I. Test topology
Note: this configures DMVPN Phase 3 directly. VyOS version 1.1.8 was used; configuring NHRP on the latest 1.3 release did not succeed: with the same configuration, when committing on 1.3 the NHRP service did not start.
II. Basic configuration
1. Basic configuration
A. PC1 router
interface Ethernet0/0
ip address 172.16.100.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.100.254
B. hub (IOS)
hostname hub
interface Loopback0
ip address 172.16.1.1 255.255.255.0
interface Ethernet0/0
ip address 201.100.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 201.100.1.10
C. Internet router
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
interface Ethernet0/2
ip address 201.100.1.10 255.255.255.0
D. Spoke1 (VyOS)
set system host-name 'Spoke1'
set interfaces ethernet eth1 address '202.100.1.1/24'
set interfaces ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop 202.100.1.10
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'
E. Spoke2 (VyOS)
set system host-name 'Spoke2'
set interfaces ethernet eth1 address '61.128.1.1/24'
set interfaces ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'
F. PC2 router
interface Ethernet0/0
ip address 172.16.200.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.200.254
2. Tunnel interface and NHRP configuration
A. hub (IOS)
interface Tunnel0
ip address 10.1.1.100 255.255.255.0
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 12345
B. Spoke1 (VyOS)
set interfaces tunnel tun0 address '10.1.1.1/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '0.0.0.0'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '12345'
set protocols nhrp tunnel tun0 cisco-authentication 'cisco'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 map 10.1.1.100/24 nbma-address '201.100.1.1'
set protocols nhrp tunnel tun0 map 10.1.1.100/24 'register'
set protocols nhrp tunnel tun0 'shortcut'
C. Spoke2 (VyOS)
set interfaces tunnel tun0 address '10.1.1.2/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '0.0.0.0'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '12345'
set protocols nhrp tunnel tun0 cisco-authentication 'cisco'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 map 10.1.1.100/24 nbma-address '201.100.1.1'
set protocols nhrp tunnel tun0 map 10.1.1.100/24 'register'
set protocols nhrp tunnel tun0 'shortcut'
D. Verify that NHRP is working
--On the hub, both spokes can be seen as registered
Hub#show ip nhrp
10.1.1.1/32 via 10.1.1.1
Tunnel0 created 00:00:53, expire 00:04:06
Type: dynamic, Flags: unique registered used nhop
NBMA address: 202.100.1.1
10.1.1.2/32 via 10.1.1.2
Tunnel0 created 00:00:00, expire 00:04:59
Type: dynamic, Flags: unique registered used nhop
NBMA address: 61.128.1.1
Hub#
--Ping Spoke2's tunnel address from Spoke1 while capturing on the hub router's /0 interface: only the first packet is relayed by the hub (the first reply comes back with ttl=63, the later ones with ttl=64)
vyos@Spoke1:~$ ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_req=1 ttl=63 time=1.73 ms
64 bytes from 10.1.1.2: icmp_req=2 ttl=64 time=0.797 ms
64 bytes from 10.1.1.2: icmp_req=3 ttl=64 time=0.766 ms
64 bytes from 10.1.1.2: icmp_req=4 ttl=64 time=0.681 ms
^C
--- 10.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.681/0.995/1.738/0.431 ms
vyos@Spoke1:~$ ping 10.1.1.2 count 1000
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_req=1 ttl=64 time=1.07 ms
64 bytes from 10.1.1.2: icmp_req=2 ttl=64 time=1.38 ms
64 bytes from 10.1.1.2: icmp_req=3 ttl=64 time=0.978 ms
64 bytes from 10.1.1.2: icmp_req=4 ttl=64 time=0.936 ms
64 bytes from 10.1.1.2: icmp_req=5 ttl=64 time=0.965 ms
64 bytes from 10.1.1.2: icmp_req=6 ttl=64 time=0.767 ms
64 bytes from 10.1.1.2: icmp_req=7 ttl=64 time=0.937 ms
64 bytes from 10.1.1.2: icmp_req=8 ttl=64 time=0.955 ms
64 bytes from 10.1.1.2: icmp_req=9 ttl=64 time=1.51 ms
64 bytes from 10.1.1.2: icmp_req=10 ttl=64 time=1.30 ms
64 bytes from 10.1.1.2: icmp_req=11 ttl=64 time=1.02 ms
64 bytes from 10.1.1.2: icmp_req=12 ttl=64 time=0.960 ms
64 bytes from 10.1.1.2: icmp_req=13 ttl=64 time=0.977 ms
64 bytes from 10.1.1.2: icmp_req=14 ttl=64 time=1.16 ms
64 bytes from 10.1.1.2: icmp_req=15 ttl=64 time=1.04 ms
64 bytes from 10.1.1.2: icmp_req=16 ttl=64 time=1.31 ms
64 bytes from 10.1.1.2: icmp_req=17 ttl=64 time=1.10 ms
64 bytes from 10.1.1.2: icmp_req=18 ttl=64 time=1.22 ms
64 bytes from 10.1.1.2: icmp_req=19 ttl=64 time=1.15 ms
64 bytes from 10.1.1.2: icmp_req=20 ttl=64 time=1.19 ms
64 bytes from 10.1.1.2: icmp_req=21 ttl=64 time=1.43 ms
64 bytes from 10.1.1.2: icmp_req=22 ttl=64 time=1.00 ms
64 bytes from 10.1.1.2: icmp_req=23 ttl=64 time=1.07 ms
64 bytes from 10.1.1.2: icmp_req=24 ttl=64 time=1.12 ms
64 bytes from 10.1.1.2: icmp_req=25 ttl=64 time=1.19 ms
64 bytes from 10.1.1.2: icmp_req=26 ttl=64 time=1.42 ms
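As an added check (example code written for this write-up, not part of the original configuration or of VyOS/IOS), the script below parses the hub's `show ip nhrp` output to confirm each spoke is registered from the public (NBMA) address it should be using, and classifies the ping replies by TTL: a reply at the spoke's initial TTL of 64 came directly over the spoke-to-spoke tunnel, one at 63 was relayed by the hub. The sample outputs and the expected-spoke table are constructed from the values on this page.

```python
import re

# Constructed sample input: the hub's 'show ip nhrp' output and the start of
# Spoke1's ping output as they appear in this write-up (pasted text).
SHOW_IP_NHRP = """10.1.1.1/32 via 10.1.1.1
   Tunnel0 created 00:00:53, expire 00:04:06
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 202.100.1.1
10.1.1.2/32 via 10.1.1.2
   Tunnel0 created 00:00:00, expire 00:04:59
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 61.128.1.1
"""
PING_OUTPUT = """64 bytes from 10.1.1.2: icmp_req=1 ttl=63 time=1.73 ms
64 bytes from 10.1.1.2: icmp_req=2 ttl=64 time=0.797 ms
64 bytes from 10.1.1.2: icmp_req=3 ttl=64 time=0.766 ms
"""
# Tunnel IP -> public (NBMA) address each spoke is expected to register from.
EXPECTED_SPOKES = {"10.1.1.1": "202.100.1.1", "10.1.1.2": "61.128.1.1"}

def parse_nhrp(text):
    """Map each NHRP entry's tunnel IP to its flag set and NBMA address."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)/\d+ via", line)
        if m:
            current = entries.setdefault(m.group(1), {"flags": set(), "nbma": None})
        elif current is not None and "Flags:" in line:
            current["flags"] = set(line.split("Flags:")[1].split())
        elif current is not None and "NBMA address:" in line:
            current["nbma"] = line.split("NBMA address:")[1].strip()
    return entries

def unregistered_spokes(text, expected=EXPECTED_SPOKES):
    """Spokes that are absent, lack the 'registered' flag, or use the wrong NBMA address."""
    entries = parse_nhrp(text)
    return [ip for ip, nbma in expected.items()
            if ip not in entries or "registered" not in entries[ip]["flags"]
            or entries[ip]["nbma"] != nbma]

def reply_paths(text, direct_ttl=64):
    """Classify each echo reply by TTL: 'direct' at the initial TTL, 'via-hub' one hop lower."""
    paths = []
    for ttl in re.findall(r"ttl=(\d+)", text):
        hops = direct_ttl - int(ttl)
        paths.append("direct" if hops == 0 else "via-hub" if hops == 1 else f"{hops}-hops")
    return paths
```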
3. VPN configuration
A. hub (IOS)
--Phase 1 policy set
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key Cisc0123 address 0.0.0.0
crypto isakmp invalid-spi-recovery
--Phase 2 policy set
crypto ipsec transform-set transet esp-aes esp-md5-hmac
mode transport
--Configure the IPsec profile, reference the policy sets above, and apply it on the tunnel interface
crypto ipsec profile ipsecpro
set security-association idle-time 720
set transform-set transet
set pfs group2
interface Tunnel0
tunnel protection ipsec profile ipsecpro
B. Spoke1 and Spoke2 (VyOS)
--Phase 2 policy set
set vpn ipsec esp-group esp-vyos compression 'disable'
set vpn ipsec esp-group esp-vyos lifetime '3600'
set vpn ipsec esp-group esp-vyos mode 'tunnel'
set vpn ipsec esp-group esp-vyos pfs 'dh-group2'
set vpn ipsec esp-group esp-vyos proposal 10 encryption 'aes128'
set vpn ipsec esp-group esp-vyos proposal 10 hash 'md5'
--Phase 1 policy set
set vpn ipsec ike-group ike-vyos proposal 10 dh-group '2'
set vpn ipsec ike-group ike-vyos proposal 10 encryption 'aes256'
set vpn ipsec ike-group ike-vyos proposal 10 hash 'md5'
--Enable IPsec on the public-facing interface
set vpn ipsec ipsec-interfaces interface 'eth1'
--Configure the IPsec profile, reference the policy sets above, and bind it to the tunnel interface
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'Cisc0123'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'esp-vyos'
set vpn ipsec profile NHRPVPN ike-group 'ike-vyos'
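The Phase 1 settings must match on both ends, and the ones used here (MD5 hashing, DH group 2) are legacy choices that still negotiate. The added script below (written for this write-up, not code from the original page or from VyOS/IOS) normalises the hub's `crypto isakmp policy` block and the VyOS `ike-group` proposal lines, reports any mismatched field and lists legacy algorithms; the inputs are this page's own Phase 1 lines, pasted as text.

```python
import re

# Constructed sample input: the hub's IOS Phase 1 policy and the VyOS ike-group
# lines from this write-up, pasted as text (not read from a live device).
IOS_ISAKMP = """crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
"""
VYOS_IKE = """set vpn ipsec ike-group ike-vyos proposal 10 dh-group '2'
set vpn ipsec ike-group ike-vyos proposal 10 encryption 'aes256'
set vpn ipsec ike-group ike-vyos proposal 10 hash 'md5'
"""
# Values that still negotiate on both platforms but are legacy choices.
LEGACY = {"md5": "MD5 integrity", "sha1": "SHA-1 integrity",
          "2": "DH group 2 (1024-bit MODP)"}

def parse_ios_isakmp(text):
    """Normalise an IOS 'crypto isakmp policy' block to {encryption, hash, dh-group}."""
    prop = {}
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "encr":
            alg = tok[1]
            if alg == "aes":  # IOS 'encr aes' with no key size means AES-128
                alg += tok[2] if len(tok) > 2 else "128"
            prop["encryption"] = alg
        elif tok[0] == "hash":
            prop["hash"] = tok[1]
        elif tok[0] == "group":
            prop["dh-group"] = tok[1]
    return prop

def parse_vyos_ike(text):
    """Normalise VyOS 'set vpn ipsec ike-group <name> proposal <n> <key> <value>' lines."""
    prop = {}
    pat = re.compile(r"proposal \d+ (\S+) '?([^']+)'?$")
    for line in text.splitlines():
        m = pat.search(line.strip())
        if m:
            prop[m.group(1)] = m.group(2)
    return prop

def compare_proposals(hub, spoke):
    """Return (mismatched fields, legacy algorithm names) for two normalised proposals."""
    keys = ("encryption", "hash", "dh-group")
    mismatches = [k for k in keys if hub.get(k) != spoke.get(k)]
    used = {hub.get("hash"), hub.get("dh-group"), spoke.get("hash"), spoke.get("dh-group")}
    return mismatches, sorted(LEGACY[v] for v in used if v in LEGACY)
```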
4. Add static routes
A. hub (IOS)
ip route 172.16.100.0 255.255.255.0 10.1.1.1
ip route 172.16.200.0 255.255.255.0 10.1.1.2
B. Spoke1 (VyOS)
set protocols static route 172.16.1.0/24 next-hop '10.1.1.100'
set protocols static route 172.16.200.0/24 next-hop '10.1.1.2'
C. Spoke2 (VyOS)
set protocols static route 172.16.100.0/24 next-hop '10.1.1.1'
set protocols static route 172.16.1.0/24 next-hop '10.1.1.100'
III. Verification
1. PC1 can ping PC2
PC1#ping 172.16.200.1 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/1/2 ms
PC1#
2. The IPsec SA listing shows that a VPN connection has been established between the two spokes
vyos@Spoke1:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
0.0.0.0 202.100.1.1
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
tun0 down n/a n/a n/a no 0 3600 gre
Peer ID / IP Local ID / IP
------------ -------------
61.128.1.1 202.100.1.1
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
tun0 up 15.5K/15.5K aes128 md5 no 274 3600 gre
Peer ID / IP Local ID / IP
------------ -------------
201.100.1.1 202.100.1.1
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
tun0 up 5.2K/7.8K aes128 md5 no 1603 3600 gre