20210106 cisco GRE
課堂資料
課堂練習
GRE
Hub-to-spoke Topology
int lo 0ip add 192.168.1.1 255.255.255.0no shutint e0/0ip add 10.0.14.1 255.255.255.0no shutrouter ripver 2no auto-summarynet 10.0.14.0net 172.16.0.0net 192.168.0.0
R1 與 R2 建立 Tunnel
int tunnel 12ip add 172.16.12.1 255.255.255.0tunnel source e0/0tunnel destination 10.0.24.2
R1 與 R3 建立 Tunnel
int tunnel 13ip add 172.16.13.1 255.255.255.0tunnel source e0/0tunnel destination 10.0.34.3
R1 Ping R2 / R3 進行 Tunnel 連線測試
do ping 172.16.12.2 source 172.16.12.1do ping 172.16.13.3 source 172.16.12.1int lo 0ip add 192.168.2.2 255.255.255.0no shutint e0/0ip add 10.0.24.2 255.255.255.0no shutrouter ripver 2no auto-summarynet 10.0.24.0net 172.16.0.0
R1 與 R2 建立 Tunnel
int tunnel 12ip add 172.16.12.2 255.255.255.0tunnel source e0/0tunnel destination 10.0.14.1
R1 Ping R2 / R3 進行 Tunnel 連線測試
do ping 172.16.13.3 source 172.16.12.2exitexittraceroute 172.16.13.3 source 172.16.12.2int e0/0ip add 10.0.14.4 255.255.255.0no shutint e0/1ip add 10.0.24.4 255.255.255.0no shutint e0/2ip add 10.0.34.4 255.255.255.0no shutrouter ripver 2no auto-summarynet 10.0.14.0net 10.0.24.0net 10.0.34.0net 172.16.0.0Routing Protocol
router eigrp 1net 172.16.12.0 0.0.0.255net 172.16.13.0 0.0.0.255net 192.168.1.0no auto-summarydo sh ip ro eigrp 1do ping 192.168.2.2 source 192.168.1.1do ping 192.168.3.3 source 192.168.1.1conf trouter eigrp 1net 172.16.12.0 0.0.0.255net 192.168.2.0no auto-summarydo sh ip ro eigrp 1exitexittraceroute 172.16.13.3 source 172.16.12.2router eigrp 1net 172.16.13.0 0.0.0.255net 192.168.3.0no auto-summaryIPSec over GRE Tunnel
crypto isakmp policy 10authentication pre-sharecrypto ipsec transform-set TS esp-3des ah-sha-hmacexitcrypto isakmp key ccie add 10.0.24.2crypto isakmp key ccie add 10.0.34.3crypto ipsec profile PFset transform-set TSint tunnel 12tunnel protection ipsec PRofile PFconf tcrypto isakmp policy 10authentication pre-sharecrypto ipsec transform-set TS esp-3des ah-sha-hmacexitcrypto isakmp key ccie add 10.0.12.1crypto isakmp key ccie add 10.0.34.3crypto ipsec profile PFset transform-set TSint tunnel 12tunnel protection ipsec PRofile PFexitcrypto isakmp policy 10authentication pre-sharecrypto ipsec transform-set TS esp-3des ah-sha-hmacexitcrypto isakmp key ccie add 10.0.12.1crypto isakmp key ccie add 10.0.24.2crypto ipsec profile PFset transform-set TSint tunnel 12tunnel protection ipsec PRofile PFIPsec
設定
int e0/0ip add 192.168.13.1 255.255.255.0no shutint e0/1ip add 192.168.10.1 255.255.255.0no shutexitip route 0.0.0.0 0.0.0.0 192.168.13.3do ping 192.168.23.2do ping 192.168.20.1int e0/0ip add 192.168.23.2 255.255.255.0no shutint e0/1ip add 192.168.20.1 255.255.255.0no shutexitip route 0.0.0.0 0.0.0.0 192.168.23.3int e0/0ip add 192.168.13.3 255.255.255.0no shutint e0/1ip add 192.168.23.3 255.255.255.0no shutexit設定 Interesting Traffic
ip access-list extended VPN-TrafficPermit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255exitip access-list extended VPN-TrafficPermit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255exit設定 IKE Phase 1 參數
crypto isakmp policy 1encryption aeshash md5authentication pre-sharegroup 2lifetime 30000crypto isakmp policy 1encryption aeshash md5authentication pre-sharegroup 2lifetime 30000設定 IKE Phase 2參數
exitcrypto ipsec transform-set TS esp-3des ah-sha-hmacexitcrypto ipsec transform-set TS esp-3des ah-sha-hmac設定 Pre-share Key
crypto isakmp key 6 ccie add 192.168.23.2crypto isakmp key 6 ccie add 192.168.13.1定義 Crypto Map
crypto map CMAP 1 ipsec-isakmpset peer 192.168.23.2set transform-set TSmatch add VPN-Trafficint e0/0crypto map CMAPcrypto map CMAP 1 ipsec-isakmpset peer 192.168.13.1set transform-set TSmatch add VPN-Trafficint e0/0crypto map CMAP測試
