R1 has a fixed IP
R1:
#
acl advanced name IPSEC12
rule 2 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
acl advanced name NAT
rule 2 deny ip source 1.1.1.1 0 destination 2.2.2.2 0
rule 5 permit ip
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 10.10.12.2 255.255.255.252
nat outbound name NAT
ipsec apply policy 1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0 GigabitEthernet0/1 10.10.12.1
#
ipsec transform-set 12
esp encryption-algorithm 3des-cbc aes-cbc-128
esp authentication-algorithm md5
#
ipsec policy-template 1 1
transform-set 12
security acl name IPSEC12
local-address 10.10.12.2
ike-profile 12
#
ipsec policy 1 1 isakmp template 1
#
ike identity fqdn R1
#
ike profile 12
keychain 12
exchange-mode aggressive
local-identity fqdn R1
match remote identity fqdn R2
match local address GigabitEthernet0/1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 12
match local address 10.10.12.2
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$15I1sJQZilIbSRI0rxoELx9QAjJiCw==
#
interface Tunnel1 mode gre
ip address 192.168.12.1 255.255.255.0
ospf 1 area 0.0.0.0
source 1.1.1.1
destination 2.2.2.2
#
R2:
#
acl advanced name IPSEC21
rule 1 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 2 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
#
acl advanced name NAT
rule 1 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 2 deny ip source 2.2.2.2 0 destination 1.1.1.1 0
rule 5 permit ip
#
ipsec transform-set 21
esp encryption-algorithm 3des-cbc aes-cbc-128
esp authentication-algorithm md5
#
ipsec policy 2 1 isakmp
transform-set 21
security acl name IPSEC21
remote-address 10.10.12.2
ike-profile 21
#
ike identity fqdn R2
#
ike profile 21
keychain 21
exchange-mode aggressive
local-identity fqdn R2
match remote identity address 10.10.12.2 255.255.255.252
match local address Dialer1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 21
match local address 20.20.12.2
pre-shared-key address 10.10.12.2 255.255.255.252 key cipher $c$3$B0MzOjTZ40lSqvNRs9ff7QW0s/UBCA==
#
interface Tunnel1 mode gre
ip address 192.168.12.2 255.255.255.0
ospf 1 area 0.0.0.0
source 2.2.2.2
destination 1.1.1.1
#
1. A normal GRE over IPsec deployment has public IPs at both ends, and GRE uses the two ends' public IPs as its underlay addresses.
PC1(192.168.1.1)——R1(11.11.11.11)——ISP——(22.22.22.22)R2——PC2(192.168.2.1)
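PC1 accesses PC2
2. If GRE over IPsec is to be implemented with one end on dial-up and the other on a fixed IP, DDNS cannot be used, because the GRE configuration has no way to configure anything domain-name related.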
PC1(192.168.1.1)——R1(11.11.11.11)——ISP——(pppoe)R2——PC2(192.168.2.1)
3. Whichever case it is, both with GRE
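
As an added example (not part of the original case or of the vendor's own material), this Python script audits the IKE and IPsec sections of a configuration like R1's above and reports algorithm and key-scope settings that deserve review. The names `RULES` and `audit`, the finding texts and the embedded sample are assumptions made for illustration.

```python
import re

# Constructed sample: IKE/IPsec lines of the R1 config above, key replaced by a placeholder.
R1_CONFIG = """\
ipsec transform-set 12
 esp encryption-algorithm 3des-cbc aes-cbc-128
 esp authentication-algorithm md5
#
ike profile 12
 exchange-mode aggressive
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike keychain 12
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher <placeholder>
#
"""

# (section prefix, regex on a command inside that section, finding text)
RULES = [
    ("ike proposal", r"^encryption-algorithm .*\b3?des-cbc\b", "IKE uses DES/3DES"),
    ("ike proposal", r"^authentication-algorithm md5\b", "IKE uses MD5"),
    ("ike proposal", r"^dh group(1|2|5)\b", "IKE DH group is 1536 bits or less"),
    ("ipsec transform-set", r"^esp encryption-algorithm .*\b3?des-cbc\b", "ESP offers DES/3DES"),
    ("ipsec transform-set", r"^esp authentication-algorithm .*\bmd5\b", "ESP offers HMAC-MD5"),
    ("ike profile", r"^exchange-mode aggressive\b", "aggressive mode with a pre-shared key"),
    ("ike keychain", r"^pre-shared-key address 0\.0\.0\.0 0(\.0\.0\.0)?\b", "key accepted from any peer address"),
]

def audit(config):
    """Return sorted (section, finding) pairs for a '#'-separated Comware-style config."""
    findings, section = set(), None
    for raw in config.splitlines():
        line = raw.strip()               # works for indented and flattened dumps
        if not line or line == "#":
            section = None               # '#' closes the current view
        elif section is None:
            section = line               # first line after '#' names the view
        else:
            for prefix, pattern, text in RULES:
                if section.startswith(prefix) and re.search(pattern, line):
                    findings.add((section, text))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{s}: {t}" for s, t in audit(R1_CONFIG)), sep="\n")
```

R1 cannot know R2's dial-up address in advance, which is why the page uses a wildcard key address; that finding is a reminder that the strength of the pre-shared key carries the whole authentication.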