|
最近一段时间在搞ipsec,反向路由注入的那部分书上介绍的很少,而且网上的文章介绍的也不是很深入,于是就查了一下cisco的文档,总结了一下并做了实验。以下是实验过程。
RRI+HSRP+OSPF实验:
实验拓扑图如下
实验工具是dynamips, IOS为c3640-jk9s-mz.124-10.bin
在右侧的HUB这几台路由器为什么要这样连接呢?因为要启用HSRP,也应该算是IPSEC的高可用性,而HSRP又不能用于WAN接口,所以R1,R2不能用WAN口直接连接INTERNET。也许有人会问了,我直接向ISP申请IP专线,他们就能把以太口引到我的机房,没有必要必须有GW这台路由器。我这里讨论的情况是ISP不能给我以太口的时候,所以得有一台GW路由器和INTERNET连接。而且就算可行,那你也得申请两根专线阿。
net文件如下:
autostart = false
model = 3640
[localhost]
[[ROUTER R1]]
model = 3640
image = d:/cisco/c3640-jk9s-mz.124-10.bin
exec_area = 8
idlepc = 0x605914fc
ram = 128
confreg = 0x2142
slot0 = NM-1FE-TX
slot1 = NM-1FE-TX
slot2 = NM-4T
f0/0 = LAN 1
f1/0 = LAN 2
[[router R2]]
model = 3640
image = d:/cisco/c3640-jk9s-mz.124-10.bin
exec_area = 8
idlepc = 0x605914fc
ram = 128
confreg = 0x2142
slot0 = NM-1FE-TX
slot1 = NM-1FE-TX
slot2 = NM-4T
f0/0 = LAN 1
f1/0 = LAN 2
[[router R3]]
model = 3640
image = d:/cisco/c3640-jk9s-mz.124-10.bin
exec_area = 8
idlepc = 0x605914fc
ram = 128
confreg = 0x2142
slot0 = NM-1FE-TX
slot1 = NM-1FE-TX
slot2 = NM-4T
[[router R4]]
model = 3640
image = d:/cisco/c3640-jk9s-mz.124-10.bin
exec_area = 8
idlepc = 0x605914fc
ram = 128
confreg = 0x2142
slot0 = NM-1FE-TX
slot1 = NM-1FE-TX
slot2 = NM-4T
f0/0 = R3 f0/0
f1/0 = LAN 1
[[router R5]]
model = 3640
image = d:/cisco/c3640-jk9s-mz.124-10.bin
exec_area = 8
idlepc = 0x605914fc
ram = 128
confreg = 0x2142
slot0 = NM-1FE-TX
slot1 = NM-1FE-TX
slot2 = NM-4T
f1/0 = LAN 2
各台路由器的配置:
r1#show run
Building configuration...
Current configuration : 1682 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set test
match address 101
reverse-route
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address 10.4.4.1 255.255.255.0
duplex auto
speed auto
standby delay minimum 30 reload 60
standby ip 10.4.4.3
standby priority 105
standby preempt
standby name ipsec
standby track FastEthernet1/0
crypto map vpn redundancy ipsec
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute static subnets
network 192.168.1.1 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.4.4.4
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end
r1#
r2#sho run
Building configuration...
Current configuration : 1644 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set test
match address 101
reverse-route remote-peer 10.4.4.4
!
!
!
!
interface FastEthernet0/0
ip address 10.4.4.2 255.255.255.0
duplex auto
speed auto
standby delay minimum 30 reload 60
standby ip 10.4.4.3
standby preempt
standby name ipsec
standby track FastEthernet1/0
crypto map vpn redundancy ipsec
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute static subnets
network 192.168.1.2 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.4.4.4
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end
r2#
spoke#show run
Building configuration...
Current configuration : 1404 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spoke
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.4.4.3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.4.4.3
set transform-set test
match address 101
!
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
!
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end
spoke#
GW#show run
Building configuration...
Current configuration : 1068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.4.4.4 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 192.168.1.0 255.255.255.0 10.4.4.3
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end
GW#
r5#show run
Building configuration...
Current configuration : 1113 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 192.168.1.5 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end
r5#
在R1上查看hsrp和加密
r1#show stand b
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 105 P Active local 10.4.4.2 10.4.4.3
r1#
r1#show cry is sa
dst src state conn-id slot status
r1#show cry ip sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr 10.4.4.3
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.4.4.3, remote crypto endpt.: 10.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
r1#
r1#show cry en conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
r1#
在R2上查看hsrp和加密
r2#show stand b
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 100 P Standby 10.4.4.1 local 10.4.4.3
r2#
R2上加密现在和R1上相同
在R3上ping 对端被保护的网络:
spoke#ping 192.168.1.1 so 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 276/282/292 ms
spoke#
此时在R1上
r1#show cry is sa
dst src state conn-id slot status
10.4.4.3 10.1.1.1 QM_IDLE 1 0 ACTIVE
r1#show cry en conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 10.4.4.1 set HMAC_SHA+DES_56_CB 0 0
2001 FastEthernet0/0 10.4.4.3 set 3DES+SHA 0 3
2002 FastEthernet0/0 10.4.4.3 set 3DES+SHA 3 0
r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.4.4.4 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.4.4.0 is directly connected, FastEthernet0/0
S 10.0.0.0 [1/0] via 10.1.1.1
C 192.168.1.0/24 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 10.4.4.4
r1#
此时的R2:
r2#show cry is sa
dst src state conn-id slot status
r2#show cry en conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
r2#
r2#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.4.4.4 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.4.4.0 is directly connected, FastEthernet0/0
O E2 10.0.0.0 [110/20] via 192.168.1.1, 00:03:18, FastEthernet1/0
C 192.168.1.0/24 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 10.4.4.4
r2#
r5#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.0.0.0 [110/20] via 192.168.1.1, 00:03:44, FastEthernet1/0
C 192.168.1.0/24 is directly connected, FastEthernet1/0
r5#
spoke#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
spoke#ping 192.168.1.5 so 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 284/315/352 ms
spoke#
之后做切换测试,在R1上将F1/0接口sh down
r1(config)#int fa1/0
r1(config-if)#sh
r1(config-if)#
r1(config-if)#
r1(config-if)#
*Mar 1 00:34:46.595: %OSPF-5-ADJCHG: Process 100, Nbr 5.5.5.5 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 00:34:46.599: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
r1(config-if)#
*Mar 1 00:34:48.583: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar 1 00:34:49.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Speak
*Mar 1 00:34:49.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
r1(config-if)#
*Mar 1 00:34:59.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Speak -> Standby
r1(config-if)#
r1(config)#int fa1/0
r1(config-if)#sh
r1(config-if)#
r1(config-if)#
r1(config-if)#
*Mar 1 00:34:46.595: %OSPF-5-ADJCHG: Process 100, Nbr 5.5.5.5 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 00:34:46.599: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
r1(config-if)#
*Mar 1 00:34:48.583: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar 1 00:34:49.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Speak
*Mar 1 00:34:49.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
r1(config-if)#
*Mar 1 00:34:59.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Speak -> Standby
r1(config-if)#
r1(config-if)#end
r1#show
*Mar 1 00:35:27.367: %SYS-5-CONFIG_I: Configured from console by console
r1#show st
r1#show stand b
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 95 P Standby 10.4.4.2 local 10.4.4.3
r2#
*Mar 1 00:35:16.047: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Standby -> Active
r2#
*Mar 1 00:35:51.275: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.1 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Dead timer expired
r2#show stand bri
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 0 100 P Active local 10.4.4.1 10.4.4.3
在R1上RRI注入的静态路由没有了
r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.4.4.4 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.4.4.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.4.4.4
r1#
r1#show cry is sa
dst src state conn-id slot status
10.4.4.3 10.1.1.1 QM_IDLE 1 0 ACTIVE
r1#show cry en conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 10.4.4.1 set HMAC_SHA+DES_56_CB 0 0
r1#
r2#show crypto is sa
dst src state conn-id slot status
r2#show cry en conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
(27.58 KB) 2009-2-14 21:46
|
