Overview
This post documents a DMVPN Phase 3 hub-and-spoke lab built on the Cisco FlexVPN framework: the full configuration of the Hub and two Spokes, tunnel establishment, routing convergence, and verification of the dynamic Spoke-to-Spoke direct tunnel.
Key characteristics:
Underlay: IPv6 (GRE over IPv6)
Encryption: IKEv2 + IPsec (AES-GCM-256 / DH group 19)
Authentication: PSK (pre-shared key)
Routing: OSPF area 0, point-to-point network type
Addressing: the Hub assigns tunnel IPs from a pool through an IKEv2 authorization policy
Spoke-to-Spoke: NHRP redirect + shortcut switching (Phase 3)
Lab topology
Internet (IPv6)
|
+--------------+--------------+
| |
+-------v--------+ +--------v-------+
| Hub | | |
| C8000V v17.9 | | IPv6 Cloud |
| Loop2: | | |
| 10.255.1.1/32 | +--------+-------+
+---+----+----+--+ |
| | | |
Virtual-Access | +-------v--------+
(dynamic per-spoke) | Spoke2 |
| | | C8000V v17.6 |
| +--------------------+ Loop2: |
| | 3.3.3.3/32 |
+----v--------+ +----------------+
| Spoke1 | |
| C8000V v17.6| Spoke-to-Spoke dynamic tunnel
| Loop2: |<-----------------------+
| 2.2.2.2/32 |
+-------------+
The Hub admits Spokes dynamically through a Virtual-Template (one template, one Virtual-Access instance per Spoke).
Each Spoke uses a static Tunnel200 pointed at the Hub and additionally configures a Virtual-Template to accept dynamic Spoke-to-Spoke tunnels.
Configuration walkthrough
1. IKEv2 basics
All three devices use an identical IKEv2 proposal and policy:
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-gcm-256
prf sha256 sha384
group 19
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
Design notes: AES-GCM-256 is an AEAD (combined-mode) cipher that provides confidentiality and integrity in one pass, so the proposal carries no separate integrity algorithm; a PRF is still required for key derivation, hence prf sha256 sha384. DH group 19 (ECP-256) balances security and performance.
2. Pre-shared key and keyring
Hub side (matches every Spoke):
crypto ikev2 keyring DMVPN-KEYRING
peer SPOKES
address ::/0
pre-shared-key Cisco123
Spoke side (matches the Hub):
crypto ikev2 keyring DMVPN-KEYRING
peer HUB
address ::/0
pre-shared-key Cisco123
address ::/0 matches any IPv6 peer address. Together with the wildcard identity match in the profile below, this makes one PSK the entire trust boundary: every device holds the same secret, so a key extracted from any single Spoke lets an attacker authenticate as a Spoke (or, on path, as the Hub). Cisco123 is a lab value only. In production use IKEv2 certificate authentication, or at least a distinct key per Spoke and a peer address range narrower than ::/0.
3. IKEv2 profile (the key Hub difference)
Hub:
aaa new-model
aaa authorization network default local
ip local pool SPOKE-POOL-V6 10.255.1.100 10.255.1.200
crypto ikev2 authorization policy DMVPN-AUTH-V6
pool SPOKE-POOL-V6
route set interface
crypto ikev2 profile DMVPN-PROFILE-V6
match identity remote address ::/0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING
aaa authorization group psk list default DMVPN-AUTH-V6
virtual-template 2
Spoke:
crypto ikev2 profile DMVPN-PROFILE-V6
match identity remote address ::/0
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING
virtual-template 2
Core differences:
The Hub's aaa authorization group psk list default DMVPN-AUTH-V6 invokes the DMVPN-AUTH-V6 policy, which assigns each Spoke a tunnel IP from SPOKE-POOL-V6 (10.255.1.100-200) and, through route set interface, has IKEv2 install host routes for the peer's tunnel address over the cloned interface.
On the Hub, virtual-template 2 in the profile causes a Virtual-Access interface to be cloned from Virtual-Template2 as soon as IKEv2 negotiation succeeds.
The Spoke profile carries no authorization policy: it receives its address from the Hub rather than assigning one, and its virtual-template 2 serves only the Spoke-to-Spoke shortcut tunnels.
4. IPsec configuration
crypto ipsec transform-set DMVPN-TS esp-gcm 256
mode transport
crypto ipsec profile DMVPN-IPSEC-V6
set transform-set DMVPN-TS
set ikev2-profile DMVPN-PROFILE-V6
Note: GRE over IPv6 uses transport mode here because GRE already supplies the tunnel encapsulation; IPsec only needs to protect the GRE payload, and transport mode avoids the extra 40-byte outer IPv6 header that tunnel mode would add. The IPsec profile is attached directly to the tunnel interface with tunnel protection, so no crypto map is needed.
5. Hub tunnel interface
interface Virtual-Template2 type tunnel
ip unnumbered Loopback2
ip mtu 1380
ip nhrp authentication Cisco123
ip nhrp network-id 200
ip nhrp redirect
ip tcp adjust-mss 1340
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf mtu-ignore
ip ospf 1 area 0
tunnel mode gre ipv6
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-V6
Notes:
ip unnumbered Loopback2 saves addresses; every Spoke sees the same Hub tunnel address, 10.255.1.1.
ip nhrp redirect enables NHRP redirect: when the Hub forwards a packet from one Spoke back out toward another Spoke in the same NHRP network, it tells the source Spoke to build a direct tunnel (the key mechanism of Phase 3).
tunnel mode gre ipv6 uses IPv6 as the outer GRE encapsulation.
ip mtu 1380 leaves room for the outer IPv6 header, ESP (header, IV, trailer, ICV) and GRE inside a 1500-byte underlay MTU; ip tcp adjust-mss 1340 is that ip mtu minus the 20-byte IPv4 and 20-byte TCP headers, so TCP segments never have to be fragmented inside the tunnel.
ip ospf mtu-ignore avoids getting stuck in EXSTART when the two ends disagree on interface MTU.
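The MTU/MSS budget above can be checked rather than guessed. The following is an added example (not part of the original lab) that works through the encapsulation stack used on this page, GRE over IPv6 with ESP AES-GCM in transport mode, and reports whether an (ip mtu, adjust-mss) pair fits under the underlay MTU. The header sizes are my assumptions: outer IPv6 40 bytes, ESP header 8, AES-GCM IV 8, ESP trailer 2 plus padding to a 4-byte boundary, ICV 16, GRE 4 (no key/sequence/checksum), and no IPv6 extension headers; a GRE key or IPv6 extension headers would add to the fixed overhead.

```python
# Added example: overhead budget for GRE over IPv6 + ESP (AES-GCM, transport mode).
# Header sizes below are assumptions, see the lead-in; adjust them if your stack differs.
IPV6_HDR = 40
ESP_HDR = 8          # SPI (4) + sequence number (4)
GCM_IV = 8           # explicit IV carried in every ESP packet
ESP_TRAILER = 2      # pad length (1) + next header (1)
ESP_ICV = 16         # AES-GCM authentication tag
GRE_HDR = 4          # flags/version (2) + protocol type (2), no key/seq/checksum
ESP_ALIGN = 4        # ESP pads the encrypted part to a 4-byte boundary
IPV4_HDR = 20
TCP_HDR = 20


def esp_padding(inner_len):
    """Padding ESP inserts so that GRE + inner packet + trailer is 4-byte aligned."""
    body = GRE_HDR + inner_len + ESP_TRAILER
    return (-body) % ESP_ALIGN


def wire_size(inner_len):
    """Bytes on the underlay for an inner packet of inner_len bytes."""
    return (IPV6_HDR + ESP_HDR + GCM_IV + GRE_HDR + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + ESP_ICV)


def max_inner_mtu(underlay_mtu=1500):
    """Largest inner packet that still fits in underlay_mtu without fragmentation."""
    fixed = IPV6_HDR + ESP_HDR + GCM_IV + ESP_ICV          # outside the aligned part
    # The aligned part (GRE + inner + trailer + pad) must fit in what is left,
    # so round that remainder down to the alignment boundary first.
    aligned_room = (underlay_mtu - fixed) // ESP_ALIGN * ESP_ALIGN
    return aligned_room - GRE_HDR - ESP_TRAILER


def tcp_mss_for(ip_mtu):
    """MSS that keeps an IPv4 TCP segment within the tunnel's ip mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def check_tunnel_mtu(ip_mtu, adjust_mss, underlay_mtu=1500):
    """Problems with an (ip mtu, adjust-mss) pair; an empty list means it fits."""
    problems = []
    if wire_size(ip_mtu) > underlay_mtu:
        problems.append(f"ip mtu {ip_mtu} encapsulates to {wire_size(ip_mtu)} > {underlay_mtu}")
    if adjust_mss > tcp_mss_for(ip_mtu):
        problems.append(f"adjust-mss {adjust_mss} exceeds {tcp_mss_for(ip_mtu)} for ip mtu {ip_mtu}")
    return problems


if __name__ == "__main__":
    print("largest inner MTU under 1500:", max_inner_mtu())
    print("wire size of a 1380-byte inner packet:", wire_size(1380))
    print("page values 1380/1340:", check_tunnel_mtu(1380, 1340) or "OK")
    print("too large 1460/1420:", check_tunnel_mtu(1460, 1420))
```

With these assumptions the page's 1380 is conservative: the stack would allow an inner MTU of 1422 at a 1500-byte underlay, so 1380 leaves headroom for a GRE key or IPv6 extension headers. Pick the ip mtu first, then derive the MSS from it; setting adjust-mss independently is how the two drift apart.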
6. Spoke tunnel interface
interface Tunnel200
ip address negotiated
ip mtu 1380
ip nhrp authentication Cisco123
ip nhrp network-id 200
ip nhrp shortcut virtual-template 2
ip nhrp redirect
ip tcp adjust-mss 1340
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf mtu-ignore
ip ospf 1 area 0
tunnel source GigabitEthernet1
tunnel mode gre ipv6
tunnel destination 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-V6
Notes:
ip address negotiated obtains the tunnel IP from the Hub's pool.
tunnel destination statically specifies the Hub's IPv6 address.
ip nhrp shortcut virtual-template 2: when an NHRP redirect points at another Spoke, the direct tunnel is cloned from Virtual-Template2.
ip nhrp redirect lets Spokes trigger redirects toward each other as well.
The Spoke also configures Virtual-Template2 (same parameters as Tunnel200) so that incoming Spoke-to-Spoke shortcut tunnels can be cloned from it:
interface Virtual-Template2 type tunnel
ip unnumbered Tunnel200
ip mtu 1380
ip nhrp authentication Cisco123
ip nhrp network-id 200
ip nhrp shortcut virtual-template 2
ip nhrp redirect
ip tcp adjust-mss 1340
ip ospf network point-to-point
ip ospf hello-interval 2
ip ospf mtu-ignore
ip ospf 1 area 0
tunnel mode gre ipv6
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-V6
7. OSPF routing
Hub:
router ospf 1
router-id 10.255.0.1
passive-interface default
no passive-interface Virtual-Template2
Spoke1 / Spoke2:
router ospf 1
router-id 10.255.0.2 (or 10.255.0.3)
passive-interface default
no passive-interface Tunnel200
no passive-interface Virtual-Template2
passive-interface default stops OSPF Hellos on unrelated interfaces.
The Hub allows OSPF only on Virtual-Template2.
Each Spoke allows OSPF on Tunnel200 and Virtual-Template2.
hello-interval is lowered to 2 seconds to speed up convergence.
Caveat: enabling OSPF on the Spoke Virtual-Template means every dynamic Spoke-to-Spoke tunnel also forms a full OSPF adjacency and floods LSAs. That is fine with two Spokes but does not scale; in Phase 3 the NHRP shortcut entry alone (the rib/nho flags shown later) is enough to steer traffic over the direct tunnel.
8. DPD and reliability
crypto ikev2 dpd 30 5 on-demand
Interval 30 seconds, retried every 5 seconds.
on-demand means a DPD probe is sent only when the router has traffic to send to a peer but has received nothing from it within the interval, instead of on a fixed timer, which reduces overhead; the trade-off is that a dead peer on an idle tunnel is only noticed when traffic resumes.
Verification and state checks
Stage 1: Hub-Spoke tunnel establishment
IKEv2 SAs on the Hub:
Tunnel-id fvrf/ivrf Status
2 none/none READY
Local 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD/500
Remote 2408:823C:8B8D:CE4:BE24:11FF:FEC8:1064/500
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/63973 sec
Tunnel-id fvrf/ivrf Status
1 none/none READY
Local 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD/500
Remote 240E:3A1:620:56C3:250:56FF:FE91:FF24/500
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3574 sec
Both Spokes have established IKEv2 SAs with the Hub, and the negotiated parameters match the proposal (AES-GCM 256, PRF SHA256, DH group 19, PSK in both directions).
OSPF neighbors on the Hub:
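Reading the SA listing by eye works for two Spokes; with many it is better to audit it. The following is an added example (not from the original lab): it parses the per-tunnel stanzas in the layout shown on this page and flags any SA whose negotiated parameters deviate from the intended policy. The sample input is constructed: the two Hub SAs copied from the page, plus an invented Tunnel-id 9 with deliberately weak parameters (a Hub with this policy could not actually negotiate them) so that the audit has something to report. Field names and messages are my own.

```python
# Added example: audit "show crypto ikev2 sa" stanzas against the intended policy.
import re
from dataclasses import dataclass

# Constructed sample: two real stanzas from this page plus an invented weak one (Tunnel-id 9).
SAMPLE_SHOW_IKEV2_SA = """\
Tunnel-id fvrf/ivrf Status
2 none/none READY
Local 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD/500
Remote 2408:823C:8B8D:CE4:BE24:11FF:FEC8:1064/500
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/63973 sec
Tunnel-id fvrf/ivrf Status
1 none/none READY
Local 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD/500
Remote 240E:3A1:620:56C3:250:56FF:FE91:FF24/500
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3574 sec
Tunnel-id fvrf/ivrf Status
9 none/none READY
Local 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD/500
Remote 2001:DB8::9/500
Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:2,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/12 sec
"""

# What the IKEV2-PROPOSAL / profile on this page is meant to produce.
EXPECTED = {"encr": "AES-GCM", "keysize": 256, "prf": {"SHA256", "SHA384"},
            "dh_group": 19, "auth": "PSK"}


@dataclass
class Ikev2Sa:
    tunnel_id: int
    status: str
    local: str = ""
    remote: str = ""
    encr: str = ""
    keysize: int = 0
    prf: str = ""
    dh_group: int = 0
    auth_sign: str = ""
    auth_verify: str = ""
    active_sec: int = 0


def parse_ikev2_sa(text):
    """Parse the per-tunnel stanzas (as laid out on this page) into Ikev2Sa records."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\d+)\s+\S+/\S+\s+(\S+)$", line)          # "2 none/none READY"
        if m:
            cur = Ikev2Sa(tunnel_id=int(m.group(1)), status=m.group(2))
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Local "):
            cur.local = line.split()[1].rsplit("/", 1)[0]        # drop the /500 port
        elif line.startswith("Remote "):
            cur.remote = line.split()[1].rsplit("/", 1)[0]
        elif line.startswith("Encr:"):
            m = re.search(r"Encr:\s*([\w-]+),\s*keysize:\s*(\d+),\s*PRF:\s*(\w+).*DH Grp:\s*(\d+)", line)
            cur.encr, cur.keysize = m.group(1), int(m.group(2))
            cur.prf, cur.dh_group = m.group(3), int(m.group(4))
        elif line.startswith("Auth sign:"):
            m = re.search(r"Auth sign:\s*(\w+),\s*Auth verify:\s*(\w+)", line)
            cur.auth_sign, cur.auth_verify = m.group(1), m.group(2)
        elif line.startswith("Life/Active Time:"):
            cur.active_sec = int(re.search(r"/(\d+) sec", line).group(1))
    return sas


def check_sa(sa, expected=EXPECTED):
    """Deviations of one SA from the expected policy; empty list means compliant."""
    problems = []
    if sa.status != "READY":
        problems.append(f"status {sa.status}")
    if (sa.encr, sa.keysize) != (expected["encr"], expected["keysize"]):
        problems.append(f"encryption {sa.encr}-{sa.keysize}")
    if sa.prf not in expected["prf"]:
        problems.append(f"prf {sa.prf}")
    if sa.dh_group != expected["dh_group"]:
        problems.append(f"dh group {sa.dh_group}")
    if (sa.auth_sign, sa.auth_verify) != (expected["auth"], expected["auth"]):
        problems.append(f"auth {sa.auth_sign}/{sa.auth_verify}")
    return problems


def audit(text, expected=EXPECTED):
    """tunnel-id -> list of problems for every SA in the show output."""
    return {sa.tunnel_id: check_sa(sa, expected) for sa in parse_ikev2_sa(text)}


if __name__ == "__main__":
    for sa in parse_ikev2_sa(SAMPLE_SHOW_IKEV2_SA):
        verdict = check_sa(sa) or ["ok"]
        print(f"tunnel {sa.tunnel_id} -> {sa.remote} (up {sa.active_sec}s): {', '.join(verdict)}")
```

Run it against the real `show crypto ikev2 sa detailed` output captured from the Hub and treat any non-empty list as an alert; a peer that negotiated something weaker than the policy is either a configuration drift or a device you did not expect to see.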
Neighbor ID Pri State Dead Time Address Interface
10.255.0.2 0 FULL/ - 00:00:07 10.255.1.106 Virtual-Access1
10.255.0.3 0 FULL/ - 00:00:06 10.255.1.105 Virtual-Access2
FULL/ - means database synchronization is complete; Pri shows 0 because the point-to-point network type performs no DR/BDR election.
Hub routing table:
S* 0.0.0.0/0 [254/0] via 192.168.50.254
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/1001] via 10.255.1.106, 00:59:38, Virtual-Access1
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/1001] via 10.255.1.105, 17:45:05, Virtual-Access2
10.0.0.0/32 is subnetted, 3 subnets
C 10.255.1.1 is directly connected, Loopback2
S 10.255.1.105 is directly connected, Virtual-Access2
S 10.255.1.106 is directly connected, Virtual-Access1
Key points:
The Hub learned the Spoke1 (2.2.2.2) and Spoke2 (3.3.3.3) loopbacks via OSPF.
Both Spoke tunnel IPs appear as /32 static routes (the result of IKEv2 route set interface).
Metric 1001: a tunnel interface defaults to 100 kbit/s bandwidth, so its OSPF cost is 10^8 / 10^5 = 1000, plus 1 for the loopback.
Stage 2: dynamic Spoke-to-Spoke direct tunnel
This is the core feature of DMVPN Phase 3. The sequence:
Spoke1 pings Spoke2's tunnel IP (10.255.1.105).
The first packets are forwarded via the Hub (Tunnel200 → Hub Virtual-Access2 → Spoke2).
The Hub sees that the packet leaves through an interface in the same NHRP network as the one it arrived on and sends an NHRP Redirect to Spoke1.
Spoke1 resolves 10.255.1.105 through NHRP; once it knows Spoke2's NBMA address it initiates IKEv2 toward Spoke2, and a direct Virtual-Access tunnel is cloned from Virtual-Template2.
Subsequent traffic no longer transits the Hub and flows directly between Spoke1 and Spoke2.
Verification: Spoke1 pings Spoke2
Spoke1#ping 10.255.1.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.1.105, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/126 ms
IKEv2 SAs on Spoke1 (after the direct tunnel is up):
Tunnel-id fvrf/ivrf Status
1 none/none READY
Local 240E:3A1:620:56C3:250:56FF:FE91:FF24/500
Remote 240E:3AF:872:94B0:BE24:11FF:FE6A:40BD/500
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3704 sec
Tunnel-id fvrf/ivrf Status
3 none/none READY
Local 240E:3A1:620:56C3:250:56FF:FE91:FF24/500
Remote 2408:823C:8B8D:CE4:BE24:11FF:FEC8:1064/500
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/18 sec
Tunnel-id 1 is Spoke1 ↔ Hub; Tunnel-id 3 (active for only 18 seconds) is the newly built Spoke1 ↔ Spoke2 direct tunnel, whose remote address is Spoke2's GUA.
OSPF neighbors on Spoke1:
Neighbor ID Pri State Dead Time Address Interface
10.255.0.3 0 FULL/ - 00:00:07 10.255.1.105 Virtual-Access1
10.255.0.1 0 FULL/ - 00:00:07 10.255.1.1 Tunnel200
Spoke2 (10.255.0.3) is now an OSPF neighbor of Spoke1, reached through Virtual-Access1 (the dynamic direct tunnel).
Spoke1 routing table change:
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/1001] via 10.255.1.105, 00:00:23, Virtual-Access1
The next hop for Spoke2's loopback (3.3.3.3) changed from the Hub (10.255.1.1 via Tunnel200) to Spoke2 directly (10.255.1.105 via Virtual-Access1), and the metric dropped from 2001 to 1001.
Comparison: before the shortcut the route was [110/2001] via 10.255.1.1 (two tunnel hops through the Hub); after it, [110/1001] via 10.255.1.105 (one direct hop).
NHRP table on Spoke1:
10.255.1.105/32 via 10.255.1.105
Virtual-Access1 created 00:01:12, expire 00:08:49
Type: dynamic, Flags: router nhop rib nho
NBMA address: 2408:823C:8B8D:CE4:BE24:11FF:FEC8:1064
10.255.1.106/32 via 10.255.1.106
Virtual-Access1 created 00:01:12, expire 00:08:47
Type: dynamic, Flags: router unique local
NBMA address: 240E:3A1:620:56C3:250:56FF:FE91:FF24
(no-socket)
The first entry is Spoke2 (10.255.1.105); its NBMA address is Spoke2's IPv6 GUA, and the flags router nhop rib nho mean a next-hop entry learned from a router that has been installed in the RIB as a next-hop override.
The second entry is the local address (10.255.1.106), flagged unique local: it describes this router itself, may not be overwritten by a registration from a different NBMA address, and has no crypto socket (no-socket) because no IPsec SA is tied to it.
Corresponding state on Spoke2:
# IKEv2 SA
Tunnel-id 1: Spoke2 <-> Hub (READY, Active 64187s)
Tunnel-id 2: Spoke2 <-> Spoke1 (READY, Active 102s) # dynamically built direct tunnel
# OSPF neighbors
10.255.0.2 (Spoke1) on Virtual-Access1 # direct neighbor
10.255.0.1 (Hub) on Tunnel200 # Hub neighbor
The state on both sides is symmetric, confirming that the Spoke-to-Spoke direct tunnel is established.
Interface summary
Hub:
Interface IP-Address Status Protocol
GigabitEthernet1 192.168.50.215 up up
Loopback2 10.255.1.1 up up
Virtual-Access1 10.255.1.1 up up # Spoke1
Virtual-Access2 10.255.1.1 up up # Spoke2
Virtual-Template2 10.255.1.1 up down # template, carries no traffic
Spoke1:
Interface IP-Address Status Protocol
GigabitEthernet1 192.168.188.53 up up
Loopback2 2.2.2.2 up up
Tunnel200 10.255.1.106 up up # static tunnel to the Hub
Virtual-Access1 10.255.1.106 up up # dynamic tunnel to Spoke2
Virtual-Template2 10.255.1.106 up down # template
Spoke2:
Interface IP-Address Status Protocol
GigabitEthernet1 192.168.100.146 up up
Loopback2 3.3.3.3 up up
Tunnel200 10.255.1.105 up up
Virtual-Access1 10.255.1.105 up up # dynamic tunnel to Spoke1
Virtual-Template2 10.255.1.105 up down
Key design summary
Troubleshooting notes
OSPF stuck in EXSTART: check that the MTUs match. Here it is avoided with ip ospf mtu-ignore, while ip tcp adjust-mss keeps TCP flows unaffected.
IKEv2 SA fails to come up: confirm the proposal parameters are identical on both ends (encryption / prf / group); confirm the PSK matches; verify IPv6 reachability between the NBMA addresses and that UDP/500 and ESP are not filtered on the path.
NHRP redirect has no effect: the Hub must have ip nhrp redirect on the Virtual-Template; the Spoke must have ip nhrp shortcut virtual-template 2 on both Tunnel200 and Virtual-Template2.
Spoke-to-Spoke tunnel will not build: check that the Spoke IKEv2 profile also contains virtual-template 2 (a Virtual-Template is required to clone the VAI); confirm the NHRP network-id (and authentication string) match on both ends.
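Most items in the troubleshooting notes, and the Phase 3 requirements from the tunnel-interface sections, are consistency checks that can be run against the configs before anything is deployed. The following is an added example (not part of the original lab): a small linter that parses IOS configs and checks identical IKEv2 proposals across devices, matching NHRP network-id and authentication on every tunnel interface, ip nhrp redirect on the Hub template, ip nhrp shortcut virtual-template N on every Spoke tunnel interface with an existing Virtual-TemplateN, virtual-template in the Spoke IKEv2 profile, and tunnel protection everywhere. The Hub and Spoke1 configs are trimmed from this page; Spoke2 is a constructed copy of Spoke1 with faults injected on purpose. Check names and messages are my own.

```python
# Added example: consistency linter for the FlexVPN / DMVPN Phase 3 settings on this page.

def parse_ios(config):
    """Split an IOS config into {header line: [indented sub-lines]}; indentation marks a block."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and cur is not None:
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            blocks.setdefault(cur, [])
    return blocks


def tunnel_interfaces(blocks):
    """{interface name: lines} for Tunnel* and Virtual-Template* interfaces."""
    out = {}
    for header, lines in blocks.items():
        if header.startswith("interface "):
            name = header.split()[1]          # "Virtual-Template2 type tunnel" -> Virtual-Template2
            if name.startswith(("Tunnel", "Virtual-Template")):
                out[name] = lines
    return out


def lint_device(name, role, config):
    """Per-device checks; findings starting with 'warn:' are advisory, the rest are errors."""
    blocks, findings = parse_ios(config), []
    ifaces = tunnel_interfaces(blocks)
    for ifname, lines in ifaces.items():
        where = f"{name}:{ifname}"
        if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
            findings.append(f"{where} has no tunnel protection (GRE would go out in clear)")
        if role == "hub" and ifname.startswith("Virtual-Template") and "ip nhrp redirect" not in lines:
            findings.append(f"{where} Hub template lacks ip nhrp redirect (no Phase 3 redirect)")
        if role == "spoke":
            shortcut = [l for l in lines if l.startswith("ip nhrp shortcut virtual-template")]
            if not shortcut:
                findings.append(f"{where} lacks ip nhrp shortcut virtual-template")
            elif f"Virtual-Template{shortcut[0].split()[-1]}" not in ifaces:
                findings.append(f"{where} shortcut points at a Virtual-Template that does not exist")
    for header, lines in blocks.items():
        if header.startswith("crypto ikev2 profile"):
            if not any(l.startswith("virtual-template") for l in lines):
                findings.append(f"{name}: {header} has no virtual-template (cannot clone a Virtual-Access)")
            if "match identity remote address ::/0" in lines and "authentication remote pre-share" in lines:
                findings.append(f"warn: {name}: {header} accepts any peer that holds the shared PSK")
    return findings


def lint_fabric(devices):
    """devices = {name: (role, config)}; per-device checks plus cross-device consistency."""
    findings, net_ids, auths, proposals = [], {}, {}, {}
    for name, (role, config) in devices.items():
        findings += lint_device(name, role, config)
        blocks = parse_ios(config)
        for ifname, lines in tunnel_interfaces(blocks).items():
            for l in lines:
                if l.startswith("ip nhrp network-id"):
                    net_ids.setdefault(l.split()[-1], []).append(f"{name}:{ifname}")
                if l.startswith("ip nhrp authentication"):
                    auths.setdefault(l.split()[-1], []).append(f"{name}:{ifname}")
        for header, lines in blocks.items():
            if header.startswith("crypto ikev2 proposal"):
                proposals[name] = frozenset(lines)
    if len(net_ids) > 1:
        findings.append(f"NHRP network-id mismatch: {net_ids}")
    if len(auths) > 1:
        findings.append(f"NHRP authentication string mismatch: {auths}")
    if len(set(proposals.values())) > 1:
        findings.append("IKEv2 proposal differs across devices: " + ", ".join(sorted(proposals)))
    return findings


# Sample configs trimmed from this page; Spoke2 is constructed with deliberate faults.
PROPOSAL = "crypto ikev2 proposal IKEV2-PROPOSAL\n encryption aes-gcm-256\n prf sha256 sha384\n group 19\n"
PROFILE = ("crypto ikev2 profile DMVPN-PROFILE-V6\n match identity remote address ::/0\n"
           " authentication remote pre-share\n virtual-template 2\n")


def iface(name, *nhrp_lines):
    body = "".join(f" {l}\n" for l in nhrp_lines)
    return (f"interface {name}\n ip nhrp authentication Cisco123\n ip nhrp network-id 200\n"
            f"{body} tunnel protection ipsec profile DMVPN-IPSEC-V6\n")


HUB = PROPOSAL + PROFILE + iface("Virtual-Template2 type tunnel", "ip nhrp redirect")
SPOKE1 = (PROPOSAL + PROFILE
          + iface("Tunnel200", "ip nhrp shortcut virtual-template 2", "ip nhrp redirect")
          + iface("Virtual-Template2 type tunnel", "ip nhrp shortcut virtual-template 2", "ip nhrp redirect"))
# Injected faults: DH group 14, profile without virtual-template, template with network-id 201 and no shortcut.
SPOKE2_BAD = (PROPOSAL.replace("group 19", "group 14") + PROFILE.replace(" virtual-template 2\n", "")
              + iface("Tunnel200", "ip nhrp shortcut virtual-template 2", "ip nhrp redirect")
              + iface("Virtual-Template2 type tunnel", "ip nhrp redirect").replace("network-id 200", "network-id 201"))

if __name__ == "__main__":
    for finding in lint_fabric({"Hub": ("hub", HUB), "Spoke1": ("spoke", SPOKE1), "Spoke2": ("spoke", SPOKE2_BAD)}):
        print(finding)
```

The warn: finding fires for every device on this page by design; it is the wildcard-identity-plus-shared-PSK caveat from the keyring section, surfaced where it can be seen during review rather than discovered after a key leaks.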