下载文档原格式
GRE over IPSEC配置一、技术简介GRE over IPSec的外层ip就是公网的路由IP,GRE over IPSec,是将整个已经封装过的GRE数据包进行加密。
由于IPSec不支持对多播和广播数据包的加密,这样的话,使用IPSec的隧道中,动态路由协议等依靠多播和广播的协议就不能进行正常通告,所以,这时候要配合GRE隧道,GRE隧道会将多播和广播数据包封装到单播包中,再经过IPSec 加密。
此外由于GRE建立的是简单的,不进行加密的VPN隧道,他通过在物理链路中使用ip地址和路由穿越普通网络。
所以很常见的方法就是使用IPSec对GRE 进行加密,提供数据安全保证。
二、设备简介在总部与两个分部的出口路由器之间实施GRE over IPSec技术。
三、基本配置总部配置:Router#conf tRouter(config)#no ip do loRouter(config)#line con 0Router(config-line)#logg syRouter(config-line)#exec-t 0 0Router(config)#ho BJ-R-001BJ-R-001(config)#int lo 0BJ-R-001(config-if)#ip add 192.168.1.1 255.255.255.0 配置loopback口地址BJ-R-001(config-if)#int s0/0BJ-R-001(config-if)#ip add 12.12.12.1 255.255.255.0 配置接口地址BJ-R-001(config-if)#no shBJ-R-001(config-if)#exitBJ-R-001(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.2 配置静态路由BJ-R-001(config)#crypto isakmp policy 10 定义isakmp策略BJ-R-001(config-isakmp)#hash md5BJ-R-001(config-isakmp)#encryption desBJ-R-001(config-isakmp)#group 2BJ-R-001(config-isakmp)#authentication pre-shareBJ-R-001(config-isakmp)#exitBJ-R-001(config)#crypto isakmp key 0 cisco address 23.23.23.3BJ-R-001(config)#crypto isakmp key 0 cisco address 24.24.24.4BJ-R-001(config)#crypto ipsec transform-set beijing esp-des esp-md5-hmac 设置转换集BJ-R-001(cfg-crypto-trans)#exitBJ-R-001(config)#crypto ipsec profile cisco 定义配置文件BJ-R-001(ipsec-profile)#set transform-set beijingBJ-R-001(ipsec-profile)#exitBJ-R-001(config)#int tunnel 0 配置tunnelBJ-R-001(config-if)#ip add 172.16.1.1 255.255.255.0BJ-R-001(config-if)#tunnel source s0/0BJ-R-001(config-if)#tunnel destination 23.23.23.3BJ-R-001(config-if)#tunnel mode ipsec ipv4BJ-R-001(config-if)#tunnel protection ipsec profile ciscoBJ-R-001(config-if)#no shBJ-R-001(config)#int tunnel 1BJ-R-001(config-if)#ip add 172.16.2.1 255.255.255.0 BJ-R-001(config-if)#tunnel source s0/0BJ-R-001(config-if)#tunnel destination 24.24.24.4BJ-R-001(config-if)#tunnel mode ipsec ipv4BJ-R-001(config-if)#tunnel protection ipsec profile cisco BJ-R-001(config-if)#no shBJ-R-001(config-if)#exitBJ-R-001(config)#router ospf 1BJ-R-001(config-router)#net 172.16.1.1 0.0.0.0 a 0BJ-R-001(config-router)#net 192.168.1.1 0.0.0.0 a 0BJ-R-001(config-router)#net 172.16.2.1 0.0.0.0 a 0BJ-R-001(config-router)#exit分部配置:Router>enRouter#conf tRouter(config)#no ip do loRouter(config)#line con 0Router(config-line)#logg synRouter(config-line)#exec-t 0 0Router(config-line)#exitRouter(config)#ho DL-R-001DL-R-001(config)#int s0/1DL-R-001(config-if)#ip add 23.23.23.3 255.255.255.0 DL-R-001(config-if)#no shDL-R-001(config-if)#ip add 192.168.2.1 255.255.255.0 DL-R-001(config-if)#exitDL-R-001(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2 DL-R-001(config)#crypto isakmp policy 10DL-R-001(config-isakmp)#hash md5DL-R-001(config-isakmp)#encryption desDL-R-001(config-isakmp)#group 2DL-R-001(config-isakmp)#authentication pre-shareDL-R-001(config-isakmp)#exitDL-R-001(config)#crypto isakmp key 0 cisco address 12.12.12.1DL-R-001(config)#crypto ipsec transform-set dalian esp-des esp-md5-hmac DL-R-001(cfg-crypto-trans)#exitDL-R-001(config)#crypto ipsec profile ciscoDL-R-001(ipsec-profile)#set transform-set dalianDL-R-001(ipsec-profile)#exitDL-R-001(config)#int tunnel 0DL-R-001(config-if)#ip add 172.16.1.2 255.255.255.0DL-R-001(config-if)#no shDL-R-001(config-if)#tunnel source s0/1DL-R-001(config-if)#tunnel destination 12.12.12.1DL-R-001(config-if)#tunnel mode ipsec ipv4DL-R-001(config-if)#tunnel protection ipsec profile ciscoDL-R-001(config-if)#exitDL-R-001(config)#router ospf 1DL-R-001(config-router)#net 192.168.2.1 0.0.0.0 a 0DL-R-001(config-router)#net 172.16.1.2 0.0.0.0 a 0DL-R-001(config-router)#exitRouter>enRouter#conf tRouter(config)#no ip do loRouter(config)#line con 0Router(config-line)#logg synRouter(config-line)#exec-t 0 0Router(config-line)#exitRouter(config)#ho KS-R-001KS-R-001(config-if)#ip add 192.168.3.1 255.255.255.0KS-R-001(config-if)#int s0/2KS-R-001(config-if)#ip add 24.24.24.4 255.255.255.0KS-R-001(config-if)#no shKS-R-001(config-if)#exitKS-R-001(config)#ip route 0.0.0.0 0.0.0.0 24.24.24.2KS-R-001(config)#crypto isakmp policy 10KS-R-001(config-isakmp)#hash md5KS-R-001(config-isakmp)#encryption desKS-R-001(config-isakmp)#group 2KS-R-001(config-isakmp)#authentication pre-shareKS-R-001(config-isakmp)#exitKS-R-001(config)#crypto isakmp key 0 cisco address 12.12.12.1KS-R-001(config)#crypto ipsec transform-set kunshan esp-des esp-md5-hmac KS-R-001(cfg-crypto-trans)#exitKS-R-001(config)#cry ipsec profile ciscoKS-R-001(ipsec-profile)#set transform-set kunshanKS-R-001(ipsec-profile)#exitKS-R-001(config)#int tunnel 0KS-R-001(config-if)#ip add 172.16.2.2 255.255.255.0KS-R-001(config-if)#no shKS-R-001(config-if)#tunnel source s0/2KS-R-001(config-if)#tunnel destination 12.12.12.1KS-R-001(config-if)#tunnel mode ipsec ipv4KS-R-001(config-if)#tunnel protection ipsec profile ciscoKS-R-001(config-if)#exitKS-R-001(config)#router ospf 1KS-R-001(config-router)#net 172.16.2.2 0.0.0.0 a 0 KS-R-001(config-router)#net 192.168.3.1 0.0.0.0 a 0 KS-R-001(config-router)#exit四、验证配置。
