IV size: 8 bytes
Replay detection support:Y
Outbound esp sas:
spi:0x6e729d63 (1853005155)
transform: esp-3des esp-sha-hmac
in use settings={Transport,}    ! transport mode
crypto map to_r1 1
sa timing: remaining key lifetime (k/sec): (4607984/896)
IV size: 8 bytes
Replay detection support:Y
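The status output above shows that R1 and R2 have successfully negotiated one IKE SA and two IPsec SAs (one for each direction).
【Notes】
• The GRE tunnel key must be the same on both ends of the tunnel.
• The tunnel source and destination on the two ends must correspond to each other: R1's source address is R2's destination address, and R2's source address is R1's destination address.
• Enable routing on the Tunnel interface, not on the interface that connects to the Internet.
• Make sure that connectivity between the two ends of the IPsec tunnel is working.
• The IKE policies and IPsec transform sets must match on both sides, and the pre-shared key must be the same on both sides.
• When multiple IKE policies and IPsec transform sets are configured, make sure that the two sides can negotiate one policy and one transform set in common.
• The crypto access lists on the two sides must be mirror images of each other.
【Reference configuration】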
R1#show running-config
Building configuration...
Current configuration : 1268 bytes
!
hostname R1
!
!
access-list 100 permit 47 host 1.1.1.1 host 2.2.2.1
!
no service password-encryption
!
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash sha
 group 2
!
!
crypto isakmp key 7 076f517c41477152 address 2.2.2.1
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
 mode transport
crypto map to_r2 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set 3des_sha
 match address 100
!
!
interface serial 1/2
 clock rate 64000
!
interface serial 1/3
 clock rate 64000
!
interface FastEthernet 1/0
 ip address 1.1.1.1 255.255.255.252
 crypto map to_r2
 duplex auto
 speed auto
!
interface FastEthernet 1/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel 1
 no ip route-cache
 no ip route-cache policy
 ip address 10.1.1.1 255.255.255.0
 tunnel source FastEthernet 1/0
 tunnel destination 2.2.2.1
 tunnel key 1234567
 no keepalive
!
interface Null 0
!
!
router rip
 no auto-summary
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
R2#show running-config
Building configuration...
Current configuration : 1268 bytes
!
hostname R2
!
!
access-list 100 permit 47 host 2.2.2.1 host 1.1.1.1
!
!
!
no service password-encryption
!
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash sha
 group 2
!
!
crypto isakmp key 7 076f517c41477152 address 1.1.1.1
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
 mode transport
crypto map to_r1 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3des_sha
 match address 100
!
!
interface serial 1/2
 clock rate 64000
!
interface serial 1/3
 clock rate 64000
!
interface FastEthernet 1/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet 1/1
 ip address 2.2.2.1 255.255.255.252
 crypto map to_r1
 duplex auto
 speed auto
!
interface Tunnel 1
 no ip route-cache
 no ip route-cache policy
 ip address 10.1.1.2 255.255.255.0
 tunnel source FastEthernet 1/1
 tunnel destination 1.1.1.1
 tunnel key 1234567
 no keepalive
!
interface Null 0
!
!
router rip
 no auto-summary
 version 2
 network 10.0.0.0
 network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
R3#show running-config
Building configuration...
Current configuration : 489 bytes
!
hostname R3
!
!
no service password-encryption
!
interface serial 1/2
 clock rate 64000
!
interface serial 1/3
 clock rate 64000
!
interface FastEthernet 1/0
 ip address 1.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet 1/1
 ip address 2.2.2.2 255.255.255.252
 duplex auto
 speed auto
!
interface Null 0
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
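The consistency rules listed in the notes can be checked mechanically before a change is deployed. The script below is an added example, not part of the original lab material: it compares excerpts of the R1 and R2 reference configurations and reports which rule is broken. The names `SAME`, `PEER`, `facts` and `mismatches` are hypothetical, and it assumes a single IKE policy and a single transform set, as in the reference configuration.

```python
import re

# Constructed excerpt of the R1 reference configuration, one command per line.
R1 = """access-list 100 permit 47 host 1.1.1.1 host 2.2.2.1
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash sha
 group 2
crypto isakmp key 7 076f517c41477152 address 2.2.2.1
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
 mode transport
interface Tunnel 1
 tunnel destination 2.2.2.1
 tunnel key 1234567
"""
# R2's excerpt is R1's with the two endpoint addresses exchanged.
R2 = R1.replace("1.1.1.1", "<A>").replace("2.2.2.1", "1.1.1.1").replace("<A>", "2.2.2.1")

SAME = {  # settings that must be identical on both peers
    "encryption": r"^ +encryption (\S+)", "authentication": r"^ +authentication (\S+)",
    "hash": r"^ +hash (\S+)", "group": r"^ +group (\S+)", "mode": r"^ +mode (\S+)",
    "transform": r"transform-set \S+ (.+)", "gre_key": r"^ +tunnel key (\S+)",
}
PEER = {  # settings that reference the tunnel endpoints
    "acl": r"^access-list \d+ permit 47 host (\S+) host (\S+)",
    "psk": r"^crypto isakmp key \d+ (\S+) address (\S+)",
    "dst": r"^ +tunnel destination (\S+)",
}

def facts(cfg):
    hits = {k: re.search(rx, cfg, re.M) for k, rx in {**SAME, **PEER}.items()}
    return {k: m.groups() if m else None for k, m in hits.items()}

def mismatches(cfg_a, cfg_b):
    a, b = facts(cfg_a), facts(cfg_b)
    missing = [f"missing:{k}" for k in a if a[k] is None or b[k] is None]
    if missing:
        return missing
    bad = [k for k in SAME if a[k] != b[k]]
    a_peer, b_peer = a["dst"][0], b["dst"][0]  # each tunnel destination is the peer
    # Crypto ACLs: GRE (protocol 47) from own endpoint to the peer, mirrored on the other side.
    if a["acl"] != (b_peer, a_peer) or b["acl"] != (a_peer, b_peer):
        bad.append("acl")
    # Pre-shared key: same stored string as displayed, bound to the peer address.
    if a["psk"] != (b["psk"][0], a_peer) or b["psk"][1] != b_peer:
        bad.append("psk")
    return bad
```

An empty list means the two excerpts satisfy every rule checked; each returned name identifies the setting to compare by hand on the two routers.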