GRE Over IPsec 顾名思义,GRE在内,IPsec在外
那么当数据进入tunnel隧道后,会先被GRE封装后再进行IPsec感兴趣流acl匹配,匹配上了则封装IPsec,没匹配上则丢包
实验:
需求:总部pc能够通过gre over ipsec隧道访问分部pc
拓扑图
首先梳理配置步骤:
- 公网部分采用OSPF实现互通
- 在RT1、RT2、RT3上运行OSPF宣告相应网段(注意该OSPF只是为了实现公网互通注意宣告网段,思考环回接口是否需要宣告)(答案是需要的)
- 配置静态路由,将访问私网的路由引入到隧道,让其被gre给封装
- 在RT1和RT3上配置静态路由
- RT1和RT3之间建立gre隧道
- 注意gre封装的应该是ipsec的感兴趣流地址(1.1.1.1和3.3.3.3)
- 只有这样被gre封装后的源目地址才会被ipsec感兴趣流给匹配中
- 配置ike提议和ipsec模板
- ipsec封装的就应该是公网地址
- 注意:
- 拓扑图中提到的30位掩码通常左边为小右边为大
- ipsec采用主模式,采用ESP协议,做出效果后抓包分析,再换做AH抓包分析
配置步骤:
第一步:给设备配置IP地址 略
配置tunnel接口地址
[RT1]int Tunnel 0 mode gre
[RT1-Tunnel0]ip add 10.10.10.1 24
[RT3]int Tunnel 0 mode gre
[RT3-Tunnel0]ip add 10.10.10.2 24
第二步:公网运行OSPF实现公网互通
[RT1]ospf 1 router-id 1.1.1.1
[RT1-ospf-1]area 0
[RT1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[RT1-ospf-1-area-0.0.0.0]network 100.1.1.1 0.0.0.0
[RT1-ospf-1-area-0.0.0.0]qu
[RT2]ospf 1
[RT2-ospf-1]area 0
[RT2-ospf-1-area-0.0.0.0]network 100.1.1.2 0.0.0.0
[RT2-ospf-1-area-0.0.0.0]network 200.1.1.1 0.0.0.0
[RT2-ospf-1-area-0.0.0.0]qu
[RT3]ospf 1 router-id 3.3.3.3
[RT3-ospf-1]area 0
[RT3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[RT3-ospf-1-area-0.0.0.0]network 200.1.1.2 0.0.0.0
[RT3-ospf-1-area-0.0.0.0]qu
第三步:建立gre隧道(只有环回口可达,gre隧道才能建立成功)
[RT1]int Tunnel0
[RT1-Tunnel0]so
[RT1-Tunnel0]source 1.1.1.1
[RT1-Tunnel0]dest
[RT1-Tunnel0]destination 3.3.3.3
[RT1-Tunnel0]%Oct 30 13:22:40:830 2024 RT1 IFNET/3/PHY_UPDOWN: Physical state on the interface Tunnel0 changed to up.
%Oct 30 13:22:40:830 2024 RT1 IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel0 changed to up.
[RT1-Tunnel0]keepalive 10 3
[RT3]int Tunnel0
[RT3-Tunnel0]source 3.3.3.3
[RT3-Tunnel0]destination 1.1.1.1
[RT3-Tunnel0]%Oct 30 13:23:22:269 2024 RT3 IFNET/3/PHY_UPDOWN: Physical state on the interface Tunnel0 changed to up.
%Oct 30 13:23:22:269 2024 RT3 IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel0 changed to up.
