
GETVPN Configuration

Author: 刘銮奕
Published 2019-07-22 17:31:30
Column: 奕知伴解

Lab topology diagram

KS-1 (202.100.1.1) and KS-2 (202.100.1.2) sit on the ASA inside segment, GM-1 (202.100.2.1) and GM-2 (202.100.2.2) on the outside segment, and the ASA DMZ (202.100.3.0/24) hosts the VRF-aware GMs used in the last part. KS-1 and each GM have a Loopback0 in 172.16.x.0/24 that stands in for the site network behind them.

Basic routing: KS-1
interface Loopback0
 ip address 172.16.100.1 255.255.255.0
 ip ospf network point-to-point
 no shutdown
interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shutdown
router ospf 1
 network 172.16.100.0 0.0.0.255 area 0
 network 202.100.1.0 0.0.0.255 area 0

Basic routing: KS-2
interface Ethernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shutdown
router ospf 1
 network 202.100.1.0 0.0.0.255 area 0

Basic routing: GM-1
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
 ip ospf network point-to-point
 no shutdown
interface Ethernet0/0
 ip address 202.100.2.1 255.255.255.0
 no shutdown
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
 network 202.100.2.0 0.0.0.255 area 0

Basic routing: GM-2
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
 ip ospf network point-to-point
 no shutdown
interface Ethernet0/0
 ip address 202.100.2.2 255.255.255.0
 no shutdown
router ospf 1
 network 172.16.2.0 0.0.0.255 area 0
 network 202.100.2.0 0.0.0.255 area 0

Basic routing: ASA-1

The ASA sits between the key servers (inside, 202.100.1.0/24) and the group members (outside, 202.100.2.0/24). The ACL on the outside interface admits only ICMP and GDOI (UDP port 848), which is all a GM needs in order to register with a KS.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 202.100.1.10 255.255.255.0 
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 202.100.2.10 255.255.255.0 
 no shutdown
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 202.100.3.10 255.255.255.0 
 no shutdown 
!
router ospf 1
 network 202.100.1.0 255.255.255.0 area 0
 network 202.100.2.0 255.255.255.0 area 0

access-list out extended permit icmp any any 
access-list out extended permit udp any any eq 848 
access-group out in interface outside

Multicast configuration: KS-1 (KS-2 is the PIM RP; the rekey group is 239.0.1.2)
ip multicast-routing
!
ip pim rp-address 202.100.1.2
! 
interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.0
 ip pim sparse-mode
!

Multicast configuration: KS-2
ip multicast-routing
!
ip pim rp-address 202.100.1.2
! 
interface Ethernet0/0
 ip address 202.100.1.2 255.255.255.0
 ip pim sparse-mode
!

Multicast configuration: GM-1
ip multicast-routing
!
ip pim rp-address 202.100.1.2
! 
interface Ethernet0/0
 ip address 202.100.2.1 255.255.255.0
 ip pim sparse-mode
!

Multicast configuration: GM-2
ip multicast-routing
!
ip pim rp-address 202.100.1.2
! 
interface Ethernet0/0
 ip address 202.100.2.2 255.255.255.0
 ip pim sparse-mode
!

Multicast configuration: ASA-1
multicast-routing
!
pim rp-address 202.100.1.2
! 

Switches 7 and 8

IGMP snooping is disabled on the lab switches so that the multicast rekey traffic (239.0.1.2) is flooded to the GM ports even without an IGMP querier on the segment.

no ip igmp snooping

Generating and viewing the RSA key pair

Generate the key

This key signs the rekey messages, so every GM must trust it and, for COOP, both key servers must hold the same private key; it is generated exportable because it is exported to KS-2 later in this article. A 1024-bit modulus is used in this lab only; use 2048 bits or more in production.
ip domain name liu.com
KS-1(config)#crypto key generate rsa label GETV**-KEY modulus 1024 exportable 

View the key
KS-1#show crypto key mypubkey rsa 
% Key pair was generated at: 10:18:39 UTC Oct 11 2018
Key name: GETV**-KEY
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:

ISAKMP policy configuration (KS-1)

Only the authentication method is set, so the remaining ISAKMP parameters fall back to the IOS defaults (on older releases DES, SHA-1 and DH group 1); for production set encryption aes 256, hash sha256 and group 14 or higher explicitly.

crypto isakmp policy 10
 authentication pre-share

The ISAKMP pre-shared key must be configured for every KS and GM peer (the key "ccie" is a lab value):
crypto isakmp key ccie address 202.100.1.2    
crypto isakmp key ccie address 202.100.2.1    
crypto isakmp key ccie address 202.100.2.2    
!

Define the interesting traffic (the policy the KS pushes to all GMs):
ip access-list extended GETV**-Traffic
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

Define the multicast rekey traffic (GDOI rekeys from the KS address to the rekey group, UDP 848):
ip access-list extended Multicast
 permit udp host 202.100.1.1 eq 848 host 239.0.1.2 eq 848

IPsec profile (the IPsec SA policy is configured only on the KS; GMs receive it at registration)

esp-des with esp-md5-hmac is used here only because it is a lab; in production use esp-aes 256 with esp-sha256-hmac.

crypto ipsec transform-set QYT-Trans esp-des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile ipsecprof
 set transform-set QYT-Trans
!

KS basic configuration:

! Create the GDOI group
crypto gdoi group mygroup
 ! Group identity; must be identical on every KS and GM
 identity number 66666
 ! This router is a key server
 server local
  ! Local KS address
  address ipv4 202.100.1.1
  ! Rekey settings
  ! RSA key that signs rekey messages
  rekey authentication mypubkey rsa GETV**-KEY
  ! Algorithm that encrypts rekey messages (the default hash is SHA-1)
  rekey algorithm aes 256
  ! Multicast rekey traffic definition; multicast is the default rekey transport
  rekey address ipv4 Multicast
  ! First IPsec SA policy (more than one can be configured)
  sa ipsec 1
   ! Interesting traffic
   match address ipv4 GETV**-Traffic
   ! IPsec profile that protects the interesting traffic
   profile ipsecprof

Configuration on all GMs

IKE phase 1 policy

crypto isakmp policy 10
 authentication pre-share
! A GM only needs pre-shared keys for the key servers, not for other GMs
crypto isakmp key ccie address 202.100.1.1
crypto isakmp key ccie address 202.100.1.2

! The identity number must be the same on every KS and GM
crypto gdoi group mygroup
 identity number 66666
 ! Primary KS
 server address ipv4 202.100.1.1
 ! Secondary KS
 server address ipv4 202.100.1.2

! GDOI supplies the TEK to the crypto map
crypto map cisco 10 gdoi
 ! Bind the GDOI group
 set group mygroup

! Apply on the interface the interesting traffic enters and leaves;
! applying the crypto map triggers registration immediately
interface Ethernet0/0
 crypto map cisco

Successful GM registration
GM-1(config-if)#
*Oct 11 10:29:21.811: %CRYPTO-5-GM_REGSTER: Start registration to KS 202.100.1.1 for group mygroup using address 202.100.2.1
*Oct 11 10:29:21.819: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Oct 11 10:29:22.087: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Oct 11 10:29:22.087: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Oct 11 10:29:22.135: %GDOI-5-GM_REGS_COMPL: Registration to KS 202.100.1.1 complete for group mygroup using address 202.100.2.1
*Oct 11 10:29:22.147: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 202.100.1.1 for group mygroup & gm identity  202.100.2.1
GM-1(config-if)#
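
The registration log above has a fixed sequence: start, KEK update, TEK update, completion, policy installation. The following is an added example (not code from the original post) that checks a GM syslog for that sequence and reports attempts that stall. The message formats are those of the GM-1 log; SAMPLE_OK repeats those lines, while SAMPLE_STUCK is a constructed case in which a registration toward KS-2 starts and nothing else arrives. Function and variable names are this example's own.

```python
"""Checks a GM syslog for a complete GETVPN registration.

Added example, not from the original post. Message formats follow the
GM-1 log shown above; SAMPLE_STUCK is constructed for the failure case.
"""
import re

START = re.compile(
    r"%CRYPTO-5-GM_REGSTER: Start registration to KS (\S+) for group (\S+) using address (\S+)")
COMPLETE = re.compile(
    r"%GDOI-5-GM_REGS_COMPL: Registration to KS (\S+) complete for group (\S+) using address (\S+)")
INSTALLED = re.compile(
    r"%GDOI-5-GM_INSTALL_POLICIES_SUCCESS: .* from KS (\S+) for group (\S+) & gm identity\s+(\S+)")
KEK_MSG = "%GDOI-5-SA_KEK_UPDATED"
TEK_MSG = "%GDOI-5-SA_TEK_UPDATED"

# Lines copied from the GM-1 registration shown above
SAMPLE_OK = """\
*Oct 11 10:29:21.811: %CRYPTO-5-GM_REGSTER: Start registration to KS 202.100.1.1 for group mygroup using address 202.100.2.1
*Oct 11 10:29:21.819: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Oct 11 10:29:22.087: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Oct 11 10:29:22.087: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Oct 11 10:29:22.135: %GDOI-5-GM_REGS_COMPL: Registration to KS 202.100.1.1 complete for group mygroup using address 202.100.2.1
*Oct 11 10:29:22.147: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 202.100.1.1 for group mygroup & gm identity  202.100.2.1
"""

# Constructed: GM-2 starts toward the secondary KS and nothing else arrives
SAMPLE_STUCK = """\
*Oct 11 10:35:00.000: %CRYPTO-5-GM_REGSTER: Start registration to KS 202.100.1.2 for group mygroup using address 202.100.2.2
*Oct 11 10:35:00.010: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
"""


def _key(m):
    # (group, ks, gm address) identifies one registration attempt
    return (m.group(2), m.group(1), m.group(3))


def _verdict(rec):
    if not rec["complete"]:
        return "incomplete"
    if not (rec["kek"] and rec["tek"]):
        return "missing-keys"
    if not rec["installed"]:
        return "policy-not-installed"
    return "ok"


def registration_status(log_text):
    """Map each registration attempt to 'ok', 'incomplete',
    'missing-keys' or 'policy-not-installed'."""
    attempts = {}
    current = None  # KEK/TEK lines carry no group; attribute them to the last start
    for line in log_text.splitlines():
        m = START.search(line)
        if m:
            current = _key(m)
            attempts[current] = {"kek": False, "tek": False,
                                 "complete": False, "installed": False}
            continue
        if current is None:
            continue
        rec = attempts[current]
        if KEK_MSG in line:
            rec["kek"] = True
        elif TEK_MSG in line:
            rec["tek"] = True
        elif (m := COMPLETE.search(line)) and _key(m) == current:
            rec["complete"] = True
        elif (m := INSTALLED.search(line)) and _key(m) == current:
            rec["installed"] = True
    return {key: _verdict(rec) for key, rec in attempts.items()}


if __name__ == "__main__":
    for key, verdict in registration_status(SAMPLE_OK + SAMPLE_STUCK).items():
        print(key, verdict)
```

A registration that reaches GM_REGS_COMPL without both SA_KEK_UPDATED and SA_TEK_UPDATED, or completes without GM_INSTALL_POLICIES_SUCCESS, is worth alerting on: the GM is then either unable to accept rekeys or is not protecting the policy traffic at all.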

KS status queries

GM status queries

GM-to-GM connectivity test

GM ACL configuration

The KS does not encrypt or decrypt data traffic. When the network behind a GM (172.16.1.0/24) talks to the network behind the KS (172.16.100.0/24), the flow matches the interesting-traffic ACL downloaded from the KS and the GM encrypts it; the KS cannot decrypt it and drops it, so the test toward the KS network fails while GM-to-GM traffic works. A local GM ACL that denies this flow keeps it out of the encryption policy:
ip access-list extended GM_ACL
 deny   ip 172.16.1.0 0.0.0.255 172.16.100.0 0.0.0.255

crypto map cisco 10 gdoi 
 match address GM_ACL
A GM ACL should contain only deny entries; it is used to bypass traffic: a deny means the flow is not matched and is forwarded unencrypted. The local ACL is evaluated before the policy downloaded from the KS, and each GM that needs to reach the KS network requires its own entry.

Export the RSA key from KS-1 and import it on KS-2. COOP key servers must sign rekeys with the same key, because GMs verify rekeys with the key they received at registration:

KS-1(config)#crypto key export rsa GETV**-KEY pem terminal 3des cisco123

KS-2(config)#crypto key import rsa GETV**-KEY pem terminal cisco123

KS-2 basic configuration

Except for its own address, the policy on KS-2 must match KS-1 (identity number, ACLs, transform set, rekey settings and RSA key), otherwise the COOP pair reports a policy mismatch. The time-based anti-replay window (replay time window-size 3) appears only here and should be configured identically on KS-1.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ccie address 202.100.1.1    
crypto isakmp key ccie address 202.100.2.1    
crypto isakmp key ccie address 202.100.2.2    
crypto ipsec transform-set cisco esp-des esp-md5-hmac 
 mode tunnel
crypto ipsec profile ipsecprof
 set transform-set cisco 

ip access-list extended Multicast
 permit udp host 202.100.1.2 eq 848 host 239.0.1.2 eq 848

ip access-list extended GETV**-Traffic
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

crypto gdoi group mygroup
 identity number 66666
 server local
  address ipv4 202.100.1.2
  rekey algorithm aes 256
  rekey address ipv4 Multicast
  rekey authentication mypubkey rsa GETV**-KEY
  sa ipsec 1
   profile ipsecprof
   match address ipv4 GETV**-Traffic
   replay time window-size 3

COOP key server configuration (KS-1)

KS-1(config)#crypto gdoi group mygroup
KS-1(config-gdoi-group)#server local
KS-1(gdoi-local-server)#redundancy
Address of the peer (backup) KS:
KS-1(gdoi-coop-ks-config)#peer address ipv4 202.100.1.2
The KS with the highest priority becomes the primary:
KS-1(gdoi-coop-ks-config)#local priority 100

COOP key server configuration (KS-2)

KS-2(config)#crypto gdoi group mygroup
KS-2(config-gdoi-group)#server local
KS-2(gdoi-local-server)#redundancy
Address of the peer (backup) KS:
KS-2(gdoi-coop-ks-config)#peer address ipv4 202.100.1.1
Lower priority, so KS-2 becomes the secondary:
KS-2(gdoi-coop-ks-config)#local priority 75

View COOP key server status

GETVPN unicast rekey in a VRF environment

The VRF-aware GMs attach to the ASA DMZ (202.100.3.0/24). The DMZ ACL permits GDOI (UDP 848) only from the DMZ subnet toward the KS subnet, which is all the GMs need for registration and unicast rekeys.
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 202.100.3.10 255.255.255.0 
 no shutdown

router ospf 1
  network 202.100.3.0 255.255.255.0 area 0

access-list DMZ extended permit icmp any any 
access-list DMZ extended permit udp 202.100.3.0 255.255.255.0 202.100.1.0 255.255.255.0 eq 848 

access-group DMZ in interface DMZ

Switch 9 configuration
vtp mode transparent
!
vlan 10-11,22 
!
interface Ethernet0/0
 switchport access vlan 10
 spanning-tree portfast edge
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

VRF-GMT-1 configuration

Each VRF GM carries a management VRF (MGMT, facing the KS through the DMZ) and two customer VRFs (Site-1 and Site-2) that deliberately use overlapping addresses (10.1.1.0/24 on the links and the same loopback address in both VRFs), so the GETVPN policy has to be applied per VRF.
ip vrf MGMT
 rd 10:10
!
ip vrf Site-1
 rd 11:11 
!
ip vrf Site-2
 rd 22:22
!
key chain ccie
 key 1
   key-string cisco
!
interface Loopback100
 ip vrf forwarding Site-1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback200
 ip vrf forwarding Site-2
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding MGMT
 ip address 202.100.3.1 255.255.255.0
!
interface Ethernet0/0.11
 encapsulation dot1Q 11
 ip vrf forwarding Site-1
 ip address 10.1.1.1 255.255.255.0
 ip authentication mode eigrp 11 md5
 ip authentication key-chain eigrp 11 ccie
!
interface Ethernet0/0.22
 encapsulation dot1Q 22
 ip vrf forwarding Site-2
 ip address 10.1.1.1 255.255.255.0
 ip authentication mode eigrp 22 md5
 ip authentication key-chain eigrp 22 ccie
!
router eigrp 1122
 !
 address-family ipv4 vrf Site-1 autonomous-system 11
  network 10.1.1.0 0.0.0.255
  network 192.168.1.0
 exit-address-family
 !
 address-family ipv4 vrf Site-2 autonomous-system 22
  network 10.1.1.0 0.0.0.255
  network 192.168.1.0
 exit-address-family
!
ip route vrf MGMT 202.100.1.0 255.255.255.0 202.100.3.10
!

VRF-GMT-2 configuration
ip vrf MGMT
 rd 10:10
!
ip vrf Site-1
 rd 11:11 
!
ip vrf Site-2
 rd 22:22
!
key chain ccie
 key 1
   key-string cisco
!
interface Loopback100
 ip vrf forwarding Site-1
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback200
 ip vrf forwarding Site-2
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding MGMT
 ip address 202.100.3.2 255.255.255.0
!
interface Ethernet0/0.11
 encapsulation dot1Q 11
 ip vrf forwarding Site-1
 ip address 10.1.1.2 255.255.255.0
 ip authentication mode eigrp 11 md5
 ip authentication key-chain eigrp 11 ccie
!
interface Ethernet0/0.22
 encapsulation dot1Q 22
 ip vrf forwarding Site-2
 ip address 10.1.1.2 255.255.255.0
 ip authentication mode eigrp 22 md5
 ip authentication key-chain eigrp 22 ccie
!
router eigrp 1122
 !
 address-family ipv4 vrf Site-1 autonomous-system 11
  network 10.1.1.0 0.0.0.255
  network 192.168.2.0
 exit-address-family
 !
 address-family ipv4 vrf Site-2 autonomous-system 22
  network 10.1.1.0 0.0.0.255
  network 192.168.2.0
 exit-address-family
!
ip route vrf MGMT 202.100.1.0 255.255.255.0 202.100.3.10
!

ISAKMP policy configuration (KS-1)

Pre-shared keys for the two VRF GMs; registration is sourced from their MGMT-VRF addresses:
KS-1(config)#crypto isakmp key 0 ccie address 202.100.3.1
KS-1(config)#crypto isakmp key 0 ccie address 202.100.3.2

Define the interesting traffic (policy for the VRF group):
KS-1(config)#ip access-list extended GET_V**_Traffic
KS-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
KS-1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

VRF_GM_1 routing

KS GDOI group configuration (KS-1)

This group uses unicast rekeys (rekey transport unicast), so no multicast ACL or rekey group is needed; the KS sends the rekey to each registered GM individually.
crypto gdoi group VRF_Group
 identity number 88888
 server local
  address ipv4 202.100.1.1
  rekey authentication mypubkey rsa GETV**-KEY
  rekey transport unicast
  sa ipsec 1
   profile ipsecprof
   match address ipv4 GET_V**_Traffic
   replay time window-size 3

VRF-GMT-1 configuration

The keyring is bound to VRF MGMT and client registration interface Ethernet0/0.10 sources the registration from the MGMT VRF, while the crypto map is applied on the Site-1 and Site-2 subinterfaces; the GM registers once and enforces the same KS policy in both customer VRFs.
crypto isakmp policy 10
 authentication pre-share
crypto keyring getV** vrf MGMT 
  pre-shared-key address 202.100.1.1 key ccie
crypto gdoi group VRF_Group
 identity number 88888
 server address ipv4 202.100.1.1
 client registration interface Ethernet0/0.10
crypto map cisco 10 gdoi 
 set group VRF_Group

interface Ethernet0/0.11
 crypto map cisco
interface Ethernet0/0.22
 crypto map cisco 

VRF-GMT-2 configuration
crypto isakmp policy 10
 authentication pre-share
crypto keyring getV** vrf MGMT 
  pre-shared-key address 202.100.1.1 key ccie
crypto gdoi group VRF_Group
 identity number 88888
 server address ipv4 202.100.1.1
 client registration interface Ethernet0/0.10
crypto map cisco 10 gdoi 
 set group VRF_Group

interface Ethernet0/0.11
 crypto map cisco
interface Ethernet0/0.22
 crypto map cisco

VRF_GM_1 test

KS registration information

Shared from the WeChat public account 奕知伴解; originally published 2018-10-11.
