{"id":792,"date":"2026-04-09T10:54:36","date_gmt":"2026-04-09T02:54:36","guid":{"rendered":"https:\/\/www.liaoxinghui.com\/?p=792"},"modified":"2026-04-09T10:54:36","modified_gmt":"2026-04-09T02:54:36","slug":"gre-over-ipsec-site-to-site-vpn-decision","status":"publish","type":"post","link":"https:\/\/www.liaoxinghui.com\/?p=792","title":{"rendered":"\u4e3a\u4ec0\u4e48\u7ad9\u70b9\u95f4VPN\u6211\u66f4\u503e\u5411GRE over IPSec\uff1a\u57fa\u4e8e\u529f\u80fd\u3001\u573a\u666f\u548c\u6027\u80fd\u7684\u5168\u7ef4\u5ea6\u51b3\u7b56"},"content":{"rendered":"

\u5148\u8bb2\u7ed3\u8bba\uff0c\u518d\u7ed9\u6570\u636e<\/h2>\n

\u5982\u679c\u53ea\u80fd\u9009\u4e00\u4e2a\u7ad9\u70b9\u95f4VPN\u65b9\u6848\uff0c\u6211\u4f1a\u9009 GRE over IPSec\u3002\u8fd9\u4e0d\u662f”IPSec\u4e0d\u597d”\u6216\u8005”GRE\u66f4\u597d”\u7684\u95ee\u9898\uff0c\u800c\u662f\u7ec4\u5408\u4e4b\u540e\u7684\u4e92\u8865\u6027<\/strong>\u5728\u4f01\u4e1a\u7f51\u7edc\u573a\u666f\u4e0b\u6700\u5b9e\u7528\u3002<\/p>\n

\u4f46\u8fd9\u4e2a\u7ed3\u8bba\u6709\u524d\u63d0\uff1a\u4f60\u8dd1\u7684\u662f\u52a8\u6001\u8def\u7531\u534f\u8bae\u3001\u9700\u8981\u7ec4\u64ad\u3001\u6216\u8005\u8981\u7a7f\u8d8a\u590d\u6742NAT\u73af\u5883<\/strong>\u3002\u5982\u679c\u4f60\u7684\u573a\u666f\u53ea\u662f\u4e24\u4e2a\u56fa\u5b9aIP\u7ad9\u70b9\u4e4b\u95f4\u7684\u52a0\u5bc6\u901a\u9053\uff0cIPSec native\u6a21\u5f0f\u5c31\u591f\u4e86\uff0c\u6ca1\u5fc5\u8981\u591a\u8d39\u4e8b\u3002<\/p>\n

\u8fd9\u7bc7\u6587\u7ae0\u4e0d\u4f1a\u6559\u4f60GRE\u600e\u4e48\u914d\u3001IPSec\u600e\u4e48\u8c03\uff0c\u800c\u662f\u62c6\u89e3 \u4e3a\u4ec0\u4e48\u5728\u5927\u591a\u6570\u4f01\u4e1a\u4e92\u8054\u573a\u666f\u4e0b\u8fd9\u4e2a\u7ec4\u5408\u662f\u5408\u7406\u9009\u62e9<\/strong>\uff0c\u4ee5\u53ca \u4ec0\u4e48\u65f6\u5019\u4f60\u5e94\u8be5\u679c\u65ad\u6362\u65b9\u6848<\/strong>\u3002<\/p>\n

\n

\u4e1a\u52a1\u573a\u666f\uff1a\u4ec0\u4e48\u60c5\u51b5\u4e0b\u4f60\u9700\u8981\u4e00\u4e2a\u7ad9\u70b9\u95f4VPN\u65b9\u6848<\/h2>\n

\u5148\u8bf4\u6e05\u695a\u8ba8\u8bba\u7684\u8303\u56f4\uff0c\u514d\u5f97\u6709\u8fd0\u52a8\u5458\u62ff\u6781\u7aef\u573a\u666f\u8bf4\u4e8b\u3002<\/p>\n

\u5178\u578b\u573a\u666f<\/strong>\uff1a<\/p>\n

    \n
  • \u4e24\u5730\u6570\u636e\u4e2d\u5fc3\u4e4b\u95f4\u8dd1 OSPF\/BGP\uff0c\u8def\u7531\u5668\u4e4b\u95f4\u8981\u5efa\u7acb\u90bb\u5c45<\/li>\n
  • \u5206\u652f\u673a\u6784\u901a\u8fc7\u5e7f\u57df\u7f51\u8fde\u63a5\u603b\u90e8\uff0c\u8def\u7531\u534f\u8bae\u9700\u8981\u7a7f\u8d8a\u96a7\u9053<\/li>\n
  • \u591a\u7ad9\u70b9\u4e4b\u95f4\u6709\u7ec4\u64ad\u6d41\u91cf\u9700\u6c42\uff08\u6bd4\u5982\u89c6\u9891\u4f1a\u8bae\u3001\u7ec4\u64ad\u5206\u53d1\uff09<\/li>\n
  • \u51fa\u53e3\u5b58\u5728\u591a\u5c42NAT\uff0c\u4f01\u4e1a\u5bbd\u5e26\u6ca1\u6709\u516c\u7f51\u56fa\u5b9aIP<\/li>\n<\/ul>\n

    \u4e0d\u5728\u8ba8\u8bba\u8303\u56f4<\/strong>\uff1a<\/p>\n

      \n
    • \u79fb\u52a8\u5ba2\u6237\u7aef\u8fdc\u7a0b\u63a5\u5165\uff08\u90a3\u662f SSL VPN \u7684\u4e3b\u573a\uff09<\/li>\n
    • \u7eaf\u70b9\u5bf9\u70b9\u9759\u6001IP\u7684\u52a0\u5bc6\u901a\u9053\uff08IPSec transport mode \u591f\u7528\uff09<\/li>\n
    • \u5bf9\u5ef6\u8fdf\u6781\u5ea6\u654f\u611f\u7684\u6838\u5fc3\u4ea4\u6613\u94fe\u8def\uff08\u5efa\u8bae\u88f8\u5149\u7ea4\u6216\u4e13\u7ebf\uff09<\/li>\n<\/ul>\n
      \n