Ipsec over gre配置RT1和RT3用环回口来模拟私网上的接口。
它们的封装方式是先封装ipsec,然后在进行gre的封装,所以在ipsec的ACL中要匹配的事两端私网的地址。
报文的封装格式:指定Tunnel口源接口地址[H3C-Tunnel0]source 10.1.1.1指定Tunnel口目的端地址[H3C-Tunnel0]destination 20.1.1.2[H3C-Tunnel0] quit创建访问控制列表[H3C]acl advanced 3000[H3C-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.1 0.0.0.0 destination 1 92.168.2.1 0.0.0.0[H3C-acl-ipv4-adv-3000]quit创建ipsec安全提议tran1[H3C]ipsec transform-set tran1指定安全协议的工作模式为隧道模式[H3C]ike profile profile1绑定ike keychain[H3C-ike-profile-profile1]keychain ike1配置本地封装的IP地址[H3C-ike-profile-profile1]local-identity address 100.1.1.1配置对端封装的IP地址[H3C-ike-profile-profile1]match remote identity address 100.1.1.2 24 [H3C-ike-profile-profile1]quit创建一条ike协商方式的ipsec安全策略,序列号为1,名字为policy1 [H3C]ipsec policy policy1 1 isakmp指定引用ACL3000[H3C-ipsec-policy-isakmp-policy1-1]security acl 3000[H3C-rip-1]network 10.1.1.1RT2的主要配置:<H3C>system-view[H3C]interface GigabitEthernet 0/0[H3C-GigabitEthernet0/0]ip address 10.1.1.2 24[H3C-GigabitEthernet0/0]quit[H3C]interface GigabitEthernet 0/1[H3C-GigabitEthernet0/1] ip address 20.1.1.1 24 [H3C-GigabitEthernet0/1]quit配置rip路由协议[H3C]rip[H3C-rip-1]version 2[H3C-rip-1]undo summary[H3C-rip-1]network 10.1.1.2指定Tunnel口源接口地址[H3C-Tunnel0]source 20.1.1.2指定Tunnel口目的端地址[H3C-Tunnel0]destination 10.1.1.1[H3C-Tunnel0] quit创建访问控制列表[H3C]acl advanced 3000[H3C-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0[H3C-acl-ipv4-adv-3000]quit创建ipsec安全提议tran1[H3C]ipsec transform-set tran1指定安全协议的工作模式为隧道模式[H3C]ike profile profile1绑定ike keychain[H3C-ike-profile-profile1]keychain ike1配置本地封装的IP地址[H3C-ike-profile-profile1]local-identity address 100.1.1.2配置对端封装的IP地址[H3C-ike-profile-profile1]match remote identity address 100.1.1.1 24[H3C-ike-profile-profile1]quit创建一条ike协商方式的ipsec安全策略,序列号为1,名字为policy1[H3C]ipsec policy policy1 1 isakmp指定引用ACL3000[H3C-ipsec-policy-isakmp-policy1-1]security acl 3000[H3C-rip-1]network 20.1.1.2测试从RT1的环回口来ping RT3的环回口[H3C]ping -a 192.168.1.1 192.168.2.1Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to breakRequest time out56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=2.000 ms 56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms 56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms 说明VPN建立成功。
IPsec over GRE 和GRE over IPsec比较和区别与配置GRE over IPsec & IPsec over GREI PSec -Over-GRE是先ipsec后gre,这种我没用过。
GRE -Over-IPSec 是先gre后ipsec,也就是说ipsec是最后的承载方式。
一般常用的就是这种,解决了ipsec不支持多播的问题。
另外在mtu上也有一些相关,gre是先分段后封装,而ipsec则是先封装再分段。
个人理解。
IPsec over GRE 和GRE over IPsec在配置上的区别:GRE over IPsec IPsec over GREACL定义:GRE数据流内网数据流IKE Peer中指定的remote-address 对方公网地址对方GRE Tunnel 地址应用端口:公网出口 GRE Tunnel上GRE over IPSEC(传输模式)IPSEC封装GRE好处:可以利用GRE封装组播或广播了以及非IP流量,因为如果不使用GRE的话,IPSEC 是传不了组播或广播IP流量的IPSEC over GRE(里外)(tunel模式)IPSEC over GRE:GRE在IPSEC外面,由GRE来封装IPSEC注意!!!IPSEC over GRE的时候,路由协议流量是明文的注意!!!当指的peer是对等体物理接口地址的时候不是IPSEC over GRE,只有当peer是对等体的lookback是才是真正的IPSEC over GREipsec over gre配置:crypto isakmp policy 10authentication pre-sharecrypto isakmp key cisco address 10.1.1.2!crypto ipsec transform-set myset esp-des esp-sha-hmac!crypto map mymap 10 ipsec-isakmpset peer 10.1.1.2set transform-set mysetmatch address 102!interface Serial0ip address 10.1.1.1 255.255.255.0clockrate 64000crypto map mymap!ip route 0.0.0.0 0.0.0.0 20.1.1.2ip route 40.1.1.0 255.255.255.0 Tunnel0!access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255!interface Tunnel0ip address 100.1.1.1 255.255.255.0tunnel source Serial0tunnel destination 30.1.1.2crypto map mymapGRE OVER IPSEC的配置拓朴结构:R1 F0/0(172.16.1.1/24)->R2 F0/0(172.16.1.2/24) 模拟外网连接R1 F1/0(192.168.1.1/24)模拟内网1R2 F1/0(192.168.2.1/24)模拟内网2R1://定义IKE策略,用于阶段1的SA建立,系统会按对端协商的参数去查找我们定义的policy,直到找到一个各项参数都匹配的policy并使用之,如果没找到会在阶段1失败crypto isakmp policy 10hash md5authentication pre-sharelifetime 3600crypto isakmp key qhtest address 172.16.1.2!//这里定义阶段2所使用的SA,其所使用的加密密钥为随机,并使用阶段1所建立的SA来交换crypto ipsec transform-set myset esp-3des!