GRE Over IPSec配置

路由器GRE over IPSec站点到站点VPN
         问题分析:对于前面的经典的IPSec VPN的配置来说,兼容性较好,适合于多厂商操作的时候,但是这种经典的配置方式不适合在复杂的网路中配置,如下:
GRE Over IPSec配置_第1张图片

 


这样在site 1和site 2后面有很多的网络,这样出现的难题是:
           *没有虚拟隧道接口,不能让两个站点的动态路由协议贯通
           *由于没有虚拟隧道接口,所以很难对通信点之间的明文数据流进行控制(ACL、NAT、QoS)
           *感兴趣流多,是两个站点的组合数,网络多的话,感兴趣流也多
——为了解决这一缺陷,那么Cisco提供两种方案,一种是GRE(IOS 12.4之前推荐),一种是SVTI(IOS 12.4以后的路由器推荐)。
         分析GRE是如何解决经典配置的问题的:1、GRE上运行OSPF,这样可以实现内部互学路由;2、可以在GRE隧道接口配置ACL等控制;3、感兴趣流最终会是站点之间的GRE流量。GRE over IPSec 属于典型的传输模式的IPSec VPN(因为加密点=通信点)
实验拓扑:
GRE Over IPSec配置_第2张图片

 


默认基本配置完成
Site1:
R1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
R1(config)#in tunnel 13
R1(config-if)#ip add 13.1.1.1 255.255.255.0
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tun destination 23.1.1.3
R1(config-if)#end
R1#ping 13.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/162/180 ms
R1(config)#router os 1
R1(config-router)#network  13.1.1.0 0.0.0.255 a 0
R1(config-router)#net 1.1.1.0 0.0.0.255 a 0
R1(config-router)#router-id 1.1.1.1
R1(config-router)#end
R1#sho ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 12.1.1.2 to network 0.0.0.0

      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/1001] via 13.1.1.3, 00:00:08, Tunnel13
R1(config)#crypto isakmp  enable
R1(config)#crypto  is policy  10
R1(config-isakmp)#authentication  pre-share
R1(config-isakmp)#exi
R1(config)#crypto isakmp key 0 cisco address 23.1.1.3
R1(config)#ip access-list extended
R1(config-ext-nacl)#permit gre 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
R1(config-ext-nacl)#exi
R1(config)#crypto  ipsec transform-set trans esp-des esp-md5-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exi
R1(config)#crypto  map cisco 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match  address
R1(config-crypto-map)#set peer 23.1.1.3
R1(config-crypto-map)#set  transform-set trans
R1(config-crypto-map)#int f1/0
R1(config-if)#crypto  map cisco
R1#ping 3.3.3.3 so 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 208/243/264 ms
R1#sho crypto  en connections  active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0       15       17 12.1.1.1
    2  IPsec   DES+MD5                   8        0        0 12.1.1.1
 1001  IKE     SHA+DES                   0        0        0 12.1.1.1
Site2
R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2
R3(config)#end
R3(config)#int tu 13
R3(config-if)#tun so 23.1.1.3
R3(config-if)#tun destination  12.1.1.1
R3(config-if)#ip add 13.1.1.3 255.255.255.0
R3(config)#ro
R3(config)#router os 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#net 3.3.3.0 0.0.0.255 a 0
R3(config-router)#net 13.1.1.0 0.0.0.255 a 0
R3(config-router)#end
R3(config)#crypto  is enable
R3(config)#crypto  isakmp  po 10
R3(config-isakmp)#authentication  pre-share
R3(config-isakmp)#exi
R3(config)#crypto  isakmp  key  0 cisco address 12.1.1.1
R3(config)#ip access-list extended
R3(config-ext-nacl)#permit  gre 23.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
R3(config-ext-nacl)#exi
R3(config)#crypto ipsec transform-set trans esp-des esp-md5-hmac
R3(cfg-crypto-trans)#mode transport
R3(cfg-crypto-trans)#exi
R3(config)#crypto map cisco 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 12.1.1.1
R3(config-crypto-map)#set transform-set trans
R3(config-crypto-map)#match  address
R3(config-crypto-map)#int f1/0
R3(config-if)#crypto map  cisco
除此之外,可以直接使用下面的配置来代替crypto map。解释一下,注意这个IPSec profile的运用位置,是隧道接口,并且使用的关键字是tunnel protection,显然使用这个IPSec profile来保护隧道的,那隧道中的流量自然就得以保护,而这流量就是感兴趣流,那么流量而动另一端肯定是对等体的目的地址,那么就不需要设置peer和match address了
Site1(config)#crypto ipsec profile IPSecPro //名字
Site1(ipsec-profile)#set transform-set trans
Site1(ipsec-profile)#int tun 13
Site1(config-if)#tunnel protection ipsec profile IPSecPro


Site2(config)#crypto  ipsec  profile IPSecPro
Site2(ipsec-profile)#set transform-set trans
Site2(ipsec-profile)#int tun 13
Site2(config-if)#tunnel protection ipsec profile IPSecPro

转载于:https://www.cnblogs.com/MomentsLee/p/10112636.html

你可能感兴趣的:(GRE Over IPSec配置)