Ò»¡¢×éÍøÐèÇó
±£»¤×ܲ¿Óë·ÖÖ§×ÓÍøÖ®¼äµÄIPÊý¾ÝͨÐÅ£¬Í¨¹ýËíµÀ½¨Á¢Á¬½Ó£¬²¢¶ÔÊý¾Ý½øÐмÓÃÜ£¬±£Ö¤°²È«£¬GRE ovre IPSEC µÄÔÀíÊÇÓû§ÒµÎñÊý¾Ý·â±Õµ½GREËíµÀ£¬GREËíµÀµÄÊý¾ÝÔÙ±»ipsec¼ÓÃÜ£¬ËùÒÔÅäÖÃipsec¸ÐÐËȤÁ÷ʱ£¬Ô´µØÖ·ºÍÄ¿±êµØַΪÁ½¶Ë·ÓÉÆ÷µÄÍâÍø½Ó¿ÚµÄIPµØÖ·£»
¶þ¡¢×éÍøÍØÆË
Èý¡¢¹¦ÄÜÔÀí
²ÉÓÃGRE½¨Á¢ËíµÀ£¬ÊµÏÖÄÚÍø¼äµÄͨÐÅ£¬Ê¹ÓÃipsec¶Ô×ܲ¿Óë·ÖÖ§¼äµÄËíµÀÁ÷Á¿½øÐмÓÃÜ
ËÄ¡¢ÅäÖÃÒªµã
1¡¢±¾ÅäÖÃÊǽ¨Á¢ÔÚNBR-EÒѾÕýÈ·Íê³ÉÁË¿ìËÙÅäÖõĻù´¡Ö®Éϵģ»
2¡¢ÅäÖÃrouteA£¨×ܲ¿£©ÎªGRE over ipsec·þÎñÆ÷¶Ë£»
3¡¢ÅäÖÃrouteB£¨·ÖÖ§£©ÎªGRE over ipsec¿Í»§¶Ë£»
4¡¢Á½¶ËµÄ²ÎÊýÒª±£³ÖÒ»ÖÂ
GRE TunnelµÄËíµÀµÄÔ´Ä¿µÄµØÖ·ÒªÏ໥¶ÔÓ¦
ÈÏÖ¤·½Ê½£ºÔ¤¹²ÏíÃÜÔ¿£¬ÃÜԿΪruijie
IKEËã·¨£º3DES-MD5£¬DH2
IPSecÐÉ̽»»¥·½°¸£ºesp(3des-md5)
Îå¡¢ÅäÖò½Öè
WebÉÏ»¹²»Ö§³ÖGREËíµÀµÄÅäÖã¬Ö»ÄÜÔÚCLIÏÂÅäÖÃ
1.×ܲ¿
1)¡¢ÅäÖÃipsecµÚÒ»½×¶Î
crypto isakmp enable
crypto isakmp policy 1
encryption 3des
authentication pre-share
hash md5
group 2
2)¡¢ÅäÖÃÔ¤¹²ÏíÃÜÔ¿ºÍ±ä»»¼¯ºÏ
crypto isakmp key 0 ruijie address 192.168.33.235
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode transport
3)¡¢ÅäÖøÐÐËÁ÷
ip access-list extended 199
10 permit gre host 192.168.33.56 host 192.168.33.235
4)¡¢¶¨ÒåÒ»¸ö¼ÓÃÜÓ³É伯ºÏ
crypto map mymap 1 ipsec-isakmp
set peer 192.168.33.235
set transform-set myset
match address 199
5)¡¢ÔÚ½Ó¿ÚÉϵ÷ÓüÓÃÜͼ
interface GigabitEthernet 0/5
ip address 192.168.33.56 255.255.255.0
crypto map mymap
6)¡¢ÅäÖÃGREµÄTunnel½Ó¿Ú
interface tunnel 1
tunnel source 192.168.33.56
tunnel destination 192.168.33.235
ip address 2.2.2.1 255.255.255.0
7)¡¢ÅäÖ÷ÓÉ
ip route 192.168.1.0 255.255.255.0 tunnel 1
ip route 0.0.0.0 0.0.0.0 192.168.33.1 #192.168.33.1ΪÍâÍøÍø¹Ø
2.·ÖÖ§
1)¡¢ÅäÖÃipsecµÚÒ»½×¶Î
crypto isakmp policy 1
encryption 3des
authentication pre-share
hash md5
group 2
2)¡¢ÅäÖÃÔ¤¹²ÏíÃÜÔ¿ºÍ±ä»»¼¯ºÏ
crypto isakmp key 0 ruijie address 192.168.33.56
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode transport
3)¡¢ÅäÖøÐÐËÁ÷
ip access-list extended 199
10 permit gre host 192.168.33.235 host 192.168.33.56
4)¡¢¶¨Òå¼ÓÃÜÓ³Éä
crypto map mymap 1 ipsec-isakmp
set peer 192.168.33.56
set transform-set myset
match address 199
5)¡¢ÔÚ½Ó¿ÚÉϵ÷ÓüÓÃÜͼ
interface GigabitEthernet 0/5
ip address 192.168.33.235 255.255.255.0
crypto map mymap
6)¡¢ÅäÖÃGREµÄTunnel½Ó¿Ú
interface tunnel 1
tunnel source 192.168.33.235
tunnel destination 192.168.33.56
ip address 2.2.2.2 255.255.255.0
7)¡¢ÅäÖ÷ÓÉ
ip route 192.168.2.0 255.255.255.0 tunnel 1
ip route 0.0.0.0 0.0.0.0 192.168.33.1 #192.168.33.1ΪÍâÍøÍø¹Ø
Áù¡¢ÅäÖÃÑéÖ¤
1.²é¿´ipsec״̬
zongbu#show crypto state
destination source state st-id pa-st mapid mode ir lifetime
192.168.33.235 192.168.33.56 IKE_IDLE 1 0 1 9 1 85948
2.²é¿´ËíµÀÁ÷Á¿
zongbu#show crypto ipsec sa
Interface: Tunnel 1
Profile map tag:profile-map
==================================
sub_map type:profile, seqno:0, id=1
local ident (addr/mask/prot/port): (192.168.33.56/0.0.0.0/47/0))
remote ident (addr/mask/prot/port): (192.168.33.235/0.0.0.0/47/0))
PERMIT
#pkts encaps: 4861, #pkts encrypt: 4861, #pkts digest 4861
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 235, #recv errors 0
Inbound esp sas:
spi:0x34ef2301 (888087297)
transform: esp-3des esp-md5-hmac
in use settings={Transport Encaps,}
crypto map profile-map 0
sa timing: remaining key lifetime (k/sec): (4606445/3143)
IV size: 0 bytes
Replay detection support:Y
Outbound esp sas:
spi:0x10c2d27a (281203322)
transform: esp-3des esp-md5-hmac
in use settings={Transport Encaps,}
crypto map profile-map 0
sa timing: remaining key lifetime (k/sec): (4606445/3143)
IV size: 0 bytes
Replay detection support:Y