GRE over IPsec + NAT + OSPF between two edge routers
Lab topology:
Topology description:
As shown in the figure above, each of the two edge routers provides PAT Internet access for its own site's internal network. A GRE tunnel built between the outside interfaces of R1 and R3 carries the dynamic OSPF routes of the two sites, and a transport-mode IPsec tunnel between R1 and R3 protects the GRE traffic (the interesting traffic) exchanged between the two outside interfaces.
Detailed configuration:
R1:
Interface and PAT configuration
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 12.1.1.2
ip nat inside source list nat interface FastEthernet0/0 overload
! extended access list that defines the traffic to be NATed
ip access-list extended nat
 ! exclude traffic to site B (it travels through the GRE tunnel)
 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip any any
GRE tunnel configuration
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.2
OSPF configuration
! start OSPF process 1
router ospf 1
 log-adjacency-changes
 ! advertise the inside interface into area 0
 network 10.1.1.2 0.0.0.0 area 0
 ! advertise the tunnel interface into area 0
 network 192.168.1.1 0.0.0.0 area 0
IPsec configuration
! create the phase 1 (ISAKMP) policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! specify the peer address and the pre-shared key
crypto isakmp key 6 cisco address 23.1.1.2
! phase 2 encryption and integrity algorithms
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 ! transport mode (protects the data exchanged between the two endpoints)
 mode transport
! create the crypto map that ties together the interesting traffic, the transform set and the peer address
crypto map mymap 1 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set myset
 match address vpn
interface FastEthernet0/0
 ! apply the crypto map on the outside interface
 crypto map mymap
! the IPsec VPN's interesting traffic is exactly the GRE traffic between the two outside interfaces
ip access-list extended vpn
 permit gre host 12.1.1.1 host 23.1.1.2
R2:
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
interface FastEthernet0/1
 ip address 23.1.1.1 255.255.255.0
R3:
Interface and PAT configuration
interface FastEthernet0/0
 ip address 10.2.2.2 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
ip route 0.0.0.0 0.0.0.0 23.1.1.1
ip nat inside source list nat interface FastEthernet0/1 overload
! extended access list that defines the traffic to be NATed
ip access-list extended nat
 ! exclude traffic to site A (it travels through the GRE tunnel)
 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
GRE tunnel configuration
interface Tunnel0
 ip address 192.168.1.
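The design above only works when the two sides mirror each other: R1's tunnel destination must be R3's tunnel source, the crypto map peer and ISAKMP key address must point at the remote outside interface, the crypto ACL must name exactly the GRE flow between the two outside addresses, and each NAT ACL must exempt the other site's subnet. The following added script (not part of the original write-up) checks those relationships on abbreviated, constructed copies of the R1 and R3 configs; since the page truncates R3's tunnel and crypto section, the R3 sample is assumed to mirror R1's, and the pre-shared key is written as a plaintext (`key 0`) entry.

```python
import re

# Constructed, abbreviated R1/R3 configs from this write-up; R3's tunnel/crypto lines are assumed.
R1_CFG = """
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.2
crypto isakmp key 0 cisco address 23.1.1.2
 set peer 23.1.1.2
 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit gre host 12.1.1.1 host 23.1.1.2
"""
R3_CFG = """
 tunnel source 23.1.1.2
 tunnel destination 12.1.1.1
crypto isakmp key 0 cisco address 12.1.1.1
 set peer 12.1.1.1
 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit gre host 23.1.1.2 host 12.1.1.1
"""

def parse(cfg):
    """Extract the values on one router that must agree with the remote side."""
    g = lambda pat: re.search(pat, cfg).group(1)
    gre = re.search(r"permit gre host (\S+) host (\S+)", cfg)
    nat = re.search(r"deny ip (\S+) \S+ (\S+) \S+", cfg)   # (local subnet, remote subnet)
    return {
        "src": g(r"tunnel source (\S+)"),
        "dst": g(r"tunnel destination (\S+)"),
        "peer": g(r"set peer (\S+)"),
        "key_peer": g(r"crypto isakmp key (?:[06] )?\S+ address (\S+)"),
        "gre": gre.groups(),
        "nat_deny": nat.groups(),
    }

def check_pair(cfg_a, cfg_b):
    """Return the list of mirror-consistency problems between two sites (empty means consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    errs = []
    for me, other in ((a, b), (b, a)):
        if me["dst"] != other["src"]:
            errs.append(f"{me['src']}: tunnel destination {me['dst']} is not the peer's tunnel source")
        if me["peer"] != other["src"] or me["key_peer"] != other["src"]:
            errs.append(f"{me['src']}: crypto map / ISAKMP peer does not match the remote tunnel source")
        if me["gre"] != (me["src"], other["src"]):
            errs.append(f"{me['src']}: crypto ACL must read 'permit gre host {me['src']} host {other['src']}'")
    # the NAT exemption on one side must be the reverse of the other side's
    if a["nat_deny"] != tuple(reversed(b["nat_deny"])):
        errs.append("NAT exemption deny entries do not mirror each other")
    return errs
```

Run `check_pair(R1_CFG, R3_CFG)` on the real running-configs (after `show running-config`) to catch a mistyped peer or a missing NAT exemption before the tunnel is brought up.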