Article from Technology, 2020-06-28 17:44

GRE VPN and GRE over IPsec lab configuration


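Lab topology

Lab steps:

1. Configure static routes so that the source and destination interface IP addresses of the tunnel can reach each other.

2. Configure static routes so that each communicating endpoint has a route to the peer network, with the tunnel interface as the outgoing interface (next hop).

3. On the tunnel interface, set the tunnel protocol to GRE, configure the tunnel interface IP address, and configure the tunnel source (the physical interface IP address) and the destination interface IP address.

4. Optionally, configure the keepalive detection mechanism on the tunnel interface (the default sending period is 5 s) to check communication between the two ends of the tunnel.

Tip: in eNSP you must use AR-series routers for this lab; ordinary routers do not support GRE VPN or IPsec VPN.

Configuration for the lab steps:

Lab 1: GRE VPN: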

AR1:
interface Tunnel0/0/0
ip address 10.0.0.1 255.255.255.0
tunnel-protocol gre
keepalive period 3
source 12.12.12.1
destination 23.23.23.3
ip route-static 23.23.23.0 255.255.255.0 12.12.12.2

ip route-static 172.16.1.0 255.255.255.0 Tunnel0/0/0

ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255

AR3:
interface Tunnel0/0/0
ip address 10.0.0.2 255.255.255.0
tunnel-protocol gre
keepalive period 3
source 23.23.23.3
destination 12.12.12.1
ip route-static 12.12.12.0 255.255.255.0 23.23.23.2

ip route-static 192.168.1.0 255.255.255.0 Tunnel0/0/0

ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255

GRE over IPsec configuration:
AR1:
acl number 3000
rule 5 permit gre source 12.12.12.0 0.0.0.255 destination 23.23.23.0 0.0.0.255
#
ipsec proposal baode
#
ike proposal 1
#
ike peer abc v2
pre-shared-key simple 123
ike-proposal 1
remote-address 23.23.23.3
#
ipsec policy ipsec-vpn 10 isakmp
security acl 3000
ike-peer abc
proposal baode
#
interface GigabitEthernet0/0/0
ip address 12.12.12.1 255.255.255.0
ipsec policy ipsec-vpn
AR3:
acl number 3000
rule 5 permit gre source 23.23.23.0 0.0.0.255 destination 12.12.12.0 0.0.0.255
#
ipsec proposal baode
#
ike proposal 1
#
ike peer abc v2
pre-shared-key simple 123
ike-proposal 1
remote-address 12.12.12.1
#
ipsec policy ipsec-vpn 10 isakmp
security acl 3000
ike-peer abc
proposal baode
#
interface GigabitEthernet0/0/0
ip address 23.23.23.3 255.255.255.0
ipsec policy ipsec-vpn
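
A consistency check for the two GRE over IPsec configurations above, as an added example that is not part of the original article. It confirms that each security ACL covers the GRE outer addresses (tunnel source and destination), that the two ACLs mirror each other, that the IKE remote-address matches the peer's tunnel source, and it flags a pre-shared key configured with simple. The function names are hypothetical, and the sample text is constructed from the AR1 and AR3 values shown above.

```python
import ipaddress
import re

def peer_config(local, remote, local_net, remote_net, psk_mode="simple"):
    # Constructed sample: only the lines of the AR1/AR3 configuration that the checks read.
    return f"""acl number 3000
rule 5 permit gre source {local_net} 0.0.0.255 destination {remote_net} 0.0.0.255
ike peer abc v2
pre-shared-key {psk_mode} 123
remote-address {remote}
interface Tunnel0/0/0
tunnel-protocol gre
source {local}
destination {remote}
"""

def parse(cfg):
    """Extract the fields the audit compares from one router's configuration."""
    acl = re.search(r"permit gre source (\S+) (\S+) destination (\S+) (\S+)", cfg)
    one = lambda pat: re.search(pat, cfg, re.M).group(1)
    return {
        # ipaddress accepts the ACL wildcard (host mask) form directly.
        "acl_src": ipaddress.ip_network(f"{acl[1]}/{acl[2]}"),
        "acl_dst": ipaddress.ip_network(f"{acl[3]}/{acl[4]}"),
        "tun_src": ipaddress.ip_address(one(r"^\s*source (\S+)")),
        "tun_dst": ipaddress.ip_address(one(r"^\s*destination (\S+)")),
        "ike_remote": ipaddress.ip_address(one(r"^\s*remote-address (\S+)")),
        "psk_mode": one(r"^\s*pre-shared-key (\S+)"),
    }

def audit(name, cfg, peer_cfg):
    me, peer = parse(cfg), parse(peer_cfg)
    findings = []
    # The ACL must match the GRE outer header, or tunnel traffic leaves unencrypted.
    if me["tun_src"] not in me["acl_src"] or me["tun_dst"] not in me["acl_dst"]:
        findings.append(f"{name}: GRE endpoints not covered by the security ACL")
    if (me["acl_src"], me["acl_dst"]) != (peer["acl_dst"], peer["acl_src"]):
        findings.append(f"{name}: ACL is not the mirror of the peer's ACL")
    if not (me["ike_remote"] == me["tun_dst"] == peer["tun_src"]):
        findings.append(f"{name}: IKE remote-address / tunnel destination mismatch")
    if me["psk_mode"] == "simple":
        findings.append(f"{name}: pre-shared key is stored in plain text")
    return findings

AR1 = peer_config("12.12.12.1", "23.23.23.3", "12.12.12.0", "23.23.23.0")
AR3 = peer_config("23.23.23.3", "12.12.12.1", "23.23.23.0", "12.12.12.0")

if __name__ == "__main__":
    for line in audit("AR1", AR1, AR3) + audit("AR3", AR3, AR1):
        print(line)
```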