在Cisco路由器上配置VRF-aware IPsec VPN詳解
之前通過場景實(shí)例向大家展示了用Virtual Routing and Forwarding (VRF,虛擬路由轉(zhuǎn)發(fā))將一個路由器分割成八個虛擬路由器的方法。當(dāng)時我向大家演示了如何配置VRF,在本文中我們繼續(xù)使用這個場景,并通過IPsec配置,將完全一致的拓?fù)浣Y(jié)構(gòu)和地址復(fù)制到八個實(shí)驗環(huán)境。整個環(huán)境能夠順利進(jìn)行,首先需要帶有ASA的虛擬路由與Cisco 路由器建立VPN。這需要 VRF參與的IPsec。因此我需要一種方法能夠?qū)崿F(xiàn)完全一致的 isakmp 策略,一致的pre-shared keys, 一致的 crypto ACL, 也就是每個 VRF上的參數(shù)一致。實(shí)際的配置過程可能比我們想像的簡單一些。下面我就來舉例說明整個過程。
本文引用地址:http://www.ex-cimer.com/article/154891.htm首先是建立ISAKMP 策略:
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
在配置過程中,我們可以在八個VRF中使用相同的元素,因此只需要建立一個ISAKMP 策略。接下來建立crypto ACL 以及一個 IPsec transform set。
ip access-list extended VPN
permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto ipsec transform-set VPN-TRANS esp-aes esp-sha-hmac.
接下來是建立 pre-shared key。在本例中我曾經(jīng)使用過一個keyring 作為 預(yù)共享 key,因此我直接將其綁定到 VRF即可。
crypto keyring POD1keys vrf POD1
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD2keys vrf POD2
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD3keys vrf POD3
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD4keys vrf POD4
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD5keys vrf POD5
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD6keys vrf POD6
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD7keys vrf POD7
pre-shared-key address 192.168.1.2 key cisco123
crypto keyring POD8keys vrf POD7
pre-shared-key address 192.168.1.2 key cisco123
!
接下來建立 crypto-maps.
!
crypto map pod1 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod2 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod3 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod4 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod5 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod6 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
crypto map pod7 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
set isakmp-profile pod7
match address VPN
!
crypto map pod8 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set VPN-TRANS
set pfs group2
match address VPN
!
一旦 crypto-maps 被合并到一起,就可以應(yīng)用到接口上了。
interface FastEthernet0/0.1
crypto map pod1
!
interface FastEthernet0/0.2
crypto map pod2
!
interface FastEthernet0/0.3
crypto map pod3
!
interface FastEthernet0/0.4
crypto map pod4
!
interface FastEthernet0/0.5
crypto map pod5
!
interface FastEthernet0/0.6
crypto map pod6
!
interface FastEthernet0/0.7
crypto map pod7
!
interface FastEthernet0/0.8
crypto map pod8
!
路由器相關(guān)文章:路由器工作原理
路由器相關(guān)文章:路由器工作原理
評論