IPSec over GRE

Note: this is IPSec over GRE, not GRE over IPSec. Only selected, already-encrypted traffic is carried inside the GRE tunnel; the GRE tunnel must be up first, and the tunnel's traffic as a whole is not encrypted.

Lab topology:

(figure: IPSec over GRE_IPSec)

R2 configuration:

hostname R2
!
crypto isakmp policy 1
 authentication pre-share   //authentication uses a pre-shared key
crypto isakmp key fuck address 192.168.34.4  //the pre-shared key, bound to the peer's address
!
crypto ipsec transform-set trans esp-des esp-sha-hmac
 mode transport   //transport mode (the IOS default is tunnel mode)
!
crypto map mm 10 ipsec-isakmp
 set peer 192.168.34.4
 set transform-set trans
 match address toR4
!
interface Tunnel0
 ip address 192.168.24.2 255.255.255.0
 tunnel source Ethernet1/1
 tunnel destination 192.168.34.4
 crypto map mm
!
interface Ethernet1/0
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet1/1
 ip address 192.168.23.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.23.3
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended toR4
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!


R4 configuration:

hostname R4
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key fuck address 192.168.23.2
!
crypto ipsec transform-set trans esp-des esp-sha-hmac   //no "mode transport" line here, so IOS defaults this side to tunnel mode; the mode should match R2
!
crypto map mm 10 ipsec-isakmp
 set peer 192.168.23.2
 set transform-set trans
 match address toR2
!
interface Tunnel0
 ip address 192.168.24.4 255.255.255.0
 tunnel source Ethernet1/2
 tunnel destination 192.168.23.2
 crypto map mm
!
interface Ethernet1/2
 ip address 192.168.34.4 255.255.255.0
!
interface Ethernet1/3
 ip address 192.168.2.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.34.3
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip access-list extended toR2
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

IPsec is configured in transport mode here. Because GRE already adds its own outer IP header to the original packet, there is no need for IPsec to encrypt the original IP header and prepend a new one, which saves the 20-byte IP header that tunnel-mode IPsec would add.

Because the GRE tunnel comes up first, the following commands can then be used to check whether the ISAKMP and IPsec security associations have been established:
show crypto isakmp sa
show crypto ipsec sa

Finally, verify by pinging from the 192.168.2.0 network to the 192.168.1.0 network: the ISAKMP security association is seen to come up, and the ICMP packets are encrypted.

(figure: IPSec over GRE_IPSec_02)