SVTI Lab
SVTI (static virtual tunnel interface) configuration is used for site-to-site (LAN-to-LAN VPN) connections. With a VTI, features that act on cleartext traffic are configured on the VTI itself, while features for the encrypted packets stay on the physical outside interface. Compared with a traditional crypto map, SVTI lets a dynamic routing protocol run across the tunnel interface and does not need the extra 4-byte GRE header that GRE over IPsec adds, so less bandwidth is spent carrying encrypted data. Because the VTI negotiates any-to-any proxy identities (the IPSEC FLOW permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 line in the show crypto session output below), whatever is routed into Tunnel0 is encrypted and nothing else is; there is no crypto ACL to maintain, and a routing mistake, not an ACL mistake, is what would send traffic in the clear. With IPsec VTI we can therefore apply NAT, ACLs and QoS separately to cleartext and encrypted traffic. Note that the 3des / group 2 / pre-shared key cisco values below are lab settings only; a production deployment should use AES, SHA-2, DH group 14 or higher and a strong, unique key (or certificates).
Site 1:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 61.128.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
set transform-set myset
!
! The original listing repeated Loopback0 here; the outside interface stanza
! (202.100.1.1, the address Site 2 peers with, /24 like the Internet router's 202.100.1.10) is restored in its place.
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 61.128.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprof
!
router ospf 100
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
Internet:
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
!
interface FastEthernet0/1
ip address 61.128.1.10 255.255.255.0
Site 2:
interface FastEthernet0/1
ip address 61.128.1.1 255.255.255.0
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecprof
set transform-set myset
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 202.100.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprof
!
router ospf 100
log-adjacency-changes
network 2.2.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 61.128.1.10
Test:
Site1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/172/204 ms
Site1#show ip route ospf
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11112] via 172.16.1.2, 00:12:33, Tunnel0
Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
61.128.1.1 202.100.1.1 QM_IDLE 1002 0 ACTIVE
Site1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Tu0 IPsec 3DES+SHA 0 104 202.100.1.1
2 Tu0 IPsec 3DES+SHA 105 0 202.100.1.1
1002 Tu0 IKE SHA+3DES 0 0 202.100.1.1
Site1#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Site1#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 61.128.1.1 port 500
IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map