路由器SVTI站点到站点VPN
在IOS 12.4之前建立安全的站点间隧道只能采用GRE over IPSec,从IOS 12.4之后设计了一种全新的隧道技术,即VIT(Virtual Tunnel Interface),这种技术是直接采用IPSec来创建的一个VTI隧道接口。相比GRE over IPSec,VTI技术减少了每个包GRE头部的那4B。 VTI分类:SVTI(静态VTI)和DVTI(Dynamic VTI)动态VTI
默认基本配置完成R1的配置crypto isakmp policy 10 authentication pre-sharecrypto isakmp key cisco address 23.1.1.3!crypto ipsec transform-set trans esp-des esp-md5-hmac !crypto ipsec profile SVTI//名字是SVTI set transform-set trans !interface Loopback0 ip address 1.1.1.1 255.255.255.0 !interface Tunnel13 ip address 13.1.1.1 255.255.255.0 tunnel source 12.1.1.1 tunnel mode ipsec ipv4 tunnel destination 23.1.1.3 tunnel protection ipsec profile SVTI !interface FastEthernet1/0 ip address 12.1.1.1 255.255.255.0 duplex auto speed auto ! router ospf 1 router-id 1.1.1.1 log-adjacency-changes network 1.1.1.0 0.0.0.255 area 0 network 13.1.1.0 0.0.0.255 area 0!ip route 0.0.0.0 0.0.0.0 12.1.1.2R2的配置:interface FastEthernet1/0 ip address 12.1.1.2 255.255.255.0 duplex auto speed auto !!interface FastEthernet1/1 ip address 23.1.1.2 255.255.255.0 duplex auto speed autoR3的配置:crypto isakmp policy 10 authentication pre-sharecrypto isakmp key cisco address 12.1.1.1!crypto ipsec transform-set trans esp-des esp-md5-hmac !crypto ipsec profile SVTI set transform-set trans !interface Loopback0 ip address 3.3.3.3 255.255.255.0 !interface Tunnel13 ip address 13.1.1.3 255.255.255.0 tunnel source 23.1.1.3 tunnel mode ipsec ipv4 tunnel destination 12.1.1.1 tunnel protection ipsec profile SVTI !interface FastEthernet1/0 ip address 23.1.1.3 255.255.255.0 duplex auto speed auto !router ospf 1 router-id 3.3.3.3 log-adjacency-changes network 3.3.3.0 0.0.0.255 area 0 network 13.1.1.0 0.0.0.255 area 0!ip route 0.0.0.0 0.0.0.0 23.1.1.2R1#show crypto engine connections active Crypto Engine Connections ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 1 IPsec DES+MD5 0 196 224 12.1.1.1 2 IPsec DES+MD5 232 0 0 12.1.1.1 1001 IKE SHA+DES 0 0 0 12.1.1.1R1#show crypto ipsec sa interface: Tunnel13 Crypto map tag: Tunnel13-head-0, local addr 12.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)//可以看见这里的感兴趣流为任意源到任意目的,但是注意的是不是所有加入site1的都加密,而是进入SVTI的流量才会加密 remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 23.1.1.3 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240 #pkts decaps: 201, #pkts decrypt: 201, #pkts verify: 201 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 30 local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0 current outbound spi: 0x8965E6D8(2305156824) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xE60BC2FF(3859530495) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: Tunnel13-head-0 sa timing: remaining key lifetime (k/sec): (4595852/1924) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x8965E6D8(2305156824) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: Tunnel13-head-0 sa timing: remaining key lifetime (k/sec): (4595851/1924) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: