[CCNP Certification Lab 2] Configuring GRE Tunnels Over IPsec Site-to-Site With Preshare-key


2008-04-23 14:21:36
Tags: VPN, CCNP, lab, certification

Copyright notice: original work. Reposting is permitted, but the repost must cite the original source as a hyperlink, the author information and this notice; otherwise legal liability will be pursued. http://im9527.blog.51cto.com/61250/73113
This lab follows the lab topology published by 瑞工大.
 
The network topology is shown in the figure.
 
Lab objectives:
1. Learn how to configure IPsec transport mode with a pre-shared key together with a GRE tunnel.
2. Use the GRE tunnel to get around IPsec's limitation of carrying only IP unicast traffic.
3. IPsec tunnel mode would break the GRE header, so transport mode must be configured.
 
This lab uses routers R1, R5 and R2; R5 simulates the ISP.
 
Configuration:
 
R5:
interface Serial1/0
 ip address 202.1.1.2 255.255.255.252
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 ip address 202.2.2.2 255.255.255.252
 serial restart-delay 0
 clock rate 64000
!
 
R1:
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ciscovpn address 202.2.2.1
!
!
crypto ipsec transform-set VPN-R2 esp-des
 mode transport
!
crypto map GRE-R2 10 ipsec-isakmp
 set peer 202.2.2.1
 set transform-set VPN-R2
 match address 100
!
interface Tunnel1
 ip unnumbered Serial1/2
 tunnel source Serial1/2
 tunnel destination 202.2.2.1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex half
!
interface Serial1/2
 ip address 202.1.1.1 255.255.255.252
 serial restart-delay 0
 crypto map GRE-R2
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 ip address 10.1.1.11 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.1.1.2
ip route 192.168.2.0 255.255.255.0 Tunnel1
!
!
access-list 100 permit gre host 202.1.1.1 host 202.2.2.1
!
 
R2:
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ciscovpn address 202.1.1.1
!
!
crypto ipsec transform-set VPN-R1 esp-des
 mode transport
!
crypto map GRE-R1 10 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set VPN-R1
 match address 100
!
!
!
!
interface Tunnel1
 ip unnumbered Serial1/2
 tunnel source Serial1/2
 tunnel destination 202.1.1.1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex half
!
interface Serial1/2
 ip address 202.2.2.1 255.255.255.252
 serial restart-delay 0
 crypto map GRE-R1
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 ip address 10.1.1.12 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.2.2.2
ip route 192.168.1.0 255.255.255.0 Tunnel1
!
no ip http server
no ip http secure-server
!
!
access-list 100 permit gre host 202.2.2.1 host 202.1.1.1
!
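The two crypto configurations above only work if every peer reference on R1 is the mirror image of the one on R2: same pre-shared key, peer address equal to the other side's crypto-map interface address, same transport mode, and a crypto ACL that matches the GRE traffic from local to peer (which is why the IPsec SA identity in the debug output below shows protocol 47). The following added checker (not part of the original post; it uses a trimmed copy of R1's lines above and derives R2 by swapping addresses and names, exactly as the lab does) parses both sides and reports any mismatch:

```python
import re

# Trimmed copy of R1's VPN-related configuration from the lab above.
R1 = """crypto isakmp key ciscovpn address 202.2.2.1
crypto ipsec transform-set VPN-R2 esp-des
 mode transport
crypto map GRE-R2 10 ipsec-isakmp
 set peer 202.2.2.1
 match address 100
interface Tunnel1
 tunnel destination 202.2.2.1
interface Serial1/2
 ip address 202.1.1.1 255.255.255.252
 crypto map GRE-R2
access-list 100 permit gre host 202.1.1.1 host 202.2.2.1"""
# R2 in the lab is the exact mirror image: swap the two peer addresses and the R1/R2 names.
R2 = R1.replace("202.2.2.1", "@").replace("202.1.1.1", "202.2.2.1").replace("@", "202.1.1.1").replace("R2", "R1")

def parse(cfg):
    """Extract the fields that must agree between the two peers from one IOS config."""
    d, ip = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            d["psk"], d["psk_peer"] = m.groups()
        elif m := re.match(r" (mode|set peer|tunnel destination) (\S+)", line):
            d[m.group(1)] = m.group(2)      # leading space: sub-command of a map/interface
        elif m := re.match(r" ip address (\S+)", line):
            ip = m.group(1)                 # remember the current interface address
        elif line.startswith(" crypto map"):
            d["local"] = ip                 # the interface carrying the crypto map
        elif m := re.match(r"access-list \d+ permit (\S+) host (\S+) host (\S+)", line):
            d["acl"] = m.groups()           # (protocol, source, destination)
    return d

def check(r1, r2):
    """Return a list of mismatches; an empty list means the peers are consistent."""
    problems = []
    for name, side, other in (("R1", r1, r2), ("R2", r2, r1)):
        if side["psk"] != other["psk"]:
            problems.append(f"{name}: pre-shared key differs from peer")
        if side["mode"] != other["mode"]:
            problems.append(f"{name}: mode {side['mode']} but peer uses {other['mode']}")
        for f in ("psk_peer", "set peer", "tunnel destination"):
            if side[f] != other["local"]:   # every peer reference must be the other crypto-map address
                problems.append(f"{name}: {f} {side[f]} != {other['local']}")
        if side["acl"] != ("gre", side["local"], other["local"]):
            problems.append(f"{name}: crypto ACL {side['acl']} is not 'gre local -> peer'")
    return problems
```

`check(parse(R1), parse(R2))` returns an empty list for the lab configuration; a typo in one pre-shared key, a `mode tunnel` on one side, or a wrong tunnel destination shows up as a named problem instead of a silently failing ISAKMP negotiation.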
 
Debugging:
R1#sh crypto isakmp policy 
 
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
 
R1#sh crypto ipsec sa
 
interface: Serial1/2
    Crypto map tag: GRE-R2, local addr 202.1.1.1
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.2.2.1/255.255.255.255/47/0)
   current_peer 202.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.2.2.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x6616BAE8(1712765672)
 
     inbound esp sas:
      spi: 0x94F0A49D(2498798749)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: SW:3, crypto map: GRE-R2
        sa timing: remaining key lifetime (k/sec): (4530748/986)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x6616BAE8(1712765672)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: SW:4, crypto map: GRE-R2
        sa timing: remaining key lifetime (k/sec): (4530748/984)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas:
R1#

This article is from the “永不停息的脚步” blog; please keep this source reference: http://im9527.blog.51cto.com/61250/73113


Attachment download:
  topo




Comments
 
2008-04-23 15:00:41
Nice lab; it would be even better with a bit more explanation.

2008-06-17 12:51:22
Why not apply the crypto map to the Tunnel interface instead?
