interface Loopback0
ip address 172.16.100.1 255.255.255.0
ip ospf network point-to-point
no shutdown
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
router ospf 1
network 172.16.100.0 0.0.0.255 area 0
network 202.100.1.0 0.0.0.255 area 0
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
no shutdown
router ospf 1
network 202.100.1.0 0.0.0.255 area 0
interface Loopback0
ip address 172.16.1.1 255.255.255.0
ip ospf network point-to-point
no shutdown
interface Ethernet0/0
ip address 202.100.2.1 255.255.255.0
no shutdown
router ospf 1
network 172.16.1.0 0.0.0.255 area 0
network 202.100.2.0 0.0.0.255 area 0
interface Loopback0
ip address 172.16.2.1 255.255.255.0
ip ospf network point-to-point
no shutdown
interface Ethernet0/0
ip address 202.100.2.2 255.255.255.0
no shutdown
router ospf 1
network 172.16.2.0 0.0.0.255 area 0
network 202.100.2.0 0.0.0.255 area 0
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 202.100.1.10 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 202.100.2.10 255.255.255.0
no shutdown
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 202.100.3.10 255.255.255.0
no shutdown
!
router ospf 1
network 202.100.1.0 255.255.255.0 area 0
network 202.100.2.0 255.255.255.0 area 0
access-list out extended permit icmp any any
access-list out extended permit udp any any eq 848
access-group out in interface outside
ip multicast-routing
!
ip pim rp-address 202.100.1.2
!
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
ip pim sparse-mode
!
ip multicast-routing
!
ip pim rp-address 202.100.1.2
!
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
ip pim sparse-mode
!
ip multicast-routing
!
ip pim rp-address 202.100.1.2
!
interface Ethernet0/0
ip address 202.100.2.1 255.255.255.0
ip pim sparse-mode
!
ip multicast-routing
!
ip pim rp-address 202.100.1.2
!
interface Ethernet0/0
ip address 202.100.2.2 255.255.255.0
ip pim sparse-mode
!
multicast-routing
!
pim rp-address 202.100.1.2
!
no ip igmp snooping
ip domain name liu.com
KS-1(config)#crypto key generate rsa label GETV**-KEY modulus 1024 exportable
KS-1#show crypto key mypubkey rsa
% Key pair was generated at: 10:18:39 UTC Oct 11 2018
Key name: GETV**-KEY
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ccie address 202.100.1.2
crypto isakmp key ccie address 202.100.2.1
crypto isakmp key ccie address 202.100.2.2
!
ip access-list extended GETV**-Traffic
permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
ip access-list extended Multicast
permit udp host 202.100.1.1 eq 848 host 239.0.1.2 eq 848
crypto ipsec transform-set QYT-Trans esp-des esp-md5-hmac
mode tunnel
!
IPsec profile (the IPsec SA policy is configured only on the KS)
crypto ipsec transform-set QYT-Trans esp-des esp-md5-hmac
!
crypto ipsec profile ipsecprof
set transform-set QYT-Trans
!
