Lab topology:

(topology diagram not reproduced in this text)

Lab requirements:

  1. A company's Beijing headquarters, Shanghai branch and Wuhan branch connect to the Internet through R1, R3 and R4 respectively; configure default routes so that each can reach the public network.
  2. Configure IP addresses as shown in the diagram. On R1, R3 and R4, Loopback0 is used to match the interesting traffic and Loopback1 simulates the business (internal) subnet.
  3. Beijing HQ has a fixed public address. Configure DHCP on R2 to dynamically assign addresses to R3 and R4, using the subnets shown in the diagram.
  4. Configure GRE over IPsec VPN between Beijing HQ, Shanghai branch and Wuhan branch to connect the internal networks; Beijing HQ must use IPsec policy templates to simplify its configuration.
  5. Configure RIPv2 between HQ and the branches to exchange internal routes.

Lab steps:

1. Configure IP addresses

[GR R1]INT G0/0
[GR R1-GigabitEthernet0/0]IP ADD 100.1.1.1 24
[GR R1-GigabitEthernet0/0]INT L0
[GR R1-LoopBack0]IP ADD 10.10.10.1 32
[GR R1-LoopBack0]INT L1
[GR R1-LoopBack1]IP ADD 192.168.0.1 24
[GR R2]INT G0/0
[GR R2-GigabitEthernet0/0]IP ADD 100.1.1.2 24
[GR R2-GigabitEthernet0/0]INT G0/1
[GR R2-GigabitEthernet0/1]IP ADD 100.2.2.1 24
[GR R2-GigabitEthernet0/1]INT G0/2
[GR R2-GigabitEthernet0/2]IP ADD 100.3.3.1 24
[GR R3]INT L0
[GR R3-LoopBack0]IP ADD 10.10.10.3 32
[GR R3-LoopBack0]INT L1
[GR R3-LoopBack1]IP ADD 192.168.1.1 24
[GR R4]INT L0
[GR R4-LoopBack0]IP ADD 10.10.10.4 32
[GR R4-LoopBack0]INT L1
[GR R4-LoopBack1]IP ADD 192.168.2.1 24

2. Configure DHCP on R2 to dynamically assign IP addresses to R3 and R4

[GR R2]dhcp enable
[GR R2]dhcp server ip-pool 1
[GR R2-dhcp-pool-1]network 100.2.2.0 mask 255.255.255.0
[GR R2-dhcp-pool-1]gateway-list 100.2.2.1
[GR R2-dhcp-pool-1]dhcp server ip-pool 2
[GR R2-dhcp-pool-2]network 100.3.3.0 mask 255.255.255.0
[GR R2-dhcp-pool-2]gateway-list 100.3.3.1

Enable DHCP address acquisition on the public-facing interfaces of R3 and R4

[GR R3-GigabitEthernet0/0]ip address dhcp-alloc
[GR R4-GigabitEthernet0/0]ip address dhcp-alloc

Check the interface status on R3 and R4: G0/0 has obtained an IP address

[GR R3]display ip interface brief
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    up       up       100.2.2.2       --
[GR R4]display ip interface brief
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    up       up       100.3.3.2       --

3. Configure default routes on R1, R3 and R4 pointing to the public network

[GR R1]ip route-static 0.0.0.0 0 100.1.1.2
[GR R3]ip route-static 0.0.0.0 0 100.2.2.1
[GR R4]ip route-static 0.0.0.0 0 100.3.3.1

Ping R1 from R3

[GR R3]ping 100.1.1.1
Ping 100.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=254 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=254 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=254 time=1.000 ms

Ping R1 from R4

[GR R4]ping 100.1.1.1
Ping 100.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=254 time=1.000 ms

The public network is now reachable end to end.

4. Configure GRE over IPsec VPN between Beijing HQ, Shanghai branch and Wuhan branch to connect the internal networks; Beijing HQ uses policy templates to simplify the configuration

R1:
1. On R1, create the GRE tunnel interfaces, assign IP addresses, and set the tunnel source and destination to the Loopback0 addresses of the two ends

Because GRE over IPsec is required, the tunnel source and destination are the Loopback0 interfaces of the two ends; per the diagram, Tunnel0 peers with R3 and Tunnel1 peers with R4.

[GR R1]interface Tunnel 0 mode gre
[GR R1-Tunnel0]ip add 10.1.1.1 24
[GR R1-Tunnel0]source LoopBack 0
[GR R1-Tunnel0]destination 10.10.10.3

[GR R1]interface Tunnel 1 mode gre
[GR R1-Tunnel1]ip add 10.2.2.1 24
[GR R1-Tunnel1]source LoopBack 0
[GR R1-Tunnel1]destination 10.10.10.4
2. On R1, set the IKE FQDN identity to beijing

HQ has a fixed public IP but the branches do not, so aggressive mode must be used to bring up the VPN, and the peers can only be identified by FQDN name.

[GR R1]ike identity fqdn beijing
3. On R1, create the IKE proposal; the default settings are sufficient
[GR R1]ike proposal 1
4. On R1, create the pre-shared keys. The same key is used for the Shanghai and Wuhan branches, so a single keychain suffices, with one entry for each branch
[GR R1]ike keychain fenzhi
[GR R1-ike-keychain-fenzhi]pre-shared-key hostname shanghai key simple 123
[GR R1-ike-keychain-fenzhi]pre-shared-key hostname wuhan key simple 123
5. On R1, create the IKE profiles

In each IKE profile, set the exchange mode to aggressive and identify the peer by its FQDN

[GR R1]ike profile shanghai
[GR R1-ike-profile-shanghai]exchange-mode aggressive 
[GR R1-ike-profile-shanghai]match remote identity fqdn shanghai
[GR R1-ike-profile-shanghai]proposal 1
[GR R1-ike-profile-shanghai]keychain fenzhi
[GR R1]ike profile wuhan
[GR R1-ike-profile-wuhan]exchange-mode aggressive 
[GR R1-ike-profile-wuhan]match remote identity fqdn wuhan
[GR R1-ike-profile-wuhan]proposal 1
[GR R1-ike-profile-wuhan]keychain fenzhi
6. On R1, create the IPsec transform set; one transform set can serve both branches

ESP uses HMAC-MD5 as the authentication algorithm and 3DES-CBC as the encryption algorithm

[GR R1]ipsec transform-set fenzhi
[GR R1-ipsec-transform-set-fenzhi]esp authentication-algorithm md5
[GR R1-ipsec-transform-set-fenzhi]esp encryption-algorithm 3des-cbc
7. On R1, create separate IPsec policy templates for the Shanghai and Wuhan branches
[GR R1]ipsec policy-template shanghai 1
[GR R1-ipsec-policy-template-shanghai-1]transform-set fenzhi
[GR R1-ipsec-policy-template-shanghai-1]ike-profile shanghai
[GR R1]ipsec policy-template wuhan 1
[GR R1-ipsec-policy-template-wuhan-1]transform-set fenzhi
[GR R1-ipsec-policy-template-wuhan-1]ike-profile wuhan
8. On R1, create the IPsec policy and bind the two templates to it
[GR R1]ipsec policy fenzhi 1 isakmp template shanghai
[GR R1]ipsec policy fenzhi 2 isakmp template wuhan
9. Apply the IPsec policy on R1's public interface
[GR R1-GigabitEthernet0/0]ipsec apply policy fenzhi
R3:
10. On R3, create the GRE tunnel interface
[GR R3]interface Tunnel0 mode gre
[GR R3-Tunnel0]ip add 10.1.1.3 24
[GR R3-Tunnel0]source LoopBack 0
[GR R3-Tunnel0]destination 10.10.10.1
11. On R3, define the IPsec interesting traffic: source and destination are the Loopback0 addresses of the two ends

The Shanghai and Wuhan branches have no fixed public IP address, so they must define interesting traffic and act as the initiator of the tunnel; Beijing HQ has a fixed public IP and therefore needs no interesting-traffic ACL.

[GR R3]acl advanced 3000
[GR R3-acl-ipv4-adv-3000]rule permit ip source 10.10.10.3 0 destination 10.10.10.1 0 
12. On R3, set the IKE FQDN identity to shanghai
[GR R3]ike identity fqdn shanghai
13. On R3, create the IKE proposal; the default settings are sufficient
[GR R3]ike proposal 1
14. On R3, create the IKE pre-shared key, matched against the peer's public address
[GR R3]ike keychain beijing
[GR R3-ike-keychain-beijing]pre-shared-key address 100.1.1.1 key simple 123
15. On R3, create the IKE profile
[GR R3]ike profile beijing
[GR R3-ike-profile-beijing]exchange-mode aggressive 
[GR R3-ike-profile-beijing]match remote identity fqdn beijing
[GR R3-ike-profile-beijing]proposal 1
[GR R3-ike-profile-beijing]keychain beijing
16. On R3, create the IPsec transform set; the encryption and authentication algorithms must match those on R1
[GR R3]ipsec transform-set beijing
[GR R3-ipsec-transform-set-beijing]esp authentication-algorithm md5
[GR R3-ipsec-transform-set-beijing]esp encryption-algorithm 3des-cbc
17. On R3, create the IPsec policy that references the configuration above
[GR R3]ipsec policy beijing 1 isakmp 
[GR R3-ipsec-policy-isakmp-beijing-1]security acl 3000
[GR R3-ipsec-policy-isakmp-beijing-1]remote-address 100.1.1.1
[GR R3-ipsec-policy-isakmp-beijing-1]ike-profile beijing
[GR R3-ipsec-policy-isakmp-beijing-1]transform-set beijing
18. Apply the IPsec policy on R3's public interface
[GR R3-GigabitEthernet0/0]ipsec apply policy beijing
R4:
19. On R4, define the IPsec interesting traffic: source and destination are the Loopback0 addresses of the two ends

Use an advanced ACL

[GR R4]acl advanced 3000
[GR R4-acl-ipv4-adv-3000]rule permit ip source 10.10.10.4 0 destination 10.10.10.1 0
20. On R4, create the GRE tunnel interface
[GR R4]interface Tunnel0 mode gre
[GR R4-Tunnel0]ip add 10.2.2.4 24
[GR R4-Tunnel0]source LoopBack 0
[GR R4-Tunnel0]destination 10.10.10.1
21. On R4, set the IKE FQDN identity to wuhan
[GR R4]ike identity fqdn wuhan
22. On R4, create the IKE proposal; the default settings are sufficient
[GR R4]ike proposal 1
23. On R4, create the IKE pre-shared key, matched against the peer's public address
[GR R4]ike keychain beijing
[GR R4-ike-keychain-beijing]pre-shared-key address 100.1.1.1 key simple 123
24. On R4, create the IKE profile
[GR R4]ike profile beijing
[GR R4-ike-profile-beijing]exchange-mode aggressive 
[GR R4-ike-profile-beijing]match remote identity fqdn beijing
[GR R4-ike-profile-beijing]proposal 1
[GR R4-ike-profile-beijing]keychain beijing
25. On R4, create the IPsec transform set; the encryption and authentication algorithms must match those on R1
[GR R4]ipsec transform-set beijing
[GR R4-ipsec-transform-set-beijing]esp authentication-algorithm md5
[GR R4-ipsec-transform-set-beijing]esp encryption-algorithm 3des-cbc
26. On R4, create the IPsec policy that references the configuration above
[GR R4]ipsec policy beijing 1 isakmp 
[GR R4-ipsec-policy-isakmp-beijing-1]security acl 3000
[GR R4-ipsec-policy-isakmp-beijing-1]remote-address 100.1.1.1
[GR R4-ipsec-policy-isakmp-beijing-1]ike-profile beijing
[GR R4-ipsec-policy-isakmp-beijing-1]transform-set beijing
27. Apply the IPsec policy on R4's public interface
[GR R4-GigabitEthernet0/0]ipsec apply policy beijing
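Before moving on to routing, it is worth cross-checking the IKE and IPsec settings of the three routers against each other, because an FQDN, key or algorithm typo on one side only shows up later as a tunnel that never comes up. The Python script below is an added example, not part of the lab or of Comware: it embeds the lab's IKE/IPsec commands as constructed config text, parses only the commands this lab uses with a minimal hypothetical parser, and verifies that each spoke's FQDN identity, pre-shared key, exchange mode and transform-set algorithms line up with the hub's. It also flags HMAC-MD5 and 3DES-CBC, which the lab uses, as legacy algorithms that a production deployment should replace with SHA-2 and AES.

```python
"""Cross-check hub/spoke IKE and IPsec settings written as Comware-style lines.
Added example: the config text is constructed from the lab's commands, and the
parser is a minimal hypothetical one that understands only those commands."""

# Hub R1 (constructed from the lab's R1 steps 2-6).
R1_CONF = """
ike identity fqdn beijing
ike keychain fenzhi
 pre-shared-key hostname shanghai key simple 123
 pre-shared-key hostname wuhan key simple 123
ike profile shanghai
 exchange-mode aggressive
 match remote identity fqdn shanghai
 keychain fenzhi
ike profile wuhan
 exchange-mode aggressive
 match remote identity fqdn wuhan
 keychain fenzhi
ipsec transform-set fenzhi
 esp authentication-algorithm md5
 esp encryption-algorithm 3des-cbc
"""
# Spoke R3 (steps 12-16); R4 is identical apart from its FQDN identity.
R3_CONF = """
ike identity fqdn shanghai
ike keychain beijing
 pre-shared-key address 100.1.1.1 key simple 123
ike profile beijing
 exchange-mode aggressive
 match remote identity fqdn beijing
 keychain beijing
ipsec transform-set beijing
 esp authentication-algorithm md5
 esp encryption-algorithm 3des-cbc
"""
R4_CONF = R3_CONF.replace("shanghai", "wuhan")

# Legacy ESP algorithms a defender should flag (fine for a lab, not for production).
WEAK_ALGS = {"md5", "3des-cbc", "des-cbc"}

def parse(conf):
    """Return the identity, keychains, profiles and transform sets found in conf."""
    cfg = {"identity": None, "keychains": {}, "profiles": {}, "transform_sets": {}}
    block = {}  # the view (keychain/profile/transform-set) the next lines belong to
    for raw in conf.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["ike", "identity", "fqdn"]:
            cfg["identity"] = w[3]
        elif w[:2] == ["ike", "keychain"]:
            block = cfg["keychains"].setdefault(w[2], {})
        elif w[:2] == ["ike", "profile"]:
            block = cfg["profiles"].setdefault(w[2], {})
        elif w[:2] == ["ipsec", "transform-set"]:
            block = cfg["transform_sets"].setdefault(w[2], {})
        elif w[0] == "pre-shared-key":   # pre-shared-key {hostname|address} X key simple K
            block[(w[1], w[2])] = w[5]
        elif w[0] == "exchange-mode":
            block["mode"] = w[1]
        elif w[:3] == ["match", "remote", "identity"]:
            block["remote"] = (w[3], w[4])
        elif w[0] == "keychain":
            block["keychain"] = w[1]
        elif w[0] == "esp":              # esp <authentication|encryption>-algorithm <alg>
            block[w[1]] = w[2]
    return cfg

def check_pair(hub, hub_addr, spoke):
    """Return the problems found between the hub and one spoke configuration."""
    name = spoke["identity"]
    hub_prof = next((p for p in hub["profiles"].values()
                     if p.get("remote") == ("fqdn", name)), None)
    spoke_prof = next((p for p in spoke["profiles"].values()
                       if p.get("remote") == ("fqdn", hub["identity"])), None)
    if hub_prof is None or spoke_prof is None:
        return [f"no matching ike profile pair for {name}"]
    problems = []
    # The hub keys the PSK by the spoke's hostname; the spoke keys it by the hub's address.
    hub_key = hub["keychains"].get(hub_prof.get("keychain"), {}).get(("hostname", name))
    spoke_key = spoke["keychains"].get(spoke_prof.get("keychain"), {}).get(("address", hub_addr))
    if hub_key is None or hub_key != spoke_key:
        problems.append(f"pre-shared key mismatch for {name}")
    if hub_prof.get("mode") != "aggressive" or spoke_prof.get("mode") != "aggressive":
        problems.append(f"exchange-mode is not aggressive on both ends for {name}")
    hub_ts = list(hub["transform_sets"].values())[0]
    spoke_ts = list(spoke["transform_sets"].values())[0]
    if hub_ts != spoke_ts:
        problems.append(f"transform-set differs for {name}: {hub_ts} vs {spoke_ts}")
    return problems

def audit(hub_conf, hub_addr, spoke_confs):
    """Audit a hub against its spokes; returns {'problems': [...], 'weak': [...]}."""
    hub = parse(hub_conf)
    weak = sorted({a for ts in hub["transform_sets"].values()
                   for a in ts.values() if a in WEAK_ALGS})
    problems = []
    for sc in spoke_confs:
        problems += check_pair(hub, hub_addr, parse(sc))
    return {"problems": problems, "weak": weak}

if __name__ == "__main__":
    print(audit(R1_CONF, "100.1.1.1", [R3_CONF, R4_CONF]))
```

With the lab's configuration the audit reports no problems and lists md5 and 3des-cbc as weak; changing the key or an algorithm on one spoke produces a specific finding naming that spoke, which is exactly the kind of mismatch that otherwise only surfaces as a silent IKE failure.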
28. Configure RIPv2 between HQ and the branches to exchange internal routes

Configure RIPv2 on R1, R3 and R4, advertising the tunnel subnets and each site's business subnet

[GR R1]rip
[GR R1-rip-1]version 2
[GR R1-rip-1]un summary
[GR R1-rip-1]net 10.0.0.0
[GR R1-rip-1]net 192.168.0.0
[GR R3]rip
[GR R3-rip-1]version 2
[GR R3-rip-1]un summary
[GR R3-rip-1]net 10.0.0.0
[GR R3-rip-1]net 192.168.1.0
[GR R4]rip
[GR R4-rip-1]version 2
[GR R4-rip-1]un summary
[GR R4-rip-1]net 10.0.0.0
[GR R4-rip-1]net 192.168.2.0
29. On R1, R3 and R4, configure static routes to the other sites' loopback addresses with the next hop toward the public network

Because RIP can only advertise classful networks, the source and destination addresses of the GRE tunnels are unavoidably advertised into RIP as well, so R1, R3 and R4 each learn a route to the peer's Loopback0 with the next hop on the tunnel interface. Under longest-prefix matching, a packet that has been sent into the tunnel and GRE-encapsulated does not fall through to the default route and out the public interface for IPsec encapsulation; instead it is routed back into the tunnel for another GRE encapsulation. This recursive routing makes the tunnel interface flap UP/DOWN, so static routes are needed to ensure that the GRE-encapsulated packets are forwarded to the public interface for IPsec encapsulation.

Check the routing tables: the RIP routes have been learned

[GR R1]display ip routing-table

Destinations : 30       Routes : 30

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           100.1.1.2       GE0/0

10.10.10.3/32      RIP     100 1           10.1.1.3        Tun0
10.10.10.4/32      RIP     100 1           10.2.2.4        Tun1

192.168.1.0/24     RIP     100 1           10.1.1.3        Tun0
192.168.2.0/24     RIP     100 1           10.2.2.4        Tun1

[GR R3]display ip routing-table

Destinations : 26       Routes : 26

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           100.2.2.1       GE0/0

10.2.2.0/24        RIP     100 1           10.1.1.1        Tun0
10.10.10.1/32      RIP     100 1           10.1.1.1        Tun0

192.168.0.0/24     RIP     100 1           10.1.1.1        Tun0

192.168.2.0/24     RIP     100 2           10.1.1.1        Tun0

[GR R4]display ip routing-table

Destinations : 26       Routes : 26

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           100.3.3.1       GE0/0

10.1.1.0/24        RIP     100 1           10.2.2.1        Tun0

10.10.10.1/32      RIP     100 1           10.2.2.1        Tun0

192.168.0.0/24     RIP     100 1           10.2.2.1        Tun0
192.168.1.0/24     RIP     100 2           10.2.2.1        Tun0

On R1, R3 and R4, configure static routes to the other two sites' loopback addresses with the next hop toward the public network

[GR R1]ip route-static 10.10.10.3 32 100.1.1.2
[GR R1]ip route-static 10.10.10.4 32 100.1.1.2
[GR R3]ip route-static 10.10.10.1 32 100.2.2.1
[GR R4]ip route-static 10.10.10.1 32 100.3.3.1

Check the routing tables again

[GR R1]display ip routing-table

Destinations : 30       Routes : 30

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           100.1.1.2       GE0/0

10.10.10.3/32      Static  60  0           100.1.1.2       GE0/0
10.10.10.4/32      Static  60  0           100.1.1.2       GE0/0

192.168.1.0/24     RIP     100 1           10.1.1.3        Tun0
192.168.2.0/24     RIP     100 1           10.2.2.4        Tun1

[GR R3]display ip routing-table

Destinations : 26       Routes : 26

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           100.2.2.1       GE0/0

10.2.2.0/24        RIP     100 1           10.1.1.1        Tun0
10.10.10.1/32      Static  60  0           100.2.2.1       GE0/0

192.168.0.0/24     RIP     100 1           10.1.1.1        Tun0

192.168.2.0/24     RIP     100 2           10.1.1.1        Tun0

[GR R4]display ip routing-table

Destinations : 26       Routes : 26

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           100.3.3.1       GE0/0

10.1.1.0/24        RIP     100 1           10.2.2.1        Tun0

10.10.10.1/32      Static  60  0           100.3.3.1       GE0/0

192.168.0.0/24     RIP     100 1           10.2.2.1        Tun0
192.168.1.0/24     RIP     100 2           10.2.2.1        Tun0
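To make the recursive-routing problem from step 29 concrete, the Python script below is an added example, not part of the lab: it builds R1's routing table from the display output above, implements route selection as longest prefix first and then lowest preference, and traces a packet from the business subnet through GRE encapsulation. Without the static routes the encapsulated packet keeps matching the RIP 10.10.10.3/32 route back into Tun0; with them, the Static /32 beats the RIP /32 at the same prefix length on preference (60 against 100) and the packet egresses on GE0/0, where the IPsec policy applies. The forwarding model is a simplification assumed for illustration; real Comware behaviour is the tunnel flapping the lab describes.

```python
"""Trace R1's forwarding with and without the step-29 static routes (added example).
The tables are constructed from the lab's display ip routing-table output; the
forwarding model is a simplified one assumed here, not Comware's implementation."""
import ipaddress

# Tunnel destinations on R1, from the interface Tunnel configuration in step 1.
R1_TUNNELS = {"Tun0": "10.10.10.3", "Tun1": "10.10.10.4"}

# R1's table before step 29: (destination/mask, protocol, preference, next hop, interface)
R1_BEFORE = [
    ("0.0.0.0/0",      "Static", 60,  "100.1.1.2", "GE0/0"),
    ("10.10.10.3/32",  "RIP",    100, "10.1.1.3",  "Tun0"),
    ("10.10.10.4/32",  "RIP",    100, "10.2.2.4",  "Tun1"),
    ("192.168.1.0/24", "RIP",    100, "10.1.1.3",  "Tun0"),
    ("192.168.2.0/24", "RIP",    100, "10.2.2.4",  "Tun1"),
]
# After step 29 the static /32s are added; the RIP /32s still exist in the RIB,
# so route selection has to apply the preference tie-break to pick the static ones.
R1_AFTER = R1_BEFORE + [
    ("10.10.10.3/32", "Static", 60, "100.1.1.2", "GE0/0"),
    ("10.10.10.4/32", "Static", 60, "100.1.1.2", "GE0/0"),
]

def lookup(table, dst):
    """Select the active route for dst: longest prefix first, then lowest preference."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))

def forward(table, tunnels, dst, max_encaps=4):
    """Trace a packet to dst. Routing into a tunnel means GRE encapsulation, after which
    the outer destination is the tunnel's destination address and the lookup repeats.
    Returns (egress, trace): egress is the physical interface, or 'RECURSIVE' when the
    encapsulated packet keeps being routed back into a tunnel."""
    trace = []
    for _ in range(max_encaps + 1):
        prefix, proto, _pre, _nh, iface = lookup(table, dst)
        trace.append((dst, prefix, proto, iface))
        if not iface.startswith("Tun"):
            return iface, trace
        dst = tunnels[iface]  # outer IP header now carries the tunnel destination
    return "RECURSIVE", trace

if __name__ == "__main__":
    for label, table in (("before static routes", R1_BEFORE), ("after static routes", R1_AFTER)):
        egress, trace = forward(table, R1_TUNNELS, "192.168.1.1")
        print(f"{label}: egress={egress}")
        for hop in trace:
            print("   ", hop)
```

Run as-is, the "before" trace shows the packet matching 192.168.1.0/24 into Tun0, then 10.10.10.3/32 via RIP into Tun0 again and again until the encapsulation limit is hit; the "after" trace shows the second lookup selecting the Static 10.10.10.3/32 route and leaving on GE0/0 after a single GRE encapsulation.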

Verification:

On R1, ping R3 and R4 using the business subnet address as the source

[GR R1]ping -a 192.168.0.1 192.168.1.1
Ping 192.168.1.1 (192.168.1.1) from 192.168.0.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 192.168.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms
[GR R1]%Jun  3 20:36:57:672 2021 GR R1 PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms.

[GR R1]ping -a 192.168.0.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.0.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms
[GR R1]%Jun  3 20:37:01:853 2021 GR R1 PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms.