We are often asked whether a Huawei AR router will work in a Cisco network built with DMVPN.
Example: a branch network built on Cisco equipment. A Cisco hub router sits at the head office and Cisco spoke routers in the branches connect to it. DMVPN is running with its usual components: NHRP + mGRE + IPsec + OSPF. Can a Huawei AR router be added to such a network as a spoke?
The answer is yes, using Huawei's DSVPN technology.
This article does not describe Cisco DMVPN itself; that information is easy to find online. Huawei offers an interoperable counterpart, DSVPN, built from the same components: mGRE, NHRP, IPsec and a dynamic routing protocol. The lab below covers the hub-to-spoke case only (one Huawei spoke registering with a Cisco hub); spoke-to-spoke shortcut tunnels were not tested.
Licensing note for Huawei AR: the Security and DSVPN licenses are required to enable DSVPN.
We demonstrate this on a lab bench at LWCOM:
Network diagram
Description
We use a Cisco 2811 running IOS 12.4(24)T as the hub and a Huawei AR160 running V200R007 as the spoke. The Huawei WAN interface is 172.16.0.1/30 with Loopback0 10.0.0.1/32; the Cisco WAN interface is 172.16.1.1/30 with Loopback0 10.0.0.2/32; the tunnel subnet is 192.168.0.0/30.
We verify connectivity by sending ICMP echo between the Loopback interfaces of the Cisco and Huawei routers.
Initial configuration
Configure routing between the external interfaces and confirm that there is no reachability between the loopback interfaces without a tunnel.
Huawei
interface GigabitEthernet0/0/0
undo portswitch
ip address 172.16.0.1 255.255.255.252
ip route-static 0.0.0.0 0.0.0.0 172.16.0.2
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
ping 10.0.0.2
PING 10.0.0.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.0.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Cisco
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 172.16.1.2
interface Loopback0
ip address 10.0.0.2 255.255.255.255
ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Configuring mGRE + NHRP
We first verify that the tunnel works without encryption, using static routes over it. Two details matter for interoperability: the NHRP authentication string (nhrp authentication simple 123 on Huawei, ip nhrp authentication 123 on Cisco) must be identical on both ends, while the NHRP network-id is only locally significant, so the different values used below (1 on Huawei, 123 on Cisco) are fine. The authentication string travels in cleartext inside GRE and is a misconfiguration guard, not a security control; confidentiality and integrity come only from the IPsec step that follows. On the Cisco hub, ip nhrp map multicast dynamic is what lets it replicate multicast (such as OSPF hellos) to every spoke that registers.
Huawei
interface Tunnel0/0/0
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
nhrp authentication simple 123
nhrp network-id 1
nhrp entry 192.168.0.2 172.16.1.1 register
ip route-static 10.0.0.2 255.255.255.255 192.168.0.2
ping 10.0.0.2
PING 10.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.0.2 32 172.16.1.1 192.168.0.2 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:20:51
Expire time : --
Number of nhrp peers: 1
Cisco
interface Tunnel0
ip address 192.168.0.2 255.255.255.252
no ip redirects
ip nhrp authentication 123
ip nhrp map multicast dynamic
ip nhrp network-id 123
tunnel source FastEthernet0/0
tunnel mode gre multipoint
ip route 10.0.0.1 255.255.255.255 192.168.0.1
ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel0 created 00:19:25, expire 01:43:54
Type: dynamic, Flags: unique registered used
NBMA address: 172.16.0.1
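As an added example (our own code, not part of the original LWCOM article), the following Python script parses the two NHRP outputs shown above and checks them against each other: the spoke's static hub entry must point at the hub's NBMA (WAN) address, and the hub must hold a registered dynamic entry for the spoke whose NBMA address is the spoke's tunnel source. The sample outputs are the ones displayed above, embedded as constructed input; the function and variable names are ours.

```python
"""Cross-check NHRP state on a Huawei DSVPN spoke and a Cisco DMVPN hub.

Added example, not from the original write-up. The CLI outputs below are the
ones shown on the page, embedded here as constructed sample input.
"""
import re

HUAWEI_NHRP = """\
display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.0.2 32 172.16.1.1 192.168.0.2 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Number of nhrp peers: 1
"""

CISCO_NHRP = """\
sh ip nhrp
192.168.0.1/32 via 192.168.0.1
Tunnel0 created 00:19:25, expire 01:43:54
Type: dynamic, Flags: unique registered used
NBMA address: 172.16.0.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_huawei_nhrp(text):
    """Return {protocol_addr: {...}} from 'display nhrp peer all' (table rows only)."""
    peers = {}
    row = re.compile(rf"^({IPV4})\s+(\d+)\s+({IPV4})\s+({IPV4})\s+(\w+)\s+(\w+)$")
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            proto, mask, nbma, nexthop, typ, flag = m.groups()
            peers[proto] = {"mask": int(mask), "nbma": nbma, "nexthop": nexthop,
                            "type": typ, "flag": flag}
    return peers


def parse_cisco_nhrp(text):
    """Return {protocol_addr: {...}} from 'show ip nhrp'.

    Each entry starts with 'A.B.C.D/M via X'; the lines that follow carry the
    Type/Flags and the NBMA address of that entry.
    """
    peers = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(rf"^({IPV4})/(\d+) via ({IPV4})", line)
        if m:
            current = {"mask": int(m.group(2)), "nexthop": m.group(3),
                       "nbma": None, "type": None, "flags": []}
            peers[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.match(r"^Type:\s*(\w+),\s*Flags:\s*(.*)$", line)
        if m:
            current["type"], current["flags"] = m.group(1), m.group(2).split()
            continue
        m = re.match(rf"^NBMA address:\s*({IPV4})", line)
        if m:
            current["nbma"] = m.group(1)
    return peers


def check_registration(spoke_tunnel_ip, spoke_nbma, hub_tunnel_ip, hub_nbma,
                       huawei_text, cisco_text):
    """Return a list of problems; an empty list means the spoke is registered at the hub."""
    problems = []
    spoke, hub = parse_huawei_nhrp(huawei_text), parse_cisco_nhrp(cisco_text)
    # Spoke side: the static hub entry must map the hub's tunnel IP to its real WAN address.
    entry = spoke.get(hub_tunnel_ip)
    if entry is None:
        problems.append(f"spoke has no NHRP entry for hub {hub_tunnel_ip}")
    elif entry["nbma"] != hub_nbma or entry["flag"] != "hub":
        problems.append(f"spoke hub entry is wrong: {entry}")
    # Hub side: a dynamic, registered entry learned from the spoke, NBMA == spoke WAN address.
    learned = hub.get(spoke_tunnel_ip)
    if learned is None:
        problems.append(f"hub has not learned spoke {spoke_tunnel_ip}; "
                        "check the nhrp authentication string and GRE reachability")
    else:
        if learned["nbma"] != spoke_nbma:
            problems.append(f"hub maps {spoke_tunnel_ip} to {learned['nbma']}, expected {spoke_nbma}")
        if "registered" not in learned["flags"]:
            problems.append(f"hub entry for {spoke_tunnel_ip} is not a registration: {learned['flags']}")
    return problems


if __name__ == "__main__":
    # Addresses are the lab's: spoke tunnel/WAN 192.168.0.1/172.16.0.1, hub 192.168.0.2/172.16.1.1.
    print(check_registration("192.168.0.1", "172.16.0.1", "192.168.0.2", "172.16.1.1",
                             HUAWEI_NHRP, CISCO_NHRP))
```

A non-empty list from check_registration is the first thing to look at when the ping over the tunnel fails: a missing hub entry usually means the NHRP authentication strings differ or the registration never reached the hub (NHRP rides inside GRE, so IP protocol 47 must be allowed between the two WAN addresses).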
Configuring IPsec
Now we verify the tunnel with encryption, still using static routes. The IKE and IPsec parameters must match on both sides: IKEv1 with a pre-shared key, 3DES, MD5 and DH group 2 for phase 1; ESP with 3DES and HMAC-SHA1 for phase 2. These values were chosen only to demonstrate interoperability; in production use AES, SHA-2, DH group 14 or higher and a long random pre-shared key (or certificates) instead of 123. Note that the Cisco transform set is configured with mode transport, yet the outputs below show the SAs in tunnel mode (in use settings ={Tunnel, } on Cisco, Encapsulation mode: Tunnel on Huawei): the Huawei IPsec proposal defaults to tunnel encapsulation and IOS accepts the peer's mode, at the cost of an extra 20-byte IP header per packet. To run transport mode on both sides, set encapsulation-mode transport in the Huawei ipsec proposal. Also, crypto isakmp key 123 address 172.16.0.1 ties the key to this single spoke address; a hub serving many spokes with changing addresses would need a wildcard key or a keyring, which makes a strong PSK or certificates even more important.
Huawei
ipsec invalid-spi-recovery enable
ipsec proposal pro1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ike proposal 5
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
prf hmac-sha1
ike peer Cisco1 v1
pre-shared-key simple 123
ike-proposal 5
ipsec profile profile1
ike-peer Cisco1
proposal pro1
interface Tunnel0/0/0
ipsec profile profile1
ping 10.0.0.2
PING 10.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
15 172.16.1.1 0 RD|ST 2
14 172.16.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
display ipsec sa
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 15
Encapsulation mode: Tunnel
Tunnel local : 172.16.0.1
Tunnel remote : 172.16.1.1
Qos pre-classify : Disable
Qos group : -
[Outbound ESP SAs]
SPI: 3526316683 (0xd22f528b)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887390829/3410
Outpacket count : 372
Outpacket encap count : 372
Outpacket drop count : 0
Max sent sequence-number: 372
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 1312543024 (0x4e3bd130)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887390561/3410
Inpacket count : 374
Inpacket decap count : 374
Inpacket drop count : 0
Max received sequence-number: 374
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
Cisco
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 172.16.0.1
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set trans esp-3des esp-sha-hmac
mode transport
crypto ipsec profile ipsec
set transform-set trans
interface Tunnel0
tunnel protection ipsec profile ipsec
ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.16.1.1 172.16.0.1 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
sh crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 172.16.0.1 port 500
IKE SA: local 172.16.1.1/500 remote 172.16.0.1/500 Active
IPSEC FLOW: permit 47 host 172.16.1.1 host 172.16.0.1
Active SAs: 2, origin: crypto map
sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
#pkts decaps: 362, #pkts decrypt: 362, #pkts verify: 362
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4E3BD130(1312543024)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD22F528B(3526316683)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (1751214/3545)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4E3BD130(1312543024)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (1751214/3545)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
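As an added example (our own code, not from the original article or either vendor), the script below parses the display ipsec sa and sh crypto ipsec sa outputs shown above and performs the checks a practitioner makes by hand: ESP SAs are unidirectional, so the spoke's outbound SPI must equal the hub's inbound SPI and vice versa; the negotiated transforms and encapsulation modes must agree; the negotiated mode is compared with what the hub was configured for; and the transform is screened against a small list of algorithms that should not be used in production. The excerpts are trimmed from the page's own outputs and embedded as constructed input; the name mapping table is ours and covers only the names that appear on the page plus the Cisco names for DES and MD5.

```python
"""Cross-check negotiated IPsec SAs between a Huawei DSVPN spoke and a Cisco
DMVPN hub, and audit the algorithms they agreed on.

Added example, not from the original write-up. The excerpts below are trimmed
from the CLI outputs shown on the page and embedded as constructed input.
"""
import re

HUAWEI_IPSEC_SA = """\
Encapsulation mode: Tunnel
Tunnel local : 172.16.0.1
Tunnel remote : 172.16.1.1
[Outbound ESP SAs]
SPI: 3526316683 (0xd22f528b)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 1312543024 (0x4e3bd130)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
Anti-replay window size: 32
"""

CISCO_IPSEC_SA = """\
inbound esp sas:
spi: 0xD22F528B(3526316683)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0x4E3BD130(1312543024)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
Status: ACTIVE
"""

# Vendor transform names -> canonical algorithm names (names seen on the page, plus
# Cisco's esp-des / esp-md5-hmac). Unknown names pass through lowercased.
CANON = {
    "esp-encrypt-3des-192": "3des", "esp-3des": "3des",
    "esp-auth-sha1": "sha1", "esp-sha-hmac": "sha1",
    "esp-md5-hmac": "md5", "esp-des": "des",
}
WEAK = {"des", "3des", "md5", "null"}


def normalize(transform):
    """Turn a vendor transform string into a vendor-neutral set of algorithm names."""
    return frozenset(CANON.get(t, t) for t in transform.replace(",", " ").lower().split())


def parse_huawei_ipsec_sa(text):
    """Parse 'display ipsec sa' into {"mode", "outbound": {...}, "inbound": {...}}."""
    sa = {"mode": None, "outbound": {}, "inbound": {}}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Encapsulation mode:\s*(\w+)", line)
        if m:
            sa["mode"] = m.group(1).lower()
        elif line.startswith("[Outbound ESP SAs]"):
            direction = "outbound"
        elif line.startswith("[Inbound ESP SAs]"):
            direction = "inbound"
        elif direction:
            m = re.match(r"^SPI:\s*\d+\s*\((0x[0-9a-fA-F]+)\)", line)
            if m:
                sa[direction]["spi"] = int(m.group(1), 16)
            m = re.match(r"^Proposal:\s*(.*)$", line)
            if m:
                sa[direction]["transform"] = normalize(m.group(1))
    return sa


def parse_cisco_ipsec_sa(text):
    """Parse 'show crypto ipsec sa' into the same structure as parse_huawei_ipsec_sa."""
    sa = {"mode": None, "outbound": {}, "inbound": {}}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("inbound esp sas"):
            direction = "inbound"
        elif line.startswith("outbound esp sas"):
            direction = "outbound"
        elif direction:
            m = re.match(r"^spi:\s*(0x[0-9a-fA-F]+)", line)
            if m:
                sa[direction]["spi"] = int(m.group(1), 16)
            m = re.match(r"^transform:\s*(.*)$", line)
            if m:
                sa[direction]["transform"] = normalize(m.group(1))
            m = re.match(r"^in use settings\s*=\{(\w+)", line)
            if m:
                sa["mode"] = m.group(1).lower()
    return sa


def cross_check(spoke, hub, hub_configured_mode=None):
    """Return a list of findings; an empty list means the SAs match and use no weak algorithm."""
    findings = []
    # ESP SAs are unidirectional: spoke outbound == hub inbound, and vice versa.
    for s_dir, h_dir in (("outbound", "inbound"), ("inbound", "outbound")):
        s, h = spoke[s_dir], hub[h_dir]
        if s.get("spi") != h.get("spi"):
            findings.append(f"SPI mismatch: spoke {s_dir} {s.get('spi')!r} vs hub {h_dir} {h.get('spi')!r}")
        if s.get("transform") != h.get("transform"):
            findings.append(f"transform mismatch on spoke {s_dir}: "
                            f"{sorted(s.get('transform', ()))} vs {sorted(h.get('transform', ()))}")
    if spoke["mode"] != hub["mode"]:
        findings.append(f"encapsulation mode mismatch: spoke {spoke['mode']} vs hub {hub['mode']}")
    if hub_configured_mode and hub["mode"] != hub_configured_mode:
        findings.append(f"hub configured {hub_configured_mode} mode but negotiated {hub['mode']} mode")
    used = spoke["outbound"].get("transform", frozenset()) | spoke["inbound"].get("transform", frozenset())
    if used & WEAK:
        findings.append(f"weak ESP algorithms negotiated: {sorted(used & WEAK)}")
    return findings


if __name__ == "__main__":
    for f in cross_check(parse_huawei_ipsec_sa(HUAWEI_IPSEC_SA),
                         parse_cisco_ipsec_sa(CISCO_IPSEC_SA), hub_configured_mode="transport"):
        print(f)
```

Run against the page's outputs with hub_configured_mode="transport", the script reports exactly the two things discussed above: the hub asked for transport mode but ended up in tunnel mode, and 3DES is in use. Matching SPIs across the two vendors' outputs is the quickest way to confirm that both routers are talking about the same pair of SAs rather than stale ones left over from a rekey.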
Configuring OSPF
We replace static routing with OSPF. Remove the static /32 routes added earlier first: on Cisco a static route (administrative distance 1) would otherwise remain preferred over the OSPF route (110) and nothing would change in the routing table. Both ends set the tunnel to OSPF network type point-to-point, which works here because the hub has exactly one spoke; with several spokes on an mGRE hub the tunnel must use point-to-multipoint (or broadcast with the spokes at priority 0), since a point-to-point interface can form only one adjacency. The OSPF packets themselves are not authenticated (Authentication Sequence: [ 0 ] in the Huawei output), which is acceptable only because they travel inside the ESP tunnel; enabling OSPF authentication still limits what a compromised spoke could inject. The route costs differ (1563 on Huawei, 1000 on Cisco) because each vendor assumes a different default bandwidth for tunnel interfaces; with a single path this is harmless.
Huawei
interface Tunnel0/0/0
ospf network-type p2p
ospf 1
area 0.0.0.0
network 10.0.0.1 0.0.0.0
network 192.168.0.0 0.0.0.3
display ospf peer
OSPF Process 1 with Router ID 172.16.0.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(Tunnel0/0/0)'s neighbors
Router ID: 10.0.0.2 Address: 192.168.0.2
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 1476
Dead timer due in 39 sec
Retrans timer interval: 5
Neighbor is up for 00:03:04
Authentication Sequence: [ 0 ]
display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 1 Routes : 1
OSPF routing table status : <Active>
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.0.2/32 OSPF 10 1563 D 192.168.0.2 Tunnel0/0/0
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 0
Cisco
interface Tunnel0
ip ospf network point-to-point
router ospf 1
log-adjacency-changes
network 10.0.0.2 0.0.0.0 area 0
network 192.168.0.0 0.0.0.3 area 0
sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.16.0.1 0 FULL/ - 00:00:35 192.168.0.1 Tunnel0
sh ip route ospf
10.0.0.0/32 is subnetted, 2 subnets
O 10.0.0.1 [110/1000] via 192.168.0.1, 00:01:37, Tunnel0
Conclusions
In this lab a Huawei AR spoke registered with the Cisco DMVPN hub over NHRP/mGRE, negotiated IKEv1/IPsec with it and formed an OSPF adjacency through the encrypted tunnel, so Huawei AR routers can be integrated as spokes into an existing Cisco DMVPN network.
Don't believe it? Take a Huawei AR router from us for a free trial!