IPsec encrypted interconnection between branches through a POP node in a multi-branch NAT-traversal scenario

Over the previous few labs we have covered the basic way IKE and IPsec are used together, as well as the key configuration points for headquarters-to-branch communication.
In a service-provider scenario this reduces the user's dependence on fixed IP addresses to a minimum: a user can build a multi-branch network without owning a single fixed IP address. The technology is still the classic IKE + IPsec combination, but today we call it "SD-WAN" (see the earlier posts on SDN from a service provider's viewpoint and on my understanding of SD-WAN).
Today's lab walks through the configuration for the case where all of a user's branches attach to the same POP.

Networking requirements

To stay close to a real SD-WAN deployment, the lab uses 10 routers. In the diagram, branch A's egress device is RTA, which has no fixed IP address and reaches the POP through ISP1; NAT is enabled on ISP1's interface G0/1. Branch B's egress device is RTB, also without a fixed IP address, reaching the POP through ISP2 with NAT enabled on ISP2's G0/1. Branch C's egress device is RTC, again without a fixed IP address, reaching the POP through ISP3 with NAT enabled on ISP3's G0/1. RTA, RTB and RTC each need to establish an IPsec tunnel with the POP; the three branches reach one another through the POP, and the traffic exchanged between branches must be protected. The specific requirements are:
· Encapsulation in tunnel mode.
· ESP as the security protocol.
· 128-bit AES for encryption and HMAC-SHA1 for authentication.
· IPsec SAs established through IKE negotiation.
· The default IKE proposal.
· The default pre-shared-key authentication method.
· Phase 1 authentication uses pre-shared keys.

Network diagram

[Network diagram: IPsec encrypted interconnection between branches through a POP node in a multi-branch NAT-traversal scenario]

Lab environment

Windows 10 Pro (1909-18363.1556, 16 GB RAM)
HCL 3.0.1
MSR 36-20 (Version 7.1.064, Release 0821P11)

Configuration steps

Configuration approach
1. The interconnection between each branch and the POP follows the NAT-traversal configuration from the earlier lab (building an IPsec tunnel that protects IPv4 traffic with IKE aggressive mode across NAT): each branch egress device uses IKE aggressive mode, and the POP uses an IPsec policy template to generate its policy.
2. To make sure the IPsec tunnel between each branch and the POP comes up reliably, create a Loopback interface on the POP that answers the branch's traffic.
3. The protected traffic configured on each branch must cover both the branch-to-POP traffic and the traffic between branches. Combined with the auto-trigger configuration we worked out earlier (how to reach a branch from headquarters in a NAT-traversal scenario), the scheduled job's traffic is set to branch-to-POP traffic so that it triggers tunnel establishment automatically.
Those are the key points; here is the configuration.
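As an added illustration (not part of the original post), the following Python script generates the branch-side configuration from the three design points above for any number of branches, and checks the one thing that most often breaks a POP-relayed mesh like this: every branch-to-branch flow in one branch's ACL must have its mirror image in the peer branch's ACL, otherwise the POP has no SA toward the other branch for that flow. The branch table, the POP loopback 1.1.1.1 and the key qwe123 are taken from the lab; the table's field names and the function names are the script's own.

```python
import ipaddress

# Constructed from the lab: the POP loopback the keepalive pings target, and the lab PSK.
POP_LOOPBACK = "1.1.1.1"
PSK = "qwe123"

# Constructed branch table (field names are this script's own): LAN, WAN address/gateway,
# and the POP address each branch peers with.
BRANCHES = [
    {"name": "rta", "lan": "10.1.1.0/24", "wan_ip": "20.1.1.2", "wan_gw": "20.1.1.1", "pop": "11.1.1.1"},
    {"name": "rtb", "lan": "10.1.2.0/24", "wan_ip": "20.1.2.2", "wan_gw": "20.1.2.1", "pop": "12.1.1.1"},
    {"name": "rtc", "lan": "10.1.3.0/24", "wan_ip": "20.1.3.2", "wan_gw": "20.1.3.1", "pop": "13.1.1.1"},
]


def wildcard(net):
    """'10.1.1.0/24' -> '10.1.1.0 0.0.0.255' (Comware ACL wildcard notation)."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.hostmask}"


def gateway(net):
    """First usable host of a LAN: the branch router's LAN address and the ping source."""
    return str(next(ipaddress.ip_network(net).hosts()))


def acl_rules(branch, all_branches):
    """Protected flows for one branch: LAN -> every other branch LAN, then LAN -> POP loopback."""
    rules, seq = [], 0
    for other in all_branches:
        if other["name"] != branch["name"]:
            rules.append(f"rule {seq} permit ip source {wildcard(branch['lan'])} "
                         f"destination {wildcard(other['lan'])}")
            seq += 5
    rules.append(f"rule {seq} permit ip source {wildcard(branch['lan'])} destination {POP_LOOPBACK} 0")
    return rules


def keepalive_commands(branch, all_branches):
    """Scheduler pings that pre-build every tunnel: POP loopback first, then each peer gateway."""
    src = gateway(branch["lan"])
    targets = [POP_LOOPBACK] + [gateway(o["lan"]) for o in all_branches if o["name"] != branch["name"]]
    return [f"command {i} ping -a {src} -c 2 {t}" for i, t in enumerate(targets, start=1)]


def branch_config(branch, all_branches):
    """Branch-side configuration in the shape the post uses (Comware 7 syntax)."""
    lan = ipaddress.ip_network(branch["lan"])
    lines = [
        f"sysname {branch['name'].upper()}", "#",
        "interface GigabitEthernet0/0", f" ip address {gateway(branch['lan'])} {lan.netmask}", "#",
        "interface GigabitEthernet0/1", f" ip address {branch['wan_ip']} 255.255.255.0",
        " ipsec apply policy map1", "#",
        "scheduler job ka", *(" " + c for c in keepalive_commands(branch, all_branches)), "#",
        "scheduler schedule keepalive", " user-role network-admin", " job ka",
        " time repeating interval 1", "#",
        f"ip route-static 0.0.0.0 0 {branch['wan_gw']}", "#",
        "acl advanced 3402", *(" " + r for r in acl_rules(branch, all_branches)), "#",
        "ipsec transform-set tran1", " esp encryption-algorithm aes-cbc-128",
        " esp authentication-algorithm sha1", "#",
        "ipsec policy map1 10 isakmp", " transform-set tran1", " security acl 3402",
        f" remote-address {branch['pop']}", " ike-profile pro1", "#",
        "ike profile pro1", " keychain key1", " exchange-mode aggressive",
        f" local-identity fqdn {branch['name']}",
        f" match remote identity address {branch['pop']} 255.255.255.0", "#",
        "ike keychain key1",
        f" pre-shared-key address {branch['pop']} 255.255.255.0 key simple {PSK}",
    ]
    return "\n".join(lines)


def flow_pairs(rules):
    """(source, destination) wildcard pairs protected by a list of ACL rule strings."""
    pairs = set()
    for r in rules:
        p = r.split()
        s, d = p.index("source"), p.index("destination")
        pairs.add((" ".join(p[s + 1:s + 3]), " ".join(p[d + 1:d + 3])))
    return pairs


def unmirrored_flows(rules_by_branch):
    """Branch-to-branch flows whose reverse direction no branch's ACL protects.

    Such a flow gets an SA only between the initiating branch and the POP; the POP
    has no SA toward the other branch for it, so it cannot be relayed. The
    LAN -> POP loopback flow is skipped because the POP answers it from its template."""
    all_pairs = set().union(*(flow_pairs(r) for r in rules_by_branch.values()))
    return sorted((s, d) for s, d in all_pairs
                  if not d.startswith(POP_LOOPBACK + " ") and (d, s) not in all_pairs)


if __name__ == "__main__":
    for b in BRANCHES:
        print(branch_config(b, BRANCHES), end="\n\n")
    print("unmirrored flows:", unmirrored_flows({b["name"]: acl_rules(b, BRANCHES) for b in BRANCHES}))
```

Running the script prints the three branch configurations in the same form as the ones below and an empty list of unmirrored flows; remove one inter-branch rule from any branch and that pair is reported, which is the symptom to look for when two branches can reach the POP but not each other.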

POP
#
sysname POP
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
ip address 11.1.1.1 255.255.255.0
ipsec apply policy pmap1
#
interface GigabitEthernet0/1
ip address 12.1.1.1 255.255.255.0
ipsec apply policy pmap2
#
interface GigabitEthernet0/2
ip address 13.1.1.1 255.255.255.0
ipsec apply policy pmap3
#
ip route-static 10.1.1.0 24 11.1.1.2
ip route-static 10.1.2.0 24 12.1.1.2
ip route-static 10.1.3.0 24 13.1.1.2
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy-template temp1 1
transform-set tran1
local-address 11.1.1.1
ike-profile pro1
#
ipsec policy-template temp2 1
transform-set tran1
local-address 12.1.1.1
ike-profile pro1
#
ipsec policy-template temp3 1
transform-set tran1
local-address 13.1.1.1
ike-profile pro1
#
ipsec policy pmap1 1 isakmp template temp1
#
ipsec policy pmap2 1 isakmp template temp2
#
ipsec policy pmap3 1 isakmp template temp3
#
ike profile pro1
keychain key1
exchange-mode aggressive
match remote identity fqdn rtb
match remote identity fqdn rta
match remote identity fqdn rtc
#
ike keychain key1
pre-shared-key hostname rta key simple qwe123
pre-shared-key hostname rtb key simple qwe123
pre-shared-key hostname rtc key simple qwe123

ISP1
#
sysname ISP1
#
interface GigabitEthernet0/0
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 11.1.1.2 255.255.255.0
nat outbound
#
ip route-static 0.0.0.0 0 11.1.1.1

ISP2
#
sysname ISP2
#
interface GigabitEthernet0/0
ip address 20.1.2.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 12.1.1.2 255.255.255.0
nat outbound
#
ip route-static 0.0.0.0 0 12.1.1.1

ISP3
#
sysname ISP3
#
interface GigabitEthernet0/0
ip address 20.1.3.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 13.1.1.2 255.255.255.0
nat outbound
#
ip route-static 0.0.0.0 0 13.1.1.1

RTA
#
sysname RTA
#
interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 20.1.1.2 255.255.255.0
ipsec apply policy map1
#
scheduler job ka
command 1 ping -a 10.1.1.1 -c 2 1.1.1.1
command 2 ping -a 10.1.1.1 -c 2 10.1.2.1
command 3 ping -a 10.1.1.1 -c 2 10.1.3.1
#
scheduler schedule keepalive
user-role network-admin
job ka
time repeating interval 1
#
ip route-static 0.0.0.0 0 20.1.1.1
#
acl advanced 3402
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 1.1.1.1 0
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3402
remote-address 11.1.1.1
ike-profile pro1
#
ike profile pro1
keychain key1
exchange-mode aggressive
local-identity fqdn rta
match remote identity address 11.1.1.1 255.255.255.0
#
ike keychain key1
pre-shared-key address 11.1.1.1 255.255.255.0 key simple qwe123

RTB
#
sysname RTB
#
interface GigabitEthernet0/0
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 20.1.2.2 255.255.255.0
ipsec apply policy map1
#
scheduler job ka
command 1 ping -a 10.1.2.1 -c 2 1.1.1.1
command 2 ping -a 10.1.2.1 -c 2 10.1.1.1
command 3 ping -a 10.1.2.1 -c 2 10.1.3.1
#
scheduler schedule keepalive
user-role network-admin
job ka
time repeating interval 1
#
ip route-static 0.0.0.0 0 20.1.2.1
#
acl advanced 3402
rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 1.1.1.1 0
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3402
remote-address 12.1.1.1
ike-profile pro1
#
ike profile pro1
keychain key1
exchange-mode aggressive
local-identity fqdn rtb
match remote identity address 12.1.1.1 255.255.255.0
#
ike keychain key1
pre-shared-key address 12.1.1.1 255.255.255.0 key simple qwe123

RTC
#
sysname RTC
#
interface GigabitEthernet0/0
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 20.1.3.2 255.255.255.0
ipsec apply policy map1
#
scheduler job ka
command 1 ping -a 10.1.3.1 -c 2 1.1.1.1
command 2 ping -a 10.1.3.1 -c 2 10.1.1.1
command 3 ping -a 10.1.3.1 -c 2 10.1.2.1
#
scheduler schedule keepalive
user-role network-admin
job ka
time repeating interval 1
#
ip route-static 0.0.0.0 0 20.1.3.1
#
acl advanced 3402
rule 0 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 1.1.1.1 0
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3402
remote-address 13.1.1.1
ike-profile pro1
#
ike profile pro1
keychain key1
exchange-mode aggressive
local-identity fqdn rtc
match remote identity address 13.1.1.1 255.255.255.0
#
ike keychain key1
pre-shared-key address 13.1.1.1 255.255.255.0 key simple qwe123

Verifying the configuration

With the above configuration in place, host PCC in branch C initiates access to the POP and to the hosts in the other branches, with the following result:

All destinations are reachable and there is no first-packet loss, which shows that the IPsec tunnels were already established beforehand.
Without the IPsec tunnel, PCC is 3 hops from the POP; through the tunnel it is 2 hops. The TTL seen here is 254, so the traffic was forwarded over IPsec. Without the tunnel, PCC is 6 hops from PCA and PCB; through the tunnel it is 4 hops, and the TTL here is 252, again showing forwarding over IPsec.
Switching to RTC's command line, you can see the scheduled job's pings triggering IKE negotiation and IPsec negotiation; each of them shows one lost packet.

The following command shows the IKE SA that RTC created after phase 1 negotiation succeeded.
dis ike sa

    Connection-ID   Local                Remote               Flag         DOI
    ------------------------------------------------------------------
    1               20.1.3.2             13.1.1.1             RD           IPsec

Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

Add verbose to see the details.
dis ike sa verbose

    Connection ID: 1
    Outside VPN:
    Inside VPN:
    Profile: pro1
    Transmitting entity: Initiator
    Initiator cookie: 528b50d4bf919796
    Responder cookie: 2116a8ced7631051
    Local IP/port: 20.1.3.2/4500
    Local ID type: FQDN
    Local ID: rtc
    Remote IP/port: 13.1.1.1/4500
    Remote ID type: IPV4_ADDR
    Remote ID: 13.1.1.1
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: SHA1
    Encryption-algorithm: DES-CBC
    Life duration(sec): 86400
    Remaining key duration(sec): 85768
    Exchange-mode: Aggressive
    Diffie-Hellman group: Group 1
    NAT traversal: Detected
    Extend authentication: Disabled
    Assigned IP address:
    Vendor ID index:0xffffffff
    Vendor ID sequence number:0x0
The following command shows the IPsec SAs produced by the negotiation.

dis ipsec sa

-------------------------------
Interface: GigabitEthernet0/1
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1420
    Tunnel:
        local  address: 20.1.3.2
        remote address: 13.1.1.1
    Flow:
        sour addr: 10.1.3.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 1.1.1.1/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3365586 (0x00335ad2)
      Connection ID: 4294967296
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843198/3109
      Max received sequence-number: 20
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 2525931808 (0x968ea920)
      Connection ID: 4294967297
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843198/3109
      Max sent sequence-number: 20
      UDP encapsulation used for NAT traversal: Y
      Status: Active

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 1
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1420
    Tunnel:
        local  address: 20.1.3.2
        remote address: 13.1.1.1
    Flow:
        sour addr: 10.1.3.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 2356718195 (0x8c78aa73)
      Connection ID: 4294967298
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843196/3112
      Max received sequence-number: 36
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 4082554940 (0xf356d83c)
      Connection ID: 4294967299
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843196/3112
      Max sent sequence-number: 36
      UDP encapsulation used for NAT traversal: Y
      Status: Active

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 2
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1420
    Tunnel:
        local  address: 20.1.3.2
        remote address: 13.1.1.1
    Flow:
        sour addr: 10.1.3.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1216751403 (0x4886272b)
      Connection ID: 4294967300
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843196/3114
      Max received sequence-number: 34
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 2581733876 (0x99e221f4)
      Connection ID: 4294967301
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843196/3114
      Max sent sequence-number: 34
      UDP encapsulation used for NAT traversal: Y
      Status: Active
There are three IPsec SAs in total, one to the POP and one to each of the other two branches, and all three ride on the same IKE SA.
With the POP relaying, the branches can communicate with one another without any manual trigger. Got it?
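As an added check (not from the original post), this Python script parses the display ipsec sa and display ike sa verbose text shown above and compares it with the requirements list: tunnel mode, the AES-CBC-128/SHA1 transform set, UDP encapsulation on every SA of a branch behind NAT, Active status, and one tunnel for each flow in RTC's ACL 3402. It also flags the phase-1 parameters that the default IKE proposal produced: the verbose output shows DES-CBC and Diffie-Hellman Group 1, which is what you get without an explicit ike proposal and is not something to carry into production. The sample text is a constructed excerpt in the same format as the output above, containing two of RTC's three tunnels so that the missing third one is reported; the function names are the script's own.

```python
import re

# Constructed excerpt in the format of "display ipsec sa" on Comware 7 as shown above; two of
# RTC's three tunnels are included so that the check below has a missing flow to report.
TUNNEL_TEMPLATE = """\
  Tunnel id: {tid}
  Encapsulation mode: tunnel
  Flow:
      sour addr: 10.1.3.0/255.255.255.0  port: 0  protocol: ip
      dest addr: {dst}  port: 0  protocol: ip

  [Inbound ESP SAs]
    SPI: {spi_in}
    Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
    UDP encapsulation used for NAT traversal: Y
    Status: Active

  [Outbound ESP SAs]
    SPI: {spi_out}
    Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
    UDP encapsulation used for NAT traversal: Y
    Status: Active
"""
SAMPLE_IPSEC_SA = (
    "Interface: GigabitEthernet0/1\nIPsec policy: map1\nSequence number: 10\nMode: ISAKMP\n"
    + TUNNEL_TEMPLATE.format(tid=0, dst="1.1.1.1/255.255.255.255",
                             spi_in="3365586 (0x00335ad2)", spi_out="2525931808 (0x968ea920)")
    + TUNNEL_TEMPLATE.format(tid=1, dst="10.1.1.0/255.255.255.0",
                             spi_in="2356718195 (0x8c78aa73)", spi_out="4082554940 (0xf356d83c)")
)

# Constructed excerpt of "display ike sa verbose" with the phase-1 values shown above.
SAMPLE_IKE_SA = """\
Connection ID: 1
Profile: pro1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: DES-CBC
Exchange-mode: Aggressive
Diffie-Hellman group: Group 1
NAT traversal: Detected
"""

REQUIRED_TRANSFORM = "ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1"   # AES-CBC-128 + HMAC-SHA1 per the requirements
LOCAL_LAN = "10.1.3.0/255.255.255.0"                           # branch C LAN
# One tunnel is expected per flow in RTC's ACL 3402: the POP loopback and the two peer LANs.
EXPECTED_DSTS = ["1.1.1.1/255.255.255.255", "10.1.1.0/255.255.255.0", "10.1.2.0/255.255.255.0"]
# Phase-1 values the default IKE proposal can produce that are weak by today's standards.
WEAK_IKE = {"Encryption-algorithm": {"DES-CBC", "3DES-CBC"}, "Diffie-Hellman group": {"Group 1", "Group 2"}}


def _field(key, text):
    """Value after 'key:' in a block of CLI output, or None if the key is absent."""
    m = re.search(rf"{re.escape(key)}:\s*(.+)", text)
    return m.group(1).strip() if m else None


def parse_ipsec_sa(text):
    """One dict per tunnel with its selector and both ESP SAs, parsed from 'display ipsec sa'."""
    tunnels = []
    for block in re.split(r"(?m)^\s*Tunnel id: ", text)[1:]:
        t = {"id": int(block.split("\n", 1)[0]), "mode": _field("Encapsulation mode", block),
             "src": _field("sour addr", block).split()[0], "dst": _field("dest addr", block).split()[0]}
        for direction in ("Inbound", "Outbound"):
            sect = block.split(f"[{direction} ESP SAs]", 1)[1].split("[", 1)[0]
            t[direction.lower()] = {
                "spi": int(_field("SPI", sect).split()[0]),
                "transform": _field("Transform set", sect),
                "nat_t": _field("UDP encapsulation used for NAT traversal", sect) == "Y",
                "status": _field("Status", sect),
            }
        tunnels.append(t)
    return tunnels


def check_tunnels(tunnels, local_lan=LOCAL_LAN, expected_dsts=EXPECTED_DSTS, behind_nat=True):
    """Findings where the negotiated SAs differ from the requirements; an empty list means all good."""
    findings, seen = [], set()
    for t in tunnels:
        seen.add(t["dst"])
        if t["mode"] != "tunnel":
            findings.append(f"tunnel {t['id']}: encapsulation mode is {t['mode']}, expected tunnel")
        if t["src"] != local_lan:
            findings.append(f"tunnel {t['id']}: source selector {t['src']} is not the branch LAN")
        for direction in ("inbound", "outbound"):
            sa = t[direction]
            if sa["transform"] != REQUIRED_TRANSFORM:
                findings.append(f"tunnel {t['id']} {direction}: transform set {sa['transform']}")
            if sa["status"] != "Active":
                findings.append(f"tunnel {t['id']} {direction}: status {sa['status']}")
            if behind_nat and not sa["nat_t"]:
                findings.append(f"tunnel {t['id']} {direction}: no UDP encapsulation although behind NAT")
    for dst in expected_dsts:
        if dst not in seen:
            findings.append(f"no SA for {local_lan} -> {dst}: keepalive not firing or ACL rule missing")
    return findings


def ike_warnings(text):
    """Weak phase-1 parameters found in 'display ike sa verbose' output."""
    return [f"{key} = {_field(key, text)}" for key, weak in WEAK_IKE.items() if _field(key, text) in weak]


if __name__ == "__main__":
    print(*check_tunnels(parse_ipsec_sa(SAMPLE_IPSEC_SA)), *ike_warnings(SAMPLE_IKE_SA), sep="\n")
```

Paste the real output of the two display commands into the two sample strings and run the script; an empty findings list means the negotiated SAs match the design, and anything reported under ike_warnings is a reason to configure an explicit ike proposal rather than rely on the default one.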

Statement: by 铁军哥; represents the creator's own views only. Link: https://eyangzhen.com/2216.html