Create the GDOI group
crypto gdoi group mygroup
// Configure the GDOI group (the identity number must be identical on all KSs and GMs)
identity number 66666
// Configure the local router as the key server (KS)
server local
// Define the local server address
address ipv4 202.100.1.1
// Basic rekey configuration
// Configure the RSA key pair used to sign rekey messages
rekey authentication mypubkey rsa GETV**-KEY
// Configure the algorithm used to encrypt rekey messages; the default hash algorithm is SHA-1
rekey algorithm aes 256
// Define the multicast traffic carrying rekey messages; note that rekeys are sent as multicast by default
rekey address ipv4 Multicast
// Configure the first IPsec SA policy (several can be configured)
sa ipsec 1
// Match the interesting traffic
match address ipv4 GETV**-Traffic
// Configure the profile that protects the interesting traffic
profile ipsecprof
crypto isakmp policy 10
authentication pre-share
// Only the ISAKMP keys for all of the KSs need to be configured
crypto isakmp key ccie address 202.100.1.1
crypto isakmp key ccie address 202.100.1.2
crypto gdoi group mygroup
identity number 66666 (must be identical on all KSs and GMs)
server address ipv4 202.100.1.1 (Primary KS)
server address ipv4 202.100.1.2 (Secondary KS)
GDOI supplies the crypto map with its keying material (the TEK)
crypto map cisco 10 gdoi
Reference the GDOI group
set group mygroup
Apply it to the interface through which the interesting traffic enters and leaves
interface Ethernet0/0
Applying the crypto map immediately triggers registration
crypto map cisco
GM-1(config-if)#
*Oct 11 10:29:21.811: %CRYPTO-5-GM_REGSTER: Start registration to KS 202.100.1.1 for group mygroup using address 202.100.2.1
*Oct 11 10:29:21.819: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Oct 11 10:29:22.087: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Oct 11 10:29:22.087: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Oct 11 10:29:22.135: %GDOI-5-GM_REGS_COMPL: Registration to KS 202.100.1.1 complete for group mygroup using address 202.100.2.1
*Oct 11 10:29:22.147: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 202.100.1.1 for group mygroup & gm identity 202.100.2.1
GM-1(config-if)#
Because the KS does not encrypt or decrypt data traffic, when the network behind a GM accesses the network behind the KS, the traffic matches the interesting-traffic ACL and is encrypted; the KS cannot decrypt it, so the KS drops it, which produces a variety of symptoms.
ip access-list extended GM_ACL
deny ip 172.16.1.0 0.0.0.255 172.16.100.0 0.0.0.255
crypto map cisco 10 gdoi
match address GM_ACL
The GM ACL may contain only deny entries; it is used to bypass traffic, and a deny means the traffic is not matched and therefore not encrypted.
KS-1(config)#crypto key export rsa GETV**-KEY pem terminal 3des cisco123
KS-2(config)#crypto key import rsa GETV**-KEY pem terminal cisco123
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ccie address 202.100.1.1
crypto isakmp key ccie address 202.100.2.1
crypto isakmp key ccie address 202.100.2.2
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode tunnel
crypto ipsec profile ipsecprof
set transform-set cisco
ip access-list extended Multicast
permit udp host 202.100.1.2 eq 848 host 239.0.1.2 eq 848
ip access-list extended GETV**-Traffic
permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
crypto gdoi group mygroup
identity number 66666
server local
address ipv4 202.100.1.2
rekey algorithm aes 256
rekey address ipv4 Multicast
rekey authentication mypubkey rsa GETV**-KEY
sa ipsec 1
profile ipsecprof
match address ipv4 GETV**-Traffic
replay time window-size 3
KS-1(config)#crypto gdoi group mygroup
KS-1(config-gdoi-group)#server local
KS-1(gdoi-local-server)#redundancy
Configure the peer (backup) KS address
KS-1(gdoi-coop-ks-config)#peer address ipv4 202.100.1.2
KS-1(gdoi-coop-ks-config)#local priority 100
KS-2(config)#crypto gdoi group mygroup
KS-2(config-gdoi-group)#server local
KS-2(gdoi-local-server)#redundancy
Configure the peer (backup) KS address
KS-2(gdoi-coop-ks-config)#peer address ipv4 202.100.1.1
KS-2(gdoi-coop-ks-config)#local priority 75
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 202.100.3.10 255.255.255.0
no shutdown
router ospf 1
network 202.100.3.0 255.255.255.0 area 0
access-list DMZ extended permit icmp any any
access-list DMZ extended permit udp 202.100.3.0 255.255.255.0 202.100.1.0 255.255.255.0 eq 848
access-group DMZ in interface DMZ
vtp mode transparent
!
vlan 10-11,22
!
interface Ethernet0/0
switchport access vlan 10
spanning-tree portfast edge
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
ip vrf MGMT
rd 10:10
!
ip vrf Site-1
rd 11:11
!
