1: Configure IPsec

! Define the interesting-traffic IP; a custom loopback interface is used for it here
interface Loopback20
 ip vrf forwarding vrf--GRE-Over-Ipsec
 ip address 10.220.1.1 255.255.255.255
 
! The egress interface sits in a VRF, so the keyring carries that VRF
crypto keyring kr--VPN vrf vrf--A-Exit
 ! Define the remote ID and the pre-shared key
 pre-shared-key hostname BT key 5hoicgomsOgurkI
 
! Phase 1 encryption settings
crypto isakmp policy 1
  ! Uses 3DES and MD5
  encr 3des
  authentication pre-share
  group 2 
  lifetime 28800
 
crypto isakmp profile cp---BT
   vrf vrf--1000001-GRE-Over-Ipsec
   keyring kr--VPN
   match identity host BT  vrf--A-Exit 
   keepalive 20 retry 5
   initiate mode aggressive
 
! Phase 2 encryption settings
crypto ipsec transform-set ts--VPN esp-3des esp-sha-hmac
 mode transport
 
! Define the interesting traffic that matches the remote end
ip access-list extended al--BT
  permit ip any host 10.220.1.41
 
! The route to the peer's interesting-traffic IP goes out through the public-network egress
ip route vrf vrf--GRE-Over-Ipsec 10.220.1.41 255.255.255.255 GigabitEthernet0/1.21 119.135.X.X
 
! Define the map
crypto dynamic-map dm--BT 10
 set security-association lifetime seconds 28800
 set transform-set ts--VPN
 set pfs group2
 set isakmp-profile cp---BT
 match address al--BT
 
crypto map cm--VPN-EFLY 10 ipsec-isakmp dynamic dm--BT
 
2: Apply IPsec on the public-network interface:
 
interface GigabitEthernet0/1.21
 ip vrf forwarding vrf--A-Exit 
 ip address 119.135.X.X 255.255.255.240
 ! Apply the map defined above to the interface
 crypto map cm--VPN-EFLY
 
3: GRE configuration
interface Tunnel10162
ip address 10.220.8.225 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1300
load-interval 30
tunnel source 10.220.1.1
tunnel destination 10.220.1.41
tunnel vrf  vrf--GRE-Over-Ipsec 
 
This establishes GRE over IPsec with a MikroTik device. For the MikroTik-side configuration, see my other article: https://blog.51cto.com/u_13839549/2944861
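
The Phase 1 and Phase 2 parameters above (3DES, DH group 2, aggressive mode) are worth checking before this configuration is reused. The following is an added example, not part of the original article: a small audit that flags such settings in IOS-style configuration text. The rule list and the `audit` function name are assumptions of this example, and the sample input is constructed from the crypto lines on this page.

```python
import re

# Constructed sample: the crypto-relevant lines of the configuration on this page.
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp profile cp---BT
 keyring kr--VPN
 initiate mode aggressive
crypto ipsec transform-set ts--VPN esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map dm--BT 10
 set transform-set ts--VPN
 set pfs group2
"""

# (pattern, finding) pairs. Which settings count as weak is this example's
# assumption: DES/3DES, MD5, DH groups 1/2/5, IKEv1 aggressive mode.
RULES = [
    (r"^encr(yption)? (des|3des)\b", "weak IKE cipher"),
    (r"^hash md5\b", "MD5 as IKE hash"),
    (r"^group (1|2|5)$", "small IKE DH group"),
    (r"^initiate mode aggressive\b", "IKEv1 aggressive mode"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des|md5-hmac)\b",
     "weak ESP transform"),
    (r"^set pfs group(1|2|5)$", "small PFS DH group"),
]

def audit(config):
    """Return (line_number, section, finding) for each weak crypto setting."""
    findings, section = [], ""
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.split("//")[0].strip()  # tolerate inline // annotations
        if not line or line.startswith("!"):  # skip blanks and ! comments
            continue
        if not raw[0].isspace():  # unindented line opens a new section
            section = line
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((number, section, finding))
    return findings

if __name__ == "__main__":
    for number, section, finding in audit(SAMPLE):
        print(f"line {number}: {finding} (in '{section}')")
```

Any replacement values have to be changed on both peers, since the IKE and ESP proposals must match for the tunnel to come up.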