GRE over IPsec problem

Network Engineering ipsec gre
2022-03-01 22:26:17

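I am trying to set up a GRE tunnel encrypted with IPsec between two routers, but I keep getting the error message "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet...". As soon as I apply IPsec to the tunnel interface, I get the error message and the tunnel goes down. The GRE tunnel works.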

R2(config-if)#tunnel protection ipsec profile myprofil

R2(config-if)#
*May 25 10:19:33.432: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 25 10:19:35.248: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000734849689650 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 8.8.11.2, src_addr= 8.8.10.2, prot= 47
*May 25 10:19:39.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*May 25 10:19:39.263: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.3.1 (Tunnel0) is down: interface down

R1(config)#interface tunnel0

R1(config-if)#no tunnel mode ipsec ipv4

R1(config-if)#
*May 25 10:17:33.718: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*May 25 10:17:48.674: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.3.2 (Tunnel0) is up: new adjacency

R1(config-if)#tunnel protection ipsec profile myprofil

R1(config-if)#
*May 25 10:19:38.001: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 25 10:19:43.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*May 25 10:19:43.029: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.3.2 (Tunnel0) is down: interface down

R1

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key paroal1234 address 8.8.11.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
!
!
crypto ipsec profile myprofile
 set security-association lifetime seconds 86400
 set transform-set myset
!
!
!
interface Tunnel0
 ip address 10.1.3.1 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel destination 8.8.11.2
 tunnel protection ipsec profile myprofile
!
interface GigabitEthernet1
 ip address 8.8.10.2 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router eigrp 100
 network 10.0.0.0
 network 10.1.3.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 8.8.10.1
!

R2

!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key paroal1234 address 8.8.10.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
!
!
crypto ipsec profile myprofile
 set security-association lifetime seconds 86400
 set transform-set myset
!
!
!
interface Tunnel0
 ip address 10.1.3.2 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel destination 8.8.10.2
 tunnel protection ipsec profile myprofile
!
interface GigabitEthernet1
 ip address 8.8.11.2 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 negotiation auto
 no mop enabled
 no mop sysid
!
!
router eigrp 100
 network 10.0.0.0
 network 10.1.3.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 8.8.11.1
!
0 answers
No replies found.