Before IOS 12.4, the only way to build a secure site-to-site tunnel was GRE over IPsec. Starting with IOS 12.4, Cisco introduced a new tunnel technology called Virtual Tunnel Interface (VTI). It is essentially an IPsec tunnel technology: the user no longer has to rely on GRE and can build a tunnel interface directly with IPsec.
Compared with GRE over IPsec, VTI therefore saves the 4-byte GRE header in every packet. Because VTI is itself a tunnel interface, it also solves the three major problems of a traditional IPsec VPN.
There are two kinds of VTI:
Static VTI (SVTI)
Dynamic VTI (DVTI)
Below, SVTI is used to interconnect two sites over a VPN (as with GRE, both sites must have static IP addresses).
Lab environment:
Lab topology:
Lab configuration:
Basic configuration:
R1 configuration:
en
conf t
host R1
int f0/0
ip add 12.1.1.1 255.255.255.0
no shut
int lo 0
ip add 1.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2 configuration:
en
conf t
host R2
int f0/0
ip add 12.1.1.2 255.255.255.0
no shut
int f1/0
ip add 23.1.1.2 255.255.255.0
no shut
R3 configuration:
en
conf t
host R3
int f1/0
ip add 23.1.1.3 255.255.255.0
no shut
int lo 0
ip add 3.3.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 23.1.1.2
After the configuration is complete, check connectivity between R1 and R3.
On R1, ping R3's public IP address:
R1#ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/67/80 ms
The ping succeeds, so public-network communication is working.
R1 configuration:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile ipsec-profile
set transform-set trans
R3 configuration:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile ipsec-profile
set transform-set trans
Configure the SVTI:
R1:
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 23.1.1.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile
R3:
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 12.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile
Verification:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
12.1.1.1 23.1.1.3 QM_IDLE 1001 0 ACTIVE
Ping test:
R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/144/168 ms
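The tunnel comes up, but the crypto configured above (DES, MD5, the default DH group 1, and the pre-shared key "cisco") is what an auditor would flag first. As an added example that is not part of the original post, the Python script below parses the ISAKMP policy and transform set exactly as this page writes them, fills in the classic IOS defaults for keywords the policy omits, and reports the weak choices. The sample config is the page's R1 configuration constructed inline; the recommended replacements and the 16-character PSK threshold are my own assumptions.

```python
import re

# Constructed sample: this page's R1 crypto configuration, indented as IOS shows it.
R1_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile ipsec-profile
 set transform-set trans
"""

# Values classic IOS applies when an isakmp policy omits the keyword.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
# Weak ESP transforms and the replacement suggested here (assumption).
WEAK_ESP = {"esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
            "esp-md5-hmac": "esp-sha256-hmac"}

def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")   # e.g. "hash md5"
            current[key] = value
        else:
            current = None          # any unindented line ends the policy block
    return policies

def audit(config):
    """Return a list of weak-crypto findings for phase 1 and phase 2 settings."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        if pol["encryption"] in ("des", "3des"):
            findings.append(f"isakmp policy {num}: encryption {pol['encryption']} (use aes 256)")
        if pol["hash"] == "md5":
            findings.append(f"isakmp policy {num}: hash md5 (use sha256)")
        if pol["group"] in ("1", "2", "5"):
            findings.append(f"isakmp policy {num}: group {pol['group']} (use group 14 or higher)")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        for t in m.group(2).split():
            if t in WEAK_ESP:
                findings.append(f"transform-set {m.group(1)}: {t} (use {WEAK_ESP[t]})")
    for m in re.finditer(r"^crypto isakmp key (?:[06] )?(\S+) address", config, re.M):
        if len(m.group(1)) < 16:   # short PSK threshold is an assumption
            findings.append(f"pre-shared key '{m.group(1)}' is only {len(m.group(1))} chars")
    return findings

if __name__ == "__main__":
    for finding in audit(R1_CRYPTO_CONFIG):
        print("WEAK:", finding)
```

Run it against the R3 side as well; because the page configures both routers identically, it reports the same six findings there.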