December 2020

VyOS GRE over IPsec: IKEv1 and IKEv2 configuration test

I. Test topology
II. Configuration steps
1. Basic configuration
A. PC1 router
interface Ethernet0/0
    ip address 172.16.100.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.100.254
B. Site1 (VyOS1)
set system host-name 'vyos1'
set interfaces ethernet eth0 address '202.100.1.1/24'
set interfaces ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop '202.100.1.10'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'
C. Internet router
interface Ethernet0/0
    ip address 202.100.1.10 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.1.10 255.255.255.0
    no shutdown
D. Site2 (VyOS2)
set system host-name 'vyos2'
set interfaces ethernet eth0 address '61.128.1.1/24'
set interfaces ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'
E. PC2 router
interface Ethernet0/0
    ip address 172.16.200.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.200.254
2. GRE over IPsec IKEv1 configuration
A. Site1 (VyOS1)
-- Configure the GRE tunnel interface
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 202.100.1.1
set interfaces tunnel tun0 remote-ip 61.128.1.1
set interfaces tunnel tun0 address 10.10.10.1/30
-- Configure the phase 1 policy set (IKE group)
set vpn ipsec ike-group MyIKEGroup proposal 10 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 10 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 10 hash 'sha1'
-- Configure the phase 2 policy set (ESP group)
set vpn ipsec esp-group MyESPGroup proposal 10 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 10 hash 'sha1'
-- Configure the peer
set vpn ipsec site-to-site peer 61.128.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 61.128.1.1 authentication pre-shared-secret Cisc0123
set vpn ipsec site-to-site peer 61.128.1.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 61.128.1.1 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 61.128.1.1 local-address 202.100.1.1
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 protocol gre
-- Enable IPsec on the interface
set vpn ipsec ipsec-interfaces interface 'eth0'
-- Configure dynamic routing (OSPF)
set protocols ospf area 0.0.0.0 network '172.16.100.0/24'
set protocols ospf area 0.0.0.0 network '10.10.10.0/30'
set protocols ospf parameters router-id '202.100.1.1'
set interfaces tunnel tun0 ip ospf network point-to-point
B. Site2 (VyOS2)
-- Configure the GRE tunnel interface
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 61.128.1.1
set interfaces tunnel tun0 remote-ip 202.100.1.1
set interfaces tunnel tun0 address 10.10.10.2/30
-- Configure the phase 1 policy set (IKE group)
set vpn ipsec ike-group MyIKEGroup proposal 10 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 10 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 10 hash 'sha1'
-- Configure the phase 2 policy set (ESP group)
set vpn ipsec esp-group MyESPGroup proposal 10 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 10 hash 'sha1'
-- Configure the peer
set vpn ipsec site-to-site peer 202.100.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 202.100.1.1 authentication pre-shared-secret Cisc0123
set vpn ipsec site-to-site peer 202.100.1.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 202.100.1.1 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 202.100.1.1 local-address 61.128.1.1
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 protocol gre
-- Enable IPsec on the interface
set vpn ipsec ipsec-interfaces interface 'eth0'
-- Configure dynamic routing (OSPF)
set protocols ospf area 0.0.0.0 network '172.16.200.0/24'
set protocols ospf area 0.0.0.0 network '10.10.10.0/30'
set protocols ospf parameters router-id '61.128.1.1'
set interfaces tunnel tun0 ip ospf network point-to-point
3. GRE over IPsec IKEv2 configuration
A. Site1 (VyOS1)
Summary: the main difference is one added line, set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev2'
-- Configure the GRE tunnel interface
Note: same as the previous configuration
-- Configure the phase 1 policy set (IKE group)
set vpn ipsec ike-group MyIKEGroup dead-peer-detection action 'hold'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection interval '30'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection timeout '120'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev2'
set vpn ipsec ike-group MyIKEGroup proposal 10 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 10 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 10 hash 'sha1'
Note: compared with the previous configuration, DPD has been added and key-exchange is set to ikev2 (the default is ikev1)
-- Configure the phase 2 policy set (ESP group)
Note: same as the previous configuration
-- Configure the peer
Note: same as the previous configuration; an authentication id can also be added
-- Enable IPsec on the interface
Note: same as the previous configuration
-- Configure dynamic routing (OSPF)
Note: same as the previous configuration
B. Site2 (VyOS2)
-- Configure the GRE tunnel interface
Note: same as the previous configuration
-- Configure the phase 1 policy set (IKE group)
set vpn ipsec ike-group MyIKEGroup dead-peer-detection action 'hold'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection interval '30'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection timeout '120'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev2'
set vpn ipsec ike-group MyIKEGroup proposal 10 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 10 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 10 hash 'sha1'
-- Configure the phase 2 policy set (ESP group)
Note: same as the previous configuration
-- Configure the peer
Note: same as the previous configuration; an authentication id can also be added
-- Enable IPsec on the interface
Note: same as the previous configuration
-- Configure dynamic routing (OSPF)
Note: same as the previous configuration
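Every parameter negotiated by IKE has to agree on both VyOS routers, and the single key-exchange line from the summary above is the one most easily applied on only one end (that side then offers IKEv2 while the other still runs IKEv1, and the tunnel never comes up). The checker below is an added example, not part of the original post and not a VyOS tool: it parses VyOS set-commands from both sites (the two blocks are constructed from the IKEv1 commands above, in the VyOS 1.1 syntax used here) and reports anything that does not mirror: peer and local-address, the GRE endpoints, the pre-shared secret, key-exchange (read as ikev1 when absent, which is the VyOS default), the IKE and ESP proposals, and the tunnel protocol.

```python
"""Check that two VyOS site-to-site IPsec peer configurations mirror each other.
Added example, not from the original post or VyOS: the set-commands below are
copied from the post's IKEv1 section; the checker itself is a hypothetical helper."""
import shlex
from typing import Dict, List, Tuple

Config = Dict[Tuple[str, ...], str]  # config path tokens -> value

# Constructed input: the peer-relevant set-commands for each site, as in the post.
SITE1 = """
set interfaces tunnel tun0 local-ip 202.100.1.1
set interfaces tunnel tun0 remote-ip 61.128.1.1
set vpn ipsec ike-group MyIKEGroup proposal 10 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 10 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 10 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 10 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 10 hash 'sha1'
set vpn ipsec site-to-site peer 61.128.1.1 authentication pre-shared-secret Cisc0123
set vpn ipsec site-to-site peer 61.128.1.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 61.128.1.1 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 61.128.1.1 local-address 202.100.1.1
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 protocol gre
"""
SITE2 = """
set interfaces tunnel tun0 local-ip 61.128.1.1
set interfaces tunnel tun0 remote-ip 202.100.1.1
set vpn ipsec ike-group MyIKEGroup proposal 10 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 10 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 10 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 10 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 10 hash 'sha1'
set vpn ipsec site-to-site peer 202.100.1.1 authentication pre-shared-secret Cisc0123
set vpn ipsec site-to-site peer 202.100.1.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 202.100.1.1 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 202.100.1.1 local-address 61.128.1.1
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 protocol gre
"""

def parse_set_lines(text: str) -> Config:
    """'set a b c value' -> {('a', 'b', 'c'): 'value'}; shlex drops the quotes."""
    cfg: Config = {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 3 and toks[0] == "set":
            cfg[tuple(toks[1:-1])] = toks[-1]
    return cfg

def subtree(cfg: Config, *prefix: str) -> Config:
    """Entries below a path prefix, keyed by the remaining path tokens."""
    n = len(prefix)
    return {k[n:]: v for k, v in cfg.items() if k[:n] == prefix}

def peer_summary(cfg: Config) -> dict:
    """Pull the fields that must agree between the two ends of one tunnel."""
    peers = {k[0] for k in subtree(cfg, "vpn", "ipsec", "site-to-site", "peer")}
    if len(peers) != 1:
        raise ValueError(f"expected exactly one peer, found {sorted(peers)}")
    peer = peers.pop()
    p = subtree(cfg, "vpn", "ipsec", "site-to-site", "peer", peer)
    ike = subtree(cfg, "vpn", "ipsec", "ike-group", p[("ike-group",)])
    esp = subtree(cfg, "vpn", "ipsec", "esp-group", p[("default-esp-group",)])
    return {
        "peer": peer,
        "local": p[("local-address",)],
        "psk": p[("authentication", "pre-shared-secret")],
        "key_exchange": ike.get(("key-exchange",), "ikev1"),  # VyOS default is ikev1
        "ike_proposals": sorted((k, v) for k, v in ike.items() if k[0] == "proposal"),
        "esp_proposals": sorted((k, v) for k, v in esp.items() if k[0] == "proposal"),
        "tunnel_proto": p.get(("tunnel", "0", "protocol")),
        "gre": (cfg.get(("interfaces", "tunnel", "tun0", "local-ip")),
                cfg.get(("interfaces", "tunnel", "tun0", "remote-ip"))),
    }

def check_symmetry(a: dict, b: dict) -> List[str]:
    """Return a list of mismatches; an empty list means the two ends agree."""
    problems = []
    if (a["peer"], a["local"]) != (b["local"], b["peer"]):
        problems.append("peer / local-address do not mirror each other")
    if a["gre"] != tuple(reversed(b["gre"])):
        problems.append("GRE local-ip / remote-ip do not mirror each other")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared secrets differ")
    if a["key_exchange"] != b["key_exchange"]:
        problems.append(f"key-exchange mismatch: {a['key_exchange']} vs {b['key_exchange']}")
    for name in ("ike_proposals", "esp_proposals"):
        if a[name] != b[name]:
            problems.append(f"{name.replace('_', ' ')} differ")
    if not (a["tunnel_proto"] == b["tunnel_proto"] == "gre"):
        problems.append("tunnel 0 protocol is not gre on both ends")
    return problems

def compare_sites(site1: str, site2: str) -> List[str]:
    return check_symmetry(peer_summary(parse_set_lines(site1)),
                          peer_summary(parse_set_lines(site2)))

if __name__ == "__main__":
    print("IKEv1 pair:", compare_sites(SITE1, SITE2) or "consistent")
    # Upgrading only one end to IKEv2 is the mistake this check is meant to catch.
    print("one-sided IKEv2:", compare_sites(
        SITE1 + "set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev2'\n", SITE2))
```

The same parser accepts the IKEv2 variant unchanged, since key-exchange and the dead-peer-detection lines simply become extra entries under the ike-group; only key-exchange is compared, because DPD timers are local behaviour and do not have to match.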
III. Verification
1. Verify the GRE over IPsec IKEv1 configuration
A. View the IKE SA
vyos@vyos1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
61.128.1.1                              202.100.1.1                            

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    2        no     1132    28800  
B. View the IPsec SA
vyos@vyos1:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
61.128.1.1                              202.100.1.1                            

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     13.8K/13.2K    aes128   sha1    no     1257    3600    gre

vyos@vyos1:~$
C. View OSPF neighbors and routes
vyos@vyos1:~$ show ip ospf neighbor

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
61.128.1.1        1 Full/DROther      36.750s 10.10.10.2      tun0:10.10.10.1          0     0     0
vyos@vyos1:~$
vyos@vyos1:~$ show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.10.0/30 [110/10] is directly connected, tun0, 00:17:56
O   172.16.100.0/24 [110/10] is directly connected, eth2, 00:09:25
O>* 172.16.200.0/24 [110/20] via 10.10.10.2, tun0, 00:08:41
vyos@vyos1:~$
D. Ping verification
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
PC1#
E. The VPN debug log confirms that IKEv1 is in use
vyos@vyos1:~$ show vpn debug
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth2/eth2 172.16.100.254:500
000 interface eth0/eth0 202.100.1.1:500
000 interface tun0/tun0 10.10.10.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "peer-61.128.1.1-tunnel-0": 202.100.1.1[202.100.1.1]:47/0...61.128.1.1[61.128.1.1]:47/0; erouted; eroute owner: #4
000 "peer-61.128.1.1-tunnel-0":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-61.128.1.1-tunnel-0":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
000 "peer-61.128.1.1-tunnel-0":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "peer-61.128.1.1-tunnel-0":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "peer-61.128.1.1-tunnel-0":   ESP proposal: AES_CBC_128/HMAC_SHA1/<Phase1>
000
000 #2: "peer-61.128.1.1-tunnel-0" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1726s
000 #2: "peer-61.128.1.1-tunnel-0" esp.c57f4dda@61.128.1.1 (708 bytes) esp.cc4dbd8a@202.100.1.1 (660 bytes); tunnel
000 #1: "peer-61.128.1.1-tunnel-0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26685s
000 #4: "peer-61.128.1.1-tunnel-0" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2214s; newest IPSEC; eroute owner
000 #4: "peer-61.128.1.1-tunnel-0" esp.ca9d4702@61.128.1.1 (15320 bytes, 3s ago) esp.cc1bb46e@202.100.1.1 (14752 bytes, 8s ago); tunnel
000 #3: "peer-61.128.1.1-tunnel-0" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27414s; newest ISAKMP
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 18 minutes, since Dec 26 11:33:47 2019
  malloc: sbrk 270336, mmap 0, used 225984, free 44352
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  172.16.100.254
  202.100.1.1
  10.10.10.1
Connections:
Security Associations:
  none
vyos@vyos1:~$
2. Verify the GRE over IPsec IKEv2 configuration
A. The VPN debug log confirms that IKEv2 is in use
vyos@vyos1:~$ show vpn debug
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth2/eth2 172.16.100.254:500
000 interface eth0/eth0 202.100.1.1:500
000 interface tun0/tun0 10.10.10.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 25 minutes, since Dec 26 11:33:48 2019
  malloc: sbrk 401408, mmap 0, used 246752, free 154656
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 5
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  172.16.100.254
  202.100.1.1
  10.10.10.1
Connections:
peer-61.128.1.1-tunnel-0:  202.100.1.1...61.128.1.1
peer-61.128.1.1-tunnel-0:   local:  [202.100.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-0:   remote: [61.128.1.1] uses any authentication
peer-61.128.1.1-tunnel-0:   child:  dynamic[gre] === dynamic[gre]
Security Associations:
peer-61.128.1.1-tunnel-0[2]: ESTABLISHED 32 seconds ago, 202.100.1.1[202.100.1.1]...61.128.1.1[61.128.1.1]
peer-61.128.1.1-tunnel-0[2]: IKE SPIs: 0249610fc4bbc6a0_i fb36164b2ae5adeb_r*, rekeying in 7 hours
peer-61.128.1.1-tunnel-0[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-61.128.1.1-tunnel-0{3}:  INSTALLED, TUNNEL, ESP SPIs: c16f2942_i cda88c3b_o
peer-61.128.1.1-tunnel-0{3}:  AES_CBC_128/HMAC_SHA1_96, 1260 bytes_i (4s ago), 1164 bytes_o (8s ago), rekeying in 42 minutes
peer-61.128.1.1-tunnel-0{3}:   202.100.1.1/32[gre] === 61.128.1.1/32[gre]
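Reading the two debug dumps by eye is enough for one tunnel: a live SA listed by the pluto daemon means IKEv1, one listed by charon means IKEv2. The script below is an added example, not from the post, VyOS or strongSwan, that applies the same rule to trimmed copies of the output above and then checks the negotiated IKE proposal against a constructed list of legacy algorithm names (MODP_1024, HMAC_SHA1, MD5, DES), mapping each back to the VyOS ike-group setting that produced it. Both outputs above negotiate AES_CBC_128 with HMAC_SHA1 and MODP_1024, which is what dh-group '2' and hash 'sha1' request.

```python
"""Classify a VyOS 1.1 'show vpn debug' dump as IKEv1 (pluto) or IKEv2 (charon)
and flag legacy algorithms in the negotiated IKE proposal.

Added example, not from the original post, VyOS or strongSwan: the two samples
are trimmed copies of the post's own debug output, and the LEGACY table is this
example's own reading of which strongSwan names map to which VyOS settings."""
import re
from typing import Dict, List

# strongSwan algorithm names treated as legacy here, with the VyOS knob that produces them.
LEGACY = {
    "MODP_768": "dh-group 1", "MODP_1024": "dh-group 2",
    "HMAC_MD5": "hash md5", "HMAC_MD5_96": "hash md5",
    "HMAC_SHA1": "hash sha1", "HMAC_SHA1_96": "hash sha1", "PRF_HMAC_SHA1": "hash sha1",
    "DES_CBC": "encryption des", "3DES_CBC": "encryption 3des",
}
CHARON_HEADER = "Status of IKEv2 charon daemon"  # VyOS 1.1 prints pluto first, then charon
PROPOSAL_RE = re.compile(r"IKE proposal: (\S+)")

# Constructed samples, trimmed from the post's IKEv1 and IKEv2 'show vpn debug' output.
IKEV1_SAMPLE = """\
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 "peer-61.128.1.1-tunnel-0":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "peer-61.128.1.1-tunnel-0":   ESP proposal: AES_CBC_128/HMAC_SHA1/<Phase1>
000 #1: "peer-61.128.1.1-tunnel-0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26685s
000 #4: "peer-61.128.1.1-tunnel-0" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2214s
Status of IKEv2 charon daemon (strongSwan 4.5.2):
Security Associations:
  none
"""
IKEV2_SAMPLE = """\
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 debug options: none
Status of IKEv2 charon daemon (strongSwan 4.5.2):
Security Associations:
peer-61.128.1.1-tunnel-0[2]: ESTABLISHED 32 seconds ago, 202.100.1.1[202.100.1.1]...61.128.1.1[61.128.1.1]
peer-61.128.1.1-tunnel-0[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-61.128.1.1-tunnel-0{3}:  INSTALLED, TUNNEL, ESP SPIs: c16f2942_i cda88c3b_o
"""

def legacy_components(proposal: str) -> List[str]:
    """Components of 'ALG/ALG/...' that appear in LEGACY, in proposal order."""
    return [c for c in proposal.split("/") if c in LEGACY]

def classify(debug_output: str) -> Dict[str, object]:
    """Decide which daemon holds the live IKE SA and inspect its proposal."""
    pluto, _, charon = debug_output.partition(CHARON_HEADER)
    pluto_up = "ISAKMP SA established" in pluto                          # IKEv1 phase 1 done
    charon_up = re.search(r"\[\d+\]: ESTABLISHED", charon) is not None  # IKEv2 IKE_SA up
    live = charon if charon_up else pluto if pluto_up else ""
    match = PROPOSAL_RE.search(live)
    proposal = match.group(1) if match else None
    legacy = legacy_components(proposal) if proposal else []
    return {
        "ike_version": 2 if charon_up else 1 if pluto_up else None,
        "proposal": proposal,
        "legacy": legacy,
        "vyos_settings": sorted({LEGACY[c] for c in legacy}),  # what to change, on both ends
    }

if __name__ == "__main__":
    for name, sample in (("IKEv1", IKEV1_SAMPLE), ("IKEv2", IKEV2_SAMPLE)):
        print(name, classify(sample))
```

On a real box the input would come from `show vpn debug`; the split on the charon header is specific to this strongSwan 4.5.2 layout, where both daemons report in one listing, so the header constant is the first thing to adjust on a newer release.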