Generic Routing Encapsulation (GRE)

Introduction

Generic Routing Encapsulation (GRE) builds a point-to-point Tunnel between two Physical Interfaces and is commonly used as the basis of a Virtual Private Network (VPN). GRE by itself neither encrypts nor authenticates, so this article first shows how to configure GRE Tunnels and then adds IPSec on top of GRE for authentication and encryption.

Hub-to-spoke Topology

See the diagram below. We want to build GRE Tunnels between three sites: Hong Kong, Taiwan and Beijing. Assume that R1 e1/0, R2 e1/0 and R3 e1/0 can already Ping each other.

[Figure: gre-tunnel]

First, build a Tunnel between R1 and R2.

R1(config)#int tunnel 12
R1(config-if)#ip address 172.16.12.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 10.0.24.2
R2(config)#int tunnel 12
R2(config-if)#ip address 172.16.12.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 10.0.14.1

Similarly, build a Tunnel between R1 and R3.

R1(config)#int tunnel 13
R1(config-if)#ip address 172.16.13.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 10.0.34.3
R3(config)#int tunnel 13
R3(config-if)#ip address 172.16.13.3 255.255.255.0
R3(config-if)#tunnel source ethernet 1/0
R3(config-if)#tunnel destination 10.0.14.1

Verify: R1 can now Ping the Tunnel Interfaces of both R2 and R3.

R1#ping 172.16.12.2 source 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/32 ms
R1#
R1#ping 172.16.13.3 source 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/24 ms

R2's Tunnel Interface can likewise Ping R3's Tunnel Interface, but note that the path is R2 > R1 > R3, because this is a Hub-to-spoke Topology.

R2#ping 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/104 ms
R2#
R2#traceroute 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Tracing the route to 172.16.13.3

  1 172.16.12.1 8 msec 40 msec 36 msec
  2 172.16.13.3 60 msec 32 msec 72 msec

Routing Protocol

Next, we can use a Routing Protocol to advertise the networks behind each Router to the others, for example EIGRP.

R1(config)#router eigrp 1
R1(config-router)#network 172.16.12.0 0.0.0.255
R1(config-router)#network 172.16.13.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R2(config)#router eigrp 1
R2(config-router)#network 172.16.12.0 0.0.0.255
R2(config-router)#network 192.168.2.0
R2(config-router)#no auto-summary
R3(config)#router eigrp 1
R3(config-router)#network 172.16.13.0 0.0.0.255
R3(config-router)#network 192.168.3.0
R3(config-router)#no auto-summary

The Route Table now shows that EIGRP has exchanged Routes successfully.

R1#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

D     192.168.2.0/24 [90/27008000] via 172.16.12.2, 00:12:30, Tunnel12
D     192.168.3.0/24 [90/27008000] via 172.16.13.3, 00:12:53, Tunnel13
R1#
R1#ping 192.168.2.2 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/24 ms
R1#
R1#ping 192.168.3.3 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/40 ms

Note that traffic from R2's 192.168.2.0/24 to 192.168.3.0/24 still has to pass through R1.

R2#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.13.0/24 [90/28160000] via 172.16.12.1, 00:15:07, Tunnel0
D     192.168.1.0/24 [90/27008000] via 172.16.12.1, 00:15:07, Tunnel0
D     192.168.3.0/24 [90/28288000] via 172.16.12.1, 00:15:07, Tunnel0
R2#
R2#traceroute 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Tracing the route to 172.16.13.3

  1 172.16.12.1 12 msec 36 msec 40 msec
  2 172.16.13.3 64 msec 44 msec 48 msec

Full Mesh Topology

A Hub-to-spoke Topology is simpler to configure, but the problem is that Spoke-to-Spoke traffic must pass through the Hub, which wastes Bandwidth and increases response time. To solve this, switch to a Full Mesh Topology. Using the network above as an example, all that is needed is one additional Tunnel between R2 and R3.

[Figure: gre-tunnel]

R2(config)#int tunnel 23
R2(config-if)#ip address 172.16.23.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 10.0.34.3
R3(config)#int tunnel 23
R3(config-if)#ip address 172.16.23.3 255.255.255.0
R3(config-if)#tunnel source ethernet 1/0
R3(config-if)#tunnel destination 10.0.24.2

Of course, we also have to add the new Network to the EIGRP configuration on both R2 and R3 so that R2 and R3 form an EIGRP Adjacency.

R2(config)#router eigrp 1
R2(config-router)#network 172.16.23.0 0.0.0.255
R3(config)#router eigrp 1
R3(config-router)#network 172.16.23.0 0.0.0.255

R2 can now reach R3 directly without going through R1.

R2#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D        172.16.13.0/24 [90/28160000] via 172.16.23.3, 00:00:44, Tunnel23
                        [90/28160000] via 172.16.12.1, 00:00:44, Tunnel12
D     192.168.1.0/24 [90/27008000] via 172.16.12.1, 00:00:44, Tunnel12
D     192.168.3.0/24 [90/27008000] via 172.16.23.3, 00:00:44, Tunnel23
R2#
R2#traceroute 192.168.3.3 source 192.168.2.2

Type escape sequence to abort.
Tracing the route to 192.168.3.3

  1 172.16.23.3 28 msec 40 msec 20 msec

IPSec over GRE Tunnel

Finally, we encrypt all the Tunnels with IPSec.

First, configure the IKE Phase 1 parameters on R1, R2 and R3; for a detailed explanation see here.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share

Then configure the Phase 2 parameters on R1, R2 and R3; for a detailed explanation see here.

R1(config)#crypto ipsec transform-set TS esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit

Then configure the Pre-shared Key. Note that the peer address is the Physical Interface address (the Tunnel source/destination), not the Tunnel Interface address.

R1(config)#crypto isakmp key ccie address 10.0.24.2
R1(config)#crypto isakmp key ccie address 10.0.34.3
R2(config)#crypto isakmp key ccie address 10.0.14.1
R2(config)#crypto isakmp key ccie address 10.0.34.3
R3(config)#crypto isakmp key ccie address 10.0.14.1
R3(config)#crypto isakmp key ccie address 10.0.24.2

Next, define the IPSec Profile on R1, R2 and R3.

R1(config)#crypto ipsec profile PF
R1(ipsec-profile)#set transform-set TS

Finally, configure every Tunnel to use the IPSec Profile.

R1(config)#interface tunnel 12
R1(config-if)#tunnel protection ipsec profile PF

Summary

Although a Full Mesh Topology lets Spoke Sites connect to each other directly, the problem is the number of Tunnels that must be built. Mathematically, the number of point-to-point links is n(n-1)/2, so with 20 Sites there would be 190 Tunnels, and configuring and maintaining them would be a nightmare. Therefore, when there are many Spoke Sites, mGRE (also known as DMVPN) is the more convenient choice.
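As an added example (not code from the original post), the Python below generates the full mesh GRE/IPSec configuration from the IPSec section in this page's naming convention for any set of single-digit router numbers, illustrating the n(n-1)/2 growth from the summary, and audits a router's config for the two mistakes the IPSec section warns about: a tunnel interface without tunnel protection, and an IKE peer keyed on a tunnel address instead of the physical address. SITES, tunnel_config, full_mesh, tunnel_count and audit are assumed names; the addresses, key and profile name are the page's own.

```python
from itertools import combinations

# Constructed inventory matching this page: router number -> physical e1/0 address
# (the GRE tunnel source/destination, which is also the IKE peer address).
SITES = {1: "10.0.14.1", 2: "10.0.24.2", 3: "10.0.34.3"}

def tunnel_config(a, b, phys, psk="ccie", profile="PF"):
    """Both ends of one GRE/IPSec tunnel between routers a and b, in the page's
    convention: tunnel <ab>, 172.16.<ab>.<router>/24, peer = physical address."""
    tid = f"{a}{b}"  # page convention; only unambiguous for single-digit router numbers
    out = {}
    for me, peer in ((a, b), (b, a)):
        out[me] = [
            f"crypto isakmp key {psk} address {phys[peer]}",
            f"interface tunnel {tid}",
            f" ip address 172.16.{tid}.{me} 255.255.255.0",
            " tunnel source ethernet 1/0",
            f" tunnel destination {phys[peer]}",
            f" tunnel protection ipsec profile {profile}",
        ]
    return out

def full_mesh(phys, **kw):
    """Per-router config for a full mesh: one tunnel per router pair, n(n-1)/2 in all."""
    assert all(1 <= r <= 9 for r in phys), "tunnel <ab> naming needs single-digit routers"
    cfg = {r: [] for r in phys}
    for a, b in combinations(sorted(phys), 2):
        for r, lines in tunnel_config(a, b, phys, **kw).items():
            cfg[r].extend(lines)
    return cfg

def tunnel_count(n):
    return n * (n - 1) // 2  # point-to-point tunnels needed for a full mesh of n sites

def audit(lines, physical):
    """Defender's check on one router's config: every tunnel interface must carry
    'tunnel protection ipsec' (otherwise GRE crosses the underlay in cleartext), and
    every IKE peer address must be a physical address, never a tunnel address."""
    findings, pending = [], None  # pending = tunnel interface still awaiting protection
    for line in list(lines) + ["interface end"]:  # sentinel flushes the last interface
        s = line.strip()
        if s.startswith("interface"):
            if pending:
                findings.append(f"{pending} has no tunnel protection (cleartext GRE)")
            pending = s if s.startswith("interface tunnel") else None
        elif s.startswith("tunnel protection ipsec"):
            pending = None
        elif s.startswith("crypto isakmp key") and s.split()[-1] not in physical:
            findings.append(f"IKE peer {s.split()[-1]} is not a physical interface address")
    return findings
```

Running full_mesh(SITES) reproduces the R2/R3 tunnel 23 lines shown above, and audit() on a config that keys IKE on 172.16.12.1 or omits tunnel protection reports both problems.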


2021-07-22

Posted In: Virtual Private Network (VPN)