
Sunday, July 23, 2017

[Cisco] [Security] [CCNA] IPSec VPN DMVPN

IPSec VPN DMVPN

Introduction

The IPSec VPNs introduced earlier were mostly Site-to-Site models. In practice, however, a hub-to-branch structure is common; let us look at the problems that arise in that case. [1]

Star topology (Hub and Spoke)

          +-------+          
          |  Hub  |          
          +-------+          
         /    |    \         
        /     |     \        
       /      |      \       
+-----+    +-----+   +-----+
|Spoke|    |Spoke|   |Spoke|
+-----+    +-----+   +-----+

1. Every additional branch site requires an additional block of configuration on the central device.
2. For Spoke-to-Spoke traffic, packets first go to the Hub and are encrypted once; after the Hub performs a route lookup they are encrypted a second time and sent on to the other Spoke. Being encrypted and decrypted twice raises the cost of processing each packet.
3. When Spoke-to-Spoke traffic is heavy it consumes the Hub's bandwidth; if capacity was not planned for it, the communication of other Spokes may be affected.

Full-mesh topology (Full Mesh Topology)

      +------+       
      |  HUB |       
      +------+       
         /|\         
        / | \        
       /  |  \       
+-----+   |   +-----+
|Spoke|---+---|Spoke|
+-----+   |   +-----+
       \  |  /       
        \ | /        
         \|/         
       +-----+       
       |Spoke|       
       +-----+       

1. With a large number of Spokes the amount of configuration is enormous and maintenance costs are high.
2. Every connection that each Spoke establishes creates a new SA (Security Association), which places demands on device performance.
3. Each site must know the IP addresses of the other sites; with dynamic addresses this requires extra deployment effort.

DMVPN (Dynamic Multipoint VPN)

· Provides full-mesh connectivity through virtual mesh connections (multipoint GRE, mGRE)
· Branch sites may use dynamic addresses
· Adding a new branch site requires no reconfiguration of the central site
· Branch traffic is encapsulated in dynamically created tunnels

Protocols that make up DMVPN

DMVPN is highly compatible and scalable, but it works by combining several protocols. The four protocols that make up DMVPN are introduced below.

Multipoint GRE (mGRE)

Compared with a traditional GRE tunnel, mGRE provides a classic NBMA (Non-Broadcast Multiple Access) network, and an NBMA network is a textbook Hub-and-Spoke model. Spoke-to-Spoke traffic is forwarded through the Hub, which guarantees connectivity at the underlying layer. [2]

Next Hop Resolution Protocol (NHRP)

NHRP overview

mGRE guarantees connectivity at the underlying layer, but with mGRE alone, when a packet has to be GRE-encapsulated there is no destination address available, so the GRE encapsulation cannot be completed. This is where NHRP is needed: it resolves the mapping between tunnel addresses and physical addresses.
If a Spoke only learns the Hub's information, Spoke-to-Spoke traffic must be forwarded through the Hub, which clearly adds to the Hub's load. NHRP therefore uses a register-first, then-request scheme: it not only lets the Hub learn the Spokes' information, it also resolves the NHRP mappings needed for Spoke-to-Spoke communication.

In essence, NHRP provides the mapping table for NBMA network addresses (VPN IP to NBMA IP address mapping).

  • NHRP is a "layer two" resolution and caching protocol, much like ARP or Reverse ARP in Frame Relay networks (broadcasts and multicasts sent by a Spoke are received only by the Hub)

  • In DMVPN it is used to map a tunnel IP address to an NBMA address

  • Like ARP, NHRP has static and dynamic entries (static NHRP is usually configured on the Spokes, dynamic NHRP on the Hub)

Why is NHRP needed? (How mGRE Uses NHRP)

A typical mGRE configuration looks like this:

interface Tunnel 0
 ip address 10.0.0.1 255.0.0.0
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1

  1. When a packet is routed, it is passed to the mGRE interface along with a next hop.

  2. The next hop is the tunnel address of a remote peer.
    At this point, knowing only the peer's tunnel address, the physical address of the remote peer cannot be determined, so the packet cannot be encapsulated and sent. NHRP is needed here to map the tunnel IP address to the NBMA IP address (the IP address of the physical interface).

  3. mGRE looks up the next-hop address in the NHRP cache and retrieves the NBMA address of the remote peer.

  4. mGRE encapsulates the packet in a GRE/IP payload.

  5. The destination of the new packet is the NBMA address.

How does NHRP work? (How NHRP Works)

The essential purpose of NHRP is to build the NHRP cache, which can be populated in three ways. [3]

  • Static entries added manually
  • The Hub learns through Registration requests
  • Spokes learn through Resolution requests
    "Resolution" is for spoke to spoke

The NHRP workflow is shown below in outline; for the detailed packet exchange see the appendix.

SpokeA                      Hub                      SpokeB
  |                          |                          |
  |  NHRP Registration Request (registration request)   |
  |------------------------->|                          |
  |  NHRP Registration Reply |                          |
  |<-------------------------|                          |
  |                          |  NHRP Registration Request
  |                          |<-------------------------|
  |                          |  NHRP Registration Reply |
  |                          |------------------------->|
  |                  [Registration Stage]               |
  |                          |                          |
  |  Resolution Request "SpokeB" (resolution request),  |
  |  Destination "SpokeB"    |                          |
  |------------------------->|                          |
  |                          |  Resolution Request "SpokeB",
  |                          |  Source "SpokeA"         |
  |                          |------------------------->|
  |  Resolution Reply        |                          |
  |<----------------------------------------------------|
  |                  [Resolution Stage]                 |

NHRP Registration Stage

When a Spoke's NHRP interface comes up, the Spoke sends a registration packet to the NHS to advertise its own NBMA network address mapping. In other words, the Hub updates its NHRP entries by learning dynamically (Registration), while for the Spoke, in the Registration Stage ()

NHRP Registration Request

An NHRP Registration Request is used by an NHC (NHRP client) to register its NHRP (Next Hop Resolution Protocol) information with its NHS (Next Hop Server).

When a Spoke's Tunnel interface is enabled, the Spoke sends a registration message to the Hub to inform it of the site's NBMA information. This mechanism lets the Hub learn client NBMA entries dynamically.

The NHRP Registration Request is sent to the NHS (Next Hop Server) to inform it of the site's NBMA information. NHRP Packet Type: NHRP Registration Request (3).

In NHRP packets, note the Request ID field: the Request ID is a unique identifier in a request message. Its value is copied directly from the request packet (NHRP Registration Request) into the reply packet (NHRP Registration Reply). When the requester receives the reply (Registration Reply), it compares the reply's Request ID with its local list of outstanding requests; when a match is found, the request is acknowledged. (From RFC 2332)

NHRP Registration Reply

An NHRP Registration Reply is sent by the NHS (Next Hop Server) to the client in response to an NHRP Registration Request. NHRP Packet Type: NHRP Registration Reply (4).

When the Hub receives the registration message, it replies with a Registration Reply as acknowledgement and returns its own NBMA network address information.

NHRP Resolution Stage

The NHRP resolution stage mainly handles Spoke-to-Spoke communication. After Registration there is no NHRP entry for Spoke-to-Spoke, so Spoke-to-Spoke traffic must pass through the Hub. NHRP's Resolution mechanism, however, optimizes the traffic path so that Spoke-to-Spoke traffic no longer needs to be forwarded by the Hub; the Resolution Request and Resolution Reply are what accomplish this.

NHRP Resolution Request and NHRP Resolution Reply

SpokeA needs to reach SpokeB. SpokeA first looks up its local NHRP mapping table and does not find SpokeB.

  1. SpokeA sends a Resolution Request to the Hub.

  2. If the Hub has an NHRP mapping for the requested node, it sends a Resolution Request to that node (SpokeB), stating the requesting source node (SpokeA).
    If the Hub has no mapping for the requested node, it replies with an NHRP Error Indication and the request ends.

  3. When SpokeB receives the Resolution Request from the Hub and it checks out, SpokeB learns SpokeA's NBMA address information and then replies with a Resolution Reply directly to SpokeA.

  4. When SpokeA receives the Resolution Reply, it learns SpokeB's NBMA address information. Both sides have now learned the NBMA address mapping, and all subsequent traffic follows normal routing directly, no longer forwarded by the Hub.
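The following Python model is an added example, not code from the original post or from Cisco: it walks through the mGRE lookup steps above (route next hop is a tunnel address, the NHRP cache turns it into the NBMA address that becomes the outer IP destination) and the Registration and Resolution exchanges just described, including the Request ID matching from RFC 2332 and the Error Indication for an unregistered target. The node/cache structure, the function names and the message dictionaries are my own simplification; the addresses are the ones used in this post.

```python
from dataclasses import dataclass, field
from itertools import count

# Simulated NBMA underlay: delivers a message to the node that owns an NBMA (physical) address.
NBMA_NETWORK: dict = {}
_request_ids = count(1)  # Request IDs must be unique per requester; one counter is enough here


@dataclass
class NhrpNode:
    """One DMVPN router: tunnel (VPN) address, NBMA address, NHRP cache and pending requests."""
    name: str
    tunnel: str
    nbma: str
    nhs: "NhrpNode | None" = None                    # spokes point at the hub (ip nhrp nhs)
    cache: dict = field(default_factory=dict)        # tunnel address -> NBMA address
    outstanding: dict = field(default_factory=dict)  # request id -> tunnel address awaited

    def __post_init__(self):
        NBMA_NETWORK[self.nbma] = self
        if self.nhs is not None:
            self.cache[self.nhs.tunnel] = self.nhs.nbma  # static entry, like "ip nhrp map"

    # ---- Registration stage (spoke -> NHS) ----------------------------------
    def register(self) -> bool:
        """Spoke sends a Registration Request; the NHS learns the binding dynamically and
        answers with a Registration Reply carrying the same Request ID."""
        rid = next(_request_ids)
        self.outstanding[rid] = self.nhs.tunnel
        reply = self.nhs.handle_registration(rid, self.tunnel, self.nbma)
        # RFC 2332: the reply's Request ID is matched against the list of outstanding requests
        return self.outstanding.pop(reply["request_id"], None) is not None

    def handle_registration(self, rid, spoke_tunnel, spoke_nbma) -> dict:
        self.cache[spoke_tunnel] = spoke_nbma        # dynamic entry on the hub
        return {"type": "Registration Reply", "request_id": rid,
                "src_tunnel": self.tunnel, "src_nbma": self.nbma}

    # ---- Resolution stage (spoke -> NHS -> target spoke -> spoke) -----------
    def resolve(self, dst_tunnel: str) -> str:
        """Spoke-to-spoke: ask the NHS for dst_tunnel's NBMA address and cache the answer."""
        if dst_tunnel in self.cache:
            return self.cache[dst_tunnel]
        rid = next(_request_ids)
        self.outstanding[rid] = dst_tunnel
        reply = self.nhs.handle_resolution(rid, self.tunnel, self.nbma, dst_tunnel)
        self.outstanding.pop(rid)
        if reply["type"] == "Error Indication":
            raise LookupError(f"{self.name}: NHS has no mapping for {dst_tunnel}")
        if reply["request_id"] != rid:
            raise ValueError("Resolution Reply does not match an outstanding request")
        self.cache[dst_tunnel] = reply["client_nbma"]
        return reply["client_nbma"]

    def handle_resolution(self, rid, src_tunnel, src_nbma, dst_tunnel) -> dict:
        if dst_tunnel == self.tunnel:
            # Target spoke: learn the requester's binding and reply directly to its NBMA address
            self.cache[src_tunnel] = src_nbma
            return {"type": "Resolution Reply", "request_id": rid,
                    "client_tunnel": self.tunnel, "client_nbma": self.nbma}
        if dst_tunnel not in self.cache:
            return {"type": "Error Indication", "request_id": rid}
        # NHS: forward the request, Request ID unchanged, to the registered target spoke
        target = NBMA_NETWORK[self.cache[dst_tunnel]]
        return target.handle_resolution(rid, src_tunnel, src_nbma, dst_tunnel)


def mgre_encapsulate(node: NhrpNode, next_hop_tunnel: str, payload: bytes) -> dict:
    """mGRE steps 3-5: the next hop is a tunnel address; the NHRP cache supplies the NBMA
    address that becomes the outer IP destination. No cache entry, no encapsulation."""
    if next_hop_tunnel not in node.cache:
        raise LookupError(f"NHRP could not map {next_hop_tunnel} to NBMA, cache entry not found")
    return {"outer_src": node.nbma, "outer_dst": node.cache[next_hop_tunnel], "gre_payload": payload}


def demo() -> dict:
    """Constructed scenario with this post's addresses: Hub, SpokeA and SpokeB."""
    NBMA_NETWORK.clear()
    hub = NhrpNode("Hub", "172.168.1.8", "192.168.78.8")
    spoke_a = NhrpNode("SpokeA", "172.168.1.1", "192.168.17.1", nhs=hub)
    spoke_b = NhrpNode("SpokeB", "172.168.1.2", "192.168.27.2", nhs=hub)
    if not (spoke_a.register() and spoke_b.register()):
        raise RuntimeError("registration was not acknowledged")
    try:                       # before resolution SpokeA only knows the hub's NBMA address
        mgre_encapsulate(spoke_a, "172.168.1.2", b"data")
        before = "mapped"
    except LookupError:
        before = "cache entry not found"
    nbma_b = spoke_a.resolve("172.168.1.2")
    outer = mgre_encapsulate(spoke_a, "172.168.1.2", b"data")
    try:                       # a tunnel address nobody registered ends in an Error Indication
        spoke_a.resolve("172.168.1.9")
        error = None
    except LookupError as exc:
        error = str(exc)
    return {"hub_cache": dict(hub.cache), "before": before, "nbma_b": nbma_b,
            "outer_dst": outer["outer_dst"], "spoke_b_learned": spoke_b.cache.get("172.168.1.1"),
            "error": error}
```

Running demo() shows the two caches the text describes: the hub ends up with dynamic entries for both spokes, SpokeA's first spoke-to-spoke packet fails the cache lookup (the same condition that produces the "could not map ... cache entry not found" debug line in the appendix), and after one Resolution exchange both spokes hold each other's binding, so the outer destination is SpokeB's NBMA address rather than the hub's.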

For the debug output for this part, see the appendix.

Configuration (key configuration)

Topology. If any of the configuration commands below are unclear, refer to the Cisco configuration guide or the appendix.

                   +-------+                  
                   |  Hub  |                  
                   +-------+                  
                       |S1/0                  
                       |                      
                       |                      
                       |S1/0                  
                   +-------+                  
     +-------------|Switch |-------------+    
     |         S1/1+-------+S1/3         |    
     |                 |S1/2             |    
     |                 |                 |    
     |                 |                 |    
     |S1/0             |S1/0             |S1/0
 +-------+         +-------+         +-------+
 |Spoke-A|         |Spoke-B|         |Spoke-C|
 +-------+         +-------+         +-------+

Interface IP address and NHRP configuration

Hub

!Hub
interface Serial1/0
 ip address 192.168.78.8 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.168.1.8 255.255.255.0
 no ip redirects
 ip nhrp authentication 43413
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source 192.168.78.8
 tunnel mode gre multipoint
 tunnel key 43413

SpokeA

!SpokeA
interface Serial1/0
 ip address 192.168.17.1 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication 43413
 ip nhrp map 172.168.1.8 192.168.78.8
 ip nhrp map multicast 192.168.78.8
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.8
 tunnel source 192.168.17.1
 tunnel mode gre multipoint
 tunnel key 43413
end

SpokeB

!SpokeB
interface Serial1/0
 ip address 192.168.27.2 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication 43413
 ip nhrp map 172.168.1.8 192.168.78.8
 ip nhrp map multicast 192.168.78.8
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.8
 tunnel source 192.168.27.2
 tunnel mode gre multipoint
 tunnel key 43413
end

SpokeC

!SpokeC
interface Serial1/0
 ip address 192.168.37.3 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp authentication 43413
 ip nhrp map 172.168.1.8 192.168.78.8
 ip nhrp map multicast 192.168.78.8
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.8
 tunnel source 192.168.37.3
 tunnel mode gre multipoint
 tunnel key 43413
end

Switch

!Switch
interface Serial1/0
 description To-Hub
 ip address 192.168.78.7 255.255.255.0
 ip ospf 1 area 0
!
interface Serial1/1
 description To-SpokeA
 ip address 192.168.17.7 255.255.255.0
 ip ospf 1 area 0
!
interface Serial1/2
 description To-SpokeB
 ip address 192.168.27.7 255.255.255.0
 ip ospf 1 area 0
!
interface Serial1/3
 description To-SpokeC
 ip address 192.168.37.7 255.255.255.0
 ip ospf 1 area 0
end

IPsec VPN configuration

The IPSec VPN configuration is identical on the Hub and on SpokeA, B and C; it can be used as-is.

crypto ikev2 keyring cisco-ikev2-keyring
 peer dmvpn-node
  description symmetric pre-shared key for the hub/spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 !        
!
crypto ikev2 profile cisco-ikev2-profile
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local cisco-ikev2-keyring
!
crypto ipsec transform-set cisco-ts esp-3des esp-md5-hmac 
 mode tunnel
!
crypto ipsec profile cisco-ipsec-ikev2
 set transform-set cisco-ts 
 set ikev2-profile cisco-ikev2-profile
!
interface Tunnel1
 tunnel protection ipsec profile cisco-ipsec-ikev2
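As an added check, not part of the original post, the following Python reads an IOS configuration like the one above and reports the choices a reviewer would flag before reusing it: the transform set (esp-3des and esp-md5-hmac are on the "avoid" list of Cisco's Next Generation Encryption guidance), one pre-shared key bound to the wildcard peer address 0.0.0.0 0.0.0.0 (with a short key), an mGRE tunnel missing tunnel protection, and a tunnel missing the NHRP authentication string. The block parser, the finding texts and the length threshold of 16 characters are my own; the sample configuration is a constructed copy of the page's.

```python
# Algorithm lists follow Cisco's Next Generation Encryption guidance for IPsec transforms.
AVOID = {"esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY = {"esp-sha-hmac"}          # SHA-1 HMAC: legacy, prefer esp-sha256-hmac

# Constructed sample: the IKEv2/IPsec part of the configuration shown above, plus the tunnel lines.
SAMPLE_CONFIG = """\
crypto ikev2 keyring cisco-ikev2-keyring
 peer dmvpn-node
  description symmetric pre-shared key for the hub/spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 !
!
crypto ikev2 profile cisco-ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local cisco-ikev2-keyring
!
crypto ipsec transform-set cisco-ts esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile cisco-ipsec-ikev2
 set transform-set cisco-ts
 set ikev2-profile cisco-ikev2-profile
!
interface Tunnel1
 ip nhrp authentication 43413
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco-ipsec-ikev2
"""


def blocks(config: str) -> list:
    """Split an IOS configuration into (top-level line, [stripped indented lines]) pairs."""
    out, header, children = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                out.append((header, children))
            header, children = line.strip(), []
    if header is not None:
        out.append((header, children))
    return out


def audit_ipsec_config(config: str) -> list:
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for header, body in blocks(config):
        words = header.split()
        if header.startswith("crypto ipsec transform-set"):
            algs = set(words[4:])                       # everything after the set name
            avoid, legacy = sorted(algs & AVOID), sorted(algs & LEGACY)
            if avoid:
                findings.append(f"{header}: avoid {', '.join(avoid)}; "
                                "use esp-gcm 256, or esp-aes 256 with esp-sha256-hmac")
            if legacy:
                findings.append(f"{header}: {', '.join(legacy)} is legacy; prefer esp-sha256-hmac")
        elif header.startswith("crypto ikev2 keyring"):
            wildcard = "address 0.0.0.0 0.0.0.0" in body
            for line in body:
                if line.startswith("pre-shared-key"):
                    key = line.split()[-1]
                    if wildcard:
                        findings.append(f"{header}: one pre-shared key for every peer address; "
                                        "any holder of the key can bring up a tunnel as a spoke")
                    if len(key) < 16:
                        findings.append(f"{header}: pre-shared key is only {len(key)} characters")
        elif header.startswith("interface Tunnel"):
            protected = any(l.startswith("tunnel protection ipsec profile") for l in body)
            if "tunnel mode gre multipoint" in body and not protected:
                findings.append(f"{header}: mGRE tunnel without tunnel protection; "
                                "NHRP and data cross the NBMA network in clear")
            if not any(l.startswith("ip nhrp authentication") for l in body):
                findings.append(f"{header}: no ip nhrp authentication string")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec_config(SAMPLE_CONFIG):
        print(finding)
```

On the page's configuration the audit reports three findings (the transform set, the wildcard key and the key length) and nothing for Tunnel1, because tunnel protection and the NHRP authentication string are both present. Keep in mind that the NHRP authentication string is carried in the NHRP Authentication Extension as a plain string, so it separates DMVPN clouds rather than authenticating peers; peer authentication comes from IKEv2.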

Appendix

NHRP packets sent and received during operation

                           +-------+          
                           |  Hub  | 172.168.1.8  tunnel       
                           +-------+ 192.168.78.8 interface    
                          /         \         
                         /           \        
172.168.1.1 tunnel      /             \ 172.168.1.2 tunnel
192.168.17.1 interface /               \ 192.168.27.2 interface
               +-------+                +-------+
               |Spoke-A|                |Spoke-B|
               +-------+                +-------+

===========================================Registration=========================================================
Internet Protocol Version 4, Src: 192.168.17.1, Dst: 192.168.78.8【NHRP Registration Request】
Generic Routing Encapsulation (NHRP)
Next Hop Resolution Protocol (NHRP Registration Request)
    NHRP Fixed Header                                      【Fixed fields of every NHRP packet, RFC2332 "5.1 NHRP Fixed Header"】
        Address Family Number: IPv4 (0x0001)                     【RFC2332 "ar$afn"】
        Protocol Type (short form): IPv4 (0x0800)                【RFC2332 "ar$pro.type"】
        Protocol Type (long form): 0000000000                    【RFC2332 "ar$pro.type"】
        Hop Count: 255                                           【RFC2332 "ar$hopcnt"】
        Packet Length: 105                                       【RFC2332 "ar$pktsz"】
        NHRP Packet Checksum: 0xab06 [correct]                   【RFC2332 "ar$chksum"】
        Extension Offset: 52                                     【RFC2332 "ar$extoff"】
        Version: 1 (NHRP - rfc2332)                              【RFC2332 "ar$op.version"】
        NHRP Packet Type: NHRP Registration Request (3)          【RFC2332 "ar$op.type"】
        Source Address Type/Len: NSAP format/4                   【RFC2332 "ar$shtl"】
        Source SubAddress Type/Len: NSAP format/0                【RFC2332 "ar$sstl"】
    NHRP Mandatory Part                                    【Type-specific part every NHRP packet must carry, RFC2332 "5.2.0 Mandatory Part"】
        Source Protocol Len: 4                                   【RFC2332 "Src Proto Len"】
        Destination Protocol Len: 4                              【RFC2332 "Dst Proto Len"】
        Flags: 0x8002, Uniqueness Bit, Cisco NAT Supported       【RFC2332 "Flags"】
        Request ID: 0x00010007 (65543)                           【RFC2332 "Request ID"】*
        Source NBMA Address: 192.168.17.1                        【RFC2332 "Source NBMA Address"】(SpokeA, interface IP address)
        Source Protocol Address: 172.168.1.1                     【RFC2332 "Source Protocol Address"】(SpokeA, Tunnel IP address)
        Destination Protocol Address: 172.168.1.8                【RFC2332 "Destination Protocol Address"】(registering with the Hub)
        Client Information Entry
    Responder Address Extension
    Forward Transit NHS Record Extension
    Reverse Transit NHS Record Extension
    NHRP Authentication Extension
    Cisco NAT Address Extension
    End of Extension

Internet Protocol Version 4, Src: 192.168.78.8, Dst: 192.168.17.1【NHRP Registration Reply】
Generic Routing Encapsulation (NHRP)
Next Hop Resolution Protocol (NHRP Registration Reply)
    NHRP Fixed Header
        Address Family Number: IPv4 (0x0001)
        Protocol Type (short form): IPv4 (0x0800)
        Protocol Type (long form): 0000000000
        Hop Count: 255
        Packet Length: 125
        NHRP Packet Checksum: 0x8443 [correct]
        Extension Offset: 52
        Version: 1 (NHRP - rfc2332)
        NHRP Packet Type: NHRP Registration Reply (4)           【identifies the NHRP Packet Type】
        Source Address Type/Len: NSAP format/4
        Source SubAddress Type/Len: NSAP format/0
    NHRP Mandatory Part
        Source Protocol Len: 4
        Destination Protocol Len: 4
        Flags: 0x8002, Uniqueness Bit, Cisco NAT Supported
        Request ID: 0x00010007 (65543)                           【same as in the Registration Request】
        Source NBMA Address: 192.168.17.1                        【same as in the Registration Request】
        Source Protocol Address: 172.168.1.1                     【same as in the Registration Request】
        Destination Protocol Address: 172.168.1.8                【same as in the Registration Request】
        Client Information Entry
    Responder Address Extension
    Forward Transit NHS Record Extension
    Reverse Transit NHS Record Extension
    NHRP Authentication Extension
    Cisco NAT Address Extension
    End of Extension
===========================================Registration=========================================================


===========================================Resolution=========================================================

Internet Protocol Version 4, Src: 192.168.17.1, Dst: 192.168.78.8【NHRP Resolution Request】【SpokeA to NHS】
Generic Routing Encapsulation (NHRP)
Next Hop Resolution Protocol (NHRP Resolution Request)
    NHRP Fixed Header
        Address Family Number: IPv4 (0x0001)
        Protocol Type (short form): IPv4 (0x0800)
        Protocol Type (long form): 0000000000
        Hop Count: 255
        Packet Length: 85
        NHRP Packet Checksum: 0xf12e [correct]
        Extension Offset: 52
        Version: 1 (NHRP - rfc2332)
        NHRP Packet Type: NHRP Resolution Request (1)
        Source Address Type/Len: NSAP format/4
        Source SubAddress Type/Len: NSAP format/0
    NHRP Mandatory Part
        Source Protocol Len: 4
        Destination Protocol Len: 4
        Flags: 0xc802, Is Router, Authoritative, Stable Binding, Cisco NAT Supported
        Request ID: 0x00000006 (6)
        Source NBMA Address: 192.168.17.1                       【SpokeA, interface IP Address】
        Source Protocol Address: 172.168.1.1                    【SpokeA, Tunnel IP Address】
        Destination Protocol Address: 172.168.1.2               【SpokeB, Tunnel IP Address】
        Client Information Entry
    Responder Address Extension
    Forward Transit NHS Record Extension
    Reverse Transit NHS Record Extension
    NHRP Authentication Extension
    Cisco NAT Address Extension
    End of Extension

Internet Protocol Version 4, Src: 192.168.78.8, Dst: 192.168.27.2【NHRP Resolution Request】【Hub to SpokeB】
Generic Routing Encapsulation (NHRP)
Next Hop Resolution Protocol (NHRP Resolution Request)
    NHRP Fixed Header
    NHRP Mandatory Part
        Source Protocol Len: 4
        Destination Protocol Len: 4
        Flags: 0xc802, Is Router, Authoritative, Stable Binding, Cisco NAT Supported
        Request ID: 0x00000006 (6)
        Source NBMA Address: 192.168.17.1
        Source Protocol Address: 172.168.1.1
        Destination Protocol Address: 172.168.1.2
        Client Information Entry
    Responder Address Extension
    Forward Transit NHS Record Extension
    Reverse Transit NHS Record Extension
    NHRP Authentication Extension
    Cisco NAT Address Extension
    End of Extension

Internet Protocol Version 4, Src: 192.168.27.2, Dst: 192.168.17.1【NHRP Resolution Reply】【SpokeB to SpokeA】
Generic Routing Encapsulation (NHRP)
Next Hop Resolution Protocol (NHRP Resolution Reply)
    NHRP Fixed Header
        Address Family Number: IPv4 (0x0001)
        Protocol Type (short form): IPv4 (0x0800)
        Protocol Type (long form): 0000000000
        Hop Count: 255
        Packet Length: 133
        NHRP Packet Checksum: 0x1550 [correct]
        Extension Offset: 60
        Version: 1 (NHRP - rfc2332)
        NHRP Packet Type: NHRP Resolution Reply (2)
        Source Address Type/Len: NSAP format/4
        Source SubAddress Type/Len: NSAP format/0
    NHRP Mandatory Part
        Source Protocol Len: 4
        Destination Protocol Len: 4
        Flags: 0xf802, Is Router, Authoritative, Stable Association, Uniqueness Bit, Stable Binding, Cisco NAT Supported
        Request ID: 0x00000006 (6)                                  【same value as in the NHRP Resolution Request】
        Source NBMA Address: 192.168.17.1
        Source Protocol Address: 172.168.1.1
        Destination Protocol Address: 172.168.1.2                【RFC2332 "Destination Protocol Address"】(SpokeB, Tunnel IP Address)
        Client Information Entry
            Code: Success (0)                                       【RFC2332 Page 18 "Code"】
            Prefix Length: 32                                       【RFC2332 “Prefix Length”】
            Unused: 0                                               
            Max Transmission Unit: 17912                            【RFC2332 “ Maximum Transmission Unit”】
            Holding Time (s): 7200                                  【RFC2332 “Holding Time”】
            Client Address Type/Len: NSAP format/4                  【RFC2332 “Cli Addr T/L”】
            Client Sub Address Type/Len: NSAP format/0              【RFC2332 “Cli SAddr T/L”】
            Client Protocol Length: 4                               【RFC2332 “Cli Proto Len”】
            CIE Preference Value: 0                                 【RFC2332 “Preference”】
            Client NBMA Address: 192.168.27.2                       【RFC2332 “Client NBMA Address”】(the requested NBMA address, returned in the reply)
            Client Protocol Address: 172.168.1.2                    【RFC2332 “Client Protocol Address”】(the requested Tunnel IP address, returned in the reply)
    Responder Address Extension
    Forward Transit NHS Record Extension
    Reverse Transit NHS Record Extension
    NHRP Authentication Extension
    Cisco NAT Address Extension
    End of Extension
===========================================Resolution=========================================================
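As an added example, not code from the original post, the following Python builds and parses the NHRP fixed header and mandatory part from RFC 2332 sections 5.1 and 5.2, using the field values of the Resolution Reply capture above (flags 0xf802, Request ID 6, the three addresses and the Client Information Entry). The extensions after ar$extoff are left out, so the constructed packet is 60 bytes rather than the capture's 133 and ar$extoff is 0; the checksum is the standard one's-complement checksum over the whole packet. The function names, the dictionary layout of the parsed result and the reply_matches helper are my own.

```python
import struct
from ipaddress import IPv4Address

# ar$op.type values, RFC 2332 section 5.2
PACKET_TYPES = {1: "Resolution Request", 2: "Resolution Reply", 3: "Registration Request",
                4: "Registration Reply", 5: "Purge Request", 6: "Purge Reply", 7: "Error Indication"}
# afn, pro.type, pro.snap, hopcnt, pktsz, chksum, extoff, op.version, op.type, shtl, sstl
FIXED_HDR = "!HH5sBHHHBBBB"
# code, prefix len, unused, MTU, holding time, cli addr T/L, cli saddr T/L, cli proto len, preference
CIE_HDR = "!BBHHHBBBB"


def ip_checksum(data: bytes) -> int:
    """One's-complement 16-bit checksum (RFC 1071); ar$chksum covers the entire NHRP packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(op_type, flags, request_id, src_nbma, src_proto, dst_proto, cies=()) -> bytes:
    """Fixed header + mandatory part (+ CIEs) for IPv4 over an IPv4 NBMA network.
    Extensions are omitted, so ar$extoff is 0 and ar$pktsz covers only what is built here."""
    body = struct.pack("!BBHI", 4, 4, flags, request_id)          # src/dst proto len = 4 (IPv4)
    body += IPv4Address(src_nbma).packed + IPv4Address(src_proto).packed + IPv4Address(dst_proto).packed
    for cie in cies:
        nbma, proto = IPv4Address(cie["client_nbma"]).packed, IPv4Address(cie["client_proto"]).packed
        body += struct.pack(CIE_HDR, cie["code"], cie["prefix_len"], 0, cie["mtu"],
                            cie["holding_time"], len(nbma), 0, len(proto), cie["preference"])
        body += nbma + proto
    pktsz = struct.calcsize(FIXED_HDR) + len(body)
    # shtl = 4: NSAP form, 4-byte NBMA address; sstl = 0: no subaddress (as in the capture)
    hdr = struct.pack(FIXED_HDR, 1, 0x0800, b"\x00" * 5, 255, pktsz, 0, 0, 1, op_type, 4, 0)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ip_checksum(pkt)) + pkt[14:]   # ar$chksum is at offset 12


def parse_packet(pkt: bytes) -> dict:
    """Validate and decode an NHRP packet; ValueError on length, checksum or version problems."""
    hdr_len = struct.calcsize(FIXED_HDR)
    if len(pkt) < hdr_len:
        raise ValueError("packet shorter than the fixed header")
    (afn, pro_type, _snap, hopcnt, pktsz, _chk, extoff,
     version, op_type, shtl, sstl) = struct.unpack(FIXED_HDR, pkt[:hdr_len])
    if pktsz != len(pkt):
        raise ValueError("ar$pktsz does not match the bytes received")
    if ip_checksum(pkt) != 0:          # with a correct ar$chksum included, the packet sums to zero
        raise ValueError("NHRP checksum mismatch")
    if version != 1 or afn != 1 or pro_type != 0x0800 or op_type not in PACKET_TYPES:
        raise ValueError("unsupported NHRP version, address family or packet type")
    nbma_len, sub_len = shtl & 0x3F, sstl & 0x3F    # low 6 bits of a Type/Len byte are the length
    off = hdr_len
    src_proto_len, dst_proto_len, flags, request_id = struct.unpack("!BBHI", pkt[off:off + 8])
    off += 8
    out = {"type": PACKET_TYPES[op_type], "hop_count": hopcnt, "flags": flags, "request_id": request_id}
    out["src_nbma"] = str(IPv4Address(pkt[off:off + nbma_len])); off += nbma_len + sub_len
    out["src_proto"] = str(IPv4Address(pkt[off:off + src_proto_len])); off += src_proto_len
    out["dst_proto"] = str(IPv4Address(pkt[off:off + dst_proto_len])); off += dst_proto_len
    out["cies"] = []
    end = extoff if extoff else len(pkt)            # CIEs run up to the first extension
    while off < end:
        code, plen, _u, mtu, hold, cli_tl, cli_stl, cli_plen, pref = struct.unpack(CIE_HDR, pkt[off:off + 12])
        off += 12
        cie = {"code": code, "prefix_len": plen, "mtu": mtu, "holding_time": hold, "preference": pref}
        n = cli_tl & 0x3F
        cie["client_nbma"] = str(IPv4Address(pkt[off:off + n])) if n else None; off += n + (cli_stl & 0x3F)
        cie["client_proto"] = str(IPv4Address(pkt[off:off + cli_plen])) if cli_plen else None; off += cli_plen
        out["cies"].append(cie)
    return out


def reply_matches(request: dict, reply: dict) -> bool:
    """RFC 2332: the Request ID is copied into the reply; the requester matches it to an outstanding request."""
    pairs = {"Registration Request": "Registration Reply", "Resolution Request": "Resolution Reply"}
    return pairs.get(request["type"]) == reply["type"] and request["request_id"] == reply["request_id"]


# Constructed sample: the Resolution Reply from the capture above, rebuilt without its extensions
SAMPLE_REPLY = build_packet(2, 0xF802, 6, "192.168.17.1", "172.168.1.1", "172.168.1.2",
                            cies=[{"code": 0, "prefix_len": 32, "mtu": 17912, "holding_time": 7200,
                                   "preference": 0, "client_nbma": "192.168.27.2",
                                   "client_proto": "172.168.1.2"}])
```

The constructed reply comes out at exactly the 60 bytes that the capture's Extension Offset of 60 implies for the fixed header, mandatory part and one CIE with two 4-byte addresses. Note that ar$chksum only catches accidental corruption; on the NBMA network NHRP's integrity against an active party comes from the IPsec tunnel protection applied to the tunnel interface, not from this checksum.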

The complete packet captures can be downloaded here: packet capture 1, packet capture 2.

NHRP Resolution debug

SpokeA needs to reach SpokeB. SpokeA first looks up its local NHRP mapping table and does not find SpokeB.
*Jul 20 15:22:43.523: NHRP: NHRP could not map 172.168.1.2 to NBMA, cache entry not found

  1. SpokeA sends a Resolution Request to the Hub.
    *Jul 20 15:22:43.527: NHRP: Sending packet to NHS 172.168.1.8 on Tunnel1

  2. If the Hub has an NHRP mapping for the requested node, it forwards the NHRP Resolution Request to that node (SpokeB).
    *Jul 20 15:23:03.479: NHRP: Receive Resolution Request via Tunnel1 vrf 0, packet size: 85
    *Jul 20 15:23:03.483: NHRP: Forwarding request due to authoritative request.
    If the Hub has no mapping for the requested node, it replies with an NHRP Error Indication and the request ends.

  3. When SpokeB receives the Resolution Request from the Hub and it checks out, SpokeB learns SpokeA's NBMA address information and then replies with a Resolution Reply directly to SpokeA.
    *Jul 20 15:22:13.443: NHRP: NHRP could not map 172.168.1.1 to NBMA, cache entry not found
    *Jul 20 15:22:13.459: NHRP: Updating with NHS cache for dst:172.168.1.1
    *Jul 20 15:22:13.547: NHRP: Send Resolution Reply via Tunnel1 vrf 0, packet size: 133

  4. When SpokeA receives the Resolution Reply, it learns SpokeB's NBMA address information. Both sides have now learned the NBMA address mapping, and all subsequent traffic follows normal routing directly, no longer forwarded by the Hub.
    *Jul 20 15:22:43.727: NHRP: Receive Resolution Reply via Tunnel1 vrf 0, packet size: 133
    *Jul 20 15:22:43.743: NHRP: Successfully attached NHRP subblock for Tunnel Endpoints (VPN: 172.168.1.2, NBMA: 192.168.27.2)

    The complete debug output can be downloaded here.

Brief explanation of the DMVPN configuration

Hub

!Hub
interface Serial1/0
 ip address 192.168.78.8 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.168.1.8 255.255.255.0
 no ip redirects
 ip nhrp authentication 43413    !NHRP authentication string; all devices in the same NBMA network must be configured with the same string.
 ip nhrp map multicast dynamic   !Build NHRP mapping entries dynamically (through registration).
 ip nhrp network-id 10           !Defines the NHRP domain; locally significant. When packets arrive on the GRE interface, the NHRP domain assigns them to the right DMVPN.
 tunnel source 192.168.78.8      !GRE tunnel source address.
 tunnel mode gre multipoint      !GRE tunnel mode: mGRE.
 tunnel key 43413                !GRE key

SpokeA

!SpokeA
interface Serial1/0
 ip address 192.168.17.1 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication 43413
 ip nhrp map 172.168.1.8 192.168.78.8   !Configures static IP-to-NBMA address mapping on the station.
 ip nhrp map multicast 192.168.78.8     !Adds the NBMA address that receives broadcast and multicast packets.
 ip nhrp network-id 10                  !Defines the NHRP domain; locally significant. When packets arrive on the GRE interface, the NHRP domain assigns them to the right DMVPN.
 ip nhrp nhs 172.168.1.8                !NHS (Next Hop Server) address (the server that registration packets are sent to)
 tunnel source 192.168.17.1             !GRE tunnel source address.
 tunnel mode gre multipoint
 tunnel key 43413
end

IPsec VPN configuration

crypto ikev2 keyring cisco-ikev2-keyring                       !Configure the IKEv2 keyring
 peer dmvpn-node                                               !Configure a Peer and associated keys
  description symmetric pre-shared key for the hub/spoke
  address 0.0.0.0 0.0.0.0                                      !Peers are dynamic, so the address is 0.0.0.0
  pre-shared-key cisco123                                      !Pre-shared key "cisco123"
 !
!
crypto ikev2 profile cisco-ikev2-profile                       !Configure the IKEv2 profile
 match identity remote address 0.0.0.0                         !Peers are dynamic, so the address is 0.0.0.0
 authentication remote pre-share                               !Pre-shared-key authentication on both sides
 authentication local pre-share                                !Pre-shared-key authentication on both sides
 keyring local cisco-ikev2-keyring                             !Reference the keyring configured above
!
crypto ipsec transform-set cisco-ts esp-3des esp-md5-hmac      !Configure the transform set
 mode tunnel
!
crypto ipsec profile cisco-ipsec-ikev2                         !Configure the IPsec profile
 set transform-set cisco-ts                                    !Reference the transform set configured above
 set ikev2-profile cisco-ikev2-profile                         !Reference the IKEv2 profile above (which in turn references the keyring)
!
interface Tunnel1
 tunnel protection ipsec profile cisco-ipsec-ikev2             !Applied on the interface to protect the traffic on the tunnel.

References