Site-to-Site FlexVPN Lab (4): Dynamic Spoke-to-Spoke Tunnels

MengMeng: Writing this one today was exhausting. I lost the previous environment and configs, so I redid everything for this post...

Lab

This lab builds on Lab (3) and uses NHRP to establish dynamic tunnels between spokes.

 

Lab 3: a virtual template was used to build the HUB-to-SPOKE tunnels, protected by IKEv2. End result: HUB and SPOKE can ping each other.

 

Lab 4: NHRP plus a new dynamic Spoke-to-Spoke tunnel are used so that the spokes communicate directly, protected by IKEv2. End result: HUB and SPOKE can ping each other, and SPOKE1 and SPOKE2 can ping each other.

 

  • Authentication is still a mix of certificates (RSA) and pre-shared keys (PSK).
  • HUB1 acts as the certificate server (CA); SPOKE1 and SPOKE2 request and obtain their certificates from HUB1.
  • An external NTP server is used.
  • An IP address pool is configured on the HUB; each SPOKE's Tunnel1 negotiates its address with the HUB.

 

Lab topology

As shown below; the verification part is at the end of the post:

(Figure: FLEXVPN_SITE_Dynamic_2.png)

 

Interface configuration

CSR-HUB1

GigabitEthernet1       192.168.1.91 (mgmt)

GigabitEthernet2       200.1.1.1

Loopback0              192.168.10.1

 

CSR-SPOKE1

GigabitEthernet1       192.168.1.93 (mgmt)

GigabitEthernet3       200.1.1.3

 

CSR-SPOKE2

GigabitEthernet1       192.168.1.94 (mgmt)

GigabitEthernet3       200.1.1.4

 

How the FlexVPN Spoke-to-Spoke configuration works

DMVPN allows traffic to go directly from one SPOKE to another without passing through the HUB. FlexVPN also uses NHRP to achieve spoke-to-spoke communication. Unlike DMVPN, the key points of the FlexVPN NHRP configuration are:

 

  • No NHS needs to be configured: the SPOKE automatically finds the HUB and registers with it over the existing HUB-SPOKE tunnel. You may see an error in the log saying the NHS cannot be found; ignore it, it is a false message. I ran into this myself; it is a cosmetic logging bug.
  • On the HUB, configure nhrp network-id and nhrp redirect (same concept as in DMVPN).
  • On the SPOKE, configure nhrp network-id and nhrp shortcut (same concept as in DMVPN).
  • On the SPOKE, configure one extra dynamic VTI (virtual-template), which is used to build the dynamic spoke-to-spoke tunnel. This point is very important!

 

On top of the Lab (3) configuration, the tunnels get the following additional configuration:

 

CSR-HUB1 additional configuration

interface Virtual-Template1 type tunnel

# Be sure to include 'type tunnel' the first time you create the template; without it the default is a serial-type template. Once created, you do not need to type it again when re-entering the interface.

 ip nhrp network-id 1

 ip nhrp redirect

 

# Because virtual-template 1 is in use (HUB-SPOKE), it is locked and cannot be modified. I have used two methods:

1) Shut the tunnel on the SPOKE side first, then run clear crypto session ikev2 on the HUB, modify the HUB virtual-template, then no shut the SPOKE tunnel;

2) Under the HUB's ikev2 profile, remove virtual-template 1 with no, then clear crypto session ikev2, modify the HUB virtual-template, then add virtual-template 1 back.

 

 

CSR-SPOKE1 additional configuration

 

interface Virtual-Template1 type tunnel

 ip unnumbered Tunnel1

# In Lab (3) Tunnel1 was an unnumbered interface, which a virtual-template cannot reference. In Lab (4) Tunnel1 obtains its IP by negotiation from the address pool on the HUB, so the virtual-template can reference it.

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

tunnel source g3

tunnel protection ipsec profile default

!

interface Tunnel1

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

!

crypto ikev2 keyring mykeys

peer SPOKE

address 200.1.1.0 255.255.255.0

pre-shared-key Cisco123

!

crypto ikev2 profile FLEXVPN_Dynamic

match identity remote address 200.1.1.4

virtual-template 1

 

CSR-SPOKE2 additional configuration

Note: in the full CSR-SPOKE2 running config at the end of the post, the tunnel-type template is Virtual-Template2, and a leftover Virtual-Template1 created without type tunnel sits there with no ip address; the ikev2 profile and the ip nhrp shortcut lines reference virtual-template 2 accordingly.

interface Virtual-Template1 type tunnel

ip unnumbered tunnel1

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

tunnel source g3

tunnel protection ipsec profile default

!

interface Tunnel1

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

!

crypto ikev2 keyring mykeys

peer SPOKE

address 200.1.1.0 255.255.255.0

pre-shared-key Cisco123

!

crypto ikev2 profile FLEXVPN_Dynamic

match identity remote address 200.1.1.3

virtual-template 1

 

 

About the authorization policy

The authorization policy deserves emphasis because it is very useful. In this lab HUB1 performs authorization locally; in production it can also be done on ACS, pushing different parameters depending on the user group, for example negotiating the tunnel interface IP from different address pools or placing different users in different VRFs. The Lab (4) configuration is as follows:

 

aaa authorization network ike_list local

# This authorization list uses local information, not ACS.

crypto ikev2 authorization policy default

 route set interface

# Sends the interface IP to the peer.

 route set access-list flex-route

# Sends the static routes defined in the access-list to the peer. The name must match the ACL defined on the same router (the HUB uses flex-route; the spokes' running configs use flex_route).

ip access-list standard flex-route

 permit any

# On the HUB, configure any, or at least include the addresses of the SPOKE1 and SPOKE2 dynamic interfaces (172.16.0.?/32 in this lab). Otherwise a SPOKE does not know the route to the other SPOKE's dynamic interface and cannot build the spoke-to-spoke tunnel via NHRP. In short, static routes are advertised through the authorization policy.
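The checks that the spoke-template section and the authorization-policy section above boil down to (a Virtual-Template must be created with type tunnel, the ACL named in route set access-list must exist under exactly that name, and the interface a VTI borrows its address from must itself have an address) can be scripted against a running config. The script below is an added example, not from the original post; it runs on a constructed config modelled on the SPOKE2 snippets, with the flex_route/flex-route mismatch, a serial-type Virtual-Template1 and a reference to it inserted deliberately.

```python
"""Consistency checks for a FlexVPN spoke config (added example, not from the post).

Parses a small IOS-style config (child lines indented by one space, as 'show run'
prints them) and flags: a Virtual-Template created without 'type tunnel', a
'route set access-list' naming an ACL that does not exist, and 'ip unnumbered'
borrowing from an interface that has no address of its own.
"""
import re

# Constructed sample modelled on the SPOKE2 snippets in the post; the mismatched
# ACL name, the serial-type Virtual-Template1 and the reference to it are deliberate.
SAMPLE_CONFIG = """\
crypto ikev2 authorization policy default
 route set interface
 route set access-list flex_route
!
crypto ikev2 profile FLEXVPN_Dynamic
 match identity remote address 200.1.1.3 255.255.255.255
 virtual-template 2
!
interface Tunnel1
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 2
!
interface Virtual-Template1
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered Tunnel1
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
!
ip access-list standard flex-route
 permit 172.16.2.0 0.0.0.255
"""


def parse_sections(text):
    """Return {header line: [child lines]} for the top-level IOS config blocks."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' or a blank line ends the block
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def lint_flexvpn(text):
    """Return a sorted list of problem strings; an empty list means the config is clean."""
    sections = parse_sections(text)
    acls, templates, problems = set(), {}, []
    for header in sections:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        if m:
            acls.add(m.group(1))
        m = re.match(r"interface Virtual-Template(\d+)(?: type (\S+))?$", header)
        if m:                                   # value: created with 'type tunnel'?
            templates[int(m.group(1))] = m.group(2) == "tunnel"
    for header, lines in sections.items():
        for line in lines:
            m = re.match(r"route set access-list (\S+)$", line)
            if m and m.group(1) not in acls:
                problems.append(f"{header}: ACL '{m.group(1)}' is referenced but not defined")
            m = re.match(r"(?:ip nhrp shortcut )?virtual-template (\d+)$", line)
            if m and int(m.group(1)) not in templates:
                problems.append(f"{header}: Virtual-Template{m.group(1)} is referenced but not defined")
            elif m and not templates[int(m.group(1))]:
                problems.append(f"{header}: Virtual-Template{m.group(1)} was created without 'type tunnel'")
            m = re.match(r"ip unnumbered (\S+)$", line)
            if m and not any(c.startswith("ip address ")
                             for c in sections.get(f"interface {m.group(1)}", [])):
                problems.append(f"{header}: {m.group(1)} has no IP address to borrow")
    return sorted(problems)
```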

 

Verify the advertised routes with show crypto ikev2 sa detailed and show ip route:

 

CSR-SPOKE1#show crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA

 

Tunnel-id Local                 Remote               fvrf/ivrf          Status

1         200.1.1.3/500         200.1.1.1/500         none/none           READY

Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA

Life/Active Time: 86400/4223 sec

CE id: 1009, Session-id: 9

Status Description: Negotiation done

Local spi: C8200BA7E6E8FB0D       Remote spi: 2B58489790D67AF1

Local id: 200.1.1.3

Remote id: 200.1.1.1

Local req msg id: 5             Remote req msg id: 1

Local next msg id: 5             Remote next msg id: 1

Local req queued: 5             Remote req queued: 1

Local window:     5             Remote window:     5

DPD configured for 60 seconds, retry 2

Fragmentation not configured.

Extended Authentication not configured.

NAT-T is not detected

Cisco Trust Security SGT is disabled

Initiator of SA : Yes

Pushed IP address: 172.16.0.18

Default Domain: mengmeng.com

Remote subnets:

192.168.10.1 255.255.255.255 # interface advertised by the HUB

0.0.0.0 0.0.0.0 # default route advertised by the HUB

 

Tunnel-id Local                 Remote               fvrf/ivrf           Status

2         200.1.1.3/500         200.1.1.4/500         none/none            READY

Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/3794 sec

CE id: 1010, Session-id: 10

Status Description: Negotiation done

Local spi: D1F3A0345EE93D5C       Remote spi: F7D0787CD2BF1D3F

Local id: 200.1.1.3

Remote id: 200.1.1.4

Local req msg id: 3             Remote req msg id: 3

Local next msg id: 3             Remote next msg id: 3

Local req queued: 3             Remote req queued: 3

Local window:     5             Remote window:     5

DPD configured for 60 seconds, retry 2

Fragmentation not configured.

Extended Authentication not configured.

NAT-T is not detected

Cisco Trust Security SGT is disabled

Initiator of SA : Yes

Remote subnets:

172.16.0.20 255.255.255.255 # interface advertised by SPOKE2

172.16.2.0 255.255.255.0 # static route advertised by SPOKE2

 

CSR-SPOKE1# show ip route static

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

S*   0.0.0.0/0 is directly connected, Tunnel1

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks

S   %   172.16.0.20/32 is directly connected, Virtual-Access1

S       172.16.2.0/24 is directly connected, Virtual-Access1

192.168.10.0/32 is subnetted, 1 subnets

S       192.168.10.1 is directly connected, Tunnel1

 

Full configurations

CSR-HUB:

CSR-HUB1#sh run

Building configuration...

 

Current configuration : 6247 bytes

!

! Last configuration change at 09:18:01 UTC Mon Feb 1 2016

! NVRAM config last updated at 09:28:14 UTC Mon Feb 1 2016

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console auto

!

hostname CSR-HUB1

!

boot-start-marker

boot-end-marker

!

!

enable password cisco

!

aaa new-model

!

!

aaa authorization network ike_list local

!

!

!

!

!

aaa session-id common

!

!

!

!

!

!

!

!

!

!

!

 

 

 

ip domain name mengmeng.com

!

!

!

!

!

!

!

!

!

!

subscriber templating

!

multilink bundle-name authenticated

!

!

!

!

!

crypto pki server CA

no database archive

grant auto

eku server-auth client-auth

!

crypto pki trustpoint S2S-CA

enrollment url http://192.168.1.91:80

revocation-check none

!

crypto pki trustpoint CA

revocation-check crl

rsakeypair CA

!

!

crypto pki certificate chain S2S-CA

certificate 02


quit

certificate ca 01


quit

crypto pki certificate chain CA

certificate ca 01


quit

!

!

!

!

!

!

!

license udi pid CSR1000V sn 9DLA9F8BQTG

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$jOdf$LZHyt.nQTLjm5BYpz1731/

!

redundancy

crypto ikev2 authorization policy default

pool flex-pool

def-domain mengmeng.com

route set interface

route set access-list flex-route

!

!

!

crypto ikev2 keyring mykeys

peer SPOKE

address 200.1.1.0 255.255.255.0

pre-shared-key Cisco123

!

!

!

crypto ikev2 profile FLEXVPN-Dynamic

match identity remote address 200.1.1.0 255.255.255.0

authentication remote pre-share

authentication local rsa-sig

keyring local mykeys

pki trustpoint S2S-CA

dpd 60 2 on-demand

aaa authorization group psk list ike_list default

aaa authorization group cert list ike_list default

virtual-template 1

!

!

!

!

!

!

!

!

!

!

!

!

crypto ipsec profile default

set ikev2-profile FLEXVPN-Dynamic

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Loopback0

ip address 192.168.10.1 255.255.255.255

!

interface GigabitEthernet1

ip address 192.168.1.91 255.255.255.0

negotiation auto

!

interface GigabitEthernet2

ip address 200.1.1.1 255.255.255.0

negotiation auto

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

ip nhrp network-id 1

ip nhrp redirect

tunnel source GigabitEthernet2

tunnel protection ipsec profile default

!

!

virtual-service csr_mgmt

!

ip local pool flex-pool 172.16.0.1 172.16.0.254

ip forward-protocol nd

!

ip http server

no ip http secure-server

!

ip access-list standard flex-route

permit any

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

stopbits 1

line vty 0 4

password cisco

!

ntp source GigabitEthernet1

ntp server 192.168.1.8

!

end

 

CSR-SPOKE1:

 

CSR-SPOKE1#show run

Building configuration...

 

Current configuration : 5194 bytes

!

! Last configuration change at 09:53:53 UTC Mon Feb 1 2016 by admin

! NVRAM config last updated at 09:28:11 UTC Mon Feb 1 2016

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console auto

!

hostname CSR-SPOKE1

!

boot-start-marker

boot-end-marker

!

!

enable password cisco

!

aaa new-model

!

!

aaa authorization network ike_list local

!

!

!

!

!

aaa session-id common

!

!

!

!

!

!

!

!

!

!

!

 

 

 

ip domain name mengmeng.com

!

!

!

!

!

!

!

!

!

!

subscriber templating

!

multilink bundle-name authenticated

!

!

!

!

!

crypto pki trustpoint S2S-CA

enrollment url http://192.168.1.91:80

revocation-check none

!

!

crypto pki certificate chain S2S-CA

certificate 03


quit

certificate ca 01


quit

!

!

!

!

!

!

!

license udi pid CSR1000V sn 9C1LX6VGAN8

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$XNVD$qkvBYEKUIkVS02ZZHBzSR0

!

redundancy

crypto ikev2 authorization policy default

route set interface

route set access-list flex_route

!

!

!

crypto ikev2 keyring mykeys

peer SPOKE

address 200.1.1.0 255.255.255.0

pre-shared-key Cisco123

!

!

!

crypto ikev2 profile FLEXVPN_Dynamic

match identity remote address 200.1.1.1 255.255.255.255

match identity remote address 200.1.1.4 255.255.255.255

authentication remote pre-share

authentication remote rsa-sig

authentication local pre-share

keyring local mykeys

pki trustpoint S2S-CA

dpd 60 2 on-demand

aaa authorization group psk list ike_list default

aaa authorization group cert list ike_list default

virtual-template 1

!

crypto ikev2 client flexvpn FLEXVPN_CLIENT

peer 1 200.1.1.1

client connect Tunnel1

!

!

!

!

!

!

!

!

!

!

!

!

crypto ipsec profile default

set ikev2-profile FLEXVPN_Dynamic

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Loopback0

ip address 172.16.1.11 255.255.255.255

!

interface Tunnel1

ip address negotiated

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

tunnel source GigabitEthernet3

tunnel destination dynamic

tunnel protection ipsec profile default

!

interface GigabitEthernet1

ip address 192.168.1.93 255.255.255.0

negotiation auto

!

interface GigabitEthernet2

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet3

ip address 200.1.1.3 255.255.255.0

negotiation auto

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Tunnel1

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

tunnel source GigabitEthernet3

tunnel protection ipsec profile default

!

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip ssh version 1

!

ip access-list standard flex_route

permit 172.16.1.0 0.0.0.255

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

stopbits 1

line vty 0 4

password cisco

!

ntp source GigabitEthernet1

ntp server 192.168.1.8

!

end

 

CSR-SPOKE2:

CSR-SPOKE2#show run

Building configuration...

 

Current configuration : 5241 bytes

!

! Last configuration change at 10:03:49 UTC Mon Feb 1 2016 by admin

! NVRAM config last updated at 09:28:17 UTC Mon Feb 1 2016

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console auto

!

hostname CSR-SPOKE2

!

boot-start-marker

boot-end-marker

!

!

enable password cisco

!

aaa new-model

!

!

aaa authorization network ike_list local

!

!

!

!

!

aaa session-id common

!

!

!

!

!

!

!

!

!

!

!

 

 

 

ip domain name mengmeng.com

!

!

!

!

!

!

!

!

!

!

subscriber templating

!

multilink bundle-name authenticated

!

!

!

!

!

crypto pki trustpoint S2S-CA

enrollment url http://192.168.1.91:80

revocation-check none

!

!

crypto pki certificate chain S2S-CA

certificate 04


quit

certificate ca 01


quit

!

!

!

!

!

!

!

license udi pid CSR1000V sn 9VCQA11QETT

!

spanning-tree extend system-id

!

username admin privilege 15 secret 5 $1$NQEe$duGHoSnjS/I22EGK9EFiJ0

!

redundancy

crypto ikev2 authorization policy default

route set interface

route set access-list flex_route

!

!

!

crypto ikev2 keyring mykeys

peer SPOKE

address 200.1.1.0 255.255.255.0

pre-shared-key Cisco123

!

!

!

crypto ikev2 profile FLEXVPN_Dynamic

match identity remote address 200.1.1.1 255.255.255.255

match identity remote address 200.1.1.3 255.255.255.255

authentication remote pre-share

authentication remote rsa-sig

authentication local pre-share

keyring local mykeys

pki trustpoint S2S-CA

dpd 60 2 on-demand

aaa authorization group psk list ike_list default

aaa authorization group cert list ike_list default

virtual-template 2

!

crypto ikev2 client flexvpn FLEXVPN_CLIENT

peer 1 200.1.1.1

client connect Tunnel1

!

!

!

!

!

!

!

!

!

!

!

!

crypto ipsec profile default

set ikev2-profile FLEXVPN_Dynamic

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Loopback0

ip address 172.16.200.22 255.255.255.255

!

interface Tunnel1

ip address negotiated

ip nhrp network-id 1

ip nhrp shortcut virtual-template 1

tunnel source GigabitEthernet3

tunnel destination dynamic

tunnel protection ipsec profile default

!

interface GigabitEthernet1

ip address 192.168.1.94 255.255.255.0

negotiation auto

!

interface GigabitEthernet2

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet3

ip address 200.1.1.4 255.255.255.0

negotiation auto

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

!

interface Virtual-Template1

no ip address

!

interface Virtual-Template2 type tunnel

ip unnumbered Tunnel1

ip nhrp network-id 1

ip nhrp shortcut virtual-template 2

tunnel source GigabitEthernet3

tunnel protection ipsec profile default

!

!

virtual-service csr_mgmt

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip ssh version 1

!

ip access-list standard flex_route

permit 172.16.2.0 0.0.0.255

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

stopbits 1

line vty 0 4

password cisco

!

ntp source GigabitEthernet1

ntp server 192.168.1.8

!

end

 

Verification

If the tunnel or the crypto session does not negotiate properly, shut/no shut the tunnel interface and run clear crypto session ikev2.

The results of show crypto ikev2 sa detailed and show ip route are shown earlier in the post.

CSR-SPOKE1#show ip int br

Interface             IP-Address     OK? Method Status               Protocol

GigabitEthernet1       192.168.1.93   YES manual up                    up

GigabitEthernet2       unassigned     YES NVRAM administratively down down

GigabitEthernet3       200.1.1.3       YES manual up                   up

GigabitEthernet4       unassigned     YES NVRAM administratively down down

Loopback0             172.16.1.11     YES manual up                   up

Tunnel1               172.16.0.18     YES manual up                   up

Virtual-Access1       172.16.0.18     YES unset up                   up

Virtual-Template1     172.16.0.18     YES unset up                   down

 

CSR-SPOKE1#ping 172.16.0.20 so 172.16.0.18

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:

Packet sent with a source address of 172.16.0.18

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/11/19 ms

 

CSR-SPOKE1# show ip nhrp

# show ip nhrp returns nothing on the HUB; run it on the SPOKE.

172.16.0.18/32 via 172.16.0.18

Virtual-Access1 created 01:12:48, expire 00:47:11

Type: dynamic, Flags: router unique local

NBMA address: 200.1.1.3

(no-socket)

172.16.0.20/32 via 172.16.0.20

Virtual-Access1 created 01:12:48, expire 00:47:14

Type: dynamic, Flags: router nhop rib nho

NBMA address: 200.1.1.4
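To confirm from device output that traffic really takes the spoke-to-spoke path, the following added example (not from the original post) parses constructed samples shaped like the show ip nhrp output just above and the show crypto ikev2 sa detailed output earlier in the post. It picks out every NHRP shortcut next-hop (flags nhop and rib, not local), checks that a READY IKEv2 SA exists to that peer's NBMA address, and reports how the SA was authenticated (PSK/PSK for the spoke-to-spoke SA, as the post shows).

```python
"""Verify from 'show' output that a spoke-to-spoke shortcut is in use.

Added example, not from the original post. Both samples below are constructed
in the shape of the CSR-SPOKE1 output shown in the post.
"""
import re

# Constructed sample in the shape of 'show ip nhrp' on the spoke.
NHRP_OUTPUT = """\
172.16.0.18/32 via 172.16.0.18
   Virtual-Access1 created 01:12:48, expire 00:47:11
   Type: dynamic, Flags: router unique local
   NBMA address: 200.1.1.3
    (no-socket)
172.16.0.20/32 via 172.16.0.20
   Virtual-Access1 created 01:12:48, expire 00:47:14
   Type: dynamic, Flags: router nhop rib nho
   NBMA address: 200.1.1.4
"""

# Constructed sample reduced to the lines this check needs from
# 'show crypto ikev2 sa detailed' (SA 1 to the hub, SA 2 to SPOKE2).
IKEV2_SA_OUTPUT = """\
Tunnel-id Local                 Remote               fvrf/ivrf          Status
1         200.1.1.3/500         200.1.1.1/500         none/none           READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
      Status Description: Negotiation done

Tunnel-id Local                 Remote               fvrf/ivrf           Status
2         200.1.1.3/500         200.1.1.4/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Status Description: Negotiation done
"""


def parse_nhrp(text):
    """Return one dict per NHRP entry: prefix, nexthop, interface, flags, nbma."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(\S+/\d+) via (\S+)$", line)
        if m:                                   # an unindented line starts an entry
            entries.append({"prefix": m.group(1), "nexthop": m.group(2),
                            "interface": None, "flags": set(), "nbma": None})
            continue
        if not entries:
            continue
        cur = entries[-1]
        m = re.match(r"\s+(\S+) created ", line)
        if m:
            cur["interface"] = m.group(1)
        m = re.search(r"Flags: (.+)$", line)
        if m:
            cur["flags"] = set(m.group(1).split())
        m = re.search(r"NBMA address: (\S+)$", line)
        if m:
            cur["nbma"] = m.group(1)
    return entries


def parse_ikev2_sas(text):
    """Return {remote IP: (status, auth sign, auth verify)} for each IKEv2 SA."""
    sas, remote = {}, None
    for line in text.splitlines():
        m = re.match(r"\d+\s+\S+/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)$", line)
        if m:                                   # SA summary row: id local remote vrf status
            remote = m.group(1)
            sas[remote] = [m.group(2), None, None]
            continue
        m = re.search(r"Auth sign: (\S+), Auth verify: (\S+)", line)
        if m and remote is not None:
            sas[remote][1:] = [m.group(1), m.group(2)]
    return {ip: tuple(v) for ip, v in sas.items()}


def verify_shortcuts(nhrp_text, sa_text):
    """For every NHRP shortcut next-hop (flags contain 'nhop' and 'rib', not
    'local') return (prefix, nbma, sa_ready, 'sign/verify'); sa_ready is True
    only when a READY IKEv2 SA exists to that NBMA address."""
    sas = parse_ikev2_sas(sa_text)
    report = []
    for e in parse_nhrp(nhrp_text):
        if "local" in e["flags"] or not {"nhop", "rib"} <= e["flags"]:
            continue
        sa = sas.get(e["nbma"])
        ready = sa is not None and sa[0] == "READY"
        auth = f"{sa[1]}/{sa[2]}" if sa else None
        report.append((e["prefix"], e["nbma"], ready, auth))
    return report
```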

 

CSR-SPOKE1#show crypto ipsec sa | section Crypto | #pkts

Crypto map tag: Tunnel1-head-0, local addr 200.1.1.3

#pkts encaps: 663, #pkts encrypt: 663, #pkts digest: 663

#pkts decaps: 660, #pkts decrypt: 660, #pkts verify: 660

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

   Crypto map tag: Virtual-Access1-head-0, local addr 200.1.1.3

#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28

#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

 

 

CSR-SPOKE1# show crypto map

Interfaces using crypto map NiStTeSt1:

 

Crypto Map: "Tunnel1-head-0" IKEv2 profile: FLEXVPN_Dynamic

 

Crypto Map IPv4 "Tunnel1-head-0" 65536 ipsec-isakmp

IKEv2 Profile: FLEXVPN_Dynamic

Profile name: default

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

default: { esp-aes esp-sha-hmac } ,

}

 

Crypto Map IPv4 "Tunnel1-head-0" 65537 ipsec-isakmp

Map is a PROFILE INSTANCE.

Peer = 200.1.1.1

IKEv2 Profile: FLEXVPN_Dynamic

Extended IP access list

access-list permit gre host 200.1.1.3 host 200.1.1.1

Current peer: 200.1.1.1

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

default: { esp-aes esp-sha-hmac } ,

}

Always create SAs

Interfaces using crypto map Tunnel1-head-0:

Tunnel1

 

 

Crypto Map: "Virtual-Access1-head-0" IKEv2 profile: FLEXVPN_Dynamic

 

Crypto Map IPv4 "Virtual-Access1-head-0" 65536 ipsec-isakmp

IKEv2 Profile: FLEXVPN_Dynamic

Profile name: default

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

default: { esp-aes esp-sha-hmac } ,

}

 

Crypto Map IPv4 "Virtual-Access1-head-0" 65537 ipsec-isakmp

Map is a PROFILE INSTANCE.

Peer = 200.1.1.4

IKEv2 Profile: FLEXVPN_Dynamic

Extended IP access list

access-list permit gre host 200.1.1.3 host 200.1.1.4

Current peer: 200.1.1.4

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

default: { esp-aes esp-sha-hmac } ,

}

Interfaces using crypto map Virtual-Access1-head-0:

Virtual-Access1

 

 

Crypto Map: "Virtual-Template1-head-0" IKEv2 profile: FLEXVPN_Dynamic

 

Crypto Map IPv4 "Virtual-Template1-head-0" 65536 ipsec-isakmp

IKEv2 Profile: FLEXVPN_Dynamic

Profile name: default

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

default: { esp-aes esp-sha-hmac } ,

}

Interfaces using crypto map Virtual-Template1-head-0:

 
