VPN

At its core, a VPN is still about deploying routing.

1 IPSEC VPN [1]

1.1 Architecture overview

ipsec_fw.png

Figure 1: IPSec architecture

The IPSec architecture is made up of three protocol suites: AH (Authentication Header), ESP (Encapsulating Security Payload) and IKE (Internet Key Exchange).

  • AH (Authentication Header), data plane

    Provides data-origin authentication, integrity checking and anti-replay protection, but does not encrypt the data. It is almost never used in production networks (it does not work through NAT).

  • ESP (Encapsulating Security Payload), data plane

    Provides everything AH provides, plus encryption of the IP payload.

  • IKE (Internet Key Exchange), control plane

    IKE is an umbrella term; the common protocols are ISAKMP, SKEME and Oakley. IKE negotiates the SA (the authentication, encryption and integrity algorithms both sides will use) and is responsible for generating and refreshing keys.

1.2 transport/tunnel mode

transport_tunnel_mode.png

  • The communicating endpoints are routable along the whole path -> transport mode
  • The communicating endpoints are not routable along the path (there is a routing black hole) -> tunnel mode
  • IPSec normally uses tunnel mode; transport mode can be used when the encrypted data only travels within the internal network
  • GRE over IPSec can use transport mode to improve transmission efficiency

1.3 How IKE works [2]

ike_modes.png

Figure 3: The IPSec phases

ipsec_trigger.png

Figure 4: IPSec triggering and negotiation

IKE has to establish a secure channel between the peers in order to negotiate keys; the negotiation takes three phases to complete.

1.3.1 Phase 1 (ISAKMP SA), control plane

p1.png

Figure 5: Phase 1 (Main Mode)

The main purpose of this phase is to encrypt the negotiation messages themselves, so that the Phase 2 negotiation that follows is secure.

This phase settles what is needed to encrypt the negotiation messages:

  • Encryption algorithm
  • Integrity algorithm
  • Authentication method
  • DH group (determines the choice of the P/G values)
  • Lifetime of this phase

The negotiation in this phase produces a bidirectional ISAKMP SA, which protects the IKE negotiation. This SA holds the keys \(SKEYID_a\), \(SKEYID_d\), \(SKEYID_e\) (a = Authentication, d = Data, e = Encryption), where:

  • \(SKEYID_e\) protects messages 5 and 6 of Phase 1 and every negotiation message exchanged in Phase 2
  • \(SKEYID_a\) is used to authenticate between the peers
  • \(SKEYID_d\) is used to derive the keys that will actually encrypt the data
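As an added illustration (not part of the original page), the Python below follows the IKEv1 key derivation of RFC 2409 section 5 for pre-shared-key authentication and then expands Phase 2 keying material from \(SKEYID_d\), which is what the last bullet means in practice. It assumes HMAC-SHA1 as the PRF; the nonces, ISAKMP cookies and the DH shared secret g^xy are constructed placeholder bytes rather than values from a real exchange, and the two SPIs are the ones that appear later in this lab's show crypto ipsec sa output.

```python
import hmac
import hashlib

# IKEv1 PRF: HMAC keyed with the negotiated hash. SHA-1 is assumed here;
# the lab below negotiates sha512, but the structure is identical.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5: the three keys held in the ISAKMP SA.
    _d feeds Phase 2 key material, _a authenticates IKE messages,
    _e encrypts messages 5/6 of Phase 1 and all of Phase 2."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


PROTO_IPSEC_ESP = 3  # IPsec DOI protocol id carried in the Phase 2 proposal


def derive_phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                         ni_b: bytes, nr_b: bytes, length: int) -> bytes:
    """RFC 2409 5.5, Quick Mode without PFS:
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b)
    concatenated and truncated to the key length the transform set needs."""
    seed = bytes([protocol]) + spi + ni_b + nr_b
    out, prev = b"", b""
    while len(out) < length:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:length]


def demo() -> dict:
    # Constructed placeholder values: a real exchange carries random nonces,
    # 8-byte ISAKMP cookies and the DH shared secret of the negotiated group.
    psk = b"pa55w0rd"
    ni_b, nr_b = bytes(range(16)), bytes(range(16, 32))
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    gxy = hashlib.sha256(b"constructed g^xy").digest()

    skeyid = derive_skeyid_psk(psk, ni_b, nr_b)
    keys = derive_phase1_keys(skeyid, gxy, cky_i, cky_r)

    # esp-des esp-md5-hmac needs 8 bytes of DES key + 16 bytes of HMAC-MD5 key
    # per direction; each direction has its own SPI, so it gets its own KEYMAT.
    qm_ni, qm_nr = b"\x33" * 16, b"\x44" * 16
    keymat_out = derive_phase2_keymat(keys["SKEYID_d"], PROTO_IPSEC_ESP,
                                      bytes.fromhex("667ED0F3"), qm_ni, qm_nr, 24)
    keymat_in = derive_phase2_keymat(keys["SKEYID_d"], PROTO_IPSEC_ESP,
                                     bytes.fromhex("28D6217E"), qm_ni, qm_nr, 24)
    return {"phase1": keys, "keymat_out": keymat_out, "keymat_in": keymat_in}


if __name__ == "__main__":
    for name, value in demo()["phase1"].items():
        print(name, value.hex())
```

Because every Phase 2 SA has its own SPI, the two directions of a pair get different KEYMAT from the same \(SKEYID_d\). Without PFS (the lab output later shows PFS (Y/N): N) every Phase 2 key under an ISAKMP SA is derived from that one value, which is why the Phase 1 lifetime and the strength of the Phase 1 DH group matter for the data-plane keys too.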

In this phase a mode has to be chosen:

  • Main mode

    Means proceeding straight to Phase 2

  • Aggressive mode

    Means proceeding to Phase 1.5 and then to Phase 2

1.3.2 Phase 1.5, control plane

This phase is used only in the remote access VPN scenario; it is where Xauth (extended authentication) takes place.

1.3.3 Phase 2 (IPSec SA), data plane

p2.png

Figure 6: Phase 2

This phase secures the data traffic that follows.

It mainly settles:

  • The parameters for encrypting the actual data:
    • Encapsulation protocol (ah/esp)
    • Encryption algorithm (3des/aes)
    • Hash algorithm (md5/sha2)
    • Authentication method (rsa/pre-shared-key)
  • Interesting traffic (acl)
  • Operating mode (transport/tunnel)
  • Lifetime of this phase

1.4 ESP/AH

esp_ah_header.png

Figure 7: Header comparison

1.5 SA

sa.png

spd_vs_sadb.png

Figure 9: SPD and SADB

1.5.1 SPD (Security Policy Database)

The SPD decides whether data being sent or received has to be encrypted or decrypted. If it does, the matching SADB entry is used to do so (Protect); if not, the data is handled the normal way (Bypass). If it has to be encrypted or decrypted but no matching SA is found, the data is discarded (Drop). So there are three policies:

Protect (encrypt)
    when the ACL matches
Bypass (do not encrypt)
    when the ACL does not match
Drop (discard)
    the ACL matches, but the SA has not been established or cannot be established

1.5.2 SADB (Security Association Database)

Holds the parameters of every SA. An SA is the agreement between the two ends of an IPSec tunnel on the tunnel's parameters: the IP addresses of the two tunnel endpoints, the authentication method, authentication algorithm and key, encryption algorithm and key, shared secret, lifetime and so on.

Bidirectional communication between two peers needs at least two SAs, one protecting each direction of traffic, i.e. a pair of SAs. Inbound data and outbound data are handled by the inbound SA and the outbound SA respectively.

An SA is identified by a triple: [SPI, destination IP address, security protocol (e.g. ESP)].

When inbound data arrives, the SADB is searched by the destination IP of the outer IP header, the SPI and the encapsulation protocol (ESP) to find the SA, and the packet is processed with that SA's parameters. Outbound data is handled by similar logic.
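The following Python is an added example (not from the page) that models the SPD decision of 1.5.1 and the SADB triple lookup of 1.5.2, using the ACL, addresses and SPIs of the lab configured in 1.6. Class and function names are illustrative; a real SADB entry also carries the transform keys and lifetimes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP = 50  # IP protocol numbers of the two IPSec data-plane protocols
AH = 51


@dataclass(frozen=True)
class Selector:
    """One ACL line of the form 'permit ip SRC_NET DST_NET'."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str        # outer-header destination: the peer for outbound, ourselves for inbound
    proto: int      # ESP or AH
    direction: str  # "in" or "out"
    selector: Selector
    transform: str


class SADB:
    """SAs indexed by the triple named above: (SPI, destination IP, protocol)."""

    def __init__(self) -> None:
        self._by_triple: dict = {}

    def add(self, sa: SA) -> None:
        self._by_triple[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup_inbound(self, spi: int, outer_dst: str, proto: int) -> Optional[SA]:
        # Inbound: the triple comes straight from the received packet.
        sa = self._by_triple.get((spi, outer_dst, proto))
        return sa if sa is not None and sa.direction == "in" else None

    def lookup_outbound(self, src_ip: str, dst_ip: str) -> Optional[SA]:
        # Outbound: the SA is chosen by the traffic selector it was negotiated for.
        for sa in self._by_triple.values():
            if sa.direction == "out" and sa.selector.matches(src_ip, dst_ip):
                return sa
        return None


class SPD:
    def __init__(self, acl: list, sadb: SADB) -> None:
        self.acl = acl
        self.sadb = sadb

    def decide_outbound(self, src_ip: str, dst_ip: str):
        # Bypass: no ACL line matches, forward in the clear.
        if not any(sel.matches(src_ip, dst_ip) for sel in self.acl):
            return "BYPASS", None
        # Protect: the ACL matched and an outbound SA exists.
        sa = self.sadb.lookup_outbound(src_ip, dst_ip)
        if sa is not None:
            return "PROTECT", sa
        # Drop: the ACL matched but no SA has been established.
        return "DROP", None

    def decide_inbound(self, spi: int, outer_dst: str, proto: int):
        sa = self.sadb.lookup_inbound(spi, outer_dst, proto)
        return ("PROTECT", sa) if sa is not None else ("DROP", None)


def build_lab(with_sas: bool = True) -> SPD:
    """R1 of the 1.6 lab: ACL IPSEC_ACL plus the SA pair from its 'show crypto ipsec sa'."""
    acl = [Selector("192.168.1.0/24", "192.168.2.0/24")]
    sadb = SADB()
    if with_sas:
        sadb.add(SA(0x667ED0F3, "10.1.25.2", ESP, "out", acl[0], "esp-des esp-md5-hmac"))
        sadb.add(SA(0x28D6217E, "10.1.15.1", ESP, "in",
                    Selector("192.168.2.0/24", "192.168.1.0/24"), "esp-des esp-md5-hmac"))
    return SPD(acl, sadb)
```

Note that an inbound packet whose SPI is unknown, or whose protocol does not match the SA negotiated for that SPI, is dropped without any decryption attempt; the triple lookup happens before any cryptography, which is what keeps the cost of bogus ESP traffic low.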

1.6 Configuration steps

  • step0
    • Ensure network reachability
    • Configure an ACL that identifies the interesting traffic (the traffic that must go through the VPN)
    • Define the pre-shared key
  • step1 (phase 1)

    Create the IKE (isakmp) policy

  • step2 (phase 2)

    Create the IPSec policy

  • step3

    Bind the interesting traffic to IPSec, i.e. create the crypto map

  • step4

    Apply the map to the interface

ipset_conf_stage.png

Figure 10: Configuration steps

ipsec_conf_ex.png

Figure 11: Lab topology

Lab configuration
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 router ospf 110 ! ensure reachability (step0)
  router-id 11.11.11.11
  network 10.1.15.1 0.0.0.0 area 0
 exit
 ip route 192.168.2.0 255.255.255.0 10.1.15.5
 ! below are configurations for ipsec vpn
 ip access-list extended IPSEC_ACL ! define interested flow (step0)
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 exit
 crypto keyring MY_KEY_RING ! define pre-shared key (step0)
  ! can also use 0.0.0.0 0.0.0.0 which means no matter what destination it is
  pre-shared-key address 10.1.25.2 255.255.255.0 key pa55w0rd
 exit
 crypto isakmp policy 10 ! define IKE policy (step1)
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des ! ipsec policy (step2)
  mode tunnel
 exit
 crypto map MY_MAP 10 ipsec-isakmp ! create a map to bundle all info (step3)
  set peer 10.1.25.2
  set transform-set MY_SET
  match address IPSEC_ACL
 exit
 int e0/0
  crypto map MY_MAP ! associate map with interface (step4)
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.25.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.2 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 10.1.25.2 0.0.0.0 area 0
 exit
 ip route 192.168.1.0 255.255.255.0 10.1.25.5
 !
 ip access-list extended IPSEC_ACL ! define interested flow (step0)
  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 exit
 crypto keyring MY_KEY_RING ! define pre-shared key (step0)
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10 ! define IKE policy (step1)
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des ! ipsec policy (step2)
  mode tunnel
 exit
 crypto map MY_MAP 10 ipsec-isakmp ! create a map to bundle all info (step3)
  set peer 10.1.15.1
  set transform-set MY_SET
  match address IPSEC_ACL
 exit
 int e0/0
  crypto map MY_MAP ! associate map with interface (step4)
 exit
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.5 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.25.5 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 55.55.55.55
  network 10.1.15.5 0.0.0.0 area 0
  network 10.1.25.5 0.0.0.0 area 0
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.3 255.255.255.0
  no sh
 exit
end

----------------- PC4 ----------------------
en
conf t
 hostname PC4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.2
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
end

The router injects a static route based on the interesting traffic, so that VPN traffic can hit the physical interface and trigger encryption:

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.15.0/24 is directly connected, Ethernet0/0
L        10.1.15.1/32 is directly connected, Ethernet0/0
O        10.1.25.0/24 [110/20] via 10.1.15.5, 00:02:38, Ethernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Ethernet0/1
L        192.168.1.1/32 is directly connected, Ethernet0/1
S     192.168.2.0/24 [1/0] via 10.1.15.5

1.6.1 Show commands

Show the IKE SA
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.25.2       10.1.15.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  10.1.15.1       10.1.25.2              ACTIVE 3des sha512 psk  15 23:41:47
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

Show the IPSec SAs
R1#sh crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: MY_MAP, local addr 10.1.15.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.1.25.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.15.1, remote crypto endpt.: 10.1.25.2
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x667ED0F3(1719587059)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x28D6217E(685121918)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: MY_MAP
        sa timing: remaining key lifetime (k/sec): (4243663/2403)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x667ED0F3(1719587059)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: MY_MAP
        sa timing: remaining key lifetime (k/sec): (4243663/2403)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R2#sh crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: MY_MAP, local addr 10.1.25.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.15.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.25.2, remote crypto endpt.: 10.1.15.1
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x28D6217E(685121918)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x667ED0F3(1719587059)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: MY_MAP
        sa timing: remaining key lifetime (k/sec): (4338099/2348)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x28D6217E(685121918)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: MY_MAP
        sa timing: remaining key lifetime (k/sec): (4338099/2348)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Show the crypto engine connections
R1#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0       29       29 10.1.15.1
    2  IPsec   DES+MD5                  29        0        0 10.1.15.1
 1001  IKE     SHA512+3DES               0        0        0 10.1.15.1

Show the session status
R1#sh crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Clear the session
R1#clear crypto session
R1#sh crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Inactive
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Clear the IPSec SAs
R1#clear crypto sa
R1#sh crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: UP-IDLE
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
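A small parser for the show crypto session output above, as an added example that is not from the page: it turns each session block into a dict and classifies it into the three states just shown (UP-ACTIVE, DOWN-NEGOTIATING, UP-IDLE), which is the kind of check a monitoring job would run. The sample inputs are the R1 outputs copied from this section; the function names and the state labels are my own.

```python
import re

# Sample input: the three 'show crypto session' outputs of R1 above, copied verbatim.
SAMPLE_UP_ACTIVE = """\
Crypto session current status

Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

SAMPLE_DOWN_NEGOTIATING = """\
Crypto session current status

Interface: Ethernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Inactive
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

SAMPLE_UP_IDLE = """\
Crypto session current status

Interface: Ethernet0/0
Session status: UP-IDLE
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""


def parse_crypto_sessions(text: str) -> list:
    """Return one dict per 'Interface:' block of the command output."""
    sessions = []
    for block in re.split(r"(?m)^(?=Interface: )", text):
        iface = re.search(r"^Interface: (\S+)", block, re.M)
        if iface is None:
            continue  # banner text before the first session
        status = re.search(r"^Session status: (\S+)", block, re.M)
        peer = re.search(r"^Peer: (\S+) port (\d+)", block, re.M)
        ike_sas = re.findall(r"IKEv1 SA: local (\S+) remote (\S+) (\w+)", block)
        flows = [
            {"flow": flow, "active_sas": int(count), "origin": origin.strip()}
            for flow, count, origin in re.findall(
                r"IPSEC FLOW: (.+)\n\s*Active SAs: (\d+), origin: (.+)", block)
        ]
        sessions.append({
            "interface": iface.group(1),
            "status": status.group(1) if status else None,
            "peer": (peer.group(1), int(peer.group(2))) if peer else None,
            "ike_sas": ike_sas,
            "flows": flows,
        })
    return sessions


def diagnose(session: dict) -> str:
    """Map a parsed session onto the three states the outputs above show."""
    if not session["ike_sas"] or any(state != "Active" for _, _, state in session["ike_sas"]):
        return "ike-down"       # Phase 1 absent or Inactive: DOWN-NEGOTIATING
    if all(flow["active_sas"] == 0 for flow in session["flows"]):
        return "no-ipsec-sa"    # Phase 1 up but no Phase 2 SAs yet: UP-IDLE
    return "healthy"            # UP-ACTIVE with a pair of SAs per flow


if __name__ == "__main__":
    for sample in (SAMPLE_UP_ACTIVE, SAMPLE_DOWN_NEGOTIATING, SAMPLE_UP_IDLE):
        for session in parse_crypto_sessions(sample):
            print(session["interface"], session["status"], "->", diagnose(session))
```

The distinction matters operationally: "ike-down" points at Phase 1 (reachability, pre-shared key, policy mismatch), while "no-ipsec-sa" with an Active IKE SA means Phase 1 is fine and either no interesting traffic has hit the crypto map yet or the Phase 2 proposals do not match.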

1.7 NAT-T [3]

During the Phase 1 negotiation, messages M1-M4 detect whether a NAT device sits in the path; from M5 until the end of Phase 2, every subsequent negotiation message carries a UDP 4500 header.

Once the IPSec tunnel is up, the actual data is also sent with this UDP header, which hides the ESP header so that a PAT device can perform its translation.

Note: in a NAT scenario, set peer on the hub must use the post-NAT address, i.e. the SRC IP of the packets it receives; otherwise the tunnel cannot be established.
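An added example (not from the page) of how a receiver tells apart the three things that arrive on UDP 4500 under RFC 3948: ESP, whose header (SPI, sequence number) directly follows the UDP header; IKE, prefixed with a four-byte zero Non-ESP marker (an ESP SPI is never zero); and the one-byte NAT keepalive. It also includes the anti-replay window that the "replay detection support: Y" line of show crypto ipsec sa refers to. The payloads are constructed, the SPI is the one from this lab's output, and the function and class names are illustrative.

```python
import struct

UDP_NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: marks IKE inside UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive


def build_udp_encapsulated_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP 4500 payload carrying ESP: the 8-byte ESP header comes first, no marker.
    esp_body stands for the encrypted payload plus ICV (constructed here)."""
    return struct.pack("!II", spi, seq) + esp_body


def build_udp_encapsulated_ike(ike_message: bytes) -> bytes:
    """UDP 4500 payload carrying IKE: four zero bytes, then the ISAKMP message."""
    return NON_ESP_MARKER + ike_message


def classify_udp4500_payload(payload: bytes) -> dict:
    """Demultiplex one UDP 4500 payload the way a NAT-T capable receiver does."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}  # shorter than an ESP header or a marked IKE header
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike": payload[4:]}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "len": len(payload) - 8}


class ReplayWindow:
    """Minimal ESP anti-replay window (RFC 4303 3.4.3): each sequence number is
    accepted at most once, and anything older than the window is rejected."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0
        self.bitmap = 0  # bit i set means sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # 0 is never a valid ESP sequence number
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # too old, or already seen: replay
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    # Constructed packet using the outbound SPI seen on R1 in this lab.
    pkt = build_udp_encapsulated_esp(0x667ED0F3, 29, b"\xaa" * 16)
    print(classify_udp4500_payload(pkt))
    print(classify_udp4500_payload(build_udp_encapsulated_ike(b"\x11" * 28))["kind"])
```

For a defender the takeaway is that UDP 4500 traffic is still inspectable at the SPI and sequence-number level even though the ESP payload is opaque, so an unknown SPI or a sequence number falling outside the window is visible without any key material.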

2 GRE Over IPSec

A traditional L2L IPSec VPN can only build the required routing entries with static routes. A GRE tunnel can run a dynamic routing protocol directly between the two internal networks, i.e. it builds a virtual link between them. Once the tunnel is up, the data carried over it is encrypted with IPSec to keep it secure; this is GRE over IPSec.

The advantage of GRE is that the resulting virtual link can run dynamic routing protocols and supports multicast (IPSec cannot encrypt multicast or broadcast packets).

With GRE over IPSec, data can be carried as long as the GRE tunnel is up; IPSec is there only for security.

An IPSec VPN can normally only use tunnel mode, whereas GRE over IPSec can use either tunnel mode or transport mode, the latter saving the overhead of an unnecessary extra IP header.

gre_ipsec_modes.png

2.1 Configuration steps

gre+ipsec.png

Figure 13: Lab environment

2.1.1 GRE configuration

  1. Ensure the public network routes are reachable
  2. Create the Tunnel interface
  3. Advertise the Tunnel interface into the dynamic routing protocol

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 
 int tun0
  ip address 172.168.1.1 255.255.255.0
  tunnel source e0/0
  tunnel destination 10.1.25.2
  no sh
 exit
 
 router ospf 110
  router-id 11.11.11.11
  network 10.1.15.1 0.0.0.0 area 0
 exit
 router eigrp 90
  network 172.168.1.1 0.0.0.0 ! network tunnel ifc
  network 192.168.1.1 0.0.0.0
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.25.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.2 255.255.255.0
  no sh
 exit
 int tun0
  ip address 172.168.1.2 255.255.255.0
  tunnel source e0/0
  tunnel destination 10.1.15.1
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 10.1.25.2 0.0.0.0 area 0
 exit
 router eigrp 90
  network 172.168.1.2 0.0.0.0
  network 192.168.2.2 0.0.0.0
 exit
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.5 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.25.5 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 55.55.55.55
  network 10.1.15.5 0.0.0.0 area 0
  network 10.1.25.5 0.0.0.0 area 0
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.3 255.255.255.0
  no sh
 exit
end

----------------- PC4 ----------------------
en
conf t
 hostname PC4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.2
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
end

2.1.2 Adding IPSec on top of GRE

2.1.2.1 Conventional IPSec configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 int tun0
  ip address 172.168.1.1 255.255.255.0
  tunnel source e0/0
  tunnel destination 10.1.25.2
  no sh
 exit
 router ospf 110
  router-id 11.11.11.11
  network 10.1.15.1 0.0.0.0 area 0
 exit
 router eigrp 90
  network 172.168.1.1 0.0.0.0 ! network tunnel ifc
  network 192.168.1.1 0.0.0.0
 exit
 
 ! below are configurations for ipsec
 ip access-list extended IPSEC_ACL ! define interested flow (step0)
  permit gre host 10.1.15.1 host 10.1.25.2 ! make sure you understand the meaning of this line
 exit
 crypto keyring MY_KEY_RING ! define pre-shared key (step0)
  pre-shared-key address 10.1.25.2 255.255.255.0 key pa55w0rd
 exit
 crypto isakmp policy 10 ! define IKE policy (step1)
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac ! ipsec policy, use AH in order to observe data by tcpdump (step2)
  mode transport
 exit
 crypto map MY_MAP 10 ipsec-isakmp ! create a map to bundle all info (step3)
  set peer 10.1.25.2
  set transform-set MY_SET
  match address IPSEC_ACL
 exit
 int e0/0
  crypto map MY_MAP ! associate map with interface (step4)
 exit

end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.25.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.2 255.255.255.0
  no sh
 exit
 int tun0
  ip address 172.168.1.2 255.255.255.0
  tunnel source e0/0
  tunnel destination 10.1.15.1
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 10.1.25.2 0.0.0.0 area 0
 exit
 router eigrp 90
  network 172.168.1.2 0.0.0.0
  network 192.168.2.2 0.0.0.0
 exit
 
 ! below are configurations for ipsec
 ip access-list extended IPSEC_ACL ! define interested flow (step0)
  permit gre host 10.1.25.2 host 10.1.15.1
 exit
 crypto keyring MY_KEY_RING ! define pre-shared key (step0)
  pre-shared-key address 10.1.15.1 255.255.255.0 key pa55w0rd
 exit
 crypto isakmp policy 10 ! define IKE policy (step1)
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto map MY_MAP 10 ipsec-isakmp ! create a map to bundle all info (step3)
  set peer 10.1.15.1
  set transform-set MY_SET
  match address IPSEC_ACL
 exit
 int e0/0
  crypto map MY_MAP ! associate map with interface (step4)
 exit

end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.5 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.25.5 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 55.55.55.55
  network 10.1.15.5 0.0.0.0 area 0
  network 10.1.25.5 0.0.0.0 area 0
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.3 255.255.255.0
  no sh
 exit
end

----------------- PC4 ----------------------
en
conf t
 hostname PC4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.2
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
end

2.1.2.2 Simplifying the IPSec configuration with a profile

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 int tun0
  ip address 172.168.1.1 255.255.255.0
  tunnel source e0/0
  tunnel destination 10.1.25.2
  no sh
 exit
 router ospf 110
  router-id 11.11.11.11
  network 10.1.15.1 0.0.0.0 area 0
 exit
 router eigrp 90
  network 172.168.1.1 0.0.0.0 ! network tunnel ifc
  network 192.168.1.1 0.0.0.0
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 10.1.25.2 255.255.255.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit

end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.25.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.2 255.255.255.0
  no sh
 exit
 int tun0
  ip address 172.168.1.2 255.255.255.0
  tunnel source e0/0
  tunnel destination 10.1.15.1
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 10.1.25.2 0.0.0.0 area 0
 exit
 router eigrp 90
  network 172.168.1.2 0.0.0.0
  network 192.168.2.2 0.0.0.0
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 10.1.15.1 255.255.255.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit

end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.15.5 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.25.5 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 55.55.55.55
  network 10.1.15.5 0.0.0.0 area 0
  network 10.1.25.5 0.0.0.0 area 0
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.3 255.255.255.0
  no sh
 exit
end

----------------- PC4 ----------------------
en
conf t
 hostname PC4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.2
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
end

By defining a profile and applying it to the tunnel interface, we declare that data passing through the tunnel must be encrypted before it is sent out of the physical interface.

Also, because the tunnel source and tunnel destination are both fixed, the interesting traffic is fixed too; with the profile approach the router generates the interesting traffic on its own:

R1#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.25.2 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Active
  Session ID: 0
  IKEv1 SA: local 10.1.15.1/500 remote 10.1.25.2/500 Active
  IPSEC FLOW: permit 47 host 10.1.15.1 host 10.1.25.2 ! auto-generated interesting traffic; 47 is the GRE protocol number
        Active SAs: 4, origin: crypto map

2.2 GRE over IPSec across NAT

gre+ipsec+nat.png

Figure 14: Lab environment

2.2.1 Configuring NAT

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 int e1/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.12.2 ! default route
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 100.1.23.2 255.255.255.0
  ip nat outside
  no sh
 exit
 int e1/0
  ip address 10.1.12.2 255.255.255.0
  ip nat inside
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 100.1.23.2 0.0.0.0 area 0
 exit
 
 ip access-list standard NAT
  permit 10.1.12.0 0.0.0.255
 exit

 ip nat inside source list NAT interface e0/0 overload
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e1/0
  ip address 100.1.23.3 255.255.255.0
  no sh
 exit
 int e0/0
  ip address 200.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 33.33.33.33
  network 100.1.23.3 0.0.0.0 area 0
  network 200.1.34.3 0.0.0.0 area 0
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e1/0
  ip address 200.1.34.4 255.255.255.0
  no sh
 exit
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 44.44.44.44
  network 200.1.34.4 0.0.0.0 area 0
 exit
end

----------------- PC5 ----------------------
en
conf t
 hostname PC5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.4
 int e0/0
  ip address 192.168.2.5 255.255.255.0
  no sh
 exit
end

----------------- PC6 ----------------------
en
conf t
 hostname PC6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.6 255.255.255.0
  no sh
 exit
end

2.2.2 Configuring GRE

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 int e1/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.12.2 ! default route
 
 int tun0
  ip address 172.168.1.1 255.255.255.0
  tunnel source e0/0
  tunnel destination 200.1.34.4
 exit
 router eigrp 90
  network 172.168.1.1 0.0.0.0
  network 192.168.1.1 0.0.0.0
 exit
 
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 100.1.23.2 255.255.255.0
  ip nat outside
  no sh
 exit
 int e1/0
  ip address 10.1.12.2 255.255.255.0
  ip nat inside
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 100.1.23.2 0.0.0.0 area 0
 exit
 ip access-list standard NAT
  permit 10.1.12.0 0.0.0.255
 exit
 ip nat inside source list NAT interface e0/0 overload
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e1/0
  ip address 100.1.23.3 255.255.255.0
  no sh
 exit
 int e0/0
  ip address 200.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 33.33.33.33
  network 100.1.23.3 0.0.0.0 area 0
  network 200.1.34.3 0.0.0.0 area 0
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e1/0
  ip address 200.1.34.4 255.255.255.0
  no sh
 exit
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 44.44.44.44
  network 200.1.34.4 0.0.0.0 area 0
 exit
 
 int tun0
  ip address 172.168.1.4 255.255.255.0
  tunnel source e1/0
  tunnel destination 100.1.23.2 ! must use public ip
 exit
 router eigrp 90
  network 172.168.1.4 0.0.0.0
  network 192.168.2.4 0.0.0.0
 exit
 
end

----------------- PC5 ----------------------
en
conf t
 hostname PC5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.4
 int e0/0
  ip address 192.168.2.5 255.255.255.0
  no sh
 exit
end

----------------- PC6 ----------------------
en
conf t
 hostname PC6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.6 255.255.255.0
  no sh
 exit
end

A NAT translation entry for GRE appears on R2 (it is triggered by the IGP Hello sent by R1):

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
gre 100.1.23.2:0       10.1.12.1:0        200.1.34.4:0       200.1.34.4:0
R2#

2.2.3 Configuring IPSec

Necessary conditions for GRE over IPSec to traverse NAT:

  1. Use transport mode

    This is because in tunnel mode the packet is encapsulated as shown below:

    flow_match_for_tunnel.png

    The source and destination addresses in the red part must be symmetric (when the encrypting device sits behind a NAT they never are), otherwise the Phase 2 negotiation fails.
    (Consider what would happen if asymmetry were allowed: when R1 receives R4's data, the destination address is not this router's own source address, so the data would be dropped.)

  2. Enable NAT-T

    Phase 2 negotiates the interesting traffic lists, and if the lists are not symmetric the negotiation fails as well.
    For GRE over IPSec the interesting traffic list is the tunnel's source and destination addresses, and in a NAT environment the two ends' source/destination addresses never match.
    With NAT-T enabled, because the NAT can be detected, the Phase 2 negotiation ignores the interesting traffic list and checks symmetry using the source and destination addresses of the IP header instead, as shown:

    ip_symmetry.png

    Because the interesting traffic of an L2L IPSec VPN is specified explicitly by hand (it hits the physical interface directly), it does not have this problem, so NAT-T can be turned off when an L2L IPSec VPN traverses NAT (the NAT is then handled by SPI matching). But NAT-T must not be turned off when GRE over IPSec traverses NAT.
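The Python below is an added example (not from the page) that models the two checks described here together with the auto-generated GRE selector of 2.1.2.2, using the addresses of this topology: without NAT-T the responder requires the initiator's identities to mirror its own; with NAT-T detected it compares the outer IP header instead. The function names and the preconditions helper are illustrative, and the precondition list reflects only what the page itself states (transport mode, NAT-T on, no AH behind NAT).

```python
from dataclasses import dataclass

GRE = 47  # IP protocol number of GRE, the value IOS shows as 'permit 47'


@dataclass(frozen=True)
class ProxyId:
    """A Phase 2 traffic selector: protocol plus the two host addresses."""
    proto: int
    src: str
    dst: str

    def mirror(self) -> "ProxyId":
        return ProxyId(self.proto, self.dst, self.src)

    def acl_line(self) -> str:
        return f"permit {self.proto} host {self.src} host {self.dst}"


def gre_proxy_id(tunnel_source: str, tunnel_destination: str) -> ProxyId:
    """What 'tunnel protection' derives from the tunnel interface on its own."""
    return ProxyId(GRE, tunnel_source, tunnel_destination)


def responder_accepts_phase2(initiator_ids: ProxyId, responder_ids: ProxyId,
                             nat_t_detected: bool,
                             outer_src: str, outer_dst: str) -> bool:
    """Model of the symmetry check described above. outer_src/outer_dst are the
    addresses of the IP header as the responder sees them, i.e. after any NAT."""
    if not nat_t_detected:
        # Plain IKEv1: the initiator's list must be the mirror image of ours.
        return initiator_ids == responder_ids.mirror()
    # NAT-T detected: ignore the selector list, check the outer header instead.
    return outer_src == responder_ids.dst and outer_dst == responder_ids.src


def nat_traversal_preconditions(mode: str, nat_t_enabled: bool, transform_set: str) -> list:
    """The page's three requirements for GRE over IPSec behind NAT, as a checklist."""
    problems = []
    if mode != "transport":
        problems.append("tunnel mode: inner IP header src/dst cannot be symmetric behind NAT")
    if not nat_t_enabled:
        problems.append("NAT-T disabled: GRE proxy identities will not match across NAT")
    if "ah-" in transform_set:
        problems.append("AH authenticates the outer IP header, which NAT rewrites")
    return problems


def lab_2_2() -> dict:
    """This topology: R1 (tunnel source 10.1.12.1, translated by R2 to 100.1.23.2)
    negotiating with R4 (200.1.34.4), whose tunnel destination is the NAT address."""
    r1 = gre_proxy_id("10.1.12.1", "200.1.34.4")
    r4 = gre_proxy_id("200.1.34.4", "100.1.23.2")
    seen_by_r4 = ("100.1.23.2", "200.1.34.4")  # outer header after R2's PAT
    return {
        "without_nat_t": responder_accepts_phase2(r1, r4, False, *seen_by_r4),
        "with_nat_t": responder_accepts_phase2(r1, r4, True, *seen_by_r4),
    }


if __name__ == "__main__":
    print(gre_proxy_id("10.1.15.1", "10.1.25.2").acl_line())
    print(lab_2_2())
    print(nat_traversal_preconditions("tunnel", False, "ah-sha256-hmac"))
```

Run against the 2.1 topology (10.1.15.1 and 10.1.25.2 with no NAT in between) the same function accepts Phase 2 without NAT-T, because there the two tunnel interfaces really are mirror images of each other.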

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 int e1/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.12.2 ! default route
 int tun0
  ip address 172.168.1.1 255.255.255.0
  tunnel source e0/0
  tunnel destination 200.1.34.4
 exit
 router eigrp 90
  network 172.168.1.1 0.0.0.0
  network 192.168.1.1 0.0.0.0
 exit
 
 crypto ipsec nat-transparency udp-encapsulation ! must have this (this is default)
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des ! cannot use AH in NAT
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit

end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 100.1.23.2 255.255.255.0
  ip nat outside
  no sh
 exit
 int e1/0
  ip address 10.1.12.2 255.255.255.0
  ip nat inside
  no sh
 exit
 router ospf 110
  router-id 22.22.22.22
  network 100.1.23.2 0.0.0.0 area 0
 exit
 ip access-list standard NAT
  permit 10.1.12.0 0.0.0.255
 exit
 ip nat inside source list NAT interface e0/0 overload
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e1/0
  ip address 100.1.23.3 255.255.255.0
  no sh
 exit
 int e0/0
  ip address 200.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 33.33.33.33
  network 100.1.23.3 0.0.0.0 area 0
  network 200.1.34.3 0.0.0.0 area 0
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e1/0
  ip address 200.1.34.4 255.255.255.0
  no sh
 exit
 int e0/0
  ip address 192.168.2.4 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 44.44.44.44
  network 200.1.34.4 0.0.0.0 area 0
 exit
 int tun0
  ip address 172.168.1.4 255.255.255.0
  tunnel source e1/0
  tunnel destination 100.1.23.2 ! must use public ip
 exit
 router eigrp 90
  network 172.168.1.4 0.0.0.0
  network 192.168.2.4 0.0.0.0
 exit
 
 crypto ipsec nat-transparency udp-encapsulation ! must have this
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des ! cannot use AH in NAT
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit

end

----------------- PC5 ----------------------
en
conf t
 hostname PC5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.4
 int e0/0
  ip address 192.168.2.5 255.255.255.0
  no sh
 exit
end

----------------- PC6 ----------------------
en
conf t
 hostname PC6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.1
 int e0/0
  ip address 192.168.1.6 255.255.255.0
  no sh
 exit
end

3 Easy VPN 4

3.1 Workflow

3.2 Configuration walkthrough 5

ezvpn.png

Figure 18: Lab topology

Configuration listing
------------ R1 ----------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 !
 aaa new-model
 aaa authentication login EZVPN_XAUTH local
 aaa authorization network EZVPN_ISAKMP_AUTH local
 !
 username cisco password 0 cisco123
 !
 crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2
 exit
 !
 crypto isakmp keepalive 20 periodic
 !
 ip local pool POOL_TECH 100.100.100.1 100.100.100.100
 ip local pool POOL_SALE 200.200.200.1 200.200.200.100
 !
 crypto isakmp client configuration group tech.cisco.com
  key pa55w0rd ! pre-share key
  dns 8.8.8.8 114.114.114.114
  pool POOL_TECH
 exit
 !
 crypto isakmp client configuration group sale.cisco.com
  key pa55w0rd ! pre-share key
  dns 6.6.6.6
  pool POOL_SALE
 exit
 !
 crypto isakmp profile PROFILE_TECH
  match identity group tech.cisco.com
  client authentication list EZVPN_XAUTH
  isakmp authorization list EZVPN_ISAKMP_AUTH
  client configuration address respond
 exit
 !
 crypto isakmp profile PROFILE_SALE
  match identity group sale.cisco.com
  client authentication list EZVPN_XAUTH
  isakmp authorization list EZVPN_ISAKMP_AUTH
  client configuration address respond
 exit
 !
 crypto ipsec transform-set TS esp-des esp-md5-hmac
 !
 crypto dynamic-map MY_DYN_MAP 10
  set transform-set TS
  set isakmp-profile PROFILE_TECH
  reverse-route
 exit
 crypto dynamic-map MY_DYN_MAP 20
  set transform-set TS
  set isakmp-profile PROFILE_SALE
  reverse-route
 exit
 !
 crypto map MY_MAP 10 ipsec-isakmp dynamic MY_DYN_MAP
 !
 interface lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 !
 interface e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
  crypto map MY_MAP
 exit
 !
 ip route 0.0.0.0 0.0.0.0 10.1.12.2
!
end
------------ R2 ----------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 interface e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 interface e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 interface e0/2
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
end

------------ R3 (tech client) ----------
en
debug crypto ipsec client ezvpn
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 crypto ipsec client ezvpn MY_EZVPN
  connect manual
  group tech.cisco.com key pa55w0rd
  mode client
  peer 10.1.12.1
  xauth userid mode interactive
 !
 interface e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
  crypto ipsec client ezvpn MY_EZVPN
 !
 interface e0/1
  ip address 192.168.35.3 255.255.255.0
  no sh
  crypto ipsec client ezvpn MY_EZVPN inside ! must have an inside interface, otherwise the VPN negotiation is never initiated
 !
 ip route 0.0.0.0 0.0.0.0 10.1.23.2
!
end

------------ R4 (sale client) ----------
en
debug crypto ipsec client ezvpn
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 crypto ipsec client ezvpn MY_EZVPN
  connect auto
  group sale.cisco.com key pa55w0rd
  mode client
  peer 10.1.12.1
  username cisco password cisco123
 exit
 !
 interface e0/0
  ip address 10.1.24.4 255.255.255.0
  no sh
  crypto ipsec client ezvpn MY_EZVPN
 !
 interface e0/1
  ip address 192.168.2.4 255.255.255.0
  no sh
  crypto ipsec client ezvpn MY_EZVPN inside ! must have inside interface
 !
 ip route 0.0.0.0 0.0.0.0 10.1.24.2
!
end

------------ PC5 ----------
en
conf t
 hostname PC5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.35.3
 interface e0/0
  ip address 192.168.35.5 255.255.255.0
  no sh
 exit
end

3.2.1 Authentication

aaa new-model ! enable AAA
aaa authentication login EZVPN_XAUTH local  ! authenticate logins against the local database
                                            ! "login" means this list authenticates logins; "local" means the username/password is looked up in the local database
username cisco password 0 cisco123          ! local username and password; the VPN login credentials configured on the client must match these

3.2.2 Authorization

aaa authorization network EZVPN_ISAKMP_AUTH local
! authorize the network service against the local database
! "network" is the service being authorized: traffic coming from elsewhere that traverses this router to reach the networks behind it
! "local" means the authorization policy is looked up in the local database (the policy is the set of parameters pushed to the client, configured in Phase 1.5)

3.2.3 Phase 1.5

 crypto isakmp client configuration group tech.cisco.com ! define a user group; when a client matches this group, the settings below are pushed to it (this is what the authorization policy above refers to)
  key pa55w0rd ! pre-share key
  dns 8.8.8.8 114.114.114.114
  pool POOL_TECH
 exit
 !
 crypto isakmp profile PROFILE_TECH
  match identity group tech.cisco.com
  client authentication list EZVPN_XAUTH
  isakmp authorization list EZVPN_ISAKMP_AUTH
  client configuration address respond ! how the IP address is pushed: "respond" pushes it only when the client asks for one, "initiate" pushes it to the client directly
 exit
 !
 crypto ipsec transform-set TS esp-des esp-md5-hmac
 !
 crypto dynamic-map MY_DYN_MAP 10 ! EzVPN users connect remotely and have no fixed address, so a dynamic crypto map is required
  set transform-set TS
  set isakmp-profile PROFILE_TECH
  reverse-route ! reverse route injection: with this command the EzVPN server automatically installs a static route towards the client, so the inside network can reach it
 exit
 !
 crypto map MY_MAP 10 ipsec-isakmp dynamic MY_DYN_MAP ! a dynamic map cannot be bound to an interface directly: create a static map that references the dynamic map, then bind the static map to the interface
 !
 interface e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
  crypto map MY_MAP
 exit

3.2.4 Client configuration

 crypto ipsec client ezvpn MY_EZVPN ! comparable to creating a new dial-up connection
  connect manual
  group tech.cisco.com key pa55w0rd ! the user group this client belongs to, and that group's pre-shared key
  mode client
  peer 10.1.12.1
  xauth userid mode interactive
 !
 interface e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
  crypto ipsec client ezvpn MY_EZVPN ! traffic leaving through this interface is sent as VPN traffic (outside interface)
 !
 interface e0/1
  ip address 192.168.35.3 255.255.255.0
  no sh
  crypto ipsec client ezvpn MY_EZVPN inside ! "inside": traffic from the subnet on this interface is treated as VPN traffic

3.3 Establishing the connection

3.3.1 Router

Manually trigger the client connection
R3#crypto ipsec client ezvpn connect
R3#
*Aug  2 14:25:28.442: EZVPN(MY_EZVPN): Current State: CONNECT_REQUIRED
*Aug  2 14:25:28.442: EZVPN(MY_EZVPN): Event: CONNECT
*Aug  2 14:25:28.442: EZVPN(MY_EZVPN): ezvpn_connect_request
*Aug  2 14:25:28.442: EZVPN(MY_EZVPN): Found valid peer 10.1.12.1
*Aug  2 14:25:28.442: EZVPN(MY_EZVPN): Added PSK for address 10.1.12.1

*Aug  2 14:25:28.442: EzVPN(MY_EZVPN): sleep jitter delay 1809
R3#
*Aug  2 14:25:30.256: EZVPN(MY_EZVPN): New State: READY
*Aug  2 14:25:30.280: EZVPN(MY_EZVPN): Current State: READY
*Aug  2 14:25:30.280: EZVPN(MY_EZVPN): Event: IKE_PFS
*Aug  2 14:25:30.280: EZVPN(MY_EZVPN): No state change
*Aug  2 14:25:30.285: EZVPN(MY_EZVPN): Current State: READY
*Aug  2 14:25:30.285: EZVPN(MY_EZVPN): Event: CONN_UP
*Aug  2 14:25:30.285: EZVPN(MY_EZVPN): ezvpn_conn_up 420E2DCB 8DC1E8C3 6431F144 A560DA74
*Aug  2 14:25:30.285: EZVPN(MY_EZVPN): No state change
*Aug  2 14:25:30.294: EZVPN(MY_EZVPN): Current State: READY
*Aug  2 14:25:30.294: EZVPN(MY_EZVPN): Event: XAUTH_REQUEST
*Aug  2 14:25:30.294: EZVPN(MY_EZVPN): ezvpn_xauth_request
R3#
*Aug  2 14:25:30.294: EZVPN(MY_EZVPN): ezvpn_parse_xauth_msg
*Aug  2 14:25:30.294: EZVPN: Attributes sent in xauth request message:
*Aug  2 14:25:30.294:         XAUTH_USER_NAME_V2(MY_EZVPN):
*Aug  2 14:25:30.294:         XAUTH_USER_PASSWORD_V2(MY_EZVPN):
*Aug  2 14:25:30.294: EZVPN(MY_EZVPN): New State: XAUTH_REQ

*Aug  2 14:25:31.298: EZVPN(MY_EZVPN): Pending XAuth Request, Please enter the following command:
*Aug  2 14:25:31.298: EZVPN: crypto ipsec client ezvpn xauth


R3#crypto ipsec client ezvpn xauth
Username: cisco
Password:
*Aug  2 14:25:40.129: EZVPN(MY_EZVPN): Current State: XAUTH_REQ
*Aug  2 14:25:40.129: EZVPN(MY_EZVPN): Event: XAUTH_PROMPTING
*Aug  2 14:25:40.129: EZVPN(MY_EZVPN): New State: XAUTH_PROMPT
R3#
*Aug  2 14:25:47.535: EZVPN(MY_EZVPN): Current State: XAUTH_PROMPT
*Aug  2 14:25:47.535: EZVPN(MY_EZVPN): Event: XAUTH_REQ_INFO_READY
*Aug  2 14:25:47.535: EZVPN(MY_EZVPN): ezvpn_xauth_reply
*Aug  2 14:25:47.535:         XAUTH_USER_NAME_V2(MY_EZVPN): cisco
*Aug  2 14:25:47.535:         XAUTH_USER_PASSWORD_V2(MY_EZVPN): 
*Aug  2 14:25:47.535: EZVPN(MY_EZVPN): New State: XAUTH_REPLIED
*Aug  2 14:25:47.537: EZVPN(MY_EZVPN): Current State: XAUTH_REPLIED
*Aug  2 14:25:47.537: EZVPN(MY_EZVPN): Event: XAUTH_STATUS
*Aug  2 14:25:47.537: EZVPN(MY_EZVPN): xauth status received: Success
*Aug  2 14:25:47.537: EZVPN(MY_EZVPN): New State: READY
*Aug  2 14:25:47.539: EZVPN(MY_EZVPN): Current State: READY
*Aug  2 14:25:47.539: EZVPN(MY_EZVPN): Event: MODE_CONFIG_REPLY
*Aug  2 14:25:47.539: EZVPN: Resetting NAT
*Aug  2 14:25:47.539: EZVPN(MY_EZVPN): ezvpn_parse_mode_config_msg
*Aug  2 14:25:47.539: EZVPN: Attributes sent in message:
*Aug  2 14:25:47.539:         Address: 100.100.100.1
*Aug  2 14:25:47.539:         Peer has No IPsec Interface support
*Aug  2 14:25:47.539:         DNS Primary: 8.8.8.8
*Aug  2 14:25:47.539:         DNS Secondary: 114.114.114.114
*Aug  2 14:25:47.539:         Savepwd off
*Aug  2 14:25:47.539: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Aug  2 14:25:47.539: EZVPN(MY_EZVPN): ezvpn_mode_config
*Aug  2 14:25:47.545: EZVPN(MY_EZVPN): ezvpn_nat_config
*Aug  2 14:25:47.570: EZVPN(MY_EZVPN): New State: SS_OPEN
*Aug  2 14:25:47.579: EZVPN(MY_EZVPN): Current State: SS_OPEN
*Aug  2 14:25:47.579: EZVPN(MY_EZVPN): Event: SOCKET_READY
*Aug  2 14:25:47.579: EZVPN(MY_EZVPN): No state change
*Aug  2 14:25:47.585: EZVPN(MY_EZVPN): Current State: SS_OPEN
*Aug  2 14:25:47.585: EZVPN(MY_EZVPN): Event: MTU_CHANGED
*Aug  2 14:25:47.585: EZVPN(MY_EZVPN): No state change
*Aug  2 14:25:47.593: EZVPN(MY_EZVPN): Current State: SS_OPEN
*Aug  2 14:25:47.593: EZVPN(MY_EZVPN): Event: SOCKET_UP
*Aug  2 14:25:47.593: ezvpn_socket_up
*Aug  2 14:25:47.593: ezvpn_process_socket_up
*Aug  2 14:25:47.593: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=tech.cisco.com  Client_public_addr=10.1.23.3  Server_public_addr=10.1.12.1  Assigned_client_addr=100.100.100.1
R3#
*Aug  2 14:25:47.593: EZVPN(MY_EZVPN): Tunnel UP! Letting user know about it
*Aug  2 14:25:47.594: EzVPN: No Split-DNS names specified
*Aug  2 14:25:47.594: EZVPN(MY_EZVPN): New State: IPSEC_ACTIVE
*Aug  2 14:25:48.100: EzVPN(MY_EZVPN): No URL available to configure
R3#
*Aug  2 14:25:48.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*Aug  2 14:25:48.556: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

3.3.2 Linux 6

root@cisco:/home/cisco# cat /etc/vpnc/default.conf
IPSec gateway 10.1.17.1
IPSec ID tech.cisco.com
IPSec secret pa55w0rd
#IKE Authmode hybrid
Xauth username cisco
Xauth password cisco123
root@cisco:/home/cisco# vpnc-connect --enable-1des
VPNC started in background (pid: 3131)...
root@cisco:/home/cisco# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:06:00 brd ff:ff:ff:ff:ff:ff
    inet 10.1.17.7/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:ff:fe00:600/64 scope link
       valid_lft forever preferred_lft forever
15: tun0:  mtu 1412 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.100.100.6/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8acd:b549:f074:618b/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

3.4 Checking status

R3 ezvpn client status
R3#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : MY_EZVPN
Inside interface list: Ethernet0/1
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 100.100.100.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 8.8.8.8
DNS Secondary: 114.114.114.114
Save Password: Disallowed
Current EzVPN Peer: 10.1.12.1

R4 ezvpn client status
R4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : MY_EZVPN
Inside interface list: Ethernet0/1
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 200.200.200.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 6.6.6.6
Save Password: Disallowed
Current EzVPN Peer: 10.1.12.1

R1 routing table: a static route towards each assigned IP address has been injected:
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.12.2
      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.12.0/24 is directly connected, Ethernet0/0
L        10.1.12.1/32 is directly connected, Ethernet0/0
      100.0.0.0/32 is subnetted, 1 subnets
S        100.100.100.1 [1/0] via 10.1.23.3
      200.200.200.0/32 is subnetted, 1 subnets
S        200.200.200.1 [1/0] via 10.1.24.4

R1 crypto sessions: the assigned address is used automatically to build the interesting traffic (IPSEC FLOW):
R1#sh crypto session
Crypto session current status

Interface: Ethernet0/0
Username: cisco
Profile: PROFILE_TECH
Group: tech.cisco.com
Assigned address: 100.100.100.1
Session status: UP-ACTIVE
Peer: 10.1.23.3 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.12.1/500 remote 10.1.23.3/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 100.100.100.1
        Active SAs: 2, origin: dynamic crypto map

Interface: Ethernet0/0
Username: cisco
Profile: PROFILE_SALE
Group: sale.cisco.com
Assigned address: 200.200.200.1
Session status: UP-ACTIVE
Peer: 10.1.24.4 port 500
  Session ID: 0
  IKEv1 SA: local 10.1.12.1/500 remote 10.1.24.4/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 200.200.200.1
        Active SAs: 2, origin: dynamic crypto map

When PC5 accesses the private address behind the server, a NAT translation entry is created on the client:

PC5#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1008 ms

R3#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.100.100.1:0   192.168.35.5:0     1.1.1.1:0          1.1.1.1:0
R3#

4 Handle IPSec Failures

  • HA 7
  • Failover 8
  • Backup 9

5 DMVPN 10

5.1 Related concepts

5.1.1 mGRE (multipoint GRE tunnel)

An extension of the traditional point-to-point GRE tunnel; the packet encapsulation process and principle are exactly the same as GRE.

5.1.1.1 Static tunnels

Built between a Spoke and the Hub; the tunnel exists permanently, whether or not there is traffic.

5.1.1.2 Dynamic tunnels

Built between two Spokes; the tunnel is created automatically only when traffic flows, and is torn down automatically once no traffic has passed for a certain period.

5.1.2 NHRP (Next Hop Resolution Protocol)

The source Spoke (tunnel initiator) uses the next-hop address of its route to the destination Spoke (tunnel responder) as the lookup key and sends an NHRP resolution request to the destination Spoke; on receiving it, the destination Spoke returns its public address to the source Spoke. Once the source Spoke knows the destination's public address, the two build a dynamic mGRE tunnel.

The protocol's role is therefore to dynamically collect, maintain and distribute the public address information of branch nodes, solving the problem of branch public IPs changing dynamically: it implements the mapping from a branch's private (tunnel) address to its public address.

5.1.2.1 NHRP mapping table

The table that maps tunnel addresses to public addresses.

5.1.2.1.1 Static entries

When a Spoke needs to build an mGRE tunnel to the Hub, the Hub's tunnel address and public address must be configured manually on the Spoke.

5.1.2.1.2 Dynamic entries

After the source Spoke resolves the destination Spoke's public address through NHRP, the result is added to the mapping table automatically.

5.1.2.2 NHRP negotiation

5.1.2.2.1 Building the Spoke-to-Hub mGRE tunnel

nhrp_neg_1.png

  • After the Hub's tunnel address and public address have been configured manually on the Spoke, the Spoke sends a registration message to the Hub containing the Spoke's own tunnel address and public address.
  • The Hub extracts the Spoke's tunnel address and public address from the registration, builds its NHRP mapping table, and then establishes the mGRE tunnel with the Spoke.
  • Once the Spoke-to-Hub tunnel is up, the Spoke learns routes according to the routing scheme deployed in the network.

5.1.2.2.2 Building Spoke-to-Spoke mGRE tunnels

Once the Spoke-to-Hub tunnels are up, Spokes send NHRP resolution requests to each other through that tunnel to obtain the peer's public address, create a local NHRP mapping entry, and then build the Spoke-to-Spoke mGRE tunnel.

Spoke-to-Spoke tunnels are built in one of two ways:

  • Virtual network topology design (Phase 2: for small networks)
  • Hierarchical topology design (Phase 3: for large networks)

5.2 General configuration approach

  1. Ensure public (underlay) reachability
  2. Create the tunnel interface in point-to-multipoint (mGRE) mode
  3. Configure NHRP so the Hub and Spoke tunnel interfaces can reach each other
  4. Configure a dynamic routing protocol
  5. Configure IPSec to encrypt the data

5.3 Phase 1

5.3.1 Phase requirements

  • Hub-to-Spoke model: Spokes only build tunnels to the Hub, there are no Spoke-to-Spoke tunnels
  • Spoke-to-Spoke traffic must transit the Hub
  • The Hub's GRE tunnel uses multipoint mode, the Spokes keep the default p2p mode
  • The Hub may summarise routes
  • It does not matter whether the next hop of a remote Spoke's route, as learned on a Spoke, is the Hub or the target Spoke (the traffic transits the Hub either way)

5.4 Phase 2

5.4.1 Phase requirements

  • Spoke-to-Spoke model
  • Spoke-to-Spoke traffic initially passes through the Hub; afterwards it is forwarded directly between the Spokes
  • GRE tunnels on both the Hub and the Spokes use multipoint mode
  • On a Spoke, the next hop of a route to a remote Spoke must point at that Spoke (otherwise the data always transits the Hub first)
  • The Hub must not summarise routes (summarisation would break the previous requirement)

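As an added example (not code from the original notes), a small Python model of the NHRP exchange described in 5.1.2 and of the phase-2 next-hop requirement above, using the lab's addresses (R1 hub 123.0.0.1/10.1.14.1, spokes R2 and R3): the hub learns spokes by registration, a spoke resolves a peer through the hub and caches a dynamic entry that expires, and when the route's next hop points at the hub the shortcut never forms. The class and function names and the hold time are assumptions of the model, not router behaviour taken from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hold time of a dynamic NHRP entry (seconds). The page's "sh ip nhrp" shows the
# dynamic R3 entry expiring in ~10 minutes and the static hub entry never expiring;
# the value is chosen for the model, not a router default.
HOLD_TIME = 600

@dataclass
class NhrpEntry:
    nbma: str             # public (NBMA) address mapped to a tunnel address
    static: bool          # from 'ip nhrp map' (static) or learned (dynamic)
    ttl: Optional[int]    # remaining seconds for dynamic entries, None if static

@dataclass
class Node:
    name: str
    tunnel_ip: str
    nbma: str
    lan: str                                   # private prefix behind the node
    nhs: Optional[str] = None                  # hub tunnel address (spokes only)
    cache: Dict[str, NhrpEntry] = field(default_factory=dict)
    routes: Dict[str, str] = field(default_factory=dict)  # prefix -> next-hop tunnel ip

def by_tunnel_ip(tunnel_ip: str, nodes: Dict[str, Node]) -> Node:
    return next(n for n in nodes.values() if n.tunnel_ip == tunnel_ip)

def add_static_map(spoke: Node, hub_tunnel_ip: str, hub_nbma: str) -> None:
    """'ip nhrp nhs' plus 'ip nhrp map': the spoke knows the hub statically."""
    spoke.nhs = hub_tunnel_ip
    spoke.cache[hub_tunnel_ip] = NhrpEntry(hub_nbma, static=True, ttl=None)

def register(spoke: Node, nodes: Dict[str, Node]) -> None:
    """NHRP registration: the spoke tells the hub its tunnel and NBMA address;
    the hub stores it as a dynamic entry (the hub maps nothing statically)."""
    hub = by_tunnel_ip(spoke.nhs, nodes)
    hub.cache[spoke.tunnel_ip] = NhrpEntry(spoke.nbma, static=False, ttl=HOLD_TIME)

def resolve(src: Node, target_tunnel_ip: str, nodes: Dict[str, Node]) -> str:
    """NHRP resolution: the request goes to the NHS, which forwards it to the
    target spoke using the registration it holds; the target answers with its
    NBMA address and the source caches it as a dynamic entry."""
    if target_tunnel_ip in src.cache:
        return src.cache[target_tunnel_ip].nbma
    hub = by_tunnel_ip(src.nhs, nodes)
    if target_tunnel_ip not in hub.cache:
        raise LookupError(f"{hub.name} holds no registration for {target_tunnel_ip}")
    target = by_tunnel_ip(target_tunnel_ip, nodes)
    src.cache[target_tunnel_ip] = NhrpEntry(target.nbma, static=False, ttl=HOLD_TIME)
    return target.nbma

def forward(src: Node, dst_prefix: str, nodes: Dict[str, Node]) -> List[str]:
    """Return the node names a packet from src to dst_prefix passes through
    (like the page's traceroute): via the hub, or directly to the far spoke."""
    dst = next(n for n in nodes.values() if n.lan == dst_prefix)
    hub = by_tunnel_ip(src.nhs, nodes)
    next_hop = src.routes[dst_prefix]
    if next_hop == hub.tunnel_ip:
        # Next hop is the hub (phase 1, or a phase-2 hub that summarises or
        # keeps next-hop-self): no resolution is ever triggered.
        return [hub.name, dst.name]
    if next_hop not in src.cache:
        # Cache miss: resolution is triggered, but this packet still follows
        # the static hub mapping, which is the first traceroute on the page.
        resolve(src, next_hop, nodes)
        return [hub.name, dst.name]
    return [dst.name]

def age(node: Node, seconds: int) -> None:
    """Expire dynamic entries; static ones ("never expire") are untouched."""
    for tunnel_ip, entry in list(node.cache.items()):
        if not entry.static:
            entry.ttl -= seconds
            if entry.ttl <= 0:
                del node.cache[tunnel_ip]

def build_lab(next_hop_self: bool) -> Dict[str, Node]:
    """The page's lab: R1 hub, R2/R3 spokes. next_hop_self=True models a hub that
    rewrites the next hop to itself (what 'no ip next-hop-self' prevents)."""
    r1 = Node("R1", "123.0.0.1", "10.1.14.1", "192.168.1.0/24")
    r2 = Node("R2", "123.0.0.2", "10.1.24.2", "192.168.2.0/24")
    r3 = Node("R3", "123.0.0.3", "10.1.34.3", "192.168.3.0/24")
    nodes = {"R1": r1, "R2": r2, "R3": r3}
    for spoke in (r2, r3):
        add_static_map(spoke, r1.tunnel_ip, r1.nbma)
        register(spoke, nodes)
    r2.routes[r3.lan] = r1.tunnel_ip if next_hop_self else r3.tunnel_ip
    r3.routes[r2.lan] = r1.tunnel_ip if next_hop_self else r2.tunnel_ip
    return nodes
```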
5.4.2 NHRP message flow

phase2_seq.png

5.4.3 Configuration

dmvpn_p2_ex.png

Figure 21: Lab environment

5.4.3.1 Initial configuration (ensure public reachability)
Initial configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end

5.4.3.2 Configure the tunnel interfaces
Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end
  • R1

     int tun0
      ip address 123.0.0.1 255.255.255.0
      tunnel mode gre multipoint
      tunnel source e0/0
      ip nhrp network-id 123 ! once this line is configured, any NHRP Request received is answered with a Reply immediately
     exit
    
  • R2

     int tun0
      ip address 123.0.0.2 255.255.255.0
      tunnel mode gre multipoint
      tunnel source e0/0
      ip nhrp network-id 123 ! as soon as this is configured the spoke sends NHRP (registration) Requests periodically until it receives the Hub's Reply
      ip nhrp nhs 123.0.0.1 ! specify the Hub (next-hop server)
      ip nhrp map 123.0.0.1 10.1.14.1 ! static mapping of the Hub's NBMA address
     exit
    
  • R3

     int tun0
      ip address 123.0.0.3 255.255.255.0
      tunnel mode gre multipoint
      tunnel source e0/0
      ip nhrp network-id 123
      ip nhrp nhs 123.0.0.1
      ip nhrp map 123.0.0.1 10.1.14.1
     exit
    

Observe the forwarding path:

R2#traceroute 192.168.3.254 source 192.168.2.254
Type escape sequence to abort.
Tracing the route to 192.168.3.254
VRF info: (vrf in name/id, vrf out name/id)
  1 123.0.0.1 0 msec 0 msec 1 msec ! the first packets transit the Hub
  2 123.0.0.3 1 msec *  6 msec
R2#traceroute 192.168.3.254 source 192.168.2.254
Type escape sequence to abort.
Tracing the route to 192.168.3.254
VRF info: (vrf in name/id, vrf out name/id)
  1 123.0.0.3 2 msec *  2 msec ! subsequent traffic goes directly to the Spoke
R2#sh ip nhrp
123.0.0.1/32 via 123.0.0.1
   Tunnel0 created 00:14:42, never expire
   Type: static, Flags: used
   NBMA address: 10.1.14.1
123.0.0.3/32 via 123.0.0.3
   Tunnel0 created 00:00:12, expire 00:09:47
   Type: dynamic, Flags: router used nhop
   NBMA address: 10.1.34.3

5.4.3.3 Configure dynamic routing

5.4.3.3.1 OSPF
Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 
 router ospf 110
  router-id 1.1.1.1
  network 192.168.1.254 0.0.0.0 area 0
  network 123.0.0.1 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast dynamic
  ip ospf network broadcast
 exit
 
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 
 router ospf 110
  router-id 2.2.2.2
  network 192.168.2.254 0.0.0.0 area 0
  network 123.0.0.2 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip ospf network broadcast
  ip ospf priority 0
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 
 router ospf 110
  router-id 3.3.3.3
  network 192.168.3.254 0.0.0.0 area 0
  network 123.0.0.3 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip ospf network broadcast
  ip ospf priority 0
 exit
 
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end

  • R1

    router ospf 110
     router-id 1.1.1.1
     network 192.168.1.254 0.0.0.0 area 0
     network 123.0.0.1 0.0.0.0 area 0
    exit
    int tun0
     ip nhrp map multicast dynamic
     ! multicast mapping must be enabled, otherwise packets addressed to a multicast group are not sent out as unicast
     ip ospf network broadcast
     ! the network type must be changed to broadcast (the default is point-to-point); with the default, R1's OSPF adjacency flaps between R2 and R3
     ! because OSPF neighbours must agree on the network type, the other routers' OSPF network type must also be set to broadcast
    exit
    

    The so-called multicast mapping is global and does not care which multicast address is used: as long as the inner destination address of a packet is a multicast address, the packet is sent as unicast to every member of the mapping group.
    Suppose R1, R2 and R3 have established EIGRP directly; the multicast mapping is then:

    R1#sh ip nhrp multicast
      I/F     NBMA address
    Tunnel0    10.1.34.3       Flags: dynamic          (Enabled)
    Tunnel0    10.1.24.2       Flags: dynamic          (Enabled)
    

    If OSPF is now established between R1 and R2, then because the multicast mapping contains R3's unicast address, multicast sent by R1 (224.0.0.5) goes not only to R2 but also to R3, even though R3 does not need it.

  • R2

    router ospf 110
     router-id 2.2.2.2
     network 192.168.2.254 0.0.0.0 area 0
     network 123.0.0.2 0.0.0.0 area 0
    exit
    int tun0
     ip nhrp map multicast 10.1.14.1
     ! if the OSPF network type is configured as point-to-multipoint, the next hop of the route to 192.168.3.0/24 becomes the Hub, so all traffic goes through the Hub first (degrading to Phase 1)
     ip ospf network broadcast
     ! a Spoke must not take part in the DR election, otherwise routes are not propagated to the whole network; if R3 became DR, the private routes behind R3 would not reach R2
     ip ospf priority 0
    exit
    
  • R3

    router ospf 110
     router-id 3.3.3.3
     network 192.168.3.254 0.0.0.0 area 0
     network 123.0.0.3 0.0.0.0 area 0
    exit
    int tun0
     ip nhrp map multicast 10.1.14.1
     ip ospf network broadcast
     ip ospf priority 0
    exit
    
5.4.3.3.2 EIGRP
Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 
 router eigrp 90
  network 123.0.0.1 0.0.0.0
  network 192.168.1.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast dynamic
  no ip next-hop-self eigrp 90
  no ip split-horizon eigrp 90
 exit
 
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 
 router eigrp 90
  network 123.0.0.2 0.0.0.0
  network 192.168.2.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 
 router eigrp 90
  network 123.0.0.3 0.0.0.0
  network 192.168.3.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
 exit
 
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end
  • R1

     router eigrp 90
      network 123.0.0.1 0.0.0.0
      network 192.168.1.254 0.0.0.0
     exit
     int tun0
      no ip next-hop-self eigrp 90 ! EIGRP behaviour: without this, the next hop of the route to 192.168.3.0/24 on R2 is the Hub
      no ip split-horizon eigrp 90
      ! split horizon must be disabled for a distance-vector protocol
      ! otherwise the routes R1 learns from R2 via tun0 are never re-advertised out tun0 to R3
     exit
    
  • R2

     router eigrp 90
      network 123.0.0.2 0.0.0.0
      network 192.168.2.254 0.0.0.0
     exit
     int tun0
      ip nhrp map multicast 10.1.14.1
     exit
    
  • R3

     router eigrp 90
      network 123.0.0.3 0.0.0.0
      network 192.168.3.254 0.0.0.0
     exit
     int tun0
      ip nhrp map multicast 10.1.14.1
     exit
    
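As an added example (not part of the original notes), a small Python linter that checks one router's tunnel-interface and routing stanzas against the phase-2 rules from the OSPF and EIGRP sections above: mGRE mode and NHRP mappings on every node, broadcast network type and priority 0 on spokes, and "no ip next-hop-self" / "no ip split-horizon" naming the same AS as the EIGRP process on the hub. The function names and the two sample configs are constructed for this example; the R1 sample deliberately carries an AS mismatch so that the check has something to report.

```python
import re
from typing import Dict, List


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group the child lines of each 'int ...' / 'router ...' stanza; '! comments'
    are dropped and repeated stanzas (the page enters 'int tun0' twice) are merged."""
    blocks: Dict[str, List[str]] = {}
    parent, parent_indent = None, 0
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].rstrip()
        cmd = line.strip()
        if not cmd or cmd in ("en", "conf t", "end", "exit"):
            continue
        indent = len(line) - len(line.lstrip())
        if cmd.startswith(("int ", "interface ", "router ")):
            parent, parent_indent = cmd.replace("interface ", "int "), indent
            blocks.setdefault(parent, [])
        elif parent is not None and indent > parent_indent:
            blocks[parent].append(cmd)
        else:
            parent = None  # a top-level command ends the current stanza
    return blocks


def lint_dmvpn_phase2(config: str) -> List[str]:
    """Return the phase-2 rules from the notes that this router's config violates."""
    blocks = parse_blocks(config)
    tun = [c for key, cmds in blocks.items() if key.startswith("int tun") for c in cmds]
    nhs = [c.split()[3] for c in tun if c.startswith("ip nhrp nhs ")]
    role = "spoke" if nhs else "hub"  # only spokes point at a next-hop server
    findings: List[str] = []
    if "tunnel mode gre multipoint" not in tun:
        findings.append(f"{role}: phase 2 needs 'tunnel mode gre multipoint' on every node")
    if not any(c.startswith("ip nhrp network-id ") for c in tun):
        findings.append(f"{role}: missing 'ip nhrp network-id'")
    if role == "spoke":
        hub_nbma = None
        for c in tun:  # the static map for the NHS gives us the hub's NBMA address
            m = re.fullmatch(r"ip nhrp map (\S+) (\S+)", c)
            if m and m.group(1) == nhs[0]:
                hub_nbma = m.group(2)
        if hub_nbma is None:
            findings.append(f"spoke: no static 'ip nhrp map {nhs[0]} <hub NBMA address>'")
        elif f"ip nhrp map multicast {hub_nbma}" not in tun:
            findings.append(f"spoke: missing 'ip nhrp map multicast {hub_nbma}'")
    elif "ip nhrp map multicast dynamic" not in tun:
        findings.append("hub: missing 'ip nhrp map multicast dynamic'")
    if any(key.startswith("router ospf ") for key in blocks):
        if "ip ospf network broadcast" not in tun:
            findings.append(f"{role}: OSPF network type on the tunnel must be broadcast")
        if role == "spoke" and "ip ospf priority 0" not in tun:
            findings.append("spoke: must not become DR, add 'ip ospf priority 0'")
    for key in blocks:
        if key.startswith("router eigrp ") and role == "hub":
            asn = key.split()[2]  # the knobs must name the same AS as the process
            for knob in ("next-hop-self", "split-horizon"):
                if f"no ip {knob} eigrp {asn}" not in tun:
                    findings.append(f"hub: missing 'no ip {knob} eigrp {asn}' on the tunnel")
    return findings


# Constructed samples modelled on the page's R1 (hub, EIGRP) and R2 (spoke, OSPF);
# R1's next-hop-self line deliberately names AS 100 while the process is AS 90.
R1_EIGRP_HUB = """\
 int tun0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 router eigrp 90
  network 123.0.0.1 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast dynamic
  no ip next-hop-self eigrp 100 ! wrong AS number
  no ip split-horizon eigrp 90
 exit
"""

R2_OSPF_SPOKE = """\
 int tun0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router ospf 110
  network 123.0.0.2 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip ospf network broadcast
  ip ospf priority 0
 exit
"""
```

Run `lint_dmvpn_phase2` over each router's listing; an empty list means every rule the notes state for that role is satisfied.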
5.4.3.4 Configure IPSec
Configuration listing (OSPF)
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 router ospf 110
  router-id 1.1.1.1
  network 192.168.1.254 0.0.0.0 area 0
  network 123.0.0.1 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast dynamic
  ip ospf network broadcast
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router ospf 110
  router-id 2.2.2.2
  network 192.168.2.254 0.0.0.0 area 0
  network 123.0.0.2 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip ospf network broadcast
  ip ospf priority 0
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router ospf 110
  router-id 3.3.3.3
  network 192.168.3.254 0.0.0.0 area 0
  network 123.0.0.3 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip ospf network broadcast
  ip ospf priority 0
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end

Configuration listing (EIGRP)
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 router eigrp 90
  network 123.0.0.1 0.0.0.0
  network 192.168.1.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast dynamic
  no ip next-hop-self eigrp 90
  no ip split-horizon eigrp 90
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
 
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router eigrp 90
  network 123.0.0.2 0.0.0.0
  network 192.168.2.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router eigrp 90
  network 123.0.0.3 0.0.0.0
  network 192.168.3.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
 exit
 
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
 
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end

5.5 Phase 3

5.5.1 Phase requirements

  • Supports a hierarchical model (Hierarchical)
  • Supports communication within the same domain or between different domains
  • On a Spoke, the next hop of a route to a remote Spoke MUST point to the HUB 11
  • The Hub can summarize routes

5.5.2 NHRP message flow

phase3_seq.png

5.5.3 Configuration

Same lab topology as Phase 2 21

5.5.3.1 Initial configuration

Same as Phase 2.

5.5.3.2 Configure the tunnel interface

Two points in the NHRP configuration differ from phase 2:

  1. All Hub devices (in a hierarchical setup) add ip nhrp redirect on top of the phase 2 configuration; it makes the Hub send NHRP Traffic Indication messages to the Spokes
  2. All Spoke devices add ip nhrp shortcut on top of the phase 2 configuration; it makes the Spoke answer an NHRP Traffic Indication with an NHRP Resolution Request

5.5.3.3 Configure dynamic routing

Compared with phase 2, note the following for the dynamic routing configuration:

  • EIGRP

    The Hub must have ip next-hop-self eigrp AS enabled (it is on by default)

  • OSPF

    The network type must be set to P2MP (so that the phase 3 requirement is met: the next hop of routes must point to the Hub)
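
The phase 3 mechanics of 5.5.3.2 and 5.5.3.3 (spoke next hops pointing at the hub, redirect on the hub, shortcut on the spokes, next-hop override installed on the spoke) as a small Python model; this is an added example, not the page's configuration. The tunnel and NBMA addresses are the lab's, while the Router/Dmvpn classes and their behaviour are a constructed simplification of NHRP.

```python
"""Toy model of DMVPN phase-3 forwarding for the lab above (added example,
not part of the original page). Tunnel/NBMA addresses come from the lab;
the model itself (route lookup, redirect, shortcut, next-hop override) is
a constructed simplification written for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Router:
    name: str
    tunnel_ip: str
    nbma: str                                   # tunnel source (physical) address
    redirect: bool = False                      # 'ip nhrp redirect'  (hub side)
    shortcut: bool = False                      # 'ip nhrp shortcut'  (spoke side)
    routes: dict = field(default_factory=dict)  # prefix -> protocol next hop or "connected"
    nhrp: dict = field(default_factory=dict)    # tunnel IP -> NBMA (NHRP cache)
    nho: dict = field(default_factory=dict)     # prefix -> next-hop override ('%' in the RIB)

    def route(self, dst):
        """Longest-prefix match; an NHO entry wins over the protocol next hop."""
        d = ip_address(dst)
        cands = [p for p in self.routes if d in ip_network(p)]
        if not cands:
            return None, None
        p = max(cands, key=lambda x: ip_network(x).prefixlen)
        return p, self.nho.get(p, self.routes[p])


class Dmvpn:
    def __init__(self, routers):
        self.by_tunnel = {r.tunnel_ip: r for r in routers}

    def resolve(self, spoke, hub, dst):
        """NHRP Resolution Request: the NHS relays it to the spoke owning the
        prefix, which answers directly; the requester caches NBMA + prefix."""
        prefix, nh = hub.route(dst)
        owner = self.by_tunnel[nh]
        spoke.nhrp[owner.tunnel_ip] = owner.nbma
        spoke.nho[prefix] = owner.tunnel_ip

    def forward(self, src, dst):
        """Tunnel hops a packet from src takes to dst (compare with the traceroute)."""
        hops, cur, came_via_tunnel = [], src, False
        while True:
            prefix, nh = cur.route(dst)
            if nh == "connected":
                return hops
            if nh is None or nh not in cur.nhrp:
                raise RuntimeError(f"{cur.name}: no route or NHRP mapping for {dst}")
            if came_via_tunnel and cur.redirect and src.shortcut:
                # in and out on the same mGRE tunnel: the hub sends a Traffic
                # Indication and a shortcut-enabled spoke resolves the destination;
                # this packet still transits the hub, later ones take the shortcut
                self.resolve(src, cur, dst)
            hops.append(nh)
            cur, came_via_tunnel = self.by_tunnel[nh], True


def build_lab(r3_shortcut=True):
    """R1 hub, R2/R3 spokes; protocol next hops on the spokes point at the hub,
    as phase 3 requires, and spokes know only the hub's NBMA address at start."""
    hub = Router("R1", "123.0.0.1", "10.1.14.1", redirect=True,
                 routes={"192.168.1.0/24": "connected",
                         "192.168.2.0/24": "123.0.0.2",
                         "192.168.3.0/24": "123.0.0.3"},
                 nhrp={"123.0.0.2": "10.1.24.2", "123.0.0.3": "10.1.34.3"})
    r2 = Router("R2", "123.0.0.2", "10.1.24.2", shortcut=True,
                routes={"192.168.2.0/24": "connected",
                        "192.168.1.0/24": "123.0.0.1",
                        "192.168.3.0/24": "123.0.0.1"},
                nhrp={"123.0.0.1": "10.1.14.1"})
    r3 = Router("R3", "123.0.0.3", "10.1.34.3", shortcut=r3_shortcut,
                routes={"192.168.3.0/24": "connected",
                        "192.168.1.0/24": "123.0.0.1",
                        "192.168.2.0/24": "123.0.0.1"},
                nhrp={"123.0.0.1": "10.1.14.1"})
    return Dmvpn([hub, r2, r3]), hub, r2, r3


if __name__ == "__main__":
    net, hub, r2, r3 = build_lab()
    print("first packet :", net.forward(r2, "192.168.3.1"))   # via the hub
    print("second packet:", net.forward(r2, "192.168.3.1"))   # straight to R3
    print("R2 NHRP cache:", r2.nhrp, "overrides:", r2.nho)
```

Passing r3_shortcut=False to build_lab shows the failure mode of a spoke that lacks ip nhrp shortcut: it keeps hairpinning through the hub and never installs an override.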

5.5.3.4 Configuration listings

Configuration listing (OSPF)
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 router ospf 110
  router-id 1.1.1.1
  network 192.168.1.254 0.0.0.0 area 0
  network 123.0.0.1 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast dynamic
  
  ip nhrp redirect
  ip ospf network point-to-multipoint
  
 exit
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router ospf 110
  router-id 2.2.2.2
  network 192.168.2.254 0.0.0.0 area 0
  network 123.0.0.2 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  
  ip nhrp shortcut
  ip ospf network point-to-multipoint
  ! ip ospf priority 0 ! no DR in p2mp
  
 exit
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router ospf 110
  router-id 3.3.3.3
  network 192.168.3.254 0.0.0.0 area 0
  network 123.0.0.3 0.0.0.0 area 0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  
  ip nhrp shortcut
  ip ospf network point-to-multipoint
  ! ip ospf priority 0
  
 exit
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15 ! define DH group
  lifetime 86400 ! key-update frequency
 exit
 crypto ipsec transform-set MY_SET esp-md5-hmac esp-des
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end

Configuration listing (EIGRP)
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.1.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.14.4
 int tun0
  ip address 123.0.0.1 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
 exit
 router eigrp 90
  network 123.0.0.1 0.0.0.0
  network 192.168.1.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast dynamic
  
  ip nhrp redirect
  ! no ip next-hop-self eigrp 90
  
  no ip split-horizon eigrp 90
 exit
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.24.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.2.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.24.4
 int tun0
  ip address 123.0.0.2 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router eigrp 90
  network 123.0.0.2 0.0.0.0
  network 192.168.2.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip nhrp shortcut
 exit
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.3.254 255.255.255.0
  no sh
 exit
 ip route 0.0.0.0 0.0.0.0 10.1.34.4
 int tun0
  ip address 123.0.0.3 255.255.255.0
  tunnel mode gre multipoint
  tunnel source e0/0
  ip nhrp network-id 123
  ip nhrp nhs 123.0.0.1
  ip nhrp map 123.0.0.1 10.1.14.1
 exit
 router eigrp 90
  network 123.0.0.3 0.0.0.0
  network 192.168.3.254 0.0.0.0
 exit
 int tun0
  ip nhrp map multicast 10.1.14.1
  ip nhrp shortcut
 exit
 crypto keyring MY_KEY_RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key pa55w0rd
 exit
 crypto isakmp policy 10
  authentication pre-share
  hash sha512
  encryption 3des
  group 15
 exit
 crypto ipsec transform-set MY_SET ah-sha256-hmac
  mode transport
 exit
 crypto ipsec profile MY_PROFILE
  set transform-set MY_SET
 exit
 int tun0
  tunnel protection ipsec profile MY_PROFILE
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int e0/0
  ip address 10.1.14.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.24.4 255.255.255.0
  no sh
 exit
 int e0/2
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
end

----------------- PC1 ----------------------
en
conf t
 hostname PC1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.1.254
 int e0/0
  ip address 192.168.1.1 255.255.255.0
  no sh
 exit
end

----------------- PC2 ----------------------
en
conf t
 hostname PC2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.2.254
 int e0/0
  ip address 192.168.2.1 255.255.255.0
  no sh
 exit
end

----------------- PC3 ----------------------
en
conf t
 hostname PC3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.3.254
 int e0/0
  ip address 192.168.3.1 255.255.255.0
  no sh
 exit
end

Check the state
R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.24.4 to network 0.0.0.0

      123.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        123.0.0.1/32 [110/1000] via 123.0.0.1, 00:04:54, Tunnel0
O        123.0.0.3/32 [110/2000] via 123.0.0.1, 00:04:16, Tunnel0
O     192.168.1.0/24 [110/1010] via 123.0.0.1, 00:04:54, Tunnel0
O     192.168.3.0/24 [110/2010] via 123.0.0.1, 00:04:16, Tunnel0
R2#sh ip nhrp
123.0.0.1/32 via 123.0.0.1
   Tunnel0 created 00:00:38, never expire
   Type: static, Flags: used
   NBMA address: 10.1.14.1 ! initially only the Hub entry exists
R2#traceroute 192.168.3.1 source 192.168.2.254
Type escape sequence to abort.
Tracing the route to 192.168.3.1
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *
    123.0.0.1 5 msec ! the first packet goes to the Hub
  2 123.0.0.3 5 msec 5 msec 5 msec
  3 192.168.3.1 14 msec *  6 msec
R2#traceroute 192.168.3.1 source 192.168.2.254
Type escape sequence to abort.
Tracing the route to 192.168.3.1
VRF info: (vrf in name/id, vrf out name/id)
  1 123.0.0.3 5 msec 5 msec 5 msec ! later packets go straight to the Spoke (spoke-to-spoke tunnel is up)
  2 192.168.3.1 5 msec *  6 msec
R2#sh ip nhrp
123.0.0.1/32 via 123.0.0.1
   Tunnel0 created 00:01:18, never expire
   Type: static, Flags: used
   NBMA address: 10.1.14.1
123.0.0.3/32 via 123.0.0.3
   Tunnel0 created 00:00:17, expire 00:09:42
   Type: dynamic, Flags: router nhop rib nho
   NBMA address: 10.1.34.3
192.168.2.0/24 via 123.0.0.2
   Tunnel0 created 00:00:17, expire 00:09:42
   Type: dynamic, Flags: router unique local
   NBMA address: 10.1.24.2
    (no-socket)
192.168.3.0/24 via 123.0.0.3
   Tunnel0 created 00:00:17, expire 00:09:42
   Type: dynamic, Flags: router used rib nho
   NBMA address: 10.1.34.3
R2#sh ip nhrp shortcut
123.0.0.3/32 via 123.0.0.3
   Tunnel0 created 00:04:08, expire 00:05:50
   Type: dynamic, Flags: router nhop rib nho
   NBMA address: 10.1.34.3
192.168.3.0/24 via 123.0.0.3
   Tunnel0 created 00:04:08, expire 00:05:50
   Type: dynamic, Flags: router used rib nho
   NBMA address: 10.1.34.3
R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.24.4 to network 0.0.0.0

      123.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        123.0.0.1/32 [110/1000] via 123.0.0.1, 00:05:20, Tunnel0
O   %    123.0.0.3/32 [110/2000] via 123.0.0.1, 00:04:42, Tunnel0
O     192.168.1.0/24 [110/1010] via 123.0.0.1, 00:05:20, Tunnel0
O   % 192.168.3.0/24 [110/2010] via 123.0.0.1, 00:04:42, Tunnel0
R2#sh ip route next-hop-override
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.1.24.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.24.4
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.24.0/24 is directly connected, Ethernet0/0
L        10.1.24.2/32 is directly connected, Ethernet0/0
      123.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        123.0.0.0/24 is directly connected, Tunnel0
O        123.0.0.1/32 [110/1000] via 123.0.0.1, 01:01:06, Tunnel0
L        123.0.0.2/32 is directly connected, Tunnel0
O   %    123.0.0.3/32 [110/2000] via 123.0.0.1, 01:00:28, Tunnel0
                      [NHO][110/255] via 123.0.0.3, 00:00:24, Tunnel0
O     192.168.1.0/24 [110/1010] via 123.0.0.1, 01:01:06, Tunnel0
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Ethernet0/1
L        192.168.2.254/32 is directly connected, Ethernet0/1
O   % 192.168.3.0/24 [110/2010] via 123.0.0.1, 01:00:28, Tunnel0
                     [NHO][110/255] via 123.0.0.3, 00:00:24, Tunnel0
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.14.1             123.0.0.1    UP 01:05:23     S
     2 10.1.34.3             123.0.0.3    UP 00:04:34   DT2
                             123.0.0.3    UP 00:04:34   DT2

5.5.4 Multi-HUB redundancy (phase 3)

cloud_hubs.png

Figure 23: Lab topology

  • HUB1

    interface Tunnel0
     ip address 10.74.68.1 255.255.255.0
     !
     ip nhrp redirect ! phase 3
     !
     no ip split-horizon eigrp 100 ! needed when using EIGRP
     ip next-hop-self eigrp 100 ! needed when using EIGRP
     !
     ip nhrp map 10.74.68.5 10.1.45.5 ! map the other HUB by hand, otherwise the HUBs cannot form a neighbor relationship (in phase 3 it actually does not matter much if this is left out)
     ip nhrp map multicast 10.1.45.5
     !
     ip ospf network point-to-multipoint  ! needed when using OSPF
     !
     ip nhrp map multicast dynamic
     !
     ip nhrp network-id 123
     tunnel source Ethernet0/1
     tunnel mode gre multipoint
    end
    
  • HUB2

    interface Tunnel0
     ip address 10.74.68.5 255.255.255.0
     ip nhrp redirect
     no ip split-horizon eigrp 100
     ip next-hop-self eigrp 100
     ip nhrp map 10.74.68.1 10.1.14.1
     ip nhrp map multicast 10.1.14.1
     ip ospf network point-to-multipoint
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     tunnel source Ethernet0/1
     tunnel mode gre multipoint
    end
    
  • Spoke2

    interface Tunnel0
     ip address 10.74.68.2 255.255.255.0
     ip nhrp shortcut ! phase 3
     ip nhrp nhs 10.74.68.1 ! specify several HUBs
     ip nhrp nhs 10.74.68.5
     ip nhrp map 10.74.68.5 10.1.45.5 ! unicast mapping
     ip nhrp map multicast 10.1.45.5 ! multicast mapping
     ip nhrp map 10.74.68.1 10.1.14.1
     ip nhrp map multicast 10.1.14.1
     ip nhrp network-id 123
     ip ospf network point-to-multipoint ! needed when using OSPF
     tunnel source Ethernet0/0
     tunnel mode gre multipoint ! phase 3
    end
    

5.5.5 Hierarchical structure (phase 3) 12

This structure usually has several groups of Tunnel interfaces on different subnets, i.e. some routers are both a Hub and a Spoke.

In such a setup several Tunnels are usually built on the same physical interface; to keep their traffic apart, tunnel key Num can give each Tunnel its own number.

hierarchy.png

Figure 24: Lab environment

  • R1(Hub)

    interface Tunnel0
     ip address 1.0.0.1 255.255.255.0
     no ip split-horizon eigrp 90
     ip next-hop-self eigrp 90
     ip nhrp network-id 123
     ip nhrp redirect
     ip nhrp map multicast dynamic
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel key 123
    end
    
  • R2(Hub/Spoke)

    interface Tunnel0
     ip address 1.0.0.2 255.255.255.0
     ip nhrp map 1.0.0.1 10.1.15.1
     ip nhrp map multicast 10.1.15.1
     ip nhrp network-id 123
     ip nhrp nhs 1.0.0.1
     ip nhrp shortcut
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel key 123
    end
    !
    interface Tunnel1
     ip address 2.0.0.2 255.255.255.0
     no ip split-horizon eigrp 91
     ip next-hop-self eigrp 91
     ip nhrp network-id 321
     ip nhrp redirect
     ip nhrp map multicast dynamic
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel key 321
    end
    
  • R3(Spoke)

    interface Tunnel0
     ip address 2.0.0.3 255.255.255.0
     ip nhrp map 2.0.0.2 10.1.25.2
     ip nhrp map multicast 10.1.25.2
     ip nhrp network-id 321
     ip nhrp nhs 2.0.0.2
     ip nhrp shortcut
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel key 321
    end
    

tunnel_key.png

Figure 25: Tunnel Key

6 MPLS VPN 13 , 14 , 15

6.1 Route Distinguisher (RD)

  • RD is a 96-bit value in the format AS:anyNumber or IP:anyNumber
  • RD is prepended to the IP prefix and lets a router tell apart identical routes from different sources. RD+IP is the vpnv4 address
  • Each VRF is assigned one RD; a different inner label is generated per RD (effectively one inner label per VRF) to distinguish the VPNs (when a PE receives a packet carrying only the inner label, it knows which VRF interface to send it to)

6.2 Route Target

RT is a 64-bit value carried as a BGP Extended Community. Think of it as a tag put on the CE's routes: when the tag on the receiving side matches the one on the sending side, the route is accepted.
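
How RD and RT work together for the two VRFs of the lab in 6.3, as a worked Python example added here (not the page's own configuration or IOS code). The RD byte layout follows RFC 4364 (type 0 = AS:number, type 1 = IP:number); VRF names, RDs, RTs and the overlapping CE prefix 172.16.1.1/32 are the lab's, while the PE class is a constructed model of export/import.

```python
"""RD and RT worked example for the lab in 6.3 (added here; not the page's own
configuration). RD encoding follows RFC 4364 (type 0 = AS:number, type 1 =
IP:number); VRF names, RDs, RTs and CE prefixes are those of the lab, and the
PE class is a constructed model of export/import, not IOS code."""
import struct
from ipaddress import IPv4Address


def encode_rd(rd):
    """Encode 'AS:N' (type 0) or 'A.B.C.D:N' (type 1) into the 8-byte RD."""
    admin, num = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!HIH", 1, int(IPv4Address(admin)), int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))


def vpnv4_key(rd, prefix):
    """RD + prefix = VPNv4 address: identical CE prefixes stay distinct."""
    net, plen = prefix.split("/")
    return encode_rd(rd) + IPv4Address(net).packed + bytes([int(plen)])


class PE:
    """PE with VRFs: a route leaves with the VRF's export RTs and is imported
    into every VRF whose import set shares at least one RT with it."""

    def __init__(self, name):
        self.name = name
        self.vrfs = {}  # vrf name -> {"rd", "export", "import", "table"}

    def add_vrf(self, vrf, rd, export=(), import_=(), both=()):
        self.vrfs[vrf] = {"rd": rd, "export": set(export) | set(both),
                          "import": set(import_) | set(both), "table": {}}

    def export(self, vrf, prefix, pe_next_hop):
        """VPNv4 update for a CE route learned in 'vrf'."""
        v = self.vrfs[vrf]
        return {"key": vpnv4_key(v["rd"], prefix), "prefix": prefix,
                "rt": frozenset(v["export"]), "next_hop": pe_next_hop}

    def receive(self, update):
        """Import into each VRF whose import RTs match; return the VRF names hit."""
        hit = []
        for name, v in self.vrfs.items():
            if v["import"] & update["rt"]:
                v["table"][update["prefix"]] = update["next_hop"]
                hit.append(name)
        return hit


def lab():
    """PE R2 and PE R5 as in the 'Configure VRF' listing."""
    r2, r5 = PE("R2"), PE("R5")
    r2.add_vrf("RED", "65000:100", export=["100:100"], import_=["100:100"])
    r2.add_vrf("BLUE", "65000:200", both=["200:200"])
    r5.add_vrf("RED", "65000:100", both=["100:100"])
    r5.add_vrf("BLUE", "65000:200", both=["200:200"])
    return r2, r5


if __name__ == "__main__":
    r2, r5 = lab()
    # R7 (RED) and R1 (BLUE) both hand R2 the same prefix 172.16.1.1/32
    red = r2.export("RED", "172.16.1.1/32", "2.2.2.2")
    blue = r2.export("BLUE", "172.16.1.1/32", "2.2.2.2")
    print("RED  vpnv4 key:", red["key"].hex(), "-> imported into", r5.receive(red))
    print("BLUE vpnv4 key:", blue["key"].hex(), "-> imported into", r5.receive(blue))
```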

6.3 Lab

mpls_vpn.png

Figure 26: Lab environment

Initial basic configuration
----------------- R1 ----------------------
en
conf t
hostname R1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.12.1 255.255.255.0
 no sh
 exit
end

----------------- R2 ----------------------
en
conf t
hostname R2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
 exit
int e0/0
 ip address 192.168.23.2 255.255.255.0
 no sh
 exit
int e0/2
 ip address 192.168.27.2 255.255.255.0
 no sh
 exit
int e0/3
 ip address 192.168.12.2 255.255.255.0
 no sh
 exit
end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int e0/0
 ip address 192.168.23.3 255.255.255.0
 no sh
 exit
int e0/1
 ip address 192.168.34.3 255.255.255.0
 no sh
 exit
end

----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int e0/0
 ip address 192.168.45.4 255.255.255.0
 no sh
 exit
int e0/1
 ip address 192.168.34.4 255.255.255.0
 no sh
 exit
end

----------------- R5 ----------------------
en
conf t
hostname R5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 5.5.5.5 255.255.255.255
 exit
int e0/1
 ip address 192.168.45.5 255.255.255.0
 no sh
 exit
int e0/2
 ip address 192.168.58.5 255.255.255.0
 no sh
 exit
int e0/3
 ip address 192.168.56.5 255.255.255.0
 no sh
 exit
end
----------------- R6 ----------------------
en
conf t
hostname R6
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 6.6.6.6 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.56.6 255.255.255.0
 no sh
 exit
end
----------------- R7 ----------------------
en
conf t
hostname R7
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 7.7.7.7 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.27.7 255.255.255.0
 no sh
 exit
end
----------------- R8 ----------------------
en
conf t
hostname R8
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 8.8.8.8 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.58.8 255.255.255.0
 no sh
 exit
end

Configure VRF
----------------- R1 ----------------------
en
conf t
hostname R1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.12.1 255.255.255.0
 no sh
 exit
end

----------------- R2 ----------------------
en
conf t
hostname R2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit

ip vrf RED
 rd 65000:100
 route-target export 100:100 ! routes in vrf will be sent with 100:100
 route-target import 100:100 ! this vrf will ONLY receive routes with 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200 ! 'both' is a shortcut for 'export/import 200:200'
 exit

int lo0
 ip address 2.2.2.2 255.255.255.255
 exit
int e0/0
 ip address 192.168.23.2 255.255.255.0
 no sh
 exit

int e0/2
 ip vrf forwarding RED
 ip address 192.168.27.2 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.12.2 255.255.255.0
 no sh
 exit

end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int e0/0
 ip address 192.168.23.3 255.255.255.0
 no sh
 exit
int e0/1
 ip address 192.168.34.3 255.255.255.0
 no sh
 exit
end

----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int e0/0
 ip address 192.168.45.4 255.255.255.0
 no sh
 exit
int e0/1
 ip address 192.168.34.4 255.255.255.0
 no sh
 exit
end

----------------- R5 ----------------------
en
conf t
hostname R5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit

ip vrf RED
 rd 65000:100
 route-target both 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200
 exit

int lo0
 ip address 5.5.5.5 255.255.255.255
 exit
int e0/1
 ip address 192.168.45.5 255.255.255.0
 no sh
 exit

int e0/2
 ip vrf forwarding RED
 ip address 192.168.58.5 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.56.5 255.255.255.0
 no sh
 exit

end
----------------- R6 ----------------------
en
conf t
hostname R6
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 6.6.6.6 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.56.6 255.255.255.0
 no sh
 exit
end
----------------- R7 ----------------------
en
conf t
hostname R7
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 7.7.7.7 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.27.7 255.255.255.0
 no sh
 exit
end
----------------- R8 ----------------------
en
conf t
hostname R8
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 8.8.8.8 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.58.8 255.255.255.0
 no sh
 exit
end

Enable MPLS
----------------- R1 ----------------------
en
conf t
hostname R1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.12.1 255.255.255.0
 no sh
 exit
end

----------------- R2 ----------------------
en
conf t
hostname R2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
ip vrf RED
 rd 65000:100
 route-target export 100:100 ! routes in vrf will be sent with 100:100
 route-target import 100:100 ! this vrf will ONLY receive routes with 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200 ! 'both' is a shortcut for 'export/import 200:200'
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.2 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding RED
 ip address 192.168.27.2 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.12.2 255.255.255.0
 no sh
 exit

router ospf 110
 router-id 22.22.22.22
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
 exit

end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.3 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.3 255.255.255.0
 no sh
 exit

router ospf 110
 router-id 33.33.33.33
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
 network 192.168.34.3 0.0.0.0 area 0
 exit

end

----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.45.4 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.4 255.255.255.0
 no sh
 exit

router ospf 110
 router-id 44.44.44.44
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.45.4 0.0.0.0 area 0
 network 192.168.34.4 0.0.0.0 area 0
 exit

end

----------------- R5 ----------------------
en
conf t
hostname R5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
ip vrf RED
 rd 65000:100
 route-target both 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200
 exit
int lo0
 ip address 5.5.5.5 255.255.255.255
 exit
int e0/1
 mpls ip
 ip address 192.168.45.5 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding RED
 ip address 192.168.58.5 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.56.5 255.255.255.0
 no sh
 exit

router ospf 110
 router-id 55.55.55.55
 network 5.5.5.5 0.0.0.0 area 0
 network 192.168.45.5 0.0.0.0 area 0
 exit

end
----------------- R6 ----------------------
en
conf t
hostname R6
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 6.6.6.6 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.56.6 255.255.255.0
 no sh
 exit
end
----------------- R7 ----------------------
en
conf t
hostname R7
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 7.7.7.7 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.27.7 255.255.255.0
 no sh
 exit
end
----------------- R8 ----------------------
en
conf t
hostname R8
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 8.8.8.8 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.58.8 255.255.255.0
 no sh
 exit
end

Configure MP-BGP

BGP is normally used to exchange IPv4 routes. Besides IPv4, it can also be configured for VPN (the vpnv4 address family) to exchange VRF routes.

----------------- R1 ----------------------
en
conf t
hostname R1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.12.1 255.255.255.0
 no sh
 exit
end

----------------- R2 ----------------------
en
conf t
hostname R2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
ip vrf RED
 rd 65000:100
 route-target export 100:100 ! routes in vrf will be sent with 100:100
 route-target import 100:100 ! this vrf will ONLY receive routes with 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200 ! 'both' is a shortcut for 'export/import 200:200'
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.2 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding RED
 ip address 192.168.27.2 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.12.2 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 22.22.22.22
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
 exit

router bgp 65000
 bgp router-id 22.22.22.22
 no bgp default ipv4-unicast
 neighbor 5.5.5.5 remote-as 65000
 neighbor 5.5.5.5 update-source lo0

 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community
  exit-address-family
 exit

end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.3 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 33.33.33.33
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
 network 192.168.34.3 0.0.0.0 area 0
 exit
end

----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.45.4 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.4 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 44.44.44.44
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.45.4 0.0.0.0 area 0
 network 192.168.34.4 0.0.0.0 area 0
 exit
end

----------------- R5 ----------------------
en
conf t
hostname R5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
ip vrf RED
 rd 65000:100
 route-target both 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200
 exit
int lo0
 ip address 5.5.5.5 255.255.255.255
 exit
int e0/1
 mpls ip
 ip address 192.168.45.5 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding RED
 ip address 192.168.58.5 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.56.5 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 55.55.55.55
 network 5.5.5.5 0.0.0.0 area 0
 network 192.168.45.5 0.0.0.0 area 0
 exit

router bgp 65000
 bgp router-id 55.55.55.55
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 65000
 neighbor 2.2.2.2 update-source lo0

 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community
  exit-address-family
 exit

end
----------------- R6 ----------------------
en
conf t
hostname R6
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 6.6.6.6 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.56.6 255.255.255.0
 no sh
 exit
end
----------------- R7 ----------------------
en
conf t
hostname R7
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 7.7.7.7 255.255.255.255
 exit
int lo1
 ip address 172.16.1.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.27.7 255.255.255.0
 no sh
 exit
end
----------------- R8 ----------------------
en
conf t
hostname R8
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 8.8.8.8 255.255.255.255
 exit
int lo1
 ip address 172.16.2.1 255.255.255.255
 exit
int e0/0
 ip address 192.168.58.8 255.255.255.0
 no sh
 exit
end

VRF IGP configuration
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
  exit
 int lo1
  ip address 172.16.1.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.12.1 255.255.255.0
  no sh
  exit
 
 router eigrp 90
  network 172.16.1.1 0.0.0.0
  network 192.168.12.1 0.0.0.0
 exit
 
end

----------------- R2 ----------------------
en
conf t
hostname R2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
ip vrf RED
 rd 65000:100
 route-target export 100:100 ! routes in vrf will be sent with 100:100
 route-target import 100:100 ! this vrf will ONLY receive routes with 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200 ! 'both' is a shortcut for 'export/import 200:200'
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.2 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding RED
 ip address 192.168.27.2 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.12.2 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 22.22.22.22
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
 exit

router ospf 111 vrf RED ! configure OSPF under vrf
 router-id 22.22.22.22
 network 192.168.27.2 0.0.0.0 area 0
 exit


router eigrp 1
 address-family ipv4 vrf BLUE
  autonomous-system 90 ! must specify AS when configuring EIGRP under vrf
  network 192.168.12.2 0.0.0.0
  exit
 exit

router bgp 65000
 bgp router-id 22.22.22.22
 no bgp default ipv4-unicast
 neighbor 5.5.5.5 remote-as 65000
 neighbor 5.5.5.5 update-source lo0

 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community
  exit-address-family
 exit
end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.3 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 33.33.33.33
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
 network 192.168.34.3 0.0.0.0 area 0
 exit
end

----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.45.4 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.4 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 44.44.44.44
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.45.4 0.0.0.0 area 0
 network 192.168.34.4 0.0.0.0 area 0
 exit
end

----------------- R5 ----------------------
en
conf t
hostname R5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
ip vrf RED
 rd 65000:100
 route-target both 100:100
 exit
ip vrf BLUE
 rd 65000:200
 route-target both 200:200
 exit
int lo0
 ip address 5.5.5.5 255.255.255.255
 exit
int e0/1
 mpls ip
 ip address 192.168.45.5 255.255.255.0
 no sh
 exit
int e0/2
 ip vrf forwarding RED
 ip address 192.168.58.5 255.255.255.0
 no sh
 exit
int e0/3
 ip vrf forwarding BLUE
 ip address 192.168.56.5 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 55.55.55.55
 network 5.5.5.5 0.0.0.0 area 0
 network 192.168.45.5 0.0.0.0 area 0
 exit

router ospf 111 vrf RED ! configure OSPF under vrf
 router-id 55.55.55.55
 network 192.168.58.5 0.0.0.0 area 0
 exit


router eigrp 1
 address-family ipv4 vrf BLUE
  autonomous-system 90 ! must specify AS when configuring EIGRP under vrf
  network 192.168.56.5 0.0.0.0
  exit
 exit

router bgp 65000
 bgp router-id 55.55.55.55
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 65000
 neighbor 2.2.2.2 update-source lo0

 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community
  exit-address-family
 exit
end
----------------- R6 ----------------------
en
conf t
 hostname R6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 6.6.6.6 255.255.255.255
  exit
 int lo1
  ip address 172.16.2.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.56.6 255.255.255.0
  no sh
  exit
 
 router eigrp 90
  network 172.16.2.1 0.0.0.0
  network 192.168.56.6 0.0.0.0
 exit
 
end
----------------- R7 ----------------------
en
conf t
 hostname R7
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 7.7.7.7 255.255.255.255
  exit
 int lo1
  ip address 172.16.1.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.27.7 255.255.255.0
  no sh
  exit
 
 router ospf 110
  router-id 77.77.77.77
  network 172.16.1.1 0.0.0.0 area 0
  network 192.168.27.7 0.0.0.0 area 0
 exit
 
end
----------------- R8 ----------------------
en
conf t
 hostname R8
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 8.8.8.8 255.255.255.255
  exit
 int lo1
  ip address 172.16.2.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.58.8 255.255.255.0
  no sh
  exit
 
 router ospf 110
  router-id 88.88.88.88
  network 172.16.2.1 0.0.0.0 area 0
  network 192.168.58.8 0.0.0.0 area 0
 exit
 
end

Redistribution
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
  exit
 int lo1
  ip address 172.16.1.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.12.1 255.255.255.0
  no sh
  exit
 router eigrp 90
  network 172.16.1.1 0.0.0.0
  network 192.168.12.1 0.0.0.0
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 ip cef
 ip vrf RED
  rd 65000:100
  route-target export 100:100 ! routes in vrf will be sent with 100:100
  route-target import 100:100 ! this vrf will ONLY receive routes with 100:100
  exit
 ip vrf BLUE
  rd 65000:200
  route-target both 200:200 ! 'both' is a shortcut for 'export/import 200:200'
  exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
  exit
 int e0/0
  mpls ip
  ip address 192.168.23.2 255.255.255.0
  no sh
  exit
 int e0/2
  ip vrf forwarding RED
  ip address 192.168.27.2 255.255.255.0
  no sh
  exit
 int e0/3
  ip vrf forwarding BLUE
  ip address 192.168.12.2 255.255.255.0
  no sh
  exit
 router ospf 110
  router-id 22.22.22.22
  network 2.2.2.2 0.0.0.0 area 0
  network 192.168.23.2 0.0.0.0 area 0
  exit
 router ospf 111 vrf RED ! configure OSPF under vrf
  router-id 22.22.22.22
  network 192.168.27.2 0.0.0.0 area 0
  redistribute bgp 65000 metric 1
  exit
 router eigrp 1
  address-family ipv4 vrf BLUE
   autonomous-system 90 ! must specify AS when configuring EIGRP under vrf
   network 192.168.12.2 0.0.0.0
   redistribute bgp 65000 metric 1 0 0 1 1
   exit
  exit
 router bgp 65000
  bgp router-id 22.22.22.22
  no bgp default ipv4-unicast
  neighbor 5.5.5.5 remote-as 65000
  neighbor 5.5.5.5 update-source lo0
  address-family vpnv4
   neighbor 5.5.5.5 activate
   neighbor 5.5.5.5 send-community
  exit-address-family
  
  address-family ipv4 vrf RED ! check with 'sh ip bgp vpnv4 vrf RED'
   neighbor 5.5.5.5 activate
   redistribute ospf 111 metric 1
  exit-address-family
  
  
  address-family ipv4 vrf BLUE
   neighbor 5.5.5.5 activate
   redistribute eigrp 90
  exit-address-family
  
 exit
end

----------------- R3 ----------------------

en
conf t
hostname R3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 3.3.3.3 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.23.3 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 33.33.33.33
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
 network 192.168.34.3 0.0.0.0 area 0
 exit
end

----------------- R4 ----------------------

en
conf t
hostname R4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
ip cef
int lo0
 ip address 4.4.4.4 255.255.255.255
 exit
int e0/0
 mpls ip
 ip address 192.168.45.4 255.255.255.0
 no sh
 exit
int e0/1
 mpls ip
 ip address 192.168.34.4 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 44.44.44.44
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.45.4 0.0.0.0 area 0
 network 192.168.34.4 0.0.0.0 area 0
 exit
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 ip cef
 ip vrf RED
  rd 65000:100
  route-target both 100:100
  exit
 ip vrf BLUE
  rd 65000:200
  route-target both 200:200
  exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
  exit
 int e0/1
  mpls ip
  ip address 192.168.45.5 255.255.255.0
  no sh
  exit
 int e0/2
  ip vrf forwarding RED
  ip address 192.168.58.5 255.255.255.0
  no sh
  exit
 int e0/3
  ip vrf forwarding BLUE
  ip address 192.168.56.5 255.255.255.0
  no sh
  exit
 router ospf 110
  router-id 55.55.55.55
  network 5.5.5.5 0.0.0.0 area 0
  network 192.168.45.5 0.0.0.0 area 0
  exit
 router ospf 111 vrf RED ! configure OSPF under vrf
  router-id 55.55.55.55
  network 192.168.58.5 0.0.0.0 area 0
  redistribute bgp 65000 metric 1
  exit
 router eigrp 1
  address-family ipv4 vrf BLUE
   autonomous-system 90 ! must specify AS when configuring EIGRP under vrf
   network 192.168.56.5 0.0.0.0
   redistribute bgp 65000 metric 1 0 0 1 1
   exit
  exit
 router bgp 65000
  bgp router-id 55.55.55.55
  no bgp default ipv4-unicast
  neighbor 2.2.2.2 remote-as 65000
  neighbor 2.2.2.2 update-source lo0
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community
   exit-address-family
  
  address-family ipv4 vrf RED
   neighbor 2.2.2.2 activate
   redistribute ospf 111 metric 1
  exit-address-family
  
  
  address-family ipv4 vrf BLUE
   neighbor 2.2.2.2 activate
   redistribute eigrp 90
  exit-address-family
  
 exit
end
----------------- R6 ----------------------
en
conf t
 hostname R6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 6.6.6.6 255.255.255.255
  exit
 int lo1
  ip address 172.16.2.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.56.6 255.255.255.0
  no sh
  exit
 router eigrp 90
  network 172.16.2.1 0.0.0.0
  network 192.168.56.6 0.0.0.0
 exit
end
----------------- R7 ----------------------
en
conf t
 hostname R7
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 7.7.7.7 255.255.255.255
  exit
 int lo1
  ip address 172.16.1.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.27.7 255.255.255.0
  no sh
  exit
 router ospf 110
  router-id 77.77.77.77
  network 172.16.1.1 0.0.0.0 area 0
  network 192.168.27.7 0.0.0.0 area 0
 exit
end
----------------- R8 ----------------------
en
conf t
 hostname R8
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
  exit
 int lo0
  ip address 8.8.8.8 255.255.255.255
  exit
 int lo1
  ip address 172.16.2.1 255.255.255.255
  exit
 int e0/0
  ip address 192.168.58.8 255.255.255.0
  no sh
  exit
 router ospf 110
  router-id 88.88.88.88
  network 172.16.2.1 0.0.0.0 area 0
  network 192.168.58.8 0.0.0.0 area 0
 exit
end

6.3.1 Analysis

R2 LFIB and FIB
R2#sh mpls forwarding-table ! LFIB, consulted when traffic flows PE=>CE
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         16         4.4.4.4/32       0             Et0/0      192.168.23.3
17         Pop Label  3.3.3.3/32       0             Et0/0      192.168.23.3
18         17         192.168.45.0/24  0             Et0/0      192.168.23.3
19         Pop Label  192.168.34.0/24  0             Et0/0      192.168.23.3
20         18         5.5.5.5/32       0             Et0/0      192.168.23.3
21         No Label   172.16.1.1/32[V] 0             Et0/2      192.168.27.7
22         No Label   192.168.27.0/24[V]   \
                                       0             aggregate/RED
23         No Label   172.16.1.1/32[V] 0             Et0/3      192.168.12.1
24         No Label   192.168.12.0/24[V]   \
                                       0             aggregate/BLUE
R2#sh ip cef vrf RED 172.16.2.1 ! FIB, consulted when traffic flows CE=>PE to decide which labels to push
172.16.2.1/32
  nexthop 192.168.23.3 Ethernet0/0 label 18-(local:20) 22 ! outer label 18, inner label 22; 22 is the label R5 allocated locally for 172.16.2.1/32 (the outer label is what the ISP's MPLS routers use)
R2#sh ip cef vrf BLUE 172.16.2.1
172.16.2.1/32
  nexthop 192.168.23.3 Ethernet0/0 label 18-(local:20) 24
R5 LFIB and FIB
R5#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         Pop Label  4.4.4.4/32       0             Et0/1      192.168.45.4
18         16         3.3.3.3/32       0             Et0/1      192.168.45.4
19         19         2.2.2.2/32       0             Et0/1      192.168.45.4
20         17         192.168.23.0/24  0             Et0/1      192.168.45.4
21         Pop Label  192.168.34.0/24  0             Et0/1      192.168.45.4
22         No Label   172.16.2.1/32[V] 114           Et0/2      192.168.58.8
23         No Label   192.168.58.0/24[V]   \
                                       0             aggregate/RED
24         No Label   172.16.2.1/32[V] 0             Et0/3      192.168.56.6
25         No Label   192.168.56.0/24[V]   \
                                       0             aggregate/BLUE
R5#sh ip cef vrf RED 172.16.1.1
172.16.1.1/32
  nexthop 192.168.45.4 Ethernet0/1 label 19-(local:19) 21
R5#sh ip cef vrf BLUE 172.16.1.1
172.16.1.1/32
  nexthop 192.168.45.4 Ethernet0/1 label 19-(local:19) 23
R5#
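An added example, not from the original page: the Python below parses R5's `sh mpls forwarding-table` rows (wrapped lines included) and R2's `sh ip cef vrf` label stacks, then walks a packet for 172.16.2.1 from R2 through R3 and R4 to R5 in both VRFs, showing that the VPN label (22 vs 24), not the destination IP, selects the egress VRF and interface. The R3 and R4 LFIBs are constructed because the page does not show them; the R3 swap value and the R4 PHP pop are assumptions.

```python
import re

# R2's VRF FIB lookups, copied from the 'sh ip cef vrf ...' output above.
R2_CEF = {
    ("RED", "172.16.2.1"): "nexthop 192.168.23.3 Ethernet0/0 label 18-(local:20) 22",
    ("BLUE", "172.16.2.1"): "nexthop 192.168.23.3 Ethernet0/0 label 18-(local:20) 24",
}

# R5's LFIB, copied from 'sh mpls forwarding-table' above (raw string keeps IOS's '\' wraps).
R5_LFIB = r"""
17         Pop Label  4.4.4.4/32       0             Et0/1      192.168.45.4
18         16         3.3.3.3/32       0             Et0/1      192.168.45.4
19         19         2.2.2.2/32       0             Et0/1      192.168.45.4
20         17         192.168.23.0/24  0             Et0/1      192.168.45.4
21         Pop Label  192.168.34.0/24  0             Et0/1      192.168.45.4
22         No Label   172.16.2.1/32[V] 114           Et0/2      192.168.58.8
23         No Label   192.168.58.0/24[V]   \
                                       0             aggregate/RED
24         No Label   172.16.2.1/32[V] 0             Et0/3      192.168.56.6
25         No Label   192.168.56.0/24[V]   \
                                       0             aggregate/BLUE
"""

R5_VRF_OF_INTERFACE = {"Et0/2": "RED", "Et0/3": "BLUE"}  # from R5's 'ip vrf forwarding' lines

# Constructed (not on the page): R3 swaps the transport label for 5.5.5.5/32; R4, the
# penultimate hop, pops it (PHP), so R5 receives only the VPN label.
P_LFIBS = [("R3", {18: 17}), ("R4", {17: "Pop Label"})]

LFIB_ROW = re.compile(
    r"^(\d+)\s+(\d+|Pop Label|No Label)\s+(\S+)\s+\d+\s+(\S+)(?:\s+(\S+))?$")
CEF_LABELS = re.compile(r"nexthop (\S+) (\S+) label (\d+)-\(local:\d+\) (\d+)")


def parse_lfib(text):
    """Parse 'show mpls forwarding-table' rows into {local_label: entry}."""
    table, pending = {}, ""
    for line in text.strip().splitlines():
        line = line.strip()
        if line.endswith("\\"):            # long prefix wrapped onto the next line
            pending = line[:-1]
            continue
        local, out, prefix, iface, nexthop = LFIB_ROW.match(
            (pending + " " + line).strip()).groups()
        pending = ""
        table[int(local)] = {"out_label": out, "prefix": prefix,
                             "interface": iface, "nexthop": nexthop}
    return table


def ingress_push(vrf, dst):
    """Ingress PE (R2): the VRF FIB yields the [transport, VPN] label stack."""
    nexthop, iface, outer, inner = CEF_LABELS.search(R2_CEF[(vrf, dst)]).groups()
    return [int(outer), int(inner)], f"{iface} -> {nexthop}"


def p_switch(lfib, stack):
    """P router: swap or pop only the top (transport) label; VPN label untouched."""
    action = lfib[stack[0]]
    return stack[1:] if action == "Pop Label" else [action] + stack[1:]


def egress_lookup(lfib, stack):
    """Egress PE (R5): the VPN label alone selects VRF, interface and next hop."""
    entry = lfib[stack[0]]
    assert entry["out_label"] == "No Label", "top label is not a VPN label"
    iface = entry["interface"]
    return {"vrf": R5_VRF_OF_INTERFACE[iface], "interface": iface,
            "nexthop": entry["nexthop"], "prefix": entry["prefix"]}


def trace(vrf, dst="172.16.2.1"):
    """Follow one packet R2 -> R3 -> R4 -> R5; return per-hop stacks and R5's decision."""
    stack, _via = ingress_push(vrf, dst)
    hops = [("R2 push", list(stack))]
    for name, lfib in P_LFIBS:
        stack = p_switch(lfib, stack)
        hops.append((name, list(stack)))
    return hops, egress_lookup(parse_lfib(R5_LFIB), stack)
```

Calling `trace("RED")` and `trace("BLUE")` gives identical outer labels but different VPN labels, and R5 hands the two packets to different CE-facing interfaces.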
Packet capture analysis

R7#ping 172.16.2.1 source 172.16.1.1 repeat 1

pcap files: R2/e0/0, R3/e0/0, R3/e0/1

  • R2 e0/0
    • ICMP Request

      Frame

      r2e00_send.png

    • ICMP Reply

      Frame

      r2e00_recv.png

  • R3 e0/0
    • ICMP Request

      Frame

      r3e00_request.png

    • ICMP Reply

      Frame

      r3e00_reply.png

  • R3 e0/1
    • ICMP Request

      Frame

      r3e01_request.png

    • ICMP Reply

      Frame

      r3e01_reply.png

Footnotes:

1

The drawback is that static routes are usually required and dynamic routing protocols cannot be used; GRE over IPsec solves this problem.

3

Applies to ESP only; AH encapsulation does not support NAT. This feature is enabled by default.

10

Some of the labs are not configured with IPSec, to make the packet captures easier to read.

11

"Must" here means that only when these requirements are met does the phase deliver its full benefit; if they are not met the network can still communicate, but it effectively degrades to a lower phase.

12

That is, a multi-cloud, multi-hub environment; "cloud" here refers to the subnet the tunnel interfaces sit on, which can also be understood as the mGRE network/segment.

13

Requires the carrier to take part in building the private routing, offers QoS guarantees, and keeps the CE-side configuration simple.

Author: Hao Ruan (ruanhao1116@gmail.com)

Created: 2021-05-29 Sat 17:00

Updated: 2022-05-03 Tue 11:40

Emacs 27.2 (Org mode 9.4.4)