VPN Site-to-Site


Types of VPN

  • L2VPN VPWS VPLS
  • L3VPN MPLS
  • IPSec Tunnel Transport
  • GRE over IPSec, IPSec over GRE
  • DMVPN
  • SSL VPN
  • Hybrid IPsec over L2VPN
  • Software-based (OpenVPN, VipNET)
  • RemoteAccess L2TP-IPSec

LAB

R1-core (cisco 2800)

 212.192.88.150
 10.111.0.0/24

R2-branch (cisco 2800)

 212.192.88.151
 10.112.0.0/24

R3-small-office (cisco 1800)

 212.192.88.152
 10.113.0.0/24

Verification on the hub while traffic is flowing between the branches:

 show crypto session
 show processes cpu history
 show crypto engine accelerator statistic | include /sec

           3754 paks/sec in                     3753 paks/sec out
         28097804 bits/sec in                 28096509 bits/sec out

The accelerator counters give the encrypted throughput (about 28 Mbit/s and 3750 packets/s in each direction in this run); `show crypto session` confirms which peers are up and `show processes cpu history` shows what that load costs the 2800.

IPSec Tunnel mode

!
hostname R1-core
!
enable secret 0 cisco
!
no ip domain lookup
!
username cisco secret 0 cisco
!
ip dhcp pool LAN
 network 10.111.0.0 255.255.255.0
 default-route 10.111.0.1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 120
! hash is left at the default (SHA-1); group 2 is 1024-bit DH and the 120 s lifetime forces an
! IKE rekey every two minutes - fine for watching a lab, not for production (use group 14 or higher)
!
crypto isakmp key CORE2ALICE address 212.192.88.151
crypto isakmp key CORE2SMALL address 212.192.88.152
!
crypto ipsec security-association lifetime seconds 512
!
! tunnel mode is the default; with AH in the set the outer header is protocol 51 (AH), which is
! what the inbound WAN ACL must admit, and which does not survive NAT on the path
crypto ipsec transform-set TRANS ah-sha-hmac esp-aes esp-sha-hmac
!
crypto map TO-LAN 1 ipsec-isakmp 
 set peer 212.192.88.151
 set transform-set TRANS 
 match address TRAFIC1
crypto map TO-LAN 2 ipsec-isakmp 
 set peer 212.192.88.152
 set transform-set TRANS 
 match address TRAFIC2
!
interface FastEthernet0/0
 description WAN
 ip address 212.192.88.150 255.255.255.0
 crypto map TO-LAN
 ip access-group block in
 no shut
!
interface FastEthernet0/1
 description LAN
 ip address 10.111.0.1 255.255.255.0
 no shut
!
ip route 10.112.0.0 255.255.255.0 212.192.88.151
ip route 10.113.0.0 255.255.255.0 212.192.88.152
!
ip access-list extended TRAFIC1
 permit ip 10.111.0.0 0.0.0.255 10.112.0.0 0.0.0.255
 permit ip 10.113.0.0 0.0.0.255 10.112.0.0 0.0.0.255
ip access-list extended TRAFIC2
 permit ip 10.111.0.0 0.0.0.255 10.113.0.0 0.0.0.255
 permit ip 10.112.0.0 0.0.0.255 10.113.0.0 0.0.0.255
!
ip access-list extended block
 permit udp host 212.192.88.151 eq isakmp host 212.192.88.150 eq isakmp
 permit udp host 212.192.88.152 eq isakmp host 212.192.88.150 eq isakmp
 permit ahp host 212.192.88.151 host 212.192.88.150
 ! without an AH entry for the small-office peer, R3's IPsec traffic (protocol 51 is the outer
 ! header with this transform set) would be dropped inbound while its IKE still completes
 permit ahp host 212.192.88.152 host 212.192.88.150
 deny ip any any
!
!
line con 0
 logging synchronous
 login local
line vty 0 4
 login local
line vty 5 15
 login local
!

GRE over IPSec

Add OSPF between the branches and the hub.

Add IPv6 to the local networks.

Add IPv6 over GRE over IPsec over IPv4 between the branches.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! CORE - add - OSPF hub-to-spoke
!      - add - IPv6 over GRE over IPSEC
!
ipv6 unicast-routing
! required for the router to forward IPv6 between the LAN and the tunnel
!
interface Tunnel1
 description IPv6 over GRE to R3-small-office; the GRE packets are caught by crypto map TO-LAN on Fa0/0
 no ip address
 ipv6 address 2001::1/64
 tunnel source 212.192.88.150
 tunnel destination 212.192.88.152
 ! GRE adds 24 bytes and IPsec more; lower the tunnel MTU (e.g. ipv6 mtu 1400) if paths fragment
!
interface FastEthernet0/0
 description WAN
 ip address 212.192.88.150 255.255.255.0
 ip access-group block in
 crypto map TO-LAN
!
interface FastEthernet0/1
 description LAN
 ip address 10.111.0.1 255.255.255.0
 ipv6 address 2003::1/64
!
router ospf 1
 log-adjacency-changes
 ! matches every IPv4 interface, so OSPF also runs on the WAN (Fa0/0) in the clear;
 ! that is why the block ACL below has to permit OSPF
 network 0.0.0.0 255.255.255.255 area 0
!
!
ip access-list extended TRAFIC2
 permit ip 10.111.0.0 0.0.0.255 10.113.0.0 0.0.0.255
 permit ip 10.112.0.0 0.0.0.255 10.113.0.0 0.0.0.255
 ! GRE endpoints must be given explicitly and must be this entry's own tunnel: source 212.192.88.150,
 ! destination 212.192.88.152, the peer of crypto map TO-LAN 2. A looser GRE ACE, or one naming
 ! another peer's address, makes the GRE traffic match the wrong crypto map entry; GRE to R2
 ! (212.192.88.151) would belong in TRAFIC1, the entry whose peer is R2.
 permit gre host 212.192.88.150 host 212.192.88.152
ip access-list extended block
 ! OSPF hellos cross the shared WAN segment unencrypted and this line accepts them from any
 ! source; restrict it to the peer addresses and turn on OSPF authentication outside the lab
 permit ospf any any
 permit udp host 212.192.88.151 eq isakmp host 212.192.88.150 eq isakmp
 permit udp host 212.192.88.152 eq isakmp host 212.192.88.150 eq isakmp
 ! AH (protocol 51) is the outer header of the transform set, now admitted from both peers
 permit ahp host 212.192.88.151 host 212.192.88.150
 permit ahp host 212.192.88.152 host 212.192.88.150
 deny   ip any any
!
!
! static route to the remote IPv6 LAN reached via R3 (2006::/64 is not shown elsewhere on the page),
! next hop is the far end of Tunnel1; OSPFv2 above carries only the IPv4 LANs
ipv6 route 2006::/64 2001::2
!
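The two points above that bite in practice, the WAN ACL that must admit each peer's IKE and IPsec traffic (first section) and the GRE ACE that must name the tunnel endpoints of the entry's own peer (this section), can be checked off-box. The following is an added example, not code from the wiki page or from Cisco: a small Python model of IOS behaviour (crypto map entries tried in ascending sequence order, the first permitting crypto ACL wins, implicit deny at the end of every ACL). The peer addresses and ACLs are copied from the hub config above; the variant TRAFIC1 with `permit gre any any`, the sample packets and the `Pkt`/`Ace` data model are constructed for the example, and only contiguous wildcard masks are handled.

```python
"""Model of how IOS picks a crypto map entry and of inbound WAN-ACL coverage.
Added example for the lab above (not from the wiki page, not Cisco code): peers and
ACLs are copied from the hub config; the 'sloppy' GRE ACE and packets are constructed."""
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import NamedTuple, Optional


class Pkt(NamedTuple):
    proto: str                     # "gre", "udp", "ahp", "tcp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


class Ace(NamedTuple):
    permit: bool
    proto: str                     # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int]
    dport: Optional[int]


def _addr(tok: list[str]) -> IPv4Network:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tok.pop(0) + "/32")
    wild = int(IPv4Address(tok.pop(0)))            # contiguous wildcards only
    return ip_network(f"{t}/{32 - wild.bit_length()}", strict=False)


def _port(tok: list[str]) -> Optional[int]:
    """Consume an optional `eq <port>` qualifier (only the isakmp name is known here)."""
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        return 500 if name == "isakmp" else int(name)
    return None


def parse_acl(text: str) -> list[Ace]:
    """Parse the ACE lines of one `ip access-list extended` block; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            permit, proto, tok = tok[0] == "permit", tok[1], tok[2:]
            src, sport = _addr(tok), _port(tok)
            dst, dport = _addr(tok), _port(tok)
            aces.append(Ace(permit, proto, src, dst, sport, dport))
    return aces


def _matches(a: Ace, p: Pkt) -> bool:
    return ((a.proto == "ip" or a.proto == p.proto)
            and a.sport in (None, p.sport) and a.dport in (None, p.dport)
            and IPv4Address(p.src) in a.src and IPv4Address(p.dst) in a.dst)


def acl_permits(aces: list[Ace], p: Pkt) -> bool:
    """First matching ACE decides; IOS ends every ACL with an implicit deny."""
    for a in aces:
        if _matches(a, p):
            return a.permit
    return False


def select_peer(cmap: list[tuple[int, str, str]], acls: dict[str, list[Ace]],
                p: Pkt) -> Optional[str]:
    """Crypto map entries are tried in ascending sequence order and the first whose
    crypto ACL permits the packet wins; None means the packet is sent unencrypted."""
    for _seq, peer, acl in sorted(cmap):
        if acl_permits(acls[acl], p):
            return peer
    return None


def missing_inbound_permits(block: list[Ace], local: str, peers: list[str]) -> list[str]:
    """Every peer needs ISAKMP (udp/500) and the outer IPsec protocol let in; with
    transform set ah-sha-hmac esp-aes esp-sha-hmac that outer header is AH (51)."""
    missing = []
    for peer in peers:
        if not acl_permits(block, Pkt("udp", peer, local, 500, 500)):
            missing.append(f"isakmp from {peer}")
        if not acl_permits(block, Pkt("ahp", peer, local)):
            missing.append(f"ahp from {peer}")
    return missing


HUB, BRANCH, SMALL = "212.192.88.150", "212.192.88.151", "212.192.88.152"
CRYPTO_MAP = [(1, BRANCH, "TRAFIC1"), (2, SMALL, "TRAFIC2")]    # crypto map TO-LAN
ACLS = {
    "TRAFIC1": parse_acl("""permit ip 10.111.0.0 0.0.0.255 10.112.0.0 0.0.0.255
                            permit ip 10.113.0.0 0.0.0.255 10.112.0.0 0.0.0.255"""),
    "TRAFIC2": parse_acl("""permit ip 10.111.0.0 0.0.0.255 10.113.0.0 0.0.0.255
                            permit ip 10.112.0.0 0.0.0.255 10.113.0.0 0.0.0.255
                            permit gre host 212.192.88.150 host 212.192.88.152"""),
}
# Constructed variant: a GRE ACE without endpoints placed in the lower-sequence entry.
SLOPPY = dict(ACLS, TRAFIC1=ACLS["TRAFIC1"] + parse_acl("permit gre any any"))
# The hub's inbound WAN ACL "block" as shown in the page's first (pre-GRE) section.
BLOCK_V1 = parse_acl("""permit udp host 212.192.88.151 eq isakmp host 212.192.88.150 eq isakmp
                        permit udp host 212.192.88.152 eq isakmp host 212.192.88.150 eq isakmp
                        permit ahp host 212.192.88.151 host 212.192.88.150
                        deny ip any any""")
GRE_TO_SMALL = Pkt("gre", HUB, SMALL)                 # what Tunnel1 puts on the wire


def gre_peer_explicit() -> Optional[str]:
    return select_peer(CRYPTO_MAP, ACLS, GRE_TO_SMALL)        # R3, as intended


def gre_peer_sloppy() -> Optional[str]:
    return select_peer(CRYPTO_MAP, SLOPPY, GRE_TO_SMALL)      # R2: seq 1 hijacks it


def lan_peer(src: str, dst: str) -> Optional[str]:
    return select_peer(CRYPTO_MAP, ACLS, Pkt("tcp", src, dst))
```

`gre_peer_explicit()` returns 212.192.88.152 and `gre_peer_sloppy()` returns 212.192.88.151: with `permit gre any any` in the sequence-1 entry the hub's GRE packets for R3 are encrypted to R2, which has no matching SA and drops them, the symptom the caveat on the GRE ACE describes. `missing_inbound_permits(BLOCK_V1, HUB, [BRANCH, SMALL])` reports the AH entry for R3 that the first version of `block` lacks. Any LAN packet for which `select_peer` returns None (for example 10.111.0.5 to 8.8.8.8) leaves Fa0/0 unencrypted, which is the quiet failure mode of a crypto ACL that is too narrow.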