GRE over IPSec-×××
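Original
© Copyright belongs to the author: this is an original work by 51CTO blog author foryouslg. To reprint it, please contact the author; otherwise legal liability will be pursued.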
r1#sho run
!
hostname r1
!
crypto isakmp policy 1 (everything set in the isakmp policy must match on both ends)
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ccie address 23.1.1.2 (the isakmp key must match on both ends)
!
!
crypto ipsec transform-set ccnp ah-md5-hmac esp-3des (the transform set must match on both ends)
!
crypto map ccna 1 ipsec-isakmp
set peer 23.1.1.2
set transform-set ccnp
match address 100
!
!
interface Tunnel1
ip address 1.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.2
!
!
interface Serial1/1
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
crypto map ccna
!
interface Serial1/2
ip address 10.1.1.2 255.255.255.0 (local interface)
serial restart-delay 0
!
!
router eigrp 1
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial1/1 (points to the ISP)
!
access-list 100 permit gre 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
!
End
Names that are referenced locally are only locally significant and have nothing to do with the peer.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1# sho crypto isakmp sa ?
active Shows HA-enabled ISAKMP SAs in the active state
detail Show ISAKMP SA Detail
nat Show ISAKMP SA NAT Detail
standby Shows HA-enabled ISAKMP SAs in the standby state
vrf Show ISAKMP SA as per VRF
| Output modifiers
<cr>
r1# sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
23.1.1.2 12.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1#sho cry ipsec sa
interface: Serial1/1
Crypto map tag: ccna, local addr 12.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (12.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/47/0)
current_peer 23.1.1.2 port 500
PERMIT, flags={}
#pkts encaps: 372, #pkts encrypt: 372, #pkts digest: 372
#pkts decaps: 373, #pkts decrypt: 373, #pkts verify: 373
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0xC451511D(3293663517)
inbound esp sas:
spi: 0x89203D0C(2300591372)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: ccna
sa timing: remaining key lifetime (k/sec): (4474150/1968)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0x7A63559A(2053330330)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: ccna
sa timing: remaining key lifetime (k/sec): (4474150/1967)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0xC451511D(3293663517)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: ccna
sa timing: remaining key lifetime (k/sec): (4474150/1967)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0x6AA0C97F(1788922239)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: ccna
sa timing: remaining key lifetime (k/sec): (4474150/1966)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (12.1.1.0/255.255.255.0/47/0)
remote ident (addr/mask/prot/port): (23.1.1.0/255.255.255.0/47/0)
current_peer 23.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1# sho crypto session
Crypto session current status
Interface: Serial1/1
Session status: UP-ACTIVE
Peer: 23.1.1.2 port 500
IKE SA: local 12.1.1.1/500 remote 23.1.1.2/500 Active
IPSEC FLOW: permit 47 host 12.1.1.1 host 23.1.1.2
Active SAs: 4, origin: crypto map
IPSEC FLOW: permit 47 12.1.1.0/255.255.255.0 23.1.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1#sho crypto isakmp key
Keyring Hostname/Address Preshared Key
default 23.1.1.2 ccie
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
internet#sho run
hostname internet
!
!
interface Serial1/0
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 23.1.1.1 255.255.255.0
serial restart-delay 0
!
End
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r2#sho run
!
hostname r2
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ccie address 12.1.1.1
!
!
crypto ipsec transform-set ccnp ah-md5-hmac esp-3des
!
crypto map ccna 1 ipsec-isakmp
set peer 12.1.1.1
set transform-set ccnp
match address 100
!
!
interface Tunnel1
ip address 1.1.1.2 255.255.255.0
tunnel source 23.1.1.2
tunnel destination 12.1.1.1
!
!
interface Serial1/0
ip address 23.1.1.2 255.255.255.0
serial restart-delay 0
crypto map ccna
!
interface Serial1/1
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
!
!
router eigrp 1
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
access-list 100 permit gre host 23.1.1.2 host 12.1.1.1
!
End
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
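The inline notes in r1's configuration say the ISAKMP policy, the pre-shared key and the transform set must match on both ends. The Python sketch below is an added example, not part of the original post: it checks those three items on constructed excerpts of the r1 and r2 configurations above and, going one step beyond the notes, also checks that the crypto ACLs are mirror images of each other. The function names and issue labels are assumptions made for illustration.

```python
import re

# Constructed excerpts of the r1 and r2 configurations shown on this page.
COMMON = """crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set ccnp ah-md5-hmac esp-3des
"""
R1 = COMMON + """crypto isakmp key ccie address 23.1.1.2
access-list 100 permit gre 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255"""
R2 = COMMON + """crypto isakmp key ccie address 12.1.1.1
access-list 100 permit gre host 23.1.1.2 host 12.1.1.1"""

ENDPOINT = r"(host \S+|\S+ \S+)"  # "host A" or "A wildcard"

def norm(ep):
    """Normalise an ACL endpoint to an (address, wildcard) pair."""
    a, b = ep.split()
    return (b, "0.0.0.0") if a == "host" else (a, b)

def parse(cfg):
    """Extract the settings that have to agree between the two peers."""
    out = {"isakmp-policy": {}, "acl": []}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"(encr|hash|authentication|group) (\S+)$", line):
            out["isakmp-policy"][m[1]] = m[2]
        elif m := re.match(r"crypto isakmp key (\S+) address", line):
            out["pre-shared-key"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            out["transform-set"] = frozenset(m[1].split())
        elif m := re.match(rf"access-list \d+ permit (\S+) {ENDPOINT} {ENDPOINT}$", line):
            out["acl"].append((m[1], norm(m[2]), norm(m[3])))
    return out

def compare(local, remote):
    """Return labels for every setting that does not line up between peers."""
    a, b = parse(local), parse(remote)
    issues = [k for k in ("isakmp-policy", "pre-shared-key", "transform-set")
              if a.get(k) != b.get(k)]
    mirrored = [(proto, dst, src) for proto, src, dst in b["acl"]]
    if sorted(a["acl"]) != sorted(mirrored):
        issues.append("acl-not-mirrored")
    return issues

if __name__ == "__main__":
    print(compare(R1, R2))
```

On the page's configurations this reports `acl-not-mirrored`: r1 matches GRE between the two /24 networks while r2 matches host to host, which is consistent with the two separate IPSEC FLOW entries in the `sho crypto session` output above.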