//定义密码映射crypto map qh 10 ipsec-isakmpset peer 172.16.1.2set transform-set mysetmatch address 102//这里注意引用了访问列表102,这里对gre包进行加密,而不是如上一篇所做的那样是对内网地址段,实际上是去往内网2的数据包先被封装到GRE包里,再从外网接口出去,并被IPSET加密!//下面在接口上应用密码映射interface FastEthernet0/0ip address 172.16.1.1 255.255.255.0duplex fullcrypto map qh!//这里定义GRE隧道接口interface Tunnel0ip address 192.168.100.1 255.255.255.0tunnel source 172.16.1.1tunnel destination 172.16.1.2//由于GRE可以传路由协议,所有我们在隧道接口上启用了路由协议router ospf 100log-adjacency-changesredistribute connected subnetsnetwork 192.168.100.0 0.0.0.255 area 0//这里的访问列表我们定义了针对GRE的包施行IPSEC加密access-list 102 permit gre host 172.16.1.1 host 172.16.1.2R2:crypto isakmp policy 10hash md5authentication pre-sharelifetime 3600crypto isakmp key qhtest address 172.16.1.1!!crypto ipsec transform-set myset esp-3des!crypto map qh 10 ipsec-isakmpset peer 172.16.1.1set transform-set mysetmatch address 102!interface Tunnel0ip address 192.168.100.2 255.255.255.0tunnel source 172.16.1.2tunnel destination 172.16.1.1!interface FastEthernet0/0ip address 172.16.1.2 255.255.255.0duplex fullcrypto map qh!router ospf 100log-adjacency-changesredistribute connected subnetsnetwork 192.168.100.0 0.0.0.255 area 0!access-list 102 permit gre host 172.16.1.2 host 172.16.1.1IPSEC Over GRE与GRE Over IPSEC的区别和好处到底是IPSEC Over GRE好呢,还是GRE Over IPSEC好?以前一直是出于一个模糊的状态,能通就行了么。
工程应用——方案二:IPSEC over GRE一、网络需求:●为缓解FW压力,在DMZ区放置一台VPN集中器●在总部边界FW上为VPN集中器做NAT转换●分部与总部业务网段需要动态路由学习,业务数据需要使用IPSEC进行保护二、拓扑图:三、配置与分析:实验分析:方案一:IPSEC over GREIP递送头部:202.103.12.10—202.103.23.3(该头部在共网上路由,做NAT转换)在FW上将GRE递送头部源IP转换成202.103.12.10;而数据返回时FW 又将GRE递送头部中的目标202.103.12.10转换成10.1.12.1该IP头部在公网上路由,必然是个公网的地址(私网地址不能再公网路由)RT1:10.1.12.1—202.103.23.3RT3:202.103.23.3—202.103.12.10新IP头部: 1.1.1.1—3.3.3.3(该头部在公网上看不到,不做NAT)用loopback接口做IPSEC对等体原IP头部:10.1.1.1—10.1.3.1通过OSPF使到达该网段的路由下一跳是Tunnel接口,撞上crypto map ACL:10.1.1.0/24—10.1.3.0/24IPSEC匹配的是原始的数据路由配置:RT1(config)#ip route 0.0.0.0 0.0.0.0 10.1.12.2RT3(config)#ip route 0.0.0.0 0.0.0.0 202.103.23.2FW(config)# route outside 0.0.0.0 0.0.0.0 202.103.12.2 1FW配置NAT,放行GRE流量:FW(config)#access-list 100 permit gre host 202.103.23.3 host 202.103.12.10 GRE流量access-group 100 in interface outsideStatic (inside,outside) 202.103.12.10 10.1.12.1 netmask 255.255.255.255GRE配置:RT1(config)#interface Tunnel0ip address 10.1.13.1 255.255.255.0tunnel source Ethernet1/0 RT1GER源,10.1.12.1tunnel destination 202.103.23.3 RT1GRE目标,公网地址RT3(config)#interface Tunnel0ip address 10.1.13.3 255.255.255.0tunnel source Serial0/0tunnel destination 202.103.12.10 RT3GRE目标,对方NAT转换后的IPRT1#ping 10.1.3.1 source 10.1.1.1 测试GRE隧道是否建立成功Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:Packet sent with a source address of 10.1.1.1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 28/63/152 msOSPF配置:●公布Tunnel接口网段,通过Tunnel接口建立OSPF邻居●公布业务网段,通过OSPF实现到达对端业务网段的下一跳是Tunnel接口,以便撞上crypto map●公布IPSEC对等体网段,下一跳是Tunnel接口,以便进行GRE封装RT1(config)#router ospf 1router-id 1.1.1.1network 1.1.1.0 0.0.0.255 area 0 IPSEC对等体network 10.1.1.0 0.0.0.255 area 0 业务网段network 10.1.13.0 0.0.0.255 area 0 Tunnel接口RT3(config)#router ospf 1router-id 3.3.3.3network 3.3.3.0 0.0.0.255 area 0network 10.1.3.0 0.0.0.255 area 0network 10.1.13.0 0.0.0.255 area 0RT1#show ip route1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback13.0.0.0/32 is subnetted, 1 subnetsO 3.3.3.3 [110/11112] via 10.1.13.3, 01:09:55, Tunnel0 IPSEC对等体路由10.0.0.0/8 is variably subnetted, 4 subnets, 2 masksC 10.1.13.0/24 is directly connected, Tunnel0C 10.1.12.0/24 is directly connected, Ethernet1/0O 10.1.3.1/32 [110/11112] via 10.1.13.3, 01:09:55, Tunnel0 业务网段路由C 10.1.1.0/24 is directly connected, Loopback0S* 0.0.0.0/0 [1/0] via 10.1.12.2RT3#show ip routeC 202.103.23.0/24 is directly connected, Serial0/01.0.0.0/32 is subnetted, 1 subnetsO 1.1.1.1 [110/11112] via 10.1.13.1, 01:10:26, Tunnel03.0.0.0/24 is subnetted, 1 subnetsC 3.3.3.0 is directly connected, Loopback110.0.0.0/8 is variably subnetted, 3 subnets, 2 masksC 10.1.13.0/24 is directly connected, Tunnel0C 10.1.3.0/24 is directly connected, Loopback0O 10.1.1.1/32 [110/11112] via 10.1.13.1, 01:10:26, Tunnel0S* 0.0.0.0/0 [1/0] via 202.103.23.2RT1#ping 3.3.3.3 source 1.1.1.1 测试IPSEC对等体路由可达Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:Packet sent with a source address of 1.1.1.1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 24/61/100 msIPSEC配置RT1(config)#crypto isakmp policy 10 IKE阶段传输集encryption deshash md5authentication pre-sharegroup 2crypto isakmp key 6 allen address 3.3.3.3 共享密钥crypto ipsec transform-set laodong esp-des esp-md5-hmac IPSEC阶段传输集access-list 100 permit ip host 10.1.1.1 host 10.1.3.1 IPSEC流量crypto map bluefox local-address Loopback1 loopback接口作为IPSEC源crypto map bluefox 10 ipsec-isakmpset peer 3.3.3.3 对等体IP为对端的loopback接口set transform-set laodongmatch address 100interface Tunnel0crypto map bluefox crypto map应用于Tunnel接口RT3(config)#crypto isakmp policy 10encryption deshash md5authentication pre-sharegroup 2crypto isakmp key 6 allen address 1.1.1.1crypto ipsec transform-set laodong esp-des esp-md5-hmacaccess-list 100 permit ip host 10.1.3.1 host 10.1.1.1crypto map bluefox local-address Loopback1crypto map bluefox 10 ipsec-isakmpset peer 1.1.1.1set transform-set laodongmatch address 100interface Tunnel0crypto map bluefox测试:RT1#ping 10.1.3.1 source 10.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:Packet sent with a source address of 10.1.1.1.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 68/93/128 msFW# show xlate1 in use,2 most usedPAT Global 202.103.12.10(1024) Local 10.1.12.1(4500)RT1#show crypto isakmp sadst src state conn-id slot status3.3.3.3 1.1.1.1 QM_IDLE 1 0 ACTIVE RT1#show crypto ipsec sainterface: Tunnel0Crypto map tag: bluefox, local addr 1.1.1.1protected vrf: (none)local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (10.1.3.1/255.255.255.255/0/0)current_peer 3.3.3.3 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 1, #recv errors 0local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0current outbound spi: 0x2043C509(541312265)inbound esp sas:spi: 0x1B1667DD(454453213)transform: esp-des esp-md5-hmac ,in use settings ={Tunnel, }conn id: 2002, flow_id: SW:2, crypto map: bluefoxsa timing: remaining key lifetime (k/sec): (4417317/2393)IV size: 8 bytesreplay detection support: YStatus: ACTIVEoutbound esp sas:spi: 0x2043C509(541312265)transform: esp-des esp-md5-hmac ,in use settings ={Tunnel, }conn id: 2001, flow_id: SW:1, crypto map: bluefoxsa timing: remaining key lifetime (k/sec): (4417317/2392)IV size: 8 bytesreplay detection support: YStatus: ACTIVE四、总结:由数据包的封装结构分析,IPSEC对等体,GRE源目,IPSEC流量是什么CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 3.3.3.3快速模式协商失败可能的原因:set peer 对等体错误已经建立数据连接后再次建立,SPI可能错误。
H3C路由器gre over ipsec和ipsec over gre的差别与配置方法概念区分IPSEC Over GRE即IPSEC在里,GRE在外。
先把需要加密的数据包封装成IPSEC包,然后再扔到GRE隧道里。
作法是把IPSEC的加密图作用在Tunnel口上的,即在Tunnel口上监控(访问控制列表监控本地ip网段-源ip和远端ip 网段-目的地),是否有需要加密的数据流,有则先加密封装为IPSEC包,然后封装成GRE包进入隧道(这里显而易见的是,GRE隧道始终无论如何都是存在的,即GRE隧道的建立过程并没有被加密),同时,未在访问控制列表里的数据流将以不加密的状态直接走GRE隧道,即存在有些数据可能被不安全地传递的状况。
GRE Over IPSEC是指,先把数据分装成GRE包,然后再分装成IPSEC包。
做法是在物理接口上监控,是否有需要加密的GRE流量(访问控制列表针对GRE 两端的设备ip),所有的这两个端点的GRE数据流将被加密分装为IPSEC包再进行传递,这样保证的是所有的数据包都会被加密,包括隧道的建立和路由的建立和传递。
无论是哪种数据流,若一方进行了加密,而另一方没有配,则无法通讯,对于GRE则,路由邻居都无法建立。
另一个概念是隧道模式和传输模式。
所谓的隧道模式还是传输模式,是针对如ESP如何封装数据包的,前提是ESP在最外面,如果都被Over到了GRE里,自然谈不上什么隧道模式和传输模式(都为隧道模式)。
只有当GRE Over IPSEC 的时候,才可以将模式改为传输模式。
IPSEC不支持组播,即不能传递路由协议,而GRE支持。
配置方法两者配置方法上差别不大,注意定义访问控制列表的流量、配置过程中的对端地址以及策略应用位置即可。
总结一下就是:gre ove ipsec在配置访问控制列表时应配置为物理端口地址,而IPSEC Over GRE中则应配置为兴趣流量网段地址。
在gre ove ipsec配置对端地址过程中全都配置为相应物理地址,而IPSEC Over GRE中则全都配置为对端tunnel口虚拟地址。
GRE over IPsec一、试验背景:总部与分部间运行动态路由协议,需用VPN承载。
由于IPsec不支持组播、广播;而GRE支持(但GRE明文传输,不安全)。
故需将IPsec与GRE结合使用以完成上述需求。
二、试验拓扑:三、试验配置:R1:1、基本配置:R1(config)#interface loopback 0R1(config-if)#ip add 192.168.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#exitR1(config)#interface e0/0R1(config-if)#ip add 10.10.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#exitR1(config)#interface tunnel 0R1(config-if)#ip add 192.168.12.1 255.255.255.0R1(config-if)#tunnel source 10.10.1.1R1(config-if)#tunnel destination 10.10.2.1R1(config-if)#no shR1(config-if)#exitR1(config)#interface tunnel 1R1(config-if)#ip add 192.168.13.1 255.255.255.0R1(config-if)#no shR1(config-if)#tunnel source 10.10.1.1R1(config-if)#tunnel destination 10.10.3.1R1(config-if)#exitR1(config)#ip route 0.0.0.0 0.0.0.0 10.10.1.2OSPF配置:R1(config)# router ospf 10R1(config-router)#router-id 1.1.1.1R1(config-router)#network 192.168.1.1 255.255.255.0 area 0R1(config-router)#network 192.168.13.1 255.255.255.0 area 0R1(config-router)#network 192.168.12.1 255.255.255.0 area 0R1(config-router)#exitIpsec 配置:R1(config)#crypto isakmp policy 10R1(config-isakmp)#encryption desR1(config-isakmp)#group 2R1(config-isakmp)#hash md5R1(config-isakmp)#authentication pre-shareR1(config-isakmp)#exitR1(config)#crypto isakmp key 0 bluefox address 0.0.0.0 0.0.0.0R1(config)#crypto ipsec transform-set bluefox esp-des esp-md5-hmac