WOLF-LAB沃尔夫网络实验室中国网络精英的发源地!
24小时咨询热线:173-1636-2402

技术文档

Technical documentation

您当前位置: 首页 > 技术文档 > 详情

​思科CCIE培训课程笔记-IKEv2解决方案FlexVPN(2)

发布日期:2022-07-22 浏览次数:3246 来源:杨广成

思科CCIE培训课程笔记-IKEv2解决方案FlexVPN(2)

WOLFLAB官方微信:17316362402,联系客服获取免费学习资料,CCIE培训课程循环开班中。

FlexVPN当中,一种新的Server-Client模式,包括Remote-access , Hub-Spoke,将被用于统一DMVPN和EZVPN,好处是“公有”,X-AUTH变成了EAP,这样客户端无需再使用Cisco VPN Client,而是直接用Windows 7都可以支持。

image.png

一、底层配置

R1

int lo 0

ip add 192.168.1.1 255.255.255.0

int e0/0

ip add 202.100.1.10 255.255.255.0

no shut

 

R2

int lo 0

ip add 192.168.2.1 255.255.255.0

int e0/0

ip add 202.100.1.20 255.255.255.0

no shut

 

二、Hub端配置

R1

aaa new-model

aaa authentication login NOAU line none

line con 0

login authentication NOAU

line aux 0

login authentication NOAU

 

aaa authorization network remote local

 

ip local pool P 192.168.100.1 192.168.100.100

 

crypto ikev2 authorization policy HUB-P                                //类似EZVPN服务端的Group配置

pool P

route set interface   // 除了route set interface 还可以做route set access-list XXX

 

//解释:

(1)route set interface表示将本端virtual-template/tunnel接口的IP地址路由推给对端安装为静态路由(出接口为virtual-access或Tunnel,下一跳0.0.0.0)

意义在于,virtual-template接口通常会ip unnumbered借用一个本地接口地址,而当借用的是loopback地址时,对端必然无路由。

当在virtual-access/Tunnel接口运行一个单播的动态路由协议时,neighbor指对端地址,单播无路由,就无法建立路由协议邻居关系了。

 

(2)route set access-list XXX 搭配一个ACL,将ACL描述的路由推送给对端安装为静态路由(出接口为virtual-access或Tunnel,下一跳0.0.0.0), 注意只能是标准列表, 扩展列表不生效。

CCIE培训课程试听可联系WOLFLAB网站客服

crypto ikev2 keyring KEY

peer SPOKES

address 0.0.0.0 0.0.0.0

pre-shared-key cisco123

 

crypto ipsec transform-set TS esp-3des esp-sha-hmac

 

crypto ikev2 profile V2-P

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local KEY

aaa authorization group psk list remote HUB-P   //本地拿授权(remote定义了local),授权在HUB-P中

virtual-template 1         

 

crypto ipsec profile IPSEC-P

set transform-set TS

set ikev2-profile V2-P

 

int virtual-template 1 type tunnel

ip unnumbered lo 0                //绝不可以和加密点接口相同,否则对方可能会从物理口和tunnel口学到相同的路由(route set interface情况下)

tunnel source e0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-P

 

三、SPOKE端配置

R2

aaa new-model

aaa authentication login NOAU line none

 

line con 0

login authentication NOAU

line aux 0

login authentication NOAU

 

aaa authorization network remote local

crypto ikev2 authorization policy SPOKE-P

route set interface                 //推送自己tunnel口获取到的地址对应路由给server

 

crypto ikev2 keyring KEY

peer HUB

address 202.100.1.10

pre-shared-key cisco123

 

crypto ikev2 profile V2-P

match identity remote address 202.100.1.10 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local KEY

aaa authorization group override psk list remote SPOKE-P       //override参数表示组授权优先于用户授权,不打这个参数则是用户授权优于组授权。这里因为没有做用户授权,所以无所谓。

 

 

crypto ipsec transform-set TS esp-3des esp-sha-hmac

 

crypto ipsec profile IPSEC-P

set transform-set TS

set ikev2-profile V2-P

 

interface Tunnel0

ip address negotiated

tunnel source Ethernet0/0

tunnel mode ipsec ipv4

tunnel destination dynamic          //考虑到有双HUB或者backup server的情况下,便于用一套配置连多个HUB(server)

tunnel protection ipsec profile IPSEC-P

 

crypto ikev2 client flexvpn FLEX

peer 1 202.100.1.10

connect manual

client connect Tunnel0

 

