wuhao0015 (Spotlight)
With the end of the year approaching, here is some more material for everyone as an early New Year greeting.
I have long wanted to connect the networks at three places, my new home, my old home and my wife's family's home, because I need to reach things like surveillance cameras and file shares across them.
A full mesh of IPsec point-to-point VPNs is troublesome to configure and inflexible, so I settled on DMVPN as the right solution.
The company has Cisco equipment and a public IP address, which takes care of the hub side; the IOS hub configuration is not the focus of this write-up.
Using a large, expensive, power-hungry Cisco device on the spoke side is obviously impractical.
So I turned to home routers that can be flashed with OpenWrt. After a long period of research (about a year) I got DMVPN working between OpenWrt and a Cisco hub.
Requirements:
A router that can run OpenWrt, version 15.05.1.
I used a Netgear WNDR3700v4.
Again, the IOS configuration is not the focus here. Hub-side IOS configuration:
crypto keyring dmvpn-key
pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco*123
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp profile dmvpn-profile
keyring dmvpn-key
match identity address 0.0.0.0
!
crypto ipsec transform-set dmvpn esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile dmvpn
set transform-set dmvpn
set isakmp-profile dmvpn-profile
!
interface Tunnel100
description pT:Tunnel-For-DMVPN
ip address 172.16.100.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 360
ip nhrp redirect
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf cost 50
ip ospf priority 255
load-interval 30
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile dmvpn
router ospf 100
router-id 172.16.100.254
network 172.16.100.254 0.0.0.0 area 0
network 192.168.0.0 0.0.255.255 area 0
Key configuration:
1. Install the packages
opkg install opennhrp
opkg install kmod-ipsec4
opkg install quagga quagga-ospfd
opkg install gre
opkg install iptables-mod-nat-extra
opkg install kmod-natsemi
opkg install kmod-nf-nathelper-extra
2. Configure the GRE interface
vi /etc/config/network
Add the following:
config interface 'gre'
        option proto 'gre'          ## protocol is gre
        option zone 'vpn'           ## firewall zone is vpn
        option peeraddr '0.0.0.0'   ## GRE peer address is 0.0.0.0 (multipoint, any peer)
        option mtu '1400'
        option ttl '64'
        option ikey '100'           ## GRE key, inbound
        option okey '100'           ## GRE key, outbound
config interface 'gre1'
        option proto 'static'
        option ifname '@gre'
        option ipaddr '172.16.100.3'      ## tunnel address
        option netmask '255.255.255.0'    ## tunnel netmask
== After editing, activate the interface from the web page or run '/etc/init.d/network restart'.
View the interface:
root@openwrt:~# ifconfig gre-gre
gre-gre Link encap:UNSPEC HWaddr 75-59-45-52-00-00-7F-A2-00-00-00-00-00-00-00-00
inet addr:172.16.100.3 Mask:255.255.255.0
inet6 addr: fe80::200:5efe:7559:4552/64 Scope:Link
UP RUNNING MTU:1400 Metric:1
RX packets:10265 errors:0 dropped:0 overruns:0 frame:0
TX packets:19404 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:921632 (900.0 KiB) TX bytes:1489669 (1.4 MiB)
root@openwrt:~# ip link show gre-gre
13: gre-gre@NONE: mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/gre 117.89.69.82 brd 0.0.0.0
root@openwrt:~#
root@openwrt:~# ip tunnel show gre-gre
gre-gre: gre/ip remote any local 117.89.69.82 ttl 64 key 100
root@openwrt:~#
3. Configure IPsec
3.1 Configure the pre-shared key:
vi /etc/racoon/psk.txt
Add the following:
* Cisco*123   ## IPsec pre-shared key Cisco*123 for any peer address
3.2 Configure the IPsec traffic (interesting traffic)
vi /etc/ipsec.conf
Add the following:
#!/usr/sbin/setkey -f
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
3.3 Configure the IPsec policy:
vi /etc/racoon.conf
Set it to the following (adjust to your actual situation):
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main,aggressive;
        lifetime time 24 hour;
        nat_traversal on;
        dpd_delay 10;
        script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
        script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
3.4 Start IPsec
/etc/init.d/racoon restart
3.5 Check the IPsec status
root@openwrt:~# setkey -D
117.89.69.82 224.0.0.5
esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 22 11:37:49 2017 current: Feb 22 11:38:02 2017
diff: 13(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=12642 refcnt=0
117.89.69.82 218.94.26.96
esp mode=transport spi=3303143295(0xc4e1f77f) reqid=0(0x00000000)
E: des-cbc 7eabfcea 8eba315b
A: hmac-md5 8d10c4ea f7816b72 1702caf0 57233852
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 22 10:54:00 2017 current: Feb 22 11:38:02 2017
diff: 2642(s) hard: 3600(s) soft: 2880(s)
last: Feb 22 10:54:09 2017 hard: 0(s) soft: 0(s)
current: 21001(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 276 hard: 0 soft: 0
sadb_seq=2 pid=12642 refcnt=0
218.94.26.96 117.89.69.82
esp mode=transport spi=191219007(0x0b65c53f) reqid=0(0x00000000)
E: des-cbc 5ec7e525 321b699d
A: hmac-md5 564059d1 e3b92639 aefa88fb 21a3303b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 22 10:54:00 2017 current: Feb 22 11:38:02 2017
diff: 2642(s) hard: 3600(s) soft: 2880(s)
last: Feb 22 10:54:01 2017 hard: 0(s) soft: 0(s)
current: 28005(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 290 hard: 0 soft: 0
sadb_seq=0 pid=12642 refcnt=0
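The proposal in step 3.3 (and the matching IOS policy and transform-set on the hub) uses DES, MD5 and DH group 2, and psk.txt uses a `*` wildcard, so the shared key is the only thing that authenticates a spoke. The script below is an added example, not part of the original post: it writes a racoon.conf with the same structure and the same DPD and opennhrp script settings, but with AES-256, SHA-256, DH group 14 and main mode only. The hub-side IOS lines that have to change with it are listed in the comment; it is assumed the hub's IOS release supports them, since both ends must agree. The output path is a parameter so the function can be tried on a temporary file first.

```shell
#!/bin/sh
# Added example, not part of the original post: a racoon.conf for the spoke
# with the structure of step 3.3 but AES-256, SHA-256 and DH group 14 in place
# of DES, MD5 and group 2, plus main mode only. The hub must be changed to
# match (the IOS lines are in the comment below) or phase 1 / phase 2 fails.
# The output path is a parameter so the function can be tried on a temp file.
#
# Matching hub-side IOS lines (assumed supported by the hub's IOS release):
#   crypto isakmp policy 10
#    encryption aes 256
#    hash sha256
#    authentication pre-share
#    group 14
#   crypto ipsec transform-set dmvpn esp-aes 256 esp-sha256-hmac
#    mode transport

write_hardened_racoon_conf() {
    cat > "$1" <<'EOF'
log notify;
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        # main mode only: aggressive mode with a PSK sends the authentication
        # hash unencrypted, which exposes the key to offline guessing
        exchange_mode main;
        lifetime time 24 hour;
        nat_traversal on;
        dpd_delay 10;
        script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
        script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
EOF
}

# The proposal blocks as they appear on the page (step 3.3), for comparison.
write_page_proposal() {
    cat > "$1" <<'EOF'
proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
}
sainfo anonymous {
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
}
EOF
}

# Succeed when no proposal in the file still names DES or MD5.
has_no_weak_algorithms() {
    ! grep -Eq '(^|[[:space:]])(des|md5|hmac_md5)[[:space:];]' "$1"
}

# Usage: sh hardened-racoon.sh /etc/racoon.conf  (then /etc/init.d/racoon restart)
if [ "$#" -gt 0 ]; then
    write_hardened_racoon_conf "$1" && has_no_weak_algorithms "$1" && echo "wrote $1"
fi
```

The SPD in step 3.2 does not name an algorithm, so it stays as it is; only racoon.conf and the hub's isakmp policy and transform-set change, and they must change together.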
4. Configure opennhrp
vi /etc/opennhrp/opennhrp.conf
Set it to the following:
interface gre-gre                                    ## use the actual interface name
        map 172.16.100.254/24 218.94.26.96 register cisco   ## register with the hub; "cisco" enables Cisco NHRP compatibility
        cisco-authentication cisco                   ## NHRP authentication key is cisco
        shortcut
        redirect
        multicast dynamic                            ## multicast mapped to dynamically learned peers
Start opennhrp
/etc/init.d/opennhrp restart
Check the opennhrp status:
root@openwrt:~# opennhrpctl show
Status: ok
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.255/32
Alias-Address: 172.16.100.3
Flags: up
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.3/32
Flags: up
Interface: gre-gre
Type: static
Protocol-Address: 172.16.100.254/24
NBMA-Address: 218.94.26.96
Flags: up
5. Configure the dynamic routing protocol:
vi /etc/quagga/ospfd.conf
Add the following:
interface gre-gre
        ip ospf priority 0                      ## spoke is a DROTHER in OSPF
!
router ospf
        ospf router-id 172.16.100.3             ## OSPF router-id
        network 172.16.100.0/24 area 0.0.0.0    ## advertise the gre interface
        network 192.168.1.0/24 area 0.0.0.0     ## advertise the LAN segment
Start the OSPF process
/etc/init.d/quagga restart
Check OSPF:
telnet 127.0.0.1 2604
The default password is zebra.
The relevant commands are:
show ip ospf neighbor
show ip ospf database
show ip ospf route
The status is as follows:
openwrt# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.16.100.254 255 Full/DR 33.452s 172.16.100.254 gre-gre:172.16.100.3 0 0 0
openwrt#
openwrt# show ip ospf route
============ OSPF network routing table ============
N 172.16.0.0/24 [110] area: 0.0.0.0
via 172.16.100.1, gre-gre
via 172.16.100.2, gre-gre
N 172.16.100.0/24 [10] area: 0.0.0.0
directly attached to gre-gre
N 192.2.10.0/24 [12] area: 0.0.0.0
via 172.16.100.254, gre-gre
N 192.168.1.0/24 [10] area: 0.0.0.0
directly attached to br-lan
N 192.168.49.0/24 [11] area: 0.0.0.0
via 172.16.100.1, gre-gre
N 192.168.50.0/24 [11] area: 0.0.0.0
via 172.16.100.1, gre-gre
N 192.168.100.0/24 [11] area: 0.0.0.0
via 172.16.100.2, gre-gre
============ OSPF router routing table =============
R 172.16.0.1 [10] area: 0.0.0.0, ASBR
via 172.16.100.1, gre-gre
R 172.16.0.2 [10] area: 0.0.0.0, ASBR
via 172.16.100.2, gre-gre
============ OSPF external routing table ===========
N E2 192.168.51.0/24 [10/20] tag: 51
via 172.16.100.1, gre-gre
N E2 192.168.102.0/24 [10/20] tag: 102
via 172.16.100.2, gre-gre
openwrt#
openwrt# show ip ospf database
OSPF Router with ID (172.16.100.3)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
172.16.0.1 172.16.0.1 1605 0x80000853 0x950d 4
172.16.0.2 172.16.0.2 1947 0x8000070b 0xfe62 3
172.16.0.254 172.16.0.254 95 0x80000f39 0xed68 2
172.16.100.3 172.16.100.3 497 0x8000006e 0xbb10 2
172.16.100.254 172.16.100.254 1996 0x800002bf 0x3339 3
192.168.254.253 192.168.254.253 628 0x800002b9 0x885f 6
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum
172.16.0.254 172.16.0.254 1368 0x80000dd8 0x752c
172.16.100.254 172.16.100.254 1490 0x8000060e 0x31ec
AS External Link States
Link ID ADV Router Age Seq# CkSum Route
192.168.51.0 172.16.0.1 1851 0x80000e07 0xcd31 E2 192.168.51.0/24 [0x33]
192.168.102.0 172.16.0.2 153 0x800003e4 0x9331 E2 192.168.102.0/24 [0x66]
openwrt#
6. Configure the firewall
vi /etc/config/firewall
Add the following:
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpn'
        option forward 'ACCEPT'
        option network 'gre1'
config forwarding
        option dest 'lan'
        option src 'vpn'
config forwarding
        option dest 'wan'
        option src 'vpn'
config forwarding
        option dest 'vpn'
        option src 'lan'
Restart the firewall
/etc/init.d/firewall restart
7. Test:
netstat -r to view the routing table
ping 172.16.100.254
After a device reboot, including when the WAN address changes, the DMVPN comes up normally every time.
root@openwrt:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 117.89.68.1 0.0.0.0 UG 0 0 0 pppoe-wan
117.89.68.1 * 255.255.255.255 UH 0 0 0 pppoe-wan
172.16.0.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
172.16.100.0 * 255.255.255.0 U 0 0 0 gre-gre
192.2.10.0 172.16.100.254 255.255.255.0 UG 0 0 0 gre-gre
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.49.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.50.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.51.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.100.0 172.16.100.2 255.255.255.0 UG 0 0 0 gre-gre
192.168.102.0 172.16.100.2 255.255.255.0 UG 0 0 0 gre-gre
192.168.200.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
root@openwrt:~# ping 172.16.100.254
PING 172.16.100.254 (172.16.100.254): 56 data bytes
64 bytes from 172.16.100.254: seq=0 ttl=255 time=5.116 ms
64 bytes from 172.16.100.254: seq=1 ttl=255 time=5.165 ms
64 bytes from 172.16.100.254: seq=2 ttl=255 time=4.921 ms
64 bytes from 172.16.100.254: seq=3 ttl=255 time=4.971 ms
^C
--- 172.16.100.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max
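The tests above are done by eye: `setkey -D` for the SAs, `opennhrpctl show` for the hub registration and `show ip ospf neighbor` for the adjacency. The script below is an added example, not part of the original post, that automates the same three checks on the spoke and reports the first layer that is broken, which is the order in which the "No SAD entries" question in the comments has to be worked through. Each parser reads command output on stdin, so it is exercised here against text condensed from the outputs shown on this page; `live_check` runs the real commands on the router. It assumes the quagga-vtysh package is installed for the OSPF query (the page used telnet to port 2604 instead).

```shell
#!/bin/sh
# Added example, not part of the original post: a spoke-side health check for
# the three layers the page verifies by hand, the IPsec SAs (`setkey -D`), the
# hub registration (`opennhrpctl show`) and the OSPF adjacency (quagga).
# Each parser reads command output on stdin so it can be exercised offline with
# the captured text below; live_check runs the real commands on the router.
# Assumption: for the OSPF query the quagga-vtysh package is installed (the page
# used telnet to port 2604 instead).

HUB_NBMA="218.94.26.96"      # hub public address as on the page
HUB_TUNNEL="172.16.100.254"  # hub tunnel address as on the page

# Number of ESP SAs in state=mature. One hub gives two: inbound and outbound.
mature_sa_count() {
    awk '/state=mature/ { n++ } END { print n + 0 }'
}

# Destination of every SA stuck in state=larval (negotiation requested, never
# finished). The page shows one larval entry toward 224.0.0.5: the OSPF hello
# multicast is caught by the catch-all SPD and is harmless. A larval entry
# toward the hub that never matures points at the negotiation itself (PSK or
# proposal mismatch); no entries at all, as in the comments, means nothing has
# triggered a negotiation yet, which is the author's "no traffic or phase 1" case.
larval_sa_peers() {
    awk '/^[0-9.]+ [0-9.]+$/ { dst = $2 } /state=larval/ { print dst }'
}

# Succeed when `opennhrpctl show` lists a static, up entry with the hub's NBMA address.
hub_registered() {
    awk -v hub="$1" '
        /^Interface:/    { type = ""; nbma = "" }
        /^Type:/         { type = $2 }
        /^NBMA-Address:/ { nbma = $2 }
        /^Flags:/        { if ($2 == "up" && type == "static" && nbma == hub) found = 1 }
        END              { exit found ? 0 : 1 }'
}

# Neighbor IDs in state Full from `show ip ospf neighbor`.
ospf_full_neighbors() {
    awk '$3 ~ /^Full/ { print $1 }'
}

# Captured output, condensed from the page, for offline testing.
SAMPLE_SETKEY='117.89.69.82 224.0.0.5
esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
117.89.69.82 218.94.26.96
esp mode=transport spi=3303143295(0xc4e1f77f) reqid=0(0x00000000)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
218.94.26.96 117.89.69.82
esp mode=transport spi=191219007(0x0b65c53f) reqid=0(0x00000000)
seq=0x00000000 replay=4 flags=0x00000000 state=mature'
SAMPLE_NHRP='Status: ok
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.3/32
Flags: up
Interface: gre-gre
Type: static
Protocol-Address: 172.16.100.254/24
NBMA-Address: 218.94.26.96
Flags: up'
SAMPLE_OSPF='Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.16.100.254 255 Full/DR 33.452s 172.16.100.254 gre-gre:172.16.100.3 0 0 0'

# Run the parsers over the captured output; succeeds when every layer looks healthy.
selftest() {
    [ "$(printf '%s\n' "$SAMPLE_SETKEY" | mature_sa_count)" = 2 ] &&
    [ "$(printf '%s\n' "$SAMPLE_SETKEY" | larval_sa_peers)" = "224.0.0.5" ] &&
    printf '%s\n' "$SAMPLE_NHRP" | hub_registered "$HUB_NBMA" &&
    [ "$(printf '%s\n' "$SAMPLE_OSPF" | ospf_full_neighbors)" = "$HUB_TUNNEL" ]
}

# Query the live router and report each layer that is broken, lowest layer first.
live_check() {
    n=$(setkey -D | mature_sa_count)
    [ "$n" -ge 2 ] || echo "IPsec: $n mature SA(s); check psk.txt, the proposal in racoon.conf, and debug on the hub"
    opennhrpctl show | hub_registered "$HUB_NBMA" || echo "NHRP: hub $HUB_NBMA is not registered"
    vtysh -c 'show ip ospf neighbor' | ospf_full_neighbors | grep -qx "$HUB_TUNNEL" \
        || echo "OSPF: no Full adjacency with $HUB_TUNNEL"
}

# Usage: sh dmvpn-check.sh selftest   (offline, against the captured text)
#        sh dmvpn-check.sh live       (on the router)
case "${1:-}" in
    live)     live_check ;;
    selftest) selftest && echo "parsers ok" ;;
esac
```

The order matters: with no mature SA the GRE traffic never reaches the hub, so NHRP cannot register and OSPF cannot form, and any OSPF or NHRP error reported at that point is a symptom rather than the cause.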
All of this is now done and has been running stably for a year.
Related links:

[Original] IOS-XE remote access, part 1: SSL VPN
[Original] IOS-XE remote access, part 2: AnyConnect EAP
[Original] IOS-XE remote access, part 3: AnyConnect certificate authentication
Comments
wuhao0015 (Spotlight)
This post was last edited by wuhao0015 on 2018-12-28 21:08
Will I get censored for posting VPN topics on the forum all the time? I'm genuinely just discussing technology here.
yuhao (Level 1)
Impressive :lol
one-time (Level 13)
wuhao0015 posted on 2018-12-28 16:54
Will I get censored for posting VPN topics on the forum all the time? I'm genuinely just discussing technology here.

Thanks for sharing. Censorship? Nothing to do with us :lol
18653465190 (Spotlight)
Thanks for sharing :lol
avicairbus (Level 10)
Thanks for sharing
moxiuli (Level 9)
Great, thanks for sharing
olpolp63067 (Community Member)
Author, after running setkey -D it shows "No SAD entries".
wuhao0015 (Spotlight)
olpolp63067 posted on 2020-12-23 09:51
Author, after running setkey -D it shows "No SAD entries".

There are many possible causes; it takes patient troubleshooting and debugging. There are a lot of parameters that have to be matched up one by one. I also spent a lot of time on this before.
olpolp63067 (Community Member)
wuhao0015 posted on 2020-12-23 10:34
There are many possible causes; it takes patient troubleshooting and debugging. There are a lot of parameters that have to be matched up one by one. I also spent a lot of time on this before.

My router and OpenWrt are configured exactly according to your tutorial, and I'm stuck at the setkey -D step. What could the possible causes be?
wuhao0015 (Spotlight)
olpolp63067 posted on 2020-12-23 15:30
My router and OpenWrt are configured exactly according to your tutorial, and I'm stuck at the setkey -D step. What could the possible causes be?

Either no traffic is being generated, or phase 1 negotiation did not succeed. Try running debug on the hub side and see.