R1(cfg-crypto-trans)#mode transportR1(cfg-crypto-trans)#exitR1(config)#crypto dynamic-map cisco 10R1(config-crypto-map)#set transform-set bluefoxR1(config-crypto-map)#exitR1(config)#crypto map bluefox 10 ipsec-isakmp dynamic ciscoR1(config)#interface e0/0R1(config-if)#crypto map bluefox (map用在物理接口)R1(config-if)#exitR1#sh ip ospf neighborNeighbor ID Pri State Dead Time Address Interface2.2.2.2 0 FULL/ - 00:00:35 192.168.12.2 Tunnel03.3.3.3 0 FULL/ - 00:00:35 192.168.13.2 Tunnel1R1#sh ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is 10.10.1.2 to network 0.0.0.0C 192.168.12.0/24 is directly connected, Tunnel0C 192.168.13.0/24 is directly connected, Tunnel110.0.0.0/24 is subnetted, 1 subnetsC 10.10.1.0 is directly connected, Ethernet0/0C 192.168.1.0/24 is directly connected, Loopback0192.168.2.0/32 is subnetted, 1 subnetsO 192.168.2.1 [110/11112] via 192.168.12.2, 00:00:47, Tunnel0192.168.3.0/32 is subnetted, 1 subnetsO 192.168.3.1 [110/11112] via 192.168.13.2, 00:00:47, Tunnel1S* 0.0.0.0/0 [1/0] via 10.10.1.2R1#sh crypto engine connections activeID Interface IP-Address State Algorithm Encrypt Decrypt1 Ethernet0/0 10.10.1.1 set HMAC_MD5+DES_56_CB 02 Ethernet0/0 10.10.1.1 set HMAC_MD5+DES_56_CB 0 02001 Ethernet0/0 10.10.1.1 set DES+MD5 0 322002 Ethernet0/0 10.10.1.1 set DES+MD5 0 122003 Ethernet0/0 10.10.1.1 set DES+MD5 35 02004 Ethernet0/0 10.10.1.1 set DES+MD5 13 0R2:1、基本配置:R2(config)#interface loopback 0R2(config-if)#ip add 192.168.2.1 255.255.255.0R2(config-if)#no shR2(config-if)#exitR2(config)#interface tunnel 0R2(config-if)#ip add 192.168.12.2 255.255.255.0R2(config-if)#tunnel source 10.10.2.1R2(config-if)#tunnel destination 10.10.1.1R2(config-if)#no shR2(config-if)#exitR2(config)#interface e0/0R2(config-if)#ip add 10.10.2.1 255.255.255.0R2(config-if)#no shR2(config-if)#exitR2(config)#ip route 0.0.0.0 0.0.0.0 10.10.2.2OSPF配置:R2(config)#router ospf 10R2(config-router)#router-id 2.2.2.2R2(config-router)#network 192.168.2.1 255.255.255.0 area 0R2(config-router)#network 192.168.12.2 255.255.255.0 area 0R2(config-router)#exitIpsec 配置:R2(config)#crypto isakmp policy 10R2(config-isakmp)#encryption desR2(config-isakmp)#hash md5R2(config-isakmp)#group 2R2(config-isakmp)#authentication pre-shareR2(config-isakmp)#exitR2(config)#crypto isakmp key 0 bluefox address 10.10.1.1R2(config)#crypto ipsec transform-set bluefox esp-des esp-md5-hmac R2(cfg-crypto-trans)#mode transportR2(cfg-crypto-trans)#exitR2(config)#access-list 100 permit ip 10.10.2.1 0.0.0.0 10.10.1.1 0.0.0.0R2(config)#crypto map bluefox 10 ipsec-isakmpR2(config-crypto-map)#set peer 10.10.1.1R2(config-crypto-map)#set transform-set bluefoxR2(config-crypto-map)#match address 100R2(config-crypto-map)#exitR2(config)#interface e0/0R2(config-if)#crypto map bluefoxR2#sh ip ospf neighborNeighbor ID Pri State Dead Time Address Interface1.1.1.1 0 FULL/ - 00:00:31 192.168.12.1 Tunnel0R2#sh ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is 10.10.2.2 to network 0.0.0.0C 192.168.12.0/24 is directly connected, Tunnel0O 192.168.13.0/24 [110/22222] via 192.168.12.1, 00:08:16, Tunnel010.0.0.0/24 is subnetted, 1 subnetsC 10.10.2.0 is directly connected, Ethernet0/0192.168.1.0/32 is subnetted, 1 subnetsO 192.168.1.1 [110/11112] via 192.168.12.1, 00:08:16, Tunnel0 C 192.168.2.0/24 is directly connected, Loopback0192.168.3.0/32 is subnetted, 1 subnetsO 192.168.3.1 [110/22223] via 192.168.12.1, 00:08:16, Tunnel0 S* 0.0.0.0/0 [1/0] via 10.10.2.2R3:1、基本配置:R3(config)#interface loopback 0R3(config-if)#ip add 192.168.3.1 255.255.255.0R3(config-if)#no shR3(config-if)#exitR3(config)#interface tunnel 0R3(config-if)#ip add 192.168.13.2 255.255.255.0R3(config-if)#tunnel source 10.10.3.1R3(config-if)#tunnel destination 10.10.1.1R3(config-if)#no shR3(config-if)#exitR3(config)#interface e0/0R3(config-if)#ip add 10.10.3.1 255.255.255.0R3(config-if)#no shR3(config-if)#exitR3(config)#ip route 0.0.0.0 0.0.0.0 10.10.3.2OSPF配置:R3(config)# router ospf 10R3(config-router)#router-id 3.3.3.3R3(config-router)#network 192.168.3.1 255.255.255.0 area 0R3(config-router)#network 192.168.13.2 255.255.255.0 area 0R3(config-router)#exitIpsec 配置:R3(config)#crypto isakmp policy 10R3(config-isakmp)#encryption desR3(config-isakmp)#hash md5R3(config-isakmp)#group 2R3(config-isakmp)#authentication pre-shareR3(config-isakmp)#exitR3(config)#crypto isakmp key 0 bluefox address 10.10.1.1R3(config)#crypto ipsec transform-set bluefox esp-des esp-md5-hmac R3(cfg-crypto-trans)#mode