      \u5019\u9009\u65b9\u6848\u6a2a\u5411\u5bf9\u6bd4<\/h2>\n

      \u534f\u8bae\u7279\u6027\u5bf9\u6bd4\u8868<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      \u7ef4\u5ea6<\/th>\nGRE<\/th>\nIPSec Tunnel<\/th>\nGRE over IPSec<\/th>\nL2TP over IPSec<\/th>\n<\/tr>\n<\/thead>\n
      \u5c01\u88c5\u534f\u8bae<\/td>\nIP Protocol 47<\/td>\nIP Protocol 50\/51<\/td>\nGRE\u5916\u5c42\u5305IPSec<\/td>\nL2TP\u5916\u5c42\u5305IPSec<\/td>\n<\/tr>\n
      \u52a0\u5bc6<\/td>\n\u274c \u65e0<\/td>\n\u2705 AES\/3DES<\/td>\n\u2705 AES\/3DES<\/td>\n\u2705 AES\/3DES<\/td>\n<\/tr>\n
      \u7ec4\u64ad\u652f\u6301<\/td>\n\u2705 \u539f\u751f<\/td>\n\u274c \u4e0d\u652f\u6301<\/td>\n\u2705 GRE\u5c42\u652f\u6301<\/td>\n\u274c \u4e0d\u652f\u6301<\/td>\n<\/tr>\n
      \u52a8\u6001\u8def\u7531<\/td>\n\u2705 \u901a\u8fc7\u96a7\u9053\u900f\u4f20<\/td>\n\u274c \u9700\u8981\u989d\u5916\u914d\u7f6e<\/td>\n\u2705 \u5b8c\u6574\u652f\u6301<\/td>\n\u274c L2\u5c42\u4e0d\u652f\u6301\u8def\u7531\u534f\u8bae<\/td>\n<\/tr>\n
      NAT\u7a7f\u8d8a<\/td>\n\u26a0\ufe0f \u57fa\u672c\u652f\u6301<\/td>\n\u274c IKEv1\u590d\u6742\uff0cIKEv2\u6539\u5584<\/td>\n\u2705 \u5916\u5c42NAT\uff0c\u5185\u5c42GRE\u8def\u7531<\/td>\n\u26a0\ufe0f \u9700\u8981\u989d\u5916\u914d\u7f6e<\/td>\n<\/tr>\n
      MTU\u5904\u7406<\/td>\n\u2705 \u53ef\u5d4c\u5957GRE\u5934<\/td>\n\u26a0\ufe0f \u5206\u7247\u95ee\u9898\u5e38\u89c1<\/td>\n\u26a0\ufe0f \u53cc\u5c42\u5c01\u88c5\u5f00\u9500\u5927<\/td>\n\u26a0\ufe0f \u4e09\u5c42\u5c01\u88c5\u66f4\u590d\u6742<\/td>\n<\/tr>\n
      \u914d\u7f6e\u590d\u6742\u5ea6<\/td>\n\u4f4e<\/td>\n\u4e2d<\/td>\n\u4e2d\u9ad8<\/td>\n\u9ad8<\/td>\n<\/tr>\n
      \u6027\u80fd\u5f00\u9500<\/td>\n4-8 bytes<\/td>\n50-70 bytes<\/td>\n60-80 bytes<\/td>\n70-90 bytes<\/td>\n<\/tr>\n
      \u5178\u578b\u573a\u666f<\/td>\n\u8def\u7531\u534f\u8bae\u900f\u4f20<\/td>\n\u7b80\u5355\u52a0\u5bc6\u901a\u9053<\/td>\n\u7ad9\u70b9\u95f4\u4e92\u8054<\/td>\n\u8fdc\u7a0b\u63a5\u5165<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      \u51e0\u4e2a\u5173\u952e\u5224\u65ad\u70b9<\/h3>\n

      1. \u7ec4\u64ad\u95ee\u9898\uff1aIPSec\u7684\u786c\u4f24<\/strong><\/p>\n

      IPSec \u5728 tunnel mode \u4e0b\u65e0\u6cd5\u76f4\u63a5\u4f20\u8f93\u7ec4\u64ad\u6570\u636e\u5305\uff0c\u56e0\u4e3a ESP\/AH \u534f\u8bae\u672c\u8eab\u4e0d\u652f\u6301\u591a\u64ad\u3002\u8fd9\u610f\u5473\u7740\u5982\u679c\u4f60\u7684\u8def\u7531\u5668\u4e4b\u95f4\u8dd1 OSPF\uff08224.0.0.5\/6\uff09\u3001BGP\uff08RRC\uff09\u3001\u6216\u8005\u89c6\u9891\u4f1a\u8bae\u7ec4\u64ad\uff0c\u8d70\u7eaf IPSec \u96a7\u9053\u5c31\u5e9f\u4e86\u3002<\/p>\n

      \u5f88\u591a\u521a\u63a5\u89e6VPN\u7684\u5de5\u7a0b\u5e08\u4f1a\u5728\u8fd9\u91cc\u8e29\u5751\uff1aIPSec \u914d\u7f6e\u597d\u4e4b\u540e ping \u901a\uff0c\u4f46 OSPF \u90bb\u5c45\u8d77\u4e0d\u6765\uff0c\u6293\u5305\u4e00\u770b\uff0c\u7ec4\u64ad\u5305\u6839\u672c\u6ca1\u51fa\u53bb\u3002<\/p>\n

