需求分析:
由于IPSec不支持对多播和广播数据包的加密,这样的话,使用IPSec的隧道中,动态路由协议等依靠多播和广播的协议就不能进行正常通告,所以,这时候要配合GRE隧道,GRE隧道会将多播和广播数据包封装到单播包中,再经过IPSec加密。
此外由于GRE建立的是简单的,不进行加密的×××隧道,他通过在物理链路中使用ip地址和路由穿越普通网络。所以很常见的方法就是使用IPSec对GRE进行加密,提供数据安全保证
实验需求:
总部和分部都能通过各自的边界设备访问公网,实现总部和分部间的安全通信,之间运行动态路由协议。了解GRE OVER IPSEC与IPSEC OVER GRE的区别;了解IPSEC的传输与隧道模式的区别;如果分部需通过总部访问公网怎么实现?
基本配置略,看上图!
IPSEC OVER GRE
RT1:
crypto isakmp policy 10
encr 3des
hash md5 //配置 阶段一的策略
authentication pre-share
group 2
crypto isakmp key cisco address 3.3.3.3 //使用对方的LOOPBCAK为对等体
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport //使用传输模式,因为这里是IPSEC OVER GER,IPSEC只需用来机密性,用GRE来实现连通性,可以节省开销
!
crypto map cisco local-address Loopback0 //使用LOOPBCA作为IKE的源
crypto map cisco 10 ipsec-isakmp //把参数都绑定到加密图中
set peer 3.3.3.3
set transform-set cisco
match address 101 //匹配感兴趣流量,必须与对方的流量一致
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0 //使用GRE,建立tunnel 0
ip address 192.168.0.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 172.1.3.2
crypto map cisco //将加密图应用到tunnel口
!
router ospf 1
passive-interface default
no passive-interface Tunnel0 //将不需要形成OSPF邻居的接口配置成被动接口,tunnel 0上需形成邻居
network 1.1.1.1 0.0.0.0 area 0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0 //发布私网路由,不能发布公网路由
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2 //缺省路由,去往外部的路由
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.44.0 0.0.0.255
//IPSEC保护的感兴趣流量
PIX:
access-list icmp extended permit icmp any any
access-list icmp extended permit esp any any //放通ICMP与IPSEC数据,实际工程中不能放通ICMP
interface Ethernet0
nameif outside
security-level 0 //定义防火墙的outside区域
ip address 172.1.1.2 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100 //定义防火墙的inside区域
ip address 192.168.1.2 255.255.255.252
!
global (outside) 1 interface //PAT
nat (inside) 1 192.168.0.0 255.255.0.0 //定义需做NAT的流量
static (inside,outside) 172.1.1.3 192.168.1.1 netmask 255.255.255.255 //静态映射IP,用来作IPSCE
access-group icmp in interface outside //将策略绑定到outside
route outside 0.0.0.0 0.0.0.0 172.1.1.2 1
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1 //添加静态路由
RT3:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set cisco
match address 101
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 172.1.1.3
crypto map cisco
router ospf 1
passive-interface default
no passive-interface Tunnel0
network 3.3.3.3 0.0.0.0 area 0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.44.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.1.3.1
access-list 101 permit ip 192.168.44.0 0.0.0.255 192.168.20.0 0.0.0.255 //必须与前面的流量一致
access-list 110 deny ip 192.168.44.0 0.0.0.255 192.168.20.0 0.0.0.255
ip nat inside source list 110 int e0/0 overload
int e0/0
ip nat outside
int e1/0 //对上公网的流量做PAT
ip nat inside
测试:
RT3# show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Tunnel0 192.168.0.2 set HMAC_MD5+3DES_56_C 0 0
2001 Tunnel0 3.3.3.3 set 3DES+MD5 0 4
2002 Tunnel0 3.3.3.3 set 3DES+MD5 4 0
IPSEC ×××的双向IKE SA与两条单向的IPSEC SA
RT3#ping 192.168.20.1 source 192.168.44.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.44.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/88/152 ms
Router#ping 192.168.20.1 source 192.168.44.1
OSPF的报文是没被加密的
GRE OVER IPSEC
RT1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 172.1.3.2
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac //使用tunnel模式,因为这里用IPSEC来解决私网的连通用性,必须使用隧道模式
!
crypto map cisco 10 ipsec-isakmp
set peer 172.1.3.2
set transform-set cisco
match address 101
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 172.1.3.2
!
