Contents

  • Building a GRE Tunnel over IPsec IKEv2 between Linux and Cisco with strongSwan IKEv2
    • Environment
    • Result diagram
    • Installation
    • Configuration
    • Application

Building a GRE Tunnel over IPsec IKEv2 between Linux and Cisco with strongSwan IKEv2

Environment

Linux:

cat /proc/version
Linux version 4.15.0-73-generic (buildd@lcy01-amd64-006) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #82-Ubuntu SMP Tue Dec 3 00:04:14 UTC 2019

Cisco:

show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.6(3)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 26-Jul-17 02:21 by prod_rel_team

StrongSwan:

ipsec version
Linux strongSwan U5.6.2/K4.15.0-73-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

vlan1(192.168.1.1/24) = = = = = = = = = loopback0(192.168.2.1/24)
Linux:enp2s0(10.207.238.11/24)------(10.207.238.21/24)F4:Cisco
Tunnel100 = = = = = = = = = = = = = = = = = = Tunnel1
ip addr 192.168.100.1/24#################ip addr 192.168.100.2/24
tunnel local 192.168.1.1##################tunnel source 192.168.2.1
tunnel remote 192.168.2.1################tunnel destination 192.168.1.1

Result diagram


Installation

```
apt-get install openssl libssl-dev strongswan libstrongswan
ipsec --help
ipsec command [arguments]

Commands:
    start|restart [arguments]
    update|reload|stop
    up|down|route|unroute <connectionname>
    down-srcip <start> [<end>]
    status|statusall [<connectionname>]
    listalgs|listpubkeys|listcerts [--utc]
    listcacerts|listaacerts|listocspcerts [--utc]
    listacerts|listgroups|listcainfos [--utc]
    listcrls|listocsp|listplugins|listall [--utc]
    listcounters|resetcounters [name]
    leases [<poolname> [<address>]]
    rereadsecrets|rereadcacerts|rereadaacerts
    rereadocspcerts|rereadacerts|rereadcrls|rereadall
    purgecerts|purgecrls|purgeike|purgeocsp
    scepclient|pki
    stroke
    version

Refer to the ipsec(8) man page for details.
Some commands have their own man pages, e.g. pki(1) or scepclient(8).
```

Configuration

  • Linux

/etc/ipsec.conf

```
conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev1
    authby=secret

conn cisco
    # local public IP
    left=10.207.238.11
    # local private subnet
    leftsubnet=192.168.1.0/24
    # local IKE ID; Cisco uses the peer IP as the ID by default, so the local IP is used here
    leftid=10.207.238.11
    leftfirewall=yes
    # remote public IP
    right=10.207.238.21
    # remote private subnet
    rightsubnet=192.168.2.0/24
    # remote IKE ID
    rightid=10.207.238.21
    auto=add
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    # enable IKEv2 (overrides the %default setting)
    keyexchange=ikev2
```

/etc/ipsec.secrets

```
10.207.238.11 : PSK "cisco"
10.207.238.21 : PSK "cisco"
```

```bash
ipsec restart
ipsec status
# create the GRE tunnel100 (endpoints are the inner addresses, so the GRE traffic falls under the IPsec policy)
ip tunnel add tunnel100 mode gre local 192.168.1.1 remote 192.168.2.1 ttl 255 dev enp2s0
ip addr add 192.168.100.1/30 dev tunnel100 peer 192.168.100.2/30
ip link set dev tunnel100 up
```
  • Cisco

```
interface FastEthernet4
 mtu 1600
 ip address 10.207.237.21 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Tunnel1
 ip address 192.168.100.2 255.255.255.252
 tunnel source 192.168.2.1
 tunnel destination 192.168.1.1
!
crypto ikev2 proposal ikev2Proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2Proposal
!
crypto ikev2 keyring keys
 peer strongswan
  address 10.207.238.11
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile ikev2profile
 match identity remote address 0.0.0.0
 match identity remote address 10.207.238.11 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local keys
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
ip route 192.168.1.0 255.255.255.0 10.207.238.11 name IPSec
!
ip access-list extended cryptoacl
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map cmap 10 ipsec-isakmp
 set peer 10.207.238.11
 set transform-set TS
 set ikev2-profile ikev2profile
 match address cryptoacl
!
interface FastEthernet4
 crypto map cmap
!
! set up a track that periodically generates interesting traffic to bring up IPsec
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.2.1
 tos 224
 threshold 3000
 timeout 3000
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 25 up 9
```
```
// check whether the session is established
R-test#show crypto session
Crypto session current status

Interface: FastEthernet4
Profile: ikev2profile
Session status: UP-ACTIVE
Peer: 10.207.238.11 port 500
  Session ID: 1
  IKEv2 SA: local 10.207.238.21/500 remote 10.207.238.11/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

// test connectivity between Cisco Loopback0 and Linux Vlan1
R-test#ping 192.168.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R-test#show track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    1 change, last change 02:23:53
  Delay up 9 secs, down 25 secs
  Latest operation return code: OK
  Latest RTT (millisecs) 1
```
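As an added check, not part of the original post: a small script that cross-checks the strongSwan conn above against the Cisco IKEv2 proposal, transform-set and crypto ACL (the strongSwan-to-IOS algorithm name mapping is an assumption that covers only the algorithms used on this page), and confirms that the GRE endpoints 192.168.1.1 and 192.168.2.1 fall inside the IPsec traffic selectors, since GRE traffic sourced from addresses outside them would leave the host unencrypted.

```python
import ipaddress
import re
# strongSwan -> IOS algorithm names; assumption: only the algorithms used on this page are mapped
IKE_MAP = {"aes128": "encryption aes-cbc-128", "sha1": "integrity sha1", "modp1536": "group 5"}
ESP_MAP = {"aes128": "esp-aes", "sha1": "esp-sha-hmac"}
# Both snippets are transcribed from the configs on this page, trimmed to what the check needs
SWAN_CONN = """
conn cisco
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.2.0/24
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
"""
IOS_CFG = """
crypto ikev2 proposal ikev2Proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended cryptoacl
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse_conn(text):
    """Turn the key=value lines of a strongSwan conn block into a dict."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' -> ip_network (wildcard bits are the inverse of the netmask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}")

def check(conn_text, ios_text, gre_local, gre_remote):
    """Return a list of mismatches; an empty list means the two sides should negotiate."""
    conn, problems = parse_conn(conn_text), []
    for alg in conn["ike"].split("-"):  # every IKE algorithm must appear in the IOS proposal
        if not re.search(rf"^\s*{IKE_MAP[alg]}\s*$", ios_text, re.M):
            problems.append(f"IKE: IOS proposal lacks '{IKE_MAP[alg]}'")
    esp = " ".join(ESP_MAP[a] for a in conn["esp"].split("-"))
    if esp not in ios_text:  # the transform-set must carry the same ESP cipher/integrity pair
        problems.append(f"ESP: no transform-set with '{esp}'")
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ios_text)
    cisco_side, linux_side = wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])
    if (str(cisco_side), str(linux_side)) != (conn["rightsubnet"], conn["leftsubnet"]):
        problems.append("Selectors: crypto ACL does not mirror rightsubnet/leftsubnet")
    # GRE endpoints must sit inside the selectors, otherwise GRE leaves the host unencrypted
    gl, gr = map(ipaddress.ip_address, (gre_local, gre_remote))
    if gl not in linux_side or gr not in cisco_side:
        problems.append("GRE endpoints are outside the IPsec traffic selectors")
    return problems
```

Running `check(SWAN_CONN, IOS_CFG, "192.168.1.1", "192.168.2.1")` on the page's values returns an empty list; sourcing the GRE tunnel from the public addresses instead would be flagged.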

Application

Static routes between Linux and Cisco

  • Linux
    Add a new subnet, 172.16.1.0/24
  • Cisco
    Add the internal subnet on Vlan1 and enable DHCP
```
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 pppoe enable group global
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool test
 network 10.1.1.0 255.255.255.0
 dns-server 114.114.114.114
 domain-name test.gogo.org
```
  • Linux
    Add a static route so that traffic to Cisco Vlan1 (10.1.1.0/24) exits via tunnel100
```bash
ip route add 10.1.1.0/24 dev tunnel100
ip route
10.1.1.0/24 dev tunnel100 scope link
10.207.238.0/24 dev enp2s0 proto kernel scope link src 10.207.238.11 metric 100
172.16.1.0/24 dev vlanif2 proto kernel scope link src 172.16.1.1 metric 401
192.168.1.0/24 dev vlanif1 proto kernel scope link src 192.168.1.1 metric 400
192.168.100.0/30 dev tunnel100 proto kernel scope link src 192.168.100.1
```
  • Cisco
    Add a static route so that traffic to Linux Vlan2 (172.16.1.0/24) exits via Tunnel1 with next hop 192.168.100.2
```
ip route 172.16.1.0 255.255.255.0 Tunnel1 192.168.100.1 name ToLinuxSubnet
show ip route 172.16.1.0
Routing entry for 172.16.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.100.1, via Tunnel1
      Route metric is 0, traffic share count is 1
```
  • Linux Vlan2 and Cisco Vlan1: ping and traceroute in both directions
ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=10.0 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=1.38 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=1.37 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=1.38 ms
^C
--- 10.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.372/3.550/10.052/3.754 ms
traceroute 10.1.1.1
traceroute to 10.1.1.1 (10.1.1.1), 30 hops max, 60 byte packets
 1  192.168.100.2 (192.168.100.2)  8.519 ms * *
ping  172.16.1.1 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
traceroute 172.16.1.1 source vlan 1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.1 0 msec 0 msec 0 msec
  • Test with a PC connected to Cisco Vlan1
  • Cisco
    Configure the default route to go via Tunnel1
ip route 0.0.0.0 0.0.0.0 Tunnel1
