As the Internet backbone keeps growing, enterprises no longer have to treat expensive leased lines as the only way to connect their sites; more and more of them choose to run some of their applications over the Internet. That raises the question of how to keep that data secure on the Internet, and IPsec is a good choice. Recently a customer needed DMVPN and Easy VPN on the same router. There are plenty of samples online, but most of them just copy Cisco's lab, so I worked through it again myself and am sharing it here for discussion.

DMVPN (Dynamic Multipoint VPN) is based on NHRP (Next Hop Resolution Protocol) and encrypts multipoint GRE tunnels. The configuration steps are:

1. Configure the NHRP tunnel and make sure the mGRE tunnel comes up.

2. Configure IPsec to encrypt the tunnel.

Topology

192.168.2.0/24--F0/0---SPOKE--210.1.1.2/30-----INTERNET----210.1.1.1/30-----HUB--F0/0--192.168.1.0/24

HUB side

Basic configuration

!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0------------------local LAN
 duplex full
!
interface Serial1/1
 ip address 210.1.1.1 255.255.255.252------------------Internet

NHRP tunnel

interface Tunnel1
 description dynamic gre to spoke
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco-------------NHRP authentication string
 ip nhrp map multicast dynamic------------dynamic NHRP multicast mapping: spoke NBMA addresses are learned as they register
 ip nhrp network-id 10--------------------identifies the NHRP network; the mGRE attributes are tied to it
 ip nhrp holdtime 200
 ip nhrp cache non-authoritative
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 load-interval 30
 delay 1000
 tunnel source Serial1/1
 tunnel mode gre multipoint----------mGRE mode
 tunnel key 99

SPOKE

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
!
interface Serial1/0
 ip address 210.1.1.2 255.255.255.252
 serial restart-delay 0

NHRP tunnel

interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 210.1.1.1-----------static mapping of the hub's tunnel address to its NBMA (Internet) address
 ip nhrp map multicast 210.1.1.1
 ip nhrp network-id 10
 ip nhrp holdtime 200
 ip nhrp nhs 10.0.0.1---------------------the hub is the next-hop server
 ip nhrp cache non-authoritative
 no ip mroute-cache
 load-interval 30
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 99

With the tunnels configured on both sides, verify connectivity.

HUB side:

HUB#sh ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel1 created 01:00:22, expire 00:02:43
  Type: dynamic, Flags: unique nat registered
  NBMA address: 210.1.1.2
HUB#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/65/72 ms
HUB#

SPOKE side:

Spoke#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel1 created 00:58:47, never expire
  Type: static, Flags: nat used
  NBMA address: 210.1.1.1
Spoke#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/71/92 ms
Spoke#

Turn on debugging and watch NHRP:

HUB#debug nhrp packet
NHRP activity debugging is on
HUB#
*Aug  4 12:17:11.183: NHRP: Receive Registration Request via Tunnel1 vrf 0, packet size: 105
*Aug  4 12:17:11.183:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Aug  4 12:17:11.183:      shtl: 4(NSAP), sstl: 0(NSAP)
*Aug  4 12:17:11.183:  (M) flags: "unique nat ", reqid: 60
*Aug  4 12:17:11.183:      src NBMA: 210.1.1.2
*Aug  4 12:17:11.183:      src protocol: 10.0.0.2, dst protocol: 10.0.0.1
*Aug  4 12:17:11.183:  (C-1) code: no error(0)
*Aug  4 12:17:11.183:        prefix: 255, mtu: 1514, hd_time: 200
*Aug  4 12:17:11.183:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Aug  4 12:17:11.183: NHRP: Send Registration Reply via Tunnel1 vrf 0, packet size: 125----------------registration reply; the tunnel is up

*Aug  4 12:17:11.183:  src: 10.0.0.1, dst: 10.0.0.2
*Aug  4 12:17:11.183:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Aug  4 12:17:11.183:      shtl: 4(NSAP), sstl: 0(NSAP)
*Aug  4 12:17:11.183:  (M) flags: "unique nat ", reqid: 60
*Aug  4 12:17:11.183:      src NBMA: 210.1.1.2
*Aug  4 12:17:11.183:      src protocol: 10.0.0.2, dst protocol: 10.0.0.1
*Aug  4 12:17:11.183:  (C-1) code: no error(0)
*Aug  4 12:17:11.183:        prefix: 255, mtu: 1514, hd_time: 200
*Aug  4 12:17:11.183:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
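As an added example (not part of the original article), here is a small Python parser for the show ip nhrp output shown above. It turns each cache entry into a record and then flags dynamic registrations whose NBMA address is not on an allow-list of known spokes, a check a hub administrator can run periodically. The sample text is the article's own hub and spoke output plus one constructed extra entry (NBMA 198.51.100.7, a documentation address) to exercise the check.

```python
import re
from dataclasses import dataclass

# Constructed sample: the hub's "show ip nhrp" output from this article plus one
# made-up dynamic entry (NBMA 198.51.100.7) from a spoke we do NOT know about.
SAMPLE_HUB = """\
10.0.0.2/32 via 10.0.0.2, Tunnel1 created 01:00:22, expire 00:02:43
  Type: dynamic, Flags: unique nat registered
  NBMA address: 210.1.1.2
10.0.0.3/32 via 10.0.0.3, Tunnel1 created 00:00:05, expire 00:03:15
  Type: dynamic, Flags: unique registered
  NBMA address: 198.51.100.7
"""
# The spoke's output from the article: a static mapping that never expires.
SAMPLE_SPOKE = """\
10.0.0.1/32 via 10.0.0.1, Tunnel1 created 00:58:47, never expire
  Type: static, Flags: nat used
  NBMA address: 210.1.1.1
"""
@dataclass
class NhrpEntry:
    prefix: str      # tunnel-side prefix, e.g. 10.0.0.2/32
    next_hop: str    # tunnel-side next hop
    tunnel: str      # interface the entry lives on
    expire: str      # hh:mm:ss, or "never" for static entries
    entry_type: str  # "dynamic" (learned by registration) or "static"
    flags: tuple     # e.g. ("unique", "nat", "registered")
    nbma: str        # NBMA (Internet-facing) address of the peer

HEADER = re.compile(r"^(\S+) via (\S+), (\S+) created (\S+), (?:expire (\S+)|never expire)")

def parse_show_ip_nhrp(text):
    """Parse IOS 'show ip nhrp' output into a list of NhrpEntry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # first line of an entry
            cur = {"prefix": m.group(1), "next_hop": m.group(2), "tunnel": m.group(3),
                   "expire": m.group(5) or "never", "entry_type": "", "flags": (), "nbma": ""}
            entries.append(cur)
            continue
        s = line.strip()
        if cur is not None and s.startswith("Type:"):
            type_part, _, flag_part = s.partition(", Flags:")  # "Type: dynamic, Flags: ..."
            cur["entry_type"] = type_part.split(":", 1)[1].strip()
            cur["flags"] = tuple(flag_part.split())
        elif cur is not None and s.startswith("NBMA address:"):
            cur["nbma"] = s.split(":", 1)[1].strip()
    return [NhrpEntry(**e) for e in entries]

def unexpected_registrations(entries, known_spoke_nbma):
    """Dynamic, registered entries whose NBMA address is not a known spoke."""
    return [e for e in entries
            if e.entry_type == "dynamic" and "registered" in e.flags
            and e.nbma not in known_spoke_nbma]

if __name__ == "__main__":
    for e in unexpected_registrations(parse_show_ip_nhrp(SAMPLE_HUB), {"210.1.1.2"}):
        print(f"unknown spoke {e.next_hop} registered from NBMA {e.nbma} on {e.tunnel}")
```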

 

For routing you can use static routes, RIP, OSPF, IS-IS, EIGRP, BGP... whichever you like; GRE tunnels exist precisely to solve the problem of carrying these protocols.

When deploying, watch the OSPF network type: you can configure ip ospf network broadcast on the tunnel, or configure neighbor x.x.x.x under router ospf and use direct unicast. RIP/EIGRP have a similar split-horizon issue; there are plenty of sample configurations online.

This example uses OSPF:

interface Tunnel1
 ip ospf network broadcast
 ip ospf priority 10------------configured on the hub so that it becomes the DR

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0

 

HUB#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
     210.1.1.0/30 is subnetted, 1 subnets
C       210.1.1.0 is directly connected, Serial1/1
O    192.168.2.0/24 [110/11112] via 10.0.0.2, 01:30:49, Tunnel1
HUB#

Many people cannot keep NHRP and mGRE straight, so let's first think about why we use DMVPN at all: because it is dynamic, right? Because tunnels are built automatically.

You can in fact also specify the NHRP next hop manually if you don't mind the hassle; see my earlier article.

NHRP is defined in RFC 2332. It solves how a source node on a non-broadcast multi-access (NBMA) network learns the next hop toward a destination node.

Establishing the spoke-to-hub tunnel is simple and easy to understand: think of it as a registration. Once built, this tunnel persists:

Spoke#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel1 created 00:58:47, never expire

A spoke-to-spoke tunnel is only built after the spoke-to-hub tunnel is up: when two spokes need to exchange data, NHRP is used to dynamically resolve the destination spoke's NBMA IP address.

 

Next we add IPsec encryption on top.

crypto isakmp policy 10--------------define the ISAKMP policy (Phase 1)
 hash md5
 authentication pre-share
 group 2
crypto isakmp key dmvpn address 0.0.0.0 0.0.0.0--------------define the pre-shared key (wildcard: accepted for any peer address)
!
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac-----define the transform set, i.e. how the data is encrypted (Phase 2)
!
crypto ipsec profile dmvpn----------define the IPsec profile
 set transform-set vpnset
!
interface Tunnel1
 tunnel protection ipsec profile dmvpn-----------apply IPsec to the GRE tunnel

Note that policy 10 sets no encr, so IOS uses its default of DES; in the debug below the peer offers DES-CBC and it is accepted against this policy.

 

Now turn on debug crypto isakmp / debug crypto ipsec:

*Aug  4 13:12:29.675: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*Aug  4 13:12:29.683: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Aug  4 13:12:29.683: IPSEC(recalculate_mtu): reset sadb_root 65A4DDA8 mtu to 1500
*Aug  4 13:12:29.683: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 210.1.1.1, remote= 210.1.1.2,
    local_proxy= 210.1.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 210.1.1.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug  4 13:12:29.683: ISAKMP:(0): SA request profile is (NULL)
*Aug  4 13:12:29.683: ISAKMP: Created a peer struct for 210.1.1.2, peer port 500
*Aug  4 13:12:29.683: ISAKMP: New peer created peer = 0x657CBE1C peer_handle = 0x80000004
*Aug  4 13:12:29.683: ISAKMP: Locking peer struct 0x657CBE1C, refcount 1 for isakmp_initiator
*Aug  4 13:12:29.683: ISAKMP: local port 500, remote port 500
*Aug  4 13:12:29.683: ISAKMP: set new node 0 to QM_IDLE     
*Aug  4 13:12:29.683: insert sa successfully sa = 6645A488
*Aug  4 13:12:29.683: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Aug  4 13:12:29.683: ISAKMP:(0):found peer pre-shared key matching 210.1.1.2
*Aug  4 13:12:29.683: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Aug  4 13:12:29.683: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Aug  4 13:12:29.683: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Aug  4 13:12:29.683: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug  4 13:12:29.683: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Aug  4 13:12:29.683: ISAKMP:(0): beginning Main Mode exchange
*Aug  4 13:12:29.683: ISAKMP:(0): sending packet to 210.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug  4 13:12:29.767: ISAKMP (0:0): received packet from 210.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Aug  4 13:12:29.775: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug  4 13:12:29.775: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Aug  4 13:12:29.779: ISAKMP:(0): processing SA payload. message ID = 0
*Aug  4 13:12:29.779: ISAKMP:(0): processing vendor id payload
*Aug  4 13:12:29.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Aug  4 13:12:29.779: ISAKMP (0:0): vendor ID is NAT-T v7
*Aug  4 13:12:29.779: ISAKMP:(0):found peer pre-shared key matching 210.1.1.2
*Aug  4 13:12:29.779: ISAKMP:(0): local preshared key found
*Aug  4 13:12:29.779: ISAKMP : Scanning profiles for xauth ... dailup
*Aug  4 13:12:29.779: ISAKMP:(0): Authentication by xauth preshared
*Aug  4 13:12:29.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Aug  4 13:12:29.779: ISAKMP:      encryption DES-CBC
*Aug  4 13:12:29.779: ISAKMP:      hash MD5
*Aug  4 13:12:29.779: ISAKMP:      default group 2
*Aug  4 13:12:29.779: ISAKMP:      auth pre-share
*Aug  4 13:12:29.779: ISAKMP:      life type in seconds
*Aug  4 13:12:29.779: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Aug  4 13:12:29.779: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Aug  4 13:12:29.779: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Aug  4 13:12:29.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Aug  4 13:12:29.779: ISAKMP:      encryption DES-CBC
*Aug  4 13:12:29.779: ISAKMP:      hash MD5
*Aug  4 13:12:29.779: ISAKMP:      default group 2
*Aug  4 13:12:29.779: ISAKMP:      auth pre-share
*Aug  4 13:12:29.779: ISAKMP:      life type in seconds
*Aug  4 13:12:29.779: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Aug  4 13:12:29.779: ISAKMP:(0):atts are acceptable. Next payload is 0
*Aug  4 13:12:29.779: ISAKMP:(0): processing vendor id payload
*Aug  4 13:12:29.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Aug  4 13:12:29.779: ISAKMP (0:0): vendor ID is NAT-T v7
*Aug  4 13:12:29.779: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug  4 13:12:29.779: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Aug  4 13:12:29.779: ISAKMP:(0): sending packet to 210.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug  4 13:12:29.779: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug  4 13:12:29.779: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Aug  4 13:12:29.939: ISAKMP (0:0): received packet from 210.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug  4 13:12:29.943: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug  4 13:12:29.947: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Aug  4 13:12:29.947: ISAKMP:(0): processing KE payload. message ID = 0
*Aug  4 13:12:29.975: ISAKMP:(0): processing NONCE payload. message ID = 0
*Aug  4 13:12:29.975: ISAKMP:(0):found peer pre-shared key matching 210.1.1.2
*Aug  4 13:12:29.983: ISAKMP:(1002): processing vendor id payload
*Aug  4 13:12:29.987: ISAKMP:(1002): vendor ID is Unity
*Aug  4 13:12:29.987: ISAKMP:(1002): processing vendor id payload
*Aug  4 13:12:29.991: ISAKMP:(1002): vendor ID is DPD
*Aug  4 13:12:29.995: ISAKMP:(1002): processing vendor id payload
*Aug  4 13:12:29.995: ISAKMP:(1002): speaking to another IOS box!
*Aug  4 13:12:29.995: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug  4 13:12:29.995: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Aug  4 13:12:29.995: ISAKMP:(1002):Send initial contact
*Aug  4 13:12:29.995: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug  4 13:12:29.995: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 210.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Aug  4 13:12:29.995: ISAKMP:(1002):Total payload length: 12
*Aug  4 13:12:29.995: ISAKMP:(1002): sending packet to 210.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Aug  4 13:12:29.995: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug  4 13:12:29.995: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Aug  4 13:12:30.227: ISAKMP (0:1002): received packet from 210.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug  4 13:12:30.231: ISAKMP:(1002): processing ID payload. message ID = 0
*Aug  4 13:12:30.235: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 210.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Aug  4 13:12:30.235: ISAKMP:(0):: peer matches *none* of the profiles
*Aug  4 13:12:30.235: ISAKMP:(1002): processing HASH payload. message ID = 0
*Aug  4 13:12:30.235: ISAKMP:(1002):SA authentication status:
        authenticated
*Aug  4 13:12:30.235: ISAKMP:(1002):SA has been authenticated with 210.1.1.2
*Aug  4 13:12:30.235: ISAKMP: Trying to insert a peer 210.1.1.1/210.1.1.2/500/,  and inserted successfully 657CBE1C.
*Aug  4 13:12:30.235: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug  4 13:12:30.235: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Aug  4 13:12:30.235: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug  4 13:12:30.235: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Aug  4 13:12:30.235: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug  4 13:12:30.235: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Aug  4 13:12:30.235: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 2100610170
*Aug  4 13:12:30.235: ISAKMP:(1002):QM Initiator gets spi
*Aug  4 13:12:30.251: ISAKMP:(1002): sending packet to 210.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Aug  4 13:12:30.255: ISAKMP:(1002):Node 2100610170, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug  4 13:12:30.255: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Aug  4 13:12:30.259: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug  4 13:12:30.259: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug  4 13:12:30.323: ISAKMP (0:1002): received packet from 210.1.1.2 dport 500 sport 500 Global (I) QM_IDLE     
*Aug  4 13:12:30.327: ISAKMP:(1002): processing HASH payload. message ID = 2100610170
*Aug  4 13:12:30.331: ISAKMP:(1002): processing SA payload. message ID = 2100610170
*Aug  4 13:12:30.335: ISAKMP:(1002):Checking IPSec proposal 1
*Aug  4 13:12:30.335: ISAKMP: transform 1, ESP_3DES
*Aug  4 13:12:30.335: ISAKMP:   attributes in transform:
*Aug  4 13:12:30.339: ISAKMP:      encaps is 1 (Tunnel)
*Aug  4 13:12:30.339: ISAKMP:      SA life type in seconds
*Aug  4 13:12:30.339: ISAKMP:      SA life duration (basic) of 3600
*Aug  4 13:12:30.343: ISAKMP:      SA life type in kilobytes
*Aug  4 13:12:30.343: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Aug  4 13:12:30.347: ISAKMP:      authenticator is HMAC-SHA
*Aug  4 13:12:30.351: ISAKMP:(1002):atts are acceptable.
*Aug  4 13:12:30.355: IPSEC(validate_proposal_request): proposal part #1
*Aug  4 13:12:30.355: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 210.1.1.1, remote= 210.1.1.2,
    local_proxy= 210.1.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 210.1.1.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug  4 13:12:30.367: Crypto mapdb : proxy_match
        src addr     : 210.1.1.1
        dst addr     : 210.1.1.2
        protocol     : 47
        src port     : 0
        dst port     : 0
*Aug  4 13:12:30.375: ISAKMP:(1002): processing NONCE payload. message ID = 2100610170
*Aug  4 13:12:30.379: ISAKMP:(1002): processing ID payload. message ID = 2100610170
*Aug  4 13:12:30.379: ISAKMP:(1002): processing ID payload. message ID = 2100610170
*Aug  4 13:12:30.395: ISAKMP:(1002): Creating IPSec SAs
*Aug  4 13:12:30.395:         inbound SA from 210.1.1.2 to 210.1.1.1 (f/i)  0/ 0
        (proxy 210.1.1.2 to 210.1.1.1)
*Aug  4 13:12:30.399:         has spi 0xD475044B and conn_id 0
*Aug  4 13:12:30.399:         lifetime of 3600 seconds
*Aug  4 13:12:30.403:         lifetime of 4608000 kilobytes
*Aug  4 13:12:30.403:         outbound SA from 210.1.1.1 to 210.1.1.2 (f/i) 0/0
        (proxy 210.1.1.1 to 210.1.1.2)
*Aug  4 13:12:30.407:         has spi  0xC4AB5AEE and conn_id 0
*Aug  4 13:12:30.407:         lifetime of 3600 seconds
*Aug  4 13:12:30.411:         lifetime of 4608000 kilobytes
*Aug  4 13:12:30.415: ISAKMP:(1002): sending packet to 210.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Aug  4 13:12:30.419: ISAKMP:(1002):deleting node 2100610170 error FALSE reason "No Error"
*Aug  4 13:12:30.419: ISAKMP:(1002):Node 2100610170, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug  4 13:12:30.423: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Aug  4 13:12:30.431: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Aug  4 13:12:30.431: Crypto mapdb : proxy_match
        src addr     : 210.1.1.1
        dst addr     : 210.1.1.2
        protocol     : 47
        src port     : 0
        dst port     : 0
*Aug  4 13:12:30.431: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 210.1.1.2
*Aug  4 13:12:30.431: IPSEC(policy_db_add_ident): src 210.1.1.1, dest 210.1.1.2, dest_port 0

*Aug  4 13:12:30.431: IPSEC(create_sa): sa created,
  (sa) sa_dest= 210.1.1.1, sa_proto= 50,
    sa_spi= 0xD475044B(3564438603),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
*Aug  4 13:12:30.431: IPSEC(create_sa): sa created,
  (sa) sa_dest= 210.1.1.2, sa_proto= 50,
    sa_spi= 0xC4AB5AEE(3299564270),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
*Aug  4 13:12:30.431: IPSEC(update_current_outbound_sa): updated peer 210.1.1.2 current outbound sa to SPI C4AB5AEE
*Aug  4 13:12:31.071: %SYS-5-CONFIG_I: Configured from console by console
*Aug  4 13:12:31.327: %OSPF-5-ADJCHG: Process 1, Nbr 210.1.1.2 on Tunnel1 from LOADING to FULL, Loading Done

Now look at the IPsec state with show crypto session:

HUB#sh cry se
Crypto session current status

Interface: Tunnel1
Session status: UP-ACTIVE    
Peer: 210.1.1.2 port 500
  IKE SA: local 210.1.1.1/500 remote 210.1.1.2/500 Active
  IPSEC FLOW: permit 47 host 210.1.1.1 host 210.1.1.2
        Active SAs: 2, origin: crypto map

HUB#
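As an added example (not from the article), the following Python script audits the hub's crypto configuration shown above for the weak settings visible in this lab: an ISAKMP policy without encr (which is why the debug negotiates DES-CBC), MD5 hashing, a wildcard pre-shared key, a transform set using DES/NULL/MD5, and an mGRE tunnel with no tunnel protection or NHRP authentication. The config samples are reconstructed from the article with the site-censored names restored; the hardened variant (AES-256, SHA-256, DH group 14, a per-peer key with a placeholder secret) is an assumption about what a current IOS release accepts.

```python
# Constructed sample: the hub's Phase 1 / Phase 2 and tunnel lines as shown in
# this article (censored names restored as dmvpn / vpnset).
HUB_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key dmvpn address 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
interface Tunnel1
 ip nhrp authentication cisco
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
"""
# Constructed hardened Phase 1 (assumed valid on a current IOS; key is a placeholder).
HARDENED_POLICY = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-KEY address 210.1.1.2 255.255.255.255
"""

def parse_blocks(config):
    """Split IOS config into (header, [indented sub-commands]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comment separators
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_crypto(config):
    """Return (severity, message) findings for the weak settings discussed above."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            if not any(l.startswith("encr") for l in body):
                findings.append(("high", header + ": no 'encr', IOS defaults to DES"))
            if "hash md5" in body:
                findings.append(("medium", header + ": hash md5"))
        elif header.startswith("crypto isakmp key"):
            if header.endswith("address 0.0.0.0 0.0.0.0"):
                findings.append(("medium", "crypto isakmp key: wildcard PSK accepted from any peer"))
        elif header.startswith("crypto ipsec transform-set"):
            weak = {"esp-des", "esp-null", "esp-md5-hmac"} & set(header.split())
            if weak:
                findings.append(("high", header + ": weak transform " + ", ".join(sorted(weak))))
        elif header.startswith("interface Tunnel"):
            if "tunnel mode gre multipoint" in body and not any(
                    l.startswith("tunnel protection ipsec profile") for l in body):
                findings.append(("high", header + ": mGRE tunnel without tunnel protection"))
            if not any(l.startswith("ip nhrp authentication") for l in body):
                findings.append(("low", header + ": no NHRP authentication string"))
    return findings
```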

At this point DMVPN is done.

For spokes on PPPoE or behind NAT there is just the extra PPPoE dial-up and NAT configuration; nothing special.

To sum up DMVPN:

Overall, DMVPN suits enterprises with many branch offices that are small and use ADSL for Internet access; it is very cost-effective.

If stability and redundancy matter, the headquarters can use dual hubs, or two HQ routers with HSRP/VRRP for redundancy; it comes down to how much money the company is willing to spend.

QoS is a bit difficult: the NHRP tunnel does not seem to support GTS, so for now there is no way to apply it directly on the tunnel.

 

The Easy VPN part of the configuration (on the same hub):

aaa new-model
!
! authentication uses the router's local database
aaa authentication login locallist local
aaa authorization network group local
!
aaa session-id common
!
username cisco password 0 cisco
!
crypto isakmp policy 1-----------define the Easy VPN Phase 1 policy
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group easyvpn-test------define the user group
 key cisco
 dns 168.95.1.1
 pool test
 acl 110
!
crypto isakmp profile dailup-------------------------define the ISAKMP profile
   description for remote-dailup
   match identity group easyvpn-test------------match the user group
   client authentication list locallist----------user authentication (Xauth) against the local list
   isakmp authorization list group--------group (network) authorization list
   client configuration address respond --------hand out a client address on request
!
crypto dynamic-map vpn 10-----------------define the dynamic crypto map
 description dailup
 set transform-set vpnset--------------reference the transform set
 set isakmp-profile dailup----------------reference the ISAKMP profile
 reverse-route
!
crypto map vpn 100 ipsec-isakmp dynamic vpn
!
interface Serial1/1
 crypto map vpn-----------------------apply to the Internet interface
!
ip local pool test 172.16.1.1 172.16.1.100--------address pool for dial-in users
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.255.255--------networks the dial-in users are allowed to reach