Dynamic p2p GRE over IPsec

[Topology figure: R1 (192.168.1.0/24) - R2 (static public IP 23.23.23.2) - Internet - R4 (public IP obtained by DHCP from 34.34.34.0/24, Loopback0 4.4.4.4) - R5 (192.168.2.0/24); p2p GRE tunnel 1.1.1.0/24 between R2 and R4]
We will use the topology in the figure above to demonstrate Dynamic p2p GRE over IPsec. The figure shows the networks of two companies, one in Shanghai and one in Wuhan. Shanghai needs secure site-to-site connectivity with Wuhan, and the two sides must exchange their internal prefixes over the dynamic routing protocol EIGRP, so we need a p2p GRE tunnel between the two sites' routers and then p2p GRE over IPsec to protect the traffic inside the tunnel. The complication is that the Wuhan router's Internet-facing interface has no fixed public IP address; it obtains its address via DHCP, which makes building the GRE tunnel awkward. We therefore configure Dynamic p2p GRE over IPsec to solve that problem.
Configuration steps:
====================R1============================
en
conf t
line con 0
no exec-t
exit
host R1
int f0/0
no sh
ip add 192.168.1.1 255.255.255.0
end
====================R2============================
en
conf t
line con 0
no exec-t
exit
host R2
int f0/0
no sh
ip add 192.168.1.2 255.255.255.0
int f1/0
no sh
ip add 23.23.23.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 23.23.23.3
interface Tunnel2
no sh
ip address 1.1.1.2 255.255.255.0
tunnel source 23.23.23.2
tunnel destination 4.4.4.4
exit
Dynamic crypto map configuration (R2 has the static public IP, so it uses a dynamic crypto map and a wildcard pre-shared key)
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
! R4's public address is not known in advance, so the key is bound to 0.0.0.0 0.0.0.0:
! any peer that knows this key may start ISAKMP with R2
R2(config)#crypto isakmp key 6 d*** address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exit
! Dynamic map: no peer and no match ACL, the remote side proposes the traffic selectors
R2(config)#crypto dynamic-map mymap 10
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#exit
R2(config)#crypto map mymap1 10 ipsec-isakmp dynamic mymap
R2(config)#crypto map mymap1 local-address FastEthernet1/0
R2(config)#int f1/0
R2(config-if)#crypto map mymap1
R2(config-if)#exit
R2(config)#router eigrp 100
R2(config-router)#no auto-summary
R2(config-router)#network 1.1.1.2 0.0.0.0
R2(config-router)#network 192.168.1.2 0.0.0.0
R2(config-router)#exit
=====================Internet==========================
en
conf t
line con 0
no exec-t
exit
host Internet
int f0/0
no sh
ip add 23.23.23.3 255.255.255.0
int f1/0
no sh
ip add 34.34.34.3 255.255.255.0
Internet(config)#service dhcp
Internet(config)#ip dhcp pool TEL
Internet(dhcp-config)#network 34.34.34.0 255.255.255.0
Internet(dhcp-config)#default-router 34.34.34.3
Internet(dhcp-config)#exit
Internet(config)#ip dhcp excluded-address 34.34.34.3
Internet(config)#end
======================R4================================
en
conf t
line con 0
no exec-t
exit
host R4
int f1/0
no sh
ip add dhcp
int f0/0
no sh
ip add 192.168.2.4 255.255.255.0
int lo 0
no sh
ip add 4.4.4.4 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 34.34.34.3
interface Tunnel4
no sh
ip address 1.1.1.4 255.255.255.0
tunnel source lo 0
tunnel destination 23.23.23.2
exit
ip route 192.168.1.0 255.255.255.0 Tunnel4
Static crypto map configuration (R4 gets its public IP by DHCP but knows R2's fixed address, so it uses a static crypto map)
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#hash sha
R4(config-isakmp)#group 2
R4(config-isakmp)#lifetime 86400
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 6 d*** address 23.23.23.2
R4(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R4(cfg-crypto-trans)#exit
! Interesting traffic: GRE from the tunnel source (Loopback0, 4.4.4.4) to R2's public address
R4(config)#access-list 100 permit gre host 4.4.4.4 host 23.23.23.2
R4(config)#crypto map mymap1 10 ipsec-isakmp
R4(config-crypto-map)#set peer 23.23.23.2
R4(config-crypto-map)#set transform-set myset
R4(config-crypto-map)#match address 100
R4(config-crypto-map)#exit
! The crypto map binds to the DHCP-addressed Internet interface (f1/0 in this config), not to Loopback0.
! The show output later on this page reports that interface as FastEthernet0/0; use whichever interface holds the DHCP address in your lab.
R4(config)#crypto map mymap1 local-address FastEthernet1/0
R4(config)#int f1/0
R4(config-if)#crypto map mymap1
R4(config-if)#exit
R4(config)#router eigrp 100
R4(config-router)#no auto-summary
R4(config-router)#network 1.1.1.4 0.0.0.0
R4(config-router)#network 192.168.2.4 0.0.0.0
R4(config-router)#exit
===========================R5==============================
en
conf t
line con 0
no exec-t
exit
host R5
int f0/0
no sh
ip add 192.168.2.5 255.255.255.0
 
Lab verification:
R2#sh ip int tunnel 2
Tunnel2 is up, line protocol is up
  Internet address is 1.1.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
R4#sh ip int tunnel 4
Tunnel4 is up, line protocol is up
  Internet address is 1.1.1.4/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
R2#sh crypto isakmp peers
Peer: 34.34.34.1 Port: 500 Local: 23.23.23.2
 Phase1 id: 34.34.34.1
R2#sh crypto ipsec sa
interface: FastEthernet1/0
    Crypto map tag: mymap1, local addr 23.23.23.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 34.34.34.1 port 500
     PERMIT, flags={}
    #pkts encaps: 373, #pkts encrypt: 373, #pkts digest: 373
    #pkts decaps: 331, #pkts decrypt: 331, #pkts verify: 331
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 23.23.23.2, remote crypto endpt.: 34.34.34.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x30A2273A(815933242)
     inbound esp sas:
      spi: 0xFBFBD275(4227584629)
        transform: esp-3des esp-sha-hmac ,
R4#sh crypto isakmp peers
Peer: 23.23.23.2 Port: 500 Local: 34.34.34.1
 Phase1 id: 23.23.23.2
R4#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: mymap1, local addr 34.34.34.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   current_peer 23.23.23.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
    #pkts decaps: 394, #pkts decrypt: 394, #pkts verify: 394
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 34.34.34.1, remote crypto endpt.: 23.23.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xFBFBD275(4227584629)
     inbound esp sas:
      spi: 0x30A2273A(815933242)
        transform: esp-3des esp-sha-hmac ,
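As an added check (example code written for this page, not part of the original lab), the Python below parses the two "show crypto ipsec sa" excerpts above and cross-checks them the way a reviewer would: the proxy identities must be host/GRE (protocol 47) and mirror each other, each side's outbound SPI must equal the other side's inbound SPI, and the outer crypto endpoints must pair up. It also reports where a tunnel source differs from the crypto endpoint (R4's Loopback0 4.4.4.4 sitting behind its DHCP address 34.34.34.1, which is exactly how the dynamic side works in this design), non-zero error counters, and the 3DES/SHA-1 transform set. The finding codes and the LEGACY algorithm list are my own naming; the SA text is copied from the page's output.

```python
import re

# Excerpts copied from the page's "show crypto ipsec sa" output (R2 = static
# public IP, R4 = DHCP public IP). Only the lines the checks need are kept.
R2_SA = """\
interface: FastEthernet1/0
    Crypto map tag: mymap1, local addr 23.23.23.2
   local  ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 34.34.34.1 port 500
    #send errors 0, #recv errors 0
     local crypto endpt.: 23.23.23.2, remote crypto endpt.: 34.34.34.1
     current outbound spi: 0x30A2273A(815933242)
     inbound esp sas:
      spi: 0xFBFBD275(4227584629)
        transform: esp-3des esp-sha-hmac ,
"""

R4_SA = """\
interface: FastEthernet0/0
    Crypto map tag: mymap1, local addr 34.34.34.1
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   current_peer 23.23.23.2 port 500
    #send errors 1, #recv errors 0
     local crypto endpt.: 34.34.34.1, remote crypto endpt.: 23.23.23.2
     current outbound spi: 0xFBFBD275(4227584629)
     inbound esp sas:
      spi: 0x30A2273A(815933242)
        transform: esp-3des esp-sha-hmac ,
"""

GRE = 47
HOST_MASK = "255.255.255.255"
# Transforms a reviewer would flag today (constructed list, not from the page).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
_ENDPT = re.compile(r"local crypto endpt\.: ([\d.]+), remote crypto endpt\.: ([\d.]+)")
_OUT_SPI = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")
_IN_SPI = re.compile(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)")
_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")
_TRANSFORM = re.compile(r"transform: ([\w\- ]+?)\s*,")


def parse_sa(text):
    """Pull the fields that matter for a GRE-over-IPsec SA out of one peer's output."""
    sa = {}
    for m in _IDENT.finditer(text):
        side, addr, mask, prot, port = m.groups()
        sa[side + "_ident"] = (addr, mask, int(prot), int(port))
    sa["local_endpt"], sa["remote_endpt"] = _ENDPT.search(text).groups()
    sa["outbound_spi"] = _OUT_SPI.search(text).group(1).lower()
    sa["inbound_spi"] = _IN_SPI.search(text).group(1).lower()
    send, recv = _ERRORS.search(text).groups()
    sa["send_errors"], sa["recv_errors"] = int(send), int(recv)
    sa["transform"] = _TRANSFORM.search(text).group(1).split()
    return sa


def check_pair(a, b):
    """Cross-check the two ends of one tunnel. Returns a list of (code, detail)."""
    findings = []
    for name, sa in (("A", a), ("B", b)):
        for side in ("local_ident", "remote_ident"):
            addr, mask, prot, _port = sa[side]
            if mask != HOST_MASK or prot != GRE:
                findings.append(("NON_GRE_IDENT", f"{name} {side} {addr}/{mask} proto {prot}"))
        # On the DHCP side the tunnel is sourced from a loopback, so the proxy
        # identity (4.4.4.4) differs from the outer crypto endpoint (34.34.34.1).
        if sa["local_ident"][0] != sa["local_endpt"]:
            findings.append(("LOOPBACK_SOURCE",
                             f"{name} tunnel {sa['local_ident'][0]} behind endpoint {sa['local_endpt']}"))
        if sa["send_errors"] or sa["recv_errors"]:
            findings.append(("ERRORS", f"{name} send={sa['send_errors']} recv={sa['recv_errors']}"))
        legacy = sorted(t for t in sa["transform"] if t in LEGACY)
        if legacy:
            findings.append(("LEGACY_TRANSFORM", f"{name} {' '.join(legacy)}"))
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append(("IDENT_MISMATCH", "proxy identities are not mirror images"))
    if a["outbound_spi"] != b["inbound_spi"] or a["inbound_spi"] != b["outbound_spi"]:
        findings.append(("SPI_MISMATCH", "outbound/inbound SPIs do not pair up"))
    if a["local_endpt"] != b["remote_endpt"] or a["remote_endpt"] != b["local_endpt"]:
        findings.append(("ENDPT_MISMATCH", "crypto endpoints do not pair up"))
    return findings


def codes(findings):
    """Distinct finding codes, sorted, for quick comparison."""
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    for code, detail in check_pair(parse_sa(R2_SA), parse_sa(R4_SA)):
        print(f"{code:18} {detail}")
```

Run against the page's own output the script reports only the R4 loopback-behind-DHCP-address case, R4's single send error, and the legacy 3DES/SHA-1 transform on both ends; an identity, SPI or endpoint mismatch would point at a crypto map or ACL error such as a wrong tunnel source in the interesting-traffic ACL.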
Lab analysis and testing:
R1#ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/234/340 ms
R5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/264/352 ms
  • When two sites need secure connectivity and must exchange internal prefixes over a dynamic routing protocol, a GRE tunnel is required, and GRE over IPsec is used to protect the traffic inside it.
  • Even when the p2p GRE tunnel interface shows up/up it cannot be used as is: when a p2p GRE tunnel is built between a static-IP side and a dynamic-IP side, the p2p GRE interface will not work unless p2p GRE over IPsec is configured.
  • In a Dynamic p2p GRE over IPsec setup, traffic must first be sent from the dynamic-IP side toward the static-IP side; otherwise the GRE tunnel cannot be established and the tunnel never comes up. The static side only has a dynamic crypto map and a wildcard pre-shared key, so it learns the dynamic side's public address when that side initiates ISAKMP and cannot start the negotiation itself. You can confirm this yourself by testing.