Configuring a VTI-based IPsec VPN
Last time I asked Uncle Geng about getting multicast traffic across an IPsec VPN; the solution we used then was GRE over IPsec, and it worked well. Later I heard Uncle Geng mention VTI, so in the evening I looked up the relevant documentation and studied the configuration. I'm posting it here to share with everyone, in the hope that it helps those who need it:
A brief introduction to VTI:
SVTI (static VTI) configuration is used for site-to-site connections (L2L VPN); the tunnel between the two sites is "always-on". Compared with the traditional crypto map configuration, SVTI has two advantages: a dynamic routing protocol can run over the tunnel interface, and the extra 4-byte GRE header (as used in GRE over IPsec) is not needed, which reduces the bandwidth consumed by sending encrypted data. Many Cisco IOS features can be configured directly on the tunnel interface and on the physical interface, and this direct configuration gives the user much stronger control over traffic both before and after encryption.
Lab topology:
Lab steps (R2):
1. Define the crypto (ISAKMP) policy
2. Define the pre-shared key
3. Define the transform set
4. Define the IPsec profile
5. Configure Tunnel0
6. Configure OSPF
7. Advertise the tunnel interface into OSPF
8. Test
R4:
R4#show run
Building configuration...

Current configuration : 2042 bytes
!
! Last configuration change at 21:35:17 UTC Sat Apr 13 2013
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
! Phase 1 (IKEv1) policy. 3DES, MD5 and DH group 2 are what the lab used;
! all three are legacy today (AES, SHA-2 and DH group 14 or higher are the
! current minimums), but they must match whatever the peer R2 is configured with.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Pre-shared key, bound to the peer's physical address (the VTI's tunnel destination)
crypto isakmp key cisco address 23.1.1.2
!
! Phase 2 transform set. An IPsec VTI requires the transform set to be in tunnel mode.
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
 mode tunnel
!
! IPsec profile that ties the transform set to the tunnel interface
crypto ipsec profile pro
 set transform-set cisco
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
! The SVTI itself. "tunnel mode ipsec ipv4" makes Tunnel0 an IPsec VTI (ESP
! encapsulation directly, no GRE header) and "tunnel protection" attaches the
! profile, so whatever is routed into Tunnel0 is encrypted; no crypto ACL is needed.
interface Tunnel0
 ip address 24.1.1.4 255.255.255.0
 tunnel source 34.1.1.4
 tunnel mode ipsec ipv4
 tunnel destination 23.1.1.2
 tunnel protection ipsec profile pro
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
!
interface Serial1/0
 ip address 34.1.1.4 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 45.1.1.4 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
! OSPF runs over the tunnel interface (the point of using a VTI instead of a
! crypto map). Note the router-id is 3.3.3.3 rather than 4.4.4.4; if R3 also
! uses 3.3.3.3 the duplicate router-id will break the OSPF adjacency.
router ospf 1
 router-id 3.3.3.3
 network 4.4.4.4 0.0.0.0 area 0
 network 24.1.1.4 0.0.0.0 area 0
 network 45.1.1.4 0.0.0.0 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
! Host route to the tunnel destination over the physical link, so the tunnel
! endpoint is never reached through a route learned over the tunnel itself
! (which would cause recursive routing and flap Tunnel0)
ip route 23.1.1.2 255.255.255.255 Serial1/0
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
R1, R3 and R5 configurations omitted.
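The post shows only R4; the R2 side was in screenshots that did not survive. As an added example (not the original poster's configuration), here is the matching R2 side, mirrored from the R4 config above so the two ends agree. It covers both the "Lab steps" list and the VTI-versus-GRE comparison in the introduction. Taken from R4's config: R2's physical address 23.1.1.2, the tunnel subnet 24.1.1.0/24, and the ISAKMP/transform-set parameters. Assumed (not in the original): Loopback0 2.2.2.2, Tunnel0 24.1.1.2, R2's WAN interface being Serial1/0, and R3's address 23.1.1.3 as the next hop. The trailing comment shows the one line that differs from a GRE over IPsec tunnel interface: `tunnel mode ipsec ipv4` turns the interface into an IPsec VTI, so packets routed into Tunnel0 go straight into ESP (IPsec tunnel mode) without a GRE header, and the routing table, not a crypto ACL, decides what gets encrypted.

```cisco
! Added example: R2 side of the SVTI, mirrored from the R4 config in the post.
! Assumed (not in the original): Loopback0 2.2.2.2, Tunnel0 24.1.1.2,
! R2's WAN interface is Serial1/0, and R3's address on 23.1.1.0/24 is 23.1.1.3.
!
! Phase 1: must match R4 exactly (3des / md5 / pre-share / group 2). These are
! legacy settings kept only to match the lab; use AES, SHA-2 and DH group 14 or
! higher in production.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! The key is bound to R4's physical address, i.e. R2's tunnel destination
crypto isakmp key cisco address 34.1.1.4
!
! Phase 2: an IPsec VTI requires the transform set in tunnel mode
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile pro
 set transform-set cisco
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
 ip address 23.1.1.2 255.255.255.0
 no shutdown
!
! The SVTI. Source and destination are simply swapped relative to R4.
interface Tunnel0
 ip address 24.1.1.2 255.255.255.0
 tunnel source 23.1.1.2
 tunnel mode ipsec ipv4
 tunnel destination 34.1.1.4
 tunnel protection ipsec profile pro
!
! OSPF over the tunnel. Use a router-id that is unique in the area (R4's config
! reuses 3.3.3.3, which collides if R3 has that id too).
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 24.1.1.2 0.0.0.0 area 0
!
! Reach the tunnel endpoint over the physical path, never through the tunnel
! itself (otherwise recursive routing flaps Tunnel0)
ip route 34.1.1.4 255.255.255.255 23.1.1.3
!
! For comparison, a GRE over IPsec tunnel interface differs only in its mode:
!   interface Tunnel0
!    tunnel mode gre ip            <- the default; adds the 4-byte GRE header
!    tunnel protection ipsec profile pro
! The ISAKMP policy, transform set, profile and OSPF are identical, which is
! why the two configurations look so alike.
!
! Verification (on either router):
!   show crypto isakmp sa       <- expect QM_IDLE for the peer
!   show crypto ipsec sa        <- #pkts encaps/decaps counters increase on ping
!   show ip ospf neighbor       <- expect FULL over Tunnel0
!   show interfaces tunnel 0    <- "Tunnel protocol/transport IPSEC/IP"
!   ping 4.4.4.4 source 2.2.2.2
```

Both routers must agree on every ISAKMP and transform-set parameter; a mismatch shows up as the ISAKMP SA never leaving MM_NO_STATE and an Tunnel0 line protocol that stays down.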
First! A really good technical share, thanks OP :)

IPsec is used on top of the GRE tunnel to encapsulate the datagrams. Good to learn from!

VTI is really just a tunnel, equivalent to a virtual leased line.

I don't know the tech, just here to cheer.

I looked carefully at your GRE IPsec VPN config and this VTI IPsec VPN config and couldn't find where the two configurations differ.

tunnel mode ipsec ipv4? This line? What does it do?