CCNP實(shí)驗(yàn)：GRE隧道流量的IPSEC加密由于IPSEC只支持對(duì)單播流量的加密，所以我們使用GRE隧道可以將播送、組播包封裝在一個(gè)單播包中，再用IPSEC進(jìn)展加密。

在進(jìn)展IPSEC配置前應(yīng)首先配置好GRE隧道，下面是R1上的GRE隧道配置：

R1：

interfacetunnel0

ipaddress192.168.3.1255.255.255.0

tunnelsources1/1

tunneldestination192.1.1.20

exit

interfaces1/1

ipaddress192.1.1.40255.255.255.0

ipaccess-groupperimeterin

exit

interfacelo0

ipaddress192.168.1.1255.255.255.0

exit

iproute0.0.0.00.0.0.0192.1.1.20

!在這里我將總公司內(nèi)部的骨干網(wǎng)絡(luò)設(shè)為Area0,隧道局部和分公司內(nèi)部網(wǎng)絡(luò)設(shè)為Area1

routerospf1

network192.168.1.00.0.0.255area0

network192.168.3.00.0.0.255area1

exit

ipaccess-listextendedperimeter

permitudphost192.1.1.20host192.1.1.40eq500

permitesphost193.1.1.20host192.1.1.40

permitgrehost193.1.1.20host192.1.1.40

denyipanyany

exit

R2：

interfacetunnel0

ipaddress192.168.3.2255.255.255.0

tunnelsources1/0

tunneldestination192.1.1.40

exit

interfaces1/0

ipaddress192.1.1.20255.255.255.0

ipaccess-groupperimeterin

exit

interfacelo0

ipaddress192.168.2.1255.255.255.0

exit

iproute0.0.0.00.0.0.0192.1.1.40

routerospf1

network192.168.2.00.0.0.255area1

network192.168.3.00.0.0.255area1

exit

ipaccess-listextendedperimeter

permitudphost192.1.1.40host192.1.1.20eq500

permitesphost192.1.1.40host192.1.1.20

permitgrehost192.1.1.40host192.1.1.20

denyipanyany

exit

GRE隧道建立好后，就可以進(jìn)展IPSEC配置了：

R1上的配置：

cryptoisakmpenable

cryptoisakmpidentityaddress

cryptoisakmppolicy10

encryptionaes

authenticationpre-share

group2

hashsha

exit

cryptoisakmpkeycisco123address192.1.1.20no-xauth

!IPSEC只對(duì)進(jìn)入GRE隧道的流量進(jìn)展加密

ipaccess-listextendedToR2

permitgrehost192.1.1.40host192.1.1.20

exit

!這里的GRE隧道是點(diǎn)對(duì)點(diǎn)模式的，所以傳輸集應(yīng)使用傳輸模式

cryptoipsectransform-settransesp-aesesp-sha-hmac

modetransport

exit

cryptomapmymap10ipsec-isakmp

matchaddressToR2

settransform-settrans

setpeer192.1.1.20

exit

interfaces1/1

cryptomapmymap

exit

!最終別遺忘刪除測(cè)試隧道時(shí)建立的流量：

ipaccess-listextendedperimeter

nopermitgrehost192.1.1.20host192.1.1.40

R2上的配置：

cryptoisakmpenable

cryptoisakmpidentityaddress

cryptoisakmppolicy10

encryptionaes

authenticationpre-share

group2

hashsha

exit

cryptoisakmpkeycisco123address192.1.1.40no-xauth

ipaccess-listextendedToR1

permitgrehost192.1.1.20host192.1.1.40

exit

cryptoipsectransform-settransesp-aesesp-sha-hmac

modetransport

exit

cryptomapmymap10ipsec-isakmp

matchaddressToR1

settransform-settrans

setpeer192.1.1.40

exit

interfaces1/0

cryptomapmymap

exit

ipaccess-listextendedperimeter

nopermitgrehost192.1.1.40host192.1.1.20

測(cè)試試驗(yàn)結(jié)果：

r1#shiproute

Codes:C-connected,S-static,R-RIP,M-mobile,B-BGP

D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea

N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2

E1-OSPFexternaltype1,E2-OSPFexternaltype2

i-IS-IS,su-IS-ISsummary,L1-IS-ISlevel-1,L2-IS-ISlevel-2

ia-IS-ISinterarea,*-candidatedefault,U-per-userstaticroute

o-ODR,P-periodicdownloadedstaticroute

Gatewayoflastresortis192.1.1.20tonetwork0.0.0.0

C192.1.1.0/24isdirectlyconnected,Serial1/1

C192.168.1.0/24isdirectlyconnected,Loopback0

192.168.2.0/32issubnetted,1subnets

O192.168.2.1[110/11112]via192.168.3.2,00:00:17,Tunnel0

C192.168.3.0/24isdirectlyconnected,Tunnel0

S*0.0.0.0/0[1/0]via192.1.1.20

R1上pingPC2:

r1#ping192.168.2.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto192.168.2.1,timeoutis2seconds:

!!!!!

Successrateis100percent(5/5),round-tripmin/avg/max=36/56/84ms

PC1上pingPC2:

r1#ping192.168.2.1sourcelo0

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto192.168.2.1,timeoutis