思科路由器L2LVPN解决地址重叠并实现同时能上公网的配置
一.概述:
LAN-to-LAN IPSEC VPN如果两端内网地址重叠,互相不能访问,需要配置静态NAT,才能实现互相访问,参考路由器上的其他文章,地址重叠的问题解决了,但是却导致不能上公网,经过测试,借助loopback口,用策略路由,混合使用IP NAT inside/outside 和NVI (ip nat enable),可以解决地址重叠,并且内部主机还能上公网,特记录下来。
二.基本思路:
A.解决地址重叠的问题:
---配置静态NAT,两边内网对于对方来说都是另外一个网段,从而实现两边内网通过主机位地址一对一访问。
B.解决不能上公网的问题:
---混合使用两种不同方式的NAT,并通过策略路由,根据需要进行静态NAT和动态PAT上公网
C.利用的特性:
---NAT在IPSEC VPN之前进行
---路由器有两种配置NAT的方法,一种传统的接口下ip nat inside/outside方式,一种NAT Virtual Interface (NVI)方式,在接口下配置ip nat enable,两种方式可以同时并存
---能成功进行NAT首先需要存在路由,另外一个必须的条件是:从ip nat inside接口进入,从ip nat outside接口出,或者从一个ip nat enable接口进入,从另外一个ip nat enable接口出
---对于传统方式的L2L VPN配置,路由器内网口和外网口作为一对ip nat enable口,使得内网上公网的流量能够PAT上公网;PBR把VPN流量送到loopbak口,loopbak口和外网口作为一对ip nat inside/outside,在VPN之前就进行NAT。
---对于SVTI方式的L2L VPN配置,路由器内网口和外网口作为一对ip nat enable口,使得内网上公网的流量能够PAT上公网;PBR把VPN流量送到loopbak口,loopbak口和tunnel口作为一对ip nat inside/outside,在VPN之前就进行NAT。
三.测试拓扑:
四.基本配置:
A.总部Server路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B.总部Center路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C.Internet路由器:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
C.Branch路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10
E.分支inside路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
五.L2L IPSEC VPN配置:
A.Center路由器:
①第一阶段策略:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.1
②第二阶段转换集:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③感兴趣流:
ip access-list extended vpn
permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
④配置cryto map并在接口应用:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.1
set transform-set transet
match address vpn
interface e0/1
crypto map crymap
B.Branch路由器:
①第一阶段策略:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
②第二阶段转换集:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③感兴趣流:
ip access-list extended vpn
permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
④配置cryto map并在接口应用:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address vpn
interface e0/1
crypto map crymap
六.NAT配置:
A.上公网PAT配置:
①Center路由器:
- int e0/0
- ip nat enable
- int e0/1
- ip nat enable
- ip access-list extended Internet
- deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
- permit ip 10.1.1.0 0.0.0.255 any
- ip nat source list Internet interface Ethernet0/1 overload
测试:
- Server#ping 202.100.1.10
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
- ..!!!
- Success rate is 60 percent (3/5), round-trip min/avg/max = 108/141/160 ms
- Server#
- Internet#debug ip icmp
- ICMP packet debugging is on
- Internet#
- *Mar 1 02:59:13.535: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
- *Mar 1 02:59:13.687: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
- *Mar 1 02:59:13.831: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
②Branch路由器:
- int e0/0
- ip nat enable
- int e0/1
- ip nat enable
- ip access-list extended Internet
- deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
- permit ip 10.1.1.0 0.0.0.255 any
- ip nat source list Internet interface Ethernet0/1 overload
测试:
- Inside#ping 202.100.2.10
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 60/98/184 ms
- Inside#
- Internet#debug ip icmp
- ICMP packet debugging is on
- *Mar 1 03:04:22.363: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
- *Mar 1 03:04:22.519: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
- *Mar 1 03:04:22.575: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
- *Mar 1 03:04:22.659: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
- *Mar 1 03:04:22.715: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
B.解决地址重叠静态NAT及策略路由设置:
-----只在Center路由器上配置:
①静态NAT:
- interface loopback0
- ip add 1.1.1.1 255.255.255.252
- ip nat inside
- interface E0/1
- ip nat outside
- ip nat inside source static network 10.1.1.0 172.16.1.0 /24
- ip nat outside source static network 10.1.1.0 192.168.1.0 /24
②策略路由:
- ip access-list extended VPN
- permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
- route-map VPN permit 10
- match ip address VPN
- set interface Loopback0
③测试(既能访问互联网,又能访问VPN):
- Server#ping 202.100.1.10
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 64/112/200 ms
- Server#ping 192.168.1.2
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
- .!!!!
- Success rate is 80 percent (4/5), round-trip min/avg/max = 200/229/280 ms
- Server#
七.后记:
如果VPN采用的不是传统方式配置,而采用的Static VTI配置,配置的方式略微不同:
A.VPN配置:
①Center路由器:
- crypto isakmp policy 10
- hash md5
- authentication pre-share
- group 2
- crypto isakmp key cisco address 202.100.2.1
- crypto ipsec transform-set transet esp-des esp-md5-hmac
- crypto ipsec profile ipsecprofile
- set transform-set transet
- interface Tunnel0
- ip address 123.1.1.1 255.255.255.0
- tunnel source Ethernet0/1
- tunnel destination 202.100.2.1
- tunnel mode ipsec ipv4
- tunnel protection ipsec profile ipsecprofile
②Branch路由器:
- crypto isakmp policy 10
- hash md5
- authentication pre-share
- group 2
- crypto isakmp key cisco address 202.100.1.1
- crypto ipsec transform-set transet esp-des esp-md5-hmac
- crypto ipsec profile ipsecprofile
- set transform-set transet
- interface Tunnel0
- ip address 123.1.1.2 255.255.255.0
- tunnel source Ethernet0/1
- tunnel destination 202.100.1.1
- tunnel mode ipsec ipv4
- tunnel protection ipsec profile ipsecprofile
B.上公网PAT配置:
---跟前面相同
C.路由设置:
---引导VPN流量到tunnel口,可以静态路由,也可以动态路由,这里使用静态路由
①Center路由器:
ip route 192.168.1.0 255.255.255.0 123.1.1.2
②Branch路由器:
ip route 172.16.1.0 255.255.255.0 123.1.1.1
D.静态NAT及策略路由设置:
----在centter路由器上配置
①静态NAT:
- interface loopback 0
- ip nat inside
- interface tun 0
- ip nat outside
- ip nat inside source static network 10.1.1.0 172.16.1.0 /24
- ip nat outside source static network 10.1.1.0 192.168.1.0 /24
②策略路由:
- ip access-list extended VPN
- permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
- route-map VPN permit 10
- match ip address VPN
- set interface loopbak 0
- interface Ethernet0/0
- ip policy route-map VPN
E.测试(既能访问互联网,又能访问VPN):
- Server#ping 202.100.1.10
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 60/104/200 ms
- Server#
- Server#ping 192.168.1.2
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 228/258/284 ms
- Server#
- Inside#debug ip icmp
- ICMP packet debugging is on
- Inside#
- *Mar 1 12:04:14.645: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
- *Mar 1 12:04:14.949: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
- *Mar 1 12:04:15.169: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
- *Mar 1 12:04:15.385: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
- *Mar 1 12:04:15.633: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2