[Figure: Traditional gre over ipsec]
This article continues the discussion of GRE over IPsec from the previous post. Last time we established an IPsec connection (transport mode) between the two sites and then built a GRE tunnel on top of that IPsec connection for encrypted communication. This time we achieve the same effect a different way, using a Cisco router IPsec configuration technique: the IPsec profile.
============================== R0 configuration ==============================
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 1234 address 192.168.8.1
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
 mode transport
!
! the essence of this article: the profile replaces the crypto map
crypto ipsec profile 1
 set transform-set 1
 set pfs group2
!
interface Tunnel1
 ip address 192.168.10.1 255.255.255.0
 tunnel source 192.168.1.1
 tunnel destination 192.168.8.1
 tunnel protection ipsec profile 1
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 serial restart-delay 0
R0 route:
Router# show ip route
C    192.168.10.0/24 is directly connected, Tunnel1
C    192.168.1.0/24 is directly connected, Serial1/0
S*   0.0.0.0/0 is directly connected, Serial1/0
==============================================================================
============================== R2 configuration ==============================
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 1234 address 192.168.1.1
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile 1
 set transform-set 1
 set pfs group2
!
interface Tunnel1
 ip address 192.168.10.2 255.255.255.0
 tunnel source 192.168.8.1
 tunnel destination 192.168.1.1
 tunnel protection ipsec profile 1
!
interface Serial1/0
 ip address 192.168.8.1 255.255.255.0
 serial restart-delay 0
R2 route:
Router# show ip route
C    192.168.8.0/24 is directly connected, Serial1/0
C    192.168.10.0/24 is directly connected, Tunnel1
S*   0.0.0.0/0 is directly connected, Serial1/0
==============================================================================
Notice that no crypto map appears in the R0 or R2 configuration, and no crypto map is applied to any interface, which differs from our traditional IPsec connection. Likewise, neither configuration contains an access list defining the traffic of interest, which also differs from the traditional IPsec configuration we built before.
Now let's walk through the configuration. In the traditional procedure, after the IPsec building blocks are in place (the phase 1 policy, the pre-shared key, and the phase 2 transform set), a crypto map is configured and then applied to an interface. Here the crypto map is replaced by a profile. The profile carries only two parameters, the PFS group and the transform set; it defines neither the traffic of interest nor the interface to be encrypted. The one difference from the earlier GRE tunnel configuration is the line "tunnel protection ipsec profile 1". As the name suggests, it applies IPsec protection to the GRE tunnel, and the specific protection policy is profile 1.
Because IPsec protection is configured on the GRE interface, the two IPsec peers are already determined: the tunnel source and the tunnel destination, which is equivalent to applying a crypto map on the source and destination. The traffic of interest to be encrypted is the GRE traffic between tunnel source and tunnel destination, and only that GRE traffic.
With a simple profile we have completed the entire GRE over IPsec setup. This method is currently a very popular configuration and is widely used.
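The properties the text relies on (mirror-image tunnel endpoints, an ISAKMP key bound to the peer's tunnel source, matching transform set, mode and PFS, and a traffic of interest that is implicitly "GRE between the two tunnel endpoints") can be checked mechanically before the routers are deployed. The following is an added example written for this page, not code from the original article or from Cisco: it parses constructed copies of the R0 and R2 configuration shown above with a small, hypothetical IOS parser (parse_ios, check_pair, implied_traffic_of_interest and legacy_algorithms are names chosen here) and reports any mismatch between the two ends. It also flags the 3DES/MD5 transform set as legacy, since current guidance prefers AES with SHA-2.

```python
from dataclasses import dataclass, field

# Constructed copies of the article's R0 and R2 crypto/tunnel lines (only what the checker reads).
R0_CONFIG = """
crypto isakmp key 1234 address 192.168.8.1
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile 1
 set transform-set 1
 set pfs group2
!
interface Tunnel1
 tunnel source 192.168.1.1
 tunnel destination 192.168.8.1
 tunnel protection ipsec profile 1
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
"""
R2_CONFIG = """
crypto isakmp key 1234 address 192.168.1.1
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile 1
 set transform-set 1
 set pfs group2
!
interface Tunnel1
 tunnel source 192.168.8.1
 tunnel destination 192.168.1.1
 tunnel protection ipsec profile 1
!
interface Serial1/0
 ip address 192.168.8.1 255.255.255.0
"""

LEGACY_MARKERS = ("des", "md5")  # DES/3DES and MD5-HMAC are deprecated; prefer AES and SHA-2


@dataclass
class RouterCrypto:
    keys: dict = field(default_factory=dict)            # peer address -> pre-shared key
    transform_sets: dict = field(default_factory=dict)  # name -> {"algos": [...], "mode": str}
    profiles: dict = field(default_factory=dict)        # name -> {"transform_set": str, "pfs": str}
    tunnel: dict = field(default_factory=dict)          # "source" / "destination" / "profile"


def parse_ios(text: str) -> RouterCrypto:
    """Minimal IOS reader (hypothetical helper): tracks which stanza it is in."""
    cfg, block, name = RouterCrypto(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        toks = [p.lower() for p in parts]  # keywords are case-insensitive, the PSK is not
        if toks[:3] == ["crypto", "isakmp", "key"]:
            cfg.keys[toks[5]] = parts[3]
            block = None
        elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
            name, block = toks[3], "ts"
            cfg.transform_sets[name] = {"algos": toks[4:], "mode": "tunnel"}  # IOS default mode
        elif toks[:3] == ["crypto", "ipsec", "profile"]:
            name, block = toks[3], "profile"
            cfg.profiles[name] = {}
        elif toks[0] == "interface":
            block = "tunnel" if toks[1].startswith("tunnel") else None
        elif block == "ts" and toks[0] == "mode":
            cfg.transform_sets[name]["mode"] = toks[1]
        elif block == "profile" and toks[:2] == ["set", "transform-set"]:
            cfg.profiles[name]["transform_set"] = toks[2]
        elif block == "profile" and toks[:2] == ["set", "pfs"]:
            cfg.profiles[name]["pfs"] = toks[2]
        elif block == "tunnel" and toks[0] == "tunnel":
            if toks[1] in ("source", "destination"):
                cfg.tunnel[toks[1]] = toks[2]
            elif toks[1:4] == ["protection", "ipsec", "profile"]:
                cfg.tunnel["profile"] = toks[4]
    return cfg


def implied_traffic_of_interest(cfg: RouterCrypto) -> str:
    """tunnel protection has no crypto ACL; it protects exactly GRE between the endpoints."""
    return f"permit gre host {cfg.tunnel['source']} host {cfg.tunnel['destination']}"


def legacy_algorithms(cfg: RouterCrypto) -> list:
    return sorted({a for ts in cfg.transform_sets.values() for a in ts["algos"]
                   if any(m in a for m in LEGACY_MARKERS)})


def _tunnel_params(cfg: RouterCrypto):
    """Resolve tunnel -> profile -> transform-set; None if any link in the chain is missing."""
    prof = cfg.profiles.get(cfg.tunnel.get("profile"))
    ts = cfg.transform_sets.get(prof.get("transform_set")) if prof else None
    return None if ts is None else {"algos": ts["algos"], "mode": ts["mode"], "pfs": prof.get("pfs")}


def check_pair(a: RouterCrypto, b: RouterCrypto) -> list:
    """Errors that would stop the two ends from forming the GRE/IPsec tunnel; empty means consistent."""
    errors = []
    for tag, me, peer in (("A", a, b), ("B", b, a)):
        src, dst = me.tunnel.get("source"), me.tunnel.get("destination")
        if (src, dst) != (peer.tunnel.get("destination"), peer.tunnel.get("source")):
            errors.append(f"{tag}: tunnel source/destination are not the mirror image of the peer's")
        if dst not in me.keys:
            errors.append(f"{tag}: no isakmp key bound to the peer address {dst}")
        if _tunnel_params(me) is None:
            errors.append(f"{tag}: tunnel protection does not resolve to a profile and transform-set")
    if errors:
        return errors
    if a.keys[a.tunnel["destination"]] != b.keys[b.tunnel["destination"]]:
        errors.append("pre-shared keys differ between the two ends")
    pa, pb = _tunnel_params(a), _tunnel_params(b)
    if pa["algos"] != pb["algos"] or pa["mode"] != pb["mode"]:
        errors.append("transform-set (algorithms or mode) differs between the two ends")
    if pa["pfs"] != pb["pfs"]:
        errors.append("PFS group differs between the two ends")
    return errors


if __name__ == "__main__":
    r0, r2 = parse_ios(R0_CONFIG), parse_ios(R2_CONFIG)
    print("errors:", check_pair(r0, r2) or "none")
    print("R0 traffic of interest:", implied_traffic_of_interest(r0))
    print("legacy algorithms:", legacy_algorithms(r0))
```

The checker deliberately treats the ISAKMP key's address as the peer's tunnel source rather than its tunnel IP (192.168.10.x): IKE runs between the physical endpoints, which is why a key bound to the wrong address shows up as an error.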
After the configuration is complete, ping 192.168.10.2 from R0 to check whether the ping succeeds and whether the communication between the two is encrypted.
Router# ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/96 ms
The ping is successful. Now let's look at the encryption between the two:
[Figure: 1.png]
The communication has been encrypted. Our GRE over IPsec is successfully established!
This article is from the "Online Learning recording" blog. For more information, contact the author!