FD.IO-VPP研究及使用五 (隧道环境搭建)

本文详细介绍如何使用VPP通过两种方式搭建IPSec隧道:使用IKEv2和静态配置。此外,还介绍了如何搭建VXLAN隧道及在IPSec之上构建VXLAN_over_IPSec隧道,为网络隔离和数据加密提供解决方案。


搭建IPSEC vpn

VPP搭建IPSec有两种方式:
1、使用create ipsec tunnel方式(静态配置)
2、使用发起者/响应者模式(IKEv2)

1、使用ikev2配置ipsec

拓扑如下:
在这里插入图片描述

//#发起者配置:           
# IKEv2 initiator. GigabitEthernet4/0/2 (90.10.10.0/24) is the protected LAN side;
# GigabitEthernet4/0/3 (10.10.10.0/24) is the underlay that carries IKE and ESP.
set int state GigabitEthernet4/0/2 up 
set int ip address GigabitEthernet4/0/2 90.10.10.1/24        
set int state GigabitEthernet4/0/3 up 
set int ip address GigabitEthernet4/0/3 10.10.10.1/24 
# Profile pr1 authenticates with the pre-shared key string "Vpp123"; the responder
# must configure the identical string. A short lab PSK like this is easy to guess,
# so use a long random secret (or certificate auth) anywhere that is not a test bench.
ikev2 profile add pr1  
ikev2 profile set pr1 auth shared-key-mic string Vpp123 
# FQDN-type IKE identities; "remote" here must equal the peer's "local" and vice versa.
ikev2 profile set pr1 id local fqdn vpp1.home 
ikev2 profile set pr1 id remote fqdn vpp2.home
# Responder address, reached through GigabitEthernet4/0/3.
# NOTE(review): 90.10.20.5 is not in 10.10.10.0/24, and the responder below puts
# 10.10.10.2 on its GigabitEthernet4/0/3 — confirm which address is intended.
ikev2 profile set pr1 responder GigabitEthernet4/0/3 90.10.20.5
# IKE SA and child (ESP) SA proposals: AES-CBC-128, HMAC-SHA1-96, DH group MODP-1024.
# 1024-bit DH and SHA-1 are considered weak today; prefer a larger group such as
# modp-2048 and a stronger integrity/AEAD choice when both peers support them.
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024 
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
# Traffic selectors: only 90.10.10.0-200 <-> 90.10.40.0-200, any port, any protocol
# (protocol 0) is negotiated into the child SA; traffic outside this is not protected.
ikev2 profile set pr1 traffic-selector local ip-range 90.10.10.0 - 90.10.10.200 port-range 0 - 65535 protocol 0 
ikev2 profile set pr1 traffic-selector remote ip-range 90.10.40.0 - 90.10.40.200 port-range 0 - 65535 protocol 0
# ipsec0 is used as the tunnel interface for the negotiated SA; its creation is not
# shown here (presumably VPP creates it for the profile — confirm on your version).
# Unnumbered borrows GigabitEthernet4/0/3's address; the route steers the remote LAN into it.
set int state ipsec0 up 
ip route add 90.10.40.0/24 via ipsec0 
set int unnumbered ipsec0 use GigabitEthernet4/0/3
# Start IKE_SA_INIT; run only after the responder is reachable and its profile is loaded.
ikev2 initiate sa-init pr1   //发起协商,需要发起者和响应者网络可达且配好了IKE策略之后执行

//响应者配置
# IKEv2 responder: mirror image of the initiator. GigabitEthernet4/0/2 is its LAN
# (90.10.40.0/24); GigabitEthernet4/0/3 (10.10.10.2) faces the initiator.
set int state GigabitEthernet4/0/2 up 
set int ip address GigabitEthernet4/0/2 90.10.40.1/24 
set int state GigabitEthernet4/0/3 up
set int ip address GigabitEthernet4/0/3 10.10.10.2/24
# Same PSK string as the initiator; identities are swapped (local vpp2, remote vpp1).
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123 
ikev2 profile set pr1 id local fqdn vpp2.home 
ikev2 profile set pr1 id remote fqdn vpp1.home
# No ike-/esp-crypto-alg lines on this side: presumably the responder accepts the
# initiator's proposal (AES-CBC-128/SHA1-96/MODP-1024) — confirm the default policy on
# your VPP version, since a permissive responder lets the peer pick weaker algorithms.
# Selectors are the initiator's with local/remote swapped.
ikev2 profile set pr1 traffic-selector local ip-range 90.10.40.0 - 90.10.40.200 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 90.10.10.0 - 90.10.10.200 port-range 0 - 65535 protocol 0
# Tunnel interface, route for the initiator's LAN, and unnumbered binding; there is no
# "initiate" here — the responder waits for the peer's IKE_SA_INIT.
set int state ipsec0 up 
ip route add 90.10.10.0/24 via ipsec0
set int unnumbered ipsec0 use GigabitEthernet4/0/3

2、静态配置ipsec

拓扑如下:
在这里插入图片描述

# Configure the left VPP (static IPsec, no IKE): SPIs and keys are fixed by hand.
# GigabitEthernet4/0/3 (10.10.10.1) is the underlay that carries ESP to the peer.
# Promiscuous mode is enabled on both ports; the reason is not given here (presumably
# for the static-ARP setup below — confirm it is needed).
set int ip address GigabitEthernet4/0/2 90.10.30.1/24
set int promiscuous on GigabitEthernet4/0/2
set int ip address GigabitEthernet4/0/3 10.10.10.1/24
set int promiscuous on GigabitEthernet4/0/3
 
# Tunnel endpoints and SPIs. The peer must use the mirrored pair: its local-spi is
# our remote-spi (the right-hand VPP uses local-spi 1030 / remote-spi 1031).
create ipsec tunnel local-ip 10.10.10.1 local-spi 1031 remote-ip 10.10.10.2 remote-spi 1030
# Keys are hex: 32 hex digits = 16 bytes, the AES-128 key size. The same value is
# reused for local and remote and for both encryption and integrity, and it decodes
# to printable ASCII ("C91KUR9GYMm5GfkE"), so it has far less entropy than 16 random
# bytes. Manually keyed SAs never rekey, so one leaked value exposes all traffic in
# both directions; use distinct random keys per direction and per purpose, and
# prefer IKEv2 where rekeying matters.
set interface ipsec key ipsec0 local crypto aes-cbc-128 4339314b55523947594d6d3547666b45
set interface ipsec key ipsec0 remote crypto aes-cbc-128 4339314b55523947594d6d3547666b45
set interface ipsec key ipsec0 local integ sha1-96 4339314b55523947594d6d3547666b45
set interface ipsec key ipsec0 remote integ sha1-96 4339314b55523947594d6d3547666b45
 
# Route the remote LAN into the tunnel, borrow GigabitEthernet4/0/3's address for
# ipsec0, and pin the peer's MAC with a static ARP entry (must match the peer's NIC).
ip route add 90.10.40.0/24 via 10.10.10.2 ipsec0
set interface unnumbered ipsec0 use GigabitEthernet4/0/3
set ip arp GigabitEthernet4/0/3 10.10.10.2 00:0b:ab:f6:b3:66
 
# Static ARP for the local host and a route for its prefix out of GigabitEthernet4/0/2.
# NOTE(review): GigabitEthernet4/0/2 is addressed 90.10.30.1/24 but the host is
# 90.10.10.100 — the topology figure is not in the text, so confirm the LAN prefix.
set ip arp GigabitEthernet4/0/2 90.10.10.100 00:0b:ab:f5:a9:70
ip route add 90.10.10.0/24 via GigabitEthernet4/0/2
 
# Bring the interfaces up last, after keys, routes and ARP entries are in place.
set int state GigabitEthernet4/0/2 up
set int state GigabitEthernet4/0/3 up
set int state ipsec0 up
 
# Configure the right VPP: mirror of the left side. GigabitEthernet4/0/3 (10.10.10.2)
# is the underlay endpoint; SPIs are swapped relative to the left VPP.
set int ip address GigabitEthernet4/0/2 90.10.30.2/24
set int promiscuous on GigabitEthernet4/0/2
set int ip address GigabitEthernet4/0/3 10.10.10.2/24
set int promiscuous on GigabitEthernet4/0/3
 
# local-spi 1030 / remote-spi 1031 is the mirror of the left VPP's 1031 / 1030.
create ipsec tunnel local-ip 10.10.10.2 local-spi 1030 remote-ip 10.10.10.1 remote-spi 1031
# Same single 16-byte key as the left side, reused for both directions and for both
# crypto and integrity (see the left VPP's key comment). With static keying the keys
# must match the peer exactly and are never rotated; keep them out of shared docs and
# generate distinct random values per direction/purpose for anything beyond a lab.
set interface ipsec key ipsec0 local crypto aes-cbc-128 4339314b55523947594d6d3547666b45
set interface ipsec key ipsec0 remote crypto aes-cbc-128 4339314b55523947594d6d3547666b45
set interface ipsec key ipsec0 local integ sha1-96 4339314b55523947594d6d3547666b45
set interface ipsec key ipsec0 remote integ sha1-96 4339314b55523947594d6d3547666b45
 
