IPsec VPN Comprehensive Lab
In a traditional IPsec VPN deployment, the NAT policy conflicts with the IPsec interesting-traffic ACL: the outbound NAT rule also matches the site-to-site traffic that is meant to enter the tunnel.
Here the headquarters network and the branch network each add a separate IPsec VPN gateway in a one-armed (side-attached) topology, and a policy-based route on the NAT gateway separates the internet-bound NAT traffic from the IPsec VPN traffic.
The headquarters IPsec VPN gateway peers with the branch IPsec VPN gateway, so the two kinds of traffic never conflict and the remote branch LANs can reach each other.
Headquarters network
Network plan
| Device | Interface / IP address | Purpose |
|---|---|---|
| AR1 (NAT gateway) | g0/0/1 (10.0.12.1/24) | To the ISP (carries everyday internet traffic) |
| AR1 (NAT gateway) | g0/0/2 (172.17.26.1/24) | To the IPsec VPN gateway (IPsec traffic split off from NAT traffic) |
| AR1 (NAT gateway) | g0/0/0 (172.17.1.1/24) | Link between the L3 switch and AR1 |
| AR4 (IPsec VPN gateway) | g0/0/1 (10.0.24.4/24) | To the ISP (carries IPsec VPN traffic) |
| AR4 (IPsec VPN gateway) | g0/0/2 (172.17.26.4/24) | To the NAT gateway (carries the IPsec traffic split off from the NAT network) |
| AR4 (IPsec VPN gateway) | g0/0/0 (172.16.1.254/24) | Link between the L3 switch and AR4 |
| LSW2 | vlanif17: 172.17.1.254/24 | Link between LSW2 and AR1 |
| LSW2 | vlanif16: 172.17.1.254/24 | Link between LSW2 and AR4 |
| LSW2 | vlanif1: 192.168.1.254/24 | Gateway vlanif for the end devices |
| LSW2 | g0/0/1 | Connects PC1 |
| LSW2 | g0/0/2 | Connects the server |
Vlanif-OSPF
LSW2:
[LSW2]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 192.168.1.254/24 up up
Vlanif17 172.17.1.254/24 up up
[LSW2]display current-configuration
#
interface Vlanif1
ip address 192.168.1.254 255.255.255.0
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif17
ip address 172.17.1.254 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
#
interface GigabitEthernet0/0/2
port link-type access
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 17
#
ospf 1
area 0.0.0.0
#
Route-OSPF-NAT
AR1:
[AR1]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.17.1.1/24 up up
GigabitEthernet0/0/1 10.0.12.1/24 up up
GigabitEthernet0/0/2 172.17.26.1/24 up up
NULL0 unassigned up up(s)
[AR1]display current-configuration
#
interface GigabitEthernet0/0/0
ip address 172.17.1.1 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/1
ip address 10.0.12.1 255.255.255.0
ospf enable 1 area 0.0.0.0
nat outbound 2000
#
interface GigabitEthernet0/0/2
ip address 172.17.26.1 255.255.255.0
ospf enable 1 area 0.0.0.0
#
ospf 1
default-route-advertise
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.12.2
#
# NAT policy
[AR1]display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit
AR4:
[AR4]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 unassigned up up
GigabitEthernet0/0/1 10.0.24.4/24 up up
GigabitEthernet0/0/2 172.17.26.4/24 up up
NULL0 unassigned up up(s)
[AR4]display current-configuration
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 10.0.24.4 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/2
ip address 172.17.26.4 255.255.255.0
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
Splitting IPsec traffic off on the NAT gateway
AR1:
[AR1]display current-configuration
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
traffic classifier 1.0 operator or
if-match acl 3000
#
traffic behavior ipsec
redirect ip-nexthop 172.17.26.4
#
traffic policy ipsec
classifier 1.0 behavior ipsec
# apply this policy on the inbound interface
interface GigabitEthernet0/0/0
ip address 172.17.1.1 255.255.255.0
traffic-policy ipsec inbound
ospf enable 1 area 0.0.0.0
#
Configure IPsec VPN
AR4:
# define the IPsec interesting traffic
[AR4]acl 3000
[AR4-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
# configure the IKE proposal
[AR4]ike proposal 1
[AR4-ike-proposal-1]encryption-algorithm aes-cbc-256
[AR4-ike-proposal-1]authentication-algorithm sha1
[AR4-ike-proposal-1]authentication-method pre-share
[AR4-ike-proposal-1]dh group14
[AR4-ike-proposal-1]sa duration 1200
# configure the IKE peer
[AR4]ike peer 1 v2
[AR4-ike-peer-1]remote-address 10.0.23.3
[AR4-ike-peer-1]pre-shared-key simple 123456789
[AR4-ike-peer-1]ike-proposal 1
[AR4-ike-peer-1]quit
# define the IPsec proposal
[AR4]ipsec proposal 1
[AR4-ipsec-proposal-1]encapsulation-mode tunnel
[AR4-ipsec-proposal-1]esp authentication-algorithm sha1
[AR4-ipsec-proposal-1]esp encryption-algorithm aes-256
# configure the IPsec policy
[AR4]ipsec policy 1 1 isakmp
[AR4-ipsec-policy-isakmp-1-1]security acl 3000
[AR4-ipsec-policy-isakmp-1-1]proposal 1
[AR4-ipsec-policy-isakmp-1-1]ike-peer 1
# apply it on the outbound interface
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ipsec policy 1
Verification:
Check that the PC obtains an IP address and can reach the internet
- ping an external address
ISP network
Network plan
| Device | Interface / IP address | Connects to |
|---|---|---|
| AR2 | g0/0/0 (10.0.12.1/24) | AR1 |
| AR2 | g0/0/2 (10.0.24.2/24) | AR4 |
| AR2 | g0/0/1 (10.0.23.2/24) | LSW4 |
| LSW4 | (only expands the access points of the network; no configuration) | |
Static-Route
AR2:
[AR2]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.12.2/24 up up
GigabitEthernet0/0/1 10.0.23.2/24 up up
GigabitEthernet0/0/2 10.0.24.2/24 up up
NULL0 unassigned up up(s)
# configure static routes so that the two site networks can reach each other
[AR2]display this
[V200R003C00]
#
ip route-static 10.0.12.0 255.255.255.0 10.0.12.1
ip route-static 10.0.23.0 255.255.255.0 10.0.23.3
ip route-static 10.0.24.0 255.255.255.0 10.0.24.4
#
Verification:
Branch network
Network plan
| Device | Interface / IP address | Connects to |
|---|---|---|
| AR5 (NAT gateway) | g0/0/1 (10.0.23.5/24) | The ISP |
| AR5 (NAT gateway) | g0/0/2 (172.26.1.0/24) | The IPsec VPN gateway |
| AR5 (NAT gateway) | g0/0/0 (192.168.3.1/24) | LSW1 |
| AR3 (IPsec VPN gateway) | g0/0/0 (10.0.23.3/24) | The ISP |
| AR3 (IPsec VPN gateway) | g0/0/1 (192.168.4.1/24) | LSW1 |
| AR3 (IPsec VPN gateway) | g0/0/2 (172.26.1.3/24) | The NAT gateway |
| LSW1 | vlanif3: 192.168.3.254/24 | AR5 |
| LSW1 | vlanif4: 192.168.4.254/24 | AR3 |
| LSW1 | vlanif2: 192.168.2.254/24 | Gateway vlanif for the branch end devices |
Vlanif-OSPF
LSW1:
[LSW1]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif2 192.168.2.254/24 up up
Vlanif3 192.168.3.254/24 up up
[LSW1]display current-configuration
#
interface Vlanif2
ip address 192.168.2.254 255.255.255.0
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif3
ip address 192.168.3.254 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 3
#
Route-OSPF-NAT
AR5:
[AR5]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.3.1/24 up up
GigabitEthernet0/0/1 10.0.23.5/24 up up
GigabitEthernet0/0/2 172.26.1.5/24 up up
NULL0 unassigned up up(s)
# NAT and OSPF
[AR5]display current-configuration
#
acl number 2000
rule 5 permit
#
interface GigabitEthernet0/0/0
ip address 192.168.3.1 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/1
ip address 10.0.23.5 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/2
ip address 172.26.1.5 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface NULL0
#
ospf 1
default-route-advertise
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.23.2
#
AR3:
[AR3]display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.23.3/24 up up
GigabitEthernet0/0/1 unassigned up up
GigabitEthernet0/0/2 172.26.1.3/24 up up
NULL0 unassigned up up(s)
# configure OSPF
[AR3]display current-configuration
#
interface GigabitEthernet0/0/0
ip address 10.0.23.3 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 172.26.1.3 255.255.255.0
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.23.2
#
Splitting IPsec traffic off on the NAT gateway
AR5:
[AR5]display current-configuration
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
traffic classifier 1.0 operator or
if-match acl 3000
#
traffic behavior ipsec
redirect ip-nexthop 172.26.1.3
#
traffic policy ipsec
classifier 1.0 behavior ipsec
#
interface GigabitEthernet0/0/0
ip address 192.168.3.1 255.255.255.0
traffic-policy ipsec inbound
ospf enable 1 area 0.0.0.0
Configure IPsec VPN
AR3:
# define the IKE proposal
[AR3]ike proposal 1
[AR3-ike-proposal-1]encryption-algorithm aes-cbc-256
[AR3-ike-proposal-1]authentication-algorithm sha1
[AR3-ike-proposal-1]authentication-method pre-share
[AR3-ike-proposal-1]dh group14
[AR3-ike-proposal-1]sa duration 1400
# define the IKE peer
[AR3]ike peer 1 v2
[AR3-ike-peer-1]remote-address 10.0.24.4
[AR3-ike-peer-1]pre-shared-key simple 123456789
[AR3-ike-peer-1]ike-proposal 1
# define the IPsec interesting traffic
[AR3]acl 3000
[AR3-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
# define the IPsec proposal
[AR3]ipsec proposal 1
[AR3-ipsec-proposal-1]encapsulation-mode tunnel
[AR3-ipsec-proposal-1]esp encryption-algorithm aes-256
[AR3-ipsec-proposal-1]esp authentication-algorithm sha1
# configure the IPsec policy
[AR3]ipsec policy 1 1 isakmp
[AR3-ipsec-policy-isakmp-1-1]security acl 3000
[AR3-ipsec-policy-isakmp-1-1]proposal 1
[AR3-ipsec-policy-isakmp-1-1]ike-peer 1
# apply it on the outbound interface
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ipsec policy 1
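The traffic split on AR1 and the interesting-traffic ACLs on AR4 and AR3, modelled as an added Python example (not part of the original lab and not Huawei VRP code): it implements wildcard-mask ACL matching, AR1's forwarding decision with and without the inbound traffic policy, and a check that AR3's ACL 3000 is the mirror image of AR4's. The function names and the sample packets are constructed; the addresses are the ones used in the lab.

```python
"""Model of how AR1 separates IPsec traffic from NAT traffic (added example)."""
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL semantics: a 0 bit in the wildcard must match exactly."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

# ACL 3000 on AR1/AR4: rule 5 permit ip source 192.168.1.0 0.0.0.255
#                      destination 192.168.2.0 0.0.0.255
ACL_3000_AR4 = ("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")
# ACL 3000 on AR3 (branch side), as configured in the lab
ACL_3000_AR3 = ("192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")

def acl_permits(acl: tuple, src: str, dst: str) -> bool:
    s, sw, d, dw = acl
    return wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)

def ar1_forward(src: str, dst: str, policy_applied: bool = True) -> dict:
    """How AR1 handles a packet arriving on g0/0/0 from the headquarters LAN."""
    if policy_applied and acl_permits(ACL_3000_AR4, src, dst):
        # traffic policy 'ipsec' inbound: redirect ip-nexthop 172.17.26.4,
        # so the packet leaves via g0/0/2 with its private source intact
        return {"next_hop": "172.17.26.4", "egress": "g0/0/2",
                "src_after": src, "nat": False}
    # otherwise the default route 0.0.0.0/0 -> 10.0.12.2 applies; ACL 2000
    # ('rule 5 permit') matches everything, so nat outbound 2000 rewrites
    # the source to AR1's g0/0/1 address 10.0.12.1
    return {"next_hop": "10.0.12.2", "egress": "g0/0/1",
            "src_after": "10.0.12.1", "nat": True}

def mirror_image(acl_a: tuple, acl_b: tuple) -> bool:
    """True when acl_b is acl_a with source and destination swapped,
    which is what the two IPsec peers need for the SA to match."""
    return (acl_a[0], acl_a[1]) == (acl_b[2], acl_b[3]) and \
           (acl_a[2], acl_a[3]) == (acl_b[0], acl_b[1])

if __name__ == "__main__":
    # constructed packets from PC1 (192.168.1.10): one to the branch LAN,
    # one to a public address (203.0.113.7 is documentation space)
    for dst in ("192.168.2.10", "203.0.113.7"):
        print(dst, ar1_forward("192.168.1.10", dst))
    print("without the traffic policy:",
          ar1_forward("192.168.1.10", "192.168.2.10", policy_applied=False))
    print("AR3 ACL mirrors AR4 ACL:", mirror_image(ACL_3000_AR4, ACL_3000_AR3))
```

Running it shows that without the inbound traffic policy the site-to-site packet would be NATed to 10.0.12.1 and sent to the ISP instead of the IPsec gateway, which is exactly the conflict the one-armed design avoids.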
Verification:
PC2:
Headquarters PC2 reaches branch PC1
PC1:
Branch PC1 reaches headquarters PC2
Branch reaches the headquarters server:
Packet capture: