IPsec configured with crypto maps cannot carry multicast traffic across the tunnel, which means dynamic routing protocols (OSPF, EIGRP and the like) cannot run over it. This limits the method in large-scale deployments. To reduce the inconvenience of not having dynamic routing, we can use Reverse Route Injection (RRI) to have the IPsec endpoint inject routes to its peers' protected networks automatically. The lab topology is as follows:
In this topology R1 acts as the hub and automatically injects routes for the spokes R2 and R3 into its own routing table, which reduces the manual route configuration needed in a comparable large-scale deployment.
R1's configuration:
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
ip access-list extended R1_to_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended R1_to_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key CISCO1 address 1.1.1.2
!
crypto isakmp key CISCO2 address 1.1.1.3
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set VPN_TS
 match address R1_to_R2
 reverse-route static
!
crypto map VPN_CMAP 200 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set VPN_TS
 match address R1_to_R3
 reverse-route static
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map VPN_CMAP
Note that each crypto map entry carries the reverse-route static command. RRI derives the injected route from the destination addresses of the entry's crypto ACL (match address) and points it at the entry's peer (set peer); with the static keyword the route is created from the ACL as soon as the crypto map is applied and stays in the table whether or not the IPsec SA is active, whereas plain reverse-route ties the route's presence to the SA. The pre-shared keys (CISCO1, CISCO2) and Diffie-Hellman group 5 are lab values only; a production deployment would use strong unique keys and DH group 14 or higher.
R2's configuration:
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
ip access-list extended R2_to_R1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key CISCO1 address 1.1.1.1
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN_TS
 match address R2_to_R1
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map VPN_CMAP
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
R3's configuration:
interface Loopback0
 ip address 192.168.30.1 255.255.255.0
!
ip access-list extended R3_to_R1
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key CISCO2 address 1.1.1.1
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN_TS
 match address R3_to_R1
!
interface Ethernet0/0
 ip address 1.1.1.3 255.255.255.0
 crypto map VPN_CMAP
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
R2 and R3 each use a single default route, which simulates the usual case where a spoke sends all of its traffic towards the hub.
Once the crypto map is applied and the IPsec tunnels come up, R1's routing table shows two automatically injected static routes, one for R2's loopback network and one for R3's, each pointing at the corresponding spoke's peer address:
R1#sh ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
S 192.168.20.0/24 [1/0] via 1.1.1.2
S 192.168.30.0/24 [1/0] via 1.1.1.3
We can further confirm that these routes were injected by RRI rather than configured by hand:
R1#sh crypto route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
192.168.20.0/255.255.255.0 [1/0] via 1.1.1.2 tag 0 count 2 rtid 1
on Ethernet0/0 RRI S
192.168.30.0/255.255.255.0 [1/0] via 1.1.1.3 tag 0 count 1 rtid 2
on Ethernet0/0 RRI
R1#
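As an added example (not code from the original post), the following Python script performs the same consistency check the two show commands above let us do by eye, but mechanically: it parses the crypto ACLs and crypto map entries from R1's configuration, derives the routes RRI is expected to inject (each destination prefix of an entry's crypto ACL via that entry's peer), and compares them with the routes listed by show ip route static. The configuration and routing-table text are constructed from the listings on this page; the function names are my own. It understands only permit ip A wildcard B wildcard ACL lines, which is all this lab uses. The point of the check is that a spoke prefix whose route is missing or points at the wrong next hop is traffic that is either dropped or forwarded along a path the crypto map may not cover.

```python
import ipaddress
import re

# Constructed from R1's configuration on this page (lab addresses, not a live device).
R1_CONFIG = """\
ip access-list extended R1_to_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended R1_to_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto map VPN_CMAP 100 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set VPN_TS
 match address R1_to_R2
 reverse-route static
crypto map VPN_CMAP 200 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set VPN_TS
 match address R1_to_R3
 reverse-route static
"""

# Constructed from the 'show ip route static' output on this page.
R1_STATIC_ROUTES = """\
S     192.168.20.0/24 [1/0] via 1.1.1.2
S     192.168.30.0/24 [1/0] via 1.1.1.3
"""

def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> ip_network (non-contiguous wildcards are rejected)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_config(text):
    """Return ({acl_name: [(local_net, remote_net), ...]}, [crypto map entry dicts]).
    Only 'permit ip A wc B wc' ACL lines are understood; sub-mode commands are
    recognised by their leading space, as in IOS 'show running-config' output."""
    acls, entries, ctx = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # top-level command: ends the previous sub-mode
            ctx = None
            if m := re.match(r"ip access-list extended (\S+)$", line):
                ctx = acls.setdefault(m[1], [])
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
                ctx = {"seq": int(m[2]), "peer": None, "acl": None, "rri": None}
                entries.append(ctx)
        elif isinstance(ctx, list):          # inside an ACL
            if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line):
                ctx.append((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
        elif isinstance(ctx, dict):          # inside a crypto map entry
            if line.startswith("set peer "):
                ctx["peer"] = line.split()[2]
            elif line.startswith("match address "):
                ctx["acl"] = line.split()[2]
            elif line.startswith("reverse-route"):
                ctx["rri"] = line.split()[1:]   # [] for plain 'reverse-route', ['static'] here
    return acls, entries

def expected_rri_routes(acls, entries):
    """Routes RRI should inject: each remote prefix of the entry's crypto ACL via that entry's peer."""
    routes = {}
    for e in entries:
        if e["rri"] is not None and e["peer"] and e["acl"] in acls:
            for _local, remote in acls[e["acl"]]:
                routes[remote] = e["peer"]
    return routes

def parse_static_routes(text):
    """Parse 'S  prefix [AD/metric] via next-hop' lines from 'show ip route static'."""
    routes = {}
    for line in text.splitlines():
        if m := re.match(r"S\s+(\S+) \[\d+/\d+\] via (\S+)", line.strip()):
            routes[ipaddress.ip_network(m[1])] = m[2]
    return routes

def audit_rri(config_text, route_text):
    """Compare what RRI should have injected with the routing table; [] means consistent.
    MISSING: no route to that spoke prefix. WRONG-NEXTHOP: forwarding path and crypto map
    peer disagree. UNEXPECTED: a static route that no reverse-route entry accounts for."""
    acls, entries = parse_config(config_text)
    expected = expected_rri_routes(acls, entries)
    actual = parse_static_routes(route_text)
    findings = []
    for prefix, peer in sorted(expected.items()):
        got = actual.get(prefix)
        if got is None:
            findings.append(f"MISSING {prefix}: no static route, RRI did not inject it for peer {peer}")
        elif got != peer:
            findings.append(f"WRONG-NEXTHOP {prefix}: via {got}, crypto map peer is {peer}")
    for prefix in sorted(actual.keys() - expected.keys()):
        findings.append(f"UNEXPECTED {prefix}: static route not backed by any reverse-route entry")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_rri(R1_CONFIG, R1_STATIC_ROUTES) or ["OK: RRI routes match the crypto map"]))
```

On the configuration and routing table shown on this page the audit returns no findings. Feeding it the same configuration with a spoke route removed, or pointed at an address that is not the crypto map peer, produces a MISSING or WRONG-NEXTHOP line for that prefix, which is the condition you would want an alert on when RRI is the only thing keeping hub-side routing in step with the VPN.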