ip access-list extended perimeter
 permit udp host 192.1.1.20 host 192.1.1.40 eq 500
 permit esp host 192.1.1.20 host 192.1.1.40
 permit gre host 192.1.1.20 host 192.1.1.40
 deny ip any any
 exit

R2:
interface tunnel0
 ip address 192.168.3.2 255.255.255.0
 tunnel source s1/0
 tunnel destination 192.1.1.40
 exit
interface s1/0
 ip address 192.1.1.20 255.255.255.0
 ip access-group perimeter in
 exit
interface lo0
 ip address 192.168.2.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.1.40
router ospf 1
 network 192.168.2.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 1
 exit
ip access-list extended perimeter
 permit udp host 192.1.1.40 host 192.1.1.20 eq 500
 permit esp host 192.1.1.40 host 192.1.1.20
 permit gre host 192.1.1.40 host 192.1.1.20
 deny ip any any
 exit
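
As an added example (not part of the original post), a small Python check that an inbound perimeter ACL like the ones above permits IKE, ESP and GRE only from the tunnel peer to the local address. `audit_perimeter` is a hypothetical helper, `GOOD` is R2's ACL from this page, and `BAD` is a constructed variant with one mistyped source address.

```python
import re

# Traffic the page's perimeter ACL admits from the tunnel peer: IKE, ESP, GRE.
REQUIRED = {("udp", "500"), ("esp", None), ("gre", None)}
ENTRY = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+(?:host\s+(\S+)|any)"
    r"\s+(?:host\s+(\S+)|any)(?:\s+eq\s+(\S+))?\s*$"
)

def audit_perimeter(acl_text, local_ip, peer_ip):
    """Return findings for an inbound perimeter ACL (hypothetical helper)."""
    findings, seen = [], set()
    for line in acl_text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(1) != "permit":
            continue  # ACL header, exit and deny entries are not audited
        _, proto, src, dst, port = m.groups()
        if src != peer_ip or dst != local_ip:
            # "any" is captured as None and reported as broader than intended.
            findings.append(
                f"permit {proto} {src or 'any'} -> {dst or 'any'}: "
                f"expected {peer_ip} -> {local_ip}"
            )
            continue
        seen.add((proto, port))
    for proto, port in sorted(REQUIRED - seen, key=str):
        findings.append(f"missing permit for {proto}" + (f" eq {port}" if port else ""))
    return findings

# R2's ACL as given on the page.
GOOD = """\
ip access-list extended perimeter
 permit udp host 192.1.1.40 host 192.1.1.20 eq 500
 permit esp host 192.1.1.40 host 192.1.1.20
 permit gre host 192.1.1.40 host 192.1.1.20
 deny ip any any
 exit
"""
# Constructed variant with one mistyped source octet.
BAD = GOOD.replace("permit esp host 192.1.1.40", "permit esp host 193.1.1.40")

if __name__ == "__main__":
    print(audit_perimeter(GOOD, "192.1.1.20", "192.1.1.40"))
    for finding in audit_perimeter(BAD, "192.1.1.20", "192.1.1.40"):
        print(finding)
```

A mistyped peer address in a permit entry shows up twice: once as the mismatched entry and once as the protocol that the final deny would now drop.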
Once the GRE tunnel is established, IPsec can be configured:
Configuration on R1:
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 10
 encryption aes