router ospf 1
passive-interface default
no passive-interface Tunnel0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
access-list 101 permit ip host 192.168.1.1 host 172.1.3.2 //这里区配的是加了GRE头部的源和目标IP
!
int e0/0
crypto map cisco
RT3:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 172.1.1.3 //使用对方的公网IP
crypto ipsec transform-set cisco esp-3des esp-md5-hmac / /使用tunnel模式
!
crypto map cisco 10 ipsec-isakmp
set peer 172.1.1.3
set transform-set cisco
match address 101
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 192.168.1.1 //注意这里写的是私网
!
access-list 101 permit ip host 172.1.3.2 host 192.168.1.1 //这里区配的是加了GRE头部的源和目标IP
!
router ospf 1
passive-interface default
no passive-interface Tunnel0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.44.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.1.3.1
!
int e0/0
crypto map cisco
!
access-list 110 deny ip 192.168.44.0 0.0.0.255 192.168.20.0 0.0.0.255
ip nat inside source list 110 int e0/0 overload
int e0/0
ip nat outside
int e1/0 //对上公网的流量做PAT
ip nat inside
PIX:
access-list icmp extended permit icmp any any
access-list icmp extended permit esp any any //放通ICMP与IPSEC数据,实际工程中不能放通ICMP
interface Ethernet0
nameif outside
security-level 0 //定义防火墙的outside区域
ip address 172.1.1.2 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100 //定义防火墙的inside区域
ip address 192.168.1.2 255.255.255.252
!
global (outside) 1 interface //PAT
nat (inside) 1 192.168.0.0 255.255.0.0 / /定义需做NAT的流量
static (inside,outside) 172.1.1.3 192.168.1.1 netmask 255.255.255.255 //静态映射IP,用来作IPSCE
access-group icmp in interface outside //将策略绑定到outside
route outside 0.0.0.0 0.0.0.0 172.1.1.2 1
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1 //添加静态路由
所有报文都被ESP加密的
分部需通过总部才能上公网
在RT3上去掉指向公网的缺省路由,由总部通过OSPF下发缺省路由。在RT3上写一条172.1.1.3/32的细化路由,以便IKE能够协商成功。RT3上不做NAT,只需总部防火墙上做PAT。修改总部和分部的IPSEC感兴趣流。
配置如下:
RT1:
router ospf 1
default-information originate
no access-list 101
access-list 101 permit ip any 192.168.44.0 0.0.0.255
RT3:
no ip route 0.0.0.0 0.0.0.0 172.1.3.1
ip route 172.1.1.3 255.255.255.255 172.1.3.1
no access-list 101
access-list 101 permit ip 192.168.44.0 0.0.0.255 any
清除RT3上的PAT,其它配置同上。
测试:
RT3:
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11112] via 192.168.0.1, 01:12:55, Tunnel0
C 192.168.44.0/24 is directly connected, Ethernet1/0
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
172.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.1.3.0/24 is directly connected, Ethernet0/0
S 172.1.1.3/32 [1/0] via 172.1.3.1
O 192.168.20.0/24 [110/11121] via 192.168.0.1, 01:12:55, Tunnel0
C 192.168.0.0/24 is directly connected, Tunnel0
O*E2 0.0.0.0/0 [110/1] via 192.168.0.1, 01:12:55, Tunnel0
Router#ping 172.1.1.1 source 192.168.44.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.44.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/78/156 ms
Router#traceroute 172.1.1.1 source 192.168.44.1
Type escape sequence to abort.
Tracing the route to 172.1.1.1
1 192.168.0.1 128 msec 24 msec 64 msec
2 172.1.1.1 104 msec * 144 msec
从上面测试结果可以看出,分部是通过总部访问INTERNET的。
总结:IPSEC OVER GRE 是用IPSEC来完成业务数据的机密性,由GRE来承载动态路由协议及私网的连通性;GRE OVER IPSEC是用由GRE来承载动态路由协议,由IPSEC来完成数据机密性及私网连通性。当私网连通性解决了,可以用IPSEC的传输模式来实现机密性;若私网连通性没解决,则必须使用隧道模式;有防火墙时需放通 ×××的流量;穿越NAT时,需要静态映射NAT-T的端口号4500或10000;写IPSEC的感兴趣流量时,两端需一致,否则会协商不成功。
最近参加51CTO博客大赛,请大家多多支持凡人啊!请为我投上一票吧!