transportR3(cfg-crypto-trans)#exitR3(config)#access-list 100 permit ip(也可用GRE) 10.10.3.1 0.0.0.0 10.10.1.1 0.0.0.0R3(config)#crypto map bluefox 10 ipsec-isakmpR3(config-crypto-map)#set transform-set bluefoxR3(config-crypto-map)#set peer 10.10.1.1R3(config-crypto-map)#match address 100R3(config-crypto-map)#exitR3(config)#interface e0/0R3(config-if)#crypto map bluefoxR3(config-if)#exitR3#sh ip ospf neighborNeighbor ID Pri State Dead Time Address Interface1.1.1.1 0 FULL/ - 00:00:30 192.168.13.1 Tunnel0R3#sh ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static routeGateway of last resort is 10.10.3.2 to network 0.0.0.0O 192.168.12.0/24 [110/22222] via 192.168.13.1, 00:09:39, Tunnel0C 192.168.13.0/24 is directly connected, Tunnel010.0.0.0/24 is subnetted, 1 subnetsC 10.10.3.0 is directly connected, Ethernet0/0192.168.1.0/32 is subnetted, 1 subnetsO 192.168.1.1 [110/11112] via 192.168.13.1, 00:09:39, Tunnel0192.168.2.0/32 is subnetted, 1 subnetsO 192.168.2.1 [110/22223] via 192.168.13.1, 00:09:39, Tunnel0C 192.168.3.0/24 is directly connected, Loopback0S* 0.0.0.0/0 [1/0] via 10.10.3.2InetR:InetR(config)#interface e0/1InetR(config-if)#ip add 10.10.1.2 255.255.255.0InetR(config-if)#no shInetR(config-if)#exitInetR(config)#interface e0/2InetR(config-if)#ip add 10.10.2.2 255.255.255.0InetR(config-if)#no shInetR(config-if)#exitInetR(config)#interface e0/3InetR(config-if)#ip add 10.10.3.2 255.255.255.0InetR(config-if)#no shInetR(config-if)#exit四、试验总结:1、问题分析:由于OSPF回定时(10S)发送Hello包,从而协商IPsec。
ipsec over gre步骤:1.创建tunnel口,配置ip,source,destination2.默认路由指向出口下一跳3.使用路由协议,把路由ping通(环回口,要加密的数据的ip)4.建立vpn,并在tunnel口上绑定map废话不多说,直接上配置:R1配置:hostname R1!crypto isakmp policy 10hash md5authentication pre-sharegroup 2crypto isakmp key zhang address 3.3.3.3!!crypto ipsec transform-set mytrans esp-3des esp-md5-hmac !crypto map mymap local-address Loopback0crypto map mymap 10 ipsec-isakmpset peer 3.3.3.3set transform-set mytransmatch address VPN!interface Tunnel0ip address 172.16.1.1 255.255.255.0tunnel source FastEthernet0/0tunnel destination 23.1.1.2tunnel key 123crypto map mymap!interface Loopback0ip address 1.1.1.1 255.255.255.0!interface Loopback10ip address 192.168.1.1 255.255.255.0!interface FastEthernet0/0ip address 12.1.1.1 255.255.255.0duplex autospeed auto!router ospf 1router-id 1.1.1.1log-adjacency-changesnetwork 1.1.1.0 0.0.0.255 area 0network 172.16.1.0 0.0.0.255 area 0network 192.168.1.0 0.0.0.255 area 0neighbor 3.3.3.3!no ip http serverno ip http secure-serverip route 0.0.0.0 0.0.0.0 12.1.1.2!ip access-list extended VPNpermit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 !endR2配置:hostname R2interface FastEthernet0/0ip address 12.1.1.2 255.255.255.0 duplex autospeed auto!interface FastEthernet1/0ip address 23.1.1.1 255.255.255.0 duplex autospeed auto!endR3配置:hostname R3!crypto isakmp policy 10hash md5authentication pre-sharegroup 2crypto isakmp key zhang address 1.1.1.1!crypto ipsec transform-set mytrans esp-3des esp-md5-hmac !crypto map mymap local-address Loopback0crypto map mymap 10 ipsec-isakmpset peer 1.1.1.1set transform-set mytransmatch address VPN!interface Tunnel0ip address 172.16.1.2 255.255.255.0tunnel source FastEthernet0/0tunnel destination 12.1.1.1tunnel key 123crypto map mymap!interface Loopback0ip address 3.3.3.3 255.255.255.0!interface Loopback10ip address 192.168.3.1 255.255.255.0!interface FastEthernet0/0ip address 23.1.1.2 255.255.255.0duplex autospeed auto!router ospf 1router-id 3.3.3.3log-adjacency-changesnetwork 3.3.3.0 0.0.0.255 area 0network 172.16.1.0 0.0.0.255 area 0network 192.168.3.0 0.0.0.255 area 0neighbor 1.1.1.1!ip route 0.0.0.0 0.0.0.0 23.1.1.1!ip access-list extended VPNpermit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 !end实验效果:IPSec Over GRE 路由原理下图是R1的路由表当我们ping 192.168.3.1 source loopback 10,其实就是从192.168.1.1 Ping 192.168.3.11.要从192.168.1.1到192.168.3.1,看到是通过ospf通过tunnel0学到的,因此路由发往tunnel0.2.由于tunnel0上存在mymap,mymap上有ip access-list,判断是否满足。
GRE Over IPSec VPN+NAT配置
试验拓扑
试验要求
Site1和Site2分别模拟需要建立VPN通讯的两个站点,其中202.100.1.1和61.128.1.1 这两个地址分别为Site1和Site2的VPN加密点,1.1.1.0/24和2.2.2.0/24分别是Site1和Site2的内网地址,用来模拟VPN的通讯点。
要求Site1和Site2之间配置GRE Over IPSec VPN,使两个站点的内网之间通过VPN的方式加密传输,同时要求内网也可以访问互联网上的任何站点。
在配置GRE Over IPSec VPN时采用ISAKMP Profile+IPSEC Profile配置方法
在Site1上发起VPN流量:
在Sit2上查看VPN建立的情况:
以上测试说明现在两个站点之间的内网已经可以通过VPN的方式进行传输。
测试Site1访问互联网的情况:
可以看到内网目前无法访问互联网,原因是没有在Site1上配置NAT。
测试
再次测试两个站点之间内网通讯情况:
测试Site1访问Internet的通讯情况:
通过测试Site1和Site2内网之间可以通过VPN方式传输,同时也可以访问互联网,试验成功!。
路由器-IPSec-Over-GRE典型配置【需求】分部1和分部2通过野蛮IPSec的方式连接到中心,采用IPSec-Over-GRE的方式,在tunnel上运行OSPF协议来实现总部和分部之间的互通。
【组网图】【验证】1、中心上的ike sa 状态:disp ike saconnection-id peer flag phase doi----------------------------------------------------------44 RD 1 IPSEC48 RD 2 IPSEC47 RD 1 IPSEC45 RD 2 IPSECflag meaningRD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO—TIMEOUT2、中心上的IPSec sa状态:disp ipsec sa===============================Interface: Tunnel0path MTU: 64000===============================-----------------------------IPsec policy name: "branch1"sequence number: 10mode: isakmp-----------------------------connection id: 8encapsulation mode: tunnelperfect forward secrecy: Nonetunnel:local address: remote address: flow: (4 times matched)sour addr: port: 0 protocol: IPdest addr: port: 0 protocol: IP[inbound ESP SAs]spi: 30 (0xa10cff2a)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 64/2136max received sequence-number: 2udp encapsulation used for nat traversal: N[outbound ESP SAs]spi: 50 (0x7f1c678e)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 32/2136max sent sequence-number: 3udp encapsulation used for nat traversal: N===============================Interface: Tunnel1path MTU: 64000===============================-----------------------------IPsec policy name: "branch2"sequence number: 10mode: isakmp-----------------------------connection id: 9encapsulation mode: tunnelperfect forward secrecy: Nonetunnel:local address: remote address: flow: (18 times matched)sour addr: port: 0 protocol: IPdest addr: port: 0 protocol: IP[inbound ESP SAs]spi: 48 (0x60184b94)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 88/2886max received sequence-number: 9udp encapsulation used for nat traversal: N[outbound ESP SAs]spi: 22 (0xcc966a16)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 44/2886max sent sequence-number: 10udp encapsulation used for nat traversal: N3、中心路由表disp ip routRouting Table: public netDestination/Mask Protocol Pre Cost Nexthop InterfaceSTATIC 60 0 Serial2/0/0DIRECT 0 0 InLoopBack0OSPF 10 1563 Tunnel0OSPF 10 1563 Tunnel1DIRECT 0 0 Tunnel0DIRECT 0 0 InLoopBack0DIRECT 0 0 Tunnel1DIRECT 0 0 InLoopBack0DIRECT 0 0 InLoopBack0DIRECT 0 0 InLoopBack0DIRECT 0 0 LoopBack10DIRECT 0 0 InLoopBack0OSPF 10 1563 Tunnel0OSPF 10 1563 Tunnel1DIRECT 0 0 Serial2/0/0DIRECT 0 0 Serial2/0/0DIRECT 0 0 InLoopBack04、分部1的ike sa状态:disp ike saconnection-id peer flag phase doi----------------------------------------------------------27 RD|ST 1 IPSEC28 RD|ST 2 IPSECflag meaningRD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO—TIMEOUT5、分部1的ipsec sa状态:disp ipsec sa===============================Interface: Tunnel0path MTU: 64000===============================-----------------------------IPsec policy name: "branch1"sequence number: 10mode: isakmp-----------------------------connection id: 6encapsulation mode: tunnelperfect forward secrecy: Nonetunnel:local address: remote address: flow: (4 times matched)sour addr: port: 0 protocol: IPdest addr: port: 0 protocol: IP[inbound ESP SAs]spi: 50 (0x7f1c678e)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 64/2054max received sequence-number: 2udp encapsulation used for nat traversal: N[outbound ESP SAs]spi: 30 (0xa10cff2a)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 32/2054max sent sequence-number: 3udp encapsulation used for nat traversal: N6、分部1的路由表:disp ip routRouting Table: public netDestination/Mask Protocol Pre Cost Nexthop Interface STATIC 60 0 Serial2/0/0OSPF 10 1563 Tunnel0DIRECT 0 0 InLoopBack0OSPF 10 3125 Tunnel0DIRECT 0 0 Tunnel0DIRECT 0 0 InLoopBack0OSPF 10 3124 Tunnel0DIRECT 0 0 InLoopBack0DIRECT 0 0 InLoopBack0OSPF 10 1563 Tunnel0DIRECT 0 0 LoopBack10DIRECT 0 0 InLoopBack0OSPF 10 3125 Tunnel0DIRECT 0 0 Serial2/0/0DIRECT 0 0 Serial2/0/0DIRECT 0 0 InLoopBack0【提示】1、IPSec-Over-GRE和GRE-Over-IPSec方式配置上的区别为:2、各个分部和总部之间通过OSPF路由来实现互访,如果没有运行OSPF则必需在分部和总部配置静态路由。
路由器-IPSec-Over-GRE典型配置【需求】分部1和分部2通过野蛮IPSec的方式连接到中心,采用IPSec-Over-GRE的方式,在tunnel上运行OSPF协议来实现总部和分部之间的互通。
