In this scenario, a large enterprise has a headquarters (Hub) and two branch offices (Spoke1/2) located in different regions. The subnets at headquarters and at the branches change frequently, and the branches reach the public network through dynamically assigned addresses. The enterprise plans to use the OSPF routing protocol to interconnect the branches over VPN, and for confidentiality the data transmitted between headquarters and the branches, and between the branches themselves, must be protected by encryption.
Analysis:
Based on these requirements, DSVPN is used to build GRE tunnels: data is first GRE-encapsulated and then IPSec-encapsulated, which also provides peer authentication, data-integrity checking and anti-replay protection. The IPSec security policy is applied to the mGRE tunnel interface in the form of an IPSec profile (security framework).
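The anti-replay protection mentioned above, worked through as an added example (this is not code from the original page or from the vendor): a Python model of the receiver-side sliding window that the IPSec profile later reports as "Anti-replay window size :32", with the window semantics of RFC 4303 section 3.4.3. The sequence numbers fed in are constructed test values.

```python
# Added example, not part of the original page: a receiver-side model of the
# IPsec anti-replay sliding window that the page's profile reports as
# "Anti-replay window size :32" (semantics per RFC 4303 section 3.4.3).
# The sequence numbers fed in below are constructed test values.
WINDOW_SIZE = 32


class AntiReplayWindow:
    """Replay check for one inbound SA (AH or ESP) using a bitmap window."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True to accept seq, False to drop it as replayed or too old."""
        if seq == 0:
            return False                      # 0 is never a valid AH/ESP seq
        if seq > self.top:
            shift = seq - self.top            # advance the window's right edge
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                  # mark the new top as seen
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # fell off the left edge: too old
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but fresh: accept once
        return True


def run_sequence(seqs, size=WINDOW_SIZE):
    """Feed sequence numbers in arrival order and return the verdict for each."""
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # out-of-order delivery is tolerated inside the window; duplicates and
    # packets older than top-31 are dropped
    print(run_sequence([1, 2, 3, 2, 40, 3, 8, 9, 41, 40]))
```

The "Max received sequence-number" shown per inbound SA in the verification section's display ipsec sa output corresponds to the window's top value.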
Configuration:
【Hub】
<Huawei>system-view
[Huawei]sysname Hub
[Hub-GigabitEthernet0/0/1]ip address 202.1.1.1 24
[Hub-GigabitEthernet0/0/2]ip address 172.18.3.254 24
[Hub-Tunnel0/0/0]ip address 10.1.1.1 24
[Hub]ospf 2
[Hub-ospf-2]area 1
[Hub-ospf-2-area-0.0.0.1]network 202.1.1.0 0.0.0.255
[Hub]ospf 1 router-id 10.1.1.1
[Hub-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0]network 172.18.3.0 0.0.0.255
[Hub]ike proposal 1 //Create an IKE proposal
[Hub-ike-proposal-1]dh group5 //Use DH group 5 for IKE phase 1 negotiation
[Hub-ike-proposal-1]authentication-algorithm aes-xcbc-mac-96 //Configure the authentication algorithm
[Hub-ike-proposal-1]prf aes-xcbc-128 //Specify the PRF (pseudo-random function) used in IKE negotiation
[Hub]ike peer hub v2
[Hub-ike-peer-hub]ike-proposal 1 //Reference the IKE proposal
[Hub-ike-peer-hub]pre-shared-key cipher huawei123 //Configure the pre-shared key
[Hub-ike-peer-hub]dpd type periodic //Set DPD to periodic detection
[Hub-ike-peer-hub]dpd idle-time 40 //Set the DPD detection interval
[Hub]ipsec proposal pro1
[Hub-ipsec-proposal-pro1]transform ah-esp
[Hub-ipsec-proposal-pro1]ah authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1]esp authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1]esp encryption-algorithm aes-192
[Hub]ipsec profile prof1
[Hub-ipsec-profile-prof1]ike-peer hub
[Hub-ipsec-profile-prof1]proposal pro1
[Hub-Tunnel0/0/0]tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0]source GigabitEthernet 0/0/1
[Hub-Tunnel0/0/0]nhrp entry multicast dynamic
[Hub-Tunnel0/0/0]ospf network-type broadcast
[Hub-Tunnel0/0/0]ospf dr-priority 100
[Hub-Tunnel0/0/0]ipsec profile prof1
【Spoke 1】
<Huawei>system-view
[Huawei]sysname Spoke 1
[Spoke 1-GigabitEthernet0/0/1]ip address 202.1.2.1 24
[Spoke 1-GigabitEthernet0/0/2]ip address 172.18.1.254 24
[Spoke 1-Tunnel0/0/0]ip address 10.1.1.2 24
[Spoke 1]ospf 2
[Spoke 1-ospf-2]area 1
[Spoke 1-ospf-2-area-0.0.0.1]network 202.1.2.0 0.0.0.255
[Spoke 1]ospf 1 router-id 10.1.1.2
[Spoke 1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Spoke 1-ospf-1-area-0.0.0.0]network 172.18.1.0 0.0.0.255
[Spoke 1]ike proposal 1
[Spoke 1-ike-proposal-1]dh group5
[Spoke 1-ike-proposal-1]authentication-algorithm aes-xcbc-mac-96
[Spoke 1-ike-proposal-1]prf aes-xcbc-128
[Spoke 1]ike peer spoke1 v2
[Spoke 1-ike-peer-spoke1]ike-proposal 1
[Spoke 1-ike-peer-spoke1]pre-shared-key cipher huawei123
[Spoke 1-ike-peer-spoke1]dpd type periodic
[Spoke 1-ike-peer-spoke1]dpd idle-time 40
[Spoke 1]ipsec proposal pro1
[Spoke 1-ipsec-proposal-pro1]transform ah-esp
[Spoke 1-ipsec-proposal-pro1]ah authentication-algorithm sha2-256
[Spoke 1-ipsec-proposal-pro1]esp authentication-algorithm sha2-256
[Spoke 1-ipsec-proposal-pro1]esp encryption-algorithm aes-192
[Spoke 1]ipsec profile prof1
[Spoke 1-ipsec-profile-prof1]ike-peer spoke1
[Spoke 1-ipsec-profile-prof1]proposal pro1
[Spoke 1-Tunnel0/0/0]tunnel-protocol gre p2mp
[Spoke 1-Tunnel0/0/0]source GigabitEthernet 0/0/1
[Spoke 1-Tunnel0/0/0]nhrp entry 10.1.1.1 202.1.1.1 register
[Spoke 1-Tunnel0/0/0]ospf network-type broadcast
[Spoke 1-Tunnel0/0/0]ospf dr-priority 0
[Spoke 1-Tunnel0/0/0]ipsec profile prof1
【Spoke 2】
<Huawei>system-view
[Huawei]sysname Spoke 2
[Spoke 2-GigabitEthernet0/0/1]ip address 202.1.3.1 24
[Spoke 2-GigabitEthernet0/0/2]ip address 172.18.2.254 24
[Spoke 2-Tunnel0/0/0]ip address 10.1.1.3 24
[Spoke 2]ospf 2
[Spoke 2-ospf-2]area 1
[Spoke 2-ospf-2-area-0.0.0.1]network 202.1.3.0 0.0.0.255
[Spoke 2]ospf 1 router-id 10.1.1.3
[Spoke 2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Spoke 2-ospf-1-area-0.0.0.0]network 172.18.2.0 0.0.0.255
[Spoke 2]ike proposal 1
[Spoke 2-ike-proposal-1]dh group5
[Spoke 2-ike-proposal-1]authentication-algorithm aes-xcbc-mac-96
[Spoke 2-ike-proposal-1]prf aes-xcbc-128
[Spoke 2]ike peer spoke2 v2
[Spoke 2-ike-peer-spoke2]ike-proposal 1
[Spoke 2-ike-peer-spoke2]pre-shared-key cipher huawei123
[Spoke 2-ike-peer-spoke2]dpd type periodic
[Spoke 2-ike-peer-spoke2]dpd idle-time 40
[Spoke 2]ipsec proposal pro1
[Spoke 2-ipsec-proposal-pro1]transform ah-esp
[Spoke 2-ipsec-proposal-pro1]ah authentication-algorithm sha2-256
[Spoke 2-ipsec-proposal-pro1]esp authentication-algorithm sha2-256
[Spoke 2-ipsec-proposal-pro1]esp encryption-algorithm aes-192
[Spoke 2]ipsec profile prof1
[Spoke 2-ipsec-profile-prof1]ike-peer spoke2
[Spoke 2-ipsec-profile-prof1]proposal pro1
[Spoke 2-Tunnel0/0/0]tunnel-protocol gre p2mp
[Spoke 2-Tunnel0/0/0]source GigabitEthernet 0/0/1
[Spoke 2-Tunnel0/0/0]nhrp entry 10.1.1.1 202.1.1.1 register
[Spoke 2-Tunnel0/0/0]ospf network-type broadcast
[Spoke 2-Tunnel0/0/0]ospf dr-priority 0
[Spoke 2-Tunnel0/0/0]ipsec profile prof1
【Internet】
<Huawei>system-view
[Huawei]sysname Internet
[Internet-GigabitEthernet0/0/0]ip address 202.1.1.2 24
[Internet-GigabitEthernet0/0/1]ip address 202.1.2.2 24
[Internet-GigabitEthernet0/0/2]ip address 202.1.3.2 24
[Internet]ospf 2
[Internet-ospf-2]area 1
[Internet-ospf-2-area-0.0.0.1]network 202.1.1.0 0.0.0.255
[Internet-ospf-2-area-0.0.0.1]network 202.1.2.0 0.0.0.255
[Internet-ospf-2-area-0.0.0.1]network 202.1.3.0 0.0.0.255
Verification
<Hub>display ipsec profile
===========================================
IPSec profile : prof1
Using interface: Tunnel0/0/0
===========================================
IPSec Profile Name :prof1
Peer Name :hub
PFS Group :0 (0:Disable 1:Group1 2:Group2 5:Group5 14:Group14)
SecondsFlag :0 (0:Global 1:Local)
SA Life Time Seconds :3600
KilobytesFlag :0 (0:Global 1:Local)
SA Life Kilobytes :1843200
Anti-replay window size :32
Qos pre-classify :0 (0:Disable 1:Enable)
Number of IPSec Proposals :1
IPSec Proposals Name :pro1
<Hub>display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.3 32 202.1.3.1 10.1.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:13:52
Expire time : 01:46:08
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.2 32 202.1.2.1 10.1.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:13:51
Expire time : 01:46:09
Number of nhrp peers: 2
<Spoke 1>display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.1 32 202.1.1.1 10.1.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:10:34
Expire time : --
Number of nhrp peers: 1
<Spoke 2>display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.1 32 202.1.1.1 10.1.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:18:15
Expire time : --
Number of nhrp peers: 1
<Hub>display ipsec sa
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "prof1"
Mode : PROF-Template
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Tunnel local : 202.1.1.1
Tunnel remote : 202.1.2.1
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 1246749103 (0x4a4fe1af)
Proposal: ESP-ENCRYPT-AES-192 SHA2-256-128
SA remaining key duration (bytes/sec): 1887431136/3024
Max sent sequence-number: 59
UDP encapsulation used for NAT traversal: N
[Outbound AH SAs]
SPI: 3641500733 (0xd90ce43d)
Proposal: SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/3024
Max sent sequence-number: 59
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 2151232364 (0x8039336c)
Proposal: SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/3024
Max received sequence-number: 53
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3445580004 (0xcd5f60e4)
Proposal: ESP-ENCRYPT-AES-192 SHA2-256-128
SA remaining key duration (bytes/sec): 1887431924/3024
Max received sequence-number: 53
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
-----------------------------
IPSec profile name: "prof1"
Mode : PROF-Template
-----------------------------
Connection ID : 10
Encapsulation mode: Tunnel
Tunnel local : 202.1.1.1
Tunnel remote : 202.1.3.1
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2700005914 (0xa0eed21a)
Proposal: ESP-ENCRYPT-AES-192 SHA2-256-128
SA remaining key duration (bytes/sec): 1887431232/3036
Max sent sequence-number: 58
UDP encapsulation used for NAT traversal: N
[Outbound AH SAs]
SPI: 309133145 (0x126cff59)
Proposal: SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/3036
Max sent sequence-number: 58
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 434393378 (0x19e45122)
Proposal: SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/3036
Max received sequence-number: 52
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2536228892 (0x972bc81c)
Proposal: ESP-ENCRYPT-AES-192 SHA2-256-128
SA remaining key duration (bytes/sec): 1887432016/3036
Max received sequence-number: 52
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
<Hub>display ospf 1 routing
OSPF Process 1 with Router ID 10.1.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.1.1.0/24 1562 Transit 10.1.1.1 10.1.1.1 0.0.0.0
172.18.3.0/24 1 Stub 172.18.3.254 10.1.1.1 0.0.0.0
172.18.1.0/24 1563 Stub 10.1.1.2 10.1.1.2 0.0.0.0
172.18.2.0/24 1563 Stub 10.1.1.3 10.1.1.3 0.0.0.0
Total Nets: 4
Intra Area: 4 Inter Area: 0 ASE: 0 NSSA: 0
It can be seen that the NHRP peers on every node have been established, and the IPSec SAs and the OSPF process 1 routes have been generated.
PC1 pings PC2 so that the traffic triggers the two Spokes to learn each other as NHRP peers.
<Spoke 1>dis nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.1 32 202.1.1.1 10.1.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:10:09
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.3 32 202.1.3.1 10.1.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.2 32 202.1.2.1 10.1.1.2 dynamic local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
Number of nhrp peers: 3
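To turn the verification step above into a repeatable check, here is an added example (not code from the original page or the vendor) that parses a Spoke's display nhrp peer all output and confirms the hub is the static entry at its known public address and that the other spoke was learned as a dynamic route tunnel shortcut. SAMPLE is constructed to mirror the Spoke 1 output above with the page's lab addresses; function and parameter names are this example's own.

```python
import re

# Added example, not from the original page: parse a Spoke's "display nhrp
# peer all" output and check that the DSVPN mesh formed. SAMPLE is constructed
# to mirror the page's Spoke 1 output (Tunnel interface/Created time lines omitted).
SAMPLE = """\
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.1 32 202.1.1.1 10.1.1.1 static hub
-------------------------------------------------------------------------------
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
10.1.1.3 32 202.1.3.1 10.1.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Expire time : 01:59:38
Number of nhrp peers: 2
"""
IP = r"\d+\.\d+\.\d+\.\d+"
ENTRY_RE = re.compile(
    rf"^(?P<proto>{IP})\s+(?P<mask>\d+)\s+(?P<nbma>{IP})\s+(?P<nexthop>{IP})"
    r"\s+(?P<type>static|dynamic)\s+(?P<flag>.+?)\s*$", re.M)


def parse_nhrp_peers(text):
    """Return one dict per peer entry; raise if the summary count disagrees."""
    peers = [m.groupdict() for m in ENTRY_RE.finditer(text)]
    total = re.search(r"Number of nhrp peers:\s*(\d+)", text)
    if total and int(total.group(1)) != len(peers):
        raise ValueError("parsed entries do not match the summary count")
    return peers


def check_spoke_mesh(peers, hub_proto, hub_nbma, other_spokes):
    """Return a list of problems (empty means healthy). other_spokes maps each
    other spoke's tunnel address to its expected public (NBMA) address."""
    by_proto = {p["proto"]: p for p in peers}
    problems = []
    hub = by_proto.get(hub_proto)
    if hub is None or hub["type"] != "static" or hub["nbma"] != hub_nbma:
        problems.append(f"hub {hub_proto} missing or not static at {hub_nbma}")
    for proto, nbma in other_spokes.items():
        p = by_proto.get(proto)
        if p is None:
            problems.append(f"spoke {proto} not learned yet (no shortcut entry)")
        elif p["type"] != "dynamic" or p["nbma"] != nbma or "route tunnel" not in p["flag"]:
            problems.append(f"spoke {proto} is not a dynamic route tunnel to {nbma}")
    return problems
```

An unexpected NBMA address on the hub entry, or a spoke that never appears as a route tunnel after traffic, is the first thing to investigate when spoke-to-spoke traffic keeps hairpinning through the Hub.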