20210106 cisco GRE


Class materials

Class exercises

GRE

Hub-to-spoke Topology

R1

int lo 0
ip add 192.168.1.1 255.255.255.0
no shut
int e0/0
ip add 10.0.14.1 255.255.255.0
no shut
router rip
ver 2
no auto-summary
net 10.0.14.0
net 172.16.0.0
net 192.168.0.0

Build the tunnel between R1 and R2

int tunnel 12
ip add 172.16.12.1 255.255.255.0
tunnel source e0/0
tunnel destination 10.0.24.2

Build the tunnel between R1 and R3

int tunnel 13
ip add 172.16.13.1 255.255.255.0
tunnel source e0/0
tunnel destination 10.0.34.3

Ping R2 / R3 from R1 to test tunnel connectivity

do ping 172.16.12.2 source 172.16.12.1
do ping 172.16.13.3 source 172.16.12.1

R2

int lo 0
ip add 192.168.2.2 255.255.255.0
no shut
int e0/0
ip add 10.0.24.2 255.255.255.0
no shut
router rip
ver 2
no auto-summary
net 10.0.24.0
net 172.16.0.0

Build the tunnel between R1 and R2

int tunnel 12
ip add 172.16.12.2 255.255.255.0
tunnel source e0/0
tunnel destination 10.0.14.1

Ping and traceroute from R2 to R3 to test tunnel connectivity

do ping 172.16.13.3 source 172.16.12.2
exit
exit
traceroute 172.16.13.3 source 172.16.12.2

R3

int lo 0
ip add 192.168.3.3 255.255.255.0
no shut
int e0/0
ip add 10.0.34.3 255.255.255.0
no shut
router rip
ver 2
no auto-summary
net 10.0.34.0
net 172.16.0.0

Build the tunnel between R1 and R3

int tunnel 13
ip add 172.16.13.3 255.255.255.0
tunnel source e0/0
tunnel destination 10.0.14.1

Transit router (connects R1, R2 and R3)

int e0/0
ip add 10.0.14.4 255.255.255.0
no shut
int e0/1
ip add 10.0.24.4 255.255.255.0
no shut
int e0/2
ip add 10.0.34.4 255.255.255.0
no shut
router rip
ver 2
no auto-summary
net 10.0.14.0
net 10.0.24.0
net 10.0.34.0
net 172.16.0.0

Routing Protocol

R1

router eigrp 1
net 172.16.12.0 0.0.0.255
net 172.16.13.0 0.0.0.255
net 192.168.1.0
no auto-summary
do sh ip ro eigrp 1
do ping 192.168.2.2 source 192.168.1.1
do ping 192.168.3.3 source 192.168.1.1

R2

conf t
router eigrp 1
net 172.16.12.0 0.0.0.255
net 192.168.2.0
no auto-summary
do sh ip ro eigrp 1
exit
exit
traceroute 172.16.13.3 source 172.16.12.2

R3

router eigrp 1
net 172.16.13.0 0.0.0.255
net 192.168.3.0
no auto-summary

IPSec over GRE Tunnel

R1

crypto isakmp policy 10
authentication pre-share
crypto ipsec transform-set TS esp-3des ah-sha-hmac
exit
! One pre-shared key per IKE peer, keyed by the peer's tunnel source address
crypto isakmp key ccie add 10.0.24.2
crypto isakmp key ccie add 10.0.34.3
crypto ipsec profile PF
set transform-set TS
! Protect both spoke tunnels
int tunnel 12
tunnel protection ipsec profile PF
int tunnel 13
tunnel protection ipsec profile PF

R2

conf t
crypto isakmp policy 10
authentication pre-share
crypto ipsec transform-set TS esp-3des ah-sha-hmac
exit
crypto isakmp key ccie add 10.0.14.1
crypto isakmp key ccie add 10.0.34.3
crypto ipsec profile PF
set transform-set TS
int tunnel 12
tunnel protection ipsec profile PF

R3

exit
crypto isakmp policy 10
authentication pre-share
crypto ipsec transform-set TS esp-3des ah-sha-hmac
exit
crypto isakmp key ccie add 10.0.14.1
crypto isakmp key ccie add 10.0.24.2
crypto ipsec profile PF
set transform-set TS
int tunnel 13
tunnel protection ipsec profile PF

IPsec

Configuration

Router 192.168.13.1 (LAN 192.168.10.0/24)

int e0/0
ip add 192.168.13.1 255.255.255.0
no shut
int e0/1
ip add 192.168.10.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 192.168.13.3
do ping 192.168.23.2
do ping 192.168.20.1

Router 192.168.23.2 (LAN 192.168.20.0/24)

int e0/0
ip add 192.168.23.2 255.255.255.0
no shut
int e0/1
ip add 192.168.20.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 192.168.23.3

Transit router

int e0/0
ip add 192.168.13.3 255.255.255.0
no shut
int e0/1
ip add 192.168.23.3 255.255.255.0
no shut
exit

Define interesting traffic

Router 192.168.13.1

ip access-list extended VPN-Traffic
Permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
exit

Router 192.168.23.2

ip access-list extended VPN-Traffic
Permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
exit

Configure IKE Phase 1 parameters

Router 192.168.13.1

crypto isakmp policy 1
encryption aes
hash md5
authentication pre-share
group 2
lifetime 30000

Router 192.168.23.2

crypto isakmp policy 1
encryption aes
hash md5
authentication pre-share
group 2
lifetime 30000

Configure IKE Phase 2 parameters

Router 192.168.13.1

exit
crypto ipsec transform-set TS esp-3des ah-sha-hmac

Router 192.168.23.2

exit
crypto ipsec transform-set TS esp-3des ah-sha-hmac

Configure the pre-shared key

Router 192.168.13.1

crypto isakmp key 6 ccie add 192.168.23.2

Router 192.168.23.2

crypto isakmp key 6 ccie add 192.168.13.1

Define the crypto map

Router 192.168.13.1

crypto map CMAP 1 ipsec-isakmp
set peer 192.168.23.2
set transform-set TS
match add VPN-Traffic
int e0/0
crypto map CMAP

Router 192.168.23.2

crypto map CMAP 1 ipsec-isakmp
set peer 192.168.13.1
set transform-set TS
match add VPN-Traffic
int e0/0
crypto map CMAP

Test

do ping 192.168.20.1 source 192.168.10.1
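
The Phase 1 and Phase 2 settings used in this lab (MD5, DH group 2, 3DES, a four-character pre-shared key) are legacy choices that current guidance says to avoid outside a lab. The following is an added example, not part of the original notes: a small Python audit that flags those settings in IOS configuration text. The function name, finding strings and the 16-character key threshold are assumptions, and SAMPLE is constructed from the commands above.

```python
import re

# Constructed sample: crypto commands as typed for one peer in the lab above.
SAMPLE = """\
crypto isakmp policy 1
 encryption aes
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des ah-sha-hmac
crypto isakmp key ccie add 192.168.23.2
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.23.2
 set transform-set TS
"""

# (pattern on a lower-cased, whitespace-normalised line, finding text)
WEAK = [
    (r"^hash md5\b", "IKE phase 1 hash is MD5"),
    (r"^group (1|2|5)\b", "IKE DH group is below 2048 bits"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b", "ESP cipher is DES/3DES"),
]

def audit(config, min_psk_len=16):  # 16 is an assumed policy value
    """Return sorted findings for weak IKE/IPsec settings in IOS config text."""
    findings, keyed_peers, map_peers = set(), set(), set()
    for raw in config.splitlines():
        line = " ".join(raw.lower().split())
        findings.update(msg for pat, msg in WEAK if re.search(pat, line))
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
        if m and not re.search(r"hmac|gcm", m.group(1)):
            findings.add("transform-set has no integrity transform")
        # Accepts the abbreviated "add" and an optional key-type digit (0 or 6).
        m = re.match(r"crypto isakmp key (?:[06] )?(\S+) add\w* (\S+)", line)
        if m:
            keyed_peers.add(m.group(2))
            if len(m.group(1)) < min_psk_len:
                findings.add(f"pre-shared key shorter than {min_psk_len} characters")
        m = re.match(r"set peer (\S+)", line)
        if m:
            map_peers.add(m.group(1))
    # A crypto map peer without a key line for its address is a likely mismatch.
    findings.update(f"no pre-shared key for peer {p}" for p in map_peers - keyed_peers)
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The same function also reports a transform-set that encrypts without any integrity transform, which is the case for the `esp-3des`-only sets used in the GRE over IPsec and IPSec over GRE exercises.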

GRE over IPsec vs IPSec over GRE

GRE over IPsec configuration

Network configuration (router 192.168.13.1)

int lo 0
ip add 1.1.1.1 255.255.255.0
no shut
int e0/0
ip add 192.168.13.1 255.255.255.0
no shut
exit
ip route 192.168.23.0 255.255.255.0 192.168.13.3
do ping 192.168.23.2 source 192.168.13.1
do ping 2.2.2.2 source 1.1.1.1

Define interesting traffic

ip access-list extended IPSEC_TUNNEL
Permit ip host 192.168.13.1 host 192.168.23.2

Configure IPsec

crypto isakmp key ccie add 192.168.23.2
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
exit
crypto ipsec transform-set TS esp-3des
exit
crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
set peer 192.168.23.2
set transform-set TS
match add IPSEC_TUNNEL

Apply the crypto map to the interface

int e0/0
crypto map GRE_OVER_IPSEC

Configure the GRE tunnel

int tunnel 0
ip add 172.16.12.1 255.255.255.0
tunnel source e0/0
tunnel destination 192.168.23.2

Test

do ping 172.16.12.2 source 172.16.12.1
do sh crypto ipsec sa

Configure the routing protocol

router eigrp 1
no auto-summary
net 172.16.12.0 0.0.0.255
net 1.1.1.0 0.0.0.255

Check neighbors

do sh ip eigrp nei
do ping 2.2.2.2 source 1.1.1.1

Network configuration (router 192.168.23.2)

int lo 0
ip add 2.2.2.2 255.255.255.0
no shut
int e0/0
ip add 192.168.23.2 255.255.255.0
no shut
exit
ip route 192.168.13.0 255.255.255.0 192.168.23.3

Define interesting traffic

ip access-list extended IPSEC_TUNNEL
Permit ip host 192.168.23.2 host 192.168.13.1

Configure IPsec

crypto isakmp key ccie add 192.168.13.1
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
exit
crypto ipsec transform-set TS esp-3des
exit
crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
set peer 192.168.13.1
set transform-set TS
match add IPSEC_TUNNEL

Apply the crypto map to the interface

int e0/0
crypto map GRE_OVER_IPSEC

Configure the GRE tunnel

int tunnel 0
ip add 172.16.12.2 255.255.255.0
tunnel source e0/0
tunnel destination 192.168.13.1

Configure the routing protocol

router eigrp 1
no auto-summary
net 172.16.12.0 0.0.0.255
net 2.2.2.0 0.0.0.255

Network configuration (transit router)

int e0/0
ip add 192.168.13.3 255.255.255.0
no shut
int e0/1
ip add 192.168.23.3 255.255.255.0
no shut
exit

IPSec over GRE configuration

Network configuration (router 192.168.13.1)

int lo 0
ip add 1.1.1.1 255.255.255.0
no shut
int e0/0
ip add 192.168.13.1 255.255.255.0
no shut
exit
ip route 192.168.23.0 255.255.255.0 192.168.13.3

Configure the GRE tunnel

int tunnel 0
ip add 172.16.12.1 255.255.255.0
tunnel source e0/0
tunnel destination 192.168.23.2

Test

do ping 172.16.12.2 source 172.16.12.1

Configure the routing protocol

router eigrp 1
no auto-summary
net 172.16.12.0 0.0.0.255
net 1.1.1.0 0.0.0.255

Test

do sh ip eigrp nei
do ping 2.2.2.2 source 1.1.1.1

Define interesting traffic

ip access-list extended IPSEC_TUNNEL
Permit ip host 1.1.1.1 host 2.2.2.2

Configure IPsec

crypto isakmp key ccie add 172.16.12.2
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
exit
crypto ipsec transform-set TS esp-3des
exit
crypto map IPSEC_OVER_GRE 10 ipsec-isakmp
set peer 172.16.12.2
set transform-set TS
match add IPSEC_TUNNEL

Apply the crypto map to the tunnel interface

int tunnel 0
crypto map IPSEC_OVER_GRE

Test

do ping 2.2.2.2 source 1.1.1.1
do sh crypto ipsec sa

Network configuration (router 192.168.23.2)

int lo 0
ip add 2.2.2.2 255.255.255.0
no shut
int e0/0
ip add 192.168.23.2 255.255.255.0
no shut
exit
ip route 192.168.13.0 255.255.255.0 192.168.23.3

Configure the GRE tunnel

int tunnel 0
ip add 172.16.12.2 255.255.255.0
tunnel source e0/0
tunnel destination 192.168.13.1

Configure the routing protocol

router eigrp 1
no auto-summary
net 172.16.12.0 0.0.0.255
net 2.2.2.0 0.0.0.255

Define interesting traffic

ip access-list extended IPSEC_TUNNEL
Permit ip host 2.2.2.2 host 1.1.1.1

Configure IPsec

crypto isakmp key ccie add 172.16.12.1
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
exit
crypto ipsec transform-set TS esp-3des
exit
crypto map IPSEC_OVER_GRE 10 ipsec-isakmp
set peer 172.16.12.1
set transform-set TS
match add IPSEC_TUNNEL

Apply the crypto map to the tunnel interface

int tunnel 0
crypto map IPSEC_OVER_GRE

Network configuration (transit router)

int e0/0
ip add 192.168.13.3 255.255.255.0
no shut
int e0/1
ip add 192.168.23.3 255.255.255.0
no shut
exit
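
The two designs differ in which packets end up encrypted, because the crypto map sits on a different interface and its ACL therefore matches a different packet. The model below is an added example, not part of the original notes. It uses the lab's addresses, assumes ESP in tunnel mode (the IOS transform-set default) and a packet already routed out tunnel 0; the function names are illustrative.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the lab on this page; the packet model is a simplification.
PHYS = ("192.168.13.1", "192.168.23.2")   # e0/0 addresses = GRE tunnel endpoints
TUN = ("172.16.12.1", "172.16.12.2")      # tunnel 0 addresses

# "permit ip" entries of access-list IPSEC_TUNNEL in each design, as (src, dst).
ACL = {
    "gre_over_ipsec": [("192.168.13.1/32", "192.168.23.2/32")],  # crypto map on e0/0
    "ipsec_over_gre": [("1.1.1.1/32", "2.2.2.2/32")],            # crypto map on tunnel 0
}

def permitted(acl, src, dst):
    """True if (src, dst) matches any entry of the crypto ACL."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

def on_wire(design, src, dst, payload):
    """Headers the sending router emits, outermost first, for a packet routed
    out tunnel 0. Everything after 'ESP' is encrypted."""
    inner = [f"IP {src}>{dst}", payload]
    outer = f"IP {PHYS[0]}>{PHYS[1]}"
    if design == "gre_over_ipsec":
        gre = [outer, "GRE"] + inner
        # The crypto map on e0/0 sees the GRE packet between the physical addresses.
        return [outer, "ESP"] + gre if permitted(ACL[design], *PHYS) else gre
    if design == "ipsec_over_gre":
        # The crypto map on tunnel 0 sees the inner packet before GRE is added.
        if permitted(ACL[design], src, dst):
            inner = [f"IP {TUN[0]}>{TUN[1]}", "ESP"] + inner
        return [outer, "GRE"] + inner
    raise ValueError(design)

def cleartext(layers):
    """Headers an observer on the transit router can read."""
    return layers[:layers.index("ESP") + 1] if "ESP" in layers else layers

if __name__ == "__main__":
    flows = [("1.1.1.1", "2.2.2.2", "ICMP"),               # loopback to loopback
             ("172.16.12.1", "224.0.0.10", "EIGRP hello")]  # routing protocol
    for design in ACL:
        for flow in flows:
            print(design, flow, "->", " | ".join(cleartext(on_wire(design, *flow))))
```

In the IPSec over GRE lab only loopback-to-loopback traffic matches the ACL, so EIGRP hellos and anything else routed into the tunnel cross the transit router as cleartext GRE. In the GRE over IPsec lab every packet that enters the tunnel is wrapped in ESP.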