无聊之余研究了下GRE over IPsec,由于IPsec ×××不支持路由协议,所以只能通过GRE封装后才能走路由协议,配置如下:
本地端配置
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key cisco address 118.21.31.2 255.255.255.252
!
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 118.21.31.2
set transform-set ccsp
match address 110
!
!
!
!
interface Tunnel1
ip address 12.12.12.1 255.255.255.252
tunnel source 215.123.2.2
tunnel destination 118.21.31.2
!
interface FastEthernet0/0
ip address 215.123.2.2 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1/0
ip address 10.11.100.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 10.11.100.0 0.0.0.255 area 0
network 12.12.12.0 0.0.0.3 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 215.123.2.1
!
!
access-list 110 permit gre host 215.123.2.2 host 118.21.31.2
对端配置
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key cisco address 215.123.2.2 255.255.255.252
!
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 215.123.2.2
set transform-set ccsp
match address 110
!
!
!
!
interface Tunnel1
ip address 12.12.12.2 255.255.255.252
tunnel source 118.21.31.2
tunnel destination 215.123.2.2
!
interface FastEthernet0/0
ip address 118.21.31.2 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1/0
ip address 10.100.200.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 10.100.200.0 0.0.0.255 area 0
network 12.12.12.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 118.21.31.1
!
!
access-list 110 permit gre host 118.21.31.2 host 215.123.2.2
