GRE over IPSec configuration (DCR -- H3C)

Source: Internet | Editor: 程序博客网 | Date: 2024/04/29 13:06

1. DCR configuration

// Set up a loopback address, to cope with the access end having a dynamic address
R-config#show run
Building configuration...
Current configuration:
!
hostname R
!
isdn switch-type basic-5ess
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
aaa authorization network default local
!
username admin password 0 12345
!
enable password 0 smarteye level 15
!
crypto isakmp key 0 12345 address 10.170.3.0 255.255.255.0
crypto isakmp key 0 12345 address 10.217.250.0 255.255.255.0
crypto isakmp nat keepalive 20
crypto isakmp policy 1
 authentication pre-share
 lifetime 86400
!
crypto ipsec transform-set TS_TP0_1 esp-3des esp-md5-hmac
!
crypto dynamic-map DYN_TP0_1 1
 set security-association lifetime seconds 86400
 set transform-set TS_TP0_1
 Insert access-list extended NAT_WAN0_LIST rule deny
!
crypto map IPSEC_TUNNEL_TP0 1 ipsec-isakmp dynamic DYN_TP0_1
!
crypto key load-keyconf end
!
interface Null0
!
interface Tunnel0
 mtu 1376
 ip address 192.200.254.1 255.255.255.252
 no ip directed-broadcast
 tunnel source GigaEthernet0/0
 tunnel destination 128.8.8.8
 keepalive period 10
 tunnel speed-up
!
interface GigaEthernet0/0
 mtu 1400
 ip address 192.200.253.2 255.255.255.0
 ip tcp adjust-mss 1200
 no ip directed-broadcast
 ip http firewalltype 0
 crypto map IPSEC_TUNNEL_TP0
!
interface GigaEthernet0/1
 ip address 172.200.253.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 no ip directed-broadcast
 ip http firewalltype 0
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
interface Async20/0
 no ip address
 no ip directed-broadcast
!
ip route cache
ip route default 192.200.253.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
dial-peer terminator #
dial-peer auto-terminated 3
!
dsp-kernel-ver g729
!
sipua-cfg
 sipua keepAlive 60
 shutdown
!
gbsc app-ctrl priority onlinegames all
no gbsc app-ctrl drop onlinegames all
gbsc group default
!
gbsc pushto mode text
no gbsc filter-url enable
gbsc filter-url mode forbid
no gbsc filter-key enable
gbsc record-filter-url enable
!
ip access-list extended NAT_WAN0_LIST
!
ip access-list extended vpn1
!
ip http ispmode 1
ip http server
ip http language chinese
ip http timeout 10
ip http set-name-value 0
!
no ip proxy enable
ip proxy redirect
!

2. H3C configuration

// Use the loopback as the GRE address, because the WAN address is dynamic
<H3C>dis cu
#
 version 5.20, Release 2514P14
#
 sysname H3C
#
 domain default enable system
#
 telnet server enable
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 port-security enable
#
 password-recovery enable
#
acl number 3000
 rule 5 permit ip source 128.8.8.8 0 destination 192.200.253.2 0
acl number 3001
 rule 5 deny ip destination 172.200.253.0 0.0.0.255
 rule 10 permit ip
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 1 192.168.1.2 192.168.1.100
#
ike proposal 1
#
ike peer vpn
 proposal 1
 pre-shared-key cipher $c$3$Uzit1ieJJ+tyj/xwj4gxbYWdXSoT3thPOyry
 remote-address 192.200.253.2
 nat traversal
#
ipsec transform-set vpn
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ipsec policy vpn 1 isakmp
 connection-name vpn
 security acl 3000
 ike-peer vpn
 transform-set vpn
#
dhcp server ip-pool 1
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$40gC1cxf/wIJNa1ufFPJsjKAof+QP5aV
 authorization-attribute level 3
 service-type telnet
 service-type web
#
wlan rrm
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 crypto
 ssid ChinaNet-wlan
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
cwmp
 undo cwmp enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 128.8.8.8 255.255.255.255
#
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-mode route
#
interface GigabitEthernet0/1
 port link-mode bridge
#
interface GigabitEthernet0/2
 port link-mode bridge
#
interface GigabitEthernet0/3
 port link-mode bridge
#
interface GigabitEthernet0/4
 port link-mode bridge
#
interface Cellular-Ethernet2/0
 mtu 1400
 ip address cellular-allocated
 tcp mss 1200
 dialer enable-circular
 dialer-group 1
 dialer timer idle 0
 dialer timer autodial 5
 dialer number *99# autodial
 nat outbound 3001
 ipsec policy vpn
#
interface Tunnel0
 ip address 192.200.254.2 255.255.255.252
 source LoopBack0
 destination 192.200.253.2
 keepalive 10 3
#
interface WLAN-BSS31
 port link-type hybrid
 port hybrid vlan 1 untagged
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher $c$3$HifQCK1SwKYALDZ+IzsznpHZ0IwrS7sCob5B
#
interface WLAN-BSS32
 port link-type hybrid
 port hybrid vlan 1 untagged
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher $c$3$HifQCK1SwKYALDZ+IzsznpHZ0IwrS7sCob5B
#
interface WLAN-Radio3/0
 service-template 1 interface wlan-bss 31
#
 ip route-static 0.0.0.0 0.0.0.0 Cellular-Ethernet2/0
 ip route-static 172.200.253.0 255.255.255.0 Tunnel0
#
 dhcp enable
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
<H3C>
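The two dumps above only work together if a handful of values mirror each other: the DCR's tunnel destination (128.8.8.8) must be the H3C LoopBack0 address that Tunnel0 uses as its source, the H3C's tunnel destination must be the DCR's GigaEthernet0/0 address (192.200.253.2), the ESP transforms must agree (3DES/MD5 on both ends), acl 3000 on the H3C must select exactly that loopback-to-DCR GRE flow so it is carried inside IPsec, and the two Tunnel0 addresses must sit in the same /30. The script below is an added example, not part of the original post and not vendor tooling: it parses constructed excerpts of both configs (lines copied from the dumps above), extracts those parameters and cross-checks them, reporting mismatches as errors and the legacy 3DES/MD5 choice as a warning. All function names and the excerpt strings are my own construction.

```python
"""Cross-check the DCR and H3C ends of a GRE over IPsec tunnel.

Added example, not from the original post. It parses excerpts of the two
running configs shown above and verifies what the tunnel depends on: the
outer GRE endpoints mirror each other, the ESP transforms match, the IPsec
ACL on the H3C selects the GRE flow, and Tunnel0 on both ends shares a /30.
"""
import ipaddress
import re

# Constructed excerpts: only the lines the checks need, copied from the
# DCR and H3C dumps above (one-space indentation as in both CLIs).
DCR_CFG = """\
crypto ipsec transform-set TS_TP0_1 esp-3des esp-md5-hmac
interface Tunnel0
 mtu 1376
 ip address 192.200.254.1 255.255.255.252
 tunnel source GigaEthernet0/0
 tunnel destination 128.8.8.8
interface GigaEthernet0/0
 mtu 1400
 ip address 192.200.253.2 255.255.255.0
 crypto map IPSEC_TUNNEL_TP0
"""

H3C_CFG = """\
acl number 3000
 rule 5 permit ip source 128.8.8.8 0 destination 192.200.253.2 0
ipsec transform-set vpn
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
interface LoopBack0
 ip address 128.8.8.8 255.255.255.255
interface Tunnel0
 ip address 192.200.254.2 255.255.255.252
 source LoopBack0
 destination 192.200.253.2
"""

LEGACY_ALGORITHMS = {"des", "3des", "md5"}


def parse_blocks(cfg):
    """Split a CLI dump into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() in ("!", "#"):
            continue  # blank lines and section separators carry nothing
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def find_block(blocks, prefix):
    """Return the first (header, body) whose header starts with prefix."""
    for header, body in blocks:
        if header.startswith(prefix):
            return header, body
    raise KeyError(prefix)


def child(body, prefix):
    """Return the last word of the first child line starting with prefix."""
    return next(line.split()[-1] for line in body if line.startswith(prefix))


def iface_ip(blocks, name):
    """Return (address, mask) of the primary address on interface `name`."""
    _, body = find_block(blocks, f"interface {name}")
    for line in body:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return m.group(1), m.group(2)
    raise KeyError(f"no ip address on {name}")


def dcr_endpoint(cfg):
    """DCR side: outer GRE endpoints, Tunnel0 address and ESP transform."""
    blocks = parse_blocks(cfg)
    _, tun = find_block(blocks, "interface Tunnel0")
    src_ip, _ = iface_ip(blocks, child(tun, "tunnel source"))
    tun_ip, tun_mask = iface_ip(blocks, "Tunnel0")
    # header form: crypto ipsec transform-set NAME esp-<enc> esp-<auth>-hmac
    hdr, _ = find_block(blocks, "crypto ipsec transform-set")
    _, _, _, _, enc, auth = hdr.split()
    return {"src": src_ip, "dst": child(tun, "tunnel destination"),
            "tunnel": f"{tun_ip}/{tun_mask}",
            "enc": enc.replace("esp-", ""),
            "auth": auth.replace("esp-", "").replace("-hmac", "")}


def h3c_endpoint(cfg):
    """H3C side: the same facts plus the source/destination pairs of acl 3000."""
    blocks = parse_blocks(cfg)
    _, tun = find_block(blocks, "interface Tunnel0")
    src_ip, _ = iface_ip(blocks, child(tun, "source "))
    tun_ip, tun_mask = iface_ip(blocks, "Tunnel0")
    _, ts = find_block(blocks, "ipsec transform-set")
    _, acl = find_block(blocks, "acl number 3000")
    rules = re.findall(r"permit ip source (\S+) \S+ destination (\S+) \S+", "\n".join(acl))
    return {"src": src_ip, "dst": child(tun, "destination "),
            "tunnel": f"{tun_ip}/{tun_mask}",
            "enc": child(ts, "esp encryption-algorithm"),
            "auth": child(ts, "esp authentication-algorithm"),
            "acl": rules}


def check_pair(dcr, h3c):
    """Return (errors, warnings) for the two ends of the tunnel."""
    errors, warnings = [], []
    if dcr["dst"] != h3c["src"]:
        errors.append(f"DCR tunnel destination {dcr['dst']} != H3C tunnel source {h3c['src']}")
    if h3c["dst"] != dcr["src"]:
        errors.append(f"H3C tunnel destination {h3c['dst']} != DCR tunnel source {dcr['src']}")
    if (dcr["enc"], dcr["auth"]) != (h3c["enc"], h3c["auth"]):
        errors.append(f"ESP transform mismatch: DCR {dcr['enc']}/{dcr['auth']}, "
                      f"H3C {h3c['enc']}/{h3c['auth']}")
    # The security ACL must select the outer GRE flow; otherwise it is not protected
    if (h3c["src"], h3c["dst"]) not in h3c["acl"]:
        errors.append(f"H3C acl 3000 does not match GRE traffic {h3c['src']} -> {h3c['dst']}")
    d_if, h_if = ipaddress.ip_interface(dcr["tunnel"]), ipaddress.ip_interface(h3c["tunnel"])
    if d_if.network != h_if.network or d_if.ip == h_if.ip:
        errors.append(f"Tunnel0 addresses {d_if} and {h_if} are not two hosts in one subnet")
    for alg in sorted({dcr["enc"], dcr["auth"]} & LEGACY_ALGORITHMS):
        warnings.append(f"{alg} is a legacy algorithm; prefer AES and SHA-2 once both ends support them")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(dcr_endpoint(DCR_CFG), h3c_endpoint(H3C_CFG))
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
    print("tunnel endpoints consistent" if not errs else "tunnel endpoints inconsistent")
```

Run as-is it reports no errors and two warnings (3des, md5). Change one value in either excerpt, for example the destination in acl 3000, and the corresponding check fails, which is the kind of asymmetry that otherwise shows up only as a tunnel that negotiates IKE but never passes GRE keepalives.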

