天天看點
傳回

Cisco 路由器 GRE over IPSEC ×××

由于IPSEC ×××不能支援多點傳播和廣播,是以不能運作動态路由協定,由于我們需要把一條×××鍊路作為一條專線使用,還必須建立GRE tunnel隧道,以支援動态路由協定.

實驗拓撲:

Cisco 路由器 GRE over IPSEC ×××

基本配置步驟如下:

1:配置基本路由和需保護流量的感興趣通路清單(注意這裡感興趣流量設為GRE隧道流量)

2:配置GRE Tunnel隧道.

3:配置IPSEC ×××.

4 :配置動态路由協定.

配置如下 :

R1#sho run

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco address 202.1.1.2

!

crypto ipsec transform-set mytrans esp-3des

crypto map mymap 1 ipsec-isakmp

set peer 202.1.1.2

set transform-set mytrans

match address 101

interface Loopback0

ip address 10.1.1.1 255.255.255.0

interface Tunnel0

ip address 192.168.1.1 255.255.255.0

tunnel source Ethernet0/0

tunnel destination 202.1.1.2

interface Ethernet0/0

ip address 201.1.1.1 255.255.255.0

crypto map mymap

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.255 area 0

network 192.168.1.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 Ethernet0/0

access-list 101 permit gre host 201.1.1.1 host 202.1.1.2

//注意通路清單所定義的IPSEC所保護的感興趣流量為GRE流量.

R2#

ip address 201.1.1.2 255.255.255.0

interface Ethernet2/0

ip address 202.1.1.1 255.255.255.0

R3#

crypto isakmp key cisco address 201.1.1.1

crypto map mymap 10 ipsec-isakmp

set peer 201.1.1.1

ip address 172.16.1.1 255.255.255.0

ip address 192.168.1.2 255.255.255.0

tunnel source Ethernet2/0

tunnel destination 201.1.1.1

ip address 202.1.1.2 255.255.255.0

half-duplex

network 172.16.1.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 Ethernet2/0

access-list 101 permit gre host 202.1.1.2 host 201.1.1.1

測試:

R1#show ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface

172.16.1.1        0   FULL/ -        00:00:37    192.168.1.2     Tunnel0

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    201.1.1.0/24 is directly connected, Ethernet0/0

     172.16.0.0/32 is subnetted, 1 subnets

O       172.16.1.1 [110/11112] via 192.168.1.2, 00:41:22, Tunnel0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Loopback0

C    192.168.1.0/24 is directly connected, Tunnel0

S*   0.0.0.0/0 is directly connected, Ethernet0/0

R1#show crypto isakmp sa

dst             src             state          conn-id slot

202.1.1.2       201.1.1.1       QM_IDLE              8    0

cisco 路由 流量 動态 policy
上一篇: Hive解析Json數組超全講解
下一篇: 記錄寫作理念

繼續閱讀