
GRE + IPsec point-to-multipoint VPN on Cisco routers



Topology (the original diagram is not reproduced; this summary is read from the configurations below): R1 is the headquarters router, f0/0 200.0.0.1/24, with its LAN simulated by Loopback0 192.168.0.1/24. R2 plays the ISP, with f1/0 200.0.0.2 towards R1, f0/0 110.0.0.2 towards R3 and f0/1 120.0.0.2 towards R4. R3 (branch 1) has f0/0 110.0.0.1/24 and Loopback0 192.168.1.1/24; R4 (branch 2) has f0/0 120.0.0.1/24 and Loopback0 192.168.2.1/24. GRE Tunnel0 (10.0.0.0/8) runs between R1 and R3, Tunnel1 (20.0.0.0/8) between R1 and R4.

Case analysis:

This lab combines IPsec with GRE to build point-to-multipoint VPN connectivity, using OSPF as the routing protocol so that all traffic between the two branches passes through the headquarters router R1. The GRE tunnels carry the routing-protocol traffic (OSPF multicast cannot be sent through a plain IPsec crypto map), and IPsec then encrypts the GRE packets between the tunnel endpoints.

Lab steps:

1: IP addressing on R1
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 200.0.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int loop0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#exit
R1(config)#int tunnel 0
R1(config-if)#ip add 10.0.0.1 255.0.0.0
R1(config-if)#tunnel source 200.0.0.1
R1(config-if)#tunnel destination 110.0.0.1
R1(config-if)#exit
R1(config)#int tunnel 1
R1(config-if)#ip add 20.0.0.1 255.0.0.0
R1(config-if)#tunnel source 200.0.0.1
R1(config-if)#tunnel destination 120.0.0.1
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2

2: IP addressing on R2 (the ISP router; its hostname was left at the default, Router)
Router#conf t
Router(config)#int f1/0
Router(config-if)#ip add 200.0.0.2 255.255.255.0
Router(config-if)#no shut
Router(config-if)#int f0/0
Router(config-if)#ip add 110.0.0.2 255.255.255.0
Router(config-if)#no shut
Router(config-if)#int f0/1
Router(config-if)#ip add 120.0.0.2 255.255.255.0
Router(config-if)#no shut

3: IP addressing on R3
R3#conf t
R3(config)#int f0/0
R3(config-if)#ip add 110.0.0.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#int loop0
R3(config-if)#ip add 192.168.1.1 255.255.255.0
R3(config-if)#exit
R3(config)#int tunnel 0
R3(config-if)#ip add 10.0.0.2 255.0.0.0
R3(config-if)#tunnel source 110.0.0.1
R3(config-if)#tunnel destination 200.0.0.1
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 110.0.0.2
R3(config)#

4: IP addressing on R4
R4#conf t
R4(config)#int f0/0
R4(config-if)#ip add 120.0.0.1 255.255.255.0
R4(config-if)#no shut
R4(config-if)#int loop0
R4(config-if)#ip add 192.168.2.1 255.255.255.0
R4(config-if)#exit
R4(config)#int tunnel 1
R4(config-if)#ip add 20.0.0.2 255.0.0.0
R4(config-if)#tunnel source 120.0.0.1
R4(config-if)#tunnel destination 200.0.0.1
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 120.0.0.2

5: OSPF on R1

Only the tunnel networks and the loopback (LAN) networks are advertised. The public 200.0.0.0/24, 110.0.0.0/24 and 120.0.0.0/24 networks must stay out of OSPF: if a tunnel destination were ever learned through the tunnel itself, the router would try to route the tunnel packets into the tunnel (recursive routing) and the tunnel would flap.
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 192.168.0.0 0.0.0.255 area 0
R1(config-router)#network 20.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R1(config)#
6: OSPF on R3
R3(config)#router ospf 1
R3(config-router)#network 10.0.0.0 0.255.255.255 area 0
R3(config-router)#network 192.168.1.0 0.0.0.255 area 0
R3(config-router)#exit
R3(config)#
7: OSPF on R4
R4(config)#router ospf 1
R4(config-router)#network 20.0.0.0 0.255.255.255 area 0
R4(config-router)#network 192.168.2.0 0.0.0.255 area 0
R4(config-router)#exit
R4(config)#

8: Routing tables at the three sites

Each branch learns the other branch's loopback with R1's tunnel address as next hop, so branch-to-branch traffic is hub-and-spoke through R1. The [110/11112] cost is one GRE tunnel hop (11111, from the tunnel interface's default bandwidth of 9 kbit/s: 10^8 / 9000) plus the loopback (1); the branch-to-branch routes cost two tunnel hops, 22222, plus 1.

R1's routing table
R1#show ip route

C 200.0.0.0/24 is directly connected, FastEthernet0/0
C 20.0.0.0/8 is directly connected, Tunnel1
C 10.0.0.0/8 is directly connected, Tunnel0
C 192.168.0.0/24 is directly connected, Loopback0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/11112] via 10.0.0.2, 00:00:38, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/11112] via 20.0.0.2, 00:00:38, Tunnel1
S* 0.0.0.0/0 [1/0] via 200.0.0.2

R3's routing table
R3#show ip route

O 20.0.0.0/8 [110/22222] via 10.0.0.1, 00:01:45, Tunnel0
110.0.0.0/24 is subnetted, 1 subnets
C 110.0.0.0 is directly connected, FastEthernet0/0
C 10.0.0.0/8 is directly connected, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
O 192.168.0.1 [110/11112] via 10.0.0.1, 00:01:45, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/22223] via 10.0.0.1, 00:01:45, Tunnel0
S* 0.0.0.0/0 [1/0] via 110.0.0.2

R4's routing table
R4#show ip route

C 20.0.0.0/8 is directly connected, Tunnel1
O 10.0.0.0/8 [110/22222] via 20.0.0.1, 00:02:29, Tunnel1
192.168.0.0/32 is subnetted, 1 subnets
O 192.168.0.1 [110/11112] via 20.0.0.1, 00:02:29, Tunnel1
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/22223] via 20.0.0.1, 00:02:29, Tunnel1
C 192.168.2.0/24 is directly connected, Loopback0
120.0.0.0/24 is subnetted, 1 subnets
C 120.0.0.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 120.0.0.2

9: IPsec on R1

The ISAKMP policy (3DES, MD5, DH group 2, pre-shared key) and the transform set (esp-3des esp-md5-hmac) are what the original lab used and are kept here so the output matches; all of them are weak by current standards. For anything beyond a lab, use AES-256, SHA-256 and DH group 14 or higher, prefer IKEv2, and do not share one PSK (here cisco123) across all spokes. Transport mode is the right choice in this design: GRE already supplies the outer IP header between the public tunnel endpoints, so ESP only needs to protect the GRE payload, saving 20 bytes per packet compared with tunnel mode.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco123 address 110.0.0.1
R1(config)#crypto isakmp key 0 cisco123 address 120.0.0.1
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#

Crypto ACL 101 selects the traffic for peer R3. The permit gre entry does the real work: LAN-to-LAN traffic is routed into Tunnel0 and is already GRE-encapsulated, with outer addresses 200.0.0.1 to 110.0.0.1, by the time the crypto map on f0/0 classifies it, and that outer header is all the crypto map ever sees. The two permit ip entries would only match LAN traffic that left f0/0 without going through the tunnel (for example while OSPF is down and the default route is used); they are kept from the original lab and, like every crypto ACL entry, must be mirrored exactly on the peer.

R1(config)#access-list 101 permit gre host 200.0.0.1 host 110.0.0.1
R1(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#crypto map cisco-map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 110.0.0.1
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#exit
R1(config)#

Crypto ACL 102 and crypto map entry 20 repeat this for peer R4. Both peers are sequence numbers 10 and 20 of the single crypto map cisco-map, which is then applied once to f0/0: an interface accepts only one crypto map, so each additional spoke is added as a new sequence number in that map, not as a new map.

R1(config)#access-list 102 permit gre host 200.0.0.1 host 120.0.0.1
R1(config)#access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#crypto map cisco-map 20 ipsec-isakmp
R1(config-crypto-map)#set peer 120.0.0.1
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address 102
R1(config-crypto-map)#exit
R1(config)#

R1(config)#int f0/0
R1(config-if)#crypto map cisco-map
R1(config-if)#exit
R1(config)#

10: IPsec on R3

R3 is a spoke with a single peer (R1), so one crypto map entry is enough. Its crypto ACL 101 is R1's ACL 101 with source and destination swapped; the other branch's network still appears in it because branch-to-branch traffic also crosses this tunnel on its way through R1.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 cisco123 address 200.0.0.1
R3(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#mode transport
R3(cfg-crypto-trans)#exit
R3(config)#
R3(config)#access-list 101 permit gre host 110.0.0.1 host 200.0.0.1
R3(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
R3(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R3(config)#crypto map cisco-map 10 ipsec-isakmp
R3(config-crypto-map)#set peer 200.0.0.1
R3(config-crypto-map)#set transform-set myset
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#exit
R3(config)#int f0/0
R3(config-if)#crypto map cisco-map
R3(config-if)#exit
R3(config)#

11: IPsec on R4

R4 mirrors R1's ACL 102 and crypto map entry 20 in the same way.

R4(config)#crypto isakmp policy 1
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 0 cisco123 address 200.0.0.1
R4(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#mode transport
R4(cfg-crypto-trans)#exit
R4(config)#

R4(config)#access-list 101 permit gre host 120.0.0.1 host 200.0.0.1
R4(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
R4(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R4(config)#crypto map cisco-map 10 ipsec-isakmp
R4(config-crypto-map)#set peer 200.0.0.1
R4(config-crypto-map)#set transform-set myset
R4(config-crypto-map)#match address 101
R4(config-crypto-map)#exit
R4(config)#int f0/0
R4(config-if)#crypto map cisco-map
R4(config-if)#exit
R4(config)#
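
Which crypto ACL entry actually triggers IPsec for LAN-to-LAN traffic, and whether the hub and spoke ACLs mirror each other, can be checked with a few lines of Python. The following is an added example and not part of the original lab: it builds the GRE packet that R1's Tunnel0 hands to f0/0, runs its outer header through the crypto ACLs copied from the steps above using IOS wildcard-mask semantics, and checks that R3's ACL 101 is the exact mirror of R1's. The packet bytes are constructed here; the addresses and ACL text are the lab's.

```python
"""Added example, not part of the original lab: reproduce what R1's Tunnel0 and
crypto map do to a LAN packet, then run the result through the crypto ACLs
copied from the article.  Packet contents are constructed from the lab's
addresses; the ACL lines are the ones typed on R1 and R3."""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type for an IPv4 payload
PROTO_NUMBERS = {"gre": 47, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}

# Crypto ACLs exactly as typed on R1 (hub) and R3 (spoke) in the article.
R1_ACL_101 = [
    "access-list 101 permit gre host 200.0.0.1 host 110.0.0.1",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
R3_ACL_101 = [
    "access-list 101 permit gre host 110.0.0.1 host 200.0.0.1",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (routers recompute it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What 'interface Tunnel0' does before the packet reaches f0/0: prepend a
    4-byte GRE header (no flags) and an outer IPv4 header carrying the
    configured tunnel source and destination."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def outer_tuple(pkt):
    """(src, dst, proto) of the outermost IPv4 header, which is all the crypto
    map on the physical interface ever looks at."""
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])


def wildcard_match(addr, base, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def parse_acl_line(line):
    """'access-list N permit <proto> <src> <dst>' -> (proto, (src, wild), (dst, wild)).
    Each address is either 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    assert tok[2] == "permit", "only permit entries act as IPsec proxies here"
    proto, rest, specs = tok[3], tok[4:], []
    while rest:
        if rest[0] == "host":
            specs.append((rest[1], "0.0.0.0"))
        else:
            specs.append((rest[0], rest[1]))
        rest = rest[2:]
    return proto, specs[0], specs[1]


def first_match(acl_lines, pkt):
    """Index of the first ACL entry the packet's outer header matches, or None
    (None means the crypto map sends the packet out in the clear)."""
    src, dst, proto = outer_tuple(pkt)
    for idx, line in enumerate(acl_lines):
        name, (sb, sw), (db, dw) = parse_acl_line(line)
        proto_ok = name == "ip" or PROTO_NUMBERS[name] == proto
        if proto_ok and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return idx
    return None


def is_mirror(local_lines, peer_lines):
    """IPsec proxy identities must be symmetric: every (proto, src, dst) on one
    peer must appear as (proto, dst, src) on the other, or phase 2 fails."""
    local = {parse_acl_line(l) for l in local_lines}
    swapped = {(p, d, s) for p, s, d in (parse_acl_line(l) for l in peer_lines)}
    return local == swapped


# Constructed traffic: an ICMP echo from R1's LAN to R3's LAN, as it leaves
# Loopback0 (inner) and as Tunnel0 hands it to f0/0 (GRE outer).
INNER_PING = ipv4_header("192.168.0.1", "192.168.1.1", PROTO_NUMBERS["icmp"], 8) + bytes(8)
GRE_PING = gre_encapsulate(INNER_PING, "200.0.0.1", "110.0.0.1")
# An OSPF hello sourced from the tunnel address is GRE-encapsulated the same way.
GRE_OSPF = gre_encapsulate(ipv4_header("10.0.0.1", "224.0.0.5", PROTO_NUMBERS["ospf"], 44) + bytes(44),
                           "200.0.0.1", "110.0.0.1")

if __name__ == "__main__":
    print("GRE-encapsulated ping matches entry", first_match(R1_ACL_101, GRE_PING))
    print("GRE-encapsulated OSPF hello matches entry", first_match(R1_ACL_101, GRE_OSPF))
    print("un-tunnelled ping would match entry", first_match(R1_ACL_101, INNER_PING))
    print("R3's ACL 101 mirrors R1's:", is_mirror(R1_ACL_101, R3_ACL_101))
```

Both the data ping and the OSPF hello match entry 0 (the permit gre line) once they are GRE-encapsulated; the permit ip entries are reached only by the un-tunnelled packet. The mirror check is the one to run whenever a spoke ACL is edited, since an asymmetric proxy pair is the usual cause of a phase 2 negotiation failing while phase 1 looks healthy.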

12: Testing

All three sites can reach each other, and the checks are the same as for any crypto-map VPN: show ip ospf neighbor on R1 should list both spokes, one over Tunnel0 and one over Tunnel1; show crypto isakmp sa should show a QM_IDLE SA to each peer; and show crypto ipsec sa should show the pkts encaps and pkts decaps counters rising as pings cross the tunnels (if they stay at zero, the traffic is leaving f0/0 unencrypted).

Pings sourced from a site's 192.168.x.0 network reach the other sites' 192.168 addresses but cannot reach the ISP's addresses. That is expected: the 192.168.x.0 networks are advertised only inside the GRE tunnels and there is no NAT, so R2 has no return route to them.

One operational caveat the lab leaves out: GRE (24 bytes, the 4-byte GRE header plus the outer IP header) and ESP together add enough overhead that 1500-byte packets are fragmented or dropped across the tunnels. Setting ip mtu 1400 and ip tcp adjust-mss 1360 on each tunnel interface is the usual fix.
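
Before reusing this configuration anywhere but a lab, it is worth linting the crypto settings. The following is an added example, not part of the original lab: a small Python check that parses the ISAKMP policy, pre-shared keys, transform set and crypto map peers out of IOS configuration text and reports everything below a baseline. The baseline (AES, SHA-2, DH group 14 or higher, a pre-shared key of at least 20 characters, IKEv2) is this example's own assumption, not a Cisco default; R1_CONFIG is the crypto configuration typed in step 9, and HARDENED_CONFIG is a constructed counterpart whose type 6 key is a placeholder string.

```python
"""Added example, not part of the original lab: lint the ISAKMP and IPsec
settings in an IOS configuration against a baseline.  The baseline values
are this example's own choices; R1_CONFIG is the crypto configuration typed
on R1 in the article, HARDENED_CONFIG a constructed counterpart."""
import re
from typing import Dict, List

STRONG_IKE_ENC = {"aes 128", "aes 192", "aes 256"}
STRONG_IKE_HASH = {"sha256", "sha384", "sha512"}
MIN_DH_GROUP = 14   # 2048-bit MODP; groups 1, 2 and 5 are too small
MIN_PSK_LEN = 20    # assumed minimum length for a pre-shared key
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

R1_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 cisco123 address 110.0.0.1
crypto isakmp key 0 cisco123 address 120.0.0.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
crypto map cisco-map 10 ipsec-isakmp
 set peer 110.0.0.1
 set transform-set myset
 match address 101
crypto map cisco-map 20 ipsec-isakmp
 set peer 120.0.0.1
 set transform-set myset
 match address 102
"""

# Constructed: meets the baseline except that it still uses IKEv1.
# The type 6 key is a placeholder, not a real encrypted blob.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 PLACEHOLDER-TYPE6-ENCRYPTED-KEY address 110.0.0.1
crypto ipsec transform-set strong esp-gcm 256
 mode transport
crypto map cisco-map 10 ipsec-isakmp
 set peer 110.0.0.1
 set transform-set strong
 match address 101
"""


def parse_isakmp_policies(cfg: str) -> Dict[int, Dict[str, str]]:
    """Collect the indented attributes under each 'crypto isakmp policy N'."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return policies


def lint(cfg: str) -> List[str]:
    """Return one finding per setting below the baseline (empty list = clean)."""
    findings: List[str] = []
    for num, pol in parse_isakmp_policies(cfg).items():
        enc = pol.get("encryption", "des")   # IOS defaults when the line is absent
        hsh = pol.get("hash", "sha")
        grp = int(pol.get("group", "1"))
        if enc not in STRONG_IKE_ENC:
            findings.append(f"isakmp policy {num}: encryption {enc} is weak, use aes 256")
        if hsh not in STRONG_IKE_HASH:
            findings.append(f"isakmp policy {num}: hash {hsh} is weak, use sha256 or stronger")
        if grp < MIN_DH_GROUP:
            findings.append(f"isakmp policy {num}: DH group {grp} is too small, use group {MIN_DH_GROUP}+")

    keyed_peers = set()
    for ktype, key, peer in re.findall(r"^crypto isakmp key (\d) (\S+) address (\S+)", cfg, re.M):
        keyed_peers.add(peer)
        if ktype == "0":   # type 0 = plaintext in the running-config
            findings.append(f"isakmp key for {peer}: type 0 is plaintext in the config; "
                            "enable 'password encryption aes' so it is stored as type 6")
            if len(key) < MIN_PSK_LEN:
                findings.append(f"isakmp key for {peer}: PSK shorter than {MIN_PSK_LEN} characters")

    for name, algs in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        for alg in algs.split():
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: {alg} is weak, use esp-gcm 256 "
                                "or esp-aes 256 with esp-sha256-hmac")

    for peer in re.findall(r"^ set peer (\S+)", cfg, re.M):
        if peer not in keyed_peers:
            findings.append(f"crypto map peer {peer}: no isakmp key configured for it")

    if "crypto isakmp policy" in cfg and "crypto ikev2" not in cfg:
        findings.append("IKEv1 only: migrate to IKEv2 (crypto ikev2 proposal / policy / profile)")
    return findings


if __name__ == "__main__":
    for f in lint(R1_CONFIG):
        print("R1:", f)
    print("hardened:", lint(HARDENED_CONFIG))
```

Run against R1's configuration this reports the 3DES cipher, MD5 hash and DH group 2, both plaintext and short pre-shared keys, both weak ESP transforms, and the use of IKEv1; the hardened counterpart is left with only the IKEv1 finding. The same text can be fed from `show running-config | section crypto` on a real router.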
