EIGRP GRE over IPSec 通过中心和多个远程站点路由配置示例

下载选项

PDF (212.7 KB)
在各种设备上使用 Adobe Reader 查看
ePub (77.5 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
Mobi (Kindle) (78.7 KB)
在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看

已更新: 2008 年 1 月 14 日

文档 ID:17868

关于翻译

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言，希望全球的用户都能通过各自的语言得到支持性的内容。请注意：即使是最好的机器翻译，其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任，并建议您总是参考英文原始文档（已提供链接）。

简介

本文档说明如何配置 GRE over IPSec，实现中央站点向多个远程站点的路由。Cisco 7206 路由器为中央站点路由器，其他所有站点都通过 IPSec 与其连接。Cisco 2610、3620 及 3640 路由器为远程路由器。所有站点都能通过连接主站点的隧道到达 Cisco 7206 后的主网络及其他所有远程站点，路由更新将通过增强型内部网关路由协议 (EIGRP) 自动执行。

先决条件

本文档的开发和测试采用下列软件和硬件版本。

使用的组件

本文档中的信息基于以下软件和硬件版本：

运行 Cisco IOS® 软件版本 12.3(1) IK9S 的 Cisco 7206 路由器
运行 Cisco IOS 软件版本 12.3(1) IK9S 的 Cisco 2621XM 路由器
运行 Cisco IOS 软件版本 12.3(1) IK9S 的 Cisco 3640 路由器
运行 Cisco IOS 软件版本 12.3(1) IK9S 的 Cisco 3640 路由器

本文档中的信息都是基于特定实验室环境中的设备创建的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您是在真实网络上操作，请确保您在使用任何命令前已经了解其潜在影响。

规则

有关文档规则的详细信息，请参阅 Cisco 技术提示规则。

网络图

本文档使用以下网络设置：

配置

本过程将引导您对 IPSec 隧道进行配置，以通过中央站点与多个远程站点建立路由。本过程分为以下三个主要步骤。

配置通用路由封装 (GRE) 隧道
为 GRE 隧道配置加密
配置路由协议

配置 GRE 隧道

按照下列步骤配置 GRE 隧道：

从每个远程站点创建一个通往总部的 GRE 隧道。在 Cisco 7206 路由器上为每个远程站点设置隧道接口。

interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
!
interface Tunnel1
 ip address 192.168.46.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.40
!
interface Tunnel2
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.20

每条隧道的隧道源为 FastEthernet1/0 接口或用于互联网连接的接口。隧道目标为远程路由器的互联网接口的 IP 地址。每条隧道都应在未使用的不同子网中拥有一个 IP 地址。

在 Cisco 2610、3620 和 3640 路由器上配置 GRE 隧道。配置类似于 Cisco 7206 路由器。

Cisco 2610 路由器
```
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
```
Cisco 3620 路由器
```
interface Tunnel0
 ip address 192.168.26.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 14.36.88.6
```
Cisco 3640 路由器
```
interface Tunnel0
 ip address 192.168.46.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
```
每个远程路由器将使用其本地接口连接到互联网作为隧道源。远程路由器对应于 Cisco 7206 路由器上配置的隧道目标 IP 地址。每个远程路由器的隧道目标 IP 地址对应于连接到互联网的 Cisco 7206 路由器接口的 IP 地址。隧道接口的 IP 地址对应于和 Cisco 7206 路由器隧道接口相同子网上的 IP 地址。

确保每个远程路由器都能对隧道目标 IP 地址及主路由器的相应隧道接口执行 ping 操作。

此外，确保每个路由器都具有从中央站点路由器执行 ping 操作的能力。

Cisco 2610 路由器

vpn2610#ping 14.36.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
vpn2610#ping 192.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
vpn2610#

Cisco 3620 路由器

vpn3620#ping 14.38.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.38.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vpn3620#ping 192.168.26.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.26.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
vpn3620#

Cisco 3640 路由器

vpn3640#ping 14.36.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vpn3640#ping 192.168.46.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.46.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
vpn3640#

注意： 如果不是所有路由器都能对中心（集线器）路由器执行 ping 操作，请根据需要使用下列指南对各个连接进行故障排除。

远程路由器能否从公有 IP 到公有 IP 对中心路由器执行 ping 操作？
两个路由器之间是否有阻塞 GRE 的设备？（路由器上的防火墙和访问列表）
执行 show interface 命令时会显示隧道接口的哪些内容？

