I want to configure a site-to-site SSL VPN between two sites.
I initially set up an IPsec VPN between two Cisco routers, but found I was only getting 10% of the available bandwidth. For comparison, I set up a dedicated Linux box with the pfSense distribution and configured an IPsec VPN, and again found I was only getting 10% of the available bandwidth. I then tried OpenVPN/SSL VPN and found I was getting 90% of the available bandwidth.
Both routers run IOS 15.1(4)M12a; one is a 3825 and the other is an 1841. Both Cisco routers have ssl-vpn AIM cards for full hardware acceleration.
Overall site-to-site bandwidth is about 80/30 Mbit/sec.
Here is the configuration of router A (Cisco 1841):
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.151-4.M12a.bin
boot-end-marker
!
aaa new-model
!
aaa authorization exec default local
!
aaa session-id common
clock timezone EDT -5
ip cef
!
no ip bootp server
ip domain name xxxx
ip name-server x.x.x.x
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto pki token default removal timeout 0
!
ip tftp source-interface FastEthernet0/1
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key xxxx address x.x.x.a
crypto isakmp nat keepalive 20
!
crypto ipsec security-association lifetime kilobytes 2100000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set rtpset esp-aes
!
crypto map rtp 1 ipsec-isakmp
set peer x.x.x.a
set transform-set rtpset
match address aaa
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Tunnel1
no ip address
!
interface FastEthernet0/0
description WAN Interface
ip address x.x.x.b m.m.m.m
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address autoconfig
no cdp enable
crypto map rtp
!
interface FastEthernet0/1
description LAN Interface
ip address x.x.x.x m.m.m.m
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static tcp x.x.x.x 22 x.x.x.b 22 extendable
ip nat inside source static tcp x.x.x.x 25 x.x.x.b 25 extendable
ip nat inside source static tcp x.x.x.x 80 x.x.x.b 80 extendable
ip nat inside source static tcp x.x.x.x 443 x.x.x.b 443 extendable
!
ip access-list extended aaa
permit ip LOCALSUBNET LOCALNETMASK REMOTESUBNET REMOTENETMASK
!
access-list 111 deny ip LOCALSUBNET LOCALNETMASK REMOTESUBNET REMOTENETMASK
access-list 111 permit icmp any any
access-list 111 permit ip LOCALSUBNET LOCALNETMASK any
no cdp log mismatch duplex
!
route-map nonat permit 10
match ip address 111
!
control-plane
!
scheduler allocate 20000 1000
ntp clock-period 17178967
ntp server x.x.x.x
sntp server x.x.x.x
end
Here is the configuration of router B (Cisco 3825):
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot system flash flash:c3825-adventerprisek9-mz.151-4.M12a.bin
boot-end-marker
!
aaa new-model
!
aaa authorization exec default local
!
aaa session-id common
clock timezone EDT -5
no ip source-route
ip cef
!
no ip bootp server
ip domain name xxxx
ip name-server x.x.x.x
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
no dspfarm
!
crypto pki token default removal timeout 0
!
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/1.3
ip ssh version 2
ip scp server enable
!
class-map match-any xxxx-speed
match access-group name xxxx-speed-acl
!
policy-map qos
class xxxx-speed
shape average 1600000
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key xxxx address x.x.x.b
crypto isakmp nat keepalive 20
!
crypto ipsec security-association lifetime kilobytes 2100000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set rtpset esp-aes
!
crypto map rtp 1 ipsec-isakmp
set peer x.x.x.b
set transform-set rtpset
match address aaaanet
!
!
!
!
interface GigabitEthernet0/0
ip address INTERNETIP NETMASK secondary
ip address INTERNETIP NETMASK secondary
ip address INTERNETIP NETMASK secondary
ip address INTERNETIP NETMASK secondary
ip address INTERNETIP NETMASK secondary
ip address INTERNETIP NETMASK
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type rj45
crypto map rtp
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address LOCALIP LOCALMASK
ip access-group bbbb-firewall in
ip access-group cccc-firewall out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.3
description xxxx vlan
encapsulation dot1Q 3
ip address LOCALIP LOCALMASK
ip access-group bbbb-firewall in
ip access-group firewall out
ip nat inside
ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.a
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination LOCALIP 9995
!
no ip http server
no ip http secure-server
ip nat inside source list natlist interface GigabitEthernet0/0 overload
ip nat inside source static tcp x.x.x.x PORT x.x.x.a PORT extendable
ip nat inside source static tcp x.x.x.x PORT x.x.x.a PORT extendable
ip nat inside source static tcp x.x.x.x PORT x.x.x.a PORT extendable
ip nat inside source static x.x.x.x x.x.x.x no-payload
ip nat inside source static x.x.x.x x.x.x.x route-map ddddmap no-payload
ip nat inside source static x.x.x.x x.x.x.x route-map ddddmap no-payload
ip nat inside source static x.x.x.x x.x.x.x route-map ddddmap no-payload
ip nat inside source static x.x.x.x x.x.x.x route-map ddddmap no-payload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended xxxx-speed-acl
permit ip host LOCALIP any
permit ip host EXTERNALIP any
ip access-list extended firewall
permit ip REMOTENETWORK REMOTEMASK any
permit tcp any any established
permit udp any any eq ntp
permit icmp any any
permit tcp any any eq domain
permit tcp any eq domain any
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any range PORT PORT
permit udp any any range PORT PORT
permit udp any any gt PORT
permit gre any any
permit tcp any host LOCALIP eq 1720
permit tcp any host LOCALIP eq 22
permit tcp any host LOCALIP eq www
permit tcp any host LOCALIP eq smtp
permit tcp any host LOCALIP eq 465
permit tcp any host LOCALIP eq 993
permit tcp any host LOCALIP eq www
permit tcp any host LOCALIP eq ftp
permit tcp any host LOCALIP gt 19999
permit tcp any host LOCALIP eq smtp
permit tcp any host LOCALIP eq www
permit tcp any host LOCALIP eq 81
permit tcp any host LOCALIP eq pop3
permit tcp any host LOCALIP eq ident
permit tcp any host LOCALIP eq nntp
permit tcp any host LOCALIP eq 465
permit tcp any host LOCALIP eq 873
permit tcp any host LOCALIP eq 993
permit tcp any host LOCALIP eq 2401
permit tcp any host LOCALIP eq 243
permit tcp any host LOCALIP eq 1243
permit tcp any host LOCALIP eq 12435
permit tcp any host LOCALIP eq 22
permit tcp any host LOCALIP eq 22
permit tcp host LOCALIP host LOCALIP eq cmd
permit tcp host LOCALIP host LOCALIP eq cmd
permit udp host LOCALIP host LOCALIP eq syslog
permit udp host LOCALIP host LOCALIP eq syslog
deny ip any any
ip access-list extended firwall
ip access-list extended cccc-firewall
permit ip host LOCALIP REMOTENETWORK REMOTEMASK
permit tcp any any established
permit ip host IP any
permit tcp any host LOCALIP eq 65
permit icmp any any
permit tcp any host LOCALIP eq domain
permit udp any any eq domain
permit udp any eq domain any
permit udp any any eq ntp
permit tcp any host LOCALIP eq ftp
permit tcp any host LOCALIP eq smtp
permit tcp any host LOCALIP eq www
permit tcp any host LOCALIP eq ident
permit tcp any host LOCALIP eq 873
permit tcp any host LOCALIP eq 2401
permit tcp any host LOCALIP eq 9418
permit tcp any any range 8000 8999
deny ip any any
ip access-list extended aaaanet
permit ip LOCALNETWORK LOCALMASK REMOTENETWORK REMOTEMASK
ip access-list extended natlist
deny ip host LOCALIP any
deny ip LOCALNETWORK LOCALMASK REMOTENETWORK REMOTEMASK
deny ip LOCALNETWORK LOCALMASK REMOTENETWORK REMOTEMASK
permit ip any any
permit icmp any any
ip access-list extended nonat
deny ip LOCALNETWORK LOCALMASK REMOTENETWORK REMOTEMASK
permit ip LOCALNETWORK LOCALMASK any
ip access-list extended aaaa-firewall
permit tcp host LOCALIP any eq smtp
permit tcp host LOCALIP any eq smtp
permit ip any any
!
route-map aaaamap permit 10
match ip address nonat
!
control-plane
!
scheduler allocate 20000 1000
!
end
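The crypto settings shared by both configs above (ISAKMP policy 1 with `hash md5` and `group 5`, a transform set of `esp-aes` alone, and a crypto map with no `set pfs`) are worth a review pass independent of the throughput problem. The following is an added example, not code from the question or from Cisco: a small Python audit that parses the posted crypto section (router A's lines, with the question's own redaction placeholders kept) and reports what a reviewer would flag, next to a hardened variant of the same section that passes clean. The hardened values (`hash sha256`, `group 14`, `esp-sha256-hmac`, `set pfs group14`) are assumed to be supported on this IOS train; check them against your image before applying. It does not attempt to explain the 10% vs 90% bandwidth difference.

```python
"""Audit the IKEv1/IPsec crypto settings in a Cisco IOS running-config excerpt.

Added example for the configs posted above; not part of the original question.
"""
from typing import Dict, List

# Constructed excerpt of router A's crypto section, copied from the question.
# Placeholders such as x.x.x.a and LOCALSUBNET are the question's own redactions.
ROUTER_A_CRYPTO = """\
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key xxxx address x.x.x.a
!
crypto ipsec transform-set rtpset esp-aes
!
crypto map rtp 1 ipsec-isakmp
 set peer x.x.x.a
 set transform-set rtpset
 match address aaa
"""

# Constructed hardened variant of the same section (assumed syntax, see lead-in).
HARDENED_CRYPTO = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha256-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer x.x.x.a
 set pfs group14
 set transform-set rtpset
 match address aaa
"""

WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP groups of 1536 bits or less
WEAK_HASHES = {"md5", "sha"}              # in IOS, plain "sha" means SHA-1
ESP_AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac",
                       "esp-sha384-hmac", "esp-sha512-hmac"}
# Sub-commands that belong to the preceding header even if indentation was lost
# (the question's paste has none), as happens with copy-pasted configs.
CHILD_KEYWORDS = {"encr", "encryption", "hash", "authentication", "group",
                  "lifetime", "set", "match", "mode"}


def parse_sections(cfg: str) -> List[Dict]:
    """Split an IOS config into {header, children} blocks; '!' ends a block."""
    sections: List[Dict] = []
    current = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None
            continue
        first = line.split()[0]
        if current is not None and (raw.startswith(" ") or first in CHILD_KEYWORDS):
            current["children"].append(line.strip())
        else:
            current = {"header": line.strip(), "children": []}
            sections.append(current)
    return sections


def audit_crypto(cfg: str) -> List[str]:
    """Return one finding string per weak or missing crypto setting."""
    findings: List[str] = []
    for sec in parse_sections(cfg):
        hdr = sec["header"].split()
        if hdr[:3] == ["crypto", "isakmp", "policy"]:
            name = f"isakmp policy {hdr[3]}"
            for child in sec["children"]:
                w = child.split()
                if w[0] == "hash" and w[1] in WEAK_HASHES:
                    findings.append(f"{name}: hash {w[1]} is weak; use sha256 or stronger")
                if w[0] == "group" and w[1] in WEAK_DH_GROUPS:
                    findings.append(f"{name}: DH group {w[1]} is too small; use group 14 or an ECDH group")
        elif hdr[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms = set(hdr[4:])
            has_integrity = bool(transforms & ESP_AUTH_TRANSFORMS) or \
                any("gcm" in t or "gmac" in t for t in transforms)
            if not has_integrity:
                findings.append(f"transform-set {hdr[3]}: ESP has encryption only, no integrity "
                                f"transform; add esp-sha256-hmac or use an AEAD transform")
        elif hdr[:2] == ["crypto", "map"] and "ipsec-isakmp" in hdr:
            name = f"crypto map {hdr[2]} {hdr[3]}"
            if not any(c.startswith("set pfs") for c in sec["children"]):
                findings.append(f"{name}: no 'set pfs'; IPsec SA keys are not forward-secret")
            if not any(c.startswith("set transform-set") for c in sec["children"]):
                findings.append(f"{name}: no transform-set bound")
    return findings


if __name__ == "__main__":
    for label, cfg in (("router A as posted", ROUTER_A_CRYPTO), ("hardened", HARDENED_CRYPTO)):
        print(f"== {label} ==")
        for f in audit_crypto(cfg) or ["no findings"]:
            print(" -", f)
```

Run it as a script to see four findings for the posted section and none for the hardened one; to audit a full `show running-config`, pass the whole text to `audit_crypto`, since the parser simply ignores sections it does not recognise.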