IPsec and Fragmentation
1. Requirements:
Analyse where GRE fragments are reassembled
Analyse where IPsec fragments are reassembled, and the solution
Analyse the fragmentation and reassembly process for GRE over IPsec, and the various solutions
Packets sent by the server with the DF bit set to 1: solution
2. Topology diagram:
3. Configuration and analysis:
GRE fragmentation
RT1(config)#ip route 0.0.0.0 0.0.0.0 202.103.12.2
interface Tunnel0
ip address 10.1.13.1 255.255.255.0
tunnel source Serial0/1
tunnel destination 202.103.23.3
router ospf 1
router-id 1.1.1.1
passive-interface Serial0/0
network 10.1.13.0 0.0.0.255 area 0
network 10.1.17.0 0.0.0.255 area 0
RT3(config)#ip route 0.0.0.0 0.0.0.0 202.103.23.2
interface Tunnel0
ip address 10.1.13.3 255.255.255.0
tunnel source Serial0/0
tunnel destination 202.103.12.1
router ospf 1
router-id 3.3.3.3
passive-interface Serial0/1
network 10.1.13.0 0.0.0.255 area 0
network 10.1.34.0 0.0.0.255 area 0
PC1#ping 10.1.34.4 source 10.1.17.7 size 1500
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.1.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.17.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/145/316 ms
The PC receives the fragments; the "GRE payload fragments" are reassembled on the PC host
*Mar 1 00:40:49.315: IP: tableid=0, s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), routed via RIB
*Mar 1 00:40:49.319: IP: s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), len 1476, rcvd 3
*Mar 1 00:40:49.323: IP: recv fragment from 10.1.17.7 offset 0 bytes
*Mar 1 00:40:49.335: IP: tableid=0, s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), routed via RIB
*Mar 1 00:40:49.335: IP: s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), len 44, rcvd 3
*Mar 1 00:40:49.339: IP: recv fragment from 10.1.17.7 offset 1456 bytes
*Mar 1 00:40:49.343: IP: tableid=0, s=10.1.34.4 (local), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 00:40:49.347: IP: s=10.1.34.4 (local), d=10.1.17.7 (Serial0/0), len 1500, sending
*Mar 1 00:40:49.567: IP: tableid=0, s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), routed via RIB
*Mar 1 00:40:49.571: IP: s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), len 1476, rcvd 3
*Mar 1 00:40:49.575: IP: recv fragment from 10.1.17.7 offset 0 bytes
*Mar 1 00:40:49.579: IP: tableid=0, s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), routed via RIB
*Mar 1 00:40:49.579: IP: s=10.1.17.7 (Serial0/0), d=10.1.34.4 (Serial0/0), len 44, rcvd 3
*Mar 1 00:40:49.583: IP: recv fragment from 10.1.17.7 offset 1456 bytes
*Mar 1 00:40:49.587: IP: tableid=0, s=10.1.34.4 (local), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 00:40:49.591: IP: s=10.1.34.4 (local), d=10.1.17.7 (Serial0/0), len 1500, sending
DF bit set to 1
PC1#ping 10.1.34.4 source 10.1.17.7 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.1.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.17.7
Packet sent with the DF bit set
M.M.M    The GRE packet is larger than the MTU and the DF bit is set, so the packets are dropped (M: could not fragment)
Success rate is 0 percent (0/5)
RT1(config)#    Use a route-map to reset the DF bit
access-list 100 permit ip any any
route-map bluefox permit 10
match ip address 100
set ip df 0
interface s0/0
ip policy route-map bluefox    (a policy route-map can only be applied in the inbound direction???)
PC1#ping 10.1.34.4 source 10.1.17.7 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.1.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.17.7
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/118/192 ms
IPsec fragmentation
RT1(config)#crypto ipsec fragmentation after-encryption    (reverts to the behaviour of earlier IPsec releases)
RT3(config)#crypto ipsec fragmentation after-encryption
PC1#debug ip packet
*Mar 1 01:39:44.715: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 01:39:44.719: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 1500, rcvd 3
*Mar 1 01:39:44.723: IP: tableid=0, s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), routed via FIB
*Mar 1 01:39:44.727: IP: s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), len 1500, sending
*Mar 1 01:39:45.019: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 01:39:45.019: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 1500, rcvd 3
*Mar 1 01:39:45.023: IP: tableid=0, s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), routed via FIB
*Mar 1 01:39:45.027: IP: s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), len 1500, sending
RT1#debug ip packet    Reassembly is performed on router RT1
*Mar 1 01:55:16.319: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 01:55:16.343: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 01:55:16.355: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 01:55:16.355: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1500, forward
*Mar 1 01:55:16.391: IP: s=202.103.12.1 (Null0), d=202.103.23.3 (Serial0/1), len 1500, sending fragment
*Mar 1 01:55:16.395: IP: s=202.103.12.1 (Null0), d=202.103.23.3 (Serial0/1), len 72, sending last fragment
*Mar 1 01:55:16.563: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 01:55:16.631: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 01:55:16.647: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 01:55:16.647: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1500, forward
Solution: configure IPsec to fragment first and then encapsulate (pre-fragmentation)
RT1(config)#crypto ipsec fragmentation before-encryption
RT3(config)#crypto ipsec fragmentation before-encryption
PC1#    Reassembly is now performed on the PC
*Mar 1 02:00:01.707: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:00:01.711: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 764, rcvd 3
*Mar 1 02:00:01.715: IP: recv fragment from 10.1.34.4 offset 0 bytes
*Mar 1 02:00:01.715: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:00:01.719: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 756, rcvd 3
*Mar 1 02:00:01.723: IP: recv fragment from 10.1.34.4 offset 744 bytes
*Mar 1 02:00:01.727: IP: tableid=0, s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), routed via FIB
*Mar 1 02:00:01.731: IP: s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), len 1500, sending
*Mar 1 02:00:01.935: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:00:01.939: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 764, rcvd 3
*Mar 1 02:00:01.943: IP: recv fragment from 10.1.34.4 offset 0 bytes
*Mar 1 02:00:01.947: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:00:01.951: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 756, rcvd 3
*Mar 1 02:00:01.955: IP: recv fragment from 10.1.34.4 offset 744 bytes
*Mar 1 02:00:01.955: IP: tableid=0, s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), routed via FIB
*Mar 1 02:00:01.959: IP: s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), len 1500, sending
IPsec traffic with the DF bit set to 1
PC3#ping 10.1.17.7 source 10.1.34.4 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.1.17.7, timeout is 2 seconds:
Packet sent with a source address of 10.1.34.4
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
RT3(config)#crypto ipsec df-bit ?
clear Clear DF bit for encapsulated packets.
copy Copy DF bit from inner for encapsulated packets.
set Set DF bit for encapsulated packets.
RT3(config)#crypto ipsec df-bit clear    Clear the DF bit on IPsec packets
PC3#ping 10.1.17.7 source 10.1.34.4 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.1.17.7, timeout is 2 seconds:
Packet sent with a source address of 10.1.34.4
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/127/248 ms
GRE over IPsec fragmentation
PC1#    GRE reassembly is performed on the PC
*Mar 1 02:55:36.523: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:55:36.527: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 44, rcvd 3
*Mar 1 02:55:36.531: IP: recv fragment from 10.1.34.4 offset 1456 bytes
*Mar 1 02:55:36.535: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:55:36.539: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 1476, rcvd 3
*Mar 1 02:55:36.543: IP: recv fragment from 10.1.34.4 offset 0 bytes
*Mar 1 02:55:36.547: IP: tableid=0, s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), routed via FIB
*Mar 1 02:55:36.547: IP: s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), len 1500, sending
*Mar 1 02:55:36.775: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:55:36.779: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 1476, rcvd 3
*Mar 1 02:55:36.783: IP: recv fragment from 10.1.34.4 offset 0 bytes
*Mar 1 02:55:36.787: IP: tableid=0, s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), routed via RIB
*Mar 1 02:55:36.791: IP: s=10.1.34.4 (Serial0/1), d=10.1.17.7 (Serial0/1), len 44, rcvd 3
*Mar 1 02:55:36.795: IP: recv fragment from 10.1.34.4 offset 1456 bytes
*Mar 1 02:55:36.795: IP: tableid=0, s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), routed via FIB
*Mar 1 02:55:36.799: IP: s=10.1.17.7 (local), d=10.1.34.4 (Serial0/1), len 1500, sending
RT1#    IPsec reassembly is performed on the router
*Mar 1 03:14:52.207: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 03:14:52.211: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 03:14:52.235: IP: tableid=0, s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), routed via RIB
*Mar 1 03:14:52.239: IP: s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), len 1500, rcvd 3
*Mar 1 03:14:52.243: IP: tableid=0, s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 03:14:52.247: IP: s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1476, forward
*Mar 1 03:14:52.523: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 03:14:52.531: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 03:14:52.547: IP: tableid=0, s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), routed via RIB
*Mar 1 03:14:52.547: IP: s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), len 1500, rcvd 3
*Mar 1 03:14:52.547: IP: tableid=0, s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 03:14:52.551: IP: s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1476, forward
*Mar 1 03:14:52.703: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 03:14:52.731: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 03:14:52.755: IP: tableid=0, s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), routed via RIB
*Mar 1 03:14:52.759: IP: s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), len 1500, rcvd 3
*Mar 1 03:14:52.763: IP: tableid=0, s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 03:14:52.767: IP: s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1476, forward
*Mar 1 03:14:52.847: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 03:14:52.875: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 03:14:52.899: IP: tableid=0, s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), routed via RIB
*Mar 1 03:14:52.903: IP: s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), len 1500, rcvd 3
*Mar 1 03:14:52.907: IP: tableid=0, s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 03:14:52.911: IP: s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1476, forward
*Mar 1 03:14:52.987: IP: recv fragment from 202.103.23.3 offset 0 bytes
*Mar 1 03:14:53.007: IP: recv fragment from 202.103.23.3 offset 1480 bytes
*Mar 1 03:14:53.031: IP: tableid=0, s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), routed via RIB
*Mar 1 03:14:53.035: IP: s=202.103.23.3 (Serial0/1), d=202.103.12.1 (Serial0/1), len 1500, rcvd 3
*Mar 1 03:14:53.039: IP: tableid=0, s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), routed via FIB
*Mar 1 03:14:53.043: IP: s=10.1.34.4 (Tunnel0), d=10.1.17.7 (Serial0/0), g=10.1.17.7, len 1476, forward
Option 1:
Configure the maximum MTU on the originating PC
so that MTU + IPsec + GRE overhead is less than 1500 B
Option 2: statically set the maximum MTU on the GRE tunnel interface or the physical interface
RT3(config)#inte tunnel 0
RT3(config-if)#ip mtu 1420    (this MTU + IPsec + GRE overhead is less than 1500 B)
Option 3:
IPsec fragments first, then encapsulates (pre-fragmentation)
Option 4:
TCP MSS
RT1(config)#inte s0/0
RT1(config-if)#ip tcp adjust-mss 1420
Option 5:
PMTUD
RT1(config)#inte tunnel 0
RT1(config-if)#tunnel path-mtu-discovery
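As an added example (not part of the original lab notes), the following Python reproduces the fragment sizes seen in the debug output above from packet arithmetic alone and checks the Option 2 value. It assumes ESP tunnel mode with an 8-byte IV and a 12-byte ICV (e.g. 3DES with HMAC-96, which the page does not state) and a 4-byte GRE header; the function names are my own.

```python
# Added example: reproduce the lab's fragment sizes from GRE/ESP overhead arithmetic.
# Assumptions not stated on the page: ESP tunnel mode, 8-byte IV, 12-byte ICV,
# 8-byte cipher block; GRE without key/sequence options (4-byte header).
IP_HDR = 20
GRE_OVERHEAD = 24          # outer IP (20) + GRE (4): why Tunnel0 has an IP MTU of 1476
ESP_HDR, ESP_IV, ESP_ICV, ESP_BLOCK = 8, 8, 12, 8
LINK_MTU = 1500


def fragment(total_len, mtu):
    """Fragment an IPv4 packet (total length incl. 20-byte header) to fit mtu.
    Returns [(fragment_total_len, offset_bytes), ...], filling the first
    fragment to the maximum, as the GRE debug output above shows."""
    payload = total_len - IP_HDR
    max_chunk = (mtu - IP_HDR) // 8 * 8          # fragment offsets are 8-byte units
    frags, offset = [], 0
    while offset < payload:
        chunk = min(max_chunk, payload - offset)
        frags.append((chunk + IP_HDR, offset))
        offset += chunk
    return frags or [(total_len, 0)]


def esp_tunnel_len(inner_len):
    """Outer IPv4 length after ESP tunnel-mode encapsulation of an inner packet."""
    # 2 bytes of ESP trailer (pad length + next header), then block alignment
    padded = -(-(inner_len + 2) // ESP_BLOCK) * ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_tunnel_mtu(link_mtu=LINK_MTU, extra=GRE_OVERHEAD):
    """Largest tunnel 'ip mtu' for which GRE + ESP output still fits the link MTU."""
    mtu = link_mtu
    while esp_tunnel_len(mtu + extra) > link_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    # GRE only: 1500-byte ping over a 1476-byte tunnel -> 1476 + 44, offset 1456
    print("GRE:", fragment(1500, LINK_MTU - GRE_OVERHEAD))
    # IPsec after-encryption: 1500 -> 1552 on the wire -> 1500 + 72, offset 1480
    print("IPsec after-encryption:", fragment(esp_tunnel_len(1500), LINK_MTU))
    # IPsec before-encryption: the 764/756-byte cleartext fragments fit after ESP
    print("IPsec before-encryption:", [esp_tunnel_len(n) for n in (764, 756)])
    # GRE over IPsec: the 1476-byte GRE fragment is 1500 with GRE, 1552 with ESP
    print("GRE over IPsec:", fragment(esp_tunnel_len(1476 + GRE_OVERHEAD), LINK_MTU))
    # Option 2: ip mtu 1420 -> 1444 after GRE -> 1496 after ESP; largest safe value
    print("ip mtu 1420 ->", esp_tunnel_len(1420 + GRE_OVERHEAD), "max:", max_tunnel_mtu())
```

With a 16-byte IV (AES) or a longer ICV the ESP figures grow, so rerun max_tunnel_mtu() with the constants changed before choosing a tunnel MTU for a different transform set.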
4. Summary:
Source: https://www.2haoxitong.net/k/doc/2af5016027d3240c8447ef83.html