OSPF on Tunnel

Source: Internet
Author: User

Tunnel, VPN and OSPF: a combination of three musketeers

VPN and OSPF do not seem to have much to do with each other. The former is a technology for securely connecting one site to another, or a travelling employee to the company, across a public network; the latter is an interior routing protocol for a local network. Today we use Tunnel technology to make the two work together. To be honest, I am quite familiar with OSPF and VPN, but I only got to grips with Tunnel technology in recent days, so I am sharing it now, and I hope friends who know Tunnel well will leave valuable comments.

Before getting into the technology, let me explain why I studied Tunnel at all. Someone asked me: "Why can't I enable OSPF after a VPN is established between two sites? Isn't there a tunnel?" At the time I thought it was quite simple and said with a smile: "You enable OSPF here and OSPF there, but how do you enable OSPF on the carrier's router?" Afterwards I felt the problem was worth studying, and I found several ways to solve it. Tunnel is a relatively simple one, so let's look at how it is applied.

First, let's analyze the problem above: why can't you run a routing protocol over a VPN? This is a misunderstanding common among people who have just come into contact with VPN. They believe that once the two sides establish a VPN, a directly connected link appears between them. In fact a VPN only encrypts the data, so that nobody on the path can read it, and that is why it is called a tunnel. The so-called tunnel is a process of encapsulation, encryption, transmission, decapsulation and decryption; it is not a real link, and it gives the router no interface on which a routing protocol could form a neighbor relationship. Now to the requirement: why do we want to run OSPF across the public network at all (of course RIP or static routes would also do, but OSPF is today's topic)? The company's headquarters and branches are located in different cities.
There are multiple internal network segments, and we must not only unify the routing entries across the Internet but also ensure secure and reliable mutual access. To put it bluntly, we want to build a LAN environment without renting a DDN leased line. This is where Tunnel is used.

First, let's look at the topology. The figure may not be clear, so I briefly list the information:

1. Five routers: R1, R2, R3, R4 and R5.
2. R1 and R5 are the internal routers of the headquarters and the branch respectively. Headquarters R1: E0/1 is 192.168.2.1/24, E0/0 is 192.168.1.2/24. Branch R5: E0/1 is 192.168.20.1/24, E0/0 is 192.168.10.2/24.
3. R2 and R4 are the routers connecting the intranet to the Internet at the headquarters and the branch respectively. Headquarters R2: E1/0 is 192.168.1.1/24, WAN interface S0/0 is 61.134.1.5/24. Branch R4: E1/0 is 192.168.10.1/24, WAN interface S0/0 is 218.30.19.52/24.
4. R3 simulates the public network. Its S0/0 is 61.134.1.4/24 and S0/1 is 218.30.19.51/24.
5. Tunnel 0 on R2 is 192.168.100.1/24, and Tunnel 0 on R4 is 192.168.100.2/24.

OK! I believe everyone is looking forward to the solution to the requirement above. As usual on my blog, I divide it into several parts so as not to disturb your train of thought.

Part 1: Basic configuration of the routers

(There are a lot of addresses to cover later and I was afraid of running over the word limit, so I cut the configuration into a picture; open it if you cannot see it clearly.)
The basic configuration is very simple: the IP addresses and host names are as in the topology. I use the default HDLC encapsulation on the WAN interfaces of R2 and R4; if you have higher requirements you can use PPP.

Part 2: Routing protocol configuration

R1 and R5 are simple: advertise the network segments on each side. On R2 and R4, only the segment of the intranet interface can be advertised. Why? OSPF is an interior gateway protocol; it makes routing decisions within a single autonomous system, so it runs inside the LAN and cannot be run across the Internet, whose routers belong to the carrier. Therefore I advertise only one segment on R2 and R4. How do they reach the Internet? With a default route; the carrier takes care of the rest. Why is there nothing on R3? R3 stands in for the thousands of routers on the Internet, which we cannot run OSPF on, so we do not worry about it: I assigned it IP addresses and otherwise left it empty.

You may now wonder whether the headquarters and the branch can communicate with only the routing configuration above. Of course not. How can this be solved? This is the key technology: Tunnel.

Part 3: Tunnel configuration

It is the key technology, but it is actually very simple. On R2 and R4, enter the Tunnel 0 interface (do not underestimate Tunnel: a Cisco router supports tunnel interface numbers from 0 to 2147483647). Then run tunnel destination to specify the peer's address; this must be the peer's public IP address, and our own side must also use a public IP address, so that the two tunnel ends can reach each other. Then run tunnel source to specify our Internet-facing interface (an IP address may also be given). Finally, assign an IP address to Tunnel 0.
This address can be chosen as needed. I use 192.168.100.1/24 on R2 and 192.168.100.2/24 on R4. The logical interface Tunnel 0 thus creates a new network segment between the headquarters and the branch; once we advertise this segment in OSPF, the two sides form an adjacency across the tunnel and exchange their routes. (The verification screenshots are left to the end and analyzed there.)

Now a more important question: how can data be transmitted securely between the headquarters and its branches? That is the topic of the next part.

Part 4: VPN configuration

I have written about VPN many times before, on ISA Server, Windows 2003 and Windows 2008; today it is on the router. Do not think that because we created a Tunnel and ran OSPF the VPN must be done differently. It is configured exactly as usual; the only difference is the interface it is applied to. The steps: 1. establish an IKE negotiation policy; 2. set the pre-shared key and the peer's IP address; 3. create an access control list defining which traffic goes through the VPN; 4. configure the IPsec transform set; 5. create a crypto map that ties the previous steps together; 6. apply the crypto map to the interface. Once you remember these six steps, configuring the VPN is no longer difficult: enter the corresponding mode and use "?" all the way. If you are interested in VPN, I will write about it next time.

One more thing: after all the policies are complete, I apply the crypto map to the logical interface Tunnel 0 rather than the physical interface S0/0, because the data goes through the tunnel built on the logical interface. Where the map must go depends on the IOS release: before 12.2(13)T Cisco required the crypto map on both the tunnel interface and the physical interface, while from 12.2(13)T onward it is applied to the physical interface only, with the crypto ACL matching the GRE packets between the two public addresses; newer releases replace the crypto map with an IPsec profile and tunnel protection under the tunnel interface. Also keep in mind what the tunnel looks like before the VPN is applied: GRE carries everything, OSPF hellos and LSAs included, in cleartext across the Internet, and anyone who can reach the public address and spoof the peer's source can inject packets into it. IPsec closes that gap, and OSPF MD5 authentication on the tunnel interface is a cheap second line of defence.
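The headquarters side of the topology above, as an added example assembled from the addresses and steps given in this post (it is not the author's screenshot, which is not reproduced here). Interface names and addresses are the post's; the names VPNMAP, TS and GRE-TO-BRANCH, the pre-shared key placeholder and the AES/SHA/pre-share/group 2 parameters are my choices. R4 is the mirror image: swap the two public addresses, use 192.168.10.1/24 on E1/0 and 192.168.100.2/24 on Tunnel 0, advertise 192.168.10.0/24 and 192.168.100.0/24, and point the default route at 218.30.19.51.

```cisco
! Added example: headquarters side of the topology in this post.
! R1 = internal router (Part 2 only), R2 = edge router (Parts 1-4).
! Addresses and interface names are the post's; VPNMAP, TS,
! GRE-TO-BRANCH, the key placeholder and the IKE/IPsec algorithms
! are my choices, not taken from the post.
!
! ===== R1 =====
hostname R1
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
!
! Part 2: advertise both inside segments
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
! ===== R2 =====
hostname R2
!
! Part 4, step 1: IKE phase 1 policy
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Part 4, step 2: pre-shared key for the branch peer (placeholder)
crypto isakmp key CHANGE-THIS-KEY address 218.30.19.52
!
! Part 4, step 4: IPsec phase 2 transform set
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Part 4, step 5: crypto map tying peer, transform set and ACL together
crypto map VPNMAP 10 ipsec-isakmp
 set peer 218.30.19.52
 set transform-set TS
 match address GRE-TO-BRANCH
!
! Part 1: inside interface and WAN interface (default HDLC)
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 ip address 61.134.1.5 255.255.255.0
 encapsulation hdlc
!
! Part 3: GRE tunnel to R4. Source and destination are the two public
! addresses; 192.168.100.0/24 exists only between the two tunnel ends.
! Part 4, step 6: the crypto map is applied here, as the post does.
interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 218.30.19.52
 crypto map VPNMAP
!
! Part 2: OSPF on the inside segment and the tunnel segment only;
! the WAN segment 61.134.1.0/24 is deliberately not advertised.
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
! Default route toward the carrier (R3) for the GRE/IPsec packets
ip route 0.0.0.0 0.0.0.0 61.134.1.4
!
! Part 4, step 3: traffic to protect. Matching the GRE packets between
! the two public addresses covers everything inside the tunnel, the
! OSPF hellos and LSAs included.
ip access-list extended GRE-TO-BRANCH
 permit gre host 61.134.1.5 host 218.30.19.52
```

On IOS before 12.2(13)T the line `crypto map VPNMAP` is needed under both Tunnel0 and Serial0/0; from 12.2(13)T it goes under Serial0/0 only, and the same GRE access list still matches because the outer header of every tunneled packet carries the two public addresses. A quick check that the routing protocol itself is protected: with the OSPF adjacency up and no user traffic flowing, the encaps/decaps counters in show crypto ipsec sa should still climb every hello interval.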
Next, let's verify it!

Part 5: Verify our configuration

First, go to R1. Pinging the E0/1 interface of the peer intranet router R5 shows that communication between the headquarters and the branch is normal. A traceroute to R5's E0/1 shows three hops: 192.168.1.1 (R2's E1/0), 192.168.100.2 (R4's Tunnel 0) and 192.168.10.2 (R5's E0/0). This proves that the data goes through the tunnel: R1 knows nothing of R3, that is, it does not know how its packets cross the Internet. Looking at the routing table, we see that for R1 the entire Internet is replaced by the segment 192.168.100.0/24 created by the tunnel, and that it has learned all of the branch's routes. The cost of these entries is large, just over 11100. This is not because of the N public routers in the middle, which OSPF never sees; a Cisco tunnel interface has a default bandwidth of 9 kbps, so OSPF assigns it a cost of 10^8 / 9000 = 11111.

Now let's go to R2. Running show ip ospf neighbor (sh ip os n) shows that R2's OSPF neighbors are R1 (neighbor ID 192.168.2.1) on the intranet and R4 (neighbor ID 218.30.19.52) at the branch; the part in the middle is invisible to OSPF on R2 because it runs over the tunnel. The routing table again shows the large cost, and the next hop for the routes learned from the peer is 192.168.100.2, that is, the peer's Tunnel 0 interface. Now the VPN. show crypto isakmp sa shows that the IKE security association has been established: destination 218.30.19.52, source 61.134.1.5, status ACTIVE. show crypto ipsec sa shows that the IPsec security associations are up, with the numbers of packets encrypted and digested and of packets encapsulated and decapsulated. The next figure is captured on R4; it is similar to R2's, and you can see that R4 has also learned the headquarters' routes.
Here I also made a comparison: sh cdp nei shows that R4's device neighbors are R3 and R5, while sh ip os n shows that its OSPF neighbors are R5 (neighbor ID 192.168.20.1) and R2 (neighbor ID 192.168.100.1). Its VPN information is the same as R2's. Now R5: pinging R1's internal interface E0/1 succeeds, and all routing information has been learned; as above, the cost of the entries from the far side is relatively large. Finally, R3, which we have neglected for a long time: it has no routing information beyond the addresses we assigned, just as we said earlier, and we do not need to worry about it.

OK! The three musketeers have now been introduced, and the requirement above is solved: the company and its branch not only share routing information across the Internet but also communicate securely. Finally, a few additions. A real network has many more segments, VLANs and layer-3 switches, and OSPF would be divided into several areas, for example putting a branch into a stub area or another area to reduce the load on the routers. Today I used a single area only; that is not what I recommend for a real deployment.

This article is from the "Linus" blog
