Last time I asked Uncle Geng about getting multicast traffic across an IPsec VPN; the solution we used then was GRE over IPsec, and it worked well. Later I heard Uncle Geng mention VTI technology, so in the evening I looked up the relevant documents and studied the configuration. I'm posting it here to share with everyone, in the hope that it helps anyone who needs it:
Brief introduction to VTI:
An SVTI configuration is used for site-to-site connections (L2L VPN); the tunnel between the two sites is "always-on". Compared with a traditional crypto map configuration, the advantage of SVTI is that dynamic routing protocols can run on the tunnel interface, and the extra 4-byte GRE header (as in GRE over IPsec) is not needed, which reduces the bandwidth consumed when sending encrypted data.
Many Cisco IOS features can be configured directly on the tunnel interface and on the physical interface; this direct configuration gives the user stronger control over traffic both before and after encryption.
Lab topology:
Lab steps:
R2:
Define the crypto policy:
Define the pre-shared key:
Define the transform set:
Define the IPsec profile:
Configure Tunnel0:
Configure OSPF: advertise the Tunnel interface into OSPF:
Test:
R4:
R4#show run
Building configuration...
Current configuration : 2042 bytes
!
! Last configuration change at 21:35:17 UTC Sat Apr 13 2013
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 23.1.1.2
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile pro
set transform-set cisco
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Tunnel0
ip address 24.1.1.4 255.255.255.0
tunnel source 34.1.1.4
tunnel mode ipsec ipv4
tunnel destination 23.1.1.2
tunnel protection ipsec profile pro
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface Serial1/0
ip address 34.1.1.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 45.1.1.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
router-id 3.3.3.3
network 4.4.4.4 0.0.0.0 area 0
network 24.1.1.4 0.0.0.0 area 0
network 45.1.1.4 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 23.1.1.2 255.255.255.255 Serial1/0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1, R3 and R5 configuration: omitted!!!
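As an added example (my own script, not from the post or from Cisco), here is a small auditor that parses an IOS running-config like R4's above and flags the points a reviewer would check on an SVTI setup: the ISAKMP policy's encryption, hash and DH group, the ESP transform set, and whether each Tunnel interface actually carries `tunnel mode ipsec ipv4` and `tunnel protection`. The embedded config is a constructed excerpt of R4's config; the "weak" sets reflect algorithms that are deprecated today (DES/3DES, MD5/SHA-1, DH groups 1/2/5).

```python
# IKEv1 policy values that are deprecated today (in IOS, "hash sha" means SHA-1)
ISAKMP_WEAK = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
# Constructed sample: the ISAKMP/IPsec/Tunnel0 lines taken from R4's running-config above
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto ipsec profile pro
 set transform-set cisco
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile pro
"""

def parse_sections(config):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if not line.startswith(" "):
            current = line.strip()        # new top-level command
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_svti(config):
    """Return findings on the ISAKMP policy, ESP transform set and SVTI protection."""
    findings = []
    for head, body in parse_sections(config).items():
        if head.startswith("crypto isakmp policy"):
            for sub in body:
                kw, *arg = sub.split()
                if kw in ISAKMP_WEAK and arg[0] in ISAKMP_WEAK[kw]:
                    findings.append(f"{head}: weak {kw} {arg[0]}")
        elif head.startswith("crypto ipsec transform-set"):
            if set(head.split()[4:]) & WEAK_ESP:   # words after the set name
                findings.append(f"{head}: weak ESP transform")
        elif head.startswith("interface Tunnel"):
            if "tunnel mode ipsec ipv4" not in body:
                findings.append(f"{head}: not an IPsec VTI (no 'tunnel mode ipsec ipv4')")
            if not any(s.startswith("tunnel protection ipsec profile") for s in body):
                findings.append(f"{head}: no 'tunnel protection', tunnel traffic is cleartext")
    return findings
```

Running `audit_svti(SAMPLE_CONFIG)` reports the 3DES/MD5/group 2 policy and the esp-3des/esp-md5-hmac transform set, while Tunnel0 itself passes because it has both the IPsec mode and the profile bound to it.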