VRF-lite IPSec

Given the following topology:

[topology diagram: IPSec]

Initial configs:

---
R1
---

!
ip vrf A
 rd 1:1
!
ip vrf B
 rd 1:2
!
!
interface Loopback1
 ip vrf forwarding A
 ip address 192.168.100.1 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback2
 ip vrf forwarding B
 ip address 192.168.101.1 255.255.255.255
 ip ospf 2 area 0
!
interface Tunnel1
 ip vrf forwarding A
 ip address 192.168.1.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.2
 tunnel key 1
!
interface Tunnel2
 ip vrf forwarding B
 ip address 192.168.2.1 255.255.255.0
 ip ospf 2 area 0
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.2
 tunnel key 2
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
!
!
router ospf 1 vrf A
 router-id 1.1.1.1
 network 192.168.1.0 0.0.0.255 area 0
!
router ospf 2 vrf B
 router-id 2.2.2.2
 network 192.168.2.0 0.0.0.255 area 0
!
---
R2
---

!
ip vrf A
 rd 1:1
!
ip vrf B
 rd 1:2
!
!
!
interface Loopback1
 ip vrf forwarding A
 ip address 192.168.100.2 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback2
 ip vrf forwarding B
 ip address 192.168.101.2 255.255.255.255
 ip ospf 2 area 0
!
interface Tunnel1
 ip vrf forwarding A
 ip address 192.168.1.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.1
 tunnel key 1
!
interface Tunnel2
 ip vrf forwarding B
 ip address 192.168.2.2 255.255.255.0
 ip ospf 2 area 0
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.1
 tunnel key 2
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
!
!
router ospf 1 vrf A
 router-id 11.11.11.11
 network 192.168.1.0 0.0.0.255 area 0
!
router ospf 2 vrf B
 router-id 22.22.22.22
 network 192.168.2.0 0.0.0.255 area 0
!

Important notes:
– If several tunnels use the same source interface, the "tunnel key" command must be used. If it is left out, the tunnel does not come up.
– VRF-lite OSPF is configured with the router ospf X vrf Y command.
– Tu1 and Lo1 are in VRF A, Tu2 and Lo2 are in VRF B.
– The source interfaces are in the GLOBAL routing table!

The OSPF neighborships are up:

R1#sh ip ospf ne
Neighbor ID Pri State Dead Time Address Interface
22.22.22.22 0 FULL/ - 00:00:34 192.168.2.2 Tunnel2
11.11.11.11 0 FULL/ - 00:00:31 192.168.1.2 Tunnel1
R1#

Routing tables:

R1#sh ip route vrf A
Routing Table: A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 a - application route
 + - replicated route, % - next hop override
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Tunnel1
L 192.168.1.1/32 is directly connected, Tunnel1
 192.168.100.0/24 is variably subnetted, 3 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Loopback1
L 192.168.100.1/32 is directly connected, Loopback1
O 192.168.100.2/32 [110/1001] via 192.168.1.2, 01:21:42, Tunnel1
R1#


R1#sh ip route vrf B
Routing Table: B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 a - application route
 + - replicated route, % - next hop override
Gateway of last resort is not set
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Tunnel2
L 192.168.2.1/32 is directly connected, Tunnel2
 192.168.101.0/24 is variably subnetted, 3 subnets, 2 masks
C 192.168.101.0/24 is directly connected, Loopback2
L 192.168.101.1/32 is directly connected, Loopback2
O 192.168.101.2/32 [110/1001] via 192.168.2.2, 01:22:18, Tunnel2
R1#

Ping:

R1#ping vrf B 192.168.101.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#

So far so good. Now for IPsec.
The usual tunnel protection ipsec profile X does not work here, because both tunnels have the same source interface, and I want to use the same IPsec profile under both tunnels. That is what the "shared" keyword is for.
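The two pitfalls just described (tunnels sharing a source without a unique tunnel key, and one IPsec profile applied to several such tunnels without the shared keyword) can be checked mechanically before the config is pushed. The following Python config check is an added example and not part of the original post; the config text it parses is a constructed sample modelled on R1, and the function names are my own.

```python
import re

# Constructed sample (not the post's config verbatim); Tunnel2 lacks "tunnel key" and "shared" on purpose.
SAMPLE_CONFIG = """
interface Tunnel1
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.2
 tunnel key 1
 tunnel protection ipsec profile IPSEC shared
interface Tunnel2
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.2
 tunnel protection ipsec profile IPSEC
"""

def parse_tunnels(config):
    """Collect source, destination, GRE key and IPsec profile for every Tunnel interface."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m or (line.strip() and not line.startswith(" ")):  # new block or other top-level command
            cur = tunnels.setdefault(m.group(1), {"key": None, "profile": None, "shared": False}) if m else None
        elif cur is not None:
            words = line.split()
            if words[:2] == ["tunnel", "source"]:
                cur["source"] = words[2]
            elif words[:2] == ["tunnel", "destination"]:
                cur["dest"] = words[2]
            elif words[:2] == ["tunnel", "key"]:
                cur["key"] = words[2]
            elif words[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                cur["profile"], cur["shared"] = words[4], "shared" in words[5:]
    return tunnels

def check_tunnels(tunnels):
    """Return sorted (tunnel, problem) pairs for the two pitfalls the post describes."""
    by_endpoints = {}  # tunnels that share both source and destination
    for name, t in tunnels.items():
        by_endpoints.setdefault((t.get("source"), t.get("dest")), []).append(name)
    problems = []
    for (src, _), names in by_endpoints.items():
        if len(names) < 2:
            continue  # a lone tunnel on this endpoint pair needs neither a key nor 'shared'
        keys = [tunnels[n]["key"] for n in names]
        for n in names:
            if tunnels[n]["key"] is None or keys.count(tunnels[n]["key"]) > 1:
                problems.append((n, f"no unique 'tunnel key' while sharing source {src}"))
            if tunnels[n]["profile"] and not tunnels[n]["shared"]:
                problems.append((n, f"IPsec profile {tunnels[n]['profile']} applied without 'shared'"))
    return sorted(problems)
```

Running `check_tunnels(parse_tunnels(SAMPLE_CONFIG))` flags Tunnel2 twice; adding `tunnel key 2` and the `shared` keyword makes the list empty.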

Config:

---
R1
---

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key IPSEC address 10.0.0.2
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set trans2
!
interface Tunnel1
 tunnel protection ipsec profile IPSEC shared
interface Tunnel2
 tunnel protection ipsec profile IPSEC shared



---
R2
---

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key IPSEC address 10.0.0.1
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set trans2
!
interface Tunnel1
 tunnel protection ipsec profile IPSEC shared
interface Tunnel2
 tunnel protection ipsec profile IPSEC shared

And...

*Jul 17 16:54:34.314: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.0.2 10.0.0.1 QM_IDLE 1006 ACTIVE
10.0.0.1 10.0.0.2 QM_IDLE 1005 ACTIVE

IPv6 Crypto ISAKMP SA

R1#

QM_IDLE is what we want to see here; it means ISAKMP is fine!

R1#sh crypto ipsec sa | i Tunnel|enc|dec
interface: Tunnel1
 #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
interface: Tunnel2
 #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
R1#

It can be seen that both encryption and decryption happen under both tunnels, which is what we want to see.

Final test:

R1#ping vrf B 192.168.101.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#ping vrf A 192.168.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
R1#
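A stricter version of the final test is to snapshot the per-tunnel encaps/decaps counters before and after the VRF ping and confirm that the ping's packets actually went through the IPsec SA rather than plain GRE. The following Python snippet is an added example, not part of the original post; both snapshots are constructed, BEFORE copying the counters shown above and AFTER assuming the 5-packet ping in VRF B went through Tunnel2.

```python
import re

# Constructed snapshots modelled on the post's filtered "show crypto ipsec sa" output.
# BEFORE copies the counters shown above; AFTER is what they would look like once the
# 5-packet "ping vrf B" has gone through Tunnel2 (Tunnel1 untouched). Not real captures.
BEFORE = """\
interface: Tunnel1
 #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
interface: Tunnel2
 #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
"""
AFTER = """\
interface: Tunnel1
 #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
interface: Tunnel2
 #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
 #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(output):
    """Map each 'interface: TunnelN' block to its encaps/decaps packet counters."""
    counters, cur = {}, None
    for line in output.splitlines():
        m = re.match(r"interface: (\S+)", line)
        if m:
            cur = counters.setdefault(m.group(1), {})
        elif cur is not None:
            for name, value in COUNTER_RE.findall(line):
                cur[name] = int(value)
    return counters

def counter_delta(before, after):
    """Per-tunnel increase of encaps/decaps between two parsed snapshots."""
    return {tun: {k: after[tun].get(k, 0) - before.get(tun, {}).get(k, 0) for k in ("encaps", "decaps")}
            for tun in after}

def ping_was_protected(before_text, after_text, tunnel, sent):
    """True when at least `sent` packets were both encapsulated and decapsulated on `tunnel`,
    i.e. the echo requests and replies went through the IPsec SA and not unprotected GRE."""
    d = counter_delta(parse_sa_counters(before_text), parse_sa_counters(after_text))[tunnel]
    return d["encaps"] >= sent and d["decaps"] >= sent
```

`ping_was_protected(BEFORE, AFTER, "Tunnel2", 5)` is True for the VRF B ping, while the same call for Tunnel1 is False because no VRF A traffic was sent between the snapshots.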