P2P GRE over IPSec(一)
Static P2P GRE over IPSec
1.拓扑
2.步骤
2.1按拓扑配置好各IP地址,默认路由为匹配路由。
2.2配置Static P2P GRE over IPSec
1.在R1上配置终点为R2的P2P GRE隧道:
R1(config)#int tunnel 1
R1(config-if)#ip
*Mar 1 00:32:01.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#tunnel source 16.16.16.1
R1(config-if)#tunnel destination 26.26.26.2
R1(config-if)#ex
R1(config)#
*Mar 1 00:32:57.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config)#
2.在R2上配置终点为R1的P2P GRE隧道:
R2(config)#int tunnel 2
R2(config-if)#ip add
*Oct 19 10:48:22.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
R2(config-if)#ip add 1.1.1.2 255.255.255.0
R2(config-if)#tunnel source 26.26.26.2
R2(config-if)#tunnel destination 16.16.16.1
R2(config-if)#ex
R2(config)#
*Oct 19 10:49:01.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
R2(config)#
3.在R1上配置普通的LAN-to-LAN ×××:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#au p
R1(config-isakmp)#en 3
R1(config-isakmp)#ha s
R1(config-isakmp)#gr 2
R1(config-isakmp)#ex
R1(config)#cry isakmp key 0 cisco123 add 26.26.26.2
R1(config)#cry ipsec transf myset esp-3 esp-sha-h
R1(cfg-crypto-trans)#ex
R1(config)#access-list 100 permit gre
R1(config)#access-list 100 permit gre host 16.16.16.1 host 26.26.26.2
R1(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 26.26.26.2
R1(config-crypto-map)#set transf myset
R1(config-crypto-map)#match add 100
R1(config-crypto-map)#ex
R1(config)#int f1/0
R1(config-if)#cry map l2l
R1(config-if)#
*Mar 1 00:39:48.803: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
4.同R1的方法在R2上配置IPSec:
R2(config)#cry isakmp policy 1
R2(config-isakmp)#en 3
R2(config-isakmp)#au p
R2(config-isakmp)#ha s
R2(config-isakmp)#gr 2
R2(config-isakmp)#ex
R2(config)#cry isakmp key 0 cisco123 add 16.16.16.1
R2(config)#cry ipsec transf myset esp-3 esp-sha-h
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 per gre host 26.26.26.2 host 16.16.16.1
R2(config)#cry map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set trans myset
R2(config-crypto-map)#match add 100
R2(config-crypto-map)#ex
R2(config)#int f0/0
R2(config-if)#cry map l2l
R2(config-if)#
*Oct 19 10:58:14.127: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
3.验证
3.1测试P2P GRE over IPSec:
1.从R1向R2发送流量激活隧道:
R1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/106/136 ms
R1#
2.在R1上查看IKE SA的peer:
R1#show cry isakmp peers
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
R1#
说明:IKE SA成功建立,R1本地源地址为16.16.16.1目标地址为26.26.26.2,而不是GRE隧道的地址。
3.查看R1上的IKE SA:
R1#show cry isakmp sa
dst src state conn-id slot status
26.26.26.2 16.16.16.1 QM_IDLE 1 0 ACTIVE
4.在R1上查看IPSec SA:
R1#show cry ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0xC181AF65(3246501733)
inbound esp sas:
spi: 0xC82371EC(3357766124)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4558627/3351)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC181AF65(3246501733)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4558627/3349)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
说明:IPSec SA显示为活动状态,加密的数据包为双方建立GRE时用到的公网地址。
5.测试上海15.15.15.0到北京23.23.23.0的双方内网通信:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
说明:目前的IPSec只加密了双方间GRE时用到的公网地址,而没有包含双方内网地址,所以内网通信不成功。因此需要使用动态路由协议。
3.2在双方配置动态路由协议EIGRP交换内网信息:
R1(config)#router eigrp 1
R1(config-router)#net 1.1.1.1 0.0.0.0
R1(config-router)#net 15.15.15.0 0.0.0.255
R1(config-router)#no au
R1(config-router)#ex
R1(config)#
R2(config)#router eigrp 1
R2(config-router)#net 1.1.1.2 0.0.0.0
R2(config-router)#net
*Oct 19 11:30:07.159: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1 (Tunnel2) is up: new adjacency
R2(config-router)#net 23.23.23.0 0.0.0.255
R2(config-router)#no au
R2(config-router)#ex
R2(config)#
*Oct 19 11:30:25.295: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1 (Tunnel2) is resync: summary configured
R2(config)#
在R1上查看EIGRP邻居:
R1(config)#do show ip eigrp nei
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 1.1.1.2 Tu1 13 00:02:55 145 5000 0 8
R1(config)#
在R1上查看路由表:
R1(config)#do show ip route
Gateway of last resort is 16.16.16.6 to network 0.0.0.0
16.0.0.0/24 is subnetted, 1 subnets
C 16.16.16.0 is directly connected, FastEthernet1/0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Tunnel1
23.0.0.0/24 is subnetted, 1 subnets
D 23.23.23.0 [90/297246976] via 1.1.1.2, 00:03:21, Tunnel1
15.0.0.0/24 is subnetted, 1 subnets
C 15.15.15.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 16.16.16.6
R1(config)#
说明:R1已经通过EIGRP学到北京内网的网段23.23.23.0信息,去往北京内网的入口为GRE隧道端口1.1.1.2
再次测试上海15.15.15.0到北京23.23.23.0的双方内网通信情况:
R1#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/115/144 ms
R1#
查看上海15.15.15.0向北京23.23.23.0发送数据包的路径:
R1#traceroute 23.23.23.3
Type escape sequence to abort.
