Experiment 1:

IPSec VPN routing investigation

 

R1#sh run
hostname R1
!
! Phase 1 (ISAKMP) policy. Encryption and DH group are left unset, so the
! IOS defaults (DES, group 1) apply; with MD5 and the pre-shared key "cisco"
! this is lab-grade only.
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 202.100.2.1
!
! Phase 2 transform set.
crypto ipsec transform-set Trans esp-des esp-md5-hmac
!
! Policy-based VPN: the crypto map ties the peer, the transform set and the
! crypto ACL that defines the interesting traffic together.
crypto map MAP 10 ipsec-isakmp
 set peer 202.100.2.1
 set transform-set Trans
 match address VPN
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
! Route to the interesting-traffic destination and route to the remote
! encryption point (peer); both point at the internet router.
ip route 2.2.2.2 255.255.255.255 202.100.1.10
ip route 202.100.2.1 255.255.255.255 202.100.1.10
!
ip access-list extended VPN
 permit ip host 1.1.1.1 host 2.2.2.2
-------------------------------------------------------------------------------------------------------------------

internet#sh run
!
hostname internet
!
! Connected routes only: the internet router has no route to 1.1.1.1/32 or
! 2.2.2.2/32, it only forwards the ESP traffic between the two peers.
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 202.100.2.10 255.255.255.0
 duplex auto
 speed auto
-------------------------------------------------------------------------------------------------------------------------

R3#sh run
hostname R3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 202.100.1.1
!
crypto ipsec transform-set Trans esp-des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set Trans
 match address VPN
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
 ip address 202.100.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
! Mirror of R1: a route to the remote communication point and one to the peer.
ip route 1.1.1.1 255.255.255.255 202.100.2.10
ip route 202.100.1.1 255.255.255.255 202.100.2.10
!
! The crypto ACL must mirror R1's exactly, with source and destination swapped.
ip access-list extended VPN
 permit ip host 2.2.2.2 host 1.1.1.1

----------------------------------------------------------------------------------------------------------------------

The internet router must not learn 1.1.1.1/32 or 2.2.2.2/32: those are internal-network routes, and the public network must not learn them. The internet router therefore only needs its directly connected routes.

The crypto device, on the other hand, needs a route to the remote encryption point (the peer address) and a route to the interesting-traffic destination. However many such routes there are, the next hop is always the internet router, so a single static default route with the internet router as next hop is enough. Note that this route must send the packet out of the interface that carries the crypto map: the routing decision is made before encryption, and a packet routed out of another interface never hits the crypto map and leaves in clear text.

IPsec VPN does not encrypt Layer 2 or multicast traffic: a crypto map has no tunnel interface, and it only protects unicast IP packets that match the crypto ACL. OSPF and EIGRP hellos are multicast and need an interface to form an adjacency on, so this restriction means a dynamic routing protocol cannot run across the IPsec VPN itself.

Most routine IPsec VPN labs use only static or connected routes. Combined with the sentence above, this easily misleads people into thinking that a conventional IPsec VPN deployment cannot run a dynamic routing protocol anywhere.

But where exactly can a dynamic routing protocol not run? I used to assume that it could not run anywhere.

Can the internet network run a dynamic routing protocol?

Experiment 2:

IPSec VPN routing investigation

R1#sh run
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 34.1.1.4
!
crypto ipsec transform-set Trans esp-des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 34.1.1.4
 set transform-set Trans
 match address VPN
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
! One default route covers both the peer (34.1.1.4) and the interesting-traffic
! destination (4.4.4.4); the next hop is always the internet router R2.
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended VPN
 permit ip host 1.1.1.1 host 4.4.4.4

==================================================================

R2#sh run
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
 serial restart-delay 0
!
! OSPF runs inside the internet core only: R2 and R3 peer over 23.1.1.0/24 and
! redistribute their connected subnets, so each learns the other's edge LAN and
! the two crypto peers become reachable. The inside prefixes 1.1.1.1/32 and
! 4.4.4.4/32 never appear in this OSPF process.
router ospf 10
 log-adjacency-changes
 redistribute connected subnets
 network 23.1.1.2 0.0.0.0 area 0
======================================================================

R3#sh run
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 redistribute connected subnets
 network 23.1.1.3 0.0.0.0 area 0
=========================================================

R4#sh run
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1
!
crypto ipsec transform-set Trans esp-des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set Trans
 match address VPN
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 34.1.1.4 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
! Default route towards the internet router R3 covers the peer and the
! interesting-traffic destination.
ip route 0.0.0.0 0.0.0.0 34.1.1.3
!
ip access-list extended VPN
 permit ip host 4.4.4.4 host 1.1.1.1
--------------------------------------------------------------------------------------------------------

Verification

On R1:

R1#ping 4.4.4.4 source 1.1.1.1

The ping succeeds. R1 reaches 4.4.4.4 through its default route and the OSPF-routed internet core, even though R1 and R4 themselves run no routing protocol and the inside prefixes never appear in OSPF.

Summary:

Routes the crypto device needs (using Experiment 1 as the example)

1. A route to the remote encryption point (the peer)

ip route 202.100.2.1 255.255.255.255 202.100.1.10 (on R1)

2. A route to the interesting-traffic destination (the remote communication point)

ip route 2.2.2.2 255.255.255.255 202.100.1.10 (on R1)

The crypto device must have a route to the interesting-traffic destination; without it the traffic cannot get through. The internal network also needs to learn the route to the remote communication point (the remote internal network).

This route cannot be learned by a dynamic routing protocol across a crypto-map IPsec VPN, because there is no tunnel interface over which a routing protocol could form an adjacency; it has to be a static route. The internet core, by contrast, is free to run a dynamic routing protocol, as Experiment 2 shows, because it only needs to carry the public peer addresses.

To solve this we can use GRE. GRE encapsulates multicast and Layer 2 protocols well, and GRE over IPsec gives our IPsec VPN a tunnel interface over which a dynamic routing protocol can run.

In other words, an internal network can then learn the routes of the remote internal network through a dynamic routing protocol.
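The GRE-over-IPsec variant that the conclusion points to, written out for the Experiment 2 topology as an added example (this is not configuration from the original post). Only the public addressing (12.1.1.1, 34.1.1.4, next hops 12.1.1.2 and 34.1.1.3) and the loopbacks come from the page; Tunnel0, the 10.0.0.0/30 tunnel subnet, the profile name GRE-PROT, OSPF process 1, the MTU/MSS values and the key placeholder are assumptions. The phase 1 and phase 2 settings are also tightened against the lab's DES, MD5, default DH group 1 and pre-shared key "cisco"; the sha256 and group 14 keywords assume a 15.x IOS release (on older images fall back to hash sha and esp-sha-hmac).

```cisco
! ---- R1: GRE over IPsec (added example, not from the original post) ----
! Phase 1 hardened versus the lab: AES-256, SHA-256, DH group 14 instead of
! the IOS defaults (DES, group 1) plus MD5. Replace the placeholder key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 34.1.1.4
!
! Transport mode is enough: GRE already adds the outer IP header.
crypto ipsec transform-set Trans esp-aes 256 esp-sha256-hmac
 mode transport
!
! An IPsec profile replaces the crypto map and the crypto ACL; IOS derives the
! proxy identity (GRE between tunnel source and destination) by itself.
crypto ipsec profile GRE-PROT
 set transform-set Trans
!
! The tunnel interface is what lets a routing protocol run across the VPN.
! GRE + ESP overhead is why the inner MTU/MSS are lowered (assumed values).
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 12.1.1.1
 tunnel destination 34.1.1.4
 tunnel protection ipsec profile GRE-PROT
!
! Underlay interface: no crypto map any more.
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
!
! The default route still provides the route to the peer 34.1.1.4.
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
! OSPF over the tunnel advertises only inside prefixes. Never put the tunnel
! endpoint networks (12.1.1.0/24, 34.1.1.0/24) into this process, or the router
! learns its own tunnel destination through the tunnel and shuts it down with a
! recursive-routing error.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 1.1.1.1 0.0.0.0 area 0
!
! ---- R4: mirror configuration ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 12.1.1.1
!
crypto ipsec transform-set Trans esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set Trans
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 34.1.1.4
 tunnel destination 12.1.1.1
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0/0
 ip address 34.1.1.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 34.1.1.3
!
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 4.4.4.4 0.0.0.0 area 0
```

To check that the dynamic route really arrives over the encrypted tunnel rather than by some other path: show ip ospf neighbor on R1 should show R4 in FULL state on Tunnel0, show ip route ospf should list 4.4.4.4/32 with next hop 10.0.0.2, show crypto isakmp sa should show the R1-R4 SA in QM_IDLE, and in show crypto ipsec sa the local/remote identities should be the two public addresses with protocol 47 (GRE) while the pkts encaps/decaps counters increase as you repeat ping 4.4.4.4 source 1.1.1.1. If the counters stay at zero while the ping works, the traffic is leaving in clear text and the tunnel protection is not engaging.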

Reposted from: https://blog.51cto.com/somejunbao/532011
