dynemic routing protocol over gre with ipsec protected
2008-06-26 11:12:05
查看( 1979 ) / 评论( 0 )
大家好,有两个问题请教:
1。引用 cisco.com上所说的:“GRE tunnels are implemented on Cisco routers by using a virtual tunnel interface (interface tunnel<#>). The GRE tunneling protocol is designed to handle IP multicast/broadcast packets so a dynamic routing protocol can be run over" a GRE tunnel. GRE tunnel packets are IP unicast packets that encapsulate the original IP multicast/unicast packet. You can then use IPsec to encrypt the GRE tunnel packet. You can also run IPsec in transport mode and save 20 bytes since GRE has already encapsulated the original data packet so you do not need IPsec to encapsulate the GRE IP packet in another IP header.
When running IPsec in transport mode, there is a restriction that the IP source and destination addresses of the packet to be encrypted must match the IPsec peer addresses (the router itself). In this case, this just means that the GRE tunnel endpoint and IPsec peer addresses must be the same.This is not a problem since the same routers are both the IPsec and GRE tunnel endpoints. By combining GRE tunnels with IPsec encryption, you can use a dynamic IP routing protocol to update the routing tables on both ends of the encrypted tunnel. The IP routing table entries for the networks that were learned through the encrypted tunnel will have the other end of the tunnel (GRE tunnel interface IP address) as the IP next hop. Thus, if the networks change on either side of the tunnel, then the other side will dynamically learn of the change and connectivity will continue without any configuration changes on the routers.”
说是如果tunnel隧道得源和目的地址与ipsec通道得源和目的地址不相同得话,必须使用隧道模式,想想也是,如果不再封装一层ip得话,包将以tunnel得源和目的地址封装,如果这些是私网地址,那么就不可能到达peer。
但是实际应用中,为何使用了传输模式,通信正常呢?
还有,是不是gre通道是在ipsec通道建立之后才进行协商得?
enable secret 5 $1$j2oA$4mOpCNUDzEAfuebt9XJMa/
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 61.222.112.170
crypto isakmp key cisco123 address 221.222.59.2
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
mode transport
!
crypto map pix 10 ipsec-isakmp
set peer 21.222.112.170
set peer 23.222.3.2
set transform-set pix-set
match address 100
!
!
!
!
interface Loopback0
descrīption tunnel 0 source
ip address 10.19.102.85 255.255.255.255
!
interface Loopback1
descrīption tunnel 1 source
ip address 10.19.102.84 255.255.255.255
!
interface Tunnel0
ip unnumbered FastEthernet0/1
tunnel source Loopback0
tunnel destination 10.19.100.85
!
interface Tunnel1
ip unnumbered FastEthernet0/1
tunnel source Loopback1
tunnel destination 10.19.100.84
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 10.85.254.253 255.255.255.0
ip nat inside
duplex auto
speed auto
standby 1 ip 10.85.254.254
standby 1 preempt
!
interface Dialer1
mtu 1492
bandwidth 2048
ip address negotiated
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname 331603@adsla
ppp chap password 0 03332
ppp pap sent-username 33733603@adsla password 0 0723
crypto map pix
!
router eigrp 100
network 10.0.0.0
distribute-list eigrp-filter out FastEthernet0/1
distribute-list eigrp-filter out Tunnel0
distribute-list eigrp-filter out Tunnel1
no auto-summary
!
ip nat inside source route-map internet interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.19.100.84 255.255.255.255 Dialer1
ip route 10.19.100.85 255.255.255.255 Dialer1
!
!
!
ip access-list standard eigrp-filter
deny 10.19.100.0 0.0.3.255
permit any
!
ip access-list extended outside
deny ip 10.19.0.0 0.0.255.255 10.19.0.0 0.0.255.255
permit ip any any
access-list 1 permit any
access-list 100 permit ip 10.19.102.84 0.0.0.1 10.19.100.84 0.0.0.1
dialer-list 1 protocol ip permit
!
route-map internet permit 10
match ip address outside
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
transport input telnet
!
!
end
1。引用 cisco.com上所说的:“GRE tunnels are implemented on Cisco routers by using a virtual tunnel interface (interface tunnel<#>). The GRE tunneling protocol is designed to handle IP multicast/broadcast packets so a dynamic routing protocol can be run over" a GRE tunnel. GRE tunnel packets are IP unicast packets that encapsulate the original IP multicast/unicast packet. You can then use IPsec to encrypt the GRE tunnel packet. You can also run IPsec in transport mode and save 20 bytes since GRE has already encapsulated the original data packet so you do not need IPsec to encapsulate the GRE IP packet in another IP header.
