Topology

Lab 01 - GRE over IPsec - Figure 1

Steps

IPsec

    ! R1
    crypto isakmp policy 1
     encr aes 256
     hash sha256
     authentication pre-share
     ! DH group 5 is the 1536-bit MODP group
     group 5
    ! Lab-only pre-shared key
    crypto isakmp key CISCO address 10.23.1.3
    crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
     mode tunnel
    crypto map MY_CRYPTO 10 ipsec-isakmp
     set peer 10.23.1.3
     set transform-set VPN_TS
     match address VPN_TRAFFIC
    ! Added: mirror of R3's ACL, so that both peers select the same traffic
    ip access-list extended VPN_TRAFFIC
     permit ip host 10.12.1.1 host 10.23.1.3
    ! Enter the next command under the R1 interface that holds 10.12.1.1
    ! (the page does not show that interface's name)
    crypto map MY_CRYPTO
    !
    ! R3
    crypto isakmp policy 1
     encr aes 256
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key CISCO address 10.12.1.1
    ! Tunnel mode is the default, so "mode tunnel" is omitted here
    crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
    crypto map MY_CRYPTO 10 ipsec-isakmp
     set peer 10.12.1.1
     set transform-set VPN_TS
     match address VPN_TRAFFIC
    !
    ! Interesting traffic: everything between the two GRE tunnel endpoints
    ip access-list extended VPN_TRAFFIC
     permit ip host 10.23.1.3 host 10.12.1.1
    !
    ! Bind the crypto map to the interface that sources the GRE tunnel
    interface GigabitEthernet0/0
     crypto map MY_CRYPTO

GRE Tunnel

    ! R3 side of the tunnel; R1 needs the mirror configuration
    ! with tunnel destination 10.23.1.3
    interface Tunnel0
     ip address 192.168.100.2 255.255.255.0
     tunnel source GigabitEthernet0/0
     tunnel destination 10.12.1.1
    end

  • Verify tunnel connectivity

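Lab 01 - GRE over IPsec - Figure 2

Overall verification

  • View the IPsec session: show crypto session

Lab 01 - GRE over IPsec - Figure 3

  • View the IPsec SAs: show crypto ipsec sa
    • The output shows 9 encrypted packets: ping was run twice, with 5 packets the first time and 4 the second. This proves that the GRE traffic passed through IPsec.

Lab 01 - GRE over IPsec - Figure 4

  • Enable OSPF on the Tunnel interfaces of R1 and R3 and on the interfaces that connect to the end hosts. R1 and R3 form an OSPF adjacency over the Tunnel and learn the routes to the host-facing networks through the Tunnel.

Lab 01 - GRE over IPsec - Figure 5

  • At this point, ping PC2 from PC1 and check the IPsec SAs on R1.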
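
The counter check used in the verification steps above, as an added example that is not part of the original lab: it parses two snapshots of show crypto ipsec sa and confirms that the SA between the GRE endpoints encrypted at least as many new packets as the pings sent. The sample output is constructed in the IOS layout from R3's point of view, and the function names are assumptions of this example.

```python
import re

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")

def sample(enc, dec):
    """Constructed text in the layout of `show crypto ipsec sa` on R3 (not a lab capture)."""
    return f"""interface: GigabitEthernet0/0
    Crypto map tag: MY_CRYPTO, local addr 10.23.1.3
   local  ident (addr/mask/prot/port): (10.23.1.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.12.1.1/255.255.255.255/0/0)
   current_peer 10.12.1.1 port 500
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
"""

def parse_sas(text):
    """Return {(local, remote): {counter: value}} for every SA block in the output."""
    sas, ident = {}, {}
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":
                ident = {}  # a "local ident" line starts a new SA block
            ident[m.group(1)] = m.group(2)
            continue
        found = COUNT.findall(line)
        if found and "local" in ident and "remote" in ident:
            key = (ident["local"], ident["remote"])
            sas.setdefault(key, {}).update({k: int(v) for k, v in found})
    return sas

def tunnel_protected(before, after, local, remote, sent):
    """True if the SA between the GRE endpoints encrypted at least `sent` new packets."""
    a = parse_sas(after).get((local, remote))
    if not a:
        return False  # no SA for the tunnel endpoints: GRE would leave unencrypted
    b = parse_sas(before).get((local, remote)) or {}
    delta = a.get("encaps", 0) - b.get("encaps", 0)
    # ">=" rather than "==": once OSPF runs over the tunnel, hellos add to the count
    return a.get("encaps", 0) == a.get("encrypt", 0) and delta >= sent

if __name__ == "__main__":
    # 9 packets before, 14 after a 5-packet ping across the tunnel
    print(tunnel_protected(sample(9, 9), sample(14, 14), "10.23.1.3", "10.12.1.1", 5))
```

A ping that succeeds while the counters stay flat means the GRE packets are not matching the crypto ACL, or the crypto map is not applied to the tunnel source interface.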