GRE - IPSEC and VRF


Postby davide0522 » Mon 24 Jun , 2019 11:04 pm

Hi everyone.
I have a setup with a head office and two branch offices connected through GRE tunnels.
Everything works, but since GRE is not encrypted I would like to add some security,
so I followed this guide
http://www.firewall.cx/cisco-technical- ... ipsec.html
(there are others as well), but it doesn't work for me.
The problem is that at the head office the router is configured with VRF.

Can you help me get GRE over IPSEC working in a scenario where one endpoint has VRF?
I should say up front that I'm fairly green on this topic, so step-by-step help would be much appreciated!
Thanks in advance; if any config is needed I can post it.

Re: GRE - IPSEC and VRF

Postby paolomat75 » Wed 26 Jun , 2019 8:33 am

Hi.
Post the hub configuration for me.

Paolo
CCNA R&S and CCNP Route Pass - Studying....
No leaf falls unless the unconscious wills it (S.B.)

Re: GRE - IPSEC and VRF

Postby davide0522 » Wed 26 Jun , 2019 9:05 am

Hi, here it is below; for privacy reasons I have masked IPs and names....
So it's not exactly like this :-)
Can you let me know whether you can make sense of it?
If necessary we can also talk privately.
Thanks a lot


Code:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname C1803
!
boot-start-marker
boot-end-marker
!
logging buffered 1024000
enable secret 5 ******
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip vrf pippo
 rd 253:1
!
ip vrf pluto
 rd 240:1
!
ip vrf paperino
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1803/K9 sn ******
archive
 log config
  hidekeys
username ****** password 0 **********
!
!
!
!
!
!
interface Tunnel1
 description * pippo SPA ** TUNNEL SEDE 1
 ip vrf forwarding pippo
 ip address 10.253.1.1 255.255.255.252
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 10.10.10.10
 tunnel vrf pippo
!
interface Tunnel2
 description * pippo SPA ** TUNNEL SEDE 2
 ip vrf forwarding pippo
 ip address 10.253.129.1 255.255.255.252
 ip flow ingress
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 10.20.20.20
!
interface Tunnel3
 description * pippo SPA ** TUNNEL SEDE 3
 ip vrf forwarding pippo
 ip address 10.253.130.1 255.255.255.252
 ip flow ingress
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 10.30.30.30
!
interface Tunnel100
 description * pluto SRL *** TUNNEL TO pluto-sede1
 ip vrf forwarding pluto
 ip address 10.240.0.1 255.255.255.252
 ip mtu 1436
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 20.10.10.10
!
interface Tunnel101
 description * pluto SRL *** TUNNEL TO pluto-sede2
 ip vrf forwarding pluto
 ip address 10.240.1.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 20.20.20.20
!
interface Tunnel114
 description * PAPERINO SRL * TUNNEL 114
 ip vrf forwarding paperino
 ip address 4.4.4.45 255.255.255.252
 ip flow ingress
 tunnel source 1.1.1.1
 tunnel destination 30.10.10.10
!
interface Tunnel115
 description * PAPERINO SRL * TUNNEL 115
 ip vrf forwarding pluto
 ip address 4.4.4.49 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 30.20.20.20
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
!
interface FastEthernet3
 description LINK VERSO INFRASTRUTTURA pippo (Switch)
 switchport access vlan 200
 duplex full
 speed 100
!
interface FastEthernet4
 duplex full
!
interface FastEthernet5
 duplex full
 speed 100
!
interface FastEthernet6
 description LINK VMWARE
 switchport access vlan 81
!
interface FastEthernet7
 description RETE pluto
 switchport access vlan 240
!
!
!
!
interface Vlan81
 description CONNESSIONE-A-paperino-VMWARE
 ip vrf forwarding paperino
 ip address 100.200.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan200
 description CONNESSIONE-LOCALE-INFRASTRUTTURA-pippo
 ip vrf forwarding pippo
 ip address 10.0.30.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly

!
interface Vlan240
 ip vrf forwarding pluto
 ip address 10.1.1.254 255.255.255.0
!
!
router eigrp 253
 !
 address-family ipv4 vrf pippo
  redistribute connected
  network 10.253.1.0 0.0.0.3
  network 10.253.4.0 0.0.0.3
  network 10.253.127.0 0.0.0.3
  network 10.253.129.0 0.0.0.3
  network 10.253.130.0 0.0.0.3
  network 10.253.131.0 0.0.0.3
  network 10.253.131.4 0.0.0.3
  network 10.253.140.0 0.0.0.3
  passive-interface default
  no passive-interface Tunnel1
  no passive-interface Tunnel4
  no passive-interface Tunnel2
  no passive-interface Tunnel3
  no passive-interface Tunnel5
  no passive-interface Tunnel6
  no passive-interface Tunnel7
  autonomous-system 253
 exit-address-family
 network 10.253.131.0 0.0.0.3
!
!
router eigrp 240
 !
 address-family ipv4 vrf pluto
  redistribute connected
  network 10.1.1.0 0.0.0.255
  network 10.240.1.0 0.0.0.3
  passive-interface default
  no passive-interface Tunnel101
  autonomous-system 240
 exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan200
ip flow-export version 9
ip flow-export destination 10.0.30.17 2055 vrf pippo
ip flow-export destination 10.0.30.17 2055
!
ip nat inside source list 101 interface Vlan203 vrf pippo overload
ip nat inside source list 102 interface FastEthernet0 vrf paperino overload
ip nat inside source static tcp 100.200.200.1 23 1.1.1.1 23 vrf paperino extendable
ip nat inside source static tcp 10.0.30.77 3389 1.1.1.1 3389 vrf pippo extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list extended pippoWIFI
 permit ip 10.10.1.0 0.0.0.255 any
!
access-list 101 permit ip any any
access-list 102 permit ip any any
!
!
!
!
!
snmp-server community public RO 11
snmp-server enable traps entity
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input all
!
end
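
Added example, not part of any post in this thread: a small Python check one could run over a hub configuration like the one posted above. For each Tunnel interface it reports whether `tunnel protection` (the IOS command that attaches an IPsec profile to a tunnel) is absent, and whether `tunnel vrf` names a different VRF than the one holding the tunnel source address. The embedded sample is a constructed excerpt of the masked config; the function names and the two finding strings are this example's own.

```python
import re
SAMPLE = """\
interface Tunnel1
 ip vrf forwarding pippo
 tunnel source 1.1.1.1
 tunnel vrf pippo
!
interface Tunnel2
 ip vrf forwarding pippo
 tunnel source 1.1.1.1
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.240
"""  # constructed excerpt modelled on the masked hub config posted above
NO_PROTECTION = "no 'tunnel protection': GRE payload is sent in clear"
VRF_MISMATCH = "'tunnel vrf' differs from the VRF of the tunnel source"

def parse_interfaces(config):  # {interface name: [sub-command lines]}
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a top-level command closes the block
    return interfaces

def first(lines, prefix):  # first word after `prefix`, or None if absent
    return next((l[len(prefix):].split()[0] for l in lines
                 if l.startswith(prefix + " ")), None)

def audit_tunnels(config):
    ifs = parse_interfaces(config)
    vrf_of = {}  # VRF per interface name and per IP; None = global table
    for name, lines in ifs.items():
        vrf_of[name] = vrf_of[first(lines, "ip address")] = first(lines, "ip vrf forwarding")
    vrf_of.pop(None, None)  # entry created by interfaces without an IP
    report = {}
    for name, lines in ifs.items():
        if not name.startswith("Tunnel"):
            continue
        src, found = first(lines, "tunnel source"), []
        if first(lines, "tunnel protection") is None:
            found.append(NO_PROTECTION)
        if src in vrf_of and first(lines, "tunnel vrf") != vrf_of[src]:
            found.append(VRF_MISMATCH)
        report[name] = found
    return report
```

On the sample, Tunnel1 gets both findings and Tunnel2 only the missing-protection one, because the source address 1.1.1.1 sits on FastEthernet0 in the global table.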

Re: GRE - IPSEC and VRF

Postby paolomat75 » Wed 26 Jun , 2019 11:03 am

At first glance it doesn't look like a problem to me.
Tonight I'll run a test with GNS3.

Paolo

P.S. If you don't hear from me, get in touch, because it means I forgot :D

Re: GRE - IPSEC and VRF

Postby davide0522 » Wed 17 Jul , 2019 3:55 pm

Hi, you forgot!
:D :D :D :D

If you like, we can talk via PM. Thanks