Cisco IOS IPsec Configuration Series (4) – Reverse Route Injection Configuration

IPsec configured with a crypto map protects unicast traffic only, so routing-protocol packets (which are multicast) cannot cross the tunnel and dynamic routing between the peers is not available. In a large deployment that means every protected remote network would otherwise need a manually configured route. Reverse Route Injection (RRI) reduces that burden: the router derives a static route for each remote network in the crypto ACL, with the IPsec peer as next hop, and installs it in its own routing table automatically. The lab topology is as follows (diagram not reproduced; as the configurations below show, R1 is the hub at 1.1.1.1 and R2 at 1.1.1.2 and R3 at 1.1.1.3 are spokes, all on the shared 1.1.1.0/24 segment, each with a loopback standing in for its LAN):

In this topology R1, the hub, automatically injects routes for the networks behind spokes R2 and R3 into its routing table, which in a large deployment removes the need to configure a route per spoke by hand. The injected routes are ordinary static routes, so the hub can redistribute them into its IGP (redistribute static under the routing process) to make the spoke networks reachable from the rest of the site. One caveat for the dynamic-crypto-map variant of this design: there the injected route is taken from the proxy identity the remote peer proposes during IKE negotiation, so the hub's crypto ACL must restrict which prefixes an authenticated spoke can cause to be installed. The static crypto maps used below derive the routes from the hub's own ACLs.

R1 configuration:

interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
ip access-list extended R1_to_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended R1_to_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
! 
crypto isakmp key CISCO1 address 1.1.1.2
!
crypto isakmp key CISCO2 address 1.1.1.3
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set VPN_TS
 match address R1_to_R2
 reverse-route static
!
crypto map VPN_CMAP 200 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set VPN_TS
 match address R1_to_R3
 reverse-route static
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map VPN_CMAP

Note the reverse-route static command in each crypto map entry. The static keyword makes IOS create the route from the crypto ACL as soon as the crypto map is applied, whether or not the IPsec SA is up; with plain reverse-route the route is installed only when the SA comes up and removed when it is torn down. The pre-shared keys CISCO1 and CISCO2 and DH group 5 are lab values; in production use long random keys (or certificates) and a stronger DH group such as 14 or higher.

R2 configuration:

interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
ip access-list extended R2_to_R1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key CISCO1 address 1.1.1.1
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN_TS
 match address R2_to_R1
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map VPN_CMAP
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1

R3 configuration:

interface Loopback0
 ip address 192.168.30.1 255.255.255.0
!
ip access-list extended R3_to_R1
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key CISCO2 address 1.1.1.1
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN_TS
 match address R3_to_R1
!
interface Ethernet0/0
 ip address 1.1.1.3 255.255.255.0
 crypto map VPN_CMAP
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1

R2 and R3 use a single default route, modelling the usual case in which a spoke sends all of its traffic to the hub; because that default already covers the hub's networks, the spokes do not need RRI themselves.

Once the configuration is active (with plain reverse-route this would additionally require the IPsec SAs to be up), R1's routing table contains two automatically injected static routes, one for each spoke's loopback network:

R1#sh ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

S     192.168.20.0/24 [1/0] via 1.1.1.2
S     192.168.30.0/24 [1/0] via 1.1.1.3

Going one step further, show crypto route confirms that these routes were created by RRI (in its legend, S marks a route derived from a static crypto map ACL):

R1#sh crypto route

VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
192.168.20.0/255.255.255.0 [1/0] via 1.1.1.2 tag 0 count 2 rtid 1
                                on Ethernet0/0 RRI  S
192.168.30.0/255.255.255.0 [1/0] via 1.1.1.3 tag 0 count 1 rtid 2
                                on Ethernet0/0 RRI
R1#
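The two show commands above are the manual check. The following Python script is an added example (not from the original post) that automates it: it parses the hub's crypto ACLs and crypto map entries together with the show ip route static output, both constructed here from the article's R1 configuration, and reports injected routes that no crypto ACL destination justifies as well as expected routes that are absent. The extra 10.0.0.0/8 route in the sample output is constructed to show what an unjustified injection looks like; the assumption that every configured set peer is an acceptable next hop for that entry's ACL destinations is the script's own.

```python
"""Cross-check RRI-injected static routes against a Cisco IOS crypto map.
Added example, not from the original post; inputs are constructed from the article's R1 config."""
import ipaddress
import re
# Constructed from the hub (R1) configuration shown in the article.
R1_CONFIG = """\
ip access-list extended R1_to_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended R1_to_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.2
 match address R1_to_R2
 reverse-route static
crypto map VPN_CMAP 200 ipsec-isakmp
 set peer 1.1.1.3
 match address R1_to_R3
 reverse-route static
"""
# Constructed 'show ip route static' output: the two routes from the article
# plus a deliberate extra (10.0.0.0/8) that no crypto ACL justifies.
SHOW_IP_ROUTE_STATIC = """\
S     192.168.20.0/24 [1/0] via 1.1.1.2
S     192.168.30.0/24 [1/0] via 1.1.1.3
S     10.0.0.0/8 [1/0] via 1.1.1.2
"""


def _acl_address(tokens):
    """Consume one ACL address spec (host A | any | A WILDCARD); return (network, rest)."""
    if tokens[0] == "host":
        return str(ipaddress.ip_network(tokens[1])), tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    addr, wildcard = tokens[0], int(ipaddress.ip_address(tokens[1]))
    if wildcard & (wildcard + 1):  # e.g. 0.0.255.0: not a contiguous mask, not a route
        raise ValueError(f"non-contiguous wildcard {tokens[1]}")
    prefixlen = 32 - bin(wildcard).count("1")
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)), tokens[2:]


def _blocks(config_text):
    """Yield (header line, [stripped indented lines]) per top-level IOS config block."""
    header, body = None, []
    for line in config_text.splitlines() + ["!"]:  # sentinel flushes the last block
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line, []


def parse_acl_destinations(config_text):
    """Map ACL name -> destination networks of its permit entries (RRI uses the destination side)."""
    acls = {}
    for header, body in _blocks(config_text):
        m = re.match(r"ip access-list extended (\S+)", header)
        if not m:
            continue
        acls[m.group(1)] = []
        for entry in body:
            e = re.match(r"(?:\d+\s+)?permit ip (.+)", entry)
            if e:
                _src, rest = _acl_address(e.group(1).split())
                acls[m.group(1)].append(_acl_address(rest)[0])
    return acls


def expected_rri_routes(config_text):
    """{(network, peer)} that RRI should install for each crypto map entry with reverse-route.
    Assumption: every configured peer is an acceptable next hop for that entry's ACL."""
    acls, expected = parse_acl_destinations(config_text), set()
    for header, body in _blocks(config_text):
        if not re.match(r"crypto map \S+ \d+ ipsec-isakmp", header):
            continue
        peers = [ln.split()[2] for ln in body if ln.startswith("set peer ")]
        acl = next((ln.split()[2] for ln in body if ln.startswith("match address ")), None)
        if any(ln.startswith("reverse-route") for ln in body):
            for peer in peers:
                for dst in acls.get(acl, []):
                    expected.add((dst, str(ipaddress.ip_address(peer))))
    return expected


def parse_static_routes(show_output):
    """{(network, next hop)} parsed from 'show ip route static' output."""
    pattern = r"^S\*?\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+)"
    return {(str(ipaddress.ip_network(m.group(1))), str(ipaddress.ip_address(m.group(2))))
            for m in re.finditer(pattern, show_output, re.M)}


def check_rri(config_text, show_output):
    """unexpected: routes via a VPN peer that match no crypto ACL destination (on a hub with
    dynamic crypto maps, a spoke proposing a bogus proxy identity shows up here);
    missing: ACL destinations with no route (with plain reverse-route: that SA is not up)."""
    expected = expected_rri_routes(config_text)
    peers = {peer for _net, peer in expected}
    actual = parse_static_routes(show_output)
    via_peer = {route for route in actual if route[1] in peers}
    return {"expected": expected, "unexpected": via_peer - expected, "missing": expected - actual}


if __name__ == "__main__":
    for kind, routes in check_rri(R1_CONFIG, SHOW_IP_ROUTE_STATIC).items():
        print(kind, sorted(routes))
```

Run as a script it prints the three sets; in practice you would feed it the real running-config and show output collected from the hub in place of the constructed strings, and alert on a non-empty unexpected set. A non-empty missing set is only a fault when the static keyword is in use, since with plain reverse-route it just means the SA to that spoke is down.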
