GRE OVER IPSEC VPN

Source: Internet | Posted under: 全球最大电子书软件 | Editor: 程序博客网 | Date: 2024/03/29 15:46

1. Why use GRE

The traditional IPsec VPN is the classic configuration on IOS and ASA. It interoperates with most vendors' VPN equipment, so compatibility is very good, but while building a VPN environment we may run into problems that the classic VPN cannot solve. For example, as in the figure below, there may be many complex networks behind the VPN devices,

or a topology even more complex than that, and then we have to consider an alternative.

First, let us look at the difficulties the classic IPsec VPN runs into:
 

2. Analysis of GRE over IPsec

In the figure below, a GRE tunnel is built between the two sites. The tunnel virtually connects the two sites together, and if a dynamic routing protocol is enabled on the GRE endpoints, the complex networks behind each LAN are learned dynamically. Features such as ACLs, NAT and QoS are configured on the tunnel interface, and when defining the interesting traffic for IPsec we only need to match the GRE traffic between the two tunnel endpoints (host to host). The topology is as follows:
 

3. Classic GRE over IPsec configuration

Note that both routers define crypto ipsec profile ipsecprof but never attach it to Tunnel0 with tunnel protection; encryption is driven entirely by crypto map mymap on FastEthernet0/0, whose ACL VPN matches only the GRE packets exchanged between the two tunnel endpoints.

R1#show run
Building configuration...

Current configuration : 1956 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
ip cef
no ip domain lookup
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile ipsecprof
 set transform-set mytrans
!
crypto map mymap 100 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set mytrans
 match address VPN
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip address 1.1.2.1 255.255.255.255
!
interface Loopback3
 ip address 1.1.3.1 255.255.255.255
!
interface Loopback4
 ip address 1.1.4.1 255.255.255.255
!
interface Loopback5
 ip address 1.1.5.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source 12.12.12.1
 tunnel destination 23.23.23.3
!
interface FastEthernet0/0
 ip address 12.12.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
router eigrp 100
 redistribute ospf 100 metric 1000000 10 10 10 1500
 network 1.1.4.0 0.0.0.255
 network 1.1.5.0 0.0.0.255
 no auto-summary
!
router ospf 100
 log-adjacency-changes
 redistribute eigrp 100 subnets
 network 1.1.1.0 0.0.0.255 area 0
 network 1.1.2.0 0.0.0.255 area 0
 network 1.1.3.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
ip access-list extended VPN
 permit gre host 12.12.12.1 host 23.23.23.3
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Transit router between R1 and R3 (the 12.12.12.2 / 23.23.23.2 hop), interface configuration only:

interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 23.23.23.2 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server


R3#show run
Building configuration...

Current configuration : 1957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
ip cef
no ip domain lookup
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile ipsecprof
 set transform-set mytrans
!
crypto map mymap 100 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set mytrans
 match address VPN
!
interface Loopback1
 ip address 3.3.1.1 255.255.255.0
!
interface Loopback2
 ip address 3.3.2.1 255.255.255.0
!
interface Loopback3
 ip address 3.3.3.1 255.255.255.0
!
interface Loopback4
 ip address 3.3.4.1 255.255.255.0
!
interface Loopback5
 ip address 3.3.5.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 tunnel source 23.23.23.3
 tunnel destination 12.12.12.1
!
interface FastEthernet0/0
 ip address 23.23.23.3 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
router eigrp 100
 redistribute ospf 100 metric 1000000 10 10 10 1500
 network 3.3.4.0 0.0.0.255
 network 3.3.5.0 0.0.0.255
 no auto-summary
!
router ospf 100
 log-adjacency-changes
 redistribute eigrp 100 subnets
 network 3.3.1.0 0.0.0.255 area 0
 network 3.3.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 23.23.23.2
!
ip access-list extended VPN
 permit gre host 23.23.23.3 host 12.12.12.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
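Added example (not part of the original post): a small Python checker that parses the pieces of the two configurations above that GRE over IPsec depends on and verifies that R1 and R3 mirror each other: tunnel source/destination, ISAKMP key and crypto-map peer, the crypto map sitting on the interface that owns the tunnel source, and an interesting-traffic ACL that permits exactly the GRE flow between the endpoints. The config excerpts are constructed from the page's values; parse and check_pair are names chosen here.

```python
import re
# Constructed excerpts of the R1 and R3 running-configs from this page (crypto map on Fa0/0).
R1_CFG = """crypto isakmp key cisco address 23.23.23.3
crypto map mymap 100 ipsec-isakmp
 set peer 23.23.23.3
 match address VPN
interface Tunnel0
 tunnel source 12.12.12.1
 tunnel destination 23.23.23.3
interface FastEthernet0/0
 ip address 12.12.12.1 255.255.255.0
 crypto map mymap
ip access-list extended VPN
 permit gre host 12.12.12.1 host 23.23.23.3"""
# R3 is R1 with the two endpoint addresses swapped, exactly as on the page.
R3_CFG = R1_CFG.replace("23.23.23.3", "@").replace("12.12.12.1", "23.23.23.3").replace("@", "12.12.12.1")

def parse(cfg):
    """Collect ISAKMP peer, crypto-map peer/ACL, interface and ACL facts from an IOS config."""
    f, section = {"acl": {}, "ifaces": {}}, ""
    for line in cfg.splitlines():
        w = line.split()
        if not line.startswith(" "):                     # a top-level command opens a new section
            section = line
            if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                f["isakmp_peer"] = m.group(1)
        elif section.startswith("crypto map") and len(w) == 3 and w[1] in ("peer", "address"):
            f["map_name"], f["map_" + w[1]] = section.split()[2], w[2]
        elif section.startswith("interface") and len(w) >= 3:   # "tunnel source X", "crypto map X"
            f["ifaces"].setdefault(section.split()[1], {})[" ".join(w[:2])] = w[2]
        elif section.startswith("ip access-list") and w and w[0] == "permit":
            f["acl"].setdefault(section.split()[-1], []).append(" ".join(w[1:]))
    return f

def check_pair(a, b):
    """Return mismatches between the two endpoints; an empty list means the configs mirror correctly."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        tun = next(d for n, d in me["ifaces"].items() if n.startswith("Tunnel"))
        src, dst = tun["tunnel source"], tun["tunnel destination"]
        if dst != next(d for n, d in peer["ifaces"].items() if n.startswith("Tunnel"))["tunnel source"]:
            problems.append(f"{src}: tunnel destination {dst} is not the peer's tunnel source")
        if me.get("isakmp_peer") != dst or me.get("map_peer") != dst:
            problems.append(f"{src}: ISAKMP key / crypto map peer must be {dst}")
        phys = next((d for d in me["ifaces"].values() if d.get("ip address") == src), {})
        if phys.get("crypto map") != me.get("map_name"):   # map must sit on the tunnel-source interface
            problems.append(f"{src}: crypto map {me.get('map_name')} not applied on the tunnel-source interface")
        if f"gre host {src} host {dst}" not in me["acl"].get(me.get("map_address"), []):  # only the GRE flow
            problems.append(f"{src}: ACL {me.get('map_address')} lacks 'permit gre host {src} host {dst}'")
    return problems
```

Running check_pair(parse(R1_CFG), parse(R3_CFG)) on the page's configs returns an empty list; a single wrong octet in one tunnel destination is reported from that side together with the peer and ACL entries it invalidates.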

4. IPsec results

 

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 12.12.12.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 5 subnets
C       1.1.1.1 is directly connected, Loopback1
C       1.1.3.1 is directly connected, Loopback3
C       1.1.2.1 is directly connected, Loopback2
C       1.1.5.1 is directly connected, Loopback5
C       1.1.4.1 is directly connected, Loopback4
     3.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O       3.3.1.1/32 [110/11112] via 172.16.0.2, 00:57:12, Tunnel0
O       3.3.3.1/32 [110/11112] via 172.16.0.2, 00:57:12, Tunnel0
O       3.3.2.1/32 [110/11112] via 172.16.0.2, 00:57:14, Tunnel0
O E2    3.3.4.0/24 [110/20] via 172.16.0.2, 00:57:14, Tunnel0
O E2    3.3.5.0/24 [110/20] via 172.16.0.2, 00:57:14, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Tunnel0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 12.12.12.2

 

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 23.23.23.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 5 subnets
O       1.1.1.1 [110/11112] via 172.16.0.1, 00:57:04, Tunnel0
O       1.1.3.1 [110/11112] via 172.16.0.1, 00:57:04, Tunnel0
O       1.1.2.1 [110/11112] via 172.16.0.1, 00:57:04, Tunnel0
O E2    1.1.5.1 [110/20] via 172.16.0.1, 00:57:04, Tunnel0
O E2    1.1.4.1 [110/20] via 172.16.0.1, 00:57:04, Tunnel0
     3.0.0.0/24 is subnetted, 5 subnets
C       3.3.1.0 is directly connected, Loopback1
C       3.3.2.0 is directly connected, Loopback2
C       3.3.3.0 is directly connected, Loopback3
C       3.3.4.0 is directly connected, Loopback4
C       3.3.5.0 is directly connected, Loopback5
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 23.23.23.2

 

Check the encryption/decryption state:

R1#show crypto engine connections active

  ID Interface            IP-Address      State Algorithm               Encrypt  Decrypt
   1 FastEthernet0/0      12.12.12.1      set   HMAC_MD5+3DES_56_C            0        0
2001 FastEthernet0/0      12.12.12.1      set   3DES+MD5                      0       23
2002 FastEthernet0/0      12.12.12.1      set   3DES+MD5                     23        0

R3#show crypto engine connections active

  ID Interface            IP-Address      State Algorithm               Encrypt  Decrypt
   1 FastEthernet0/0      23.23.23.3      set   HMAC_MD5+3DES_56_C            0        0
2001 FastEthernet0/0      23.23.23.3      set   3DES+MD5                      0       17
2002 FastEthernet0/0      23.23.23.3      set   3DES+MD5                     17        0

 

Check the IPsec SA state:

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 12.12.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
   current_peer 23.23.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
    #pkts decaps: 384, #pkts decrypt: 384, #pkts verify: 384
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x13838BB1(327388081)

     inbound esp sas:
      spi: 0x2CA31996(748886422)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4524245/3496)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x13838BB1(327388081)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4524245/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#

R3#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 23.23.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 377, #pkts encrypt: 377, #pkts digest: 377
    #pkts decaps: 373, #pkts decrypt: 373, #pkts verify: 373
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 23.23.23.3, remote crypto endpt.: 12.12.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x2CA31996(748886422)

     inbound esp sas:
      spi: 0xCB8925B4(3414762932)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4424861/34)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x13838BB1(327388081)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4417602/3562)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA9839B7(3935844791)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4424860/33)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x2CA31996(748886422)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4417602/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

5. Test

R1#ping 3.3.3.1 source loopback 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/82/100 ms

R3#ping 1.1.3.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/75/88 ms
 

 

