欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

DMVPN Spoke穿越PAT测试

程序员文章站 2022-03-06 12:12:44
...

一.测试拓扑:

备注:因为51cto会屏蔽VPN关键字,所以把51cto原创的一些博文移到这边。

DMVPN Spoke穿越PAT测试
            
    
    博客分类: VPN ciscoVPN网络协议 

二.测试目的:

A.理解DMVPN的阶段二和阶段三

B.验证两种方式穿越PAT的不同

三.基本配置:
A.Hub:
interface Loopback0
ip address 192.168.100.1 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.100 255.255.255.0
no shut
B.Branch1:
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
interface FastEthernet0/1
ip address 10.1.1.10 255.255.255.0
no shut
C.Branch2:
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 10.1.1.10 255.255.255.0
no shut
D:Spoke1:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
E:Spoke2:
interface Loopback0
ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
三.动态PAT配置:
A.PAT配置:
ip access-list extended pat
permit ip any any
int f0/0
ip nat outside
int f0/1
ip nat inside
ip nat inside source list pat interface f0/0 overload
B.测试:
Spoke1#ping 202.100.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/89/152 ms
Spoke2#ping 202.100.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/119/280 ms
四.DMVPN阶段二配置:
A.mGRE和NHRP配置:
①.Hub:

interface Tunnel0
ip address 172.16.1.100 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
ip nhrp network-id 10
ip nhrp authentication cisco
ip nhrp map multicast dynamic
②.Spoke1:
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
ip nhrp network-id 10
ip nhrp authentication cisco
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp nhs 172.16.1.100
③.Spoke2:
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
ip nhrp network-id 10
ip nhrp authentication cisco
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp nhs 172.16.1.100
B.验证NHRP注册:
①Hub#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:03:34, expire 01:56:25
 Type: dynamic, Flags: unique registered
 NBMA address: 202.100.1.1
   (Claimed NBMA address: 10.1.1.1)
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:00:46, expire 01:59:13
 Type: dynamic, Flags: unique registered
 NBMA address: 202.100.1.2
   (Claimed NBMA address: 10.1.1.1)
②Spoke1#show ip nhrp
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:04:16, never expire
 Type: static, Flags: used
 NBMA address: 202.100.1.100
③Spoke2#show ip  nhrp
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:02:11, never expire
 Type: static, Flags: used
 NBMA address: 202.100.1.100
C.验证mGRE:
①Spoke1#ping 172.16.1.100 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
②Spoke2#ping 172.16.1.100 source 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.2
!!!!!
③Spoke1#ping 172.16.1.2 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Spoke1#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:00:04, expire 01:59:55
 Type: dynamic, Flags: router unique local
 NBMA address: 10.1.1.1
   (no-socket)
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:00:05, expire 01:59:56
 Type: dynamic, Flags: router
 NBMA address: 202.100.1.2
   (Claimed NBMA address: 10.1.1.1)
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:07:54, never expire
 Type: static, Flags: used
 NBMA address: 202.100.1.100
Spoke2#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:01:04, expire 01:58:54
 Type: dynamic, Flags: router
 NBMA address: 202.100.1.1
   (Claimed NBMA address: 10.1.1.1)
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:01:04, expire 01:58:57
 Type: dynamic, Flags: router unique local
 NBMA address: 10.1.1.1
   (no-socket)
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:06:25, never expire
 Type: static, Flags: used
 NBMA address: 202.100.1.10
D.动态路由配置及优化:
①Hub:

router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
int tun 0
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
②Spoke1:
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
③Spoke2:
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
④验证:
Hub#show ip route eigrp
D    192.168.1.0/24 [90/297372416] via 172.16.1.1, 00:01:39, Tunnel0
D    192.168.2.0/24 [90/297372416] via 172.16.1.2, 00:00:10, Tunnel0
Spoke1#show ip route eigrp
D    192.168.2.0/24 [90/310172416] via 172.16.1.2, 00:00:52, Tunnel0
D    192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:02:27, Tunnel0
Spoke2#show ip route eigrp
D    192.168.1.0/24 [90/310172416] via 172.16.1.1, 00:01:25, Tunnel0
D    192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:01:25, Tunnel0
E.IPSEC 配置:
①配置:

crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set transet esp-des esp-md5-hmac
mode transport
crypto ipsec profile ipsecprofile
set transform-set transet
int tun 0
ip mtu 1400
tunnel protection ipsec profile ipsecprofile
②验证:
Hub#show crypto engine conn active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+MD5                   0       17 202.100.1.100
   2 Fa0/0      IPsec DES+MD5                  20        0 202.100.1.100
   3 Fa0/0      IPsec DES+MD5                   0       17 202.100.1.100
   4 Fa0/0      IPsec DES+MD5                  18        0 202.100.1.100
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.100
1002 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.100
Spoke1#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Tu0        IPsec DES+MD5                   0       25 10.1.1.1
   2 Tu0        IPsec DES+MD5                  22        0 10.1.1.1
1001 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
Spoke2#show crypto engine conn active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Tu0        IPsec DES+MD5                   0       29 10.1.1.1
   2 Tu0        IPsec DES+MD5                  28        0 10.1.1.1
1001 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
-----------spoke之间没有加密流量----------------------------------
Spoke1#ping 192.168.2.1 source 192.168.1.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 188/253/520 ms
Spoke1#show crypto engine connections active        
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Tu0        IPsec DES+MD5                   0      154 10.1.1.1
   2 Tu0        IPsec DES+MD5                 150        0 10.1.1.1
1001 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
-----------spoke之间仍然没有加密流量,都走的是hub做中转-----------------
四.DMVPN阶段三配置:
主要配置与阶段二相同,主要不同点:
①NHRP优化:

HUB:
int tun 0
 ip nhrp redirect
Spoke:
int tun 0
 ip nhrp shortcut
②hub发布汇总路由,取消印制水平分割和下一跳:
HUB:
int tun 0
ip summary-address eigrp 100 192.168.0.0 255.255.0.0
ip split-horizon eigrp 100
ip next-hop-self eigrp 100
③验证路由汇总:
Spoke1#show ip route eigrp
D    192.168.0.0/16 [90/297372416] via 172.16.1.100, 00:00:47, Tunnel0
Spoke2#show ip route eigrp
D    192.168.0.0/16 [90/297372416] via 172.16.1.100, 00:01:08, Tunnel0
④isakmp sa验证:
Hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   202.100.1.1     QM_IDLE           1007    0 ACTIVE
202.100.1.100   202.100.1.2     QM_IDLE           1008    0 ACTIVE
Spoke1#show crypto is
Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE           1004    0 ACTIVE
Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE           1004    0 ACTIVE
------------spoke之间没有建立isakmp sa--------------------------
Spoke1#ping 192.168.2.1 source 192.168.1.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 180/252/552 ms
Spoke1#show crypto isakmp sa                        
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.2     10.1.1.1        MM_NO_STATE          0    0 ACTIVE (deleted)
202.100.1.100   10.1.1.1        QM_IDLE           1004    0 ACTIVE

Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE           1004    0 ACTIVE
202.100.1.1     10.1.1.1        MM_NO_STATE          0    0 ACTIVE
------------spoke之间main mode没有协商成功-----------------------
④Branch1更改动态PAT为静态PAT:
Branch1:
ip nat inside source list pat interface FastEthernet0/0 overload
ip nat inside source static udp
10.1.1.1 500 interface FastEthernet0/0 500
ip nat inside source static udp 10.1.1.1 4500 interface FastEthernet0/0 4500

关闭所有tunnel接口,并重新开启,由spoke1作为发起方:
发起之前:
Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE          0    0 ACTIVE
发起流量:
Spoke1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.2     10.1.1.1        MM_NO_STATE          0    0 ACTIVE
202.100.1.100   10.1.1.1        QM_IDLE           1009    0 ACTIVE
10.1.1.1        202.100.1.2     QM_IDLE           1010    0 ACTIV
Spoke1#show crypto engine conn active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
  15 Tu0        IPsec DES+MD5                   0       43 10.1.1.1
  16 Tu0        IPsec DES+MD5                  42        0 10.1.1.1
  17 Fa0/0      IPsec DES+MD5                   0        2 10.1.1.1
  18 Fa0/0      IPsec DES+MD5                   1        0 10.1.1.1
1009 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
1010 Fa0/0      IKE   SHA+DES                   0        0 10.1.1.1
Spoke1#ping 192.168.2.1 source 192.168.1.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 140/191/260 ms
Spoke1#show crypto engine conn active                
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
  15 Tu0        IPsec DES+MD5                   0       54 10.1.1.1
  16 Tu0        IPsec DES+MD5                  53        0 10.1.1.1
  17 Fa0/0      IPsec DES+MD5                   0      102 10.1.1.1
  18 Fa0/0      IPsec DES+MD5                 101        0 10.1.1.1
1009 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
1010 Fa0/0      IKE   SHA+DES                   0        0 10.1.1.1
Spoke2#show crypto ipsec sa

interface: Tunnel0
   Crypto map tag: Tunnel0-head-0, local addr 10.1.1.1

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
  current_peer 202.100.1.1 port 4500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 102, #pkts encrypt: 102, #pkts digest: 102
   #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
---------前面的几个包有中心代转,后面是spoke之间直接通讯-----------

