Diagram:
Task: Configure a site-to-site IPsec VPN between an ESR and a Cisco router, both of which are located behind NAT.
Initial data: On the provider side, static NAT is configured for the IP address pairs 198.51.100.2 - 203.0.113.2 and 198.51.100.6 - 203.0.113.6.
1. Device configurations
When an IPsec tunnel is built between routers located behind NAT, a problem can arise at the moment the remote side is identified. For identification to succeed, the local ID must match the remote ID configured on the remote side (these parameters are marked on the diagram).
By default, routers use the local address and remote address as the local ID and remote ID. This causes identification to fail on the side behind NAT: the remote ID received from the peer carries the external IP address (203.0.113.6), while the local ID corresponds to the internal IP address (198.51.100.6), so IPsec tunnel establishment is aborted.
For identification to succeed, one of two changes must be made:
1. Set the remote ID to the local address of the remote side located behind NAT.
2. Set the local ID to the external IP address that the provider uses for static NAT towards the external network.
A KEY (keyid) or an FQDN (DNS) can also be used for identification:
esr(config-ike-gw)# local id ?
any Configure local id as any ID
dns Configure local id with FQDN
ipv4 Configure local id with IPv4 address
keyid Configure local id with keyid
esr(config-ike-gw)# remote id ?
any Configure remote id as any ID
dns Configure remote id with FQDN
ipv4 Configure remote id with IPv4 address
keyid Configure remote id with keyid
Configuration of local id and remote id is available starting from firmware version 1.23.3.
ESR configuration example:
ESR# show running-config
hostname ESR
interface gigabitethernet 1/0/1
description "to WAN"
ip firewall disable
ip address 198.51.100.2/30
exit
interface gigabitethernet 1/0/2
description "LAN1"
ip firewall disable
ip address 192.0.2.1/26
exit
security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes128
dh-group 2
exit
security ike policy ike_policy
pre-shared-key ascii-text password
proposal ike_proposal
exit
security ike gateway ike_gateway
version v2-only
ike-policy ike_policy
local address 198.51.100.2
local network 192.0.2.0/26
local id ipv4 "203.0.113.2"
remote address 203.0.113.6
remote network 192.0.2.128/26
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes128
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_vpn
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit
security passwords history 0
ip route 203.0.113.6/32 198.51.100.1
Cisco configuration example:
Router#show running-config
...
...
crypto ikev2 proposal ike_proposal
encryption aes-cbc-128
integrity sha256
group 2
!
crypto ikev2 policy ike_policy
match address local 198.51.100.6
proposal ike_proposal
!
crypto ikev2 keyring ike_psk
peer peer_1
address 203.0.113.2
pre-shared-key password
!
!
!
crypto ikev2 profile ike_profile
match identity remote address 203.0.113.2 255.255.255.255
identity local address 203.0.113.6
authentication remote pre-share
authentication local pre-share
keyring local ike_psk
!
!
crypto ipsec transform-set ipsec_transform-set esp-aes esp-sha256-hmac
mode tunnel
!
!
crypto map ipsec_map 1 ipsec-isakmp
set peer 203.0.113.2
set transform-set ipsec_transform-set
set ikev2-profile ike_profile
match address site-to-site
!
!
interface GigabitEthernet1
ip address 198.51.100.6 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
crypto map ipsec_map
!
interface GigabitEthernet2
ip address 192.0.2.129 255.255.255.192
negotiation auto
no mop enabled
no mop sysid
!
!
ip route static install-routes-recurse-via-nexthop
ip route 192.0.2.0 255.255.255.192 203.0.113.2
ip route 203.0.113.0 255.255.255.0 198.51.100.5
!
ip access-list extended site-to-site
10 permit ip 192.0.2.128 0.0.0.63 192.0.2.0 0.0.0.63
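The identity rule from section 1 can be checked mechanically before the tunnel is brought up. The following Python script is an added example (not from the original page, and not an Eltex or Cisco tool): it pulls the IKEv2 identities out of the two configuration excerpts, applies the "default to local/remote address" rule described above, and reports any mismatch. The configuration text it parses is the page's own, embedded here as a constructed sample.

```python
import re

# Constructed samples: the identity-relevant lines of the two configurations on this page.
ESR_CONFIG = """
security ike gateway ike_gateway
 local address 198.51.100.2
 local id ipv4 "203.0.113.2"
 remote address 203.0.113.6
exit
"""
CISCO_CONFIG = """
crypto ikev2 profile ike_profile
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 203.0.113.6
"""
# Same ESR gateway with the "local id" line omitted: the default (pre-fix) situation.
ESR_CONFIG_DEFAULT_ID = ESR_CONFIG.replace(' local id ipv4 "203.0.113.2"\n', "")

def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def esr_ike_ids(config):
    """(local ID the ESR sends, remote ID it expects). Without an explicit
    'local id' / 'remote id' the ESR falls back to local/remote address."""
    local_id = _first(r'^\s*local id ipv4 "?([\d.]+)"?', config) or _first(r"^\s*local address (\S+)", config)
    remote_id = _first(r'^\s*remote id ipv4 "?([\d.]+)"?', config) or _first(r"^\s*remote address (\S+)", config)
    return local_id, remote_id

def cisco_ike_ids(config):
    """(local ID Cisco sends, remote ID its IKEv2 profile matches on)."""
    return (_first(r"^\s*identity local address (\S+)", config),
            _first(r"^\s*match identity remote address (\S+)", config))

def check_identities(esr_config, cisco_config):
    """Return the list of identity mismatches; an empty list means the
    IDi/IDr exchanged across the NAT will be accepted by both peers."""
    esr_local, esr_remote = esr_ike_ids(esr_config)
    cisco_local, cisco_remote = cisco_ike_ids(cisco_config)
    problems = []
    if esr_local != cisco_remote:
        problems.append(f"ESR sends local id {esr_local}, Cisco matches remote id {cisco_remote}")
    if cisco_local != esr_remote:
        problems.append(f"Cisco sends local id {cisco_local}, ESR expects remote id {esr_remote}")
    return problems

if __name__ == "__main__":
    print("page configs:", check_identities(ESR_CONFIG, CISCO_CONFIG) or "OK")
    print("default ESR id:", check_identities(ESR_CONFIG_DEFAULT_ID, CISCO_CONFIG))
```

With the page's configurations the check passes; with the ESR "local id" line removed it reports the exact mismatch that aborts the IKE_AUTH exchange.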
2. Establishing the IPsec tunnel and displaying its operational status
We initiate IPsec tunnel establishment from the Cisco side by sending transit traffic that matches the site-to-site access-list:
Router#show crypto map
Crypto Map IPv4 "ipsec_map" 1 ipsec-isakmp
Peer = 203.0.113.2
IKEv2 Profile: ike_profile
Extended IP access list site-to-site
access-list site-to-site permit ip 192.0.2.128 0.0.0.63 192.0.2.0 0.0.0.63
Current peer: 203.0.113.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
ipsec_transform-set: { esp-aes esp-sha256-hmac } ,
}
Interfaces using crypto map ipsec_map:
GigabitEthernet1
Router#ping 192.0.2.1 source 192.0.2.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.129
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
Operational status of the IPsec tunnel as seen from the Cisco side:
Router#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 198.51.100.6/4500 203.0.113.2/4500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/49 sec
IPv6 Crypto IKEv2 SA
Router#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: ipsec_map, local addr 198.51.100.6
protected vrf: (none)
local ident (addr/mask/prot/port): (192.0.2.128/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.192/0/0)
current_peer 203.0.113.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 198.51.100.6, remote crypto endpt.: 203.0.113.2
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xC0445324(3225703204)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFF07196B(4278655339)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2056, flow_id: CSR:56, sibling_flags FFFFFFFF80000048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607998/3526)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC0445324(3225703204)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2055, flow_id: CSR:55, sibling_flags FFFFFFFF80000048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607999/3526)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Information about the established IPsec tunnel as seen from the ESR side, followed by a check that transit traffic matching the security ike gateway ike_gateway policy passes through:
ESR# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
Name: ipsec_vpn
State: Established
Version: v2-only
Unique ID: 1
Local host: 198.51.100.2
Remote host: 203.0.113.6
Role: Responder
Initiator spi: 0x2bc3c69c6aa4dfce
Responder spi: 0x55e653e146af06e9
Encryption algorithm: aes128
Authentication algorithm: sha2-256
Diffie-Hellman group: 2
Established: 2 minutes and 37 seconds ago
Rekey time: 2 minutes and 37 seconds
Reauthentication time: 2 hours, 40 minutes and 1 second
Child IPsec SAs:
Name: ipsec_vpn-2
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes128
Authentication algorithm: sha2-256
Rekey time: 45 minutes and 2 seconds
Life time: 57 minutes and 23 seconds
Established: 2 minutes and 37 seconds ago
Traffic statistics:
Input bytes: 900
Output bytes: 900
Input packets: 9
Output packets: 9
-------------------------------------------------------------
ESR# show security ipsec vpn authentication ipsec_vpn
Local host Remote host Local subnet Remote subnet Authentication State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
198.51.100.2 203.0.113.6 192.0.2.0/26 192.0.2.128/26 Pre-shared key Established
ESR# ping 192.0.2.129 source ip 192.0.2.1
PING 192.0.2.129 (192.0.2.129) from 192.0.2.1 : 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 2.295/2.477/2.938/0.242 ms