Configuring GRE over IPsec VPN on a Cisco router
Author: 阿新 • Published: 2019-01-30
crypto map r1-r3 1 ipsec-isakmp    (create the crypto map, which ties together the IKE SA, the IPsec SA, the peer and PSK authentication)
set peer 23.1.1.3
set transform-set r1-r3
match address 100
crypto map r1-r3
R1#
R1#show run interface f0/0
Building configuration...
Current configuration : 111 bytes
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map r1-r3    (finally, apply the crypto map to the interface)
end
R1#
The IPsec configuration on R3 is as follows:
R3#show run | s crypto
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 12.1.1.1
crypto ipsec transform-set r3-r1 esp-3des
R3#show access-lists 100
Extended IP access list 100
10 permit ip host 23.1.1.3 host 12.1.1.1 (10941 matches)
R3#
crypto map r3-r1 1 ipsec-isakmp
set peer 12.1.1.1
set transform-set r3-r1
match address 100
crypto map r3-r1
R3#
R3#show run interface f0/1
Building configuration...
Current configuration : 111 bytes
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
crypto map r3-r1
end
R3#
The configuration on R3 mirrors that of R1. Once both sides are configured, check the IPsec state:
R1#show crypto isakmp peers
Peer: 23.1.1.3 Port: 500 Local: 12.1.1.1
Phase1 id: 23.1.1.3
R1#
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
23.1.1.3        12.1.1.1        QM_IDLE              1    0 ACTIVE
R1#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: r1-r3, local addr 12.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5245, #pkts encrypt: 5245, #pkts digest: 5245
    #pkts decaps: 5553, #pkts decrypt: 5553, #pkts verify: 5553
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 16, #recv errors 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xA1A490E9(2711916777)
     inbound esp sas:
      spi: 0xD800176E(3623884654)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: r1-r3
        sa timing: remaining key lifetime (k/sec): (4469032/1561)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xA1A490E9(2711916777)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: r1-r3
        sa timing: remaining key lifetime (k/sec): (4469086/1558)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
R1#
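Two things in the output above deserve a second look from a defender: the transform-set is `esp-3des` with no ESP integrity algorithm, which is why every SA reports `replay detection support: N`, and the encaps/decaps counters are the quickest way to tell whether the crypto ACL is actually catching the GRE traffic. The following script is an added example, not part of the original post; it parses a constructed excerpt modelled on that `show crypto ipsec sa` output and flags an SA that is down, carries no integrity algorithm, or has anti-replay disabled.

```python
import re

# Constructed excerpt modelled on the 'show crypto ipsec sa' output above; not captured from a live router.
SAMPLE = """\
    #pkts encaps: 5245, #pkts encrypt: 5245, #pkts digest: 5245
    #pkts decaps: 5553, #pkts decrypt: 5553, #pkts verify: 5553
     inbound esp sas:
      spi: 0xD800176E(3623884654)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE
"""
AUTH_ALGS = ("md5-hmac", "sha-hmac", "sha256-hmac", "sha384-hmac", "sha512-hmac", "gcm", "gmac")  # integrity

def parse_ipsec_sa(text):
    """Pull the packet counters and each ESP SA (direction, spi, transform, replay, status) out of the output."""
    info, direction, sa = {"encaps": 0, "decaps": 0, "sas": []}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"#pkts (encaps|decaps): (\d+)", s)
        if m:
            info[m.group(1)] = int(m.group(2))
        elif s in ("inbound esp sas:", "outbound esp sas:"):
            direction = s.split()[0]
        elif s.startswith("spi:"):
            sa = {"dir": direction, "spi": s.split()[1].split("(")[0]}
            info["sas"].append(sa)
        elif sa is not None and s.startswith("transform:"):
            sa["transform"] = s[len("transform:"):].strip(" ,")
        elif sa is not None and s.startswith("replay detection support:"):
            sa["replay"] = s.endswith("Y")
        elif sa is not None and s.startswith("Status:"):
            sa["status"] = s.split()[1]
    return info

def audit(text):
    """Return findings a defender should act on; an empty list means the SAs are up and hardened."""
    info, findings = parse_ipsec_sa(text), []
    if not info["sas"] or info["encaps"] == 0 or info["decaps"] == 0:
        findings.append("no SA or no traffic in one direction: check IKE, the PSK and that the crypto ACL covers the GRE endpoints")
    for sa in info["sas"]:
        tag = f"{sa['dir']} SA {sa['spi']}"
        if sa.get("status") != "ACTIVE":
            findings.append(f"{tag}: status is {sa.get('status')}, not ACTIVE")
        if not any(a in sa.get("transform", "") for a in AUTH_ALGS):
            findings.append(f"{tag}: transform '{sa.get('transform')}' has no integrity algorithm")
        if not sa.get("replay"):
            findings.append(f"{tag}: anti-replay is disabled")
    return findings
```

Run against the excerpt, `audit(SAMPLE)` reports the missing integrity algorithm and the disabled anti-replay; a transform-set such as `esp-aes esp-sha-hmac` clears both findings.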
IPsec is up as expected; now test connectivity between the internal networks:
R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
The current IPsec policy only encrypts traffic between the public addresses both sides use to build the GRE tunnel; it does not cover the internal addresses of either side, so the internal networks cannot reach each other yet. That is exactly why we use a dynamic routing protocol.
Configure EIGRP on R1 with AS number 1, and advertise the internal subnet 192.168.1.0 and the IP of the GRE tunnel interface into the EIGRP process, so that an EIGRP neighbor relationship is formed with the Beijing office across the GRE tunnel and the two sides exchange their internal-subnet routes.
R1#show run | s eigrp
router eigrp 1
network 1.1.1.1 0.0.0.0
network 192.168.1.0
no auto-summary
R1#
R3#show run | s eigrp
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
R3#
Finally, with EIGRP in place, test internal-network connectivity again:
R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/44 ms
R1#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
1 1.1.1.3 28 msec 16 msec 20 msec
R1#
The internal networks now communicate, and the traceroute shows that traffic from R1 to R3's internal network travels through the GRE over IPsec VPN tunnel.