GRE over IPsec, as the name says, builds a GRE tunnel on top of an IPsec connection. One of IPsec's encryption modes is tunnel mode (encrypting traffic between two subnets); here the GRE tunnel is built on top of the two subnets that IPsec encrypts, so every GRE packet is carried inside ESP.
===================================R0 configuration:=====================================
crypto isakmp policy 1 //IPsec phase 1 (ISAKMP) parameters
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 1234 address 192.168.8.1 //phase 1 pre-shared key, bound to the peer's address
!
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac //phase 2 transform set (encryption and integrity algorithms)
!
crypto map 1 1 ipsec-isakmp //phase 2 crypto map
set peer 192.168.8.1
set transform-set 1
set pfs group2
match address greoveripsec //the crypto ACL that selects the interesting traffic
!
interface Loopback1
ip address 192.168.88.1 255.255.255.0 //R0's loopback, the local endpoint of the IPsec interesting traffic
!
interface Tunnel1 //GRE tunnel
ip address 192.168.10.1 255.255.255.0 //GRE tunnel interface address
tunnel source 192.168.88.1 //local GRE endpoint (the local IPsec address)
tunnel destination 192.168.99.1 //remote GRE endpoint (the remote IPsec address)
!
interface Serial1/0 //R0's physical interface
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
crypto map 1 //apply crypto map 1 to the physical interface
!
ip access-list extended greoveripsec //interesting traffic: loopback subnet to loopback subnet
permit ip 192.168.88.0 0.0.0.255 192.168.99.0 0.0.0.255
Router#show ip route //R0's routing table
C 192.168.88.0/24 is directly connected, Loopback1
C 192.168.10.0/24 is directly connected, Tunnel1
C 192.168.1.0/24 is directly connected, Serial1/0
S* 0.0.0.0/0 is directly connected, Serial1/0
=============================================================================================
===================================R2 configuration:=====================================
crypto isakmp policy 1 //IPsec phase 1 (ISAKMP) parameters, identical to R0's
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 1234 address 192.168.1.1 //phase 1 pre-shared key, bound to R0's address
!
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac //phase 2 transform set, identical to R0's
!
crypto map 1 1 ipsec-isakmp //phase 2 crypto map
set peer 192.168.1.1
set transform-set 1
set pfs group2
match address greoveripsec //the crypto ACL that selects the interesting traffic
!
interface Loopback1
ip address 192.168.99.1 255.255.255.0 //R2's loopback, the local endpoint of the IPsec interesting traffic (the original read 192.168.999.1, which is not a valid address)
!
interface Tunnel1 //GRE tunnel
ip address 192.168.10.2 255.255.255.0 //GRE tunnel interface address (must differ from R0's 192.168.10.1; this is the address pinged below)
tunnel source 192.168.99.1 //local GRE endpoint (the local IPsec address)
tunnel destination 192.168.88.1 //remote GRE endpoint (the remote IPsec address)
!
interface Serial1/0 //R2's physical interface
ip address 192.168.8.1 255.255.255.0
serial restart-delay 0
crypto map 1 //apply crypto map 1 to the physical interface
!
ip access-list extended greoveripsec //interesting traffic: the mirror image of R0's ACL
permit ip 192.168.99.0 0.0.0.255 192.168.88.0 0.0.0.255
Router#show ip route //R2's routing table (the original repeated R0's table; these are the networks R2's own configuration defines)
C 192.168.99.0/24 is directly connected, Loopback1
C 192.168.10.0/24 is directly connected, Tunnel1
C 192.168.8.0/24 is directly connected, Serial1/0
S* 0.0.0.0/0 is directly connected, Serial1/0
=============================================================================================
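Most GRE-over-IPsec failures come from the two sides not agreeing: a pre-shared key bound to the wrong address, a crypto ACL that is not the mirror image of the peer's, a tunnel source that the crypto ACL does not cover (the GRE packets then leave the serial interface unencrypted), or two tunnel interfaces with the same address. The following checker is an added example written for this page; it is not part of the original post and not a Cisco tool. It parses only the handful of IOS commands used in the two configurations above. R0's configuration is embedded as constructed sample text, and R2's is derived from it by swapping the two ends, with 192.168.99.1 on Loopback1 and 192.168.10.2 on Tunnel1, which is what R2's configuration must contain for the ping to 192.168.10.2 below to work. It also lists the algorithm choices in these configurations that are deprecated today (MD5, 3DES, 1024-bit DH group 2).

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: R0's config from the page (// comments and '!' lines dropped).
R0_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 1234 address 192.168.8.1
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
crypto map 1 1 ipsec-isakmp
 set peer 192.168.8.1
 set transform-set 1
 set pfs group2
 match address greoveripsec
interface Loopback1
 ip address 192.168.88.1 255.255.255.0
interface Tunnel1
 ip address 192.168.10.1 255.255.255.0
 tunnel source 192.168.88.1
 tunnel destination 192.168.99.1
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map 1
ip access-list extended greoveripsec
 permit ip 192.168.88.0 0.0.0.255 192.168.99.0 0.0.0.255
"""
# R2 is R0 with the two ends swapped and 192.168.10.2 on its tunnel, i.e. the page's
# R2 config once its typos (192.168.999.1, duplicate 192.168.10.1) are corrected.
_SWAP = {"192.168.8.1": "192.168.1.1", "192.168.1.1": "192.168.8.1", "192.168.88.": "192.168.99.",
         "192.168.99.": "192.168.88.", "192.168.10.1 ": "192.168.10.2 "}
R2_CONFIG = re.sub("|".join(map(re.escape, _SWAP)), lambda m: _SWAP[m.group()], R0_CONFIG)
WEAK = {"hash md5", "group 2", "pfs group2", "esp-3des", "esp-md5-hmac"}  # MD5, 1024-bit DH, 3DES

def _net(addr, wildcard):  # Cisco wildcard mask -> network (contiguous wildcards only)
    return IPv4Network(f"{addr}/{32 - int(IPv4Address(wildcard)).bit_length()}", strict=False)

def parse_ios(text):
    """Minimal parser for the commands used above; an invalid address such as 192.168.999.1 raises."""
    c = {"keys": {}, "policy": {}, "transform": {}, "map": {}, "intf": {}, "acl": {}}
    block = ("", "")  # (kind, name) of the section currently open
    for w in (line.split("//")[0].split() for line in text.splitlines()):
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            block, c["intf"][w[1]] = ("intf", w[1]), {}
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            block = ("policy", w[3])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            c["keys"][IPv4Address(w[5])] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transform"][w[3]] = sorted(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 3:  # "crypto map 1 1 ipsec-isakmp"
            block, c["map"][w[2]] = ("map", w[2]), {}
        elif w[:2] == ["ip", "access-list"]:
            block, c["acl"][w[3]] = ("acl", w[3]), []
        elif block[0] == "policy":  # hash / authentication / group / lifetime
            c["policy"][w[0]] = w[1]
        elif block[0] == "map":  # set peer|transform-set|pfs, match address
            c["map"][block[1]][w[1]] = IPv4Address(w[2]) if w[1] == "peer" else w[2]
        elif block[0] == "acl" and w[0] == "permit":  # permit ip SRC WILD DST WILD
            c["acl"][block[1]].append((_net(w[2], w[3]), _net(w[4], w[5])))
        elif block[0] == "intf" and w[:2] == ["ip", "address"]:
            i = c["intf"][block[1]]
            i["ip"], i["net"] = IPv4Address(w[2]), IPv4Network(f"{w[2]}/{w[3]}", strict=False)
        elif block[0] == "intf" and w[0] == "tunnel":  # tunnel source / tunnel destination
            c["intf"][block[1]][w[1]] = IPv4Address(w[2])
    return c

def _one_way(x, xn, y, yn):  # findings from x's point of view about its peer y
    out, x_ip = [], {i["ip"] for i in x["intf"].values() if "ip" in i}
    y_ip = {i["ip"] for i in y["intf"].values() if "ip" in i}
    for name, m in x["map"].items():
        back = [n for n in y["map"].values() if n["peer"] in x_ip]  # y's map pointing at x
        if m["peer"] not in y_ip or not back:
            out.append(f"{xn}: map {name} peer {m['peer']} is not an address of {yn} with a map back")
            continue
        if x["keys"].get(m["peer"]) != next((k for a, k in y["keys"].items() if a in x_ip), None):
            out.append(f"{xn}<->{yn}: pre-shared keys differ or are bound to the wrong peer address")
        if x["acl"][m["address"]] != [(d, s) for s, d in y["acl"][back[0]["address"]]]:
            out.append(f"{xn}<->{yn}: crypto ACLs are not mirror images")
    for name, t in ((n, i) for n, i in x["intf"].items() if "source" in i):
        if not any(t["source"] in s and t["destination"] in d for a in x["acl"].values() for s, d in a):
            out.append(f"{xn}: {name} outer header {t['source']}->{t['destination']} misses the crypto ACL; GRE would leave in clear")
        for u in (u for u in y["intf"].values() if u.get("source") == t["destination"]):
            if u["ip"] == t["ip"]:
                out.append(f"{xn}<->{yn}: both tunnel interfaces use {t['ip']}")
    return out

def check_pair(a, b, an="R0", bn="R2"):
    """De-duplicated findings for a peer pair; an empty list means the two sides agree."""
    out = _one_way(a, an, b, bn) + _one_way(b, bn, a, an)
    return list(dict.fromkeys(out + [f"ISAKMP/IPsec {k} differs between {an} and {bn}" for k in ("policy", "transform") if a[k] != b[k]]))

def weak_crypto(c):  # deprecated algorithm choices present in one config
    used = {f"{k} {v}" for k, v in c["policy"].items()} | {f"pfs {m.get('pfs')}" for m in c["map"].values()}
    return sorted(WEAK & (used | {a for algs in c["transform"].values() for a in algs}))
```

check_pair(parse_ios(R0_CONFIG), parse_ios(R2_CONFIG)) returns an empty list for the corrected pair. Feeding it R2's configuration as the post printed it (192.168.10.1 on both tunnel interfaces) reports the duplicate address, a tunnel source outside the crypto ACL is reported as GRE that would be sent in clear, and a key bound to the wrong address is reported as a pre-shared key mismatch. weak_crypto() lists the five deprecated choices from these configurations; on current IOS the usual replacements are SHA-2 hashing, AES (GCM, or CBC with a SHA-2 HMAC) and DH group 14 or higher.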
After the parameters are configured on R0 and R2, neither router initiates the connection on its own. Run "ping 192.168.99.1 source 192.168.88.1" on R0 to bring up the IPsec connection (or run "ping 192.168.88.1 source 192.168.99.1" on R2). The ping results show that the IPsec connection between R0 and R2 has been established:
Router#ping 192.168.99.1 source 192.168.88.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.88.1
.!!!! //the first packet is lost to ARP resolution
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/84/100 ms
At this point the IPsec connection between R0 and R2 is up; the next step is to build the GRE tunnel over it. The parameters are shown in the R0 and R2 configurations above and are not repeated here.
With the tunnel parameters configured, we verify that the tunnel came up (run "ping 192.168.10.2" on R0):
Router#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/105/172 ms
The ping output shows that the tunnel between R0 and R2 is up. Over the GRE tunnel we can carry traffic that IPsec alone cannot, such as dynamic routing protocol packets.
A follow-up will cover GRE over IPsec where the IPsec connection is site-to-site.
This article is from the blog "网络学习点滴记录"; contact the author before reproducing it.