拓扑:

R1:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key root address 3.3.3.3
!
!
crypto ipsec transform-set r1set esp-3des esp-md5-hmac
!
crypto map r1map local-address Loopback1
crypto map r1map 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set r1set
 match address r1***
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.13.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.23.3
 tunnel key 120314
 crypto map r1map
!
interface Serial0/0
 ip address 192.168.12.1 255.255.255.0
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!        
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 172.16.13.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
!
!
!
ip access-list extended r1***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

R2:

interface Serial0/0
 ip address 192.168.12.2 255.255.255.0
 serial restart-delay 0
!
interface Serial0/1
 ip address 192.168.23.2 255.255.255.0
 serial restart-delay 0

R3:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key root address 1.1.1.1
!
!
crypto ipsec transform-set r3set esp-3des esp-md5-hmac
!
crypto map r3map local-address Loopback1
crypto map r3map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set r3set
 match address r3***
!
!
!
!
interface Loopback0
 ip address 192.168.3.3 255.255.255.0
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.0
!
interface Tunnel1
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/1
 tunnel destination 192.168.12.1
 tunnel key 120314
 crypto map r3map
!
interface Serial0/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/1
 ip address 192.168.23.3 255.255.255.0
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!        
router ospf 100
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 172.16.13.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
!
!
!
ip access-list extended r3***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

测试:

 

分析:

从R1 PING R3 目的IP:192.168.3.3 源IP:192.168.1.1,查路由表

 

下一跳是TUNNEL1 并且满足tunnel1的感兴趣流,封装ESP 目的IP :3.3.3.3 源IP:1.1.1.1,继续查路由表,下一跳还是TUNNEL1 但是这是已经不满足感兴趣流了,于是封装GRE ,目的IP:192.168.23.3 源IP :192.168.12.1 然后从S0/0发出,这才是真真的IPSEC OVER GRE,但是这种模式在实际生产环境中用的很少,原因是不安全。