为 GRE 隧道配置加密

请完成下列步骤，为 GRE 隧道配置加密：

如果 GRE 隧道成功建立，请继续进行加密。首先，创建访问列表以定义加密数据流。

访问列表允许各路由器上本地 IP 地址的数据流发往另一端的 IP 地址。使用 show version 命令可显示缓存引擎正在运行的软件版本。

7206:
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10

2610:
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6

3620:
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6

3640:
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6

配置 Internet 安全连接和密钥管理协议 (ISAKMP) 策略、ISAKMP 密钥及 IPSec 转换集。

单条隧道两端的 ISAKMP 策略、密钥及 IPSec 转换集必须相互匹配。不需要所有隧道都使用相同的策略、密钥或转换集。在本示例中，为简单起见，所有隧道都使用相同的策略、密钥及转换集。

Cisco 7206 路由器

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport

Cisco 2610 路由器

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport

Cisco 3620 路由器

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport

Cisco 3640 路由器

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport

配置加密映射。中央站点对应每个连接都有一个单独的序列号。

Cisco 7206 路由器

crypto map vpn 10 ipsec-isakmp
 set peer 14.38.88.40
 set transform-set strong
 match address 130
crypto map vpn 20 ipsec-isakmp
 set peer 14.38.88.20
 set transform-set strong
 match address 140
crypto map vpn 30 ipsec-isakmp
 set peer 14.38.88.10
 set transform-set strong
 match address 150

Cisco 2610 路由器

crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 120

Cisco 3620 路由器

crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 110

Cisco 3640 路由器

crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 100

应用加密映射。应将此映射应用于发送数据包的隧道接口和物理接口。

Cisco 7206 路由器

interface Tunnel0
 crypto map vpn
interface Tunnel1
 crypto map vpn
interface Tunnel2
 crypto map vpn
interface FastEthernet1/0
 crypto map vpn

Cisco 2610 路由器

interface Tunnel0
 crypto map vpn
interface Ethernet0/0
 crypto map vpn

Cisco 3620 路由器

interface Tunnel0
 crypto map vpn
interface Ethernet1/0
 crypto map vpn

Cisco 3640 路由器

interface Tunnel0
 crypto map vpn
interface Ethernet0/0
 crypto map vpn

配置路由协议

要配置路由协议，请为所有站点配置自治系统编号，并指示路由协议 (EIGRP) 共享路由。仅 network 语句中包含的网络才可通过路由协议与其他路由器进行共享。参与路由共享的所有路由器中的自治系统编号必须相互匹配。在本示例中，为简单起见，所使用的网络可汇总为一个 network 语句。

Cisco 7206 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 2610 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 3620 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

Cisco 3640 路由器

router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes

示例配置

本文档使用下列示例配置：

Cisco 7206 路由器
Cisco 2610 路由器
Cisco 3620 路由器
Cisco 3640 路由器

Cisco 7206 路由器
no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname sec-7206 ! aaa new-model aaa authentication ppp default local ! username cisco password 0 cisco ! ! ! ! ip subnet-zero ip cef ! ip audit notify log ip audit po max-events 100 vpdn enable ! vpdn-group 1 ! Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication ! ! ! crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco123 address 0.0.0.0 ! ! crypto ipsec transform-set strong esp-3des esp-md5-hmac mode transport ! crypto map vpn 10 ipsec-isakmp set peer 14.38.88.40 set transform-set strong match address 130 crypto map vpn 20 ipsec-isakmp set peer 14.38.88.20 set transform-set strong match address 140 crypto map vpn 30 ipsec-isakmp set peer 14.38.88.10 set transform-set strong match address 150 ! ! ! ! ! ! interface Tunnel0 ip address 192.168.16.2 255.255.255.0 tunnel source FastEthernet1/0 tunnel destination 14.38.88.10 crypto map vpn ! interface Tunnel1 ip address 192.168.46.2 255.255.255.0 tunnel source FastEthernet1/0 tunnel destination 14.38.88.40 crypto map vpn ! interface Tunnel2 ip address 192.168.26.2 255.255.255.0 tunnel source FastEthernet1/0 tunnel destination 14.38.88.20 crypto map vpn ! interface FastEthernet0/0 no ip address no ip mroute-cache shutdown media-type MII half-duplex ! interface FastEthernet1/0 ip address 14.36.88.6 255.255.0.0 no ip mroute-cache half-duplex crypto map vpn ! interface Virtual-Template1 ip unnumbered FastEthernet1/0 peer default ip address pool test ppp authentication ms-chap ! router eigrp 60 network 192.168.0.0 0.0.255.255 auto-summary no eigrp log-neighbor-changes ! ip local pool test 10.0.7.1 10.0.7.254 ip default-gateway 14.36.1.1 ip classless ip route 0.0.0.0 0.0.0.0 14.36.1.1 no ip http server ! access-list 130 permit gre host 14.36.88.6 host 14.38.88.40 access-list 140 permit gre host 14.36.88.6 host 14.38.88.20 access-list 150 permit gre host 14.36.88.6 host 14.38.88.10 radius-server host 172.18.124.197 auth-port 1645 acct-port 1646 key cisco123 radius-server retransmit 3 ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 ! end sec-7206#

