VPP系统 配置IPSec IKEv2 远端地址any

1、配置拓扑

PS: VPP1主动发起IKEv2协商并建立IPSec隧道,VPP2被动和VPP1建立IPSec隧道。

2、VPP1配置(主动)

2.1、接口配置

1、启用GigabitEthernet2/1/0

set int state GigabitEthernet2/1/0 up

2、GigabitEthernet2/1/0口配置IP

set int ip address GigabitEthernet2/1/0 10.66.0.1/24

3、启用GigabitEthernet2/4/0

set int state GigabitEthernet2/4/0 up

4、GigabitEthernet2/4/0口配置IP

set int ip address GigabitEthernet2/4/0 10.0.0.1/24

2.2、IKEv2配置

1、创建名为pr1的IKEV2配置

ikev2 profile add pr1

配置说明:ikev2 profile [add|del] <id>

2、设置共享密钥认证方法

ikev2 profile set pr1 auth shared-key-mic string Vpp123

配置说明:ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>

3、设置本地id

ikev2 profile set pr1 id local fqdn vpp1.home

配置说明:ikev2 profile set <id> id <local|remote> <type> <data>

4、设置远端id

ikev2 profile set pr1 id remote fqdn vpp2.home

配置说明:ikev2 profile set <id> id <local|remote> <type> <data>

5、设置远端ip地址和协商是对应的网络接口

ikev2 profile set pr1 responder GigabitEthernet2/1/0 10.66.0.2

配置说明:ikev2 profile set <id> responder <interface> <addr>

6、设置IKE秘钥套件和ESP秘钥套件,可以只在请求秘钥协商方添加秘钥套件

ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024

配置说明:ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>

ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024

配置说明:ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>

7、设置IPSec内网IP地址和远端内网IP地址

ikev2 profile set pr1 traffic-selector local ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0

Ikev2 profile set pr1 traffic-selector remote ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0

配置说明:ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>

8、发起IPSec协商请求

ikev2 initiate sa-init pr1

配置说明:ikev2 initiate sa-init <profile id>

2.3、查看IKEv2配置

show ikev2 profile

profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type fqdn data vpp1.home
  remote id-type fqdn data vpp2.home
  local traffic-selector addr 10.0.0.0 - 10.0.0.254 port 0 - 65535 protocol 0
  remote traffic-selector addr 11.0.0.0 - 11.0.0.254 port 0 - 65535 protocol 0

2.4、查看IKEv2协商结果

show ikev2 sa

 iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024 
  nonce i:9d78d097d4fa46dbf4d078b4f940346f312b593c9b368f0cc133de0516b19a6b
        r:9fe1386b1cd18c661ef99783936f7816914f5241c8d1bb0029c0254303fa75be
  SK_d    d2bdb93d225adbea26b71cdfd415029f6baa2bc6497f311c91b06f75f9156287
  SK_a  i:56b8ee31a1caf65540bece8c5aca86165ad76b69
        r:c0cfc2e201c8c8d1f3a86756cfda78a08e1a2a05
  SK_e  i:407c57bc5a82ed6d5f95e2923f724749
        r:b6ba1d40691b0537a0402a6ffb4fffa1
  SK_p  i:be12bb9e22c5d1972d97fca1f29f94d37deeb99c0ff7d005fa4118e95feb3d25
        r:15f2df15daac20fb288055b385996b9ee12b903bb6654c9158a27b8803e9491e
  identifier (i) fqdn vpp1.home
  identifier (r) fqdn vpp2.home
  child sa 0:
    encr:aes-cbc-128 integ:sha1-96 esn:yes 
    spi(i) c3413186 spi(r) e01f01ea
    SK_e  i:00a6544deb5ddee0ded094a35afab94e
          r:2b018822f1c250c02ff3e29c0351b332
    SK_a  i:9f3f8f2f48a15be2bfa70da238d6086d60ef209c
          r:9e7544bd5f6efb78078e98c66f23274d42b12acf
    traffic selectors (i):
      0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
    traffic selectors (r):
      0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
 iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
 iip 10.66.0.1 ispi 6bdf481a03bb986e rip 10.66.0.2 rspi b3e02e3efe27bce5
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024 
  nonce i:1a8c9fb1c4190d5c7dc9c754bcbd4c465f713f9638fb1150d4534b4d84b934b4
        r:7ebeb7b7b40c46a90cc3721001f82e623d9c9b8d023543559abe5dcaaf60c97c
  SK_d    9e1a0ee4dd691fb24acb886b1091e194536cccb2a37250a7a22d963bccf72640
  SK_a  i:692e435ddc08978bfbe571281642cb80ac6dc24b
        r:6cd455930a75f57f99ded4d538b985dc0872d4d2
  SK_e  i:fbf52709abd5462cbac89aca1d9113a9
        r:f64ff82494edcb279e66a37f5502c243
  SK_p  i:7d747bde1d24e044b887d9c58403c99f25c0d4e064eb42f060f11bb4bd4d987c
        r:9ea987ed01e0d71ab0fd951b6ee70a1311665ae08703477ba3184ac66e76cc2a
  identifier (i) fqdn vpp1.home
  identifier (r) fqdn vpp2.home
  child sa 0:
    encr:aes-cbc-128 integ:sha1-96 esn:yes 
    spi(i) d9658ef spi(r) 62c03297
    SK_e  i:35857ab4e8da39ee8fe8fa5f86d174a4
          r:03b51ca07283f338b0c82c3bd53c1870
    SK_a  i:2e671df7741623b0744c1dd6f2836204645c85cb
          r:d99d4ebbaefe66e6eb277f3a075a45a761386a72
    traffic selectors (i):
      0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
    traffic selectors (r):
      0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535                                                               
 iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069

