全系列VPN技术集锦第二卷第2章(Site-to-Site IPsec VPN)

例子:

本实例研究中路由器NATRTR的配置

Router#write terminal

hostname NATRTR

crypto map test 10 IPsec-isakmp

 set peer 1.1.1.1

 set transform-set transform

 match address 100

This is the loopback the traffic will be routed to in order to change the order of events on the router

interface Loopback1

ip address 10.2.2.2 255.255.255.252

interface Ethernet0/0

 ip address 1.1.1.2 255.255.255.0

 ip nat outside

 crypto map test

interface Ethernet0/1

 ip address 10.1.1.1 255.255.255.0

 ip nat inside

 ip route-cache policy

The policy route map below is used to force the IPsec interesting traffic to the loopback interface.

 ip policy route-map nonat

This is the dynamic NAT configuration we are trying to bypass.

ip nat inside source access-list 1 interface Ethernet0/0 overload

access-list 1 permit 10.0.0.0 0.255.255.255

The access list below defines IPsec interesting traffic.

access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

The access list below defines the traffic that is to be used by the route map nonat to route to the loopback interface.

access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Below is the route map used to route the traffic matching access list 120 to the loopback interface.

route-map nonat permit 10

 match ip address 120

 set ip next-hop 10.2.2.1

8 IPsec隧道终点发现(TED)

本实例研究包括了CISCO路由器实现中提供的特殊属性.TED允许路由器动态配置其IPsec对等体地址而不用在路由调协中手动配置.这种可扩展特性很有用,它使创建数目众多的对等体仅需定义一个它们感兴趣的流量访问列表并允许TED找出这些对等体窨是哪能些即可.重要的是,如果VPN创建在INTERNET上,那么感兴趣的流量必须使用全局可路由地址定义.这是必须的,因为TED使用一般路由以计算出IPsec对等体的位置.

TED靠发送一个分组,该探测分组的目的地址为定义感兴趣流量的访问控制列表中的目的地址.这个探测分组终止于目的IP地址前的IPsec路由器.该路由器收集关于代理ID的必须信息,并返回一个探测应答,应答中包含相同代理和自己的IP地址.发起者收到该响应消息后就开始IKE的协商.