PC1 ping PC2,可以 ping 通。
VPP Responder(被动)
配置接口
set int state GigabitEthernet2/1/0 up
set int ip address GigabitEthernet2/1/0 20.20.20.2/24
set int state GigabitEthernet2/2/0 up
set int ip address GigabitEthernet2/2/0 10.10.10.1/24
配置 IPSec IKEv2
- 注意:示例中的预共享密钥 Vpp123 很短、容易被猜中,仅适合实验环境。实际部署时应使用足够长的随机密钥并妥善保管,或改用证书方式认证,否则隧道的身份认证可能被字典猜测攻破。
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp1.home
ikev2 profile set pr1 id remote fqdn vpp2.home
ikev2 profile set pr1 traffic-selector local ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0
show ikev2 sa
配置 GRE 隧道
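- 使用 IPSec 接口 IP 地址创建 GRE。GRE 本身不提供加密;这里 GRE 隧道的源/目的地址(40.40.40.x)落在前面 traffic-selector 的范围内,封装后的报文才会经由 ipsec0 受 IPSec 保护。建议先用 show ikev2 sa 确认 SA 已建立,再配置 GRE 和路由。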
set int state ipsec0 up
set int ip address ipsec0 40.40.40.2/24
create gre tunnel src 40.40.40.2 dst 40.40.40.1 instance 0
set int state gre0 up
set int ip address gre0 50.50.50.2/24
ip route 30.30.30.0/24 via gre0
VPP Initiator(主动)
配置接口
set int state GigabitEthernet2/1/0 up
set int ip address GigabitEthernet2/1/0 20.20.20.1/24
set int state GigabitEthernet2/2/0 up
set int ip address GigabitEthernet2/2/0 30.30.30.1/24
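配置 IPSec IKEv2
- 注意:本节的 id local / id remote 与 Responder 端完全相同。IKEv2 中一端的 local 标识一般应与对端的 remote 标识对应,因此这里很可能需要互换(local 为 vpp2.home,remote 为 vpp1.home),请按实际环境核对。
- 注意:示例中的 modp-1024(1024 位 DH 组)强度已不足,sha1-96 也属于逐步淘汰的算法,预共享密钥 Vpp123 同样过弱。生产环境建议选用 2048 位及以上的 DH 组、SHA-2 系列完整性算法和更长的随机密钥,并确认两端 VPP 版本均支持所选算法。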
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp1.home
ikev2 profile set pr1 id remote fqdn vpp2.home
ikev2 profile set pr1 responder GigabitEthernet2/1/0 20.20.20.2
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
ikev2 profile set pr1 traffic-selector local ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0
ikev2 initiate sa-init pr1
show ikev2 sa
配置 GRE 隧道
- 使用 IPSec 接口 IP 地址创建 GRE。
set int state ipsec0 up
set int ip address ipsec0 40.40.40.1/24
create gre tunnel src 40.40.40.1 dst 40.40.40.2 instance 0
set int state gre0 up
set int ip address gre0 50.50.50.1/24
ip route 10.10.10.0/24 via gre0