GRE over IPsec
传统的site-to-site IPsec VPN的缺陷之一在于它只允许通过IP unicast!!!!
要解决IPsec VPN通过multicast和broadcast可以使用GRE over IPsec!!!
192.168.1.0 Hub ---------------------------------------Spoken1 192.168.2.0
GRE over IPsec的配置有2种,方法一:
HUB得到配置:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 200.200.2.1
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto map mymap 10 ipsec-isakmp
set peer 200.200.2.1
set transform-set cisco
match address 100
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip unnumbered Serial0/0
tunnel source Serial0/0
tunnel destination 200.200.2.1
crypto map mymap (map一定要调用在tunnel口上)
!
interface Serial0/0
ip address 200.200.1.1 255.255.255.0
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 200.200.1.2
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Spoken1的配置与之类似就不多做介绍了,注意IP地址和ACL就可以了!!!!
做这个实验有个麻烦的地方,所谓的GRE over IPsec简单的说GRE提供隧道,IPsec对隧道进行保护,所以无论IPsec有没有问题,隧道都是通的,所以要看IPsec有没有起到保护隧道的作用看相关的SA建立起来没!!
Show crypto iskmp sa
Show crypto ipsec sa
方法2:
HUB的配置:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 200.200.2.1
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ccnp
set transform-set cisco
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip unnumbered Serial0/0
tunnel source Serial0/0
tunnel destination 200.200.2.1
tunnel protection ipsec profile ccnp
!
interface Serial0/0
ip address 200.200.1.1 255.255.255.0
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 200.200.1.2
ip route 192.168.2.0 255.255.255.0 Tunnel0
大家可以对比一下这2种配置的区别:方法一只有有流量需要保护才会建立SA,方法2没有流量也会建立SA !!!
而在GRE over IPsec里面IPsec使用trans模式,主要是为了节省20byte的IP包头,提高工作效率!!!
阅读(555) | 评论(0) | 转发(0) |
