Схема:
Задача: Настроить GRE over IPSec туннель между ESR и Huawei. Также необходимо настроить протокол динамической маршрутизации BGP между туннельными адресами для анонсирования локальных подсетей.
1. Конфигурации устройств
Пример конфигурации ESR:
ESR# show running-config
hostname ESR
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.1
neighbor 198.51.100.2
remote-as 65000
address-family ipv4 unicast
enable
exit
enable
exit
address-family ipv4 unicast
network 192.0.2.0/26
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 192.0.2.1/26
exit
tunnel gre 1
ttl 255
mtu 1400
ip firewall disable
local address 203.0.113.2
remote address 203.0.113.6
ip address 198.51.100.1/30
enable
exit
security ike proposal ike_proposal
authentication algorithm sha1
encryption algorithm aes128
dh-group 2
exit
security ike policy ike_policy
pre-shared-key ascii-text Password_123
proposal ike_proposal
exit
security ike gateway ike_gateway
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote address 203.0.113.6
remote network 203.0.113.6/32 protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha1
encryption algorithm aes128
protocol esp
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_vpn
mode ike
type transport
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit
ip route 203.0.113.4/30 203.0.113.1
Пример конфигурации Huawei:
[Huawei]display current-configuration
...
#
ipsec proposal 1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
#
...
ike proposal 1
encryption-algorithm aes-128
dh group2
authentication-algorithm sha1
sa duration 10800
authentication-method pre-share
integrity-algorithm hmac-sha1-96
prf hmac-sha1
#
ike peer ike_peer
pre-shared-key simple Password_123
ike-proposal 1
local-address 203.0.113.6
remote-address authentication-address 203.0.113.2
ikev1 phase1-phase2 sa dependent#
ipsec profile ipsec_profile
ike-peer ike_peer
proposal 1
sa duration traffic-based 0
sa duration time-based 3600
#
...
#
interface GigabitEthernet0/0/0
ip address 203.0.113.6 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.0.2.129 255.255.255.192
#
interface Tunnel0/0/0
mtu 1400
tcp adjust-mss 1360
ip address 198.51.100.2 255.255.255.252
tunnel-protocol gre
source 203.0.113.6
destination 203.0.113.2
ipsec profile ipsec_profile
#
bgp 65000
router-id 198.51.100.2
peer 198.51.100.1 as-number 65000
#
ipv4-family unicast
undo synchronization
network 192.0.2.128 255.255.255.192
peer 198.51.100.1 enable
#
...
#
ip route-static 203.0.113.2 255.255.255.255 203.0.113.5
...
2. Оперативный вывод команд статуса IPsec-туннеля, BGP-сессии, полученной от BGP-соседа маршрутной информации, а также проверка IP-связанности с удаленными локальными подсетями.
Оперативный вывод команд с ESR:
ESR# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
Name: ipsec_vpn
State: Established
Version: v1-only
Unique ID: 2
Local host: 203.0.113.2
Remote host: 203.0.113.6
Role: Initiator
Initiator spi: 0xa7c8949a175d688c
Responder spi: 0x083da58456a8aeee
Encryption algorithm: aes128
Authentication algorithm: sha1
Diffie-Hellman group: 2
Established: 1 minute and 22 seconds ago
Rekey time: 1 minute and 22 seconds
Reauthentication time: 2 hours, 49 minutes and 8 seconds
Child IPsec SAs:
Name: ipsec_vpn-2
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes128
Authentication algorithm: sha1
Rekey time: 47 minutes and 11 seconds
Life time: 58 minutes and 38 seconds
Established: 1 minute and 22 seconds ago
Traffic statistics:
Input bytes: 994
Output bytes: 1127
Input packets: 13
Output packets: 16
-------------------------------------------------------------
ESR# show bgp neighbors
BGP neighbor is 198.51.100.2
BGP state: Established
Type: Static neighbor
Neighbor address: 198.51.100.2
Neighbor AS: 65000
Neighbor ID: 198.51.100.2
Neighbor caps: refresh AS4
Session: internal multihop AS4
Source address: 198.51.100.1
Weight: 0
Hold timer: 109/180
Keepalive timer: 15/60
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Uptime: 87 s
ESR# show ip route bgp
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 192.0.2.128/26 198.51.100.2 0 100 0 i
ESR# ping 192.0.2.129
PING 192.0.2.129 (192.0.2.129) 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.829/1.387/2.785/0.723 ms
Оперативный вывод команд с Huawei:
[Huawei]display ipsec sa
ipsec sa information:
===============================
Interface: Tunnel0/0/0
===============================
-----------------------------
IPSec profile name: "ipsec_profile"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 65
Encapsulation mode: Transport
Holding time : 0d 0h 2m 35s
Tunnel local : 203.0.113.6/500
Tunnel remote : 203.0.113.2/500
Flow source : 203.0.113.6/255.255.255.255 47/0-65535
Flow destination : 203.0.113.2/255.255.255.255 47/0-65535
[Outbound ESP SAs]
SPI: 3315963714 (0xc5a59742)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining soft duration (kilobytes/sec): 0/685
SA remaining hard duration (kilobytes/sec): 0/1045
Outpacket count : 20
Outpacket encap count : 20
Outpacket drop count : 0
Max sent sequence-number: 20
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 5425586 (0x52c9b2)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining soft duration (kilobytes/sec): 0/685
SA remaining hard duration (kilobytes/sec): 0/1045
Inpacket count : 22
Inpacket decap count : 22
Inpacket drop count : 0
Max received sequence-number: 23
UDP encapsulation used for NAT traversal: N
Anti-replay : Enable
Anti-replay window size: 1024
[Huawei]display bgp peer
Status codes: * - Dynamic
BGP local router ID : 198.51.100.2
Local AS number : 65000
Total number of peers : 1 Peers in established state : 1
Total number of dynamic peers : 0
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
198.51.100.1 4 65000 7 7 0 00:03:10 Established 1
[Huawei]display bgp routing-table
BGP Local router ID is 198.51.100.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.0.2.0/26 198.51.100.1 100 0 i
*> 192.0.2.128/26 0.0.0.0 0 0 i
[Huawei]ping 192.0.2.1
PING 192.0.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.0.2.1: bytes=56 Sequence=1 ttl=64 time=1 ms
Reply from 192.0.2.1: bytes=56 Sequence=2 ttl=64 time=1 ms
Reply from 192.0.2.1: bytes=56 Sequence=3 ttl=64 time=1 ms
Reply from 192.0.2.1: bytes=56 Sequence=4 ttl=64 time=1 ms
Reply from 192.0.2.1: bytes=56 Sequence=5 ttl=64 time=1 ms
--- 192.0.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms