在HOST1上创建命名空间和接口
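# HOST1: two namespaces, each wired to the host through its own veth pair.
# Only the namespace-side end of each pair gets an address; the host-side
# ends (veth1, veth2) are left bare so VPP can pick them up as host-interfaces.
sudo ip netns add h1ns1
sudo ip link add h1ns1_veth1 type veth peer name veth1
sudo ip link set dev h1ns1_veth1 up netns h1ns1
sudo ip netns exec h1ns1 ip addr add 192.168.5.2/24 dev h1ns1_veth1
sudo ip netns exec h1ns1 ip link set dev lo up
sudo ip link set veth1 up
# `ip route` takes `via`; `gw` is the legacy route(8) keyword and is rejected
# by iproute2, which left h1ns1 without a default route. Matches the h1ns2 line.
sudo ip netns exec h1ns1 ip route add default via 192.168.5.1
sudo ip netns add h1ns2
sudo ip link add h1ns2_veth2 type veth peer name veth2
sudo ip link set dev h1ns2_veth2 up netns h1ns2
sudo ip netns exec h1ns2 ip addr add 192.168.6.2/24 dev h1ns2_veth2
sudo ip netns exec h1ns2 ip link set dev lo up
sudo ip link set veth2 up
sudo ip netns exec h1ns2 ip route add default via 192.168.6.1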
配置发起者
set int ip addr enp0s3 192.168.51.105/24
set int state enp0s3 up
loopback create-interface
set interface state loop0 up
set interface ip address loop0 2.2.2.2/24
create host-interface name veth1
set interface ip addr host-veth1 192.168.5.1/24
set interface state host-veth1 up
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local ip4-addr 2.2.2.2
ikev2 profile set pr1 id remote ip4-addr 6.6.6.6
ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder loop0 6.6.6.6
ikev2 profile set pr1 ike-crypto-alg aes-gcm-16 256 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-gcm-16 256
create ipip tunnel src 2.2.2.2 dst 6.6.6.6
ikev2 profile set pr1 tunnel ipip0
set interface unnumbered ipip0 use enp0s3
ip route add 6.6.6.6/24 via 192.168.51.205
loopback create-interface
set interface state loop1 up
set interface ip address loop1 3.3.3.3/24
create host-interface name veth2
set interface ip addr host-veth2 192.168.6.1/24
set interface state host-veth2 up
ikev2 profile add pr2
ikev2 profile set pr2 auth shared-key-mic string Vpp123
ikev2 profile set pr2 id local ip4-addr 3.3.3.3
ikev2 profile set pr2 id remote ip4-addr 7.7.7.7
ikev2 profile set pr2 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr2 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr2 responder loop1 7.7.7.7
ikev2 profile set pr2 ike-crypto-alg aes-gcm-16 256 ike-dh modp-2048
ikev2 profile set pr2 esp-crypto-alg aes-gcm-16 256
create ipip tunnel src 3.3.3.3 dst 7.7.7.7
ikev2 profile set pr2 tunnel ipip1
set interface unnumbered ipip1 use enp0s3
ip route add 7.7.7.7/24 via 192.168.51.205
在HOST2上创建命名空间和接口
# HOST2: same layout as HOST1 — one namespace per veth pair, with the host-side
# end (veth1 / veth2) left unaddressed for VPP to attach as a host-interface.
#   h2ns1  h2ns1_veth1 <-> veth1  192.168.3.0/24 (namespace .2, gateway .1)
#   h2ns2  h2ns2_veth2 <-> veth2  192.168.4.0/24 (namespace .2, gateway .1)
for spec in 'h2ns1 veth1 192.168.3' 'h2ns2 veth2 192.168.4'; do
  read -r ns host_end subnet <<<"$spec"
  ns_end="${ns}_${host_end}"
  sudo ip netns add "$ns"
  sudo ip link add "$ns_end" type veth peer name "$host_end"
  sudo ip link set dev "$ns_end" up netns "$ns"
  sudo ip netns exec "$ns" ip addr add "${subnet}.2/24" dev "$ns_end"
  sudo ip netns exec "$ns" ip link set dev lo up
  sudo ip link set "$host_end" up
  sudo ip netns exec "$ns" ip route add default via "${subnet}.1"
done
配置响应者
set int ip addr enp0s3 192.168.51.205/24
set int state enp0s3 up
loopback create-interface
set interface state loop0 up
set interface ip address loop0 6.6.6.6/24
create host-interface name veth1
set interface ip addr host-veth1 192.168.3.1/24
set interface state host-veth1 up
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local ip4-addr 6.6.6.6
ikev2 profile set pr1 id remote ip4-addr 2.2.2.2
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
create ipip tunnel src 6.6.6.6 dst 2.2.2.2
ikev2 profile set pr1 tunnel ipip0
set interface unnumbered ipip0 use enp0s3
ip route add 2.2.2.2/24 via 192.168.51.105
loopback create-interface
set interface state loop1 up
set interface ip address loop1 7.7.7.7/24
create host-interface name veth2
set interface ip addr host-veth2 192.168.4.1/24
set interface state host-veth2 up
ikev2 profile add pr2
ikev2 profile set pr2 auth shared-key-mic string Vpp123
ikev2 profile set pr2 id local ip4-addr 7.7.7.7
ikev2 profile set pr2 id remote ip4-addr 3.3.3.3
ikev2 profile set pr2 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr2 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
create ipip tunnel src 7.7.7.7 dst 3.3.3.3
ikev2 profile set pr2 tunnel ipip1
set interface unnumbered ipip1 use enp0s3
ip route add 3.3.3.3/24 via 192.168.51.105
发起IPSec协商请求,指定需要协商的IPSec配置
ikev2 initiate sa-init pr1
ikev2 initiate sa-init pr2
在VPP1中配置Loop2作为VXLAN隧道端点
loopback create-interface
set interface state loop2 up
set interface ip address loop2 4.4.4.4/24
ip route add 8.8.8.8/24 via 6.6.6.6
在VPP2中配置Loop2作为VXLAN隧道端点
loopback create-interface
set interface state loop2 up
set interface ip address loop2 8.8.8.8/24
ip route add 4.4.4.4/32 via 2.2.2.2
VPP1上构建VXLAN隧道
create bridge-domain 11 learn 1 forward 1 uu-flood 1 flood 1 arp-term 0
create vxlan tunnel src 4.4.4.4 dst 8.8.8.8 vni 11 decap-next l2
set interface l2 bridge vxlan_tunnel0 11
loopback create mac 1a:2b:3c:4d:5e:6f
set interface l2 bridge loop3 11 bvi
set interface state loop3 up
set interface l2 bridge host-veth1 11
VPP2上构建VXLAN隧道
create bridge-domain 11 learn 1 forward 1 uu-flood 1 flood 1 arp-term 0
create vxlan tunnel src 8.8.8.8 dst 4.4.4.4 vni 11 decap-next l2
set interface l2 bridge vxlan_tunnel0 11
loopback create mac a1:b2:c3:d4:e5:f6
set interface l2 bridge loop3 11 bvi
set interface state loop3 up
set interface l2 bridge host-veth1 11