Cisco 7206 路由器

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sec-7206
!
aaa new-model
aaa authentication ppp default local
!
username cisco password 0 cisco
!
!
!
!
ip subnet-zero
ip cef
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0        
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.38.88.40
 set transform-set strong 
 match address 130
crypto map vpn 20 ipsec-isakmp   
 set peer 14.38.88.20
 set transform-set strong 
 match address 140
crypto map vpn 30 ipsec-isakmp   
 set peer 14.38.88.10
 set transform-set strong 
 match address 150
!
!
!
!
!
!
interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
 crypto map vpn
!
interface Tunnel1
 ip address 192.168.46.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.40
 crypto map vpn
!
interface Tunnel2
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.20
 crypto map vpn
!
interface FastEthernet0/0
 no ip address
 no ip mroute-cache
 shutdown
 media-type MII
 half-duplex
!
interface FastEthernet1/0
 ip address 14.36.88.6 255.255.0.0
 no ip mroute-cache
 half-duplex
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool test
 ppp authentication ms-chap
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip local pool test 10.0.7.1 10.0.7.254
ip default-gateway 14.36.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 14.36.1.1
no ip http server
!
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
radius-server host 172.18.124.197 auth-port 1645 acct-port 
1646 key cisco123
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sec-7206#

Cisco 2610 路由器
service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname vpn2610 ! ! ip subnet-zero ip cef ! ! ! ip ssh time-out 120 ip ssh authentication-retries 3 ! crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set strong esp-3des esp-md5-hmac mode transport ! crypto map vpn 10 ipsec-isakmp set peer 14.36.88.6 set transform-set strong match address 120 ! call rsvp-sync ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.10.1 255.255.255.0 ! interface Tunnel0 ip address 192.168.16.1 255.255.255.0 tunnel source Ethernet0/0 tunnel destination 14.36.88.6 crypto map vpn ! interface Ethernet0/0 ip address 14.38.88.10 255.255.0.0 half-duplex crypto map vpn ! interface Serial0/0 no ip address shutdown no fair-queue ! interface Ethernet0/1 ip address dhcp half-duplex ! interface Serial1/0 no ip address shutdown ! interface Serial1/1 no ip address shutdown ! interface Serial1/2 no ip address shutdown ! interface Serial1/3 no ip address shutdown ! interface Serial1/4 no ip address shutdown ! interface Serial1/5 no ip address shutdown ! interface Serial1/6 no ip address shutdown ! interface Serial1/7 no ip address shutdown ! router eigrp 60 network 192.168.0.0 0.0.255.255 auto-summary no eigrp log-neighbor-changes ! ip classless ip route 0.0.0.0 0.0.0.0 14.38.1.1 ip http server ! access-list 120 permit gre host 14.38.88.10 host 14.36.88.6 ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login line vty 5 15 login ! end vpn2610#

Cisco 2610 路由器

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2610
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.36.88.6
 set transform-set strong 
 match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.10 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address dhcp
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
line vty 5 15
 login
!
end

vpn2610#

Cisco 3620 路由器
service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname vpn3620 ! ! ip subnet-zero ip cef ! ! ! ip ssh time-out 120 ip ssh authentication-retries 3 ! crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set strong esp-3des esp-md5-hmac mode transport ! crypto map vpn 10 ipsec-isakmp set peer 14.36.88.6 set transform-set strong match address 110 ! call rsvp-sync ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.20.1 255.255.255.0 ! interface Tunnel0 ip address 192.168.26.1 255.255.255.0 tunnel source Ethernet1/0 tunnel destination 14.36.88.6 crypto map vpn ! interface Ethernet1/0 ip address 14.38.88.20 255.255.0.0 half-duplex crypto map vpn ! interface TokenRing1/0 no ip address shutdown ring-speed 16 ! router eigrp 60 network 192.168.0.0 0.0.255.255 auto-summary no eigrp log-neighbor-changes ! ip classless ip route 0.0.0.0 0.0.0.0 14.38.1.1 ip http server ! access-list 110 permit gre host 14.38.88.20 host 14.36.88.6 ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login ! end vpn3620#

