二者结合的目的
GRE 支持单播、组播、广播,IPSec 仅支持单播。GRE 不支持对于数据完整性以及身份认证的验证功能,并且也不具备数据加密保护。而 IPSec 恰恰拥有强大的安全机制。达到了互补的功效!
实验拓扑
各路由器配置
R1
sysname R1
ipsec proposal lance-proposal
esp authentication-algorithm sha1
ike peer lance-peer v2
pre-shared-key cipher huawei
ipsec profile lance
ike-peer lance-peer
proposal lance-proposal
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 202.100.1.1 255.255.255.0
interface Tunnel0/0/0
ip address 123.1.1.1 255.255.255.0
tunnel-protocol gre
source 202.100.1.1
destination 61.128.1.1
gre key 1234
ipsec profile lance
ip route-static 61.128.1.0 255.255.255.0 202.100.1.10
R2
sysname R2
interface GigabitEthernet0/0/0
ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet0/0/1
ip address 61.128.1.10 255.255.255.0
R3
sysname R3
ipsec proposal lance-proposal
esp authentication-algorithm sha1
ike peer lance-peer v2
pre-shared-key cipher huawei
ipsec profile lance
ike-peer lance-peer
proposal lance-proposal
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 61.128.1.1 255.255.255.0
interface Tunnel0/0/0
ip address 123.1.1.2 255.255.255.0
tunnel-protocol gre
source 61.128.1.1
destination 202.100.1.1
gre key 1234
ipsec profile lance
ip route-static 0.0.0.0 0.0.0.0 61.128.1.10
抓包结果