# Remote LAN into the tunnel, unnumbered binding, static ARP pinning the peer's MAC.
ip route add 90.10.10.0/24 via 10.10.10.1 ipsec0
set interface unnumbered ipsec0 use GigabitEthernet4/0/3
set ip arp GigabitEthernet4/0/3 10.10.10.1 74:fe:48:09:3c:cb
 
# Local host ARP entry and local prefix route.
# NOTE(review): this route names both ipsec0 and GigabitEthernet4/0/2, whereas the
# left VPP's equivalent uses only GigabitEthernet4/0/2 — confirm which form is meant.
# As on the left side, the host (90.10.40.100) is outside the port's 90.10.30.0/24.
set ip arp GigabitEthernet4/0/2 90.10.40.100 00:0b:ab:f5:a9:71
ip route add 90.10.40.0/24 via ipsec0 GigabitEthernet4/0/2
 
# Bring the interfaces up last.
set int state GigabitEthernet4/0/2 up
set int state GigabitEthernet4/0/3 up
set int state ipsec0 up

搭建vxlan隧道

拓扑如下:
在这里插入图片描述

# Left VPP configuration (plain VXLAN). VXLAN is UDP encapsulation only: tenant frames
# cross the 90.10.20.0/24 -> 90.10.30.0/24 underlay with no confidentiality or
# integrity protection, and VNI 13 is the only segmentation. See the
# VXLAN-over-IPsec section for the encrypted variant.
create vxlan tunnel src 90.10.20.3 dst 90.10.30.3 vni 13 decap-next l2
# Put the tunnel into bridge domain 13; the trailing 1 is presumably the split-horizon
# group so tunnel ports do not re-flood to each other — confirm on your VPP version.
set interface l2 bridge vxlan_tunnel0 13 1
# loop0 is the bridge's BVI (its routed interface) with the overlay address 10.10.10.1.
loopback create mac 11:12:13:14:15:16
set interface l2 bridge loop0 13 bvi
set interface state loop0 up
set interface ip address loop0 10.10.10.1/24
# GigabitEthernetd/0/0 carries the underlay VTEP address; GigabitEthernete/0/0 is the
# access port in the same bridge domain (split-horizon group 0).
set interface state GigabitEthernetd/0/0 up
set interface ip address GigabitEthernetd/0/0 90.10.20.3/24
set interface state GigabitEthernete/0/0 up
set interface l2 bridge GigabitEthernete/0/0 13 0
# Underlay route to the remote VTEP's prefix via the local gateway.
ip route add 90.10.30.0/24 via 90.10.20.1


右边vpp配置
# Right VPP configuration: mirror of the left side with src/dst swapped. The same
# caveat applies — this VXLAN segment is unencrypted on the underlay.
create vxlan tunnel src 90.10.30.3 dst 90.10.20.3 vni 13 decap-next l2
# Tunnel into bridge domain 13 (trailing 1 presumably the split-horizon group).
set interface l2 bridge vxlan_tunnel0 13 1
# BVI with the overlay address 10.10.10.7 (same /24 as the left side's 10.10.10.1).
loopback create mac 1a:2b:3c:4d:5e:6f
set interface l2 bridge loop0 13 bvi
set interface state loop0 up
set interface ip address loop0 10.10.10.7/24
# Underlay VTEP address on GigabitEthernetd/0/0; GigabitEthernete/0/0 is the access port.
set interface state GigabitEthernetd/0/0 up
set int ip address GigabitEthernetd/0/0 90.10.30.3/24
set interface state GigabitEthernete/0/0 up
set interface l2 bridge GigabitEthernete/0/0 13 0
# Underlay route back to the left VTEP's prefix.
ip route add 90.10.20.0/24 via 90.10.30.1

搭建vxlan_over_ipsec隧道

拓扑如下:
在这里插入图片描述

vpp1:

