• VPP: GRE over IPSec (IKEv2) with the remote peer set to "any"


    1. Topology

    The topology diagram from the original page is not reproduced; the addressing below is what the configuration in sections 2 and 3 uses:

    PC1 (10.10.10.2) -- 10.10.10.1 Gi2/2/0 [FW2, responder] Gi2/1/0 20.20.20.2 ---- 20.20.20.1 Gi2/1/0 [FW1, initiator] Gi2/2/0 30.30.30.1 -- PC2 (30.30.30.2)

    Overlay: ipsec0 40.40.40.2 (FW2) <-> 40.40.40.1 (FW1), and gre0 50.50.50.2 (FW2) <-> 50.50.50.1 (FW1) carried inside the IPSec tunnel. Each firewall routes the LAN behind the other firewall into gre0.

    2. FW1 configuration (initiator)

    2.1 Interface addresses

    set int state GigabitEthernet2/1/0 up

    set int ip address GigabitEthernet2/1/0 20.20.20.1/24

    set int state GigabitEthernet2/2/0 up

    set int ip address GigabitEthernet2/2/0 30.30.30.1/24

    2.2 IPSec IKEv2 configuration

    1) Create an IKEv2 profile named pr1

    ikev2 profile add pr1

    Syntax: ikev2 profile [add|del] <id>

    2) Set the authentication method to a pre-shared key

    ikev2 profile set pr1 auth shared-key-mic string Vpp123

    Syntax: ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>

    Note: Vpp123 is a lab value. The responder in this setup accepts IKE from any source address (see 3.2), so the PSK is the only thing standing between an arbitrary host and a working tunnel into the 40.40.40.0/24 overlay. Use a long random key (the hex form is convenient for that) and never carry a lab PSK into production.

    3) Set the local ID

    ikev2 profile set pr1 id local fqdn vpp1.home

    Syntax: ikev2 profile set <id> id <local|remote> <type> <data>

    4) Set the remote ID

    ikev2 profile set pr1 id remote fqdn vpp2.home

    Syntax: ikev2 profile set <id> id <local|remote> <type> <data>

    Note: the remote ID must equal the peer's local ID. Each side selects the profile by matching the ID the peer sends in IKE_AUTH against its own profile's remote ID, so a mismatch fails authentication even when the PSK is right.

    5) Set the responder address and the interface the negotiation leaves through

    ikev2 profile set pr1 responder GigabitEthernet2/1/0 20.20.20.2

    Syntax: ikev2 profile set <id> responder <interface> <addr>

    6) Set the IKE and ESP transform sets. Only the side that starts the negotiation needs them; the responder accepts the initiator's proposal.

    ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024

    Syntax: ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>

    ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024

    Syntax: ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>

    Note: modp-1024 (a 1024-bit DH group) and sha1-96 are lab choices below current practice. For anything real, pick at least a 2048-bit group and a SHA-2 integrity algorithm (for example ike-dh modp-2048 and ike-integ-alg sha2-256-128, where the VPP build in use accepts those names). Because the responder takes whatever the initiator proposes, the initiator's transform sets decide the strength of the whole tunnel.

    7) Set the local and remote traffic selectors (the tunnel's inner addresses)

    ikev2 profile set pr1 traffic-selector local ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0

    ikev2 profile set pr1 traffic-selector remote ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0

    Syntax: ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>

    Note: the IKEv2 traffic selectors are mandatory for the negotiation, but they do not steer traffic. Packets are not classified against them; whatever should be encrypted has to be routed into the IPSec interface (ipsec0, configured in 2.4).

    8) Start the IPSec negotiation

    ikev2 initiate sa-init pr1

    Syntax: ikev2 initiate sa-init <profile id>

    Note: the initiator has to be triggered by hand; nothing in this configuration starts the SA automatically.

    2.3 Check the IKEv2 SA

    show ikev2 sa

    Note: this output includes the negotiated key material (nonces, SK_d, SK_a, SK_e, SK_p and the child SA keys). Anyone who has a capture of the tunnel plus this output can decrypt it, so redact those lines before pasting the dump into a ticket or a post.

    iip 20.20.20.1 ispi ad981dd6f3680601 rip 20.20.20.2 rspi cea2684dc017581e
     encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024 
      nonce i:b43f85f9e7b4b98a314d42931d1b1db7c97a7ae83a6f828f4a95c2cc96b9ff4e
            r:58213ddc27da8b2e54a7cac8f1beee95a4d2354f37f30e7217e02c18605d8689
      SK_d    2d9efeacab094d150723eb6f08ef68c876a27b428d9ed483a9ba3a89886990d4
      SK_a  i:bea08006860ea77fa73ae5bb37fa71caa13e4dce
            r:f0f776c668b5b6dbd4264f35e9b5200b93bf96f9
      SK_e  i:dc3c57b1b9e4aa6013805cf632e0ea70
            r:d21037f2904e4c1c46671e587d9a7e11
      SK_p  i:a836debbd009f69a4af5f5d159ebeceb960e23f98cfb5e8d4c400b6d5560df28
            r:943eebb758913c8876c6ead8dc2cabf03cb68b827fad7e2d386624f2a7c3b624
      identifier (i) fqdn vpp1.home
      identifier (r) fqdn vpp2.home
      child sa 0:
        encr:aes-cbc-128 integ:sha1-96 esn:yes 
        spi(i) 18c7f7b spi(r) 363b88a8
        SK_e  i:45b674cfd333f65081a64bad970be404
              r:054435bd38f68758d91bbe13a44c57ec
        SK_a  i:3a612a2ed4edf9b2de8c5fa5f1d3fdd9846faebe
              r:6669c2481d360dc6ca85e981f792924ebd4ceaa7
        traffic selectors (i):
          0 type 7 protocol_id 0 addr 40.40.40.0 - 40.40.40.254 port 0 - 65535
        traffic selectors (r):
          0 type 7 protocol_id 0 addr 40.40.40.0 - 40.40.40.254 port 0 - 65535
     iip 20.20.20.1 ispi ad981dd6f3680601 rip 20.20.20.2 rspi cea2684dc017581e
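    The dump above (and the identical one on FW2 in 3.3) is easier to check by machine than by eye. The following is an added example, not code from the original page or from VPP: it parses `show ikev2 sa` text, flags the weak transforms mentioned in 2.2 step 6, and redacts the key material so the dump can be shared. The sample is the page's own output, shortened; the strength thresholds in audit() are this example's assumptions.

```python
"""Parse and audit the text of VPP's `show ikev2 sa`."""
import re
from dataclasses import dataclass, field

# Constructed sample: the SA dump from section 2.3, shortened. Note the
# repeated header line at the end, exactly as VPP printed it.
SAMPLE = """\
iip 20.20.20.1 ispi ad981dd6f3680601 rip 20.20.20.2 rspi cea2684dc017581e
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024
  nonce i:b43f85f9e7b4b98a314d42931d1b1db7c97a7ae83a6f828f4a95c2cc96b9ff4e
        r:58213ddc27da8b2e54a7cac8f1beee95a4d2354f37f30e7217e02c18605d8689
  SK_d    2d9efeacab094d150723eb6f08ef68c876a27b428d9ed483a9ba3a89886990d4
  SK_e  i:dc3c57b1b9e4aa6013805cf632e0ea70
        r:d21037f2904e4c1c46671e587d9a7e11
  identifier (i) fqdn vpp1.home
  identifier (r) fqdn vpp2.home
  child sa 0:
    encr:aes-cbc-128 integ:sha1-96 esn:yes
    spi(i) 18c7f7b spi(r) 363b88a8
    SK_e  i:45b674cfd333f65081a64bad970be404
          r:054435bd38f68758d91bbe13a44c57ec
    traffic selectors (i):
      0 type 7 protocol_id 0 addr 40.40.40.0 - 40.40.40.254 port 0 - 65535
    traffic selectors (r):
      0 type 7 protocol_id 0 addr 40.40.40.0 - 40.40.40.254 port 0 - 65535
 iip 20.20.20.1 ispi ad981dd6f3680601 rip 20.20.20.2 rspi cea2684dc017581e
"""

HEADER = re.compile(r"^\s*iip (\S+) ispi (\w+) rip (\S+) rspi (\w+)")
IKE_ALG = re.compile(r"encr:(\S+) prf:(\S+) integ:(\S+) dh-group:(\S+)")
IDENT = re.compile(r"identifier \((i|r)\) (\S+) (\S+)")
CHILD_ALG = re.compile(r"encr:(\S+) integ:(\S+) esn:(\S+)")
CHILD_SPI = re.compile(r"spi\(i\) (\w+) spi\(r\) (\w+)")
SELECTOR = re.compile(r"protocol_id (\d+) addr (\S+) - (\S+) port (\d+) - (\d+)")
# A secret line is an optional SK_x/nonce label, an optional i:/r:, then hex.
SECRET = re.compile(r"^(\s*(?:(?:SK_[daep]|nonce)\s+)?(?:[ir]:)?)([0-9a-f]{16,})\s*$")


@dataclass
class ChildSA:
    encr: str = ""
    integ: str = ""
    esn: str = ""
    spi_i: str = ""
    spi_r: str = ""
    selectors: list = field(default_factory=list)


@dataclass
class IkeSA:
    iip: str
    ispi: str
    rip: str
    rspi: str
    encr: str = ""
    prf: str = ""
    integ: str = ""
    dh: str = ""
    ids: dict = field(default_factory=dict)
    childs: list = field(default_factory=list)


def parse_ikev2_sa(text):
    """One IkeSA per distinct (ispi, rspi); the repeated trailing header
    line in the dump must not turn into a second SA."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            key = (m.group(2), m.group(4))
            cur = next((s for s in sas if (s.ispi, s.rspi) == key), None)
            if cur is None:
                cur = IkeSA(*m.groups())
                sas.append(cur)
            continue
        if cur is None:
            continue
        if m := IKE_ALG.search(line):
            cur.encr, cur.prf, cur.integ, cur.dh = m.groups()
        elif m := IDENT.search(line):
            cur.ids[m.group(1)] = (m.group(2), m.group(3))
        elif line.strip().startswith("child sa"):
            cur.childs.append(ChildSA())
        elif cur.childs and (m := CHILD_ALG.search(line)):
            cur.childs[-1].encr, cur.childs[-1].integ, cur.childs[-1].esn = m.groups()
        elif cur.childs and (m := CHILD_SPI.search(line)):
            cur.childs[-1].spi_i, cur.childs[-1].spi_r = m.groups()
        elif cur.childs and (m := SELECTOR.search(line)):
            cur.childs[-1].selectors.append(m.groups())
    return sas


def audit(sa):
    """Negotiated parameters below current practice (thresholds assumed here)."""
    findings = []
    if (m := re.match(r"modp-(\d+)", sa.dh)) and int(m.group(1)) < 2048:
        findings.append(f"IKE DH group {sa.dh} is below 2048 bits")
    slots = [("IKE", sa.encr, sa.integ)]
    slots += [(f"child sa {i}", c.encr, c.integ) for i, c in enumerate(sa.childs)]
    for where, encr, integ in slots:
        if integ.startswith(("md5", "sha1")):
            findings.append(f"{where}: integrity {integ} is MD5/SHA-1 based")
        if encr.startswith(("des", "3des", "null")):
            findings.append(f"{where}: encryption {encr} is not acceptable")
    return findings


def redact(text):
    """Blank key material; SPIs, identities and selectors are kept."""
    return "\n".join(SECRET.sub(r"\1<redacted>", l) for l in text.splitlines())


if __name__ == "__main__":
    for sa in parse_ikev2_sa(SAMPLE):
        print(f"{sa.iip} <-> {sa.rip}: {sa.ids}, child SPIs "
              f"{[(c.spi_i, c.spi_r) for c in sa.childs]}")
        for f in audit(sa):
            print("WARNING:", f)
    print(redact(SAMPLE))
```

    Feed it the output of `vppctl show ikev2 sa` on either firewall; the redacted text is what belongs in a ticket, and the child SA spi(i) value is what the ESP packets sent by FW2 carry in section 4.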

    2.4 Address the IPSec interface

    set int state ipsec0 up

    set int ip address ipsec0 40.40.40.1/24

    2.5 Create the GRE tunnel between the IPSec interface addresses

    create gre tunnel src 40.40.40.1 dst 40.40.40.2 instance 0

    2.6 Address the GRE interface

    set int state gre0 up

    set int ip address gre0 50.50.50.1/24

    2.7 Static route for the LAN behind FW2

    ip route 10.10.10.0/24 via gre0

    3. FW2 configuration (responder)

    3.1 Interface addresses

    set int state GigabitEthernet2/1/0 up

    set int ip address GigabitEthernet2/1/0 20.20.20.2/24

    set int state GigabitEthernet2/2/0 up

    set int ip address GigabitEthernet2/2/0 10.10.10.1/24

    3.2 IPSec IKEv2 configuration

    1) Create an IKEv2 profile named pr1

    ikev2 profile add pr1

    Syntax: ikev2 profile [add|del] <id>

    2) Set the authentication method, with the same pre-shared key as FW1

    ikev2 profile set pr1 auth shared-key-mic string Vpp123

    Syntax: ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>

    3) Set the local ID (FW2 is vpp2.home, the ID FW1 configured as its remote)

    ikev2 profile set pr1 id local fqdn vpp2.home

    Syntax: ikev2 profile set <id> id <local|remote> <type> <data>

    4) Set the remote ID (FW1's local ID)

    ikev2 profile set pr1 id remote fqdn vpp1.home

    Syntax: ikev2 profile set <id> id <local|remote> <type> <data>

    Note: the IDs mirror FW1's. The responder picks the profile whose remote ID equals the identity the initiator sends, and the initiator in turn checks the responder's identity against its own remote ID, so copying FW1's two ID lines unchanged onto FW2 leaves no profile that matches. The identifier (i)/(r) lines in show ikev2 sa show the pairing that results.

    5) Set the local and remote traffic selectors (the tunnel's inner addresses)

    ikev2 profile set pr1 traffic-selector local ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0

    ikev2 profile set pr1 traffic-selector remote ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0

    Syntax: ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>

    Note: the IKEv2 traffic selectors are mandatory for the negotiation, but they do not steer traffic. Packets are not classified against them; whatever should be encrypted has to be routed into the IPSec interface (ipsec0, configured in 3.4).

    No responder address and no transform sets are configured on FW2: this is the "remote any" part of the setup. FW2 answers an IKE_SA_INIT from whatever source address reaches it, takes the initiator's proposal, and pins the peer only by its ID and its knowledge of the PSK. That is what makes the strength of the PSK matter here.

    3.3 Check the IKEv2 SA

    show ikev2 sa

    iip 20.20.20.1 ispi ad981dd6f3680601 rip 20.20.20.2 rspi cea2684dc017581e
     encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-1024 
      nonce i:b43f85f9e7b4b98a314d42931d1b1db7c97a7ae83a6f828f4a95c2cc96b9ff4e
            r:58213ddc27da8b2e54a7cac8f1beee95a4d2354f37f30e7217e02c18605d8689
      SK_d    2d9efeacab094d150723eb6f08ef68c876a27b428d9ed483a9ba3a89886990d4
      SK_a  i:bea08006860ea77fa73ae5bb37fa71caa13e4dce
            r:f0f776c668b5b6dbd4264f35e9b5200b93bf96f9
      SK_e  i:dc3c57b1b9e4aa6013805cf632e0ea70
            r:d21037f2904e4c1c46671e587d9a7e11
      SK_p  i:a836debbd009f69a4af5f5d159ebeceb960e23f98cfb5e8d4c400b6d5560df28
            r:943eebb758913c8876c6ead8dc2cabf03cb68b827fad7e2d386624f2a7c3b624
      identifier (i) fqdn vpp1.home
      identifier (r) fqdn vpp2.home
      child sa 0:
        encr:aes-cbc-128 integ:sha1-96 esn:yes 
        spi(i) 18c7f7b spi(r) 363b88a8
        SK_e  i:45b674cfd333f65081a64bad970be404
              r:054435bd38f68758d91bbe13a44c57ec
        SK_a  i:3a612a2ed4edf9b2de8c5fa5f1d3fdd9846faebe
              r:6669c2481d360dc6ca85e981f792924ebd4ceaa7
        traffic selectors (i):
          0 type 7 protocol_id 0 addr 40.40.40.0 - 40.40.40.254 port 0 - 65535
        traffic selectors (r):
          0 type 7 protocol_id 0 addr 40.40.40.0 - 40.40.40.254 port 0 - 65535
     iip 20.20.20.1 ispi ad981dd6f3680601 rip 20.20.20.2 rspi cea2684dc017581e

    3.4 Address the IPSec interface

    set int state ipsec0 up

    set int ip address ipsec0 40.40.40.2/24

    3.5 Create the GRE tunnel between the IPSec interface addresses

    create gre tunnel src 40.40.40.2 dst 40.40.40.1 instance 0

    3.6 Address the GRE interface

    set int state gre0 up

    set int ip address gre0 50.50.50.2/24

    3.7 Static route for the LAN behind FW1

    ip route 30.30.30.0/24 via gre0

    4. Verification

    Ping PC2 (30.30.30.2) from PC1 (10.10.10.2) with packet tracing enabled on FW2 (trace add dpdk-input 100 before the ping, show trace after it). The trace shows the encapsulation step by step: the ICMP packet is looked up into gre0, wrapped in GRE (40.40.40.2 -> 40.40.40.1), handed to ipsec0, ESP-encrypted with spi 25984891 (0x18c7f7b, the child SA spi(i) from show ikev2 sa, since FW2 sends with the SPI FW1 chose for its inbound SA) and leaves GigabitEthernet2/1/0 as ESP 20.20.20.2 -> 20.20.20.1:
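    Sections 2 and 3 are the same procedure typed twice, and the two sides have to agree on the PSK, mirror each other's IDs, and differ only in who sets a responder address, transform sets and the initiate command. The following is an added example, not code from the original page or from VPP: it emits both sides' CLI from one description and cross-checks them, catching the mistakes copy-pasting one side onto the other invites. Addresses, IDs and the profile name are the page's; the minimum PSK length is this example's assumption.

```python
"""Generate and cross-check both sides of the VPP IKEv2 + GRE setup."""
from dataclasses import dataclass


@dataclass
class Side:
    name: str
    wan_if: str      # interface facing the peer
    wan_ip: str      # outer IKE/ESP address on that interface
    ike_id: str      # fqdn identity sent in IKE_AUTH
    ipsec_ip: str    # address on ipsec0 (GRE endpoint)
    gre_ip: str      # address on gre0
    remote_lan: str  # prefix behind the peer, routed into gre0


# The page's two firewalls.
FW1 = Side("FW1", "GigabitEthernet2/1/0", "20.20.20.1", "vpp1.home",
           "40.40.40.1", "50.50.50.1", "10.10.10.0/24")
FW2 = Side("FW2", "GigabitEthernet2/1/0", "20.20.20.2", "vpp2.home",
           "40.40.40.2", "50.50.50.2", "30.30.30.0/24")

# Lab transform sets as on the page (weak; see the note in 2.2 step 6).
IKE = "ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024"
ESP = "esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024"
TS = "ip-range 40.40.40.0 - 40.40.40.254 port-range 0 - 65535 protocol 0"


def vpp_config(me, peer, psk, initiator, profile="pr1"):
    """CLI lines for one side. Only the initiator gets a responder
    address, transform sets and the initiate command; the responder is
    left open to any source address ("remote any")."""
    p = f"ikev2 profile set {profile}"
    lines = [
        f"set int state {me.wan_if} up",
        f"set int ip address {me.wan_if} {me.wan_ip}/24",
        f"ikev2 profile add {profile}",
        f"{p} auth shared-key-mic string {psk}",
        f"{p} id local fqdn {me.ike_id}",
        f"{p} id remote fqdn {peer.ike_id}",  # must equal the peer's local ID
    ]
    if initiator:
        lines += [f"{p} responder {me.wan_if} {peer.wan_ip}", f"{p} {IKE}", f"{p} {ESP}"]
    lines += [f"{p} traffic-selector local {TS}", f"{p} traffic-selector remote {TS}"]
    if initiator:
        lines.append(f"ikev2 initiate sa-init {profile}")
    lines += [
        "set int state ipsec0 up",
        f"set int ip address ipsec0 {me.ipsec_ip}/24",
        f"create gre tunnel src {me.ipsec_ip} dst {peer.ipsec_ip} instance 0",
        "set int state gre0 up",
        f"set int ip address gre0 {me.gre_ip}/24",
        f"ip route {me.remote_lan} via gre0",
    ]
    return lines


def _field(lines, key):
    """Text after ` key ` in the first line containing it, else None."""
    for l in lines:
        if f" {key} " in l:
            return l.split(f" {key} ", 1)[1]
    return None


def check_pair(a, b, min_psk_len=20):
    """Consistency problems between the two sides' CLI (empty = fine)."""
    problems = []
    if (_field(a, "id local") != _field(b, "id remote")
            or _field(b, "id local") != _field(a, "id remote")):
        problems.append("IKE IDs do not mirror: each side's remote ID must be the peer's local ID")
    if _field(a, "auth") != _field(b, "auth"):
        problems.append("pre-shared keys differ")
    if len(_field(a, "string") or "") < min_psk_len:  # threshold assumed here
        problems.append(f"PSK shorter than {min_psk_len} chars; with an any-address "
                        "responder it is the only check on the peer")
    n_resp = sum(" responder " in l for l in a + b)
    n_init = sum(l.startswith("ikev2 initiate") for l in a + b)
    if n_resp != 1 or n_init != 1:
        problems.append("exactly one side should set a responder address and run ikev2 initiate")
    return problems


if __name__ == "__main__":
    fw1 = vpp_config(FW1, FW2, "Vpp123", initiator=True)
    fw2 = vpp_config(FW2, FW1, "Vpp123", initiator=False)
    for side, cfg in (("FW1", fw1), ("FW2", fw2)):
        print(f"# {side}\n" + "\n".join(cfg))
    for problem in check_pair(fw1, fw2):
        print("WARNING:", problem)
```

    Run as-is it prints both configurations and warns about the short lab PSK; the generated lines can be pasted into vppctl or saved as an exec file, and check_pair() is worth running before either side is applied.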

    00:05:44:114105: dpdk-input
      GigabitEthernet2/2/0 rx queue 0
      buffer 0xba35: current data 0, length 74, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
                     ext-hdr-valid 
                     l4-cksum-computed l4-cksum-correct 
      PKT MBUF: port 1, nb_segs 1, pkt_len 74
        buf_len 2176, data_len 74, ol_flags 0x0, data_off 128, phys_addr 0x26e8dc0
        packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
        rss 0x0 fdir.hi 0x0 fdir.lo 0x0
      IP4: 00:50:56:ac:06:c9 -> 00:50:56:ac:46:ae
      ICMP: 10.10.10.2 -> 30.30.30.2
        tos 0x00, ttl 64, length 60, checksum 0xeee8
        fragment id 0x3bad
      ICMP echo_request checksum 0x574
    00:05:44:114134: ethernet-input
      frame: flags 0x3, hw-if-index 2, sw-if-index 2
      IP4: 00:50:56:ac:06:c9 -> 00:50:56:ac:46:ae
    00:05:44:114149: ip4-input-no-checksum
      ICMP: 10.10.10.2 -> 30.30.30.2
        tos 0x00, ttl 64, length 60, checksum 0xeee8
        fragment id 0x3bad
      ICMP echo_request checksum 0x574
    00:05:44:114160: ip4-lookup
      fib 0 dpo-idx 5 flow hash: 0x00000000
      ICMP: 10.10.10.2 -> 30.30.30.2
        tos 0x00, ttl 64, length 60, checksum 0xeee8
        fragment id 0x3bad
      ICMP echo_request checksum 0x574
    00:05:44:114170: ip4-midchain
        GRE: 40.40.40.2 -> 40.40.40.1
          tos 0x00, ttl 254, length 84, checksum 0x1c28
          fragment id 0x0000
        GRE ip4
    00:05:44:114183: adj-midchain-tx
      adj-midchain:[5]:ipv4 via 0.0.0.0 gre0: mtu:9000 4500000000000000fe2f1c7c282828022828280100000800
      stacked-on entry:21:                                                               
        [@3]: ipv4 via 0.0.0.0 ipsec0: mtu:9000                                          
    00:05:44:114189: ip4-rewrite                                                         
      tx_sw_if_index 3 dpo-idx 4 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 flow hash: 0x00000000
      00000000: 4500005400000000fd2f1d282828280228282801000008004500003c3bad0000         
      00000020: 3f01efe80a0a0a021e1e1e0208000574000247e66162636465666768                 
    00:05:44:114197: ipsec0-output                                                       
      ipsec0                                                                             
      00000000: 4500005400000000fd2f1d282828280228282801000008004500003c3bad0000         
      00000020: 3f01efe80a0a0a021e1e1e0208000574000247e66162636465666768696a6b6c         
      00000040: 6d6e6f7071727374757677616263646566676869000000000000000000000000         
      00000060: 00000000000000000000000000000000000000000000000000000000                 
    00:05:44:114205: ipsec0-tx                                                           
      IPSec: spi 25984891 seq 14                                                         
    00:05:44:114210: esp4-encrypt                                                        
      esp: spi 25984891 seq 14 crypto aes-cbc-128 integrity sha1-96                      
    00:05:44:114248: ip4-lookup                                                          
      fib 0 dpo-idx 3 flow hash: 0x00000000                                              
      IPSEC_ESP: 20.20.20.2 -> 20.20.20.1                                                
        tos 0x00, ttl 254, length 152, checksum 0x6c09                                   
        fragment id 0x0000                                                               
    00:05:44:114252: ip4-rewrite
      tx_sw_if_index 1 dpo-idx 3 : ipv4 via 20.20.20.1 GigabitEthernet2/1/0: mtu:9000 000c298185d0005056ac9f1a0800 flow hash: 0x00000000
      00000000: 000c298185d0005056ac9f1a08004500009800000000fd326d09141414021414
      00000020: 1401018c7f7b0000000f870dbdc2abf702a7e33e3ca1ef1ff89d073a
    00:05:44:114255: GigabitEthernet2/1/0-output
      GigabitEthernet2/1/0
      IP4: 00:50:56:ac:9f:1a -> 00:0c:29:81:85:d0
      IPSEC_ESP: 20.20.20.2 -> 20.20.20.1
        tos 0x00, ttl 253, length 152, checksum 0x6d09
        fragment id 0x0000
    00:05:44:114263: GigabitEthernet2/1/0-tx
      GigabitEthernet2/1/0 tx queue 1
      buffer 0x1d073: current data 0, length 166, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
      PKT MBUF: port 65535, nb_segs 1, pkt_len 166                                       
        buf_len 2176, data_len 166, ol_flags 0x0, data_off 128, phys_addr 0x2b41d40      
        packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0                  
        rss 0x0 fdir.hi 0x0 fdir.lo 0x0                                                  
      IP4: 00:50:56:ac:9f:1a -> 00:0c:29:81:85:d0                                        
      IPSEC_ESP: 20.20.20.2 -> 20.20.20.1                                                
        tos 0x00, ttl 253, length 152, checksum 0x6d09                                   
        fragment id 0x0000 
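    Reading a trace like the one above is how you confirm that traffic really is GRE inside ESP and not leaving in the clear, and that the SPI on the wire belongs to the SA you negotiated. The following is an added example, not code from the original page or from VPP: it parses the node records of a VPP trace, reconstructs the header chain and compares it with what the design predicts. The sample is the FW2 trace above with the buffer and mbuf detail lines dropped (constructed from the page); the expected inner and outer addresses are the page's.

```python
"""Reconstruct and check the encapsulation chain in a VPP packet trace."""
import re

# Constructed sample: the FW2 trace from section 4, detail lines dropped.
SAMPLE_TRACE = """\
00:05:44:114105: dpdk-input
  GigabitEthernet2/2/0 rx queue 0
  IP4: 00:50:56:ac:06:c9 -> 00:50:56:ac:46:ae
  ICMP: 10.10.10.2 -> 30.30.30.2
    tos 0x00, ttl 64, length 60, checksum 0xeee8
  ICMP echo_request checksum 0x574
00:05:44:114134: ethernet-input
  frame: flags 0x3, hw-if-index 2, sw-if-index 2
00:05:44:114149: ip4-input-no-checksum
  ICMP: 10.10.10.2 -> 30.30.30.2
00:05:44:114160: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.10.2 -> 30.30.30.2
00:05:44:114170: ip4-midchain
    GRE: 40.40.40.2 -> 40.40.40.1
      tos 0x00, ttl 254, length 84, checksum 0x1c28
    GRE ip4
00:05:44:114183: adj-midchain-tx
  adj-midchain:[5]:ipv4 via 0.0.0.0 gre0: mtu:9000
  stacked-on entry:21:
    [@3]: ipv4 via 0.0.0.0 ipsec0: mtu:9000
00:05:44:114197: ipsec0-output
  ipsec0
00:05:44:114205: ipsec0-tx
  IPSec: spi 25984891 seq 14
00:05:44:114210: esp4-encrypt
  esp: spi 25984891 seq 14 crypto aes-cbc-128 integrity sha1-96
00:05:44:114248: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
  IPSEC_ESP: 20.20.20.2 -> 20.20.20.1
    tos 0x00, ttl 254, length 152, checksum 0x6c09
00:05:44:114255: GigabitEthernet2/1/0-output
  IPSEC_ESP: 20.20.20.2 -> 20.20.20.1
00:05:44:114263: GigabitEthernet2/1/0-tx
  GigabitEthernet2/1/0 tx queue 1
"""

NODE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)$")
HEADER = re.compile(r"^\s+(ICMP|GRE|IPSEC_ESP): (\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})$")
ESP = re.compile(r"^\s+esp: spi (\d+) seq (\d+) crypto (\S+) integrity (\S+)$")
QUEUE = re.compile(r"^\s+(\S+) (rx|tx) queue \d+$")


def parse_trace(text):
    """Node path, distinct headers in order of appearance (inner to outer
    on the encapsulating side), the esp4-encrypt record and rx/tx ports."""
    nodes, headers, esp, ports = [], [], None, {}
    for line in text.splitlines():
        if m := NODE.match(line):
            nodes.append(m.group(1))
        elif m := HEADER.match(line):
            if m.groups() not in headers:
                headers.append(m.groups())
        elif m := ESP.match(line):
            esp = {"spi": int(m.group(1)), "seq": int(m.group(2)),
                   "crypto": m.group(3), "integ": m.group(4)}
        elif m := QUEUE.match(line):
            ports[m.group(2)] = m.group(1)
    return {"nodes": nodes, "headers": headers, "esp": esp, "ports": ports}


def check_encapsulation(trace, child_spi_hex,
                        inner=("40.40.40.2", "40.40.40.1"),
                        outer=("20.20.20.2", "20.20.20.1")):
    """Deviations from the design: ICMP in GRE (ipsec0 addresses) in ESP
    (WAN addresses), ESP carrying the child SA's SPI, GRE before ESP."""
    problems = []
    by_proto = {h[0]: h[1:] for h in trace["headers"]}
    if [h[0] for h in trace["headers"]] != ["ICMP", "GRE", "IPSEC_ESP"]:
        problems.append(f"unexpected header order {[h[0] for h in trace['headers']]}")
    if "GRE" in by_proto and by_proto["GRE"] != inner:
        problems.append(f"GRE endpoints {by_proto['GRE']} are not the ipsec0 addresses")
    if "IPSEC_ESP" in by_proto and by_proto["IPSEC_ESP"] != outer:
        problems.append(f"ESP outer addresses {by_proto['IPSEC_ESP']} differ from {outer}")
    if trace["esp"] is None:
        problems.append("no esp4-encrypt record: traffic left in the clear")
    elif trace["esp"]["spi"] != int(child_spi_hex, 16):
        problems.append(f"ESP spi {trace['esp']['spi']:x} is not child SA spi {child_spi_hex}")
    n = trace["nodes"]
    if not ("ip4-midchain" in n and "esp4-encrypt" in n
            and n.index("ip4-midchain") < n.index("esp4-encrypt")):
        problems.append("GRE midchain did not precede ESP encryption")
    return problems


if __name__ == "__main__":
    t = parse_trace(SAMPLE_TRACE)
    print(" -> ".join(t["nodes"]))
    for proto, src, dst in t["headers"]:
        print(f"{proto:9} {src} -> {dst}")
    print("problems:", check_encapsulation(t, "18c7f7b") or "none")
```

    Paste the text of `vppctl show trace` into parse_trace() and pass the child SA spi(i) from `show ikev2 sa`; an empty problem list means the packet went through gre0, then ipsec0, and left as ESP with the expected SPI.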
  • Original article: https://www.cnblogs.com/APeng2019/p/10719299.html