Задача:
Организация IPsec VPN Policy Based Site-to-Site в VRF с использованием Pre-Shared Key для шифрования трафика в Internet(WAN) между локальной сетью(192.168.1.0/24) ESR-1 и локальной сетью(172.16.1.0/24) ESR-2.
Параметры:
IKE:
алгоритм шифрования: 3des;
алгоритм аутентификации: sha1.
IPsec:
алгоритм шифрования: 3des ;
алгоритм аутентификации: sha1.
В конфигурации маршрутизаторов ESR-1 и ESR-2 произведена минимальная настройка firewall в качестве примера.
Конфигурация ESR-1:
ESR-1# sh running-config hostname ESR-1 object-group service ISAKMP port-range 500 port-range 4500 exit object-group network Local_net ip prefix 192.168.1.0/24 exit object-group network Remote_net ip prefix 172.16.1.0/24 exit ip vrf test exit security zone untrusted ip vrf forwarding test exit security zone trusted ip vrf forwarding test exit interface gigabitethernet 1/0/1 ip vrf forwarding test security-zone untrusted ip address 192.0.2.1/30 exit interface gigabitethernet 1/0/2 ip vrf forwarding test security-zone trusted ip address 192.168.1.1/24 exit security zone-pair untrusted self rule 1 action permit match protocol udp match destination-port ISAKMP enable exit rule 10 action permit match protocol esp enable exit rule 11 action permit match protocol icmp enable exit exit security zone-pair untrusted trusted rule 10 action permit match source-address Remote_net match destination-address Local_net enable exit exit security zone-pair trusted untrusted rule 10 action permit match source-address Local_net match destination-address Remote_net enable exit exit security ike proposal IKE_PROPOSAL exit security ike policy IKE_POLICY pre-shared-key ascii-text <password> proposal IKE_PROPOSAL exit security ike gateway IKE_GATEWAY ike-policy IKE_POLICY local address 192.0.2.1 local network 192.168.1.0/24 remote address 198.51.100.1 remote network 172.16.1.0/24 mode policy-based exit security ipsec proposal IPSEC_PROPOSAL exit security ipsec policy IPSEC_POLICY proposal IPSEC_PROPOSAL exit security ipsec vpn IPSEC_VPN mode ike ip vrf forwarding test ike establish-tunnel route ike gateway IKE_GATEWAY ike ipsec-policy IPSEC_POLICY enable exit ip route vrf test 0.0.0.0/0 192.0.2.2
Диагностическая информация ESR-1:
ESR-1# sh security ipsec vpn status vrf test IPSEC_VPN Currently active IKE SA: Name: IPSEC_VPN State: Established Version: v1-only Unique ID: 1 Local host: 192.0.2.1 Remote host: 198.51.100.1 Role: Responder Initiator spi: 0x1d0c68c51a7cd2f8 Responder spi: 0x16ed4123946b0295 Encryption algorithm: des Authentication algorithm: sha1 Diffie-Hellman group: 1 Established: 1 hour, 46 minutes and 58 seconds ago Rekey time: 1 hour, 46 minutes and 58 seconds Reauthentication time: 1 hour, 1 minute and 1 second Child IPsec SAs: Name: IPSEC_VPN-4 State: Installed Protocol: esp Mode: Tunnel Encryption algorithm: 3des Authentication algorithm: sha1 Rekey time: 31 minutes and 2 seconds Life time: 43 minutes and 39 seconds Established: 16 minutes and 21 seconds ago Traffic statistics: Input bytes: 873180 Output bytes: 873180 Input packets: 10395 Output packets: 10395 -------------------------------------------------------------
Шифрование трафика в WAN:
