GRE over IPsec between an on-premises Cisco router and a cloud-hosted H3C router

1. Objective

  • Establish GRE over IPsec between the on-premises Cisco router and the cloud H3C router, so that the two Tunnel interfaces can reach each other;
  • Lay the groundwork for running a dynamic routing protocol (RIP, OSPF, IS-IS, BGP) between the on-premises network and the cloud.

2. Topology

[Topology diagram]
  • In the topology the Cisco VPN router hangs off the core switch (one-armed deployment) and its interface carries a private IP address;
  • As the topology shows, traffic from the Cisco VPN router to the Internet passes through two NAT translations;
  • The cloud H3C VSR1000's interface is configured with the private IP 172.25.25.88; its public IP is 39.98.xxx.xxx;
  • Because the Cisco VPN router has a private IP address, the IPsec VPN must be configured in aggressive mode.

3. GRE over IPsec configuration

3.1 Approach

  • Create a Loopback interface and define the IPsec interesting traffic as the local Loopback IP to the cloud Loopback IP (the cloud side mirrors this);
  • Configure the aggressive-mode IPsec VPN;
  • Create a Tunnel interface and assign it an IP address;
  • Set the Tunnel source to the local Loopback IP and the Tunnel destination to the peer's Loopback IP;
  • Ping between the Tunnel interfaces to test.

3.2 On-premises Cisco VPN router configuration

Create the Loopback interface:
interface Loopback10 
 ip address 10.195.195.2 255.255.255.255
 exit

Configure the interesting-traffic ACL:
ip access-list extended ipsecacl
 permit ip host 10.195.195.2 host 10.195.195.1
 exit

Configure the IKE-phase encryption and authentication (ISAKMP policy):
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
 exit

Set the IPsec VPN to aggressive mode (FQDN authentication, with the FQDN set to "1841") and point it at the IPsec peer:
crypto isakmp peer address 39.98.xxx.xxx
 set aggressive-mode password xxxxxxx
 set aggressive-mode client-endpoint fqdn 1841
 exit

Configure the IPsec-phase encryption and authentication (the transform set):
crypto ipsec transform-set vsrset esp-3des esp-md5-hmac 
 exit

Tie the peer, transform set and interesting traffic together (the crypto map):
crypto map vsrvpn 30 ipsec-isakmp 
 set peer 39.98.xxx.xxx
 set transform-set vsrset 
 match address ipsecacl
 exit

Apply the IPsec policy to the interface:
interface FastEthernet0/0
 crypto map vsrvpn
 exit

Create the Tunnel interface:
interface Tunnel10
 ip address 10.100.100.2 255.255.255.252
 tunnel source Loopback10
 tunnel destination 10.195.195.1
 exit
  • The egress firewall (Cisco ASA) must be configured with a NAT bypass so that traffic between the IPsec VPN endpoints is not translated, i.e. the VPN interesting traffic is exempted from NAT:
object network 10.195.195.2
 host 10.195.195.2
 exit
object network 10.195.195.1
 host 10.195.195.1
 exit

Use Twice NAT to bypass translation for the VPN interesting traffic:
nat (inside,outside) source static 10.195.195.2 10.195.195.2 destination static 10.195.195.1 10.195.195.1

3.3 Cloud H3C vSR1000 router configuration

Create the Loopback interface:
interface LoopBack10
 ip address 10.195.195.1 255.255.255.255
 quit

Configure the interesting-traffic ACL:
The cloud side is the IPsec responder; the tunnel is always initiated by the on-premises Cisco router, so no interesting-traffic ACL is needed on the cloud router.

Configure the IKE-phase encryption and authentication (IKE proposal):
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
 quit

Set the local identity used in aggressive mode:
ike identity fqdn vsr

Create the IKE keychain:
ike keychain kcvsr
 pre-shared-key hostname 1841 key simple xxxxxxx
 quit

Create the IKE profile: bind the keychain, set aggressive mode, specify the peer FQDN and bind the IKE proposal:
ike profile 1841
 keychain kcvsr
 exchange-mode aggressive
 match remote identity fqdn 1841
 proposal 1
 quit

Configure the IPsec-phase encryption and authentication (the transform set):
ipsec transform-set ts1841
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5
 quit

Create the IPsec policy template (on H3C and Huawei, an aggressive-mode IPsec VPN must be configured through a template) and bind the transform set and the IKE profile to it:
ipsec policy-template pt1841 1
 transform-set ts1841 
 ike-profile 1841
 quit

Bind the IPsec policy template to the IPsec policy:
ipsec policy ipsecvsr 1 isakmp template pt1841

Apply the IPsec policy to the interface:
interface GigabitEthernet1/0
 ipsec apply policy ipsecvsr
 quit

Create the Tunnel interface:
interface Tunnel10 mode gre
 ip address 10.100.100.1 255.255.255.252
 source LoopBack10
 destination 10.195.195.2
 quit
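A cross-vendor tunnel like this one usually fails on a single parameter that is spelled differently on each side (FQDN identity, transform set, GRE destination not equal to the peer loopback). The Python script below is an added example, not code from the article or from either vendor: it records both ends as written in sections 3.2 and 3.3 and compares them field by field. `IpsecEnd`, `check_pair` and `weak_algorithms` are this example's own names; the pre-shared key and the peer public IP are placeholders, as in the article. The Cisco config shown does not pin the peer's FQDN, so that side's `expected_peer_id` is left as `None`.

```python
"""Added example (not from the article): cross-check the Cisco and H3C ends of
the GRE over IPsec setup for the parameter mismatches that most often keep an
aggressive-mode tunnel from coming up. Values are transcribed from the two
configs above; the PSK and peer public IP are placeholders, as in the article."""

from dataclasses import dataclass
from ipaddress import ip_interface
from typing import List, Optional, Tuple


@dataclass
class IpsecEnd:
    name: str
    local_id: str                    # FQDN this side presents in aggressive mode
    expected_peer_id: Optional[str]  # FQDN required from the peer (None: not pinned)
    psk: str
    ike_encryption: str
    ike_hash: str
    ike_dh_group: int
    esp_encryption: str
    esp_auth: str
    loopback_ip: str                 # IPsec interesting-traffic host and GRE source
    tunnel_ip: str                   # Tunnel interface address with prefix length
    tunnel_destination: str          # GRE destination: must equal the peer loopback
    interesting_traffic: Optional[Tuple[str, str]]  # (src, dst) ACL; None = template


def normalize(alg: str) -> str:
    """Map vendor spellings (esp-3des, 3des-cbc, esp-md5-hmac, md5) onto one token."""
    token = alg.lower()
    for affix in ("esp-", "-hmac", "-cbc"):
        token = token.replace(affix, "")
    return token


WEAK = {"des", "3des", "md5", "sha1"}  # deprecated algorithms worth flagging


def check_pair(a: IpsecEnd, b: IpsecEnd) -> List[str]:
    """Return the mismatches between two ends; an empty list means they agree."""
    problems: List[str] = []
    for x, y in ((a, b), (b, a)):
        if y.expected_peer_id and x.local_id != y.expected_peer_id:
            problems.append(f"{y.name} requires peer FQDN {y.expected_peer_id!r} "
                            f"but {x.name} presents {x.local_id!r}")
        if x.tunnel_destination != y.loopback_ip:
            problems.append(f"{x.name} GRE destination {x.tunnel_destination} "
                            f"is not {y.name}'s loopback {y.loopback_ip}")
        if x.interesting_traffic and x.interesting_traffic != (x.loopback_ip, y.loopback_ip):
            problems.append(f"{x.name} crypto ACL {x.interesting_traffic} does not cover "
                            f"({x.loopback_ip}, {y.loopback_ip})")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for label, fa, fb in (("IKE encryption", a.ike_encryption, b.ike_encryption),
                          ("IKE hash", a.ike_hash, b.ike_hash),
                          ("ESP encryption", a.esp_encryption, b.esp_encryption),
                          ("ESP authentication", a.esp_auth, b.esp_auth)):
        if normalize(fa) != normalize(fb):
            problems.append(f"{label} mismatch: {fa} vs {fb}")
    if a.ike_dh_group != b.ike_dh_group:
        problems.append(f"DH group mismatch: {a.ike_dh_group} vs {b.ike_dh_group}")
    if ip_interface(a.tunnel_ip).network != ip_interface(b.tunnel_ip).network:
        problems.append(f"tunnel addresses {a.tunnel_ip} and {b.tunnel_ip} are not one subnet")
    if not (a.interesting_traffic or b.interesting_traffic):
        problems.append("neither end defines interesting traffic, so nobody can initiate")
    return problems


def weak_algorithms(end: IpsecEnd) -> List[str]:
    """Deprecated algorithms configured on one end (sorted, de-duplicated)."""
    algs = (end.ike_encryption, end.ike_hash, end.esp_encryption, end.esp_auth)
    return sorted({normalize(x) for x in algs if normalize(x) in WEAK})


# Transcribed from sections 3.2 and 3.3; "xxxxxxx" stands in for the real key.
CISCO = IpsecEnd("1841-Spoke", "1841", None, "xxxxxxx", "3des", "md5", 2,
                 "esp-3des", "esp-md5-hmac", "10.195.195.2", "10.100.100.2/30",
                 "10.195.195.1", ("10.195.195.2", "10.195.195.1"))
H3C = IpsecEnd("VSR1K", "vsr", "1841", "xxxxxxx", "3des-cbc", "md5", 2,
               "3des-cbc", "md5", "10.195.195.1", "10.100.100.1/30",
               "10.195.195.2", None)

if __name__ == "__main__":
    for line in check_pair(CISCO, H3C) or ["no mismatches between CISCO and H3C"]:
        print(line)
    print("deprecated algorithms on the Cisco side:", weak_algorithms(CISCO))
```

Run as-is the script reports no mismatches for the two configs in the article, but `weak_algorithms` still lists 3DES and MD5 on both ends; the same check script is a convenient place to gate a change that replaces them, since the transform set and IKE proposal have to move on both routers at once.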

3.4 Verification

  • Generate traffic from the Cisco VPN router to trigger establishment of the aggressive-mode IPsec tunnel
1841-Spoke#ping 10.195.195.1 source 10.195.195.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.195.195.1, timeout is 2 seconds:
Packet sent with a source address of 10.195.195.2 
.!!!!
  • Check the IPsec tunnel state on the on-premises Cisco VPN router
IKE phase:
1841-Spoke#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
39.98.xxx.xxx   172.16.101.101  QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

IPsec phase:
1841-Spoke#show crypto ipsec sa                                         

interface: FastEthernet0/0
    Crypto map tag: vsrvpn, local addr 172.16.101.101

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.195.195.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.195.195.1/255.255.255.255/0/0)
   current_peer 39.98.xxx.xxx port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 338, #pkts encrypt: 338, #pkts digest: 338
    #pkts decaps: 338, #pkts decrypt: 338, #pkts verify: 338
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.101.101, remote crypto endpt.: 39.98.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x26A607EF(648415215)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFC90A349(4237337417)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2053, flow_id: FPGA:53, sibling_flags 80000046, crypto map: vsrvpn
        sa timing: remaining key lifetime (k/sec): (1769282/204)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x3CE66A5(63858341)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2055, flow_id: FPGA:55, sibling_flags 80000046, crypto map: vsrvpn
        sa timing: remaining key lifetime (k/sec): (1782998/2905)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDAE1C959(3672230233)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2054, flow_id: FPGA:54, sibling_flags 80000046, crypto map: vsrvpn
        sa timing: remaining key lifetime (k/sec): (1769282/204)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x26A607EF(648415215)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2056, flow_id: FPGA:56, sibling_flags 80000046, crypto map: vsrvpn
        sa timing: remaining key lifetime (k/sec): (1782998/2905)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
  • Check the IPsec tunnel state on the cloud VSR 1000 router
IKE phase:
[VSR1K]display ike sa
    Connection-ID   Local               Remote              Flag      DOI    
-------------------------------------------------------------------------
    63              172.25.25.88        121.69.xxx.xxx        RD        IPsec  
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

IPsec phase:
[VSR1K]display ipsec sa 
-------------------------------
Interface: GigabitEthernet1/0
-------------------------------

  -----------------------------
  IPsec policy: ipsecvsr
  Sequence number: 1
  Mode: Template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: 
    Inside VPN: 
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1436
    Tunnel:
        local  address: 172.25.25.88
        remote address: 121.69.xxx.xxx
    Flow:
        sour addr: 10.195.195.1/255.255.255.255  port: 0  protocol: ip
        dest addr: 10.195.195.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 648415215 (0x26a607ef)
      Connection ID: 47244640256
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/2739
      Max received sequence-number: 5
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 63858341 (0x03ce66a5)
      Connection ID: 47244640257
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/2739
      Max sent sequence-number: 5
      UDP encapsulation used for NAT traversal: Y
      Status: Active

  -----------------------------
  IPsec policy: ipsecvsr
  Sequence number: 1
  Mode: Template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: 
    Inside VPN: 
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1436
    Tunnel:
        local  address: 172.25.25.88
        remote address: 121.69.xxx.xxx
    Flow:
        sour addr: 10.195.195.1/255.255.255.255  port: 0  protocol: ip
        dest addr: 10.195.195.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3672230233 (0xdae1c959)
      Connection ID: 21474836482
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/38
      Max received sequence-number: 0
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 4237337417 (0xfc90a349)
      Connection ID: 30064771075
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/38
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: Y
      Status: Active
  • Verify Tunnel interface connectivity:
[VSR1K]ping -a 10.100.100.1 10.100.100.2
Ping 10.100.100.2 (10.100.100.2) from 10.100.100.1: 56 data bytes, press CTRL+C to break
56 bytes from 10.100.100.2: icmp_seq=0 ttl=255 time=10.069 ms
56 bytes from 10.100.100.2: icmp_seq=1 ttl=255 time=9.780 ms
56 bytes from 10.100.100.2: icmp_seq=2 ttl=255 time=10.331 ms
56 bytes from 10.100.100.2: icmp_seq=3 ttl=255 time=9.759 ms
56 bytes from 10.100.100.2: icmp_seq=4 ttl=255 time=9.911 ms

--- Ping statistics for 10.100.100.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.759/9.970/10.331/0.212 ms
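The `show crypto ipsec sa` output above is long, and what an operator actually checks in it is small: an ACTIVE SA in each direction, encapsulation and decapsulation counters that both advance, UDP encapsulation when the peer is reached on port 4500 (the two-NAT path in the topology), and SAs that are about to rekey. The Python script below is an added example, not part of the article; `parse_ipsec_sa` and `health` are this example's own names, and `SAMPLE` is a trimmed copy of the Cisco output in this section (one SA per direction).

```python
"""Added example (not part of the article): reduce `show crypto ipsec sa` output
to the facts an operator checks: an ACTIVE SA each way, counters that advance in
both directions, UDP encapsulation when the peer is on port 4500, and SAs close
to rekey. SAMPLE is a trimmed copy of the output in section 3.4."""

import re
from typing import Any, Dict, List

SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: vsrvpn, local addr 172.16.101.101
   local  ident (addr/mask/prot/port): (10.195.195.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.195.195.1/255.255.255.255/0/0)
   current_peer 39.98.xxx.xxx port 4500
    #pkts encaps: 338, #pkts encrypt: 338, #pkts digest: 338
    #pkts decaps: 338, #pkts decrypt: 338, #pkts verify: 338
    #send errors 1, #recv errors 0
     current outbound spi: 0x26A607EF(648415215)
     inbound esp sas:
      spi: 0xFC90A349(4237337417)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        sa timing: remaining key lifetime (k/sec): (1769282/204)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x26A607EF(648415215)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        sa timing: remaining key lifetime (k/sec): (1782998/2905)
        Status: ACTIVE
"""


def parse_ipsec_sa(text: str) -> Dict[str, Any]:
    """Parse one crypto-map entry of `show crypto ipsec sa` into a summary dict."""
    summary: Dict[str, Any] = {"peer": None, "peer_port": None, "encaps": 0, "decaps": 0,
                               "send_errors": 0, "recv_errors": 0, "sas": []}
    direction = None         # "inbound" / "outbound", set by the "... esp sas:" headers
    sa: Dict[str, Any] = {}  # the SA whose detail lines are currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+) port (\d+)", line):
            summary["peer"], summary["peer_port"] = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            summary["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            summary["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            summary["send_errors"], summary["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif line.endswith("esp sas:"):
            direction = line.split()[0]
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):  # skips "current outbound spi:"
            sa = {"direction": direction, "spi": m.group(1).lower(), "udp_encaps": False,
                  "remaining_sec": None, "status": None}
            summary["sas"].append(sa)
        elif sa and "UDP-Encaps" in line:
            sa["udp_encaps"] = True
        elif sa and (m := re.search(r"\(k/sec\): \(\d+/(\d+)\)", line)):
            sa["remaining_sec"] = int(m.group(1))
        elif sa and (m := re.match(r"Status: (\w+)", line)):
            sa["status"] = m.group(1)
    return summary


def health(summary: Dict[str, Any], rekey_warn_sec: int = 300) -> List[str]:
    """Findings an operator should act on; an empty list means the tunnel looks healthy."""
    findings: List[str] = []
    sas = summary["sas"]
    for d in ("inbound", "outbound"):
        if not any(s["direction"] == d and s["status"] == "ACTIVE" for s in sas):
            findings.append(f"no ACTIVE {d} ESP SA")
    if summary["encaps"] and not summary["decaps"]:
        findings.append("packets are encapsulated but none come back: check the return "
                        "path and the peer's interesting traffic")
    if summary["send_errors"]:
        findings.append(f"{summary['send_errors']} send error(s) reported")
    if summary["peer_port"] == 4500 and not all(s["udp_encaps"] for s in sas):
        findings.append("peer reached on UDP/4500 but an SA lacks UDP encapsulation")
    for s in sas:
        if s["remaining_sec"] is not None and s["remaining_sec"] < rekey_warn_sec:
            findings.append(f"{s['direction']} SA {s['spi']} rekeys in {s['remaining_sec']}s")
    return findings


if __name__ == "__main__":
    for finding in health(parse_ipsec_sa(SAMPLE)) or ["tunnel looks healthy"]:
        print(finding)
```

On the sample the script flags only the single send error (the first ping that was dropped while the tunnel came up) and the inbound SA that is 204 seconds from rekey; a tunnel whose encaps counter climbs while decaps stays at zero is the classic sign that the peer's crypto ACL or the NAT bypass on the ASA is wrong, and the script reports that case explicitly.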

4. Closing notes

  • If circumstances allow, avoid aggressive-mode IPsec VPN, as it is less secure.