do ping 192.168.20.1 source 192.168.10.1GRE over IPsec vs IPSec over GRE
GRE over IPsec設定
網路設定
int lo 0ip add 1.1.1.1 255.255.255.0no shutint e0/0ip add 192.168.13.1 255.255.255.0no shutexitip route 192.168.23.0 255.255.255.0 192.168.13.3do ping 192.168.23.2 source 192.168.13.1do ping 2.2.2.2 source 1.1.1.1
設定 Interesting Traffic
ip access-list extended IPSEC_TUNNELPermit ip host 192.168.13.1 host 192.168.23.2
設定 IPSec
crypto isakmp key ccie add 192.168.23.2crypto isakmp policy 10encryption aesauthentication pre-sharegroup 2exitcrypto ipsec transform-set TS esp-3desexitcrypto map GRE_OVER_IPSEC 10 ipsec-isakmpset peer 192.168.23.2set transform-set TSmatch add IPSEC_TUNNEL
在 Interface 應用Crypto Map
int e0/0crypto map GRE_OVER_IPSEC
設定 GRE Tunnel
int tunnel 0ip add 172.16.12.1 255.255.255.0tunnel source e0/0tunnel destination 192.168.23.2
測試
do ping 172.16.12.2 source 172.16.12.1do sh crypto ipsec sa
設定 Routing Protocol
router eigrp 1no auto-summarynet 172.16.12.0 0.0.0.255net 1.1.1.0 0.0.0.255
查看 Neighbor
do sh ip eigrp neido ping 2.2.2.2 source 1.1.1.1
網路設定
int lo 0ip add 2.2.2.2 255.255.255.0no shutint e0/0ip add 192.168.23.2 255.255.255.0no shutexitip route 192.168.13.0 255.255.255.0 192.168.23.3
設定 Interesting Traffic
ip access-list extended IPSEC_TUNNELPermit ip host 192.168.23.2 host 192.168.13.1
設定 IPSec
crypto isakmp key ccie add 192.168.13.1crypto isakmp policy 10encryption aesauthentication pre-sharegroup 2exitcrypto ipsec transform-set TS esp-3desexitcrypto map GRE_OVER_IPSEC 10 ipsec-isakmpset peer 192.168.13.1set transform-set TSmatch add IPSEC_TUNNEL
在 Interface 應用Crypto Map
int e0/0crypto map GRE_OVER_IPSEC
設定 GRE Tunnel
int tunnel 0ip add 172.16.12.2 255.255.255.0tunnel source e0/0tunnel destination 192.168.13.1
設定 Routing Protocol
router eigrp 1no auto-summarynet 172.16.12.0 0.0.0.255net 2.2.2.0 0.0.0.255IPSec over GRE 設定
網路設定
int lo 0ip add 1.1.1.1 255.255.255.0no shutint e0/0ip add 192.168.13.1 255.255.255.0no shutexitip route 192.168.23.0 255.255.255.0 192.168.13.3
設定 GRE Tunnel
int tunnel 0ip add 172.16.12.1 255.255.255.0tunnel source e0/0tunnel destination 192.168.23.2
測試
do ping 172.16.12.2 source 172.16.12.1
設定 Routing Protocol
router eigrp 1no auto-summarynet 172.16.12.0 0.0.0.255net 1.1.1.0 0.0.0.255
測試
do sh ip eigrp neido ping 2.2.2.2 source 1.1.1.1
設定 Interesting Traffic
ip access-list extended IPSEC_TUNNELPermit ip host 1.1.1.1 host 2.2.2.2
設定 IPSec
crypto isakmp key ccie add 172.16.12.2crypto isakmp policy 10encryption aesauthentication pre-sharegroup 2exitcrypto ipsec transform-set TS esp-3desexitcrypto map IPSEC_OVER_GRE 10 ipsec-isakmpset peer 172.16.12.2set transform-set TSmatch add IPSEC_TUNNEL
在 Tunnel Interface 應用 Crypto Map
int tunnel 0crypto map IPSEC_OVER_GRE
測試
do ping 2.2.2.2 source 1.1.1.1do sh crypto ipsec sa
網路設定
int lo 0ip add 2.2.2.2 255.255.255.0no shutint e0/0ip add 192.168.23.2 255.255.255.0no shutexitip route 192.168.13.0 255.255.255.0 192.168.23.3
設定 GRE Tunnel
int tunnel 0ip add 172.16.12.2 255.255.255.0tunnel source e0/0tunnel destination 192.168.13.1
設定 Routing Protocol
router eigrp 1no auto-summarynet 172.16.12.0 0.0.0.255net 2.2.2.0 0.0.0.255
設定 Interesting Traffic
ip access-list extended IPSEC_TUNNELPermit ip host 2.2.2.2 host 1.1.1.1
設定 IPSec
crypto isakmp key ccie add 172.16.12.1crypto isakmp policy 10encryption aesauthentication pre-sharegroup 2exitcrypto ipsec transform-set TS esp-3desexitcrypto map IPSEC_OVER_GRE 10 ipsec-isakmpset peer 172.16.12.1set transform-set TSmatch add IPSEC_TUNNEL
在 Tunnel Interface 應用 Crypto Map
int tunnel 0crypto map IPSEC_OVER_GRELast updated
