R1:
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut
R2:
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shut
R3:
interface Loopback0
 ip address 192.168.3.3 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
R4:
interface Loopback0
 ip address 192.168.4.4 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.4 255.255.255.0
 no shut
3. mGRE tunnel configuration:
① R1 (GM1, hub):
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ! spokes register their NBMA addresses dynamically; "redirect" lets the hub
 ! tell spokes to build direct spoke-to-spoke tunnels
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
② R3 (GM2, spoke 1):
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 ip mtu 1400
 ! static map of the hub's tunnel address to its public (NBMA) address
 ip nhrp map 172.16.1.1 202.100.1.1
 ip nhrp map multicast 202.100.1.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
③ R4 (GM3, spoke 2):
interface Tunnel0
 ip address 172.16.1.4 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.16.1.1 202.100.1.1
 ip nhrp map multicast 202.100.1.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
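The hub and spoke Tunnel0 blocks above only work together when the tunnel key, NHRP network-id, NHS address and the spokes' static maps all agree with the hub. The following script is an added example (not from the original post) that lints those parameters; the sample configurations are copied from the R1, R3 and R4 blocks above, and HUB_NBMA is R1's FastEthernet0/0 address from section 2.

```python
"""Added example (not part of the original post): lint the DMVPN Tunnel0
configurations for the hub/spoke parameters that must agree."""
import re

# Constructed from the post: R1 (hub) Tunnel0 configuration.
HUB_CONFIG = """
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
"""

# Constructed from the post: R3 and R4 (spoke) Tunnel0 configurations.
SPOKE_CONFIGS = {
    "R3": """
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.16.1.1 202.100.1.1
 ip nhrp map multicast 202.100.1.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
""",
    "R4": """
interface Tunnel0
 ip address 172.16.1.4 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.16.1.1 202.100.1.1
 ip nhrp map multicast 202.100.1.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
""",
}

HUB_NBMA = "202.100.1.1"  # R1's FastEthernet0/0 address from the post


def parse_tunnel(config):
    """Extract the NHRP/GRE parameters from one Tunnel0 block."""
    t = {"nhrp_maps": {}, "multicast": [], "shortcut": False, "redirect": False}
    patterns = [
        ("ip", r"ip address (\S+) \S+$"),
        ("network_id", r"ip nhrp network-id (\d+)$"),
        ("tunnel_key", r"tunnel key (\d+)$"),
        ("nhs", r"ip nhrp nhs (\S+)$"),
        ("mode", r"tunnel mode (.+)$"),
    ]
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip nhrp shortcut":
            t["shortcut"] = True
        elif line == "ip nhrp redirect":
            t["redirect"] = True
        elif line.startswith("ip nhrp map multicast "):
            t["multicast"].append(line.split()[-1])
        elif line.startswith("ip nhrp map "):
            _, _, _, proto, nbma = line.split()  # "ip nhrp map <tunnel-ip> <nbma-ip>"
            t["nhrp_maps"][proto] = nbma
        else:
            for key, pat in patterns:
                m = re.match(pat, line)
                if m:
                    t[key] = m.group(1)
    return t


def check_spokes(hub_config, spoke_configs, hub_nbma):
    """Return (spoke, problem) findings; an empty list means the spokes agree with the hub."""
    hub = parse_tunnel(hub_config)
    findings = []
    for name, cfg in spoke_configs.items():
        s = parse_tunnel(cfg)
        if s.get("tunnel_key") != hub.get("tunnel_key"):
            findings.append((name, "tunnel key differs from hub"))
        if s.get("network_id") != hub.get("network_id"):
            findings.append((name, "NHRP network-id differs from hub"))
        if s.get("nhs") != hub.get("ip"):
            findings.append((name, "NHS is not the hub tunnel address"))
        if s["nhrp_maps"].get(hub.get("ip")) != hub_nbma:
            findings.append((name, "static NHRP map for the hub does not point at the hub NBMA address"))
        if hub_nbma not in s["multicast"]:
            findings.append((name, "no multicast NHRP map to the hub NBMA address"))
        if s.get("mode") != "gre multipoint":
            findings.append((name, "tunnel mode is not gre multipoint"))
        if hub["redirect"] and not s["shortcut"]:
            findings.append((name, "hub sends NHRP redirects but spoke lacks 'ip nhrp shortcut'"))
    return findings


if __name__ == "__main__":
    problems = check_spokes(HUB_CONFIG, SPOKE_CONFIGS, HUB_NBMA)
    print(problems or "hub and spokes are consistent")
```

A mismatched tunnel key or network-id is the usual reason a spoke never shows up in the hub's `show ip nhrp`, so this is the check to run before the NHRP test in ④.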
④ Test NHRP:
R4#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/52 ms
R4#ping 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/95/236 ms
R4#
R1#show ip nhrp
172.16.1.3/32 via 172.16.1.3, Tunnel0 created 00:02:58, expire 01:59:45
Type: dynamic, Flags: router nat used
NBMA address: 202.100.1.3
172.16.1.4/32 via 172.16.1.4, Tunnel0 created 00:00:36, expire 01:59:44
Type: dynamic, Flags: router nat
NBMA address: 202.100.1.4
4. Static route configuration:
R1(config)#ip route 192.168.3.0 255.255.255.0 172.16.1.3
R1(config)#ip route 192.168.4.0 255.255.255.0 172.16.1.4
R3(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
R4(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
5. GETVPN configuration:
① Generate the RSA key pair on the key server (it signs the rekey messages):
R2(KS):
ip domain name yuntian.com
crypto key generate rsa modulus 1024 label getvpnkey
② Phase 1 (ISAKMP) between the KS and each GM:
R2(KS):
crypto isakmp policy 10
 authentication pre-share
 ! encryption, hash and DH group are left at the policy defaults (DES, SHA, group 1),
 ! which is what the "IKE SHA+DES" entries in the verification output reflect
crypto isakmp key cisco address 202.100.1.1
crypto isakmp key cisco address 202.100.1.3
crypto isakmp key cisco address 202.100.1.4
R1, R3, R4 (GM1, 2, 3):
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.2
③ Configure the interesting traffic (the policy ACL the KS pushes to every GM):
R2(KS):
ip access-list extended ALL-DMVPN-Traffic
 ! all GRE traffic, i.e. the whole DMVPN tunnel, is encrypted
 permit gre any any
④ Phase 2 policy and the IPsec profile that references it:
R2(KS):
crypto ipsec transform-set getvpn-set esp-des esp-sha-hmac
 exit
crypto ipsec profile getvpn-profile
 set transform-set getvpn-set
⑤ GETVPN group configuration:
R2(KS):
crypto gdoi group getvpngroup
 identity number 12345678
 server local
  address ipv4 202.100.1.2
  rekey algorithm aes 256
  rekey authentication mypubkey rsa getvpnkey
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 ALL-DMVPN-Traffic
R1, R3, R4 (GM1, 2, 3):
crypto gdoi group getvpngroup
 identity number 12345678
 server address ipv4 202.100.1.2
⑥ Configure the crypto map on the group members:
R1, R3, R4 (GM1, 2, 3):
crypto map getvpnmap 10 gdoi
 set group getvpngroup
interface FastEthernet0/0
 crypto map getvpnmap
6. Verification:
① View GETVPN status on the key server and on the group members
R2#show crypto gdoi group getvpngroup
Group Name : getvpngroup (Unicast)
Group Identity : 12345678
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86352 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : getvpn-profile
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 3553 secs
ACL Configured : access-list ALL-DMVPN-Traffic
Group Server list : Local
R1#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2
GM Reregisters in : 3473 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86399
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3527)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3527)
Anti-Replay : Disabled
R3#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2
GM Reregisters in : 3437 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86387
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3495)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3495)
Anti-Replay : Disabled
R4#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2
GM Reregisters in : 3408 secs
Rekey Received : never
Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0
ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86380
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3465)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3465)
Anti-Replay : Disabled
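The GM outputs above are where a reviewer checks what policy the KS actually pushed: here the TEK transform is esp-des, the rekey signature key is 1024-bit RSA and anti-replay is reported as disabled, all of which would be flagged in a production audit. The following script is an added example (not from the original post) that parses the GM output and reports those findings; the sample text is R1's output as it appears above, and WEAK_TRANSFORMS and MIN_RSA_BITS are thresholds assumed for the example.

```python
"""Added example (not from the original post): audit the policy a GM reports
in "show crypto gdoi group" for weak settings."""
import re

# Constructed from the post's R1 "show crypto gdoi group getvpngroup" output.
GM_OUTPUT = """
Group Name : getvpngroup
Group Identity : 12345678
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 202.100.1.2
Group Server list : 202.100.1.2
GM Reregisters in : 3473 secs
Rekey Received : never
ACL Downloaded From KS 202.100.1.2:
access-list permit gre any any
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86399
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3527)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x8EAF909E(2393870494)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (3527)
Anti-Replay : Disabled
"""

# Thresholds assumed for this example, not values from the post.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MIN_RSA_BITS = 2048


def parse_gm_policy(text):
    """Split GM output into the KEK key/value block and a list of TEK SAs."""
    policy = {"kek": {}, "teks": []}
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "KEK POLICY:":
            section = "kek"
        elif line == "TEK POLICY:":
            section = "tek"
        elif section == "kek":
            m = re.match(r"(.+?)\s*:\s*(.+)$", line)
            if m:
                policy["kek"][m.group(1)] = m.group(2)
        elif section == "tek":
            if line == "IPsec SA:":
                cur = {}  # start a new SA record
                policy["teks"].append(cur)
            elif cur is not None:
                for key, pat in (("direction", r"sa direction:\s*(\S+)"),
                                 ("transforms", r"transform:\s*(.+)$"),
                                 ("anti_replay", r"Anti-Replay\s*:\s*(\S+)")):
                    m = re.match(pat, line)
                    if m:
                        cur[key] = m.group(1)
    return policy


def audit_gm_policy(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    p = parse_gm_policy(text)
    findings = []
    bits = int(p["kek"].get("Sig Key Length (bits)", "0"))
    if bits < MIN_RSA_BITS:
        findings.append(f"KEK rekey signature key is {bits} bits (< {MIN_RSA_BITS})")
    if p["kek"].get("Encrypt Algorithm", "").upper() != "AES":
        findings.append("KEK encryption algorithm is not AES")
    for tek in p["teks"]:
        d = tek.get("direction", "?")
        weak = [t for t in tek.get("transforms", "").split() if t in WEAK_TRANSFORMS]
        if weak:
            findings.append(f"TEK {d} uses weak transform(s): {' '.join(weak)}")
        if tek.get("anti_replay", "").lower() == "disabled":
            findings.append(f"TEK {d} has anti-replay disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_gm_policy(GM_OUTPUT):
        print("FLAG:", finding)
```

Because every GM downloads the same policy, running the audit against one GM's output is enough to catch a weak transform-set or key size configured on the KS; the fix is made once on R2 (the `crypto ipsec transform-set` and `crypto key generate rsa modulus` lines) and reaches the GMs at the next rekey or re-registration.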
② View the members registered on the key server:
R2#show crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group getvpngroup : 0
Group Member ID : 202.100.1.1
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 202.100.1.2
Rekeys sent : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
Group Member ID : 202.100.1.3
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 202.100.1.2
Rekeys sent : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
Group Member ID : 202.100.1.4
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 202.100.1.2
Rekeys sent : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
④ Test GETVPN encryption and decryption on a group member:
Step 1: On R1 (GM1), check the encrypt/decrypt counters before the test
R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 0 0.0.0.0
2 Fa0/0 IPsec DES+SHA 0 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0
Step 2: On R1 (GM1), generate interesting traffic to be encrypted with a ping
R1#ping 192.168.3.3 source 192.168.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 68/101/344 ms
Step 3: On R1 (GM1), check the encrypt/decrypt counters again
R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0
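The three steps above prove encryption by comparing counters: 100 echo requests leave through the outbound IPsec SA (ID 2) and 100 replies arrive through the inbound SA (ID 1). The following script is an added example (not from the original post) that automates that comparison by parsing the two `show crypto engine connections active` snapshots and diffing them per connection ID; BEFORE and AFTER are the step 1 and step 3 outputs from above, and the function names are the example's own.

```python
"""Added example (not from the original post): confirm that a test ping was
carried by the GETVPN IPsec SAs by diffing "show crypto engine connections
active" counters taken before and after the ping."""
import re

# Constructed from the post's R1 output before the 100-packet ping (step 1).
BEFORE = """
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 0 0.0.0.0
2 Fa0/0 IPsec DES+SHA 0 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0
"""

# Constructed from the post's R1 output after the ping (step 3).
AFTER = """
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0
"""

# One table row: id, interface, type, algorithm, encrypt, decrypt, optional peer.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?$")


def parse_connections(text):
    """Map connection ID -> fields for every data row of the table."""
    conns = {}
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if m:
            conns[int(m.group(1))] = {
                "interface": m.group(2), "type": m.group(3), "algorithm": m.group(4),
                "encrypt": int(m.group(5)), "decrypt": int(m.group(6)), "peer": m.group(7),
            }
    return conns


def counter_deltas(before_text, after_text):
    """Per connection ID: (encrypt delta, decrypt delta) between the two snapshots."""
    before = parse_connections(before_text)
    after = parse_connections(after_text)
    deltas = {}
    for cid, a in after.items():
        b = before.get(cid, {"encrypt": 0, "decrypt": 0})  # SA may be new since the first snapshot
        deltas[cid] = (a["encrypt"] - b["encrypt"], a["decrypt"] - b["decrypt"])
    return deltas


def ipsec_packets(before_text, after_text):
    """Total packets encrypted and decrypted on IPsec (not IKE) connections."""
    after = parse_connections(after_text)
    enc = dec = 0
    for cid, (d_enc, d_dec) in counter_deltas(before_text, after_text).items():
        if after[cid]["type"] == "IPsec":
            enc += d_enc
            dec += d_dec
    return enc, dec


def ping_was_encrypted(before_text, after_text, sent):
    """True when the IPsec SAs account for at least `sent` requests and `sent` replies."""
    enc, dec = ipsec_packets(before_text, after_text)
    return enc >= sent and dec >= sent


if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER))
    print("ping carried by GETVPN SAs:", ping_was_encrypted(BEFORE, AFTER, 100))
```

The check uses `>=` rather than `==` on purpose: with `permit gre any any` as the policy, NHRP resolution and other control traffic inside the GRE tunnel is encrypted too, which is why R4's counters later in this post move by 10 for a 5-packet spoke-to-spoke ping and then by exactly 5 once the direct tunnel exists.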
⑤ Phase 1 security associations:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.1 202.100.1.2 GDOI_REKEY 1002 0 ACTIVE
202.100.1.2 202.100.1.1 GDOI_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.2 202.100.1.4 GDOI_IDLE 1003 0 ACTIVE
202.100.1.2 202.100.1.1 GDOI_IDLE 1001 0 ACTIVE
202.100.1.2 202.100.1.3 GDOI_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.3 202.100.1.2 GDOI_REKEY 1002 0 ACTIVE
202.100.1.2 202.100.1.3 GDOI_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.2 202.100.1.4 GDOI_IDLE 1001 0 ACTIVE
202.100.1.4 202.100.1.2 GDOI_REKEY 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
⑤ Phase 2 security associations:
R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
1002 <none> IKE SHA+AES256 0 0
R2#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.2
1002 Fa0/0 IKE SHA+DES 0 0 202.100.1.2
1003 Fa0/0 IKE SHA+DES 0 0 202.100.1.2
R3#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 0.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.3
1002 <none> IKE SHA+AES256 0 0
R4#ping 192.168.3.3 source 192.168.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/94/112 ms
R4#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 10 0.0.0.0
2 Fa0/0 IPsec DES+SHA 10 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.4
1002 <none> IKE SHA+AES256 0 0
R4#ping 192.168.3.3 source 192.168.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/96/116 ms
R4#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 15 0.0.0.0
2 Fa0/0 IPsec DES+SHA 15 0 0.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.4
1002 <none> IKE SHA+AES256 0 0
This article is reposted from 碧云天's 51CTO blog. Original link: http://blog.51cto.com/333234/847163. Contact the original author for reprint permission.