GRE over IPsec Lab
Configuration outline:

1. Create the IKE proposal
[ar1]ike proposal 1
[ar1-ike-proposal-1]encryption-algorithm 3des-cbc
[ar1-ike-proposal-1]authentication-algorithm md5 // default
[ar1-ike-proposal-1]authentication-method pre-share // default, can be omitted (authentication method)

2. Configure the IKE peer
[ar1]ike peer R3 v2 // peer R3
[ar1-ike-peer-R3]pre-shared-key simple test // pre-shared key: test
[ar1-ike-peer-R3]ike-proposal 1 // reference the IKE proposal

3. Configure the IPsec proposal
[ar1]ipsec proposal 1
[ar1-ipsec-proposal-1]transform esp // encapsulation protocol: esp
[ar1-ipsec-proposal-1]esp authentication-algorithm md5 // default (authentication type)
[ar1-ipsec-proposal-1]esp encryption-algorithm 3des // encryption type

4. Configure the IPsec profile
[ar1]ipsec profile
  STRING<1-12>  Profile name, up to 12 characters
[ar1]ipsec profile gre // create a profile named gre
[ar1-ipsec-profile-gre]proposal 1 // reference the security proposal
[ar1-ipsec-profile-gre]ike-peer R3 // bind the IKE peer

5. Protect the GRE tunnel (note: in this mode, never configure gre key)
[ar1]interface Tunnel 0/0/0
[ar1-Tunnel0/0/0]ip add 10.1.1.1 24
[ar1-Tunnel0/0/0]tunnel-protocol gre
[ar1-Tunnel0/0/0]source 200.1.12.1
[ar1-Tunnel0/0/0]destination 200.1.23.3
[ar1-Tunnel0/0/0]ipsec profile gre // apply the profile gre check; configuring keepalive is also recommended)

6. Configure routing (either a dynamic routing protocol or static routes pointing at the tunnel)
[ar1]rip
[ar1-rip-1]version 2
[ar1-rip-1]undo summary
[ar1-rip-1]network 192.168.1.0
[ar1-rip-1]network 10.0.0.0

R3 is configured the same way.

Test: pc1 and pc2 can ping each other.
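An added example, not part of the original lab: a small Python check that reads a command transcript in the lab's `[view]command //comment` format and flags what a reviewer would question before reusing it outside a lab. It reports MD5 and DES/3DES in the proposals, a pre-shared key entered with `simple` (plaintext in the configuration), and the `gre key` conflict the lab warns about. The `audit` function, the `WEAK_ALGS` list and the sample lines (including `gre key 123`) are constructed for illustration.

```python
import re

# Constructed sample in the lab's transcript format; "gre key 123" is added to show the conflict.
SAMPLE = """\
[ar1]ike proposal 1
[ar1-ike-proposal-1]encryption-algorithm 3des-cbc
[ar1-ike-proposal-1]authentication-algorithm md5 //default
[ar1]ike peer R3 v2
[ar1-ike-peer-R3]pre-shared-key simple test
[ar1]ipsec proposal 1
[ar1-ipsec-proposal-1]esp authentication-algorithm md5
[ar1-ipsec-proposal-1]esp encryption-algorithm 3des
[ar1]interface Tunnel 0/0/0
[ar1-Tunnel0/0/0]tunnel-protocol gre
[ar1-Tunnel0/0/0]gre key 123
[ar1-Tunnel0/0/0]ipsec profile gre
"""

WEAK_ALGS = {"des", "des-cbc", "3des", "3des-cbc", "md5"}   # assumption: this audit's own list
PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\](?P<rest>.*)$")  # "[view]command"
ALG = re.compile(r"(encryption|authentication)-algorithm\s+(\S+)")

def audit(transcript):
    """Return (view, command, finding) tuples for risky lines."""
    findings = []
    tunnel_cmds = {}                       # tunnel view -> commands entered in it
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                       # help output, blank lines, prose
        view = m.group("view")
        cmd = m.group("rest").split("//", 1)[0].strip()   # drop trailing comment
        alg = ALG.search(cmd)
        if "-proposal-" in view and alg and alg.group(2) in WEAK_ALGS:
            findings.append((view, cmd, "deprecated algorithm " + alg.group(2)))
        if "ike-peer" in view and cmd.startswith("pre-shared-key simple"):
            findings.append((view, cmd, "pre-shared key kept in plaintext"))
        if "Tunnel" in view:
            tunnel_cmds.setdefault(view, []).append(cmd)
    for view, cmds in tunnel_cmds.items():  # gre key only matters with an IPsec profile
        has_profile = any(c.startswith("ipsec profile") for c in cmds)
        for c in cmds:
            if has_profile and c.startswith("gre key"):
                findings.append((view, c, "gre key set on an IPsec-profile tunnel"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(*f, sep=" | ")
```

Run against the lab's own commands, the algorithm and pre-shared-key findings still appear; only the `gre key` finding comes from the constructed line.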