[RT3-Tunnel0]keepalive 10 3
第四步:配置IPsec匹配的感兴趣流
[RT1]acl number 3000
[RT1-acl-ipv4-adv-3000]rule permit ip source 1.1.1.1 0 destination 3.3.3.3 0
[RT1-acl-ipv4-adv-3000]qu
[RT3]acl number 3000
[RT3-acl-ipv4-adv-3000]rule permit ip source 3.3.3.3 0 destination 1.1.1.1 0
[RT3-acl-ipv4-adv-3000]qu
第五步:配置ike提议
[RT1]ike keychain RT3
[RT1-ike-keychain-RT3]pre-shared-key address 200.1.1.2 key simple 123456
[RT1-ike-keychain-RT3]qu
[RT3]ike keychain RT1
[RT3-ike-keychain-RT1]pre-shared-key address 100.1.1.1 key simple 123456
[RT3-ike-keychain-RT1]qu
[RT1]ike proposal 1
[RT1-ike-proposal-1]qu
[RT1]ike profile RT3
[RT1-ike-profile-RT3]proposal 1
[RT1-ike-profile-RT3]keychain RT3
[RT1-ike-profile-RT3]local-identity address 100.1.1.1
[RT1-ike-profile-RT3]match remote identity address 200.1.1.2
[RT1-ike-profile-RT3]qu
[RT3]ike proposal 1
[RT3-ike-proposal-1]qu
[RT3]ike profile RT1
[RT3-ike-profile-RT1]proposal 1
[RT3-ike-profile-RT1]keychain RT1
[RT3-ike-profile-RT1]local-identity address 200.1.1.2
[RT3-ike-profile-RT1]match remote identity address 100.1.1.1
[RT3-ike-profile-RT1]qu
第六步配置IPSec协商和策略
[RT1]ipsec transform-set RT3
[RT1-ipsec-transform-set-RT3]esp authentication-algorithm md5
[RT1-ipsec-transform-set-RT3]esp encryption-algorithm des-cbc
[RT1-ipsec-transform-set-RT3]qu
[RT3]ipsec transform-set RT1
[RT3-ipsec-transform-set-RT1]esp authentication-algorithm md5
[RT3-ipsec-transform-set-RT1]esp encryption-algorithm des-cbc
[RT3-ipsec-transform-set-RT1]qu
[RT1]ipsec policy RT3 1 isakmp
[RT1-ipsec-policy-isakmp-RT3-1]security acl 3000
[RT1-ipsec-policy-isakmp-RT3-1]ike-profile RT3
[RT1-ipsec-policy-isakmp-RT3-1]transform-set RT3
[RT1-ipsec-policy-isakmp-RT3-1]local-address 100.1.1.1
[RT1-ipsec-policy-isakmp-RT3-1]remote-address 200.1.1.2
[RT1-ipsec-policy-isakmp-RT3-1]qu
[RT3]ipsec policy RT1 1 isakmp
[RT3-ipsec-policy-isakmp-RT1-1]security acl 3000
[RT3-ipsec-policy-isakmp-RT1-1]ike-profile RT1
[RT3-ipsec-policy-isakmp-RT1-1]transform-set RT1
[RT3-ipsec-policy-isakmp-RT1-1]local-address 200.1.1.2
[RT3-ipsec-policy-isakmp-RT1-1]remote-address 100.1.1.1
[RT3-ipsec-policy-isakmp-RT1-1]qu
第七步:在出接口调用ipsec策略
[RT1]int g0/1
[RT1-GigabitEthernet0/1]ipsec apply policy RT3
[RT1-GigabitEthernet0/1]qu
[RT3]int g0/0
[RT3-GigabitEthernet0/0]ipsec apply policy RT1
[RT3-GigabitEthernet0/0]qu
第八步:分别将访问私网的路由引入到tunnel隧道中
[RT1]ip route-static 172.16.10.0 24 Tunnel 0
[RT3]ip route-static 192.168.10.0 24 Tunnel 0
思考,为什么前面两个包会丢包?
这是由于IPesc隧道的建立是触发式建立,前面的包触发了隧道的建立,只有这样后面的数据包才能正常到达
扩展:当前采用的IPsec安全模式为ESP,抓包分析与AH的区别
当总部去访问分部时,通过抓包发现只能看到ESP数据包,看不见内层数据和GRE相关信息
这是因为ESP强大的加密算法,使得数据更加的安全
将ESP修改为AH后,抓包分析
[RT1]ipsec transform-set RT3
[RT1-ipsec-transform-set-RT3]undo esp authentication-algorithm
[RT1-ipsec-transform-set-RT3]undo esp encryption-algorithm
[RT1-ipsec-transform-set-RT3]protocol ah
[RT1-ipsec-transform-set-RT3]ah authentication-algorithm md5
[RT3]ipsec transform-set RT1
[RT3-ipsec-transform-set-RT1]undo esp authentication-algorithm
[RT3-ipsec-transform-set-RT1]undo esp encryption-algorithm
[RT3-ipsec-transform-set-RT1]protocol ah
[RT3-ipsec-transform-set-RT1]ah authentication-algorithm md5
重置进程(按顺序重置)
<RT1>reset ike sa
<RT1>reset ipsec sa
<RT3>reset ike sa
<RT3>reset ipsec sa
先测试连通性再抓包分析
得出结论
ESP有加密和认证功能
而AH只有认证功能
查看路由表可以得知:
当总部想要访问分部172.16.10.0网段时,下一跳为tunnel接口,进入接口后,首先会被GRE封装,封装为源1.1.1.1,目的3.3.3.3然后从G0/1发出,因为在g0/1接口调用了ipsec策略,又会被感兴趣流匹配上,封装为公网地址源100.1.1.1,目的200.1.1.2从g0/1接口发出
