CCNP Lab: IPsec Encryption of GRE Tunnel Traffic



Because IPsec can encrypt unicast traffic only, we use a GRE tunnel to wrap broadcast and multicast packets inside a unicast packet, which IPsec can then encrypt.
The GRE tunnel has to be configured before the IPsec configuration. The GRE tunnel configuration on R1:
R1:
interface tunnel0
ip address 192.168.3.1 255.255.255.0
tunnel source s1/1
tunnel destination 192.1.1.20
exit
interface s1/1
ip address 192.1.1.40 255.255.255.0
ip access-group perimeter in
exit
interface lo0
ip address 192.168.1.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.1.1.20
!Here I make the head office's internal backbone Area 0, and the tunnel segment and the branch office's internal network Area 1
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 1
exit
ip access-list extended perimeter
permit udp host 192.1.1.20 host 192.1.1.40 eq 500
permit esp host 192.1.1.20 host 192.1.1.40
permit gre host 192.1.1.20 host 192.1.1.40
deny ip any any
exit
R2:
interface tunnel0
ip address 192.168.3.2 255.255.255.0
tunnel source s1/0
tunnel destination 192.1.1.40
exit
interface s1/0
ip address 192.1.1.20 255.255.255.0
ip access-group perimeter in
exit
interface lo0
ip address 192.168.2.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.1.1.40
router ospf 1
network 192.168.2.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 1
exit
ip access-list extended perimeter
permit udp host 192.1.1.40 host 192.1.1.20 eq 500
permit esp host 192.1.1.40 host 192.1.1.20
permit gre host 192.1.1.40 host 192.1.1.20
deny ip any any
exit
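The following is an added example, not part of the lab, that shows in code what the GRE tunnel above does and how the perimeter access list treats what arrives on the serial link. It builds the unicast GRE packet that R1's Tunnel0 would emit for a multicast OSPF hello (the reason the lab needs GRE at all), then evaluates it, together with constructed IKE, ESP and Telnet packets from the same peer, against R2's perimeter ACL as written during testing and after the lab's later cleanup step that removes the plain GRE permit. The addresses are the lab's; the OSPF payload, the other packets and the small first-match ACL evaluator are constructed here and cover only the ACL syntax the lab uses.

```python
"""Added example, not part of the lab: build the unicast GRE packet R1's Tunnel0
would put on the serial link for a multicast OSPF hello, and run it, with a few
other constructed packets, through R2's 'perimeter' access list.  The addresses
are the lab's; the payloads and the small ACL evaluator are constructed here."""
import ipaddress
import struct

GRE, ESP, UDP, TCP, OSPF = 47, 50, 17, 6, 89
PROTO_NAMES = {"ip": None, "gre": GRE, "esp": ESP, "udp": UDP, "tcp": TCP}

def checksum(data):
    """One's-complement sum used for the IPv4 header checksum; 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header, no options, with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """RFC 2784 GRE with no optional fields (flags/version 0, protocol 0x0800 = IPv4).
    The outer header is unicast between the tunnel endpoints whatever the inner destination is."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(outer_src, outer_dst, GRE, 4 + len(inner_packet)) + gre + inner_packet

def parse_outer(packet):
    """(src, dst, protocol, transport dst port or None) of the outermost IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    proto = packet[9]
    port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] if proto in (UDP, TCP) else None
    return src, dst, proto, port

def inner_destination(gre_packet):
    """Destination of the IPv4 packet carried inside a plain GRE packet."""
    ihl = (gre_packet[0] & 0x0F) * 4
    return parse_outer(gre_packet[ihl + 4:])[1]

def _addr(tokens):
    """Consume 'any' or 'host X' from the front of a rule; None stands for any."""
    tok = tokens.pop(0)
    return None if tok == "any" else tokens.pop(0)

def parse_acl(text):
    """Parse the 'permit|deny <proto> (any|host A) (any|host B) [eq N]' subset the lab uses."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                              # 'ip access-list ...', 'exit'
        action, proto, rest = tokens[0], PROTO_NAMES[tokens[1]], tokens[2:]
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def acl_action(rules, packet):
    """First matching entry wins, then the implicit deny an IOS ACL ends with."""
    src, dst, proto, port = parse_outer(packet)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if all(r is None or r == v for r, v in ((r_proto, proto), (r_src, src), (r_dst, dst), (r_port, port))):
            return action
    return "deny"

# Constructed OSPF hello from R1's Tunnel0 address to AllSPFRouters; the payload bytes are a stub.
OSPF_HELLO = ipv4_header("192.168.3.1", "224.0.0.5", OSPF, 8, ttl=1) + b"\x02\x01\x00\x08\x00\x00\x00\x00"
# What R2 sees inbound on s1/0 from R1 (lab addresses; IKE, ESP and Telnet payloads are stubs).
LAB_PACKETS = {
    "gre": gre_encapsulate("192.1.1.40", "192.1.1.20", OSPF_HELLO),
    "ike": ipv4_header("192.1.1.40", "192.1.1.20", UDP, 8) + struct.pack("!HHHH", 500, 500, 8, 0),
    "esp": ipv4_header("192.1.1.40", "192.1.1.20", ESP, 8) + b"\x00" * 8,
    "telnet": ipv4_header("192.1.1.40", "192.1.1.20", TCP, 20) + struct.pack("!HH", 40000, 23) + b"\x00" * 16,
}
R2_PERIMETER_TESTING = """ip access-list extended perimeter
permit udp host 192.1.1.40 host 192.1.1.20 eq 500
permit esp host 192.1.1.40 host 192.1.1.20
permit gre host 192.1.1.40 host 192.1.1.20
deny ip any any"""
# After the lab's final 'no permit gre ...' only IKE and ESP may enter from the peer.
R2_PERIMETER_FINAL = R2_PERIMETER_TESTING.replace("permit gre host 192.1.1.40 host 192.1.1.20\n", "")

def evaluate(acl_text, packets=LAB_PACKETS):
    """Map each sample packet name to the ACL's verdict."""
    rules = parse_acl(acl_text)
    return {name: acl_action(rules, pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    print("outer:", parse_outer(LAB_PACKETS["gre"]), "inner dst:", inner_destination(LAB_PACKETS["gre"]))
    print("while testing:", evaluate(R2_PERIMETER_TESTING))
    print("after cleanup:", evaluate(R2_PERIMETER_FINAL))
```

The outer header of the GRE packet is plain unicast between 192.1.1.40 and 192.1.1.20 while the inner destination is 224.0.0.5, which is exactly why the crypto ACL in the IPsec section can select the tunnel traffic with a single `permit gre host ... host ...` entry. Once the testing-time GRE permit is gone, a cleartext GRE packet from the peer address is dropped and only IKE (UDP 500) and ESP reach the router from outside.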
    GRE隧道建立好后,就可以進行IPSEC配置了:
    R1上的配置:
    crypto isakmp enable
    crypto isakmp identity address
    crypto isakmp policy 10
    encryption aes
    authentication pre-share
    group 2
    hash sha
    exit
    crypto isakmp key cisco123 address 192.1.1.20 no-xauth
    !IPSEC只對進入GRE隧道的流量進行加密
    ip access-list extended ToR2
    permit gre host 192.1.1.40 host 192.1.1.20
    exit
    !這里的GRE隧道是點對點模式的,所以傳輸集應使用傳輸模式
    crypto ipsec transform-set trans esp-aes esp-sha-hmac
    mode transport
    exit
    crypto map mymap 10 ipsec-isakmp
    match address ToR2
    set transform-set trans
    set peer 192.1.1.20
    exit
    interface s1/1
    crypto map mymap
    exit
    !最后別忘記刪除測試隧道時建立的流量:
    ip access-list extended perimeter
    no permit gre host 192.1.1.20 host 192.1.1.40
    R2上的配置:
    crypto isakmp enable
    crypto isakmp identity address
    crypto isakmp policy 10
    encryption aes
    authentication pre-share
    group 2
    hash sha
    exit
    crypto isakmp key cisco123 address 192.1.1.40 no-xauth
    ip access-list extended ToR1
    permit gre host 192.1.1.20 host 192.1.1.40
    exit
    crypto ipsec transform-set trans esp-aes esp-sha-hmac
    mode transport
    exit
    crypto map mymap 10 ipsec-isakmp
    match address ToR1
    set transform-set trans
    set peer 192.1.1.40
    exit
    interface s1/0
    crypto map mymap
    exit
    ip access-list extended perimeter
    no permit gre host 192.1.1.40 host 192.1.1.20
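The two configurations above have to be mirror images of each other in several places at once (tunnel destination, `set peer`, the ISAKMP key address, the crypto ACL, the perimeter ACL), and a single mistyped octet in any of them leaves the tunnel down or, worse, up but unencrypted. The following added example, not part of the lab, is a small consistency check over both sides. It embeds R1's configuration reduced to the statements the checks read, derives R2's side by mirroring the addresses the way the lab's R2 config mirrors R1's, and also constructs one broken variant in which the testing-time `permit gre` was never removed from R2's perimeter ACL. The parser and the checks are written here for this subset of IOS syntax and take interface names as typed in the lab (`s1/1`) rather than the expanded form a running config would show.

```python
"""Added example, not from the lab: a consistency check across the two routers'
GRE-over-IPsec configuration.  R1 is reduced to the lab's statements the checks
read; R2 is derived by mirroring the addresses, as the lab's R2 config is.  The
parser and checks are written here for this subset of IOS syntax and take the
interface names as typed in the lab ('s1/1'), not the expanded running-config form."""
R1 = """interface tunnel0
 tunnel source s1/1
 tunnel destination 192.1.1.20
interface s1/1
 ip address 192.1.1.40 255.255.255.0
 ip access-group perimeter in
 crypto map mymap
ip access-list extended perimeter
 permit udp host 192.1.1.20 host 192.1.1.40 eq 500
 permit esp host 192.1.1.20 host 192.1.1.40
 deny ip any any
crypto isakmp key cisco123 address 192.1.1.20 no-xauth
ip access-list extended ToR2
 permit gre host 192.1.1.40 host 192.1.1.20
crypto ipsec transform-set trans esp-aes esp-sha-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 match address ToR2
 set peer 192.1.1.20
"""

def mirror(text, a, b):
    """Swap two addresses; used to derive R2's side of the lab from R1's."""
    return text.replace(a, "\x00").replace(b, a).replace("\x00", b)

R2 = mirror(R1, "192.1.1.40", "192.1.1.20").replace("s1/1", "s1/0").replace("ToR2", "ToR1")
# Constructed mistake: the testing-time 'permit gre' left in R2's perimeter ACL,
# i.e. the lab's last step ('no permit gre ...') forgotten.
R2_LEFTOVER_GRE = R2.replace(" deny ip any any", " permit gre host 192.1.1.40 host 192.1.1.20\n deny ip any any")

def parse_ios(text):
    """Collect the statements the checks need; context is the last section-opening line."""
    cfg = {"interfaces": {}, "acls": {}, "keys": {}, "map": {}, "mode": None}
    kind = ctx = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            kind, ctx = "if", cfg["interfaces"].setdefault(w[1].lower(), {})
        elif w[:2] == ["crypto", "map"] and len(w) > 3:      # 'crypto map mymap 10 ipsec-isakmp'
            kind, ctx = "map", cfg["map"]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            kind = "ts"
        elif w[:2] == ["ip", "access-list"]:
            kind, ctx = "acl", cfg["acls"].setdefault(w[3], [])
        elif w[:3] == ["crypto", "isakmp", "key"]:           # crypto isakmp key <secret> address <peer>
            cfg["keys"][w[5]] = w[3]
        elif kind in ("if", "map") and len(w) >= 3:          # 'tunnel source s1/1', 'set peer X', ...
            ctx[" ".join(w[:2])] = w[2]
        elif kind == "ts" and w[0] == "mode":
            cfg["mode"] = w[1]
        elif kind == "acl" and w[0] in ("permit", "deny"):
            ctx.append(" ".join(w))
    return cfg

def tunnel_view(cfg):
    """Reduce a parsed config to the values the pair check compares."""
    tun = next(i for n, i in cfg["interfaces"].items() if n.startswith("tunnel"))
    wan = cfg["interfaces"][tun["tunnel source"].lower()]
    peer = cfg["map"].get("set peer")
    return {"wan_ip": wan.get("ip address"), "tunnel_dst": tun.get("tunnel destination"),
            "map_on_wan": "crypto map" in wan, "peer": peer, "key": cfg["keys"].get(peer),
            "crypto_acl": cfg["acls"].get(cfg["map"].get("match address"), []),
            "perimeter": cfg["acls"].get(wan.get("ip access-group"), []), "mode": cfg["mode"]}

def check_pair(text_a, text_b):
    """Return the problems found between the two sides; an empty list means they agree."""
    sides = {"A": tunnel_view(parse_ios(text_a)), "B": tunnel_view(parse_ios(text_b))}
    problems = []
    for name, me in sides.items():
        other = sides["B" if name == "A" else "A"]
        if me["tunnel_dst"] != other["wan_ip"] or me["peer"] != other["wan_ip"]:
            problems.append(f"{name}: tunnel destination and set peer must both be {other['wan_ip']}")
        if not me["map_on_wan"]:
            problems.append(f"{name}: crypto map is not applied on the tunnel source interface")
        if me["key"] is None:
            problems.append(f"{name}: no pre-shared key configured for peer {me['peer']}")
        if f"permit gre host {me['wan_ip']} host {other['wan_ip']}" not in me["crypto_acl"]:
            problems.append(f"{name}: crypto ACL does not select GRE to {other['wan_ip']}")
        for want in (f"permit udp host {other['wan_ip']} host {me['wan_ip']} eq 500",
                     f"permit esp host {other['wan_ip']} host {me['wan_ip']}"):
            if want not in me["perimeter"]:
                problems.append(f"{name}: perimeter ACL lacks '{want}'")
        if any(e.startswith("permit gre") for e in me["perimeter"]):
            problems.append(f"{name}: perimeter ACL still admits cleartext GRE")
    if sides["A"]["key"] != sides["B"]["key"]:
        problems.append("pre-shared keys differ")
    if sides["A"]["mode"] != sides["B"]["mode"]:
        problems.append(f"transform-set modes differ: {sides['A']['mode']} vs {sides['B']['mode']}")
    return problems

if __name__ == "__main__":
    print("lab pair:", check_pair(R1, R2) or "consistent")
    print("cleanup forgotten:", check_pair(R1, R2_LEFTOVER_GRE))
```

Run against the lab pair the check returns no problems; against the variant with the leftover permit it reports that R2 still admits cleartext GRE. The same check flags a one-digit typo in an ESP or IKE permit in the perimeter ACL, a `set peer` that does not match the other side's serial address, or a crypto map left off the tunnel source interface, which are the cases that otherwise only show up as a tunnel that stays down or a `show crypto` session that never forms.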
Testing the lab:
r1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.1.1.20 to network 0.0.0.0
C 192.1.1.0/24 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/11112] via 192.168.3.2, 00:00:17, Tunnel0
C 192.168.3.0/24 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 192.1.1.20
Ping PC2 from R1:
r1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/84 ms
Ping PC2 from PC1:
r1#ping 192.168.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/55/104 ms
As you can see, whether the traffic goes from PC1 to PC2 or from R1 to PC2, as long as it passes through the tunnel it is encapsulated and encrypted by IPsec, and both pings to PC2 succeed!