【组网图】【验证】1、中心上的ike sa 状态:disp ike saconnection-id peer flag phase doi---------------------------------------------------------- 44 10.0.0.2 RD 1 IPSEC 48 10.0.0.6 RD 2 IPSEC 47 10.0.0.6 RD 1 IPSEC 45 10.0.0.2 RD 2 IPSEC flag meaningRD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO—TIMEOUT2、中心上的IPSec sa状态:disp ipsec sa===============================Interface: Tunnel0path MTU: 64000===============================-----------------------------IPsec policy name: "branch1"sequence number: 10mode: isakmp-----------------------------connection id: 8encapsulation mode: tunnelperfect forward secrecy: Nonetunnel:local address: 10.0.0.1remote address: 10.0.0.2flow: (4 times matched)sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs]spi: 2701983530 (0xa10cff2a)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436664/2136max received sequence-number: 2udp encapsulation used for nat traversal: N[outbound ESP SAs]spi: 2132567950 (0x7f1c678e)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436632/2136max sent sequence-number: 3udp encapsulation used for nat traversal: N===============================Interface: Tunnel1path MTU: 64000===============================-----------------------------IPsec policy name: "branch2"sequence number: 10mode: isakmp-----------------------------connection id: 9encapsulation mode: tunnelperfect forward secrecy: Nonetunnel:local address: 10.0.0.5remote address: 10.0.0.6flow: (18 times matched)sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.3.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs]spi: 1612204948 (0x60184b94)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436188/2886max received sequence-number: 9udp encapsulation used for nat traversal: N[outbound ESP SAs]spi: 3432409622 (0xcc966a16)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436044/2886max sent sequence-number: 10udp encapsulation used for nat traversal: N3、中心路由表disp ip routRouting Table: public netDestination/Mask Protocol Pre Cost Nexthop Interface0.0.0.0/0 STATIC 60 0 202.101.1.1 Serial2/0/01.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack02.2.2.2/32 OSPF 10 1563 10.0.0.2 Tunnel03.3.3.3/32 OSPF 10 1563 10.0.0.6 Tunnel110.0.0.0/30 DIRECT 0 0 10.0.0.1 Tunnel010.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0 10.0.0.4/30 DIRECT 0 0 10.0.0.5 Tunnel110.0.0.5/32 DIRECT 0 0 127.0.0.1 InLoopBack0 127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0 127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0 192.168.1.0/24 DIRECT 0 0 192.168.1.1 LoopBack10 192.168.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0 192.168.2.0/24 OSPF 10 1563 10.0.0.2 Tunnel0 192.168.3.0/24 OSPF 10 1563 10.0.0.6 Tunnel1 202.101.1.0/30 DIRECT 0 0 202.101.1.2 Serial2/0/0 202.101.1.1/32 DIRECT 0 0 202.101.1.1 Serial2/0/0 202.101.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0 4、分部1的ike sa状态:disp ike saconnection-id peer flag phase doi----------------------------------------------------------27 10.0.0.1 RD|ST 1 IPSEC28 10.0.0.1 RD|ST 2 IPSECflag meaningRD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO—TIMEOUT5、分部1的ipsec sa状态:disp ipsec sa===============================Interface: Tunnel0path MTU: 64000===============================-----------------------------IPsec policy name: "branch1"sequence number: 10mode: isakmp-----------------------------connection id: 6encapsulation mode: tunnelperfect forward secrecy: Nonetunnel:local address: 10.0.0.2remote address: 10.0.0.1flow: (4 times matched)sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs]spi: 2132567950 (0x7f1c678e)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436664/2054max received sequence-number: 2udp encapsulation used for nat traversal: N[outbound ESP SAs]spi: 2701983530 (0xa10cff2a)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436632/2054max sent sequence-number: 3udp encapsulation used for nat traversal: N6、分部1的路由表:disp ip routRouting Table: public netDestination/Mask Protocol Pre Cost Nexthop Interface0.0.0.0/0 STATIC 60 0 202.101.2.1 Serial2/0/01.1.1.1/32 OSPF 10 1563 10.0.0.1 Tunnel02.2.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack03.3.3.3/32 OSPF 10 3125 10.0.0.1 Tunnel010.0.0.0/30 DIRECT 0 0 10.0.0.2 Tunnel010.0.0.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0 10.0.0.4/30 OSPF 10 3124 10.0.0.1 Tunnel0 127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0 127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0 192.168.1.0/24 OSPF 10 1563 10.0.0.1 Tunnel0 192.168.2.0/24 DIRECT 0 0 192.168.2.1 LoopBack10 192.168.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0 192.168.3.0/24 OSPF 10 3125 10.0.0.1 Tunnel0 202.101.2.0/30 DIRECT 0 0 202.101.2.2 Serial2/0/0 202.101.2.1/32 DIRECT 0 0 202.101.2.1 Serial2/0/0 202.101.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0 【提示】1、IPSec-Over-GRE和GRE-Over-IPSec方式配置上的区别为:2、各个分部和总部之间通过OSPF路由来实现互访,如果没有运行OSPF则必需在分部和总部配置静态路由。
