GRE OVER IPSEC VPN CONFIGURATION

IPSec VPN topic four: GRE over IPSec

Environment:
1: R4/R5/R6 reach each other through static routes
2: A GRE tunnel is built between R4 and R6
3: An IPSec VPN is built between R4 and R6

Requirement: PC3 and PC7 must be able to communicate.

Technical points involved: building the GRE tunnel, building IPSec, and analysing the packet flow.

Configuration steps:
1: R4/R5/R6 interconnect through static routes
2: The internal networks interconnect through OSPF: R4 and R6 learn each other's Loopback through OSPF
3: The IPSec peers point at each other's Loopback (and we analyse why that fails)
4: Test the GRE over IPSec behaviour
5: Fixes:
   - add static routes on R4/R6 so the peer's Loopback is reached through the physical path
   - point the IPSec peer at the peer's physical interface instead of its Loopback (recommended)
   If the peer address is a Loopback that is only reachable through the tunnel, neither the tunnel nor IPSec comes up.

1: Static routes on R4/R6 (basic connectivity):

Static route on R4:
   ip route 1.1.56.0 255.255.255.0 1.1.45.5
Static route on R6:
   ip route 1.1.45.0 255.255.255.0 1.1.56.5

2: GRE tunnel between R4 and R6:

== R4 configuration:
   interface Tunnel0
    ip address 172.16.10.4 255.255.255.0
    tunnel source 1.1.45.4
    tunnel destination 1.1.56.6
== R6 configuration:
   interface Tunnel0
    ip address 172.16.10.6 255.255.255.0
    tunnel source 1.1.56.6
    tunnel destination 1.1.45.4
== Check the GRE state:
   R4# show ip int b
   Tunnel0    172.16.10.4    YES manual up    up
   R6# show ip int b
   Tunnel0    172.16.10.6    YES manual up    up

3: OSPF between the internal networks across the GRE tunnel:

== R4 configuration:
   router ospf 110
    log-adjacency-changes
    network 4.4.4.4 0.0.0.0 area 0
    network 172.16.10.0 0.0.0.255 area 0
    network 192.168.1.0 0.0.0.255 area 0
== R6 configuration:
   router ospf 110
    network 6.6.6.6 0.0.0.0 area 0
    network 172.16.10.0 0.0.0.255 area 0
    network 172.16.1.0 0.0.0.255 area 0
== Routing tables of R4/R6: the internal networks are now reachable, and both Loopbacks are learned through Tunnel0:
   R4# show ip route ospf
   O    6.6.6.6 [110/11112] via 172.16.10.6, 00:11:38, Tunnel0
   O    172.16.1.0 [110/11112] via 172.16.10.6, 00:11:38, Tunnel0
   R6# show ip route ospf
   O    4.4.4.4 [110/11112] via 172.16.10.4, 00:11:23, Tunnel0
   O    192.168.1.0/24 [110/11112] via 172.16.10.4, 00:11:23, Tunnel0
== Test from R3:
   R3# traceroute 172.16.1.1
     1 192.168.1.2 92 msec 136 msec 48 msec
     2 172.16.10.6 136 msec 132 msec 140 msec    : the second hop is the tunnel address, so the packets are forwarded through the GRE tunnel
     3 172.16.1.1 148 msec * 168 msec

4: IPSec VPN between R4 and R6, with the peers pointing at the R4/R6 Loopbacks 4.4.4.4 / 6.6.6.6:

== Changes on R6:
   crypto isakmp key cisco address 4.4.4.4
   crypto map MYMAP 10 ipsec-isakmp
    set peer 4.4.4.4
    set transform-set TS
    match address 110                          : interesting traffic
   crypto map MYMAP local-address Loopback1    : the source address must be set here, like a BGP update-source; otherwise ISAKMP/ESP is sourced from the local physical interface
== Changes on R4:
   crypto isakmp key cisco address 6.6.6.6
   crypto map MYMAP 10 ipsec-isakmp
    set peer 6.6.6.6
    set transform-set TS
    match address 110
   crypto map MYMAP local-address Loopback1

5: Because this is GRE over IPSec, the crypto map (and with it the interesting traffic) is applied on the physical interface:
   interface FastEthernet0/0
    ip address 1.1.1.1 255.255.255.0
    no cdp log mismatch duplex
    crypto map MYMAP

(Note: this interface, the ACL below, the second set of OSPF log lines and the capture at the end use physical addresses 1.1.1.1/2.2.2.3, tunnel addresses 3.3.3.x and neighbour ID 192.168.2.10, which differ from the 1.1.45.x/1.1.56.x/172.16.10.x topology above; the analysis also calls the physical interface F1/1. The mechanism is the same regardless of the addressing.)

If the interesting traffic is now defined as
   access-list 110 permit ip host 1.1.1.1 host 2.2.2.3
the OSPF neighbour goes down shortly afterwards:
   *Dec 11 23:13:56.355: %OSPF-5-ADJCHG: Process 110, Nbr 6.6.6.6 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired

Analysis:
1: Reachability between the GRE tunnel endpoints comes from the static route of step 1: 1.1.56.0/24 is reached through F1/1.
2: R4's OSPF learns 6.6.6.6 through the tunnel, so the next hop for 6.6.6.6 is Tunnel0.
3: The IPSec peer is 6.6.6.6. An OSPF Hello sent into Tunnel0 is GRE-encapsulated with the tunnel endpoints as outer header [SIP 1.1.45.4, DIP 1.1.56.6]; R4 looks up 1.1.56.0/24 and hands the GRE packet to F1/1 (step 1). On F1/1 it matches the interesting traffic of the crypto map applied there, so it is ESP-encapsulated with a new outer header whose addresses are the peer addresses [ESP | SIP 4.4.4.4, DIP 6.6.6.6].
4: The ESP packet is routed again. 6.6.6.6 is reached through Tunnel0 (step 2), so the ESP packet goes back into Tunnel0 and receives yet another GRE header [SIP 1.1.45.4, DIP 1.1.56.6], which is again routed to F1/1, matched by the crypto map, and so on. R4's OSPF Hellos bounce between Tunnel0 and F1/1 (recursive routing) and never reach the peer; after three Hello intervals without a Hello, the peer declares the neighbour dead:
   *Mar 1 4:43:51.743: %OSPF-5-ADJCHG: Process 110, Nbr 192.168.2.10 on Tunnel0 from FULL to DOWN, Neighbor Down    : OSPF neighbour down

== Solution (breaking any one link of this loop is enough):
   - add static routes on R4/R6 so the peer's Loopback is reached through the physical path
   - point the IPSec peer at the peer's physical interface instead of its Loopback (recommended)

Fix 1: configure static routes on R4/R6 so that packets for the other side's Loopback leave through the physical interface rather than Tunnel0. The static /32 wins over the OSPF-learned 6.6.6.6/32 on administrative distance (1 versus 110), so the ESP packet is no longer routed into the tunnel:
   R4(config)# ip route 6.6.6.6 255.255.255.255 1.1.45.5
   R6(config)# ip route 4.4.4.4 255.255.255.255 1.1.56.5
   R5(config)# ip route 6.6.6.6 255.255.255.255 1.1.56.6    : R5 also needs routes to the R4/R6 Loopbacks, or the ESP packets die on R5
   R5(config)# ip route 4.4.4.4 255.255.255.255 1.1.45.4
The OSPF neighbour now comes up and the IPSec VPN is established as well:
   *Mar 14 15:21:36.395: %OSPF-5-ADJCHG: Process 110, Nbr 192.168.2.10 on Tunnel0 from LOADING to FULL, Loading Done
   R4#

Fix 2 (recommended): when configuring the IPSec VPN on R4/R6, point the peer at the physical interface address, not the Loopback. The interesting traffic is then simply the GRE traffic between the two tunnel endpoints, which protects everything carried in the tunnel, OSPF included:

== R4 configuration:
   crypto isakmp policy 10
    authentication pre-share
   crypto isakmp key cisco address 1.1.56.6
   crypto ipsec transform-set TS esp-md5-hmac esp-null    : esp-null does not encrypt; it is used here so the packets can be read for analysis
   crypto map MAY 10 ipsec-isakmp
    set peer 1.1.56.6
    set transform-set TS
    match address GRE-VPN
   ip access-list extended GRE-VPN
    permit ip host 1.1.45.4 host 1.1.56.6
== R6 configuration:
   crypto isakmp policy 10
    authentication pre-share
   crypto isakmp key cisco address 1.1.45.4
   crypto ipsec transform-set TS esp-md5-hmac esp-null
   crypto map MAY 10 ipsec-isakmp
    set peer 1.1.45.4
    set transform-set TS
    match address GRE-VPN
   ip access-list extended GRE-VPN
    permit ip host 1.1.56.6 host 1.1.45.4

(Two things to check before copying this: the original shows the transform-set line under an R3(config)# prompt, which is a copy error, the command belongs on R4 and R6; and this map is named MAY while the interface in step 5 has crypto map MYMAP applied, so whichever name is used must be the one bound to the physical interface. Also, esp-null with esp-md5-hmac gives integrity only and no confidentiality, and "cisco" is a lab pre-shared key; a production transform set needs a real cipher and a strong key.)

== Test: R3 pings R7:
   R3# ping 172.16.1.1 re 10
   !!!!!!!!!!
Capturing the traffic between R5 and R6 (figure in the original, not reproduced here) shows that the ping is first encapsulated in GRE and then in IPSec, i.e. GRE over IPSec really is in effect.

== The OSPF packets on the tunnel are interesting traffic too, so they are also protected. One captured frame, with the protocol bytes annotated:
   0000  ca 00 0f 70 00 00 cc 00 07 18 f0 01 08 00 45 c0
   0010  00 84 01 1f 00 00 fe 32 b4 62 01 01 01 01 02 02    : 0x32 = 50 = ESP; outer 1.1.1.1 -> 2.2.2.3
   0020  02 03 .. .. .. e7 00 00 00 02 45 c0 00 58 00 93    : SPI (its first three bytes were lost in extraction), sequence 2; then the inner IP header: 0x45 = version 4, header length 5 * 4 = 20
   0030  00 00 ff 2f b4 1d 01 01 01 01 02 02 02 03 00 00    : 0x2f = 47 = GRE
   0040  08 00 45 c0 00 40 01 1e 00 00 01 59 d1 7e 03 03    : GRE protocol 0x0800 = IP; 0x59 = 89 = OSPF
   0050  03 01 e0 00 00 05 02 02 00 20 06 06 06 06 00 00    : destination 224.0.0.5, OSPF router ID 6.6.6.6
   0060  00 00 d0 f3 00 00 00 00 00 00 00 00 00 00 05 c4
   0070  52 07 00 00 13 6c ff f6 00 03 00 01 00 04 00 00
   0080  00 01 01 02 02 04 20 03 a5 e4 2a 0c 23 7f 3d 87
   0090  eb cc
Reading the rest of the bytes: the OSPF type byte at offset 0x57 is 0x02, so this particular packet is a Database Description rather than a Hello (length 0x20 = 32, interface MTU 0x05c4 = 1476, which is the tunnel MTU after the GRE/IP overhead); Hellos on the tunnel match the same ACL and are protected the same way. At the end of the frame, 0x02 / 0x04 at offsets 0x84-0x85 are the ESP pad length and next header (4 = IP-in-IP, i.e. tunnel mode), followed by the 12-byte HMAC-MD5-96 ICV. Because the transform set uses esp-null, every inner header is readable in the capture.

Analysis of the packet flow:
1: R3# ping 172.16.1.1
2: R4 looks up its routing table and finds that 172.16.1.0/24 is reached through Tunnel0 (the OSPF route shown in step 3).
3: As soon as the data enters Tunnel0 it is GRE-encapsulated and a new IP header is added: SIP 1.1.45.4, DIP 1.1.56.6. The packet now looks like: DATA | SIP | DIP | GRE | SIP | DIP (1.1.45.4 -> 1.1.56.6)
4: The GRE packet is routed again: 1.1.56.6 falls in 1.1.56.0/24, which must leave through F1/1; the crypto map is applied on F1/1, and the GRE packet matches the interesting traffic (access-list GRE-VPN).
5: So the GRE packet is ESP-encapsulated in turn, with a new outer header SIP 1.1.45.4, DIP 1.1.56.6 (the same addresses, because the peer is now the physical interface, which is exactly why this outer header is routed to F1/1 and not back into the tunnel). The packet now looks like: DATA | SIP | DIP | GRE | SIP | DIP | ESP
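The forwarding loop from the Analysis section (peer = Loopback learned through the tunnel) and the two fixes can be reproduced with a small model of R4's forwarding path. This is an added example, not part of the original lab notes and not IOS code: it models only R4, with a longest-prefix routing table (ties broken by administrative distance), a GRE tunnel between the physical addresses and a crypto map on the physical interface, and follows one OSPF packet originated on Tunnel0 until it either leaves the physical interface or returns to a forwarding state it has already been in. The ACL uses the topology's own tunnel endpoints 1.1.45.4/1.1.56.6 (an assumption; the notes' broken-case ACL used 1.1.1.1/2.2.2.3 from a differently addressed run), and the model assumes, as IOS does, that a router never re-encrypts its own ESP output.

```python
"""Model of R4's forwarding path for GRE over IPsec (added example, not from the lab)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TUNNEL_IF, PHYS_IF = "Tunnel0", "Fa1/1"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "OSPF", "GRE" or "ESP"
    inner: Optional["Packet"] = None

    def layers(self) -> List[str]:
        """Protocol stack, outermost first."""
        return [self.proto] + (self.inner.layers() if self.inner else [])


@dataclass
class Route:
    prefix: str
    out_if: str
    ad: int                          # administrative distance: 0 connected, 1 static, 110 OSPF


@dataclass
class R4:
    routes: List[Route]
    tunnel_src: str = "1.1.45.4"     # tunnel source
    tunnel_dst: str = "1.1.56.6"     # tunnel destination
    acl: Tuple[str, str] = ("1.1.45.4", "1.1.56.6")   # assumed crypto ACL: permit ip host A host B
    local_addr: str = "4.4.4.4"      # crypto map local-address (Loopback)
    peer: str = "6.6.6.6"            # set peer

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match; equal prefixes are decided by lower AD."""
        addr = ip_address(dst)
        matches = [r for r in self.routes if addr in ip_network(r.prefix)]
        if not matches:
            return None
        return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, r.ad))

    def interesting(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.dst) == self.acl

    def originate_on_tunnel(self, pkt: Packet, max_steps: int = 10):
        """Follow a packet generated on Tunnel0 (e.g. an OSPF Hello) through R4.

        Returns (status, trace, final_packet). status is "sent" when the packet
        leaves the physical interface, "loop" when a (src, dst, proto, interface)
        state repeats, "unroutable" when no route matches.
        """
        trace, seen = [], set()
        pkt = Packet(self.tunnel_src, self.tunnel_dst, "GRE", pkt)   # entering Tunnel0 adds GRE
        for _ in range(max_steps):
            route = self.lookup(pkt.dst)
            if route is None:
                return "unroutable", trace, pkt
            state = (pkt.src, pkt.dst, pkt.proto, route.out_if)
            if state in seen:
                return "loop", trace, pkt
            seen.add(state)
            trace.append(state)
            if route.out_if == TUNNEL_IF:
                # Routed back into the tunnel: recursive GRE encapsulation.
                pkt = Packet(self.tunnel_src, self.tunnel_dst, "GRE", pkt)
                continue
            # Physical interface carrying the crypto map. ESP produced by this
            # router is not encrypted a second time, so it leaves here.
            if pkt.proto != "ESP" and self.interesting(pkt):
                pkt = Packet(self.local_addr, self.peer, "ESP", pkt)   # tunnel-mode ESP: new outer header
                continue                                               # ...which is routed again
            return "sent", trace, pkt
        return "loop", trace, pkt


BASE_ROUTES = [
    Route("1.1.45.0/24", PHYS_IF, 0),        # connected
    Route("1.1.56.0/24", PHYS_IF, 1),        # step 1: ip route 1.1.56.0 255.255.255.0 1.1.45.5
    Route("172.16.10.0/24", TUNNEL_IF, 0),   # tunnel subnet
    Route("6.6.6.6/32", TUNNEL_IF, 110),     # step 3: R6's Loopback learned by OSPF over Tunnel0
    Route("172.16.1.0/24", TUNNEL_IF, 110),
]
HELLO = Packet("172.16.10.4", "224.0.0.5", "OSPF")


def peer_on_loopback():
    """Steps 4/5 as configured: the peer 6.6.6.6 is only reachable through the tunnel."""
    return R4(BASE_ROUTES).originate_on_tunnel(HELLO)


def fix1_static_to_loopback():
    """Fix 1: ip route 6.6.6.6 255.255.255.255 1.1.45.5 (AD 1 beats the OSPF /32 at AD 110)."""
    return R4(BASE_ROUTES + [Route("6.6.6.6/32", PHYS_IF, 1)]).originate_on_tunnel(HELLO)


def fix2_peer_on_physical():
    """Fix 2 (recommended): set peer 1.1.56.6, ESP sourced from the physical address."""
    return R4(BASE_ROUTES, local_addr="1.1.45.4", peer="1.1.56.6").originate_on_tunnel(HELLO)


if __name__ == "__main__":
    for name, fn in [("peer on Loopback", peer_on_loopback),
                     ("fix 1", fix1_static_to_loopback), ("fix 2", fix2_peer_on_physical)]:
        status, trace, pkt = fn()
        print(f"{name}: {status}")
        for src, dst, proto, ifc in trace:
            print(f"   {proto:4} {src} -> {dst} via {ifc}")
        print("   final stack:", " | ".join(pkt.layers()))
```

In the broken case the trace is GRE 1.1.45.4 -> 1.1.56.6 via Fa1/1, then ESP 4.4.4.4 -> 6.6.6.6 via Tunnel0, after which the next GRE packet is identical to the first one and the model reports a loop with the stack GRE | ESP | GRE | OSPF still growing; with either fix the ESP packet is routed to Fa1/1 and leaves as ESP | GRE | OSPF.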
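The encapsulation order described in the five steps above, and the esp-null capture before them, can be checked byte by byte. The decoder below is an added example, not code from the lab notes: it walks the captured frame as Ethernet -> IP -> ESP -> IP -> GRE -> IP -> OSPF, which is only possible because esp-null leaves the ESP payload in clear. The bytes are the page's own dump; the three SPI bytes lost in extraction are filled with 00 (an assumption that does not affect the decode), and the 12-byte HMAC-MD5-96 ICV is reported but not verified because the SA key is not on the page.

```python
"""Decode the esp-null GRE-over-IPsec frame captured between R5 and R6 (added example)."""
import struct
from ipaddress import IPv4Address

ICV_LEN = 12   # esp-md5-hmac: HMAC-MD5-96, 96-bit truncated ICV

# The page's hex dump. Offset 0x20: the first three SPI bytes were lost in
# extraction and are assumed to be 00 here; only "..e7" is from the page.
CAPTURE = bytes.fromhex(
    "ca000f700000cc000718f001080045c0"   # Ethernet (type 0x0800), outer IP starts at 45 c0
    "0084011f0000fe32b462010101010202"   # len 132, ttl 254, proto 0x32 = ESP, 1.1.1.1 -> 2.2.2.3
    "0203000000e70000000245c000580093"   # SPI, seq 2, then the IP header carried in ESP
    "0000ff2fb41d01010101020202030000"   # proto 0x2f = GRE, 1.1.1.1 -> 2.2.2.3; GRE flags 0000
    "080045c00040011e00000159d17e0303"   # GRE proto 0x0800; inner IP, proto 0x59 = OSPF
    "0301e000000502020020060606060000"   # 3.3.3.1 -> 224.0.0.5; OSPF v2 type 2 len 32 rid 6.6.6.6
    "0000d0f30000000000000000000005c4"   # area 0.0.0.0, checksum, auth; DBD MTU 0x05c4 = 1476
    "52070000136cfff60003000100040000"   # options, flags, DD seq; LLS block
    "0001010202042003a5e42a0c237f3d87"   # ESP pad 01 02, pad len 2, next header 4, ICV...
    "ebcc"
)

OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}


def parse_ipv4(buf, off):
    """Return (header fields, payload offset, end-of-datagram offset)."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cksum = struct.unpack_from("!BBHHHBBH", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr = {"src": str(IPv4Address(buf[off + 12:off + 16])),
           "dst": str(IPv4Address(buf[off + 16:off + 20])),
           "proto": proto, "ttl": ttl, "total_len": total_len}
    return hdr, off + (ver_ihl & 0x0F) * 4, off + total_len


def parse_esp_null(buf, off, end):
    """Peel a null-cipher ESP packet: header in front, pad/pad-len/next-header/ICV at the back."""
    spi, seq = struct.unpack_from("!II", buf, off)
    pad_len, next_hdr = buf[end - ICV_LEN - 2], buf[end - ICV_LEN - 1]
    payload = buf[off + 8:end - ICV_LEN - 2 - pad_len]
    return {"spi": spi, "seq": seq, "pad_len": pad_len, "next_header": next_hdr,
            "icv": buf[end - ICV_LEN:end].hex()}, payload


def parse_gre(buf, off):
    """Base GRE header plus the optional checksum/key/sequence fields (C, K, S bits)."""
    flags, proto = struct.unpack_from("!HH", buf, off)
    hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return {"flags": flags, "proto": proto}, off + hlen


def parse_ospf(buf, off):
    ver, ptype, length, rid, area = struct.unpack_from("!BBHII", buf, off)
    info = {"version": ver, "type": OSPF_TYPES.get(ptype, ptype), "length": length,
            "router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area))}
    if ptype == 2:   # Database Description: interface MTU, options, flags, DD sequence number
        mtu, options, flags, dd_seq = struct.unpack_from("!HBBI", buf, off + 24)
        info.update(mtu=mtu, options=options, flags=flags, dd_seq=dd_seq)
    return info


def decode_gre_over_ipsec(frame):
    """Return the stack of headers of one GRE-over-IPsec (esp-null, tunnel mode) frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    outer, off, end = parse_ipv4(frame, 14)
    if outer["proto"] != 50:
        raise ValueError("outer protocol is not ESP")
    esp, plain = parse_esp_null(frame, off, end)
    if esp["next_header"] != 4:
        raise ValueError("expected tunnel mode (next header 4 = IP-in-IP)")
    mid, off, _ = parse_ipv4(plain, 0)          # the header added by GRE (tunnel source/destination)
    if mid["proto"] != 47:
        raise ValueError("expected GRE inside ESP")
    gre, off = parse_gre(plain, off)
    inner, off, _ = parse_ipv4(plain, off)      # the original packet sent into Tunnel0
    result = {"outer": outer, "esp": esp, "gre_outer": mid, "gre": gre, "inner": inner}
    if inner["proto"] == 89:
        result["ospf"] = parse_ospf(plain, off)
    return result


if __name__ == "__main__":
    for layer, fields in decode_gre_over_ipsec(CAPTURE).items():
        print(f"{layer:10} {fields}")
```

Running it prints the outer 1.1.1.1 -> 2.2.2.3 ESP header, the GRE delivery header with the same addresses, the inner 3.3.3.1 -> 224.0.0.5 datagram and an OSPF Database Description from router ID 6.6.6.6 with MTU 1476, which is the order the five analysis steps predict: payload, then GRE, then ESP on the outside.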