 

2.5、启用IPSec接口

set int state ipsec0 up

2.6、路由引到IPSec接口

ip route add 11.0.0.0/24 via ipsec0

2.7、IPSec接口绑定物理接口

set int unnumbered ipsec0 use GigabitEthernet2/1/0

3、VPP2配置(被动)

3.1、接口配置

1、启用GigabitEthernet2/2/0

set int state GigabitEthernet2/2/0 up

2、GigabitEthernet2/2/0接口配置IP

set int ip address GigabitEthernet2/2/0 11.0.0.1/24

3、启用GigabitEthernet2/3/0

set int state GigabitEthernet2/3/0 up

4、GigabitEthernet2/3/0接口配置IP

set int ip address GigabitEthernet2/3/0 10.66.0.2/24

3.2、IKEv2配置

1、创建名为pr1的IKEV2配置

ikev2 profile add pr1

配置说明:ikev2 profile [add|del] <id>

2、设置预共享密钥认证方法

ikev2 profile set pr1 auth shared-key-mic string Vpp123

配置说明:ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>

3、设置本地id

ikev2 profile set pr1 id local fqdn vpp2.home

配置说明:ikev2 profile set <id> id <local|remote> <type> <data>

4、设置远端id

ikev2 profile set pr1 id remote fqdn vpp1.home

配置说明:ikev2 profile set <id> id <local|remote> <type> <data>

5、设置IPSec内网IP地址和远端内网IP地址

ikev2 profile set pr1 traffic-selector local ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0

ikev2 profile set pr1 traffic-selector remote ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0

配置说明:ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>

3.3、查看IKEv2配置

show ikev2 profile

profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type fqdn data vpp2.home
  remote id-type fqdn data vpp1.home
  local traffic-selector addr 11.0.0.0 - 11.0.0.254 port 0 - 65535 protocol 0
  remote traffic-selector addr 10.0.0.0 - 10.0.0.254 port 0 - 65535 protocol 0

 

3.4、查看IKEv2协商结果

show ikev2 sa

iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024 
  nonce i:9d78d097d4fa46dbf4d078b4f940346f312b593c9b368f0cc133de0516b19a6b
        r:9fe1386b1cd18c661ef99783936f7816914f5241c8d1bb0029c0254303fa75be
  SK_d    d2bdb93d225adbea26b71cdfd415029f6baa2bc6497f311c91b06f75f9156287
  SK_a  i:56b8ee31a1caf65540bece8c5aca86165ad76b69
        r:c0cfc2e201c8c8d1f3a86756cfda78a08e1a2a05
  SK_e  i:407c57bc5a82ed6d5f95e2923f724749
        r:b6ba1d40691b0537a0402a6ffb4fffa1
  SK_p  i:be12bb9e22c5d1972d97fca1f29f94d37deeb99c0ff7d005fa4118e95feb3d25
        r:15f2df15daac20fb288055b385996b9ee12b903bb6654c9158a27b8803e9491e
  identifier (i) fqdn vpp1.home
  identifier (r) fqdn vpp2.home
  child sa 0:
    encr:aes-cbc-128 integ:sha1-96 esn:yes 
    spi(i) c3413186 spi(r) e01f01ea
    SK_e  i:00a6544deb5ddee0ded094a35afab94e
          r:2b018822f1c250c02ff3e29c0351b332
    SK_a  i:9f3f8f2f48a15be2bfa70da238d6086d60ef209c
          r:9e7544bd5f6efb78078e98c66f23274d42b12acf
    traffic selectors (i):
      0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
    traffic selectors (r):
      0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535
 iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069
 iip 10.66.0.1 ispi 6bdf481a03bb986e rip 10.66.0.2 rspi b3e02e3efe27bce5
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024 
  nonce i:1a8c9fb1c4190d5c7dc9c754bcbd4c465f713f9638fb1150d4534b4d84b934b4
        r:7ebeb7b7b40c46a90cc3721001f82e623d9c9b8d023543559abe5dcaaf60c97c
  SK_d    9e1a0ee4dd691fb24acb886b1091e194536cccb2a37250a7a22d963bccf72640
  SK_a  i:692e435ddc08978bfbe571281642cb80ac6dc24b
        r:6cd455930a75f57f99ded4d538b985dc0872d4d2
  SK_e  i:fbf52709abd5462cbac89aca1d9113a9
        r:f64ff82494edcb279e66a37f5502c243
  SK_p  i:7d747bde1d24e044b887d9c58403c99f25c0d4e064eb42f060f11bb4bd4d987c
        r:9ea987ed01e0d71ab0fd951b6ee70a1311665ae08703477ba3184ac66e76cc2a
  identifier (i) fqdn vpp1.home
  identifier (r) fqdn vpp2.home
  child sa 0:
    encr:aes-cbc-128 integ:sha1-96 esn:yes 
    spi(i) d9658ef spi(r) 62c03297
    SK_e  i:35857ab4e8da39ee8fe8fa5f86d174a4
          r:03b51ca07283f338b0c82c3bd53c1870
    SK_a  i:2e671df7741623b0744c1dd6f2836204645c85cb
          r:d99d4ebbaefe66e6eb277f3a075a45a761386a72
    traffic selectors (i):
      0 type 7 protocol_id 0 addr 10.0.0.0 - 10.0.0.254 port 0 - 65535
    traffic selectors (r):
      0 type 7 protocol_id 0 addr 11.0.0.0 - 11.0.0.254 port 0 - 65535                                                                
 iip 10.66.0.1 ispi e1bd965df0be49d rip 10.66.0.2 rspi 2c503a83ce480069

 

3.5、启用IPSec接口

set int state ipsec0 up

3.6、路由引到IPSec接口

ip route add 10.0.0.0/24 via ipsec0

3.7、IPSec接口绑定物理接口

set int unnumbered ipsec0 use GigabitEthernet2/3/0

4、结果验证

PC1 ping PC2,可以ping通,抓包可以看到报文进行封装发送。

封装报文如下:

