Cisco IPSec VPN: GRE over IPsec --- SVTI
[Figure 1]


SVTI lab: basic configuration
[Figure 2]


R2 configuration:



crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

################################

Phase 1 (ISAKMP) policy: the attributes negotiated in the first two IKE main-mode packets. 3DES, MD5 and DH group 2 are used here for the lab only; all three are deprecated, so in production use AES, SHA-256 and DH group 14 or higher.

################################
crypto isakmp key cisco123 address 200.1.1.4  // pre-shared key for peer 200.1.1.4; the peer must be configured with the same key, and a short dictionary word like this is acceptable only in a lab
!
!
crypto ipsec transform-set ccie esp-des esp-md5-hmac  
 mode tunnel

#################################

Phase 2 transform set: ESP with DES encryption and MD5 HMAC in tunnel mode. DES and MD5 are weak; outside a lab use esp-aes with esp-sha256-hmac, or an AES-GCM transform.

#################################
!
!
crypto ipsec profile ikeprof
 set transform-set ccie

!
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 tunnel source 100.1.1.2
 tunnel destination 200.1.1.4
 tunnel protection ipsec profile ikeprof  // there is no "tunnel mode ipsec ipv4", so Tunnel0 stays a GRE tunnel and IPsec protects the GRE flow (IP protocol 47) between 100.1.1.2 and 200.1.1.4, which the show output below confirms
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 100.1.1.2 255.255.255.0

!
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0

################################

Advertise the tunnel subnet and the LAN into OSPF. The transport network 100.1.1.0/24 is deliberately left out: if the tunnel destination were learned through the tunnel itself the route would recurse and the tunnel would flap.

################################
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.1.1.3  // default route to the next hop on the transport network; this is how the tunnel destination 200.1.1.4 is reached


Verification on R2. The IPSEC FLOW line shows the protected traffic as IP protocol 47 (GRE) between the two tunnel endpoints, and "Active SAs: 6" is the three inbound/outbound ESP SA pairs listed by show crypto ipsec sa further down; only conn id 5 and 6 carry packets.

R2# show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE    
Peer: 200.1.1.4 port 500
  Session ID: 0 
  IKEv1 SA: local 100.1.1.2/500 remote 200.1.1.4/500 Active
  Session ID: 0 
  IKEv1 SA: local 100.1.1.2/500 remote 200.1.1.4/500 Active
  IPSEC FLOW: permit 47 host 100.1.1.2 host 200.1.1.4
        Active SAs: 6, origin: crypto map


R2#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0        1        1 100.1.1.2
    2  IPsec   DES+MD5                   0        0        0 100.1.1.2
    3  IPsec   DES+MD5                   0        0        0 100.1.1.2
    4  IPsec   DES+MD5                   0        0        0 100.1.1.2
    5  IPsec   DES+MD5                   0      203      203 100.1.1.2
    6  IPsec   DES+MD5                 204        0        0 100.1.1.2
 1001  IKE     MD5+3DES                  0        0        0 100.1.1.2
 1002  IKE     MD5+3DES                  0        0        0 100.1.1.2


R2#show crypto ipsec sa | include spi
     current outbound spi: 0x214BF7A1(558626721)
      spi: 0xB86713B9(3093763001)
      spi: 0xA66B2E85(2792042117)
      spi: 0x74849EDE(1954848478)
      spi: 0xC1C0AB59(3250629465)
      spi: 0xF0B7C9F6(4038576630)
      spi: 0x214BF7A1(558626721)
R2#show crypto ipsec sa             

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 100.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.1.1.4/255.255.255.255/47/0)
   current_peer 200.1.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 212, #pkts encrypt: 212, #pkts digest: 212
    #pkts decaps: 212, #pkts decrypt: 212, #pkts verify: 212
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.1.1.2, remote crypto endpt.: 200.1.1.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0x214BF7A1(558626721)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB86713B9(3093763001)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1700)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0xA66B2E85(2792042117)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0x74849EDE(1954848478)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4284714/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC1C0AB59(3250629465)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1700)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0xF0B7C9F6(4038576630)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
      spi: 0x214BF7A1(558626721)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4284714/1708)
        IV size: 8 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R2#
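The following Python script is an added example for this page, not code from the original post or from Cisco. It audits the R2 configuration above for the weak settings it contains (3DES/MD5/DH group 2 in the phase 1 policy, DES/MD5 in the transform set, a short pre-shared key, no PFS in the IPsec profile) and then parses the show crypto ipsec sa output to check the packet counters, the PFS flag, the protected protocol and the inbound/outbound SA pairing. Which algorithms count as weak and the 16-character PSK minimum are the example's own assumptions; the two samples embedded in it are condensed copies of the config and output shown on this page.

```python
"""Audit an IOS IKEv1/IPsec config and sanity-check 'show crypto ipsec sa' output.
Added example for this page, not Cisco code; the weakness thresholds are assumptions."""
import re
from typing import List

# Assumptions: DES/3DES/MD5 and DH groups 1, 2, 5 count as weak; PSKs under 16 chars are flagged.
WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
POLICY_WEAK = {"encr": WEAK_ENCR, "hash": WEAK_HASH, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 16

# Sample input: the R2 configuration shown above, condensed to its crypto lines.
R2_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 200.1.1.4
crypto ipsec transform-set ccie esp-des esp-md5-hmac
 mode tunnel
crypto ipsec profile ikeprof
 set transform-set ccie
interface Tunnel0
 tunnel protection ipsec profile ikeprof
"""

# Sample input: trimmed from the 'show crypto ipsec sa' output shown above.
SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
    #pkts encaps: 212, #pkts encrypt: 212, #pkts digest: 212
    #pkts decaps: 212, #pkts decrypt: 212, #pkts verify: 212
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB86713B9(3093763001)
      spi: 0x74849EDE(1954848478)
     outbound esp sas:
      spi: 0xC1C0AB59(3250629465)
      spi: 0x214BF7A1(558626721)
"""


def audit_config(config: str) -> List[str]:
    """One finding per weak algorithm, short pre-shared key or profile without PFS."""
    findings, profiles, current = [], {}, None   # profiles: name -> has 'set pfs'
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 2:
            continue
        if t[0] in POLICY_WEAK and t[1] in POLICY_WEAK[t[0]]:
            findings.append(f"isakmp policy: weak {t[0]} {t[1]}")
        elif t[:3] == ["crypto", "isakmp", "key"] and len(t[3]) < MIN_PSK_LEN:
            findings.append(f"isakmp key for {t[-1]}: PSK shorter than {MIN_PSK_LEN} chars")
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"transform-set {t[3]}: weak {a}" for a in t[4:]
                         if a in WEAK_ENCR | WEAK_HASH]
        elif t[:3] == ["crypto", "ipsec", "profile"]:
            current = t[3]
            profiles[current] = False
        elif t[:2] == ["set", "pfs"] and current:
            profiles[current] = True
        elif t[0] in ("interface", "crypto", "router"):
            current = None                        # another top-level command ends the block
    findings += [f"profile {p}: no 'set pfs', phase-2 keys derive from the phase-1 secret"
                 for p, has_pfs in profiles.items() if not has_pfs]
    return findings


def parse_sa(output: str) -> dict:
    """Pull packet counters, PFS flag, protected protocol and per-direction ESP SPIs."""
    sa = {"encaps": 0, "decaps": 0, "pfs": None, "proto": None, "inbound": [], "outbound": []}
    direction = None
    for line in output.splitlines():
        if m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif m := re.search(r"local +ident.*\([\d.]+/[\d.]+/(\d+)/\d+\)", line):
            sa["proto"] = int(m.group(1))         # IP protocol of the protected flow
        elif m := re.search(r"PFS \(Y/N\): (\w)", line):
            sa["pfs"] = m.group(1)
        elif m := re.match(r"\s*(inbound|outbound) esp sas:", line):
            direction = m.group(1)
        elif (m := re.search(r"spi: (0x[0-9A-Fa-f]+)", line)) and direction:
            sa[direction].append(m.group(1))
    return sa


def check_sa(sa: dict) -> List[str]:
    """Flag one-way traffic, unpaired SAs, missing PFS, and note a GRE-protected flow."""
    notes = []
    if sa["encaps"] and not sa["decaps"]:
        notes.append("packets leave but none return: check the peer and its return route")
    if len(sa["inbound"]) != len(sa["outbound"]):
        notes.append("inbound/outbound ESP SA count differs")
    if sa["pfs"] == "N":
        notes.append("PFS disabled: phase-2 keys are derived from the phase-1 secret")
    if sa["proto"] == 47:
        notes.append("protected flow is GRE (IP proto 47): GRE tunnel with tunnel protection, not a plain IPsec VTI")
    return notes
```

Run it with `python -c "import audit; print(audit.audit_config(audit.R2_CONFIG)); print(audit.check_sa(audit.parse_sa(audit.SA_OUTPUT)))"` (assuming the file is saved as audit.py) to get the seven config findings and the two notes for the lab output; feeding it a real `show crypto ipsec sa` capture where decaps stays at 0 while encaps climbs produces the one-way-traffic note, which is the usual sign of a missing return route or a peer-side filter.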