P2P GRE over IPSec (Part 1)
Static P2P GRE over IPSec
1. Topology

(Topology diagram not reproduced in this text. From the configuration that follows: R5 in the Shanghai LAN 15.15.15.0/24 sits behind R1, whose f0/0 is in 15.15.15.0/24 and whose f1/0 is 16.16.16.1; R6 at 16.16.16.6 is the transit router between the sites; R2, with f0/0 at 26.26.26.2, fronts the Beijing LAN 23.23.23.0/24 where R3 is 23.23.23.3; the GRE tunnel uses 1.1.1.1 on R1 and 1.1.1.2 on R2.)
2. Steps

2.1 Configure the IP addresses according to the topology; a default route is used to reach the remote public address.

2.2 Configure Static P2P GRE over IPSec

1. On R1, configure a P2P GRE tunnel whose endpoint is R2:

R1(config)#int tunnel 1
R1(config-if)#ip
*Mar 1 00:32:01.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#tunnel source 16.16.16.1
R1(config-if)#tunnel destination 26.26.26.2
R1(config-if)#ex
R1(config)#
*Mar 1 00:32:57.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config)#

2. On R2, configure a P2P GRE tunnel whose endpoint is R1:

R2(config)#int tunnel 2
R2(config-if)#ip add
*Oct 19 10:48:22.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
R2(config-if)#ip add 1.1.1.2 255.255.255.0
R2(config-if)#tunnel source 26.26.26.2
R2(config-if)#tunnel destination 16.16.16.1
R2(config-if)#ex
R2(config)#
*Oct 19 10:49:01.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
R2(config)#

3. On R1, configure an ordinary LAN-to-LAN VPN. The crypto ACL matches only GRE (IP protocol 47) between the two tunnel endpoints, so whatever is carried inside the tunnel is protected once it has been GRE-encapsulated:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#au p
R1(config-isakmp)#en 3
R1(config-isakmp)#ha s
R1(config-isakmp)#gr 2
R1(config-isakmp)#ex
R1(config)#cry isakmp key 0 cisco123 add 26.26.26.2
R1(config)#cry ipsec transf myset esp-3 esp-sha-h
R1(cfg-crypto-trans)#ex
R1(config)#access-list 100 permit gre
R1(config)#access-list 100 permit gre host 16.16.16.1 host 26.26.26.2
R1(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 26.26.26.2
R1(config-crypto-map)#set transf myset
R1(config-crypto-map)#match add 100
R1(config-crypto-map)#ex
R1(config)#int f1/0
R1(config-if)#cry map l2l
R1(config-if)#
*Mar 1 00:39:48.803: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#

4. Configure IPSec on R2 in the same way as on R1:

R2(config)#cry isakmp policy 1
R2(config-isakmp)#en 3
R2(config-isakmp)#au p
R2(config-isakmp)#ha s
R2(config-isakmp)#gr 2
R2(config-isakmp)#ex
R2(config)#cry isakmp key 0 cisco123 add 16.16.16.1
R2(config)#cry ipsec transf myset esp-3 esp-sha-h
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 per gre host 26.26.26.2 host 16.16.16.1
R2(config)#cry map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set trans myset
R2(config-crypto-map)#match add 100
R2(config-crypto-map)#ex
R2(config)#int f0/0
R2(config-if)#cry map l2l
R2(config-if)#
*Oct 19 10:58:14.127: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
3. Verification

3.1 Test P2P GRE over IPSec:

1. Send traffic from R1 to R2 to bring up the tunnel:

R1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/106/136 ms
R1#

2. View the IKE SA peer on R1:

R1#show cry isakmp peers
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
 Phase1 id: 26.26.26.2
R1#

Note: the IKE SA has been established. R1's local address is 16.16.16.1 and the peer address is 26.26.26.2, i.e. the public addresses, not the GRE tunnel addresses.

3. View the IKE SA on R1:

R1#show cry isakmp sa
dst             src             state          conn-id slot status
26.26.26.2      16.16.16.1      QM_IDLE              1    0 ACTIVE

4. View the IPSec SA on R1:

R1#show cry ipsec sa
interface: FastEthernet1/0
    Crypto map tag: l2l, local addr 16.16.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
   current_peer 26.26.26.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0xC181AF65(3246501733)

     inbound esp sas:
      spi: 0xC82371EC(3357766124)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4558627/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC181AF65(3246501733)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4558627/3349)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:

     outbound pcp sas:
R1#

Note: the IPSec SA is ACTIVE, and the protected packets are those exchanged between the public addresses both sides use to build the GRE tunnel (proxy identities 16.16.16.1/32 and 26.26.26.2/32, protocol 47).

5. Test LAN-to-LAN communication from Shanghai 15.15.15.0 to Beijing 23.23.23.0:

R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#

Note: at this point IPSec only protects the GRE traffic between the two public addresses; the LAN prefixes are not part of the SA, and R1 has no route yet that sends 23.23.23.0 into the tunnel, so LAN-to-LAN communication fails. A dynamic routing protocol over the tunnel is therefore needed.

3.2 Configure the dynamic routing protocol EIGRP on both sides to exchange LAN routes:

R1(config)#router eigrp 1
R1(config-router)#net 1.1.1.1 0.0.0.0
R1(config-router)#net 15.15.15.0 0.0.0.255
R1(config-router)#no au
R1(config-router)#ex
R1(config)#

R2(config)#router eigrp 1
R2(config-router)#net 1.1.1.2 0.0.0.0
R2(config-router)#net
*Oct 19 11:30:07.159: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1 (Tunnel2) is up: new adjacency
R2(config-router)#net 23.23.23.0 0.0.0.255
R2(config-router)#no au
R2(config-router)#ex
R2(config)#
*Oct 19 11:30:25.295: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1 (Tunnel2) is resync: summary configured
R2(config)#

View the EIGRP neighbors on R1:

R1(config)#do show ip eigrp nei
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   1.1.1.2                 Tu1               13 00:02:55  145  5000  0  8
R1(config)#

View the routing table on R1:

R1(config)#do show ip route
Gateway of last resort is 16.16.16.6 to network 0.0.0.0

     16.0.0.0/24 is subnetted, 1 subnets
C       16.16.16.0 is directly connected, FastEthernet1/0
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel1
     23.0.0.0/24 is subnetted, 1 subnets
D       23.23.23.0 [90/297246976] via 1.1.1.2, 00:03:21, Tunnel1
     15.0.0.0/24 is subnetted, 1 subnets
C       15.15.15.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 16.16.16.6
R1(config)#

Note: R1 has learned the Beijing LAN prefix 23.23.23.0 through EIGRP, and the next hop toward the Beijing LAN is the GRE tunnel peer 1.1.1.2.

Test LAN-to-LAN communication from Shanghai 15.15.15.0 to Beijing 23.23.23.0 again:

R1#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/115/144 ms
R1#

View the path taken by packets from Shanghai 15.15.15.0 to Beijing 23.23.23.0:

R1#traceroute 23.23.23.3
Type escape sequence to abort.
Tracing the route to 23.23.23.3

  1 1.1.1.2 132 msec 140 msec 140 msec
  2 23.23.23.3 144 msec * 136 msec
R1#

Note: between the two LANs there is only one intermediate hop, 1.1.1.2; traffic reaches its destination through the GRE tunnel.

Test communication from the Beijing LAN to the Shanghai LAN:

R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/123/156 ms
R3#

3.3 Test the effect of NAT on P2P GRE over IPsec:

1. Configure NAT on R1:

R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#
*Mar 1 01:30:47.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config-if)#int f1/0
R1(config-if)#ip nat outside
R1(config-if)#
R1(config-if)#ex
R1(config)#access-list 111 permit ip any any
R1(config)#ip nat inside source list 111 interface f1/0 overload
R1(config)#

2. Send traffic from Shanghai to Beijing:

R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/159/200 ms
R5#

Note: traffic from the Shanghai office to the Beijing office leaves through the GRE tunnel rather than through the physical interface f1/0, so the NAT configured on f1/0 has no effect on the tunnel and Shanghai-to-Beijing traffic works normally.

3.4 Open the VTY lines on R6 and R3 for login:

R6(config)#line vty 0 15
R6(config-line)#no login
R6(config-line)#exit
R6(config)#

R3(config)#line vty 0 15
R3(config-line)#no login
R3(config-line)#exit
R3(config)#

1. Test traffic from Shanghai to Beijing and check its source IP:

R5#telnet 23.23.23.3
Trying 23.23.23.3 ... Open

R3>en
% No password set
R3>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:08
*130 vty 0                idle                 00:00:00 15.15.15.5

  Interface    User               Mode         Idle     Peer Address

R3>

Note: the source IP is not affected by the NAT on the physical interface.

2. Test traffic from Shanghai to R6 and check its source IP:

R5#telnet 16.16.16.6
Trying 16.16.16.6 ... Open

R6>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:16
*130 vty 0                idle                 00:00:00 16.16.16.1

  Interface    User               Mode         Idle     Peer Address

R6>

R1#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 16.16.16.1:22015   15.15.15.5:22015   16.16.16.6:23      16.16.16.6:23
R1#

Note: when LAN traffic goes out to the public network, the NAT on the physical interface translates the source IP address to that interface's IP address.

3.5 Enable NAT on the GRE interface instead:

R1(config)#no ip nat inside source list 111 interface f1/0 overload
R1(config)#int f1/0
R1(config-if)#no ip nat outside
R1(config-if)#ex
R1(config)#int tunnel 1
R1(config-if)#ip nat outside
R1(config-if)#ex
R1(config)#ip nat inside source list 111 interface tunnel 1 overload
R1(config)#
*Mar 1 02:35:39.927: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.2 (Tunnel1) is down: Interface Goodbye received
R1(config)#
*Mar 1 02:35:44.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.2 (Tunnel1) is up: new adjacency

View the EIGRP neighbor tables on R1 and R2:

R1#show ip eigrp nei
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   1.1.1.2                 Tu1               11 00:00:41    1  5000  2  0
R1#

R2(config)#do show ip eigrp nei
IP-EIGRP neighbors for process 1
R2(config)#

Note: the EIGRP adjacency is now one-way: R1 still lists 1.1.1.2 as a neighbor, while R2's neighbor table is empty.

Change the NAT interesting traffic so that LAN traffic bypasses NAT:

R1(config)#no access-list 111
R1(config)#access-list 111 deny ip host 1.1.1.1 any
R1(config)#access-list 111 deny ip 15.15.15.0 0.0.0.255 any
R1(config)#access-list 111 permit ip any any
R1(config)#

Send traffic from Shanghai to Beijing again to check that it bypasses NAT:

R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/117/148 ms
R5#

Note: LAN traffic carried over P2P GRE over IPSec is not affected by NAT on the physical interface, but it is affected by NAT on the GRE interface.

3.6 Test the IPSec mode:

Note: the default IPsec mode is tunnel mode.

1. Change R2's IPSec mode to transport mode:

R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#ex

Clear the crypto SAs on both sides:

R2#clear crypto sa
R1#clear crypto sa

View R2's current IPSec mode:

R2#show cry ipsec sa
interface: FastEthernet0/0
    Crypto map tag: l2l, local addr 26.26.26.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   current_peer 16.16.16.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x88A24152(2292334930)

     inbound esp sas:
      spi: 0xF0A5AC54(4037389396)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 9, flow_id: 9, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4487029/3443)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x88A24152(2292334930)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 10, flow_id: 10, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4487029/3435)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#

Note: although R2's IPSec mode has been changed to transport mode, the SA still operates in tunnel mode because the other side has not been changed; the resulting mode changes only when both sides change.

Test LAN-to-LAN communication at this point:

R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/148/168 ms
R5#

Note: both sides are still operating in the same mode, so LAN communication continues to work.

2. Change R1's IPSec mode to transport mode as well:

R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport

View the IPSec mode on R1 and R2 again:

R2#show cry ipsec sa
interface: FastEthernet0/0
    Crypto map tag: l2l, local addr 26.26.26.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   current_peer 16.16.16.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 197, #pkts encrypt: 197, #pkts digest: 197
    #pkts decaps: 196, #pkts decrypt: 196, #pkts verify: 196
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x88A24152(2292334930)

     inbound esp sas:
      spi: 0xF0A5AC54(4037389396)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 9, flow_id: 9, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4487007/2751)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x88A24152(2292334930)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 10, flow_id: 10, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4487007/2751)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#

R1#show cry ipsec sa
interface: FastEthernet1/0
    Crypto map tag: l2l, local addr 16.16.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
   current_peer 26.26.26.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
    #pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0xF0A5AC54(4037389396)

     inbound esp sas:
      spi: 0x88A24152(2292334930)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4566714/2974)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF0A5AC54(4037389396)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4566714/2968)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
     outbound pcp sas:

Test LAN connectivity:

R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/145/200 ms
R3#

Note: both sides now use transport mode, and traffic still passes through the tunnel.
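Two results of this lab come down to how the two access lists on R1 are evaluated: crypto ACL 100 (sections 2.2 and 3.1) only matches the GRE wrapper between 16.16.16.1 and 26.26.26.2, and NAT ACL 111 (section 3.5) only exempts the tunnel source and the Shanghai LAN once the two deny entries are in front of the permit. The script below is an added example, not part of the original lab, that evaluates both lists the way IOS does (first match, implicit deny at the end) against the lab's own addresses; it ignores ports and sequence numbers.

```python
import ipaddress

# Added example, not part of the original lab: a minimal first-match
# evaluator for Cisco-style extended ACLs, used to check which flows R1's
# crypto ACL 100 protects and which flows NAT ACL 111 translates.
# Ports and sequence numbers are ignored; the addresses are the lab's own.

def _addr_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_lookup(acl, proto, src, dst):
    """Return the action of the first matching entry; implicit deny if none matches."""
    for action, entry_proto, src_spec, dst_spec in acl:
        if entry_proto in (proto, "ip") and _addr_match(src, src_spec) and _addr_match(dst, dst_spec):
            return action
    return "deny"

# access-list 100 permit gre host 16.16.16.1 host 26.26.26.2  (R1 crypto ACL, step 2.2)
CRYPTO_ACL = [("permit", "gre", "host 16.16.16.1", "host 26.26.26.2")]

# access-list 111 as first written in 3.5, and after the two deny entries were added
NAT_ACL_BEFORE = [("permit", "ip", "any", "any")]
NAT_ACL_AFTER = [
    ("deny", "ip", "host 1.1.1.1", "any"),
    ("deny", "ip", "15.15.15.0 0.0.0.255", "any"),
    ("permit", "ip", "any", "any"),
]

def is_encrypted(proto, src, dst):
    """True when a packet leaving f1/0 matches the crypto ACL (IPsec interesting traffic)."""
    return acl_lookup(CRYPTO_ACL, proto, src, dst) == "permit"

def is_translated(nat_acl, proto, src, dst):
    """True when an inside-to-outside packet matches the NAT ACL and gets translated."""
    return acl_lookup(nat_acl, proto, src, dst) == "permit"

if __name__ == "__main__":
    # The inner LAN packet is not interesting traffic; its GRE wrapper is.
    print(is_encrypted("icmp", "15.15.15.5", "23.23.23.3"))  # False
    print(is_encrypted("gre", "16.16.16.1", "26.26.26.2"))   # True
    # The same LAN packet against NAT ACL 111 before and after the deny entries.
    print(is_translated(NAT_ACL_BEFORE, "icmp", "15.15.15.5", "23.23.23.3"))  # True
    print(is_translated(NAT_ACL_AFTER, "icmp", "15.15.15.5", "23.23.23.3"))   # False
```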