
Cisco router configuration GRE over IPsec

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Topology diagram

Experiment objective:

Use GRE over IPsec to encrypt communication between the R1 network segment 172.16.10.0/24 and the R2 network segment 172.17.10.0/24.

Because IPsec VPN does not support multicast, while GRE supports multiple protocols, GRE over IPsec is generally chosen.

Configuration ideas:

Define the interesting traffic with an ACL

Configure the first phase of IKE

Configure the second phase of IKE

Create a new crypto map and apply it to the interface

Set the route, with the next hop via Tunnel 0

Configuration:

R1:

Configure interface IP information

interface Loopback0
 ip address 172.16.10.1 255.255.255.0
 no shutdown
 exit
interface FastEthernet0/0
 ip address 200.1.1.1 255.255.255.0
 no shutdown
 exit
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 tunnel source 200.1.1.1
 tunnel destination 200.1.1.2

Configure ACL

ip access-list extended ipsec-acl-1
 permit ip host 200.1.1.1 host 200.1.1.2 log
 exit

Configure the first phase of IKE

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 86400
 exit

Configure the IKE phase 1 pre-shared key

! This was done on a simulator; a real router may not need the 6 after "key"
crypto isakmp key 6 tommy address 200.1.1.2

Configure the second phase of IKE

crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 ! Note: when traversing NAT, only transport mode can be used
 mode transport
 exit

Configure the crypto map

crypto map MAP-1 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set SET-1
 match address ipsec-acl-1
 exit

Apply the crypto map to an interface

interface FastEthernet0/0
 crypto map MAP-1
 exit

Configure routing

ip route 172.17.10.0 255.255.255.0 1.1.1.2

R2:

Configure interface IP information

interface Loopback0
 ip address 172.17.10.1 255.255.255.0
 no shutdown
 exit
interface FastEthernet0/0
 ip address 200.1.1.2 255.255.255.0
 no shutdown
 exit
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 tunnel source 200.1.1.2
 tunnel destination 200.1.1.1

Configure ACL

ip access-list extended ipsec-acl-1
 permit ip host 200.1.1.2 host 200.1.1.1 log
 exit

Configure the first phase of IKE

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 86400
 exit

Configure the IKE phase 1 pre-shared key

! This was done on a simulator; a real router may not need the 6 after "key"
crypto isakmp key 6 tommy address 200.1.1.1

Configure the second phase of IKE

crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 mode transport
 exit

Configure the crypto map

crypto map MAP-1 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set SET-1
 match address ipsec-acl-1
 exit

Apply the crypto map to an interface

interface FastEthernet0/0
 crypto map MAP-1
 exit

Configure routing

ip route 172.16.10.0 255.255.255.0 1.1.1.1

The configuration is complete at this time.

Verify:

Ping test:

R1#ping 172.17.10.1 source 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 62/65/72 ms
R1#

Packet capture:

Route trace:

R1#traceroute 172.17.10.1 source 172.16.10.1
Type escape sequence to abort.
Tracing the route to 172.17.10.1
  1 1.1.1.2 72 msec 68 msec 84 msec
R1#

The GRE over IPsec was configured successfully.
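
The IKE policy and transform set above negotiate 3DES, MD5 and DH group 5, which are legacy algorithms. The following is an added example, not part of the original article, showing the same R1 settings with AES-256, SHA-256 and DH group 14, plus the show commands that confirm traffic is really being encrypted rather than just routed through the tunnel. The transform-set name SET-2 and the key placeholder are assumptions, as is an IOS release that supports these algorithms; mirror the change on R2 with peer 200.1.1.1.

```cisco
! Added example (not from the original article). R1 side only.
! Assumption: the IOS release supports AES-256, SHA-256 and DH group 14.

! Phase 1: replaces encr 3des / hash md5 / group 5 in policy 10
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
 exit

! Pre-shared key: <PSK-PLACEHOLDER> stands for a long random secret,
! identical on both peers (placeholder, not a real value)
crypto isakmp key <PSK-PLACEHOLDER> address 200.1.1.2

! Phase 2: replaces esp-3des / esp-md5-hmac, transport mode kept
! SET-2 is a hypothetical name chosen for this example
crypto ipsec transform-set SET-2 esp-aes 256 esp-sha256-hmac
 mode transport
 exit

! Point the existing crypto map entry at the new transform set
crypto map MAP-1 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set SET-2
 match address ipsec-acl-1
 exit

! Verification from privileged exec mode, after sending traffic:
!   show crypto isakmp sa   -> peer 200.1.1.2 should reach state QM_IDLE
!   show crypto ipsec sa    -> "pkts encaps" and "pkts decaps" should
!                              increase with every ping across the tunnel
```

A successful ping only proves that the route through Tunnel0 works; the encaps and decaps counters are what show that the GRE packets matched ipsec-acl-1 and were protected by ESP.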
