动态到动态IPsec隧道配置示例

简介

本文档介绍当思科路由器两端均具有动态IP地址但配置了动态域名系统(DDNS)时，如何在路由器之间构建LAN到LAN IPsec隧道。

先决条件

要求

Cisco 建议您了解以下主题：

• 具有IPSec隧道和通用路由封装(GRE)的站点到站点VPN
• IPsec虚拟隧道接口(VTI)
• Cisco IOS软件的动态DNS支持

提示：有关详细信息，请参阅Cisco 3900系列、2900系列和1900系列软件配置指南的配置VPN部分以及使用IP安全配置虚拟隧道接口文章。

使用的组件

本文档中的信息基于运行版本15.2(4)M6a的Cisco 2911集成多业务路由器。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

背景信息

当需要建立LAN到LAN隧道时，必须知道两个IPSec对等体的IP地址。如果其中一个IP地址因为动态（例如通过DHCP获取的IP地址）而不知道，则另一种选择是使用动态加密映射。这是有效的，但隧道只能由具有动态IP地址的对等体启动，因为其他对等体不知道在哪里找到其对等体。

有关动态到静态的详细信息，请参阅使用NAT配置路由器到路由器动态到静态IPSec。

配置

IPsec隧道对等体的实时解析

Cisco IOS^®在版本12.3(4)T中引入了一项新功能，允许指定IPSec对等体的完全限定域名(FQDN)。当存在与加密访问列表匹配的流量时，Cisco IOS会解析FQDN并获取对等体的IP地址，然后尝试启用隧道。

注意：此功能有一个限制：只有将远程IPsec对等体用作启动器时，其DNS名称解析才能工作。要加密的第一个数据包将触发DNS查找；在DNS查找完成后，后续数据包将触发Internet密钥交换(IKE)。实时解析在响应方上不起作用。

为了解决限制并能够从每个站点启动隧道，您将在两台路由器上都有一个动态加密映射条目，以便您可以将传入的IKE连接映射到动态加密。这是必需的，因为具有实时分辨率功能的静态条目在用作响应器时不起作用。 

Router A

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
ip access-list extended crypto-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dyn 10
 set transform-set myset
!
crypto map mymap 10 ipsec-isakmp
  match address 140
  set peer example-b.cisco.com dynamic
  set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dyn
!
interface fastethernet0/0
  ip address dhcp
  crypto map secure_b

Router B

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
ip access-list extended crypto-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dyn 10
 set transform-set myset
!
crypto map mymap 10 ipsec-isakmp
  match address 140
  set peer example-a.cisco.com dynamic 
  set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dyn
!
interface fastethernet0/0
  ip address dhcp
  crypto map secure_b

注意：由于您不知道FQDN将使用哪个IP地址，因此需要使用通配符预共享密钥：0.0.0.0 0.0.0.0

使用嵌入式事件管理器(EEM)进行隧道目标更新

您也可以使用VTI来完成此任务。基本配置如下所示：

Router A

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth 

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-AES-SHA
!
interface Tunnel1
 ip address 172.16.12.1 255.255.255.0
 tunnel source fastethernet0/0
 tunnel destination example-b.cisco.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
 

Router B

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth 

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-AES-SHA
!
interface Tunnel1
 ip address 172.16.12.2 255.255.255.0
 tunnel source fastethernet0/0
 tunnel destination example-a.cisco.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile

在以前的配置中，FQDN作为隧道目标后，show run命令将显示IP地址而不是名称。这是因为解决方案只发生一次：

RouterA(config)#do show run int tunn 1
Building configuration...

Current configuration : 130 bytes
!
interface Tunnel1
 ip address 172.16.12.1 255.255.255.250
 tunnel source fastethernet0/0
 tunnel destination 209.165.201.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
end

RouterB(config)#do show run int tunn 1
Building configuration...

Current configuration : 130 bytes
!
interface Tunnel1
 ip address 172.16.12.2 255.255.255.250
 tunnel source fastethernet0/0
 tunnel destination 209.165.200.225
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
end

对此的解决方法是配置小程序，以便每分钟解析隧道目标：

Router A

event manager applet change-tunnel-dest
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel1"
 action 1.3 cli command "tunnel destination example-b.cisco.com"

Router B

event manager applet change-tunnel-dest
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel1"
 action 1.3 cli command "tunnel destination example-a.cisco.com" 

验证

使用本部分可确认配置能否正常运行。

RouterA(config)#do show ip int brie
Interface           IP-Address         OK? Method     Status  Protocol
FastEthernet0/0     209.165.200.225    YES NVRAM      up      up
FastEthernet0/1     192.168.10.1       YES NVRAM      up      up
Tunnel1             172.16.12.1        YES manual     up      up


RouterB(config)#do show ip int brie
Interface           IP-Address          OK?   Method   Status  Protocol
FastEthernet0/0     209.165.201.1       YES   TFTP      up     up
FastEthernet0/1     192.168.20.1        YES   manual    up     up
Tunnel1             172.16.12.2         YES   manual    up     up

RouterA(config)#do show cry isa sa
dst             src             state          conn-id slot status
209.165.200.225 209.165.201.1   QM_IDLE              2    0 ACTIVE

RouterB(config)#do show cry isa sa
dst             src             state          conn-id slot status
209.165.200.225 209.165.201.1   QM_IDLE           1002    0 ACTIVE

RouterA(config)#do show cry ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 209.165.200.225

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 209.165.201.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 209.165.200.225, remote crypto endpt.: 209.165.201.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8F1592D2(2400555730)

     inbound esp sas:
      spi: 0xF7B373C0(4155732928)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: AIM-VPN/BPII-PLUS:2, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4501866/3033)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8F1592D2(2400555730)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: AIM-VPN/BPII-PLUS:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4501866/3032)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:




RouterB(config)#do show cry ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 209.165.201.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 209.165.200.225 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 209.165.201.1, remote crypto endpt.: 209.165.200.225
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF7B373C0(4155732928)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8F1592D2(2400555730)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4424128/3016)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF7B373C0(4155732928)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4424128/3016)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

在DNS服务器上将b.cisco.com的DNS记录从209.165.201.1更改为209.165.202.129后，EEM将使路由器A实现，并且隧道将使用正确的新IP地址重新建立。

RouterB(config)#do show ip int brie
Interface           IP-Address          OK?   Method   Status  Protocol
FastEthernet0/0     209.165.202.129     YES   TFTP      up     up
FastEthernet0/1     192.168.20.1        YES   manual    up     up
Tunnel1             172.16.12.2         YES   manual    up     up

RouterA(config-if)#do show run int tunn1
Building configuration...

Current configuration : 192 bytes
!
interface Tunnel1
 ip address 172.16.12.1 255.255.255.252
 tunnel source fastethernet0/0
 tunnel destination 209.165.202.129
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
end

Router1841A#show cry isa sa
dst             src             state          conn-id slot status
209.165.200.225 209.165.202.129 QM_IDLE              3    0 ACTIVE

故障排除

有关常见IKE/IPsec故障排除，请参阅IOS IPSec和IKE调试 — IKEv1主模式故障排除。

相关信息 

• IPsec隧道对等体的实时解析
• 技术支持和文档 - Cisco Systems