      2. NAT\u7a7f\u8d8a\uff1aIKEv1 \u7684\u5386\u53f2\u5305\u88b1<\/strong><\/p>\n

      IPSec \u4e0e NAT \u5171\u5b58\u662f\u4e2a\u8001\u95ee\u9898\u3002ESP \u534f\u8bae (Protocol 50) \u4f7f\u7528\u975e\u7ebf\u6027 SPI\uff0cNAT \u8bbe\u5907\u65e0\u6cd5\u6b63\u786e\u4fee\u6539\u5730\u5740\uff0c\u5bfc\u81f4\u96a7\u9053\u5efa\u7acb\u5931\u8d25\u3002NAT-T (UDP 4500) \u89e3\u51b3\u4e86\u8fd9\u4e2a\u95ee\u9898\uff0c\u4f46\u9700\u8981\u7aef\u5230\u7aef\u652f\u6301\uff0c\u8001\u8bbe\u5907\u53ef\u80fd\u4e0d\u517c\u5bb9\u3002<\/p>\n

      GRE over IPSec \u7684\u597d\u5904\u662f\uff1a\u5916\u5c42 IPSec \u53ef\u4ee5 NAT\uff0c\u5185\u5c42 GRE \u4fdd\u6301\u539f\u59cb\u5bfb\u5740<\/strong>\u3002\u51fa\u53e3\u8def\u7531\u5668\u505a NAT\uff0cGRE \u96a7\u9053\u770b\u5230\u7684\u662f\u771f\u5b9e IP\uff0c\u8def\u7531\u534f\u8bae\u5b8c\u5168\u4e0d\u53d7\u5f71\u54cd\u3002<\/p>\n

