Доброго времени суток. Задача: соединить 2 или более хостов между 2 компаниями (сети пересекаются). Тех задание - на стыке использовать BGP и трафик должен шифроваться, организовать резервирование при помощи офисов в разных городах и разных каналов связи. Ввиду пересечения пронатить. Все задачи должны выполняться на бордерах, схема аналогична стенду (только хосту будут в глубине сети компании, не на бордере)
Я собрал стенд из 4х CISCO роутеров. Настроил BGP, IGP. Трафик между хостами ходит, резервирование отрабатывает (надо только подшаманить интервалы для быстрой сходимости). Далее хотел настроить шифрование и застрял. Трафик не идет в тунель. Возможно нужно тунельные адреса включить в BGP, может я не прав. Пробовал через route-map, все равно трафик идет через BGP линки. Сам vpn встает. Так же не понимаю как при этом всунуть NAT?
Предполагается натить с обоих сторон в общую подсеть, к примеру ХОСТ А -> 172.20.20.1/32. ХОСТ В -> 172.20.20.2/32
Подскажите куда копать? Ранее был опыт реализации только ipsec site-to-site и DMVPN с одним лучом (один спок). С BGP опыта не имел.
С точки зрения дизйна правильно ли собираюсь реализовать задачу? Можно линатить в одну общую единую подсеть (либо на конкретные ip /32)?
Так же предполагается исключить пропиетарные фишки для настройки, ввиду того, что на стороне компании А будут роутеры другого вендора.
Схему стенда прилагаю. Спасибо всем откликнувшимся.

Конфиги:
R1#sh run
Building configuration...


Current configuration : 2745 bytes
!
! Last configuration change at 13:42:39 UTC Fri Jun 5 2020
!
version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!

!
!
!
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid -*-*-*-*- sn ********
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key 123456789 address 0.0.0.0
!
!
crypto ipsec transform-set AES256_TR esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile SK_VPN
set transform-set AES256_TR
!
!
!
crypto map MAP-SK 10 ipsec-isakmp
set peer 172.20.10.1
match address VPN_SK
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Tunnel0
description SK_TUN
ip address 172.20.241.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1450
ip ospf network point-to-point
tunnel source 172.20.10.2
tunnel mode ipip
tunnel destination 172.20.10.1
tunnel protection ipsec profile SK_VPN
!
interface GigabitEthernet0/0/0
ip address 10.0.10.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description link_to_R4
ip address 172.20.10.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.0.10.0 0.0.0.255 area 0
network 10.10.10.0 0.0.0.255 area 0
network 172.20.10.0 0.0.0.3 area 0
!
router bgp 65432
bgp log-neighbor-changes
network 172.20.241.0 mask 255.255.255.252
neighbor 20.20.20.1 remote-as 65432
neighbor 20.20.20.1 update-source Loopback0
neighbor 172.20.10.1 remote-as 65431
neighbor 172.20.10.1 update-source GigabitEthernet0/0/1
!
ip nat inside source static 10.0.2.2 192.168.1.2
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
!
!
ip access-list extended VPN_SK
permit ip 10.0.2.0 0.0.0.255 10.5.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end
********************************************************
R2#sh run
Building configuration...


Current configuration : 1991 bytes
!
! Last configuration change at 10:37:34 UTC Fri Jun 5 2020
!
version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!

!
!
!
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid ***** sn *******
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description link_R1
ip address 10.0.10.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description link_R3
ip address 172.20.17.254 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
passive-interface GigabitEthernet0/0/1
network 10.0.10.0 0.0.0.255 area 0
network 20.20.20.0 0.0.0.255 area 0
network 172.20.17.252 0.0.0.3 area 0
!
router bgp 65432
bgp log-neighbor-changes
network 10.0.2.0 mask 255.255.255.0
neighbor 10.10.10.1 remote-as 65432
neighbor 10.10.10.1 update-source Loopback0
neighbor 172.20.17.253 remote-as 65431
neighbor 172.20.17.253 update-source GigabitEthernet0/0/1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
!
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end
**************************************
R3#sh run
Building configuration...


Current configuration : 1986 bytes
!
! Last configuration change at 10:45:22 UTC Fri Jun 5 2020
!
version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!

!
!
!
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid ******** sn **********
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 30.30.30.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description link_to_R4
ip address 172.20.20.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description link_to_R2
ip address 172.20.17.253 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
description LAN_test
ip address 10.3.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
passive-interface GigabitEthernet0/0/1
network 30.30.30.0 0.0.0.255 area 0
network 172.20.17.252 0.0.0.3 area 0
network 172.20.20.0 0.0.0.255 area 0
!
router bgp 65431
bgp log-neighbor-changes
neighbor 40.40.40.1 remote-as 65431
neighbor 40.40.40.1 update-source Loopback0
neighbor 172.20.17.254 remote-as 65432
neighbor 172.20.17.254 update-source GigabitEthernet0/0/1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
!
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end
******************************************************
R4#sh run
Building configuration...

Current configuration : 3316 bytes
!
! Last configuration change at 14:06:04 UTC Fri Jun 5 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid **** sn ****
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key 123456789 address 0.0.0.0
!
!
crypto ipsec transform-set AES256_TR esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile SK_VPN
set transform-set AES256_TR
!
!
!
crypto map MAP-SK-KAZ 10 ipsec-isakmp
set peer 172.20.10.2
set transform-set AES256_TR
match address VPN_SK
!
!
!
!
!
!
interface Loopback0
ip address 40.40.40.1 255.255.255.0
!
interface Tunnel0
description SK_TUN
ip address 172.20.241.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1450
ip ospf network point-to-point
tunnel source 172.20.10.1
tunnel mode ipip
tunnel destination 172.20.10.2
tunnel protection ipsec profile SK_VPN
!
interface GigabitEthernet0
switchport access vlan 2
switchport mode access
no ip address
!
interface GigabitEthernet1
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet2
description LAN_SERV
switchport access vlan 4
switchport mode access
no ip address
!
interface GigabitEthernet3
switchport mode trunk
no ip address
!
interface GigabitEthernet4
switchport mode trunk
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet9
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 172.20.20.1 255.255.255.0
!
interface Vlan3
ip address 172.20.10.1 255.255.255.252
!
interface Vlan4
description LAN
ip address 10.5.1.1 255.255.255.0
no ip proxy-arp
ip policy route-map BGP-SK_1
!
router ospf 1
passive-interface GigabitEthernet1
network 40.40.40.0 0.0.0.255 area 0
network 172.20.10.0 0.0.0.3 area 0
network 172.20.20.0 0.0.0.255 area 0
!
router bgp 65431
bgp log-neighbor-changes
network 10.5.1.0 mask 255.255.255.0
network 172.20.241.0 mask 255.255.255.252
neighbor 30.30.30.1 remote-as 65431
neighbor 30.30.30.1 update-source Loopback0
neighbor 172.20.10.2 remote-as 65432
neighbor 172.20.10.2 update-source Vlan3
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended VPN_SK
permit ip 10.5.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
ipv6 ioam timestamp
!
route-map BGP-SK_1 permit 10
match ip address VPN_SK
set ip next-hop 172.20.241.2
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
!
!
!
!
!
!
end

Забыл отметить, что на стенде я временно отключил верхний канал, и переключился на настройку нижнего ipsec туннеля. Настройка тунеля у меня не верная, ввиду незнания, как это реализовать. т.к. например в ДМВПН можно внутри туннеля настроить ospf (строка которого красуется в туннеле). А как поступить с BGP?

VTI+BGP+Google

FlexVPN + BGP