GRE over IPSEC

Prerequisite: routes are reachable and the peers can communicate with each other.
GRE provides the tunnel; IPsec protects the data carried inside the tunnel.
GRE over IPsec versus IPsec over GRE: which is better? The former, without question.
A tunnel is built between R2 and R4, and IPsec encrypts the tunnel's data; that is GRE over IPsec.
Interface IP addressing follows the usual convention: for the R1-R2 link the addresses are 12.1.1.1-12.1.1.2, and the other links follow the same pattern.
R2's configuration:
R2#sh run
Building configuration…
Current configuration : 1378 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
multilink bundle-name authenticated
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 34.1.1.4
!
crypto ipsec transform-set ikaros esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile test
 set transform-set ikaros
!
ip tcp synwait-time 5
!
interface Tunnel24
 ip unnumbered FastEthernet0/1
 tunnel source 23.1.1.2
 tunnel destination 34.1.1.4
 tunnel protection ipsec profile test
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 34.1.1.0 255.255.255.0 FastEthernet0/1 23.1.1.3
ip route 45.1.1.0 255.255.255.0 FastEthernet0/1 23.1.1.3
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

R4's configuration:
R4#sh run
Building configuration…

Current configuration : 1378 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 23.1.1.2
!
crypto ipsec transform-set ikaros esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile test
 set transform-set ikaros
!
ip tcp synwait-time 5
!
interface Tunnel42
 ip unnumbered FastEthernet0/0
 tunnel source 34.1.1.4
 tunnel destination 23.1.1.2
 tunnel protection ipsec profile test
!
interface FastEthernet0/0
 ip address 34.1.1.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 45.1.1.4 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 12.1.1.0 255.255.255.0 FastEthernet0/0 34.1.1.3
ip route 23.1.1.0 255.255.255.0 FastEthernet0/0 34.1.1.3
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Other verification commands are not repeated here.
One more note: compared with the earlier way of configuring IPsec, this is an entirely new style built on an IPsec profile. Only a transform set is configured under the ipsec profile; no peer and no interesting traffic are defined. Bear in mind, however, that the profile is applied under an interface, so what it protects is the traffic of that tunnel interface, which means interesting traffic does exist. The peer is not missing either: since the tunnel itself is being protected, the tunnel destination is naturally the IPsec peer. This configuration style is also used in DMVPN.
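The relationship just described (the tunnel destination is the IPsec peer, and the pre-shared key must therefore be bound to that address) is easy to get wrong when the two routers are edited by hand. The following Python is an added example, not code from the original post or from Cisco: a small, hypothetical parser for the IOS lines that matter to tunnel protection, and a `check_pair` function that verifies the two sides mirror each other and flags the weak transforms the page's configs use (`esp-des`, `esp-md5-hmac`). The embedded excerpts are the relevant lines copied from the R2 and R4 configurations above.

```python
"""Added example (not from the original post): a small, hypothetical parser for
the Cisco IOS lines that matter to GRE over IPsec with tunnel protection, plus
checks that the two peers mirror each other. Excerpts are the relevant lines
of the R2 and R4 configurations shown on the page."""
import re

R2_CONFIG = """\
crypto isakmp key cisco address 34.1.1.4
!
crypto ipsec transform-set ikaros esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile test
 set transform-set ikaros
!
interface Tunnel24
 tunnel source 23.1.1.2
 tunnel destination 34.1.1.4
 tunnel protection ipsec profile test
"""
R4_CONFIG = """\
crypto isakmp key cisco address 23.1.1.2
!
crypto ipsec transform-set ikaros esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile test
 set transform-set ikaros
!
interface Tunnel42
 tunnel source 34.1.1.4
 tunnel destination 23.1.1.2
 tunnel protection ipsec profile test
"""
# Transforms a reviewer should flag on sight (DES, 3DES, MD5, no encryption).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse(config):
    """Collect ISAKMP keys, transform sets, IPsec profiles and tunnel interfaces."""
    info = {"keys": {}, "transform_sets": {}, "profiles": {}, "tunnels": {}}
    block = None  # (kind, name) of the indented section currently open
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
        elif not raw.startswith(" "):  # top-level command: may open a new block
            block = None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                info["keys"][m.group(2)] = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                block = ("ts", m.group(1))  # IOS defaults a set to tunnel mode
                info["transform_sets"][m.group(1)] = {"algs": m.group(2).split(), "mode": "tunnel"}
            elif m := re.match(r"crypto ipsec profile (\S+)", line):
                block = ("profile", m.group(1))
                info["profiles"][m.group(1)] = {}
            elif m := re.match(r"interface (Tunnel\d+)", line):
                block = ("tunnel", m.group(1))
                info["tunnels"][m.group(1)] = {}
        elif block:  # indented sub-command of the open block
            kind, name = block
            if kind == "ts" and line.startswith("mode "):
                info["transform_sets"][name]["mode"] = line.split()[1]
            elif kind == "profile" and line.startswith("set transform-set "):
                info["profiles"][name]["transform_set"] = line.split()[2]
            elif kind == "tunnel":
                if m := re.match(r"tunnel (source|destination) (\S+)", line):
                    info["tunnels"][name][m.group(1)] = m.group(2)
                elif m := re.match(r"tunnel protection ipsec profile (\S+)", line):
                    info["tunnels"][name]["profile"] = m.group(1)
    return info


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two sides are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    (name_a, ta), = a["tunnels"].items()  # assumes one protected tunnel per router
    (name_b, tb), = b["tunnels"].items()
    findings = []
    if ta["destination"] != tb["source"] or tb["destination"] != ta["source"]:
        findings.append("tunnel source/destination addresses do not mirror each other")
    # With tunnel protection the IPsec peer *is* the tunnel destination, so the
    # pre-shared key on each side must be bound to exactly that address.
    for name, tun, side in ((name_a, ta, a), (name_b, tb, b)):
        if tun["destination"] not in side["keys"]:
            findings.append(f"{name}: no isakmp key bound to tunnel destination {tun['destination']}")
    if a["keys"].get(ta["destination"]) != b["keys"].get(tb["destination"]):
        findings.append("pre-shared keys differ")
    ts_a = a["transform_sets"][a["profiles"][ta["profile"]]["transform_set"]]
    ts_b = b["transform_sets"][b["profiles"][tb["profile"]]["transform_set"]]
    if ts_a["algs"] != ts_b["algs"] or ts_a["mode"] != ts_b["mode"]:
        findings.append("transform sets or modes differ")
    weak = WEAK_TRANSFORMS.intersection(ts_a["algs"] + ts_b["algs"])
    if weak:
        findings.append("weak transforms in use: " + ", ".join(sorted(weak)))
    return findings
```

Run against the page's two configs, `check_pair(R2_CONFIG, R4_CONFIG)` reports only the weak-transform finding: the endpoints, keys and profiles mirror correctly. Change the key's `address` on one side and the script immediately reports that no key is bound to the tunnel destination, which is exactly the mistake the paragraph above warns about. `mode transport` is checked for equality only; with tunnel protection GRE already supplies the outer header, so transport mode is the usual choice and avoids a second IP header per packet.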
