GRE over IPSEC Configuration
The difference between the configuration of IPsec-over-GRE and GRE-over-IPsec is:

                                  GRE-over-IPsec                     IPsec-over-GRE
ACL definition                    GRE data flow                      intranet data flow
remote-address in the IKE peer    the other party's public address   the other party's GRE tunnel address
Where it is applied               public-network egress interface    GRE tunnel interface
Technical characteristics:
An IPsec (ESP) tunnel carries only IP unicast traffic.
GRE encapsulates non-IP, IP multicast and IP broadcast packets into IP unicast packets, which IPsec can then carry.
Running GRE inside the IPsec tunnel needs at most three SAs (one IKE SA plus one IPsec SA per direction).
GRE --- Generic Routing Encapsulation
GRE is a Layer 3 protocol; it is connectionless and provides no security of its own. Passenger protocols supported: IP / IPX / AppleTalk
Tunnel Mode packet structure:    | IP | ESP | IP | GRE | IP | TCP | Data | ESP trailer |
                                            |<====== Encrypted Payload ======>|
Transport Mode packet structure: | IP | ESP | GRE | IP | TCP | Data | ESP trailer |
                                            |<=== Encrypted Payload ===>|
Experiment 1:
The Tunnel Mode packet structure in this experiment:
... | peer source, peer destination | ESP | GRE source address, GRE destination address | GRE | source IP, destination IP | data | ESP trailer | ...
The Transport Mode packet structure in this experiment:
Because "peer source, peer destination" (the encryption point) is the same as "GRE source address, GRE destination address" (the communication point), the outer IP header can be reused and the structure collapses to:
... | GRE source address, GRE destination address | ESP | GRE | source IP, destination IP | data | ESP trailer | ...
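To make the two header stacks above concrete, the following Python script is an added example (not from the page) that builds the encapsulation byte by byte with the tunnel endpoints from this experiment (12.1.1.2 and 13.1.1.3) and then peels it back the way a receiver would. The inner host addresses 100.2.2.10 and 100.3.3.10, the SPI and the 12-byte ICV are constructed assumptions; ESP's cipher is modelled as identity so every offset stays readable, and padding follows the 8-byte DES/3DES block of the page's transform set.

```python
"""Byte-level model of GRE over IPsec (ESP) in tunnel and transport mode."""
import ipaddress
import struct

IPV4_HDR, GRE_HDR, ESP_HDR, ESP_TRAILER = 20, 4, 8, 2   # header sizes (no IP options, plain GRE)
ICV_LEN = 12                 # HMAC-SHA1-96 ICV, what esp-sha-hmac appends (assumed length)
BLOCK = 8                    # DES/3DES block size: ESP pads its plaintext to a multiple of this
PROTO_IPIP, PROTO_TCP, PROTO_GRE, PROTO_ESP = 4, 6, 47, 50
ETHERTYPE_IPV4 = 0x0800

PEER_R2, PEER_R3 = "12.1.1.2", "13.1.1.3"      # tunnel source/destination from the page
HOST_A, HOST_B = "100.2.2.10", "100.3.3.10"    # constructed hosts in the two internal networks


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left zero, it is not the point here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def gre_encapsulate(inner_ip, tun_src, tun_dst):
    """GRE delivery: IP(proto 47) | GRE(flags=0, type 0x0800) | inner IP packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_ip
    return ipv4_header(tun_src, tun_dst, PROTO_GRE, len(gre)) + gre


def esp_frame(plaintext, next_header, spi=0x1000, seq=1):
    """ESP framing: SPI | seq | payload | pad | pad-len | next-hdr | ICV.
    The cipher is modelled as identity so every offset stays visible."""
    pad_len = (-(len(plaintext) + ESP_TRAILER)) % BLOCK
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + body + b"\x00" * ICV_LEN


def gre_over_ipsec(inner_ip, tun_src, tun_dst, peer_src, peer_dst, mode):
    """Encrypt a GRE-encapsulated packet between peer_src and peer_dst."""
    gre_pkt = gre_encapsulate(inner_ip, tun_src, tun_dst)
    if mode == "tunnel":
        # The whole GRE packet, its IP header included, is the ESP payload (next header 4);
        # a new outer IP header carries the peer addresses.
        esp = esp_frame(gre_pkt, PROTO_IPIP)
        return ipv4_header(peer_src, peer_dst, PROTO_ESP, len(esp)) + esp
    if mode == "transport":
        # Only legal when encryption point == communication point: the GRE delivery
        # header doubles as the outer header and ESP follows it with next header 47.
        if (tun_src, tun_dst) != (peer_src, peer_dst):
            raise ValueError("transport mode needs peer addresses == GRE tunnel addresses")
        esp = esp_frame(gre_pkt[IPV4_HDR:], PROTO_GRE)
        return ipv4_header(tun_src, tun_dst, PROTO_ESP, len(esp)) + esp
    raise ValueError(f"unknown mode {mode}")


def peel(packet):
    """Walk the layers like a receiver; returns [(layer, next-protocol), ...]."""
    chain = []
    while True:
        proto = packet[9]                                   # IPv4 protocol field
        chain.append(("IP", proto))
        if proto == PROTO_ESP:
            body = packet[IPV4_HDR + ESP_HDR:-ICV_LEN]
            pad_len, next_hdr = body[-2], body[-1]
            payload = body[:len(body) - ESP_TRAILER - pad_len]
            chain.append(("ESP", next_hdr))
            if next_hdr == PROTO_IPIP:                      # tunnel mode: an IP header follows
                packet = payload
            elif next_hdr == PROTO_GRE:                     # transport mode: GRE, then inner IP
                chain.append(("GRE", ETHERTYPE_IPV4))
                packet = payload[GRE_HDR:]
            else:
                return chain
        elif proto == PROTO_GRE:
            chain.append(("GRE", struct.unpack("!H", packet[IPV4_HDR + 2:IPV4_HDR + 4])[0]))
            packet = packet[IPV4_HDR + GRE_HDR:]
        else:
            return chain


def sample_inner(data=b"0123456789"):
    """Constructed inner packet: IP | TCP (20 zero bytes stand in for the header) | data."""
    return ipv4_header(HOST_A, HOST_B, PROTO_TCP, 20 + len(data)) + b"\x00" * 20 + data


def overhead(mode):
    """Bytes added on top of the inner packet by GRE + ESP in the given mode."""
    inner = sample_inner()
    return len(gre_over_ipsec(inner, PEER_R2, PEER_R3, PEER_R2, PEER_R3, mode)) - len(inner)


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        pkt = gre_over_ipsec(sample_inner(), PEER_R2, PEER_R3, PEER_R2, PEER_R3, mode)
        print(f"{mode:9s} {len(pkt):3d} bytes on the wire, +{overhead(mode)} overhead, chain {peel(pkt)}")
```

Running it shows the chain IP(50) > ESP(4) > IP(47) > GRE > IP for tunnel mode and IP(50) > ESP(47) > GRE > IP for transport mode. Transport mode removes exactly one 20-byte IP header from the ESP plaintext, but the saving visible on the wire depends on how the block padding falls (24 bytes for this sample packet), so measure the real overhead before setting the tunnel's IP MTU rather than assuming a fixed number.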
Old-style configuration (crypto map):
Bring up the tunnel:
R2(config)#interface tunnel 23
R2(config-if)#ip address 23.1.1.2 255.255.255.0 <=== tunnel interface address
R2(config-if)#tunnel source 12.1.1.2
R2(config-if)#tunnel destination 13.1.1.3
--------------------------------------------
R3(config)#interface tunnel 23
R3(config-if)#ip address 23.1.1.3 255.255.255.0
R3(config-if)#tunnel source 13.1.1.3
R3(config-if)#tunnel destination 12.1.1.2
Route advertisement:
R2(config-if)#router eigrp 90 <=== do not advertise the Internet-facing interface
R2(config-router)#no auto-summary
R2(config-router)#network 100.2.2.0 0.0.0.255 <=== advertise the internal network
R2(config-router)#network 23.1.1.0 0.0.0.255 <=== advertise the tunnel address
-----------------------------------------------
R3(config-if)#router eigrp 90
R3(config-router)#no auto-summary
R3(config-router)#network 100.3.3.0 0.0.0.255
R3(config-router)#network 23.1.1.0 0.0.0.255
IKE Phase I Policy:
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash md5
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 2
R2(config)#crypto isakmp key 0 wolf address 13.1.1.3 <=== use the peer's physical interface address
-----------------------------------------------------
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#hash md5
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#group 2
R3(config)#crypto isakmp key 0 wolf address 12.1.1.2
IPSec Phase II Policy:
R2(config)#crypto ipsec transform-set cisco esp-des esp-sha-hmac
mode:
R2(cfg-crypto-trans)#mode tunnel <=== use "tunnel" mode
or: R2(cfg-crypto-trans)#mode transport <=== use "transport" mode. (Usable only in the special case where "peer source, peer destination" equals "GRE source address, GRE destination address", and only on 25-series routers)
R2(config)#ip access-list extended gre
R2(config-ext-nacl)#permit gre any any <=== the match can be made more specific ("any any" can be replaced by the GRE source and destination addresses)
R2(config)#crypto map huawei 10 ipsec-isakmp
R2(config-crypto-map)#set peer 13.1.1.3 <=== use the physical interface address
R2(config-crypto-map)#set transform-set cisco
R2(config-crypto-map)#set pfs
R2(config-crypto-map)#match address gre
-----------------------------------------------
R3(config)#crypto ipsec transform-set cisco esp-des esp-sha-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(config)#ip access-list extended gre
R3(config-ext-nacl)#permit gre any any <=== the match can be made more specific
R3(config)#crypto map huawei 10 ipsec-isakmp
R3(config-crypto-map)#set peer 12.1.1.2
R3(config-crypto-map)#set transform-set cisco
R3(config-crypto-map)#set pfs
R3(config-crypto-map)#match address gre
Apply VPN Configuration
R2(config)#interface ethernet 0/0
R2(config-if)#crypto map huawei
------------------------------------
R3(config)#interface ethernet 0/0
R3(config-if)#crypto map huawei
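The page lists the R2 and R3 sides separately, and most GRE-over-IPsec failures come from the two sides disagreeing: tunnel endpoints not mirrored, the pre-shared key or set peer bound to the tunnel address instead of the public address, the crypto map applied to the tunnel interface, or a phase 1 policy or transform set that differs. The following Python checker is an added example, not part of the page and not a Cisco tool; it parses the crypto-map-style configuration above, rewritten as running-config text with the page's addresses, names and key, and reports such mismatches. The parser understands only the commands used on this page, and the LEGACY set reflects Cisco's current classification of DES, 3DES, MD5 and DH group 2 as legacy algorithms that IOS still accepts.

```python
"""Cross-check the two sides of a GRE-over-IPsec (crypto map style) config; R2_CONFIG carries the page's R2 commands."""
R2_CONFIG = """
interface Tunnel23
 ip address 23.1.1.2 255.255.255.0
 tunnel source 12.1.1.2
 tunnel destination 13.1.1.3
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key 0 wolf address 13.1.1.3
crypto ipsec transform-set cisco esp-des esp-sha-hmac
 mode tunnel
ip access-list extended gre
 permit gre any any
crypto map huawei 10 ipsec-isakmp
 set peer 13.1.1.3
 set transform-set cisco
 set pfs
 match address gre
interface Ethernet0/0
 crypto map huawei
"""
# R3 is the mirror image: its own tunnel address, and the two public addresses swapped.
R3_CONFIG = (R2_CONFIG.replace("23.1.1.2", "23.1.1.3").replace("12.1.1.2", "SWAP")
             .replace("13.1.1.3", "12.1.1.2").replace("SWAP", "13.1.1.3"))
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # accepted by IOS, no longer recommended


def parse(name, text):
    """Reduce the IOS subset used on the page to a dict, one configuration section at a time."""
    cfg = {"name": name, "tunnel": {}, "policies": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}, "applied": {}}
    kind = key = ""
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if not line.startswith(" "):                       # a top-level command opens a section
            kind, key = "", ""
            if w[0] == "interface":
                kind, key = ("tunnel" if w[1].lower().startswith("tunnel") else "iface"), w[1]
            elif w[:3] == ["crypto", "isakmp", "policy"]:
                kind, key = "policy", w[3]; cfg["policies"][key] = {}
            elif w[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key 0 <secret> address <peer>
                cfg["keys"][w[-1]] = w[4]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                kind, key = "tset", w[3]; cfg["tsets"][key] = {"algs": tuple(w[4:]), "mode": "tunnel"}
            elif w[:3] == ["ip", "access-list", "extended"]:
                kind, key = "acl", w[3]; cfg["acls"][key] = []
            elif w[:2] == ["crypto", "map"]:
                kind, key = "map", w[2]; cfg["maps"].setdefault(key, {})
        elif kind == "tunnel":   # "ip address a m" -> address "a/m"; "tunnel source x" -> source "x"
            cfg["tunnel"]["address" if w[0] == "ip" else w[1]] = "/".join(w[2:])
        elif kind == "policy":
            cfg["policies"][key][w[0]] = w[1]
        elif kind == "tset" and w[0] == "mode":
            cfg["tsets"][key]["mode"] = w[1]
        elif kind == "acl":
            cfg["acls"][key].append(w)
        elif kind == "map":                                 # "set peer" -> address, "match address" -> ACL name
            cfg["maps"][key][" ".join(w[:-1])] = w[-1]
        elif kind == "iface" and w[:2] == ["crypto", "map"]:
            cfg["applied"][w[2]] = key
    return cfg


def used_tsets(cfg):  # (algorithms, mode) of every transform-set that a crypto map references
    return sorted((cfg["tsets"][n]["algs"], cfg["tsets"][n]["mode"])
                  for n in (m.get("set transform-set") for m in cfg["maps"].values()) if n in cfg["tsets"])


def check_pair(a, b):
    """Return (errors, warnings): errors keep the tunnel from coming up, warnings flag legacy crypto."""
    errors, warnings = [], []
    for me, peer in ((a, b), (b, a)):
        t, pt, who = me["tunnel"], peer["tunnel"], me["name"]
        peer_public = pt["source"]                          # the other side's physical address
        checks = [
            (t["destination"] == peer_public, f"tunnel destination must be {peer['name']}'s tunnel source {peer_public}"),
            # GRE over IPsec: the IKE key and the crypto-map peer use the PUBLIC address, not the tunnel address
            (me["keys"].get(peer_public) is not None and me["keys"][peer_public] == peer["keys"].get(t["source"]),
             f"pre-shared key for {peer_public} is missing or differs from {peer['name']}'s"),
        ]
        for name, m in me["maps"].items():
            acl = me["acls"].get(m.get("match address"), [])
            checks += [
                (m.get("set peer") == peer_public, f"crypto map {name}: set peer must be {peer_public}"),
                (any(e[:2] == ["permit", "gre"] for e in acl), f"crypto map {name}: match ACL must select GRE"),
                (name in me["applied"] and not me["applied"][name].lower().startswith("tunnel"),
                 f"crypto map {name}: apply it on the public egress interface, not on the tunnel"),
            ]
        errors += [f"{who}: {msg}" for ok, msg in checks if not ok]
        warnings += [f"{who}: IKE policy uses legacy {k} {v}" for pol in me["policies"].values()
                     for k, v in pol.items() if v in LEGACY or (k, v) == ("group", "2")]
        warnings += [f"{who}: transform-set {n} uses legacy {alg}" for n, ts in me["tsets"].items()
                     for alg in ts["algs"] if alg in LEGACY]
    if not any(pa == pb for pa in a["policies"].values() for pb in b["policies"].values()):
        errors.append("no IKE phase 1 policy is identical on both sides")
    if used_tsets(a) != used_tsets(b):
        errors.append("transform-set algorithms or mode differ between the two sides")
    return errors, warnings


def audit(r2_text=R2_CONFIG, r3_text=R3_CONFIG):  # parse both sides and cross-check them
    return check_pair(parse("R2", r2_text), parse("R3", r3_text))
```

Calling audit() on the page's two configurations returns no errors and eight legacy-crypto warnings (md5, 3des, group 2 and esp-des on each side); feeding it an R3 whose set peer points at the 23.1.1.x tunnel address, or an R2 whose crypto map sits on the tunnel interface, produces one error each, which are exactly the two GRE-over-IPsec versus IPsec-over-GRE confusions the table at the top of the page is about.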
New-style configuration (IPsec profile): no interesting-traffic ACL, no crypto map and no set peer are needed
... <=== Same as before
IPSec Phase II Policy:
R2(config)#crypto ipsec transform-set cisco esp-des esp-sha-hmac
R2(config)#crypto ipsec profile GREPRO <=== supported only on 26-series and later routers
R2(ipsec-profile)#set transform-set cisco
Apply VPN Configuration
R2(config)#interface tunnel 23
R2(config-if)#tunnel protection ipsec profile GREPRO
R2#show crypto ipsec sa <=== shows that the SA was negotiated in "transport" mode