ip vrf Site-2
rd 22:22
!
key chain ccie
key 1
key-string cisco
!
interface Loopback100
ip vrf forwarding Site-1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback200
ip vrf forwarding Site-2
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
no shutdown
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding MGMT
ip address 202.100.3.1 255.255.255.0
!
interface Ethernet0/0.11
encapsulation dot1Q 11
ip vrf forwarding Site-1
ip address 10.1.1.1 255.255.255.0
ip authentication mode eigrp 11 md5
ip authentication key-chain eigrp 11 ccie
!
interface Ethernet0/0.22
encapsulation dot1Q 22
ip vrf forwarding Site-2
ip address 10.1.1.1 255.255.255.0
ip authentication mode eigrp 22 md5
ip authentication key-chain eigrp 22 ccie
!
router eigrp 1122
!
address-family ipv4 vrf Site-1 autonomous-system 11
network 10.1.1.0 0.0.0.255
network 192.168.1.0
exit-address-family
!
address-family ipv4 vrf Site-2 autonomous-system 22
network 10.1.1.0 0.0.0.255
network 192.168.1.0
exit-address-family
!
ip route vrf MGMT 202.100.1.0 255.255.255.0 202.100.3.10
!
ip vrf MGMT
rd 10:10
!
ip vrf Site-1
rd 11:11
!
ip vrf Site-2
rd 22:22
!
key chain ccie
key 1
key-string cisco
!
interface Loopback100
ip vrf forwarding Site-1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback200
ip vrf forwarding Site-2
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
no shutdown
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding MGMT
ip address 202.100.3.2 255.255.255.0
!
interface Ethernet0/0.11
encapsulation dot1Q 11
ip vrf forwarding Site-1
ip address 10.1.1.2 255.255.255.0
ip authentication mode eigrp 11 md5
ip authentication key-chain eigrp 11 ccie
!
interface Ethernet0/0.22
encapsulation dot1Q 22
ip vrf forwarding Site-2
ip address 10.1.1.2 255.255.255.0
ip authentication mode eigrp 22 md5
ip authentication key-chain eigrp 22 ccie
!
router eigrp 1122
!
address-family ipv4 vrf Site-1 autonomous-system 11
network 10.1.1.0 0.0.0.255
network 192.168.2.0
exit-address-family
!
address-family ipv4 vrf Site-2 autonomous-system 22
network 10.1.1.0 0.0.0.255
network 192.168.2.0
exit-address-family
!
ip route vrf MGMT 202.100.1.0 255.255.255.0 202.100.3.10
!
KS-1(config)#crypto isakmp key 0 ccie address 202.100.3.1
KS-1(config)#crypto isakmp key 0 ccie address 202.100.3.2
KS-1(config)#ip access-list extended GET_V**_Traffic
KS-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
KS-1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto gdoi group VRF_Group
identity number 88888
server local
address ipv4 202.100.1.1
rekey authentication mypubkey rsa GETV**-KEY
rekey transport unicast
sa ipsec 1
profile ipsecprof
match address ipv4 GET_V**_Traffic
replay time window-size 3
crypto isakmp policy 10
authentication pre-share
crypto keyring getV** vrf MGMT
pre-shared-key address 202.100.1.1 key ccie
crypto gdoi group VRF_Group
identity number 88888
server address ipv4 202.100.1.1
client registration interface Ethernet0/0.10
crypto map cisco 10 gdoi
set group VRF_Group
interface Ethernet0/0.11
crypto map cisco
interface Ethernet0/0.22
crypto map cisco
crypto isakmp policy 10
authentication pre-share
crypto keyring getV** vrf MGMT
pre-shared-key address 202.100.1.1 key ccie
crypto gdoi group VRF_Group
identity number 88888
server address ipv4 202.100.1.1
client registration interface Ethernet0/0.10
crypto map cisco 10 gdoi
set group VRF_Group
interface Ethernet0/0.11
crypto map cisco
interface Ethernet0/0.22
crypto map cisco