Схема:
Задача
Настроить DMVPN с аутентификацией IPsec-соединения по сертификатом согласно схеме. Firewall отключен.
Используемые алгоритмы для IKE SA:
1) IKE version: 1
2) Authentication algorithm: sha2-256
3) Encryption algorithm: aes256cbc
4) DH-group 19
Используемые алгоритмы для IPse SA:
1) Authentication algorithm: sha2-256
2) Encryption algorithm: aes256cbc
3) pfs dh-group 19
4) Protocol: ESP
1. Загрузка сертификатов на маршрутизатора ESR
Для настройки аутентификации IPsec по сертификатам, предварительно необходимо загрузить сертификаты на ESR. Пример загрузки сертификатов для SPOKE-1 через TFTP-сервер:
SPOKE-1# copy tftp://198.51.100.1:/cert_for_dmvpn/dmvpn_ca.crt crypto:cert/dmvpn_ca.crt|******************************************| 100% (2390B) Crypto file loaded successfully!
SPOKE-1# copy tftp://198.51.100.1:/cert_for_dmvpn/spoke1.crt crypto:cert/spoke1.crt|******************************************| 100% (2057B) Crypto file loaded successfully!
SPOKE-1# copy tftp://198.51.100.1:/cert_for_dmvpn/spoke1.key crypto:private-key/spoke1.key|******************************************| 100% (1704B) Crypto file loaded successfully!
Проверка наличия загруженных сертификатов:
SPOKE-1# dir crypto:cert/Name Type Size Last modified ---------------------------------------------------------- ---------- -------- -- ------------------------- dmvpn_ca.crt File 2.33 KB Thu Aug 6 13:32:09 2020 spoke1.crt File 2.01 KB Thu Aug 6 13:32:20 2020
SPOKE-1# dir crypto:private-key/Name Type Size Last modified ---------------------------------------------------------- ---------- -------- -- ------------------------- spoke1.key File 1.66 KB Thu Aug 6 13:32:22 2020
Для HUB и SPOKE-2 сертификаты загружаются аналогичным образом.
Пример генерации сертификатов содержится в статье https://docs.eltex-co.ru/pages/viewpage.action?pageId=368082978
2. Корректировка времени на маршрутизаторе ESR
При использовании сертификатов важно иметь корректноe время на маршрутизаторе ESR, поскольку сертификаты выписываются на определенный момент времени.
Проверить текущее вермя маршрутизатора есть возможнос с помощью команды:
SPOKE-1# show date "Wednesday 09:51:20 UTC August 07 2024"
Для корректировки времени на мрашрутизаторе ESR есть возможность:
1) Синхронизировать маршрутизатор ESR с внешним NTP-сервером. Более подробная настройка NTP содержится в Руководстве по эксплуатации. Пример минимальной конфигурации:
SPOKE-1# configureSPOKE-1(config)# ntp server 198.51.100.2SPOKE-1(config-ntp-server)# exit SPOKE-1(config)# ntp enable
2) Указать время в CLI с помощью команды:
SPOKE-1# set date 10:04:00 7 august 20242024-08-07T10:03:21+00:00 %TIME-I-INFO: System time was changed by user adminWed Aug 7 10:04:00 UTC 2024
3. Конфигурации маршрутизаторов
Поэтапная конфигурация DMVPN содержится в Руководстве по эксплуатации (пункт Настройка DMVPN). В текущей статье будут приведены примеры конфигурации DMVPN с аутентификацией IPsec-соединения по сертификатам.
