MPLS L2VPN OVER GRE OVER IPSEC.docx

Uploaded by: b****5  Document ID: 7451650  Upload date: 2023-01-24  Format: DOCX  Pages: 14  Size: 43.16KB

MPLS L2VPN OVER GRE OVER IPSEC

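The customer's network has a headquarters site A and a branch site B, each connected to the Internet through an MSR5660 router. The customer wants to join the two networks with MPLS L2VPN so that the two LANs can reach each other, and the traffic must be encrypted.

The customer's network topology is roughly as follows:

This requirement is met with MPLS L2VPN (LDP PW) over GRE over IPsec: the PW is carried over a GRE over IPsec tunnel across the public network.

PE1 configuration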

#
 sysname pe1
#
 mpls lsr-id 3.3.3.3
#
mpls ldp
#
 l2vpn enable
#
interface LoopBack0
 description gre
 ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
 description ldp
 ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 200.1.1.2 255.255.255.252
 ipsec apply policy 1
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 description to-ce1
#
interface GigabitEthernet0/1.110
 vlan-type dot1q vid 110
#
interface Tunnel10 mode gre
 ip address 5.5.5.1 255.255.255.252
 mpls enable
 mpls ldp enable
 source LoopBack0
 destination 2.2.2.2
#
xconnect-group vpn2
 connection ldp
  ac interface GigabitEthernet0/1.110
  peer 4.4.4.4 pw-id 801001111
#
 ip route-static 0.0.0.0 0 200.1.1.1
 ip route-static 4.4.4.4 32 Tunnel10 //// traffic to the LDP peer goes through Tunnel10
#
acl advanced 3002
 rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 //// the GRE encapsulation source and destination trigger IPsec establishment
#
ipsec transform-set cdgac
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy 1 2 isakmp
 transform-set cdgac
 security acl 3002
 local-address 200.1.1.2
 remote-address 201.1.1.2
 ike-profile cdgac
#
ike profile cdgac
 keychain cdgac
 match remote identity address 201.1.1.2 255.255.255.252
 proposal 2
#
ike proposal 2
 encryption-algorithm aes-cbc-128
 dh group2
#
ike keychain cdgac
 pre-shared-key address 201.1.1.2 255.255.255.252 key cipher $c$3$XUQhTUr370G91QQqpi2T88FDJcPtvg==
#

PE2 configuration

#
 sysname pe2
#
 mpls lsr-id 4.4.4.4
#
mpls ldp
#
 l2vpn enable
#
interface LoopBack0
 description GRE
 ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
 description LDP
 ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 201.1.1.2 255.255.255.252
 ipsec apply policy cdgac
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 description to-ce2
#
interface GigabitEthernet0/1.110
 vlan-type dot1q vid 110
#
interface Tunnel10 mode gre
 ip address 5.5.5.2 255.255.255.252
 mpls enable
 mpls ldp enable
 source loopback0
 destination 1.1.1.1
#
xconnect-group vpn2
 connection ldp
  ac interface GigabitEthernet0/1.110
  peer 3.3.3.3 pw-id 801001111
#
 ip route-static 0.0.0.0 0 201.1.1.1
 ip route-static 3.3.3.3 32 Tunnel10
#
acl advanced 3002
 rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
#
ipsec transform-set cdgac
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy cdgac 2 isakmp
 transform-set cdgac
 security acl 3002
 local-address 201.1.1.2
 remote-address 200.1.1.2
 ike-profile cdgac
#
ike profile cdgac
 keychain cdgac
 match remote identity address 200.1.1.2 255.255.255.252
 proposal 2
#
ike proposal 2
 encryption-algorithm aes-cbc-128
 dh group2
#
ike keychain cdgac
 pre-shared-key address 200.1.1.2 255.255.255.252 key cipher $c$3$uVIpwExz145rpaEPkx8RrzB0qNwktg==
#
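
Both PE configurations select 3des-cbc, sha1 and dh group2 (a 64-bit block cipher, SHA-1 and a 1024-bit MODP group) and set no pfs in the IPsec policy. The following is an added example, not part of the original document or of any H3C tooling: a Python audit that parses the '#'-separated stanzas and reports such settings before a config like this goes into production. The WEAK and REQUIRED tables and the stanzas()/audit() names are assumptions of this example (a review policy), and SAMPLE is constructed from the PE1 crypto stanzas.

```python
import re

# Constructed sample: crypto stanzas copied from the PE1 configuration above.
SAMPLE = """\
ipsec transform-set cdgac
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy 1 2 isakmp
 transform-set cdgac
 ike-profile cdgac
#
ike proposal 2
 encryption-algorithm aes-cbc-128
 dh group2
#
"""

# Assumed review policy (not from the page): algorithm keywords to flag.
WEAK = {
    "esp encryption-algorithm": {"des-cbc", "3des-cbc", "null"},
    "esp authentication-algorithm": {"md5", "sha1"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh": {"group1", "group2", "group5"},
}
# Sub-commands the reviewer wants stated explicitly instead of left unset.
REQUIRED = {"ipsec policy": "pfs", "ike proposal": "authentication-algorithm"}

def stanzas(config):
    """Yield (header, sub-commands) for each '#'-separated stanza."""
    for block in re.split(r"(?m)^#[ \t]*$", config):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]

def audit(config):
    """Return (stanza header, keyword, value) for every flagged setting."""
    findings = []
    for header, body in stanzas(config):
        for line in body:
            # Longest keyword first, so the "esp ..." forms win over bare ones.
            kw = next((k for k in sorted(WEAK, key=len, reverse=True)
                       if line.startswith(k + " ")), None)
            findings += [(header, kw, v) for v in line.split() if kw and v in WEAK[kw]]
        for prefix, cmd in REQUIRED.items():
            if header.startswith(prefix) and not any(l.startswith(cmd + " ") for l in body):
                findings.append((header, cmd, "not set"))
    return findings
```

Calling audit() on a saved configuration file's text returns one tuple per finding; an empty list means nothing in the assumed policy was matched.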

CE1 configuration

#
 sysname ce1
#
vlan 110
#
interface Vlan-interface110
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 110
 combo enable fiber
#

CE2 configuration

#
 sysname ce2
#
vlan 110
#
interface Vlan-interface110
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 110
 combo enable fiber
#

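Test results

On the PE1 side, GRE traffic triggers IPsec establishment successfully, traffic to the LDP peer address goes through the GRE tunnel, and the L2VPN PW state is up.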

dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               201.1.1.2             RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING

dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------

  -----------------------------
  IPsec policy: 1
  Sequence number: 2
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local address: 200.1.1.2
        remote address: 201.1.1.2
    Flow:
        sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: ip
        dest addr: 2.2.2.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 2495663367 (0x94c0cd07)
      Connection ID: 4294967296
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843137/1966
      Max received sequence-number: 709
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 2673009478 (0x9f52e346)
      Connection ID: 4294967297
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843137/1966
      Max sent sequence-number: 711
      UDP encapsulation used for NAT traversal: N
      Status: Active

dis ip int b
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    up       up       200.1.1.2       --
GE0/1                    up       up       --              to-ce1
GE0/1.110                up       up       --              --
GE0/2                    down     down     192.168.3.1     --
GE5/0                    down     down     --              --
GE5/1                    down     down     --              --
GE6/0                    down     down     --              --
GE6/1                    down     down     --              --
Loop0                    up       up(s)    1.1.1.1         gre
Loop1                    up       up(s)    3.3.3.3         ldp
Ser1/0                   down     down     --              --
Ser2/0                   down     down     --              --
Ser3/0                   down     down     --              --
Ser4/0                   down     down     --              --
Tun10                    up       up       5.5.5.1         --

ping -a 5.5.5.1 5.5.5.2
Ping 5.5.5.2 (5.5.5.2) from 5.5.5.1: 56 data bytes, press CTRL_C to break
56 bytes from 5.5.5.2: icmp_seq=0 ttl=255 time=7.244 ms
56 bytes from 5.5.5.2: icmp_seq=1 ttl=255 time=2.576 ms
56 bytes from 5.5.5.2: icmp_seq=2 ttl=255 time=2.429 ms
56 bytes from 5.5.5.2: icmp_seq=3 ttl=255 time=2.397 ms
56 bytes from 5.5.5.2: icmp_seq=4 ttl=255 time=2.826 ms

--- Ping statistics for 5.5.5.2 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.397/3.494/7.244/1.881 ms
%Jul 22 08:59:53:871 2015 pe1 PING/6/PING_STATISTICS: Ping statistics for 5.5.5.2: 5 packets transmitted, 5 packets received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.397/3.494/7.244/1.881 ms.

dis l2vpn pw
Flags: M - main, B - backup, H - hub link, S - spoke link, N - no split horizon
Total number of PWs: 1
1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn2
Peer            PW ID/Rmt Site    In/Out Label    Proto   Flag  Link ID  State
4.4.4.4         801001111         917631/917631   LDP     M     1        Up

The test results on the PE2 side are the same as on PE1.

dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               200.1.1.2             RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING

dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------

  -----------------------------
  IPsec policy: cdgac
  Sequence number: 2
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local address: 201.1.1.2
        remote address: 200.1.1.2
    Flow:
        sour addr: 2.2.2.2/255.255.255.255  port: 0  protocol: ip
        dest addr: 1.1.1.1/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 2673009478 (0x9f52e346)
      Connection ID: 4294967296
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843136/1896
      Max received sequence-number: 735
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 2495663367 (0x94c0cd07)
      Connection ID: 4294967297
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843135/1896
      Max sent sequence-number: 733
      UDP encapsulation used for NAT traversal: N
      Status: Active

dis ip int b
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    up       up       201.1.1.2       --
GE0/1                    up       up       --              --
GE0/1.110                up       up       --              --
GE0/2                    down     down     192.168.2.1     --
GE5/0                    down     down     --              --
GE5/1                    down     down     --              --
GE6/0                    down     down     --              --
GE6/1                    down     down     --              --
Loop0                    up       up(s)    2.2.2.2         GRE
Loop1                    up       up(s)    4.4.4.4         LDP
Ser1/0                   down     down     --              --
Ser2/0                   down     down     --              --
Ser3/0                   down     down     --              --
Ser4/0                   down     down     --              --
Tun10                    up       up       5.5.5.2         --

ping -a 5.5.5.2 5.5.5.1
Ping 5.5.5.1 (5.5.5.1) from 5.5.5.2: 56 data bytes, press CTRL_C to break
56 bytes from 5.5.5.1: icmp_seq=0 ttl=255 time=5.598 ms
56 bytes from 5.5.5.1: icmp_seq=1 ttl=255 time=3.794 ms
56 bytes from 5.5.5.1: icmp_seq=2 ttl=255 time=3.066 ms
56 bytes from 5.5.5.1: icmp_seq=3 ttl=255 time=2.787 ms
56 bytes from 5.5.5.1: icmp_seq=4 ttl=255 time=3.242 ms

--- Ping statistics for 5.5.5.1 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.787/3.697/5.598/1.006 ms
%Jul 22 08:59:24:816 2015 pe2 PING/6/PING_STATISTICS: Ping statistics for 5.5.5.1: 5 packets transmitted, 5 packets received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.787/3.697/5.598/1.006 ms.

dis l2vpn pw
Flags: M - main, B - backup, H - hub link, S - spoke link, N - no split horizon
Total number of PWs: 1
1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn2
Peer            PW ID/Rmt Site    In/Out Label    Proto   Flag  Link ID  State
3.3.3.3         801001111         917631/917631   LDP     M     1        Up

Final requirement: the two CE networks can reach each other.

[ce1]ping -a 10.1.1.1 10.1.1.2
Ping 10.1.1.2 (10.1.1.2) from 10.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=12.646 ms
56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=7.242 ms
56 bytes from 10.1.1.2: icmp_s
