Cisco 3945 and ASR1002 directly connected, building FlexVPN; FlexVPN can be thought of as an enhanced version of DMVPN.

I prefer to bring up the tunnel first and then configure FlexVPN, so that when troubleshooting later, tunnel problems and VPN problems can be investigated separately.

Cisco 3945 Spoke tunnel

interface Loopback100
 ip address 172.16.1.99 255.255.255.0
!
interface Tunnel1
 ip unnumbered Loopback100
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
 no ip address
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0

Except for the two tunnel protection lines, which should not be configured at this stage, all of this is tunnel configuration and involves no encryption. Tunnel1 can be given a static IP address, or it can obtain one from the hub; the configuration below will show how.

interface tun1
 ip address negotiated

ASR1002 Hub

interface Loopback100
 description DMVPN termination
 ip address 172.16.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 description FLEXVPN_SINGAPORE_HUB
 ip unnumbered Loopback100
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 keepalive 5 5
 tunnel source GigabitEthernet0/0/2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0

Once these lines are configured, the OSPF neighbor should come up; if it does not, stop and check the tunnel configuration.

spoke(config)#do show ip os neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.1.1        0   FULL/  -        00:00:32    172.16.1.1      Tunnel1
spoke(config)#do ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Cisco 3945 Spoke FlexVPN configuration

aaa new-model
aaa authorization network default local
aaa session-id common
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 prf sha512
 integrity sha512 sha384 sha256 sha1 md5
 group 24
!
crypto ikev2 policy default
 proposal default
!
crypto ikev2 keyring test
 peer test
  address 192.168.1.1 255.255.255.255
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile default
 match identity remote address 192.168.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
crypto ipsec transform-set ESP_AES_256_GCM esp-gcm 256
 mode tunnel
no crypto ipsec transform-set default
!
crypto ipsec profile default
 set transform-set ESP_AES_256_GCM
 set ikev2-profile default

ASR 1k hub FlexVPN configuration

aaa new-model
aaa authorization network default local
aaa session-id common
!
crypto ikev2 authorization policy default
 pool FlexSpokes
 route set interface
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 prf sha512
 integrity sha512 sha384 sha256 sha1 md5
 group 24
!
crypto ikev2 policy default
 proposal default
!
crypto ikev2 keyring test
 peer test
  address 192.168.1.2 255.255.255.255
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile default
 match identity remote address 192.168.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
crypto ipsec transform-set ESP_AES_256_GCM esp-gcm 256
 mode tunnel
no crypto ipsec transform-set default
!
crypto ipsec profile default
 set transform-set ESP_AES_256_GCM
 set pfs group24
 set ikev2-profile default
!
ip local pool FlexSpokes 172.16.1.100 172.16.1.150

The address pool configured here is the pool from which FlexVPN hands out addresses to the spokes.
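As an added check that is not part of the original post or of any Cisco tooling, this Python script parses the IKEv2 proposal and keyring sections shown above for both sides and reports whether the two proposals share an algorithm set, whether the pre-shared keys mirror each other, and which of the negotiable integrity algorithms (sha1, md5) are weak; the sample configs are constructed from the page's own lines.

```python
# Constructed sample: the IKEv2 proposal and keyring lines from the spoke config above.
SPOKE_CFG = """\
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 prf sha512
 integrity sha512 sha384 sha256 sha1 md5
 group 24
crypto ikev2 keyring test
 peer test
  address 192.168.1.1 255.255.255.255
  pre-shared-key local cisco
  pre-shared-key remote cisco
"""
HUB_CFG = SPOKE_CFG.replace("192.168.1.1", "192.168.1.2")  # hub differs only in peer address

WEAK_INTEGRITY = {"md5", "sha1"}  # still negotiable here; neither belongs in a new deployment

def parse_ikev2(cfg):
    # Collect the proposal's algorithm sets and the keyring's two PSKs.
    out = {"encryption": set(), "integrity": set(), "group": set(),
           "psk_local": None, "psk_remote": None}
    section = None
    for raw in cfg.splitlines():
        parts = raw.split()            # strips IOS indentation; blank lines give []
        if not parts:
            continue
        if parts[:3] == ["crypto", "ikev2", "proposal"]:
            section = "proposal"
        elif parts[:3] == ["crypto", "ikev2", "keyring"]:
            section = "keyring"
        elif parts[0] == "crypto":     # any other crypto block ends the section
            section = None
        elif section == "proposal" and parts[0] in out:
            out[parts[0]].update(parts[1:])   # encryption / integrity / group
        elif section == "keyring" and parts[0] == "pre-shared-key":
            out["psk_" + parts[1]] = parts[2]  # 'local' or 'remote'
    return out

def audit(spoke, hub):
    # Interoperability errors first, then weak-algorithm warnings.
    findings = []
    for alg in ("encryption", "integrity", "group"):
        if not spoke[alg] & hub[alg]:
            findings.append(f"no common {alg} algorithm: IKE_SA_INIT will fail")
    if (spoke["psk_local"], spoke["psk_remote"]) != (hub["psk_remote"], hub["psk_local"]):
        findings.append("pre-shared keys do not mirror each other between hub and spoke")
    for side, p in (("spoke", spoke), ("hub", hub)):
        weak = sorted(p["integrity"] & WEAK_INTEGRITY)
        if weak:
            findings.append(f"{side} proposal allows weak integrity: {', '.join(weak)}")
    return findings
```

Run against the page's two configs it reports only the sha1/md5 warnings; swap the hub's DH group or one PSK and the first finding becomes the negotiation failure you would otherwise chase in `show crypto ikev2 sa`.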

Two configuration files are attached for reference:
spoke-3945.txt
hub-ASR1K.txt

FlexVPN datasheet
https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-704277.html
Configuration documentation
https://www.cisco.com/c/en/us/support/security/flexvpn/series.html
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115727-flexvpn-hard-hub-00.html