When running IPsec in transport mode, there is a restriction that the IP source and destination addresses of the packet to be encrypted must match the IPsec peer addresses (the router itself). In this case, this just means that the GRE tunnel endpoint and IPsec peer addresses must be the same.This is not a problem since the same routers are both the IPsec and GRE tunnel endpoints. By combining GRE tunnels with IPsec encryption, you can use a dynamic IP routing protocol to update the routing tables on both ends of the encrypted tunnel. The IP routing table entries for the networks that were learned through the encrypted tunnel will have the other end of the tunnel (GRE tunnel interface IP address) as the IP next hop. Thus, if the networks change on either side of the tunnel, then the other side will dynamically learn of the change and connectivity will continue without any configuration changes on the routers.”
说是如果tunnel隧道得源和目的地址与ipsec通道得源和目的地址不相同得话,必须使用隧道模式,想想也是,如果不再封装一层ip得话,包将以tunnel得源和目的地址封装,如果这些是私网地址,那么就不可能到达peer。
但是实际应用中,为何使用了传输模式,通信正常呢?
还有,是不是gre通道是在ipsec通道建立之后才进行协商得?
enable secret 5 $1$j2oA$4mOpCNUDzEAfuebt9XJMa/
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 61.222.112.170
crypto isakmp key cisco123 address 221.222.59.2
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
mode transport
!
crypto map pix 10 ipsec-isakmp
set peer 21.222.112.170
set peer 23.222.3.2
set transform-set pix-set
match address 100
!
!
!
!
interface Loopback0
descrīption tunnel 0 source
ip address 10.19.102.85 255.255.255.255
!
interface Loopback1
descrīption tunnel 1 source
ip address 10.19.102.84 255.255.255.255
!
interface Tunnel0
ip unnumbered FastEthernet0/1
tunnel source Loopback0
tunnel destination 10.19.100.85
!
interface Tunnel1
ip unnumbered FastEthernet0/1
tunnel source Loopback1
tunnel destination 10.19.100.84
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 10.85.254.253 255.255.255.0
ip nat inside
duplex auto
speed auto
standby 1 ip 10.85.254.254
standby 1 preempt
!
interface Dialer1
mtu 1492
bandwidth 2048
ip address negotiated
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname 331603@adsla
ppp chap password 0 03332
ppp pap sent-username 33733603@adsla password 0 0723
crypto map pix
!
router eigrp 100
network 10.0.0.0
distribute-list eigrp-filter out FastEthernet0/1
distribute-list eigrp-filter out Tunnel0
distribute-list eigrp-filter out Tunnel1
no auto-summary
!
ip nat inside source route-map internet interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.19.100.84 255.255.255.255 Dialer1
ip route 10.19.100.85 255.255.255.255 Dialer1
!
!
!
ip access-list standard eigrp-filter
deny 10.19.100.0 0.0.3.255
permit any
!
ip access-list extended outside
deny ip 10.19.0.0 0.0.255.255 10.19.0.0 0.0.255.255
permit ip any any
access-list 1 permit any
access-list 100 permit ip 10.19.102.84 0.0.0.1 10.19.100.84 0.0.0.1
dialer-list 1 protocol ip permit
!
route-map internet permit 10
match ip address outside
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
transport input telnet
!
!
end
I second to yours. my testing showing that:
1. if ipsec/gre end points no-match, the ipsec will set the ipsec as tunnel mode, no matter what's configured on the transform. set.
2. if ipsec/gre end points match, then:
2.1 if both ends ipsec transport mode make the in-using as transform. tunnel,
2.2 if one end configed as tunnel, both end will in-using tunnel.
3. so it seems the conclution is just as the cco document saying: first gre, then ipsec. but when doing ipsec, ios check if end-points match or not, then either 2.1 or 2.2.
1. if ipsec/gre end points no-match, the ipsec will set the ipsec as tunnel mode, no matter what's configured on the transform. set.
2. if ipsec/gre end points match, then:
2.1 if both ends ipsec transport mode make the in-using as transform. tunnel,
2.2 if one end configed as tunnel, both end will in-using tunnel.
3. so it seems the conclution is just as the cco document saying: first gre, then ipsec. but when doing ipsec, ios check if end-points match or not, then either 2.1 or 2.2.
http://blog.zdnet.com.cn/html/14/311614-1084247.html