16:15:22:373238: dpdk-input
  GigabitEthernet2/2/0 rx queue 0
  buffer 0x6663: current data 0, length 74, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
                 ext-hdr-valid 
                 l4-cksum-computed l4-cksum-correct 
  PKT MBUF: port 0, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x0, data_off 128, phys_addr 0xc1799940
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 00:0c:29:37:da:f3 -> 00:0c:29:2a:f6:9f
  ICMP: 11.0.0.2 -> 10.0.0.2
    tos 0x00, ttl 64, length 60, checksum 0xff20
    fragment id 0x669d
  ICMP echo_request checksum 0xb0da
16:15:22:373253: ethernet-input
  frame: flags 0x3, hw-if-index 1, sw-if-index 1
  IP4: 00:0c:29:37:da:f3 -> 00:0c:29:2a:f6:9f
16:15:22:373259: ip4-input-no-checksum
  ICMP: 11.0.0.2 -> 10.0.0.2
    tos 0x00, ttl 64, length 60, checksum 0xff20
    fragment id 0x669d
  ICMP echo_request checksum 0xb0da
16:15:22:373263: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
  ICMP: 11.0.0.2 -> 10.0.0.2
    tos 0x00, ttl 64, length 60, checksum 0xff20
    fragment id 0x669d
  ICMP echo_request checksum 0xb0da                                                  
16:15:22:373283: ip4-rewrite                                                         
  tx_sw_if_index 3 dpo-idx 3 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 flow hash: 0x00000000
  00000000: 4500003c669d00003f0100210b0000020a0000020800b0da00029c7f61626364         
  00000020: 65666768696a6b6c6d6e6f7071727374757677616263646566676869                 
16:15:22:373285: ipsec0-output                                                       
  ipsec0                                                                             
  00000000: 4500003c669d00003f0100210b0000020a0000020800b0da00029c7f61626364         
  00000020: 65666768696a6b6c6d6e6f707172737475767761626364656667686900000000         
  00000040: 0ce642bc972f6cf16dfbbf0ea77da6cbc561db707d4e81b1827e8a0334db5be5         
  00000060: 4b876874e85c1534895d6f7b73d94f811c6c9b987d39ef10bb504546                 
16:15:22:373289: ipsec0-tx                                                           
  IPSec: spi 3275829638 seq 1237                                                     
16:15:22:373290: esp4-encrypt                                                        
  esp: spi 3275829638 seq 1237 crypto aes-cbc-128 integrity sha1-96                  
16:15:22:373313: ip4-lookup                                                          
  fib 0 dpo-idx 4 flow hash: 0x00000000                                              
  IPSEC_ESP: 10.66.0.2 -> 10.66.0.1                                                  
    tos 0x00, ttl 254, length 120, checksum 0xa7cd                                   
    fragment id 0x0000                                                               
16:15:22:373313: ip4-rewrite                                                         
  tx_sw_if_index 2 dpo-idx 4 : ipv4 via 10.66.0.1 GigabitEthernet2/3/0: mtu:9000 000c2
9c85fdb000c292af6a90800 flow hash: 0x00000000                                        
  00000000: 000c29c85fdb000c292af6a908004500007800000000fd32a8cd0a4200020a42         
  00000020: 0001c3413186000004d6e3f0e921da3bc3191a1bcdf8aa86e0a76d66                 
16:15:22:373314: GigabitEthernet2/3/0-output                                         
  GigabitEthernet2/3/0                                                               
  IP4: 00:0c:29:2a:f6:a9 -> 00:0c:29:c8:5f:db                                        
  IPSEC_ESP: 10.66.0.2 -> 10.66.0.1                                                  
    tos 0x00, ttl 253, length 120, checksum 0xa8cd                                   
    fragment id 0x0000                                                               
16:15:22:373315: GigabitEthernet2/3/0-tx                                             
  GigabitEthernet2/3/0 tx queue 1                                                    
  buffer 0xa778: current data 0, length 134, free-list 0, clone-count 0, totlen-nifb 0
, trace 0x2                                                                          
  PKT MBUF: port 65535, nb_segs 1, pkt_len 134                                       
    buf_len 2176, data_len 134, ol_flags 0x0, data_off 128, phys_addr 0xc149de80     
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0                  
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0                                                  
  IP4: 00:0c:29:2a:f6:a9 -> 00:0c:29:c8:5f:db                                        
  IPSEC_ESP: 10.66.0.2 -> 10.66.0.1                                                  
    tos 0x00, ttl 253, length 120, checksum 0xa8cd                                   
    fragment id 0x0000
posted @ 2019-03-18 10:36  阿鹏2019  阅读(1681)  评论(0编辑  收藏  举报