Let us start with the first variant, IPsec over GRE. The topology is as follows:

Configuration:

R1:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key root address 192.168.23.3
crypto ipsec transform-set r1set esp-3des esp-md5-hmac
crypto map r1map 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set r1set
 match address r1***
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Tunnel1
 ip address 172.16.13.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 192.168.23.3
 tunnel key 120314
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 half-duplex
 crypto map r1map
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 172.16.13.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip access-list extended r1***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

R2:

interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
interface Ethernet0/1
 ip address 192.168.23.2 255.255.255.0

R3:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key root address 192.168.12.1
crypto ipsec transform-set r3set esp-3des esp-md5-hmac
crypto map r3map 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set r3set
 match address r3***
interface Loopback0
 ip address 192.168.3.3 255.255.255.0
interface Tunnel3
 ip address 172.16.13.3 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 192.168.12.1
 tunnel key 120314
interface Ethernet0/1
 ip address 192.168.23.3 255.255.255.0
 half-duplex
 crypto map r3map
router ospf 100
 router-id 3.3.3.3
 log-adjacency-changes
 network 172.16.13.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.23.2
ip access-list extended r3***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Test:

Analysis: when 192.168.3.3 pings 192.168.1.1, the routing table is consulted first. The next hop toward 192.168.1.1 is Tunnel3, and since no crypto map is applied to Tunnel3, the packet is simply GRE-encapsulated: destination IP 192.168.12.1, source IP 192.168.23.3. The routing table is then consulted a second time; the GRE packet matches the default route and is sent out the directly connected interface E0/1. Although E0/1 has a crypto map applied, the source and destination IPs are now the GRE endpoints, which are not part of the interesting traffic defined in the ACL, so no ESP encapsulation takes place: the packet leaves completely unencrypted, and the *** plays no part in it at all.
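The decision path the analysis walks through, as an added Python model that is not part of the original post: a Cisco-style extended ACL is parsed, the ping from R3's loopback is GRE-encapsulated with the Tunnel3 endpoints as the outer header, and the crypto map on E0/1 evaluates its ACL against that outer header only, so the page's ACL never selects the packet. GRE_ACL is an assumed remedy (not on the page) showing what a crypto ACL on the physical interface would have to match in this design.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "gre", ...

@dataclass(frozen=True)
class AclEntry:
    proto: str          # "ip" in an extended ACL matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_acl(line: str) -> AclEntry:
    """Parse one 'permit <proto> <src> <wildcard>|host <a> <dst> <wildcard>|host <b>' line."""
    tok = line.split()
    if tok[0] != "permit":
        raise ValueError("only permit entries are modelled")
    nets, i = [], 2
    for _ in range(2):
        if tok[i] == "host":
            nets.append(ipaddress.IPv4Network(tok[i + 1] + "/32"))
        else:  # ipaddress accepts a Cisco wildcard (host mask) string as the mask
            nets.append(ipaddress.IPv4Network((tok[i], tok[i + 1])))
        i += 2
    return AclEntry(tok[1], nets[0], nets[1])

def matches(acl: AclEntry, pkt: Packet) -> bool:
    proto_ok = acl.proto in ("ip", pkt.proto)
    return (proto_ok and ipaddress.IPv4Address(pkt.src) in acl.src
            and ipaddress.IPv4Address(pkt.dst) in acl.dst)

def egress_via_physical(inner: Packet, tunnel_src: str, tunnel_dst: str, acl_line: str) -> str:
    """Inner packet is routed into the GRE tunnel; the crypto map on the physical
    interface then evaluates its ACL against the OUTER header only."""
    outer = Packet(tunnel_src, tunnel_dst, "gre")   # GRE header carries the tunnel endpoints
    return "esp" if matches(parse_acl(acl_line), outer) else "cleartext"

# Constructed sample: R3's loopback pinging R1's loopback through Tunnel3 (addresses from the page)
PING = Packet("192.168.3.3", "192.168.1.1", "icmp")
R3_TUNNEL = ("192.168.23.3", "192.168.12.1")            # tunnel source E0/1, tunnel destination
PAGE_ACL = "permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"
# Assumed remedy, not on the page: select the GRE flow between the tunnel endpoints instead
GRE_ACL = "permit gre host 192.168.23.3 host 192.168.12.1"
if __name__ == "__main__":
    print(egress_via_physical(PING, *R3_TUNNEL, PAGE_ACL))  # cleartext
    print(egress_via_physical(PING, *R3_TUNNEL, GRE_ACL))   # esp
```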