VPN Site-to-Site
Types of VPN
- L2VPN (VPWS, VPLS)
- L3VPN (MPLS)
- IPsec (tunnel and transport mode)
- GRE over IPsec, IPsec over GRE
- DMVPN
- SSL VPN
- Hybrid: IPsec over L2VPN
- Software-based (OpenVPN, VipNET)
- Remote access: L2TP/IPsec
LAB
R1-core (Cisco 2800): WAN 212.192.88.150, LAN 10.111.0.0/24
R2-branch (Cisco 2800): WAN 212.192.88.151, LAN 10.112.0.0/24
R3-small-office (Cisco 1800): WAN 212.192.88.152, LAN 10.113.0.0/24

Checks on R1-core (IKE/IPsec sessions, CPU history, hardware crypto accelerator throughput):
sh crypto session
sh proc cpu hi
sh crypto engine accelerator statistic | inc /sec
3754 paks/sec in 3753 paks/sec out
28097804 bits/sec in 28096509 bits/sec out
IPsec tunnel mode (R1-core)
!
hostname R1-core
!
enable secret 0 cisco
!
no ip domain lookup
!
username cisco secret 0 cisco
!
ip dhcp pool LAN
 network 10.111.0.0 255.255.255.0
 default-router 10.111.0.1
!
! IKE phase 1: AES-256, pre-shared keys, DH group 2; the 120 s SA lifetime (default 86400) forces frequent phase-1 rekeys
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 120
!
crypto isakmp key CORE2ALICE address 212.192.88.151
crypto isakmp key CORE2SMALL address 212.192.88.152
!
crypto ipsec security-association lifetime seconds 512
!
crypto ipsec transform-set TRANS ah-sha-hmac esp-aes esp-sha-hmac
!
! one crypto map entry per peer; the ACL named by match address selects the traffic sent to that peer
crypto map TO-LAN 1 ipsec-isakmp
 set peer 212.192.88.151
 set transform-set TRANS
 match address TRAFIC1
crypto map TO-LAN 2 ipsec-isakmp
 set peer 212.192.88.152
 set transform-set TRANS
 match address TRAFIC2
!
interface FastEthernet0/0
 description WAN
 ip address 212.192.88.150 255.255.255.0
 crypto map TO-LAN
 ip access-group block in
 no shut
!
interface FastEthernet0/1
 description LAN
 ip address 10.111.0.1 255.255.255.0
 no shut
!
ip route 10.112.0.0 255.255.255.0 212.192.88.151
ip route 10.113.0.0 255.255.255.0 212.192.88.152
!
! crypto ACLs: branch-to-branch traffic transits the hub, so each ACL also covers the other branch's subnet
ip access-list extended TRAFIC1
 permit ip 10.111.0.0 0.0.0.255 10.112.0.0 0.0.0.255
 permit ip 10.113.0.0 0.0.0.255 10.112.0.0 0.0.0.255
ip access-list extended TRAFIC2
 permit ip 10.111.0.0 0.0.0.255 10.113.0.0 0.0.0.255
 permit ip 10.112.0.0 0.0.0.255 10.113.0.0 0.0.0.255
!
! inbound WAN filter: only IKE (UDP/500) and AH (the outer header of the ah+esp transform set) from both peers;
! the AH permit for 212.192.88.152 was missing in the original and is needed for the R3 tunnel
ip access-list extended block
 permit udp host 212.192.88.151 eq isakmp host 212.192.88.150 eq isakmp
 permit udp host 212.192.88.152 eq isakmp host 212.192.88.150 eq isakmp
 permit ahp host 212.192.88.151 host 212.192.88.150
 permit ahp host 212.192.88.152 host 212.192.88.150
 deny ip any any
!
line con 0
 logging synchronous
 login local
line vty 0 4
 login local
line vty 5 15
 login local
!
GRE over IPsec
Add OSPF between the branches through the hub.
Add IPv6 in the local networks.
Add IPv6 over GRE over IPsec over IPv4 between the branches.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! CORE - add - OSPF hub-to-spoke
!      - add - IPv6 over GRE over IPSEC
!
! required for the router to forward IPv6 (not shown in the original excerpt)
ipv6 unicast-routing
!
! plain GRE tunnel carrying IPv6; its IPv4 GRE packets (.150 -> .152) are in turn encrypted by crypto map entry 2 on the WAN interface
interface Tunnel1
 no ip address
 ipv6 address 2001::1/64
 tunnel source 212.192.88.150
 tunnel destination 212.192.88.152
!
interface FastEthernet0/0
 description WAN
 ip address 212.192.88.150 255.255.255.0
 ip access-group block in
 crypto map TO-LAN
!
interface FastEthernet0/1
 description LAN
 ip address 10.111.0.1 255.255.255.0
 ipv6 address 2003::1/64
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
! the GRE endpoints must be given explicitly in the crypto ACL - otherwise the wrong crypto map entry (wrong peer) matches;
! the destination is the Tunnel1 destination / entry-2 peer 212.192.88.152 (the original read .151, which belongs to entry 1)
ip access-list extended TRAFIC2
 permit ip 10.111.0.0 0.0.0.255 10.113.0.0 0.0.0.255
 permit ip 10.112.0.0 0.0.0.255 10.113.0.0 0.0.0.255
 permit gre host 212.192.88.150 host 212.192.88.152
ip access-list extended block
 permit ospf any any
 permit udp host 212.192.88.151 eq isakmp host 212.192.88.150 eq isakmp
 permit udp host 212.192.88.152 eq isakmp host 212.192.88.150 eq isakmp
 permit ahp host 212.192.88.151 host 212.192.88.150
 permit ahp host 212.192.88.152 host 212.192.88.150
 deny ip any any
!
ipv6 route 2006::/64 2001::2
!
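Added example, not part of the lab config: a small Python model of IOS crypto-map selection (entries tried by sequence number, first matching ACL entry wins, "permit ip" matches every protocol) that replays the GRE caveat above. Peer addresses and ACL names are the lab's; the lazy "permit gre any any" variant is a constructed counter-example showing GRE bound for 212.192.88.152 landing on peer .151.

```python
import ipaddress

def _addr(tok, i):
    """Parse one IOS ACL address field at tok[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))  # 0 bits in the wildcard must match
    prefix = bin(~wildcard & 0xFFFFFFFF).count("1")   # contiguous wildcards only
    return ipaddress.ip_network((tok[i], prefix)), i + 2

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> ...' lines into (action, proto, src, dst) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 2)
        dst, _ = _addr(tok, i)
        aces.append((tok[0], tok[1], src, dst))
    return aces

def acl_permits(aces, proto, src, dst):
    """IOS semantics: first matching entry decides, 'ip' matches any protocol, implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in aces:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False

def select_peer(crypto_map, acls, proto, src, dst):
    """Peer of the lowest-sequence entry whose ACL permits the packet; None = sent unencrypted."""
    for _seq, peer, acl_name in sorted(crypto_map):
        if acl_permits(acls[acl_name], proto, src, dst):
            return peer
    return None

# crypto map TO-LAN from the lab: (sequence, peer, ACL named by 'match address')
CRYPTO_MAP = [(1, "212.192.88.151", "TRAFIC1"), (2, "212.192.88.152", "TRAFIC2")]
GRE = ("gre", "212.192.88.150", "212.192.88.152")  # Tunnel1 packets as seen on the WAN interface
# The lab's crypto ACLs, with the GRE endpoints pinned in TRAFIC2 (entry 2, peer .152).
PINNED = {
    "TRAFIC1": parse_acl("""permit ip 10.111.0.0 0.0.0.255 10.112.0.0 0.0.0.255
                            permit ip 10.113.0.0 0.0.0.255 10.112.0.0 0.0.0.255"""),
    "TRAFIC2": parse_acl("""permit ip 10.111.0.0 0.0.0.255 10.113.0.0 0.0.0.255
                            permit ip 10.112.0.0 0.0.0.255 10.113.0.0 0.0.0.255
                            permit gre host 212.192.88.150 host 212.192.88.152"""),
}
# Constructed counter-example: a lazy 'permit gre any any' in the first entry's ACL instead.
LAZY = {"TRAFIC1": PINNED["TRAFIC1"] + parse_acl("permit gre any any"), "TRAFIC2": PINNED["TRAFIC2"]}
```

select_peer(CRYPTO_MAP, PINNED, *GRE) returns the intended peer 212.192.88.152, while select_peer(CRYPTO_MAP, LAZY, *GRE) returns 212.192.88.151, the wrong peer the comment in the config warns about.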