GNS3 配置Dynamic p2p GRE over IPsec

1、實驗拓撲

2、基礎網絡配置

R1配置：

ip dhcp excluded-address 13.1.1.1 13.1.1.2

ip dhcp pool net13

   network 13.1.1.0 255.255.255.0

   default-router 13.1.1.1 

interface FastEthernet0/0

 ip address 12.1.1.1 255.255.255.0

interface FastEthernet1/0

 ip address 13.1.1.1 255.255.255.0

R2配置：

interface FastEthernet0/0

 ip address 12.1.1.2 255.255.255.0

interface FastEthernet1/0

 ip address 172.16.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 12.1.1.1

R3配置：

interface Loopback0

 ip address 3.3.3.3 255.255.255.0

interface FastEthernet0/0

 ip address dhcp

interface FastEthernet1/0

 ip address 192.168.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 13.1.1.1

R4配置：

interface FastEthernet0/0

 ip address 172.16.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.16.1.254

R5配置：

interface FastEthernet0/0

 ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.254

3、配置Dynamic p2p GRE over IPsec

3.1、配置GRE

R2配置:

interface Tunnel2

 ip address 1.1.1.1 255.255.255.0

 tunnel source 12.1.1.2

 tunnel destination 3.3.3.3

ip route 3.3.3.3 255.255.255.255 12.1.1.1

這條路由必須配置，這是配置規則要求的

R3配置:

interface Tunnel3

 ip address 1.1.1.2 255.255.255.0

 tunnel source Loopback0

 tunnel destination 12.1.1.2

3.2、R2配置Dynamic LAN-to-LAN ×××（相對普通的Dynamic LAN-to-LAN ×××多了一條指令）

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set ccie esp-3des esp-sha-hmac 

crypto dynamic-map dymap 1

 set transform-set ccie 

crypto map mymap 1 ipsec-isakmp dynamic dymap （經測試，這條指令可以不寫）

crypto map mymap local-address FastEthernet0/0

interface FastEthernet0/0

 crypto map mymap

3.3、R3配置LAN-to-LAN ×××（與普通LAN-to-LAN ×××的ACL不同，多了一條指令）

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco123 address 12.1.1.2

crypto ipsec transform-set ccie esp-3des esp-sha-hmac 

access-list 100 permit gre 3.3.3.0 0.0.0.255 12.1.1.0 0.0.0.255

crypto map mymap 1 ipsec-isakmp 

 set peer 12.1.1.2

 set transform-set ccie 

 match address 100

crypto map mymap local-address FastEthernet0/0（經測試，這條指令可以不寫）

interface FastEthernet0/0

 crypto map mymap

3.4、配置動態路由協議（此時私網流量走的都是隧道。）

R2配置：

router ospf 1

 network 1.1.1.0 0.0.0.255 area 0

 network 172.16.1.0 0.0.0.255 area 0

R3配置：

router ospf 1

 network 1.1.1.0 0.0.0.255 area 0

 network 192.168.1.0 0.0.0.255 area 0

4、NAT對Dynamic p2p GRE over IPsec的影響與NAT對Static p2p GRE over IPsec的影響一樣