 

测试:

cryp ikev2 client flexvpn connect FLEX      //手动拨号

 

R2  ping 192.168.1.1 sour 192.168.2.1  不通, 因为R2没有给R1推送 192.168.2.0的路由

 

ip access-list standard ACL

permit 192.168.2.0 0.0.0.255

 

crypto ikev2 authorization policy SPOKE-P

route set access-list ACL

 

断线重拨

R1 show ip route 可以看到192.168.2.0/24的路由了 , ping可以通。

 

 

CCIE培训课程实验二:再加入一台R3,做第二台Spoke

 

R3

int lo 0

ip add 192.168.3.1 255.255.255.0

int e0/0

ip add 202.100.1.30 255.255.255.0

no shutdown

aaa new-model

aaa authentication login NOAU line none

 

line con 0

login authentication NOAU

line aux 0

login authentication NOAU

 

aaa authorization network remote local

 

ip access-list standard ACL

permit 192.168.3.0 0.0.0.255

 

crypto ikev2 authorization policy SPOKE-P

route set interface

route set access-list ACL

 

crypto ikev2 keyring KEY

peer HUB

address 202.100.1.10

pre-shared-key cisco123

 

crypto ikev2 profile V2-P

match identity remote address 202.100.1.10 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local KEY

aaa authorization group override psk list remote SPOKE-P

 

 

crypto ipsec transform-set TS esp-3des esp-sha-hmac

 

crypto ipsec profile IPSEC-P

set transform-set TS

set ikev2-profile V2-P

 

interface Tunnel0

ip address negotiated

tunnel source Ethernet0/0

tunnel mode ipsec ipv4

tunnel destination dynamic

        tunnel protection ipsec profile IPSEC-P

 

crypto ikev2 client flexvpn FLEX

peer 1 202.100.1.10

connect manual

client connect Tunnel0

 

测试

cryp ikev2 client flexvpn connect FLEX      //手动拨号

会看到R1多产生了一个Virtual-Access接口

R1 show ip route

S     192.168.2.0/24 [2/0] via 0.0.0.0, Virtual-Access1

S     192.168.3.0/24 [2/0] via 0.0.0.0, Virtual-Access2

 

 

问题是:

光靠route set注入的静态路由, R2和R3两个SPOKE之间是无法互访的(SPOKE没有SPOKE的路由)

R3 show ip route

      192.168.1.0/32 is subnetted, 1 subnets

S        192.168.1.1 [2/0] via 0.0.0.0, Tunnel0

      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.3.0/24 is directly connected, Loopback0

L        192.168.3.1/32 is directly connected, Loopback0

      192.168.100.0/32 is subnetted, 1 subnets

C        192.168.100.5 is directly connected, Tunnel0

      202.100.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        202.100.1.0/24 is directly connected, Ethernet0/0

L        202.100.1.30/32 is directly connected, Ethernet0/0

 

因此可以运行动态路由协议:

R1

int lo 0

ip ospf 1 area 0

int virtual-template 1

ip ospf 1 area 0

 

R2

int lo 0

ip ospf 1 area 0

int tunnel 0

ip ospf 1 area 0

 

R3

int lo 0

ip ospf 1 area 0

int tunnel 0

ip ospf 1 area 0

 

R1#sh ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface

192.168.2.1       0   FULL/  -        00:00:33    192.168.100.3   Virtual-Access1

192.168.3.1       0   FULL/  -        00:00:31    192.168.100.5   Virtual-Access2

 

R2#show ip route

      192.168.1.0/32 is subnetted, 1 subnets

S        192.168.1.1 [2/0] via 0.0.0.0, Tunnel0

      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.2.0/24 is directly connected, Loopback0

L        192.168.2.1/32 is directly connected, Loopback0

      192.168.3.0/32 is subnetted, 1 subnets

O        192.168.3.1 [110/1002] via 192.168.1.1, 00:08:44, Tunnel0

      192.168.100.0/32 is subnetted, 2 subnets

C        192.168.100.3 is directly connected, Tunnel0

O        192.168.100.5 [110/2001] via 192.168.1.1, 00:08:44, Tunnel0

      202.100.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        202.100.1.0/24 is directly connected, Ethernet0/0

L        202.100.1.20/32 is directly connected, Ethernet0/0

 

 

R2#ping 192.168.3.1 source 192.168.2.1

!!!!!             能通,但是是通过R1周转的。  如果希望R2能够直接向R3建立隧道,流量直达怎么做?

