2013-07-02 12:09:30
Compared with a plain IPsec configuration, little changes here, but GRE can carry broadcast and multicast traffic.
R1 configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 211.1.1.2
!
!
crypto ipsec transform-set esp-tunnel esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 211.1.1.2
 set transform-set esp-tunnel
 match address router1
!
!
!
!
interface Tunnel0
 ip unnumbered FastEthernet0/1
 tunnel source 211.1.1.1
 tunnel destination 211.1.1.2
!
interface FastEthernet0/0
 ip address 211.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!
!
ip access-list extended router1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit gre host 211.1.1.1 host 211.1.1.2
!
R2 configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 211.1.1.1
!
!
crypto ipsec transform-set esp-tunnel esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 211.1.1.1
 set transform-set esp-tunnel
 match address router2
!
!
!
!
interface Tunnel0
 ip unnumbered FastEthernet0/1
 tunnel source 211.1.1.2
 tunnel destination 211.1.1.1
!
interface FastEthernet0/0
 ip address 211.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
!
ip access-list extended router2
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit gre host 211.1.1.2 host 211.1.1.1
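
An added example (not part of the original post): a short Python audit over the crypto-relevant lines of the R1 configuration above. It checks that the crypto ACL matches GRE between the tunnel endpoints and lists the legacy parameters the configuration uses. The `WEAK` list, the 16-character key threshold and the names `audit` and `R1_CONFIG` are assumptions of this example.

```python
import re

# Constructed sample: the crypto-relevant lines of the R1 configuration above.
R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 211.1.1.2
crypto ipsec transform-set esp-tunnel esp-3des esp-md5-hmac
 mode transport
crypto map vpn 10 ipsec-isakmp
 set peer 211.1.1.2
 match address router1
interface Tunnel0
 tunnel source 211.1.1.1
 tunnel destination 211.1.1.2
ip access-list extended router1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit gre host 211.1.1.1 host 211.1.1.2
"""

# Assumption of this example: parameters treated as legacy/weak.
WEAK = {"encr 3des": "IKE encryption 3DES", "hash md5": "IKE hash MD5",
        "group 2": "DH group 2 (1024-bit)", "esp-3des": "ESP 3DES",
        "esp-md5-hmac": "ESP HMAC-MD5"}

def audit(config):
    """Return a sorted list of findings for one router's configuration."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    findings = set()
    for line in lines:
        for token, label in WEAK.items():
            if re.search(r"(^|\s)" + re.escape(token) + r"(\s|$)", line):
                findings.add("weak: " + label)
        # Assumes the plain "crypto isakmp key <key> address <peer>" form used on the page.
        if line.startswith("crypto isakmp key "):
            key = line.split()[3]
            if len(key) < 16:
                findings.add("weak: pre-shared key shorter than 16 characters")
    src = next((l.split()[2] for l in lines if l.startswith("tunnel source ")), None)
    dst = next((l.split()[2] for l in lines if l.startswith("tunnel destination ")), None)
    if f"permit gre host {src} host {dst}" not in lines:
        findings.add("crypto ACL does not match GRE between the tunnel endpoints")
    return sorted(findings)
```

Calling `audit(R1_CONFIG)` returns six `weak:` findings and no ACL finding, because the `permit gre` entry covers the tunnel endpoints.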