Features
In some deployments the source or destination addresses of the traffic that must be encrypted by the IPsec VPN span several different network segments. Every one of those segments then has to be defined in the IPsec interesting flow (the traffic selector) when it is configured. This is what is meant by IPsec multi-interest flows.
1. Networking requirements
Branch 1 has three network segments: 192.168.1.0/24, 172.18.0.0/24 and 172.18.1.0/24. All three need to reach 192.168.0.0/24 at headquarters, and the traffic between them and headquarters must be encrypted by the IPsec VPN.
2. Network topology
3. Configuration points
1. Configure basic IPSEC functions
2. Configure IPSEC multi-interest flows on branch 1
Notice:
On RSR10/20 before version 10.3(5b6), RSR30 before version 10.4(3b11), and RSR50/RSR50E, the multi-interest flow configuration method differs from the one given in this article. See the appendix for details.
4. Configuration steps
1. Configure basic IPSEC functions
Select the IPsec deployment model that fits the on-site environment and the customer's requirements. For the detailed configuration, refer to the IPsec "Basic Configuration" chapter (Typical Configuration ---> Security ---> IPSEC ---> Basic Configuration).
2. Configure IPSEC multi-interest flows on branch 1
The only difference between configuring multiple interesting flows and a single one is that the ACL that defines the interesting flow contains one entry for every network segment. The headquarters ACL must be the mirror image of this one (source and destination swapped); if the two selectors do not match, the IPsec SA negotiation for that flow fails:
ip access-list extended 101
10 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
20 permit ip 172.18.0.0 0.0.0.255 192.168.0.0 0.0.0.255
30 permit ip 172.18.1.0 0.0.0.255 192.168.0.0 0.0.0.255
5. Configuration verification
After completing the configuration, send traffic matching an interesting flow from branch 1 to trigger the IPsec negotiation. Once it succeeds, several IPsec SAs are negotiated between branch 1 and headquarters, one inbound/outbound SA pair per interesting flow. In the pings below ("so" selects the source address) the first echo is lost while the tunnel for that flow is still being negotiated. When reading the SA output, also check the transform and replay-detection fields: the sample shows only esp-3des with the digest/verify counters at 0 and "Replay detection support:N", i.e. a deprecated cipher, no ESP integrity algorithm and anti-replay disabled, which should be tightened before production use:
site1#ping 192.168.0.1 so 192.168.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.0.1, timeout is 2 seconds:
< press Ctrl+C to break>
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
site1#ping 192.168.0.1 so 172.18.0.1
Sending 5, 100-byte ICMP Echoes to 192.168.0.1, timeout is 2 seconds:
< press Ctrl+C to break>
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
site1#ping 192.168.0.1 so 172.18.1.1
Sending 5, 100-byte ICMP Echoes to 192.168.0.1, timeout is 2 seconds:
< press Ctrl+C to break>
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/15/20 ms
site1# show crypto isakmp sa
destination source state conn-id lifetime(second)
10.0.0.1 10.0.0.2 IKE_IDLE 0 86192 // one ISAKMP (IKE) SA is generated
site1# show crypto ipsec sa
Interface: FastEthernet 0/0
Crypto map tag:mymap
local ipv4 addr 10.0.0.2
media mtu 1500
==================================
sub_map type:static, seqno:10, id=3
local ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0) // IPsec SA for the first interesting flow
PERMIT
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 0
#send errors 1, #recv errors 0
Inbound esp sas:
spi:0x4b8e642c (1267622956)
transform: esp-3des
in use settings={Tunnel Encaps,}
crypto map mymap 10
sa timing: remaining key lifetime (k/sec): (4606997/3388)
IV size: 8 bytes
Replay detection support:N
Outbound esp sas:
spi:0x36ee6e8e (921595534)
transform: esp-3des
in use settings={Tunnel Encaps,}
crypto map mymap 10
sa timing: remaining key lifetime (k/sec): (4606997/3388)
IV size: 8 bytes
Replay detection support:N
==================================
sub_map type:static, seqno:10, id=4
local ident (addr/mask/prot/port): (172.18.0.0/0.0.0.255/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0) // IPsec SA for the second interesting flow
PERMIT
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 0
#send errors 1, #recv errors 0
Inbound esp sas:
spi:0x1cdd2b74 (484256628)
transform: esp-3des
in use settings={Tunnel Encaps,}
crypto map mymap 10
sa timing: remaining key lifetime (k/sec): (4606996/3437)
IV size: 8 bytes
Replay detection support:N
Outbound esp sas:
spi:0x62a1a190 (1654759824)
transform: esp-3des
in use settings={Tunnel Encaps,}
crypto map mymap 10
sa timing: remaining key lifetime (k/sec): (4606996/3437)
IV size: 8 bytes
Replay detection support:N
==================================
sub_map type:static, seqno:10, id=5
local ident (addr/mask/prot/port): (172.18.1.0/0.0.0.255/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0) // IPsec SA for the third interesting flow
PERMIT
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0
#send errors 1, #recv errors 0
Inbound esp sas:
spi:0x1b614775 (459360117)
transform: esp-3des
in use settings={Tunnel Encaps,}
crypto map mymap 10
sa timing: remaining key lifetime (k/sec): (4606998/3556)
IV size: 8 bytes
Replay detection support:N
Outbound esp sas:
spi:0x390bcf20 (957075232)
transform: esp-3des
in use settings={Tunnel Encaps,}
crypto map mymap 10
sa timing: remaining key lifetime (k/sec): (4606998/3556)
IV size: 8 bytes
Replay detection support:N
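Checking the output above by eye does not scale once a branch carries many segments. The following Python script is an added example, not part of this article or of the router software: it reads the interesting-flow ACL and the show crypto ipsec sa listing and reports the things the verification step asks you to look for, namely one SA pair per ACL entry, traffic counters moving in both directions, and the transform and anti-replay settings of each ESP SA. The sample input is constructed from the ACL and the output on this page (sa_block only renders those blocks in the router's format); the parser assumes the field names shown in that output and nothing else.

```python
"""Audit IPsec interesting-flow coverage from 'show crypto ipsec sa' output."""
import re
from ipaddress import IPv4Network

# Constructed sample input: the branch-1 ACL from this article and an abridged
# rendering of its 'show crypto ipsec sa' output (not captured from a router).
ACL_101 = """\
ip access-list extended 101
10 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
20 permit ip 172.18.0.0 0.0.0.255 192.168.0.0 0.0.0.255
30 permit ip 172.18.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

def sa_block(local, encaps, decaps):
    """Render one sub_map block the way the router prints it (sample data)."""
    return (f"sub_map type:static, seqno:10\n"
            f"local ident (addr/mask/prot/port): ({local}/0.0.0.255/0/0)\n"
            f"remote ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0)\n"
            f"#pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest 0\n"
            f"#pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify 0\n"
            "Inbound esp sas:\ntransform: esp-3des\nReplay detection support:N\n"
            "Outbound esp sas:\ntransform: esp-3des\nReplay detection support:N\n")

SHOW_IPSEC_SA = (sa_block("192.168.1.0", 9, 9) + sa_block("172.18.0.0", 14, 14)
                 + sa_block("172.18.1.0", 4, 4))

ACE_RE = re.compile(r"^\s*\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
IDENT_RE = re.compile(r"(local|remote) ident.*?\((\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/")

def parse_acl(text):
    """(src, dst) network pairs the ACL marks as interesting. IPv4Network
    accepts the wildcard mask as a hostmask, so no conversion is needed."""
    return [(IPv4Network(f"{s}/{sw}"), IPv4Network(f"{d}/{dw}"))
            for s, sw, d, dw in ACE_RE.findall(text)]

def parse_ipsec_sa(text):
    """One record per sub_map block: selectors, counters, per-direction ESP SA."""
    records = []
    for chunk in re.split(r"^(?=sub_map )", text, flags=re.M):
        if not chunk.startswith("sub_map"):
            continue
        rec = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
               "Inbound": None, "Outbound": None}
        side = None
        for line in chunk.splitlines():
            m = IDENT_RE.match(line)
            if m:
                rec[m.group(1)] = IPv4Network(f"{m.group(2)}/{m.group(3)}")
            elif line.startswith(("#pkts encaps:", "#pkts decaps:")):
                rec[line[6:12]] = int(re.search(r"caps: (\d+)", line).group(1))
            elif line.endswith("esp sas:"):
                side = line.split()[0]          # "Inbound" or "Outbound"
                rec[side] = {}
            elif side and line.startswith("transform:"):
                rec[side]["transform"] = line.split(":", 1)[1].strip()
            elif side and line.startswith("Replay detection support:"):
                rec[side]["replay"] = line.split(":", 1)[1].strip() == "Y"
        records.append(rec)
    return records

def audit(acl_text, sa_text):
    """Report flows with no SA, and SAs that are weak, one-way or idle."""
    flows = parse_acl(acl_text)
    by_flow = {(r["local"], r["remote"]): r for r in parse_ipsec_sa(sa_text)}
    missing = [f"{s}->{d}" for s, d in flows if (s, d) not in by_flow]
    findings = []
    for (src, dst), r in by_flow.items():
        tag = f"{src}->{dst}"
        for side in ("Inbound", "Outbound"):
            sa = r[side]
            if sa is None:
                findings.append(f"{tag}: no {side.lower()} ESP SA")
                continue
            t = sa.get("transform", "")
            if "des" in t and "aes" not in t:       # DES/3DES are deprecated
                findings.append(f"{tag} {side.lower()}: weak cipher {t}")
            if "hmac" not in t and "gcm" not in t:  # no ESP integrity at all
                findings.append(f"{tag} {side.lower()}: no integrity algorithm in '{t}'")
            if not sa.get("replay"):
                findings.append(f"{tag} {side.lower()}: replay detection off")
        if r["encaps"] == 0 or r["decaps"] == 0:
            findings.append(f"{tag}: traffic not flowing both ways "
                            f"(encaps={r['encaps']}, decaps={r['decaps']})")
    return {"expected": len(flows), "negotiated": len(flows) - len(missing),
            "missing": missing, "findings": findings}

if __name__ == "__main__":
    report = audit(ACL_101, SHOW_IPSEC_SA)
    print(f"{report['negotiated']}/{report['expected']} interesting flows have an SA")
    for line in report["missing"]:
        print("MISSING:", line)
    for line in report["findings"]:
        print("FINDING:", line)
```

Run against the page's output, all three flows are reported as negotiated, and every SA is flagged three times: weak cipher, no integrity algorithm, and replay detection off. A flow whose ACL entry has no matching sub_map block shows up under MISSING, which is the usual symptom of a non-mirrored ACL on the headquarters side; a block whose decaps counter stays at 0 points at traffic that leaves but never comes back.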
6. Appendix
1. Configuration method of multiple interest streams in the old version
Note: the old versions are RSR10/20 before 10.3(5b6), RSR30 before 10.4(3b11), and RSR50/RSR50E.