Note: this is IPsec over GRE, not GRE over IPsec. Only selected traffic is encrypted and then carried inside the GRE tunnel; the GRE tunnel must be up first, and it is not the whole tunnel's traffic that gets encrypted.
Lab topology:
R2 configuration:
hostname R2
!
crypto isakmp policy 1
authentication pre-share //the authentication method here is a pre-shared key
crypto isakmp key fuck address 192.168.34.4 //configure the pre-shared key
!
crypto ipsec transform-set trans esp-des esp-sha-hmac
mode transport //configure transport mode
!
crypto map mm 10 ipsec-isakmp
set peer 192.168.24.4
set transform-set trans
match address toR4
!
interface Tunnel0
ip address 192.168.24.2 255.255.255.0
tunnel source Ethernet1/1
tunnel destination 192.168.34.4
crypto map mm
!
interface Ethernet1/0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet1/1
ip address 192.168.23.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.23.3
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended toR4
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
R4 configuration:
hostname R4
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key fuck address 192.168.23.2
!
crypto ipsec transform-set trans esp-des esp-sha-hmac
!
crypto map mm 10 ipsec-isakmp
set peer 192.168.24.2
set transform-set trans
match address toR2
!
interface Tunnel0
ip address 192.168.24.4 255.255.255.0
tunnel source Ethernet1/2
tunnel destination 192.168.23.2
crypto map mm
!
interface Ethernet1/2
ip address 192.168.34.4 255.255.255.0
!
interface Ethernet1/3
ip address 192.168.2.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.34.3
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip access-list extended toR2
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
IPsec is configured in transport mode here: since GRE already adds its own IP header outside the original packet, there is no need to encrypt the original header and add yet another new one, which saves the 20 bytes of IPsec (tunnel-mode outer) header.
Because the GRE tunnel comes up first, the following commands can be used to check whether the ISAKMP and IPsec security associations were established:
show crypto isakmp sa
show crypto ipsec sa
Finally, verify by pinging from the 192.168.2.0 network to the 192.168.1.0 network: the ISAKMP security association is seen to be established, and the ICMP packets are encrypted.
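The point of the note above is that the crypto map on Tunnel0 protects only what the crypto ACLs (toR4 on R2, toR2 on R4) match; everything else routed into the tunnel rides as plain GRE. The following Python is an added example, not part of the original lab notes: it models Cisco wildcard-mask matching for those two ACLs, classifies a few constructed sample flows, and checks that the two peers' ACLs are mirror images of each other (a mismatch there is a common reason the IPsec SA never comes up). It assumes the packet has already been routed into Tunnel0 and ignores routing entirely; function names such as `classify_flow` and `is_mirror` are this example's own.

```python
import ipaddress

# Constructed sample: the two crypto ACLs exactly as configured on R2 and R4,
# as (src, src_wildcard, dst, dst_wildcard) tuples in Cisco wildcard-mask form.
CRYPTO_ACL_R2 = [("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]  # toR4
CRYPTO_ACL_R4 = [("192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]  # toR2


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """True if any entry of the crypto ACL permits this src/dst pair."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def classify_flow(acl, src: str, dst: str) -> str:
    """What the crypto map on Tunnel0 does with a packet already routed into
    the tunnel on the router that holds `acl` (hypothetical helper)."""
    if acl_permits(acl, src, dst):
        return "ESP-protected, then GRE-encapsulated"
    return "plain GRE (crypto map does not match)"


def is_mirror(acl_a, acl_b) -> bool:
    """Crypto ACLs on the two peers must be mirror images: every (src,dst)
    entry on one side must appear as (dst,src) on the other, and nothing more."""
    def swapped(acl):
        return {(d, dw, s, sw) for s, sw, d, dw in acl}
    return swapped(acl_a) == set(acl_b) and swapped(acl_b) == set(acl_a)


if __name__ == "__main__":
    # Constructed sample flows; the first pair is the page's verification ping.
    flows = [
        (CRYPTO_ACL_R4, "192.168.2.20", "192.168.1.10"),   # LAN-to-LAN from R4 side
        (CRYPTO_ACL_R2, "192.168.1.10", "192.168.2.20"),   # LAN-to-LAN from R2 side
        (CRYPTO_ACL_R2, "192.168.1.10", "192.168.24.4"),   # to the far tunnel address
    ]
    for acl, src, dst in flows:
        print(f"{src} -> {dst}: {classify_flow(acl, src, dst)}")
    print("ACLs are mirror images:", is_mirror(CRYPTO_ACL_R2, CRYPTO_ACL_R4))
```

The third sample flow shows the point of the note: traffic to the tunnel endpoint itself is not matched by toR4, so it crosses the GRE tunnel unencrypted even though the crypto map is bound to Tunnel0.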