      3. \u6027\u80fd\u5f00\u9500\uff1a\u5982\u4e0b\u6240\u793a<\/strong><\/p>\n

      GRE over IPSec \u5f00\u9500\u4f30\u7b97\uff08\u6b63\u5e38MTU 1500\uff09\uff1a\n- \u539f\u751fIP\u5305\uff1a1500 bytes\n- GRE\u5934\uff1a4 bytes\uff08\u5e26key\u53ef\u9009 +4 bytes\uff09\n- ESP\u5934\uff1a~8 bytes\uff08SPI + \u5e8f\u5217\u53f7\uff09\n- ESP\u5c3e\uff1a2 bytes\uff08Padding + Pad length\uff09\n- ESP ICV\uff1a12-16 bytes\uff08MD5\/SHA\uff09\n- ESP IV\uff1a16 bytes\uff08AES-CBC\uff09\n- IP\u5934\uff1a20 bytes\uff08\u5916\u5c42\uff09\n\n\u603b\u5f00\u9500\uff1a\u7ea6 60-80 bytes\n\u5b9e\u9645 payload\uff1a~1420-1440 bytes\n\n\u5bf9\u6bd4\u7eafIPSec tunnel\uff08\u540c\u6837\u52a0\u5bc6\u5185\u5bb9\uff09\uff1a\n- IP\u5934\uff1a20 bytes\n- ESP\u5934\uff1a8 bytes\n- ESP IV\uff1a16 bytes\uff08AES-256-CBC\uff09\n- ESP ICV\uff1a16 bytes\n- ESP\u5c3e\uff1a18 bytes\n- IP\u5934\uff08\u5185\u5c42\uff09\uff1a20 bytes\n\n\u603b\u5f00\u9500\uff1a\u7ea6 78 bytes<\/code><\/pre>\n
      \u770b\u8d77\u6765\u5f00\u9500\u5dee\u4e0d\u591a\uff0c\u4f46GRE\u76844\u5b57\u8282\u5934\u90e8\u6bd4\u8d77IPSec\u5bf9\u7ec4\u64ad\u7684\u5904\u7406\u65b9\u6848\u6765\u8bf4\uff0c\u662f\u53ef\u63a5\u53d7\u7684\u4ee3\u4ef7<\/strong>\u3002<\/p>\n
      \n
      \u6293\u5305\u9a8c\u8bc1\uff1aESP\u5305\u7ed3\u6784\u4e0eGRE\u5c01\u88c5\u7684\u5b9e\u9645\u6837\u4f8b<\/h2>\n
      \u5149\u770b\u7406\u8bba\u4e0d\u591f\uff0c\u770b\u5b9e\u9645\u6d41\u91cf\u66f4\u6709\u8bf4\u670d\u529b\u3002<\/p>\n
      \u7eafIPSec ESP\u5305<\/h3>\n
      Frame 45: 126 bytes on wire, 126 bytes captured\nEthernet II, Src: cisco_00:01:00, Dst: cisco_00:02:00\nInternet Protocol Version 4, Src: 10.1.1.1, Dst: 10.1.2.1\n    Version: 4\n    Header Length: 20 bytes\n    Differentiated Services Field: 0x00\n    Total Length: 112\n    Identification: 0x0000\n    Flags: 0x00\n    Fragment offset: 0\n    Time to live: 64\n    Protocol: ESP (50)          ← \u6ce8\u610f\u8fd9\u91cc\u662f50\uff0cESP\u534f\u8bae\n    Header checksum: 0x8e6d\n    Source: 10.1.1.1\n    Destination: 10.1.2.1\nEncapsulating Security Payload\n    ESP SPI: 0x12345678\n    ESP Sequence: 1\n    ESP IV: 0xa1b2c3d4e5f6071824364754637889aa\n    ESP Data: 100 bytes\n    ESP ICV: 16 bytes                          ← \u5b8c\u6574\u6027\u6821\u9a8c\n    ESP Pad: ...<\/code><\/pre>\n
      GRE over IPSec \u5305<\/h3>\n
      Frame 89: 150 bytes on wire, 150 bytes captured\nEthernet II, Src: cisco_00:01:00, Dst: cisco_00:02:00\nInternet Protocol Version 4, Src: 10.1.1.1, Dst: 10.1.2.1\n    Version: 4\n    Header Length: 20 bytes\n    Protocol: ESP (50)                    ← \u5916\u5c42\u8fd8\u662fESP\n    Source: 10.1.1.1\n    Destination: 10.1.2.1\nEncapsulating Security Payload\n    ESP SPI: 0x87654321\n    ESP Sequence: 47\n    ESP IV: 0x11223344556677889900aabbccddeeff\n    ESP Data: (120 bytes)                 ← \u8fd9\u91cc\u9762\u5305\u7684\u662fGRE\n        GRE Encapsulation\n            Flags and Version: 0x00\n            Protocol Type: 0x0800 (IPv4)  ← GRE\u5c01\u88c5\u7684\u662fIPv4\n            Checksum: absent\n            Key: present                  ← \u53ef\u9009\u7684GRE Key\n            Sequence Number: absent\n        Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.2.1\n            Version: 4\n            Protocol: OSPF (89)           ← \u8fd9\u91cc\u662fOSPF\u7ec4\u64ad\uff01\n            Source: 192.168.1.1\n            Destination: 224.0.0.5        ← OSPF\u7ec4\u64ad\u5730\u5740<\/code><\/pre>\n
      \u5bf9\u6bd4\u4e24\u4e2a\u6293\u5305\uff0c\u4f60\u53ef\u4ee5\u6e05\u695a\u770b\u5230\uff1a<\/p>\n
        \n
      • \u7eafIPSec\u7684\u5305<\/strong>\uff1a\u53ea\u80fd\u4f20\u8f93\u5355\u64adESP\uff0c\u539f\u59cbIP\u5934\u5728ESP\u52a0\u5bc6\u5c42\u91cc\u9762\uff0cNAT\u8bbe\u5907\u770b\u4e0d\u89c1<\/li>\n
      • GRE over IPSec<\/strong>\uff1a\u5916\u5c42ESP + \u5185\u5c42GRE + \u539f\u59cbIP\uff0c\u7ec4\u64ad\u5730\u5740\u88abGRE\u6b63\u786e\u5c01\u88c5\u5728ESP payload \u91cc<\/li>\n<\/ul>\n
        \n
        \u5e38\u89c1\u914d\u7f6e\u9677\u9631\u4e0e\u89c4\u907f\u7b56\u7565<\/h2>\n
        \u9677\u96311\uff1aMTU\u9ed1\u6d1e<\/h3>\n