1) Этап аутентификации IPsec-содениния по сертификатам настраивается в security ike policy <NAME>ESR# configure ESR(config)# security ike policy ike_policy ESR(config-ike-policy)# crypto ? ca Configure Certification authority certificate crl Configure certificate revocation list local-crt Configure local certificate local-crt-key Configure local certificate key remote-crt Configure remote certificate2) В конфигурации security ike gateway <NAME> необходимо указать remote id any для удачной аутентификации IPsec-соединений с разными сертификатами:
ESR# configure ESR(config)# security ike gateway ike_gatewayESR(config-ike-gw)# remote id any
Пример конфигурации HUB:
HUB# show running-config hostname HUBinterface gigabitethernet 1/0/2 ip firewall disable ip address 203.0.113.2/30exit
tunnel gre 1 ttl 255 mtu 1400 multipoint ip firewall disable local address 203.0.113.2 ip address 192.0.2.1/24 ip tcp adjust-mss 1340 ip nhrp ipsec ipsec_dynamic dynamic ip nhrp multicast dynamic ip nhrp enable enableexit
security ike proposal ike_proposal authentication algorithm sha2-256 encryption algorithm aes256 dh-group 19exit
security ike policy ike_policy crypto ca dmvpn_ca.crt crypto local-crt hub.crt crypto local-crt-key hub.key authentication method public-key proposal ike_proposalexit
security ike gateway ike_gateway ike-policy ike_policy local address 203.0.113.2 local network 203.0.113.2/32 protocol gre remote id any remote address any remote network any protocol gre mode policy-based mobike disableexit
security ipsec proposal ipsec_proposal authentication algorithm sha2-256 encryption algorithm aes256 pfs dh-group 19exit
security ipsec policy ipsec_policy proposal ipsec_proposalexit
security ipsec vpn ipsec_dynamic type transport ike establish-tunnel route ike gateway ike_gateway ike ipsec-policy ipsec_policy enableexit
ip route 0.0.0.0/0 203.0.113.1
Пример конфигурации SPOKE-1:
SPOKE-1# show running-config hostname SPOKE-1interface gigabitethernet 1/0/2 ip firewall disable ip address 203.0.113.6/30exit
tunnel gre 1 ttl 255 mtu 1400 multipoint ip firewall disable local address 203.0.113.6 ip address 192.0.2.2/24 ip tcp adjust-mss 1340 ip nhrp holding-time 360 ip nhrp map 192.0.2.1 203.0.113.2 ip nhrp nhs 192.0.2.1/24 ip nhrp ipsec ipsec_static static ip nhrp ipsec ipsec_dynamic dynamic ip nhrp multicast nhs ip nhrp enable enableexit
security ike proposal ike_proposal authentication algorithm sha2-256 encryption algorithm aes256 dh-group 19exit
security ike policy ike_policy crypto ca dmvpn_ca.crt crypto local-crt spoke1.crt crypto local-crt-key spoke1.key authentication method public-key proposal ike_proposalexit
security ike gateway ike_gateway_to_hub ike-policy ike_policy local address 203.0.113.6 local network 203.0.113.6/32 protocol gre remote id any remote address 203.0.113.2 remote network 203.0.113.2/32 protocol gre mode policy-based mobike disableexitsecurity ike gateway ike_gateway_to_spokes ike-policy ike_policy local address 203.0.113.6 local network 203.0.113.6/32 protocol gre remote id any remote address any remote network any protocol gre mode policy-based mobike disableexit
security ipsec proposal ipsec_proposal authentication algorithm sha2-256 encryption algorithm aes256 pfs dh-group 19exit
security ipsec policy ipsec_policy proposal ipsec_proposalexit
security ipsec vpn ipsec_static type transport ike establish-tunnel route ike gateway ike_gateway_to_hub ike ipsec-policy ipsec_policy enableexitsecurity ipsec vpn ipsec_dynamic type transport ike establish-tunnel route ike gateway ike_gateway_to_spokes ike ipsec-policy ipsec_policy enableexit
ip route 0.0.0.0/0 203.0.113.5
Пример конфигурации SPOKE-2:
SPOKE-2# show running-config hostname SPOKE-2interface gigabitethernet 1/0/2 ip firewall disable ip address 203.0.113.10/30exit
tunnel gre 1 ttl 255 mtu 1400 multipoint ip firewall disable local address 203.0.113.10 ip address 192.0.2.3/24 ip tcp adjust-mss 1340 ip nhrp holding-time 360 ip nhrp map 192.0.2.1 203.0.113.2 ip nhrp nhs 192.0.2.1/24 ip nhrp ipsec ipsec_static static ip nhrp ipsec ipsec_dynamic dynamic ip nhrp multicast nhs ip nhrp enable enableexit
security ike proposal ike_proposal authentication algorithm sha2-256 encryption algorithm aes256 dh-group 19exit
