gre_over_ipsec_gre

R1's configuration is as follows:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key cisco address 202.102.1.2
!
!
crypto ipsec transform-set benet-set esp-des esp-sha-hmac
!
crypto map benet-map 1 ipsec-isakmp
 set peer 202.102.1.2
 set transform-set benet-set
 match address 100
!
!
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.102.1.2
!

Conditions for Tunnel0 to be up: the routing table has a route to the tunnel destination, Tunnel0 itself has a source and a destination configured, and the source and destination are reachable.

interface Ethernet0/1
 ip address 202.102.1.1 255.255.255.0
 half-duplex
 crypto map benet-map
!
!
router rip
 version 2
 network 1.0.0.0
 network 2.0.0.0
 network 3.0.0.0
 network 123.0.0.0
 no auto-summary
!

The network statements must advertise the Tunnel0 IP and the internal network IPs; never advertise the physical interface's IP (otherwise the route to the tunnel destination can be learned through the tunnel itself, and the tunnel goes down because of recursive routing).

ip classless
ip route 0.0.0.0 0.0.0.0 202.102.1.2
ip http server
!
access-list 100 permit gre host 202.102.1.1 host 202.102.1.2
!

This encrypts the GRE traffic between 202.102.1.1 and 202.102.1.2, so the routing protocol traffic carried inside the tunnel is encrypted as well.
The crypto map must be applied to the physical interface; applying it to Tunnel0 here would have no effect.
The peer is the physical interface address, and all traffic that passes through Tunnel0 is encrypted and decrypted automatically, including the routing protocol.

r1#show crypto ipsec sa

interface: Ethernet0/1
    Crypto map tag: benet-map, local addr. 202.102.1.1

local  ident (addr/mask/prot/port): (202.102.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.102.1.2/255.255.255.255/47/0)
current_peer: 202.102.1.2
  PERMIT, flags={origin_is_acl,parent_is_transport,}
 #pkts encaps: 50, #pkts encrypt: 50, #pkts digest 50
 #pkts decaps: 51, #pkts decrypt: 51, #pkts verify 51
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
 #send errors 1, #recv errors 0

  local crypto endpt.: 202.102.1.1, remote crypto endpt.: 202.102.1.2
  path mtu 1500, ip mtu 1500, ip mtu interface Ethernet0/1
  current outbound spi: A531DDF7

  inbound esp sas:
   spi: 0x677E1AFE(1736317694)
     transform: esp-des esp-sha-hmac ,
     in use settings ={Tunnel, }
     slot: 0, conn id: 2000, flow_id: 1, crypto map: benet-map
     sa timing: remaining key lifetime (k/sec): (4607991/2594)
     IV size: 8 bytes
     replay detection support: Y

Transport mode can be used here (both sides must configure it). Changing the mode does not take effect immediately; you need to run clear crypto sa (on both sides).

r1#clear crypto sa
r1#clear crypto sa

r1#show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: benet-map, local addr. 202.102.1.1

local  ident (addr/mask/prot/port): (202.102.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.102.1.2/255.255.255.255/47/0)
current_peer: 202.102.1.2
  PERMIT, flags={origin_is_acl,transport_parent,parent_is_transport,}
 #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
 #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
 #send errors 1, #recv errors 0

  local crypto endpt.: 202.102.1.1, remote crypto endpt.: 202.102.1.2
  path mtu 1500, ip mtu 1500, ip mtu interface Ethernet0/1
  current outbound spi: 1BFA91B5

  inbound esp sas:
   spi: 0x13845588(327439752)
     transform: esp-des esp-sha-hmac ,
     in use settings ={Transport, }
     slot: 0, conn id: 2000, flow_id: 1, crypto map: benet-map
     sa timing: remaining key lifetime (k/sec): (4607999/3455)
     IV size: 8 bytes
     replay detection support: Y
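The two show crypto ipsec sa outputs above (before and after the switch to transport mode) are the evidence that the SA actually does what the lab intends. As an added Python example that is not part of the original lab note, the script below parses that text and checks the points a practitioner would verify: the mode in use matches what was configured, the selector is GRE-only between the two host addresses (protocol 47, as access-list 100 requires), anti-replay is on, the transform does not use single DES, and the encrypt/decrypt counters are moving between two samples. The sample text is trimmed from the page's own outputs; the finding codes and the weak-transform list are this example's own assumptions.

```python
"""
Added example, not part of the original lab note: parse the 'show crypto
ipsec sa' text from this page and check the SA against the lab's intent.
Sample text is trimmed from the page's two outputs; finding codes and the
WEAK_TRANSFORMS set are this example's own choices.
"""
import re

# Trimmed copy of the first output on the page (ESP tunnel mode).
SAMPLE_TUNNEL = """\
local  ident (addr/mask/prot/port): (202.102.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.102.1.2/255.255.255.255/47/0)
 #pkts encaps: 50, #pkts encrypt: 50, #pkts digest 50
 #pkts decaps: 51, #pkts decrypt: 51, #pkts verify 51
  current outbound spi: A531DDF7
     transform: esp-des esp-sha-hmac ,
     in use settings ={Tunnel, }
     replay detection support: Y
"""

# Trimmed copy of the second output, after 'mode transport' and clear crypto sa.
SAMPLE_TRANSPORT = """\
local  ident (addr/mask/prot/port): (202.102.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.102.1.2/255.255.255.255/47/0)
 #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
 #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
  current outbound spi: 1BFA91B5
     transform: esp-des esp-sha-hmac ,
     in use settings ={Transport, }
     replay detection support: Y
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([^/\s]+)/([^/\s]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")
MODE_RE = re.compile(r"in use settings =\{(\w+), \}")
SPI_RE = re.compile(r"current outbound spi: ([0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform: (.+?) ,")
REPLAY_RE = re.compile(r"replay detection support: (\w)")

GRE_PROTOCOL = 47             # what access-list 100 on the page selects
HOST_MASK = "255.255.255.255"  # host-to-host selector, as on the page
WEAK_TRANSFORMS = {"esp-des", "esp-null"}  # single DES / no encryption


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def parse_ipsec_sa(text: str) -> dict:
    """Pull the fields the checks below need out of one SA's text."""
    sa = {"ident": {}, "pkts": {}}
    for side, addr, mask, proto, port in IDENT_RE.findall(text):
        sa["ident"][side] = {"addr": addr, "mask": mask,
                             "proto": int(proto), "port": int(port)}
    for name, count in COUNTER_RE.findall(text):
        sa["pkts"][name] = int(count)
    sa["mode"] = _first(MODE_RE, text)
    sa["spi"] = _first(SPI_RE, text)
    sa["transform"] = (_first(TRANSFORM_RE, text) or "").split()
    sa["replay"] = _first(REPLAY_RE, text) == "Y"
    return sa


def counters_advancing(current: dict, previous: dict) -> bool:
    """True when traffic was protected since the previous sample. A counter
    that dropped but is non-zero means the SA was rebuilt (clear crypto sa or
    a rekey) and has carried traffic since; equal or zero means nothing."""
    for key in ("encrypt", "decrypt"):
        cur, prev = current.get(key, 0), previous.get(key, 0)
        if cur == prev or cur == 0:
            return False
    return True


def check_sa(sa: dict, expected_mode: str, previous_pkts: dict = None) -> list:
    """Return finding codes; an empty list means the SA matches the lab's intent."""
    findings = []
    if sa["mode"] != expected_mode:
        findings.append("mode-mismatch")
    for side in ("local", "remote"):
        ident = sa["ident"].get(side)
        if ident is None or ident["proto"] != GRE_PROTOCOL or ident["mask"] != HOST_MASK:
            findings.append("selector-not-gre-host")
            break
    if not sa["replay"]:
        findings.append("replay-off")
    if any(t in WEAK_TRANSFORMS for t in sa["transform"]):
        findings.append("weak-transform")
    if previous_pkts is not None and not counters_advancing(sa["pkts"], previous_pkts):
        findings.append("no-traffic")
    return findings


if __name__ == "__main__":
    before = parse_ipsec_sa(SAMPLE_TUNNEL)
    after = parse_ipsec_sa(SAMPLE_TRANSPORT)
    print("tunnel SA   ", before["spi"], check_sa(before, "Tunnel"))
    print("transport SA", after["spi"], check_sa(after, "Transport", before["pkts"]))
```

Run against the page's outputs, both SAs come back with a single finding, weak-transform, because esp-des is single DES; everything else (GRE-only host selector, anti-replay, the expected mode, counters that moved after the rebuild) checks out. The counter check deliberately treats a drop from 50 to 3 as a rebuilt SA rather than missing traffic, which is exactly what clear crypto sa produces; without that case the script would raise a false alarm right after the mode change.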

r1#show crypto engine connections active

Whatever follows "over" is on the outside: in GRE over IPsec, IPsec is the outer layer and GRE (with everything it carries) is inside it.
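The layering rule just stated, together with the tunnel-versus-transport change earlier on the page, as an added Python example that is not part of the original lab note: it lists the headers outermost-first for GRE over IPsec in ESP tunnel and ESP transport mode and computes the on-the-wire size for the page's transform set (esp-des esp-sha-hmac). Header sizes are the standard IPv4, GRE and ESP values (the 8-byte IV matches the "IV size: 8 bytes" in the show output); the inner packet length is a constructed sample. IOS selects transport mode with mode transport under the transform set, a command the page does not show.

```python
"""
Added example, not part of the original lab note: the header layering of
GRE over IPsec in ESP tunnel and ESP transport mode, and the resulting size
on the wire for the transform set used on the page (esp-des esp-sha-hmac).
Header sizes are the standard IPv4/GRE/ESP values; the inner packet length
passed to wire_size() is a constructed sample, not a value from the page.
"""

IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # GRE header without checksum, key or sequence fields
ESP_HDR = 8       # ESP: SPI (4) + sequence number (4)
ESP_IV = 8        # DES-CBC IV, the "IV size: 8 bytes" in the show output
ESP_BLOCK = 8     # DES-CBC block size; ESP pads the plaintext to this
ESP_TRAILER = 2   # ESP trailer: pad length (1) + next header (1)
ESP_ICV = 12      # esp-sha-hmac integrity value (HMAC-SHA1 truncated to 96 bits)


def layers(mode: str) -> list:
    """Headers outermost first. 'over' names the outside: ESP always sits
    outside GRE, and only tunnel mode adds a second IP header."""
    if mode == "tunnel":
        return ["outer IP", "ESP", "delivery IP", "GRE", "inner IP", "payload"]
    if mode == "transport":
        return ["delivery IP", "ESP", "GRE", "inner IP", "payload"]
    raise ValueError(f"unknown ESP mode: {mode}")


def esp_padded_len(plaintext_len: int) -> int:
    """Plaintext plus ESP trailer, rounded up to the cipher block size."""
    unpadded = plaintext_len + ESP_TRAILER
    return -(-unpadded // ESP_BLOCK) * ESP_BLOCK


def wire_size(inner_len: int, mode: str) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    if mode == "transport":
        # ESP protects GRE and its payload; the delivery IP header stays outside.
        protected = GRE_HDR + inner_len
    elif mode == "tunnel":
        # ESP protects the whole delivery IP/GRE packet and adds a new outer IP header.
        protected = IP_HDR + GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown ESP mode: {mode}")
    return IP_HDR + ESP_HDR + ESP_IV + esp_padded_len(protected) + ESP_ICV


def transport_saving(inner_len: int) -> int:
    """Bytes saved by transport mode: the 20-byte IP header, give or take padding."""
    return wire_size(inner_len, "tunnel") - wire_size(inner_len, "transport")


def protected_headers(mode: str) -> list:
    """Everything ESP encrypts in the given mode: GRE and what it carries
    (the RIP updates on the page included), plus the delivery IP header in
    tunnel mode."""
    stack = layers(mode)
    return stack[stack.index("ESP") + 1:]


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9s} {' / '.join(layers(mode))}")
        print(f"          100-byte inner packet -> {wire_size(100, mode)} bytes on the wire")
    print("transport mode saves", transport_saving(100), "bytes for a 100-byte inner packet")
```

Two things fall out of the model. The routing protocol is encrypted in both modes because the RIP packets ride inside GRE, and GRE sits inside ESP whichever mode is chosen. Transport mode saves the second IP header, nominally 20 bytes, but after padding to the 8-byte DES block the saving is 16 or 24 bytes depending on the inner packet length; the crypto ACL can stay as it is, since both modes still select GRE between the two physical addresses.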