Site-to-Site IPsec VPN
一、Site-to-Site lab requirements & topology
Lab requirements: the Shanghai and Beijing sites are built as shown in the topology. Today all inter-site traffic crosses the DCI link. To offload the DCI, traffic between Shanghai VLAN 411 and Beijing VLAN 511 must traverse an IPsec VPN tunnel over the ISP, while traffic between Shanghai VLAN 412 and Beijing VLAN 512 keeps using the DCI. The DCI is a Layer 3 link, and routes across it are exchanged with OSPF.
Lab steps (reference):
Bring up routing
Build & test the IPsec VPN
Traffic steering
Lab images:
二、Lab approach and procedure
1、Planning
The core switches exchange internal routes via OSPF, so the routes are advertised under the SVIs; for external reachability each core switch uses a static default route pointing at its firewall. Each firewall carries specific static routes for the internal subnets pointing back to the core switch, and its own default route points at the ISP.
1) Lab node naming
Internal device naming convention: region[city-district]-device type-data center ID-rack ID|device ID
2) Lab interconnection table
3) Lab IP plan
See the topology diagram
4) Lab VLAN plan
5) Base configuration scripts and tests
ISP#
hostname ISP
interface GigabitEthernet0/0
description To_SHZJ-FW55-201A-A101_G0/1
ip address 20.1.1.1 255.255.255.252
interface GigabitEthernet0/1
description To_BJCY-FW55-101A-A101
ip address 30.1.1.1 255.255.255.252
SHZJ-FW55-201A-A101#
hostname SHZJ-FW55-201A-A101
interface GigabitEthernet0/0
description To_SHZJ-SW93-201A-B101_E1/1
nameif Inside
security-level 100
ip address 192.165.1.1 255.255.255.252
interface GigabitEthernet0/1
description To_ISP_G0/0
nameif Outside
security-level 0
ip address 20.1.1.2 255.255.255.252
BJCY-FW55-101A-A101#
hostname BJCY-FW55-101A-A101
interface GigabitEthernet0/0
description To_BJCY-SW93-101A-B101_E1/1
nameif Inside
security-level 100
ip address 192.165.2.1 255.255.255.252
!
interface GigabitEthernet0/1
description To_ISP_G0/1
nameif Outside
security-level 0
ip address 30.1.1.2 255.255.255.252
SHZJ-SW93-201A-B101#
hostname SHZJ-SW93-201A-B101
feature interface-vlan
vlan 411-412
vlan 411
name 165.4.11.0/24
vlan 412
name 165.4.12.0/24
interface Vlan411
no shutdown
ip address 165.4.11.254/24
interface Vlan412
no shutdown
ip address 165.4.12.254/24
interface Ethernet1/1
description To_SHZJ-FW55-201A-A101_G0/0
no switchport
ip address 192.165.1.2/30
no shutdown
interface Ethernet1/2
description To_BJCY-SW93-101A-B101_E1/2
no switchport
ip address 192.165.3.1/30
no shutdown
interface Ethernet1/3
switchport mode trunk
interface loopback0
ip address 172.1.1.1/32
BJCY-SW93-101A-B101#
hostname BJCY-SW93-101A-B101
feature interface-vlan
vlan 511-512
vlan 511
name 165.5.11.0/24
vlan 512
name 165.5.12.0/24
interface Vlan511
no shutdown
ip address 165.5.11.254/24
interface Vlan512
no shutdown
ip address 165.5.12.254/24
interface Ethernet1/1
description To_BJCY-FW55-101A-A101_G0/0
no switchport
ip address 192.165.2.2/30
no shutdown
interface Ethernet1/2
description To_SHZJ-SW93-201A-B101_E1/2
no switchport
ip address 192.165.3.2/30
no shutdown
interface Ethernet1/3
switchport mode trunk
interface loopback0
ip address 172.1.1.2/32
Connectivity test & interface check
2、Network-wide routing configuration scripts
SHZJ-FW55-201A-A101#
route Outside 0.0.0.0 0.0.0.0 20.1.1.1 1
route Inside 165.4.11.0 255.255.255.0 192.165.1.2 1
route Inside 165.4.12.0 255.255.255.0 192.165.1.2 1
SHZJ-SW93-201A-B101#
feature ospf
router ospf 100
router-id 172.1.1.1
interface Vlan411
ip router ospf 100 area 0.0.0.0
interface Vlan412
ip router ospf 100 area 0.0.0.0
interface Ethernet1/2
ip router ospf 100 area 0.0.0.0
ip ospf network point-to-point
interface loopback0
ip router ospf 100 area 0.0.0.0
ip route 0.0.0.0/0 192.165.1.1
BJCY-FW55-101A-A101#
route Outside 0.0.0.0 0.0.0.0 30.1.1.1 1
route Inside 165.5.11.0 255.255.255.0 192.165.2.2 1
route Inside 165.5.12.0 255.255.255.0 192.165.2.2 1
BJCY-SW93-101A-B101#
feature ospf
router ospf 100
router-id 172.1.1.2
interface Vlan511
ip router ospf 100 area 0.0.0.0
interface Vlan512
ip router ospf 100 area 0.0.0.0
interface Ethernet1/2
ip router ospf 100 area 0.0.0.0
ip ospf network point-to-point
interface loopback0
ip router ospf 100 area 0.0.0.0
ip route 0.0.0.0/0 192.165.2.1
Verify OSPF neighbors
Check the routing table
3、IPsec VPN build scripts & tests
Build the IPsec VPN and test it; once the test passes, steer traffic on the core switches. Notes on this configuration: the two crypto ACLs must be exact mirror images (source and destination swapped) and both peers must use the same PSK and matching IKE policy values, otherwise phase 1 or phase 2 fails to negotiate. The lab uses IKEv1 with "hash sha" (SHA-1) and a short, guessable PSK for simplicity; a production tunnel should use IKEv2, SHA-256 integrity, "set pfs group14" on the crypto map, and a long random PSK or certificates. There is no NAT on the ASAs in this lab, so no NAT exemption is needed; if outbound PAT is configured, an identity NAT rule for the two VLAN subnets is required, because NAT is applied before the crypto map is evaluated and translated packets would not match the crypto ACL.
SHZJ-FW55-201A-A101#
! Phase 1 (IKEv1/ISAKMP): enable IKEv1 on Outside and define the policy; "hash sha" is SHA-1
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
! Peer identity and PSK; the PSK is a lab value and must match on both peers
tunnel-group 30.1.1.2 type ipsec-l2l
tunnel-group 30.1.1.2 ipsec-attributes
ikev1 pre-shared-key Cisco@123
! Phase 2: interesting traffic (mirror image of the peer's ACL), transform set, crypto map bound to Outside
access-list VPN extended permit ip 165.4.11.0 255.255.255.0 165.5.11.0 255.255.255.0
crypto ipsec ikev1 transform-set VPN_TRANS esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address VPN
crypto map VPN_MAP 10 set peer 30.1.1.2
crypto map VPN_MAP 10 set ikev1 transform-set VPN_TRANS
crypto map VPN_MAP interface Outside
BJCY-FW55-101A-A101#
! Mirror image of the Shanghai firewall: peer address and crypto ACL direction are swapped, all other values identical
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
tunnel-group 20.1.1.2 type ipsec-l2l
tunnel-group 20.1.1.2 ipsec-attributes
ikev1 pre-shared-key Cisco@123
access-list VPN extended permit ip 165.5.11.0 255.255.255.0 165.4.11.0 255.255.255.0
crypto ipsec ikev1 transform-set VPN_TRANS esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address VPN
crypto map VPN_MAP 10 set peer 20.1.1.2
crypto map VPN_MAP 10 set ikev1 transform-set VPN_TRANS
crypto map VPN_MAP interface Outside
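The review points above (IKEv1, SHA-1, no PFS, weak PSK, mirrored crypto ACLs) can be checked mechanically. The following is an added example and not part of the original lab: a small Python lint that parses the two ASA crypto sections exactly as they appear above (embedded here as constructed strings; the Beijing copy is derived from the Shanghai one by swapping the peer address and ACL direction), reports the weak settings, and verifies that the crypto ACLs are exact mirror images. The length and character-class thresholds for the PSK are this example's own choice.

```python
import ipaddress
import re

# Constructed input: the crypto section of the SHZJ ASA as shown in the lab above.
SHZJ_CFG = """
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
tunnel-group 30.1.1.2 type ipsec-l2l
tunnel-group 30.1.1.2 ipsec-attributes
 ikev1 pre-shared-key Cisco@123
access-list VPN extended permit ip 165.4.11.0 255.255.255.0 165.5.11.0 255.255.255.0
crypto ipsec ikev1 transform-set VPN_TRANS esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address VPN
crypto map VPN_MAP 10 set peer 30.1.1.2
crypto map VPN_MAP 10 set ikev1 transform-set VPN_TRANS
crypto map VPN_MAP interface Outside
"""
# The BJCY side is the mirror image: peer address and crypto ACL direction swapped.
BJCY_CFG = SHZJ_CFG.replace("30.1.1.2", "20.1.1.2").replace(
    "165.4.11.0 255.255.255.0 165.5.11.0 255.255.255.0",
    "165.5.11.0 255.255.255.0 165.4.11.0 255.255.255.0")

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime", "integrity", "prf")


def _ace_networks(tok):
    """Source/destination networks of 'access-list NAME extended permit ip SRC DST'."""
    i, nets = tok.index("ip") + 1, []
    while len(nets) < 2:
        if tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32")); i += 2
        elif tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:  # "network mask" form
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)); i += 2
    return tuple(nets)


def parse_asa_vpn(cfg):
    """Extract the IKE/IPsec parameters that matter for review from ASA config text."""
    vpn = {"ike": None, "policy": {}, "psk": None, "transform": [], "pfs": None, "aces": []}
    acls, acl_name = {}, None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "crypto" and len(tok) > 3 and tok[1] in ("ikev1", "ikev2") and tok[2] == "policy":
            vpn["ike"] = tok[1]
        elif tok[0] in POLICY_KEYS and len(tok) == 2:
            vpn["policy"][tok[0]] = tok[1]
        elif "pre-shared-key" in tok:
            vpn["psk"] = tok[-1]
        elif tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            vpn["transform"] = tok[5:]
        elif tok[:2] == ["crypto", "map"] and "pfs" in tok:
            vpn["pfs"] = tok[-1]          # "set pfs" alone means the ASA default group
        elif tok[:2] == ["crypto", "map"] and "address" in tok:
            acl_name = tok[-1]            # ACL named by "match address"
        elif tok[0] == "access-list" and "permit" in tok:
            acls.setdefault(tok[1], []).append(_ace_networks(tok))
    vpn["aces"] = acls.get(acl_name, [])  # ACEs may precede the crypto map in the config
    return vpn


def lint(vpn):
    """Findings a reviewer would raise against the parsed parameters."""
    findings = []
    if vpn["ike"] == "ikev1":
        findings.append("IKEv1 in use; new site-to-site tunnels should use IKEv2")
    if vpn["policy"].get("hash") == "sha":
        findings.append("phase 1 integrity is SHA-1 ('hash sha'); ASA IKEv1 policies only offer md5/sha, "
                        "so SHA-256 means moving to an IKEv2 policy")
    if any(t in ("esp-sha-hmac", "esp-md5-hmac") for t in vpn["transform"]):
        findings.append("transform set uses SHA-1/MD5 integrity; IKEv2 ipsec-proposals support sha-256")
    if vpn["policy"].get("group") in ("1", "2", "5"):
        findings.append(f"DH group {vpn['policy']['group']} is too small; use group 14 or larger")
    if vpn["pfs"] is None:
        findings.append("no 'set pfs' on the crypto map: IPsec SA keys derive from the IKE SA's DH secret; "
                        "'set pfs group14' forces a fresh DH exchange per IPsec SA")
    psk = vpn["psk"] or ""
    classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if len(psk) < 20 or classes < 3 or "cisco" in psk.lower():
        findings.append("pre-shared key is short or guessable; use a long random secret or certificates")
    return findings


def acls_mirror(a, b):
    """IKEv1 phase 2 only negotiates when the two crypto ACLs are exact mirror images."""
    return {(s, d) for s, d in a["aces"]} == {(d, s) for s, d in b["aces"]}


if __name__ == "__main__":
    sh, bj = parse_asa_vpn(SHZJ_CFG), parse_asa_vpn(BJCY_CFG)
    for f in lint(sh):
        print("-", f)
    print("crypto ACLs mirror:", acls_mirror(sh, bj))
```

Run against the lab configuration it reports IKEv1, SHA-1 in both phases, missing PFS and the weak PSK, while the DH group (14) passes and the two ACLs mirror correctly. The same parser can be pointed at a "show running-config" dump to catch a later ACL edit that was made on only one peer.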
Test scripts (a loopback on each core switch serves as a test endpoint so the tunnel can be exercised before any VLAN traffic is steered)
SHZJ-SW93-201A-B101#
interface loopback1
ip address 1.1.1.1/32
ip route 2.2.2.2/32 192.165.1.1
BJCY-SW93-101A-B101#
interface loopback1
ip address 2.2.2.2/32
ip route 1.1.1.1/32 192.165.2.1
SHZJ-FW55-201A-A101#
route Inside 1.1.1.1 255.255.255.255 192.165.1.2
access-list VPN extended permit ip host 1.1.1.1 host 2.2.2.2
BJCY-FW55-101A-A101#
route Inside 2.2.2.2 255.255.255.255 192.165.2.2
access-list VPN extended permit ip host 2.2.2.2 host 1.1.1.1
Trigger tunnel establishment: ping 2.2.2.2 from the Shanghai core switch sourced from loopback1 (1.1.1.1). The first packet that matches the crypto ACL starts the IKE negotiation, so the first reply or two may be lost while the SAs come up. This test only works because the extra host ACEs were added to the VPN ACL on both firewalls; remove them (and the test routes) once the test is done, otherwise the crypto map keeps the loopback pair as a second IPsec SA proxy identity.
Check the tunnel: "show crypto ikev1 sa" for phase 1 and "show crypto ipsec sa" for phase 2, where the encaps/decaps counters should increase with each test ping.
4、Traffic steering
Confirm the current routes: before the change, the Shanghai core learns both 165.5.11.0/24 and 165.5.12.0/24 via OSPF over the DCI, and the Beijing core learns 165.4.11.0/24 and 165.4.12.0/24 the same way.
Add the steering routes on the core switches
SHZJ-SW93-201A-B101#
ip route 165.5.11.0/24 192.165.1.1
BJCY-SW93-101A-B101#
ip route 165.4.11.0/24 192.165.2.1
Trigger tunnel establishment and test the interesting traffic (VLAN 411 <-> VLAN 511).
Core switch route check: the route to VLAN 511 on the Shanghai core and the route to VLAN 411 on the Beijing core now point at the respective site's firewall Inside interface. This works because NX-OS prefers the static route (administrative distance 1) over the equal-length /24 learned via OSPF across the DCI (administrative distance 110); the OSPF route stays in the OSPF database and is reinstalled if the static route is removed. The 412 <-> 512 pair is untouched and still follows OSPF over the DCI. Two caveats: the static route must be added on both cores, otherwise the return path is asymmetric; and the steering is destination-based only, so traffic from VLAN 412 to VLAN 511 (or from VLAN 512 to VLAN 411) is also pulled to the firewall, does not match the crypto ACL, and with no NAT configured is forwarded unencrypted toward the ISP under the firewall's default route. If those cross flows are required, either add mirrored crypto ACL entries for them on both firewalls or steer by source with policy-based routing on the core switch instead of a destination static route.
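The path selection and the cross-flow caveat can be worked through in code. The following is an added example and not part of the original lab: a Python model of the Shanghai core switch RIB after the steering route is added (constructed from the routes configured above, reduced to the entries that matter, with NX-OS administrative distances 1 for static and 110 for OSPF), together with the Shanghai firewall's crypto ACL. It resolves a destination the way the RIB does (longest prefix, then lowest administrative distance) and then reports whether the flow ends up on the DCI, in the IPsec tunnel, or at the firewall without a crypto ACL match. The "widened" ACL is a hypothetical fix for the VLAN 412 -> VLAN 511 cross flow, not something the lab configures.

```python
import ipaddress

# Constructed model of the SHZJ core switch RIB after step 4: (prefix, next hop, admin distance).
# NX-OS administrative distances: static 1, OSPF 110.
FW_INSIDE = "192.165.1.1"   # SHZJ-FW55-201A-A101 G0/0
DCI_PEER = "192.165.3.2"    # BJCY-SW93-101A-B101 E1/2
SHZJ_CORE_RIB = [
    ("0.0.0.0/0",     FW_INSIDE, 1),    # ip route 0.0.0.0/0 192.165.1.1
    ("165.5.11.0/24", DCI_PEER,  110),  # learned via OSPF over the DCI
    ("165.5.12.0/24", DCI_PEER,  110),  # learned via OSPF over the DCI
    ("165.5.11.0/24", FW_INSIDE, 1),    # ip route 165.5.11.0/24 192.165.1.1 (steering route)
]

# Crypto ACL "VPN" on the SHZJ firewall as (source, destination) pairs.
LAB_CRYPTO_ACL = [("165.4.11.0/24", "165.5.11.0/24")]
# Hypothetical widened ACL that also covers the VLAN 412 -> VLAN 511 cross flow (not in the lab;
# the mirror entry would be needed on the Beijing firewall as well).
WIDENED_CRYPTO_ACL = LAB_CRYPTO_ACL + [("165.4.12.0/24", "165.5.11.0/24")]


def lookup(rib, dst):
    """RIB selection: longest prefix match first, lowest administrative distance second."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, ad) for p, nh, ad in rib
               if d in ipaddress.ip_network(p)]
    best = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return best[1]


def matches_crypto_acl(acl, src, dst):
    """True when the flow falls inside one (source, destination) pair of the crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def classify(src, dst, acl=LAB_CRYPTO_ACL, rib=SHZJ_CORE_RIB):
    """Which path a flow leaving the Shanghai core takes, and whether it is encrypted."""
    nh = lookup(rib, dst)
    if nh == DCI_PEER:
        return "dci"              # stays on the Layer 3 DCI, outside the VPN
    if matches_crypto_acl(acl, src, dst):
        return "ipsec"            # the firewall encrypts it toward the Beijing peer
    # No crypto ACL match and no NAT on the ASA: the packet follows the firewall's
    # default route to the ISP in cleartext, where nothing routes the 165.x prefixes.
    return "cleartext-to-isp"


if __name__ == "__main__":
    for src, dst in [("165.4.11.10", "165.5.11.10"),
                     ("165.4.12.10", "165.5.12.10"),
                     ("165.4.12.10", "165.5.11.10")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
    print("VLAN 412 -> VLAN 511 with widened ACL:",
          classify("165.4.12.10", "165.5.11.10", WIDENED_CRYPTO_ACL))
```

The first two flows come out as intended ("ipsec" and "dci"); the third shows the destination-only steering pulling VLAN 412 traffic to the firewall where it leaves unencrypted. Widening the crypto ACL fixes it on the Shanghai side only; the Beijing firewall needs the mirrored entry and the Beijing core already steers 165.4.11.0/24, so the return path should be checked with the same model built from the Beijing RIB.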