[Network Security] Building a GRE over IPsec VPN with Routers
Published: Wednesday
Step 11: Configure PC1 and PC2
PC1: IP address 192.168.1.2, gateway 192.168.1.1. PC2: IP address 192.168.2.2, gateway 192.168.2.1.
Step 12: Verification test
Ping PC2 from PC1; the ping succeeds.
Test successful! The GRE over IPsec VPN tunnel has been established!
Step 13: Verification test
On R1 and R2, verify the GRE tunnel state and the routing table. Each router learns the route to the peer's LAN through its tunnel interface:
R1#show interface tunnel 1
Tunnel 1 is UP , line protocol is UP    ! tunnel state is UP
Hardware is Tunnel
Interface address is: 10.1.1.1/24
MTU 1472 bytes, BW 9 Kbit
Encapsulation protocol is Tunnel, loopback not set
Keepalive interval is 0 sec , no set
Carrier delay is 0 sec
RXload is 1 ,Txload is 1
Tunnel source 1.1.1.1 (FastEthernet 1/0), destination 2.2.2.1
Tunnel protocol/transport GRE/IP, key 0x12d687, sequencing disabled
Checksumming of packets disabled
Queueing strategy: WFQ
5 minutes input rate 13 bits/sec, 0 packets/sec
5 minutes output rate 13 bits/sec, 0 packets/sec
49 packets input, 2580 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
70 packets output, 3756 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
R1#show ip route
Codes: C - connected, S - static, R - RIP O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 1.1.1.2
C    1.1.1.0/30 is directly connected, FastEthernet 1/0
C    1.1.1.1/32 is local host.
C    10.1.1.0/24 is directly connected, Tunnel 1
C    10.1.1.1/32 is local host.
C    192.168.1.0/24 is directly connected, FastEthernet 1/1
C    192.168.1.1/32 is local host.
R    192.168.2.0/24 [120/1] via 10.1.1.2, 00:00:16, Tunnel 1
R2#show interface tunnel 1
Tunnel 1 is UP , line protocol is UP    ! tunnel state is UP
Hardware is Tunnel
Interface address is: 10.1.1.2/24
MTU 1472 bytes, BW 9 Kbit
Encapsulation protocol is Tunnel, loopback not set
Keepalive interval is 0 sec , no set
Carrier delay is 0 sec
RXload is 1 ,Txload is 1
Tunnel source 2.2.2.1 (FastEthernet 1/1), destination 1.1.1.1
Tunnel protocol/transport GRE/IP, key 0x12d687, sequencing disabled
Checksumming of packets disabled
Queueing strategy: WFQ
5 minutes input rate 11 bits/sec, 0 packets/sec
5 minutes output rate 11 bits/sec, 0 packets/sec
85 packets input, 4452 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
65 packets output, 3496 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
R2#show ip route
Codes: C - connected, S - static, R - RIP O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default
Gateway of last resort is 2.2.2.2 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 2.2.2.2
C    2.2.2.0/30 is directly connected, FastEthernet 1/1
C    2.2.2.1/32 is local host.
C    10.1.1.0/24 is directly connected, Tunnel 1
C    10.1.1.2/32 is local host.
R    192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:15, Tunnel 1
C    192.168.2.0/24 is directly connected, FastEthernet 1/0
C    192.168.2.1/32 is local host.
Step 14: Verification test
View the IKE SA on R1. The IKE SA has been negotiated successfully and its state is QM_IDLE:
R1#show crypto isakmp sa
destination    source     state     conn-id   lifetime(second)
2.2.2.1        1.1.1.1    QM_IDLE   33        84170
e3e0dddad7d4d1ce 0e6cc92784e23f9d
View the IPsec SAs on R1. Two IPsec SAs have been negotiated, one for inbound packets and one for outbound packets:
R1#show crypto ipsec sa
Interface: FastEthernet 1/0
Crypto map tag:to_r2, local addr 1.1.1.1
media mtu 1500
==================================
item type:static, seqno:1, id=32
local ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/47/0))
remote ident (addr/mask/prot/port): (2.2.2.1/0.0.0.0/47/0))
PERMIT
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest 81
#pkts decaps: 61, #pkts decrypt: 61, #pkts verify 61
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x6e729d63 (1853005155)
transform: esp-3des esp-sha-hmac
in use settings={Transport,}    ! transport mode
crypto map to_r2 1
sa timing: remaining key lifetime (k/sec): (4606986/1315)
IV size: 8 bytes
Replay detection support:Y
Outbound esp sas:
spi:0x2ebb461 (49001569)
transform: esp-3des esp-sha-hmac
in use settings={Transport,}    ! transport mode
crypto map to_r2 1
sa timing: remaining key lifetime (k/sec): (4606986/1315)
IV size: 8 bytes
Replay detection support:Y
View the IKE SA on R2. The IKE SA has been negotiated successfully and its state is QM_IDLE:
R2#sh crypto isakmp sa
destination    source     state     conn-id   lifetime(second)
2.2.2.1        1.1.1.1    QM_IDLE   33        83798
e3e0dddad7d4d1ce 0e6cc92784e23f9d
View the IPsec SAs on R2. Two IPsec SAs have been negotiated, one for inbound packets and one for outbound packets:
R2#sh crypto ipsec sa
Interface: FastEthernet 1/1
Crypto map tag:to_r1, local addr 2.2.2.1
media mtu 1500
==================================
item type:static, seqno:1, id=32
local ident (addr/mask/prot/port): (2.2.2.1/0.0.0.0/47/0))
remote ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/47/0))
PERMIT
#pkts encaps: 75, #pkts encrypt: 75, #pkts digest 75
#pkts decaps: 95, #pkts decrypt: 95, #pkts verify 95
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x2ebb461 (49001569)
transform: esp-3des esp-sha-hmac
in use settings={Transport,}    ! transport mode
crypto map to_r1 1
sa timing: remaining key lifetime (k/sec): (4607984/896)
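The checks in steps 13 and 14 are usually repeated on every change, so it helps to script them. The following Python is an added example, not code from the original article: it parses the decisive lines of R1's "show crypto ipsec sa" output (the page's own values, re-typed with an assumed line layout) and flags anything that deviates from what a GRE over IPsec tunnel in transport mode should show. The list of legacy transforms is this example's own policy (esp-3des, which this lab uses, is on it).

```python
import re

# Constructed sample: the decisive lines of R1's output on this page; values are the
# page's, the one-line-per-field layout is an assumption.
SAMPLE_IPSEC_SA = """\
local ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/47/0))
remote ident (addr/mask/prot/port): (2.2.2.1/0.0.0.0/47/0))
Inbound esp sas:
spi:0x6e729d63 (1853005155) transform: esp-3des esp-sha-hmac
in use settings={Transport,}
Outbound esp sas:
spi:0x2ebb461 (49001569) transform: esp-3des esp-sha-hmac
in use settings={Transport,}
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(\S+?/(\S+?)/(\d+)/")
# Transforms this example's policy treats as legacy (an assumption, not the page's).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Return proxy identities and the per-direction ESP SA (spi, transforms, mode)."""
    idents = {m.group(1): {"mask": m.group(2), "prot": int(m.group(3))}
              for m in IDENT_RE.finditer(text)}
    sas = {}
    for direction in ("Inbound", "Outbound"):
        sec = re.search(rf"{direction} esp sas:(.*?)(?=\n\w+ esp sas:|\Z)", text, re.S)
        spi = sec and re.search(r"spi:(0x[0-9a-f]+)", sec.group(1))
        if not spi:
            continue  # no SA negotiated in this direction
        transform = re.search(r"transform:\s*([^\n]+)", sec.group(1))
        mode = re.search(r"in use settings=\{(\w+)", sec.group(1))
        sas[direction] = {"spi": spi.group(1), "mode": mode.group(1) if mode else None,
                          "transform": transform.group(1).split() if transform else []}
    return idents, sas

def audit_gre_over_ipsec(text):
    """SA in both directions, host-to-host GRE proxy IDs (protocol 47, mask 0.0.0.0,
    which is what makes transport mode sufficient), transport mode, no legacy transforms."""
    idents, sas = parse_ipsec_sa(text)
    findings = []
    for side in ("local", "remote"):
        ident = idents.get(side)
        if not ident or ident["prot"] != 47 or ident["mask"] != "0.0.0.0":
            findings.append(f"{side} proxy identity is not host-to-host GRE (protocol 47)")
    for direction in ("Inbound", "Outbound"):
        sa = sas.get(direction)
        if sa is None:
            findings.append(f"no {direction.lower()} ESP SA negotiated")
            continue
        if sa["mode"] != "Transport":
            findings.append(f"{direction} SA {sa['spi']} is not in transport mode")
        for t in sorted(LEGACY_TRANSFORMS & set(sa["transform"])):
            findings.append(f"{direction} SA {sa['spi']} uses legacy transform {t}")
    return findings
```

Run against this page's output the only findings are the two esp-3des warnings; a half-negotiated tunnel (one direction missing) or a tunnel-mode SA on GRE is reported as well.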