1、Cisco IOS Cookbook 中文精简版 1223 隧道和VPNCisco IOS Cookbook 中文精简版 12-23 隧道和VPN12.1.创建Tunnel 提问 =FONT-FAMILY: 宋体通过隧道的方式在网络中传输IP数据回答 Router1#configure terminal Enter configuration commands, one per line.End with CNTL/Z.Router1(config)#interface Tunnel1Router1(config-if)#ip address 192.168.35.6 255.255.255.
2、252Router1(config-if)#tunnel source 172.25.1.5Router1(config-if)#tunnel destination 172.25.1.7Router1(config-if)#exitRouter1(config)#endRouter1#Router5#configure terminal Enter configuration commands, one per line.End with CNTL/Z.Router5(config)#interface Tunnel3Router5(config-if)#ip address 192.168
3、.35.5 255.255.255.252Router5(config-if)#tunnel source 172.25.1.7Router5(config-if)#tunnel destination 172.25.1.5Router5(config-if)#exitRouter5(config)#endRouter5#注释 Tunnel的配置中也可以使用tunnel source Ethernet0 的方式来捆绑到端口。产生出来的虚拟隧道接口通常会一直UP,即使对端关机,12.2(8)T后引入了keeplive参数可以对隧道的状态进行监控,keepalive 3 2 每隔3秒一个Keepl
4、ive,如果两次没收到就认为端口当掉。如果对数据包的完整性或者防止乱序包,可以配置tunnel checksum,tunnel sequence-datagrams,但需要注意的是GRE不是TCP,数据包丢弃了不会重传。缺省情况下隧道的模式GRE,也可以通过tunnel mode ipip 命令来改变其模式。由于GRE是封装IP数据包所以不可避免地产生了MTU的问题,对于TCP连接可以使用ip tcp path-mtu-discovery,但对于非TCP的GRE,需要使用tunnel path-mtu-discovery。在12.2(13)T以后引入了tunnel path-mtu-disco
5、very min-mtu 500 来定义最小的MTU从而保证安全12.2.其他协议隧道至IP 提问 通过隧道的方式在IP网络中传输其他协议数据,比如IPX回答Router1#configure terminal Enter configuration commands, one per line.End with CNTL/Z.Router1(config)#ipx routing AAAA.BBBB.0001Router1(config)#interface Tunnel1Router1(config-if)#ipx network AAARouter1(config-if)#tunnel
6、source 172.25.1.5Router1(config-if)#tunnel destination 172.25.1.7Router1(config-if)#exitRouter1(config)#endRouter1#Router5#configure terminal Enter configuration commands, one per line.End with CNTL/Z.Router2(config)#ipx routing AAAA.BBBB.0002Router5(config)#interface Tunnel3Router5(config-if)#ipx n
7、etwork AAARouter5(config-if)#tunnel source 172.25.1.7Router5(config-if)#tunnel destination 172.25.1.5Router5(config-if)#exitRouter5(config)#endRouter5#注释 注意的是隧道模式里面只有GRE模式是支持IPX的。同时可以在隧道接口下配置多个不同的协议从而支持在隧道中封装多个协议Router1(config)#interface Tunnel1Router1(config-if)#ip address 192.168.35.6 255.255.255.
8、252Router1(config-if)#ipx network AAARouter1(config-if)#tunnel source 172.25.1.5Router1(config-if)#tunnel destination 172.25.1.7Router1(config-if)#exitRouter1(config)#endRouter1#12.3.隧道和动态路由协议 提问 在隧道中传递路由协议回答怎么解决到tunnel destination的路由不是通过tunnel接口的问题,第一种方法是静态路由Router1#configure terminal Enter configu
9、ration commands, one per line.End with CNTL/Z.Router1(config)#interface Tunnel1Router1(config-if)#ip address 192.168.35.6 255.255.255.252Router1(config-if)#tunnel source 172.25.1.5Router1(config-if)#tunnel destination 172.22.1.2Router1(config-if)#exitRouter1(config)#ip route 172.22.1.2 255.255.255.2
10、55 172.25.1.1Router1(config)#router eigrp 55Router1(config-router)#network 192.168.35.0Router1(config-router)#exitRouter1(config)#endRouter1#第二种对tunnel接口采用另外的路由协议,从而排除此地址在互联的路由协议中Router1#configure terminal Enter configuration commands, one per line.End with CNTL/Z.Router1(config)#interface Tunnel1Ro
11、uter1(config-if)#ip address 192.168.35.6 255.255.255.252Router1(config-if)#tunnel source 172.25.1.5Router1(config-if)#tunnel destination 172.22.1.2Router1(config-if)#exitRouter1(config)#router eigrp 55Router1(config-router)#network 172.22.0.0Router1(config-router)#network 172.25.0.0Router1(config-ro
12、uter)#endRouter1(config)#router ripRouter1(config-router)#network 192.168.35.0Router1(config-router)#exitRouter1(config)#endRouter1#第三种方法路由过滤Router1#configure terminal Enter configuration commands, one per line.End with CNTL/Z.Router1(config)#interface Tunnel1Router1(config-if)#ip address 192.168.35
13、.6 255.255.255.252Router1(config-if)#tunnel source 172.25.1.5Router1(config-if)#tunnel destination 172.22.1.2Router1(config-if)#exitRouter11(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17Router1(config)#router eigrp 55Router1(config-router)#network 172.22.0.0Router1(config-ro
14、uter)#network 172.25.0.0Router1(config-router)#network 192.168.35.0Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1Router1(config-router)#exitRouter1(config)#endRouter1#注释 前两种很简单但是冗余性和扩展性不好,推荐第三种12.4.查看隧道状态 提问 查看隧道状态回答Router1#show interface Tunnel5Router1#ping 192.168.66.6Route
15、r1#ping 172.22.1.4注释 12.5.在GRE隧道中创建一个加密的路由器到路由器的VPN 提问 通过预共享密匙的方法创建互联网连接路由器的加密VPN回答Router1#configure terminalEnter configuration commands, one per line.End with CNTL/Z.Router1(config)#crypto isakmp policy 10Router1(config-isakmp)#encr aes 256Router1(config-isakmp)#authentication pre-shareRouter1(con
