IPsec over GRE VPN Lab

Lab topology:

(Topology diagram: image not included in this copy)

Lab requirements:

  1. Configure the IP addresses as shown in the diagram; R1 and R3 each get a Loopback0 interface to simulate a business (internal) network segment
  2. Configure default routes on R1 and R3 to reach the public network
  3. Configure an IPsec over GRE VPN on R1 and R3 to connect the two internal networks
  4. Configure OSPF on R1 and R3 to exchange the internal routes

Lab steps:

1. Configure IP addresses

[GR R1]interface g0/0
[GR R1-GigabitEthernet0/0]ip address 100.1.1.1 24
[GR R1-GigabitEthernet0/0]int l0
[GR R1-LoopBack0]ip address 192.168.1.1 24
[GR R2]interface g0/0
[GR R2-GigabitEthernet0/0]ip address 100.1.1.2 24
[GR R2-GigabitEthernet0/0]int g0/1
[GR R2-GigabitEthernet0/1]ip address 100.2.2.2 24
[GR R3]interface g0/0
[GR R3-GigabitEthernet0/0]ip address 100.2.2.3 24
[GR R3-GigabitEthernet0/0]int l0
[GR R3-LoopBack0]ip add 192.168.2.1 24

2. Configure default routes to reach the public network

[GR R1]ip route-static 0.0.0.0 0 100.1.1.2
[GR R3]ip route-static 0.0.0.0 0 100.2.2.2

Ping R3 from R1

[GR R1]ping 100.2.2.3
Ping 100.2.2.3 (100.2.2.3): 56 data bytes, press CTRL_C to break
56 bytes from 100.2.2.3: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 100.2.2.3: icmp_seq=1 ttl=254 time=0.000 ms
56 bytes from 100.2.2.3: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 100.2.2.3: icmp_seq=3 ttl=254 time=2.000 ms
56 bytes from 100.2.2.3: icmp_seq=4 ttl=254 time=1.000 ms

3. Configure the GRE VPN

[GR R1]interface Tunnel 0 mode gre
[GR R1-Tunnel0]ip address 10.1.1.1 24
[GR R1-Tunnel0]source 100.1.1.1
[GR R1-Tunnel0]destination 100.2.2.3
[GR R3]interface Tunnel 0 mode gre
[GR R3-Tunnel0]ip add 10.1.1.3 24
[GR R3-Tunnel0]source 100.2.2.3
[GR R3-Tunnel0]destination 100.1.1.1

4. Configure OSPF on R1 and R3 to advertise the internal routes

Advertise the business network segments and the Tunnel0 interface in OSPF

[GR R1]ospf 1 router-id 1.1.1.1
[GR R1-ospf-1]area 0
[GR R1-ospf-1-area-0.0.0.0]net 10.1.1.0 0.0.0.255
[GR R1-ospf-1-area-0.0.0.0]net 192.168.1.0 0.0.0.255
[GR R3]ospf 1 router-id 3.3.3.3
[GR R3-ospf-1]area 0
[GR R3-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[GR R3-ospf-1-area-0.0.0.0]net 10.1.1.0 0.0.0.255

Ping R3 from R1 (business segment to business segment)

[GR R1]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms

The tunnel interface is up and the two business segments can reach each other.

5. Configure IPsec

1. On R1 and R3, create the interesting-traffic ACL; source and destination are the local and remote private network segments

[GR R1]acl advanced 3000
[GR R1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[GR R3]acl advanced 3000
[GR R3-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

2. Create an IKE proposal on R1 and R3; the default settings are sufficient

[GR R1]ike proposal 1
[GR R3]ike proposal 1

3. Create an IKE pre-shared key on R1 and R3, using the peer's Tunnel interface address to identify the peer

[GR R1]ike keychain R3
[GR R1-ike-keychain-R3]pre-shared-key address 10.1.1.3 key simple 123
[GR R3]ike keychain R1
[GR R3-ike-keychain-R1]pre-shared-key address 10.1.1.1 key simple 123

4. Create an IKE profile on R1 and R3; the matched remote identity is the other side's Tunnel interface address

[GR R1]ike profile R3
[GR R1-ike-profile-R3]proposal 1
[GR R1-ike-profile-R3]keychain R3
[GR R1-ike-profile-R3]local-identity address 10.1.1.1
[GR R1-ike-profile-R3]match remote identity address 10.1.1.3
[GR R3]ike profile R1
[GR R3-ike-profile-R1]proposal 1
[GR R3-ike-profile-R1]keychain R1
[GR R3-ike-profile-R1]local-identity address 10.1.1.3
[GR R3-ike-profile-R1]match remote identity address 10.1.1.1

5. Create the IPsec transform set; it must be identical on both ends

ESP is configured with the HMAC-MD5 authentication algorithm and the 3des-cbc encryption algorithm

[GR R1]ipsec transform-set R3
[GR R1-ipsec-transform-set-R3]esp authentication-algorithm md5
[GR R1-ipsec-transform-set-R3]esp encryption-algorithm 3des-cbc
[GR R3]ipsec transform-set R1
[GR R3-ipsec-transform-set-R1]esp authentication-algorithm md5
[GR R3-ipsec-transform-set-R1]esp encryption-algorithm 3des-cbc

6. Create the IPsec policy on R1 and R3, referencing the objects above; the remote address is the peer's Tunnel interface address

[GR R1]ipsec policy R3 1 isakmp
[GR R1-ipsec-policy-isakmp-R3-1]security acl 3000
[GR R1-ipsec-policy-isakmp-R3-1]transform-set R3
[GR R1-ipsec-policy-isakmp-R3-1]ike-profile R3
[GR R1-ipsec-policy-isakmp-R3-1]remote-address 10.1.1.3
[GR R3]ipsec policy R1 1 isakmp
[GR R3-ipsec-policy-isakmp-R1-1]security acl 3000
[GR R3-ipsec-policy-isakmp-R1-1]transform-set R1
[GR R3-ipsec-policy-isakmp-R1-1]ike-profile R1
[GR R3-ipsec-policy-isakmp-R1-1]remote-address 10.1.1.1

7. Apply the IPsec policy on the Tunnel interfaces of R1 and R3

[GR R1-Tunnel0]ipsec apply policy R3
[GR R3-Tunnel0]ipsec apply policy R1
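As an added example (not part of the original lab), the following Python script cross-checks the two ends the way steps 1 to 7 require: mirrored interesting-traffic ACLs, identical transform sets, and every peer address (remote-address, matched remote identity, keychain address) pointing at the other side's local identity. It also flags md5 and 3des-cbc, the algorithms chosen in step 5, as deprecated. The config excerpts, parse and check_pair are the example's own, not H3C's.

```python
import re
# Constructed input: the lines this checker reads, copied from the R1 and R3
# configuration in this lab (view headers such as "ike profile R3" omitted).
R1_CFG = """
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
pre-shared-key address 10.1.1.3 key simple 123
local-identity address 10.1.1.1
match remote identity address 10.1.1.3
esp authentication-algorithm md5
esp encryption-algorithm 3des-cbc
remote-address 10.1.1.3
"""
R3_CFG = """
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
pre-shared-key address 10.1.1.1 key simple 123
local-identity address 10.1.1.3
match remote identity address 10.1.1.1
esp authentication-algorithm md5
esp encryption-algorithm 3des-cbc
remote-address 10.1.1.1
"""
WEAK = {"md5", "sha1", "des-cbc", "3des-cbc"}  # ESP algorithms considered deprecated
ADDR = r"(local-identity address|match remote identity address|remote-address|pre-shared-key address) (\S+)"

def parse(cfg):
    """Collect, from one router's config text, the settings the two ends must agree on."""
    d = {"acl": [], "esp": set()}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)", line):
            d["acl"].append(m.groups())            # (source, destination) address/wildcard pairs
        elif m := re.match(r"esp \S+-algorithm (\S+)", line):
            d["esp"].add(m[1])
        elif m := re.match(ADDR, line):
            d[m[1]] = m[2]                         # keyed by the keyword that carried the address
    return d

def check_pair(a_cfg, b_cfg, a_name="R1", b_name="R3"):
    """Return findings; an empty list means the ends are consistent and use no weak algorithm."""
    a, b, out = parse(a_cfg), parse(b_cfg), []
    if a["esp"] != b["esp"]:
        out.append("transform-set algorithms differ between the two ends")
    if set(a["acl"]) != {(dst, src) for src, dst in b["acl"]}:   # ACLs must be mirror images
        out.append("interesting-traffic ACLs are not mirror images")
    for x, y, xn, yn in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        peer = (x.get("remote-address"), x.get("match remote identity address"), x.get("pre-shared-key address"))
        if set(peer) != {y.get("local-identity address")}:
            out.append(f"{xn}: remote-address, remote identity and keychain address must all be {yn}'s local-identity")
    for alg in sorted((a["esp"] | b["esp"]) & WEAK):
        out.append(f"deprecated algorithm in use: {alg}")
    return out
```

Run against this lab's configuration the only findings are the two deprecated algorithms; any typo in a peer address, a one-sided ACL edit or a differing transform set produces an additional finding.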

Verification:

Ping R3's business segment from R1, sourced from R1's business segment address, to trigger IPsec tunnel establishment

[GR R1]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[GR R1]%Jun  5 18:02:21:425 2021 GR R1 PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.

Check the IKE SA

[GR R1]display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               10.1.1.3              RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

Check the IPsec SA

[GR R1]display ipsec sa
-------------------------------
Interface: Tunnel0
-------------------------------

  -----------------------------
  IPsec policy: R3
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1420
    Tunnel:
        local  address: 10.1.1.1
        remote address: 10.1.1.3
    Flow:
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 2787993028 (0xa62d65c4)
      Connection ID: 4294967296
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843198/1390
      Max received sequence-number: 14
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 2291905030 (0x889bb206)
      Connection ID: 4294967297
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843198/1390
      Max sent sequence-number: 14
      UDP encapsulation used for NAT traversal: N
      Status: Active

R1 and R3 have successfully established the IKE SA and the IPsec SAs.
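As an added example, not from the original lab, this Python snippet parses the display ipsec sa output above and reports the operational conditions a practitioner checks on it: an active ESP SA in each direction, anti-replay enabled on the inbound SA, remaining lifetime, and the empty Perfect Forward Secrecy field. The abridged output embedded below is copied from this lab; parse_sa and audit_sa are the example's own names.

```python
import re
# Constructed input: an abridged copy of the "display ipsec sa" output shown in this lab.
SA_OUTPUT = """
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    [Inbound ESP SAs]
      SPI: 2787993028 (0xa62d65c4)
      SA remaining duration (kilobytes/sec): 1843198/1390
      Anti-replay check enable: Y
      UDP encapsulation used for NAT traversal: N
      Status: Active
    [Outbound ESP SAs]
      SPI: 2291905030 (0x889bb206)
      SA remaining duration (kilobytes/sec): 1843198/1390
      UDP encapsulation used for NAT traversal: N
      Status: Active
"""

def parse_sa(text):
    """Split the display into policy-level fields plus one dict per [... ESP SAs] block."""
    fields, sas, cur = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\[(\w+) ESP SAs\]", line):
            cur = sas.setdefault(m[1].lower(), {})   # "inbound" / "outbound"
        elif ":" in line:
            key, _, val = line.partition(":")        # split at the first colon only
            (cur if cur is not None else fields)[key.strip()] = val.strip()
    return fields, sas

def audit_sa(text):
    """Return findings about the operational state; an empty list means nothing to report."""
    fields, sas = parse_sa(text)
    out = []
    if not fields.get("Perfect Forward Secrecy"):    # field is blank when PFS is not configured
        out.append("PFS is not configured: IPsec SA keys are derived from the IKE SA's keying material")
    for d in ("inbound", "outbound"):
        sa = sas.get(d)
        if sa is None or sa.get("Status") != "Active":
            out.append(f"no active {d} ESP SA")
            continue
        if d == "inbound" and sa.get("Anti-replay check enable") != "Y":
            out.append("anti-replay check disabled on inbound SA")
        secs = int(sa["SA remaining duration (kilobytes/sec)"].split("/")[1])
        if secs < 60:                                  # rekey should already be under way
            out.append(f"{d} SA expires in {secs}s")
    return out
```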