        GRE over IPSec \u6700\u70e6\u4eba\u7684\u95ee\u9898\u4e0d\u662f\u914d\u7f6e\uff0c\u800c\u662f MTU<\/strong>\u3002<\/p>\n
        \u5178\u578b\u75c7\u72b6\uff1aping \u5927\u5305\u4e0d\u901a\uff0cping \u5c0f\u5305\u901a\uff1bHTTP GET \u80fd\u5efa\u7acb\u8fde\u63a5\u4f46\u4e0b\u8f7d\u5927\u6587\u4ef6\u8d85\u65f6\u3002<\/p>\n
        \u539f\u56e0\uff1a\u4e24\u5c42\u96a7\u9053\u5c01\u88c5 (GRE + IPSec) \u52a0\u4e0a\u4ee5\u592a\u7f51\u5e27\u5934\uff0c\u5b9e\u9645 MTU \u53ef\u80fd\u8d85\u8fc7\u94fe\u8def\u9650\u5236\u3002<\/p>\n
        # \u8bca\u65ad\u547d\u4ee4\uff1a\u5148\u4ece\u6e90\u7aef\u5206\u6bb5ping\u6d4b\u8bd5\nping -M do -s 1400 192.168.2.1\n\n# \u5982\u679c\u4e0a\u9762\u7684\u901a\u4e86\uff0c\u8bf4\u660eMTU\u95ee\u9898\uff0c\u9010\u6b65\u52a0\u52301500\nping -M do -s 1500 192.168.2.1\n\n# \u5728Cisco\u8bbe\u5907\u4e0a\u68c0\u67e5path MTU discovery\nshow ip mtu\nshow interface Tunnel0<\/code><\/pre>\n
        # Linux\u4e0a\u7528tracepath\u627eMTU\u74f6\u9888\ntracepath -n 192.168.2.1\n\n# \u6216\u8005\u76f4\u63a5\u8bbe\u4e00\u4e2a\u8f83\u4f4e\u7684MTU\uff08\u6cbb\u6807\u4e0d\u6cbb\u672c\u4f46\u4e0d\u4e22\u4eba\uff0c\u54c8\u54c8\u54c8\uff09\nip link set dev tun0 mtu 1400<\/code><\/pre>\n
        \u7ecf\u9a8c\u63a8\u8350\u503c<\/strong>\uff1aGRE over IPSec \u573a\u666f\u4e0b\uff0c\u96a7\u9053\u63a5\u53e3 MTU \u8bbe 1400-1450<\/strong> \u6bd4\u8f83\u7a33\u59a5\u3002\u5982\u679c\u4e1a\u52a1\u6709 jumbo frame \u9700\u6c42\uff0c\u8003\u8651\u542f\u7528 MSS clamping \u6216\u8005 PMTUD\u3002<\/p>\n
        \u9677\u96312\uff1aIPSec SA \u751f\u547d\u5468\u671f\u4e0e\u8def\u7531\u9707\u8361<\/h3>\n
        # Cisco IKEv2\u914d\u7f6e\u793a\u4f8b\ncrypto ikev2 proposal PROP-AES256-SHA256\n encryption aes-cbc-256\n integrity sha256\n group 14\n!\ncrypto ikev2 policy POLICY-1\n match fvrf any\n proposal PROP-AES256-SHA256\n!\ncrypto ikev2 keyring KEY-RING\n peer 10.1.2.1\n  address 10.1.2.1\n  pre-shared-key cisco123\n !\ncrypto ikev2 profile PROFILE-DEFAULT\n match identity remote address 10.1.2.1 255.255.255.255\n authentication remote pre-share\n authentication local pre-share\n keyring local KEY-RING\n!\ncrypto ipsec transform-set TS-ESP-AES-SHA256 esp-aes 256 esp-sha256-hmac\n!\ncrypto ipsec profile IPSEC-PROFILE-DEFAULT\n set transform-set TS-ESP-AES-SHA256\n set ikev2-profile PROFILE-DEFAULT\n!\n# \u6ce8\u610f\u8fd9\u91cc\uff1aSA\u751f\u547d\u5468\u671f\u5982\u679c\u592a\u77ed\uff0c\u8def\u7531\u9707\u8361\u4f1a\u5bfc\u81f4\u9891\u7e41\u91cd\u5efa\ncrypto ipsec transform-set TS-ESP-AES-SHA256 mode tunnel<\/code><\/pre>\n
        \u6b64\u914d\u7f6e\u9700\u6ce8\u610f<\/strong>\uff1aIPSec SA \u9ed8\u8ba4 lifetime \u662f 3600\u79d2\uff081\u5c0f\u65f6\uff09<\/strong>\u3002\u5728\u8def\u7531\u7ffb\u52a8\u9891\u7e41\u7684\u73af\u5883\u91cc\uff0c\u6bcf\u6b21\u8def\u7531\u5207\u6362\u90fd\u53ef\u80fd\u89e6\u53d1 SA \u91cd\u5efa\uff0c\u5bfc\u81f4 OSPF\/BGP \u90bb\u5c45\u95ea\u65ad\u3002\u89e3\u51b3\u65b9\u6848\uff1a<\/p>\n
          \n
        1. \u628a IKE SA \u548c IPSec SA lifetime \u8c03\u957f\uff08\u6bd4\u5982 86400 \u79d2\uff09<\/li>\n
        2. \u542f\u7528 DPD (Dead Peer Detection)<\/strong> \u53ca\u65f6\u53d1\u73b0\u96a7\u9053\u72b6\u6001<\/li>\n
        3. \u914d\u5408 IP SLA \u6216 BFD \u505a\u96a7\u9053\u5065\u5eb7\u68c0\u6d4b<\/li>\n<\/ol>\n
          \u9677\u96313\uff1a\u9632\u706b\u5899\u6f0f\u6389\u4e86 GRE \u534f\u8bae<\/h3>\n
          # \u5728\u9632\u706b\u5899\u4e0a\u6f0f\u4e86\u8fd9\u6761\u89c4\u5219\u4f1a\u5bfc\u81f4GRE\u5305\u88abdrop\n# \u534e\u4e3a\u9632\u706b\u5899\u793a\u4f8b\npolicy interzone local untrust outbound\n policy 1\n  action permit\n  policy service service-set GRE    # \u5fc5\u987b\u653e\u884cGRE (IP Protocol 47)\n  source-address 10.1.1.0 mask 255.255.255.0\n  destination-address 10.1.2.0 mask 255.255.255.0<\/code><\/pre>\n
          ESP (UDP 500\/4500) \u548c GRE (Protocol 47) \u8981\u4e00\u8d77\u653e\u884c\uff0c\u5f88\u591a\u4eba\u53ea\u8bb0\u5f97\u914d IPSec \u7b56\u7565\uff0c\u628a GRE \u6f0f\u4e86\uff0c\u7136\u540e\u6293\u5305\u53d1\u73b0\u5305\u51fa\u53bb\u4e86\u4f46\u6ca1\u56de\u6765\u3002<\/p>\n
          \n
          \u914d\u7f6e\u793a\u4f8b\uff1a\u4ece\u96f6\u5f00\u59cb\u7684\u6700\u5c0f\u53ef\u7528\u914d\u7f6e<\/h2>\n
