Configuring an IPSec VPN to Carry Multicast Traffic
1. Network Requirements:
Traditional IPSec security policies do not support multicast traffic. This used to be solved with IPSec over GRE, which is not only complex to configure but also adds considerable overhead because of the layered encapsulation. An IPsec virtual tunnel interface meets this requirement cleanly. An IPsec virtual tunnel interface is a routable Layer 3 logical interface: it supports dynamic routing protocols, and every packet routed to the IPsec virtual tunnel interface is protected by IPsec.
2. Network Diagram:

PC1 and PC2 exchange multicast data with each other, and the gateway devices provide IPSec encrypted transport for the multicast traffic. The multicast data between the two PCs is sent and received with the "超限组播测试工具2.0" multicast test tool.
3. Configuration Steps:
F100-S-G configuration:
#
ike peer 1
pre-shared-key cipher $c$3$tC9CH63BPBhvDmICydooawpYXp0hnPm7GQ==
remote-address 192.168.2.2
local-address 192.168.2.1
#
ipsec transform-set 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5 // lab setting as on the original page; MD5 and DES are deprecated, use SHA-2 and AES in production
esp encryption-algorithm des
#
ipsec profile 1 // An IPSec profile (security framework) must be used, not a policy
ike-peer 1
transform-set 1
#
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.1.1 255.255.255.0
igmp enable
pim dm
#
interface GigabitEthernet0/2
port link-mode route
ip address 192.168.2.1 255.255.255.0
#
#
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel-protocol ipsec ipv4 // Change the tunnel encapsulation protocol to IPSec
source 192.168.2.1
destination 192.168.2.2
ipsec profile 1
pim dm
#
#
ip route-static 0.0.0.0 0.0.0.0 Tunnel0
#
The F1000-E is configured in the same way.
4. Verifying the Result:
Display the interface statistics on the F100-S-G:
[H3C]dis interface g0/1
GigabitEthernet0/1 current state: UP
Line protocol current state: UP
Description: GigabitEthernet0/1 Interface
The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.1/24 Primary
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 3ce5-a613-fa1b
IPv6 Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 3ce5-a613-fa1b
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s, Full-duplex, link type is autonegotiation
Output flow-control is disabled, input flow-control is disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Peak value of input: 87287 bytes/sec, at 2013-8-26 6:41:40
Peak value of output: 142470 bytes/sec, at 2013-8-26 6:24:5
Last 300 seconds input rate 68733 bytes/sec, 549864 bits/sec, 72 packets/sec
Last 300 seconds output rate 304 bytes/sec, 2432 bits/sec, 2 packets/sec
Input: 88624 packets, 0 jumboes, 77021075 bytes, 88624 buffers
1134 broadcasts, 70735 multicasts, 0 pauses
0 errors, 0 runts, 0 giants
0 crc, 0 align errors, 0 overruns
0 dribbles, 0 drops, 0 no buffers
Output:16947 packets, 14151157 bytes, 16947 buffers
2 broadcasts, 11911 multicasts, 0 pauses
0 errors, 0 underruns, 0 collisions
0 deferred, 0 drops, 0 lost carriers
[H3C]dis interface g0/2
GigabitEthernet0/2 current state: UP
Line protocol current state: UP
Description: GigabitEthernet0/2 Interface
The Maximum Transmit Unit is 1500
Internet Address is 192.168.2.1/24 Primary
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 3ce5-a613-fa1c
IPv6 Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 3ce5-a613-fa1c
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s, Full-duplex, link type is autonegotiation
Output flow-control is disabled, input flow-control is disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Peak value of input: 152635 bytes/sec, at 2013-8-26 6:24:5
Peak value of output: 94470 bytes/sec, at 2013-8-26 6:41:40
Last 300 seconds input rate 10 bytes/sec, 80 bits/sec, 0 packets/sec
Last 300 seconds output rate 71859 bytes/sec, 574872 bits/sec, 70 packets/sec
Input: 14008 packets, 0 jumboes, 14852600 bytes, 14008 buffers
5 broadcasts, 0 multicasts, 0 pauses
0 errors, 0 runts, 0 giants
0 crc, 0 align errors, 0 overruns
0 dribbles, 0 drops, 0 no buffers
Output:66790 packets, 63479074 bytes, 66790 buffers
12 broadcasts, 0 multicasts, 0 pauses
0 errors, 0 underruns, 0 collisions
0 deferred, 0 drops, 0 lost carriers
Because the multicast traffic is encapsulated in IPSec, only G0/1, the interface connected to PC1, shows multicast packet counts in the device's interface statistics, while everything seen on G0/2 is unicast traffic after IPSec encryption and encapsulation. This means the intermediate devices do not need to support any multicast protocol, yet multicast packets are still delivered.
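The check described above can be automated against the `display interface` output. The following Python is an added example, not part of the original page or of H3C's tooling; it parses a constructed sample built from the counters shown above and assumes the interface names GigabitEthernet0/1 (LAN side) and GigabitEthernet0/2 (tunnel source).

```python
import re

# Constructed sample: trimmed "display interface" output in the format shown on
# this page (counter values are the ones from the page's own output).
SAMPLE = """\
GigabitEthernet0/1 current state: UP
Internet Address is 192.168.1.1/24 Primary
Input: 88624 packets, 0 jumboes, 77021075 bytes, 88624 buffers
1134 broadcasts, 70735 multicasts, 0 pauses
Output:16947 packets, 14151157 bytes, 16947 buffers
2 broadcasts, 11911 multicasts, 0 pauses
GigabitEthernet0/2 current state: UP
Internet Address is 192.168.2.1/24 Primary
Input: 14008 packets, 0 jumboes, 14852600 bytes, 14008 buffers
5 broadcasts, 0 multicasts, 0 pauses
Output:66790 packets, 63479074 bytes, 66790 buffers
12 broadcasts, 0 multicasts, 0 pauses
"""

IFACE_RE = re.compile(r"^(\S+) current state: (\S+)")
INPUT_RE = re.compile(r"^Input:\s*(\d+) packets")      # "Output queue" lines do not match
OUTPUT_RE = re.compile(r"^Output:\s*(\d+) packets")
MCAST_RE = re.compile(r"^\d+ broadcasts, (\d+) multicasts")


def parse_display_interface(text):
    """Return {iface: {in_pkts, in_mcast, out_pkts, out_mcast}} from display output."""
    stats, cur, direction = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            stats[cur] = {"in_pkts": 0, "in_mcast": 0, "out_pkts": 0, "out_mcast": 0}
            continue
        m = INPUT_RE.match(line) or OUTPUT_RE.match(line)
        if m and cur:
            direction = "in" if line.startswith("Input") else "out"
            stats[cur][direction + "_pkts"] = int(m.group(1))
            continue
        m = MCAST_RE.match(line)
        if m and cur and direction:
            stats[cur][direction + "_mcast"] = int(m.group(1))
    return stats


def multicast_is_encapsulated(stats, inside, outside):
    """True when multicast counters appear only on the inside interface while the
    outside interface still forwards packets, i.e. multicast leaves as IPsec unicast."""
    lan, wan = stats[inside], stats[outside]
    return (lan["in_mcast"] + lan["out_mcast"] > 0
            and wan["in_mcast"] == 0 and wan["out_mcast"] == 0
            and wan["out_pkts"] > 0)
```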