16、fig-isakmp)#group 2Router1(config-isakmp)#exitRouter1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauthRouter1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#mode transportRouter1(cfg-crypto-trans)#exitRouter1(config)#crypto map
17、TUNNELMAP 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.Router1(config-crypto-map)#set peer 172.16.2.1Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM Router1(config-crypto-map)#match address 102Router1(config-
18、crypto-map)#exitRouter1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1Router1(config)#interface Tunnel1Router1(config-if)#ip address 192.168.1.1 255.255.255.252Router1(config-if)#tunnel source 172.16.1.1Router1(config-if)#tunnel destination 172.16.2.1Router1(config-if)#exitRouter
19、1(config)#interface FastEthernet0/0Router1(config-if)#ip address 172.16.1.1 255.255.255.0Router1(config-if)#ip access-group 101 inRouter1(config-if)#crypto map TUNNELMAPRouter1(config-if)#exitRouter1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1Router1(config)#access-list 101 pe
20、rmit esp host 172.16.2.1 host 172.16.1.1Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmpRouter1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1Router1(config)#access-list 101 deny ip any any logRouter1(config)#interface Loopback0Router1(config-i
21、f)#ip address 192.168.16.1 255.255.255.0Router1(config-if)#exitRouter1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2Router1(config)#ip route 192.168.15.0 255.255.255.0 192.168.1.2Router1(config)#endRouter1#Router2#configure terminalEnter configuration commands, one per line.End with CNTL/Z.Router2(con
22、fig)#crypto isakmp policy 10Router2(config-isakmp)#encr aes 256Router2(config-isakmp)#authentication pre-shareRouter2(config-isakmp)#group 2Router2(config-isakmp)#exitRouter2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hm
23、ac esp-aes 256 Router2(cfg-crypto-trans)#mode transportRouter2(cfg-crypto-trans)#exitRouter2(config)#crypto map TUNNELMAP 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.Router2(config-crypto-map)#set peer 172.16.1.1Router2(c
24、onfig-crypto-map)#set transform-set TUNNEL-TRANSFORM Router2(config-crypto-map)#match address 102Router2(config-crypto-map)#exitRouter2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1Router2(config)#interface Tunnel1Router2(config-if)#ip address 192.168.1.2 255.255.255.252Router2(
25、config-if)#tunnel source 172.16.2.1Router2(config-if)#tunnel destination 172.16.1.1Router2(config-if)#exitRouter2(config)#interface FastEthernet0/0Router2(config-if)#ip address 172.16.2.1 255.255.255.0Router2(config-if)#ip access-group 101 inRouter2(config-if)#crypto map TUNNELMAPRouter2(config-if)#
26、exitRouter2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmpRouter2(config)#access-list 101 permit ahp host 172.16.1.1 host
27、172.16.2.1Router2(config)#access-list 101 deny ip any any logRouter2(config)#interface Loopback0Router2(config-if)#ip address 192.168.15.1 255.255.255.0Router2(config-if)#exitRouter2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2Router2(config)#ip route 192.168.16.0 255.255.255.0 192.168.1.1Router2(con
28、fig)#endRouter2#注释 第一步首先使用ISAKMP来生成合适的密匙交换策略,当双方协商SA参数时,先从优先级低的策略开始,使用show crypto isakmp policy来查看当前策略。然后定义初始的密匙crypto isakmp key,这里可以基于IP地址也可以基于主机名,如果基于主机名对端要配置crypto isakmp identity hostname,用show crypto isakmp key来验证。show crypto isakmp sa 用来查看协商的ISAKMP SA状态,而最后的IPSec SA通过show crypto ipsec sa 来查看。
29、下一步是定义IPSec的transform set,是定义如何处理符合的数据包,并且要定义Ipsec的透明模式,缺省使用隧道模式,对于GRE使用透明模式,GRE隧道比传统的IPSec隧道好在更简单和更灵活,比如可以传递动态路由协议等。最后使用crypto map命令整合。最后要注意的是crypto map应用于接收GRE数据包的接口而不是tunnel接口。show crypto engine connections active 显示当前连接情况12.6.在两个路由器的Lan接口之间创建加密VPN 提问 使用预共享密匙的方式创建加密VPN通过互联网连接的两个LAN接口回答R1Router1#c
30、onfigure terminalEnter configuration commands, one per line.End with CNTL/Z.Router1(config)#crypto isakmp policy 10Router1(config-isakmp)#encr aes 256Router1(config-isakmp)#authentication pre-shareRouter1(config-isakmp)#group 2Router1(config-isakmp)#exitRouter1(config)#crypto isakmp key TUNNELKEY01
31、address 172.16.2.1 no-xauthRouter1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#exitRouter1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.Router1(config-crypto-map)#set peer 172.16.2.1Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM Router1(config-crypt
copyright@ 2008-2022 冰豆网网站版权所有
经营许可证编号:鄂ICP备2022015515号-1
升级会员 