Ruijie NAT + GRE over IPsec Networking

I. Network Topology

1. Headquarters and the branch each connect to the Internet over a single link. NAT provides Internet access for the internal hosts, and a GRE over IPsec VPN between the two edge routers interconnects the two internal networks.

Addressing used below (derived from the device configurations; the topology figure itself was not captured):

R11 (Lo0 192.168.1.1) --1.1.1.0/24-- R12 (Gi0/1 202.1.1.1) --202.1.1.0/24-- ISP --203.1.1.0/24-- R14 (Gi0/0 203.1.1.2) --2.2.2.0/24-- R15 (Lo0 192.168.10.1)
GRE Tunnel 1: 10.1.1.1 (R12) <-> 10.1.1.2 (R14), sourced from the public interface addresses.

II. Device Configuration

2.1 R11 configuration

hostname R11
!
interface GigabitEthernet 0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback 0
 ip address 192.168.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!

2.2 R12 configuration: NAT and GRE/IPsec

hostname R12
!
ip access-list extended 100   // IPsec interesting traffic: the GRE packets between the two tunnel endpoints
 5 permit ip host 202.1.1.1 host 203.1.1.2
!
ip access-list extended 110   // NAT: exempt the LAN-to-LAN flow, translate everything else from the LAN
 10 deny ip host 192.168.1.1 host 192.168.10.1
 15 permit ip host 192.168.1.1 any
!
ip nat inside source list 110 interface GigabitEthernet 0/1 overload
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp keepalive 5 periodic   // dead peer detection
!
crypto isakmp key 7 151b5f72 address 203.1.1.2
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map 1 1 ipsec-isakmp
 set peer 203.1.1.2
 set transform-set 1
 match address 100
!
interface GigabitEthernet 0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet 0/1
 ip address 202.1.1.1 255.255.255.0
 crypto map 1
 ip nat outside
!
interface Tunnel 1
 ip address 10.1.1.1 255.255.255.0
 tunnel source 202.1.1.1
 tunnel destination 203.1.1.2
!
ip route 0.0.0.0 0.0.0.0 202.1.1.2
ip route 192.168.1.1 255.255.255.255 1.1.1.1
ip route 192.168.10.1 255.255.255.255 10.1.1.2   // remote loopback via the GRE tunnel; absent from the captured listing, but required for the test in section III
!

Notes on the R12 design:

- ACL 100 selects the GRE packets between the two public endpoints, not the inner LAN addresses. The private traffic rides inside GRE, and ESP protects the GRE packet; the crypto ACL must therefore match the outer header.
- ACL 110 keeps the LAN-to-LAN flow out of the PAT pool. The static route towards 10.1.1.2 is what actually steers that flow into Tunnel 1; without it the packets follow the default route out of Gi0/1 untranslated (ACL 110 denies them) and unencrypted (ACL 100 does not match them), and the ping in section III cannot succeed.
- The pre-shared key is shown in the device's `7` display encoding. That is reversible obfuscation, not encryption, so the saved configuration must be handled with the same care as the key itself.

2.3 ISP configuration

hostname ISP
!
interface GigabitEthernet 0/0
 ip address 203.1.1.1 255.255.255.0
!
interface GigabitEthernet 0/1
 ip address 202.1.1.2 255.255.255.0
!
interface Loopback 0
 ip address 8.8.8.8 255.255.255.255
!

2.4 R14 configuration: NAT and GRE/IPsec

hostname R14
!
ip access-list extended 100   // IPsec interesting traffic: must mirror R12's ACL 100 (GRE outer addresses), as the SA identities in section 4.2 confirm
 10 permit ip host 203.1.1.2 host 202.1.1.1
!
ip access-list extended 110   // NAT
 10 deny ip host 192.168.10.1 host 192.168.1.1
 15 permit ip host 192.168.10.1 any
!
ip nat inside source list 110 interface GigabitEthernet 0/0 overload
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2   // no hash line: R14 falls back to the default SHA hash (see section 4.2), while R12 uses MD5
!
crypto isakmp keepalive 5 periodic
!
crypto isakmp key 7 06576c50 address 202.1.1.1
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map 1 1 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set 1
 match address 100
!
interface GigabitEthernet 0/0
 ip address 203.1.1.2 255.255.255.0
 crypto map 1
 ip nat outside
!
interface GigabitEthernet 0/1
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
!
interface Tunnel 1
 ip address 10.1.1.2 255.255.255.0
 tunnel source 203.1.1.2
 tunnel destination 202.1.1.1
!
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 192.168.10.1 255.255.255.255 2.2.2.1
ip route 192.168.1.1 255.255.255.255 10.1.1.1   // remote loopback via the GRE tunnel; absent from the captured listing, mirror of the R12 route
!

2.5 R15 configuration

hostname R15
!
interface GigabitEthernet 0/0
!
interface GigabitEthernet 0/1
 ip address 2.2.2.1 255.255.255.0
!
interface Loopback 0
 ip address 192.168.10.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!

III. Service Test

3.1 R11 test

R11#ping 192.168.10.1 source 192.168.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.10.1, timeout is 2 seconds:
  < press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 4/5/8 ms.
R11#

3.2 R15 test

R15#ping 192.168.1.1 source 192.168.10.1
Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:
  < press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 4/7/11 ms.
R15#

IV. Device Status

4.1 R12: NAT and IPsec status

R12#show crypto isakmp sa
destination     source          state      conn-id   lifetime(second)
203.1.1.2       202.1.1.1       IKE_IDLE   1         86101

R12#show crypto ipsec sa
Crypto map tag:1
local ipv4 addr 202.1.1.1
media mtu 1500
sub_map type:static, seqno:1, id1
  local ident (addr/mask/prot/port): (202.1.1.1/0.0.0.0/0/0))
  remote ident (addr/mask/prot/port): (203.1.1.2/0.0.0.0/0/0))
  PERMIT
  #pkts encaps: 2490, #pkts encrypt: 2490, #pkts digest 2490
  #pkts decaps: 2490, #pkts decrypt: 2490, #pkts verify 2490
  #send errors 0, #recv errors 0
  pkts encaps errors:
    #negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
  pkts decypto errors:
    #check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
  #pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
  Inbound esp sas:
    spi:0x7046a103 (1883676931)
    transform: esp-3des esp-md5-hmac
    in use settings{Tunnel Encaps,}
    crypto map 1 1
    sa timing: remaining key lifetime (k/sec): (4605988/3301)
    IV size: 0 bytes
    Replay detection support:Y
  Outbound esp sas:
    spi:0xed941edf (3985907423)
    transform: esp-3des esp-md5-hmac
    in use settings{Tunnel Encaps,}
    crypto map 1 1
    sa timing: remaining key lifetime (k/sec): (4605988/3301)
    IV size: 0 bytes
    Replay detection support:Y

R12#show crypto isakmp policy
Protection suite of priority 1
  encryption algorithm: Three key triple DES.
  hash algorithm: Message Digest 5
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 86400 seconds
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds
R12#

4.2 R14: NAT and IPsec status

R14#show crypto isakmp sa
destination     source          state      conn-id   lifetime(second)
202.1.1.1       203.1.1.2       IKE_IDLE   1         86019

R14#show crypto ipsec sa
Crypto map tag:1
local ipv4 addr 203.1.1.2
media mtu 1500
sub_map type:static, seqno:1, id1
  local ident (addr/mask/prot/port): (203.1.1.2/0.0.0.0/0/0))
  remote ident (addr/mask/prot/port): (202.1.1.1/0.0.0.0/0/0))
  PERMIT
  #pkts encaps: 3239, #pkts encrypt: 3239, #pkts digest 3239
  #pkts decaps: 3239, #pkts decrypt: 3239, #pkts verify 3239
  #send errors 0, #recv errors 0
  pkts encaps errors:
    #negoitate pkt drop: 0, #sab useless: 0, encap data fail: 0, compute hash fail: 0
  pkts decypto errors:
    #check reply wind fail: 0, #compute hash fail: 0, verify hash fail: 0
  #pkts detect send req: 0, recv reply: 0, recv req: 0, send reply: 0
  Inbound esp sas:
    spi:0xed941edf (3985907423)
    transform: esp-3des esp-md5-hmac
    in use settings{Tunnel Encaps,}
    crypto map 1 1
    sa timing: remaining key lifetime (k/sec): (4606684/3220)
    IV size: 0 bytes
    Replay detection support:Y
  Outbound esp sas:
    spi:0x7046a103 (1883676931)
    transform: esp-3des esp-md5-hmac
    in use settings{Tunnel Encaps,}
    crypto map 1 1
    sa timing: remaining key lifetime (k/sec): (4606684/3220)
    IV size: 0 bytes
    Replay detection support:Y

R14#show crypto isakmp policy
Protection suite of priority 1
  encryption algorithm: Three key triple DES.
  hash algorithm: Secure Hash Standard
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 86400 seconds
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds
R14#

What to read from this output:

- The SAs pair up: R12's inbound SPI 0x7046a103 is R14's outbound SPI, and R12's outbound SPI 0xed941edf is R14's inbound SPI. The local/remote identities are mirror images (202.1.1.1 <-> 203.1.1.2), which confirms that both crypto ACLs match the GRE endpoints.
- On each router #pkts encaps equals #pkts decaps and both error counters are 0, so traffic is being protected in both directions; replay detection is on.
- The IKE hash differs between the peers (MD5 on R12, SHA on R14, because R14's policy 1 has no `hash` line). The IKE SA reached IKE_IDLE in this lab, but the proposals should be made identical so the outcome does not depend on the responder's matching rules.
- The negotiated suite (3DES, MD5, DH group 2 with a 1024-bit modulus, IKEv1 with a pre-shared key) is deprecated, and the built-in default suite that both routers still offer is weaker again (DES, 768-bit DH). For anything beyond a lab, move to AES with SHA-2 and a DH group of at least 2048 bits, subject to what the RGOS release in use supports.
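The interaction between routing, the NAT exemption and the crypto ACL in section 2.2 is easier to see by walking a packet through R12's egress path. The model below is an added example, not code from the page or from Ruijie: it transcribes R12's routes and ACLs, applies them in Cisco-style inside-to-outside order (route lookup, GRE encapsulation when the route points at the tunnel, NAT only for packets that entered an inside interface and leave an outside one, then the crypto map on the exit interface), and reports what would appear on the wire. That RGOS follows the same order, and the function and constant names, are assumptions of the example. The failure cases show the two misconfigurations this design must avoid: a missing tunnel route, which sends the LAN-to-LAN flow out in clear with a private source, and a crypto ACL written against the inner LAN addresses, which leaves the GRE tunnel unencrypted.

```python
"""Egress decision model for R12 (added example; assumes Cisco-style order of operations)."""
import ipaddress
from dataclasses import dataclass

OUTSIDE = "GigabitEthernet0/1"            # ip nat outside + crypto map 1
OUTSIDE_ADDR = "202.1.1.1"                # PAT address (overload on Gi0/1)
TUNNEL_SRC, TUNNEL_DST = "202.1.1.1", "203.1.1.2"

# R12 static routes from section 2.2, plus the route into the tunnel the design needs
ROUTES = {
    "0.0.0.0/0": OUTSIDE,
    "192.168.1.1/32": "GigabitEthernet0/0",
    "192.168.10.1/32": "Tunnel1",
}
NAT_ACL_110 = [("deny", "192.168.1.1", "192.168.10.1"),
               ("permit", "192.168.1.1", "any")]
CRYPTO_ACL_100 = [("permit", TUNNEL_SRC, TUNNEL_DST)]            # GRE outer header (correct)
CRYPTO_ACL_INNER = [("permit", "192.168.1.1", "192.168.10.1")]   # inner addresses (the mistake)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"


def lookup(dst: str, routes: dict) -> str:
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in routes]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return routes[str(best)]


def acl_action(acl, src: str, dst: str):
    """First-match evaluation; None is the implicit deny at the end of the list."""
    for action, a_src, a_dst in acl:
        if a_src in ("any", src) and a_dst in ("any", dst):
            return action
    return None


def egress(pkt: Packet, routes=ROUTES, nat_acl=NAT_ACL_110, crypto_acl=CRYPTO_ACL_100):
    """Return (wire_src, wire_dst, proto, encrypted) for a packet received on Gi0/0."""
    iface = lookup(pkt.dst, routes)
    from_inside = True
    if iface == "Tunnel1":
        # GRE encapsulation: the outer packet is router-originated, so the
        # inside->outside NAT rule no longer applies to it
        pkt = Packet(TUNNEL_SRC, TUNNEL_DST, "gre")
        from_inside = False
        iface = lookup(pkt.dst, routes)
    src = pkt.src
    if iface == OUTSIDE and from_inside and acl_action(nat_acl, pkt.src, pkt.dst) == "permit":
        src = OUTSIDE_ADDR                # translation happens before the crypto check
    encrypted = iface == OUTSIDE and acl_action(crypto_acl, src, pkt.dst) == "permit"
    return src, pkt.dst, pkt.proto, encrypted


def leaks_private(pkt: Packet, **kw) -> bool:
    """True if the packet would leave Gi0/1 unencrypted with an RFC 1918 source."""
    src, _dst, _proto, encrypted = egress(pkt, **kw)
    return not encrypted and ipaddress.ip_address(src).is_private


if __name__ == "__main__":
    lan = Packet("192.168.1.1", "192.168.10.1")
    print("site-to-site      :", egress(lan))
    print("to the Internet   :", egress(Packet("192.168.1.1", "8.8.8.8")))
    no_tunnel_route = {k: v for k, v in ROUTES.items() if v != "Tunnel1"}
    print("no tunnel route   :", egress(lan, routes=no_tunnel_route))
    print("ACL on inner hdrs :", egress(lan, crypto_acl=CRYPTO_ACL_INNER))
```

The site-to-site packet comes out as GRE 202.1.1.1 -> 203.1.1.2 and matches ACL 100, so it is encrypted; the Internet-bound packet is translated to 202.1.1.1 and sent in clear, as intended. Removing the tunnel route reproduces the leak described in the notes under 2.2, and the inner-address ACL shows why ACL 100 must name the tunnel endpoints.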
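The checks listed after section IV (SPIs pairing across the two peers, mirrored identities, matching encaps/decaps counters, zero errors, replay protection, deprecated algorithms, and the IKE hash mismatch) can be automated against the `show` output. The script below is an added example, not from the page or from Ruijie; its sample inputs are transcribed from sections 4.1 and 4.2 and trimmed to the lines the parser reads, with the field labels exactly as RGOS prints them. The function names, the weak-algorithm table and the 2048-bit DH threshold are the editor's choices.

```python
"""Cross-check of both peers' IPsec and ISAKMP state (added example; samples transcribed from section IV)."""
import re

R12_SA = """\
local ident (addr/mask/prot/port): (202.1.1.1/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (203.1.1.2/0.0.0.0/0/0))
#pkts encaps: 2490, #pkts encrypt: 2490, #pkts digest 2490
#pkts decaps: 2490, #pkts decrypt: 2490, #pkts verify 2490
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x7046a103 (1883676931)
transform: esp-3des esp-md5-hmac
Replay detection support:Y
Outbound esp sas:
spi:0xed941edf (3985907423)
transform: esp-3des esp-md5-hmac
Replay detection support:Y
"""
R14_SA = """\
local ident (addr/mask/prot/port): (203.1.1.2/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (202.1.1.1/0.0.0.0/0/0))
#pkts encaps: 3239, #pkts encrypt: 3239, #pkts digest 3239
#pkts decaps: 3239, #pkts decrypt: 3239, #pkts verify 3239
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0xed941edf (3985907423)
transform: esp-3des esp-md5-hmac
Replay detection support:Y
Outbound esp sas:
spi:0x7046a103 (1883676931)
transform: esp-3des esp-md5-hmac
Replay detection support:Y
"""
R12_POLICY = """\
Protection suite of priority 1
encryption algorithm: Three key triple DES.
hash algorithm: Message Digest 5
Diffie-Hellman group: #2 (1024 bit)
"""
# R14's priority-1 suite differs only in the hash (section 4.2)
R14_POLICY = R12_POLICY.replace("Message Digest 5", "Secure Hash Standard")

WEAK_TRANSFORMS = {                      # exact transform token -> reason
    "esp-des": "DES: 56-bit key",
    "esp-3des": "3DES: 64-bit block (Sweet32)",
    "esp-md5-hmac": "HMAC-MD5: deprecated",
}


def _grab(pattern, text, conv=str):
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return conv(m.group(1))


def parse_ipsec_sa(text: str) -> dict:
    """Pull identities, counters, SPIs and transforms out of `show crypto ipsec sa`."""
    inbound, outbound = text.split("Inbound esp sas:")[1].split("Outbound esp sas:")
    return {
        "local": _grab(r"local ident .*?\(([\d.]+)/", text),
        "remote": _grab(r"remote ident .*?\(([\d.]+)/", text),
        "encaps": _grab(r"#pkts encaps: (\d+)", text, int),
        "decaps": _grab(r"#pkts decaps: (\d+)", text, int),
        "send_err": _grab(r"#send errors (\d+)", text, int),
        "recv_err": _grab(r"#recv errors (\d+)", text, int),
        "in_spi": _grab(r"spi:(0x[0-9a-fA-F]+)", inbound),
        "out_spi": _grab(r"spi:(0x[0-9a-fA-F]+)", outbound),
        "transform": _grab(r"transform: (.+)", inbound).strip(),
        "replay": "Replay detection support:Y" in inbound,
    }


def parse_isakmp_policy(text: str) -> dict:
    """Priority-1 suite from `show crypto isakmp policy` (first match wins)."""
    return {
        "hash": _grab(r"hash algorithm: (.+)", text).strip(),
        "dh_bits": _grab(r"Diffie-Hellman group: #\d+ \((\d+) bit\)", text, int),
    }


def cross_check(a: dict, b: dict) -> list:
    """Findings for a pair of IPsec SAs; an empty list means healthy and strong."""
    findings = []
    if a["in_spi"] != b["out_spi"] or a["out_spi"] != b["in_spi"]:
        findings.append("SPIs do not pair: the peers hold different SAs")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("proxy identities are not mirror images")
    for side in (a, b):
        if side["encaps"] == 0 or side["decaps"] == 0:
            findings.append("traffic flows in one direction only")
        if side["send_err"] or side["recv_err"]:
            findings.append("ESP send/receive errors present")
        if not side["replay"]:
            findings.append("anti-replay disabled")
        findings += [why for tok, why in WEAK_TRANSFORMS.items() if tok in side["transform"].split()]
    return sorted(set(findings))


def isakmp_findings(a: dict, b: dict) -> list:
    out = []
    if a["hash"] != b["hash"]:
        out.append(f"IKE hash differs: {a['hash']} vs {b['hash']}")
    out += [f"DH group of {p['dh_bits']} bits is below 2048" for p in (a, b) if p["dh_bits"] < 2048]
    return sorted(set(out))


if __name__ == "__main__":
    print(cross_check(parse_ipsec_sa(R12_SA), parse_ipsec_sa(R14_SA)))
    print(isakmp_findings(parse_isakmp_policy(R12_POLICY), parse_isakmp_policy(R14_POLICY)))
```

On the page's output the tunnel itself is healthy (the SPIs cross, identities mirror, counters match, no errors), so the only findings are the deprecated 3DES/HMAC-MD5 transform, the 1024-bit DH group and the MD5-versus-SHA mismatch between the two ISAKMP policies.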