关闭所有tunnel接口,并重新开启,由spoke2作为发起方:
发起之前:
Spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE           1010    0 ACTIVE
发起流量:
Spoke2#ping 192.168.1.1 sou
Spoke2#ping 192.168.1.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 204/368/464 ms
Spoke2#show crypto isakmp sa              
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE           1010    0 ACTIVE
202.100.1.1     10.1.1.1        QM_IDLE           1011    0 ACTIVE
Spoke2#show crypto engine conn act
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
  19 Tu0        IPsec DES+MD5                   0       56 10.1.1.1
  20 Tu0        IPsec DES+MD5                  58        0 10.1.1.1
  21 Tu0        IPsec DES+MD5                   0        1 10.1.1.1
  22 Tu0        IPsec DES+MD5                   1        0 10.1.1.1
1010 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
1011 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
Spoke2#show crypto engine conn act                  
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
  19 Tu0        IPsec DES+MD5                   0       65 10.1.1.1
  20 Tu0        IPsec DES+MD5                  67        0 10.1.1.1
  21 Tu0        IPsec DES+MD5                   0      101 10.1.1.1
  22 Tu0        IPsec DES+MD5                 101        0 10.1.1.1
1010 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
1011 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
Spoke2#show crypto ipsec sa

interface: Tunnel0
   Crypto map tag: Tunnel0-head-0, local addr 10.1.1.1

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
  current_peer 202.100.1.1 port 4500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101
   #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
---------前面的几个包有中心代转,后面是spoke之间直接通讯-----------
⑤保留静态PAT,恢复成阶段二进行测试:
Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   10.1.1.1        QM_IDLE           1013    0 ACTIVE
Spoke1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!.!
Success rate is 80 percent (4/5), round-trip min/avg/max = 180/421/624 ms
抓包看到有spoke2首先发起IPSEC连接:

DMVPN Spoke穿越PAT测试
            
    
    博客分类: VPN ciscoVPN网络协议 

Spoke1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.2     10.1.1.1        MM_NO_STATE          0    0 ACTIVE
202.100.1.100   10.1.1.1        QM_IDLE           1013    0 ACTIVE
10.1.1.1        202.100.1.2     QM_IDLE           1014    0 ACTIVE
Spoke1#show crypto engine conn act
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
  23 Tu0        IPsec DES+MD5                   0       48 10.1.1.1
  24 Tu0        IPsec DES+MD5                  45        0 10.1.1.1
  25 Fa0/0      IPsec DES+MD5                   0        3 10.1.1.1
  26 Fa0/0      IPsec DES+MD5                   2        0 10.1.1.1
1013 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
1014 Fa0/0      IKE   SHA+DES                   0        0 10.1.1.1
Spoke1#ping 192.168.2.1 source 192.168.1.1  repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 144/194/276 ms
Spoke1#ping 192.168.2.1 source 192.168.1.1  repeat 100
Spoke1#show crypto engine conn act                    
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
  23 Tu0        IPsec DES+MD5                   0       62 10.1.1.1
  24 Tu0        IPsec DES+MD5                  59        0 10.1.1.1
  25 Fa0/0      IPsec DES+MD5                   0      103 10.1.1.1
  26 Fa0/0      IPsec DES+MD5                 102        0 10.1.1.1
1013 Tu0        IKE   SHA+DES                   0        0 10.1.1.1
1014 Fa0/0      IKE   SHA+DES                   0        0 10.1.1.1
Spoke1#show crypto ipsec sa

interface: Tunnel0
   Crypto map tag: Tunnel0-head-0, local addr 10.1.1.1

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (202.100.1.2/255.255.255.255/47/0)
  current_peer 202.100.1.2 port 4500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 102, #pkts encrypt: 102, #pkts digest: 102
   #pkts decaps: 103, #pkts decrypt: 103, #pkts verify: 103
五.总结:
A.当spoke都位于动态PAT设备后面,spoke之间的通讯流量都由中心代转
B.当某个spoke位于静态PAT设备后面,它能跟其他动态PAT后面的spoke直接通讯,而不管发起发是哪个
C.以上对DMVPN第二阶段和第三阶段都适用

D.测试的IOS为:
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)