When deploying an IPSec VPN you often run into overlapping internal address ranges. A typical case is one company acquiring another: both companies' internal networks use the same subnet. If the IPSec VPN is built the ordinary way, the engineer has to renumber the acquired company's internal network, which makes network management harder. The sections below combine NAT with IPSec so that the IPSec VPN works without changing either internal address scheme.
This document walks through the configuration with the example below; the network structure is shown in the topology diagram.
In this environment, interconnecting two internal networks that share the same address range requires NAT inside the IPSec VPN tunnel to translate the addresses. From the headquarters' point of view, the branch's internal subnet is translated to 10.1.1.0/24; from the branch's point of view, the headquarters' internal subnet is translated to 10.2.2.0/24.
With NAT enabled inside the VPN tunnel, when headquarters accesses resources on the branch network the destination subnet is 10.1.1.0/24; when the branch accesses resources on the headquarters network the destination subnet is 10.2.2.0/24.
Translating addresses inside the tunnel is what lets the IPSec VPN interconnect the two overlapping networks, and the NAT translation only has to be configured on one router.
ip nat inside source static network 192.168.1.0 10.2.2.0 /24
ip nat outside source static network 192.168.1.0 10.1.1.0 /24
This translates the headquarters' internal network to 10.2.2.0/24 and the branch's internal network to 10.1.1.0/24. When headquarters accesses the branch, the source address is in 192.168.1.0/24 and the destination in 10.1.1.0/24; when the branch accesses headquarters, the source address is in 192.168.1.0/24 and the destination in 10.2.2.0/24.
The full configuration is as follows:
RA#sh running-config
Building configuration...
Current configuration : 1365 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp key 123 address 99.9.9.10
!
!
crypto ipsec transform-set *** esp-des esp-md5-hmac
!
crypto map map1 10 ipsec-isakmp
set peer 99.9.9.10
set transform-set ***
match address 110
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
!
interface Serial1/0
ip address 99.9.9.9 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map map1
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip route 10.1.1.0 255.255.255.0 Serial1/0
no ip http server
no ip http secure-server
!
!
ip nat inside source static network 172.16.1.0 10.2.2.0 /24
ip nat outside source static network 172.16.1.0 10.1.1.0 /24
!
logging alarm informational
access-list 110 permit ip 10.2.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
RB#sh running-config
Building configuration...
Current configuration : 1166 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp key 123 address 99.9.9.9
!
!
crypto ipsec transform-set *** esp-des esp-md5-hmac
!
crypto map map1 10 ipsec-isakmp
set peer 99.9.9.9
set transform-set ***
match address 110
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex half
!
interface Serial1/0
ip address 99.9.9.10 255.255.255.252
serial restart-delay 0
crypto map map1
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip route 10.2.2.0 255.255.255.0 Serial1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
RA#ping 10.1.1.1 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 144/211/272 ms
RA#ping 10.1.1.1 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/181/308 ms
RA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
99.9.9.10 99.9.9.9 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
RA#sh crypto ipsec sa
interface: Serial1/0
Crypto map tag: map1, local addr 99.9.9.9
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 99.9.9.10 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 99.9.9.9, remote crypto endpt.: 99.9.9.10
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x4E5895BC(1314428348)
inbound esp sas:
spi: 0x7110C730(1896924976)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4424986/3587)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4E5895BC(1314428348)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4424986/3586)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
RB#ping 10.2.2.1 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/196/224 ms
RA#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.1.1.1           172.16.1.1
---  ---                ---                10.1.1.0           172.16.1.0
icmp 10.2.2.1:0         172.16.1.1:0       10.1.1.1:0         172.16.1.1:0
icmp 10.2.2.1:1         172.16.1.1:1       10.1.1.1:1         172.16.1.1:1
icmp 10.2.2.1:2         172.16.1.1:2       10.1.1.1:2         172.16.1.1:2
icmp 10.2.2.1:3         172.16.1.1:3       10.1.1.1:3         172.16.1.1:3
icmp 10.2.2.1:4         172.16.1.1:4       10.1.1.1:4         172.16.1.1:4
icmp 10.2.2.1:5         172.16.1.1:5       10.1.1.1:5         172.16.1.1:5
icmp 10.2.2.1:8         172.16.1.1:8       10.1.1.1:8         172.16.1.1:8
icmp 10.2.2.1:9         172.16.1.1:9       10.1.1.1:9         172.16.1.1:9
icmp 10.2.2.1:10        172.16.1.1:10      10.1.1.1:10        172.16.1.1:10
---  10.2.2.1           172.16.1.1         ---                ---
---  10.2.2.0           172.16.1.0         ---                -
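Putting the explanation at the top of the page together with RA's running configuration and the `sh ip nat translations` output above, the following Python script is an added example written for this page (not Cisco code and not part of the original post). It models the twice NAT that RA performs inside the tunnel and the crypto ACL match in both directions. The addresses, the two `ip nat ... source static network` statements and `access-list 110` are taken from RA's and RB's configurations; the order of operations it assumes is IOS's documented one (inside-to-outside NAT runs before the crypto map evaluates its ACL, and decryption runs before outside-to-inside NAT). IKE, the static route and RB's forwarding are simplified to a direct delivery, and the function and variable names are this example's own.

```python
"""Simulate RA's twice NAT inside the IPsec tunnel (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Addresses taken from the running configurations on the page.
HQ_LAN = "172.16.1.0/24"               # real HQ subnet: inside local on RA
HQ_AS_SEEN_BY_BRANCH = "10.2.2.0/24"   # inside global on RA
BRANCH_LAN = "172.16.1.0/24"           # real branch subnet: outside global on RA
BRANCH_AS_SEEN_BY_HQ = "10.1.1.0/24"   # outside local on RA

# access-list 110 on each router, expressed as (source net, destination net).
RA_CRYPTO_ACL = [(HQ_AS_SEEN_BY_BRANCH, BRANCH_LAN)]   # permit ip 10.2.2.0/24 172.16.1.0/24
RB_CRYPTO_ACL = [(BRANCH_LAN, HQ_AS_SEEN_BY_BRANCH)]   # permit ip 172.16.1.0/24 10.2.2.0/24


def rewrite(addr: str, from_net: str, to_net: str) -> str:
    """'ip nat ... source static network' semantics: swap the prefix, keep the host bits."""
    a = ipaddress.IPv4Address(addr)
    f = ipaddress.ip_network(from_net)
    t = ipaddress.ip_network(to_net)
    if a not in f:
        return addr                    # no matching entry: the address passes untouched
    return str(t.network_address + (int(a) - int(f.network_address)))


def acl_permits(pkt: Packet, acl) -> bool:
    """True when some (src net, dst net) pair of the crypto ACL matches the packet."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


def ra_inside_to_outside(pkt: Packet, crypto_acl=RA_CRYPTO_ACL):
    """Packet from Fa0/0 heading out S1/0. IOS translates inside-to-outside before the
    crypto map evaluates its ACL, so the ACL must be written with post-NAT addresses.
    Returns the translated packet and whether the crypto map would encrypt it."""
    translated = Packet(
        src=rewrite(pkt.src, HQ_LAN, HQ_AS_SEEN_BY_BRANCH),       # inside local -> inside global
        dst=rewrite(pkt.dst, BRANCH_AS_SEEN_BY_HQ, BRANCH_LAN),   # outside local -> outside global
    )
    return translated, acl_permits(translated, crypto_acl)


def ra_outside_to_inside(pkt: Packet) -> Packet:
    """Decrypted packet arriving on S1/0: NAT runs after decryption, in the reverse direction."""
    return Packet(
        src=rewrite(pkt.src, BRANCH_LAN, BRANCH_AS_SEEN_BY_HQ),   # outside global -> outside local
        dst=rewrite(pkt.dst, HQ_AS_SEEN_BY_BRANCH, HQ_LAN),       # inside global -> inside local
    )


def hq_ping_round_trip(hq_host: str, branch_target: str):
    """Echo from an HQ host to a branch host (as HQ names it) and the echo reply back.
    Returns what leaves RA encrypted, the reply RB sends, and what the HQ host finally sees."""
    on_wire, encrypted = ra_inside_to_outside(Packet(hq_host, branch_target))
    if not encrypted:
        raise RuntimeError(f"{on_wire} would leave S1/0 in cleartext: crypto ACL did not match")
    # RB does no NAT: it decrypts and delivers into its own 172.16.1.0/24, then the branch
    # host answers by swapping the addresses it saw.
    reply = Packet(src=on_wire.dst, dst=on_wire.src)
    if not acl_permits(reply, RB_CRYPTO_ACL):
        raise RuntimeError(f"RB would send {reply} in cleartext: crypto ACL did not match")
    return on_wire, reply, ra_outside_to_inside(reply)


if __name__ == "__main__":
    # Same exchange as "RA#ping 10.1.1.1 source 172.16.1.1" on the page.
    out, back, seen = hq_ping_round_trip("172.16.1.1", "10.1.1.1")
    print("encrypted toward RB :", out)    # 10.2.2.1 -> 172.16.1.1
    print("reply from branch   :", back)   # 172.16.1.1 -> 10.2.2.1
    print("seen by HQ host     :", seen)   # 10.1.1.1 -> 172.16.1.1
```

The three printed packets line up with one row of the `sh ip nat translations` table (inside global 10.2.2.1, inside local 172.16.1.1, outside local 10.1.1.1, outside global 172.16.1.1). The check worth keeping from this is the `encrypted` flag: calling `ra_inside_to_outside` with an ACL written in pre-NAT terms (172.16.1.0/24 to 10.1.1.0/24) returns `False`, which on the real router means the translated packet is routed out Serial1/0 without IPsec protection rather than being dropped.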