20210106 cisco GRE

課堂資料

GRE 通用路由封裝 - Jan Ho 的網絡世界Jan Ho 的網絡世界

IPsec 網際網路安全協定- Jan Ho 的網絡世界Jan Ho 的網絡世界

GRE over IPSec vs IPSec over GRE - Jan Ho 的網絡世界Jan Ho 的網絡世界

課堂練習

GRE

Hub-to-spoke Topology

R1

int lo 0

ip add 192.168.1.1 255.255.255.0

no shut

int e0/0

ip add 10.0.14.1 255.255.255.0

no shut

router rip

ver 2

no auto-summary

net 10.0.14.0

net 172.16.0.0

net 192.168.0.0

R1 與 R2 建立 Tunnel

int tunnel 12

ip add 172.16.12.1 255.255.255.0

tunnel source e0/0

tunnel destination 10.0.24.2

R1 與 R3 建立 Tunnel

int tunnel 13

ip add 172.16.13.1 255.255.255.0

tunnel source e0/0

tunnel destination 10.0.34.3

R1 Ping R2 / R3 進行 Tunnel 連線測試

do ping 172.16.12.2 source 172.16.12.1

do ping 172.16.13.3 source 172.16.12.1

R2

R3

R4

Routing Protocol

R1

router eigrp 1

net 172.16.12.0 0.0.0.255

net 172.16.13.0 0.0.0.255

net 192.168.1.0

no auto-summary

do sh ip ro eigrp 1

do ping 192.168.2.2 source 192.168.1.1

do ping 192.168.3.3 source 192.168.1.1

R2

R3

IPSec over GRE Tunnel

R1

crypto isakmp policy 10

authentication pre-share

crypto ipsec transform-set TS esp-3des ah-sha-hmac

exit

crypto isakmp key  ccie add 10.0.24.2

crypto isakmp key  ccie add 10.0.34.3

crypto ipsec profile PF

set transform-set TS

int tunnel 12

tunnel protection ipsec PRofile PF

R2

R3

R4

IPsec

設定

R1

int e0/0

ip add 192.168.13.1 255.255.255.0

no shut

int e0/1

ip add 192.168.10.1 255.255.255.0

no shut

exit

ip route 0.0.0.0 0.0.0.0 192.168.13.3

do ping 192.168.23.2

do ping 192.168.20.1

R2

R3

設定 Interesting Traffic

R1

ip access-list extended VPN-Traffic

Permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

exit

R2

設定 IKE Phase 1 參數

R1

crypto isakmp policy 1

encryption aes

hash md5

authentication pre-share

group 2

lifetime 30000

R2

設定 IKE Phase 2參數

R1

exit

crypto ipsec transform-set TS esp-3des ah-sha-hmac

R2

設定 Pre-share Key

R1

crypto isakmp key 6 ccie add 192.168.23.2

R2

定義 Crypto Map

R1

crypto map CMAP 1 ipsec-isakmp

set peer 192.168.23.2

set transform-set TS

match add VPN-Traffic

int e0/0

crypto map CMAP

R2

測試

R1

do ping 192.168.20.1 source 192.168.10.1

GRE over IPsec vs IPSec over GRE

GRE over IPsec設定

R1

網路設定

int lo 0

ip add 1.1.1.1 255.255.255.0

no shut

int e0/0

ip add 192.168.13.1 255.255.255.0

no shut

exit

ip route 192.168.23.0 255.255.255.0 192.168.13.3

do ping 192.168.23.2 source 192.168.13.1

do ping 2.2.2.2 source 1.1.1.1

設定 Interesting Traffic

ip access-list extended IPSEC_TUNNEL

Permit ip host 192.168.13.1 host 192.168.23.2

設定 IPSec

crypto isakmp key ccie add 192.168.23.2

crypto isakmp policy 10

encryption aes

authentication pre-share

group 2

exit

crypto ipsec transform-set TS esp-3des

exit

crypto map GRE_OVER_IPSEC 10 ipsec-isakmp

set peer 192.168.23.2

set transform-set TS

match add IPSEC_TUNNEL

在 Interface 應用Crypto Map

int e0/0

crypto map GRE_OVER_IPSEC

設定 GRE Tunnel

int tunnel 0

ip add 172.16.12.1 255.255.255.0

tunnel source e0/0

tunnel destination 192.168.23.2

測試

do ping 172.16.12.2 source 172.16.12.1

do sh crypto ipsec sa

設定 Routing Protocol

router eigrp 1

no auto-summary

net 172.16.12.0 0.0.0.255

net 1.1.1.0 0.0.0.255

查看 Neighbor

do sh ip eigrp nei

do ping 2.2.2.2 source 1.1.1.1

R2

R3

IPSec over GRE 設定

R4

網路設定

int lo 0

ip add 1.1.1.1 255.255.255.0

no shut

int e0/0

ip add 192.168.13.1 255.255.255.0

no shut

exit

ip route 192.168.23.0 255.255.255.0 192.168.13.3

設定 GRE Tunnel

int tunnel 0

ip add 172.16.12.1 255.255.255.0

tunnel source e0/0

tunnel destination 192.168.23.2

測試

do ping 172.16.12.2 source 172.16.12.1

設定 Routing Protocol

router eigrp 1

no auto-summary

net 172.16.12.0 0.0.0.255

net 1.1.1.0 0.0.0.255

測試

do sh ip eigrp nei

do ping 2.2.2.2 source 1.1.1.1

設定 Interesting Traffic

ip access-list extended IPSEC_TUNNEL

Permit ip host 1.1.1.1 host 2.2.2.2

設定 IPSec

crypto isakmp key ccie add 172.16.12.2

crypto isakmp policy 10

encryption aes

authentication pre-share

group 2

exit

crypto ipsec transform-set TS esp-3des

exit

crypto map IPSEC_OVER_GRE 10 ipsec-isakmp

set peer 172.16.12.2

set transform-set TS

match add IPSEC_TUNNEL

在 Tunnel Interface 應用 Crypto Map

int tunnel 0

crypto map IPSEC_OVER_GRE

測試

do ping 2.2.2.2 source 1.1.1.1

do sh crypto ipsec sa

R5

R6