IPsec VPN, NAT and GRE configuration

IPsec VPN configuration examples

This document presents several forms of IPsec VPN:

1. Building an IPsec VPN without considering public/private addressing
2. With public/private addressing: IPsec and NAT, without NAT traversal
3. With public/private addressing: IPsec and NAT, with NAT traversal

I. Building an IPsec VPN without considering public/private addressing

R1:

r1#show running-config
Building configuration...

Current configuration : 1353 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password ccit
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key ccit address 19.1.2.2
!
crypto ipsec transform-set ccit esp-des esp-md5-hmac
!
crypto map mymap 100 ipsec-isakmp
 set peer 19.1.2.2
 set security-association lifetime seconds 86400
 set transform-set ccit
 set pfs group1
 match address 110
!
interface FastEthernet0/0
 ip address 19.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 10
 log-adjacency-changes
 network 19.1.1.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 9
!
ip http server
no ip http secure-server
ip classless
!
access-list 110 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
line con 0
line aux 0
line vty 0
 password ccit
 login
line vty 1 4
 login
!
end

r1#

R2:

r2#show running-config
Building configuration...

Current configuration : 729 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
enable password ccit
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
interface FastEthernet0/0
 ip address 19.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 19.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 19.1.1.0 0.0.0.255 area 0
 network 19.1.2.0 0.0.0.255 area 0
!
ip http server
ip classless
!
line con 0
line aux 0
line vty 0
 password ccit
 login
line vty 1 4
 login
!
end

r2#

R3:

r3#show running-config
Building configuration...

Current configuration : 1184 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key ccit address 19.1.1.1
!
crypto ipsec transform-set ccit esp-des esp-md5-hmac
!
crypto map mymap 100 ipsec-isakmp
 set peer 19.1.1.1
 set security-association lifetime seconds 86400
 set transform-set ccit
 set pfs group1
 match address 110
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 19.1.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
router ospf 10
 log-adjacency-changes
 network 19.1.2.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 10
!
ip http server
no ip http secure-server
ip classless
!
access-list 110 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
end

r3#

II. With public/private addressing: IPsec and NAT, without NAT traversal

Site-to-site IPsec VPN combined with NAT, where neither tunnel endpoint sits behind a NAT device.

When writing the ip nat ACL, simply exclude the IPsec-protected traffic from translation, so that traffic between the two private networks is not passed through NAT.

// For ease of testing only ICMP is used here; in practice choose the protocols according to requirements.

RA:

access-list 100 deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit icmp 192.168.20.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0      // the translation address is the outside (public) interface, f0/0 on RA
interface f0/0
 ip nat outside
interface f0/1
 ip nat inside

RC:

access-list 100 deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit icmp 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface f0/1
interface f0/1
 ip nat outside
interface f0/0
 ip nat inside
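The reason the deny entry has to come first is the order of operations on the egress path: Cisco IOS applies inside-to-outside NAT before it checks the crypto map, so a packet that was translated carries the public address and no longer matches crypto ACL 110. The following Python model, an added example that is not part of the original document, evaluates RA's access-list 100 and R1's access-list 110 against a few constructed packets and shows what happens when the two entries are swapped. The class and function names (Packet, Ace, evaluate, classify) and the NAT-then-crypto ordering assumption are mine, not something the document states.

```python
"""Model of the NAT-bypass decision on RA (added example; not from the original document).

Assumption (not stated on the page): on the inside-to-outside path, Cisco IOS runs
NAT before the crypto map check, so a packet that gets translated is compared
against the crypto ACL with its new (public) source address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "tcp", "udp", "gre", ...


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "A.B.C.D wildcard", "host A.B.C.D" or "any"
    dst: str


def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against a Cisco-style source/destination specification."""
    if spec == "any":
        return True
    kind, *rest = spec.split()
    if kind == "host":
        return addr == rest[0]
    net = int(ipaddress.IPv4Address(kind))
    wildcard = int(ipaddress.IPv4Address(rest[0]))
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit 0 = must match, 1 = don't care
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", pkt.proto) and _match_addr(ace.src, pkt.src) \
                and _match_addr(ace.dst, pkt.dst):
            return ace.action
    return "deny"


# access-list 100 from the RA configuration (NAT ACL): deny first, then permit
NAT_ACL_100 = [
    Ace("deny", "icmp", "192.168.20.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
    Ace("permit", "icmp", "192.168.20.0 0.0.0.255", "any"),
]
# access-list 110 from the R1 configuration (crypto ACL)
CRYPTO_ACL_110 = [
    Ace("permit", "icmp", "192.168.20.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
]
RA_OUTSIDE_ADDR = "19.1.1.1"   # f0/0 on RA, the address NAT overload translates to


def classify(pkt: Packet, nat_acl=NAT_ACL_100, crypto_acl=CRYPTO_ACL_110):
    """Return (nat decision, source address the crypto map sees, encrypted?)."""
    if evaluate(nat_acl, pkt) == "permit":
        pkt = Packet(RA_OUTSIDE_ADDR, pkt.dst, pkt.proto)     # translated by NAT overload
        nat = "translated"
    else:
        nat = "bypassed"
    return nat, pkt.src, evaluate(crypto_acl, pkt) == "permit"


if __name__ == "__main__":
    # constructed sample packets
    site_to_site = Packet("192.168.20.5", "192.168.10.5", "icmp")
    internet = Packet("192.168.20.5", "203.0.113.9", "icmp")
    print(classify(site_to_site))          # ('bypassed', '192.168.20.5', True)
    print(classify(internet))              # ('translated', '19.1.1.1', False)
    # same two entries in the wrong order: VPN traffic is translated and leaves in clear text
    print(classify(site_to_site, nat_acl=list(reversed(NAT_ACL_100))))
    # a TCP flow between the sites matches neither ACL (the page's ICMP-only test setup)
    print(classify(Packet("192.168.20.5", "192.168.10.5", "tcp")))
```

The last case is the caveat in the document's own comment: because both ACLs only name ICMP, any other protocol between the two sites is neither translated nor encrypted, and would leave RA with a private source address; the NAT and crypto ACLs must be kept in step when the protocol set is widened.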

To let the subnets at the two ends communicate, a GRE tunnel is built. GRE can be combined with IPsec in two ways: IPsec over GRE and GRE over IPsec.

1. IPsec over GRE (IPsec packets are carried inside GRE)

The configuration procedure is largely the same as above; the differences are the added GRE tunnel, the interface on which the crypto map is applied, and two additional static routes.

Configuration on RA:

// create GRE tunnel Tunnel0
interface tunnel0
 ip address 192.168.4.1 255.255.255.0
 tunnel source 19.1.1.1
 tunnel destination 19.1.2.2
 tunnel mode gre ip
 crypto map mymap          // note: the crypto map is applied on the tunnel interface
ip route 192.168.4.0 255.255.255.0 tunnel0
ip route 192.168.10.0 255.255.255.0 192.168.4.2

// GRE tunnels support dynamic routing protocols. Once the tunnel is up, RA's F0/0 and RC's F0/1 behave as if directly connected, with no distinction between public and private networks, so a dynamic routing protocol can be used instead of static routes.

Configuration on RC:

// create GRE tunnel Tunnel0
interface tunnel0
 ip address 192.168.4.2 255.255.255.0
 tunnel source 19.1.2.2
 tunnel destination 19.1.1.1
 tunnel mode gre ip
 crypto map mymap          // note: the crypto map is applied on the tunnel interface
ip route 192.168.4.0 255.255.255.0 tunnel0
ip route 192.168.20.0 255.255.255.0 192.168.4.1

2.GREOverIPSEC(GRE报文通过IPSEC传送)

和上面的配置过程相同,不同的是ACL规则变了

R1:

Ipaccess-list110grehost19.1.1.1host19.1.2.2

//建立GRE隧道Tunnel0

Inttunnel0

Ipadd192.168.4.1255.255.255.0

Tunnelsource19.1.1.1

Tunneldestination19.1.2.2

Tunnelmodegreip//隧道中无加密图,加密图应用在实体接口上,和初始的配置一样。

iproute192.168.4.0255.255.255.0tunnel0

iproute192.168.10.0255.255.255.0192.168.4.2

RC上的配置:

Ipaccess-list110grehost19.1.2.2host19.1.1.1

Inttunnel0

Ipadd192.168.4.2255.255.255.0

Tunnelsource19.1.2.2

Tunneldestination19.1.1.1

Tunnelmodegreip

iproute192.168.4.0255.255.255.0tunnel0

iproute192.168.20.0255.255.255.0192.168.4.1
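The two designs differ in the order the headers are stacked, and that order decides how much of the 1500-byte path MTU reported later in this document is left for the inner packet. The following calculator is an added example, not code from the original document: it models the byte overhead of the page's transform set (esp-des esp-md5-hmac, tunnel mode) and of a basic GRE header for both IPsec over GRE and GRE over IPsec, and finds the largest inner packet that still crosses the path without fragmentation. The header sizes are standard values from the ESP, DES-CBC, HMAC-MD5-96 and GRE RFCs, and the function names are my own; the document itself gives no overhead figures.

```python
"""Header-stack size model for IPsec over GRE vs GRE over IPsec (added example; not from the document).

Assumed sizes for esp-des esp-md5-hmac in tunnel mode: ESP header 8 bytes (SPI + sequence
number), DES-CBC IV 8 bytes, a 2-byte ESP trailer (pad length + next header) padded so the
ciphertext is a multiple of the 8-byte DES block, a 12-byte HMAC-MD5-96 ICV, and a new 20-byte
outer IP header. GRE adds a 20-byte IP header plus a 4-byte GRE header (no key, sequence or
checksum). Real platforms may deviate by a few bytes.
"""
IP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8
DES_BLOCK = 8        # the IV is one block; padding aligns the ciphertext to this size
ESP_TRAILER = 2      # pad length + next header
MD5_96_ICV = 12


def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % DES_BLOCK
    return IP_HDR + ESP_HDR + DES_BLOCK + inner_len + pad + ESP_TRAILER + MD5_96_ICV


def gre_size(inner_len: int) -> int:
    """Bytes on the wire for a GRE/IP packet carrying inner_len bytes."""
    return IP_HDR + GRE_HDR + inner_len


def on_wire_size(inner_len: int, mode: str) -> int:
    """Apply the two encapsulations in the order each design uses."""
    if mode == "ipsec-over-gre":      # crypto map on Tunnel0: ESP first, GRE on the outside
        return gre_size(esp_tunnel_size(inner_len))
    if mode == "gre-over-ipsec":      # crypto map on the physical interface matching gre: GRE first, ESP outside
        return esp_tunnel_size(gre_size(inner_len))
    raise ValueError(f"unknown mode {mode!r}")


def overhead(inner_len: int, mode: str) -> int:
    """Bytes added to an inner packet of inner_len bytes."""
    return on_wire_size(inner_len, mode) - inner_len


def max_inner_len(mode: str, path_mtu: int = 1500) -> int:
    """Largest inner IP packet that still fits path_mtu after encapsulation (no fragmentation)."""
    return max(n for n in range(0, path_mtu + 1) if on_wire_size(n, mode) <= path_mtu)


if __name__ == "__main__":
    for mode in ("ipsec-over-gre", "gre-over-ipsec"):
        print(mode, "1500-byte inner packet ->", on_wire_size(1500, mode), "bytes;",
              "largest inner packet without fragmentation:", max_inner_len(mode))
```

Because the GRE overhead (24 bytes) is itself a multiple of the DES block, both orders give the same totals for this transform set; with a 16-byte-block cipher or a GRE key/sequence header the two designs would start to differ, which is exactly what the calculator is for. Either way a full-size 1500-byte LAN packet does not fit, which is why an `ip mtu` or TCP MSS adjustment on the tunnel interface is normally added in such designs.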

 

Instead of static routes, RIPv2 can be enabled:

R1:

R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.4.0        // advertise the directly connected networks: 192.168.4.0 is the tunnel subnet,
R1(config-router)#network 192.168.20.0       // 192.168.20.0 is the internal LAN

R3:

R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#no auto-summary
R3(config-router)#network 192.168.4.0        // advertise the directly connected networks: 192.168.4.0 is the tunnel subnet,
R3(config-router)#network 192.168.10.0       // 192.168.10.0 is the internal LAN

Checking the result on r1:

Verifying the IPsec VPN configuration

Router#show crypto isakmp policy           // shows every policy that will be tried during negotiation, plus the default policy at the end
Router#show crypto ipsec transform-set     // shows the transform sets configured on the router
Router#show crypto ipsec sa                // shows the settings in use by the current security associations
Router#show crypto map                     // shows all crypto maps configured on the router

r1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr. 19.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/1/0)
   current_peer: 19.1.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3          // number of packets encrypted
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3          // number of packets decrypted
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 19.1.1.1, remote crypto endpt.: 19.1.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 80FC8678          // outbound ESP headers are stamped with SPI 80FC8678

     inbound esp sas:
      spi: 0xE32CDDF1(3811368433)            // inbound SPI, used to match incoming ESP packets
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439118/86329)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x80FC8678(2164033144)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439118/86308)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r1#show crypto engine connections active

  ID Interface        IP-Address   State  Algorithm            Encrypt  Decrypt
   1 FastEthernet0/0  19.1.1.1     set    HMAC_MD5+DES_56_CB         0        0
2000 FastEthernet0/0  19.1.1.1     set    HMAC_MD5+DES_56_CB         0        7
2001 FastEthernet0/0  19.1.1.1     set    HMAC_MD5+DES_56_CB         7        0

// If the encrypt and decrypt counters appear as a pair (one SA encrypting, its partner decrypting), IPsec has been established and traffic is flowing normally.
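Reading the encaps/decaps pair by eye works for one router; for monitoring or for a quick health script it helps to parse the output. The block below is an added example, not part of the original document: it parses the r1 `show crypto ipsec sa` output reproduced above (embedded as a constant, with the page's inline comments removed) and classifies the SA as bidirectional, send-only, receive-only, idle, or absent. The function names, the dictionary layout and the classification labels are my own; the regular expressions rely only on field names visible in the page's output, and other IOS releases may format these lines differently.

```python
"""Parser and health check for `show crypto ipsec sa` output (added example; not from the document).

The sample below is the r1 output reproduced from this page. The parser relies only on the
field names visible in that output; other IOS releases may format the lines differently.
"""
import re

SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr. 19.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/1/0)
   current_peer: 19.1.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 19.1.1.1, remote crypto endpt.: 19.1.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 80FC8678

     inbound esp sas:
      spi: 0xE32CDDF1(3811368433)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439118/86329)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x80FC8678(2164033144)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439118/86308)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
"""

_COUNTERS = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
}
_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
_PEER = re.compile(r"current_peer:\s*([\d.]+):(\d+)")
_SECTION = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
_SPI = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")
_LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
_TRANSFORM = re.compile(r"transform:\s*(.+?)\s*,?$")


def parse_crypto_ipsec_sa(text: str) -> dict:
    """Extract identities, peer, packet counters and the ESP SAs from one SA block."""
    info = {"local_ident": None, "remote_ident": None, "peer": None, "transform": None,
            "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
            "inbound_esp": [], "outbound_esp": []}
    section = None                        # (direction, protocol) of the SA list being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IDENT.match(line):
            info[m.group(1) + "_ident"] = m.group(2)
        elif m := _PEER.match(line):
            info["peer"] = (m.group(1), int(m.group(2)))
        elif m := _SECTION.match(line):
            section = (m.group(1), m.group(2))
        elif (m := _SPI.match(line)) and section and section[1] == "esp":
            info[section[0] + "_esp"].append({"spi": m.group(1), "lifetime_kb": None, "lifetime_sec": None})
        elif (m := _LIFETIME.search(line)) and section and section[1] == "esp" and info[section[0] + "_esp"]:
            sa = info[section[0] + "_esp"][-1]
            sa["lifetime_kb"], sa["lifetime_sec"] = int(m.group(1)), int(m.group(2))
        elif m := _TRANSFORM.match(line):
            info["transform"] = m.group(1)
        else:
            for key, rx in _COUNTERS.items():
                if m := rx.search(line):
                    info[key] = int(m.group(1))
    return info


def assess(info: dict) -> str:
    """Summarise the SA the way an operator reads the encaps/decaps pair."""
    if not info["inbound_esp"] or not info["outbound_esp"]:
        return "no-sa"            # phase 2 never completed: check ISAKMP policy, pre-shared key and crypto ACLs
    if info["encaps"] and info["decaps"]:
        return "bidirectional"    # packets are being encrypted and decrypted: the tunnel is working
    if info["encaps"]:
        return "send-only"        # we encrypt but never decrypt: return traffic is not entering the tunnel on the far side
    if info["decaps"]:
        return "receive-only"
    return "idle"


if __name__ == "__main__":
    parsed = parse_crypto_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    print(parsed["peer"], parsed["encaps"], parsed["decaps"], assess(parsed))
```

A send-only result is the most common symptom of a mismatched crypto ACL or NAT ACL on the remote router (the remote side translates or drops the return traffic instead of encrypting it), so it is worth alerting on separately from a missing SA.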

III. With public/private addressing: IPsec and NAT, with NAT traversal

IPsec NAT traversal refers to the case where one or both endpoints of the IPsec tunnel sit behind a NAT device.

As shown in the figure below (topology figure not reproduced in this copy).

Key steps:

ip nat inside source list 100 interface Serial0/1 overload
ip nat inside source static udp 12.1.1.1 500 interface Serial0/1 500
ip nat inside source static udp 12.1.1.1 4500 interface Serial0/1 4500
ip nat inside source static esp 12.1.1.1 interface Serial0/1
!
// The three static entries above carry the VPN tunnel negotiation (IKE on UDP 500, NAT-T on UDP 4500) and the ESP traffic itself; they are the key to NAT traversal.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Original reference material:

IPSEC NAT traversal
