Q: Why do we need GRE?
A: An IPsec VPN cannot encrypt Layer 2 or multicast traffic, and that limitation means no dynamic routing protocol can run across an IPsec VPN. To get around it we use GRE, which encapsulates multicast and Layer 2 protocols cleanly and so lets us run a dynamic routing protocol over the IPsec VPN. Note that this limitation was removed after 12.4: Cisco introduced the IPsec Profile technology in 12.4.
If the interesting traffic does not match, the VPN between the two peers cannot come up.
Packet processing
1. A packet from 1 to 4 arrives at the Router <original packet SIP:1.1.1.0 DIP:2.2.2.0>
2. Lookup: routing table. Result: sent to the Tunnel interface
3. Hits the crypto map on the Tunnel interface <matches the interesting traffic>
4. Encryption is triggered
<after encryption SIP:202.100.1.1 DIP:202.100.1.2 ESP SIP:1.1.1.0 DIP:2.2.2.0>
5. The new, encrypted packet is looked up again: routing table. Result: sent out the physical interface Fa0/0
6. Although the physical interface also carries a crypto map, the new packet does not match the interesting traffic, so it passes straight out the physical interface toward its destination
7. Final packet structure
SIP:202.100.1.1 DIP:202.100.1.2 ESP SIP:1.1.1.0 DIP:2.2.2.0
Configuration
R1:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 202.100.2.1
crypto ipsec transform-set tran esp-3des esp-md5-hmac
crypto map map 10 ipsec-isakmp
 set peer 202.100.2.1
 set transform-set tran
 match address vpn
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Loopback1
 ip address 4.4.4.4 255.255.255.0
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 202.100.2.1
 crypto map map
interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.0
 half-duplex
(crypto map map: recommended on this physical interface as well, since it blocks unencrypted interesting traffic from entering)
interface Ethernet1/2
 ip address 1.1.1.1 255.255.255.0
 half-duplex
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 4.4.4.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 1.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
 permit ip 1.1.1.0 0.0.0.255 6.6.6.0 0.0.0.255
 permit ip 3.3.3.0 0.0.0.255 6.6.6.0 0.0.0.255
 permit ip 4.4.4.0 0.0.0.255 6.6.6.0 0.0.0.255
R2:
interface Ethernet0/0
 ip address 202.100.1.100 255.255.255.0
 half-duplex
interface Ethernet0/1
 ip address 202.100.2.100 255.255.255.0
 half-duplex
R3:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 202.100.1.1
crypto ipsec transform-set tran esp-3des esp-md5-hmac
crypto map map 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set tran
 match address vpn
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
interface Loopback1
 ip address 6.6.6.6 255.255.255.0
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.1.1
 crypto map map
interface Ethernet0/1
 ip address 202.100.2.1 255.255.255.0
 half-duplex
interface Ethernet1/2
 ip address 2.2.2.2 255.255.255.0
router ospf 1
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 5.5.5.0 0.0.0.255 area 0
 network 6.6.6.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
The VPN carries traffic according to the interesting-traffic matching rule: where there is no matching interesting traffic on both sides, the two networks cannot communicate through it.
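To make the packet walk-through and the interesting-traffic rule concrete, here is an added Python model (written for this page, not IOS code and not from the original post). It parses the two vpn ACLs exactly as configured on R1 and R3, implements Cisco wildcard matching, walks a packet through R1's tunnel crypto map and physical interface the way the numbered steps describe, and lists the ACL lines that have no mirror image on the peer. The forwarding table R1_ROUTES is an assumption derived from the OSPF and default-route configuration; the peer addresses are the tunnel source/destination from the config.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <wc> <dst> <wc>' line; addresses stored as integers."""
    src: int
    src_wc: int
    dst: int
    dst_wc: int

    def matches(self, src: str, dst: str) -> bool:
        # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
        s, d = int(IPv4Address(src)), int(IPv4Address(dst))
        src_ok = ((s ^ self.src) & ~self.src_wc & 0xFFFFFFFF) == 0
        dst_ok = ((d ^ self.dst) & ~self.dst_wc & 0xFFFFFFFF) == 0
        return src_ok and dst_ok

    def mirror(self) -> "AclEntry":
        # The line the peer must carry for IKE phase 2 to agree on identities.
        return AclEntry(self.dst, self.dst_wc, self.src, self.src_wc)

    def __str__(self) -> str:
        return "permit ip %s %s %s %s" % tuple(IPv4Address(x) for x in (self.src, self.src_wc, self.dst, self.dst_wc))


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        if p[:2] == ["permit", "ip"] and len(p) == 6:
            entries.append(AclEntry(*(int(IPv4Address(x)) for x in p[2:6])))
    return entries


def first_match(acl: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    return next((e for e in acl if e.matches(src, dst)), None)


def unmirrored(local: List[AclEntry], peer: List[AclEntry]) -> List[AclEntry]:
    """Local crypto ACL lines whose mirror image is missing on the peer."""
    peer_set = set(peer)
    return [e for e in local if e.mirror() not in peer_set]


# The two 'ip access-list extended vpn' lists exactly as configured above.
R1_ACL = parse_acl("""
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 1.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
permit ip 1.1.1.0 0.0.0.255 6.6.6.0 0.0.0.255
permit ip 3.3.3.0 0.0.0.255 6.6.6.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 6.6.6.0 0.0.0.255
""")
R3_ACL = parse_acl("""
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
""")

# Assumed R1 forwarding table: R3's networks are learned by OSPF over Tunnel0,
# everything else follows the static default route to Ethernet0/0.
R1_ROUTES = [
    (IPv4Network("2.2.2.0/24"), "Tunnel0"),
    (IPv4Network("5.5.5.0/24"), "Tunnel0"),
    (IPv4Network("6.6.6.0/24"), "Tunnel0"),
    (IPv4Network("0.0.0.0/0"), "Ethernet0/0"),
]
R1_TUNNEL_SRC, R1_PEER = "202.100.1.1", "202.100.2.1"


def lookup(dst: str) -> str:
    """Longest-prefix match over the assumed table."""
    hits = [r for r in R1_ROUTES if IPv4Address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1]


def r1_outbound(src: str, dst: str) -> Tuple[List[str], Optional[Tuple[str, str, str]]]:
    """Walk one packet through R1 following the numbered steps in the post.
    Returns the step log and the packet that leaves Ethernet0/0 as
    (outer src, outer dst, outer protocol), or None if it is dropped."""
    steps = []
    egress = lookup(dst)
    steps.append(f"1-2 route lookup {src}->{dst}: {egress}")
    if egress != "Tunnel0":
        return steps, (src, dst, "IP")
    if first_match(R1_ACL, src, dst) is None:
        # Routed into the tunnel but not interesting: GRE only, no ESP.
        steps.append("3 tunnel crypto map: no match, GRE in clear")
        outer = (R1_TUNNEL_SRC, R1_PEER, "GRE")
    elif first_match(R3_ACL, dst, src) is None:
        # Interesting here but the peer has no mirror line: phase 2 never agrees
        # on identities, so no SA is built and the packet is dropped.
        steps.append("3-4 tunnel crypto map match, but no mirror on peer: no SA, dropped")
        return steps, None
    else:
        steps.append("3-4 tunnel crypto map match: encrypt, ESP tunnel mode")
        outer = (R1_TUNNEL_SRC, R1_PEER, "ESP")
    # 5-6: the outer packet is routed again; a crypto map on the physical interface
    # sees 202.100.1.1 -> 202.100.2.1, which no ACL line matches, so it passes untouched.
    phys_hit = first_match(R1_ACL, outer[0], outer[1]) is not None
    steps.append(f"5-6 outer {outer[0]}->{outer[1]} {outer[2]}: {lookup(outer[1])}, physical map match={phys_hit}")
    return steps, outer


if __name__ == "__main__":
    for flow in [("1.1.1.1", "2.2.2.2"), ("1.1.1.1", "6.6.6.6"), ("3.3.3.3", "2.2.2.2")]:
        log, out = r1_outbound(*flow)
        print("\n".join(log), "=>", out)
    for e in unmirrored(R1_ACL, R3_ACL):
        print("R3 has no mirror of:", e)
```

Two behaviours are worth noticing when you run it. A flow such as 3.3.3.3 to 2.2.2.2 is routed into the tunnel but matches no crypto ACL line, so it leaves as plain GRE with no ESP at all; a crypto map only protects what its ACL names. And the three R1 lines toward 6.6.6.0 have no mirror on R3, which is exactly why the r1 show output below lists those identities with spi 0x0 and zero packets.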
r1#sh cry isa sa
dst src state conn-id slot status
202.100.1.1 202.100.2.1 QM_IDLE 1 0 ACTIVE
r3#sh cry isa sa
dst src state conn-id slot status
202.100.1.1 202.100.2.1 QM_IDLE 1 0 ACTIVE
r3#sh cry ips sa
interface: Tunnel0
Crypto map tag: map, local addr 202.100.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 202.100.2.1, remote crypto endpt.: 202.100.1.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0xADBAEB5(182169269)
inbound esp sas:
spi: 0x4768DDAE(1198054830)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: SW:5, crypto map: map
sa timing: remaining key lifetime (k/sec): (4577390/3317)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xADBAEB5(182169269)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: map
sa timing: remaining key lifetime (k/sec): (4577390/3316)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 202.100.2.1, remote crypto endpt.: 202.100.1.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0x497929B6(1232677302)
inbound esp sas:
spi: 0xBBF1BDFB(3153182203)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: map
sa timing: remaining key lifetime (k/sec): (4443853/3369)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x497929B6(1232677302)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: map
sa timing: remaining key lifetime (k/sec): (4443853/3369)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
r1#sh cry ips sa
interface: Tunnel0
Crypto map tag: map, local addr 202.100.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 202.100.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.2.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0x4768DDAE(1198054830)
inbound esp sas:
spi: 0xADBAEB5(182169269)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: SW:5, crypto map: map
sa timing: remaining key lifetime (k/sec): (4412184/3291)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4768DDAE(1198054830)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: map
sa timing: remaining key lifetime (k/sec): (4412184/3291)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
current_peer 202.100.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.2.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0xBBF1BDFB(3153182203)
inbound esp sas:
spi: 0x497929B6(1232677302)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: map
sa timing: remaining key lifetime (k/sec): (4473245/3344)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBBF1BDFB(3153182203)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: map
sa timing: remaining key lifetime (k/sec): (4473245/3344)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (6.6.6.0/255.255.255.0/0/0)
current_peer 202.100.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.2.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (6.6.6.0/255.255.255.0/0/0)
current_peer 202.100.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.2.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (6.6.6.0/255.255.255.0/0/0)
current_peer 202.100.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.2.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
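Reading five identity blocks by eye is fine in a lab, but in production you want a check that flags the pairs that never negotiated. Here is an added Python parser for the show crypto ipsec sa output above (written for this page, not an IOS feature); the R1_SAMPLE text is an abbreviated copy of r1's output, keeping only the lines the parser needs. It reports identities whose current outbound spi is 0x0 (no SA ever built, which in this lab is the three pairs R3's ACL does not mirror) and identities that carry traffic in one direction only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


@dataclass
class FlowSa:
    local: str
    remote: str
    encaps: int
    decaps: int
    outbound_spi: int

    @property
    def established(self) -> bool:
        return self.outbound_spi != 0


def parse_ipsec_sa(text: str) -> List[FlowSa]:
    """One record per 'protected vrf:' block of 'show crypto ipsec sa'."""
    records: List[Dict] = []
    cur = None
    for line in text.splitlines():
        if "protected vrf:" in line:
            cur = {"local": "?", "remote": "?", "encaps": 0, "decaps": 0, "spi": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT.search(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = PKTS.search(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
            continue
        m = SPI.search(line)
        if m:
            cur["spi"] = int(m.group(1), 16)
    return [FlowSa(r["local"], r["remote"], r["encaps"], r["decaps"], r["spi"]) for r in records]


def never_established(flows: List[FlowSa]) -> List[FlowSa]:
    """Identity pairs the crypto ACL selects but for which no SA was ever built."""
    return [f for f in flows if not f.established]


def one_way(flows: List[FlowSa]) -> List[FlowSa]:
    """SA is up but packets flow in one direction only: a routing or ACL symptom."""
    return [f for f in flows if f.established and (f.encaps == 0) != (f.decaps == 0)]


def report(text: str) -> List[str]:
    flows = parse_ipsec_sa(text)
    lines = [f"NO SA   {f.local} -> {f.remote}" for f in never_established(flows)]
    lines += [f"ONE-WAY {f.local} -> {f.remote} encaps={f.encaps} decaps={f.decaps}" for f in one_way(flows)]
    return lines


# Abbreviated from r1's output above (constructed sample, only the parsed lines kept).
R1_SAMPLE = """\
r1#sh cry ips sa
interface: Tunnel0
Crypto map tag: map, local addr 202.100.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
current outbound spi: 0x4768DDAE(1198054830)
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
current outbound spi: 0xBBF1BDFB(3153182203)
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (6.6.6.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (6.6.6.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
protected vrf: (none)
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (6.6.6.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
"""

if __name__ == "__main__":
    print("\n".join(report(R1_SAMPLE)))
```

Feed it the full output of show crypto ipsec sa from each peer; a NO SA line for an identity that should be carrying traffic means the crypto ACLs are not mirrored or phase 2 is failing, and a ONE-WAY line usually points at an asymmetric route or a physical-interface crypto map dropping the return traffic.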