Creating an IPSEC VPN between three routers?

network-engineering vpn security ipsec networking
2022-02-13 16:27:46

I am trying to set up a mesh of IPSEC tunnels between three Cisco IOSv routers. I have been able to establish an IPSEC tunnel between two directly connected routers, but once I add a third router it gets complicated. I am not sure whether I need to create a separate crypto map for each connection or whether I can use a single crypto map for all connections.

Please see the diagram below: [image]

I tried to keep it simple by using only static routes between the routers. I think the problem is with Router2. As it stands, PC3 can successfully ping PC1 but cannot ping PC2. Likewise, PC1 can ping PC3 but cannot ping PC2. Router1 can ping Router3 but cannot ping Router2. Likewise, Router3 can ping Router1 but cannot ping Router2.

Any help would be great!

Here are the configs:

Router1 -

Current configuration : 3807 bytes
!
! Last configuration change at 15:37:40 UTC Tue Apr 7 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.10.10.3
crypto isakmp key cisco address 10.10.10.2
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
!
crypto map TST 10 ipsec-isakmp
 set peer 10.10.10.3
 set peer 10.10.10.2
 set transform-set TSET
 match address 100
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 172.16.31.225 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 crypto map TST
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 172.16.32.224 255.255.255.252 10.10.10.2
ip route 172.16.33.224 255.255.255.252 10.10.10.3
!
!
!
access-list 100 permit ip host 10.10.10.1 host 10.10.10.3
access-list 100 permit ip host 10.10.10.1 host 10.10.10.2
access-list 100 permit ip any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Router2 -

Current configuration : 3944 bytes
!
! Last configuration change at 15:42:55 UTC Tue Apr 7 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
no process cpu autoprofile hog
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.10.10.3
crypto isakmp key cisco address 10.10.10.1
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map TST 10 ipsec-isakmp
 set peer 10.10.10.3
 set peer 10.10.10.1
 set transform-set TSET
 match address 100
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 172.16.32.225 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map TST
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 172.16.31.224 255.255.255.252 10.10.10.1
ip route 172.16.33.224 255.255.255.252 10.10.10.3
!
!
!
access-list 100 permit ip host 10.10.10.2 host 10.10.10.1
access-list 100 permit ip host 10.10.10.2 host 10.10.10.3
access-list 100 permit ip any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Router3 -

Current configuration : 3909 bytes
!
! Last configuration change at 15:47:48 UTC Tue Apr 7 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
no process cpu autoprofile hog
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.10.10.1
crypto isakmp key cisco address 10.10.10.2
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map TST 10 ipsec-isakmp
 set peer 10.10.10.1
 set peer 10.10.10.2
 set transform-set TSET
 match address 100
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 172.16.33.225 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 10.10.10.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map TST
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 172.16.31.224 255.255.255.252 10.10.10.1
ip route 172.16.32.224 255.255.255.252 10.10.10.2
!
!
!
access-list 100 permit ip host 10.10.10.3 host 10.10.10.1
access-list 100 permit ip host 10.10.10.3 host 10.10.10.2
access-list 100 permit ip any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

When Router2 tries to ping Router1, I get the following error messages:

Router2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:

*Apr  7 16:25:52.823: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.10.10.1, prot=50, spi=0xC94E3260(3377345120), srcaddr=10.10.10.3, input interface=GigabitEthernet0/1
*Apr  7 16:25:52.824: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.10.10.1, src_addr= 10.10.10.3, prot= 50.....
Success rate is 0 percent (0/5)

1 Answer

You need a separate crypto map section and a separate access list for each tunnel. Roughly like this:

crypto map TST 10 ipsec-isakmp
 set peer <router2>
 set transform-set TSET
 match address <router1-router2>
!
crypto map TST 20 ipsec-isakmp
 set peer <router3>
 set transform-set TSET
 match address <router1-router3>

Note that you cannot route between the sites. In other words, if the tunnel from R1 to R3 goes down, you will not be able to get from R1 to R3 via R2. That requires a different configuration with GRE or VTI tunnels.
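As an added example, not part of the original question or answer, here is Router1's crypto section with the answer's advice applied in full: one crypto map entry and one crypto ACL per peer, with each ACL limited to the address pairs that belong on that tunnel (the router endpoints and the /30 LANs behind each router, taken from the configs above). Router2's mirrored ACLs and crypto map follow; Router3 uses the same pattern. The ACL names, the placeholder pre-shared keys and the swap from 3DES/MD5/group 2 to AES-256/SHA-256/group 14 are my choices, not the page's; whatever algorithms you pick must be identical on every peer.

```cisco
! Router1 -- added example, not the configuration from the question.
! Every peer needs its own ISAKMP key; use distinct, non-trivial keys.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-R1-R2-placeholder> address 10.10.10.2
crypto isakmp key <PSK-R1-R3-placeholder> address 10.10.10.3
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACLs select the traffic for ONE tunnel each. No "permit ip any any":
! that would steer every packet, including traffic for the other peer, into
! whichever SA was negotiated first. The peer's ACL must be the exact mirror.
ip access-list extended R1-TO-R2
 permit ip 172.16.31.224 0.0.0.3 172.16.32.224 0.0.0.3
 permit ip host 10.10.10.1 host 10.10.10.2
ip access-list extended R1-TO-R3
 permit ip 172.16.31.224 0.0.0.3 172.16.33.224 0.0.0.3
 permit ip host 10.10.10.1 host 10.10.10.3
!
! One crypto map entry (sequence number) per peer. Two "set peer" lines in a
! single entry make a failover list, not two tunnels.
crypto map TST 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set TSET
 match address R1-TO-R2
crypto map TST 20 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set TSET
 match address R1-TO-R3
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 crypto map TST
!
! ---------------------------------------------------------------------------
! Router2 -- the mirror image of Router1's R1-TO-R2 entry, plus its own
! entry toward Router3 (same ISAKMP policy and transform set as above).
crypto isakmp key <PSK-R1-R2-placeholder> address 10.10.10.1
crypto isakmp key <PSK-R2-R3-placeholder> address 10.10.10.3
!
ip access-list extended R2-TO-R1
 permit ip 172.16.32.224 0.0.0.3 172.16.31.224 0.0.0.3
 permit ip host 10.10.10.2 host 10.10.10.1
ip access-list extended R2-TO-R3
 permit ip 172.16.32.224 0.0.0.3 172.16.33.224 0.0.0.3
 permit ip host 10.10.10.2 host 10.10.10.3
!
crypto map TST 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set TSET
 match address R2-TO-R1
crypto map TST 20 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set TSET
 match address R2-TO-R3
!
interface GigabitEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 crypto map TST
```

After applying the mirrored configuration on all three routers, `show crypto isakmp sa` should list one active IKE SA per peer and `show crypto ipsec sa` should show, for each crypto map entry, local and remote identities that match the ACL pair above rather than `0.0.0.0/0.0.0.0`. If the `%CRYPTO-4-RECVD_PKT_INV_SPI` messages from the question persist, `clear crypto sa` on both ends of the affected pair forces fresh negotiation with the corrected selectors.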