First, environment setup
Router A: intranet address 10.1.1.1/24; traffic is encapsulated with the public address 1.1.1.1/24 and then goes through the tunnel, 10.1.2.1/24
Router B: intranet address 10.1.3.1/24; traffic is encapsulated with the public address 2.2.2.2/24 and then goes through the tunnel, 10.1.2.2/24
If you run the experiment in GNS3, loopback interfaces can serve as the intranet addresses. The Internet is simulated with a router that runs no routing and is configured only with IP addresses. Router A and Router B each have a default route pointing to the Internet, so the public addresses can reach each other while the intranets cannot. GRE is then configured so that the intranets are interoperable and can communicate with each other.
Second, GRE configuration
(1) Router A configuration
RouterA(config)# int tunnel 0 //create a tunnel interface; 0 is the tunnel number, and there can be multiple tunnels
RouterA(config-if)# ip add 10.1.2.1 255.255.255.0 //give the tunnel an IP; both ends of the tunnel must be in the same network segment
RouterA(config-if)# tunnel source 1.1.1.1 //specify the tunnel source (public IP); an interface can be given instead
RouterA(config-if)# tunnel destination 2.2.2.2 //specify the tunnel destination (public IP)
RouterA(config-if)# tunnel mode gre ip //configure the tunnel encapsulation mode; GRE over IP is used here
RouterA(config)# ip route 10.1.3.0 255.255.255.0 10.1.2.2 //static route to the remote intranet via the peer's tunnel address
The static route's destination network is the remote intranet, and its next hop is the address of the peer's tunnel interface, so traffic to the remote intranet takes the tunnel. A routing protocol such as OSPF or EIGRP can be used instead, but advertise the tunnel's network segment in it, not the public network addresses. The tunnel can be thought of as a direct link.
Note: 1. After configuration, use show ip int brief to check whether the tunnel interface is up; if the network is reachable, the tunnel comes up. 2. The configuration is bidirectional.
(2) Router B configuration
RouterB(config)# int tunnel 0 //create a tunnel interface; 0 is the tunnel number, and there can be multiple tunnels
RouterB(config-if)# ip add 10.1.2.2 255.255.255.0 //give the tunnel an IP; both ends of the tunnel must be in the same network segment
RouterB(config-if)# tunnel source 2.2.2.2 //specify the tunnel source (public IP); an interface can be given instead
RouterB(config-if)# tunnel destination 1.1.1.1 //specify the tunnel destination (public IP)
RouterB(config-if)# tunnel mode gre ip //configure the tunnel encapsulation mode; GRE over IP is used here
RouterB(config)# ip route 10.1.1.0 255.255.255.0 10.1.2.1 //static route to the remote intranet via the peer's tunnel address
As on Router A, the static route's destination network is the remote intranet and its next hop is the address of the peer's tunnel interface, so traffic to the remote intranet takes the tunnel. A routing protocol such as OSPF or EIGRP can be used instead, but advertise the tunnel's network segment in it, not the public network addresses. The tunnel can be thought of as a direct link.
(3) Test
From one intranet, access the intranet at the other end and see whether the traffic gets through.
On the local side, run show ip route to check whether there is a route to the peer intranet.
Third, IPsec configuration
(1) Router A configuration
crypto isakmp enable
crypto isakmp policy
 group 2
 authentication pre-share
 encryption 3des
 hash sha
 lifetime 86400
crypto isakmp key 0 ABC address 2.2.2.2 //peer public IP
crypto ipsec transform-set CCIE esp-aes esp-sha-hmac
 mode transport
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2 //note: these are the public interface IPs; all traffic leaving this interface goes out as GRE traffic, so all of it is interesting traffic
crypto map cisco 10 ipsec-isakmp
 set peer 2.2.2.2 //peer public interface address
 set transform-set CCIE
 match address 100
int f0/0
 crypto map cisco
(2) Router B configuration
crypto isakmp enable
crypto isakmp policy
 group 2
 authentication pre-share
 encryption 3des
 hash sha
 lifetime 86400
crypto isakmp key 0 ABC address 1.1.1.1 //peer public IP
crypto ipsec transform-set CCIE esp-aes esp-sha-hmac
 mode transport
access-list 100 permit gre host 2.2.2.2 host 1.1.1.1 //note: these are the public interface IPs; all traffic leaving this interface goes out as GRE traffic, so all of it is interesting traffic
crypto map cisco 10 ipsec-isakmp
 set peer 1.1.1.1 //peer public interface address
 set transform-set CCIE
 match address 100
int f0/1
 crypto map cisco
GRE over IPSEC configuration
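Because the configuration is bidirectional, most failures come from one end not mirroring the other. The following check is an added example, not part of the original page: it parses two constructed configs that restate the Router A and Router B settings above and reports every mismatch between tunnel endpoints, crypto peer, pre-shared key address, crypto ACL and tunnel subnet. The names TEMPLATE, FIELDS, parse and mirror_errors are hypothetical, and it assumes the tunnel source is written as an IP address rather than an interface.

```python
import ipaddress
import re

# Constructed sample: one template restating the page's settings for both ends.
TEMPLATE = """interface tunnel 0
 ip address {tun} 255.255.255.0
 tunnel source {local}
 tunnel destination {remote}
crypto isakmp key 0 ABC address {remote}
access-list 100 permit gre host {local} host {remote}
crypto map cisco 10 ipsec-isakmp
 set peer {remote}
"""
ROUTER_A = TEMPLATE.format(tun="10.1.2.1", local="1.1.1.1", remote="2.2.2.2")
ROUTER_B = TEMPLATE.format(tun="10.1.2.2", local="2.2.2.2", remote="1.1.1.1")
FIELDS = {  # hypothetical field names -> pattern capturing the values
    "tunnel_ip": r"ip add(?:ress)? (\S+) (\S+)",
    "source": r"tunnel source (\S+)",
    "destination": r"tunnel destination (\S+)",
    "key": r"crypto isakmp key \d (\S+) address (\S+)",
    "acl": r"access-list \d+ permit gre host (\S+) host (\S+)",
    "peer": r"set peer (\S+)",
}

def parse(config):
    """Return {field: captured groups} for every FIELDS pattern found."""
    hits = {k: re.search(p, config, re.IGNORECASE) for k, p in FIELDS.items()}
    return {k: m.groups() for k, m in hits.items() if m}

def mirror_errors(a_text, b_text):
    """List every way the two ends fail to mirror each other."""
    a, b = parse(a_text), parse(b_text)
    errors = [f"{n}: missing {k}" for n, c in (("A", a), ("B", b)) for k in FIELDS if k not in c]
    if errors:
        return errors
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        src, dst = x["source"][0], x["destination"][0]
        if dst != y["source"][0]:
            errors.append(f"{nx} tunnel destination != {ny} tunnel source")
        if x["peer"][0] != dst or x["key"][1] != dst:
            errors.append(f"{nx} crypto peer or key address != tunnel destination")
        if x["acl"] != (src, dst):  # ACL must name the GRE endpoints, not the intranets
            errors.append(f"{nx} crypto ACL does not match its GRE endpoints")
    if a["key"][0] != b["key"][0]:
        errors.append("pre-shared keys differ")
    nets = {ipaddress.ip_interface("/".join(c["tunnel_ip"])).network for c in (a, b)}
    if len(nets) != 1:
        errors.append("tunnel interfaces are on different subnets")
    return errors
```

An empty list from mirror_errors(ROUTER_A, ROUTER_B) means the two ends agree; each string in a non-empty list names the side and the setting to correct.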