15:45:54.719594 a8:f9:4b:aa:b3:53 > a8:f9:4b:aa:38:21, ethertype IPv4 (0x0800), length 150: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 136) 192.0.2.1 > 198.51.100.1: ESP(spi=0xc1413691,seq=0x289c), length 116 15:45:54.719999 a8:f9:4b:aa:38:21 > a8:f9:4b:aa:b3:53, ethertype IPv4 (0x0800), length 150: (tos 0x0, ttl 63, id 13623, offset 0, flags [none], proto ESP (50), length 136) 198.51.100.1 > 192.0.2.1: ESP(spi=0xcc487721,seq=0x289c), length 116 15:45:54.720073 a8:f9:4b:aa:38:21 > a8:f9:4b:aa:b3:53, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 64462, offset 0, flags [none], proto ICMP (1), length 84) 172.16.1.10 > 192.168.1.10: ICMP echo reply, id 16, seq 1, length 64 15:45:54.720611 a8:f9:4b:aa:b3:53 > a8:f9:4b:aa:38:21, ethertype IPv4 (0x0800), length 150: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 136) 192.0.2.1 > 198.51.100.1: ESP(spi=0xc1413691,seq=0x289d), length 116
Конфигурация ESR-2:
ESR-2# sh running-config hostname ESR-2 object-group service ISAKMP port-range 500 port-range 4500 exit object-group network Local_net ip prefix 172.16.1.0/24 exit object-group network Remote_net ip prefix 192.168.1.0/24 exit ip vrf test exit security zone untrusted ip vrf forwarding test exit security zone trusted ip vrf forwarding test exit interface gigabitethernet 1/0/1 ip vrf forwarding test security-zone untrusted ip address 198.51.100.1/30 exit interface gigabitethernet 1/0/2 ip vrf forwarding test security-zone trusted ip address 172.16.1.1/24 exit security zone-pair untrusted self rule 1 action permit match protocol udp match destination-port ISAKMP enable exit rule 10 action permit match protocol esp enable exit rule 11 action permit match protocol icmp enable exit exit security zone-pair untrusted trusted rule 10 action permit match source-address Remote_net match destination-address Local_net enable exit exit security zone-pair trusted untrusted rule 10 action permit match source-address Local_net match destination-address Remote_net enable exit exit security zone-pair trusted self rule 10 action permit match protocol icmp enable exit exit security ike proposal IKE_PROPOSAL exit security ike policy IKE_POLICY pre-shared-key ascii-text <password> proposal IKE_PROPOSAL exit security ike gateway IKE_GATEWAY ike-policy IKE_POLICY local address 198.51.100.1 local network 172.16.1.0/24 remote address 192.0.2.1 remote network 192.168.1.0/24 mode policy-based exit security ipsec proposal IPSEC_PROPOSAL exit security ipsec policy IPSEC_POLICY proposal IPSEC_PROPOSAL exit security ipsec vpn IPSEC_VPN mode ike ip vrf forwarding test ike establish-tunnel route ike gateway IKE_GATEWAY ike ipsec-policy IPSEC_POLICY enable exit ip route vrf test 0.0.0.0/0 198.51.100.2
Диагностическая информация ESR-2:
ESR-2# sh security ipsec vpn status vrf test IPSEC_VPN Currently active IKE SA: Name: IPSEC_VPN State: Established Version: v1-only Unique ID: 1 Local host: 198.51.100.1 Remote host: 192.0.2.1 Role: Initiator Initiator spi: 0x1d0c68c51a7cd2f8 Responder spi: 0x16ed4123946b0295 Encryption algorithm: des Authentication algorithm: sha1 Diffie-Hellman group: 1 Established: 1 hour, 55 minutes and 46 seconds ago Rekey time: 1 hour, 55 minutes and 46 seconds Reauthentication time: 54 minutes and 22 seconds Child IPsec SAs: Name: IPSEC_VPN-4 State: Installed Protocol: esp Mode: Tunnel Encryption algorithm: 3des Authentication algorithm: sha1 Rekey time: 23 minutes and 37 seconds Life time: 34 minutes and 51 seconds Established: 25 minutes and 9 seconds ago Traffic statistics: Input bytes: 3657024 Output bytes: 3657024 Input packets: 43536 Output packets: 43536 -------------------------------------------------------------