注意:这里是IPSec over GRE,而不是GRE over IPSec,仅仅是将某些经过加密的流量放到GRE中去跑,首先GRE隧道必须UP,而不是对整个隧道的流量进行加密

试验拓扑:

IPSec over GRE(CISCO命令)_休闲

R2配置:

 

hostname R2

!

crypto isakmp policy 1

 authentication pre-share   //这里的认证方式使用的是预共享密钥

crypto isakmp key fuck address 192.168.34.4  //配置预共享密钥

!

crypto ipsec transform-set trans esp-des esp-sha-hmac

 mode transport   //配置为传输模式

!

crypto map mm 10 ipsec-isakmp

 set peer 192.168.24.4

 set transform-set trans

 match address toR4

!

interface Tunnel0

 ip address 192.168.24.2 255.255.255.0

 tunnel source Ethernet1/1

 tunnel destination 192.168.34.4

 crypto map mm

!

interface Ethernet1/0

 ip address 192.168.1.254 255.255.255.0

!

interface Ethernet1/1

 ip address 192.168.23.2 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.23.3

ip route 192.168.2.0 255.255.255.0 Tunnel0

!

ip access-list extended toR4

 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

 

 

R4配置:

 

hostname R4

!

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key fuck address 192.168.23.2

!

crypto ipsec transform-set trans esp-des esp-sha-hmac

!        

crypto map mm 10 ipsec-isakmp

 set peer 192.168.24.2

 set transform-set trans

 match address toR2

!

interface Tunnel0

 ip address 192.168.24.4 255.255.255.0

 tunnel source Ethernet1/2

 tunnel destination 192.168.23.2

 crypto map mm

!

interface Ethernet1/2

 ip address 192.168.34.4 255.255.255.0

!

interface Ethernet1/3

 ip address 192.168.2.254 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.34.3

ip route 192.168.1.0 255.255.255.0 Tunnel0

!

ip access-list extended toR2

 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

 

 

这里IPsec配置为传输模式,由于GRE会在原始数据包的外面加个自己的IP包头,所以也就没必要再去加密原包头并添加新包头了,这样可以节省20bytes的IPSec包头 

由于GRE隧道是先UP的,所以可以使用下面命令查看isakmp和IPSec安全联结有没有建立成功:

Show crypto isakmp sa

Show crypto ipsec sa

 

最后进行验证,从192.168.2.0网段去ping192.168.1.0网段,可以成功看到ISAKMP 安全联结建立成功,并且ICMP数据包已经成功被加密

IPSec over GRE(CISCO命令)_GRE_02