1
R4配置:
ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.254
R5配置:
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
3、配置Dynamic p2p GRE over IPsec
3.1、配置GRE
R2配置:
interface Tunnel2
ip address 1.1.1.1 255.255.255.0
tunnel source 12.1.1.2
tunnel destination 3.3.3.3
ip route 3.3.3.3 255.255.255.255 12.1.1.1
這條路由必須配置,這是配置規則要求的
R3配置:
interface Tunnel3
ip address 1.1.1.2 255.255.255.0
tunnel source Loopback0
tunnel destination 12.1.1.2
3.2、R2配置Dynamic LAN-to-LAN ×××(相對普通的Dynamic LAN-to-LAN ×××多了一條指令)
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto dynamic-map dymap 1
set transform-set ccie
crypto map mymap 1 ipsec-isakmp dynamic dymap (經測試,這條指令可以不寫)
crypto map mymap local-address FastEthernet0/0
crypto map mymap
3.3、R3配置LAN-to-LAN ×××(與普通LAN-to-LAN ×××的ACL不同,多了一條指令)
crypto isakmp key cisco123 address 12.1.1.2
access-list 100 permit gre 3.3.3.0 0.0.0.255 12.1.1.0 0.0.0.255
crypto map mymap 1 ipsec-isakmp
set peer 12.1.1.2
match address 100
crypto map mymap local-address FastEthernet0/0(經測試,這條指令可以不寫)
3.4、配置動态路由協定(此時私網流量走的都是隧道。)
router ospf 1
network 1.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0