《[gre] ccnp实验:gre隧道流量的ipsec加密》由会员分享,可在线阅读,更多相关《[gre] ccnp实验:gre隧道流量的ipsec加密(6页珍藏版)》请在金锄头文库上搜索。
1、由于 IPSEC 只支持对单播流量的加密,所以我们使用 GRE 隧道可以将广播、组播包封装在一个单播包中,再用 IPSEC 进行加密。在进行 IPSEC 配置前应首先配置好 GRE 隧道,下面是 R1 上的 GRE 隧道配置:R1:interface tunnel0ip address 192.168.3.1 255.255.255.0tunnel source s1/1tunnel destination 192.1.1.20exitinterface s1/1 ip address 192.1.1.40 255.255.255.0ip access-group perimeter inex
2、itinterface lo0ip address 192.168.1.1 255.255.255.0exitip route 0.0.0.0 0.0.0.0 192.1.1.20!在这里我将总公司内部的骨干网络设为 Area0,隧道部分和分公司内部网络设为 Area1router ospf 1network 192.168.1.0 0.0.0.255 area 0network 192.168.3.0 0.0.0.255 area 1exitip access-list extended perimeterpermit udp host 192.1.1.20 host 192.1.1.40
3、eq 500permit esp host 193.1.1.20 host 192.1.1.40 permit gre host 193.1.1.20 host 192.1.1.40deny ip any anyexitR2:interface tunnel0ip address 192.168.3.2 255.255.255.0tunnel source s1/0tunnel destination 192.1.1.40exitinterface s1/0 ip address 192.1.1.20 255.255.255.0ip access-group perimeter inexiti
4、nterface lo0ip address 192.168.2.1 255.255.255.0exitip route 0.0.0.0 0.0.0.0 192.1.1.40router ospf 1network 192.168.2.0 0.0.0.255 area 1network 192.168.3.0 0.0.0.255 area 1exitip access-list extended perimeterpermit udp host 192.1.1.40 host 192.1.1.20 eq 500permit esp host 192.1.1.40 host 192.1.1.20
5、 permit gre host 192.1.1.40 host 192.1.1.20deny ip any anyexit GRE 隧道建立好后,就可以进行 IPSEC 配置了:R1 上的配置:crypto isakmp enablecrypto isakmp identity addresscrypto isakmp policy 10encryption aesauthentication pre-sharegroup 2hash shaexitcrypto isakmp key cisco123 address 192.1.1.20 no-xauth!IPSEC 只对进入 GRE 隧道
6、的流量进行加密ip access-list extended ToR2permit gre host 192.1.1.40 host 192.1.1.20exit!这里的 GRE 隧道是点对点模式的,所以传输集应使用传输模式crypto ipsec transform-set trans esp-aes esp-sha-hmacmode transportexitcrypto map mymap 10 ipsec-isakmp match address ToR2set transform-set transset peer 192.1.1.20exitinterface s1/1crypto
7、 map mymapexit!最后别忘记删除测试隧道时建立的流量:ip access-list extended perimeterno permit gre host 192.1.1.20 host 192.1.1.40R2 上的配置:crypto isakmp enablecrypto isakmp identity addresscrypto isakmp policy 10encryption aesauthentication pre-sharegroup 2hash shaexitcrypto isakmp key cisco123 address 192.1.1.40 no-xa
8、uthip access-list extended ToR1permit gre host 192.1.1.20 host 192.1.1.40exitcrypto ipsec transform-set trans esp-aes esp-sha-hmacmode transportexitcrypto map mymap 10 ipsec-isakmp match address ToR1set transform-set transset peer 192.1.1.40exitinterface s1/0crypto map mymapexitip access-list extend
9、ed perimeterno permit gre host 192.1.1.40 host 192.1.1.20测试实验结果:r1#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OS
10、PF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is 192.1.1.20 to network 0.0.0.0C 192.1.1.0/24 is directly connected, Seri
11、al1/1C 192.168.1.0/24 is directly connected, Loopback0192.168.2.0/32 is subnetted, 1 subnetsO 192.168.2.1 110/11112 via 192.168.3.2, 00:00:17, Tunnel0C 192.168.3.0/24 is directly connected, Tunnel0S* 0.0.0.0/0 1/0 via 192.1.1.20R1 上 ping PC2:r1#ping 192.168.2.1Type escape sequence to abort.Sending 5
12、, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:!Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/84 msPC1 上 ping PC2:r1#ping 192.168.2.1 source lo0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:Packet sent with a source address of 192.168.1.1 !Success rate is 100 percent (5/5), round-trip min/avg/max = 36/55/104 ms可以看到不管是从 PC1 到 PC2 的流量还是 R1 到 PC2 的流量,只要通过隧道,都会被 IPSEC 封装加密,所以都能 PING 通 PC2
