The remote-address specified in the IKE peer
Applied interface:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 10.1.1.2
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set myset
match address 102
!
interface Serial0
ip address 10.1.1.1 255.255.255.0
clockrate 64000
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 20.1.1.2
ip route 40.1.1.0 255.255.255.0 Tunnel0
!
access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
!
interface Tunnel0
ip address 100.1.1.1 255.255.255.0
tunnel source Serial0
tunnel destination 30.1.1.2
crypto map mymap
GRE
Topology:
R1 F0/0 (172.16.1.1/24) -> R2 F0/0 (172.16.1.2/24): simulates the external network link
R1 F1/0 (192.168.1.1/24): simulates internal network 1
R2 F1/0 (192.168.2.1/24): simulates internal network 2
R1:
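// Define the IKE policy used to establish the phase 1 SA. The system takes the parameters negotiated by the peer and searches the policies we have defined until it finds one in which every parameter matches, then uses it; if none is found, phase 1 fails.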
crypto isakmp policy 10
crypto isakmp key qhtest address 172.16.1.2
!
// This defines the SA used in phase 2; the encryption key it uses is random and is exchanged using the SA established in phase 1.
crypto ipsec transform-set myset esp-3des
!
// Define the crypto map
crypto map qh 10 ipsec-isakmp
!
// Apply the crypto map to the interface below
interface FastEthernet0/0
!
// Define the GRE tunnel interface here
interface Tunnel0
// Because GRE can carry routing protocols, we enable a routing protocol on the tunnel interface
router ospf 100
// The access list here specifies that GRE packets are to be encrypted with IPsec
access-list 102 permit gre host 172.16.1.1 host 172.16.1.2
R2:
crypto isakmp policy 10
crypto isakmp key qhtest address 172.16.1.1
!
!
crypto ipsec transform-set myset esp-3des
!
crypto map qh 10 ipsec-isakmp
!
interface Tunnel0
!
interface FastEthernet0/0
!
router ospf 100
!
access-list 102 permit gre host 172.16.1.2 host 172.16.1.1
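
The R1 and R2 settings above only work if they agree with each other: same pre-shared key, a common transform-set, and crypto ACLs that are mirror images. The following Python check is an added example, not part of the original page; it assumes (as in this GRE setup) that the ACL hosts are also the IKE peer addresses, and the names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample input: the R1 and R2 lines shown in the GRE section.
R1 = """\
crypto isakmp key qhtest address 172.16.1.2
crypto ipsec transform-set myset esp-3des
access-list 102 permit gre host 172.16.1.1 host 172.16.1.2
"""
R2 = """\
crypto isakmp key qhtest address 172.16.1.1
crypto ipsec transform-set myset esp-3des
access-list 102 permit gre host 172.16.1.2 host 172.16.1.1
"""

def parse(cfg):
    """Extract the fields both peers must agree on from an IOS snippet."""
    out = {"keys": {}, "transforms": {}, "acl": []}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            out["keys"][m[2]] = m[1]                      # peer address -> key
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            out["transforms"][m[1]] = frozenset(m[2].split())
        elif m := re.fullmatch(r"access-list \d+ permit (\S+) host (\S+) host (\S+)", line):
            out["acl"].append((m[1], m[2], m[3]))         # proto, src, dst
    return out

def audit(cfg_a, cfg_b):
    """Return the mismatches that would break phase 1 or phase 2."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    # Crypto ACLs must mirror each other: A's (src, dst) is B's (dst, src).
    mirrored = {(p, d, s) for p, s, d in b["acl"]}
    for proto, src, dst in a["acl"]:
        if (proto, src, dst) not in mirrored:
            problems.append(f"ACL entry not mirrored on peer: {proto} {src} -> {dst}")
        # Assumption: ACL hosts are the IKE peers, so each side keys the other.
        ka, kb = a["keys"].get(dst), b["keys"].get(src)
        if ka is None or kb is None:
            problems.append(f"no pre-shared key configured for {src} <-> {dst}")
        elif ka != kb:
            problems.append(f"pre-shared key mismatch for {src} <-> {dst}")
    # Phase 2 needs at least one transform-set with identical contents.
    if not set(a["transforms"].values()) & set(b["transforms"].values()):
        problems.append("no common transform-set")
    return problems

if __name__ == "__main__":
    print(audit(R1, R2) or "peers are consistent")
```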