# vpp1: IKEv2 tunnel between the underlay addresses 90.10.20.3 and 90.10.20.5, then a
# VXLAN tunnel whose endpoints are the loopbacks 90.10.10.1 / 90.10.40.1. Those
# endpoints fall inside the traffic selectors below, so the VXLAN/UDP packets are
# carried in ESP — that is what gives the overlay confidentiality and integrity.
set interface state GigabitEthernetd/0/0 up
set interface ip address GigabitEthernetd/0/0 90.10.20.3/24
# Same profile as the IKEv2 section: PSK "Vpp123" (lab value only — use a long random
# secret elsewhere) and AES-CBC-128 / SHA1-96 / MODP-1024 proposals; 1024-bit DH and
# SHA-1 are weak, prefer e.g. modp-2048 when both peers support it.
ikev2 profile add pr1  
ikev2 profile set pr1 auth shared-key-mic string Vpp123 
ikev2 profile set pr1 id local fqdn vpp1.home 
ikev2 profile set pr1 id remote fqdn vpp2.home
# Responder is vpp2's GigabitEthernetd/0/0 address (90.10.20.5, same /24 — consistent here).
ikev2 profile set pr1 responder GigabitEthernetd/0/0 90.10.20.5
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024 
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
# Selectors cover the loopback/VTEP addresses used by the VXLAN tunnel below.
ikev2 profile set pr1 traffic-selector local ip-range 90.10.10.0 - 90.10.10.200 port-range 0 - 65535 protocol 0 
ikev2 profile set pr1 traffic-selector remote ip-range 90.10.40.0 - 90.10.40.200 port-range 0 - 65535 protocol 0
# NOTE(review): sa-init is issued here before ipsec0 and its route exist and possibly
# before vpp2's profile is loaded; in the IKEv2 section it is the last step. Confirm
# the ordering, or run it after both sides are fully configured.
ikev2 initiate sa-init pr1

# VXLAN between the loopback addresses (inside the IPsec selectors). No split-horizon
# group is given here, unlike the plain VXLAN section.
create vxlan tunnel src 90.10.10.1 dst 90.10.40.1 vni 13 decap-next l2
set interface l2 bridge vxlan_tunnel0 13
set interface state GigabitEthernete/0/0 up
set interface l2 bridge GigabitEthernete/0/0 13
# loop0 carries the VTEP address; unlike the plain VXLAN section it is not placed in
# bridge domain 13 as a BVI — confirm that is intended.
loopback create mac 11:12:13:14:15:17
set interface state loop0 up
set interface ip address loop0 90.10.10.1/24

# Steer the remote VTEP prefix into the IPsec tunnel interface so the VXLAN
# packets are encrypted before they leave GigabitEthernetd/0/0.
set int state ipsec0 up 
ip route add 90.10.40.0/24 via ipsec0
set int unnumbered ipsec0 use GigabitEthernetd/0/0






vpp2:
# vpp2: responder side of the IKEv2 tunnel (90.10.20.5) plus the mirrored VXLAN
# tunnel between the loopbacks 90.10.40.1 / 90.10.10.1.
set interface state GigabitEthernetd/0/0 up
set interface ip address GigabitEthernetd/0/0 90.10.20.5/24
# Same PSK and swapped identities; no crypto-alg lines, so presumably the initiator's
# proposal is accepted — confirm the responder's default policy on your VPP version.
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123 
ikev2 profile set pr1 id local fqdn vpp2.home 
ikev2 profile set pr1 id remote fqdn vpp1.home
# Selectors mirror vpp1's and cover both VXLAN endpoints.
ikev2 profile set pr1 traffic-selector local ip-range 90.10.40.0 - 90.10.40.200 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 90.10.10.0 - 90.10.10.200 port-range 0 - 65535 protocol 0

# VXLAN with src/dst swapped relative to vpp1; no split-horizon group given.
create vxlan tunnel src 90.10.40.1 dst 90.10.10.1 vni 13 decap-next l2
set interface l2 bridge vxlan_tunnel0 13
set interface state GigabitEthernete/0/0 up
set interface l2 bridge GigabitEthernete/0/0 13
# NOTE(review): "6g" is not a hexadecimal octet, so this MAC cannot be parsed as
# written; the plain VXLAN section uses 1a:2b:3c:4d:5e:6f — confirm the intended value.
loopback create mac 1a:2b:3c:4d:5e:6g
set interface state loop0 up
set interface ip address loop0 90.10.40.1/24

# Route vpp1's VTEP prefix into the IPsec tunnel; unnumbered borrows GigabitEthernetd/0/0.
set int state ipsec0 up 
ip route add 90.10.10.0/24 via ipsec0
set int unnumbered ipsec0 use GigabitEthernetd/0/0