Part 2: Details:
R1:
TUNNEL OVER IPSEC simply adds a layer of IPsec on top of the GRE tunnel so that a dynamic routing protocol can run across it; IPsec by itself does not support dynamic routing protocols.
R1#sh run
Building configuration...
Current configuration : 2189 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
*Mar 1 00:33:20.871: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.1.1.3 (Tunnel1) is down: holding ti
ip ips po max-events 100
no ftp-server write-enable
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco1 address 2.2.2.2
crypto isakmp key cisco2 address 3.3.3.3
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
mode transport
!
crypto map map 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set trans
match address 101
crypto map map 20 ipsec-isakmp
set peer 3.3.3.3
set transform-set trans
match address 103
!
interface Tunnel0 //The tunnel addresses at both ends must be in the same subnet.
ip address 10.0.0.1 255.255.255.0
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
!
interface Tunnel1
ip address 10.1.1.1 255.255.255.0
tunnel source 1.1.1.1
tunnel destination 3.3.3.3
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map map
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 100
network 1.0.0.0 //The public address does not need to be added.
network 10.0.0.0 0.0.0.255 //Tunnel subnet
network 10.1.1.0 0.0.0.255 //Tunnel subnet
network 172.16.1.0 0.0.0.255 //Internal (LAN) subnet
no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip nat inside source list 100 interface Serial1/0 overload
!
!
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 //Keeps Internet access from interfering with the VPN: private-to-private traffic is excluded from NAT.
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit gre host 1.1.1.1 host 2.2.2.2 //Key point: IPsec encrypts the private-network traffic as it crosses the public network, which covers the fact that the GRE tunnel itself is unencrypted.
access-list 103 permit gre host 1.1.1.1 host 3.3.3.3
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R2:
R2#sh run
Building configuration...
Current configuration : 1781 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
*Mar 1 00:33:47.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Mar 1 00:33:56.315: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency
ip ips po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco1 address 1.1.1.1
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
mode transport
!
crypto map map 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set trans
match address 101
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map map
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 100
network 10.0.0.0 0.0.0.255
network 172.16.2.0 0.0.0.255
no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/1 //GRE over IPsec must be able to reach the far end via the default route out of the physical interface.
!
ip nat inside source list 100 interface Serial1/1 overload
!
!
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 101 permit gre host 2.2.2.2 host 1.1.1.1
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
R3:
R3#sh run
Building configuration...
Current configuration : 1781 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco2 address 1.1.1.1
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
mode transport
!
crypto map map 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set trans
match address 103
!
!
!
!
interface Tunnel0
ip address 10.1.1.3 255.255.255.0
tunnel source 3.3.3.3
tunnel destination 1.1.1.1
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 3.3.3.3 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map map
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 100
network 10.1.1.0 0.0.0.255
network 172.16.3.0 0.0.0.255
no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/2
!
ip nat inside source list 100 interface Serial1/2 overload
!
!
access-list 100 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 103 permit gre host 3.3.3.3 host 1.1.1.1
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R4:
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 1.1.1.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 2.2.2.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip address 3.3.3.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
(1)
R2#sh ip int brief
*Mar 1 00:36:37.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Mar 1 00:36:38.359: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Serial1/0 unassigned YES unset administratively down down
Serial1/1 2.2.2.2 YES manual up up
Serial1/2 unassigned YES unset administratively down down
Serial1/3 unassigned YES unset administratively down down
Loopback0 172.16.2.1 YES manual up up
Tunnel0 10.0.0.2 YES manual up up
(2): R2#ping 172.16.1.1 source 172.16.2.1, after which the packets can be captured with Wireshark.
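The comments in the R1 configuration above carry three rules that are easy to get wrong when a new spoke is added: the tunnel addresses at both ends must share a subnet, the crypto ACL must match the GRE flow between the two public addresses (otherwise the tunnel still comes up but the GRE packets leave the physical interface in the clear), and the NAT ACL must deny LAN-to-remote-LAN traffic before its permit-any. The following Python script is an added example, not part of the original page, that audits those rules plus pre-shared-key agreement across the three router configurations. It works on constructed, trimmed extracts of the R1/R2/R3 configs shown above (only the lines the checks need), and it assumes Loopback0 is the LAN interface and that ACL wildcard masks are contiguous, as they are on this page.

```python
import ipaddress
import re

# Constructed, trimmed extracts of the R1/R2/R3 configurations on this page
# (only the lines the checks need, not the full "show run" output).
CONFIGS = {
    "R1": """crypto isakmp key cisco1 address 2.2.2.2
crypto isakmp key cisco2 address 3.3.3.3
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
interface Tunnel1
 ip address 10.1.1.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 3.3.3.3
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit gre host 1.1.1.1 host 2.2.2.2
access-list 103 permit gre host 1.1.1.1 host 3.3.3.3""",
    "R2": """crypto isakmp key cisco1 address 1.1.1.1
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit gre host 2.2.2.2 host 1.1.1.1""",
    "R3": """crypto isakmp key cisco2 address 1.1.1.1
interface Tunnel0
 ip address 10.1.1.3 255.255.255.0
 tunnel source 3.3.3.3
 tunnel destination 1.1.1.1
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
access-list 100 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 103 permit gre host 3.3.3.3 host 1.1.1.1""",
}


def wildcard(addr, wc):
    # IOS ACL "addr wildcard" -> ip_network; assumes a contiguous wildcard mask
    ones = bin(int(ipaddress.ip_address(wc))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)


def parse(text):
    # Collect tunnels, LAN prefix (Loopback0 on this page), pre-shared keys,
    # GRE crypto-ACL entries and the NAT ACL's deny pairs from one config.
    cfg = {"tunnels": [], "keys": {}, "gre": set(), "nat_deny": set(), "lan": None}
    iface = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("interface "):
            iface = {"name": line.split()[1]}
            if iface["name"].startswith("Tunnel"):
                cfg["tunnels"].append(iface)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            iface["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if iface["name"] == "Loopback0":
                cfg["lan"] = iface["net"]
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            iface[m[1]] = m[2]
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]
        elif m := re.match(r"access-list \d+ permit gre host (\S+) host (\S+)", line):
            cfg["gre"].add((m[1], m[2]))
        elif m := re.match(r"access-list \d+ deny ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["nat_deny"].add((wildcard(m[1], m[2]), wildcard(m[3], m[4])))
    return cfg


def audit(configs):
    # Check every GRE tunnel pair; an empty list means the site is consistent.
    parsed = {n: parse(t) for n, t in configs.items()}
    ends = {(t["source"], t["destination"]): (n, t)
            for n, c in parsed.items() for t in c["tunnels"]}
    findings, seen = [], set()
    for (src, dst), (a, t) in ends.items():
        if (dst, src) in seen:
            continue  # already handled from the other side
        seen.add((src, dst))
        if (dst, src) not in ends:
            findings.append(f"{a} {t['name']}: no tunnel back from {dst} to {src}")
            continue
        b, far = ends[(dst, src)]
        ca, cb = parsed[a], parsed[b]
        if t["net"] != far["net"]:  # page: both tunnel addresses must share a subnet
            findings.append(f"{a} {t['name']} {t['net']} vs {b} {far['name']} {far['net']}: different subnets")
        for r, c, s, d in ((a, ca, src, dst), (b, cb, dst, src)):
            if (s, d) not in c["gre"]:  # crypto ACL must catch the GRE flow
                findings.append(f"{r}: no crypto ACL for gre {s} -> {d}; tunnel traffic would go out unencrypted")
        if ca["keys"].get(dst) != cb["keys"].get(src):
            findings.append(f"{a}/{b}: pre-shared keys for {src} <-> {dst} differ")
        for r, c, p in ((a, ca, cb), (b, cb, ca)):  # NAT must skip LAN-to-remote-LAN
            if (c["lan"], p["lan"]) not in c["nat_deny"]:
                findings.append(f"{r}: NAT ACL does not deny {c['lan']} -> {p['lan']}")
    return findings
```

Running `audit(CONFIGS)` on the extracts above returns an empty list. Dropping R3's `access-list 103 permit gre` line, or changing R2's Tunnel0 address to 10.0.1.2, produces a finding for that pair only; the EIGRP adjacency check in step (1) would not catch the missing crypto ACL, since the tunnel comes up either way.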