DVPN Full-Mesh Networking: a Lab Configuration Example
On Friday a colleague and I were discussing a customer's typical requirement of interconnecting a headquarters with multiple branches, and DVPN came up, so I went back and built a simulated environment to test it. It can be fully implemented in the simulator. Sharing it here.
Lab topology diagram:
Topology description:
1. RT1 simulates the headquarters and is the DVPN hub node. The headquarters' public address is statically assigned, and a loopback simulates its private network.
2. RT2 simulates the public network.
3. RT3 is the VAM server. It accepts registrations from the DVPN nodes and manages and maintains the information for each DVPN node.
4. RT4 and RT5 simulate branches and are the DVPN spoke nodes. The branch public addresses are obtained dynamically, and a loopback simulates each private network.
5. Public-network routing uses OSPF process 1; private-network routing between branches uses OSPF process 100.
Configuration approach:
1. Configure the interface addresses on each router, and configure a DHCP server on RT2 so that the uplink interfaces of RT4 and RT5 obtain their IP addresses automatically.
(omitted)
2. Configure public-network routing in OSPF process 1: add the relevant public interfaces of RT1, RT2 and RT3 with network statements, so that the public addresses of RT1, RT3, RT4 and RT5 are mutually reachable.
(omitted)
3. Configure the VAM server
1) Create AAA authentication entries for the DVPN nodes. This lab uses local authentication, so three local users are created on the VAM server.
#
local-user vpn1hub
 password simple vpn1hub
 service-type dvpn
local-user vpn1spoke1
 password simple vpn1spoke1
 service-type dvpn
local-user vpn1spoke2
 password simple vpn1spoke2
 service-type dvpn
2) Specify the IP address the VAM server listens on, i.e. the public address of its own interface.
vam server ip-address 10.1.23.3
3) Create the VPN domain, configure the pre-shared key, configure CHAP authentication of the clients, specify the hub address of the VPN domain, and enable the VAM server function for the domain.
#
vam server vpn 1
 pre-shared-key simple 123
 authentication-method chap
 hub private-ip 172.16.1.1
 server enable
4. Hub node configuration
1) Create the VAM client for the VPN domain, configure the VAM server IP address, the pre-shared key, the username and password used for node access authentication, and enable the client.
#
vam client name vpn1hub
 vpn 1
 server primary ip-address 10.1.23.3
 pre-shared-key simple 123
 user vpn1hub password simple vpn1hub
 client enable
2) Configure the IPsec proposal, the IKE peer, and the IPsec profile.
#
ipsec proposal vam
 esp authentication-algorithm sha1
#
ike peer vam
 pre-shared-key cipher PMEfbsX04vk=
#
ipsec profile vamp
 pfs dh-group2
 ike-peer vam
 proposal vam
 sa duration time-based 600
3) Configure the tunnel interface Tunnel1 for the VPN domain: tunnel IP address, UDP encapsulation, the tunnel source interface, OSPF network type broadcast, and bind the VAM client and the IPsec profile.
#
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol dvpn udp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 ipsec profile vamp
 vam client vpn1hub
4) Configure private-network routing.
#
ospf 100
 area 0.0.0.0
  network 172.16.1.1 0.0.0.0
  network 192.168.1.1 0.0.0.0
5. The spoke node configuration follows the same idea as the hub configuration and is omitted.
Note: the pre-shared key, the username and password, the VAM server IP address, the OSPF network type of the tunnel interface, and the IPsec negotiation parameters must match across all nodes. Two lab shortcuts above should not be carried into production: the `simple` keyword stores the VAM pre-shared key and the user passwords in cleartext in the configuration file (use `cipher`, as the IKE peer above already does), and a VAM key of `123` is a placeholder, not a key. The IPsec proposal also sets only the ESP authentication algorithm, so the encryption algorithm is whatever the platform default is; set it explicitly and identically on hub and spokes.
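As an added example that is not part of the original post, here is a complete spoke configuration for RT4 (spoke1), derived from the hub configuration above and from the `display` outputs that follow (private address 172.16.1.2, user vpn1spoke1, Router ID 4.4.4.4, loopback 192.168.2.1). The following are my assumptions, not facts from the page: the uplink interface name GigabitEthernet0/0/0 and the DHCP-assigned address on it, the IKE pre-shared key `123` (it must equal the hub's IKE key, whose cleartext the page does not show), the `ospf dr-priority 0` line (consistent with the `Pri 0` shown for both spokes in the hub's `display ospf peer` output, so that the hub is always the DR on the broadcast-type tunnel), and the static default route via 10.1.24.2 as RT2's address on the branch link. Comware configuration has no comment syntax, so the assumptions are listed here rather than in the block.

```text
#
 sysname rt4-spoke1
#
 router id 4.4.4.4
#
vam client name vpn1spoke1
 vpn 1
 server primary ip-address 10.1.23.3
 pre-shared-key simple 123
 user vpn1spoke1 password simple vpn1spoke1
 client enable
#
ipsec proposal vam
 esp authentication-algorithm sha1
#
ike peer vam
 pre-shared-key simple 123
#
ipsec profile vamp
 pfs dh-group2
 ike-peer vam
 proposal vam
 sa duration time-based 600
#
interface GigabitEthernet0/0/0
 ip address dhcp-alloc
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.255
#
interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol dvpn udp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 ospf dr-priority 0
 ipsec profile vamp
 vam client vpn1spoke1
#
ospf 100
 area 0.0.0.0
  network 172.16.1.2 0.0.0.0
  network 192.168.2.1 0.0.0.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.24.2
#
```

RT5 (spoke2) is identical apart from the client name and user `vpn1spoke2`, tunnel address 172.16.1.3, loopback 192.168.3.1, Router ID 5.5.5.5 and its own default gateway. The `ipsec proposal` deliberately mirrors the hub's, leaving the ESP encryption algorithm at the platform default so the SA negotiates against the hub configuration shown; if you add an explicit `esp encryption-algorithm` line, add the same line on the hub, or IKE phase 2 will fail and `display dvpn session all` will never reach `State: SUCCESS`. After the spoke registers, `display vam client address-map` on the spoke should list the hub entry, and a ping from 192.168.2.1 to 192.168.3.1 should create the Spoke-Spoke session seen later in this post.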
Troubleshooting and verification:
1. Display the address-map information of all VAM clients registered with the primary VAM server:
<rt3-vam-server>display vam server address-map all
VPN name: 1
Total address-map number: 3
Private-ip       Public-ip        Type     Holding time
172.16.1.1       10.1.12.1        Hub      2H 26M 37S
172.16.1.2       10.1.24.1        Spoke    2H 28M 41S
172.16.1.3       10.1.25.1        Spoke    2H 28M 36S
<rt3-vam-server>
Note: if node information is missing or incomplete here, check the following first:
1) whether each node's tunnel interface is up and the public addresses can ping each other;
2) whether the pre-shared key is correct;
3) whether the username and password are correct and the service type (dvpn) is configured for the local user.
2. Display the client's status information:
<RT1-hub>display vam client address-map
Client name: vpn1hub
VPN name: 1
Total address-map number: 1
Private-ip       Public-ip        Type     Remaining-time(s)
172.16.1.1       10.1.12.1        Hub      --
<RT1-hub>
3. Display the DVPN session information on the hub. Both sessions are of type Hub-Spoke:
<RT1-hub>display dvpn session all
Interface: Tunnel1
VPN name: 1
Total number: 2
 Private IP: 172.16.1.2
 Public IP: 10.1.24.1
 Session type: Hub-Spoke
 State: SUCCESS
 Holding time: 2h 30m 6s
 Input:  1426 packets, 1260 data packets, 166 control packets
         1240 multicasts, 0 errors
 Output: 1432 packets, 1247 data packets, 185 control packets
         1226 multicasts, 0 errors

 Private IP: 172.16.1.3
 Public IP: 10.1.25.1
 Session type: Hub-Spoke
 State: SUCCESS
 Holding time: 2h 30m 4s
 Input:  1430 packets, 1256 data packets, 174 control packets
         1231 multicasts, 0 errors
 Output: 1431 packets, 1250 data packets, 181 control packets
         1225 multicasts, 0 errors
<RT1-hub>
Display the DVPN session information on a spoke. Besides the Spoke-Hub session there is a Spoke-Spoke session to RT5 (172.16.1.3); its holding time of only a few seconds shows it was built on demand when spoke-to-spoke traffic was sent, which is what distinguishes full-mesh mode from hub-spoke mode:
<rt4-spoke1>dis dvpn session all
Interface: Tunnel1
VPN name: 1
Total number: 2
 Private IP: 172.16.1.1
 Public IP: 10.1.12.1
 Session type: Spoke-Hub
 State: SUCCESS
 Holding time: 2h 33m 28s
 Input:  1464 packets, 1276 data packets, 188 control packets
         1254 multicasts, 0 errors
 Output: 1462 packets, 1289 data packets, 173 control packets
         1268 multicasts, 0 errors

 Private IP: 172.16.1.3
 Public IP: 10.1.25.1
 Session type: Spoke-Spoke
 State: SUCCESS
 Holding time: 0h 0m 3s
 Input:  6 packets, 4 data packets, 2 control packets
         0 multicasts, 0 errors
 Output: 5 packets, 4 data packets, 1 control packets
         0 multicasts, 0 errors
<rt4-spoke1>
4. Display the OSPF neighbor information. In process 100 both spokes are Full/DROther over Tun1 with priority 0, so the hub is the DR on the broadcast-type tunnel network:
<RT1-hub>dis ospf peer
          OSPF Process 1 with Router ID 1.1.1.1
                Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  Interface  State
 2.2.2.2         10.1.12.2       1   29         GE0/0/0    Full/DR

          OSPF Process 100 with Router ID 1.1.1.1
                Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  Interface  State
 4.4.4.4         172.16.1.2      0   37         Tun1       Full/DROther
 5.5.5.5         172.16.1.3      0   40         Tun1       Full/DROther
<RT1-hub>
5. Display the routing information. The branch private networks 192.168.2.1/32 and 192.168.3.1/32 are learned via OSPF process 100 over Tun1:
<RT1-hub>display ip routing-table
Routing Tables: Public
         Destinations : 13        Routes : 13

Destination/Mask    Proto  Pre  Cost   NextHop         Interface
1.1.1.1/32          Direct 0    0      127.0.0.1       InLoop0
10.1.12.0/24        Direct 0    0      10.1.12.1       GE0/0/0
10.1.12.1/32        Direct 0    0      127.0.0.1       InLoop0
10.1.23.0/24        OSPF   10   2      10.1.12.2       GE0/0/0
10.1.24.0/24        OSPF   10   2      10.1.12.2       GE0/0/0
10.1.25.0/24        OSPF   10   2      10.1.12.2       GE0/0/0
127.0.0.0/8         Direct 0    0      127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0      127.0.0.1       InLoop0
172.16.1.0/24       Direct 0    0      172.16.1.1      Tun1
172.16.1.1/32       Direct 0    0      127.0.0.1       InLoop0
192.168.1.1/32      Direct 0    0      127.0.0.1       InLoop0
192.168.2.1/32      OSPF   10   1562   172.16.1.2      Tun1
192.168.3.1/32      OSPF   10   1562   172.16.1.3      Tun1
<RT1-hub>