Topology diagram:
Task: build a route-based IPsec VPN tunnel between an ESR and a Cisco 2811.
Example ESR-30 configuration:
esr# show running-config
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.2/30
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.2
  remote address 203.0.113.6
  ip address 192.0.2.1/30
  enable
exit
security ike proposal IKE_proposal
  encryption algorithm aes128
  dh-group 2
exit
security ike policy IKE_policy
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_proposal
exit
security ike gateway IKE_gateway
  ike-policy IKE_policy
  mode route-based
  bind-interface vti 1
exit
security ipsec proposal IPsec_proposal
  encryption algorithm aes128
exit
security ipsec policy IPsec_policy
  proposal IPsec_proposal
exit
security ipsec vpn IPsec_VPN
  mode ike
  ike establish-tunnel route
  ike gateway IKE_gateway
  ike ipsec-policy IPsec_policy
  enable
exit
ip route 203.0.113.4/30 203.0.113.1
Example Cisco 2811 configuration:
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key password address 203.0.113.2
!
crypto ipsec transform-set ESR esp-aes esp-sha-hmac
!
crypto ipsec profile IPsec_profile
 set transform-set ESR
!
interface Tunnel2
 ip address 192.0.2.2 255.255.255.252
 ip ospf network broadcast
 ip ospf 1 area 0
 tunnel source 203.0.113.6
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPsec_profile
!
interface FastEthernet0/0
 ip address 203.0.113.6 255.255.255.252
 speed auto
 full-duplex
!
ip route 203.0.113.0 255.255.255.252 203.0.113.5
Because the ESR-30 is configured with ike establish-tunnel route, the IPsec tunnel is only brought up once transit traffic enters tunnel vti 1; until then show security ipsec vpn status prints nothing, as the first command in the capture below shows. In this capture the ESR reports Role: Responder, so the Cisco side started the IKE negotiation. Note also what the two sides agree on: IKEv1 with AES-128, SHA-1 and DH group 2 (1024-bit MODP), no PFS, and a pre-shared key that is literally "password" on the Cisco side. These values match the proposals above and are fine for a lab, but a production deployment should use a long random PSK and the strongest hash, DH group and PFS settings both platforms support.
Operational output on the ESR while the IPsec tunnel is being established:
esr# show security ipsec vpn status
esr#
esr# ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56 bytes of data.
!!
--- 192.0.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 1.890/1.927/1.964/0.037 ms
esr# show security ipsec vpn status
Name                            Local host      Remote host     Initiator spi      Responder spi      State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPsec_VPN                       203.0.113.2     203.0.113.6     0x2ee3c5540c679db3 0x2dce49bead105d73 Established
esr# show security ipsec vpn status IPsec_VPN
Currently active IKE SA:
Name: IPsec_VPN
State: Established
Version: v1-only
Unique ID: 1
Local host: 203.0.113.2
Remote host: 203.0.113.6
Role: Responder
Initiator spi: 0x2ee3c5540c679db3
Responder spi: 0x2dce49bead105d73
Encryption algorithm: aes128
Authentication algorithm: sha1
Diffie-Hellman group: 2
Established: 3 minutes and 25 seconds ago
Rekey time: 3 minutes and 25 seconds
Reauthentication time: 2 hours, 45 minutes and 8 seconds
Child IPsec SAs:
Name: IPsec_VPN-2
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes128
Authentication algorithm: sha1
Rekey time: 45 minutes and 44 seconds
Life time: 56 minutes and 35 seconds
Established: 3 minutes and 25 seconds ago
Traffic statistics:
Input bytes: 168
Output bytes: 168
Input packets: 2
Output packets: 2
-------------------------------------------------------------
Operational output on the Cisco for the IPsec tunnel:
Router#show crypto ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 203.0.113.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.6, remote crypto endpt.: 203.0.113.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCEFAA52B(3472532779)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAAF7EDE3(2868375011)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4500460/3560)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCEFAA52B(3472532779)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4500460/3560)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
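As an added example (not part of the Eltex or Cisco documentation this page is based on), the following Python script parses the two status outputs above and performs the checks an operator wants after bringing up a route-based tunnel: the ESR reports the IKE SA as Established between the expected endpoints, the Cisco side has an ACTIVE ESP SA in each direction with anti-replay enabled, and the encaps/decaps counters show traffic actually crossing the tunnel rather than just an idle SA. The sample strings are the outputs shown on this page, trimmed to the lines the parser reads; the function names, the dictionary field names and the health rules in tunnel_health are the example's own choices, not vendor APIs.

```python
import re
from typing import Dict, List

# "show security ipsec vpn status" on the ESR after the ping, copied from the page.
ESR_STATUS = """\
Name                            Local host      Remote host     Initiator spi      Responder spi      State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPsec_VPN                       203.0.113.2     203.0.113.6     0x2ee3c5540c679db3 0x2dce49bead105d73 Established
"""

# "show crypto ipsec sa" on the Cisco 2811, copied from the page and trimmed to the lines the parser reads.
CISCO_SA = """\
interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 203.0.113.6
   current_peer 203.0.113.2 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xAAF7EDE3(2868375011)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4500460/3560)
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xCEFAA52B(3472532779)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4500460/3560)
        replay detection support: Y
        Status: ACTIVE
"""

# One ESP SA block as IOS prints it: spi, transform, lifetime, anti-replay flag, status (in that order).
ESP_SA_RE = re.compile(
    r"spi: (?P<spi>0x[0-9A-Fa-f]+)\(\d+\)"
    r".*?transform: (?P<transform>.+?) ,"
    r".*?remaining key lifetime \(k/sec\): \((?P<kb>\d+)/(?P<sec>\d+)\)"
    r".*?replay detection support: (?P<replay>[YN])"
    r".*?Status: (?P<status>[A-Z]+)", re.S)

def parse_esr_status(text: str) -> Dict[str, Dict[str, str]]:
    """ESR status table -> {vpn_name: {local, remote, ispi, rspi, state}}; empty output -> {}."""
    vpns: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        cols = line.split()
        # Data rows have six columns with hex IKE SPIs; the header and rule rows do not.
        if len(cols) == 6 and cols[3].startswith("0x") and cols[4].startswith("0x"):
            vpns[cols[0]] = dict(zip(("local", "remote", "ispi", "rspi", "state"), cols[1:]))
    return vpns

def parse_cisco_sa(text: str) -> dict:
    """'show crypto ipsec sa' -> endpoints, packet counters and per-direction ESP SAs."""
    info: dict = {"local": None, "peer": None, "counters": {}, "sas": []}
    if m := re.search(r"local addr (\S+)", text):
        info["local"] = m.group(1)
    if m := re.search(r"current_peer (\S+) port (\d+)", text):
        info["peer"], info["port"] = m.group(1), int(m.group(2))
    for key, val in re.findall(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)", text):
        info["counters"][key] = int(val)
    for key, val in re.findall(r"#(send|recv) errors (\d+)", text):
        info["counters"][key + "_errors"] = int(val)
    # An ESP SA belongs to the "inbound esp sas:" / "outbound esp sas:" label that precedes it.
    labels = list(re.finditer(r"(inbound|outbound) esp sas:", text))
    for i, lab in enumerate(labels):
        end = labels[i + 1].start() if i + 1 < len(labels) else len(text)
        for sa in ESP_SA_RE.finditer(text, lab.end(), end):
            info["sas"].append({"direction": lab.group(1), "spi": sa["spi"],
                                "transform": sa["transform"], "kb_left": int(sa["kb"]),
                                "sec_left": int(sa["sec"]), "replay": sa["replay"] == "Y",
                                "status": sa["status"]})
    return info

def tunnel_health(esr: Dict[str, Dict[str, str]], cisco: dict, vpn_name: str) -> List[str]:
    """Problems found on either end; an empty list means the tunnel is up and passing traffic."""
    problems: List[str] = []
    vpn = esr.get(vpn_name)
    if vpn is None:
        # Normal with 'ike establish-tunnel route' until traffic has crossed the VTI.
        problems.append(f"{vpn_name}: no IKE SA on the ESR (no traffic through the VTI yet?)")
    else:
        if vpn["state"] != "Established":
            problems.append(f"{vpn_name}: IKE SA state is {vpn['state']}")
        if (vpn["local"], vpn["remote"]) != (cisco["peer"], cisco["local"]):
            problems.append(f"{vpn_name}: endpoint mismatch, ESR {vpn['local']}->{vpn['remote']} "
                            f"vs Cisco {cisco['local']}->{cisco['peer']}")
    for direction in ("inbound", "outbound"):
        active = [s for s in cisco["sas"] if s["direction"] == direction and s["status"] == "ACTIVE"]
        if not active:
            problems.append(f"Cisco: no ACTIVE {direction} ESP SA")
        elif not all(s["replay"] for s in active):
            problems.append(f"Cisco: anti-replay disabled on an {direction} ESP SA")
    c = cisco["counters"]
    if not c.get("encaps") or not c.get("decaps"):
        problems.append("Cisco: ESP counters show no traffic in at least one direction")
    if c.get("send_errors") or c.get("recv_errors"):
        problems.append(f"Cisco: send/recv errors {c.get('send_errors', 0)}/{c.get('recv_errors', 0)}")
    return problems
```

Feed the script the live output of the two show commands (for example collected over SSH) instead of the embedded strings and call tunnel_health(parse_esr_status(esr_out), parse_cisco_sa(cisco_out), "IPsec_VPN"); an empty list is a healthy tunnel, and the "no IKE SA" message is the expected result before the first packet has crossed the VTI, exactly the state the first show security ipsec vpn status above captures.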