
Diagram:

Task:

Configure NHRP tunnels between the ESR-Spoke router and the Cisco-HUB and Cisco-Spoke routers. OSPF is to be used as the dynamic routing protocol.


Cisco-HUB:

1) Configuration:

interface Tunnel1
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1472
 ip nhrp authentication <password>
 ip nhrp map multicast dynamic
 ip nhrp network-id 60
 ip nhrp holdtime 360
 ip nhrp registration no-unique
 ip nhrp registration timeout 60
 ip tcp adjust-mss 1432
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 60
!
interface Ethernet0/0
 ip address 192.0.2.2 255.255.255.0
!
router ospf 1
 router-id 10.10.10.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 network 10.10.10.1 0.0.0.0 area 0
!
ip route 192.0.4.0 255.255.255.0 192.0.2.1
ip route 192.168.32.0 255.255.240.0 192.0.2.1

2) OSPF and NHRP protocol state:

Router#show ip nhrp
10.10.10.2/32 via 10.10.10.2
   Tunnel1 created 01:18:10, expire 00:05:14
   Type: dynamic, Flags: registered
   NBMA address: 192.0.4.2
10.10.10.3/32 via 10.10.10.3
   Tunnel1 created 01:04:52, expire 00:05:44
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.39.216

Router#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   FULL/DROTHER    00:00:34    10.10.10.2      Tunnel1
10.10.10.3      128   FULL/DR         00:00:31    10.10.10.3      Tunnel1


ESR-Spoke:

1) Configuration

esr# show running-config
router ospf log-adjacency-changes
router ospf 1
  router-id 10.10.10.3
  area 0.0.0.0
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 192.168.39.216/20
exit

tunnel gre 1
  key 60
  ttl 30
  mtu 1472
  multipoint
  ip firewall disable
  local interface gigabitethernet 1/0/1
  ip address 10.10.10.3/24
  ip ospf instance 1
  ip ospf
  ip tcp adjust-mss 1432
  ip nhrp authentication <password>
  ip nhrp holding-time 360
  ip nhrp map 10.10.10.1 192.0.2.2
  ip nhrp nhs 10.10.10.1/24
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

ip route 192.0.2.0/24 192.168.39.1
ip route 192.0.4.0/24 192.168.39.1

2) OSPF and NHRP protocol state:

esr# show ip ospf neighbors
Router ID  Pri State    DTime Interface         Router IP
---------  --- -----    ----- ----------------- ---------
10.10.10.1 255 Full/BDR 00:36 gre 1             10.10.10.1

esr# show ip nhrp
Tunnel address   NBMA address     Interface Peer type       Expire    Created    Flags
---------------- ---------------- --------- --------------- --------- ---------- ---------
10.10.10.1       192.0.2.2        gre 1     static          --        --         register,
                                                                                 lower-up,
                                                                                 up

10.10.10.2       192.0.4.2        gre 1     cached           0:05:49  00:00:10   used,
                                                                                 lower-up,
                                                                                 up


Cisco-Spoke:

1) Configuration:

interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip mtu 1472
 ip nhrp authentication <password>
 ip nhrp map 10.10.10.1 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 60
 ip nhrp holdtime 360
 ip nhrp nhs 10.10.10.1
 ip nhrp registration no-unique
 ip nhrp registration timeout 60
 ip tcp adjust-mss 1432
 ip ospf network broadcast
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 60
!
interface Ethernet0/0
 ip address 192.0.4.2 255.255.255.0
!
router ospf 1
 router-id 10.10.10.2
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 network 10.10.10.2 0.0.0.0 area 0
!
ip route 192.0.2.0 255.255.255.0 192.0.4.1
ip route 192.168.32.0 255.255.240.0 192.0.4.1

2) OSPF and NHRP protocol state:

Router#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1      255   FULL/DR         00:00:31    10.10.10.1      Tunnel1

Router#show ip nhrp
10.10.10.1/32 via 10.10.10.1
   Tunnel1 created 01:36:26, never expire
   Type: static, Flags: used
   NBMA address: 192.0.2.2
10.10.10.2/32 via 10.10.10.2
   Tunnel1 created 00:01:00, expire 00:04:59
   Type: dynamic, Flags: router unique local
   NBMA address: 192.0.4.2
    (no-socket)
10.10.10.3/32 via 10.10.10.3
   Tunnel1 created 00:01:00, expire 00:04:59
   Type: dynamic, Flags: router
   NBMA address: 192.168.39.216
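In this first variant the GRE tunnels are not encrypted, and the hub accepts a dynamic NHRP registration from any peer that presents the shared authentication string, so an operator will want to compare the hub's NHRP cache and OSPF neighbor table against the spokes that were actually deployed. Note also that in a DMVPN the hub should be the only DR (spokes are normally given `ip ospf priority 0`), whereas the hub output above shows the ESR spoke (priority 128) elected DR with the hub as BDR. The Python script below is an added example, not part of the original page or of Cisco/Eltex tooling: it parses the Cisco `show ip nhrp` and `show ip ospf neighbor` formats shown above (sample text constructed from the page, plus one fabricated entry 10.10.10.9 / 203.0.113.7 so the check has something to flag) and reports registrations from unexpected NBMA addresses and spokes holding DR or BDR.

```python
import re

# Constructed sample: the hub's "show ip nhrp" from the section above plus one
# fabricated entry (10.10.10.9 / 203.0.113.7) so the check has something to flag.
HUB_SHOW_IP_NHRP = """\
10.10.10.2/32 via 10.10.10.2
   Tunnel1 created 01:18:10, expire 00:05:14
   Type: dynamic, Flags: registered
   NBMA address: 192.0.4.2
10.10.10.3/32 via 10.10.10.3
   Tunnel1 created 01:04:52, expire 00:05:44
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.39.216
10.10.10.9/32 via 10.10.10.9
   Tunnel1 created 00:00:12, expire 00:05:58
   Type: dynamic, Flags: registered
   NBMA address: 203.0.113.7
"""
# The hub's "show ip ospf neighbor" from the section above (constructed copy).
HUB_SHOW_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   FULL/DROTHER    00:00:34    10.10.10.2      Tunnel1
10.10.10.3      128   FULL/DR         00:00:31    10.10.10.3      Tunnel1
"""
# Public (NBMA) addresses of the spokes the operator actually deployed.
EXPECTED_NBMA = {"192.0.4.2", "192.168.39.216"}

# One NHRP cache entry spans four lines in the Cisco format.
NHRP_RECORD_RE = re.compile(
    r"^(?P<tunnel>\d+\.\d+\.\d+\.\d+)/32 via \S+\n"
    r"\s*(?P<iface>\S+) created (?P<created>\S+), (?:expire (?P<expire>\S+)|never expire)\n"
    r"\s*Type: (?P<type>\w+), Flags: (?P<flags>[^\n]*)\n"
    r"\s*NBMA address: (?P<nbma>\d+\.\d+\.\d+\.\d+)",
    re.MULTILINE,
)
OSPF_NEIGHBOR_RE = re.compile(r"^(\S+)\s+(\d+)\s+FULL/(\w+)\s+\S+\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_nhrp(text: str) -> dict:
    """Map tunnel address -> record (interface, type, flags list, NBMA address)."""
    entries = {}
    for m in NHRP_RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["flags"] = rec["flags"].split()
        entries[rec["tunnel"]] = rec
    return entries


def unexpected_registrations(entries: dict, expected_nbma: set) -> list:
    """Tunnel addresses registered dynamically from an NBMA address not on the list."""
    return sorted(t for t, e in entries.items()
                  if e["type"] == "dynamic" and e["nbma"] not in expected_nbma)


def spokes_holding_dr(show_ospf_neighbor: str) -> list:
    """Seen from the hub, a neighbor in DR or BDR state is a spoke that won the election."""
    return [m.group(1) for m in OSPF_NEIGHBOR_RE.finditer(show_ospf_neighbor)
            if m.group(3) in ("DR", "BDR")]
```

Run against the page's own outputs, `unexpected_registrations` is empty and `spokes_holding_dr` reports 10.10.10.3.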

DMVPN over IPSEC (Cisco-HUB, ESR-Spoke, Cisco-Spoke)

Task:

Set up encrypted NHRP tunnels between the ESR-Spoke router and the Cisco-HUB and Cisco-Spoke routers in transport mode. IPsec is used as the encryption mechanism and OSPF as the dynamic routing protocol. Loopback interfaces serve as the routers' local networks.

HUB(Cisco):

1) Configuration

crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN-TR esp-aes 192 esp-sha-hmac 
 mode transport
!         
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR 
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 10000
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1472
 ip nhrp authentication <password>
 ip nhrp map multicast dynamic
 ip nhrp network-id 60
 ip nhrp holdtime 360
 ip tcp adjust-mss 1432
 ip ospf network broadcast
 ip ospf cost 25
 ip ospf priority 255
 ip ospf mtu-ignore
 load-interval 30
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 60
 tunnel ttl 250
 tunnel protection ipsec profile DMVPN shared
 !
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 duplex auto
 speed auto
 !
router ospf 1
 router-id 10.10.10.1
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 network 1.1.1.1 0.0.0.0 area 0.0.0.0
 network 10.10.10.0 0.0.0.255 area 0.0.0.0
 distance 200
 !
ip route 192.0.4.2 255.255.255.255 192.0.2.1
ip route 192.168.39.216 255.255.255.255 192.0.2.1

2) Diagnostics

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.2       192.168.39.216  QM_IDLE           1002 ACTIVE
192.0.2.2       192.0.4.2       QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa 
interface: Tunnel0
    Crypto map tag: DMVPN-head-1, local addr 192.0.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.39.216/255.255.255.255/47/0)
   current_peer 192.168.39.216 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5623, #pkts encrypt: 5623, #pkts digest: 5623
    #pkts decaps: 5412, #pkts decrypt: 5412, #pkts verify: 5412
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.0.2.2, remote crypto endpt.: 192.168.39.216
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCD1A3CBE(3441048766)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1096A95(17394325)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:7, sibling_flags 80000046, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4518380/1494)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCD1A3CBE(3441048766)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:8, sibling_flags 80000046, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4518365/1494)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.0.4.2/255.255.255.255/47/0)
   current_peer 192.0.4.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 609, #pkts encrypt: 609, #pkts digest: 609
    #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Router#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        2   FULL/DROTHER    00:00:39    10.10.10.2      Tunnel0
10.238.70.250   128   FULL/BDR        00:00:30    10.10.10.3      Tunnel0
Router#sh ip route ospf 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O E2     2.2.2.2 [200/10000] via 10.10.10.3, 01:19:34, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [200/26] via 10.10.10.2, 00:52:46, Tunnel0

Spoke(ESR)

1) Configuration

router ospf log-adjacency-changes
router ospf 1
  router-id 10.10.10.3
  area 0.0.0.0
    network 2.2.2.2/32
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 192.168.39.216/20
exit
interface loopback 1
  ip address 2.2.2.2/32
exit

tunnel gre 1
  key 60
  ttl 250
  mtu 1472
  multipoint
  ip firewall disable
  local interface gigabitethernet 1/0/1
  ip address 10.10.10.3/24
  ip ospf instance 1
  ip ospf
  ip tcp adjust-mss 1432
  ip nhrp authentication <password>
  ip nhrp holding-time 360
  ip nhrp map 10.10.10.1 192.0.2.2
  ip nhrp nhs 10.10.10.1/24
  ip nhrp ipsec IPSECVPN_HUB static
  ip nhrp ipsec IPSECVPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP
  encryption algorithm aes192
  dh-group 2
exit

security ike policy IKEPOLICY
  pre-shared-key ascii-text <password>
  proposal IKEPROP
exit

security ike gateway IKEGW_HUB
  ike-policy IKEPOLICY
  local address 192.168.39.216
  local network 192.168.39.216/32 protocol gre 
  remote address 192.0.2.2
  remote network 192.0.2.2/32 protocol gre 
  mode policy-based
exit

security ike gateway IKEGW_SPOKE
  ike-policy IKEPOLICY
  local address 192.168.39.216
  local network 192.168.39.216/32 protocol gre 
  remote address any
  remote network any
  mode policy-based
exit

security ipsec proposal IPSECPROP
  encryption algorithm aes192
exit

security ipsec policy IPSECPOLICY
  proposal IPSECPROP
exit

security ipsec vpn IPSECVPN_HUB
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_HUB
  ike ipsec-policy IPSECPOLICY
  enable
exit

security ipsec vpn IPSECVPN_SPOKE
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_SPOKE
  ike ipsec-policy IPSECPOLICY
  enable
exit

security passwords history 0

ip route 192.0.2.2/32 192.168.39.1
ip route 192.0.4.2/32 192.168.39.1

2) Diagnostics

ESR# sh security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSECVPN_HUB                      192.168.39.216    192.0.2.2         0x121319af1595214c   0xa3d8bd202e50320b   Established   
IPSECVPN_SPOKE                    192.168.39.216    192.0.4.2         0x997a2d4ddc2a3cac   0x887bd45f6a25028e   Established   
ESR# sh security ipsec vpn status IPSECVPN_HUB 
Currently active IKE SA:
    Name:                      IPSECVPN_HUB
    State:                     Established
    Version:                   v1-only
    Unique ID:                 1
    Local host:                192.168.39.216
    Remote host:               192.0.2.2
    Role:                      Initiator
    Initiator spi:             0x121319af1595214c
    Responder spi:             0xa3d8bd202e50320b
    Encryption algorithm:      aes192
    Authentication algorithm:  sha1
    Diffie-Hellman group:      2
    Established:               1 hour, 27 minutes and 46 seconds ago
    Rekey time:                1 hour, 27 minutes and 46 seconds
    Reauthentication time:     1 hour, 15 minutes and 12 seconds
    Child IPsec SAs:
        Name:                      dmvpn_192.168.39.216_192.0.2.2-7
        State:                     Installed
        Protocol:                  esp
        Mode:                      Tunnel
        Encryption algorithm:      aes192
        Authentication algorithm:  sha1
        Rekey time:                2 minutes and 44 seconds
        Life time:                 14 minutes and 55 seconds
        Established:               45 minutes and 5 seconds ago
        Traffic statistics: 
            Input bytes:           45592
            Output bytes:          32192
            Input packets:         436
            Output packets:        319
        -------------------------------------------------------------
ESR# sh security ipsec vpn status IPSECVPN_SPOKE 
Currently active IKE SA:
    Name:                      IPSECVPN_SPOKE
    State:                     Connecting
    Version:                   v1-only
    Unique ID:                 13
    Local host:                192.168.39.216
    Remote host:               224.0.0.5
    Role:                      Initiator
    Initiator spi:             0x35ece26be25cec50
    Responder spi:             0x0000000000000000
Currently active IKE SA:
    Name:                      IPSECVPN_SPOKE
    State:                     Established
    Version:                   v1-only
    Unique ID:                 14
    Local host:                192.168.39.216
    Remote host:               192.0.4.2
    Role:                      Initiator
    Initiator spi:             0x997a2d4ddc2a3cac
    Responder spi:             0x887bd45f6a25028e
    Encryption algorithm:      aes192
    Authentication algorithm:  sha1
    Diffie-Hellman group:      2
    Established:               1 minute and 37 seconds ago
    Rekey time:                1 minute and 37 seconds
    Reauthentication time:     2 hours, 48 minutes and 34 seconds
    Child IPsec SAs:
        Name:                      dmvpn_192.168.39.216_192.0.4.2-9
        State:                     Installed
        Protocol:                  esp
        Mode:                      Tunnel
        Encryption algorithm:      aes192
        Authentication algorithm:  sha1
        Rekey time:                46 minutes and 1 second
        Life time:                 58 minutes and 23 seconds
        Established:               1 minute and 37 seconds ago
        Traffic statistics: 
            Input bytes:           1396
            Output bytes:          1344
            Input packets:         12
            Output packets:        12
        -------------------------------------------------------------
ESR# sh ip ospf neighbors 
Router ID        Pri  State          DTime  Interface          Router IP
---------        ---  -----          -----  -----------------  ---------
10.10.10.1       255  Full/DR        00:31  gre 1              10.10.10.1
ESR# sh ip route ospf 
O     * 1.1.1.1/32         [150/11]          via 10.10.10.1 on gre 1           [ospf1 13:58:42]  (10.10.10.1)
O       10.10.10.0/24      [150/10]          dev gre 1                         [ospf1 13:58:37]  (10.10.10.1)
O     * 3.3.3.3/32         [150/11]          via 10.10.10.2 on gre 1           [ospf1 14:25:24]  (10.10.10.2)

Spoke(Cisco)

1) Configuration

crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key password address 0.0.0.0        
!
!
crypto ipsec transform-set DMVPN-TR esp-aes 192 esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR 
!
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 bandwidth 10000
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip mtu 1472
 ip nhrp authentication <password>
 ip nhrp network-id 60
 ip nhrp holdtime 360
 ip nhrp nhs 10.10.10.1 nbma 192.0.2.2 multicast
 ip tcp adjust-mss 1432
 ip ospf network broadcast
 ip ospf priority 2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 60
 tunnel ttl 250
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.0.4.2 255.255.255.0
 duplex full
!
router ospf 1
 router-id 10.10.10.2
 auto-cost reference-bandwidth 10000
 network 3.3.3.3 0.0.0.0 area 0.0.0.0
 network 10.10.10.0 0.0.0.255 area 0.0.0.0
!
!
ip route 192.0.2.2 255.255.255.255 192.0.4.1
ip route 192.168.39.216 255.255.255.255 192.0.4.1

2) Diagnostics

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.4.2       192.168.39.216  QM_IDLE           1004 ACTIVE
192.0.2.2       192.0.4.2       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa 

interface: Tunnel0
    Crypto map tag: DMVPN-head-1, local addr 192.0.4.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.4.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.0.2.2/255.255.255.255/47/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 577, #pkts encrypt: 577, #pkts digest: 577
    #pkts decaps: 739, #pkts decrypt: 739, #pkts verify: 739
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.4.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.39.216/255.255.255.255/47/0)
   current_peer 192.168.39.216 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 992, #pkts encrypt: 992, #pkts digest: 992
    #pkts decaps: 988, #pkts decrypt: 988, #pkts verify: 988
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


Router#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1      255   FULL/DR         00:00:36    10.10.10.1      Tunnel0
Router#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/1001] via 10.10.10.1, 01:12:35, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
O E2     2.2.2.2 [110/10000] via 10.10.10.3, 01:12:35, Tunnel0
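Two details in the outputs above deserve a routine check. The task calls for transport mode, yet the Cisco SA shows `in use settings ={Tunnel, }` and the ESR shows `Mode: Tunnel`; and both Cisco routers bind the pre-shared key to address 0.0.0.0, i.e. the same key is accepted from any peer address, which pairs with the hub accepting dynamic NHRP registrations. The Python script below is an added example, not part of the page or of Cisco/Eltex tooling: it parses the Cisco `sh crypto ipsec sa` format shown above into per-peer records, compares the negotiated transform and mode with the intended policy, and lints ISAKMP key statements for wildcard addresses. The sample text is constructed from the page; the second peer's SA detail (spi 0x2A, transport mode) is made up so that one peer passes the check and one fails.

```python
import re

# Constructed sample modelled on the hub's "sh crypto ipsec sa" above: the first
# peer is copied from the page; the page truncates the second peer's SA detail,
# so those lines (spi 0x2A, transport mode) are made up in the same shape.
SHOW_CRYPTO_IPSEC_SA = """\
   remote ident (addr/mask/prot/port): (192.168.39.216/255.255.255.255/47/0)
   current_peer 192.168.39.216 port 500
    #pkts encaps: 5623, #pkts encrypt: 5623, #pkts digest: 5623
    #pkts decaps: 5412, #pkts decrypt: 5412, #pkts verify: 5412
     inbound esp sas:
      spi: 0x1096A95(17394325)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
   remote ident (addr/mask/prot/port): (192.0.4.2/255.255.255.255/47/0)
   current_peer 192.0.4.2 port 500
    #pkts encaps: 609, #pkts encrypt: 609, #pkts digest: 609
    #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453
     inbound esp sas:
      spi: 0x2A(42)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Transport, }
"""
# The ISAKMP key lines of the two Cisco routers above (constructed copy).
ISAKMP_CONFIG = """\
crypto isakmp key password address 0.0.0.0 0.0.0.0
crypto isakmp key password address 0.0.0.0
"""
# What the task intends: ESP with AES-192 and SHA-1 HMAC, transport mode.
EXPECTED = {"transform": "esp-192-aes esp-sha-hmac", "mode": "Transport"}

# Per-peer fields in the order Cisco prints them; the lazy ".*?" stays inside one
# peer block because every block has all four fields before the next current_peer.
PEER_RE = re.compile(
    r"current_peer (?P<peer>\d+\.\d+\.\d+\.\d+) port \d+.*?"
    r"#pkts encaps: (?P<encaps>\d+),.*?#pkts decaps: (?P<decaps>\d+),.*?"
    r"transform: (?P<transform>[^,\n]+?)\s*,.*?in use settings =\{(?P<mode>\w+),",
    re.DOTALL,
)
# A key bound to 0.0.0.0 (with or without the wildcard mask) is accepted from any peer.
WILDCARD_PSK_RE = re.compile(
    r"^crypto isakmp key \S+ address 0\.0\.0\.0(?:\s+0\.0\.0\.0)?[ \t]*$", re.MULTILINE)


def parse_ipsec_sa(text: str) -> dict:
    """Map remote peer -> negotiated transform, mode and encap/decap counters."""
    return {m["peer"]: {"encaps": int(m["encaps"]), "decaps": int(m["decaps"]),
                        "transform": m["transform"], "mode": m["mode"]}
            for m in PEER_RE.finditer(text)}


def policy_violations(sas: dict, expected: dict) -> dict:
    """Peer -> SA fields that differ from the intended policy (only peers that differ)."""
    diffs = {peer: [k for k in expected if sa[k] != expected[k]] for peer, sa in sas.items()}
    return {peer: bad for peer, bad in diffs.items() if bad}


def wildcard_psk_lines(config: str) -> list:
    """ISAKMP pre-shared-key statements that apply to any peer address."""
    return WILDCARD_PSK_RE.findall(config)
```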