IPSEC DMVPN Lab Configuration
SPOKE1, SPOKE2 and VPN-gateway are the border routers of network C, and each loopback0 interface simulates a PC inside the enterprise. The IGP running in network C is OSPF, and CE2 is the OSPF DR. To prevent the OSPF neighbor relationships from getting out of sync, and the OSPF databases with them, the ospf priority on the tunnel 0 interfaces of CE1 and CE2 is set to 0. The OSPF network type on each branch's tunnel 0 interface is set to broadcast (the default OSPF network type is point-to-multipoint), so that a branch router can install the appropriate branch as the next hop in its route to a destination prefix; traffic between branches can then be sent and received directly, without being relayed through the VPN gateway, and spoke-to-spoke IPsec VPN connections are built dynamically. If network C ran a distance-vector routing protocol, split horizon would have to be disabled so that the hub router could re-advertise routing updates out of the mGRE interface on which it received them. A link-state routing protocol determines the correct next hop automatically (with network type broadcast). VPN-gateway is the NHRP NHS.
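As an added check (not part of the original lab), the following Python script verifies the DMVPN invariants described above, namely that the spoke's NHS and NHRP map point at the hub's tunnel address and tunnel-source address, that network-id and tunnel key match, that both tunnel interfaces use OSPF network type broadcast, and that the spoke has priority 0 while the hub does not, against trimmed Tunnel0 stanzas copied from the SPOKE1 and VPN-gateway configs in this write-up; the rule names are my own labels.

```python
import re
# Trimmed stanzas copied from the lab configs in this write-up (hub = VPN-gateway, spoke = SPOKE1).
HUB = """interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp network-id 1
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source FastEthernet0/0
 tunnel key 0
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
"""
SPOKE = """interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp map 192.168.1.2 172.16.2.2
 ip nhrp map multicast 172.16.2.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.2
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Serial1/1
 tunnel key 0
!
interface Serial1/1
 ip address 172.16.1.1 255.255.255.0
"""

def stanzas(cfg):  # map each 'interface X' block to its list of stripped sub-commands
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M)}

def setting(lines, prefix):  # words after `prefix` on the first matching line, else None
    return next((l[len(prefix):].split() for l in lines if l.startswith(prefix)), None)

def check_spoke(hub_cfg, spoke_cfg):
    """Names of the DMVPN invariants (rule labels are mine) that this hub/spoke pair violates."""
    hub, spk = stanzas(hub_cfg), stanzas(spoke_cfg)
    ht, st = hub["Tunnel0"], spk["Tunnel0"]
    hub_tun_ip = setting(ht, "ip address ")[0]
    hub_nbma = setting(hub[setting(ht, "tunnel source ")[0]], "ip address ")[0]  # hub's NBMA address
    rules = [
        ("nhs", setting(st, "ip nhrp nhs ") == [hub_tun_ip]),
        ("nhrp-map", setting(st, f"ip nhrp map {hub_tun_ip} ") == [hub_nbma]),
        ("multicast-map", setting(st, "ip nhrp map multicast ") == [hub_nbma]),
        ("network-id", setting(st, "ip nhrp network-id ") == setting(ht, "ip nhrp network-id ")),
        ("tunnel-key", setting(st, "tunnel key ") == setting(ht, "tunnel key ")),
        ("broadcast", setting(st, "ip ospf network ") == setting(ht, "ip ospf network ") == ["broadcast"]),
        ("spoke-priority-0", setting(st, "ip ospf priority ") == ["0"]),
        ("hub-priority", int((setting(ht, "ip ospf priority ") or ["1"])[0]) > 0),
    ]
    return [name for name, ok in rules if not ok]
```

The same parsing would also expose the lab's esp-des esp-md5-hmac transform set and the wildcard pre-shared key (address 0.0.0.0 0.0.0.0), which are lab-grade settings a production check should flag.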
SPOKE1 configuration
SPOKE1#sh run
Building configuration...
Current configuration : 1879 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile xinjialove
set transform-set xinjialove
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map 192.168.1.2 172.16.2.2
ip nhrp map multicast 172.16.2.2
ip nhrp network-id 1
ip nhrp nhs 192.168.1.2
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile xinjialove
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 172.16.1.1 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
SPOKE1#
SPOKE2 configuration
SPOKE2#sh run
Building configuration...
Current configuration : 1854 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile xinjialove
set transform-set xinjialove
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map 192.168.1.2 172.16.2.2
ip nhrp map multicast 172.16.2.2
ip nhrp network-id 1
ip nhrp nhs 192.168.1.2
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile xinjialove
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 172.16.3.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end
SPOKE2#
VPN-gateway configuration
VPN-gateway#sh run
Building configuration...
Current configuration : 1829 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-gateway
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile xinjialove
set transform-set xinjialove
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp nhs 192.168.1.2
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 100
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile xinjialove
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.0
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.2.1
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end
VPN-gateway#
Internet configuration
Internet#sh run
Building configuration...
Current configuration : 1099 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address 172.16.2.1 255.255.255.0
duplex half
!
interface Serial1/0
ip address 172.16.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 172.16.3.2 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
ip route 1.1.1.1 255.255.255.255 Serial1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
Internet#
Show output (only SPOKE2 and VPN-gateway are shown; SPOKE1 is much the same as SPOKE2 and is omitted)
VPN-gateway#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 0 FULL/DROTHER 00:00:37 192.168.1.1 Tunnel0
3.3.3.3 0 FULL/DROTHER 00:00:30 192.168.1.3 Tunnel0
VPN-gateway#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.2.2 172.16.3.1 QM_IDLE 1002 0 ACTIVE
172.16.2.2 172.16.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
VPN-gateway#sh cry ipse sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 308, #pkts encrypt: 308, #pkts digest: 308
#pkts decaps: 306, #pkts decrypt: 306, #pkts verify: 306
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.2.2, remote crypto endpt.: 172.16.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xACC377A1(2898491297)
inbound esp sas:
spi: 0xD41C8FC5(3558641605)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4474774/1345)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xACC377A1(2898491297)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4474774/1343)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.3.1/255.255.255.255/47/0)
current_peer 172.16.3.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 308, #pkts encrypt: 308, #pkts digest: 308
#pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.2.2, remote crypto endpt.: 172.16.3.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x10182812(270018578)
inbound esp sas:
spi: 0x34DC2EF2(886845170)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: 3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4562923/1345)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x10182812(270018578)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: 4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4562922/1344)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
VPN-gateway#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11112] via 192.168.1.1, 00:27:12, Tunnel0
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/11112] via 192.168.1.3, 00:27:12, Tunnel0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.2.0 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 172.16.2.1
VPN-gateway#
SPOKE2#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 100 FULL/DR 00:00:34 192.168.1.2 Tunnel0
SPOKE2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.3.1 172.16.1.1 QM_IDLE 1002 0 ACTIVE
172.16.2.2 172.16.3.1 QM_IDLE 1001 0 ACTIVE
172.16.1.1 172.16.3.1 QM_IDLE 1003 0 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE2#sh cry ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.3.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.3.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.3.1, remote crypto endpt.: 172.16.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x1469C8EF(342477039)
inbound esp sas:
spi: 0x5AA55914(1520785684)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 7, flow_id: 7, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4576485/1398)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1469C8EF(342477039)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 8, flow_id: 8, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4576485/1397)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.3.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
current_peer 172.16.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 309, #pkts encrypt: 309, #pkts digest: 309
#pkts decaps: 315, #pkts decrypt: 315, #pkts verify: 315
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 76, #recv errors 0
local crypto endpt.: 172.16.3.1, remote crypto endpt.: 172.16.2.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x34DC2EF2(886845170)
inbound esp sas:
spi: 0x10182812(270018578)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4448851/1278)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x34DC2EF2(886845170)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4448852/1277)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
SPOKE2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11112] via 192.168.1.1, 00:28:17, Tunnel0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11112] via 192.168.1.2, 00:28:17, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.3.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Tunnel0
S* 0.0.0.0/0 is directly connected, Serial1/0
SPOKE2#
DMVPN connectivity test
SPOKE1#ping 2.2.2.2 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/81/112 ms
SPOKE1#ping 3.3.3.3 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/56/72 ms