EIGRP GRE over IPSec 通过中心和多个远程站点路由配置示例

简介

本文档说明如何配置 GRE over IPSec，实现中央站点向多个远程站点的路由。Cisco 7206 路由器为中央站点路由器，其他所有站点都通过 IPSec 与其连接。Cisco 2610、3620 及 3640 路由器为远程路由器。所有站点都能通过连接主站点的隧道到达 Cisco 7206 后的主网络及其他所有远程站点，路由更新将通过增强型内部网关路由协议 (EIGRP) 自动执行。

先决条件

先决条件

本文档的开发和测试采用下列软件和硬件版本。

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 运行 Cisco IOS® 软件版本 12.3(1) IK9S 的 Cisco 7206 路由器

• 运行 Cisco IOS 软件版本 12.3(1) IK9S 的 Cisco 2621XM 路由器

• 运行 Cisco IOS 软件版本 12.3(1) IK9S 的 Cisco 3640 路由器

• 运行 Cisco IOS 软件版本 12.3(1) IK9S 的 Cisco 3640 路由器

本文档中的信息都是基于特定实验室环境中的设备创建的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您是在真实网络上操作，请确保您在使用任何命令前已经了解其潜在影响。

规则

有关文档规则的详细信息，请参阅 Cisco 技术提示规则。

网络图

本文档使用以下网络设置：

配置

本过程将引导您对 IPSec 隧道进行配置，以通过中央站点与多个远程站点建立路由。本过程分为以下三个主要步骤。

• 配置通用路由封装 (GRE) 隧道

• 为 GRE 隧道配置加密

• 配置路由协议

配置 GRE 隧道

按照下列步骤配置 GRE 隧道：

1. 从每个远程站点创建一个通往总部的 GRE 隧道。在 Cisco 7206 路由器上为每个远程站点设置隧道接口。

   interface Tunnel0
    ip address 192.168.16.2 255.255.255.0
    tunnel source FastEthernet1/0
    tunnel destination 14.38.88.10
   !
   interface Tunnel1
    ip address 192.168.46.2 255.255.255.0
    tunnel source FastEthernet1/0
    tunnel destination 14.38.88.40
   !
   interface Tunnel2
    ip address 192.168.26.2 255.255.255.0
    tunnel source FastEthernet1/0
    tunnel destination 14.38.88.20

   每条隧道的隧道源为 FastEthernet1/0 接口或用于互联网连接的接口。隧道目标为远程路由器的互联网接口的 IP 地址。每条隧道都应在未使用的不同子网中拥有一个 IP 地址。

2. 在 Cisco 2610、3620 和 3640 路由器上配置 GRE 隧道。配置类似于 Cisco 7206 路由器。

   Cisco 2610 路由器

   interface Tunnel0
    ip address 192.168.16.1 255.255.255.0
    tunnel source Ethernet0/0
    tunnel destination 14.36.88.6

   Cisco 3620 路由器

   interface Tunnel0
    ip address 192.168.26.1 255.255.255.0
    tunnel source Ethernet1/0
    tunnel destination 14.36.88.6

   Cisco 3640 路由器

   interface Tunnel0
    ip address 192.168.46.1 255.255.255.0
    tunnel source Ethernet0/0
    tunnel destination 14.36.88.6

   每个远程路由器将使用其本地接口连接到互联网作为隧道源。远程路由器对应于 Cisco 7206 路由器上配置的隧道目标 IP 地址。每个远程路由器的隧道目标 IP 地址对应于连接到互联网的 Cisco 7206 路由器接口的 IP 地址。隧道接口的 IP 地址对应于和 Cisco 7206 路由器隧道接口相同子网上的 IP 地址。

3. 确保每个远程路由器都能对隧道目标 IP 地址及主路由器的相应隧道接口执行 ping 操作。

   此外，确保每个路由器都具有从中央站点路由器执行 ping 操作的能力。

   Cisco 2610 路由器

   vpn2610#ping 14.36.88.6
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
   vpn2610#ping 192.168.16.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
   vpn2610#

   Cisco 3620 路由器

   vpn3620#ping 14.38.88.6
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 14.38.88.6, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
   vpn3620#ping 192.168.26.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 192.168.26.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
   vpn3620#

   Cisco 3640 路由器

   vpn3640#ping 14.36.88.6
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
   vpn3640#ping 192.168.46.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 192.168.46.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
   vpn3640#

   注意： 如果不是所有路由器都能对中心（集线器）路由器执行 ping 操作，请根据需要使用下列指南对各个连接进行故障排除。

   • 远程路由器能否从公有 IP 到公有 IP 对中心路由器执行 ping 操作？

   • 两个路由器之间是否有阻塞 GRE 的设备？（路由器上的防火墙和访问列表）

   • 执行 show interface 命令时会显示隧道接口的哪些内容？

为 GRE 隧道配置加密

请完成下列步骤，为 GRE 隧道配置加密：

1. 如果 GRE 隧道成功建立，请继续进行加密。首先，创建访问列表以定义加密数据流。

   访问列表允许各路由器上本地 IP 地址的数据流发往另一端的 IP 地址。使用 show version 命令可显示缓存引擎正在运行的软件版本。

   7206:
   access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
   access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
   access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
   
   2610:
   access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
   
   3620:
   access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
   
   3640:
   access-list 100 permit gre host 14.38.88.40 host 14.36.88.6

2. 配置 Internet 安全连接和密钥管理协议 (ISAKMP) 策略、ISAKMP 密钥及 IPSec 转换集。

   单条隧道两端的 ISAKMP 策略、密钥及 IPSec 转换集必须相互匹配。不需要所有隧道都使用相同的策略、密钥或转换集。在本示例中，为简单起见，所有隧道都使用相同的策略、密钥及转换集。

   Cisco 7206 路由器

   crypto isakmp policy 1
    authentication pre-share
   crypto isakmp key cisco123 address 0.0.0.0
   !
   crypto ipsec transform-set strong esp-3des esp-md5-hmac
    mode transport

   Cisco 2610 路由器

   crypto isakmp policy 1
    authentication pre-share
   crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set strong esp-3des esp-md5-hmac
    mode transport

   Cisco 3620 路由器

   crypto isakmp policy 1
    authentication pre-share
   crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set strong esp-3des esp-md5-hmac
    mode transport

   Cisco 3640 路由器

   crypto isakmp policy 1
    authentication pre-share
   crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set strong esp-3des esp-md5-hmac
    mode transport

3. 配置加密映射。中央站点对应每个连接都有一个单独的序列号。

   Cisco 7206 路由器

   crypto map vpn 10 ipsec-isakmp
    set peer 14.38.88.40
    set transform-set strong
    match address 130
   crypto map vpn 20 ipsec-isakmp
    set peer 14.38.88.20
    set transform-set strong
    match address 140
   crypto map vpn 30 ipsec-isakmp
    set peer 14.38.88.10
    set transform-set strong
    match address 150

   Cisco 2610 路由器

   crypto map vpn 10 ipsec-isakmp
    set peer 14.36.88.6
    set transform-set strong
    match address 120

   Cisco 3620 路由器

   crypto map vpn 10 ipsec-isakmp
    set peer 14.36.88.6
    set transform-set strong
    match address 110

   Cisco 3640 路由器

   crypto map vpn 10 ipsec-isakmp
    set peer 14.36.88.6
    set transform-set strong
    match address 100

4. 应用加密映射。应将此映射应用于发送数据包的隧道接口和物理接口。

   Cisco 7206 路由器

   interface Tunnel0
    crypto map vpn
   interface Tunnel1
    crypto map vpn
   interface Tunnel2
    crypto map vpn
   interface FastEthernet1/0
    crypto map vpn

   Cisco 2610 路由器

   interface Tunnel0
    crypto map vpn
   interface Ethernet0/0
    crypto map vpn

   Cisco 3620 路由器

   interface Tunnel0
    crypto map vpn
   interface Ethernet1/0
    crypto map vpn

   Cisco 3640 路由器

   interface Tunnel0
    crypto map vpn
   interface Ethernet0/0
    crypto map vpn

配置路由协议

要配置路由协议，请为所有站点配置自治系统编号，并指示路由协议 (EIGRP) 共享路由。仅 network 语句中包含的网络才可通过路由协议与其他路由器进行共享。参与路由共享的所有路由器中的自治系统编号必须相互匹配。在本示例中，为简单起见，所使用的网络可汇总为一个 network 语句。

