Contents

Introduction
Hub-to-spoke Topology
Routing Protocol
Fully Mesh Topology
IPSec over GRE Tunnel
Summary

Introduction

Generic Routing Encapsulation (GRE) builds a point-to-point tunnel between two physical interfaces and is most often used to set up a Virtual Private Network (VPN) to protect traffic. This article first walks through configuring GRE tunnels, and finally adds IPsec on top of GRE to provide authentication and encryption.

Hub-to-spoke Topology

Refer to the diagram below. We want to build GRE tunnels between three sites: Hong Kong, Taiwan and Beijing. Assume that R1 e1/0, R2 e1/0 and R3 e1/0 can already ping each other.

[Figure: gre-tunnel (hub-and-spoke topology diagram)]

First, build the tunnel between R1 and R2.

R1(config)#int tunnel 12
R1(config-if)#ip address 172.16.12.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 10.0.24.2
R2(config)#int tunnel 12
R2(config-if)#ip address 172.16.12.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 10.0.14.1

Likewise, build the tunnel between R1 and R3.

R1(config)#int tunnel 13
R1(config-if)#ip address 172.16.13.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 10.0.34.3
R3(config)#int tunnel 13
R3(config-if)#ip address 172.16.13.3 255.255.255.0
R3(config-if)#tunnel source ethernet 1/0
R3(config-if)#tunnel destination 10.0.14.1

To verify: R1 can now ping the tunnel interfaces of both R2 and R3.

R1#ping 172.16.12.2 source 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/32 ms
R1#
R1#ping 172.16.13.3 source 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/24 ms

R2's tunnel interface can likewise ping R3's tunnel interface, but note that the path is R2 > R1 > R3, because this is a hub-and-spoke topology.

R2#ping 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/104 ms
R2#
R2#traceroute 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Tracing the route to 172.16.13.3

  1 172.16.12.1 8 msec 40 msec 36 msec
  2 172.16.13.3 60 msec 32 msec 72 msec

Routing Protocol

Next, we can use a routing protocol, EIGRP for example, to advertise the networks behind each router to the others.

R1(config)#router eigrp 1
R1(config-router)#network 172.16.12.0 0.0.0.255
R1(config-router)#network 172.16.13.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R2(config)#router eigrp 1
R2(config-router)#network 172.16.12.0 0.0.0.255
R2(config-router)#network 192.168.2.0
R2(config-router)#no auto-summary
R3(config)#router eigrp 1
R3(config-router)#network 172.16.13.0 0.0.0.255
R3(config-router)#network 192.168.3.0
R3(config-router)#no auto-summary

The routing table shows that EIGRP has exchanged routes successfully.

R1#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

D     192.168.2.0/24 [90/27008000] via 172.16.12.2, 00:12:30, Tunnel12
D     192.168.3.0/24 [90/27008000] via 172.16.13.3, 00:12:53, Tunnel13
R1#
R1#ping 192.168.2.2 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/24 ms
R1#
R1#ping 192.168.3.3 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/40 ms

Note that traffic from R2's 192.168.2.0/24 to 192.168.3.0/24 still has to pass through R1.

R2#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.13.0/24 [90/28160000] via 172.16.12.1, 00:15:07, Tunnel0
D     192.168.1.0/24 [90/27008000] via 172.16.12.1, 00:15:07, Tunnel0
D     192.168.3.0/24 [90/28288000] via 172.16.12.1, 00:15:07, Tunnel0
R2#
R2#traceroute 172.16.13.3 source 172.16.12.2

Type escape sequence to abort.
Tracing the route to 172.16.13.3

  1 172.16.12.1 12 msec 36 msec 40 msec
  2 172.16.13.3 64 msec 44 msec 48 msec

Fully Mesh Topology

A hub-and-spoke topology is simpler to configure; the problem is that spoke-to-spoke traffic must pass through the hub, which wastes bandwidth and adds latency. To solve this, switch to a full mesh topology. With the network above, all it takes is one more tunnel, between R2 and R3.

[Figure: gre-tunnel (full mesh topology diagram)]

R2(config)#int tunnel 23
R2(config-if)#ip address 172.16.23.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 10.0.34.3
R3(config)#int tunnel 23
R3(config-if)#ip address 172.16.23.3 255.255.255.0
R3(config-if)#tunnel source ethernet 1/0
R3(config-if)#tunnel destination 10.0.24.2

Of course, we also have to add the new network to the EIGRP configuration on both R2 and R3 so that they form an EIGRP adjacency.

R2(config)#router eigrp 1
R2(config-router)#network 172.16.23.0 0.0.0.255
R3(config)#router eigrp 1
R3(config-router)#network 172.16.23.0 0.0.0.255

R2 can now reach R3 directly without going through R1.

R2#show ip route eigrp 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D        172.16.13.0/24 [90/28160000] via 172.16.23.3, 00:00:44, Tunnel23
                        [90/28160000] via 172.16.12.1, 00:00:44, Tunnel12
D     192.168.1.0/24 [90/27008000] via 172.16.12.1, 00:00:44, Tunnel12
D     192.168.3.0/24 [90/27008000] via 172.16.23.3, 00:00:44, Tunnel23
R2#
R2#traceroute 192.168.3.3 source 192.168.2.2

Type escape sequence to abort.
Tracing the route to 192.168.3.3

  1 172.16.23.3 28 msec 40 msec 20 msec

IPSec over GRE Tunnel

Finally, let's encrypt all the tunnels with IPsec.

First, configure the IKE Phase 1 parameters on R1, R2 and R3 (see here for a detailed explanation).

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share

Then configure the Phase 2 parameters on R1, R2 and R3 (see here for a detailed explanation).

R1(config)#crypto ipsec transform-set TS esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit

Then configure the pre-shared keys. Note that the peer address is the address of the physical interface (the one used as the tunnel source and destination above), not the address of the tunnel interface.

R1(config)#crypto isakmp key ccie address 10.0.24.2
R1(config)#crypto isakmp key ccie address 10.0.34.3
R2(config)#crypto isakmp key ccie address 10.0.14.1
R2(config)#crypto isakmp key ccie address 10.0.34.3
R3(config)#crypto isakmp key ccie address 10.0.14.1
R3(config)#crypto isakmp key ccie address 10.0.24.2
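An added example, not from the original article, that checks the caveat above across a set of router configs: every GRE tunnel destination should have a matching ISAKMP key, and every key address should be a physical interface address rather than a tunnel address. The configs are constructed for the demonstration and are not the article's.

```python
import re

# Constructed sample configs (not from the page); R2 and R3 each hold one wrong key address.
CONFIGS = {
    "R1": """interface ethernet 1/0
 ip address 10.0.14.1 255.255.255.0
interface tunnel 12
 ip address 172.16.12.1 255.255.255.0
 tunnel destination 10.0.24.2
crypto isakmp key ccie address 10.0.24.2""",
    "R2": """interface ethernet 1/0
 ip address 10.0.24.2 255.255.255.0
interface tunnel 12
 tunnel destination 10.0.14.1
crypto isakmp key ccie address 10.0.12.1""",
    "R3": """interface ethernet 1/0
 ip address 10.0.34.3 255.255.255.0
interface tunnel 13
 tunnel destination 10.0.14.1
crypto isakmp key ccie address 10.0.14.1
crypto isakmp key ccie address 172.16.12.1""",
}

def parse_router(text):  # physical IPs, tunnel IPs, tunnel destinations, ISAKMP key peers
    info = {"phys": set(), "tun": set(), "dest": set(), "keys": set()}
    in_tunnel = False
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            in_tunnel = m.group(1).lower().startswith("tunnel")
        elif m := re.match(r"ip address (\S+) \S+", line):
            info["tun" if in_tunnel else "phys"].add(m.group(1))
        elif m := re.match(r"tunnel destination (\S+)", line):
            info["dest"].add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            info["keys"].add(m.group(1))
    return info

def check_peers(configs):  # every destination needs a key; every key must be a physical address
    parsed = {name: parse_router(t) for name, t in configs.items()}
    phys, tun = ({ip for p in parsed.values() for ip in p[k]} for k in ("phys", "tun"))
    findings = []
    for name, p in parsed.items():
        for d in sorted(p["dest"] - p["keys"]):
            findings.append(f"{name}: tunnel destination {d} has no ISAKMP key")
        for k in sorted(p["keys"]):
            if k in tun:
                findings.append(f"{name}: key address {k} is a tunnel address, not a physical one")
            elif k not in phys:
                findings.append(f"{name}: key address {k} matches no router's physical interface")
    return findings
```

Running `check_peers(CONFIGS)` reports R2's missing key for 10.0.14.1, R2's key for an address no router owns, and R3's key that names a tunnel address.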

Next, define the IPsec profile on R1, R2 and R3.

R1(config)#crypto ipsec profile PF
R1(ipsec-profile)#set transform-set TS

Finally, apply the IPsec profile to every tunnel.

R1(config)#interface tunnel 12
R1(config-if)#tunnel protection ipsec profile PF

Summary

Although a full mesh topology lets spoke sites talk to each other directly, the problem is the number of tunnels that must be built. The math says the number of point-to-point links is n(n-1)/2, so with 20 sites there would be 190 tunnels, and configuring and maintaining them would be a nightmare. So if there are many spoke sites, mGRE (also referred to as DMVPN) is the more convenient option.
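An added example, not part of the original article, that generates the tunnel and pre-shared-key stanzas in the article's own pattern for a constructed site list and counts how many tunnel interfaces a full mesh needs compared with a hub-and-spoke design. The site names, addresses and the key placeholder are assumptions.

```python
from itertools import combinations

# Constructed site list (not the page's): router name -> physical address that is
# both the GRE tunnel source and the ISAKMP peer address seen by the other routers.
SITES = {"R1": "10.0.14.1", "R2": "10.0.24.2", "R3": "10.0.34.3", "R4": "10.0.44.4"}
PSK = "<pre-shared-key>"  # placeholder; a real key is provisioned out of band

def tunnel_pairs(sites, hub=None):
    """Router pairs that get a tunnel: every pair (full mesh) or hub<->spoke only."""
    names = sorted(sites)
    if hub is None:
        return list(combinations(names, 2))       # n(n-1)/2 pairs
    return [(hub, n) for n in names if n != hub]  # n-1 pairs

def render(sites, pairs):
    """Both ends of each tunnel in the page's style: tunnel id from the two router
    indices (12, 13, 23 ...), one /24 per tunnel, host part = router index, profile PF."""
    idx = {n: i + 1 for i, n in enumerate(sorted(sites))}
    cfg = {n: [] for n in sites}
    for k, (a, b) in enumerate(pairs, start=1):  # k < 256 holds up to 22 sites
        tid = f"{idx[a]}{idx[b]}"
        for me, peer in ((a, b), (b, a)):
            cfg[me] += [
                f"crypto isakmp key {PSK} address {sites[peer]}",
                f"interface tunnel {tid}",
                f" ip address 172.16.{k}.{idx[me]} 255.255.255.0",
                " tunnel source ethernet 1/0",
                f" tunnel destination {sites[peer]}",
                " tunnel protection ipsec profile PF",
            ]
    return cfg

def stanza_count(sites, hub=None):
    """Tunnel interfaces that have to be configured and maintained across all routers."""
    cfg = render(sites, tunnel_pairs(sites, hub))
    return sum(len(lines) // 6 for lines in cfg.values())

if __name__ == "__main__":
    for n in (3, 5, 20):
        fake = {f"R{i}": f"10.0.{i}.{i}" for i in range(1, n + 1)}
        print(f"{n} sites: full mesh {len(tunnel_pairs(fake))} tunnels, "
              f"hub-and-spoke {len(tunnel_pairs(fake, hub='R1'))}")
    print("\n".join(render(SITES, tunnel_pairs(SITES))["R2"]))
```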