R1
interface tunnel 0
tunnel source serial0/0/0
tunnel destination 61.0.0.4
ip address 172.16.14.1 255.255.255.0
tunnel key 123456
exit
ip route 0.0.0.0 0.0.0.0 serial
router eigrp 1
no auto-summary
network 172.16.1.1 0.0.0.0
network 172.16.14.1 0.0.0.0
passive-interface fastethernet 0/0
crypto isakmp policy 10
encryption aes
authentication pre-share
hash sha
group 5
lifetime 1800
crypto isakmp key cisco address 61.0.0.4
crypto ipsec transform-set TRAN esp-aes esp-sha-hmac
mode transport
ip access-list extended ×××
permit gre host 202.96.134.1 host 61.0.0.4
crypto map MAP 10 ipsec-isakmp
set peer 61.0.0.4
set transform-set TRAN
set pfs group 5
match address ×××
interface serial0/0/0
crypto map MAP
interface serial 0/0/0
ip nat outside
interface f0/0
ip nat inside
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 100 interface serial0/0/0 overload
R2
ip route 61.0.0.0 255.255.255.0 serial 0/0/1
R3
ip route 202.96.134.0 255.255.255.0 serial0/0/1
R4
interface tunnel 0
tunnel source serial 0/0/0
tunnel destination 202.96.134.1
ip address 172.16.14.4 255.255.255.0
tunnel key 123456
exit
ip route 0.0.0.0 0.0.0.0 serial 0/0/0
router eigrp 1
no auto-summary
network 172.16.4.4 0.0.0.0
network 172.16.14.4 0.0.0.0
passive-interface fastethernet 0/0
crypto isakmp policy 10
encryption aes
authentication pre-share
hash sha
group 5
lifetime 1800
crypto isakmp key cisco address 202.96.134.1
crypto ipsec transform-set TRAN esp-aes esp-sha-hmac
mode transport
ip access-list extended ×××
permit gre host 61.0.0.4 host 202.96.134.1
crypto map MAP 10 ipsec-isakmp
set peer 202.96.134.1
set transform-set TRAN
set pfs group 5
reverse-route static
match address ×××
interface serial0/0/0
crypto map MAP
interface serial0/0/0
ip nat outside
interface f0/0
ip nat inside
access-list 100 deny ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.4.0 0.0.0.255 any
ip nat inside source list 100 interface serial0/0/0 overload
Lab verification and debugging
R1
show crypto ipsec transform-set
show crypto ipsec sa