R1(config)#int f0/0
R1(config-if)#ip add 12.1.1.1 255.255.255.0
R1( config-if)#no sh
R1(config-if)#exit
R1(config)#int f0/1
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 0.0 .0.0 0.0.0.0 12.1.1.2
R3(config)#int f0/0
R3(config-if)#ip add 192.168.1.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#exit
R3(config)#int f0/1
R3(config-if) #ip address dhcp
R3(config-if)#no sh
R3(config-if)#exit
R3(config)#int loopback 0
R3(config-if)#ip add 3.3.3.3 255.255.255.255
R3(config-if)#exit
Description: On the interface F0/1 of R3 connected to the Internet Enable DHCP to obtain an address dynamically, so the IP address on F0/1 is not known in advance, and create a Loopback 0 (address 3.3.3.3/32) as the source address of the local p2p GRE tunnel.
(1) Configure a p2p GRE tunnel on R1 with the endpoint being R3:
R1(config)#interface tunnel 1
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tunnel destination 3.3.3.3
R1( config-if)#exit
R1(config)#ip route 3.3.3.3 255.255.255.255 12.1.1.2
Description: The p2p GRE tunnel interface number from R1 to R3 is 1, and the tunnel address is 1.1.1.1, the source point of the tunnel is the external network interface address 12.1.1.1, and the end point of the tunnel is the Loopback 0 interface address of R3 3.3.3.3. Although the tunnel end address is not routable on the Internet, a static route must be written Point 3.3.3.3/32 to your own Internet exit as this is a configuration rule.
R3(config)#int tunnel 3
R3(config-if)#ip address 1.1.1.3 255.255.255.0
R3(config-if)#tunnel source loopback 0
R3(config-if)#tunnel destination 12.1.1.1
R3(config-if)#exit
Description: p2p GRE tunnel interface from R3 to R1 The number is 3, the tunnel address is 1.1.1.3, the source point of the tunnel is the Loopback 0 interface address 3.3.3.3, and the end point of the tunnel is the external network interface address of R1 12.1.1.1.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config )#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R1(cfg-crypto -trans)#exit
R1(config)#crypto dynamic-map ddd 10
R1(config-crypto-map)#set transform-set ccie
R1( config-crypto-map)#exit
R1(config)#crypto map mymap 10 ipsec-isakmp dynamic ddd
R1(config)#crypto map mymap local-address fastEthernet 0/0
R1(config)
#R1(config)#int f0/0
R1(config-if)#crypto map mymap
R1(config -if)#exit
*Mar 1 00:32:44.307: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)
#Description: static The configuration of IP side R1 is slightly different from that of Dynamic LAN-to-LAN ××× in that there is an additional command "crypto map mymap local-address fastEthernet 0/0" because the IOS version used in this experimental environment is higher than 12.2 (13)T, so Crypto map can only be applied on the physical interface and does not need to be applied on the GRE tunnel interface.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit
R3 (config)#crypto isakmp key 0 cisco123 address 12.1.1.1
R3(config)#crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R3(cfg-crypto- trans)#exit
R3(config)#access-list 100 permit gre host 3.3.3.3 host 12.1.1.1 R3(config)
#R3(config)#crypto map l2l 1 ipsec -isakmp
R3(config-crypto-map)#set peer 12.1.1.1
R3(config-crypto-map)#set transform-set ccie
R3( config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#crypto map l2l local-address f0/1
R3(config)#int f0/1
R3(config-if)#crypto map l2l
R3(config-if)
#*Mar 1 00 :32:58.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)
# Description: Dynamic IP side R3 and configuration are the same as ordinary LAN-to-LAN × The slight difference of ×× is that there is an additional command "crypto map l2l local-address f0/1". Because the IOS version used in this experimental environment is higher than 12.2(13)T, Crypto map is only under the physical interface. Just apply it and do not need to apply it under the GRE tunnel interface.
Note: No matter how traffic is sent, ISAKMP SA cannot be established because in a Dynamic p2p GRE over IPsec environment, data must be sent from the dynamic IP to the static IP side first, otherwise the GRE tunnel cannot be established, ××× can not complete.
Configuring dynamic routing protocol
The above is the detailed content of What is dynamic P2P-GRE based on IPsec?. For more information, please follow other related articles on the PHP Chinese website!