Пример настройки IPsec VPN (site-to-site) между ESR and Cisco за NAT

Схема:

Задача: Настроить IPsec VPN (site-to-site) между ESR and Cisco, которые находятся за NAT.
Исходные данные: Со стороны провайдеров настроен Static NAT для пар IP-адресов 198.51.100.2 - 203.0.113.2 и 198.51.100.6 - 203.0.113.6.

1. Конфигурации устройств

При построении IPsec-туннеля между маршрутизаторами, находящимися за NAT, может возникнуть проблема в момент идентификации удаленной стороны. При идентификации local ID должен совпадать с remote ID, настроенном на удаленной стороне (данные параметры отмечены на схеме).

По умолчанию на маршрутизаторах local ID и remote ID принимают значения local address и remote address, в результате чего возникает проблема при идентификации на стороне, находящейся за NAT - от удаленной стороны приходит remote ID со значением внешнего IP-адреса (203.0.113.6), в то время как local ID соответствует значению внутреннего IP-адреса (198.51.100.6), в результате чего построение IPsec-туннеля прекращается.

Для удачной идентификации необходимо произвести одно из двух изменений:
1. В качестве значения remote ID необходимо указать local address удаленной стороны, находящейся за NAT.

2. В качестве значения local ID необходимо указать внешний IP-адрес, который используется провайдером для Static-NAT во внешнюю сеть.

Также в качестве идентификации есть возможность использовать KEY или FQDN (DNS):

esr(config-ike-gw)# local id ?
any Configure local id as any ID
dns Configure local id with FQDN
ipv4 Configure local id with IPv4 address
keyid Configure local id with keyid

esr(config-ike-gw)# remote id ?
any Configure remote id as any ID
dns Configure remote id with FQDN
ipv4 Configure remote id with IPv4 address
keyid Configure remote id with keyidКонфигурация local id и remote id доступна с версии ПО 1.23.3.

Пример конфигурации ESR:

ESR# show running-config
hostname ESR

interface gigabitethernet 1/0/1
description "to WAN"
ip firewall disable
ip address 198.51.100.2/30
exit
interface gigabitethernet 1/0/2
description "LAN1"
ip firewall disable
ip address 192.0.2.1/26
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes128
dh-group 2
exit

security ike policy ike_policy
pre-shared-key ascii-text password
proposal ike_proposal
exit

security ike gateway ike_gateway
version v2-only
ike-policy ike_policy
local address 198.51.100.2
local network 192.0.2.0/26
local id ipv4 "203.0.113.2"
remote address 203.0.113.6
remote network 192.0.2.128/26
mode policy-based
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes128
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_vpn
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit

security passwords history 0

ip route 203.0.113.6/32 198.51.100.1

Пример конфигурации Cisco:

Router#show running-config
...

...
crypto ikev2 proposal ike_proposal
encryption aes-cbc-128
integrity sha256
group 2
!
crypto ikev2 policy ike_policy
match address local 198.51.100.6
proposal ike_proposal
!
crypto ikev2 keyring ike_psk
peer peer_1
address 203.0.113.2
pre-shared-key password
!
!
!
crypto ikev2 profile ike_profile
match identity remote address 203.0.113.2 255.255.255.255
identity local address 203.0.113.6
authentication remote pre-share
authentication local pre-share
keyring local ike_psk
!
!
crypto ipsec transform-set ipsec_transform-set esp-aes esp-sha256-hmac
mode tunnel
!
!
crypto map ipsec_map 1 ipsec-isakmp
set peer 203.0.113.2
set transform-set ipsec_transform-set
set ikev2-profile ike_profile
match address site-to-site
!
!
interface GigabitEthernet1
ip address 198.51.100.6 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
crypto map ipsec_map
!
interface GigabitEthernet2
ip address 192.0.2.129 255.255.255.192
negotiation auto
no mop enabled
no mop sysid
!
!
ip route static install-routes-recurse-via-nexthop
ip route 192.0.2.0 255.255.255.192 203.0.113.2
ip route 203.0.113.0 255.255.255.0 198.51.100.5
!
ip access-list extended site-to-site
10 permit ip 192.0.2.128 0.0.0.63 192.0.2.0 0.0.0.63

2. Построение и вывод оперативной информации IPsec-туннеля

Инициируем построении IPsec-туннеля со стороны Cisco с помощью передачи транзитного трафика, попадающего под access-list site-to-site:

Router#show crypto map
Crypto Map IPv4 "ipsec_map" 1 ipsec-isakmp
Peer = 203.0.113.2
IKEv2 Profile: ike_profile
Extended IP access list site-to-site
access-list site-to-site permit ip 192.0.2.128 0.0.0.63 192.0.2.0 0.0.0.63
Current peer: 203.0.113.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
ipsec_transform-set: { esp-aes esp-sha256-hmac } ,
}
Interfaces using crypto map ipsec_map:
GigabitEthernet1

Router#ping 192.0.2.1 source 192.0.2.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.129
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms

Вывод оперативной информации о состоянии IPsec-туннеля со стороны Cisco:

Router#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 198.51.100.6/4500 203.0.113.2/4500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/49 sec

IPv6 Crypto IKEv2 SA

Router#show crypto ipsec sa

interface: GigabitEthernet1
Crypto map tag: ipsec_map, local addr 198.51.100.6

protected vrf: (none)
local ident (addr/mask/prot/port): (192.0.2.128/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.192/0/0)
current_peer 203.0.113.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 198.51.100.6, remote crypto endpt.: 203.0.113.2
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xC0445324(3225703204)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xFF07196B(4278655339)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2056, flow_id: CSR:56, sibling_flags FFFFFFFF80000048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607998/3526)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC0445324(3225703204)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2055, flow_id: CSR:55, sibling_flags FFFFFFFF80000048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607999/3526)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Вывод информации о построенном IPsec-туннеле со стороны ESR, а также проверим прохождение транзитного трафика, попадающего под политику security ike gateway ike_gateway:

ESR# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
Name: ipsec_vpn
State: Established
Version: v2-only
Unique ID: 1
Local host: 198.51.100.2
Remote host: 203.0.113.6
Role: Responder
Initiator spi: 0x2bc3c69c6aa4dfce
Responder spi: 0x55e653e146af06e9
Encryption algorithm: aes128
Authentication algorithm: sha2-256
Diffie-Hellman group: 2
Established: 2 minutes and 37 seconds ago
Rekey time: 2 minutes and 37 seconds
Reauthentication time: 2 hours, 40 minutes and 1 second
Child IPsec SAs:
Name: ipsec_vpn-2
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes128
Authentication algorithm: sha2-256
Rekey time: 45 minutes and 2 seconds
Life time: 57 minutes and 23 seconds
Established: 2 minutes and 37 seconds ago
Traffic statistics:
Input bytes: 900
Output bytes: 900
Input packets: 9
Output packets: 9
-------------------------------------------------------------

ESR# show security ipsec vpn authentication ipsec_vpn
Local host Remote host Local subnet Remote subnet Authentication State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
198.51.100.2 203.0.113.6 192.0.2.0/26 192.0.2.128/26 Pre-shared key Established

ESR# ping 192.0.2.129 source ip 192.0.2.1
PING 192.0.2.129 (192.0.2.129) from 192.0.2.1 : 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 2.295/2.477/2.938/0.242 ms

Дерево страниц

Пример настройки IPsec VPN (site-to-site) между ESR and Cisco за NAT