Task:

Set up a policy-based site-to-site IPsec VPN between an ESR and a Cisco router using a pre-shared key, so that traffic crossing the Internet (WAN) between the ESR local network (192.168.1.0/24) and the Cisco local network (172.16.1.0/24) is encrypted.

Parameters:

IKE:
Diffie-Hellman group: 2;
encryption algorithm: AES 128 bit;
authentication algorithm: MD5.

IPsec:
encryption algorithm: AES 128 bit;
authentication algorithm: MD5.

The ESR router configuration includes a minimal firewall setup as an example.

ESR configuration:

object-group service ISAKMP
  port-range 500
  port-range 4500
exit

object-group network local_net
  ip prefix 192.168.1.0/24
exit
object-group network remote_net
  ip prefix 172.16.1.0/24
exit

system fan-speed auto

security zone untrusted
exit
security zone trusted
exit

interface gigabitethernet 1/0/1
  security-zone untrusted
  ip address 192.0.2.1/30
exit
interface gigabitethernet 1/0/2
  security-zone trusted
  ip address 192.168.1.1/24
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port ISAKMP
    enable
  exit
  rule 3
    action permit
    match protocol esp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    match source-address local_net
    match destination-address remote_net
    enable
  exit
exit
security zone-pair untrusted trusted
  rule 1
    action permit
    match source-address remote_net
    match destination-address local_net
    enable
  exit
exit

security ike proposal ike_proposal
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 2
exit

security ike policy ike_policy
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal
exit

security ike gateway ike_gw
  ike-policy ike_policy
  local address 192.0.2.1
  local network 192.168.1.0/24
  remote address 198.51.100.1
  remote network 172.16.1.0/24
  mode policy-based
exit

security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit

security ipsec policy ipsec_pol
  proposal ipsec_prop
exit

security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel route
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit

ip route 0.0.0.0/0 192.0.2.2

ESR diagnostic information:

esr# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
    Name:                      ipsec_vpn
    State:                     Established
    Version:                   v1-only
    Unique ID:                 1
    Local host:                192.0.2.1
    Remote host:               198.51.100.1
    Role:                      Responder
    Initiator spi:             0x96035643b0ba9822
    Responder spi:             0x7396ec67a146dc7c
    Encryption algorithm:      aes128
    Authentication algorithm:  md5
    Diffie-Hellman group:      2
    Established:               40 seconds ago
    Rekey time:                40 seconds
    Reauthentication time:     2 hours, 48 minutes and 51 seconds
    Child IPsec SAs:
        Name:                      ipsec_vpn
        State:                     Installed
        Protocol:                  esp
        Mode:                      Tunnel
        Encryption algorithm:      aes128
        Authentication algorithm:  md5
        Rekey time:                47 minutes and 45 seconds
        Life time:                 59 minutes and 40 seconds
        Established:               20 seconds ago
        Traffic statistics: 
            Input bytes:           216552
            Output bytes:          216552
            Input packets:         2578
            Output packets:        2578
        -------------------------------------------------------------

Traffic encryption in the WAN:

15:37:56.140451 a8:f9:4b:ac:f2:ea > 00:13:1a:5d:cf:94, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ESP (50), length 152)
    192.0.2.1 > 198.51.100.1: ESP(spi=0x0e7648d1,seq=0xd), length 132
15:37:56.141883 00:13:1a:5d:cf:94 > a8:f9:4b:ac:f2:ea, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 255, id 1184, offset 0, flags [none], proto ESP (50), length 152)
    198.51.100.1 > 192.0.2.1: ESP(spi=0xcd1452c7,seq=0xd), length 132
15:37:57.141009 a8:f9:4b:ac:f2:ea > 00:13:1a:5d:cf:94, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ESP (50), length 152)
    192.0.2.1 > 198.51.100.1: ESP(spi=0x0e7648d1,seq=0xe), length 132
15:37:57.142430 00:13:1a:5d:cf:94 > a8:f9:4b:ac:f2:ea, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 255, id 1185, offset 0, flags [none], proto ESP (50), length 152)
    198.51.100.1 > 192.0.2.1: ESP(spi=0xcd1452c7,seq=0xe), length 132

Cisco configuration:

crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password address 192.0.2.1
!
crypto ipsec transform-set aesset esp-aes esp-md5-hmac 
!
crypto map link_map 10 ipsec-isakmp 
 set peer 192.0.2.1
 set transform-set aesset 
 match address 101
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 duplex auto
 speed auto
 crypto map link_map
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
access-list 101 permit ip any any
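A proposal mismatch between the two sides is the most common reason such a tunnel never reaches Established; as an added example (not from this page or from Eltex/Cisco documentation), the following Python script reads the IKE/IPsec proposal lines of both configurations above and reports every parameter the two routers would not agree on. The sample excerpts and the Cisco-to-ESR keyword mapping are assumptions constructed from this page.

```python
import re

# Constructed excerpts of the two proposal sections shown on this page.
ESR_CFG = """\
security ike proposal ike_proposal
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 2
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
"""
CISCO_CFG = """\
crypto isakmp policy 10
 encr aes
 hash md5
 group 2
crypto ipsec transform-set aesset esp-aes esp-md5-hmac
"""
# Cisco keyword -> ESR name (assumed mapping; IOS 'aes'/'esp-aes' default to 128-bit keys, 'sha' is SHA-1).
ENCR = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "3des": "3des"}
HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256"}

def parse_esr(cfg):
    """Read authentication/encryption/dh-group from each ESR 'security ... proposal' block."""
    out = {}
    for phase, body in re.findall(r"security (ike|ipsec) proposal \S+\n(.*?)^exit", cfg, re.M | re.S):
        out[phase] = dict(re.findall(r"(authentication|encryption) algorithm (\S+)", body)
                          + re.findall(r"(dh)-group (\d+)", body))
    return out

def parse_cisco(cfg):
    """Read the same parameters from the (first) 'crypto isakmp policy' and the transform-set."""
    ike = dict(re.findall(r"^\s*(encr|hash|group) (.+?)\s*$", cfg, re.M))
    ts = re.search(r"transform-set \S+ (.+)$", cfg, re.M).group(1)
    return {"ike": {"encryption": ENCR[ike["encr"]], "authentication": HASH[ike["hash"]],
                    "dh": ike["group"]},
            "ipsec": {"encryption": ENCR[re.search(r"esp-(aes(?: \d+)?|3des)", ts).group(1)],
                      "authentication": HASH[re.search(r"esp-(\w+)-hmac", ts).group(1)]}}

def mismatches(esr, cisco):
    """Return (phase, parameter, esr_value, cisco_value) for every parameter that differs."""
    return [(ph, p, esr[ph].get(p), cisco[ph].get(p)) for ph in ("ike", "ipsec")
            for p in sorted(set(esr[ph]) | set(cisco[ph])) if esr[ph].get(p) != cisco[ph].get(p)]

if __name__ == "__main__":
    print(mismatches(parse_esr(ESR_CFG), parse_cisco(CISCO_CFG)) or "proposals match")
```

Feed it the real `show running-config` excerpts from both routers before opening the firewall rules: an empty list means phase 1 and phase 2 parameters line up, and each tuple names the exact parameter to correct on one side.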

Cisco diagnostic information:

Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.1    QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA
    
Router# show crypto ipsec sa           # partial output

interface: FastEthernet0/0
    Crypto map tag: link_map, local addr 198.51.100.1
     local crypto endpt.: 198.51.100.1, remote crypto endpt.: 192.0.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:
          
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.0.2.1 port 500
     PERMIT, flags={}
    #pkts encaps: 2578, #pkts encrypt: 2579, #pkts digest: 2578
    #pkts decaps: 2578, #pkts decrypt: 2579, #pkts verify: 2578
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
