CCNP (ISCW) experiment: configure GRE OVER IPSEC with SDM ***

Experiment procedure:

GRE over IPsec ***: used for secure connections between one company site and another. It also allows dynamic routing protocol updates to be carried inside the *** tunnel.

Step 1: Configure each router so that the routers can reach each other and SDM can log in to them

The point to pay attention to is that the HTTP server must be configured.
R1(config)#ip route 0.0.0.0 0.0.0.0 e0/0
R3(config)#ip route 0.0.0.0 0.0.0.0 e2/0

R3(config)#ip http server
R3(config)#ip http authentication local
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config)#username admin privilege 15 secret admin
//R1 is configured the same way

Step 2: Use the SDM software to log in to the router and configure it

The next screen offers a backup GRE tunnel. We do not select it and go straight to the next step.

On the following screen, keep the defaults and go to the next step.


On the following screen, again keep the defaults and go to the next step.

The following screen configures the routing protocol that runs across the tunnel. It has nothing to do with the interface addresses on the R1-R2 and R2-R3 links.


The following screen delivers the configuration to the router.


//We did not configure static routing above, so when the test is run it reports that the routing check failed. This is normal.
//The tunnel test fails because the peer has not been configured yet

The next screen shows the configuration result on R3. Routing has been configured and the tunnel is also configured on R1, so the tunnel is shown as up.


The R3 configuration is the same as above.

Step 3: Test
Check the access list here. Note that the gre in this list could also be ip.
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 23.0.0.3 host 12.0.0.1
The tunnel built with SDM is encapsulated as follows.
Transport mode is as follows:
The packets are not the same when they are encapsulated.

Step 4: Manually change the mode
R1(config)#crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
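
The difference between the two encapsulations in Steps 3 and 4, as an added example that is not part of the original post: it computes the on-wire layout of one GRE packet under ESP tunnel mode and under ESP transport mode for the esp-3des esp-sha-hmac transform set. It assumes IPv4 headers without options, a basic 4-byte GRE header and no NAT traversal; the function names and sample packet sizes are constructed for illustration.

```python
# Added example: byte layout of one GRE-over-IPsec packet in ESP tunnel mode
# versus ESP transport mode, for the esp-3des esp-sha-hmac transform set.
# Assumptions: IPv4 headers without options, basic 4-byte GRE header (no key,
# checksum or sequence number), no NAT-T/UDP encapsulation.

IP_HDR = 20          # IPv4 header, no options
GRE_HDR = 4          # basic GRE header
ESP_HDR = 8          # SPI (4) + sequence number (4)
IV_3DES = 8          # 3DES-CBC initialisation vector
BLOCK_3DES = 8       # 3DES block size; the encrypted part is padded to a multiple
ESP_TRAILER = 2      # pad-length byte + next-header byte
ICV_SHA1_96 = 12     # HMAC-SHA1 truncated to 96 bits


def esp_layout(mode, inner_len):
    """Return [(field, bytes), ...] for an inner IP packet of inner_len bytes."""
    gre = [("GRE header", GRE_HDR), ("inner IP packet", inner_len)]
    if mode == "tunnel":
        # The whole GRE delivery packet is encrypted behind a new outer IP header.
        clear = [("outer IP header (IPsec)", IP_HDR)]
        protected = [("GRE delivery IP header", IP_HDR)] + gre
    elif mode == "transport":
        # The GRE delivery IP header stays in clear and also carries the ESP packet.
        clear = [("GRE delivery IP header", IP_HDR)]
        protected = gre
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    plain = sum(n for _, n in protected) + ESP_TRAILER
    pad = -plain % BLOCK_3DES          # bytes needed to reach the next block boundary
    return (clear + [("ESP header", ESP_HDR), ("3DES IV", IV_3DES)] + protected
            + [("ESP padding", pad), ("ESP trailer", ESP_TRAILER),
               ("ESP ICV", ICV_SHA1_96)])


def wire_size(mode, inner_len):
    """Total bytes on the wire for one packet in the given mode."""
    return sum(n for _, n in esp_layout(mode, inner_len))


if __name__ == "__main__":
    for size in (84, 100, 1400):       # constructed sample inner packet sizes
        t, x = wire_size("tunnel", size), wire_size("transport", size)
        print(f"inner {size:4d} B  tunnel {t:4d} B  transport {x:4d} B  saved {t - x} B")
    for field, n in esp_layout("transport", 84):
        print(f"  {n:4d}  {field}")
```

Transport mode drops the extra 20-byte outer IP header, but because of block padding the saving per packet comes out as 16 or 24 bytes rather than exactly 20.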

Step 5: Test once more
R1#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
6 Ethernet0/0 12.0.0.1 set HMAC_SHA+3DES_56_C 0 0
2000 Ethernet0/0 12.0.0.1 set HMAC_SHA+3DES_56_C 0 168
2001 Ethernet0/0 12.0.0.1 set HMAC_SHA+3DES_56_C 167 0

R1#sh cry en conn active

ID Interface IP-Address State Algorithm Encrypt Decrypt
6 Ethernet0/0 12.0.0.1 set HMAC_SHA+3DES_56_C 0 0
2000 Ethernet0/0 12.0.0.1 set HMAC_SHA+3DES_56_C 0 180
Ethernet0/0 12.0.0.1 set HMAC_SHA+3DES_56_C 177 0
//With GRE over IPsec *** configured through SDM, the encrypted packet counters keep increasing, because the OSPF packets are encrypted as well.

THE END


Origin blog.51cto.com/starshomes/2591605