GRE over IPSEC route Configuration

Source: Internet
Author: User

Topology:

    r1 (0/0) --- r2 --- (1/1) r3

GRE over IPsec solves the problem that IPsec cannot transmit multicast traffic: the multicast is carried in GRE, so you can run a routing protocol through IPsec, and the protocol traffic is encrypted.

R1:

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key zaq address 2.3.0.1
    !
    crypto ipsec transform-set vpn esp-des
    !
    crypto map vpn 10 ipsec-isakmp
     set peer 2.3.0.1
     set transform-set vpn
     match address 101
    !
    interface Tunnel0
     ip address 1.3.0.1 255.255.255.0
     tunnel source FastEthernet0/0
     tunnel destination 2.3.0.1
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback1
     ip address 10.0.0.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address 1.2.0.1 255.255.255.0
     duplex full
     crypto map vpn
    !
    router ospf 1
     log-adjacency-changes
    !
    ip route 0.0.0.0 0.0.0.0 1.2.0.2
    !
    access-list 101 permit gre host 1.2.0.1 host 2.3.0.1

R2:

    interface FastEthernet0/0
     ip address 1.2.0.2 255.255.255.0
     duplex full
    !
    interface FastEthernet1/1
     ip address 2.3.0.2 255.255.255.0
     duplex full
     speed auto

R3:

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key zaq address 1.2.0.1
    !
    crypto ipsec transform-set vpn esp-des
    !
    crypto map vpn 10 ipsec-isakmp
     set peer 1.2.0.1
     set transform-set vpn
     match address 101
    !
    interface Tunnel0
     ip address 1.3.0.2 255.255.255.0
     tunnel source FastEthernet1/1
     tunnel destination 1.2.0.1
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface Loopback1
     ip address 30.0.0.1 255.255.255.0
    !
    interface FastEthernet1/1
     ip address 2.3.0.1 255.255.255.0
     duplex full
     speed auto
     crypto map vpn
    !
    ip route 0.0.0.0 0.0.0.0 2.3.0.2
    !
    access-list 101 permit gre host 2.3.0.1 host 1.2.0.1

Verification (local address 2.3.0.1, i.e. R3):

    Router# show crypto engine connections active

      ID Interface        IP-Address  State  Algorithm         Encrypt  Decrypt
       1 FastEthernet1/1  2.3.0.1     set    HMAC_MD5 + limit        0        0
    2001 FastEthernet1/1  2.3.0.1     set    DES                     0       27
    2002 FastEthernet1/1  2.3.0.1     set    DES                    27        0

    Router# show crypto isakmp sa
    dst         src         state     conn-id  slot  status
    1.2.0.1     2.3.0.1     QM_IDLE         1     0  ACTIVE

    Router# show crypto isakmp peers
    Peer: 1.2.0.1 Port: 500 Local: 2.3.0.1
     Phase1 id: 1.2.0.1

    Router# show crypto ipsec sa

    interface: FastEthernet1/1
        Crypto map tag: vpn, local addr 2.3.0.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.3.0.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.2.0.1/255.255.255.255/47/0)
       current_peer 1.2.0.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
        #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0

         local crypto endpt.: 2.3.0.1, remote crypto endpt.: 1.2.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/1
         current outbound spi: 0xEAA8551D(3936900381)

         inbound esp sas:
          spi: 0x323BE771(842786673)
            transform: esp-des ,
            in use settings ={Tunnel, }
            conn id: 2001, flow_id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4493451/2885)
            IV size: 8 bytes
            replay detection support: N
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xEAA8551D(3936900381)
            transform: esp-des ,
            in use settings ={Tunnel, }
            conn id: 2002, flow_id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4493451/2884)
            IV size: 8 bytes
            replay detection support: N
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

There is also IPsec over GRE, which I personally think is meaningless: although the multicast problem is solved, the multicast is transmitted in plaintext, so IPsec is meaningless. It's better to use GRE directly!
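The crypto settings shown for R1 and R3 use MD5 for IKE, a three-character pre-shared key, and an esp-des transform set with no ESP authentication transform, which is consistent with the "replay detection support: N" lines in the show crypto ipsec sa output. The following Python check is an added example, not part of the original page; the finding names, MIN_PSK_LEN, and the assumption that a policy with no encryption or group line falls back to DES and DH group 1 (classic IOS defaults) belong to the example.

```python
# Constructed input: R1's IKE/IPsec lines as given on this page.
R1_CRYPTO = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key zaq address 2.3.0.1
crypto ipsec transform-set vpn esp-des
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}
MIN_PSK_LEN = 20  # assumption: local policy threshold, not from the page

def blocks(config):
    """Group each top-level IOS line with its indented sub-commands."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return sorted finding codes for weak IKE/IPsec settings."""
    findings = set()
    for head, subs in blocks(config):
        words = head.split()
        if head.startswith("crypto isakmp policy"):
            if "hash md5" in subs:
                findings.add("ike-hash-md5")
            # A missing line means the platform default applies
            # (assumed here: DES and DH group 1).
            if not any(s.startswith("encr") for s in subs):
                findings.add("ike-encryption-default")
            if not any(s.startswith("group") for s in subs):
                findings.add("ike-dh-group-default")
        elif head.startswith("crypto isakmp key"):
            # Assumes the plain "key <secret> address <peer>" form used here.
            if len(words[3]) < MIN_PSK_LEN:
                findings.add("psk-too-short")
        elif head.startswith("crypto ipsec transform-set"):
            transforms = words[4:]
            if WEAK_ESP & set(transforms):
                findings.add("esp-weak-cipher")
            # Without an HMAC (or GCM) transform ESP has no integrity check.
            if not any(t.endswith("-hmac") or t.startswith("esp-gcm")
                       for t in transforms):
                findings.add("esp-no-integrity")
    return sorted(findings)
```

Running audit(R1_CRYPTO) reports all six findings; a configuration that states encryption and group explicitly, uses a long key, and pairs an AES transform with an HMAC transform returns an empty list.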
