GRE OVER IPSEC VPN
Source: Internet. Editor: 程序博客网. Posted: 2024/03/29 15:46
1. Why use GRE?
The classic IPsec VPN configuration on IOS and ASA interoperates with most vendors' VPN devices, so its compatibility is very good. While building a VPN environment, however, we may run into problems that the classic VPN cannot solve, for example when there is a complex network behind the VPN devices, as in the figure below,
or an even more complex topology; then we have to consider GRE.
First, let us look at the problems a classic IPsec VPN runs into:
2. Analysing GRE over IPsec
In the figure below, a GRE tunnel is built between the two sites. The tunnel's job is to connect the two sites virtually, and if a dynamic routing protocol is enabled on the GRE endpoints, the complex networks behind each LAN are learned dynamically. ACLs, NAT, QoS and similar features are configured on the tunnel interface, and when matching interesting traffic for IPsec we only need to match the GRE traffic between the two tunnel endpoints. The topology is shown below.
3. Classic GRE over IPsec configuration
R1#show run
Building configuration...
Current configuration : 1956 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 23.23.23.3
!
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsecprof
set transform-set mytrans
!
!
crypto map mymap 100 ipsec-isakmp
set peer 23.23.23.3
set transform-set mytrans
match address VPN
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
ip address 1.1.2.1 255.255.255.255
!
interface Loopback3
ip address 1.1.3.1 255.255.255.255
!
interface Loopback4
ip address 1.1.4.1 255.255.255.255
!
interface Loopback5
ip address 1.1.5.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
tunnel source 12.12.12.1
tunnel destination 23.23.23.3
!
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
router eigrp 100
redistribute ospf 100 metric 1000000 10 10 10 1500
network 1.1.4.0 0.0.0.255
network 1.1.5.0 0.0.0.255
no auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 100 subnets
network 1.1.1.0 0.0.0.255 area 0
network 1.1.2.0 0.0.0.255 area 0
network 1.1.3.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
!
!
!
ip access-list extended VPN
permit gre host 12.12.12.1 host 23.23.23.3
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 23.23.23.2 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
R3#show run
Building configuration...
Current configuration : 1957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 12.12.12.1
!
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsecprof
set transform-set mytrans
!
!
crypto map mymap 100 ipsec-isakmp
set peer 12.12.12.1
set transform-set mytrans
match address VPN
!
!
!
!
interface Loopback1
ip address 3.3.1.1 255.255.255.0
!
interface Loopback2
ip address 3.3.2.1 255.255.255.0
!
interface Loopback3
ip address 3.3.3.1 255.255.255.0
!
interface Loopback4
ip address 3.3.4.1 255.255.255.0
!
interface Loopback5
ip address 3.3.5.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
tunnel source 23.23.23.3
tunnel destination 12.12.12.1
!
interface FastEthernet0/0
ip address 23.23.23.3 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
router eigrp 100
redistribute ospf 100 metric 1000000 10 10 10 1500
network 3.3.4.0 0.0.0.255
network 3.3.5.0 0.0.0.255
no auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 100 subnets
network 3.3.1.0 0.0.0.255 area 0
network 3.3.2.0 0.0.0.255 area 0
network 3.3.3.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 23.23.23.2
!
ip access-list extended VPN
permit gre host 23.23.23.3 host 12.12.12.1
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
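Section 2 said the crypto ACL only has to match GRE between the two tunnel endpoints; it must also be the exact mirror of the peer's ACL, and the crypto map peer must be the tunnel destination, otherwise no SA is ever built for the tunnel traffic. The check below is an added example, not code from the original post: it verifies that binding against excerpts of the R1 and R3 configurations above (`endpoints` and `check` are hypothetical helper names).

```python
import re
# Constructed excerpts of the R1 and R3 running-configs shown on this page, reduced
# to the lines that bind the GRE tunnel, the crypto map and the crypto ACL together.
R1_CFG = """crypto map mymap 100 ipsec-isakmp
 set peer 23.23.23.3
 match address VPN
interface Tunnel0
 tunnel source 12.12.12.1
 tunnel destination 23.23.23.3
ip access-list extended VPN
 permit gre host 12.12.12.1 host 23.23.23.3
"""
R3_CFG = """crypto map mymap 100 ipsec-isakmp
 set peer 12.12.12.1
 match address VPN
interface Tunnel0
 tunnel source 23.23.23.3
 tunnel destination 12.12.12.1
ip access-list extended VPN
 permit gre host 23.23.23.3 host 12.12.12.1
"""

def field(cfg, pattern):
    """First capture group of pattern in cfg, or None when that line is absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def endpoints(cfg):
    """Addresses that the crypto map, the tunnel and the crypto ACL of one site point at."""
    acl = field(cfg, r"^\s*match address (\S+)") or ""
    ace = re.search(r"^ip access-list extended %s\n\s*permit (\S+) host (\S+) host (\S+)"
                    % re.escape(acl), cfg, re.M)
    return {"peer": field(cfg, r"^\s*set peer (\S+)"),
            "src": field(cfg, r"^\s*tunnel source (\S+)"),
            "dst": field(cfg, r"^\s*tunnel destination (\S+)"),
            "ace": ace.groups() if ace else None}  # (proto, src, dst) of the first ACE

def check(local_cfg, remote_cfg):
    """Problems in the local site's binding; an empty list means it is consistent."""
    l, r = endpoints(local_cfg), endpoints(remote_cfg)
    problems = []
    if l["peer"] != l["dst"]:
        problems.append("crypto map peer differs from the tunnel destination")
    if l["ace"] != ("gre", l["src"], l["dst"]):
        problems.append("crypto ACL does not match GRE between the tunnel endpoints")
    mirror = r["ace"] and (r["ace"][0], r["ace"][2], r["ace"][1])  # remote ACE reversed
    if l["ace"] is None or l["ace"] != mirror:
        problems.append("crypto ACL is not the mirror image of the remote site's ACL")
    return problems
```

The same configs use 3DES, MD5 and DH group 2 with a pre-shared key; that choice is independent of the GRE binding this check covers and is not what a current deployment would pick.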
4. IPsec results
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 12.12.12.2 to network 0.0.0.0
1.0.0.0/32 is subnetted, 5 subnets
C 1.1.1.1 is directly connected, Loopback1
C 1.1.3.1 is directly connected, Loopback3
C 1.1.2.1 is directly connected, Loopback2
C 1.1.5.1 is directly connected, Loopback5
C 1.1.4.1 is directly connected, Loopback4
3.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 3.3.1.1/32 [110/11112] via 172.16.0.2, 00:57:12, Tunnel0
O 3.3.3.1/32 [110/11112] via 172.16.0.2, 00:57:12, Tunnel0
O 3.3.2.1/32 [110/11112] via 172.16.0.2, 00:57:14, Tunnel0
O E2 3.3.4.0/24 [110/20] via 172.16.0.2, 00:57:14, Tunnel0
O E2 3.3.5.0/24 [110/20] via 172.16.0.2, 00:57:14, Tunnel0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Tunnel0
12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 12.12.12.2
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 23.23.23.2 to network 0.0.0.0
1.0.0.0/32 is subnetted, 5 subnets
O 1.1.1.1 [110/11112] via 172.16.0.1, 00:57:04, Tunnel0
O 1.1.3.1 [110/11112] via 172.16.0.1, 00:57:04, Tunnel0
O 1.1.2.1 [110/11112] via 172.16.0.1, 00:57:04, Tunnel0
O E2 1.1.5.1 [110/20] via 172.16.0.1, 00:57:04, Tunnel0
O E2 1.1.4.1 [110/20] via 172.16.0.1, 00:57:04, Tunnel0
3.0.0.0/24 is subnetted, 5 subnets
C 3.3.1.0 is directly connected, Loopback1
C 3.3.2.0 is directly connected, Loopback2
C 3.3.3.0 is directly connected, Loopback3
C 3.3.4.0 is directly connected, Loopback4
C 3.3.5.0 is directly connected, Loopback5
23.0.0.0/24 is subnetted, 1 subnets
C 23.23.23.0 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 23.23.23.2
Check the encryption/decryption state
R1#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 12.12.12.1 set HMAC_MD5+3DES_56_C 0 0
2001 FastEthernet0/0 12.12.12.1 set 3DES+MD5 0 23
2002 FastEthernet0/0 12.12.12.1 set 3DES+MD5 23 0
R3# show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 23.23.23.3 set HMAC_MD5+3DES_56_C 0 0
2001 FastEthernet0/0 23.23.23.3 set 3DES+MD5 0 17
2002 FastEthernet0/0 23.23.23.3 set 3DES+MD5 17 0
Check the IPsec SA state
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
#pkts decaps: 384, #pkts decrypt: 384, #pkts verify: 384
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x13838BB1(327388081)
inbound esp sas:
spi: 0x2CA31996(748886422)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4524245/3496)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x13838BB1(327388081)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4524245/3495)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
R3#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 23.23.23.3
protected vrf: (none)
local ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
current_peer 12.12.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 377, #pkts encrypt: 377, #pkts digest: 377
#pkts decaps: 373, #pkts decrypt: 373, #pkts verify: 373
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 23.23.23.3, remote crypto endpt.: 12.12.12.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x2CA31996(748886422)
inbound esp sas:
spi: 0xCB8925B4(3414762932)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424861/34)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x13838BB1(327388081)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4417602/3562)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEA9839B7(3935844791)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424860/33)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x2CA31996(748886422)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4417602/3561)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
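The parser below is an added example, not part of the original post: it extracts the per-SA fields from the `show crypto ipsec sa` output above and flags what a reviewer would want to notice, namely that both transform sets configure `mode transport` yet every SA reports `{Tunnel, }`, that R3 reports `#send errors 1`, and that one of R3's SA pairs has only 33 to 34 seconds of key lifetime left. `parse_sas` and `audit` are hypothetical names, and the embedded sample is R1's output trimmed to the parsed fields.

```python
import re
# Constructed excerpt of R1's "show crypto ipsec sa" from this page, trimmed to the parsed fields.
R1_SA = """    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x2CA31996(748886422)
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4524245/3496)
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0x13838BB1(327388081)
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4524245/3495)
        replay detection support: Y
        Status: ACTIVE
"""

def parse_sas(text):
    """One dict per ESP SA: direction, SPI, negotiated mode, seconds left, replay, status."""
    sas, direction = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("esp sas:"):
            direction = line.split()[0]
        elif line.startswith("spi:"):
            sas.append({"dir": direction, "spi": line.split()[1].split("(")[0]})
        elif sas and line.startswith("in use settings"):
            sas[-1]["mode"] = re.search(r"\{(\w+)", line).group(1).lower()
        elif sas and line.startswith("sa timing"):
            sas[-1]["sec_left"] = int(line.rsplit("/", 1)[1].rstrip(")"))
        elif sas and line.startswith("replay detection"):
            sas[-1]["replay"] = line.endswith("Y")
        elif sas and line.startswith("Status:"):
            sas[-1]["status"] = line.split()[1]
    return sas

def audit(text, expected_mode="transport", min_seconds=60):
    """Flag SAs whose negotiated state differs from the configured intent."""
    findings = []
    errs = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    if errs and errs.groups() != ("0", "0"):
        findings.append(f"send/recv errors: {errs[1]}/{errs[2]}")
    for sa in parse_sas(text):
        checks = [
            (sa["status"] != "ACTIVE" or not sa["replay"],
             f"status {sa['status']}, anti-replay {'on' if sa['replay'] else 'off'}"),
            (sa["mode"] != expected_mode, f"negotiated {sa['mode']} mode, configured {expected_mode}"),
            (sa["sec_left"] < min_seconds, f"only {sa['sec_left']}s of key lifetime left"),
        ]
        findings += [f"{sa['dir']} {sa['spi']}: {msg}" for bad, msg in checks if bad]
    return findings
```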
5. Testing
R1#ping 3.3.3.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/82/100 ms
R3#ping 1.1.3.1 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/75/88 ms