Cisco 7206 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 2610 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 3620 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 3640 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

示例配置

本文档使用下列示例配置：

• Cisco 7206 路由器

• Cisco 2610 路由器

• Cisco 3620 路由器

• Cisco 3640 路由器

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sec-7206
!
aaa new-model
aaa authentication ppp default local
!
username cisco password 0 cisco
!
!
!
!
ip subnet-zero
ip cef
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0        
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.38.88.40
 set transform-set strong 
 match address 130
crypto map vpn 20 ipsec-isakmp   
 set peer 14.38.88.20
 set transform-set strong 
 match address 140
crypto map vpn 30 ipsec-isakmp   
 set peer 14.38.88.10
 set transform-set strong 
 match address 150
!
!
!
!
!
!
interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
 crypto map vpn
!
interface Tunnel1
 ip address 192.168.46.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.40
 crypto map vpn
!
interface Tunnel2
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.20
 crypto map vpn
!
interface FastEthernet0/0
 no ip address
 no ip mroute-cache
 shutdown
 media-type MII
 half-duplex
!
interface FastEthernet1/0
 ip address 14.36.88.6 255.255.0.0
 no ip mroute-cache
 half-duplex
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool test
 ppp authentication ms-chap
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip local pool test 10.0.7.1 10.0.7.254
ip default-gateway 14.36.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 14.36.1.1
no ip http server
!
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
radius-server host 172.18.124.197 auth-port 1645 acct-port 
1646 key cisco123
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sec-7206#

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2610
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.36.88.6
 set transform-set strong 
 match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.10 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address dhcp
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
line vty 5 15
 login
!
end

vpn2610#

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3620
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.36.88.6
 set transform-set strong 
 match address 110
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.26.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet1/0
 ip address 14.38.88.20 255.255.0.0
 half-duplex
 crypto map vpn
!
interface TokenRing1/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end

vpn3620#

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.36.88.6
 set transform-set strong 
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.46.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.40 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
interface Ethernet3/0
 no ip address
 shutdown
 half-duplex
!
interface TokenRing3/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

vpn3640# 

验证

本部分所提供的信息可用于确认您的配置是否正常工作。

命令输出解释程序工具（仅限注册用户）支持某些 show 命令，使用此工具可以查看对 show 命令输出的分析。

• show ip route — 使用此命令可以确保通过路由协议来获知路由。

Cisco 7206 路由器

sec-7206#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.36.1.1 to network 0.0.0.0
C    192.168.46.0/24 is directly connected, Tunnel1
D    192.168.10.0/24 [90/297372416] via 192.168.16.1, 05:53:23, Tunnel0
D    192.168.40.0/24 [90/297372416] via 192.168.46.1, 05:53:23, Tunnel1
C    192.168.26.0/24 is directly connected, Tunnel2
D    192.168.20.0/24 [90/297372416] via 192.168.26.1, 05:53:21, Tunnel2
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.36.0.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 14.36.1.1
sec-7206#

Cisco 2610 路由器

vpn2610#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
D    192.168.46.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
C    192.168.10.0/24 is directly connected, Loopback0
D    192.168.40.0/24 [90/310172416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.26.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.16.2, 05:53:53, Tunnel0
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn2610#

Cisco 3620 路由器

vpn3620#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
D    192.168.46.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.40.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
C    192.168.26.0/24 is directly connected, Tunnel0
C    192.168.20.0/24 is directly connected, Loopback0
D    192.168.16.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3620#

Cisco 3640 路由器

vpn3640#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
C    192.168.46.0/24 is directly connected, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.46.2, 05:54:32, Tunnel0
C    192.168.40.0/24 is directly connected, Loopback0
D    192.168.26.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.46.2, 05:54:30, Tunnel0
D    192.168.16.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3640#

注意： Cisco 7206 路由器中装有集成服务适配器 (ISA) 卡，因此传递路由更新时可能需要禁用 Cisco 快速转发 (CEF)。

故障排除

目前没有针对此配置的故障排除信息。

相关信息

• IPSec 支持页面
• 技术支持 - Cisco Systems