VPP: configuring an IPsec IKEv2 tunnel with the remote address set to any
1. Topology
Note: VPP1 actively initiates the IKEv2 negotiation and sets up the IPsec tunnel; VPP2 passively establishes the IPsec tunnel with VPP1. VPP2's profile carries no responder address (the "remote address any" of the title), so it accepts the negotiation from whichever peer presents the matching shared key and IDs.
2. VPP1 configuration (initiator)
2.1. Interface configuration
1. Bring up GigabitEthernet2/1/0
set int state GigabitEthernet2/1/0 up
2. Assign an IP address to GigabitEthernet2/1/0
set int ip address GigabitEthernet2/1/0 10.66.0.1/24
3. Bring up GigabitEthernet2/4/0
set int state GigabitEthernet2/4/0 up
4. Assign an IP address to GigabitEthernet2/4/0
set int ip address GigabitEthernet2/4/0 10.0.0.1/24
2.2. IKEv2 configuration
1. Create an IKEv2 profile named pr1
ikev2 profile add pr1
Syntax: ikev2 profile [add|del] <id>
2. Set the shared-key authentication method
ikev2 profile set pr1 auth shared-key-mic string Vpp123
Syntax: ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>
3. Set the local ID
ikev2 profile set pr1 id local fqdn vpp1.home
Syntax: ikev2 profile set <id> id <local|remote> <type> <data>
4. Set the remote ID
ikev2 profile set pr1 id remote fqdn vpp2.home
Syntax: ikev2 profile set <id> id <local|remote> <type> <data>
5. Set the remote IP address and the local interface used for the negotiation
ikev2 profile set pr1 responder GigabitEthernet2/1/0 10.66.0.2
Syntax: ikev2 profile set <id> responder <interface> <addr>
6. Set the IKE cipher suite and the ESP cipher suite; these only need to be configured on the side that initiates the key negotiation
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
Syntax: ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
Syntax: ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
7. Set the local and remote protected (inner) address ranges, i.e. the traffic selectors
ikev2 profile set pr1 traffic-selector local ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0
Syntax: ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>
8. Initiate the IPsec negotiation
ikev2 initiate sa-init pr1
Syntax: ikev2 initiate sa-init <profile id>
2.3. Show the IKEv2 profile
show ikev2 profile
profile pr1
auth-method shared-key-mic auth data Vpp123
local id-type fqdn data vpp1.home
remote id-type fqdn data vpp2.home
local traffic-selector addr 10.0.0.0 - 10.0.0.254 port 0 - 65535 protocol 0
remote traffic-selector addr 11.0.0.0 - 11.0.0.254 port 0 - 65535 protocol 0
2.4. Show the IKEv2 negotiation result
show ikev2 sa
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024
nonce i:9d78d097d4fa46dbf4d078b4f940346f312b593c9b368f0cc133de0516b19a6b
r:9fe1386b1cd18c661ef99783936f7816914f5241c8d1bb0029c0254303fa75be
SK_d d2bdb93d225adbea26b71cdfd415029f6baa2bc6497f311c91b06f75f9156287
SK_a i:56b8ee31a1caf65540bece8c5aca86165ad76b69
r:c0cfc2e201c8c8d1f3a86756cfda78a08e1a2a05
SK_e i:407c57bc5a82ed6d5f95e2923f724749
r:b6ba1d40691b0537a0402a6ffb4fffa1
SK_p i:be12bb9e22c5d1972d97fca1f29f94d37deeb99c0ff7d005fa4118e95feb3d25
r:15f2df15daac20fb288055b385996b9ee12b903bb6654c9158a27b8803e9491e
identifier (i) fqdn vpp1.home
identifier (r) fqdn vpp2.home
child sa 0:
encr:aes-cbc-128 integ:sha1-96 esn:yes
spi(i) c3413186 spi(r) e01f01ea
SK_e i:00a6544deb5ddee0ded094a35afab94e
r:2b018822f1c250c02ff3e29c0351b332
SK_a i:9f3f8f2f48a15be2bfa70da238d6086d60ef209c
r:9e7544bd5f6efb78078e98c66f23274d42b12acf
traffic selectors (i):
0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
iip 10.66.0.1 ispi 6bdf481a03bb986e rip 10.66.0.2 rspi b3e02e3efe27bce5
encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024
nonce i:1a8c9fb1c4190d5c7dc9c754bcbd4c465f713f9638fb1150d4534b4d84b934b4
r:7ebeb7b7b40c46a90cc3721001f82e623d9c9b8d023543559abe5dcaaf60c97c
SK_d 9e1a0ee4dd691fb24acb886b1091e194536cccb2a37250a7a22d963bccf72640
SK_a i:692e435ddc08978bfbe571281642cb80ac6dc24b
r:6cd455930a75f57f99ded4d538b985dc0872d4d2
SK_e i:fbf52709abd5462cbac89aca1d9113a9
r:f64ff82494edcb279e66a37f5502c243
SK_p i:7d747bde1d24e044b887d9c58403c99f25c0d4e064eb42f060f11bb4bd4d987c
r:9ea987ed01e0d71ab0fd951b6ee70a1311665ae08703477ba3184ac66e76cc2a
identifier (i) fqdn vpp1.home
identifier (r) fqdn vpp2.home
child sa 0:
encr:aes-cbc-128 integ:sha1-96 esn:yes
spi(i) d9658ef spi(r) 62c03297
SK_e i:35857ab4e8da39ee8fe8fa5f86d174a4
r:03b51ca07283f338b0c82c3bd53c1870
SK_a i:2e671df7741623b0744c1dd6f2836204645c85cb
r:d99d4ebbaefe66e6eb277f3a075a45a761386a72
traffic selectors (i):
0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
2.5. Bring up the IPsec interface
set int state ipsec0 up
2.6. Route the remote inner network to the IPsec interface
ip route add 11.0.0.0/24 via ipsec0
2.7. Bind the IPsec interface to the physical interface (unnumbered)
set int unnumbered ipsec0 use GigabitEthernet2/1/0
3. VPP2 configuration (responder)
3.1. Interface configuration
1. Bring up GigabitEthernet2/2/0
set int state GigabitEthernet2/2/0 up
2. Assign an IP address to GigabitEthernet2/2/0
set int ip address GigabitEthernet2/2/0 11.0.0.1/24
3. Bring up GigabitEthernet2/3/0
set int state GigabitEthernet2/3/0 up
4. Assign an IP address to GigabitEthernet2/3/0
set int ip address GigabitEthernet2/3/0 10.66.0.2/24
3.2. IKEv2 configuration
1. Create an IKEv2 profile named pr1
ikev2 profile add pr1
Syntax: ikev2 profile [add|del] <id>
2. Set the pre-shared-key authentication method
ikev2 profile set pr1 auth shared-key-mic string Vpp123
Syntax: ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>
3. Set the local ID
ikev2 profile set pr1 id local fqdn vpp2.home
Syntax: ikev2 profile set <id> id <local|remote> <type> <data>
4. Set the remote ID
ikev2 profile set pr1 id remote fqdn vpp1.home
Syntax: ikev2 profile set <id> id <local|remote> <type> <data>
5. Set the local and remote protected (inner) address ranges, i.e. the traffic selectors
ikev2 profile set pr1 traffic-selector local ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0
Syntax: ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>
3.3. Show the IKEv2 profile
show ikev2 profile
profile pr1
auth-method shared-key-mic auth data Vpp123
local id-type fqdn data vpp2.home
remote id-type fqdn data vpp1.home
local traffic-selector addr 11.0.0.0 - 11.0.0.254 port 0 - 65535 protocol 0
remote traffic-selector addr 10.0.0.0 - 10.0.0.254 port 0 - 65535 protocol 0
3.4. Show the IKEv2 negotiation result
show ikev2 sa
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024
nonce i:9d78d097d4fa46dbf4d078b4f940346f312b593c9b368f0cc133de0516b19a6b
r:9fe1386b1cd18c661ef99783936f7816914f5241c8d1bb0029c0254303fa75be
SK_d d2bdb93d225adbea26b71cdfd415029f6baa2bc6497f311c91b06f75f9156287
SK_a i:56b8ee31a1caf65540bece8c5aca86165ad76b69
r:c0cfc2e201c8c8d1f3a86756cfda78a08e1a2a05
SK_e i:407c57bc5a82ed6d5f95e2923f724749
r:b6ba1d40691b0537a0402a6ffb4fffa1
SK_p i:be12bb9e22c5d1972d97fca1f29f94d37deeb99c0ff7d005fa4118e95feb3d25
r:15f2df15daac20fb288055b385996b9ee12b903bb6654c9158a27b8803e9491e
identifier (i) fqdn vpp1.home
identifier (r) fqdn vpp2.home
child sa 0:
encr:aes-cbc-128 integ:sha1-96 esn:yes
spi(i) c3413186 spi(r) e01f01ea
SK_e i:00a6544deb5ddee0ded094a35afab94e
r:2b018822f1c250c02ff3e29c0351b332
SK_a i:9f3f8f2f48a15be2bfa70da238d6086d60ef209c
r:9e7544bd5f6efb78078e98c66f23274d42b12acf
traffic selectors (i):
0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
iip 10.66.0.1 ispi 6bdf481a03bb986e rip 10.66.0.2 rspi b3e02e3efe27bce5
encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024
nonce i:1a8c9fb1c4190d5c7dc9c754bcbd4c465f713f9638fb1150d4534b4d84b934b4
r:7ebeb7b7b40c46a90cc3721001f82e623d9c9b8d023543559abe5dcaaf60c97c
SK_d 9e1a0ee4dd691fb24acb886b1091e194536cccb2a37250a7a22d963bccf72640
SK_a i:692e435ddc08978bfbe571281642cb80ac6dc24b
r:6cd455930a75f57f99ded4d538b985dc0872d4d2
SK_e i:fbf52709abd5462cbac89aca1d9113a9
r:f64ff82494edcb279e66a37f5502c243
SK_p i:7d747bde1d24e044b887d9c58403c99f25c0d4e064eb42f060f11bb4bd4d987c
r:9ea987ed01e0d71ab0fd951b6ee70a1311665ae08703477ba3184ac66e76cc2a
identifier (i) fqdn vpp1.home
identifier (r) fqdn vpp2.home
child sa 0:
encr:aes-cbc-128 integ:sha1-96 esn:yes
spi(i) d9658ef spi(r) 62c03297
SK_e i:35857ab4e8da39ee8fe8fa5f86d174a4
r:03b51ca07283f338b0c82c3bd53c1870
SK_a i:2e671df7741623b0744c1dd6f2836204645c85cb
r:d99d4ebbaefe66e6eb277f3a075a45a761386a72
traffic selectors (i):
0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
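As an added example (not from the original page), a Python parser for the `show ikev2 sa` output shown in 2.4 and 3.4 above that pulls out the negotiated IKE and child SA parameters and flags the ones a defender would revisit; the weak-parameter baseline (modp-1024, sha1-96) is this example's own assumption, and the sample text is a constructed excerpt of that output with the key material left out.

```python
import re

# Constructed excerpt of VPP `show ikev2 sa` output in the format shown on this page (keys omitted).
SAMPLE_SA = """\
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024
child sa 0:
encr:aes-cbc-128 integ:sha1-96 esn:yes
spi(i) c3413186 spi(r) e01f01ea
traffic selectors (i):
0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
"""

# Baseline assumed for this example: parameters a defender should flag in a negotiated SA.
WEAK_DH = {"modp-768", "modp-1024", "modp-1536"}
WEAK_INTEG = {"md5-96", "sha1-96"}

def parse_ikev2_sas(text):
    """Return one dict per IKE SA, each with its child SAs, parsed from `show ikev2 sa` text."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"iip (\S+) ispi (\S+) rip (\S+) rspi (\S+)", line)
        if m and not any(s["ispi"] == m.group(2) for s in sas):   # VPP repeats this header line
            cur = dict(zip(("iip", "ispi", "rip", "rspi"), m.groups()), children=[])
            sas.append(cur)
        elif line.startswith("child sa"):
            cur = {}
            sas[-1]["children"].append(cur)
        elif m := re.match(r"spi\(i\) (\S+) spi\(r\) (\S+)", line):
            cur["spi_i"], cur["spi_r"] = m.groups()
        else:   # algorithm lines such as "encr:aes-cbc-128 ... dh-group:modp-1024"; others add nothing
            cur.update(re.findall(r"([\w-]+):(\S+)", line))
    return sas

def audit_sa(sa):
    """List weak or downgrade-prone parameters in one parsed IKE SA and its child SAs."""
    findings = []
    if sa.get("dh-group") in WEAK_DH:
        findings.append(f"IKE DH group {sa['dh-group']} is too small")
    if sa.get("integ") in WEAK_INTEG:
        findings.append(f"IKE integrity {sa['integ']} is deprecated")
    for i, c in enumerate(sa["children"]):
        if c.get("integ") in WEAK_INTEG:
            findings.append(f"child SA {i}: integrity {c['integ']} is deprecated")
        if c.get("esn") != "yes":
            findings.append(f"child SA {i}: extended sequence numbers are off")
    return findings
```

Run against the real output, the same functions report the same three findings for this page's SA (the modp-1024 group and sha1-96 integrity on both the IKE SA and the child SA) while accepting esn:yes.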
3.5. Bring up the IPsec interface
set int state ipsec0 up
3.6. Route the remote inner network to the IPsec interface
ip route add 10.0.0.0/24 via ipsec0
3.7. Bind the IPsec interface to the physical interface (unnumbered)
set int unnumbered ipsec0 use GigabitEthernet2/3/0
4. Verification
PC1 can ping PC2, and a packet capture shows the packets being encapsulated before they are sent.
Encapsulated packet trace:
16:15:22:373238: dpdk-input
GigabitEthernet2/2/0 rx queue 0
buffer 0x6663: current data 0, length 74, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 0, nb_segs 1, pkt_len 74
buf_len 2176, data_len 74, ol_flags 0x0, data_off 128, phys_addr 0xc1799940
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:37:da:f3 -> 00:0c:29:2a:f6:9f
ICMP: 11.0.0.2 -> 10.0.0.2
tos 0x00, ttl 64, length 60, checksum 0xff20
fragment id 0x669d
ICMP echo_request checksum 0xb0da
16:15:22:373253: ethernet-input
frame: flags 0x3, hw-if-index 1, sw-if-index 1
IP4: 00:0c:29:37:da:f3 -> 00:0c:29:2a:f6:9f
16:15:22:373259: ip4-input-no-checksum
ICMP: 11.0.0.2 -> 10.0.0.2
tos 0x00, ttl 64, length 60, checksum 0xff20
fragment id 0x669d
ICMP echo_request checksum 0xb0da
16:15:22:373263: ip4-lookup
fib 0 dpo-idx 3 flow hash: 0x00000000
ICMP: 11.0.0.2 -> 10.0.0.2
tos 0x00, ttl 64, length 60, checksum 0xff20
fragment id 0x669d
ICMP echo_request checksum 0xb0da
16:15:22:373283: ip4-rewrite
tx_sw_if_index 3 dpo-idx 3 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 flow hash: 0x00000000
00000000: 4500003c669d00003f0100210b0000020a0000020800b0da00029c7f61626364
00000020: 65666768696a6b6c6d6e6f7071727374757677616263646566676869
16:15:22:373285: ipsec0-output
ipsec0
00000000: 4500003c669d00003f0100210b0000020a0000020800b0da00029c7f61626364
00000020: 65666768696a6b6c6d6e6f707172737475767761626364656667686900000000
00000040: 0ce642bc972f6cf16dfbbf0ea77da6cbc561db707d4e81b1827e8a0334db5be5
00000060: 4b876874e85c1534895d6f7b73d94f811c6c9b987d39ef10bb504546
16:15:22:373289: ipsec0-tx
IPSec: spi 3275829638 seq 1237
16:15:22:373290: esp4-encrypt
esp: spi 3275829638 seq 1237 crypto aes-cbc-128 integrity sha1-96
16:15:22:373313: ip4-lookup
fib 0 dpo-idx 4 flow hash: 0x00000000
IPSEC_ESP: 10.66.0.2 -> 10.66.0.1
tos 0x00, ttl 254, length 120, checksum 0xa7cd
fragment id 0x0000
16:15:22:373313: ip4-rewrite
tx_sw_if_index 2 dpo-idx 4 : ipv4 via 10.66.0.1 GigabitEthernet2/3/0: mtu:9000 000c29c85fdb000c292af6a90800 flow hash: 0x00000000
00000000: 000c29c85fdb000c292af6a908004500007800000000fd32a8cd0a4200020a42
00000020: 0001c3413186000004d6e3f0e921da3bc3191a1bcdf8aa86e0a76d66
16:15:22:373314: GigabitEthernet2/3/0-output
GigabitEthernet2/3/0
IP4: 00:0c:29:2a:f6:a9 -> 00:0c:29:c8:5f:db
IPSEC_ESP: 10.66.0.2 -> 10.66.0.1
tos 0x00, ttl 253, length 120, checksum 0xa8cd
fragment id 0x0000
16:15:22:373315: GigabitEthernet2/3/0-tx
GigabitEthernet2/3/0 tx queue 1
buffer 0xa778: current data 0, length 134, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
PKT MBUF: port 65535, nb_segs 1, pkt_len 134
buf_len 2176, data_len 134, ol_flags 0x0, data_off 128, phys_addr 0xc149de80
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:2a:f6:a9 -> 00:0c:29:c8:5f:db
IPSEC_ESP: 10.66.0.2 -> 10.66.0.1
tos 0x00, ttl 253, length 120, checksum 0xa8cd
fragment id 0x0000
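As an added example (not part of the original page), a Python check that reads the trace above and confirms the encapsulation a defender expects: the packet passed esp4-encrypt before the outer ip4-rewrite, the trace's decimal SPI 3275829638 is the child SA's spi(i) c3413186 from `show ikev2 sa`, and the on-wire bytes in the rewrite dump carry IP protocol 50 (ESP), the tunnel endpoints and the same SPI. The sample is a constructed excerpt of the trace; the tunnel endpoints and the expected child SPI are passed in as parameters.

```python
import re

# Constructed excerpt of the VPP packet trace on this page: inner ICMP, ESP encryption, outer rewrite.
SAMPLE_TRACE = """\
16:15:22:373259: ip4-input-no-checksum
ICMP: 11.0.0.2 -> 10.0.0.2
16:15:22:373290: esp4-encrypt
esp: spi 3275829638 seq 1237 crypto aes-cbc-128 integrity sha1-96
16:15:22:373313: ip4-lookup
IPSEC_ESP: 10.66.0.2 -> 10.66.0.1
16:15:22:373313: ip4-rewrite
00000000: 000c29c85fdb000c292af6a908004500007800000000fd32a8cd0a4200020a42
00000020: 0001c3413186000004d6e3f0e921da3bc3191a1bcdf8aa86e0a76d66
"""

def parse_trace(text):
    # Collect the node sequence, inner/outer addresses, the ESP SPI and per-node hex dumps.
    info, node = {"nodes": [], "dump": {}}, None
    for line in text.splitlines():
        if m := re.match(r"\d\d:\d\d:\d\d:\d+: (\S+)", line):      # graph node header
            node = m.group(1)
            info["nodes"].append(node)
            info["dump"][node] = ""      # a later visit to the same node replaces its dump
        elif m := re.match(r"(ICMP|IPSEC_ESP): (\S+) -> (\S+)", line):
            info[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"esp: spi (\d+) seq (\d+)", line):
            info["spi"], info["seq"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"[0-9a-f]{8}: ([0-9a-f]+)$", line):     # hex dump line
            info["dump"][node] += m.group(1)
    return info

def check_encapsulation(info, child_spi_hex, tunnel=("10.66.0.2", "10.66.0.1")):
    # Cross-check the trace against the child SA SPI from `show ikev2 sa`; returns a list of failures.
    errs, nodes = [], info["nodes"]
    last_rewrite = max((i for i, n in enumerate(nodes) if n == "ip4-rewrite"), default=-1)
    if "esp4-encrypt" not in nodes or nodes.index("esp4-encrypt") > last_rewrite:
        errs.append("packet was not encrypted before the outer ip4-rewrite")
    if format(info.get("spi", 0), "08x") != child_spi_hex:
        errs.append("trace SPI does not match the negotiated child SA")
    # On-wire bytes from the last rewrite: 14-byte Ethernet, 20-byte IPv4, 8-byte ESP header.
    frame = bytes.fromhex(info["dump"].get("ip4-rewrite", ""))
    if len(frame) < 42:
        return errs + ["rewrite dump too short to hold the ESP header"]
    ip, esp = frame[14:34], frame[34:42]
    addrs = tuple(".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    if ip[9] != 50 or addrs != tunnel:                # IPv4 protocol number 50 = ESP
        errs.append("on-wire header is not ESP between the tunnel endpoints")
    if int.from_bytes(esp[:4], "big") != info.get("spi"):
        errs.append("on-wire SPI differs from the SPI in the trace")
    return errs
```

An empty list means the trace is consistent with the negotiated child SA; feeding the responder's spi(r) e01f01ea instead reports exactly the SPI mismatch.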