IPsec over GRE means the outer header is GRE; in other words, the IPsec packet is carried inside GRE.

Reference:

The order for IPsec over GRE is IPsec first, GRE second. This results in the following:

1.) Original header | Payload                                          ! before IPsec
2.) Original header | ESP | Encrypted(Payload)                         ! after IPsec in transport mode
3.) Outer header | GRE | Original header | ESP | Encrypted(Payload)    ! after GRE
The original header is tucked inside GRE but not encrypted: anyone on the path can still read the original source and destination addresses.


GRE over IPsec means the outer header is IPsec.

Reference:

The order for GRE over IPsec is GRE first, IPsec second. The order is:

1.) Original header | Payload                                          ! before GRE
2.) Outer header | GRE | Original header | Payload                     ! after GRE
3.) Outer header | ESP | Encrypted(GRE | Original header | Payload)    ! after IPsec in transport mode
Here the original header is encrypted.

GRE over IPsec in tunnel mode
GRE over IPsec in transport mode

1. IPsec over GRE

Example 1:

Router1#show run
Building configuration...

Current configuration : 2063 bytes
!
! Last configuration change at 08:26:21 UTC Thu May 12 2011 by hari
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FGL151325XQ
!
!
username temp privilege 15 secret 5 $1$bTf6$BoInpDJHbBC1drvgr356h0
!
!
! lab-grade parameters: 3DES, MD5 and DH group 2 are deprecated; use AES, SHA-2 and DH group 14 or higher in production
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 172.19.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
crypto map cmap 10 ipsec-isakmp
set peer 172.19.0.2
set transform-set myset
match address 101
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
!
interface Tunnel0
ip address 172.25.0.1 255.255.255.252
tunnel source FastEthernet8
tunnel destination 172.19.0.2
tunnel path-mtu-discovery
! applying the crypto map here, on the tunnel interface, is what triggers the "only GDOI crypto map is supported" note quoted below
crypto map cmap
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!

.......
!
interface FastEthernet8
ip address 172.19.0.1 255.255.255.0
duplex auto
speed auto
!
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
!
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 172.25.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet
line vty 5 193
transport input telnet
!
scheduler max-task-time 5000
end

Router2#show run
Building configuration...

Current configuration : 1958 bytes
!
! Last configuration change at 02:44:36 UTC Mon May 2 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
ip source-route
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FGL151324Y0
!
!
username hari privilege 15 secret 5 $1$JARP$69Wl2bZWX4fqfnoOIIFZn/
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 172.19.0.1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
crypto map cmap 10 ipsec-isakmp
set peer 172.19.0.1
set transform-set myset
match address 101
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
!
interface Tunnel0
ip address 172.25.0.2 255.255.255.252
tunnel source FastEthernet8
tunnel destination 172.19.0.1
tunnel path-mtu-discovery
crypto map cmap
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!.....
!
interface FastEthernet7
!
!
interface FastEthernet8
ip address 172.19.0.2 255.255.255.0
duplex auto
speed auto
!
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
!
!
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 172.25.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input telnet
line vty 5 193
login
transport input telnet
!
scheduler max-task-time 5000
end

//supportforums.cisco.com/discussion/11190806/gre-over-ipsec

I am trying to establish a VPN session between two Cisco 892/K9 routers. But when I apply the crypto map on the GRE tunnel interface, this message appears:

 NOTE: crypto map is configured on tunnel interface.
       Currently only GDOI crypto map is supported on tunnel interface.

Suggestions:

If you are trying to configure GRE over IPsec, you can do it with one of the following two configuration options:
1) Use a crypto map and apply it to the physical egress interface of the GRE-encapsulated tunnel packets.

2) Use an IPsec profile with tunnel protection. When you use a crypto map on the tunnel interface, the encapsulation order is the opposite of what you are trying to do: encrypt first, then tunnel-encapsulate; in other words, it would be IPsec over GRE. Currently we only support GETVPN there, hence the warning you see.

Solution:

If there is a reason you cannot put the crypto map on the physical interface, then I agree with Wen's initial suggestion, and Tod again suggests that you use a tunnel protection profile, which lets the tunnel carry IPsec-protected GRE and does not require a crypto map.

Are you configuring a Virtual Tunnel Interface with IPsec?
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! wildcard peer address: any host that presents this pre-shared key can negotiate with this router
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
interface Tunnel0
ip address 192.168.10.2 255.255.255.0
tunnel source 10.0.149.220
tunnel destination 10.0.149.221
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI

======================================================================

Example 2:

Site A:
Local LAN: 192.168.1.254/255.255.255.0
Tunnel64: 10.0.64.1/255.255.255.0

interface Tunnel64
description testing tunnel
ip address 10.0.64.1 255.255.255.0
ip mtu 1352
ip tcp adjust-mss 1312
tunnel source FastEthernet4
tunnel destination (SITE B Public IP)
tunnel path-mtu-discovery
tunnel protection ipsec profile (VPN-PROFILE)
ip route 0.0.0.0 0.0.0.0 (ROUTER IP ADDRESS)
ip route 192.168.64.0 255.255.255.0 10.0.64.254
Site B:
Local LAN: 192.168.64.254/255.255.255.0
Tunnel1: 10.0.64.254/255.255.255.0

interface Tunnel1
ip address 10.0.64.254 255.255.255.0
ip mtu 1352
ip tcp adjust-mss 1312
tunnel source FastEthernet4
tunnel destination (SITE A Public IP)
tunnel path-mtu-discovery
tunnel protection ipsec profile (VPN PROFILE)
ip route 0.0.0.0 0.0.0.0 (PUBLIC IP GATEWAY)
ip route 192.168.1.0 255.255.255.0 10.0.64.1
//supportforums.cisco.com/discussion/12345601/gre-over-ipsec-can-ping-tunnel-interface-not-remote-lan

======================================================================

2. GRE over IPsec

Scenario 9

IPsec is deployed on top of GRE (GRE encapsulation first, then IPsec, i.e. GRE over IPsec in the terminology of this page). The outgoing physical MTU is 1500, the IPsec PMTU is 1500, and the GRE IP MTU is 1476 (1500 - 24 = 1476). TCP/IP packets are therefore fragmented twice, once before GRE and once after IPsec: the packet is fragmented before GRE encapsulation, and one of the resulting GRE packets is fragmented again after IPsec encryption.
Configuring "ip mtu 1440" (IPsec transport mode) or "ip mtu 1420" (IPsec tunnel mode) on the GRE tunnel removes the possibility of double fragmentation in this scenario.
  1. The router receives a 1500-byte datagram.
  2. Before encapsulation, because the tunnel IP MTU is 1476, the 1500-byte packet is fragmented into two pieces of 1476 (1500 - 24 = 1476) and 44 (24 bytes of data + 20-byte IP header) bytes.
  3. GRE encapsulates the IP fragments, adding 24 bytes to each. This results in two GRE packets of 1500 (1476 + 24 = 1500) and 68 (44 + 24) bytes.
  4. IPsec encrypts the two packets, adding 52 bytes of encapsulation overhead to each (IPsec tunnel mode), giving packets of 1552 and 120 bytes.
  5. The router fragments the 1552-byte IPsec packet because it is larger than the outbound MTU (1500). The 1552-byte packet is split into a 1500-byte packet and a 72-byte packet (52 bytes of "payload" plus the 20-byte IP header of the second fragment). The three packets of 1500, 72 and 120 bytes are forwarded to the IPsec + GRE peer.
  6. The receiving router reassembles the two IPsec fragments (1500 and 72 bytes) to get the original 1552-byte IPsec + GRE packet. Nothing needs to be done to the 120-byte IPsec + GRE packet.
  7. IPsec decrypts the 1552-byte and 120-byte IPsec + GRE packets to get the 1500-byte and 68-byte GRE packets.
  8. GRE decapsulates the 1500-byte and 68-byte GRE packets to get the 1476-byte and 44-byte IP packet fragments. These IP fragments are forwarded to the destination host.
  9. Host 2 reassembles these IP fragments to get the original 1500-byte IP datagram.
Scenario 10 is similar to Scenario 8, except that there is a lower-MTU link in the tunnel path. This is the "worst case" for the first packet sent from Host 1 to Host 2. TCP flows between Host 1 and other hosts (reachable through the IPsec + GRE tunnel) only have to go through the last three steps of Scenario 10.
In this scenario, the tunnel path-mtu-discovery command is configured on the GRE tunnel and the DF bit is set on the TCP/IP packets originating from Host 1.
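The two header stacks from the first part of this page and the Scenario 9 walk-through above can be checked with a small model. The following Python is an added example written for this page, not code from Cisco or from the forum posts quoted here; it assumes the overhead figures the scenario uses (24 bytes for GRE, 36 bytes for ESP transport mode, 52 bytes for ESP tunnel mode) and models IPv4 fragmentation of DF-clear packets on 8-byte boundaries.

```python
"""Model of GRE + IPsec encapsulation: which headers end up encrypted for each
ordering, and how the Scenario 9 double fragmentation arises."""

IP_HDR = 20
GRE_OVERHEAD = 24                                  # delivery IP header (20) + GRE header (4)
IPSEC_OVERHEAD = {"transport": 36, "tunnel": 52}   # ESP overhead figures used by the scenario text


def header_stack(order: str, ipsec_mode: str) -> tuple[list[str], list[str]]:
    """Outer-to-inner header stack and the subset of it that ESP encrypts.

    order is "ipsec-over-gre" (IPsec applied first, e.g. a crypto map on the
    tunnel interface) or "gre-over-ipsec" (GRE first, e.g. tunnel protection
    or a crypto map on the physical interface)."""
    if order == "ipsec-over-gre":
        if ipsec_mode != "transport":
            raise ValueError("this page only describes IPsec over GRE with transport mode")
        # ESP is applied to the original packet, so only its payload is hidden;
        # GRE then wraps the result and the original IP header stays readable.
        stack = ["outer-IP", "GRE", "orig-IP", "ESP", "payload"]
        encrypted = ["payload"]
    elif order == "gre-over-ipsec":
        gre_pkt = ["GRE", "orig-IP", "payload"]
        if ipsec_mode == "transport":
            stack = ["outer-IP", "ESP"] + gre_pkt
            encrypted = gre_pkt
        elif ipsec_mode == "tunnel":
            # tunnel mode adds a new IP header and encrypts the GRE delivery header as well
            stack = ["new-IP", "ESP", "outer-IP"] + gre_pkt
            encrypted = ["outer-IP"] + gre_pkt
        else:
            raise ValueError(ipsec_mode)
    else:
        raise ValueError(order)
    return stack, encrypted


def fragment(size: int, mtu: int) -> list[int]:
    """IPv4 fragmentation of a `size`-byte datagram (DF clear) for a link of
    `mtu` bytes: every fragment but the last carries a multiple of 8 payload
    bytes, and each fragment gets its own 20-byte IP header."""
    if size <= mtu:
        return [size]
    payload = size - IP_HDR
    per_fragment = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        take = min(per_fragment, payload)
        sizes.append(take + IP_HDR)
        payload -= take
    return sizes


def gre_over_ipsec_wire(datagram: int, gre_ip_mtu: int, ipsec_mode: str,
                        phys_mtu: int = 1500) -> dict:
    """Packet sizes on the wire when a DF-clear datagram enters a GRE tunnel
    whose `ip mtu` is gre_ip_mtu, the GRE packet is ESP-encrypted, and the
    result leaves on a phys_mtu link. Also reports whether a second
    fragmentation (after IPsec) was needed."""
    before_gre = fragment(datagram, gre_ip_mtu)           # first fragmentation, before GRE
    on_wire, double = [], False
    for frag in before_gre:
        encrypted = frag + GRE_OVERHEAD + IPSEC_OVERHEAD[ipsec_mode]
        pieces = fragment(encrypted, phys_mtu)            # second fragmentation, after IPsec
        double |= len(pieces) > 1
        on_wire.extend(pieces)
    return {"before_gre": before_gre, "on_wire": on_wire, "double_fragmented": double}


if __name__ == "__main__":
    print(header_stack("ipsec-over-gre", "transport"))
    print(header_stack("gre-over-ipsec", "tunnel"))
    print(gre_over_ipsec_wire(1500, 1476, "tunnel"))    # Scenario 9 as described above
    print(gre_over_ipsec_wire(1500, 1420, "tunnel"))    # same tunnel with ip mtu 1420
```

Running it reproduces the 1500/72/120-byte sequence of Scenario 9 and shows that "ip mtu 1420" on the tunnel yields two packets of 1496 and 176 bytes with no second fragmentation. header_stack makes the point of the first section concrete: with IPsec over GRE the original IP header is not in the encrypted set, with GRE over IPsec it is.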

Site 1:


Building configuration...

Current configuration : 12325 bytes
!
! Last configuration change at 21:03:48 EST Tue Nov 29 2016 by admin
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Site1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16384
no logging console
enable secret 5 $1$Au7T$y0eMjqCcQuGPFAT58fiWM.
enable password 7 06360E325F1F5B4A51
!
aaa new-model
!
!
aaa authentication login default local group radius group tacacs+
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication enable default enable group radius group tacacs+
aaa authorization console
aaa authorization exec default local group radius group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
no process cpu extended history
no process cpu autoprofile hog
clock timezone EST -5 0
clock summer-time EDT recurring
errdisable recovery cause bpduguard
!
crypto pki trustpoint TP-self-signed-397309841
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-397309841
revocation-check none
rsakeypair TP-self-signed-397309841
!
!
crypto pki certificate chain TP-self-signed-397309841
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393733 30393834 31301E17 0D313630 39323430 31353634
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3339 37333039
38343130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
D99CE812 CAAAEBE1 289B7967 9887E203 31E74611 9A9DFF84 696FDF93 1DEAE087
369D82D5 1434E0FE B1231C84 B619173A 9D324F18 0BF666A9 ABC72356 C5665043
699F33E2 669F3842 AB54BC4F 472E400A 3E70F33C 0EFF6374 114EAA3B FB83A3A6
1758945F D2733774 53F10849 0B4E5B92 D3C6A414 9C2AAEFE 88E1140B 8E8D9D6F
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801425 DEA3E9A9 B98BAD6C D802B2F6 DD8E82EB 734D8430 1D060355
1D0E0416 041425DE A3E9A9B9 8BAD6CD8 02B2F6DD 8E82EB73 4D84300D 06092A86
4886F70D 01010505 00038181 00D5E7B1 4E8F4902 311BF1CB 88ED6E9B 5EF20197
AFDBA6A5 EF0378B4 B93E7703 B5EC0E35 023091A8 A84EEAD3 6186847F E3A6F350
8F6FBD94 113FB5EA B630D030 035C953B 39AB1763 5AF20F38 9BEBAA4B AA6B2395
CCCFC776 7F9CE290 888A3452 FB4F9916 F86D1E4A F51727D9 47842AE6 843F5BE9
E7225CBD F70D934F 740FF234 A9
quit
no ip source-route
no ip gratuitous-arps
!
ip dhcp bootp ignore
ip dhcp excluded-address 19.16.5.1 19.16.5.35
!
ip dhcp pool local-pool-1
import all
network 19.16.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 8.8.8.8 8.8.4.4
lease 0 8
!
no ip bootp server
no ip domain lookup
ip domain name test.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C881-K9 sn FJC1950E2C6
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path flash:backup-
maximum 8
write-memory
!
no spanning-tree optimize bpdu transmission
spanning-tree uplinkfast
spanning-tree backbonefast
vtp domain gd
vtp mode transparent
username admin privilege 15 secret 5 $1$4Aja$XwY/5peZXMOYH9Vs8Fqr1
username test secret 5 $1$Vlfg$Sjn.GLyoElKHLryT/ZlY1

!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.3.02039-k9.pkg sequence 1
!
vlan 10
name EXT
!
vlan 20
name LAN
!
ip ftp username rooter
ip ftp password 7 03165404120A33
ip ssh time-out 10
ip ssh logging events
ip ssh version 2
!
class-map type port-filter match-any TCP23
match port tcp 23
!
policy-map type port-filter FILTERTCP23
class TCP23
drop
log
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key [email protected] address 19.18.76.90
!
!
crypto ipsec transform-set TEST-BUR esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ASE-MD5 esp-aes esp-md5-hmac
mode tunnel
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to19.18.76.90
set peer 19.18.76.90
set transform-set TEST-BUR
match address 100
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
ip mtu 1380
ip tcp adjust-mss 1340
keepalive 10 3
tunnel source Vlan10
tunnel destination 19.18.76.90
tunnel path-mtu-discovery
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description External
switchport access vlan 10
no ip address
!
interface FastEthernet1
description internal
switchport access vlan 20
no ip address
!
interface FastEthernet2
no ip address
no cdp enable
!.....
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2
ip unnumbered Vlan10
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description ext
ip address 19.8.241.126 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip multicast boundary 30
ip nat outside
ip virtual-reassembly in
no ip route-cache
crypto map SDM_CMAP_1
!
interface Vlan20
description LAN
ip address 19.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip multicast boundary 30
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip local pool camvpn 10.10.10.100 10.10.10.200
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-export destination 192.0.2.34 2055
!
ip nat inside source route-map INTERNET1 interface Vlan10 overload
ip nat inside source static 19.16.5.10 19.8.241.125
ip nat inside source static tcp 19.16.5.5 25 19.8.241.126 25 extendable
ip nat inside source static tcp 19.16.5.5 80 19.8.241.126 80 extendable
ip nat inside source static tcp 19.16.5.5 443 19.8.241.126 443 extendable
ip nat inside source static tcp 19.16.5.5 3389 19.8.241.126 3389 extendable
ip route 0.0.0.0 0.0.0.0 19.8.241.121
ip route 172.21.1.0 255.255.255.0 Tunnel0
!
ip access-list extended BUR-TEST-LIST
remark CCP_ACL Category=16
permit ip 19.16.5.0 0.0.0.255 172.21.1.0 0.0.0.255
ip access-list extended inside-out
permit ip 19.16.5.0 0.0.0.255 any
!
no service-routing capabilities-manager
logging trap debugging
logging facility local5
logging source-interface Loopback0
logging host 10.2.2.3
!
route-map INTERNET1 permit 10
match ip address 108
!
snmp-server group SNMPv3-RO v3 priv read ReadView-All access snmp-Allow
snmp-server group SNMPv3-RW v3 priv read ReadView-All write WriteView-All access snmp-Allow
snmp-server view ReadView-All iso included
snmp-server view ReadView-All internet included
snmp-server view ReadView-All system included
snmp-server view ReadView-All interfaces included
snmp-server view ReadView-All internet.6.3.15 excluded
snmp-server view ReadView-All internet.6.3.16 excluded
snmp-server view ReadView-All internet.6.3.18 excluded
snmp-server view ReadView-All ip.21 excluded
snmp-server view ReadView-All ip.22 excluded
snmp-server view ReadView-All chassis included
snmp-server view WriteView-All iso included
snmp-server view WriteView-All internet included
snmp-server view WriteView-All system included
snmp-server view WriteView-All interfaces included
snmp-server view WriteView-All internet.6.3.15 excluded
snmp-server view WriteView-All internet.6.3.16 excluded
snmp-server view WriteView-All internet.6.3.18 excluded
snmp-server view WriteView-All ip.21 excluded
snmp-server view WriteView-All ip.22 excluded
snmp-server view WriteView-All chassis included
snmp-server location TORONTO
snmp-server contact NetSec-OP
access-list 20 remark SNMP ACL
access-list 20 permit 192.0.2.34
access-list 20 deny any log
access-list 23 permit 172.21.1.0 0.0.0.255
access-list 23 permit 19.16.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit gre host 19.8.241.126 host 19.18.76.90
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
access-list 101 permit ip 19.16.5.0 0.0.0.255 any
access-list 101 permit ip 19.24.116.0 0.0.0.255 any
access-list 101 permit ip 6.16.0.0 0.0.255.255 any
access-list 108 remark CCP_ACL Category=18
access-list 108 permit ip 19.16.5.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
privilege exec level 7 show configuration
privilege exec level 7 show
banner motd ^C
****************************************************************
* This is a private computing facility. *
* Unauthorized use of this device is strictly prohibited. *
* Violators will be prosecuted to the maximum extent possible. * *
****************************************************************
^C
!
line con 0
exec-timeout 4 30
logging synchronous
login authentication CONAUTH
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 4 30
privilege level 15
password 7 107E080A1646405858
logging synchronous
login authentication VTYAUTH
transport input ssh
line vty 5 15
access-class 101 in
exec-timeout 4 30
privilege level 15
absolute-timeout 15
logging synchronous
login authentication VTYAUTH
transport input ssh
!
exception core-file secure-router01-core
exception protocol ftp
exception dump 10.2.2.3
scheduler allocate 20000 1000
ntp authentication-key 6767 md5 10123A3C2625373F27211375 7
ntp authenticate
ntp update-calendar
ntp server 3.ca.pool.ntp.org
ntp server 2.ca.pool.ntp.org
ntp server 0.ca.pool.ntp.org
ntp server 1.ca.pool.ntp.org
!
!
webvpn gateway gateway_1
ip address 199.87.241.126 port 4443
http-redirect port 8080
ssl trustpoint TP-self-signed-397309841
inservice
!
webvpn context camsslvpn
secondary-color white
title-color #CCCC66
text-color black
virtual-template 2
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
max-users 5
!
ssl authenticate verify all
inservice
!
policy group policy_1
functions svc-enabled
svc address-pool "camvpn" netmask 255.255.255.255
svc keep-client-installed
svc split include 19.16.5.0 255.255.255.0
svc split include 172.21.1.0 255.255.255.0
default-group-policy policy_1
!
end



Site 2:



Building configuration...

Current configuration : 10365 bytes
!
! Last configuration change at 21:11:11 EST Tue Nov 29 2016 by admin
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Site2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16384
no logging console
enable secret 5 $1$Au7T$y0eMjqCcQuGPFAT58fiWM.
!
aaa new-model
!
aaa authentication login default local group radius group tacacs+
aaa authentication enable default enable group radius group tacacs+
aaa authorization console
aaa authorization exec default local group radius group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
errdisable recovery cause bpduguard
!
crypto pki trustpoint TP-self-signed-103227904
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-103227904
revocation-check none
rsakeypair TP-self-signed-103227904
!
crypto pki certificate chain TP-self-signed-103227904
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303332 32373930 34301E17 0D313630 39323430 31353634
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3130 33323237
39303430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
9C48F515 D36758BD 77CF74D5 4F2C3FB6 A687CF45 825AAE0B 367CC4F1 F2630CBC
80E185FB E9CB948A 15A0B637 0E625245 A9B4DE3C 80B63CBB E5049B08 3104C167
D7062F27 12045C11 7EED8340 69F8C49D DA6C9338 34EEEF28 B361CBED E8F2173E
3023AE81 B75683D6 02CD6600 AD5A7181 220DADEC 841743A8 50931AAE 1AE95039
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801431 5ADB9FC3 3B3505C1 BB7FF656 712C5341 BD436E30 1D060355
1D0E0416 0414315A DB9FC33B 3505C1BB 7FF65671 2C5341BD 436E300D 06092A86
4886F70D 01010505 00038181 002226E8 F788CD21 E6F33781 C1146D4B A2F506F7
7FEAEB7B B55967B4 967FED0E 8312E2D5 DFE28921 8B941BA1 60B3AAC9 B78E10A2
4EAF7793 8A55354A 4475DBFF 922CA2C1 F97455E6 AA895A4A 00665990 2C4D667B
3C84CA0E 54437C2E F80E48B3 16ABB5AC 81EC2BAC 5C0CB465 22ABB1F2 122514E5
9A2900C6 AADA9B96 41339D1B 58
quit
no ip source-route
no ip gratuitous-arps
!
ip dhcp bootp ignore
ip dhcp excluded-address 172.21.1.1 172.21.1.99
!
ip dhcp pool local-pool-1
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
dns-server 8.8.8.8 8.8.4.4
lease 0 8
!
no ip bootp server
no ip domain lookup
ip domain name test.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C881-K9 sn FJC1950E2C7
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path flash:backup-
maximum 8
write-memory
!
no spanning-tree optimize bpdu transmission
spanning-tree uplinkfast
spanning-tree backbonefast
vtp domain gd
vtp mode transparent
username admin privilege 15 secret 5 $1$4Aja$XwY/5peZXMOYH9Vs8Fqr1
username temp secret 5 $1$Vlfg$Sjn.GLyoEKHKLryT/ZlY1
!
vlan 10
name EXT
!
vlan 20
name LAN
!
ip ftp username rooter
ip ftp password 7 03165404120A33
ip ssh time-out 10
ip ssh logging events
ip ssh version 2
!
class-map type port-filter match-any TCP23
match port tcp 23
!
policy-map type port-filter FILTERTCP23
class TCP23
drop
log
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key [email protected] address 19.8.241.126
!
!
crypto ipsec transform-set TEST-BUR esp-3des esp-sha-hmac
mode tunnel
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 19.18.76.90 that connects to this router.
set peer 19.8.241.126
set transform-set TEST-BUR
match address SDM_1
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
ip mtu 1380
ip tcp adjust-mss 1340
keepalive 10 3
tunnel source Vlan10
tunnel destination 199.87.241.126
tunnel path-mtu-discovery
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description External
switchport access vlan 10
no ip address
!
interface FastEthernet1
description Internal
switchport access vlan 20
no ip address
!......
!
interface Virtual-Template1
ip unnumbered Vlan10
!
interface Vlan1
no ip address
!
interface Vlan10
description EXT
ip address 19.18.76.90 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip multicast boundary 30
ip nat outside
ip virtual-reassembly in
no ip route-cache
crypto map SDM_CMAP_1
!
interface Vlan20
description LAN
ip address 172.21.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip multicast boundary 30
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-export destination 192.0.2.34 2055
!
ip nat inside source route-map INTERNET1 interface Vlan10 overload
ip nat inside source static tcp 172.21.1.4 3389 192.186.76.90 3389 extendable
ip route 0.0.0.0 0.0.0.0 192.186.76.89
ip route 10.10.10.0 255.255.255.0 Tunnel0
ip route 19.16.5.0 255.255.255.0 Tunnel0
!
ip access-list extended BUR-TEST-LIST
permit ip 172.21.1.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended SDM_1
remark CCP_ACL Category=4
permit gre host 19.18.76.90 host 199.87.241.126
!
logging trap debugging
logging facility local5
logging source-interface Loopback0
logging host 10.2.2.3
!
route-map INTERNET1 permit 10
match ip address 108
!
snmp-server group SNMPv3-RO v3 priv read ReadView-All access snmp-Allow
snmp-server group SNMPv3-RW v3 priv read ReadView-All write WriteView-All access snmp-Allow
snmp-server view ReadView-All iso included
snmp-server view ReadView-All internet included
snmp-server view ReadView-All system included
snmp-server view ReadView-All interfaces included
snmp-server view ReadView-All internet.6.3.15 excluded
snmp-server view ReadView-All internet.6.3.16 excluded
snmp-server view ReadView-All internet.6.3.18 excluded
snmp-server view ReadView-All ip.21 excluded
snmp-server view ReadView-All ip.22 excluded
snmp-server view ReadView-All chassis included
snmp-server view WriteView-All iso included
snmp-server view WriteView-All internet included
snmp-server view WriteView-All system included
snmp-server view WriteView-All interfaces included
snmp-server view WriteView-All internet.6.3.15 excluded
snmp-server view WriteView-All internet.6.3.16 excluded
snmp-server view WriteView-All internet.6.3.18 excluded
snmp-server view WriteView-All ip.21 excluded
snmp-server view WriteView-All ip.22 excluded
snmp-server view WriteView-All chassis included
snmp-server location Markham
snmp-server contact NetSec-OP
access-list 20 remark SNMP ACL
access-list 20 permit 192.0.2.34
access-list 20 deny any log
access-list 23 permit 172.21.1.0 0.0.0.255
access-list 23 permit 19.16.5.0 0.0.0.255
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
access-list 101 permit ip 19.16.5.0 0.0.0.255 any
access-list 101 permit ip 19.24.116.0 0.0.0.255 any
access-list 108 deny ip 172.21.1.0 0.0.0.255 19.16.5.0 0.0.0.255
access-list 108 permit ip 172.21.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
privilege exec level 7 show configuration
privilege exec level 7 show
banner motd ^CC
****************************************************************
* This is a private computing facility. *
* Unauthorized use of this device is strictly prohibited. *
* Violators will be prosecuted to the maximum extent possible. *
* *
* TACACS+/RADIUS Authentication and Authorization are in place.*
* All actions/commands are monitored and recorded. *
* By using the network you expressly consent to such *
* monitoring and recording. *
****************************************************************
^C
!
line con 0
exec-timeout 4 30
logging synchronous
login authentication CONAUTH
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 4 30
privilege level 15
logging synchronous
login authentication VTYAUTH
transport input ssh
line vty 5 15
access-class 101 in
exec-timeout 4 30
privilege level 15
absolute-timeout 15
logging synchronous
login authentication VTYAUTH
transport input ssh
!
exception core-file secure-router01-core
exception protocol ftp
exception dump 10.2.2.3
scheduler allocate 20000 1000
ntp authentication-key 6767 md5 10123A3C2625373F27211375 7
ntp authenticate
ntp update-calendar
ntp server 3.ca.pool.ntp.org
ntp server 2.ca.pool.ntp.org
ntp server 0.ca.pool.ntp.org
ntp server 1.ca.pool.ntp.org
!
end

3. MTU vs MSS

MTU is the maximum IP packet size for a given link. Packets larger than the MTU are fragmented at the point where the lower MTU is found and reassembled by the final destination (or by the tunnel endpoint, for tunnelled traffic); intermediate routers do not reassemble. The interface MTU is a layer 2 property, the largest frame payload the physical link carries. In some cases a protocol or piece of software needs its own MTU defined on top of it, such as the IP MTU or the MPLS MTU.

MSS is the maximum TCP segment size. Unlike the MTU, the MSS is not enforced by fragmentation: the sender must never build a segment larger than the one the receiver announced, and if a link on the path cannot carry a packet of that size while the DF bit is set, the packet is dropped rather than fragmented. The MSS is announced during the TCP three-way handshake, but some setups produce paths on which the announced MSS is still too large, which causes packet loss. The MSS is not negotiated per packet; it applies to the whole TCP session, and it does not count the TCP/IP headers. The MSS is derived from the MTU so that no further fragmentation is needed: MSS = MTU - 20 (IPv4 header) - 20 (TCP header). If no MTU is known, the default MSS of 536 is used (the 576-byte minimum IPv4 reassembly size minus the 40 bytes of headers).

The TCP maximum segment size (MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram can be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of the data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.
Originally, MSS meant how big a buffer (up to roughly 64 KB) was allocated on a receiving station to be able to store the TCP data contained within a single IP datagram. MSS is the maximum data segment (chunk) that the TCP receiver is willing to accept. This TCP segment could be as large as 64 KB (the maximum IP datagram size) and could be fragmented at the IP layer in order to be transmitted to the receiving host. The receiving host reassembles the IP datagram before it hands the complete TCP segment to the TCP layer.

For example, with PPPoE all that overhead means you need to reduce the MSS along the way, usually by specifying it on the router where the choke point is; that router then rewrites the MSS seen in the three-way handshake down to the correct lower value if the advertised one is higher. PPPoE adds only 8 bytes (6 bytes of PPPoE + 2 bytes of PPP) on top of everything (IP + TCP), and it is meant to run over Ethernet with a 1500-byte MTU, so the usable IP MTU becomes 1492 and the MSS is usually clamped to 1452 (1492 - 40) to get through.

Your IP stack cuts the data to be sent into MSS-sized pieces, puts each into a TCP segment, then into one or more IP packets (depending on whether the segment exceeds the local MTU setting), and sends them. Routers along the way with a lower MTU can cut them further (or, if DF is set, drop them and return an ICMP "fragmentation needed"), but they only act on the IP packets; the TCP segment and its header are left alone.

MTU and MSS configuration:

interface Tunnel xxxx
 ip mtu 1372
 ip tcp adjust-mss 1332
Cisco recommends a GRE MTU of 1400, which is fine. GRE tunnel encapsulation needs 24/28 bytes, as you say (I always go with 28, to include some fudge). So the MTU GRE can carry is 1400 - 28 = 1372, excluding the GRE encapsulation. Do not forget that the maximum segment size is the largest amount of transmittable data that can be sent without fragmentation. So the IP header needs 20 bytes and the TCP header needs 20 bytes = 40 bytes.
Good, so now we have:
28 bytes - GRE
20 bytes - IP
20 bytes - TCP
68 bytes in total; 1400 - 68 = 1332, which is the MSS that the client and the upstream device should set in the TCP handshake.
Here is an example from the Cisco TechNote:

Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec

  1. Host A compares its MSS buffer (16K) and its MTU (1500 - 40 = 1460) and uses the lower value as the MSS (1460) to send to Host B.
  2. Host B receives Host A's send MSS (1460) and compares it to the value of its outbound interface MTU - 40 (4422).
  3. Host B sets the lower value (1460) as the MSS for sending IP datagrams to Host A.
  4. Host B compares its MSS buffer (8K) and its MTU (4462 - 40 = 4422) and uses 4422 as the MSS to send to Host A.
  5. Host A receives Host B's send MSS (4422) and compares it to the value of its outbound interface MTU - 40 (1460).
  6. Host A sets the lower value (1460) as the MSS for sending IP datagrams to Host B.
Both hosts selected 1460 as the send MSS for each other. Often the send MSS values on both ends of a TCP connection are the same.
In Scenario 2, because the hosts take both outgoing interface MTUs into account, no fragmentation occurs at the endpoints of the TCP connection. Packets can still become fragmented in the network between Router A and Router B if they encounter a link with a lower MTU than that of either host's outbound interface.
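How each endpoint arrives at its send MSS (the six steps above) and how a router clamps the MSS option in a passing SYN, the way "ip tcp adjust-mss" does for the PPPoE and GRE cases discussed earlier, can be shown in code. The following Python is an added example written for this page; it is not from the Cisco TechNote or from the forum replies quoted above. The SYN segment it parses is constructed inline, and its checksum is computed over the TCP segment only (the IPv4 pseudo-header a real stack includes is omitted), which is enough to cross-check the RFC 1624 incremental checksum update the clamp applies.

```python
"""TCP MSS: how each endpoint picks its send MSS, and how a router rewrites
the MSS option of a passing SYN the way `ip tcp adjust-mss` does."""
import struct

IP_TCP_HEADERS = 40          # 20-byte IPv4 header + 20-byte TCP header, no options


def announced_mss(recv_buffer: int, mtu: int) -> int:
    """MSS a host advertises in its SYN: the smaller of its receive buffer
    and its outbound MTU minus the IP and TCP headers."""
    return min(recv_buffer, mtu - IP_TCP_HEADERS)


def send_mss(peer_announced: int, own_mtu: int) -> int:
    """MSS a host actually uses when sending: never above what the peer
    announced and never above what its own outbound MTU allows."""
    return min(peer_announced, own_mtu - IP_TCP_HEADERS)


def mss_for_path(mtu: int, *encap_overheads: int) -> int:
    """MSS to clamp to when extra encapsulation sits between TCP and the link,
    e.g. mss_for_path(1500, 8) for PPPoE or mss_for_path(1400, 28) for GRE."""
    return mtu - sum(encap_overheads) - IP_TCP_HEADERS


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(segment: bytes) -> int:
    """Checksum over the TCP segment alone (pseudo-header deliberately omitted)."""
    return ~_ones_complement_sum(segment) & 0xFFFF


def checksum_is_valid(segment: bytes) -> bool:
    stored = struct.unpack_from("!H", segment, 16)[0]
    return tcp_checksum(segment[:16] + b"\x00\x00" + segment[18:]) == stored


def _incremental_checksum(old_cksum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): fix the checksum for one changed
    16-bit word without re-summing the whole segment."""
    total = (~old_cksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _walk_options(segment: bytes):
    """Yield (offset, kind, length) per TLV option; stop at EOL or malformed data."""
    data_offset = min((segment[12] >> 4) * 4, len(segment))   # never read past a truncated buffer
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                          # End of Option List
            return
        if kind == 1:                          # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:               # kind byte with no room for a length
            return
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:   # malformed TLV
            return
        yield i, kind, length
        i += length


def read_mss(segment: bytes):
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss_option(segment: bytes, max_mss: int) -> bytes:
    """Return the segment with its MSS option lowered to max_mss if it is larger,
    checksum fixed up incrementally. Segments without an MSS option are returned unchanged."""
    seg = bytearray(segment)
    for off, kind, length in _walk_options(seg):
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", seg, off + 2)[0]
            if old > max_mss:
                struct.pack_into("!H", seg, off + 2, max_mss)
                old_cksum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, _incremental_checksum(old_cksum, old, max_mss))
            break
    return bytes(seg)


def build_syn(mss: int) -> bytes:
    """Constructed sample SYN (port 40000 -> 443) carrying MSS, NOP, window
    scale 7, SACK-permitted and two NOPs of padding, with a segment-only checksum."""
    options = (struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
               + struct.pack("!BB", 4, 2) + b"\x01\x01")
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 443, 0x1234, 0, data_offset << 4, 0x02, 65535, 0, 0)
    seg = header + options
    return seg[:16] + struct.pack("!H", tcp_checksum(seg)) + seg[18:]


if __name__ == "__main__":
    syn = build_syn(1460)
    clamped = clamp_mss_option(syn, mss_for_path(1400, 28))
    print(read_mss(syn), "->", read_mss(clamped), "checksum ok:", checksum_is_valid(clamped))
```

With the numbers from the six steps, announced_mss(16 * 1024, 1500) and announced_mss(8 * 1024, 4462) give 1460 and 4422, and send_mss on each side then settles on 1460 for both directions. The clamp only ever lowers the option, stops at the first MSS option, and refuses to walk past a malformed or truncated option list, which is the behaviour you want from anything that touches packets in the forwarding path.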

Reference:

By John
