This document describes how to configure GRE over IPsec to route traffic from a central site to multiple remote sites. A Cisco 7206 router is the central-site router, and all other sites connect to it over IPsec. Cisco 2610, 3620 and 3640 routers are the remote routers. Every site can reach the main network behind the Cisco 7206 and every other remote site through its tunnel to the main site, and routing updates are exchanged automatically with Enhanced Interior Gateway Routing Protocol (EIGRP).
The information in this document was developed and tested with these software and hardware versions:
Cisco 7206 router running Cisco IOS® Software Release 12.3(1) IK9S
Cisco 2621XM router running Cisco IOS Software Release 12.3(1) IK9S
Cisco 3640 router running Cisco IOS Software Release 12.3(1) IK9S
Cisco 3640 router running Cisco IOS Software Release 12.3(1) IK9S
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
This document uses this network setup:
This procedure guides you through the configuration of IPsec tunnels that establish routing between a central site and multiple remote sites. The procedure consists of three main steps.
Complete these steps to configure the GRE tunnels:
Create a GRE tunnel from each remote site to headquarters. On the Cisco 7206 router, set up one tunnel interface for each remote site.
interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
!
interface Tunnel1
 ip address 192.168.46.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.40
!
interface Tunnel2
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.20
The tunnel source of every tunnel is the FastEthernet1/0 interface, the interface used for the Internet connection. The tunnel destination is the IP address of the remote router's Internet-facing interface. Each tunnel must have an IP address in a different, otherwise unused subnet.
Configure the GRE tunnels on the Cisco 2610, 3620 and 3640 routers. The configuration is similar to that of the Cisco 7206 router.
Cisco 2610 router
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
Cisco 3620 router
interface Tunnel0
 ip address 192.168.26.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 14.36.88.6
Cisco 3640 router
interface Tunnel0
 ip address 192.168.46.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
Each remote router uses the local interface that connects it to the Internet as its tunnel source; the address of that interface is the tunnel destination configured for it on the Cisco 7206 router. The tunnel destination on each remote router is the IP address of the Cisco 7206 interface that connects to the Internet. The tunnel interface IP address is in the same subnet as the corresponding tunnel interface on the Cisco 7206 router.
Make sure that each remote router can ping both the tunnel destination IP address and the corresponding tunnel interface on the main router.
Also make sure that each router can be pinged from the central-site router.
Cisco 2610 router
vpn2610#ping 14.36.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
vpn2610#ping 192.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
vpn2610#
Cisco 3620 router
vpn3620#ping 14.38.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.38.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vpn3620#ping 192.168.26.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.26.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
vpn3620#
Cisco 3640 router
vpn3640#ping 14.36.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.36.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
vpn3640#ping 192.168.46.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.46.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
vpn3640#
Note: If not every router can ping the central (hub) router, use these guidelines to troubleshoot the individual connections as needed.
Can the remote router ping the hub router from its public IP address to the hub's public IP address?
Is there a device between the two routers that blocks GRE (firewalls, or access lists on the routers)?
What does the show interface command display for the tunnel interface?
Complete these steps to configure encryption for the GRE tunnels:
Once the GRE tunnels come up successfully, proceed to encryption. First, create access lists that define the traffic to be encrypted.
The access lists permit traffic from the local IP address on each router to the IP address at the other end. The show version command displays the software version that the cache engine is running.
7206:
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10

2610:
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6

3620:
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6

3640:
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6
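The consistency rules stated above (each spoke's tunnel destination is the hub's Internet address, the hub has a tunnel aimed at the spoke's Internet address, both tunnel ends share one otherwise unused subnet, and the crypto access lists are mirror images) can be checked mechanically. The following Python checker is an added example, not part of the original document; the HUB and SPOKE fragments are constructed copies of the 7206 and 2610 values shown above.

```python
import ipaddress
import re
# Constructed hub (7206) and spoke (2610) fragments that reuse the article's addressing.
HUB = """interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
interface FastEthernet1/0
 ip address 14.36.88.6 255.255.0.0
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
"""
SPOKE = """interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
interface Ethernet0/0
 ip address 14.38.88.10 255.255.0.0
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
"""
def parse(cfg):
    # Per-interface ip/mask/tunnel endpoints plus (src, dst) pairs from GRE crypto ACLs.
    ifaces, acls, cur = {}, [], {}
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            cur["ip"], cur["mask"] = m.groups()
        elif m := re.match(r"\s+tunnel (source|destination) (\S+)", line):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"access-list \d+ permit gre host (\S+) host (\S+)", line):
            acls.append(m.groups())
    return ifaces, acls

def check_pair(hub_cfg, spoke_cfg):
    """Return mismatch descriptions for one hub/spoke pair; an empty list means consistent."""
    (h_if, h_acl), (s_if, s_acl) = parse(hub_cfg), parse(spoke_cfg)
    s_tun = next(v for v in s_if.values() if "destination" in v)
    s_pub = s_if[s_tun["source"]]["ip"]  # spoke's internet-facing address
    # The hub must terminate a tunnel whose destination is that public address.
    h_tun = next((v for v in h_if.values() if v.get("destination") == s_pub), None)
    if h_tun is None:
        return [f"hub has no tunnel with destination {s_pub}"]
    h_pub, problems = h_if[h_tun["source"]]["ip"], []
    if s_tun["destination"] != h_pub:
        problems.append(f"spoke tunnel destination {s_tun['destination']} != hub {h_pub}")
    net = ipaddress.ip_network(f"{h_tun['ip']}/{h_tun['mask']}", strict=False)
    if ipaddress.ip_address(s_tun["ip"]) not in net:  # both ends in one tunnel subnet
        problems.append(f"spoke tunnel address {s_tun['ip']} not in {net}")
    if (h_pub, s_pub) not in h_acl or (s_pub, h_pub) not in s_acl:
        problems.append("crypto ACLs are not mirror images (gre host A host B / host B host A)")
    return problems
```

Run check_pair once per spoke against the hub configuration; any non-empty result names the side and value to correct before moving on to the crypto configuration.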
Configure the Internet Security Association and Key Management Protocol (ISAKMP) policy, the ISAKMP key and the IPsec transform set.
The ISAKMP policy, key and IPsec transform set on the two ends of a single tunnel must match each other. Not all tunnels need to use the same policy, key or transform set. In this example, all tunnels use the same policy, key and transform set for simplicity.
Cisco 7206 router
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
Cisco 2610 router
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
Cisco 3620 router
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
Cisco 3640 router
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
Configure the crypto maps. The central site uses a separate sequence number for each connection.
Cisco 7206 router
crypto map vpn 10 ipsec-isakmp
 set peer 14.38.88.40
 set transform-set strong
 match address 130
crypto map vpn 20 ipsec-isakmp
 set peer 14.38.88.20
 set transform-set strong
 match address 140
crypto map vpn 30 ipsec-isakmp
 set peer 14.38.88.10
 set transform-set strong
 match address 150
Cisco 2610 router
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 120
Cisco 3620 router
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 110
Cisco 3640 router
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 100
Apply the crypto map. The map must be applied to both the tunnel interface and the physical interface that sends the packets.
Cisco 7206 router
interface Tunnel0
 crypto map vpn
interface Tunnel1
 crypto map vpn
interface Tunnel2
 crypto map vpn
interface FastEthernet1/0
 crypto map vpn
Cisco 2610 router
interface Tunnel0
 crypto map vpn
interface Ethernet0/0
 crypto map vpn
Cisco 3620 router
interface Tunnel0
 crypto map vpn
interface Ethernet1/0
 crypto map vpn
Cisco 3640 router
interface Tunnel0
 crypto map vpn
interface Ethernet0/0
 crypto map vpn
To configure the routing protocol, configure an autonomous system number at every site and instruct the routing protocol (EIGRP) to share routes. Only the networks covered by a network statement are shared with the other routers through the routing protocol. The autonomous system number must match on all routers that participate in route sharing. In this example, the networks in use can be summarized in a single network statement for simplicity.
Cisco 7206 router
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
Cisco 2610 router
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
Cisco 3620 router
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
Cisco 3640 router
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
This document uses these configurations:
Cisco 7206 router
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sec-7206
!
aaa new-model
aaa authentication ppp default local
!
username cisco password 0 cisco
!
!
!
!
ip subnet-zero
ip cef
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.38.88.40
 set transform-set strong
 match address 130
crypto map vpn 20 ipsec-isakmp
 set peer 14.38.88.20
 set transform-set strong
 match address 140
crypto map vpn 30 ipsec-isakmp
 set peer 14.38.88.10
 set transform-set strong
 match address 150
!
!
!
!
!
!
interface Tunnel0
 ip address 192.168.16.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.10
 crypto map vpn
!
interface Tunnel1
 ip address 192.168.46.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.40
 crypto map vpn
!
interface Tunnel2
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 14.38.88.20
 crypto map vpn
!
interface FastEthernet0/0
 no ip address
 no ip mroute-cache
 shutdown
 media-type MII
 half-duplex
!
interface FastEthernet1/0
 ip address 14.36.88.6 255.255.0.0
 no ip mroute-cache
 half-duplex
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool test
 ppp authentication ms-chap
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip local pool test 10.0.7.1 10.0.7.254
ip default-gateway 14.36.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 14.36.1.1
no ip http server
!
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
radius-server host 172.18.124.197 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end
sec-7206#
Cisco 2610 router
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2610
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.10 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address dhcp
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
line vty 5 15
 login
!
end
vpn2610#
Cisco 3620 router
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3620
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 110
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.26.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet1/0
 ip address 14.38.88.20 255.255.0.0
 half-duplex
 crypto map vpn
!
interface TokenRing1/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end
vpn3620#
Cisco 3640 router
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 set transform-set strong
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.46.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 14.36.88.6
 crypto map vpn
!
interface Ethernet0/0
 ip address 14.38.88.40 255.255.0.0
 half-duplex
 crypto map vpn
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
interface Ethernet3/0
 no ip address
 shutdown
 half-duplex
!
interface TokenRing3/0
 no ip address
 shutdown
 ring-speed 16
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.1.1
ip http server
!
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end
vpn3640#
This section provides information you can use to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.
show ip route — Use this command to make sure that the routes are learned through the routing protocol.
Cisco 7206 router
sec-7206#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 14.36.1.1 to network 0.0.0.0

C    192.168.46.0/24 is directly connected, Tunnel1
D    192.168.10.0/24 [90/297372416] via 192.168.16.1, 05:53:23, Tunnel0
D    192.168.40.0/24 [90/297372416] via 192.168.46.1, 05:53:23, Tunnel1
C    192.168.26.0/24 is directly connected, Tunnel2
D    192.168.20.0/24 [90/297372416] via 192.168.26.1, 05:53:21, Tunnel2
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.36.0.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 14.36.1.1
sec-7206#
Cisco 2610 router
vpn2610#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 14.38.1.1 to network 0.0.0.0

D    192.168.46.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
C    192.168.10.0/24 is directly connected, Loopback0
D    192.168.40.0/24 [90/310172416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.26.0/24 [90/310044416] via 192.168.16.2, 05:53:55, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.16.2, 05:53:53, Tunnel0
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn2610#
Cisco 3620 router
vpn3620#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 14.38.1.1 to network 0.0.0.0

D    192.168.46.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
D    192.168.40.0/24 [90/310172416] via 192.168.26.2, 05:54:15, Tunnel0
C    192.168.26.0/24 is directly connected, Tunnel0
C    192.168.20.0/24 is directly connected, Loopback0
D    192.168.16.0/24 [90/310044416] via 192.168.26.2, 05:54:15, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3620#
Cisco 3640 router
vpn3640#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 14.38.1.1 to network 0.0.0.0

C    192.168.46.0/24 is directly connected, Tunnel0
D    192.168.10.0/24 [90/310172416] via 192.168.46.2, 05:54:32, Tunnel0
C    192.168.40.0/24 is directly connected, Loopback0
D    192.168.26.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
D    192.168.20.0/24 [90/310172416] via 192.168.46.2, 05:54:30, Tunnel0
D    192.168.16.0/24 [90/310044416] via 192.168.46.2, 05:54:32, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.38.0.0 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 14.38.1.1
vpn3640#
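The show ip route check above can be scripted so that every remote LAN is confirmed to be EIGRP-learned (code D) and to exit through a tunnel interface; a remote prefix that points at the physical interface instead would mean that traffic leaves outside the GRE over IPsec path. This Python audit is an added example, not part of the original document; HUB_ROUTES is a constructed sample made from the hub's route lines shown above, and EXPECTED_REMOTE lists the three spoke Loopback0 networks.

```python
import re

# Route lines taken from the article's 7206 show ip route output (constructed sample input).
HUB_ROUTES = """\
C    192.168.46.0/24 is directly connected, Tunnel1
D    192.168.10.0/24 [90/297372416] via 192.168.16.1, 05:53:23, Tunnel0
D    192.168.40.0/24 [90/297372416] via 192.168.46.1, 05:53:23, Tunnel1
C    192.168.26.0/24 is directly connected, Tunnel2
D    192.168.20.0/24 [90/297372416] via 192.168.26.1, 05:53:21, Tunnel2
C    192.168.16.0/24 is directly connected, Tunnel0
     14.0.0.0/16 is subnetted, 1 subnets
C       14.36.0.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 14.36.1.1
"""
# Remote LANs (the spokes' Loopback0 networks) that must arrive via EIGRP over a tunnel.
EXPECTED_REMOTE = ("192.168.10.0/24", "192.168.20.0/24", "192.168.40.0/24")

CODE_RE = re.compile(r"[A-Za-z]{1,2}\*?")
PREFIX_RE = re.compile(r"\d+(?:\.\d+){3}(?:/\d+)?")

def parse_routes(text):
    """Map prefix -> (route code, last token: the outgoing interface when IOS prints one)."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not CODE_RE.fullmatch(parts[0]) or not PREFIX_RE.fullmatch(parts[1]):
            continue  # legend, "is subnetted" headers, prompts
        routes[parts[1]] = (parts[0], parts[-1].rstrip(","))
    return routes

def audit_routes(text, expected):
    """List remote prefixes that are missing, not EIGRP-learned, or leave via a non-tunnel interface."""
    routes = parse_routes(text)
    problems = []
    for prefix in expected:
        if prefix not in routes:
            problems.append(f"{prefix}: not in routing table")
            continue
        code, iface = routes[prefix]
        if code != "D":
            problems.append(f"{prefix}: learned as {code}, not EIGRP (D)")
        if not iface.startswith("Tunnel"):
            # Traffic for this LAN would leave the physical interface, bypassing the GRE/IPsec path.
            problems.append(f"{prefix}: exits via {iface}, not a tunnel interface")
    return problems
```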
Note: Because the Cisco 7206 router has an Integrated Services Adapter (ISA) card installed, you might need to disable Cisco Express Forwarding (CEF) in order to pass routing updates.
There is currently no specific troubleshooting information available for this configuration.