Topology
Configuration
# CEA configuration shown here; the CEB configuration is similar
# Data flow matched by NAT: only the LAN 192.168.1.0/24 is translated, everything
# else (including the GRE packets sourced from 12.1.1.2) is explicitly denied
acl advanced 3000
rule 15 permit ip source 192.168.1.0 0.0.0.255
rule 20 deny ip
# Create the OSPF process
ospf 1
area 0.0.0.0
# Configure interface addresses
interface LoopBack0
ip address 172.16.1.1 255.255.255.255
ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/2
ip address 12.1.1.2 255.255.255.0
nat outbound 3000
--------------------------------------------------------------
# Create the GRE tunnel (OSPF runs over it, so the hello packets are GRE-encapsulated)
interface Tunnel0 mode gre
ip address 192.168.0.1 255.255.255.252
ospf 1 area 0.0.0.0
source GigabitEthernet0/2
destination 34.1.1.2
--------------------------------------------------------------
# Interesting traffic: the GRE packets exchanged between the two tunnel endpoints
acl advanced 3001
rule 15 permit gre source 12.1.1.2 0 destination 34.1.1.2 0
# IPsec proposal (transform set): transport mode is sufficient because the
# protected packets are the GRE packets, whose outer header already carries
# the tunnel endpoints 12.1.1.2 and 34.1.1.2
ipsec transform-set cea
encapsulation-mode transport
esp encryption-algorithm aes-cbc-192
esp authentication-algorithm sha1
# IPsec policy (manual keying: static SPIs and keys, no IKE negotiation or rekeying);
# CEB must use the same SPI/key pairs with inbound and outbound swapped
ipsec policy P1 10 manual
transform-set cea
security acl 3001
remote-address 34.1.1.2
sa spi inbound esp 54321
sa string-key inbound esp cipher abcdefg
sa spi outbound esp 12345
sa string-key outbound esp cipher gfedcba
# Apply the IPsec policy on the public-facing interface
interface GigabitEthernet0/2
ip address 12.1.1.2 255.255.255.0
# the apply command itself is missing from the captured configuration; the Comware
# command that binds policy P1 to this interface is assumed to be the following
ipsec apply policy P1
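A consistency check for the relationships this configuration relies on, added here as an example (not code from the original post): it models the Comware ACL wildcard matching, the tunnel endpoints and the manual policy above, and verifies that the GRE packets between 12.1.1.2 and 34.1.1.2 are selected by ACL 3001 but excluded from NAT ACL 3000. The NAT-before-IPsec ordering on the outbound interface and the Internet address 203.0.113.5 are assumptions.

```python
import ipaddress
# Constructed from the CEA configuration above (CEB mirrors these values).
ACL_3000 = ["rule 15 permit ip source 192.168.1.0 0.0.0.255", "rule 20 deny ip"]
ACL_3001 = ["rule 15 permit gre source 12.1.1.2 0 destination 34.1.1.2 0"]
TUNNEL0 = {"source": "12.1.1.2", "destination": "34.1.1.2"}
POLICY_P1 = {"remote-address": "34.1.1.2", "spi-in": 54321, "spi-out": 12345}

def to_int(text):
    # Comware prints a host wildcard as a bare "0"; dotted forms parse normally.
    return int(ipaddress.IPv4Address(text if "." in text else int(text)))

def parse_rule(line):
    # "rule N permit|deny proto [source A W] [destination A W]"
    tok = line.split()
    rule = {"action": tok[2], "proto": tok[3], "source": None, "destination": None}
    for i in range(4, len(tok) - 2, 3):
        rule[tok[i]] = (tok[i + 1], tok[i + 2])
    return rule

def wild_match(addr, spec):
    # Wildcard mask: a 0 bit must match, a 1 bit is ignored; no spec means any.
    if spec is None:
        return True
    base, wild = (to_int(x) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def acl_match(rules, proto, src, dst):
    """Action of the first matching rule; implicit 'deny' if nothing matches."""
    for r in map(parse_rule, rules):
        if r["proto"] in ("ip", proto) and wild_match(src, r["source"]) \
                and wild_match(dst, r["destination"]):
            return r["action"]
    return "deny"

def check_lab():
    gre = ("gre", TUNNEL0["source"], TUNNEL0["destination"])
    return {
        # GRE packets leaving GE0/2 must be selected by the IPsec ACL ...
        "gre_protected": acl_match(ACL_3001, *gre) == "permit",
        # ... and must not be NATed first (assumed NAT-before-IPsec order on the
        # outbound interface): a rewritten source would no longer match ACL 3001.
        "gre_not_natted": acl_match(ACL_3000, *gre) == "deny",
        # Plain LAN-to-Internet traffic is still translated (203.0.113.5 is constructed).
        "lan_natted": acl_match(ACL_3000, "ip", "192.168.1.10", "203.0.113.5") == "permit",
        # Manual-policy peer must be the tunnel endpoint; the two SPIs must differ.
        "peer_is_tunnel_dst": POLICY_P1["remote-address"] == TUNNEL0["destination"],
        "spi_distinct": POLICY_P1["spi-in"] != POLICY_P1["spi-out"],
    }
```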
Analysis
# The OSPF neighbor relationship has been established over the tunnel
[CEA]display ospf peer
OSPF Process 1 with Router ID 172.16.1.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID        Address          Pri  Dead-Time  State    Interface
172.16.1.2       192.168.0.2      1    36         Full/ -  Tun0
[CEA]
# The routing table already contains the peer's routes (learned via OSPF over Tun0)
[CEA]display ip routing-table
Destinations : 20 Routes : 20
Destination/Mask     Proto    Pre  Cost   NextHop       Interface
0.0.0.0/0            Static   60   0      12.1.1.1      GE0/2
0.0.0.0/32           Direct   0    0      127.0.0.1     InLoop0
12.1.1.0/24          Direct   0    0      12.1.1.2      GE0/2
12.1.1.2/32          Direct   0    0      127.0.0.1     InLoop0
12.1.1.255/32        Direct   0    0      12.1.1.2      GE0/2
127.0.0.0/8          Direct   0    0      127.0.0.1     InLoop0
127.0.0.1/32         Direct   0    0      127.0.0.1     InLoop0
127.255.255.255/32   Direct   0    0      127.0.0.1     InLoop0
172.16.1.1/32        Direct   0    0      127.0.0.1     InLoop0
172.16.1.2/32        O_INTRA  10   1562   192.168.0.2   Tun0
192.168.0.0/30       Direct   0    0      192.168.0.1   Tun0
192.168.0.1/32       Direct   0    0      127.0.0.1     InLoop0
192.168.0.3/32       Direct   0    0      192.168.0.1   Tun0
192.168.1.0/24       Direct   0    0      192.168.1.1   GE0/1
192.168.1.1/32       Direct   0    0      127.0.0.1     InLoop0
192.168.1.255/32     Direct   0    0      192.168.1.1   GE0/1
192.168.2.0/24       O_INTRA  10   1563   192.168.0.2   Tun0
224.0.0.0/4          Direct   0    0      0.0.0.0       NULL0
224.0.0.0/24         Direct   0    0      0.0.0.0       NULL0
255.255.255.255/32   Direct   0    0      127.0.0.1     InLoop0
[CEA]
# Connectivity test
[CEA]ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.2.2: icmp_seq=0 ttl=254 time=1.571 ms
56 bytes from 192.168.2.2: icmp_seq=1 ttl=254 time=1.428 ms
56 bytes from 192.168.2.2: icmp_seq=2 ttl=254 time=1.375 ms
56 bytes from 192.168.2.2: icmp_seq=3 ttl=254 time=1.500 ms
56 bytes from 192.168.2.2: icmp_seq=4 ttl=254 time=1.674 ms
--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.375/1.510/1.674/0.106 ms
[CEA]%Oct 5 19:41:43:843 2024 CEA PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.375/1.510/1.674/0.106 ms.
Both the OSPF hello multicast packets and the ping unicast packets are already encrypted: they travel inside the GRE tunnel, so on GE0/2 they appear as GRE packets between 12.1.1.2 and 34.1.1.2, which is exactly the flow ACL 3001 hands to ESP.