Пример настройки Site-to-Site Policy IPsec между ESR и Mikrotik

Схема:

Задача: Настроить Site-to-Site Policy IPsec между ESR и Mikrotik согласно схеме для взаимодействия подсетей 192.0.2.0/25 и 192.0.2.128/25. Mikrotik будет выступать в качестве инициатора построения IPsec(initiator)-соединения, ESR будет выступать в качестве ответчика (responder) IPsec-соединения. Firewall выключен.

Используемые алгоритмы для IKE SA:
1) IKE version: 2
2) Authentication algorithm: sha2-256
3) Encryption algorithm: aes256cbc
4) DH-group 19

Используемые алгоритмы для IPsec SA:
1) Authentication algorithm: sha2-256
2) Encryption algorithm: aes256cbc
3) pfs dh-group 19
4) Protocol: ESP

1. Конфигурации устройств:

Поскольку ESR выступает в качестве responder, то в качестве режима построения IPsec-туннеля будем использовать ike establish-tunnel by-request

Конфигурация ESR согласно схеме без Firewall:

esr# show running-config

interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 192.0.2.129/25
exit

security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit

security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit

security ike gateway ike_gateway
version v2-only
ike-policy ike_policy
local address 203.0.113.2
local network 192.0.2.128/25
remote address 203.0.113.6
remote network 192.0.2.0/25
mode policy-based
mobike disable
exit

security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit

security ipsec policy ipsec_policy
proposal ipsec_proposal
exit

security ipsec vpn ipsec_vpn
ike establish-tunnel by-request
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit

ip route 192.168.32.0/20 203.0.113.1

Конфигурация IPsec на Mikrotik согласно схеме:

В WEB:

Конфигурация Mikrotik в CLI

[admin@MikroTik] > ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY         DISTANCE
0  As 203.0.113.0/30   203.0.113.5            1
  DAc 192.0.2.0/25     loopback0              0
  DAc 203.0.113.4/30   ether1                 0


   
[admin@MikroTik] > ip ipsec profile print
Flags: * - default 
 0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp256 lifetime=1d proposal-check=obey nat-traversal=yes 
     dpd-interval=2m dpd-maximum-failures=5 



[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled; * - default 
 0  * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=ecp256 



[admin@MikroTik] > ip ipsec peer print 
Flags: X - disabled; D - dynamic; R - responder 
 0     name="ike2" address=203.0.113.2/32 local-address=203.0.113.6 profile=default exchange-mode=ike2 send-initial-contact=yes



[admin@MikroTik] > ip ipsec policy print
Flags: T - TEMPLATE; A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
#     PEER  TUNNEL  SRC-ADDRESS   DST-ADDRESS     PROTOCOL  ACTION   LEVEL   PH2-COUNT
0 T *               ::/0          ::/0            all                                 
1  A  ike2  yes     192.0.2.0/25  192.0.2.128/25  all       encrypt  unique          1

Если в схеме Site-to-Site планируется шифровать более 1-ой пары подсетей, то со стороны Mikrotik необходимо в конфигурации Policy для Level указать unique:

2. Оперативный вывод команд статуса IPsec-туннеля, а также проверка IP-связанности между локальными подсетями.
Оперативный вывод команд со стороны ESR:

esr# show security ipsec vpn authentication ipsec_vpn
Local host Remote host Local subnet Remote subnet Authentication State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
203.0.113.2 203.0.113.6 192.0.2.128/25 192.0.2.0/25 Pre-shared key Established
esr# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
Name: ipsec_vpn
State: Established
Version: v2-only
Unique ID: 1
Local host: 203.0.113.2
Remote host: 203.0.113.6
Role: Responder
Initiator spi: 0xe9770a3c07d8beaa
Responder spi: 0xf4ad5924ac8e6136
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established: 17 minutes and 14 seconds ago
Rekey time: 17 minutes and 14 seconds
Reauthentication time: 2 hours, 27 minutes and 12 seconds
Child IPsec SAs:
Name: ipsec_vpn-1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time: 25 minutes and 2 seconds
Life time: 42 minutes and 46 seconds
Established: 17 minutes and 14 seconds ago
Traffic statistics:
Input bytes: 868
Output bytes: 868
Input packets: 12
Output packets: 12
-------------------------------------------------------------
esr#
esr# ping 192.0.2.1 source ip 192.0.2.129
PING 192.0.2.1 (192.0.2.1) from 192.0.2.129 : 56 bytes of data.
!!!!!
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.104/1.239/1.516/0.152 ms

Оперативный вывод команд со стороны Mikrotik:

[admin@MikroTik] > ip ipsec installed-sa print
Flags: S - SEEN-TRAFFIC; H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
# SPI STATE SRC-ADDRESS DST-ADDRESS AUTH-ALGORITHM ENC-ALGORITHM ENC-KEY-SIZE
0 SHE 0x46DCFE6 mature 203.0.113.2 203.0.113.6 sha256 aes-cbc 256
1 SHE 0xCBB3CAE5 mature 203.0.113.6 203.0.113.2 sha256 aes-cbc 256
[admin@MikroTik] >
[admin@MikroTik] > ping 192.0.2.129 src-address=192.0.2.1
SEQ HOST SIZE TTL TIME STATUS
0 192.0.2.129 56 64 1ms733us
1 192.0.2.129 56 64 1ms418us
2 192.0.2.129 56 64 1ms684us
3 192.0.2.129 56 64 1ms390us
4 192.0.2.129 56 64 1ms691us
sent=5 received=5 packet-loss=0% min-rtt=1ms390us avg-rtt=1ms583us max-rtt=1ms733us

Дерево страниц

Пример настройки Site-to-Site Policy IPsec между ESR и Mikrotik