9.6 Typical IPsec-over-GRE Configuration
【Requirements】
Branch 1 and Branch 2 connect to the center with IKE aggressive mode, using IPsec over GRE (the IPsec policy is applied on the GRE tunnel interface and protects the private traffic carried inside the tunnel). OSPF runs over the tunnels to provide reachability between headquarters and the branches.
【Network diagram】
【Configuration scripts】
Center configuration script:

#
 ike local-name center                 /the center's IKE local-name is center/
#
 router id 1.1.1.1
#
radius scheme system
#
domain system
#
ike peer branch1                       /IKE peer for Branch 1/
 exchange-mode aggressive              /use IKE aggressive mode/
 pre-shared-key abc                    /pre-shared key abc/
 id-type name                          /use the name as the ID in IKE negotiation/
 remote-name branch1                   /Branch 1's name is branch1/
#
ike peer branch2                       /IKE peer for Branch 2/
 exchange-mode aggressive
 pre-shared-key abc
 id-type name
 remote-name branch2
#
ipsec proposal 1                       /define the IPsec proposal/
#
ipsec policy branch1 10 isakmp         /IPsec policy towards Branch 1; the name must be the one Tunnel0 applies, and it is what display ipsec sa shows/
 security acl 3001                     /ACL referenced by the policy/
 ike-peer branch1                      /reference the IKE peer/
 proposal 1                            /reference the IPsec proposal/
#
ipsec policy branch2 10 isakmp         /policy towards Branch 2, same shape as for Branch 1/
 security acl 3002
 ike-peer branch2
 proposal 1
#
acl number 3001                        /private traffic from the center to Branch 1/
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002                        /private traffic from the center to Branch 2 (192.168.3.0/24, mirroring Branch 2's ACL)/
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.1.2 255.255.255.252
#
interface Tunnel0                      /GRE tunnel between the center and Branch 1/
 ip address 10.0.0.1 255.255.255.252
 source 202.101.1.2
 destination 202.101.2.2
 ipsec policy branch1                  /apply IPsec policy branch1 on Tunnel0/
#
interface Tunnel1                      /GRE tunnel between the center and Branch 2/
 ip address 10.0.0.5 255.255.255.252
 source 202.101.1.2
 destination 202.101.3.2
 ipsec policy branch2                  /apply IPsec policy branch2 on Tunnel1/
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0  /private address of the center/
#
ospf 1
 area 0.0.0.10                         /Branch 1 belongs to area 10/
  network 10.0.0.0 0.0.0.3
 area 0.0.0.20                         /Branch 2 belongs to area 20/
  network 10.0.0.4 0.0.0.3
 area 0.0.0.0                          /headquarters belongs to area 0/
  network 1.1.1.1 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
Branch 1 configuration script:

#
 sysname Branch1
#
 ike local-name branch1                /Branch 1's IKE local-name is branch1/
#
radius scheme system
#
domain system
#
ike peer center                        /IKE peer for the center/
 exchange-mode aggressive              /use IKE aggressive mode/
 pre-shared-key abc                    /pre-shared key abc/
 id-type name                          /use the name as the ID in IKE negotiation/
 remote-name center                    /the peer's name is center/
 remote-address 10.0.0.1               /the peer's address is 10.0.0.1 (the center's Tunnel0 address, not its public address)/
#
ipsec proposal 1                       /define the IPsec proposal/
#
ipsec policy branch1 10 isakmp         /IPsec policy towards the center/
 security acl 3001                     /ACL referenced by the policy/
 ike-peer center                       /reference the IKE peer/
 proposal 1                            /reference the IPsec proposal/
#
acl number 3001                        /private traffic from Branch 1 to the center/
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.2.2 255.255.255.252
#
interface Tunnel0                      /GRE tunnel between Branch 1 and the center/
 ip address 10.0.0.2 255.255.255.252
 source 202.101.2.2
 destination 202.101.1.2
 ipsec policy branch1                  /apply IPsec policy branch1 on Tunnel0/
#
interface NULL0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface Ethernet0/0                  /private address of Branch 1/
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.10                         /Branch 1 belongs to area 10/
  network 2.2.2.2 0.0.0.0
  network 10.0.0.0 0.0.0.3
  network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.101.2.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
Branch 2 configuration script:

#
 sysname Branch2
#
 ike local-name branch2                /Branch 2's IKE local-name is branch2; it must match the remote-name in the center's ike peer branch2/
#
radius scheme system
#
domain system
#
ike peer center                        /IKE peer for the center/
 exchange-mode aggressive              /use IKE aggressive mode/
 pre-shared-key abc                    /pre-shared key abc/
 id-type name                          /use the name as the ID in IKE negotiation/
 remote-name center                    /the peer's name is center/
 remote-address 10.0.0.5               /the peer's address is 10.0.0.5 (the center's Tunnel1 address)/
#
ipsec proposal 1                       /define the IPsec proposal/
#
ipsec policy branch2 10 isakmp         /IPsec policy towards the center; the name must be the one Tunnel0 applies/
 security acl 3001                     /ACL referenced by the policy/
 ike-peer center                       /reference the IKE peer/
 proposal 1                            /reference the IPsec proposal/
#
acl number 3001                        /private traffic from Branch 2 to the center (with IPsec over GRE the ACL matches the inner traffic, not the GRE packets)/
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Serial2/0
 link-protocol ppp
 ip address 202.101.3.2 255.255.255.252
#
interface Tunnel0                      /GRE tunnel between Branch 2 and the center/
 ip address 10.0.0.6 255.255.255.252
 source 202.101.3.2
 destination 202.101.1.2
 ipsec policy branch2                  /apply IPsec policy branch2 on Tunnel0/
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface Ethernet0/0                  /private address of Branch 2/
 ip address 192.168.3.1 255.255.255.0
#
ospf 1
 area 0.0.0.20                         /Branch 2 belongs to area 20/
  network 3.3.3.3 0.0.0.0
  network 10.0.0.4 0.0.0.3
  network 192.168.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.101.3.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
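Three scripts that must agree with each other are easy to get wrong by copy-and-paste: a branch carrying another branch's local-name, an ACL whose destination was not updated, or a tunnel applying a policy name that was never defined. The following Python script is an added example, not part of the original guide and not vendor tooling; it reads the three scripts above (embedded as constructed input trimmed to the lines the checker needs, with the branches produced by a hypothetical branch() template) and cross-checks, per branch, the IKE names through the peer blocks the policies actually reference, that remote-address is the center's tunnel address as IPsec over GRE requires, that the protected flows are mirror images, and that every applied policy exists. The parser and the check names are this example's own.

```python
import re
def parse_config(text):
    """Comware-style script reader: an unindented line opens a section, indented
    lines are its settings, and indented lines before any section go to 'global'."""
    cfg, section = {"global": []}, "global"
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            continue
        if raw[0] != " ":
            section = raw.strip()
            cfg.setdefault(section, [])
        else:
            cfg[section].append(raw.strip())
    return cfg

def setting(cfg, section, key):
    """Argument of the first '<key> ...' line in a section, or None."""
    return next((line[len(key) + 1:] for line in cfg.get(section, []) if line.startswith(key + " ")), None)

def policy_chain(cfg, tunnel):
    """Follow tunnel -> applied ipsec policy -> referenced ike peer and ACL flow."""
    pol = next((s for s in cfg if s.startswith(f"ipsec policy {setting(cfg, tunnel, 'ipsec policy')} ")), None)
    if pol is None:
        return None  # the tunnel applies a policy that was never defined
    rule = setting(cfg, f"acl number {setting(cfg, pol, 'security acl')}", "rule") or ""
    m = re.search(r"source (\S+ \S+) destination (\S+ \S+)", rule)
    return {"peer": f"ike peer {setting(cfg, pol, 'ike-peer')}", "flow": m.groups() if m else None}

def check_pair(center, branch):
    """Cross-check one branch script against the center's; [] means consistent."""
    c_name, b_name = setting(center, "global", "ike local-name"), setting(branch, "global", "ike local-name")
    b_tun = next(s for s in branch if s.startswith("interface Tunnel"))
    c_tun = next((t for t in center if t.startswith("interface Tunnel")
                  and setting(center, t, "destination") == setting(branch, b_tun, "source")), None)
    c_chain, b_chain = policy_chain(center, c_tun) if c_tun else None, policy_chain(branch, b_tun)
    if c_chain is None or b_chain is None:
        return [f"{b_name}: no center tunnel faces this branch, or an applied ipsec policy is not defined"]
    out = []
    # 1. IKE names must cross-match through the peer blocks the policies actually reference
    if setting(center, c_chain["peer"], "remote-name") != b_name:
        out.append(f"{b_name}: center's {c_chain['peer']} does not expect remote-name {b_name}")
    if setting(branch, b_chain["peer"], "remote-name") != c_name:
        out.append(f"{b_name}: remote-name should be the center's local-name {c_name}")
    # 2. IPsec over GRE: the branch dials the center's tunnel address, not its WAN address
    c_tun_ip = setting(center, c_tun, "ip address").split()[0]
    if setting(branch, b_chain["peer"], "remote-address") != c_tun_ip:
        out.append(f"{b_name}: remote-address should be the center's tunnel address {c_tun_ip}")
    # 3. Protected flows must be mirror images, or one side's SA never matches the traffic
    if c_chain["flow"] != tuple(reversed(b_chain["flow"] or ())):
        out.append(f"{b_name}: ACLs are not mirror images: center {c_chain['flow']}, branch {b_chain['flow']}")
    return out

CENTER_TEXT = """\
 ike local-name center
ike peer branch1
 remote-name branch1
ike peer branch2
 remote-name branch2
ipsec policy branch1 10 isakmp
 security acl 3001
 ike-peer branch1
ipsec policy branch2 10 isakmp
 security acl 3002
 ike-peer branch2
acl number 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 destination 202.101.2.2
 ipsec policy branch1
interface Tunnel1
 ip address 10.0.0.5 255.255.255.252
 destination 202.101.3.2
 ipsec policy branch2
"""
CENTER = parse_config(CENTER_TEXT)  # constructed: the center script above, trimmed to the lines read here

def branch(name, lan, wan, tun_ip, center_tun_ip):
    """Hypothetical template producing a branch script in the shape of Branch1/Branch2 above."""
    return parse_config(f"""\
 ike local-name {name}
ike peer center
 remote-name center
 remote-address {center_tun_ip}
ipsec policy {name} 10 isakmp
 security acl 3001
 ike-peer center
acl number 3001
 rule 0 permit ip source {lan} 0.0.0.255 destination 192.168.1.0 0.0.0.255
interface Tunnel0
 ip address {tun_ip} 255.255.255.252
 source {wan}
 destination 202.101.1.2
 ipsec policy {name}
""")

BRANCH1 = branch("branch1", "192.168.2.0", "202.101.2.2", "10.0.0.2", "10.0.0.1")
BRANCH2 = branch("branch2", "192.168.3.0", "202.101.3.2", "10.0.0.6", "10.0.0.5")
```

Running check_pair(CENTER, BRANCH1) and check_pair(CENTER, BRANCH2) on the scripts as published here returns an empty list for both. Generating Branch 2 with name "branch1" makes the checker report that the center's ike peer branch2 does not expect that identity; giving a branch the center's public address 202.101.1.2 as remote-address (the GRE-over-IPsec habit) is reported as check 2; an ACL whose destination was left at 192.168.2.0 on the center is reported as a non-mirrored flow.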
【Verification】
1. IKE SA state on the center:
disp ike sa
connection-id peer flag phase doi
----------------------------------------------------------
44 10.0.0.2 RD 1 IPSEC
48 10.0.0.6 RD 2 IPSEC
47 10.0.0.6 RD 1 IPSEC
45 10.0.0.2 RD 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
2. IPsec SA state on the center:
disp ipsec sa
===============================
Interface: Tunnel0
path MTU: 64000
===============================
-----------------------------
IPsec policy name: "branch1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 8
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.1
remote address: 10.0.0.2
flow: (4 times matched)
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2701983530 (0xa10cff2a)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436664/2136
max received sequence-number: 2
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2132567950 (0x7f1c678e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436632/2136
max sent sequence-number: 3
udp encapsulation used for nat traversal: N
===============================
Interface: Tunnel1
path MTU: 64000
===============================
-----------------------------
IPsec policy name: "branch2"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 9
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.5
remote address: 10.0.0.6
flow: (18 times matched)
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.3.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1612204948 (0x60184b94)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436188/2886
max received sequence-number: 9
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3432409622 (0xcc966a16)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436044/2886
max sent sequence-number: 10
udp encapsulation used for nat traversal: N
3. Routing table on the center:
disp ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 202.101.1.1 Serial2/0/0
1.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
2.2.2.2/32 OSPF 10 1563 10.0.0.2 Tunnel0
3.3.3.3/32 OSPF 10 1563 10.0.0.6 Tunnel1
10.0.0.0/30 DIRECT 0 0 10.0.0.1 Tunnel0
10.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
10.0.0.4/30 DIRECT 0 0 10.0.0.5 Tunnel1
10.0.0.5/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 DIRECT 0 0 192.168.1.1 LoopBack10
192.168.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.2.0/24 OSPF 10 1563 10.0.0.2 Tunnel0
192.168.3.0/24 OSPF 10 1563 10.0.0.6 Tunnel1
202.101.1.0/30 DIRECT 0 0 202.101.1.2 Serial2/0/0
202.101.1.1/32 DIRECT 0 0 202.101.1.1 Serial2/0/0
202.101.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
4. IKE SA state on Branch 1:
disp ike sa
connection-id peer flag phase doi
----------------------------------------------------------
27 10.0.0.1 RD|ST 1 IPSEC
28 10.0.0.1 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
5. IPsec SA state on Branch 1:
disp ipsec sa
===============================
Interface: Tunnel0
path MTU: 64000
===============================
-----------------------------
IPsec policy name: "branch1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 6
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.1
flow: (4 times matched)
sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP
dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2132567950 (0x7f1c678e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436664/2054
max received sequence-number: 2
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2701983530 (0xa10cff2a)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436632/2054
max sent sequence-number: 3
udp encapsulation used for nat traversal: N
6. Routing table on Branch 1:
disp ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 202.101.2.1 Serial2/0/0
1.1.1.1/32 OSPF 10 1563 10.0.0.1 Tunnel0
2.2.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
3.3.3.3/32 OSPF 10 3125 10.0.0.1 Tunnel0
10.0.0.0/30 DIRECT 0 0 10.0.0.2 Tunnel0
10.0.0.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
10.0.0.4/30 OSPF 10 3124 10.0.0.1 Tunnel0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 OSPF 10 1563 10.0.0.1 Tunnel0
192.168.2.0/24 DIRECT 0 0 192.168.2.1 LoopBack10
192.168.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.3.0/24 OSPF 10 3125 10.0.0.1 Tunnel0
202.101.2.0/30 DIRECT 0 0 202.101.2.2 Serial2/0/0
202.101.2.1/32 DIRECT 0 0 202.101.2.1 Serial2/0/0
202.101.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
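Two questions a practitioner wants answered mechanically from the output above: does every expected peer hold a READY phase-1 and phase-2 IKE SA, and which algorithms did the IPsec SAs actually negotiate. The following Python script is an added example, not part of the original guide and not vendor tooling. It parses the center's display ike sa and display ipsec sa output from the verification section, embedded here as constructed sample strings trimmed to the lines the parser reads, and flags the ESP-ENCRYPT-DES ESP-AUTH-MD5 transforms that appear there. The function names and the WEAK_TOKENS set are this example's own choices.

```python
import re

# Constructed sample: the center's "display ike sa" output from the verification
# section above (the peer column holds the branches' GRE tunnel addresses).
IKE_SA_OUTPUT = """\
connection-id peer flag phase doi
----------------------------------------------------------
44 10.0.0.2 RD 1 IPSEC
48 10.0.0.6 RD 2 IPSEC
47 10.0.0.6 RD 1 IPSEC
45 10.0.0.2 RD 2 IPSEC
"""

# Constructed sample: the center's "display ipsec sa" output above, trimmed to the
# lines this checker reads (interface, policy, SA direction, SPI, proposal).
IPSEC_SA_OUTPUT = """\
===============================
Interface: Tunnel0
===============================
IPsec policy name: "branch1"
sequence number: 10
[inbound ESP SAs]
spi: 2701983530 (0xa10cff2a)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
[outbound ESP SAs]
spi: 2132567950 (0x7f1c678e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
===============================
Interface: Tunnel1
===============================
IPsec policy name: "branch2"
sequence number: 10
[inbound ESP SAs]
spi: 1612204948 (0x60184b94)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
[outbound ESP SAs]
spi: 3432409622 (0xcc966a16)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
"""

IKE_ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d)\s+(\S+)\s*$")
WEAK_TOKENS = {"DES", "3DES", "MD5", "NULL"}  # transform names no production SA should carry

def parse_ike_sa(text):
    """One dict per SA row: connection id, peer address, flag set (RD|ST splits), phase."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "peer": m.group(2),
                         "flags": set(m.group(3).split("|")), "phase": int(m.group(4))})
    return rows

def missing_sas(rows, expected_peers):
    """Expected peers lacking a READY (RD) phase-1 or phase-2 SA; [] means every tunnel is up."""
    ready = {(r["peer"], r["phase"]) for r in rows if "RD" in r["flags"]}
    return sorted(f"{p} phase {ph}" for p in expected_peers for ph in (1, 2) if (p, ph) not in ready)

def parse_ipsec_sa(text):
    """One record per ESP SA: interface, policy name, direction, SPI and proposal tokens."""
    recs, iface, policy, direction, spi = [], None, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Interface:"):
            iface = line.split(":", 1)[1].strip()
        elif line.startswith("IPsec policy name:"):
            policy = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("[inbound") or line.startswith("[outbound"):
            direction = line[1:].split()[0]
        elif line.startswith("spi:"):
            spi = int(line.split()[1])
        elif line.startswith("proposal:"):
            recs.append({"interface": iface, "policy": policy, "direction": direction,
                         "spi": spi, "proposal": line.split(":", 1)[1].split()})
    return recs

def weak_sas(recs):
    """SAs whose negotiated transform names contain a weak or null algorithm."""
    out = []
    for r in recs:
        hit = sorted({t for alg in r["proposal"] for t in alg.split("-")} & WEAK_TOKENS)
        if hit:
            out.append(dict(r, weak=hit))
    return out

if __name__ == "__main__":
    print("missing:", missing_sas(parse_ike_sa(IKE_SA_OUTPUT), ["10.0.0.2", "10.0.0.6"]))
    for sa in weak_sas(parse_ipsec_sa(IPSEC_SA_OUTPUT)):
        print(f"{sa['interface']} policy {sa['policy']} {sa['direction']} spi {sa['spi']:#x}: weak {sa['weak']}")
```

On the sample above, missing_sas() returns an empty list (both branch tunnel addresses have a READY phase 1 and phase 2), and weak_sas() returns all four ESP SAs, each tagged DES and MD5. The same two functions run unchanged on the Branch 1 output, whose flags read RD|ST.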
【Tips】
1. The configuration differences between GRE over IPsec and IPsec over GRE:

   Item                            | GRE over IPsec             | IPsec over GRE
   --------------------------------|----------------------------|-------------------------------
   ACL definition                  | the GRE traffic            | the private (inner) traffic
   remote-address in the IKE peer  | the peer's public address  | the peer's GRE tunnel address
   Where the policy is applied     | the public egress interface| the GRE tunnel interface

2. The branches and the center reach each other through OSPF routes; if OSPF is not running, static routes must be configured on the branches and the center instead.
【Center configuration】
ip route-static 192.168.2.0 255.255.255.0 Tunnel 0 preference 60   /traffic to Branch 1's private network leaves via Tunnel0/
ip route-static 192.168.3.0 255.255.255.0 Tunnel 1 preference 60   /traffic to Branch 2's private network leaves via Tunnel1/
【Branch 1 configuration】
ip route-static 192.168.1.0 255.255.255.0 Tunnel 0 preference 60   /traffic to the center's private network leaves via Tunnel0/
【Branch 2 configuration】
ip route-static 192.168.1.0 255.255.255.0 Tunnel 0 preference 60   /traffic to the center's private network leaves via Tunnel0/
3. The display ipsec sa output above shows the SAs negotiated with ESP-ENCRYPT-DES ESP-AUTH-MD5, which is what ipsec proposal 1 yields when no transform is set explicitly, and phase 1 uses aggressive mode with the pre-shared key abc. Aggressive mode sends the peer identities in clear and lets a passive observer attempt offline guessing of the pre-shared key. For a production deployment set the ESP algorithms explicitly in the proposal (esp encryption-algorithm and esp authentication-algorithm in proposal view; the algorithms available depend on the platform and software release), use a long random pre-shared key that differs per peer, and keep aggressive mode only where a branch has a dynamic address and must identify itself by name; with fixed addresses as in this example, main mode is available.