GRE over IPSec-×××_over

r1#sho run
!
hostname r1
 
!
crypto isakmp policy 1 (everything in the ISAKMP policy must match on both ends)
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ccie address 23.1.1.2 (the ISAKMP key must match on both ends)
!        
!
crypto ipsec transform-set ccnp ah-md5-hmac esp-3des (the transform set's transforms must match on both ends)
!
crypto map ccna 1 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set ccnp
 match address 100
!
!
interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.2
!
!
interface Serial1/1
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map ccna
!
interface Serial1/2
 ip address 10.1.1.2 255.255.255.0 (local interface)
 serial restart-delay 0
!
!        
router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial1/1 (points to the ISP)
!
access-list 100 permit gre 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
!
End
Locally referenced names are only locally significant; they have nothing to do with the peer.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1# sho crypto isakmp sa ?
 active   Shows HA-enabled ISAKMP SAs in the active state
 detail   Show ISAKMP SA Detail
 nat      Show ISAKMP SA NAT Detail
 standby Shows HA-enabled ISAKMP SAs in the standby state
 vrf      Show ISAKMP SA as per VRF
 |        Output modifiers
 <cr>
 
r1# sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
23.1.1.2        12.1.1.1        QM_IDLE           1001    0 ACTIVE
 
IPv6 Crypto ISAKMP SA
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1#sho cry ipsec sa
 
interface: Serial1/1
    Crypto map tag: ccna, local addr 12.1.1.1
 
   protected vrf: (none)
   local ident (addr/mask/prot/port): (12.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/47/0)
   current_peer 23.1.1.2 port 500
     PERMIT, flags={}
    #pkts encaps: 372, #pkts encrypt: 372, #pkts digest: 372
    #pkts decaps: 373, #pkts decrypt: 373, #pkts verify: 373
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
 
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
     current outbound spi: 0xC451511D(3293663517)
 
     inbound esp sas:
      spi: 0x89203D0C(2300591372)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: ccna
        sa timing: remaining key lifetime (k/sec): (4474150/1968)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
      spi: 0x7A63559A(2053330330)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: ccna
        sa timing: remaining key lifetime (k/sec): (4474150/1967)
        replay detection support: Y
        Status: ACTIVE
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0xC451511D(3293663517)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: ccna
        sa timing: remaining key lifetime (k/sec): (4474150/1967)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
      spi: 0x6AA0C97F(1788922239)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: ccna
        sa timing: remaining key lifetime (k/sec): (4474150/1966)
        replay detection support: Y
        Status: ACTIVE
 
     outbound pcp sas:
 
   protected vrf: (none)
   local ident (addr/mask/prot/port): (12.1.1.0/255.255.255.0/47/0)
   remote ident (addr/mask/prot/port): (23.1.1.0/255.255.255.0/47/0)
   current_peer 23.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
     current outbound spi: 0x0(0)
 
     inbound esp sas:
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
 
     outbound ah sas:
 
     outbound pcp sas:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1# sho crypto session
Crypto session current status
 
Interface: Serial1/1
Session status: UP-ACTIVE    
Peer: 23.1.1.2 port 500
 IKE SA: local 12.1.1.1/500 remote 23.1.1.2/500 Active
 IPSEC FLOW: permit 47 host 12.1.1.1 host 23.1.1.2
        Active SAs: 4, origin: crypto map
 IPSEC FLOW: permit 47 12.1.1.0/255.255.255.0 23.1.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1#sho crypto isakmp policy
 
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method: Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r1#sho crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
 
default      23.1.1.2                                    ccie
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
 
internet#sho run
 
hostname internet
!
!
interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 23.1.1.1 255.255.255.0
 serial restart-delay 0
!
End
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
r2#sho run
!
hostname r2
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ccie address 12.1.1.1
!         
!
crypto ipsec transform-set ccnp ah-md5-hmac esp-3des
!
crypto map ccna 1 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set ccnp
 match address 100
!
!
interface Tunnel1
 ip address 1.1.1.2 255.255.255.0
 tunnel source 23.1.1.2
 tunnel destination 12.1.1.1
!
!
interface Serial1/0
 ip address 23.1.1.2 255.255.255.0
 serial restart-delay 0
 crypto map ccna
!
interface Serial1/1
 ip address 192.168.1.1 255.255.255.0
 serial restart-delay 0
!
!        
router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
access-list 100 permit gre host 23.1.1.2 host 12.1.1.1
!
End
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
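The annotations on r1 say which settings must agree with the peer (ISAKMP policy, pre-shared key, transforms) and that names are only locally significant. The following added example, which is not part of the original page, checks exactly that for two configs and also checks that the crypto ACLs mirror each other. The function names are hypothetical, and it assumes one ISAKMP policy per device and that every access-list line in the input is a crypto ACL. Run on this page's configs it reports that access-list 100 is not mirrored: r1 matches the /24 networks while r2 matches the two hosts.

```python
# Constructed input: the crypto-relevant lines of the r1 and r2 configs on this page.
COMMON = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ccnp ah-md5-hmac esp-3des
"""
R1 = COMMON + """crypto isakmp key ccie address 23.1.1.2
access-list 100 permit gre 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
"""
R2 = COMMON + """crypto isakmp key ccie address 12.1.1.1
access-list 100 permit gre host 23.1.1.2 host 12.1.1.1
"""

def endpoints(tokens):
    """Normalize 'host A' and 'A wildcard' to (addr, wildcard) pairs."""
    it = iter(tokens)
    return [(next(it), "0.0.0.0") if tok == "host" else (tok, next(it)) for tok in it]

def parse(cfg):
    """Keep only what must agree with the peer; local names and peer addresses are dropped."""
    out = {"policy": set(), "psk": None, "transforms": set(), "acl": []}
    in_policy = False
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if line[0] == " ":                       # sub-command of the current block
            if in_policy:
                out["policy"].add(" ".join(t))
            continue
        in_policy = t[:3] == ["crypto", "isakmp", "policy"]
        if t[:3] == ["crypto", "isakmp", "key"]:
            out["psk"] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transforms"] = set(t[4:])       # t[3] is the locally significant name
        elif t[0] == "access-list" and t[2] == "permit":
            out["acl"].append((t[3], *endpoints(t[4:])))
    return out

def compare(a, b):
    """Return the names of the settings on which two peers disagree."""
    pa, pb = parse(a), parse(b)
    bad = [k for k in ("policy", "psk", "transforms") if pa[k] != pb[k]]
    # The crypto ACLs must mirror each other: same protocol, source and destination swapped.
    if pa["acl"] != [(proto, dst, src) for proto, src, dst in pb["acl"]]:
        bad.append("acl-not-mirrored")
    return bad
```
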