在Cisco路由器上配置VRF-aware IPsec VPN詳解

之前通過場景實例向大家展示了用Virtual Routing and Forwarding (VRF，虛擬路由轉(zhuǎn)發(fā))將一個路由器分割成八個虛擬路由器的方法。當時我向大家演示了如何配置VRF，在本文中我們繼續(xù)使用這個場景，并通過IPsec配置，將完全一致的拓撲結(jié)構和地址復制到八個實驗環(huán)境。整個環(huán)境能夠順利進行，首先需要帶有ASA的虛擬路由與Cisco 路由器建立VPN。這需要 VRF參與的IPsec。因此我需要一種方法能夠?qū)崿F(xiàn)完全一致的 isakmp 策略，一致的pre-shared keys, 一致的 crypto ACL, 也就是每個 VRF上的參數(shù)一致。實際的配置過程可能比我們想像的簡單一些。下面我就來舉例說明整個過程。

首先是建立ISAKMP 策略：

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

在配置過程中，我們可以在八個VRF中使用相同的元素，因此只需要建立一個ISAKMP 策略。接下來建立crypto ACL 以及一個 IPsec transform set。

ip access-list extended VPN

permit ip 10.0.100.0 0.0.0.255 10.0.1.0 0.0.0.255

crypto ipsec transform-set VPN-TRANS esp-aes esp-sha-hmac.

接下來是建立 pre-shared key。在本例中我曾經(jīng)使用過一個keyring 作為 預共享 key，因此我直接將其綁定到 VRF即可。

crypto keyring POD1keys vrf POD1

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD2keys vrf POD2

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD3keys vrf POD3

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD4keys vrf POD4

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD5keys vrf POD5

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD6keys vrf POD6

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD7keys vrf POD7

pre-shared-key address 192.168.1.2 key cisco123

crypto keyring POD8keys vrf POD7

pre-shared-key address 192.168.1.2 key cisco123

!

接下來建立 crypto-maps.

!

crypto map pod1 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod2 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod3 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod4 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod5 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod6 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

crypto map pod7 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

set isakmp-profile pod7

match address VPN

!

crypto map pod8 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set VPN-TRANS

set pfs group2

match address VPN

!

一旦 crypto-maps 被合并到一起，就可以應用到接口上了。

interface FastEthernet0/0.1

crypto map pod1

!

interface FastEthernet0/0.2

crypto map pod2

!

interface FastEthernet0/0.3

crypto map pod3

!

interface FastEthernet0/0.4

crypto map pod4

!

interface FastEthernet0/0.5

crypto map pod5

!

interface FastEthernet0/0.6

crypto map pod6

!

interface FastEthernet0/0.7

crypto map pod7

!

interface FastEthernet0/0.8

crypto map pod8

!