Site-to-Site FlexVPN Lab (3): Dynamic Tunnels Between HUB and SPOKE

About FlexVPN vs. IPsec VPN

A friend asked earlier: aren't FlexVPN and IPsec VPN the same thing?

First, don't pay too much attention to the names of the various VPNs. They are marketing terms coined by Cisco or other vendors and carry little meaning. What matters is which protocol is used and how that protocol works. You may be called Zhang San, Li Si, or even an English name like James, but you are still the same person.

About this question... going back to lab (1): FlexVPN uses IKEv2, whereas the traditional so-called IPsec VPN uses IKEv1. The two protocols are fundamentally different in nature and in principle.

 

IKEv1

The IKEv1 framework has two phases. The first phase negotiates and authenticates the peers (the IKE phase) and can use either main mode or aggressive mode. The second phase negotiates the IPsec security parameters, such as how traffic is encrypted (the IPsec phase). The second phase has only one mode, quick mode.

IKEv1 separates the two negotiation phases, IKE SA and IPsec SA, very clearly. When troubleshooting, we first check whether the phase 1 IKE SA/ISAKMP SA has been negotiated and established, and only then whether the phase 2 IPsec SA has been negotiated and established.

 

IKEv2

The IKEv2 framework has three exchanges: 1) IKE_INIT, 2) IKE_AUTH and 3) CREATE_CHILD_SA. The first exchange establishes an encrypted channel, after which the second and third exchanges take place entirely under encryption, which is more secure. The second exchange authenticates with the configured method (such as RSA or PSK) and carries the information for both the ISAKMP (IKE) SA and the IPsec SA. The third exchange is the equivalent of IKEv1 phase 2, but uses fewer packets.

IKEv2 merges the IKE SA and IPsec SA negotiations, because the protocol designers realized that nobody uses IKE and IPsec separately; a setup that configures IKE without IPsec simply does not exist... so why keep two separate protocols?

IKEv2 does not split IKE negotiation and IPsec negotiation into separate phases; one exchange negotiates both, so why not? The result is an encrypted tunnel built with fewer packet exchanges, as the figure below shows. The benefit of fewer packets is self-evident. IKEv2 has no main mode / aggressive mode distinction: it keeps the low packet count of aggressive mode while retaining main mode's ability to identify and verify the peer's identity and resist DoS attacks. Lab (1) lists more advantages; the downside is that anyone used to IKEv1 will find it confusing at first.

[Figure: IKEv2 packet exchange; image 115936-understanding-ikev2-packet-exch-debug-01]

Lab

This lab uses a virtual template to build dynamic tunnels between the HUB and the SPOKEs. Authentication is again a mix of certificate (RSA) and pre-shared key (PSK). The goal is that the HUB tunnel address 192.168.10.1 can ping the SPOKE1 tunnel address 172.16.1.1 and the SPOKE2 tunnel address 172.16.2.1. A "Verification" section follows the configurations, where I describe the verification method and the results. Verification is extremely important, both at work and in exams.

A follow-up lab will go further and use NHRP to build dynamic SPOKE-to-SPOKE tunnels.

The lab topology is shown below. HUB1 acts as the certificate server (CA); SPOKE1 and SPOKE2 request and obtain their certificates from HUB1. An external NTP server provides time.

[Figure: lab topology; image FLEXVPN_SITE_Dynamic.png]

 

Interface assignments:

CSR-HUB1
GigabitEthernet1    192.168.1.91 (mgmt)
GigabitEthernet2    200.1.1.1
Loopback0           192.168.10.1
Loopback1           192.168.100.1

CSR-SPOKE1
GigabitEthernet1    192.168.1.93 (mgmt)
GigabitEthernet3    200.1.1.3
Loopback0           172.16.1.1
Loopback1           172.16.100.1

CSR-SPOKE2
GigabitEthernet1    192.168.1.94 (mgmt)
GigabitEthernet3    200.1.1.4
Loopback0           172.16.2.1

 

CSR-HUB1 configuration

 

CSR-HUB1#show run
Building configuration...

Current configuration : 6460 bytes
!
! Last configuration change at 00:41:21 UTC Fri Jan 29 2016 by admin
! NVRAM config last updated at 00:41:21 UTC Fri Jan 29 2016 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-HUB1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki server CA
 no database archive
 grant auto
 eku server-auth client-auth
!
crypto pki trustpoint CA
 revocation-check crl
 rsakeypair CA
!
crypto pki trustpoint S2S-CA
 enrollment url http://192.168.1.91:80
 subject-name cn=HUB1,ou=mm.com
 revocation-check crl
!
crypto pki certificate chain CA
 certificate ca 01

 quit
crypto pki certificate chain S2S-CA
 certificate 02

 quit
 certificate ca 01

 quit
!
license udi pid CSR1000V sn 9TR6B6610DS
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$zINL$Gf.DJe6Gik9lBzwkmsmAa1
!
redundancy
crypto ikev2 authorization policy default
 def-domain mm.com
 route set interface
 route set access-list flex_route
!
crypto ikev2 keyring mykeys
 peer SPOKE
  address 200.1.1.0 255.255.255.0
  pre-shared-key Cisco123
 !
!
crypto ikev2 profile FLEXVPN-Dynamic
 match identity remote address 200.1.1.0 255.255.255.0
 authentication remote pre-share
 authentication local rsa-sig
 keyring local mykeys
 pki trustpoint S2S-CA
 dpd 60 2 on-demand
 aaa authorization group psk list ike_list default
 aaa authorization group cert list ike_list default
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN-Dynamic
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.100.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 192.168.1.91 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 200.1.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet2
 tunnel protection ipsec profile default
!
router eigrp 1
 network 192.168.10.0
 network 192.168.100.0
!
virtual-service csr_mgmt
!
ip local pool flex-pool 172.16.0.1 172.16.0.254
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex-route
 permit any
ip access-list standard flex_route
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end

 

 

CSR-SPOKE1 configuration

 

CSR-SPOKE1#show run
Building configuration...

Current configuration : 4977 bytes
!
! Last configuration change at 01:02:48 UTC Fri Jan 29 2016 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
 enrollment url http://192.168.1.91:80
 revocation-check none
!
crypto pki certificate map S2S-Map 10
 issuer-name eq ca
!
crypto pki certificate chain S2S-CA
 certificate 04

 quit
 certificate ca 01

 quit
!
license udi pid CSR1000V sn 9QKHH15ZASW
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$hpO9$iuvo4QXwaYNATueef.jMc0
!
redundancy
crypto ikev2 authorization policy default
 route set interface
 route set access-list flex_route
!
crypto ikev2 keyring mykeys
 peer HUB
  address 200.1.1.1
  pre-shared-key Cisco123
 !
!
crypto ikev2 profile FLEXVPN_Dynamic
 match identity remote address 200.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication remote rsa-sig
 authentication local pre-share
 keyring local mykeys
 pki trustpoint S2S-CA
 dpd 60 2 on-demand
 aaa authorization group psk list ike_list default
 aaa authorization group cert list ike_list default
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 1 200.1.1.1
 client connect Tunnel1
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.100.1 255.255.255.255
!
interface Tunnel1
 description to hub1
 ip unnumbered Loopback0
 delay 500
 tunnel source GigabitEthernet3
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
interface GigabitEthernet1
 ip address 192.168.1.93 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 no ip address
 negotiation auto
!
interface GigabitEthernet3
 ip address 200.1.1.3 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 negotiation auto
!
router eigrp 1
 network 172.16.0.0
 network 172.16.100.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
 permit 172.16.1.0 0.0.0.255
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end

 

CSR-SPOKE2 configuration

CSR-SPOKE2#show run
Building configuration...

Current configuration : 4757 bytes
!
! Last configuration change at 00:06:48 UTC Fri Jan 29 2016 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
 enrollment url http://192.168.1.91:80
 revocation-check none
!
crypto pki certificate chain S2S-CA
 certificate 05

 quit
 certificate ca 01

 quit
!
license udi pid CSR1000V sn 99RWKS44J5X
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$JiwR$8bSDjrkmXRi0VVhMbGSat0
!
redundancy
crypto ikev2 authorization policy default
 route set interface
 route set access-list flex_route
!
crypto ikev2 keyring mykeys
 peer HUB
  address 200.1.1.1
  pre-shared-key Cisco123
 !
!
crypto ikev2 profile FLEXVPN_Dynamic
 match identity remote address 200.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication remote rsa-sig
 authentication local pre-share
 keyring local mykeys
 pki trustpoint S2S-CA
 dpd 60 2 on-demand
 aaa authorization group psk list ike_list default
 aaa authorization group cert list ike_list default
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 1 200.1.1.1
 client connect Tunnel1
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet3
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
interface GigabitEthernet1
 ip address 192.168.1.94 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 no ip address
 negotiation auto
!
interface GigabitEthernet3
 ip address 200.1.1.4 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
 permit 172.16.2.0 0.0.0.255
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
!
ntp server 192.168.1.8
!
end

 

Verification

CSR-HUB1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.91    YES NVRAM  up                    up
GigabitEthernet2       200.1.1.1       YES manual up                    up
GigabitEthernet3       unassigned      YES manual down                  down
GigabitEthernet4       unassigned      YES NVRAM  administratively down down
Loopback0              192.168.10.1    YES manual up                    up
Loopback1              192.168.100.1   YES NVRAM  up                    up
Virtual-Access1        192.168.10.1    YES unset  up                    up      # tunnel interface spawned from the virtual template, connected to SPOKE1's Tu1
Virtual-Access2        192.168.10.1    YES unset  up                    up      # a second tunnel interface spawned from the same virtual template, connected to SPOKE2's Tu1
Virtual-Template1      192.168.10.1    YES unset  up                    down

CSR-SPOKE1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.93    YES NVRAM  up                    up
GigabitEthernet2       unassigned      YES manual down                  down
GigabitEthernet3       200.1.1.3       YES manual up                    up
GigabitEthernet4       unassigned      YES manual up                    up
Loopback0              172.16.1.1      YES manual up                    up
Loopback1              172.16.100.1    YES manual up                    up
Tunnel1                172.16.1.1      YES TFTP   up                    up

CSR-HUB1#ping 172.16.1.1 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/11 ms

CSR-HUB1#ping 172.16.2.1 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms

CSR-SPOKE1#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.1.3/500         200.1.1.1/500         none/none           READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA   # authentication methods
      Life/Active Time: 86400/4657 sec
      CE id: 1039, Session-id: 3
      Status Description: Negotiation done
      Local spi: 01ADA7BB4DA0E34D       Remote spi: 13A01100B375CD16
      Local id: 200.1.1.3
      Remote id: 200.1.1.1
      Local req msg id:  6              Remote req msg id:  2
      Local next msg id: 6              Remote next msg id: 2
      Local req queued:  6              Remote req queued:  2
      Local window:      5              Remote window:      5
      DPD configured for 60 seconds, retry 2
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Default Domain: mm.com
      Remote subnets:
      192.168.10.1 255.255.255.255   # controlled by the ikev2 authorization policy: once authentication succeeds, authorization runs, and the "route set interface" / "route set access-list xxx" commands send the local interface address and static routes to the peer.

CSR-SPOKE1#show ip route static

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
S        192.168.10.1/32 is directly connected, Tunnel1   # static route received from the HUB

CSR-HUB1#show ip route static

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
S        172.16.1.0/24 is directly connected, Virtual-Access1   # static route received from SPOKE1
S        172.16.1.1/32 is directly connected, Virtual-Access1
S        172.16.2.0/24 is directly connected, Virtual-Access2   # static route received from SPOKE2
S        172.16.2.1/32 is directly connected, Virtual-Access2
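The static routes above are exactly what the IKEv2 authorization policy pushes. The following model (an added example, not code from the original post or from Cisco) reproduces the two rules the verification shows: `route set interface` sends the local tunnel address as a /32, and `route set access-list NAME` sends each `permit` entry of the standard ACL as a prefix. It also explains why each spoke learns only 192.168.10.1/32 from the HUB: the HUB's policy references `flex_route` (underscore), which is empty in its running config, while the `permit any` entry lives in the unreferenced `flex-route` (hyphen). The "what-if" function shows the model's prediction if the policy pointed at the ACL that actually has `permit any`; that prediction is an assumption of the model, not something the page verifies.

```python
"""Model of what a FlexVPN IKEv2 authorization policy pushes to the peer.

Rules modelled (added example, not from the original post):
  route set interface          -> the local tunnel interface address as a /32
  route set access-list NAME   -> each `permit` entry of standard ACL NAME
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A standard ACL as a list of permit entries: (address or "any", wildcard mask or None)
Acl = List[Tuple[str, Optional[str]]]


def acl_entry_to_prefix(addr: str, wildcard: Optional[str]) -> ipaddress.IPv4Network:
    """Translate an IOS standard-ACL permit entry into a prefix.
    `permit any` is taken as 0.0.0.0/0 (model assumption)."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    prefixlen = 32 - bin(wc).count("1")            # wildcard 0.0.0.255 -> /24
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def pushed_routes(tunnel_ip: str, set_interface: bool, acl_name: Optional[str],
                  acls: Dict[str, Acl]) -> List[ipaddress.IPv4Network]:
    """Prefixes the *peer* will install as static routes pointing at the tunnel.
    A referenced ACL that is empty or undefined contributes nothing."""
    routes: List[ipaddress.IPv4Network] = []
    if set_interface:
        routes.append(ipaddress.IPv4Network(f"{tunnel_ip}/32"))
    if acl_name:
        routes += [acl_entry_to_prefix(a, w) for a, w in acls.get(acl_name, [])]
    return routes


# ACLs exactly as they appear in the three running configs on this page.
HUB_ACLS: Dict[str, Acl] = {
    "flex-route": [("any", None)],   # hyphen: defined, but never referenced by the policy
    "flex_route": [],                # underscore: referenced by the policy, but empty
}
SPOKE1_ACLS: Dict[str, Acl] = {"flex_route": [("172.16.1.0", "0.0.0.255")]}
SPOKE2_ACLS: Dict[str, Acl] = {"flex_route": [("172.16.2.0", "0.0.0.255")]}


def hub_pushes() -> List[str]:
    """What each spoke learns from the HUB: only the interface /32."""
    return [str(r) for r in pushed_routes("192.168.10.1", True, "flex_route", HUB_ACLS)]


def spoke_pushes(tunnel_ip: str, acls: Dict[str, Acl]) -> List[str]:
    """What the HUB learns from a spoke: the interface /32 plus the ACL prefix."""
    return [str(r) for r in pushed_routes(tunnel_ip, True, "flex_route", acls)]


def hub_pushes_if_acl_fixed() -> List[str]:
    """What-if under this model: the policy points at the ACL that has `permit any`."""
    return [str(r) for r in pushed_routes("192.168.10.1", True, "flex-route", HUB_ACLS)]


if __name__ == "__main__":
    print("HUB -> spokes :", hub_pushes())
    print("SPOKE1 -> HUB :", spoke_pushes("172.16.1.1", SPOKE1_ACLS))
    print("SPOKE2 -> HUB :", spoke_pushes("172.16.2.1", SPOKE2_ACLS))
    print("HUB (what-if) :", hub_pushes_if_acl_fixed())
```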

 

CSR-HUB1#show crypto ipsec sa | sec Crypto | #pkts
Crypto map tag: Virtual-Access1-head-0, local addr 200.1.1.1   # IPsec encrypt/decrypt counters on Virtual-Access1, proving IPsec is doing its job
   #pkts encaps: 853, #pkts encrypt: 853, #pkts digest: 853
   #pkts decaps: 896, #pkts decrypt: 896, #pkts verify: 896
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
Crypto map tag: Virtual-Access2-head-0, local addr 200.1.1.1   # IPsec encrypt/decrypt counters on Virtual-Access2, proving IPsec is doing its job
   #pkts encaps: 843, #pkts encrypt: 843, #pkts digest: 843
   #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
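The two show outputs above are the checks I would script rather than eyeball. The following parser (an added example, not from the original post) reads the `show crypto ikev2 sa detailed` row and confirms the hybrid scheme this lab intends on the spoke (Auth sign: PSK, Auth verify: RSA), then reads the `#pkts` counters per Virtual-Access interface and classifies each tunnel; the 10x asymmetry threshold is an assumption, and with it Virtual-Access2 (843 out, 10 in) is flagged as worth a second look, which a bare "IPsec works" reading of the counters would miss. The sample text is constructed from the outputs shown on this page.

```python
import re

# Constructed samples: copied from the verification output on this page.
SAMPLE_IKEV2 = """\
Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.1.3/500         200.1.1.1/500         none/none           READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
      Life/Active Time: 86400/4657 sec
"""
SAMPLE_IPSEC = """\
Crypto map tag: Virtual-Access1-head-0, local addr 200.1.1.1
   #pkts encaps: 853, #pkts encrypt: 853, #pkts digest: 853
   #pkts decaps: 896, #pkts decrypt: 896, #pkts verify: 896
Crypto map tag: Virtual-Access2-head-0, local addr 200.1.1.1
   #pkts encaps: 843, #pkts encrypt: 843, #pkts digest: 843
   #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""

SA_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\w+)\s*$")
AUTH_RE = re.compile(r"Auth sign:\s*(\w+),\s*Auth verify:\s*(\w+)")
TAG_RE = re.compile(r"Crypto map tag:\s*(\S+),\s*local addr\s*(\S+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_ikev2_sa(text):
    """One dict per SA row; Auth sign/verify come from the detail line under the row."""
    lines, sas = text.splitlines(), []
    for i, line in enumerate(lines):
        m = SA_ROW_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        am = AUTH_RE.search(nxt)
        sas.append({"id": int(m.group(1)), "local": m.group(2), "remote": m.group(3),
                    "status": m.group(4),
                    "auth_sign": am.group(1) if am else None,
                    "auth_verify": am.group(2) if am else None})
    return sas


def check_hybrid_auth(sa, expect_sign="PSK", expect_verify="RSA"):
    """True when the SA is READY and the spoke signed with the PSK while
    verifying the HUB's RSA signature, i.e. the hybrid scheme this lab configures."""
    return (sa["status"] == "READY" and sa["auth_sign"] == expect_sign
            and sa["auth_verify"] == expect_verify)


def parse_ipsec_counters(text):
    """{'Virtual-Access1': {'encaps': 853, 'decaps': 896}, ...}"""
    counters, current = {}, None
    for line in text.splitlines():
        t = TAG_RE.search(line)
        if t:
            current = t.group(1).rsplit("-head-", 1)[0]   # Virtual-Access1-head-0 -> Virtual-Access1
            counters[current] = {"encaps": 0, "decaps": 0}
            continue
        for name, value in PKTS_RE.findall(line):
            if current is not None:
                counters[current][name] = int(value)
    return counters


def traffic_findings(counters, ratio=10):
    """'one-way' if a direction has never carried a packet, 'asymmetric' if one direction
    exceeds the other by more than `ratio` (assumed threshold), otherwise 'ok'."""
    findings = {}
    for intf, c in counters.items():
        lo, hi = sorted((c["encaps"], c["decaps"]))
        findings[intf] = "one-way" if lo == 0 else "asymmetric" if hi > ratio * lo else "ok"
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sa(SAMPLE_IKEV2):
        print(sa["local"], "->", sa["remote"], "hybrid auth ok:", check_hybrid_auth(sa))
    print(traffic_findings(parse_ipsec_counters(SAMPLE_IPSEC)))
```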

With routing configured on top (I use EIGRP), Lo1 on the HUB (192.168.100.1) can ping Lo1 on the SPOKE (172.16.100.1).

CSR-HUB1#ping 172.16.100.1 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/12 ms

 
