Posted on 2007-5-27 23:00:21
Topology: R1-->R3-->R2
R1 and R2 run GRE and IPsec; R3 has no tunnel or crypto configuration and stands in for the public network.
Routing configuration:
####R1
R1(config)#int s1/2
R1(config-if)#ip add 69.1.10.10 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shu
R1(config-if)#exit
R1(config)#int loopback 0
R1(config-if)#ip add 10.10.10.1 255.255.255.0
R1(config-if)#no shu
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#ver 2
R1(config-router)#no auto
R1(config-router)#net 69.1.10.0
R1(config-router)#net 10.10.10.0
####R2
R2(config)#int s1/2
R2(config-if)#ip add 69.1.20.20 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shu
R2(config-if)#int loopback 0
R2(config-if)#ip add 10.10.20.1 255.255.255.0
R2(config-if)#no shu
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#ver 2
R2(config-router)#no auto
R2(config-router)#net 69.1.20.0
R2(config-router)#net 10.10.20.0
####R3
R3(config)#int s1/0
R3(config-if)#ip add 69.1.10.11 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shu
R3(config-if)#exit
R3(config)#int loopback 0
R3(config-if)#ip add 10.10.30.1 255.255.255.0
R3(config-if)#exit
R3(config)#int s1/1
R3(config-if)#ip add 69.1.20.22 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shu
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#ver 2
R3(config-router)#no auto
R3(config-router)#net 69.1.10.0
R3(config-router)#net 69.1.20.0
R3(config-router)#net 10.10.30.0
GRE and IPsec configuration:
####R1
R1(config)#int tunnel 0
R1(config-if)#ip add 12.12.12.1 255.255.255.0
R1(config-if)#tunnel source 69.1.10.10
R1(config-if)#tunnel desti 69.1.20.20
R1(config-if)#ip mtu 1400
R1(config-if)#no shu
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#ver 2
R1(config-router)#no auto
R1(config-router)#net 12.12.12.0
R1(config-router)#exit
R1(config)#crypto isakmp ena
R1(config)#crypto isakmp policy 100
R1(config-isakmp)#authen pre-share
R1(config-isakmp)#encry 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#lifetime 72000
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco1234 address 69.1.20.20
R1(config)#crypto ipsec transform-set mine esp-3des
R1(cfg-crypto-trans)#mode tran
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec secu life sec 72000
R1(config)#crypto map Map1 10 ipsec-isakmp
R1(config-crypto-map)#set peer 69.1.20.20
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set secu life sec 72000
R1(config-crypto-map)#set transform-set mine
R1(config-crypto-map)#exit
R1(config)#int s1/2
R1(config-if)#crypto map Map1
R1(config-if)#exit
R1(config)#access-list 101 per gre host 69.1.10.10 host 69.1.20.20
####R2
R2(config)#int tunnel 0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#no shu
R2(config-if)#ip mtu 1400
R2(config-if)#tunnel source 69.1.20.20
R2(config-if)#tunnel desti 69.1.10.10
R2(config-if)#router rip
R2(config-router)#ver 2
R2(config-router)#no auto
R2(config-router)#net 12.12.12.0
R2(config-router)#exit
R2(config)#crypto isakmp ena
R2(config)#crypto isakmp poli 100
R2(config-isakmp)#authen pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 72000
R2(config)#crypto isakmp key cisco1234 address 69.1.10.10
R2(config)#crypto ipsec transform-set mine esp-3des
R2(cfg-crypto-trans)#mode tran
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec secu life sec 72000
R2(config)#crypto map Map1 10 ipsec-isakmp
R2(config-crypto-map)#set peer 69.1.10.10
R2(config-crypto-map)#match address 102
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set secu life sec 72000
R2(config-crypto-map)#set transform-set mine
R2(config-crypto-map)#exit
R2(config)#int s1/2
R2(config-if)#crypto map Map1
R2(config-if)#exit
R2(config)#access-list 102 per gre host 69.1.20.20 host 69.1.10.10
============================================
R3#sh run
Building configuration...
Current configuration : 1095 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.30.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 69.1.10.11 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial1/1
ip address 69.1.20.22 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
router rip
version 2
network 10.0.0.0
network 69.0.0.0
no auto-summary
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
R3#
==================================
R2#sh run
Building configuration...
Current configuration : 1667 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 72000
crypto isakmp key cisco1234 address 69.1.10.10
!
crypto ipsec security-association lifetime seconds 72000
!
crypto ipsec transform-set mine esp-3des
mode transport
!
crypto map Map1 10 ipsec-isakmp
set peer 69.1.10.10
set transform-set mine
set pfs group2
match address 102
!
!
!
!
!
interface Loopback0
ip address 10.10.20.1 255.255.255.0
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
ip mtu 1400
tunnel source 69.1.20.20
tunnel destination 69.1.10.10
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 69.1.20.20 255.255.255.0
serial restart-delay 0
clock rate 64000
crypto map Map1
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
router rip
version 2
network 10.0.0.0
network 12.0.0.0
network 69.0.0.0
no auto-summary
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 102 permit gre host 69.1.20.20 host 69.1.10.10
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
R2#
================================
Check R1:
R1#sh crypto ipsec sa
interface: Serial1/2
Crypto map tag: Map1, local addr 69.1.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (69.1.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (69.1.20.20/255.255.255.255/47/0)
current_peer 69.1.20.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 27, #recv errors 0
local crypto endpt.: 69.1.10.10, remote crypto endpt.: 69.1.20.20
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
current outbound spi: 0x6DC3D8CE(1841551566)
inbound esp sas:
spi: 0xAC3E1D94(2889751956)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: Map1
sa timing: remaining key lifetime (k/sec): (4516065/71395)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6DC3D8CE(1841551566)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: Map1
sa timing: remaining key lifetime (k/sec): (4516069/71393)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
R1#ping 10.10
*May 27 22:34:25.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.10.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
.
*May 27 22:34:54.687: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*May 27 22:34:55.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down....
Success rate is 0 percent (0/5)
R1#
*May 27 22:35:55.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1#ping 10.10.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
R1#
R1#
R1#
*May 27 22:36:24.687: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*May 27 22:36:25.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1#
R1#ping 10.10.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/55/108 ms
R1#ping 10.10.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/88 ms
R1#ping 10.10.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/71/96 ms
R1#
R1#
============================================
Check R2:
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
69.1.20.20 69.1.10.10 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#show crypto ipsec sa
interface: Serial1/2
Crypto map tag: Map1, local addr 69.1.20.20
protected vrf: (none)
local ident (addr/mask/prot/port): (69.1.20.20/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (69.1.10.10/255.255.255.255/47/0)
current_peer 69.1.10.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 69.1.20.20, remote crypto endpt.: 69.1.10.10
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
current outbound spi: 0xAC3E1D94(2889751956)
inbound esp sas:
spi: 0x6DC3D8CE(1841551566)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: Map1
sa timing: remaining key lifetime (k/sec): (4452443/71495)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAC3E1D94(2889751956)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: Map1
sa timing: remaining key lifetime (k/sec): (4452439/71492)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#
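An added example (not part of the original post) that parses `show crypto ipsec sa` output like the R1 and R2 checks above and reports what a reviewer would flag: SA status, anti-replay, ESP without an integrity transform, retired algorithms such as 3DES, and the send-error counter. The sample text is a constructed, abridged copy of the R1 output shown on this page; the `WEAK` list and the finding wording are this example's own choices.

```python
import re

# Constructed sample, abridged from the R1 "show crypto ipsec sa" output in this post.
SAMPLE_R1 = """\
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#send errors 27, #recv errors 0
inbound esp sas:
spi: 0xAC3E1D94(2889751956)
transform: esp-3des ,
replay detection support: N
Status: ACTIVE
outbound esp sas:
spi: 0x6DC3D8CE(1841551566)
transform: esp-3des ,
replay detection support: N
Status: ACTIVE
"""

WEAK = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")  # transforms to retire


def parse_ipsec_sa(text):
    """Counters plus one record per ESP SA, fields named as in the show output."""
    out, direction, cur = {"encaps": 0, "decaps": 0, "errors": 0, "sas": []}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"#(pkts encaps|pkts decaps|send errors):? (\d+)", line):
            out[m.group(1).split()[-1]] = int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None  # track ESP only
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            cur = {"dir": direction, "spi": m.group(1)}
            out["sas"].append(cur)
        elif cur and (m := re.match(r"(transform|replay detection support|Status): (.+?)\s*,?$", line)):
            cur[m.group(1)] = m.group(2)
    return out


def audit(parsed):
    """Findings a reviewer would raise about the SA pair; an empty list means clean."""
    findings = []
    for sa in parsed["sas"]:
        transforms = sa.get("transform", "").split()
        checks = [
            (sa.get("Status") != "ACTIVE", f"status {sa.get('Status')}"),
            (sa.get("replay detection support") != "Y", "anti-replay disabled"),
            (not any("hmac" in t for t in transforms), "ESP without an integrity transform"),
            (any(t in WEAK for t in transforms), "weak transform " + " ".join(transforms)),
        ]
        findings += [f"{sa['dir']} SA {sa['spi']}: {msg}" for bad, msg in checks if bad]
    if parsed["errors"]:
        findings.append(f"{parsed['errors']} send errors: check routing to the peer")
    return findings
```

On the R1 output above this reports seven findings; the send errors and the %TUN-5-RECURDOWN messages in the ping session point the same way, a route to the tunnel destination that was itself being learned through Tunnel0.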
======================================
[ This post was last edited by rocisky on 2007-5-27 23:03 ]