
LAB 7.3: CONFIGURING GRE/IPSec VPN

Objective

Configure GRE so that the two sites can exchange routing information, and protect the communication between the two sites with IPSec.

A) Configuration

Configure the IPSec policy (the transform set):

SAIGON(config)#crypto ipsec transform-set MYSET esp-md5-hmac esp-des
SAIGON(cfg-crypto-trans)#mode transport

 

Define the traffic to be protected. Because GRE encapsulation happens first, the traffic defined for encryption must be the GRE traffic between the two tunnel endpoints:

SAIGON(config)#access-list 100 permit gre host 150.1.1.1 host 151.1.1.1

 

Configure the routing protocol. Note that the outside interface (the one connected to the Internet) must not be included in the routing process:

SAIGON(config)#router ospf 1
SAIGON(config-router)#network 192.168.1.0 0.0.0.255 area 0
SAIGON(config-router)#network 10.1.1.0 0.0.0.255 area 0

 

Apply the equivalent configuration on VUNGTAU.
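An added example (not part of the original lab): a small Python check that reads excerpts of the two site configurations (constructed here from the values used in this lab) and verifies the three points above: the crypto ACL matches GRE between the local outside address and the tunnel destination, the two sites' ACLs are mirror images, and no OSPF network statement covers the outside interface.

```python
import ipaddress, re
# Constructed excerpts of the SAIGON and VUNGTAU configs from this lab (addresses as on the page).
SAIGON = """interface Serial0/0
 ip address 150.1.1.1 255.255.255.0
 crypto map MYMAP
interface Tunnel1
 tunnel destination 151.1.1.1
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
access-list 100 permit gre host 150.1.1.1 host 151.1.1.1
"""
VUNGTAU = """interface Serial0/0
 ip address 151.1.1.1 255.255.255.0
 crypto map MYMAP
interface Tunnel1
 tunnel destination 150.1.1.1
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
access-list 100 permit gre host 151.1.1.1 host 150.1.1.1
"""

def parse(cfg):
    # Outside address = the interface carrying the crypto map; peer = GRE tunnel destination.
    outside = re.search(r" ip address (\S+) \S+\n crypto map", cfg).group(1)
    peer = re.search(r" tunnel destination (\S+)", cfg).group(1)
    ospf = re.findall(r" network (\S+) (\S+) area", cfg)
    acl = re.search(r"access-list \d+ permit (\S+) host (\S+) host (\S+)", cfg).groups()
    return outside, peer, ospf, acl

def check_site(cfg):
    """Return the problems found in one site's configuration (empty list = consistent)."""
    outside, peer, ospf, acl = parse(cfg)
    problems = []
    # GRE encapsulation happens first, so the crypto ACL must match GRE between the endpoints.
    if acl != ("gre", outside, peer):
        problems.append(f"crypto ACL should be 'permit gre host {outside} host {peer}'")
    # The Internet-facing interface must not be advertised into OSPF.
    for net, wildcard in ospf:
        if ipaddress.ip_address(outside) in ipaddress.ip_network(f"{net}/{wildcard}", strict=False):
            problems.append(f"OSPF network {net} {wildcard} covers outside address {outside}")
    return problems

def check_pair(cfg_a, cfg_b):
    # Check both sites, then confirm their crypto ACLs are mirror images of each other.
    problems = check_site(cfg_a) + check_site(cfg_b)
    acl_a, acl_b = parse(cfg_a)[3], parse(cfg_b)[3]
    if (acl_a[1], acl_a[2]) != (acl_b[2], acl_b[1]):
        problems.append("the two sites' crypto ACLs do not mirror each other")
    return problems
```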

 

B) Full configuration

SAIGON

Building configuration...

Current configuration : 1763 bytes
!
hostname SAIGON
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vnpro address 151.1.1.1
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
 mode transport
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 151.1.1.1
 set transform-set MYSET
 match address 100
!
interface Tunnel1
 ip address 10.1.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 151.1.1.1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 150.1.1.1 255.255.255.0
 clockrate 2000000
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 150.1.1.2
!
!
access-list 100 permit gre host 150.1.1.1 host 151.1.1.1
!
!
end

 

 

VUNGTAU

Building configuration...

Current configuration : 1500 bytes
!
hostname VUNGTAU
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vnpro address 150.1.1.1
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
 mode transport
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 150.1.1.1
 set transform-set MYSET
 match address 100
!
!
interface Tunnel1
 ip address 10.1.1.2 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 150.1.1.1
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 151.1.1.1 255.255.255.0
 clockrate 2000000
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clockrate 2000000
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 151.1.1.2
!
access-list 100 permit gre host 151.1.1.1 host 150.1.1.1
!
!
end

 

 

ISP

Building configuration...

Current configuration : 980 bytes
!
hostname ISP
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 150.1.1.2 255.255.255.0
 clockrate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 151.1.1.2 255.255.255.0
 clockrate 2000000
!
!
end

 


D) Verifying the configuration

Check OSPF convergence:

SAIGON#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.2.1       0   FULL/  -        00:00:38    10.1.1.2        Tunnel1

SAIGON#sh ip ospf interface
Tunnel1 is up, line protocol is up
  Internet Address 10.1.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 11111
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.2.1
  Suppress hello for 0 neighbor(s)
Loopback0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

SAIGON#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 150.1.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Tunnel1
C    192.168.1.0/24 is directly connected, Loopback0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/11112] via 10.1.1.2, 00:00:38, Tunnel1
     150.1.0.0/24 is subnetted, 1 subnets
C       150.1.1.0 is directly connected, Serial0/0
S*   0.0.0.0/0 [1/0] via 150.1.1.2

 

Communication between the two sites succeeds:

 

SAIGON#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/81/152 ms

 

ISAKMP SA and IPSec SA status:

SAIGON#sh crypto isakmp sa
dst             src             state          conn-id slot
151.1.1.1       150.1.1.1       QM_IDLE              1    0

SAIGON#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MYMAP, local addr. 150.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (150.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (151.1.1.1/255.255.255.255/47/0)
   current_peer: 151.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 150.1.1.1, remote crypto endpt.: 151.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 3D82FBF2

     inbound esp sas:
      spi: 0xE782E811(3884115985)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: MYMAP
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4452455/3561)
        ike_cookies: 6346F52E 948175CB C36662EF 99F42E48
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3D82FBF2(1031994354)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: MYMAP
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4452455/3561)
        ike_cookies: 6346F52E 948175CB C36662EF 99F42E48
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

 

Traffic protected by IPSec

  • The ESP SPI value of the packets equals the SPI shown under “outbound esp sas”
  • The ESP Sequence value increases with each packet
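As an added example (not part of the original lab), the two checks above applied to a constructed packet sample: every packet leaving SAIGON for the peer must be ESP, carry the SPI of the outbound SA shown on this page (0x3D82FBF2), and have a strictly increasing sequence number. The packets are built here from the lab's addresses; they are not a real capture.

```python
import struct
from ipaddress import IPv4Address

# Values taken from SAIGON's "show crypto ipsec sa" / "show crypto session" output on this page.
OUTBOUND_SPI = 0x3D82FBF2
LOCAL, PEER = "150.1.1.1", "151.1.1.1"
ESP, GRE = 50, 47

def make_packet(src, dst, proto, spi, seq, body=b"\x00" * 48):
    """Build a minimal IPv4 packet with an 8-byte SPI/sequence header (constructed test data)."""
    hdr = struct.pack("!II", spi, seq)
    total = 20 + len(hdr) + len(body)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + hdr + body

def esp_fields(pkt):
    """Return (src, dst, proto, spi, seq); spi and seq are None for non-ESP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    if pkt[9] != ESP:
        return src, dst, pkt[9], None, None
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return src, dst, ESP, spi, seq

def audit_outbound(packets):
    """Findings for packets leaving SAIGON: all must be ESP to the peer, carry the outbound SA's
    SPI, and have a strictly increasing sequence number (what the SA's replay detection relies on)."""
    findings, last_seq = [], 0
    for i, pkt in enumerate(packets):
        src, dst, proto, spi, seq = esp_fields(pkt)
        if (src, dst) != (LOCAL, PEER):
            findings.append(f"packet {i}: unexpected endpoints {src}->{dst}")
        if proto != ESP:
            findings.append(f"packet {i}: protocol {proto} sent in the clear, not ESP")
            continue
        if spi != OUTBOUND_SPI:
            findings.append(f"packet {i}: SPI {spi:08X} != outbound SA {OUTBOUND_SPI:08X}")
        if seq <= last_seq:
            findings.append(f"packet {i}: sequence {seq} does not increase (replay?)")
        last_seq = max(last_seq, seq)
    return findings

# Constructed sample: three good ESP packets, one GRE packet that escaped encryption, one replay.
SAMPLE = [make_packet(LOCAL, PEER, ESP, OUTBOUND_SPI, s) for s in (1, 2, 3)]
SAMPLE += [make_packet(LOCAL, PEER, GRE, 0, 0), make_packet(LOCAL, PEER, ESP, OUTBOUND_SPI, 2)]
```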

 

 

SAIGON# sh crypto session
Crypto session current status

Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 151.1.1.1/500
  IKE SA: local 150.1.1.1/500 remote 151.1.1.1/500 Active
  IPSEC FLOW: permit 47 host 150.1.1.1 host 151.1.1.1
        Active SAs: 2, origin: crypto map
