GRE隧道流量的IPSEC加密

由于IPSEC只支持对单播流量的加密，所以我们使用GRE隧道可以将广播、组播包封装在一个单播包中，再用IPSEC进行加密。在进行IPSEC配置前应首先配置好GRE隧道，下面是R1上的GRE隧道配置：R1：interfacetunnel0ipaddress192.168.3.1255.255.255.0tunnelsources1/1tunneldestination192.1.1.20exitinterfaces1/1ipaddress192.1.1.40255.255.255.0ipaccess-groupperimeterinexitinterfacelo0ipaddress192.168.1.1255.255.255.0exitiproute0.0.0.00.0.0.0192.1.1.20!在这里我将总公司内部的骨干网络设为Area0,隧道部分和分公司内部网络设为Area1routerospf1network192.168.1.00.0.0.255area0network192.168.3.00.0.0.255area1exitipaccess-listextendedperimeterpermitudphost192.1.1.20host192.1.1.40eq500permitesphost192.1.1.20host192.1.1.40permitgrehost192.1.1.20host192.1.1.40denyipanyanyexitR2：interfacetunnel0ipaddress192.168.3.2255.255.255.0tunnelsources1/0tunneldestination192.1.1.40exitinterfaces1/0ipaddress192.1.1.20255.255.255.0ipaccess-groupperimeterinexitinterfacelo0ipaddress192.168.2.1255.255.255.0exitiproute0.0.0.00.0.0.0192.1.1.40routerospf1network192.168.2.00.0.0.255area1network192.168.3.00.0.0.255area1exitipaccess-listextendedperimeterpermitudphost192.1.1.40host192.1.1.20eq500permitesphost192.1.1.40host192.1.1.20permitgrehost192.1.1.40host192.1.1.20denyipanyanyexitGRE隧道建立好后，就可以进行IPSEC配置了：R1上的配置：cryptoisakmpenablecryptoisakmpidentityaddresscryptoisakmppolicy10encryptionaesauthenticationpre-sharegroup2hashshaexitcryptoisakmpkeycisco123address192.1.1.20no-xauth!IPSEC只对进入GRE隧道的流量进行加密ipaccess-listextendedToR2permitgrehost192.1.1.40host192.1.1.20exit!这里的GRE隧道是点对点模式的，所以传输集应使用传输模式cryptoipsectransform-settransesp-aesesp-sha-hmacmodetransportexitcryptomapmymap10ipsec-isakmpmatchaddressToR2settransform-settranssetpeer192.1.1.20exitinterfaces1/1cryptomapmymapexit!最后别忘记删除测试隧道时建立的流量：ipaccess-listextendedperimeternopermitgrehost192.1.1.20host192.1.1.40R2上的配置：cryptoisakmpenablecryptoisakmpidentityaddresscryptoisakmppolicy10encryptionaesauthenticationpre-sharegroup2hashshaexitcryptoisakmpkeycisco123address192.1.1.40no-xauthipaccess-listextendedToR1permitgrehost192.1.1.20host192.1.1.40exitcryptoipsectransform-settransesp-aesesp-sha-hmacmodetransportexitcryptomapmymap10ipsec-isakmpmatchaddressToR1settransform-settranssetpeer192.1.1.40exitinterfaces1/0cryptomapmymapexitipaccess-listextendedperimeternopermitgrehost192.1.1.40host192.1.1.20测试实验结果：r1#shiprouteCodes:C-connected,S-static,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2i-IS-IS,su-IS-ISsummary,L1-IS-ISlevel-1,L2-IS-ISlevel-2ia-IS-ISinterarea,*-candidatedefault,U-per-userstaticrouteo-ODR,P-periodicdownloadedstaticrouteGatewayoflastresortis192.1.1.20tonetwork0.0.0.0C192.1.1.0/24isdirectlyconnected,Serial1/1C192.168.1.0/24isdirectlyconnected,Loopback0192.168.2.0/32issubnetted,1subnetsO192.168.2.1[110/11112]via192.168.3.2,00:00:17,Tunnel0C192.168.3.0/24isdirectlyconnected,Tunnel0S*0.0.0.0/0[1/0]via192.1.1.20R1上pingPC2:r1#ping192.168.2.1Typeescapesequencetoabort.Sending5,100-byteICMPEchosto192.168.2.1,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=36/56/84msPC1上pingPC2:r1#ping192.168.2.1sourcelo0Typeescapesequencetoabort.Sending5,100-byteICMPEchosto192.168.2.1,timeoutis2seconds:Packetsentwithasourceaddressof192.168.1.1!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=36/55/104ms