This chapter covers Dynamic Multipoint Virtual Private Network (DMVPN) and shows the advantages for enterprises that use it to connect multiple sites.



Date: 18.07.2022

Phase 3 with IPSec
Now that we have GRE tunnels configured, we have the option of encrypting them with IPSec to provide data confidentiality. We will use the current DMVPN Phase 3 configuration. To configure the IPSec tunnel, we need to define a policy with the crypto isakmp policy command. The tunnel source command on the tunnel interfaces must use the interface type and number rather than an IP address. We will not go into the IPSec configuration, since that is covered in Chapter 14. We will mention the command that applies to protecting the GRE tunnels: the tunnel protection ipsec profile [name] command is used to bind the tunnel interface to the IPSec profile. Note that the tunnel MTU must be set to 1400 to account for the IPSec encapsulation.
Let's add the crypto configuration to the hub and spokes:
Headquarter(config)#crypto isakmp policy 1
Headquarter(config-isakmp)#authentication pre-share
Headquarter(config-isakmp)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
Headquarter(config)#crypto ipsec transform-set SecureVPN esp-des esp-md5-hmac
Headquarter(cfg-crypto-trans)#mode transport
Headquarter(cfg-crypto-trans)#crypto ipsec profile DMVPN
Headquarter(ipsec-profile)#set transform-set SecureVPN
Headquarter(ipsec-profile)#int tunnel 0
Headquarter(config-if)#tunnel protection ipsec profile DMVPN
Headquarter(config-if)#ip mtu 1400
This configuration is deployed on all routers.
Let's verify that our crypto sessions are up on the hub:
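As an added example (not code from the book or from Cisco), a small Python audit of the hub commands above: it checks that every tunnel interface carries tunnel protection and the 1400 MTU the text calls for, and flags two things a practitioner would want to know about this snippet: the DES/MD5 transform set (both deprecated; AES with SHA-2 is the usual replacement) and the 0.0.0.0 wildcard pre-shared key, which accepts the same key from any peer address. The sample input is constructed from the commands on this page.

```python
import re

# Constructed sample: the hub's DMVPN/IPSec commands from this section, in the
# same "Router(mode)#command" form the page uses (not a device's running-config).
HUB_CLI = """\
Headquarter(config)#crypto isakmp policy 1
Headquarter(config-isakmp)#authentication pre-share
Headquarter(config-isakmp)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
Headquarter(config)#crypto ipsec transform-set SecureVPN esp-des esp-md5-hmac
Headquarter(cfg-crypto-trans)#mode transport
Headquarter(cfg-crypto-trans)#crypto ipsec profile DMVPN
Headquarter(ipsec-profile)#set transform-set SecureVPN
Headquarter(ipsec-profile)#int tunnel 0
Headquarter(config-if)#tunnel protection ipsec profile DMVPN
Headquarter(config-if)#ip mtu 1400
"""

# ESP transforms that no longer meet current strength expectations.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def commands(cli_text):
    """Strip the 'Router(mode)#' prompt and return bare, lower-cased commands."""
    return [line.split("#", 1)[1].strip().lower()
            for line in cli_text.splitlines() if "#" in line]

def audit_dmvpn_ipsec(cli_text):
    """Return a list of findings for a DMVPN hub or spoke IPSec snippet."""
    cmds = commands(cli_text)
    findings = []
    has_tunnel = any(re.match(r"int(erface)?\s+tunnel", c) for c in cmds)
    # 1. A tunnel interface must be bound to an IPSec profile ...
    if has_tunnel and not any(c.startswith("tunnel protection ipsec profile") for c in cmds):
        findings.append("tunnel interface without 'tunnel protection ipsec profile'")
    # ... and carry the reduced MTU the text calls for.
    if has_tunnel and "ip mtu 1400" not in cmds:
        findings.append("tunnel MTU not set to 1400 for IPSec overhead")
    # 2. Flag deprecated ESP transforms inside any transform-set.
    for c in cmds:
        if c.startswith("crypto ipsec transform-set"):
            weak = sorted(WEAK_TRANSFORMS & set(c.split()[4:]))
            if weak:
                findings.append(f"weak transform(s) {weak} in '{c}'")
    # 3. A 0.0.0.0 wildcard key is one PSK accepted from any peer address.
    for c in cmds:
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", c):
            findings.append("ISAKMP pre-shared key accepted from any peer (0.0.0.0 wildcard)")
    return findings
```

The same function can be run over each spoke's commands, since the page deploys the identical snippet on every router.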


From the output above we can see that we have established IPSec tunnels on the hub. Let's look at DMVPN:

As we can see, our DMVPN tunnel is up and protected with IPSec.
Phase 3 with OSPF
Since we do not have a routing protocol to populate DMVPN, let's build OSPF over our tunnel so that each branch can reach the other branches' LANs. We will configure point-to-multipoint OSPF. We add the DMVPN tunnel IP address and each site's LAN subnet to OSPF. On the tunnel interface we use the ip ospf network point-to-multipoint command:
Headquarter(config)#router ospf 1
Headquarter(config-router)#network 10.10.10.0 0.0.0.255 area 1
Headquarter(config-router)#network 192.168.1.0 0.0.0.255 area 1
Headquarter(config-router)#interface Tunnel 0
Headquarter(config-if)#ip ospf network point-to-multipoint
*May 16 04:39:07.695: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.2.1 on Tunnel0 from LOADING to FULL, Loading Done
*May 16 04:39:21.770: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Tunnel0 from LOADING to FULL, Loading Done
*May 16 04:39:35.925: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.4.1 on Tunnel0 from LOADING to FULL, Loading Done
We can see that our OSPF neighbors have formed. Here is the spoke configuration:
Branch1(config)#router ospf 1
Branch1(config-router)#network 10.10.10.0 0.0.0.255 area 1
Branch1(config-router)#network 192.168.2.0 0.0.0.255 area 1
Branch1(config-router)#interface Tunnel 0
Branch1(config-if)#ip ospf network point-to-multipoint
Branch2(config)#router ospf 1
Branch2(config-router)#network 10.10.10.0 0.0.0.255 area 1
Branch2(config-router)#network 192.168.3.0 0.0.0.255 area 1
Branch2(config-router)#interface Tunnel 0
Branch2(config-if)#ip ospf network point-to-multipoint
Branch3(config)#router ospf 1
Branch3(config-router)#network 10.10.10.0 0.0.0.255 area 1
Branch3(config-router)#network 192.168.4.0 0.0.0.255 area 1
Branch3(config-router)#interface Tunnel 0
Branch3(config-if)#ip ospf network point-to-multipoint


We can see that all LAN addresses are being learned through OSPF. The output shows that the spoke routers have learned each other's networks.
FlexVPN
Now that we have covered DMVPN, let's move on to FlexVPN, which uses IPSec just like DMVPN but uses IKEv2 instead of the IKEv1 used in DMVPN. IKEv2 is the next generation of the IKE protocol. Using Figure 24-6, we configure FlexVPN with BGP as the routing protocol. I will point out the changes in the IPSec configuration. IKEv2 uses fewer messages to establish its IPSec tunnel. In FlexVPN configurations, spokes do not register with the hub, and NHRP is used for spoke-to-spoke traffic. Normally the hub in FlexVPN does not have a tunnel interface, since it only terminates dynamic tunnels. Instead, a virtual template is used, which creates a virtual-access interface for each connection. You will also see a pool of addresses on the hub that are assigned to the spokes. Because these addresses are assigned to the spokes, they are installed in the routing table as /32 addresses.
FlexVPN consists of the following: the IKEv2 policy binds an IKEv2 proposal to a peer. The keyring allows pre-shared keys to be defined, and those keys can be asymmetric. The IKEv2 profile supplies the VPN's parameters, including the peer address and the authentication method. The transform set defines the security protocols and algorithms the IPSec tunnel will be built with. The IPSec profile is the summary of the FlexVPN and is applied to the interface as a single profile.

Figure 24-6. FlexVPN
Using Figure 24-6, we configure FlexVPN. We configure IKEv2 to secure the VPN and BGP for routing. First we enable AAA, define our local subnets, create the address pool that lets the branch router obtain an IP address from headquarters, configure the IKEv2 keyring, configure the IKEv2 authorization policy, define the IKEv2 profile, and create the interface template. Let's move on to the configuration:
Hub
Headquarters(config)#aaa new-model
Headquarters(config)#aaa authorization network IKE local
Headquarters(config)#crypto ikev2 authorization policy default
Headquarters(config-ikev2-author-policy)#pool FlexVPNSpokes
Headquarters(config-ikev2-author-policy)#crypto ikev2 keyring Flex
Headquarters(config-ikev2-keyring)#peer Spokes
Headquarters(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0
Headquarters(config-ikev2-keyring-peer)#pre-shared-key local flexvpn
Headquarters(config-ikev2-keyring-peer)#pre-shared-key remote flexvpn
Headquarters(config-ikev2-keyring-peer)#crypto ikev2 profile DMVPN
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate or match any statement.
Headquarters(config-ikev2-profile)#match identity remote address 0.0.0.0
Headquarters(config-ikev2-profile)#authentication remote pre-share
Headquarters(config-ikev2-profile)#authentication local pre-share
Headquarters(config-ikev2-profile)#keyring local Flex
Headquarters(config-ikev2-profile)#aaa authorization group psk list IKE default
Headquarters(config-ikev2-profile)#virtual-template 1
Headquarters(config-ikev2-profile)#crypto ipsec profile IKEv2
Headquarters(ipsec-profile)#set ikev2-profile DMVPN
Headquarters(ipsec-profile)#interface Loopback100
Headquarters(config-if)#ip address 172.31.1.1 255.255.255.0
Headquarters(config-if)#interface Virtual-Template1 type tunnel
Headquarters(config-if)#ip unnumbered lo100
Headquarters(config-if)#tunnel source e0/0
Headquarters(config-if)#tunnel path-mtu-discovery
Headquarters(config-if)#tunnel protection ipsec profile IKEv2
Headquarters(config-if)#ip local pool FlexVPNSpokes 172.31.1.2 172.31.1.6
Now let's look at the spoke:
Branch2(config)#aaa new-model
Branch2(config)#aaa authorization network IKE local
Branch2(config)#crypto ikev2 authorization policy default
Branch2(config-ikev2-author-policy)#crypto ikev2 keyring Flex
Branch2(config-ikev2-keyring)#peer Spokes
Branch2(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0
Branch2(config-ikev2-keyring-peer)#pre-shared-key local flexvpn
Branch2(config-ikev2-keyring-peer)#pre-shared-key remote flexvpn
Branch2(config-ikev2-keyring-peer)#crypto ikev2 profile DMVPN
Branch2(config-ikev2-profile)#match identity remote address 0.0.0.0
Branch2(config-ikev2-profile)#authentication remote pre-share
Branch2(config-ikev2-profile)#authentication local pre-share
Branch2(config-ikev2-profile)#keyring local Flex
Branch2(config-ikev2-profile)#aaa authorization group psk list IKE default
Branch2(config-ikev2-profile)#virtual-template 1
Branch2(config-ikev2-profile)#crypto ipsec profile IKEv2
Branch2(ipsec-profile)#set ikev2-profile DMVPN
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)#ip address negotiated
Branch2(config-if)#ip mtu 1400
Branch2(config-if)#ip tcp adjust-mss 1360
Branch2(config-if)#tunnel source Ethernet0/0
Branch2(config-if)#tunnel destination 172.1.1.1
Branch2(config-if)#tunnel path-mtu-discovery
Branch2(config-if)#tunnel protection ipsec profile IKEv2
Branch2(config-if)#router bgp 1
Branch2(config-router)#bgp log-neighbor-changes
Branch2(config-router)#network 192.168.2.0 mask 255.255.255.0
Branch2(config-router)#network 172.31.1.0 mask 255.255.255.0
Branch2(config-router)#neighbor 172.31.1.1 remote-as 1
Branch2(config-router)#interface Virtual-Template1 type tunnel
Branch2(config-if)#ip unnumbered Tunnel0
Branch2(config-if)#ip mtu 1400
Branch2(config-if)#ip tcp adjust-mss 1360
Branch2(config-if)#tunnel path-mtu-discovery
Branch2(config-if)#tunnel protection ipsec profile IKEv2
Now let's verify that the tunnel is up:

We can see that our crypto tunnel is active. If we run the show ip interface brief command, we can see that 172.31.1.2 was dynamically assigned to Tunnel0:

Now let's check our routing table:

From the output we can see all the routes we expect via BGP.
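As an added example (not code from the book), a Python check that applies the "IKEv2 profile MUST have" rules stated in the hub configuration above and also confirms that the keyring and virtual-template a profile references actually exist. The input is a constructed running-config-style excerpt of this section's hub (the layout is assumed; it was not captured from a device).

```python
# Constructed running-config style excerpt of this section's FlexVPN hub (assumed layout).
HUB_CONFIG = """\
crypto ikev2 keyring Flex
 peer Spokes
  address 0.0.0.0 0.0.0.0
  pre-shared-key local flexvpn
  pre-shared-key remote flexvpn
!
crypto ikev2 profile DMVPN
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local Flex
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile IKEv2
"""

def sections(config):
    """Map each top-level config line to the list of its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if not line or line.startswith("!"):
            continue
        if line[0] != " ":           # top-level command starts a new section
            current = line.strip()
            out[current] = []
        elif current:
            out[current].append(line.strip())
    return out

def check_ikev2_profiles(config):
    """Return {profile name: [problems]} for every IKEv2 profile in the config."""
    secs = sections(config)
    keyrings = {s.split()[-1] for s in secs if s.startswith("crypto ikev2 keyring ")}
    problems = {}
    for name, body in secs.items():
        if not name.startswith("crypto ikev2 profile "):
            continue
        errs = []
        for side in ("local", "remote"):   # rule 1: both authentication methods
            if not any(b.startswith(f"authentication {side} ") for b in body):
                errs.append(f"no {side} authentication method")
        if not any(b.startswith(("match identity", "match certificate", "match any")) for b in body):
            errs.append("no match identity/certificate/any statement")  # rule 2
        for b in body:                     # dangling references to keyring / virtual-template
            ref = b.split()[-1]
            if b.startswith("keyring local ") and ref not in keyrings:
                errs.append(f"keyring '{ref}' is not defined")
            if b.startswith("virtual-template ") and f"interface Virtual-Template{ref} type tunnel" not in secs:
                errs.append(f"virtual-template {ref} has no interface")
        problems[name.split()[-1]] = errs
    return problems
```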