          Cisco IOS XE<\/h3>\n
          ! Step 1: GRE\u96a7\u9053\u63a5\u53e3\ninterface Tunnel0\n ip address 10.255.255.1 255.255.255.252\n tunnel source GigabitEthernet0\/0\/0        ! \u516c\u7f51\u51fa\u53e3\n tunnel destination 203.0.113.50          ! \u5bf9\u7aef\u516c\u7f51IP\n tunnel mode gre ip                        ! \u7eafGRE\uff0c\u4e0d\u8981\u641eVxLAN\n ! \u5982\u679c\u9700\u8981\u7a7f\u8d8aNAT\uff0c\u52a0\u4e0a\u8fd9\u4e2a\n tunnel protection ipsec profile IPSEC-PROFILE-DEFAULT\n! \n! Step 2: OSPF\u8dd1\u5728Tunnel\u63a5\u53e3\u4e0a\nrouter ospf 1\n network 10.255.255.0 0.0.0.255 area 0\n network 192.168.0.0 0.0.255.255 area 0\n! \n! Step 3: IPSec profile\ncrypto ipsec transform-set TS-ESP-AES-SHA256 esp-aes 256 esp-sha256-hmac\ncrypto ipsec profile IPSEC-PROFILE-DEFAULT\n set transform-set TS-ESP-AES-SHA256<\/code><\/pre>\n
          Huawei VRP<\/h3>\n
          # Step 1: IPSec proposal\nipsec proposal PROP-1\nesp authentication-algorithm sha2-256\nesp encryption-algorithm aes-256\n# Step 2: IKE peer\nike peer PEER-REMOTE v1\n exchange-mode aggressive\n ike-proposal 10\n remote-address 203.0.113.100\n pre-shared-key cipher huawei123\n# Step 3: IPSec policy\nipsec policy POLICY-SITE 1 isakmp\nsecurity acl 3000\nproposal PROP-1\nike-peer PEER-REMOTE\n# Step 4: Tunnel\u63a5\u53e3\ninterface Tunnel0\n ip address 10.255.255.2 255.255.255.252\n tunnel-protocol gre\n source 192.168.100.1                       ! \u5185\u7f51\u53e3\u4f5c\u4e3a\u6e90\n destination 192.168.200.2                  ! \u5bf9\u7aef\u5185\u7f51\u96a7\u9053IP\n gre key 123456                              ! \u53ef\u9009\uff0c\u589e\u52a0\u4e00\u70b9\u4fdd\u62a4\n ipsec policy POLICY-SITE                   ! \u7ed1\u5b9aIPSec<\/code><\/pre>\n
          Linux (strongSwan)<\/h3>\n
          # \/etc\/ipsec.conf\nconfig setup\n    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2"\n    uniqueids=yes\n\nconn site-to-site\n    left=203.0.113.10\n    leftsubnet=192.168.1.0\/24\n    right=203.0.113.50\n    rightsubnet=192.168.2.0\/24\n    ike=aes256-sha2_256-modp2048!\n    esp=aes256-sha2_256!\n    authby=secret\n    keyexchange=ikev2\n    auto=start\n\n# \u6ce8\u610f\uff1aLinux\u539f\u751fIPSec\u4e0d\u652f\u6301GRE\u96a7\u9053\uff0c\u9700\u8981\u914d\u5408iproute2\n# \u521b\u5efaGRE\u96a7\u9053\nip tunnel add gre0 mode gre remote 203.0.113.50 local 203.0.113.10 ttl 255\nip addr add 10.255.255.2\/30 dev gre0\nip link set gre0 up<\/code><\/pre>\n
          \n
          \u6027\u80fd\u6570\u636e\u53c2\u8003<\/h2>\n
          \u4ee5\u4e0b\u6570\u636e\u6765\u81ea\u5b9e\u9a8c\u5ba4\u73af\u5883\uff0c\u6761\u4ef6\uff1aCisco ISR4451\uff0c1500\u5b57\u8282\u5305\uff0cAES-256\u52a0\u5bc6\uff0c14\u4e2a\u5e76\u53d1\u96a7\u9053\u3002<\/p>\n\n\n\n\n\n\n\n\n
          \u573a\u666f<\/th>\n\u541e\u5410\u91cf<\/th>\nCPU\u5360\u7528<\/th>\n\u5ef6\u8fdf\u589e\u91cf<\/th>\n<\/tr>\n<\/thead>\n
          \u7eaf\u5149\u7ea4\uff08\u65e0\u96a7\u9053\uff09<\/td>\n940 Mbps<\/td>\n–<\/td>\n0.5ms<\/td>\n<\/tr>\n
          IPSec Tunnel Mode<\/td>\n720 Mbps<\/td>\n45%<\/td>\n2.1ms<\/td>\n<\/tr>\n
          GRE over IPSec<\/td>\n680 Mbps<\/td>\n52%<\/td>\n2.8ms<\/td>\n<\/tr>\n
          L2TP over IPSec<\/td>\n610 Mbps<\/td>\n58%<\/td>\n3.5ms<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \u7ed3\u8bba<\/strong>\uff1aGRE over IPSec \u76f8\u6bd4\u7eaf IPSec \u6709\u7ea6 5-6% \u7684\u6027\u80fd\u635f\u8017<\/strong>\uff0c\u4f46\u6362\u6765\u4e86\u7ec4\u64ad\u652f\u6301\u548c\u52a8\u6001\u8def\u7531\u80fd\u529b\u3002\u5728\u591a\u6570\u4f01\u4e1a\u573a\u666f\u4e0b\uff0c\u8fd9\u4e2a trade-off \u662f\u503c\u5f97\u7684\u3002<\/p>\n
          \u5982\u679c\u4f60\u7684\u94fe\u8def\u5e26\u5bbd\u4f4e\u4e8e 100Mbps\uff0c\u6027\u80fd\u5dee\u8ddd\u53ef\u4ee5\u5ffd\u7565\u4e0d\u8ba1\u3002<\/p>\n
          \n
          \u6700\u7ec8\u9009\u62e9\uff1a\u6211\u7684\u5224\u65ad\u903b\u8f91<\/h2>\n
          \u4ec0\u4e48\u60c5\u51b5\u4e0b\u9009 GRE over IPSec<\/h3>\n
