Task: encrypt an L2TPv3 tunnel.
Solution: IPsec can protect not only a specific protocol but also the traffic that passes through particular UDP/TCP ports. We apply this to encrypting an L2TPv3 tunnel.
Assume that an L2TPv3 tunnel is already configured between routers R1 and R2. For simplicity, we consider their minimal configuration.
Router R1:
object-group service L2TPV3
  port-range 514
exit
vlan 50
exit
security zone untrusted
exit
security zone trusted
exit
bridge 10
  vlan 50
  security-zone trusted
  ip address 172.16.250.1/30
  enable
exit
interface gigabitethernet 1/0/1
  security-zone untrusted
  ip address 192.0.2.1/24
exit
tunnel l2tpv3 1
  protocol udp
  local port 514
  remote port 514
  local session-id 12
  remote session-id 12
  bridge-group 10
  local address 192.0.2.1
  remote address 192.0.2.2
  enable
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match destination-port L2TPV3
    enable
  exit
exit
Router R2:
object-group service L2TPV3
  port-range 514
exit
vlan 50
exit
security zone untrusted
exit
security zone trusted
exit
bridge 10
  vlan 50
  security-zone trusted
  ip address 172.16.250.2/30
  enable
exit
interface gigabitethernet 1/0/1
  security-zone untrusted
  ip address 192.0.2.2/24
exit
tunnel l2tpv3 1
  protocol udp
  local port 514
  remote port 514
  local session-id 12
  remote session-id 12
  bridge-group 10
  local address 192.0.2.2
  remote address 192.0.2.1
  enable
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match destination-port L2TPV3
    enable
  exit
exit
In this case the tunnel traffic is carried over UDP on port 514.
Now configure IPsec on both routers. In the ike gateway settings we specify the same protocol and port as the tunnel uses. Remember to also add the firewall rules IPsec itself needs (IKE and ESP, see rules 11 and 12 below).
Router R1:
object-group service IKE
  port-range 500
  port-range 4500
exit
security zone-pair untrusted self
  rule 11
    action permit
    match protocol udp
    match destination-port IKE
    enable
  exit
  rule 12
    action permit
    match protocol esp
    enable
  exit
exit
security ike proposal IKEPROP
exit
security ike policy IKEPOL
  pre-shared-key ascii-text encrypted CDE65039E5591FA3
  proposal IKEPROP
exit
security ike gateway IKEGW
  ike-policy IKEPOL
  local address 192.0.2.1
  local network 192.0.2.1/32 protocol udp port 514
  remote address 192.0.2.2
  remote network 192.0.2.2/32 protocol udp port 514
  mode policy-based
exit
security ipsec proposal IPSECPROP
exit
security ipsec policy IPSECPOL
  proposal IPSECPROP
exit
security ipsec vpn L2TPV3
  mode ike
  ike establish-tunnel route
  ike gateway IKEGW
  ike ipsec-policy IPSECPOL
  enable
exit
Router R2:
object-group service IKE
  port-range 500
  port-range 4500
exit
security zone-pair untrusted self
  rule 11
    action permit
    match protocol udp
    match destination-port IKE
    enable
  exit
  rule 12
    action permit
    match protocol esp
    enable
  exit
exit
security ike proposal IKEPROP
exit
security ike policy IKEPOL
  pre-shared-key ascii-text encrypted CDE65039E5591FA3
  proposal IKEPROP
exit
security ike gateway IKEGW
  ike-policy IKEPOL
  local address 192.0.2.2
  local network 192.0.2.2/32 protocol udp port 514
  remote address 192.0.2.1
  remote network 192.0.2.1/32 protocol udp port 514
  mode policy-based
exit
security ipsec proposal IPSECPROP
exit
security ipsec policy IPSECPOL
  proposal IPSECPROP
exit
security ipsec vpn L2TPV3
  mode ike
  ike establish-tunnel route
  ike gateway IKEGW
  ike ipsec-policy IPSECPOL
  enable
exit
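As an added example (not from the article and not vendor code), the following Python model shows how the policy-based selector from the IKE gateway and the zone-pair rules configured above classify traffic on R1's gi1/0/1. The addresses, ports and rules are those of the R1 configuration; the packets are constructed samples. The point it makes: only UDP/514 between the two endpoints is covered by the selector, so if the tunnel were moved to another port without updating the `local network`/`remote network` lines, that traffic would leave in cleartext.

```python
# Added example: model of R1's IPsec selector and zone-pair firewall rules.
# Not part of the original article; values copied from its R1 configuration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp", "esp", ...
    dport: int = 0  # 0 for protocols that have no port (e.g. esp)


@dataclass(frozen=True)
class Selector:
    """Mirrors 'local network X protocol udp port 514' / 'remote network Y ...'."""
    local_net: str
    remote_net: str
    proto: str
    port: int

    def matches(self, pkt: Packet) -> bool:
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.local_net)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.remote_net)
        return src_ok and dst_ok and pkt.proto == self.proto and pkt.dport == self.port


# Selector from R1's 'security ike gateway IKEGW'
R1_SELECTOR = Selector("192.0.2.1/32", "192.0.2.2/32", "udp", 514)

# R1's 'security zone-pair untrusted self' permit rules: (protocol, dest ports or None)
R1_ZONE_PAIR_RULES = [
    ("udp", {514}),        # rule 1: object-group L2TPV3
    ("udp", {500, 4500}),  # rule 11: object-group IKE
    ("esp", None),         # rule 12: ESP has no ports
]


def permitted_to_self(pkt: Packet) -> bool:
    """First matching permit rule wins; anything else hits the implicit deny."""
    for proto, ports in R1_ZONE_PAIR_RULES:
        if pkt.proto == proto and (ports is None or pkt.dport in ports):
            return True
    return False


def classify_outbound(pkt: Packet) -> str:
    """What happens to a packet R1 originates and sends out of gi1/0/1."""
    return "encrypted (ESP)" if R1_SELECTOR.matches(pkt) else "cleartext"


def classify_inbound(pkt: Packet) -> str:
    """What happens to a packet arriving on gi1/0/1 that is addressed to R1 itself."""
    return "accepted" if permitted_to_self(pkt) else "dropped by zone-pair"


if __name__ == "__main__":
    # Constructed samples
    outbound = [
        Packet("192.0.2.1", "192.0.2.2", "udp", 514),   # L2TPv3 data: matches selector
        Packet("192.0.2.1", "192.0.2.2", "udp", 1701),  # tunnel on a port outside the selector
    ]
    inbound = [
        Packet("192.0.2.2", "192.0.2.1", "udp", 500),   # IKE from R2
        Packet("192.0.2.2", "192.0.2.1", "esp"),        # ESP from R2
        Packet("192.0.2.2", "192.0.2.1", "udp", 4000),  # nothing permits this
    ]
    for p in outbound:
        print(p, "->", classify_outbound(p))
    for p in inbound:
        print(p, "->", classify_inbound(p))
```

Running it prints one line per sample packet; the second outbound sample is the case to watch for when a tunnel's port is changed.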
As a result, UDP traffic on port 514 is encrypted on interface gi1/0/1. The state of the connection can be checked with sh security ipsec vpn status:
esr# sh security ipsec vpn status L2TPV3
Currently active IKE SA:
Name: L2TPV3
State: Established
Version: v1-only
Unique ID: 2
Local host: 192.0.2.2
Remote host: 192.0.2.1
Role: Responder
Initiator spi: 0x8914724af54609dd
Responder spi: 0x1ad7ceb5de13a486
Encryption algorithm: des
Authentication algorithm: sha1
Diffie-Hellman group: 1
Established: 16 minutes and 7 seconds ago
Rekey time: 16 minutes and 7 seconds
Reauthentication time: 2 hours, 26 minutes and 51 seconds
Child IPsec SAs:
Name: L2TPV3-2
State: Invalid
Protocol: esp
Mode: Tunnel
Encryption algorithm: 3des
Authentication algorithm: sha1
Rekey time: 25 minutes and 56 seconds
Life time: 43 minutes and 21 seconds
Established: 16 minutes and 39 seconds ago
Traffic statistics:
Input bytes: 1581
Output bytes: 1488
Input packets: 17
Output packets: 16
-------------------------------------------------------------
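As an added example (not from the article), the following Python script parses the `sh security ipsec vpn status` output above and audits it the way a security engineer would: it confirms the IKE SA is established, reports any child SA that is not in a healthy state, and flags legacy algorithms. The sample text is copied from the article's output; the choice of which states count as healthy (`Established`, `Installed`) and which algorithms count as legacy is my own assumption, not something the article or the vendor states. Note that the article's own output shows DES, 3DES, SHA1 and Diffie-Hellman group 1, which are the defaults of the empty proposals above and are exactly what this check reports.

```python
# Added example: parse and audit 'sh security ipsec vpn status' output.
# Not part of the original article; SAMPLE_STATUS is copied from its output.
import re

SAMPLE_STATUS = """\
Currently active IKE SA:
Name: L2TPV3
State: Established
Version: v1-only
Unique ID: 2
Local host: 192.0.2.2
Remote host: 192.0.2.1
Role: Responder
Initiator spi: 0x8914724af54609dd
Responder spi: 0x1ad7ceb5de13a486
Encryption algorithm: des
Authentication algorithm: sha1
Diffie-Hellman group: 1
Established: 16 minutes and 7 seconds ago
Rekey time: 16 minutes and 7 seconds
Reauthentication time: 2 hours, 26 minutes and 51 seconds
Child IPsec SAs:
Name: L2TPV3-2
State: Invalid
Protocol: esp
Mode: Tunnel
Encryption algorithm: 3des
Authentication algorithm: sha1
Rekey time: 25 minutes and 56 seconds
Life time: 43 minutes and 21 seconds
Established: 16 minutes and 39 seconds ago
Traffic statistics:
Input bytes: 1581
Output bytes: 1488
Input packets: 17
Output packets: 16
"""

# Assumptions (mine, not the vendor's): states considered healthy and
# algorithms considered legacy for a new deployment.
HEALTHY_STATES = {"Established", "Installed"}
LEGACY_ENC = {"des", "3des"}
LEGACY_AUTH = {"md5", "sha1"}
LEGACY_DH = {"1", "2", "5"}


def parse_status(text):
    """Return {'ike': {key: value}, 'children': [{key: value}, ...]}."""
    ike, children, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Currently active IKE SA"):
            current = ike
            continue
        if line.startswith("Child IPsec SAs"):
            current = None  # the next 'Name:' line opens a child SA block
            continue
        if line.startswith("Traffic statistics"):
            continue        # counters below belong to the current child SA
        m = re.match(r"([^:]+):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name" and current is not ike:
            current = {}
            children.append(current)
        if current is not None:
            current[key] = value
    return {"ike": ike, "children": children}


def _check_algorithms(sa, label, findings):
    if sa.get("Encryption algorithm") in LEGACY_ENC:
        findings.append(f"{label} uses legacy encryption {sa['Encryption algorithm']}")
    if sa.get("Authentication algorithm") in LEGACY_AUTH:
        findings.append(f"{label} uses legacy integrity {sa['Authentication algorithm']}")
    if sa.get("Diffie-Hellman group") in LEGACY_DH:
        findings.append(f"{label} uses weak DH group {sa['Diffie-Hellman group']}")


def audit(status):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings = []
    ike = status["ike"]
    if ike.get("State") not in HEALTHY_STATES:
        findings.append(f"IKE SA {ike.get('Name')} state is {ike.get('State')}")
    _check_algorithms(ike, f"IKE SA {ike.get('Name')}", findings)
    if not status["children"]:
        findings.append("no child IPsec SA: tunnel traffic is not protected")
    for child in status["children"]:
        label = f"child SA {child.get('Name')}"
        if child.get("State") not in HEALTHY_STATES:
            findings.append(f"{label} state is {child.get('State')}")
        _check_algorithms(child, label, findings)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE_STATUS)):
        print("FINDING:", finding)
```

Against the article's output the script reports six findings: the child SA state `Invalid`, and the DES, 3DES, SHA1 and DH group 1 algorithms. To use it on a live device, feed the output of the same command into `parse_status` in place of `SAMPLE_STATUS`.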