Tracing the route to 23.23.23.3
1 1.1.1.2 132 msec 140 msec 140 msec
2 23.23.23.3 144 msec * 136 msec
R1#
说明:两个内网之间的通信,中间只有一跳1.1.1.2,从GRE隧道到达目的地。
测试北京内网与上海内网的通信:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/123/156 ms
R3#
3.3测试NAT对P2P GRE over IPsec的影响:
1.在R1上配置NAT:
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#
*Mar 1 01:30:47.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config-if)#int f1/0
R1(config-if)#ip nat outside
R1(config-if)#
R1(config-if)#ex
R1(config)#access-list 111 permit ip any any
R1(config)#ip nat inside source list 111 interface f1/0 overload
R1(config)#
2.从上海向北京发送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/159/200 ms
R5#
说明:因为从上海公司到北京公司的流量都是从GRE隧道过去的而不是从物理接口f1/0过去的,在f1/0上配置的NAT对GRE隧道没有影响,所以上海到北京的流量能正常通信。
3.4在R6和R3上开放VTY线路登录:
R6(config)#line vty 0 15
R6(config-line)#no login
R6(config-line)#exit
R6(config)#
R3(config)#line vty 0 15
R3(config-line)#no login
R3(config-line)#exit
R3(config)#
1.测试从上海到北京的流量和源IP情况:
R5#telnet 23.23.23.3
Trying 23.23.23.3 ... Open
R3>en
% No password set
R3>who
Line User Host(s) Idle Location
0 con 0 idle 00:02:08
*130 vty 0 idle 00:00:00 15.15.15.5
Interface User Mode Idle Peer Address
R3>
说明:源IP没有被物理接口的NAT影响。
2.测试上海到R6的流量和源IP情况:
R5#telnet 16.16.16.6
Trying 16.16.16.6 ... Open
R6>who
Line User Host(s) Idle Location
0 con 0 idle 00:04:16
*130 vty 0 idle 00:00:00 16.16.16.1
Interface User Mode Idle Peer Address
R6>
R1#show ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 16.16.16.1:22015 15.15.15.5:22015 16.16.16.6:23 16.16.16.6:23
R1#
说明:可以看到公司内网到公网的时候,IP源地址呗物理接口的NAT转换为物理接口的IP地址。
3.5将NAT改为在GRE接口上开启:
R1(config)#no ip nat inside source list 111 interface f1/0 overload
R1(config)#int f1/0
R1(config-if)#no ip nat outside
R1(config-if)#ex
R1(config)#int tunnel 1
R1(config-if)#ip nat outside
R1(config-if)#ex
R1(config)#ip nat inside source list 111 interface tunnel 1 overload
R1(config)#
*Mar 1 02:35:39.927: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.2 (Tunnel1) is down: Interface Goodbye received
R1(config)#
*Mar 1 02:35:44.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.2 (Tunnel1) is up: new adjacency
查看R1和R2上的EIGRP邻居表:
R1#show ip eigrp nei
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 1.1.1.2 Tu1 11 00:00:41 1 5000 2 0
R1#
R2(config)#do show ip eigrp nei
IP-EIGRP neighbors for process 1
R2(config)#
说明:EIGRP邻居是单向的。
改变NAT的感兴趣流量使内网流量绕过NAT:
R1(config)#no access-list 111
R1(config)#access-list 111 deny ip host 1.1.1.1 any
R1(config)#access-list 111 deny ip 15.15.15.0 0.0.0.255 any
R1(config)#access-list 111 permit ip any any
R1(config)#
再次从上海发送流量到北京,测试是否绕过NAT:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/117/148 ms
R5#
说明:通过P2P GRE over IPSec通信的内网流量最然不会受到物理接口NAT的影响,但会受到GRE接口NAT的影响。
3.6测试IPSec Mode:
说明:IPsec默认的mode是tunnel mode。
1.将R2的IPSec mode改为transform mode :
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#ex
清除双方的crypto sa:
R2#clear crypto sa
R1#clear crypto sa
查看R2当前的IPSec mode:
R2#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: l2l, local addr 26.26.26.2
protected vrf: (none)
local ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
current_peer 16.16.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x88A24152(2292334930)
inbound esp sas:
spi: 0xF0A5AC54(4037389396)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: 9, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4487029/3443)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x88A24152(2292334930)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: 10, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4487029/3435)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#
说明:虽然已经将R2的IPSec mode改为transport mode,但还是工作在tunnel mode,因为对方还没有改,只有双方都改时,才会改变最终的mode。
测试此时双方内网的通信情况:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/148/168 ms
R5#
说明:因为双方的工作mode还是一致的,所以内网通信还正常。
2.把R1的IPSec mode也改为transport mode:
R1(config)#crypto ipsec transform-set myste esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
再次查看R1和R2的IPSec mode:
R2#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: l2l, local addr 26.26.26.2
protected vrf: (none)
local ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
current_peer 16.16.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 197, #pkts encrypt: 197, #pkts digest: 197
#pkts decaps: 196, #pkts decrypt: 196, #pkts verify: 196
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x88A24152(2292334930)
inbound esp sas:
spi: 0xF0A5AC54(4037389396)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 9, flow_id: 9, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4487007/2751)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x88A24152(2292334930)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 10, flow_id: 10, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4487007/2751)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#
R1#show cry ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
#pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0xF0A5AC54(4037389396)
inbound esp sas:
spi: 0x88A24152(2292334930)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4566714/2974)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF0A5AC54(4037389396)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4566714/2968)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
测试内网连通性:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/145/200 ms
R3#
说明:现在双方的IPSec mode为transport mode,但不影响流量通过。
转载于:https://blog.51cto.com/henuxzy/1031387
826
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
