Network Planning
Goal: deploy one HUB plus two Spokes (SITE1, SITE2), achieving Spoke-to-Spoke connectivity and Hub-Spoke private route propagation.

| Node | Loopback | Tunnel IP | Public/HUB IP |
|---|---|---|---|
| HUB | 172.16.100.1/32 | 10.10.10.1/24 | 15.1.1.1 |
| SITE1 | 172.16.100.11/32 | 10.10.10.2/24 | NAT/15.1.1.2 |
| SITE2 | 172.16.100.12/32 | 10.10.10.3/24 | NAT/15.1.1.3 |

ADVPN eases, to a considerable degree, the difficulty of deploying multi-site IPsec VPN.
Topology diagram:
Implementation Steps
1 VAM Server Configuration (HUB)
```
# Static route toward the HUB's public egress
ip route-static 0.0.0.0 0 15.1.1.2
# ADVPN domain configuration
domain advpn
authentication advpn local
domain default enable advpn
# User configuration
local-user HUB class network
password simple HUB
service-type advpn
local-user SITE1 class network
password simple SITE1
service-type advpn
local-user SITE2 class network
password simple SITE2
service-type advpn
# VAM Server Hub/Spoke configuration
vam server advpn-domain ADVPN id 1
hub-group HUB
hub private-address 10.10.10.1
#hub private-address 10.10.10.2
#hub private-address 10.10.10.3
spoke private-address range 10.10.10.0 10.10.10.255
vam server advpn-domain ADVPN id 1
pre-shared-key simple ADVPN
authentication-method chap
server enable
```
Note: the Hub Group can carry multiple Hub tunnel IPs, which forms a full mesh between Hubs; Spokes are configured as a private-IP address range.
2 HUB Client Configuration
```
# Loopback configuration
interface Loopback0
ip address 172.16.100.1 32
# VAM Client
vam client name HUB
advpn-domain ADVPN
server primary ip-address 15.1.1.1
pre-shared-key simple ADVPN
user HUB password simple HUB
client enable
# IKE configuration
ike keychain ADVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key simple ADVPN
ike profile ADVPN
keychain ADVPN
# IPsec configuration
ipsec transform-set ADVPN
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
ipsec profile ADVPN isakmp
transform-set ADVPN
ike-profile ADVPN
# OSPF configuration
ospf 1 router-id 172.16.100.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.10.10.0 0.0.0.255
network 172.16.100.1 0.0.0.0
# Tunnel interface configuration
interface Tunnel1 mode advpn gre
ip address 10.10.10.1 255.255.255.0
ospf network-type p2mp
source GigabitEthernet0/0
tunnel protection ipsec profile ADVPN
vam client HUB
# Can be replaced with UDP encapsulation; the effect is similar
interface Tunnel1 mode advpn udp
ip address 10.10.10.1 255.255.255.0
ospf network-type p2mp
source GigabitEthernet0/0
tunnel protection ipsec profile ADVPN
vam client HUB
```
3 Spoke Configuration (SITE1 & SITE2)
```
# Loopback
interface Loopback0
ip address 172.16.100.11 32
# VAM Client
vam client name SITE1
advpn-domain ADVPN
server primary ip-address 15.1.1.1
pre-shared-key simple ADVPN
user SITE1 password simple SITE1
client enable
# IKE/IPsec
ike keychain ADVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key simple ADVPN
ike profile ADVPN
keychain ADVPN
ipsec transform-set ADVPN
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
ipsec profile ADVPN isakmp
transform-set ADVPN
ike-profile ADVPN
# OSPF
ospf 1 router-id 172.16.100.11
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 172.16.100.11 0.0.0.0
# Tunnel interface
interface Tunnel1 mode advpn gre
ip address 10.10.10.2 255.255.255.0
ospf network-type p2mp
source GigabitEthernet0/0
tunnel protection ipsec profile ADVPN
vam client SITE1
# Can be replaced with UDP encapsulation; the effect is similar
interface Tunnel1 mode advpn udp
ip address 10.10.10.2 255.255.255.0
ospf network-type p2mp
source GigabitEthernet0/0
tunnel protection ipsec profile ADVPN
vam client SITE1
```
SITE2 is configured the same way, with Loopback 172.16.100.12 and Tunnel IP 10.10.10.3.
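The IKE/IPsec and user blocks above share one group pre-shared key, accept any peer address in the keychain, type secrets with the `simple` keyword, and select `des-cbc` for ESP. The following is an added linter (not code from the page or from the vendor) that walks a Comware-style configuration and reports those settings line by line; the sample input is constructed from the Spoke lines, and `aes-cbc-256` in the hardened sample is a Comware transform-set keyword the page does not use.

```python
import re

# Constructed sample: the Spoke IKE/IPsec and local-user lines from the page,
# concatenated here purely as lint input.
SAMPLE_CONFIG = """\
ike keychain ADVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key simple ADVPN
ike profile ADVPN
keychain ADVPN
ipsec transform-set ADVPN
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
ipsec profile ADVPN isakmp
transform-set ADVPN
ike-profile ADVPN
local-user SITE1 class network
password simple SITE1
"""

# Same transform-set with a stronger cipher; expected to yield no findings.
HARDENED_TRANSFORM_SET = """\
ipsec transform-set ADVPN
encapsulation-mode transport
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
"""

WEAK_ESP_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}  # 64-bit block ciphers or no encryption
WILDCARD_PSK = re.compile(r"^pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ")
SIMPLE_SECRET = re.compile(r"\b(password|pre-shared-key|key) simple\b")
ESP_ENC = re.compile(r"^esp encryption-algorithm (\S+)$")

def lint_config(text):
    """Return (line_number, finding_code, detail) for each weak setting found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out command
        if WILDCARD_PSK.match(line):
            # Any peer address is accepted as long as it presents the group PSK.
            findings.append((lineno, "wildcard-psk-peer", line))
        if SIMPLE_SECRET.search(line):
            # Secret typed in cleartext on the CLI; it lands in terminal logs and history.
            findings.append((lineno, "simple-keyword-secret", line))
        m = ESP_ENC.match(line)
        if m and m.group(1) in WEAK_ESP_ENCRYPTION:
            findings.append((lineno, "weak-esp-encryption", m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, code, detail in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {detail}")
```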
4 Testing and Verification
- Check ADVPN client status:
- Check VAM registration:
- Verify OSPF neighbors and routes:
- Test HUB-Spoke connectivity:
5 Notes
Q1: Why does the IPsec tunnel use transport mode rather than tunnel mode?
A:
In ADVPN the tunnel header is provided by GRE/UDP, and IPsec is only responsible for encrypting the data, so transport mode is sufficient: it keeps the traffic protected while avoiding the performance loss and routing problems of a second outer header.
Q2: Why is the OSPF network type set to P2MP?
A:
ADVPN uses P2MP rather than Broadcast/P2P because Broadcast requires DR/BDR election and P2P supports only a single neighbor, so neither fits the dynamic Spoke-to-Spoke tunnel topology. P2MP has no election and supports multiple neighbors, which makes it the best choice.
Q3: Must the Hub node have a public address?
A:
For ADVPN to work (Spoke registration, dynamic tunnel establishment, multi-Hub interconnection), the Hub node must be reachable from the public side; having a public address or a stable NAT mapping is a basic requirement.