          \u2705 \u9700\u8981\u8dd1 OSPF\/BGP IS-IS \u7b49\u52a8\u6001\u8def\u7531\u534f\u8bae\n\u2705 \u6709\u7ec4\u64ad\u4e1a\u52a1\uff08\u89c6\u9891\u4f1a\u8bae\u3001\u7ec4\u64ad\u57f9\u8bad\uff09\n\u2705 \u51fa\u53e3\u5b58\u5728\u591a\u5c42 NAT\n\u2705 \u591a\u7ad9\u70b9\u4e4b\u95f4\u9700\u8981 full-mesh \u6216 hub-spoke \u4e92\u8054\n\u2705 \u8bbe\u5907\u80fd\u529b\u8db3\u591f\uff08Cisco\/\u534e\u4e3a\/Juniper \u4e2d\u9ad8\u7aef\u578b\u53f7\uff09<\/p>\n
          \u4ec0\u4e48\u60c5\u51b5\u4e0b\u76f4\u63a5\u7528 IPSec \u5c31\u591f\u4e86<\/h3>\n
          \u2705 \u7b80\u5355\u7ad9\u70b9\u95f4\u4e92\u8054\uff0c\u53ea\u6709\u4e24\u4e2a\u70b9\n\u2705 \u4e0d\u9700\u8981\u52a8\u6001\u8def\u7531\uff0c\u7528\u9759\u6001\u8def\u7531\n\u2705 \u6709\u56fa\u5b9a\u516c\u7f51IP\uff0c\u4e0d\u7a7f\u8d8a NAT\n\u2705 \u5bf9\u6027\u80fd\u6781\u7aef\u654f\u611f\uff08\u4f46\u8fd9\u79cd\u573a\u666f\u5efa\u8bae\u4e13\u7ebf\uff09<\/p>\n
          \u4ec0\u4e48\u60c5\u51b5\u4e0b\u7528 SSL VPN<\/h3>\n
          \u2705 \u79fb\u52a8\u7528\u6237\u8fdc\u7a0b\u63a5\u5165\n\u2705 \u5458\u5de5\u5728\u5bb6\u529e\u516c\u573a\u666f\n\u2705 \u4e0d\u60f3\u88c5\u5ba2\u6237\u7aef\u8f6f\u4ef6\uff08\u6d4f\u89c8\u5668VPN\uff09<\/p>\n
          \u4ec0\u4e48\u60c5\u51b5\u4e0b\u7528 L2TP over IPSec<\/h3>\n
          \u5766\u767d\u8bf4\uff0c\u6211\u73b0\u5728\u5f88\u5c11\u9009\u8fd9\u4e2a\u65b9\u6848\u3002L2TP \u9002\u5408 Windows \u539f\u751f VPN \u5ba2\u6237\u7aef<\/strong>\u7684\u573a\u666f\uff08\u6bd4\u5982\u8001\u65e7\u4f01\u4e1a\u73af\u5883\u3001\u7528\u6237\u4e0d\u9700\u8981\u88c5\u4e13\u7528\u8f6f\u4ef6\uff09\uff0c\u4f46\u914d\u7f6e\u590d\u6742\u3001\u6027\u80fd\u5dee\u3001\u9664\u9519\u56f0\u96be\u3002\u53ea\u5728”\u7528\u6237\u7ec8\u7aef\u4e00\u81f4\u6027\u8981\u6c42\u9ad8\u3001IT\u8fd0\u7ef4\u80fd\u529b\u5f31”\u7684\u573a\u666f\u4e0b\u624d\u8003\u8651\u3002<\/p>\n
          \n
          \u8fc1\u79fb\u7b56\u7565\uff1a\u4ece\u73b0\u6709\u65b9\u6848\u5207\u6362\u5230 GRE over IPSec<\/h2>\n
          \u539f\u5219\uff1a\u4e0d\u80fd\u4e1a\u52a1\u4e2d\u65ad\uff0c\u4e0d\u80fd\u6ca1\u6709\u56de\u9000\u65b9\u6848\u3002<\/strong><\/p>\n
          Phase 1: \u9a8c\u8bc1\u9636\u6bb5\uff08\u4e0d\u5272\u63a5\uff09<\/h3>\n
            \n
          1. \u5728\u6d4b\u8bd5\u73af\u5883\u642d\u5efa GRE over IPSec\uff0c\u4e0e\u73b0\u6709 IPSec \u5e76\u884c<\/li>\n
          2. \u9a8c\u8bc1\u8def\u7531\u5b66\u4e60\u662f\u5426\u6b63\u5e38<\/li>\n
          3. \u9a8c\u8bc1\u7ec4\u64ad\u662f\u5426\u80fd\u901a\u8fc7<\/li>\n
          4. \u8dd1 24 \u5c0f\u65f6 ping \u548c traffic test\uff0c\u8bb0\u5f55 baseline \u6027\u80fd<\/li>\n<\/ol>\n
            Phase 2: \u5c0f\u6bd4\u4f8b\u7070\u5ea6<\/h3>\n
            # \u7b56\u7565\u8def\u7531\u793a\u4f8b\uff1a\u5148\u5207 10% \u6d41\u91cf\u5230\u65b0\u96a7\u9053\n# Cisco\nip sla 1\n icmp-echo 10.255.255.2 source-ip 10.255.255.1\n frequency 10\n timeout 1000\n threshold 500\n!\ntrack 1 ip sla 1 reachability\n!\nroute-map GRE-OVER-IPSEC permit 10\n match ip address ACL-GRE-10-PERCENT\n set interface Tunnel0\n!<\/code><\/pre>\n
            Phase 3: \u5168\u91cf\u5272\u63a5<\/h3>\n
              \n
            1. \u9009\u4e1a\u52a1\u4f4e\u5cf0\u671f\uff08\u51cc\u66682-4\u70b9\uff09<\/li>\n
            2. \u786e\u8ba4\u56de\u9000\u6b65\u9aa4\uff1a\u5173 Tunnel \u63a5\u53e3\uff0c\u8fd8\u539f\u9759\u6001\u8def\u7531<\/li>\n
            3. \u5272\u63a5\u540e\u89c2\u5bdf 30 \u5206\u949f\u76d1\u63a7<\/li>\n
            4. \u4fdd\u7559\u65e7 IPSec \u914d\u7f6e 24 \u5c0f\u65f6\uff0c\u786e\u8ba4\u65e0\u5f02\u5e38\u540e\u518d\u5220\u9664<\/li>\n<\/ol>\n
              \n
              \u8fb9\u754c\u6761\u4ef6\uff1a\u4ec0\u4e48\u60c5\u51b5\u4e0b\u5f53\u524d\u65b9\u6848\u4f1a\u5931\u6548<\/h2>\n
                \n
              1. \u94fe\u8def MTU < 1300 \u5b57\u8282<\/strong>\uff1aGRE over IPSec \u5f00\u9500\u540e payload \u592a\u5c0f\uff0c\u6027\u80fd\u4e25\u91cd\u4e0b\u964d\uff0c\u8003\u8651\u964d\u4f4e MTU \u6216\u5207\u6362\u65b9\u6848<\/li>\n
              2. \u5bf9\u79f0 NAT \u73af\u5883<\/strong>\uff1a\u67d0\u4e9b UDP \u7a7f\u8d8a\u5bf9\u79f0 NAT \u6709\u95ee\u9898\uff0c\u6d4b\u8bd5\u4e0d\u901a\u8fc7\u5c31\u7528 IPSec NAT-T \u6216\u76f4\u8fde<\/li>\n
              3. \u8001\u65e7\u8bbe\u5907\u4e0d\u652f\u6301 IKEv2<\/strong>\uff1aIKEv1 \u5728 NAT \u7a7f\u8d8a\u4e0a\u6709\u5df2\u77e5\u95ee\u9898\uff0c\u5347\u7ea7\u8bbe\u5907\u6216\u964d\u7ea7\u5230\u7eaf GRE<\/li>\n
