GNS3 配置Dynamic p2p GRE over IPsec

标签：gns3 配置dynamic p2p gre over ipsec

1、实验拓扑

2、基础网络配置

R1配置：

ip dhcp excluded-address 13.1.1.1 13.1.1.2

ip dhcp pool net13

   network 13.1.1.0 255.255.255.0

   default-router 13.1.1.1 

interface FastEthernet0/0

 ip address 12.1.1.1 255.255.255.0

interface FastEthernet1/0

 ip address 13.1.1.1 255.255.255.0

R2配置：

interface FastEthernet0/0

 ip address 12.1.1.2 255.255.255.0

interface FastEthernet1/0

 ip address 172.16.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 12.1.1.1

R3配置：

interface Loopback0

 ip address 3.3.3.3 255.255.255.0

interface FastEthernet0/0

 ip address dhcp

interface FastEthernet1/0

 ip address 192.168.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 13.1.1.1

R4配置：

interface FastEthernet0/0

 ip address 172.16.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.16.1.254

R5配置：

interface FastEthernet0/0

 ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.254

3、配置Dynamic p2p GRE over IPsec

3.1、配置GRE

R2配置:

interface Tunnel2

 ip address 1.1.1.1 255.255.255.0

 tunnel source 12.1.1.2

 tunnel destination 3.3.3.3

ip route 3.3.3.3 255.255.255.255 12.1.1.1

这条路由必须配置，这是配置规则要求的

R3配置:

interface Tunnel3

 ip address 1.1.1.2 255.255.255.0

 tunnel source Loopback0

 tunnel destination 12.1.1.2

3.2、R2配置Dynamic LAN-to-LAN VPN（相对普通的Dynamic LAN-to-LAN VPN多了一条指令）

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set ccie esp-3des esp-sha-hmac 

crypto dynamic-map dymap 1

 set transform-set ccie 

crypto map mymap 1 ipsec-isakmp dynamic dymap （经测试，这条指令可以不写）

crypto map mymap local-address FastEthernet0/0

interface FastEthernet0/0

 crypto map mymap

3.3、R3配置LAN-to-LAN VPN（与普通LAN-to-LAN VPN的ACL不同，多了一条指令）

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco123 address 12.1.1.2

crypto ipsec transform-set ccie esp-3des esp-sha-hmac 

access-list 100 permit gre 3.3.3.0 0.0.0.255 12.1.1.0 0.0.0.255

crypto map mymap 1 ipsec-isakmp 

 set peer 12.1.1.2

 set transform-set ccie 

 match address 100

crypto map mymap local-address FastEthernet0/0（经测试，这条指令可以不写）

interface FastEthernet0/0

 crypto map mymap

3.4、配置动态路由协议（此时私网流量走的都是隧道。）

R2配置：

router ospf 1

 network 1.1.1.0 0.0.0.255 area 0

 network 172.16.1.0 0.0.0.255 area 0

R3配置：

router ospf 1

 network 1.1.1.0 0.0.0.255 area 0

 network 192.168.1.0 0.0.0.255 area 0

4、NAT对Dynamic p2p GRE over IPsec的影响与NAT对Static p2p GRE over IPsec的影响一样

本文出自 “开源殿堂” 博客，请务必保留此出处http://kaiyuandiantang.blog.51cto.com/10699754/1695742

GNS3 配置Dynamic p2p GRE over IPsec

标签：gns3 配置dynamic p2p gre over ipsec

原文地址：http://kaiyuandiantang.blog.51cto.com/10699754/1695742