1. Topology:
GETVPN preserves the original IP header, so the whole network must be routable end to end.
2. Basic interface configuration:
① KS1:
interface Loopback0
ip address 10.1.101.1 255.255.255.0
interface FastEthernet0/0
ip address 172.16.1.101 255.255.255.0
② KS2:
interface FastEthernet0/0
ip address 172.16.1.102 255.255.255.0
③ GM1:
interface Loopback0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
④ GM2:
interface Loopback0
ip address 10.1.2.1 255.255.255.0
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
3. Dynamic routing (OSPF) configuration:
router ospf 10
network 10.1.101.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
network 10.1.2.0 0.0.0.255 area 0
4. Synchronize the RSA key pair between KS1 and KS2:
① KS1 generates an exportable key pair and exports it to the terminal:
ip domain name yuntian.com
crypto key generate rsa modulus 1024 label getvpnkey exportable
KS1(config)#crypto key export rsa getvpnkey pem terminal 3des 1234qwer,
% Key name: getvpnkey
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn0O68W7RLtq7RmL3aSc0nneKQ
TQnUHyOEbD+gZnJJdijsmXb4fJs9k+aXnIvlr8M3UERKnV6TnTlGcD/lrrdH9qkg
IgFFrR9AkuV+R/W+iY4Ty1cbTB1ML+CkQESRpS/Rxcn8dRt+9q8rsqPQYwMjZNgM
l4wq9tJtD0AZIcdztwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,23724F120A63ACFB
-----END RSA PRIVATE KEY-----
② KS2 imports the key pair that KS1 printed on its terminal:
KS2(config)#crypto key import rsa getvpnkey terminal 1234qwer,
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
<paste the PEM public key, then press Enter on a blank line>
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
quit
% Key pair import succeeded.
5. GETVPN configuration:
① IKE phase 1:
KS1:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.1.1
crypto isakmp key cisco address 172.16.1.2
crypto isakmp key cisco address 172.16.1.102
KS2:
crypto isakmp key cisco address 172.16.1.101
GM1 and GM2: (the same ISAKMP policy, with a pre-shared key for each key server)
② Define the interesting traffic:
KS1 and KS2:
ip access-list extended getvpntraffic
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
③ Phase 2 transform set, and the IPsec profile that references it:
crypto ipsec transform-set getvpn-set esp-des esp-sha-hmac
exit
crypto ipsec profile getvpn-profile
set transform-set getvpn-set
④ GETVPN group configuration:
KS1:
crypto gdoi group getvpngroup
identity number 12345678
server local
rekey algorithm aes 256
rekey retransmit 10 number 2
rekey authentication mypubkey rsa getvpnkey
rekey transport unicast
sa ipsec 1
profile getvpn-profile
match address ipv4 getvpntraffic
replay time window-size 2
address ipv4 172.16.1.101
redundancy
local priority 100
peer address ipv4 172.16.1.102
KS2 (same group configuration; only these lines differ):
address ipv4 172.16.1.102
local priority 75
peer address ipv4 172.16.1.101
GM1 and GM2:
crypto gdoi group getvpngroup
identity number 12345678
server address ipv4 172.16.1.101
server address ipv4 172.16.1.102
⑤ Group member crypto map (GM1 and GM2):
crypto map getvpnmap 10 gdoi
set group getvpngroup
interface FastEthernet0/0
crypto map getvpnmap
6. Verification:
① Check the GETVPN state on the key servers and the group members:
KS1#show crypto gdoi group getvpngroup
Group Name : getvpngroup (Unicast)
Group Identity : 12345678
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Redundancy : Configured
Local Address : 172.16.1.101
Local Priority : 100
Local KS Status : Alive
Local KS Role : Primary
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85260 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : getvpn-profile
Replay method : Time Based
Replay Window Size : 2
SA Rekey
Remaining Lifetime : 2268 secs
ACL Configured : access-list getvpntraffic
Group Server list : Local
KS2#show crypto gdoi group getvpngroup
Local Address : 172.16.1.102
Local Priority : 75
Local KS Role : Secondary
Remaining Lifetime : 85190 secs
Remaining Lifetime : 2199 secs
GM1#show crypto gdoi group getvpngroup
Group Name : getvpngroup
Rekeys received : 1
Active Group Server : 172.16.1.101
Group Server list : 172.16.1.101
172.16.1.102
GM Reregisters in : 2054 secs
Rekey Received(hh:mm:ss) : 00:24:48
Rekeys received
Cumulative : 1
After registration : 1
Rekey Acks sent : 1
ACL Downloaded From KS 172.16.1.101:
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86399
Encrypt Algorithm : AES
Key Size : 256
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0xFA2E31D9(4197331417)
transform: esp-des esp-sha-hmac
sa timing:remaining key lifetime (sec): (1915)
Anti-Replay(Time Based) : 2 sec interval
sa direction:outbound
spi: 0x9F280E82(2670202498)
sa timing:remaining key lifetime (sec): (2107)
GM2#show crypto gdoi group getvpngroup
*Mar 1 01:20:18.987: %SYS-5-CONFIG_I: Configured from console by console
GM Reregisters in : 2006 secs
Rekey Received(hh:mm:ss) : 00:25:33
sa timing:remaining key lifetime (sec): (1870)
sa timing:remaining key lifetime (sec): (2062)
② Check the key server cooperative (COOP) state:
KS1#show crypto gdoi ks coop
Crypto Gdoi Group Name :getvpngroup
Group handle: 2147483650, Local Key Server handle: 2147483650
Local Address: 172.16.1.101
Local Priority: 100
Local KS Role: Primary , Local KS Status: Alive
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 4
Antireplay Sequence Number: 41
Peer Sessions:
Session 1:
Server handle: 2147483651
Peer Address: 172.16.1.102
Peer Priority: 75
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 2
IKE status: Established
Counters:
Ann msgs sent: 14
Ann msgs sent with reply request: 0
Ann msgs recv: 0
Ann msgs recv with reply request: 3
Packet sent drops: 27
Packet Recv drops: 0
Total bytes sent: 8652
Total bytes recv: 3016
KS2#show crypto gdoi ks coop
Local Address: 172.16.1.102
Local Priority: 75
Local KS Role: Secondary , Local KS Status: Alive
Secondary Timers:
Sec Primary Periodic Time: 30
Remaining Time: 9, Retries: 0
Antireplay Sequence Number: 3
Peer Address: 172.16.1.101
Peer Priority: 100
Peer KS Role: Primary , Peer KS Status: Alive
Antireplay Sequence Number: 43
Ann msgs sent: 0
Ann msgs sent with reply request: 3
Ann msgs recv: 13
Ann msgs recv with reply request: 0
Packet sent drops: 0
Total bytes sent: 3016
Total bytes recv: 8034
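Instead of reading the two COOP outputs above by eye, the following Python script (an added example, not part of the original post and not a Cisco tool) parses the text of show crypto gdoi ks coop and reports the conditions that matter for key server redundancy: the local and peer KS both Alive, the COOP IKE session Established, and exactly one Primary across the pair. The first sample is KS1's output from above; the second is a constructed split-brain case that was not captured in this lab.

```python
import re

# "show crypto gdoi ks coop" output from KS1, copied from the lab above.
KS1_COOP = """\
Crypto Gdoi Group Name :getvpngroup
Group handle: 2147483650, Local Key Server handle: 2147483650
Local Address: 172.16.1.101
Local Priority: 100
Local KS Role: Primary , Local KS Status: Alive
Primary Timers:
Primary Refresh Policy Time: 20
Remaining Time: 4
Antireplay Sequence Number: 41
Peer Sessions:
Session 1:
Server handle: 2147483651
Peer Address: 172.16.1.102
Peer Priority: 75
Peer KS Role: Secondary , Peer KS Status: Alive
Antireplay Sequence Number: 2
IKE status: Established
Counters:
Ann msgs sent: 14
Ann msgs recv: 0
"""

# Constructed sample (not captured from the lab): the COOP IKE session is down
# and the peer also claims Primary, so both key servers would rekey independently.
SPLIT_BRAIN_COOP = """\
Crypto Gdoi Group Name :getvpngroup
Local Address: 172.16.1.101
Local Priority: 100
Local KS Role: Primary , Local KS Status: Alive
Peer Sessions:
Session 1:
Peer Address: 172.16.1.102
Peer Priority: 75
Peer KS Role: Primary , Peer KS Status: Alive
IKE status: Not Established
"""

ROLE_RE = re.compile(r"(Local|Peer) KS Role:\s*(\w+)\s*,\s*\1 KS Status:\s*(\w+)")
FIELD_RE = re.compile(r"(Local|Peer) (Address|Priority):\s*(\S+)")


def parse_coop(text):
    """Split the output into one record for the local KS and one per peer session."""
    local, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"Session \d+:", line):
            cur = {}                      # start a new peer record
            peers.append(cur)
            continue
        m = ROLE_RE.match(line)
        if m:
            target = local if m.group(1) == "Local" else cur
            if target is not None:
                target["role"], target["status"] = m.group(2), m.group(3)
            continue
        m = FIELD_RE.match(line)
        if m:
            target = local if m.group(1) == "Local" else cur
            if target is not None:
                key, val = m.group(2).lower(), m.group(3)
                target[key] = int(val) if key == "priority" else val
            continue
        m = re.match(r"IKE status:\s*(.+)", line)
        if m and cur is not None:
            cur["ike"] = m.group(1).strip()
    return local, peers


def check_coop(text):
    """Return a list of findings; an empty list means the COOP pair looks healthy."""
    local, peers = parse_coop(text)
    findings = []
    if local.get("status") != "Alive":
        findings.append(f"local KS status is {local.get('status')}")
    if not peers:
        findings.append("no COOP peer session present")
    for p in peers:
        addr = p.get("address", "?")
        if p.get("status") != "Alive":
            findings.append(f"peer {addr} status is {p.get('status')}")
        if p.get("ike") != "Established":
            findings.append(f"peer {addr} COOP IKE session is {p.get('ike')}")
    roles = [local.get("role")] + [p.get("role") for p in peers]
    primaries = roles.count("Primary")
    if primaries != 1:
        findings.append(f"expected exactly one Primary KS, found {primaries}")
    return findings


if __name__ == "__main__":
    for name, text in (("KS1 (lab)", KS1_COOP), ("split-brain (constructed)", SPLIT_BRAIN_COOP)):
        print(name, "->", check_coop(text) or "healthy")
```

Run it on the output of both key servers; each KS only reports its own view, so a healthy result on KS1 alone does not prove KS2 agrees.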
③ Check the group members registered on each key server:
KS1#show crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group getvpngroup : 1
Group Member ID : 172.16.1.1
Group ID : 12345678
Group Name : getvpngroup
Key Server ID : 172.16.1.101
Rekeys sent : 1
Rekey Acks Rcvd : 1
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
Group Member ID : 172.16.1.2
KS2#show crypto gdoi ks members
Number of rekeys sent for group getvpngroup : 0
Rekeys sent : 0
Rekey Acks Rcvd : 0
④ Test GETVPN encryption and decryption on a group member:
Step 1: on GM1, check the encrypt/decrypt counters before the test
GM1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 0 10.0.0.0
2 Fa0/0 IPsec DES+SHA 0 0 10.0.0.0
5 Fa0/0 IPsec DES+SHA 0 0 10.0.0.0
6 Fa0/0 IPsec DES+SHA 0 0 10.0.0.0
1001 Fa0/0 IKE SHA+DES 0 0 172.16.1.1
1002 <none> IKE SHA+AES256 0 0
1003 <none> IKE SHA+AES256 0 0
Step 2: on GM1, generate interesting traffic with ping so that it is encrypted
GM1#ping 10.1.2.1 source 10.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/27/68 ms
Step 3: on GM1, check the counters again after the test
GM1#show crypto engine connections active
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+SHA 0 100 10.0.0.0
2 Fa0/0 IPsec DES+SHA 100 0 10.0.0.0
⑤ Group member ACL (local bypass) configuration
Step 1: from GM1, ping the network behind KS1
GM1#ping 10.1.101.1 source 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
The reason it fails: a flow from 10.1.1.1 to 10.1.101.1 matches the GETVPN interesting-traffic ACL, so it is encrypted, but the key server KS1 has no IPsec SA of its own and therefore cannot decrypt it, so no traffic gets through. The fix is to configure a group member ACL on GM1 that bypasses traffic from 10.1.1.0/24 to 10.1.101.0/24.
Step 2: configure the group member ACL on GM1 and attach it to the GDOI crypto map
GM1(config)#ip access-list extended bypass
GM1(config-ext-nacl)#deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
GM1(config)#crypto map getvpnmap 10 gdoi
GM1(config-crypto-map)#match address bypass
Step 3: from GM1, ping the network behind KS1 again
GM1#ping 10.1.101.1 source 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/120/156 ms
Notes:
① The exclusion can also be placed in the interesting-traffic ACL on the KS, as shown here:
KS1#show ip access-lists
Extended IP access list getvpntraffic
5 deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
6 deny ip 10.1.2.0 0.0.0.255 10.1.101.0 0.0.0.255
10 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
② However, apart from removing and re-applying the crypto map on the group member's interface (no crypto map getvpnmap, then crypto map getvpnmap), no better way was found to make the KS push the updated interesting-traffic ACL to every group member quickly.
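To make the forwarding decision behind ⑤ and note ① concrete, here is an added Python model (not part of the original post, and not a Cisco tool) of how a group member classifies a flow: the crypto map's local ACL is consulted first and a deny there bypasses GETVPN, then the ACL downloaded from the KS decides between encrypt and clear text. The ACLs are the ones from the lab above; the three-way result labels and the evaluation order are this example's own assumptions, written to match the behaviour described in this section.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard>' entry."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_acl(text):
    """Parse extended ACL lines; an optional leading sequence number is ignored."""
    aces = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if parts and parts[0].isdigit():
            parts = parts[1:]
        if len(parts) < 6 or parts[1] != "ip":
            raise ValueError(f"unsupported ACE: {raw!r}")
        action, _, src, src_wc, dst, dst_wc = parts[:6]
        aces.append(Ace(action, src, src_wc, dst, dst_wc))
    return aces


def wildcard_match(ip, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def first_match(aces, src, dst):
    """Return the first ACE matching the flow, or None (implicit deny)."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace
    return None


def gm_disposition(local_acl, ks_acl, src, dst):
    """Group member decision (assumed order): local crypto-map ACL first, a deny there
    bypasses GETVPN; then the KS-downloaded ACL, where permit means encrypt and
    anything else means the packet is forwarded in clear text."""
    hit = first_match(local_acl, src, dst)
    if hit is not None and hit.action == "deny":
        return "bypass"
    hit = first_match(ks_acl, src, dst)
    if hit is not None and hit.action == "permit":
        return "encrypt"
    return "clear"


# ACLs taken from the lab above.
KS_ACL = parse_acl("permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255")
GM1_BYPASS = parse_acl("deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255")
KS_ACL_WITH_BYPASS = parse_acl("""
5 deny ip 10.1.1.0 0.0.0.255 10.1.101.0 0.0.0.255
6 deny ip 10.1.2.0 0.0.0.255 10.1.101.0 0.0.0.255
10 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
""")

if __name__ == "__main__":
    flows = [("10.1.1.1", "10.1.101.1"), ("10.1.2.1", "10.1.101.1"),
             ("10.1.1.1", "10.1.2.1"), ("172.16.1.1", "172.16.1.101")]
    for label, local, ks in (("GM1 before bypass ACL", [], KS_ACL),
                             ("GM1 with bypass ACL", GM1_BYPASS, KS_ACL),
                             ("KS-side exclusions", [], KS_ACL_WITH_BYPASS)):
        for src, dst in flows:
            print(f"{label:22} {src:>12} -> {dst:<12} {gm_disposition(local, ks, src, dst)}")
```

The first row of the output reproduces the failure in ⑤ step 1: 10.1.1.1 to 10.1.101.1 is encrypted although the key server cannot decrypt it. Both the GM-side bypass and the KS-side deny entries turn that flow into clear text while leaving member-to-member traffic encrypted, which is why the KS-side variant in note ① needs every GM to re-download the ACL before it takes effect.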
This article is reproduced from 碧雲天's blog on 51CTO; original link: http://blog.51cto.com/333234/847161. Contact the original author before reprinting.