I have been working on IPsec lately. Books say very little about reverse route injection (RRI), and the articles online do not go very deep either, so I looked through Cisco's documentation, summarized it, and ran a lab. What follows is the lab procedure.

RRI + HSRP + OSPF lab. The lab topology diagram is as follows.

The lab tool is dynamips; the IOS image is c3640-jk9s-mz.124-10.bin.

Why are the hub routers on the right side connected this way? Because HSRP has to be enabled (this also counts as IPsec high availability), and HSRP cannot be used on WAN interfaces, so R1 and R2 cannot connect to the Internet directly over WAN ports. Some may ask: I can just order a dedicated IP line from the ISP, they will bring an Ethernet port into my server room, and then the GW router is not needed. The case discussed here is the one where the ISP cannot give me an Ethernet port, so there has to be a GW router connecting to the Internet. And even if that were possible, you would have to order two dedicated lines.
The .net file is as follows:

autostart = false
model = 3640

[localhost]

    [[ROUTER R1]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T
    f0/0 = LAN 1
    f1/0 = LAN 2

    [[router R2]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T
    f0/0 = LAN 1
    f1/0 = LAN 2

    [[router R3]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T

    [[router R4]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T
    f0/0 = R3 f0/0
    f1/0 = LAN 1

    [[router R5]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T
    f1/0 = LAN 2

(R3 is the spoke, R4 is the GW router, LAN 1 is the 10.4.4.0/24 segment between the hubs and GW, and LAN 2 is the protected 192.168.1.0/24 segment.)
Configuration of each router:

r1#show run
Building configuration...

Current configuration : 1682 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
ip cef
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set test
 match address 101
 reverse-route
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip address 10.4.4.1 255.255.255.0
 duplex auto
 speed auto
 standby delay minimum 30 reload 60
 standby ip 10.4.4.3
 standby priority 105
 standby preempt
 standby name ipsec
 standby track FastEthernet1/0
 crypto map vpn redundancy ipsec
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 100
 log-adjacency-changes
 redistribute static subnets
 network 192.168.1.1 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.4.4.4
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
 no exec
line aux 0
line vty 0 4
 password cisco
 login
!
end

r1#
r2#sho run
Building configuration...

Current configuration : 1644 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
ip cef
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set test
 match address 101
 reverse-route remote-peer 10.4.4.4
!
interface FastEthernet0/0
 ip address 10.4.4.2 255.255.255.0
 duplex auto
 speed auto
 standby delay minimum 30 reload 60
 standby ip 10.4.4.3
 standby preempt
 standby name ipsec
 standby track FastEthernet1/0
 crypto map vpn redundancy ipsec
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 100
 log-adjacency-changes
 redistribute static subnets
 network 192.168.1.2 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.4.4.4
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
 no exec
line aux 0
line vty 0 4
 password cisco
 login
!
end

r2#
spoke#show run
Building configuration...

Current configuration : 1404 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spoke
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
ip cef
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.4.4.3
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 10.4.4.3
 set transform-set test
 match address 101
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
 no exec
line aux 0
line vty 0 4
 password cisco
 login
!
end

spoke#
GW#show run
Building configuration...

Current configuration : 1068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
ip cef
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.4.4.4 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 192.168.1.0 255.255.255.0 10.4.4.3
!
control-plane
!
line con 0
 logging synchronous
 no exec
line aux 0
line vty 0 4
 password cisco
 login
!
end

GW#
r5#show run
Building configuration...

Current configuration : 1113 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
ip cef
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.1.5 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 100
 log-adjacency-changes
 network 192.168.1.5 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 logging synchronous
 no exec
line aux 0
line vty 0 4
 password cisco
 login
!
end

r5#
Check HSRP and crypto state on R1:

r1#show stand b
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       0   105  P Active   local           10.4.4.2        10.4.4.3
r1#
r1#show cry is sa
dst             src             state          conn-id slot status

r1#show cry ip sa

interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 10.4.4.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.4.4.3, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
r1#
r1#show cry en conn ac

  ID Interface          IP-Address      State  Algorithm           Encrypt  Decrypt

r1#

Note that the local crypto endpoint is the HSRP virtual address 10.4.4.3 rather than the interface address 10.4.4.1: the crypto map is bound to the HSRP group with "crypto map vpn redundancy ipsec", so the spoke peers with the virtual address and does not care which hub currently holds it.

Check HSRP and crypto state on R2:

r2#show stand b
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       0   100  P Standby  10.4.4.1        local           10.4.4.3
r2#

The crypto state on R2 is currently the same as on R1 (no ISAKMP SA and no active crypto engine connections).
On R3 (the spoke), ping the protected network at the other end, sourced from Loopback0:

spoke#ping 192.168.1.1 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 276/282/292 ms
spoke#
At this point, on R1:

r1#show cry is sa
dst             src             state          conn-id slot status
10.4.4.3        10.1.1.1        QM_IDLE              1    0 ACTIVE

r1#show cry en conn ac

  ID Interface          IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0    10.4.4.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0    10.4.4.3        set    3DES+SHA                  0        3
2002 FastEthernet0/0    10.4.4.3        set    3DES+SHA                  3        0

r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S       10.0.0.0 [1/0] via 10.1.1.1
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r1#

Once the IPsec SA is up, RRI installs the static route "S 10.0.0.0 [1/0] via 10.1.1.1" for the remote protected network, pointing at the spoke's address; "redistribute static subnets" under OSPF then advertises it to the rest of the hub side.
R2 at this point:

r2#show cry is sa
dst             src             state          conn-id slot status

r2#show cry en conn ac

  ID Interface          IP-Address      State  Algorithm           Encrypt  Decrypt

r2#
r2#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
O E2    10.0.0.0 [110/20] via 192.168.1.1, 00:03:18, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r2#

R2 holds no SA and no injected static route; it learns 10.0.0.0/24 as an OSPF external route from R1, the hub that currently owns the tunnel.
r5#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 192.168.1.1, 00:03:44, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet1/0
r5#
spoke#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
spoke#ping 192.168.1.5 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 284/315/352 ms
spoke#

The first ping is sourced from 10.1.1.1, which does not match crypto ACL 101, so it is not sent through the tunnel, and R5 (which has no default route) has no way to answer it. Sourced from Loopback0 (10.0.0.1) the traffic matches the ACL, goes through the tunnel, and R5 returns it over the RRI-derived OSPF route via 192.168.1.1.
Next, the failover test: shut down interface F1/0 on R1.

r1(config)#int fa1/0
r1(config-if)#sh
r1(config-if)#
*Mar  1 00:34:46.595: %OSPF-5-ADJCHG: Process 100, Nbr 5.5.5.5 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:34:46.599: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
r1(config-if)#
*Mar  1 00:34:48.583: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:34:49.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Speak
*Mar  1 00:34:49.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
r1(config-if)#
*Mar  1 00:34:59.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Speak -> Standby
r1(config-if)#end
r1#show
*Mar  1 00:35:27.367: %SYS-5-CONFIG_I: Configured from console by console
r1#show stand b
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       0   95   P Standby  10.4.4.2        local           10.4.4.3

Because F1/0 is tracked, R1's priority drops from 105 to 95 (the default decrement of 10), below R2's 100, and R2, which is configured to preempt, takes over the virtual address 10.4.4.3.

r2#
*Mar  1 00:35:16.047: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Standby -> Active
r2#
*Mar  1 00:35:51.275: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.1 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Dead timer expired
r2#show stand bri
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       0   100  P Active   local           10.4.4.1        10.4.4.3
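The election the lab depends on can be modelled to check the design before touching the routers. The following Python is an added example, not code from the original post or from Cisco. It assumes the IOS default track decrement of 10 (the lab's "standby track FastEthernet1/0" gives no explicit decrement, and R1 shows priority 95 after the shutdown) and HSRP's tie-break on the highest interface address; the names HsrpRouter, elect and failover_after_track_loss are chosen for this example.

```python
"""Model the HSRP election behind this lab's failover (added example).

Assumptions: TRACK_DECREMENT is the IOS default used when 'standby track'
names no decrement; ties are broken by the highest interface IP address.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRACK_DECREMENT = 10  # assumption: IOS default when no decrement is configured


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int
    preempt: bool
    tracked: Dict[str, bool] = field(default_factory=dict)  # interface -> is up

    def effective_priority(self) -> int:
        """Configured priority minus one decrement per tracked interface that is down."""
        down = sum(1 for up in self.tracked.values() if not up)
        return self.priority - TRACK_DECREMENT * down


def elect(routers: List[HsrpRouter], current_active: Optional[str] = None) -> str:
    """Return the name of the router that should hold Active.

    Highest effective priority wins and the highest IP breaks ties, but a
    router that is not configured to preempt never takes Active away from a
    router that is still sending hellos, even if its own priority is higher.
    """
    ranked = sorted(
        routers,
        key=lambda r: (r.effective_priority(), int(ipaddress.ip_address(r.ip))),
        reverse=True,
    )
    best = ranked[0]
    if current_active is not None and best.name != current_active and not best.preempt:
        return current_active
    return best.name


def failover_after_track_loss(active_priority: int, standby_priority: int) -> Tuple[str, int, str]:
    """Replay the lab: r1 (active_priority) and r2 (standby_priority), both
    preempting and both tracking Fa1/0. Shut r1's Fa1/0 and report
    (active before, r1's effective priority after, active after)."""
    r1 = HsrpRouter("r1", "10.4.4.1", active_priority, True, {"FastEthernet1/0": True})
    r2 = HsrpRouter("r2", "10.4.4.2", standby_priority, True, {"FastEthernet1/0": True})
    before = elect([r1, r2])
    r1.tracked["FastEthernet1/0"] = False  # "int fa1/0" + "shutdown" on r1
    after = elect([r1, r2], current_active=before)
    return before, r1.effective_priority(), after


if __name__ == "__main__":
    print(failover_after_track_loss(105, 100))  # the lab's values
    print(failover_after_track_loss(115, 100))  # gap larger than the decrement: r1 stays Active
```

The second call is the design check worth running: if the priority gap between the hubs is larger than the track decrement, the hub whose LAN interface died keeps the virtual address and the tunnel while having no path to the protected network, so the tunnel stays up and black-holes traffic.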
On R1, the RRI-injected static route is gone:

r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r1#
r1#show cry is sa
dst             src             state          conn-id slot status
10.4.4.3        10.1.1.1        QM_IDLE              1    0 ACTIVE

r1#show cry en conn ac

  ID Interface          IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0    10.4.4.1        set    HMAC_SHA+DES_56_CB        0        0

r1#

R2 at this point:

r2#show crypto is sa
dst             src             state          conn-id slot status

r2#show cry en conn ac

  ID Interface          IP-Address      State  Algorithm           Encrypt  Decrypt
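The route tables above are the evidence that RRI is working (or not) on each hub, and that is what a practitioner would want to check automatically after a failover. The following Python is an added example, not code from the original post or from Cisco: it parses "show ip route" text in the form shown on this page and reports, for each remote network in the crypto ACL, whether the router holds the RRI static route toward the IPsec peer, learned the prefix via OSPF from the hub that owns the SA, or has nothing. The three route-table strings are copied from the R1 and R2 outputs in this lab; parse_routes and rri_findings are names chosen for this example.

```python
"""Classify reverse-route-injection (RRI) state from IOS 'show ip route' text (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# "10.0.0.0/24 is subnetted, 2 subnets": the indented lines under it omit the mask
SUBNET_HDR_RE = re.compile(r"^\d+(?:\.\d+){3}/(?P<len>\d+) is subnetted")
# One route line, e.g. "S 10.0.0.0 [1/0] via 10.1.1.1" or
# "O E2 10.0.0.0 [110/20] via 192.168.1.1, 00:03:18, FastEthernet1/0" or
# "C 192.168.1.0/24 is directly connected, FastEthernet1/0"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: E[12])?)\s+(?P<net>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?"
    r"(?:\s+\[\d+/\d+\])?\s+(?:via\s+(?P<nh>\d+(?:\.\d+){3})|is directly connected)"
)


@dataclass(frozen=True)
class Route:
    code: str                      # "S", "S*", "C", "O E2", ...
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]        # None for connected routes


def parse_routes(text: str) -> List[Route]:
    """Extract routes; legend, blank and 'Gateway of last resort' lines are skipped."""
    routes: List[Route] = []
    current_len: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SUBNET_HDR_RE.match(line)
        if hdr:
            current_len = int(hdr.group("len"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = int(m.group("len")) if m.group("len") else current_len
        if plen is None:
            continue  # no mask information for this line
        prefix = ipaddress.ip_network(f"{m.group('net')}/{plen}")
        routes.append(Route(m.group("code"), prefix, m.group("nh")))
    return routes


@dataclass(frozen=True)
class RriFinding:
    remote_net: ipaddress.IPv4Network
    status: str                    # injected / learned-via-ospf / static-wrong-peer / missing
    next_hop: Optional[str]


def rri_findings(routes: List[Route], remote_nets: List[str], peer: str) -> List[RriFinding]:
    """For each remote network of the crypto ACL, say how this router reaches it:
    'injected'          static route toward the IPsec peer (RRI on the hub that owns the SA)
    'learned-via-ospf'  OSPF external route redistributed by the hub that owns the SA
    'static-wrong-peer' a static route exists but points elsewhere (stale or manual)
    'missing'           nothing: tunnel down, or standby hub before the SA moved over"""
    out: List[RriFinding] = []
    for n in remote_nets:
        net = ipaddress.ip_network(n)
        statics = [r for r in routes if r.prefix == net and r.code.startswith("S")]
        ospf = [r for r in routes if r.prefix == net and r.code.startswith("O")]
        if any(r.next_hop == peer for r in statics):
            out.append(RriFinding(net, "injected", peer))
        elif statics:
            out.append(RriFinding(net, "static-wrong-peer", statics[0].next_hop))
        elif ospf:
            out.append(RriFinding(net, "learned-via-ospf", ospf[0].next_hop))
        else:
            out.append(RriFinding(net, "missing", None))
    return out


def summarize(text: str, remote_nets=("10.0.0.0/24",), peer="10.1.1.1") -> dict:
    """Map each remote network to (status, next hop) for one router's route table."""
    return {f.remote_net.with_prefixlen: (f.status, f.next_hop)
            for f in rri_findings(parse_routes(text), list(remote_nets), peer)}


# Route tables copied from the lab output on this page.
R1_BEFORE = """\
Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S       10.0.0.0 [1/0] via 10.1.1.1
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
"""
R2_BEFORE = """\
     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
O E2    10.0.0.0 [110/20] via 192.168.1.1, 00:03:18, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
"""
R1_AFTER = """\
     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
"""

if __name__ == "__main__":
    for label, table in (("r1 before", R1_BEFORE), ("r2 before", R2_BEFORE), ("r1 after", R1_AFTER)):
        print(label, summarize(table))
```

Run against the page's tables this gives "injected" for R1 before the failover, "learned-via-ospf" via 192.168.1.1 for R2, and "missing" for R1 afterwards. A "missing" on the hub that currently holds the HSRP virtual address, or an "injected" on a hub whose ISAKMP SA table is empty, is the condition to alarm on.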
(27.58 KB) 2009-2-14 21:46