GRE over IPSec vs IPSec over GRE

Introduction

When an enterprise needs to exchange routes with a routing protocol across the Internet, it usually builds a GRE tunnel between the two sites. GRE provides no confidentiality, though, so whatever crosses the Internet inside it is exposed; this is where GRE is combined with IPSec. This article covers two closely related designs: GRE over IPSec and IPSec over GRE. It assumes the reader can already configure an IPSec VPN and has a basic understanding of EIGRP.

Background

Assume the routers at the two sites are connected to the Internet with static IP addresses and can ping each other, and we now want to exchange the routes for the LAN subnets with EIGRP. To form an EIGRP neighbor relationship the two routers need interfaces on a common subnet, so the obvious move is a GRE tunnel. The remaining question is the order of encapsulation: build the GRE tunnel first and run the IPSec tunnel inside it for encryption, or build the IPSec tunnel first and run the GRE tunnel inside that?

[Figure: ipsec-gre]

GRE over IPSec

The first design is GRE over IPSec, where IPSec is the outermost (lowest) layer. An IPSec tunnel is built between R1 and R2 and the whole GRE tunnel is carried, encrypted, inside it; the routing protocol exchanges routes inside the GRE tunnel, and the data is then forwarded through the GRE tunnel as well. As the figure below shows, because the entire GRE tunnel is encrypted, both the routing protocol and the data are encrypted: an observer on the path sees only ESP packets between the two public addresses.

[Figure: ipsec-gre]

IPSec over GRE

The other design is IPSec over GRE, where GRE is the outermost (lowest) layer. The GRE tunnel is built between R1 and R2 first and the IPSec tunnel is built inside it. The interesting consequence is that, because IPSec does not support multicast, the routing protocol is normally run directly over the GRE tunnel and exchanges routes without encryption; only the data is encrypted inside the IPSec tunnel. That means the EIGRP hellos and updates, and therefore the internal prefixes, cross the Internet in cleartext, and because GRE itself authenticates nothing, anyone who can send GRE packets to a tunnel endpoint with a spoofed source can talk to the routing process unless EIGRP authentication is configured. For these reasons GRE over IPSec is the design normally deployed. If you insist on putting the routing protocol inside the IPSec tunnel as well, you can form neighbors with unicast addresses instead, but the routers can no longer discover neighbors automatically, and once the number of routers grows the configuration becomes painful. See the OSPF and EIGRP articles on this site for the unicast neighbor configuration.

[Figure: ipsec-gre]
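The difference between the two designs comes down to where the crypto ACL is evaluated and what an on-path observer can therefore still read. The following header-stack model is an added example written for this page, not code from the original article; it uses the article's lab addresses and crypto ACLs, and the header sizes (IPv4 20 bytes, GRE 4 bytes without key or sequence options, ESP with 3DES as an 8-byte SPI/sequence plus 8-byte IV and a 2-byte trailer with no ICV, since the article's transform set is esp-3des alone) are assumptions stated in the code; ESP padding is payload-dependent and not modelled.

```python
"""Header-stack model of GRE over IPSec versus IPSec over GRE.

Added example, not code from the original article. Addresses and crypto ACLs
are the article's lab values; header sizes are assumptions stated below, and
ESP padding (payload-dependent) is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HDR = 20
GRE_HDR = 4          # no key or sequence option
ESP_HDR = 8 + 8      # SPI + sequence, then the 8-byte 3DES IV
ESP_TRAILER = 2      # pad length + next header; no ICV, the article uses esp-3des alone

CryptoAcl = List[Tuple[str, str, str]]   # (src, dst, proto); "ip" matches any proto


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "eigrp", "gre" or "esp"
    inner: Optional["Packet"] = None    # encapsulated packet for gre/esp

    def layers(self) -> List["Packet"]:
        """Header stack from the outermost header down to the original packet."""
        out, p = [], self
        while p is not None:
            out.append(p)
            p = p.inner
        return out


def acl_matches(acl: CryptoAcl, pkt: Packet) -> bool:
    """IOS evaluates the crypto ACL against the packet as it leaves the
    interface holding the crypto map; 'permit ip' matches GRE (47) too."""
    return any(pkt.src == s and pkt.dst == d and proto in ("ip", pkt.proto)
               for s, d, proto in acl)


def gre_encap(pkt: Packet, src: str, dst: str) -> Packet:
    return Packet(src, dst, "gre", pkt)        # delivery IPv4 header + GRE header


def esp_encap(pkt: Packet, src: str, dst: str) -> Packet:
    return Packet(src, dst, "esp", pkt)        # ESP tunnel mode: new outer IPv4 header


def gre_over_ipsec(pkt: Packet) -> Packet:
    """Crypto map on Ethernet1/0, ACL 'permit ip host 192.168.13.1 host
    192.168.23.2': GRE first, then the GRE packet is matched on the way out."""
    acl: CryptoAcl = [("192.168.13.1", "192.168.23.2", "ip")]
    gre = gre_encap(pkt, "192.168.13.1", "192.168.23.2")
    return esp_encap(gre, "192.168.13.1", "192.168.23.2") if acl_matches(acl, gre) else gre


def ipsec_over_gre(pkt: Packet) -> Packet:
    """Crypto map on Tunnel0, ACL 'permit ip host 1.1.1.1 host 2.2.2.2': the
    ACL is checked before GRE, so an EIGRP hello to 224.0.0.10 never matches."""
    acl: CryptoAcl = [("1.1.1.1", "2.2.2.2", "ip")]
    if acl_matches(acl, pkt):
        pkt = esp_encap(pkt, "172.16.12.1", "172.16.12.2")
    return gre_encap(pkt, "192.168.13.1", "192.168.23.2")


def visible(wire: Packet) -> List[str]:
    """What a passive observer on R3 can read: every header down to and
    including the first ESP header, nothing past it."""
    seen = []
    for layer in wire.layers():
        seen.append(f"{layer.proto} {layer.src}->{layer.dst}")
        if layer.proto == "esp":
            break
    return seen


def fixed_overhead(wire: Packet) -> int:
    """Bytes added around the original packet, ESP padding excluded."""
    per_layer = {"gre": IPV4_HDR + GRE_HDR, "esp": IPV4_HDR + ESP_HDR + ESP_TRAILER}
    return sum(per_layer[layer.proto] for layer in wire.layers()[:-1])


def tunnel_ip_mtu(link_mtu: int = 1500) -> int:
    """IOS derives the tunnel IP MTU by subtracting the delivery IPv4 and GRE
    headers from the link MTU: 1500 - 24 = 1476, as shown for Tunnel0."""
    return link_mtu - IPV4_HDR - GRE_HDR


if __name__ == "__main__":
    hello = Packet("172.16.12.1", "224.0.0.10", "eigrp")   # EIGRP hello on Tunnel0
    data = Packet("1.1.1.1", "2.2.2.2", "icmp")            # loopback-to-loopback ping
    for name, design in (("GRE over IPSec", gre_over_ipsec), ("IPSec over GRE", ipsec_over_gre)):
        for label, pkt in (("EIGRP hello", hello), ("data", data)):
            wire = design(pkt)
            print(f"{name}: {label:11} -> observer sees {visible(wire)}, +{fixed_overhead(wire)} bytes")
    print("Tunnel0 IP MTU:", tunnel_ip_mtu())
```

Running it shows that under IPSec over GRE the EIGRP hello is readable down to its inner tunnel addresses while the data packet is hidden behind ESP inside GRE, and that under GRE over IPSec both are reduced to an ESP packet between the public addresses. Both designs wrap the original packet in the same 62 fixed bytes, so the choice is about exposure, not overhead.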

Lab setup

In the following network, R1 and R2 need to run a routing protocol (EIGRP in this article) to exchange their Loopback0 networks. R3 plays the role of a router on the Internet and only routes between 192.168.13.0/24 and 192.168.23.0/24.

[Figure: ipsec-gre]

The initial router configurations are as follows:

hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.13.1 255.255.255.0
!
ip route 192.168.23.0 255.255.255.0 192.168.13.3
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.23.2 255.255.255.0
!
ip route 192.168.13.0 255.255.255.0 192.168.23.3
hostname R3
!
interface Ethernet1/0
 ip address 192.168.13.3 255.255.255.0
!
interface Ethernet1/1
 ip address 192.168.23.3 255.255.255.0

Confirm that the public addresses can reach each other (192.168.13.1 pings 192.168.23.2) but that the loopbacks cannot, since R3 has no route for 1.1.1.0/24 or 2.2.2.0/24:

R1#ping 192.168.23.2 source 192.168.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
R1#
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
.....
Success rate is 0 percent (0/5)

Configuring GRE over IPSec

Now configure GRE over IPSec so that R1 and R2 exchange their Loopback0 networks and 1.1.1.1 can ping 2.2.2.2.

[Figure: ipsec-gre]

Step 1: Define the interesting traffic

Since the goal is to encrypt everything that crosses the link between the two tunnel endpoints, the crypto ACL matches all IP traffic between the two public addresses. The GRE packets are IP packets of protocol 47 between exactly these addresses, so they match. A tighter and more common form for GRE over IPSec matches only GRE (permit gre instead of permit ip), so that the tunnel is encrypted while other traffic to the peer address is left alone.

R1(config)#ip access-list extended IPSEC_TUNNEL 
R1(config-ext-nacl)#permit ip host 192.168.13.1 host 192.168.23.2
R2(config)#ip access-list extended IPSEC_TUNNEL 
R2(config-ext-nacl)#permit ip host 192.168.23.2 host 192.168.13.1

Step 2: Configure IPSec

The Phase 1 and Phase 2 parameters were covered in detail in the IPSec VPN article and are not repeated here. Note that this lab uses the legacy values found in many older examples: DH group 2, 3DES, a pre-shared key, the default ISAKMP hash and lifetime, and a transform set of esp-3des alone. That transform set provides confidentiality but no integrity protection, because no authentication transform such as esp-sha-hmac is included. In production use AES with a SHA-2 HMAC transform and a larger DH group; the encapsulation behaviour discussed in this article does not change.

R1(config)#crypto isakmp key ccie address 192.168.23.2
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto ipsec transform-set TS esp-3des 
R1(cfg-crypto-trans)#exit
R1(config)#crypto map GRE_OVER_IPSEC 10 ipsec-isakmp 
R1(config-crypto-map)#set peer 192.168.23.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#match address IPSEC_TUNNEL
R2(config)#crypto isakmp key ccie address 192.168.13.1
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encryption aes 
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set TS esp-3des 
R2(cfg-crypto-trans)#exit
R2(config)#crypto map GRE_OVER_IPSEC 10 ipsec-isakmp 
R2(config-crypto-map)#set peer 192.168.13.1
R2(config-crypto-map)#set transform-set TS
R2(config-crypto-map)#match address IPSEC_TUNNEL

Step 3: Apply the crypto map to the interface

Apply the IPSec configuration above to the physical interface facing the Internet.

R1(config)#int ethernet 1/0
R1(config-if)#crypto map GRE_OVER_IPSEC
R2(config)#int ethernet 1/0
R2(config-if)#crypto map GRE_OVER_IPSEC

Step 4: Configure the GRE tunnel

Then bring up the GRE tunnel between R1 and R2. The tunnel source and destination are the public addresses, so the GRE packets match the crypto ACL on Ethernet1/0 and are encrypted on the way out.

R1(config)#int tunnel 0
R1(config-if)#ip address 172.16.12.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 192.168.23.2
R2(config)#int tunnel 0
R2(config-if)#ip address 172.16.12.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 192.168.13.1

A ping from 172.16.12.1 to 172.16.12.2 now succeeds, and show crypto ipsec sa confirms that the IPSec tunnel is up and carrying the GRE traffic: the protected identities are the two public addresses and the encaps/decaps counters increase with each packet.

R1#ping 172.16.12.2 source 172.16.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
R1#
R1#show crypto ipsec sa

interface: Ethernet1/0
    Crypto map tag: GRE_OVER_IPSEC, local addr 192.168.13.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.13.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.23.2/255.255.255.255/0/0)
   current_peer 192.168.23.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 47, #pkts encrypt: 47, #pkts digest: 47
    #pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.13.1, remote crypto endpt.: 192.168.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
     current outbound spi: 0x330E2A3(53535395)
     PFS (Y/N): N, DH group: none

<--Output Omitted-->

Step 5: Configure the routing protocol

Finally, all that remains is to configure EIGRP on the tunnel and loopback networks.

R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#network 172.16.12.0 0.0.0.255
R1(config-router)#network 1.1.1.0 0.0.0.255
R2(config)#router eigrp 1
R2(config-router)#no auto-summary
R2(config-router)#network 172.16.12.0 0.0.0.255
R2(config-router)#network 2.2.2.0 0.0.0.255

The neighbor relationship should now form over Tunnel0 and the loopbacks should be reachable, with everything, hellos included, inside ESP.

R1#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.12.2             Tu0                      12 00:00:48   34  1470  0  4
R1#
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms

Configuring IPSec over GRE

Now restore the lab to its initial state and configure IPSec over GRE instead, again so that R1 and R2 exchange their Loopback0 networks and 1.1.1.1 can ping 2.2.2.2.

[Figure: ipsec-gre]

Step 1: Configure the GRE tunnel

Build the GRE tunnel first.

R1(config)#int tunnel 0
R1(config-if)#ip address 172.16.12.1 255.255.255.0
R1(config-if)#tunnel source ethernet 1/0
R1(config-if)#tunnel destination 192.168.23.2
R2(config)#int tunnel 0
R2(config-if)#ip address 172.16.12.2 255.255.255.0
R2(config-if)#tunnel source ethernet 1/0
R2(config-if)#tunnel destination 192.168.13.1

Confirm that the GRE tunnel passes traffic. Nothing is encrypted at this point.

R1#ping 172.16.12.2 source 172.16.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms

Step 2: Configure the routing protocol

R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#network 172.16.12.0 0.0.0.255
R1(config-router)#network 1.1.1.0 0.0.0.255
R2(config)#router eigrp 1
R2(config-router)#no auto-summary
R2(config-router)#network 172.16.12.0 0.0.0.255
R2(config-router)#network 2.2.2.0 0.0.0.255

1.1.1.1 can now ping 2.2.2.2, but neither the EIGRP exchange nor the data is encrypted yet.

R1#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.12.2             Tu0                      14 00:04:07   67  1470  0  6
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/28 ms

Step 3: Define the interesting traffic

Since the goal is to encrypt the data, i.e. traffic between 1.1.1.1 and 2.2.2.2, the crypto ACL matches only that pair. Anything that does not match, including the EIGRP multicast hellos and updates, keeps crossing the GRE tunnel in cleartext.

R1(config)#ip access-list extended IPSEC_TUNNEL 
R1(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2
R2(config)#ip access-list extended IPSEC_TUNNEL 
R2(config-ext-nacl)#permit ip host 2.2.2.2 host 1.1.1.1

Step 4: Configure IPSec

The IPSec configuration is almost the same as for GRE over IPSec; only the peer addresses differ. Because IPSec is now built on top of the GRE tunnel, the peers are the tunnel addresses 172.16.12.1 and 172.16.12.2, and those addresses form the outer header of the ESP packets that travel inside the GRE tunnel.

R1(config)#crypto isakmp key ccie address 172.16.12.2
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto ipsec transform-set TS esp-3des 
R1(cfg-crypto-trans)#exit
R1(config)#crypto map IPSEC_OVER_GRE 10 ipsec-isakmp 
R1(config-crypto-map)#set peer 172.16.12.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#match address IPSEC_TUNNEL
R2(config)#crypto isakmp key ccie address 172.16.12.1
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encryption aes 
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set TS esp-3des 
R2(cfg-crypto-trans)#exit
R2(config)#crypto map IPSEC_OVER_GRE 10 ipsec-isakmp 
R2(config-crypto-map)#set peer 172.16.12.1
R2(config-crypto-map)#set transform-set TS
R2(config-crypto-map)#match address IPSEC_TUNNEL

Step 5: Apply the crypto map to the tunnel interface

Finally, apply the IPSec configuration above to the tunnel interface. The first echo is lost while IKE negotiates the SAs on demand; the remaining four succeed, and the counters show exactly four packets encrypted and decrypted. Note the path MTU of 1476 on Tunnel0: the 20-byte delivery IP header and the 4-byte GRE header are subtracted from the 1500-byte interface MTU, and the ESP header and trailer must then fit inside that, so the usable payload is smaller still.

R1(config)#int tunnel 0
R1(config-if)#crypto map IPSEC_OVER_GRE
R2(config)#int tunnel 0
R2(config-if)#crypto map IPSEC_OVER_GRE
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/41/44 ms
R1# 
R1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: IPSEC_OVER_GRE, local addr 172.16.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 172.16.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.12.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xBC0A1C2(197173698)
     PFS (Y/N): N, DH group: none

<--Output Omitted-->
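Both procedures end with the same check: reading show crypto ipsec sa and confirming that the SA is between the peers the design calls for, protects the identities the design calls for, and is actually encrypting packets. The parser below is an added example written for this page, not code from the article or from Cisco; SAMPLE is constructed from the fields of the IPSec over GRE output above (the compression lines dropped), only the first SA entry in a capture is parsed, and the rules in check_sa (peer and identities as designed, non-zero encrypt counter, encaps and decaps within a small skew, no errors, a warning when PFS is off) are this example's own suggestions rather than any IOS feature.

```python
"""Parse IOS 'show crypto ipsec sa' output and sanity-check one SA entry.

Added example, not from the original article. SAMPLE is constructed from the
fields of the article's IPSec over GRE output; the checks in check_sa are this
example's own rules, not an IOS feature. Only the first SA entry is parsed.
"""
import re
from typing import Dict, List, Union

SAMPLE = """\
interface: Tunnel0
    Crypto map tag: IPSEC_OVER_GRE, local addr 172.16.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 172.16.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.12.1, remote crypto endpt.: 172.16.12.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xBC0A1C2(197173698)
     PFS (Y/N): N, DH group: none
"""

# Field name -> regex with one capture group; fields in INT_FIELDS become ints.
FIELDS = {
    "interface": r"^interface:\s+(\S+)",
    "crypto_map": r"Crypto map tag:\s+([^,]+),",
    "local_addr": r"local addr\s+(\S+)",
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "peer": r"current_peer\s+(\S+)\s+port",
    "peer_port": r"current_peer\s+\S+\s+port\s+(\d+)",
    "encaps": r"#pkts encaps:\s+(\d+)",
    "encrypt": r"#pkts encrypt:\s+(\d+)",
    "decaps": r"#pkts decaps:\s+(\d+)",
    "send_errors": r"#send errors\s+(\d+)",
    "recv_errors": r"#recv errors\s+(\d+)",
    "path_mtu": r"path mtu\s+(\d+)",
    "pfs": r"PFS \(Y/N\):\s+([YN])",
}
INT_FIELDS = {"peer_port", "encaps", "encrypt", "decaps",
              "send_errors", "recv_errors", "path_mtu"}


def parse_ipsec_sa(text: str) -> Dict[str, Union[str, int]]:
    """Extract the fields above from the first SA entry in the output."""
    sa: Dict[str, Union[str, int]] = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            sa[name] = int(m.group(1)) if name in INT_FIELDS else m.group(1)
    return sa


def check_sa(sa: Dict[str, Union[str, int]], peer: str, local_ident: str,
             remote_ident: str, skew: int = 2) -> List[str]:
    """Return finding codes; an empty list means the SA looks as designed.
    peer/local_ident/remote_ident are what the design calls for: public
    addresses for GRE over IPSec, tunnel addresses and loopbacks for
    IPSec over GRE."""
    findings = []
    if sa.get("peer") != peer:
        findings.append("peer-mismatch")
    if (sa.get("local_ident"), sa.get("remote_ident")) != (local_ident, remote_ident):
        findings.append("ident-mismatch")
    if sa.get("encrypt", 0) == 0:
        # Nothing matched the crypto ACL: wrong ACL, wrong interface, or the
        # traffic never reached the interface holding the crypto map.
        findings.append("no-traffic-encrypted")
    if abs(sa.get("encaps", 0) - sa.get("decaps", 0)) > skew:
        findings.append("encaps-decaps-skew")
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        findings.append("sa-errors")
    if sa.get("pfs") == "N":
        findings.append("pfs-disabled")   # advisory: the crypto map has no set pfs
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE)
    print(sa)
    print(check_sa(sa, peer="172.16.12.2",
                   local_ident="1.1.1.1/255.255.255.255/0/0",
                   remote_ident="2.2.2.2/255.255.255.255/0/0"))
```

For the GRE over IPSec output earlier in the article the same check would be run with peer 192.168.23.2 and the two public addresses as identities; an SA whose identities turn out to be the loopbacks when the public addresses were expected (or the reverse) is the quickest sign that the crypto map landed on the wrong interface.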

2018-12-09

Posted in: 虛擬私人網路 VPN (Virtual Private Network)
