p2p gre over ipsec
1: IPsec's main job is to encrypt data; because it can provide all of that, it is sometimes used on its own as a way of implementing a ***. The tunnel IPsec builds is a logical tunnel, not a tunnel in the true sense, and it cannot provide routing, because IPsec supports neither non-IP traffic nor broadcast (multicast).
2: GRE (Generic Routing Encapsulation) provides a true point-to-point tunnel but offers no encryption; it does support non-IP traffic and broadcast well.
3: So GRE and IPsec are combined, and there are two ways to combine them: (1) GRE over IPsec; (2) IPsec over GRE.
The lab topology is shown in the figure:
Notes: three loopbacks are brought up on the left; R1 in the middle simulates the WAN and has no routes; three loopbacks are brought up on the right as well.
First configure R1, then bring up the loopbacks on R2 and R3. Then bring up the tunnel: R2's tunnel IP is 10.0.0.1 and R3's tunnel IP is 10.0.0.2. Then enable EIGRP, finally configure IPsec, and test connectivity. At the end, the encapsulation process and the crypto map matching process are explained in detail.
R1:
R1(config)#int f0/0
R1(config-if)#no shut
R1(config-if)#ip address 210.45.165.2 255.255.255.0
R1(config)#int f0/1
R1(config-if)#no shut
R1(config-if)#ip address 210.45.160.2 255.255.255.0
R2 configuration:
Router(config)#int f0/0
Router(config-if)#no shut
Router(config-if)#ip address 210.45.165.1 255.255.255.0
Router(config)#int loopback 0
Router(config-if)#ip address 1.1.1.1 255.255.255.0
*Mar 1 00:12:06.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Router(config-if)#int loopback 1
*Mar 1 00:12:18.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
Router(config-if)#ip address 2.2.2.2 255.255.255.0
Router(config-if)#int loopback 2
Router(config-if)#
*Mar 1 00:12:45.611: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
Router(config-if)#ip address 3.3.3.3 255.255.255.0
Router(config-if)#exit
Router(config)#int tunnel 0 (configure the tunnel interface; 0 is the tunnel number and need not be the same on both ends)
Router(config-if)#ip address 10.0.0.1 255.255.255.0 (the tunnel IPs on both ends must be in the same subnet)
Router(config-if)#tunnel source fastEthernet 0/0 (the tunnel source is interface f0/0)
Router(config-if)#tunnel destination 210.45.160.1 (the destination is R3's f0/0 interface)
Router(config)#ip route 0.0.0.0 0.0.0.0 f0/0 (configure a default route)
R3 is configured with the same steps as above, so its configuration is not repeated here.
Ping R2's tunnel interface from R3:
Router#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 156/174/192 ms (this shows the tunnel is up)
Enable EIGRP on both sides at the same time.
R2 configuration:
Router(config)#router eigrp 100
Router(config-router)#network 1.1.1.0
Router(config-router)#net 3.3.3.0
Router(config-router)#net 10.0.0.0 (the tunnel IP must be advertised into EIGRP, because routes are received through the tunnel interface; the physical interface has no route to R3's loopback interfaces)
R3's configuration is the same and is omitted here.
R2(config-router)#
*Mar 1 00:39:18.123: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.0.0.2 (Tunnel0) is up: new adjacency (the update has already been received)
View R2's routing table:
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 210.45.165.0/24 is directly connected, FastEthernet0/0
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, Loopback0
D 1.0.0.0/8 is a summary, 00:05:52, Null0
2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 2.2.2.0/24 is directly connected, Loopback1
D 2.0.0.0/8 is a summary, 00:05:52, Null0
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 3.3.3.0/24 is directly connected, Loopback2
D 3.0.0.0/8 is a summary, 00:05:45, Null0
D 4.0.0.0/8 [90/297372416] via 10.0.0.2, 00:04:45, Tunnel0
D 5.0.0.0/8 [90/297372416] via 10.0.0.2, 00:04:45, Tunnel0
D 6.0.0.0/8 [90/297372416] via 10.0.0.2, 00:04:45, Tunnel0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
D 10.0.0.0/8 is a summary, 00:05:35, Null0
S* 0.0.0.0/0 is directly connected, FastEthernet0/0
The routes have been learned!
Now configure IPsec. This is basically the same as the LAN-to-LAN configuration, so the purpose of each command is not explained again here; for details see http://011010.blog.51cto.com/1168887/511684
Here is R3's configuration as an example:
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#
*Mar 1 00:54:44.623: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.0.0.1 (Tunnel0) is down: holding time expired
Router(config-isakmp)#group 2
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption des
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 gaoshan address 210.45.165.1
Router(config)#crypto ipsec transform-set ipsec esp-des esp-sha-hmac
Router(cfg-crypto-trans)#exit
Router(config)#access-list 101 permit gre host 210.45.160.1 host 210.45.165.1 (the interesting traffic here is GRE between the two tunnel endpoint addresses, i.e. the tunnel source and destination; the reason is given in the encapsulation walk-through at the end)
Router(config)#crypto map smap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#set peer 210.45.165.1
Router(config-crypto-map)#set transform-set ipsec
Router(config-crypto-map)#match address 101
Router(config-crypto-map)#exit
Router(config)#int f0/0
Router(config-if)#crypto map smap
Router(config-if)#
*Mar 1 00:56:51.219: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 1 00:56:58.351: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.0.0.1 (Tunnel0) is up: new adjacency (no traffic needs to be generated to trigger the tunnel here, because a dynamic routing protocol is already running)
Router(config-if)#end
Router#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: smap, local addr 210.45.160.1
protected vrf: (none)
local ident (addr/mask/prot/port): (210.45.160.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (210.45.165.1/255.255.255.255/47/0)
current_peer 210.45.165.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17 (packets are already being encapsulated and decapsulated)
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 210.45.160.1, remote crypto endpt.: 210.45.165.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x97610A20(2539719200)
inbound esp sas:
spi: 0xE277E9DF(3799509471)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, } (tunnel mode is in use here; transport mode can be chosen when configuring the transform set, but only when the transport endpoint, i.e. the GRE tunnel endpoint, is the same as the encryption endpoint, which GRE over IPsec satisfies; the difference between transport and tunnel mode is explained at the end)
conn id: 1, flow_id: 1, crypto map: smap
sa timing: remaining key lifetime (k/sec): (4567444/3537)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x97610A20(2539719200)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: smap
sa timing: remaining key lifetime (k/sec): (4567444/3536)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Ping R2 from R3:
Router#ping 1.1.1.1 source 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/174/216 ms
First, the encapsulation process:
Sip 4.4.4.4 dip 1.1.1.1
First the routing table is consulted: the route was learned through the tunnel interface, so the packet is handed to the tunnel interface. The tunnel interface has no crypto map, so the packet is simply sent out the tunnel interface, which requires a GRE encapsulation. After encapsulation:
Sip 210.45.160.1 dip 210.45.165.1 GRE sip 4.4.4.4 dip 1.1.1.1
This produces a new packet, and the routing table is consulted again (whenever a new packet appears, the routing table must be looked up again): the lookup shows it leaves through the physical interface, so the packet is handed to the physical interface. The physical interface has a crypto map, so the packet hits the map: does it match the interesting traffic? The traffic from 210.45.160.1 to 210.45.165.1 matches the defined interesting traffic exactly, which triggers an ESP encapsulation. After encapsulation:
sip 210.45.160.1 dip 210.45.165.1 ESP sip 210.45.160.1 dip 210.45.165.1 GRE sip 4.4.4.4 dip 1.1.1.1, and finally it is sent out the physical interface. That completes one encapsulation and lookup process. This is tunnel mode: you can see two identical IP headers, which is exactly what "encryption endpoint equals transport endpoint" means. In transport mode the packet is sip 210.45.160.1 dip 210.45.165.1 ESP GRE sip 4.4.4.4 dip 1.1.1.1: one IP header is omitted, which saves header size.
Finally: why use GRE over IPsec? Because it does not require defining a lot of interesting traffic; in transport mode every packet has the format:
sip 210.45.165.1 dip 210.45.160.1 ESP GRE x.x.x.x y.y.y.y
so the leading part is always the same, and the source and destination IP of that outer header can be used to define the interesting traffic.
The end! Thank you! (IPsec over GRE will be covered in a follow-up article.)
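The encapsulation walk-through above, as an added example that is not part of the original post: it models both route lookups and the crypto-map hit for the lab's own addresses and ACL, and computes the on-wire size in tunnel versus transport mode. Header sizes are assumed to be the standard IPv4/GRE/ESP values for the post's transform set esp-des esp-sha-hmac.

```python
# Added example (not from the original post): a model of the GRE-over-IPsec
# encapsulation order and crypto-map match described above. Addresses are the
# lab's; ESP sizes are the standard ones for esp-des esp-sha-hmac (8-byte IV, 12-byte ICV).
IP_HDR, GRE_HDR = 20, 4
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV, DES_BLOCK = 8, 8, 2, 12, 8
GRE_PROTO, ESP_PROTO, ICMP_PROTO = 47, 50, 1
TUN_SRC, TUN_DST = "210.45.160.1", "210.45.165.1"   # R3 f0/0 -> R2 f0/0

def gre_encap(pkt, src, dst):
    """Step 1: route points at Tunnel0 -> GRE header plus a new outer IP header (proto 47)."""
    return [("IP", src, dst, GRE_PROTO), ("GRE",)] + pkt

def acl_permits_gre(pkt, host_a, host_b):
    """Step 2: crypto map on f0/0 tests the *current* outer header against ACL 101."""
    _, src, dst, proto = pkt[0]
    return proto == GRE_PROTO and (src, dst) == (host_a, host_b)

def esp_encap(pkt, mode, src, dst):
    """Step 3: tunnel mode prepends a second, identical IP header; transport mode
    keeps the GRE outer header (now carrying ESP, proto 50) and inserts ESP behind it."""
    if mode == "tunnel":
        return [("IP", src, dst, ESP_PROTO), ("ESP",)] + pkt
    return [("IP", pkt[0][1], pkt[0][2], ESP_PROTO), ("ESP",)] + pkt[1:]

def wire_size(pkt):
    """Bytes on the wire: everything after ESP is encrypted, padded to the DES block, then trailer + ICV."""
    if not pkt:
        return 0
    head, rest = pkt[0], pkt[1:]
    if head[0] == "ESP":
        inner = wire_size(rest)
        pad = (-(inner + ESP_TRAILER)) % DES_BLOCK
        return ESP_HDR + ESP_IV + inner + pad + ESP_TRAILER + ESP_ICV
    size = head[1] if head[0] == "PAYLOAD" else {"IP": IP_HDR, "GRE": GRE_HDR}[head[0]]
    return size + wire_size(rest)

def describe(pkt):
    """Render the stack in the post's notation: 'sip A dip B ESP GRE sip X dip Y'."""
    return " ".join(f"sip {l[1]} dip {l[2]}" if l[0] == "IP" else l[0] for l in pkt if l[0] != "PAYLOAD")

def encapsulate(mode):
    """R3's 'ping 1.1.1.1 source 4.4.4.4' (100-byte datagram = 20 IP + 80) through both lookups."""
    pkt = [("IP", "4.4.4.4", "1.1.1.1", ICMP_PROTO), ("PAYLOAD", 80)]
    before = acl_permits_gre(pkt, TUN_SRC, TUN_DST)   # inner packet: no match, Tunnel0 has no map anyway
    pkt = gre_encap(pkt, TUN_SRC, TUN_DST)
    after = acl_permits_gre(pkt, TUN_SRC, TUN_DST)    # second lookup -> f0/0, GRE packet hits the map
    pkt = esp_encap(pkt, mode, TUN_SRC, TUN_DST)
    return {"acl_before_gre": before, "acl_after_gre": after,
            "stack": describe(pkt), "bytes": wire_size(pkt)}
```

Transport mode drops the 20-byte second IP header, but DES block padding shifts with it, so the net saving for this 100-byte ping is 16 bytes (176 versus 160 on the wire).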
Reposted from: https://blog.51cto.com/011010/558729