——问题关键在于:

(1)要设法让SPOKE知道想要访问的其他SPOKE公网IP

(2)要让SPOKE可以有动态发起Tunnel到其他SPOKE的能力

 

CCIE培训课程实验三: SPOKE--TO---SPOKE

image.png

在之前的实验基础上:

(1)Spoke端身份认证key的适用范围需要扩大为 0.0.0.0

(2)tunnel模式不能使用VTI,只能是GRE

(3)NHRP

 

 

(1)Spoke端身份认证key的适用范围需要扩大为 0.0.0.0

 

R2/R3

crypto ikev2 keyring KEY

peer SPOKES

address 0.0.0.0 0.0.0.0

pre-shared-key cisco123

crypto ikev2 profile V2-P

match identity remote address 0.0.0.0

 

(2)tunnel模式不能使用VTI,只能是GRE; Spoke端tunnel需明确指向Hub端

R1

int virtual-template 1

tunnel mode gre ip       //改回默认模式 ,也可以打no tunnel mode恢复默认的GRE模式

 

R2/R3

crypto ikev2 client flexvpn FLEX

no client connect Tunnel0       //必须摘掉这个调用,否则改不了tunnel模式

 

//其实已经不需要crypto ikev2 client flexvpn FLEX,因为tunnel改模式后,tunnel destination地址是明确的,不需要参考client配置中的peer地址建立了。所以直接删除后,tunnel口的路由协议流量,nhrp流量,都会触发VPN的拨号。

 

int tunnel 0

tunnel mode gre ip

no tunnel destination dynamic

tunnel destination 202.100.1.10

 

 

(3)开启NHRP

R1

int virtual-template1

ip nhrp network-id 123

ip nhrp redirect

 

R2/R3

int tunnel 0

ip nhrp network-id 123

ip nhrp shortcut virtual-template 1

 

int virtual-template 1 type tunnel

ip unnumbered tunnel 0

ip nhrp network-id 123

ip nhrp shortcut

ip ospf 1 area 0

tunnel source e0/0

tunnel protection ipsec profile IPSEC-P

 

 

测试:

R2#sh cry sess                //一开始R2只有一个VPN会话

Crypto session current status

 

Interface: Tunnel0

Session status: UP-ACTIVE    

Peer: 202.100.1.10 port 500

  IKEv2 SA: local 202.100.1.20/500 remote 202.100.1.10/500 Active

  IPSEC FLOW: permit 47 host 202.100.1.20 host 202.100.1.10

        Active SAs: 2, origin: crypto map

 

R2#ping 192.168.3.1 sour 192.168.2.1 repeat 10

Type escape sequence to abort.

Sending 10, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

.!!!!!!!!!

Success rate is 90 percent (9/10), round-trip min/avg/max = 6/14/34 ms

 

*Aug  9 10:39:52.182: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up                        //动态创建了去往R3的接口

 

R2#sh cry sess                                //R2有两个VPN会话了

Crypto session current status

 

Interface: Tunnel0

Session status: UP-ACTIVE    

Peer: 202.100.1.10 port 500

  IKEv2 SA: local 202.100.1.20/500 remote 202.100.1.10/500 Active

  IPSEC FLOW: permit 47 host 202.100.1.20 host 202.100.1.10

        Active SAs: 2, origin: crypto map

 

Interface: Virtual-Access1

Session status: UP-ACTIVE    

Peer: 202.100.1.30 port 500

  IKEv2 SA: local 202.100.1.20/500 remote 202.100.1.30/500 Active

  IPSEC FLOW: permit 47 host 202.100.1.20 host 202.100.1.30

        Active SAs: 2, origin: crypto map

 

 

R2#sh ip route

H        192.168.3.0/24 [250/1] via 192.168.100.2, 00:00:16

 

 

R2#sh ip nhrp

192.168.3.0/24 via 192.168.100.2

   Tunnel0 created 00:00:48, expire 01:59:29

   Type: dynamic, Flags: router rib

   NBMA address: 202.100.1.30


免费资料领取.gif

CCIE培训课程试听联系WOLFLAB网站客服,安排免费试听。

返回目录
在线咨询