DMVPN+GETVPN测试-阿里云开发者社区

R1：
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
R2：
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
R3：
interface Loopback0
ip address 192.168.3.3 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
R4：
interface Loopback0
ip address 192.168.4.4 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.4 255.255.255.0
no shut
3.mGRE隧道配置：
①R1(GM1-Hub）：
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp redirect
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
②R3(GM2-Spoke1）：
interface Tunnel0
ip address 172.16.1.3 255.255.255.0
ip mtu 1400
ip nhrp map 172.16.1.1 202.100.1.1
ip nhrp map multicast 202.100.1.1
ip nhrp network-id 10
ip nhrp nhs 172.16.1.1
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
③R4(GM3-Spoke2）：
interface Tunnel0
ip address 172.16.1.4 255.255.255.0
ip mtu 1400
ip nhrp map 172.16.1.1 202.100.1.1
ip nhrp map multicast 202.100.1.1
ip nhrp network-id 10
ip nhrp nhs 172.16.1.1
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
④测试NHRP:
R4#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/52 ms
R4#ping 172.16.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/95/236 ms
R4#
R1#show ip nhrp
172.16.1.3/32 via 172.16.1.3, Tunnel0 created 00:02:58, expire 01:59:45
Type: dynamic, Flags: router nat used
NBMA address: 202.100.1.3
172.16.1.4/32 via 172.16.1.4, Tunnel0 created 00:00:36, expire 01:59:44
Type: dynamic, Flags: router nat
NBMA address: 202.100.1.4
4.静态路由配置：
R1(config)#ip route 192.168.3.0 255.255.255.0 172.16.1.3
R1(config)#ip route 192.168.4.0 255.255.255.0 172.16.1.4

R3(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
R4(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
5.GETVPN配置：
①密钥服务器产生密钥：
R2(KS):
ip domain name yuntian.com
crypto key generate rsa modulus 1024 label getvpnkey
②第一阶段：
R2(KS)：
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.1.1
crypto isakmp key cisco address 202.100.1.3
crypto isakmp key cisco address 202.100.1.4
R1、R3、R4（GM1、2、3）：
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.1.2
②配置感兴趣流：
R2(KS)：
ip access-list extended ALL-DMVPN-Traffic
permit gre any any
③第二阶段策略并创建ipsec profile与其关联：
R2(KS)：
crypto ipsec transform-set getvpn-set esp-des esp-sha-hmac
exit
crypto ipsec profile getvpn-profile
set transform-set getvpn-set
④GETVPN组配置：
R2(KS)：
crypto gdoi group getvpngroup
identity number 12345678
server local
address ipv4 202.100.1.2
rekey algorithm aes 256
rekey authentication mypubkey rsa getvpnkey
rekey transport unicast
sa ipsec 1
profile getvpn-profile
match address ipv4 ALL-DMVPN-Traffic
R1、R3、R4（GM1、2、3）：
crypto gdoi group getvpngroup
identity number 12345678
server address ipv4 202.100.1.2
⑤成员服务器配置Crypto map:
R1、R3、R4（GM1、2、3）：
crypto map getvpnmap 10 gdoi
set group getvpngroup
interface FastEthernet0/0
crypto map getvpnmap
6.验证：
①查看密钥服务器和组成员GETVPN状态
R2#show crypto gdoi group getvpngroup
Group Name : getvpngroup (Unicast)
Group Identity : 12345678
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86352 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs

IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : getvpn-profile
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 3553 secs
ACL Configured : access-list ALL-DMVPN-Traffic

Group Server list : Local
R1#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2

GM Reregisters in : 3473 secs
Rekey Received : never

Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0

ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any

KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86399
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024

TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3527)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3527)
Anti-Replay : Disabled
R3#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2

GM Reregisters in : 3437 secs
Rekey Received : never

Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0

ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any

KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86387
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024

TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3495)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3495)
Anti-Replay : Disabled
R4#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2

GM Reregisters in : 3408 secs
Rekey Received : never

Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0

ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any

KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86380
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024

TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3465)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3465)
Anti-Replay : Disabled
②查看密钥服务器上注册的成员：
R2#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group getvpngroup : 0

Group Member ID : 202.100.1.1
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 202.100.1.2
Rekeys sent : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0

Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0

Group Member ID : 202.100.1.3
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 202.100.1.2
Rekeys sent : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0

Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0

Group Member ID : 202.100.1.4
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 202.100.1.2
Rekeys sent : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0

Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0

④组成员上测试GETVPN的加解密：

第一步:在R1(GM1)测试前查看加解密状况
R1#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 0 0.0.0.0
2 Fa0/0 IPsec DES+SHA 0 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0

第二步:R1(GM1)上通过Ping产生加密的感兴趣流
R1#ping 192.168.3.3 source 192.168.1.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 68/101/344 ms
第三步:在R1(GM1)查看加解密状况
R1#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0

⑤第一阶段的安全关联：
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.1 202.100.1.2 GDOI_REKEY 1002 0 ACTIVE
202.100.1.2 202.100.1.1 GDOI_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.2 202.100.1.4 GDOI_IDLE 1003 0 ACTIVE
202.100.1.2 202.100.1.1 GDOI_IDLE 1001 0 ACTIVE
202.100.1.2 202.100.1.3 GDOI_IDLE 1002 0 ACTIVE

IPv6 Crypto ISAKMP SA
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.3 202.100.1.2 GDOI_REKEY 1002 0 ACTIVE
202.100.1.2 202.100.1.3 GDOI_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.2 202.100.1.4 GDOI_IDLE 1001 0 ACTIVE
202.100.1.4 202.100.1.2 GDOI_REKEY 1002 0 ACTIVE

IPv6 Crypto ISAKMP SA

⑤第二阶段的安全关联：
R1#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0

R2#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.2
1002 Fa0/0 IKE SHA+DES 0 0 202.100.1.2
1003 Fa0/0 IKE SHA+DES 0 0 202.100.1.2
R3#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.3
1002 <none> IKE SHA+AES256 0 0

R4#ping 192.168.3.3 source 192.168.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/94/112 ms
R4#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 10 0.0.0.0
2 Fa0/0 IPsec DES+SHA 10 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.4
1002 <none> IKE SHA+AES256 0 0
R4#ping 192.168.3.3 source 192.168.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/96/116 ms
R4#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 15 0.0.0.0
2 Fa0/0 IPsec DES+SHA 15 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.4
1002 <none> IKE SHA+AES256 0 0

本文转自碧云天 51CTO博客，原文链接：http://blog.51cto.com/333234/847163，如需转载请自行联系原作者

DMVPN+GETVPN测试

热门文章

最新文章

相关电子书