If you want traffic to be encrypted as it passes between Cisco devices, a Cisco crypto map is one of your options. For the basic configuration, refer to R1 and R2 in the topology below; the routers used in this article are all 7206 series running version 15.3.
Once R1 and R2 are configured, all traffic, including natively plaintext protocols such as telnet and http, is encrypted by the routers.
However, while designing a customer architecture I found that crypto map has a serious design flaw: crypto map may only be suitable for point-to-point environments. Your interface address does not have to be a /30, it can be a /8, but the physical connection should be like that of R4 and R5.
At this point someone may object: doesn't Cisco provide crypto map documentation for a hub-and-spoke architecture? It does, but in practice the routers that need this may run different versions or even be different models; if you are interested, search for CSCvd40554.
In other words, if you want to completely resolve the IKE problems stemming from CSCvd40554, you must tailor the design to your architecture, which is difficult for an existing architecture.
The second problem: my hub is R1, spoke1 is R2 and spoke2 is R4. R1 and R2 must establish an encrypted session, while R1 and R4 must not. This looks like a simple requirement, but in practice the constraints of the encrypted session make it impossible.
This is because R1 has a key piece of configuration:
crypto map SEC 1 ipsec-isakmp
set peer 23.0.0.2
In this example, set peer means that only 23.0.0.2 may establish an encrypted session with me and transmit data; if your understanding is that other peers (such as 34.0.0.4) cannot establish an encrypted session with me but can still transmit data, that is wrong.
Deploying crypto map across a WAN is therefore unwise: besides the tailoring mentioned above, you would need to provide full-mesh crypto map configuration for every public-facing router, because the technical architecture of crypto map is peer to peer.
If a node that does not need an encrypted session (R4) sends data to a node that does (R1), i.e. R4 pings 13.0.0.1, R1 records the following log, which roughly says that R1 detected an unencrypted packet from 34.0.0.4 to 13.0.0.1.
To address this design flaw in crypto map, Cisco introduced DMVPN, another form of hub-and-spoke. Its notable advantage is that it greatly reduces the amount of full-mesh crypto map configuration and is easy to maintain; you only need to add one more subnet.
In conclusion, the best solution for Cisco IOS crypto map is the one on my R4 and R5.
Of course VRF (Virtual Routing & Forwarding) is not a mandatory configuration; VRF and crypto map are separate, independent functions. My purpose was only to separate the default routing table.
If you want traffic passing between Cisco devices to be encrypted, a Cisco crypto map is your solution. For the basic configuration, follow R1 and R2 in my topology. My routers are the 7206 model, running version 15.3.
When you finish the configuration on R1 and R2, all traffic, including natively plaintext protocols (telnet, http), is encrypted by the routers.
[topology]
However, I find a big design error in Cisco crypto map: it may only be appropriate in a point-to-point environment. Your interface address can be a /8, but for the physical connection my suggestion is to do it like R4 and R5.
Maybe you will rebut me: Cisco does provide crypto map documentation for hub-and-spoke, right? Yes, but in practice the routers may be of different versions and models; you can search for CSCvd40554.
So if you want to resolve the CSCvd40554 issue, you must tailor-make your environment, but that is difficult for an existing network.
Second problem: my hub is R1, spoke1 is R2, and spoke2 is R4. R1 and R2 must keep an encrypted session, while R1 and R4 do not need one. It seems simple; however, you cannot do it.
[image]
Because R1 has this key setting:
crypto map SEC 1 ipsec-isakmp
set peer 23.0.0.2
In this demo, set peer means that only the address 23.0.0.2 can keep an encrypted session and transport data with me. If you think a non-peer address (34.0.0.4) cannot keep an encrypted session but can still transport data with me, that is incorrect.
However, deploying crypto map in a WAN is unwise, because it needs a tailor-made design and a full-mesh crypto map configuration on all routers; the reason is that crypto map is peer to peer.
If R4 sends data to R1 (R4 pings 13.0.0.1), R1 records the log below, meaning R1 detected packets from 34.0.0.4 to 13.0.0.1 that were not encrypted.
[image]
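As an added, constructed example (not the R1/R2 configuration from the post, whose topology image is not reproduced here), this is a minimal crypto map pair that reproduces the scenario described above: R1 at 13.0.0.1 with set peer 23.0.0.2, and R2 at 23.0.0.2 as its mirror. The ISAKMP policy values, transform set, interface names, the PLACEHOLDER_PSK key and the match ACL are assumptions; the ACL is deliberately broad so that, as in the post, a clear-text packet from 34.0.0.4 to 13.0.0.1 is refused and logged.

```cisco
! R1 (hub, WAN address 13.0.0.1). Constructed example: interface names,
! policy values and the PLACEHOLDER_PSK key are assumptions, not the post's config.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 23.0.0.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Crypto ACL: selects the flows the map protects. "any any" matches the post,
! where every packet leaving the interface is encrypted; its mirror is also why
! R1 refuses a clear-text packet from 34.0.0.4 to 13.0.0.1 and logs
! %CRYPTO-4-RECVD_PKT_NOT_IPSEC (34.0.0.4 is not a configured peer).
ip access-list extended CRYPTO-ALL
 permit ip any any
!
crypto map SEC 1 ipsec-isakmp
 set peer 23.0.0.2
 set transform-set TS
 match address CRYPTO-ALL
!
interface GigabitEthernet0/0
 ip address 13.0.0.1 255.255.255.0
 crypto map SEC
!
! ---- R2 (spoke1, WAN address 23.0.0.2): mirror image of R1 ----
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 13.0.0.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
ip access-list extended CRYPTO-ALL
 permit ip any any
crypto map SEC 1 ipsec-isakmp
 set peer 13.0.0.1
 set transform-set TS
 match address CRYPTO-ALL
interface GigabitEthernet0/0
 ip address 23.0.0.2 255.255.255.0
 crypto map SEC
!
! Checks on R1 after R2 sends traffic:
!   show crypto isakmp sa   -> 23.0.0.2 listed in state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps/decaps counters increasing
!   show crypto map         -> peer 23.0.0.2 and CRYPTO-ALL bound to Gi0/0
```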
To resolve this problem, Cisco claims DMVPN is the best solution; it is another kind of hub-and-spoke. The advantages are a reduced full-mesh crypto map configuration and easier maintenance; deploying DMVPN only requires adding one subnet.
In conclusion, the best solution for Cisco IOS crypto map is what I did on R4 and R5.
Of course, VRF (Virtual Routing & Forwarding) is not a required setting; VRF and crypto map are different, independent functions. My purpose was to separate the default routing table.
[image]
[wireshark]