Cisco 3620 路由器

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3620
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.36.88.6
 set transform-set strong 
 match address 110
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.26.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet1/0
 ip address 14.38.88.20 255.255.0.0
 half-duplex
 crypto map vpn
!
interface TokenRing1/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end

vpn3620#

Cisco 3640 路由器
service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname vpn3640 ! ! ip subnet-zero ip cef ! ! ! ip ssh time-out 120 ip ssh authentication-retries 3 ! crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set strong esp-3des esp-md5-hmac mode transport ! crypto map vpn 10 ipsec-isakmp set peer 14.36.88.6 set transform-set strong match address 100 ! call rsvp-sync ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.40.1 255.255.255.0 ! interface Tunnel0 ip address 192.168.46.1 255.255.255.0 tunnel source Ethernet0/0 tunnel destination 14.36.88.6 crypto map vpn ! interface Ethernet0/0 ip address 14.38.88.40 255.255.0.0 half-duplex crypto map vpn ! interface Ethernet0/1 no ip address shutdown half-duplex ! interface Ethernet1/0 no ip address shutdown half-duplex ! interface Ethernet1/1 no ip address shutdown half-duplex ! interface Ethernet1/2 no ip address shutdown half-duplex ! interface Ethernet1/3 no ip address shutdown half-duplex ! interface Ethernet3/0 no ip address shutdown half-duplex ! interface TokenRing3/0 no ip address shutdown ring-speed 16 ! router eigrp 60 network 192.168.0.0 0.0.255.255 auto-summary no eigrp log-neighbor-changes ! ip classless ip route 0.0.0.0 0.0.0.0 14.38.1.1 ip http server ! access-list 100 permit gre host 14.38.88.40 host 14.36.88.6 ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 ! end vpn3640#

Cisco 3640 路由器

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
 mode transport
!
crypto map vpn 10 ipsec-isakmp   
 set peer 14.36.88.6
 set transform-set strong 
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.46.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.40 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
interface Ethernet3/0
 no ip address
 shutdown
 half-duplex
!
interface TokenRing3/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

vpn3640#

验证

本部分所提供的信息可用于确认您的配置是否正常工作。

命令输出解释程序工具（仅限注册用户）支持某些 show 命令，使用此工具可以查看对 show 命令输出的分析。

show ip route — 使用此命令可以确保通过路由协议来获知路由。

Cisco 7206 路由器

sec-7206#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.36.1.1 to network 0.0.0.0
C    192.168.46.0/24 is directly connected, Tunnel1
D    192.168.10.0/24 [90/297372416] via 192.168.16.1, 05:53:23, Tunnel0
D    192.168.40.0/24 [90/297372416] via 192.168.46.1, 05:53:23, Tunnel1
C    192.168.26.0/24 is directly connected, Tunnel2
D    192.168.20.0/24 [90/297372416] via 192.168.26.1, 05:53:21, Tunnel2
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.36.0.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 14.36.1.1
sec-7206#

Cisco 2610 路由器

vpn2610#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
D    192.168.46.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
C    192.168.10.0/24 is directly connected, Loopback0
D    192.168.40.0/24 [90/310172416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.26.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.16.2, 05:53:53, Tunnel0
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn2610#

Cisco 3620 路由器

vpn3620#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
D    192.168.46.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.40.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
C    192.168.26.0/24 is directly connected, Tunnel0
C    192.168.20.0/24 is directly connected, Loopback0
D    192.168.16.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3620#

Cisco 3640 路由器

vpn3640#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 14.38.1.1 to network 0.0.0.0
C    192.168.46.0/24 is directly connected, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.46.2, 05:54:32, Tunnel0
C    192.168.40.0/24 is directly connected, Loopback0
D    192.168.26.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.46.2, 05:54:30, Tunnel0
D    192.168.16.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3640#

注意： Cisco 7206 路由器中装有集成服务适配器 (ISA) 卡，因此传递路由更新时可能需要禁用 Cisco 快速转发 (CEF)。

故障排除

目前没有针对此配置的故障排除信息。

EIGRP GRE over IPSec 通过中心和多个远程站点路由配置示例

下载选项

关于此翻译

目录

简介

先决条件

先决条件

使用的组件

规则

网络图

配置

配置 GRE 隧道

为 GRE 隧道配置加密

配置路由协议

示例配置

验证

故障排除

相关信息

此文档是否有帮助?

联系我们

相关的思科社区讨论

本文档适用于以下产品