在Cisco路由器上配置VRF-aware IPsec VPN詳解

之前通過(guò)場(chǎng)景實(shí)例向大家展示了用Virtual Routing and Forwarding (VRF，虛擬路由轉(zhuǎn)發(fā))將一個(gè)路由器分割成八個(gè)虛擬路由器的方法。當(dāng)時(shí)我向大家演示了如何配置VRF，在本文中我們繼續(xù)使用這個(gè)場(chǎng)景，并通過(guò)IPsec配置，將完全一致的拓?fù)浣Y(jié)構(gòu)和地址復(fù)制到八個(gè)實(shí)驗(yàn)環(huán)境。整個(gè)環(huán)境能夠順利進(jìn)行，首先需要帶有ASA的虛擬路由與Cisco 路由器建立VPN。這需要 VRF參與的IPsec。因此我需要一種方法能夠?qū)崿F(xiàn)完全一致的 isakmp 策略，一致的pre-shared keys, 一致的 crypto ACL, 也就是每個(gè) VRF上的參數(shù)一致。實(shí)際的配置過(guò)程可能比我們想像的簡(jiǎn)單一些。下面我就來(lái)舉例說(shuō)明整個(gè)過(guò)程。

首先是建立ISAKMP 策略：

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

在配置過(guò)程中，我們可以在八個(gè)VRF中使用相同的元素，因此只需要建立一個(gè)ISAKMP 策略。接下來(lái)建立crypto ACL 以及一個(gè) IPsec transform set。

ip access-list extended VPN

permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255

crypto ipsec transform-set VPN-TRANS esp-aes esp-sha-hmac.

接下來(lái)是建立 pre-shared key。在本例中我曾經(jīng)使用過(guò)一個(gè)keyring 作為 預(yù)共享 key，因此我直接將其綁定到 VRF即可。

crypto keyring POD1keys vrf POD1

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD2keys vrf POD2

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD3keys vrf POD3

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD4keys vrf POD4

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD5keys vrf POD5

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD6keys vrf POD6

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD7keys vrf POD7

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD8keys vrf POD7

pre-shared-key address 192.168.1.2 key cisco123

!

接下來(lái)建立 crypto-maps.

!

crypto map pod1 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod2 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod3 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod4 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod5 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod6 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod7 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

set isakmp-profile pod7

match address VPN

!

crypto map pod8 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

一旦 crypto-maps 被合并到一起，就可以應(yīng)用到接口上了。

interface FastEthernet0/0.1

crypto map pod1

!

interface FastEthernet0/0.2

crypto map pod2

!

interface FastEthernet0/0.3

crypto map pod3

!

interface FastEthernet0/0.4

crypto map pod4

!

interface FastEthernet0/0.5

crypto map pod5

!

interface FastEthernet0/0.6

crypto map pod6

!

interface FastEthernet0/0.7

crypto map pod7

!

interface FastEthernet0/0.8

crypto map pod8

!