09-26-2016 01:46 PM - editado 03-21-2019 06:22 PM
Buenas a todos,
Necesito una ayuda, estoy queriendo realizar una configuración ipsec y tunnel gre entre dos equipos distantes, me podrían indicar como puedo realizar las configuraciones por favor estaria muy agradecido por la ayuda que me brinden o una buena explicacion de como hacer.
Gracias de ante mano.
el 10-20-2016 02:54 PM
Alejandro;
Que dispositivos son?
Saludos;
Mike.
el 12-27-2016 05:28 PM
Hola, aqui te dejo un excelente ejemplo extraido de la pagina de Cisco que podra ayudarte a configurar Gre over Ipsec, espero te ayude
This document uses these configurations.
Daphne Configuration |
---|
version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname daphne ! boot-start-marker boot-end-marker ! enable secret 5 $1$r2sh$XKZR118vcId11ZGzhbz5C/ ! no aaa new-model ip subnet-zero ! ! !--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface. ip inspect name myfw tcp ip inspect name myfw udp ip inspect name myfw ftp ip inspect name myfw realaudio ip inspect name myfw smtp ip inspect name myfw streamworks ip inspect name myfw vdolive ip inspect name myfw tftp ip inspect name myfw rcmd ip inspect name myfw http ip telnet source-interface FastEthernet0/0 ! ip audit notify log ip audit po max-events 100 no ftp-server write-enable ! !--- This is the IPsec configuration. ! crypto isakmp policy 10 authentication pre-share crypto isakmp key ciscokey address 192.168.2.2 ! ! crypto ipsec transform-set to_fred esp-des esp-md5-hmac ! crypto map myvpn 10 ipsec-isakmp set peer 192.168.2.2 set transform-set to_fred match address 101 ! ! ! ! ! !--- This is one end of the GRE tunnel. ! interface Tunnel0 ip address 192.168.3.1 255.255.255.0 !--- Associate the tunnel with the physical interface. tunnel source FastEthernet0/1 tunnel destination 192.168.2.2 !--- This is the internal network. interface FastEthernet0/0 ip address 10.0.0.2 255.255.255.0 ip nat inside speed 100 full-duplex ! !--- This is the external interface and one end of the GRE tunnel. interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip access-group 103 in ip nat outside ip inspect myfw out speed 100 full-duplex crypto map myvpn ! !--- Define the NAT pool. ip nat pool ourpool 192.168.1.10 192.168.1.20 netmask 255.255.255.0 ip nat inside source route-map nonat pool ourpool overload ip classless ip route 0.0.0.0 0.0.0.0 192.168.1.2 !--- Force the private network traffic into the tunnel. - ip route 172.16.1.0 255.255.255.0 192.168.3.2 ip http server no ip http secure-server ! ! !--- All traffic that enters the GRE tunnel is encrypted by IPsec. !--- Other ACE statements are not necessary. access-list 101 permit gre host 192.168.1.1 host 192.168.2.2 !--- Access list for security reasons. Allow !--- IPsec and GRE traffic between the private networks. access-list 103 permit gre host 192.168.2.2 host 192.168.1.1 access-list 103 permit esp host 192.168.2.2 host 192.168.1.1 access-list 103 permit udp host 192.168.2.2 eq isakmp host 192.168.1.1 access-list 103 deny ip any any log !--- See the Background Information section if you use !--- a Cisco IOS Software release earlier than 12.1.4 for access list 103. access-list 175 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255 access-list 175 permit ip 10.0.0.0 0.0.0.255 any !--- Use access list in route-map to address what to NAT. route-map nonat permit 10 match ip address 175 ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 password ww login ! ! end |
Fred Configuration |
---|
version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname fred ! enable secret 5 $1$AtxD$MycLGaJvF/tAIFXkikCes1 ! ip subnet-zero ! ! ip telnet source-interface FastEthernet0/0 ! ip inspect name myfw tcp ip inspect name myfw udp ip inspect name myfw ftp ip inspect name myfw realaudio ip inspect name myfw smtp ip inspect name myfw streamworks ip inspect name myfw vdolive ip inspect name myfw tftp ip inspect name myfw rcmd ip inspect name myfw http ip audit notify log ip audit po max-events 100 ! crypto isakmp policy 10 authentication pre-share - crypto isakmp key ciscokey address 192.168.1.1 ! ! crypto ipsec transform-set to_daphne esp-des esp-md5-hmac ! crypto map myvpn 10 ipsec-isakmp set peer 192.168.1.1 set transform-set to_daphne match address 101 ! call rsvp-sync ! ! ! ! ! ! ! ! interface Tunnel0 - ip address 192.168.3.2 255.255.255.0 tunnel source FastEthernet0/1 - tunnel destination 192.168.1.1 ! interface FastEthernet0/0 ip address 172.16.1.1 255.255.255.0 ip nat inside speed 100 full-duplex ! interface Serial0/0 no ip address clockrate 2000000 ! interface FastEthernet0/1 ip address 192.168.2.2 255.255.255.0 ip access-group 103 in ip nat outside ip inspect myfw out speed 100 full-duplex crypto map myvpn ! !--- Output is supressed. ! ip nat pool ourpool 192.168.2.10 192.168.2.20 netmask 255.255.255.0 ip nat inside source route-map nonat pool ourpool overload ip classless ip route 0.0.0.0 0.0.0.0 192.168.2.1 ip route 10.0.0.0 255.255.255.0 192.168.3.1 ip http server ! access-list 101 permit gre host 192.168.2.2 host 192.168.1.1 access-list 103 permit gre host 192.168.1.1 host 192.168.2.2 access-list 103 permit udp host 192.168.1.1 eq isakmp host 192.168.2.2 access-list 103 permit esp host 192.168.1.1 host 192.168.2.2 access-list 175 deny ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 175 permit ip 172.16.1.0 0.0.0.255 any route-map nonat permit 10 match ip address 175 ! ! ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 password ww login ! end |
Descubra y salve sus notas favoritas. Vuelva a encontrar las respuestas de los expertos, guías paso a paso, temas recientes y mucho más.
¿Es nuevo por aquí? Empiece con estos tips. Cómo usar la comunidad Guía para nuevos miembros
Navegue y encuentre contenido personalizado de la comunidad