运维开发网

CCNP(ISCW)实验:用命令行配置GRE OVER IPSEC ***

运维开发网 https://www.qedev.com 2021-01-18 10:22 出处:51CTO 作者:starshomes
用命令行配置GRE OVER IPSEC ***

CCNP(ISCW)实验:用命令行配置GRE OVER IPSEC ***

第一步:配置基本路由:见图

第二步:配置tunnel

R1(config)#interface tunnel 1

R1(config-if)#ip add 10.0.0.1 255.255.255.252

R1(config-if)#tu so f0/0

R1(config-if)#tu destination 23.0.0.3

R3(config)#int tunnel 1

R3(config-if)#ip add 10.0.0.2 255.255.255.252

R3(config-if)#tu so f0/1

R3(config-if)#tu de 12.0.0.1

//上面三行分别是:

  1. 定义tunnel的ip地址
  2. 定义隧道的源地址,可以写接口
  3. 定义隧道的目标地址

第三步:配置路由协议

R3(config)#ip route 0.0.0.0 0.0.0.0 f0/1

R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0

R1(config)#router ei 1

R1(config-router)#no au

R1(config-router)#net 129.168.1.1

R1(config-router)#net 10.0.0.0

R3(config)#router ei 1

R3(config-router)#no au

R3(config-router)#net 10.0.0.0

R3(config-router)#net 172.16.1.1

//R2 为ISP不能运行路由协议,这是因为运营商不可能将大量的路由信息转发到本地路由

第四步:配置IPSEC ***

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp key 6 ccie address 23.0.0.3

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#group 2

R1(config-isakmp)#hash md5

R1(config)#crypto ipsec transform-set r1 esp-3des esp-sha-hmac

R1(cfg-crypto-trans)#mode transport

R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

R1(config)#int tunnel 1

R1(config-if)#crypto map libo1

R1(config)#crypto map libo1 1 ipsec-isakmp

R1(config-crypto-map)#set peer 23.0.0.3

R1(config-crypto-map)#set transform-set r1

R1(config-crypto-map)#match add 100

//以上步骤为IPSEC ***的全部过程

R2上的配置与之对应

第五步:测试

R1#ping 172.16.1.1 so 192.168.1.1 repeat 20

Type escape sequence to abort.

Sending 20, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.!!!!!!!!!!!!!!!!!!!

Success rate is 95 percent (19/20), round-trip min/avg/max = 12/55/148 ms

//这里通了19个包,我们猜想会用19个包加密

R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 0

2 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 0

2001 Tunnel1 12.0.0.1 set 3DES+SHA 19 0

2002 Tunnel1 12.0.0.1 set 3DES+SHA 0 19

//这里看到有19个包加密

第六步:为了使公司内部的 pc有一个良好的上网环境,我们组R1与R3做PAT

R1(config)#access-list 111 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

R1(config)#access-list 111 permit ip 192.168.1.0 0.0.0.255 any

R3(config)#access-list 111 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

R3(config)#access-list 111 permit ip 172.16.1.0 0.0.0.255 any

R1(config)#ip nat inside source list 111 interface f0/0 overload

//这里注意的是,出接口要在f0/0

第七步:定义inside和outside接口

R1(config)#int f0/1

R1(config-if)#ip nat inside

R1(config-if)#int f0/0

R1(config-if)#ip nat outside

第八步:综合测试包括PAT和***

  1. 先测试PAT

    pc1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!! //ping正常

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/92 ms

pc1#2.2.2.2

Trying 2.2.2.2 ... Open

R2#exi //这里显示成功

[Connection to 2.2.2.2 closed by foreign host]

R1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 12.0.0.1:1 192.168.1.2:1 2.2.2.2:1 2.2.2.2:1

tcp 12.0.0.1:11000 192.168.1.2:11000 2.2.2.2:23 2.2.2.2:23

//这里表明pat成功

  1. 再测试GRE OVER IPSEC ***

    pc1#ping 172.16.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 108/143/204 ms

R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

2 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 0

2001 Tunnel1 12.0.0.1 set 3DES+SHA 24 0

2002 Tunnel1 12.0.0.1 set 3DES+SHA 0 24

//加上上面19个一共为24个包被加密

扫码领视频副本.gif

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号