Задача: Зашифровать L2TPv3 туннель.
Решение: С помощью IPsec можно шифровать не только определенный протокол, но и трафик, который проходит через конкретный UDP/TCP порты. Применим это на примере шифрования туннеля L2TPv3.
Допустим, что между маршрутизаторами R1 и R2 уже настроен l2tpv3 туннель. Для простоты рассмотрим их минимальную конфигурацию.
Маршуртизатор R1:
object-group service L2TPV3 port-range 514 exit vlan 50 exit security zone untusted exit security zone trusted exit
bridge 10 vlan 50
security-zone trusted ip address 172.16.250.1/30 enable exit interface gigabitethernet 1/0/1 security-zone untrusted ip address 192.0.2.1/24 exit tunnel l2tpv3 1 protocol udp local port 514 remote port 514 local session-id 12 remote session-id 12 bridge-group 10 local address 192.0.2.1 remote address 192.0.2.2 enable exit
security zone-pair untusted self rule 1 action permit match protocol udp match destination-port L2TPV3 enable exit exit
Маршрутизатор R2:
object-group service L2TPV3 port-range 514 exit vlan 50 exit security zone untusted exit security zone trusted exit
bridge 10 vlan 50 security-zone trusted ip address 172.16.250.2/30 enable exit interface gigabitethernet 1/0/1 security-zone untrusted ip address 192.0.2.2/24 exit tunnel l2tpv3 1 protocol udp local port 514 remote port 514 local session-id 12 remote session-id 12 bridge-group 10 local address 192.0.2.2 remote address 192.0.2.1 enable exit
security zone-pair untusted self rule 1 action permit match protocol udp match destination-port L2TPV3 enable exit exit
В данном случае туннельный трафик передается по протоколу UDP через порт 514.
Настроим IPsec на обоих роутерах. В настройках ike gateway укажем соответствующий протокол и порт. Также необходимо не забыть настроить правила файрвола для IPsec.
Маршуртизатор R1:
object-group service IKE port-range 500 port-range 4500 exit
security zone-pair untusted self rule 11 action permit match protocol udp match destination-port IKE enable exit rule 12 action permit match protocol esp enable exit exit
security ike proposal IKEPROP exit security ike policy IKEPOL pre-shared-key ascii-text encrypted CDE65039E5591FA3 proposal IKEPROP exit security ike gateway IKEGW ike-policy IKEPOL local address 192.0.2.1 local network 192.0.2.1/32 protocol udp port 514 remote address 192.0.2.2 remote network 192.0.2.2/32 protocol udp port 514 mode policy-based exit security ipsec proposal IPSECPROP exit security ipsec policy IPSECPOL proposal IPSECPROP exit security ipsec vpn L2TPV3 mode ike ike establish-tunnel route ike gateway IKEGW ike ipsec-policy IPSECPOL enable exit
Маршрутизатор R2:
object-group service IKE port-range 500 port-range 4500 exit
security zone-pair untusted self rule 11 action permit match protocol udp match destination-port IKE enable exit rule 12 action permit match protocol esp enable exit exit
security ike proposal IKEPROP exit security ike policy IKEPOL pre-shared-key ascii-text encrypted CDE65039E5591FA3 proposal IKEPROP exit security ike gateway IKEGW ike-policy IKEPOL local address 192.0.2.2 local network 192.0.2.2/32 protocol udp port 514 remote address 192.0.2.1 remote network 192.0.2.1/32 protocol udp port 514 mode policy-based exit security ipsec proposal IPSECPROP exit security ipsec policy IPSECPOL proposal IPSECPROP exit security ipsec vpn L2TPV3 mode ike ike establish-tunnel route ike gateway IKEGW ike ipsec-policy IPSECPOL enable exit
Таким образом трафик UDP идущий через 514 порт будет шифроваться на интерфейсе gi1/0/1.
esr# sh security ipsec vpn status L2TPV3 Currently active IKE SA: Name: L2TPV3 State: Established Version: v1-only Unique ID: 2 Local host: 192.0.2.2 Remote host: 192.0.2.1 Role: Responder Initiator spi: 0x8914724af54609dd Responder spi: 0x1ad7ceb5de13a486 Encryption algorithm: des Authentication algorithm: sha1 Diffie-Hellman group: 1 Established: 16 minutes and 7 seconds ago Rekey time: 16 minutes and 7 seconds Reauthentication time: 2 hours, 26 minutes and 51 seconds Child IPsec SAs: Name: L2TPV3-2 State: Invalid Protocol: esp Mode: Tunnel Encryption algorithm: 3des Authentication algorithm: sha1 Rekey time: 25 minutes and 56 seconds Life time: 43 minutes and 21 seconds Established: 16 minutes and 39 seconds ago Traffic statistics: Input bytes: 1581 Output bytes: 1488 Input packets: 17 Output packets: 16 -------------------------------------------------------------