Generic Routing Encapsulation (GRE)

GRE overview

Generic Routing Encapsulation (GRE) encapsulates the packets of one network-layer protocol (the page lists IPX, ATM, IPv6, AppleTalk and so on) so that they can be carried across another network-layer protocol such as IPv4. That is its main difference from IPsec, which can only encapsulate IP packets. GRE is IP protocol 47 and puts a 4-byte header (plus optional checksum, key and sequence-number fields) in front of the inner packet. It provides no confidentiality, integrity or authentication of its own: the optional checksum is a plain Internet checksum that anyone on the path can recompute, so a GRE tunnel crossing an untrusted network is normally protected with IPsec, which is what the configuration below does.

GRE encapsulation format
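
The header layout as an added, runnable example in Python; this is not code from the original page. It builds a GRE header per RFC 2784/2890 (optional checksum, key and sequence number), wraps it in an outer IPv4 header with protocol 47, and parses it back, checking only what GRE can check (the checksum). The inner packet, the key value 0x1234 and the 172.16.12.x inner addresses are constructed sample data; 10.1.14.1 and 10.1.24.2 are the outer addresses of the page's tunnel.

```python
"""GRE (RFC 2784 / RFC 2890) encapsulation, built and parsed by hand.

Added example; not code from the original page. The inner packet, key
and inner addresses are constructed sample data.
"""
import socket
import struct

GRE_IP_PROTO = 47          # GRE rides directly over IP as protocol 47
# GRE "protocol type" values are EtherTypes; the ones the page mentions:
ETH_P_IPV4, ETH_P_IPV6, ETH_P_IPX, ETH_P_APPLETALK = 0x0800, 0x86DD, 0x8137, 0x809B

FLAG_C = 0x8000    # checksum present (RFC 2784)
FLAG_K = 0x2000    # key present      (RFC 2890)
FLAG_S = 0x1000    # sequence present (RFC 2890)
VER_MASK = 0x0007  # version must be 0 for RFC 2784 GRE


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid datagram."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encap(payload: bytes, proto: int, *, checksum=False, key=None, seq=None) -> bytes:
    """Prepend a GRE header. Optional field order per RFC 2890: checksum, key, sequence."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) \
        | (FLAG_S if seq is not None else 0)
    opts = b""
    if key is not None:
        opts += struct.pack("!I", key)
    if seq is not None:
        opts += struct.pack("!I", seq)
    base = struct.pack("!HH", flags, proto)
    if not checksum:
        return base + opts + payload
    # The checksum covers header, options and payload with the field itself zeroed.
    csum = inet_checksum(base + struct.pack("!HH", 0, 0) + opts + payload)
    return base + struct.pack("!HH", csum, 0) + opts + payload


def gre_decap(pkt: bytes) -> dict:
    """Parse a GRE packet. Only the optional checksum can be verified: GRE has no
    authentication, so a forged packet with a fresh checksum parses just as well.
    That gap is what the IPsec profile later on the page closes."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & VER_MASK:
        raise ValueError("unsupported GRE version %d" % (flags & VER_MASK))
    off, info = 4, {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & FLAG_C:
        info["checksum_ok"] = inet_checksum(pkt) == 0  # sum over the whole packet
        off += 4
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    info["payload"] = pkt[off:]
    return info


def ipv4_encap(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def tunnel_packet(inner: bytes, src="10.1.14.1", dst="10.1.24.2", **gre_opts) -> bytes:
    """Outer IPv4 (tunnel source/destination) + GRE + inner packet, i.e. what the
    router sends out of the tunnel source interface."""
    return ipv4_encap(src, dst, GRE_IP_PROTO, gre_encap(inner, ETH_P_IPV4, **gre_opts))


def demo() -> dict:
    # Constructed inner packet: an IPv4 datagram between the overlay addresses.
    inner = ipv4_encap("172.16.12.1", "172.16.12.2", 1, b"\x08\x00\x00\x00constructed")
    outer = tunnel_packet(inner, checksum=True, key=0x1234)
    gre = outer[20:]
    parsed = gre_decap(gre)
    tampered = bytearray(gre)
    tampered[-1] ^= 0xFF                      # flip one payload byte in flight
    return {
        "outer_proto": outer[9],              # IP protocol field of the outer header
        "plain_overhead": len(tunnel_packet(inner)) - len(inner),  # 20 IP + 4 GRE
        "parsed": parsed,
        "payload_matches": parsed["payload"] == inner,
        "tampered_checksum_ok": gre_decap(bytes(tampered))["checksum_ok"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The 24-byte plain overhead is why an IOS GRE tunnel interface defaults to an MTU of 1476 on a 1500-byte link; the key field (RFC 2890) is what IOS sets with tunnel key, and it is a demultiplexing value, not a secret.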

GRE tunnel configuration

The tunnel interface gets an inner (overlay) address; the tunnel source is the physical interface whose address becomes the outer source (Ethernet0/0, 10.1.14.1 in the show output further down), and the tunnel destination is the peer's outer address. The only thing tying an incoming GRE packet to this tunnel is its outer source and destination addresses, which anyone can spoof, so by itself this configuration authenticates nothing.

interface Tunnel12
 ip address 172.16.12.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.1.24.2

IPsec over GRE configuration

The page calls this IPsec over GRE; in Cisco's terminology it is GRE over IPsec: tunnel protection binds an IPsec profile to the tunnel interface so that the GRE packets themselves (IP protocol 47) are the traffic the IPsec SAs protect, as the show crypto ipsec sa output further down confirms (local and remote ident end in /47/0).

Step 1: IKE Phase 1 (ISAKMP policy)

A lab policy: AES for the ISAKMP SA (128-bit, the default when no key size is given), MD5 as the hash, pre-shared-key authentication, Diffie-Hellman group 2 (1024-bit MODP) and a 30000-second SA lifetime. MD5 and group 2 are both deprecated; outside a lab use hash sha256 and group 14 or higher, which this IOS release supports (the transform list under Step 2 shows SHA-256/384/512 and GCM are available).
R1(config)#crypto isakmp policy 1
R1(config-isakmp)# encr aes
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 30000
R1(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults
Step 2: IKE Phase 2 (IPsec transform set)

Transform set TS combines AH with HMAC-SHA-1 and ESP with 3DES, so integrity comes from AH and confidentiality from ESP, while the ESP SA itself carries no authentication. Two caveats: AH also authenticates the outer IP header, so it cannot cross NAT, and 3DES has a 64-bit block size. A single ESP transform such as esp-gcm 256 (or esp-aes 256 with esp-sha256-hmac) gives both properties and works through NAT. Tunnel mode is used here; on a GRE tunnel, transport mode works as well and saves the 20 bytes of the extra IP header, since GRE already supplies an outer header.

R1(config)#crypto ipsec transform-set TS ah-sha-hmac esp-3des
R1(cfg-crypto-trans)# mode tunnel
R1(config)#crypto ipsec transform-set TS ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
Step 3: configure the pre-shared key

The keyword after key says how the string is stored: 0 is a plaintext key, 6 is a type-6 (AES-encrypted) keystring, which requires a master key configured with key config-key password-encrypt and password encryption aes. The page uses the same four-character key for both peers (10.1.24.2 and 10.1.34.3); a pre-shared key should be long, random and unique per peer, since anyone who obtains it can impersonate either end of that tunnel.

R1(config)#crypto isakmp key 6 ccie address 10.1.24.2
R1(config)#crypto isakmp key 6 ccie address 10.1.34.3
Step 4: configure the IPsec profile and apply it on the tunnel interface

The profile references the transform set; no set pfs is configured, so Phase 2 keys are derived from the Phase 1 SA without a fresh Diffie-Hellman exchange (PFS (Y/N): N in the output below), and a compromise of the IKE SA keys exposes every IPsec SA under it. Applying tunnel protection on Tunnel12 is what turns the plain GRE tunnel into a protected one. The output below also shows a second tunnel, Tunnel13 towards 10.1.34.3, configured the same way (its commands are not on the page).

R1(config)#crypto ipsec profile PF
R1(ipsec-profile)# set transform-set TS
R1(ipsec-profile)#int tu12
R1(config-if)#tunnel protection ipsec profile PF
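
The weak choices in Steps 1 to 4 are easy to miss in a running config. As an added example, not code from the original page, the script below re-types the page's crypto commands as a constructed sample, parses them the way they appear in show running-config, and flags MD5, DH group 2, 3DES, the short reused pre-shared key, ESP without its own integrity check, AH's NAT problem, tunnel mode on a GRE tunnel and the missing PFS. The HARDENED_CONFIG block is my suggested replacement using transforms the page's "?" output shows this platform supports; its key string is a constructed sample, and the rule thresholds (16-character minimum, group 14 or higher) are my choices.

```python
"""Audit a Cisco IOS IKEv1/IPsec configuration for weak choices.

Added example; not code from the original page. SAMPLE_CONFIG re-types the
page's commands as they appear in a running config; HARDENED_CONFIG is a
suggested replacement whose key string is a constructed sample.
"""
import re
from collections import defaultdict

WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}                 # 768/1024/1536-bit MODP groups
WEAK_CIPHER = {"des", "3des"}             # 64-bit block ciphers
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-seal",
                   "esp-md5-hmac", "ah-md5-hmac"}
ESP_CIPHERS = {"esp-aes", "esp-gcm", "esp-3des", "esp-des", "esp-null", "esp-seal"}
ESP_INTEGRITY = {"esp-gcm", "esp-gmac", "esp-sha-hmac", "esp-sha256-hmac",
                 "esp-sha384-hmac", "esp-sha512-hmac", "esp-md5-hmac"}
KEY_RE = re.compile(r"crypto isakmp key (?:([067]) )?(\S+) (?:address|hostname) (\S+)")

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key 6 ccie address 10.1.24.2
crypto isakmp key 6 ccie address 10.1.34.3
crypto ipsec transform-set TS ah-sha-hmac esp-3des
 mode tunnel
crypto ipsec profile PF
 set transform-set TS
interface Tunnel12
 tunnel source Ethernet0/0
 tunnel destination 10.1.24.2
 tunnel protection ipsec profile PF
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Qv7#pLm2!zR8wTe4$bN6^hJ1 address 10.1.24.2
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode transport
crypto ipsec profile PF
 set transform-set TS-GCM
 set pfs group14
interface Tunnel12
 tunnel protection ipsec profile PF
"""


def parse_blocks(config):
    """Split IOS config into (command, [indented sub-commands]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit(config):
    """Return a list of (severity, rule_id, message) findings."""
    findings, psks = [], []
    for cmd, body in parse_blocks(config):
        w = cmd.split()
        opts = {s.split()[0]: s.split()[1:] for s in body}
        if cmd.startswith("crypto isakmp policy"):
            pol = w[3]
            # IOS IKEv1 policy defaults when a line is absent: des, sha, group 1
            h = opts.get("hash", ["sha"])[0]
            g = opts.get("group", ["1"])[0]
            enc = opts.get("encr", opts.get("encryption", ["des"]))
            if h in WEAK_HASH:
                findings.append(("HIGH", "IKE_WEAK_HASH", f"policy {pol}: hash {h}; use sha256"))
            if g in WEAK_DH:
                findings.append(("HIGH", "IKE_WEAK_DH", f"policy {pol}: DH group {g}; use 14 or higher"))
            if enc[0] in WEAK_CIPHER:
                findings.append(("HIGH", "IKE_WEAK_CIPHER", f"policy {pol}: encryption {enc[0]}"))
            elif enc[0] == "aes" and len(enc) == 1:
                findings.append(("INFO", "IKE_AES_128", f"policy {pol}: 'encr aes' is AES-128"))
        elif cmd.startswith("crypto isakmp key"):
            m = KEY_RE.match(cmd)
            if m:
                ktype, secret, peer = m.groups()
                psks.append((secret, peer))
                # Meaningful for plaintext (type 0) keys; a real type-6 blob is far longer.
                if len(secret) < 16:
                    findings.append(("HIGH", "PSK_SHORT", f"peer {peer}: key is {len(secret)} chars"))
        elif cmd.startswith("crypto ipsec transform-set"):
            name = w[3]
            ts = {t for t in w[4:] if t.startswith(("esp-", "ah-", "comp-"))}
            for t in sorted(ts & WEAK_TRANSFORMS):
                findings.append(("HIGH", "TS_WEAK_TRANSFORM", f"transform-set {name}: {t}"))
            if ts & ESP_CIPHERS and not ts & ESP_INTEGRITY:
                findings.append(("MEDIUM", "ESP_NO_AUTH", f"transform-set {name}: ESP has no integrity check"))
            if any(t.startswith("ah-") for t in ts):
                findings.append(("INFO", "AH_NO_NAT", f"transform-set {name}: AH cannot traverse NAT"))
            if "mode tunnel" in body or "mode" not in opts:   # tunnel is the default mode
                findings.append(("INFO", "MODE_TUNNEL", f"transform-set {name}: transport mode saves 20 bytes on GRE"))
        elif cmd.startswith("crypto ipsec profile"):
            if not any(s.startswith("set pfs") for s in body):
                findings.append(("MEDIUM", "NO_PFS", f"profile {w[3]}: PFS not enabled"))
        elif cmd.startswith("interface Tunnel"):
            if not any(s.startswith("tunnel protection") for s in body):
                findings.append(("HIGH", "TUNNEL_UNPROTECTED", f"{w[1]}: GRE tunnel without IPsec"))
    by_secret = defaultdict(list)
    for secret, peer in psks:
        by_secret[secret].append(peer)
    for peers in by_secret.values():
        if len(peers) > 1:
            findings.append(("MEDIUM", "PSK_REUSED", "same pre-shared key for " + ", ".join(peers)))
    return findings


if __name__ == "__main__":
    for sev, rule, msg in audit(SAMPLE_CONFIG):
        print(f"{sev:6} {rule:18} {msg}")
    print("hardened:", audit(HARDENED_CONFIG) or "no findings")
```

Run against SAMPLE_CONFIG it reports ten findings; against HARDENED_CONFIG none. The rules treat an absent hash, group or encryption line as the IOS default (SHA-1, group 1, DES), which is how a policy that merely omits a line ends up weaker than it looks.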
Verification. Phase 1 first: an ISAKMP SA in state QM_IDLE is established and idle. R1 has two peers, 10.1.24.2 and 10.1.34.3; the two entries for 10.1.34.3 with src and dst swapped are two ISAKMP SAs initiated from opposite sides.

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.14.1       10.1.34.3       QM_IDLE           1001 ACTIVE
10.1.24.2       10.1.14.1       QM_IDLE           1006 ACTIVE
10.1.34.3       10.1.14.1       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

Phase 2 next. The local and remote idents are the tunnel endpoints with protocol 47, so the IPsec SAs protect GRE itself. Each direction has an ESP SA (esp-3des) and an AH SA (ah-sha-hmac), replay detection is on and PFS is off. The plaintext mtu of 1438 is 1500 minus the tunnel-mode overhead of the outer IP header (20), AH with SHA-1 (24) and the ESP header, IV and trailer (8 + 8 + 2). The encaps/decaps counters are the quickest way to confirm traffic really takes the protected path.

R1#show crypto ipsec sa

interface: Tunnel13
    Crypto map tag: Tunnel13-head-0, local addr 10.1.14.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.14.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.34.3/255.255.255.255/47/0)
   current_peer 10.1.34.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1188, #pkts encrypt: 1188, #pkts digest: 1188
    #pkts decaps: 1189, #pkts decrypt: 1189, #pkts verify: 1189
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.14.1, remote crypto endpt.: 10.1.34.3
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x4940E097(1228988567)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFE32E1FF(4264747519)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: SW:13, sibling_flags 80004070, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4177267/1704)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
      spi: 0x56983F1B(1452818203)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: SW:13, sibling_flags 80004070, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4177267/1704)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7AB384DD(2058585309)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: SW:14, sibling_flags 80004070, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4177267/1704)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
      spi: 0x4940E097(1228988567)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: SW:14, sibling_flags 80004070, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4177267/1704)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound pcp sas:

interface: Tunnel12
    Crypto map tag: Tunnel12-head-0, local addr 10.1.14.1
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.14.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.24.2/255.255.255.255/47/0)
   current_peer 10.1.24.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
    #pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.14.1, remote crypto endpt.: 10.1.24.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x44BBFF5A(1153171290)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1659CBA9(374983593)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 17, flow_id: SW:17, sibling_flags 80000070, crypto map: Tunnel12-head-0
        sa timing: remaining key lifetime (k/sec): (4301490/2700)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
      spi: 0xC614FC02(3323264002)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 17, flow_id: SW:17, sibling_flags 80000070, crypto map: Tunnel12-head-0
        sa timing: remaining key lifetime (k/sec): (4301490/2700)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEB07616B(3943129451)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 18, flow_id: SW:18, sibling_flags 80000070, crypto map: Tunnel12-head-0
        sa timing: remaining key lifetime (k/sec): (4301490/2700)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
      spi: 0x44BBFF5A(1153171290)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18, flow_id: SW:18, sibling_flags 80000070, crypto map: Tunnel12-head-0
        sa timing: remaining key lifetime (k/sec): (4301490/2700)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound pcp sas:
End-to-end test through the tunnel, sourced from R1's 192.168.1.1; after it, the encaps counter for Tunnel12 above should have grown by five:

R1#ping 192.168.2.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/6 ms
           
