Task:
Set up a policy-based site-to-site IPsec VPN between an ESR and a Cisco router, authenticated with a pre-shared key, to encrypt the traffic crossing the Internet (WAN) between the ESR local network (192.168.1.0/24) and the Cisco local network (172.16.1.0/24).
Parameters:
IKE:
Diffie-Hellman group: 2;
encryption algorithm: AES 128 bit;
authentication algorithm: MD5.
IPsec:
encryption algorithm: AES 128 bit;
authentication algorithm: MD5.
The ESR router configuration includes a minimal firewall setup as an example.
ESR configuration:
object-group service ISAKMP
  port-range 500
  port-range 4500
exit
object-group network local_net
  ip prefix 192.168.1.0/24
exit
object-group network remote_net
  ip prefix 172.16.1.0/24
exit
system fan-speed auto
security zone untrusted
exit
security zone trusted
exit
interface gigabitethernet 1/0/1
  security-zone untrusted
  ip address 192.0.2.1/30
exit
interface gigabitethernet 1/0/2
  security-zone trusted
  ip address 192.168.1.1/24
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port ISAKMP
    enable
  exit
  rule 3
    action permit
    match protocol esp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    match source-address local_net
    match destination-address remote_net
    enable
  exit
exit
security zone-pair untrusted trusted
  rule 1
    action permit
    match source-address remote_net
    match destination-address local_net
    enable
  exit
exit
security ike proposal ike_proposal
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 2
exit
security ike policy ike_policy
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal
exit
security ike gateway ike_gw
  ike-policy ike_policy
  local address 192.0.2.1
  local network 192.168.1.0/24
  remote address 198.51.100.1
  remote network 172.16.1.0/24
  mode policy-based
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel route
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit
ip route 0.0.0.0/0 192.0.2.2
ESR diagnostic information:
esr# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
    Name:                         ipsec_vpn
    State:                        Established
    Version:                      v1-only
    Unique ID:                    1
    Local host:                   192.0.2.1
    Remote host:                  198.51.100.1
    Role:                         Responder
    Initiator spi:                0x96035643b0ba9822
    Responder spi:                0x7396ec67a146dc7c
    Encryption algorithm:         aes128
    Authentication algorithm:     md5
    Diffie-Hellman group:         2
    Established:                  40 seconds ago
    Rekey time:                   40 seconds
    Reauthentication time:        2 hours, 48 minutes and 51 seconds
    Child IPsec SAs:
        Name:                     ipsec_vpn
        State:                    Installed
        Protocol:                 esp
        Mode:                     Tunnel
        Encryption algorithm:     aes128
        Authentication algorithm: md5
        Rekey time:               47 minutes and 45 seconds
        Life time:                59 minutes and 40 seconds
        Established:              20 seconds ago
        Traffic statistics:
            Input bytes:          216552
            Output bytes:         216552
            Input packets:        2578
            Output packets:       2578
-------------------------------------------------------------
Traffic encryption in the WAN (capture on the ESR WAN interface, only ESP is visible between the two gateways):
15:37:56.140451 a8:f9:4b:ac:f2:ea > 00:13:1a:5d:cf:94, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ESP (50), length 152)
    192.0.2.1 > 198.51.100.1: ESP(spi=0x0e7648d1,seq=0xd), length 132
15:37:56.141883 00:13:1a:5d:cf:94 > a8:f9:4b:ac:f2:ea, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 255, id 1184, offset 0, flags [none], proto ESP (50), length 152)
    198.51.100.1 > 192.0.2.1: ESP(spi=0xcd1452c7,seq=0xd), length 132
15:37:57.141009 a8:f9:4b:ac:f2:ea > 00:13:1a:5d:cf:94, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ESP (50), length 152)
    192.0.2.1 > 198.51.100.1: ESP(spi=0x0e7648d1,seq=0xe), length 132
15:37:57.142430 00:13:1a:5d:cf:94 > a8:f9:4b:ac:f2:ea, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 255, id 1185, offset 0, flags [none], proto ESP (50), length 152)
    198.51.100.1 > 192.0.2.1: ESP(spi=0xcd1452c7,seq=0xe), length 132
Cisco configuration:
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password address 192.0.2.1
!
crypto ipsec transform-set aesset esp-aes esp-md5-hmac
!
crypto map link_map 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set aesset
 match address 101
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 duplex auto
 speed auto
 crypto map link_map
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
access-list 101 permit ip any any
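A proposal mismatch between the two sides is the usual reason an IKEv1 tunnel like this one never reaches Established, and the two vendors spell the same parameters differently. As an added example (not code from the original page, from Eltex or from Cisco), the script below cross-checks the ESR `security ike proposal` / `security ipsec proposal` blocks against the IOS `crypto isakmp policy` and `transform-set` lines, normalising IOS spellings (`encr aes` is AES-128, `hash sha` is SHA-1) to the ESR names; the configuration excerpts are constructed copies of the ones above, and the NAMES table and function names are the example's own.

```python
import re
# Constructed excerpts of the ESR and Cisco IOS configurations shown on this page.
ESR_CFG = """\
security ike proposal ike_proposal
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 2
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
"""
CISCO_CFG = """\
crypto isakmp policy 10
 encr aes
 hash md5
 group 2
crypto ipsec transform-set aesset esp-aes esp-md5-hmac
"""
NAMES = {"sha": "sha1"}   # IOS 'hash sha' / 'esp-sha-hmac' mean SHA-1; other names already agree
def esr_params(cfg):
    out, cur = {"ike": {}, "ipsec": {}}, None
    for t in (l.split() for l in cfg.splitlines()):
        if t[:1] == ["security"]:                    # any top-level 'security' line starts a new block
            cur = out.get(t[1]) if t[2:3] == ["proposal"] else None
        elif cur is not None and t[1:2] == ["algorithm"]:
            cur[t[0][:4]] = t[2]                     # 'authentication ...' -> auth, 'encryption ...' -> encr
        elif cur is not None and t[:1] == ["dh-group"]:
            cur["dh"] = t[1]
    return out

def cisco_params(cfg):
    ike, ipsec = {}, {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["encr"]:                        # 'encr aes' is AES-128, 'encr aes 256' is AES-256
            ike["encr"] = t[1] + (t[2] if len(t) > 2 else "128" * (t[1] == "aes"))
        elif t[:1] in (["hash"], ["group"]):
            ike["auth" if t[0] == "hash" else "dh"] = NAMES.get(t[1], t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            enc, auth = re.search(r"esp-aes(?: (\d+))?", line), re.search(r"esp-(md5|sha)-hmac", line)
            ipsec["encr"] = "aes" + (enc.group(1) or "128") if enc else None    # bare esp-aes is 128-bit
            ipsec["auth"] = NAMES.get(auth.group(1), auth.group(1)) if auth else None
    return {"ike": ike, "ipsec": ipsec}

def mismatches(esr_cfg=ESR_CFG, cisco_cfg=CISCO_CFG):
    esr, cisco = esr_params(esr_cfg), cisco_params(cisco_cfg)
    return [(p, k, esr[p].get(k), cisco[p].get(k)) for p in ("ike", "ipsec")
            for k in sorted(set(esr[p]) | set(cisco[p])) if esr[p].get(k) != cisco[p].get(k)]
```

mismatches() returns one (phase, parameter, esr_value, cisco_value) tuple per differing parameter and an empty list when both sides agree, as they do for the configurations on this page.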
Cisco diagnostic information:
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.1    QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

Router# show crypto ipsec sa
# partial output
interface: FastEthernet0/0
    Crypto map tag: link_map, local addr 198.51.100.1

     local crypto endpt.: 198.51.100.1, remote crypto endpt.: 192.0.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.0.2.1 port 500
     PERMIT, flags={}
    #pkts encaps: 2578, #pkts encrypt: 2579, #pkts digest: 2578
    #pkts decaps: 2578, #pkts decrypt: 2579, #pkts verify: 2578
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0