A classic site-to-site VPN can establish an IPsec VPN with non-Cisco equipment, but it has the following problems:
- Without a virtual tunnel interface, a dynamic routing protocol cannot run between the two sites
- Without a virtual tunnel interface, it is hard to control the plaintext traffic between the communicating endpoints (ACL, NAT, QoS)
- Too many interesting-traffic entries: when each site has several subnets, the number of entries is the number of combinations of the two sites' networks
To remedy these shortcomings of the classic IPsec VPN configuration, two solutions are provided:
- GRE over IPsec (recommended on routers running IOS releases before 12.4)
- SVTI (recommended on routers running IOS 12.4 and later)
First, how GRE over IPsec overcomes the three problems of the classic configuration. Put simply, GRE over IPsec uses GRE to provide a virtual tunnel and then uses IPsec to protect that tunnel.
In the figure above, a GRE tunnel is configured between the two sites. The tunnel virtually connects the two sites, and a dynamic routing protocol (OSPF) runs on each site's internal networks and on the tunnel network (172.16.1.0/24), so each site learns the routes to the networks behind the remote site through OSPF running over the tunnel interface.
Running a dynamic routing protocol on the GRE tunnel interface therefore solves the first problem of the classic IPsec VPN configuration. The administrator can also apply ACLs, NAT, QoS and similar features on the GRE tunnel interface as required and thereby control the plaintext traffic between the communicating endpoints, which solves the second problem mentioned above.
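To make the third problem concrete, the following added example (not code from the article) generates the crypto ACL that a classic site-to-site IPsec configuration would need for the four subnets of this lab, one entry per pair of subnets, beside the single GRE entry that GRE over IPsec needs (the same entry as in the vpn13 ACL configured later in the article). The addresses are the lab's own; the function names are assumptions.

```python
# Added example (not from the article): compare the crypto ACL a classic
# site-to-site IPsec VPN needs with the one GRE over IPsec needs.
# Addresses are the article's lab values; function names are constructed.
import ipaddress
from itertools import product

# Subnets behind each site router and the routers' WAN addresses (lab topology).
SITE_R1 = ["1.1.1.0/24", "10.0.0.0/24"]
SITE_R3 = ["2.2.2.0/24", "30.0.0.0/24"]
R1_WAN, R3_WAN = "12.12.12.1", "23.23.23.3"


def wildcard(prefix: str) -> str:
    """Return 'network wildcard' as IOS ACLs expect (wildcard = inverse netmask)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


def classic_crypto_acl(local: list, remote: list) -> list:
    """Classic site-to-site: one 'permit ip' entry per (local, remote) subnet pair,
    so the entry count is len(local) * len(remote) and grows with every new subnet."""
    return [f"permit ip {wildcard(l)} {wildcard(r)}" for l, r in product(local, remote)]


def gre_over_ipsec_acl(local_wan: str, remote_wan: str) -> list:
    """GRE over IPsec: only GRE (IP protocol 47) between the two tunnel endpoints.
    Adding subnets behind either site does not change this ACL at all."""
    return [f"permit gre host {local_wan} host {remote_wan}"]


if __name__ == "__main__":
    classic = classic_crypto_acl(SITE_R1, SITE_R3)
    print(f"classic site-to-site crypto ACL on R1: {len(classic)} entries")
    print("\n".join("  " + line for line in classic))
    gre = gre_over_ipsec_acl(R1_WAN, R3_WAN)
    print(f"GRE over IPsec crypto ACL on R1: {len(gre)} entry")
    print("  " + gre[0])
```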
The GRE over IPsec configuration is explained using the figure below.
R1 and R3 are the routers that connect the two sites to the Internet.
1. Basic network configuration
Basic network configuration of R1
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
!
interface Ethernet0/0
ip address 12.12.12.1 255.255.255.0
duplex auto
!
interface Ethernet0/3
ip address 10.0.0.1 255.255.255.0
duplex auto
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
Basic network configuration of R2
interface Ethernet0/0
ip address 12.12.12.2 255.255.255.0
interface Ethernet0/1
ip address 23.23.23.2 255.255.255.0
Basic network configuration of R3
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface Ethernet0/1
ip address 23.23.23.3 255.255.255.0
duplex auto
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
ip address 30.0.0.3 255.255.255.0
duplex auto
!
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2
2. Configuring the GRE tunnel
GRE tunnel configuration on R1
interface Tunnel0
ip address 123.123.123.1 255.255.255.0
tunnel source 12.12.12.1
tunnel destination 23.23.23.3
GRE tunnel configuration on R3
interface Tunnel0
ip address 123.123.123.3 255.255.255.0
tunnel source 23.23.23.3
tunnel destination 12.12.12.1
Testing the tunnel (ping to the peer's tunnel source address)
R3(config)#do ping 12.12.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R3(config)#
3. Configuring the dynamic routing protocol (EIGRP)
EIGRP configuration on R1
router eigrp 10
network 1.1.1.0 0.0.0.255 <advertise the Loopback0 interface>
network 10.0.0.0 0.0.0.255 <advertise the directly connected internal network>
network 123.123.123.0 0.0.0.255 <advertise the Tunnel0 interface network>
EIGRP configuration on R3
router eigrp 10
network 2.2.2.0 0.0.0.255
network 30.0.0.0 0.0.0.255
network 123.123.123.0 0.0.0.255
Viewing the routes learned on R3
R3(config)# do show ip route eigrp
Gateway of last resort is 23.23.23.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/27008000] via 123.123.123.1, 00:42:13, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
D 10.0.0.0 [90/26905600] via 123.123.123.1, 00:42:13, Tunnel0
4. Configuring IPsec VPN to protect the GRE traffic between the sites
IPsec configuration on R1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 23.23.23.3
!
!
crypto ipsec transform-set trans13 esp-des esp-md5-hmac
mode transport
!
!
!
crypto map map12 10 ipsec-isakmp
set peer 23.23.23.3
set transform-set trans13
match address vpn13
!
interface Ethernet0/0
ip address 12.12.12.1 255.255.255.0
duplex auto
crypto map map12
!
!
ip access-list extended vpn13
permit gre host 12.12.12.1 host 23.23.23.3
IPsec configuration on R3
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 12.12.12.1
!
!
crypto ipsec transform-set trans13 esp-des esp-md5-hmac
mode transport
!
!
!
crypto map map12 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set trans13
match address vpn13
!
interface Ethernet0/1
ip address 23.23.23.3 255.255.255.0
duplex auto
crypto map map12
!
ip access-list extended vpn13
permit gre host 23.23.23.3 host 12.12.12.1
5. Testing and verifying GRE over IPsec
Ping 1.1.1.1 from R3
R3(config-ext-nacl)#do ping 1.1.1.1 sou 2.2.2.2 re 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Viewing the encryption/decryption status on R3
R3#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
7 IPsec DES+MD5 0 150 150 23.23.23.3
8 IPsec DES+MD5 156 0 0 23.23.23.3
1001 IKE MD5+3DES 0 0 0 23.23.23.3
Viewing the IPsec SA on R3
R3#show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: map12, local addr 23.23.23.3
protected vrf: (none)
local ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
current_peer 12.12.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 189, #pkts encrypt: 189, #pkts digest: 189
#pkts decaps: 185, #pkts decrypt: 185, #pkts verify: 185
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 23.23.23.3, remote crypto endpt.: 12.12.12.1
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0xAB455BC5(2873449413)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x58A44962(1487161698)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: map12
sa timing: remaining key lifetime (k/sec): (4198624/3324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAB455BC5(2873449413)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: map12
sa timing: remaining key lifetime (k/sec): (4198623/3324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Viewing the IPsec SA on R1
R1#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: map12, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 202, #pkts encrypt: 202, #pkts digest: 202
#pkts decaps: 208, #pkts decrypt: 208, #pkts verify: 208
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x58A44962(1487161698)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAB455BC5(2873449413)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, sibling_flags 80004040, crypto map: map12
sa timing: remaining key lifetime (k/sec): (4311632/3158)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x58A44962(1487161698)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, sibling_flags 80004040, crypto map: map12
sa timing: remaining key lifetime (k/sec): (4311633/3158)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
The inbound and outbound SPIs of the IPsec SAs on R1 and R3 correspond to each other: R1's inbound SPI is R3's outbound SPI, and R1's outbound SPI is R3's inbound SPI.
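To check this correspondence programmatically rather than by eye, here is an added Python example (not from the article) that parses trimmed excerpts of the two show crypto ipsec sa outputs above and verifies that the proxy identities are GRE (protocol 47) between the two WAN addresses, that the SAs are ACTIVE, and that each router's inbound SPI is the peer's outbound SPI. The function names are assumptions.

```python
# Added example, not code from the article: parse 'show crypto ipsec sa' from
# both tunnel endpoints and check what the article verifies by eye (GRE proxy
# identities, ACTIVE SAs, inbound SPI == peer's outbound SPI).
# The samples are trimmed excerpts of the article's R3 and R1 output.
import re

R3_SA = """local ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
inbound esp sas:
spi: 0x58A44962(1487161698)
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0xAB455BC5(2873449413)
Status: ACTIVE(ACTIVE)"""
R1_SA = """local ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
inbound esp sas:
spi: 0xAB455BC5(2873449413)
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x58A44962(1487161698)
Status: ACTIVE(ACTIVE)"""

IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/(\d+)/\d+\)")
SPI = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)", re.M)


def parse_sa(text: str) -> dict:
    """Return proxy identities, inbound/outbound ESP SPIs and an ACTIVE flag."""
    sa = {"active": "Status: ACTIVE" in text}
    for side, addr, mask, prot in IDENT.findall(text):
        sa[side] = (addr, mask, int(prot))
    # After 'inbound esp sas:' the first spi line is the inbound SA, the next the outbound.
    sa["in_spi"], sa["out_spi"] = SPI.findall(text.split("inbound esp sas:", 1)[1])[:2]
    return sa


def check_pair(a: dict, b: dict) -> list:
    """Return the problems found for two peers' SA output; an empty list means consistent."""
    problems = []
    if not (a["active"] and b["active"]):
        problems.append("an SA is not ACTIVE")
    if any(sa[side][2] != 47 for sa in (a, b) for side in ("local", "remote")):
        problems.append("proxy identity is not GRE (protocol 47)")
    if a["local"][:2] != b["remote"][:2] or a["remote"][:2] != b["local"][:2]:
        problems.append("local/remote identities do not mirror each other")
    if a["in_spi"] != b["out_spi"] or a["out_spi"] != b["in_spi"]:
        problems.append("an inbound SPI does not match the peer's outbound SPI")
    return problems
```

Note that the transform in this output (esp-des esp-md5-hmac) and the IKE policy used in the lab (3DES, MD5, DH group 2) are deprecated algorithms; a production deployment should use AES (preferably AES-GCM) with SHA-2 and a stronger DH group.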
6. Another way to configure GRE over IPsec
The preceding sections covered the classic GRE over IPsec configuration. Besides that method, Cisco provides another way to configure GRE over IPsec; it produces exactly the same result as the configuration above, but the method is simpler.
It is worth noting that GRE over IPsec still works when one side of the network uses the classic configuration and the other side uses the new one.
New GRE over IPsec configuration on R1
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 23.23.23.3
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile ipsecprof
<create an IPsec profile named "ipsecprof">
set transform-set cisco
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 123.123.123.1 255.255.255.0
tunnel source 12.12.12.1
tunnel destination 23.23.23.3
tunnel protection ipsec profile ipsecprof
!
New GRE over IPsec configuration on R3
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 12.12.12.1
!
!
crypto ipsec transform-set trans13 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsecprof
set transform-set trans13
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
ip address 123.123.123.3 255.255.255.0
tunnel source 23.23.23.3
tunnel destination 12.12.12.1
tunnel protection ipsec profile ipsecprof