Cisco IOS Cookbook, Chinese Condensed Edition, 12-23: Tunnels and VPN
12.1. Creating a Tunnel
Problem: transport IP data across the network through a tunnel.
Solution
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router5(config)#interface Tunnel3
Router5(config-if)#ip address 192.168.35.5 255.255.255.252
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
Notes: In the tunnel configuration, tunnel source Ethernet0 can also be used to bind the tunnel to an interface.
The resulting virtual tunnel interface normally stays UP even when the far end is down. 12.2(8)T introduced the keepalive parameter to monitor the tunnel state: keepalive 3 2 sends one keepalive every 3 seconds and declares the interface down after 2 consecutive keepalives go unanswered.
To protect packet integrity or guard against out-of-order packets, configure tunnel checksum and tunnel sequence-datagrams; note, however, that GRE is not TCP: a dropped packet is not retransmitted.
By default the tunnel mode is GRE; it can be changed with the tunnel mode ipip command.
Because GRE encapsulates IP packets, MTU problems are unavoidable. For TCP connections ip tcp path-mtu-discovery can be used, but for non-TCP traffic over GRE, tunnel path-mtu-discovery is needed.
12.2(13)T introduced tunnel path-mtu-discovery min-mtu 500 to define a minimum MTU, which puts a safe floor under the value path-MTU discovery may learn.
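As an added worked example (not from the Cookbook), the Python below computes the GRE encapsulation overhead behind the MTU problem described above and models how the min-mtu floor limits what a path-MTU-discovery report can do. The byte counts are the RFC header sizes; the TunnelPmtud class is a simplified model, not IOS internals.

```python
"""Worked example, not Cookbook code: GRE-over-IPv4 overhead and a model of the
'tunnel path-mtu-discovery min-mtu N' floor, below which ICMP 'fragmentation
needed' reports no longer shrink the tunnel MTU."""

IP_HDR = 20          # outer IPv4 header the tunnel adds (no options)
GRE_HDR = 4          # basic GRE header (RFC 2784)
GRE_CHECKSUM = 4     # 'tunnel checksum': checksum + reserved field
GRE_SEQUENCE = 4     # 'tunnel sequence-datagrams': sequence number (RFC 2890)


def gre_overhead(checksum=False, sequence=False):
    """Bytes that GRE-over-IP adds to every tunnelled packet."""
    extra = (GRE_CHECKSUM if checksum else 0) + (GRE_SEQUENCE if sequence else 0)
    return IP_HDR + GRE_HDR + extra


class TunnelPmtud:
    """Tunnel interface running path-MTU discovery (model, not IOS internals).
    path_mtu starts at the physical MTU and drops when an ICMP 'fragmentation
    needed' message reports a smaller next-hop MTU; the usable tunnel MTU is
    path_mtu minus the GRE overhead. With min_mtu set, a report that would push
    the tunnel MTU under the floor is ignored, so one forged ICMP message cannot
    force the tunnel down to a tiny MTU."""

    def __init__(self, physical_mtu=1500, min_mtu=None, **gre_opts):
        self.overhead = gre_overhead(**gre_opts)
        self.path_mtu = physical_mtu
        self.min_mtu = min_mtu

    def tunnel_mtu(self):
        return self.path_mtu - self.overhead

    def on_frag_needed(self, reported_mtu):
        """Apply one ICMP report; return True if the tunnel MTU was lowered."""
        if reported_mtu >= self.path_mtu:
            return False                   # nothing new to learn
        if self.min_mtu is not None and reported_mtu - self.overhead < self.min_mtu:
            return False                   # would go under the floor: ignored
        self.path_mtu = reported_mtu
        return True


if __name__ == "__main__":
    t = TunnelPmtud(1500, min_mtu=500)
    print(t.tunnel_mtu())                  # 1476 = 1500 - (20 + 4)
    t.on_frag_needed(1400)
    print(t.tunnel_mtu())                  # 1376
    t.on_frag_needed(400)                  # 400 - 24 = 376 < 500: ignored
    print(t.tunnel_mtu())                  # still 1376
```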
12.2. Tunneling Other Protocols over IP
Problem: carry other protocols, IPX for example, across an IP network through a tunnel.
Solution
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ipx routing AAAA.BBBB.0001
Router1(config)#interface Tunnel1
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router5(config)#ipx routing AAAA.BBBB.0002
Router5(config)#interface Tunnel3
Router5(config-if)#ipx network AAA
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
Notes: Note that among the tunnel modes only GRE supports IPX.
Several different protocols can also be configured on the same tunnel interface, so that the tunnel carries multiple encapsulated protocols at once:
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
12.3. Tunnels and Dynamic Routing Protocols
Problem: run a routing protocol across a tunnel.
Solution
The problem to solve is making sure the route to the tunnel destination does not itself go through the tunnel interface (recursive routing). The first method is a static route:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1
Router1(config)#router eigrp 55
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
The second method runs a separate routing protocol on the tunnel interface, so that the tunnel addresses are excluded from the routing protocol used on the underlying connection:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#exit
Router1(config)#router rip
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
The third method is route filtering:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#network 192.168.35.0
Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1
Router1(config-router)#exit
Router1(config)#end
Router1#
Notes: The first two methods are simple but have poor redundancy and scalability; the third is recommended.
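An added example, not Cookbook code, for the recursive-routing problem and the prefix-list filter of Recipe 12.3: it checks whether the route to the tunnel destination would itself leave via Tunnel1, and applies TUNNELROUTES with IOS ge/le semantics to the routes Router1 holds. The addresses are the recipe's; the routing tables, the interface names Ethernet0/Ethernet1 and the 192.168.40.0/24 LAN are constructed assumptions.

```python
"""Worked example for Recipe 12.3, not Cookbook code: detect the recursive
routing the three methods above avoid, and apply TUNNELROUTES to see which
prefixes Router1 may advertise out Tunnel1. Addresses are the recipe's; the
routing tables, Ethernet0/Ethernet1 and 192.168.40.0/24 are constructed."""
import ipaddress

# (prefix, outgoing interface, next hop)
ROUTES_STATIC = [
    ("172.25.1.0/24", "Ethernet0", None),          # connected, carries the tunnel source
    ("172.22.1.2/32", "Ethernet0", "172.25.1.1"),  # ip route 172.22.1.2 255.255.255.255 172.25.1.1
    ("192.168.35.4/30", "Tunnel1", None),          # connected, the tunnel interface itself
    ("192.168.40.0/24", "Ethernet1", None),        # constructed LAN behind Router1
]
# Same table, but the far end's network was learned through the tunnel itself
ROUTES_RECURSIVE = [r for r in ROUTES_STATIC if r[0] != "172.22.1.2/32"] + [
    ("172.22.0.0/16", "Tunnel1", "192.168.35.5"),
]
# ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17 -> (action, net, ge, le)
TUNNELROUTES = [("permit", "192.168.0.0/16", 17, None)]


def lookup(routes, dest):
    """Longest-prefix match; returns (network, interface, next_hop) or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best


def tunnel_is_recursive(routes, tunnel_iface, tunnel_dest):
    """True when the route to the tunnel destination leaves via the tunnel itself."""
    hit = lookup(routes, tunnel_dest)
    return hit is not None and hit[1] == tunnel_iface


def prefix_list_permits(entries, prefix):
    """IOS prefix-list semantics: first match wins, implicit deny at the end.
    No ge/le: length must equal the entry's; 'ge N': N..32; 'le N': entry..N."""
    net = ipaddress.ip_network(prefix)
    for action, match, ge, le in entries:
        m = ipaddress.ip_network(match)
        lo = ge if ge is not None else m.prefixlen
        hi = le if le is not None else (32 if ge is not None else m.prefixlen)
        if net.subnet_of(m) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def advertised_out_tunnel(routes, entries):
    """Prefixes the distribute-list lets out Tunnel1 (split horizon not modelled)."""
    return [p for p, _, _ in routes if prefix_list_permits(entries, p)]
```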
12.4. Checking Tunnel Status
Problem: check the status of a tunnel.
Solution
Router1#show interface Tunnel5
Router1#ping 192.168.66.6
Router1#ping 172.22.1.4
Notes
12.5. Creating an Encrypted Router-to-Router VPN inside a GRE Tunnel
Problem: create an encrypted VPN between two routers connected over the Internet, using a pre-shared key.
Solution
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 102
Router1(config-crypto-map)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.1.1 255.255.255.252
Router1(config-if)#tunnel source 172.16.1.1
Router1(config-if)#tunnel destination 172.16.2.1
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map TUNNELMAP
Router1(config-if)#exit
Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#interface Loopback0
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#ip route 192.168.15.0 255.255.255.0 192.168.1.2
Router1(config)#end
Router1#
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 102
Router2(config-crypto-map)#exit
Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)#interface Tunnel1
Router2(config-if)#ip address 192.168.1.2 255.255.255.252
Router2(config-if)#tunnel source 172.16.2.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map TUNNELMAP
Router2(config-if)#exit
Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#interface Loopback0
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#ip route 192.168.16.0 255.255.255.0 192.168.1.1
Router2(config)#end
Router2#
Notes: The first step is to use ISAKMP to build a suitable key-exchange policy. When the two sides negotiate the SA parameters they start from the policy with the lowest priority number; use show crypto isakmp policy to view the current policies.
Then define the initial key with crypto isakmp key. The key can be bound either to an IP address or to a hostname; if it is bound to a hostname, the peer must be configured with crypto isakmp identity hostname. Verify with show crypto isakmp key.
show crypto isakmp sa shows the state of the negotiated ISAKMP SA, and the final IPsec SA is shown with show crypto ipsec sa.
The next step is to define the IPsec transform set, which specifies how matching packets are processed, and to set IPsec transport mode: tunnel mode is the default, but transport mode is used for GRE. A GRE tunnel is simpler and more flexible than a traditional IPsec tunnel, for example it can carry dynamic routing protocols.
Finally, the crypto map command ties these pieces together.
The last thing to note is that the crypto map is applied to the interface that receives the GRE packets, not to the tunnel interface.
show crypto engine connections active displays the current connections.
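An added example, not Cookbook code, that evaluates Router1's inbound filter from the solution above (access-list 101 on FastEthernet0/0) against constructed packets: only the VPN's own traffic from the peer gets through, and everything else, including GRE from any other host, lands on the logging deny. The access-list entries are the recipe's; the sample packets, the 172.16.9.9 host and the SSH attempt are constructed assumptions.

```python
"""Worked example for Recipe 12.5, not Cookbook code: evaluates Router1's inbound
filter (access-list 101 on FastEthernet0/0) against constructed packets, showing
that only the VPN's own traffic from the peer is admitted and all else is logged."""
from dataclasses import dataclass
from typing import Optional

ISAKMP_PORT = 500                       # 'eq isakmp' in the access list


@dataclass
class Packet:
    proto: str                          # "gre", "esp", "ahp", "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


# access-list 101 as entered on Router1: (action, protocol, src, dst, dst port, log)
ACL_101 = [
    ("permit", "gre", "172.16.2.1", "172.16.1.1", None, False),
    ("permit", "esp", "172.16.2.1", "172.16.1.1", None, False),
    ("permit", "udp", "172.16.2.1", "172.16.1.1", ISAKMP_PORT, False),
    ("permit", "ahp", "172.16.2.1", "172.16.1.1", None, False),
    ("deny", "ip", "any", "any", None, True),
]


def evaluate(acl, pkt):
    """First match wins; 'ip' matches every protocol, 'any' every host.
    Returns (action, logged); an access list ends in an implicit, unlogged deny."""
    for action, proto, src, dst, dport, log in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, log
    return "deny", False


# Constructed traffic arriving on FastEthernet0/0 (172.16.2.1 is the VPN peer)
SAMPLES = {
    "isakmp from peer": Packet("udp", "172.16.2.1", "172.16.1.1", ISAKMP_PORT),
    "esp from peer": Packet("esp", "172.16.2.1", "172.16.1.1"),
    "gre from peer": Packet("gre", "172.16.2.1", "172.16.1.1"),
    "gre from stranger": Packet("gre", "172.16.9.9", "172.16.1.1"),
    "ssh to router": Packet("tcp", "172.16.2.1", "172.16.1.1", 22),
}


def classify_samples():
    """Map each sample to the (action, logged) decision of access-list 101."""
    return {name: evaluate(ACL_101, p) for name, p in SAMPLES.items()}
```

Because the eq isakmp entry constrains only the destination port, the peer may source ISAKMP from any port; the final deny ip any any log is what makes every other packet visible in the router log.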
12.6. Creating an Encrypted VPN between the LAN Interfaces of Two Routers
Problem: create an encrypted VPN, using a pre-shared key, between the LAN interfaces of two routers connected over the Internet.
Solution
R1
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router1(config-crypt