SVTI_VPN

                               SVTI Lab

     SVTI (static virtual tunnel interface) configuration is used for site-to-site (LAN-to-LAN) VPN connections. Features that need to act on the cleartext traffic are configured on the VTI interface itself. Compared with the traditional crypto map configuration, SVTI lets a dynamic routing protocol run over the tunnel interface and does not need the extra 4-byte GRE header that GRE over IPsec adds, so the encrypted traffic carries less overhead. Because the VTI separates the two sides, NAT, ACLs and QoS can be applied independently to the cleartext traffic (on the tunnel interface) and to the encrypted traffic (on the physical interface).


Site 1

! outside interface (202.100.1.1 appears as the IKE local address in the test output; /24 matches the Internet router)
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 61.128.1.1
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
 set transform-set myset
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 61.128.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
router ospf 100
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10


Internet

interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 61.128.1.10 255.255.255.0


Site 2

interface FastEthernet0/1
 ip address 61.128.1.1 255.255.255.0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
 set transform-set myset
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 202.100.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
router ospf 100
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 61.128.1.10


Test

Site1#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/172/204 ms

Site1#show ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11112] via 172.16.1.2, 00:12:33, Tunnel0

Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
61.128.1.1      202.100.1.1     QM_IDLE           1002    0 ACTIVE

Site1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu0        IPsec 3DES+SHA                  0      104 202.100.1.1
    2 Tu0        IPsec 3DES+SHA                105        0 202.100.1.1
 1002 Tu0        IKE   SHA+3DES                  0        0 202.100.1.1

Site1#ping 2.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!

Site1#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 61.128.1.1 port 500
  IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
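The any/any IPSEC FLOW in the last output is characteristic of a VTI: the tunnel interface, not a crypto ACL, decides what gets encrypted, so whatever is routed into Tunnel0 goes through the SA. That is also why the cleartext-side filtering the introduction mentions has to live on the VTI. The lab itself uses 3DES, SHA-1, DH group 2 and the pre-shared key cisco, which is fine for a lab and not for anything reachable from the Internet: 3DES and 1024-bit DH group 2 are deprecated, and a guessable PSK gives any host that can reach UDP/500 on the outside interface a real chance of authenticating. The Site 1 configuration below is an added example, not part of the original post: it replaces the page's IKE policy, transform set and profile with AES-256, SHA-256 and DH group 14, enables dead peer detection, and shows where the two ACLs go, one on the physical interface for the encrypted side and one on the VTI for the cleartext side. Addresses and interface names are the lab's; the PSK, OSPF key and ACL names are placeholders to be replaced. Site 2 mirrors this with 202.100.1.1 as the peer and the LAN prefixes swapped; the Loopback0 and default-route lines from the page are unchanged and omitted here.

```cisco
! Site 1, hardened version of the lab config (added example)
!
! IKE policy 100 replaces the 3DES / SHA-1 / group 2 policy of the lab
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Placeholder PSK: use a long random secret, or move to certificate authentication
crypto isakmp key Str0ng-PSK-ChangeMe address 61.128.1.1
! Dead peer detection: probe every 10 s, retry every 3 s, so a dead tunnel is torn down
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile ipsecprof
 set transform-set myset
 set pfs group14
 set security-association lifetime seconds 3600
!
! Encrypted side: only IKE (UDP 500 / 4500) and ESP from the known peer may enter
! the outside interface. In this lab nothing else is expected on F0/0.
ip access-list extended OUTSIDE-IN
 permit udp host 61.128.1.1 host 202.100.1.1 eq isakmp
 permit udp host 61.128.1.1 host 202.100.1.1 eq non500-isakmp
 permit esp host 61.128.1.1 host 202.100.1.1
 deny ip any any log
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Cleartext side: applied to decrypted packets arriving on the VTI. Only the remote
! LAN to the local LAN, OSPF between the tunnel endpoints, and endpoint-to-endpoint
! traffic (the ping 172.16.1.2 test) are allowed.
ip access-list extended TUNNEL-IN
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ospf any any
 permit ip host 172.16.1.2 host 172.16.1.1
 deny ip any any log
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip access-group TUNNEL-IN in
 ! OSPF authentication is defence in depth: the tunnel already authenticates the peer
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OspfKeyChangeMe
 tunnel source FastEthernet0/0
 tunnel destination 61.128.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
! Send OSPF hellos only into the tunnel; Loopback0 is still advertised
router ospf 100
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel0
 network 1.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
```

After applying it on both sides, the same checks as above should show AES+SHA256 instead of 3DES+SHA in show crypto engine connections active, and a ping from a third host to 202.100.1.1 should be dropped and logged by OUTSIDE-IN rather than answered.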


This article is from the “优乐美” blog; please keep this attribution: http://youlemei.blog.51cto.com/2294538/1654775
