CCNP(ISCW)实验：用命令行配置GRE OVER IPSEC VPN

CCNP(ISCW)实验：用命令行配置GRE OVER IPSEC VPN

R3(config)#int tunnel 1R3(config-if)#ip add 10.0.0.2 255.255.255.252R3(config-if)#tu so f0/1R3(config-if)#tu de 12.0.0.1//上面三行分别是：

定义tunnel的ip地址 定义隧道的源地址，可以写接口 定义隧道的目标地址

第三步：配置路由协议R3(config)#ip route 0.0.0.0 0.0.0.0 f0/1R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0

R1(config)#router ei 1R1(config-router)#no auR1(config-router)#net 129.168.1.1R1(config-router)#net 10.0.0.0

R3(config)#router ei 1R3(config-router)#no auR3(config-router)#net 10.0.0.0R3(config-router)#net 172.16.1.1//R2 为ISP不能运行路由协议，这是因为运营商不可能将大量的路由信息转发到本地路由

第四步：配置IPSEC VPNR1(config)#crypto isakmp enable R1(config)#crypto isakmp key 6 ccie address 23.0.0.3

R1(config)#crypto isakmp policy 10R1(config-isakmp)#authentication pre-share R1(config-isakmp)#encryption 3des R1(config-isakmp)#group 2R1(config-isakmp)#hash md5

R1(config)#crypto ipsec transform-set r1 esp-3des esp-sha-hmac R1(cfg-crypto-trans)#mode transport

R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 R1(config)#int tunnel 1R1(config-if)#crypto map libo1

R1(config)#crypto map libo1 1 ipsec-isakmp R1(config-crypto-map)#set peer 23.0.0.3R1(config-crypto-map)#set transform-set r1R1(config-crypto-map)#match add 100//以上步骤为IPSEC VPN的全部过程

R2上的配置与之对应

第五步：测试R1#ping 172.16.1.1 so 192.168.1.1 repeat 20

Type escape sequence to abort.Sending 20, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:Packet sent with a source address of 192.168.1.1 .!!!!!!!!!!!!!!!!!!!Success rate is 95 percent (19/20), round-trip min/avg/max = 12/55/148 ms//这里通了19个包，我们猜想会用19个包加密

R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt1 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 02 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 02001 Tunnel1 12.0.0.1 set 3DES+SHA 19 02002 Tunnel1 12.0.0.1 set 3DES+SHA 0 19

//这里看到有19个包加密

第六步：为了使公司内部的 pc有一个良好的上网环境，我们组R1与R3做PATR1(config)#access-list 111 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255R1(config)#access-list 111 permit ip 192.168.1.0 0.0.0.255 any

R3(config)#access-list 111 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255R3(config)#access-list 111 permit ip 172.16.1.0 0.0.0.255 any

R1(config)#ip nat inside source list 111 interface f0/0 overload//这里注意的是，出接口要在f0/0

第七步：定义inside和outside接口R1(config)#int f0/1R1(config-if)#ip nat inside R1(config-if)#int f0/0R1(config-if)#ip nat outside

第八步：综合测试包括PAT和VPN

先测试PATpc1#ping 2.2.2.2

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:!!!!! //ping正常Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/92 mspc1#2.2.2.2Trying 2.2.2.2 ... Open

R2#exi //这里显示成功

[Connection to 2.2.2.2 closed by foreign host]

R1#sh ip nat translations Pro Inside global Inside local Outside local Outside globalicmp 12.0.0.1:1 192.168.1.2:1 2.2.2.2:1 2.2.2.2:1tcp 12.0.0.1:11000 192.168.1.2:11000 2.2.2.2:23 2.2.2.2:23//这里表明pat成功

再测试GRE OVER IPSEC VPNpc1#ping 172.16.1.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 108/143/204 ms

R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt2 Tunnel1 10.0.0.1 set HMAC_MD5+3DES_56_C 0 02001 Tunnel1 12.0.0.1 set 3DES+SHA 24 02002 Tunnel1 12.0.0.1 set 3DES+SHA 0 24//加上上面19个一共为24个包被加密

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。