[网络安全]使用路由器构建GRE over IPsec VPN

来源：用户分享时间：2025/10/1 16:02:11 本文由

loading 分享下载这篇文档手机版

说明：文章内容仅供预览，部分内容可能不全，需要完整文档或者需要复制内容，请下载word后使用。下载word有问题请添加微信号:xxxxxxx或QQ：xxxxxx 处理（尽可能给您提供完整文档），感谢您的支持与谅解。

第十一步：配置 PC1 和 PC2

PC1 的 IP 地址为 192.168.1.2，网关为 192.168.1.1 PC2 的 IP 地址为 192.168.2.2，网关为 192.168.2.1

第十二步：验证测试在 PC1 上 Ping

PC2，可以 ping 通。

测试成功！GRE over IPsec VPN 隧道建立成功！

第十三步：验证测试

在 R1 与 R2 上验证 GRE 隧道状态及路由表信息，分别通过 tunnel 接口学习到对端局

域网的路由：

R1#show interface tunnel 1

Tunnel 1 is UP , line protocol is UP ！隧道状态为 UP Hardware is Tunnel

Interface address is: 10.1.1.1/24 MTU 1472 bytes, BW 9 Kbit

Encapsulation protocol is Tunnel, loopback not set Keepalive interval is 0 sec , no set Carrier delay is 0 sec RXload is 1 ,Txload is 1

Tunnel source 1.1.1.1 (FastEthernet 1/0), destination 2.2.2.1

Tunnel protocol/transport GRE/IP, key 0x12d687, sequencing disabled Checksumming of packets disabled Queueing strategy: WFQ 5 minutes input rate 13 bits/sec, 0 packets/sec

5 minutes output rate 13 bits/sec, 0 packets/sec 49 packets input, 2580 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort 70 packets output, 3756 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

R1#show ip route

Codes: C - connected, S - static, R - RIP O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 * - candidate default

Gateway of last resort is 1.1.1.2 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 1.1.1.2

C 1.1.1.0/30 is directly connected, FastEthernet 1/0 C 1.1.1.1/32 is local host.

C 10.1.1.0/24 is directly connected, Tunnel 1 C 10.1.1.1/32 is local host.

C 192.168.1.0/24 is directly connected, FastEthernet 1/1 C 192.168.1.1/32 is local host.

R 192.168.2.0/24 [120/1] via 10.1.1.2, 00:00:16, Tunnel 1

R2#show interface tunnel 1

Tunnel 1 is UP , line protocol is UP ！隧道状态为 UP Hardware is Tunnel

Interface address is: 10.1.1.2/24 MTU 1472 bytes, BW 9 Kbit

Encapsulation protocol is Tunnel, loopback not set Keepalive interval is 0 sec , no set Carrier delay is 0 sec RXload is 1 ,Txload is 1

Tunnel source 2.2.2.1 (FastEthernet 1/1), destination 1.1.1.1

Tunnel protocol/transport GRE/IP, key 0x12d687, sequencing disabled Checksumming of packets disabled Queueing strategy: WFQ 5 minutes input rate 11 bits/sec, 0 packets/sec 5 minutes output rate 11 bits/sec, 0 packets/sec 85 packets input, 4452 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort 65 packets output, 3496 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets

R2#show ip route

Codes: C - connected, S - static, R - RIP O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 * - candidate default

Gateway of last resort is 2.2.2.2 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 2.2.2.2

C 2.2.2.0/30 is directly connected, FastEthernet 1/1 C 2.2.2.1/32 is local host.

C 10.1.1.0/24 is directly connected, Tunnel 1 C 10.1.1.2/32 is local host.

R 192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:15, Tunnel 1 C 192.168.2.0/24 is directly connected, FastEthernet 1/0 C 192.168.2.1/32 is local host.

第十四步：验证测试查看 R1 的 IKE SA，可以看到 IKE SA 协商成功，

状态为 QM_IDLE：

R1#show crypto isakmp sa

destination source state conn-id lifetime(second) 2.2.2.1 1.1.1.1 QM_IDLE 33 84170 e3e0dddad7d4d1ce 0e6cc92784e23f9d

查看 R1 的 IPsec SA，可以看到两个 IPsec SA 协商成功，一个用于入站报文，一个用

于出站报文：

R1#show crypto ipsec sa

Interface: FastEthernet 1/0

Crypto map tag:to_r2, local addr 1.1.1.1 media mtu 1500

================================== item type:static, seqno:1, id=32 local ident

(addr/mask/prot/port): (1.1.1.1/0.0.0.0/47/0)) remote ident (addr/mask/prot/port): (2.2.2.1/0.0.0.0/47/0)) PERMIT

#pkts encaps: 81, #pkts encrypt: 81, #pkts digest 81 #pkts decaps: 61, #pkts decrypt: 61, #pkts verify 61 #send errors 0, #recv errors 0

Inbound esp sas: spi:0x6e729d63 (1853005155) transform: esp-3des esp-sha-hmac

in use settings={Transport,} ！传输模式 crypto map to_r2 1

sa timing: remaining key lifetime (k/sec): (4606986/1315) IV size: 8 bytes

Replay detection support:Y

Outbound esp sas:

spi:0x2ebb461 (49001569) transform: esp-3des esp-sha-hmac in use settings={Transport,} ！传输模式 crypto map to_r2 1

sa timing: remaining key lifetime (k/sec): (4606986/1315) IV size: 8 bytes

Replay detection support:Y

查看 R2 的 IKE SA，可以看到 IKE SA 协商成功，状态为 QM_IDLE： R2#sh crypto isakmp sa

destination source state conn-id lifetime(second) 2.2.2.1 1.1.1.1 QM_IDLE 33 83798 e3e0dddad7d4d1ce 0e6cc92784e23f9d

查看 R2 的 IPsec SA，可以看到两个 IPsec SA 协商成功，一个用于入站报文，一个用于出站报文：

R2#sh crypto ipsec sa

Interface: FastEthernet 1/1

Crypto map tag:to_r1, local addr 2.2.2.1 media mtu 1500

================================== item type:static, seqno:1, id=32 local ident

(addr/mask/prot/port): (2.2.2.1/0.0.0.0/47/0)) remote ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/47/0)) PERMIT

#pkts encaps: 75, #pkts encrypt: 75, #pkts digest 75 #pkts decaps: 95, #pkts decrypt: 95, #pkts verify 95 #send errors 0, #recv errors 0

Inbound esp sas:

spi:0x2ebb461 (49001569) transform: esp-3des esp-sha-hmac in use settings={Transport,} ！传输模式 crypto map to_r1 1

sa timing: remaining key lifetime (k/sec): (4607984/896)

搜索更多关于： [网络安全]使用路由器构建GRE over IPsec VP 的文档

[网络安全]使用路由器构建GRE over IPsec VPN.doc 将本文的Word文档下载到电脑，方便复制、编辑、收藏和打印

下载这篇word文档

本文链接：https://www.diyifanwen.net/c0s6yx5ckjg4ddq3430jm4g4gh0kzl900yjp_2.html（转载请注明文章来源）