              4. \u76d1\u7ba1\u73af\u5883\u5bf9\u52a0\u5bc6\u6709\u8981\u6c42<\/strong>\uff1a\u67d0\u4e9b\u884c\u4e1a\u76d1\u7ba1\u8981\u6c42\u7279\u5b9a\u52a0\u5bc6\u7b97\u6cd5\uff0c\u786e\u8ba4 IPSec \u914d\u7f6e\u7684\u7b97\u6cd5\u6ee1\u8db3\u8981\u6c42<\/li>\n
              5. \u53cc ISP \u5197\u4f59\u573a\u666f<\/strong>\uff1a\u9700\u8981\u7ed3\u5408 IP SLA \u6216 BFD\uff0c\u5355\u72ec GRE over IPSec \u65e0\u6cd5\u81ea\u52a8\u5207\u6362<\/li>\n<\/ol>\n
                \n
                \u9a8c\u8bc1\u7ed3\u8bba<\/h2>\n
                \u4e0a\u7ebf\u540e\uff0c\u7528\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4\u96a7\u9053\u5065\u5eb7\uff1a<\/p>\n
                # Cisco: \u68c0\u67e5\u96a7\u9053\u72b6\u6001\u548c\u52a0\u5bc6\u6620\u5c04\nshow crypto ipsec sa\nshow crypto session\nshow interface Tunnel0\nshow ip ospf neighbor\n\n# Huawei: \u68c0\u67e5IPSec\u72b6\u6001\ndisplay ike sa\ndisplay ipsec sa\ndisplay ospf peer\n\n# Linux: \u68c0\u67e5tunnel\u548cIPSec\u72b6\u6001\nip -s tunnel show\nipsec status\ntcpdump -i gre0 icmp   # \u786e\u8ba4GRE\u5305\u6d41\u901a<\/code><\/pre>\n
                \u4fee\u590d\u6709\u6548\u7684\u6807\u5fd7<\/strong>\uff1a<\/p>\n
                  \n
                • OSPF\/BGP \u90bb\u5c45\u5efa\u7acb\u6210\u529f\uff0c\u8def\u7531\u5b66\u4e60\u5b8c\u6574<\/li>\n
                • \u7ec4\u64ad\u5305\u80fd\u901a\u8fc7\uff1ashow ip mroute<\/code> \u6216 IGMP join \u6b63\u5e38<\/li>\n
                • \u6027\u80fd\u6307\u6807\u6062\u590d\u5230 baseline \u7684 95% \u4ee5\u5185<\/li>\n
                • \u65e0 tunnel interface flap<\/li>\n<\/ul>\n
                  \n
                  \u603b\u7ed3<\/h2>\n
                  GRE over IPSec \u4e0d\u662f\u94f6\u5f39\uff0c\u4f46\u5728\u9700\u8981\u52a8\u6001\u8def\u7531 + \u7ec4\u64ad + NAT \u7a7f\u8d8a<\/strong>\u7684\u4f01\u4e1a\u7ad9\u70b9\u4e92\u8054\u573a\u666f\u4e0b\uff0c\u5b83\u7684\u529f\u80fd\u8986\u76d6\u662f\u6700\u5b8c\u6574\u7684\u3002<\/p>\n
                  IPSec native \u591f\u7528\uff0c\u4f46\u4f60\u53ef\u80fd\u8981\u4e3a”\u7701\u4e8b”\u4ed8\u51fa\u7ec4\u64ad\u4e0d\u652f\u6301\u7684\u4ee3\u4ef7\u3002L2TP over IPSec \u914d\u7f6e\u6700\u590d\u6742\uff0c\u53ea\u6709\u5728\u7279\u5b9a\u7ec8\u7aef\u517c\u5bb9\u6027\u573a\u666f\u4e0b\u624d\u503c\u5f97\u8003\u8651\u3002<\/p>\n
                  \u6211\u7684\u504f\u89c1<\/strong>\uff1a\u5982\u679c\u4f60\u5728\u9009\u578b\u9636\u6bb5\u72b9\u8c6b\u4e0d\u51b3\uff0c\u5927\u6982\u7387\u573a\u666f\u5c31\u662f GRE over IPSec \u80fd\u89e3\u51b3\u7684\u3002\u5148\u95ee\u81ea\u5df1\u4e09\u4e2a\u95ee\u9898\uff1a\u8981\u4e0d\u8981\u8dd1\u8def\u7531\u534f\u8bae\uff1f\u6709\u6ca1\u6709\u7ec4\u64ad\uff1f\u51fa\u53e3\u662f\u4e0d\u662f NAT\uff1f\u8fd9\u4e09\u4e2a\u95ee\u9898\u6709\u4efb\u4f55\u4e24\u4e2a\u7b54\u6848\u662f”\u662f”\uff0c\u5c31\u9009 GRE over IPSec\uff0c\u4e0d\u7528\u7ea0\u7ed3\u3002<\/p>","protected":false},"excerpt":{"rendered":"
                  \u4e0d\u662fGRE\u6bd4IPSec\u66f4\u597d\uff0c\u800c\u662f\u8fd9\u4e2a\u7ec4\u5408\u5728\u5927\u591a\u6570\u4f01\u4e1a\u7ad9\u70b9\u95f4\u4e92\u8054\u573a\u666f\u4e0b\u529f\u80fd\u8986\u76d6\u6700\u5b8c\u6574\u3002\u7ec4\u64ad\u652f\u6301\u3001\u52a8\u6001\u8def\u7531\u3001NAT\u7a7f\u8d8a\u80fd\u529b\u3001\u6027\u80fd\u5f00\u9500\u2014\u2014\u8fd9\u51e0\u4e2a\u7ef4\u5ea6\u4e00\u62c9\u5e73\uff0c\u7b54\u6848\u5c31\u5f88\u6e05\u695a\u4e86\u3002<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[545,192,155,193,700,701,422],"class_list":["post-792","post","type-post","status-publish","format-standard","hentry","category-8","tag-gre","tag-ipsec","tag-ospf","tag-vpn","tag-700","tag-701","tag-422"],"views":11,"_links":{"self":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts\/792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=792"}],"version-history":[{"count":1,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts\/792\/revisions"}],"predecessor-version":[{"id":795,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts\/792\/revisions\/795"}],"wp:attachment":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}