security ike policy ike_policy crypto ca dmvpn_ca.crt crypto local-crt spoke2.crt crypto local-crt-key spoke2.key authentication method public-key proposal ike_proposalexit
security ike gateway ike_gateway_to_hub ike-policy ike_policy local address 203.0.113.10 local network 203.0.113.10/32 protocol gre remote id any remote address 203.0.113.2 remote network 203.0.113.2/32 protocol gre mode policy-based mobike disableexitsecurity ike gateway ike_gateway_to_spokes ike-policy ike_policy local address 203.0.113.10 local network 203.0.113.10/32 protocol gre remote id any remote address any remote network any protocol gre mode policy-based mobike disableexit
security ipsec proposal ipsec_proposal authentication algorithm sha2-256 encryption algorithm aes256 pfs dh-group 19exit
security ipsec policy ipsec_policy proposal ipsec_proposalexit
security ipsec vpn ipsec_static type transport ike establish-tunnel route ike gateway ike_gateway_to_hub ike ipsec-policy ipsec_policy enableexitsecurity ipsec vpn ipsec_dynamic type transport ike establish-tunnel route ike gateway ike_gateway_to_spokes ike ipsec-policy ipsec_policy enableexit
ip route 0.0.0.0/0 203.0.113.9
4. Вывод оперативной информации
После настройки маршрутизаторо на HUB будет построен IPsec-туннель с каждым SPOKE, а также зарегистрированы 2 SPOKE:
HUB# show security ipsec vpn status Name Local host Remote host Initiator spi Responder spi State ------------------------------- --------------- --------------- ------------------ ------------------ ----------- ipsec_dynamic 203.0.113.2 203.0.113.6 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established ipsec_dynamic 203.0.113.2 203.0.113.10 0x27d8fc668ec48e0c 0xa20820c65062d027 Established HUB# show ip nhrp peers Flags: E - unique, R - nhs, U - used, L - lower-up C - connected, G - group, Q - qos, N - nat P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags -------------------- ---------------- --------- --------- -------------- --------------- ---------- 192.0.2.2 203.0.113.6 gre 1 00:04:35 0,00:21:35 dynamic LC 192.0.2.3 203.0.113.10 gre 1 00:05:18 0,00:20:51 dynamic LC
SPOKE-1# show running-config
hostname SPOKE-1
interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.6/30
exit
tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address 192.0.2.2/24
ip tcp adjust-mss 1340
ip nhrp holding-time 360
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp nhs 192.0.2.1/24
ip nhrp ipsec ipsec_static static
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike policy ike_policy
crypto ca dmvpn_ca.crt
crypto local-crt spoke1.crt
crypto local-crt-key spoke1.key
authentication method public-key
proposal ike_proposal
exit
security ike gateway ike_gateway_to_hub
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote id any
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
mobike disable
exit
security ike gateway ike_gateway_to_spokes
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote id any
remote address any
remote network any protocol gre
mode policy-based
mobike disable
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_static
type transport
ike establish-tunnel route
ike gateway ike_gateway_to_hub
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway_to_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.5
SPOKE-1# show security ipsec vpn status Name Local host Remote host Initiator spi Responder spi State ------------------------------- --------------- --------------- ------------------ ------------------ ----------- ipsec_static 203.0.113.6 203.0.113.2 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established SPOKE-1# show ip nhrp peers Flags: E - unique, R - nhs, U - used, L - lower-up C - connected, G - group, Q - qos, N - nat P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags -------------------- ---------------- --------- --------- -------------- --------------- ---------- 192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
SPOKE-2# show security ipsec vpn status Name Local host Remote host Initiator spi Responder spi State ------------------------------- --------------- --------------- ------------------ ------------------ ----------- ipsec_static 203.0.113.10 203.0.113.2 0x27d8fc668ec48e0c 0xa20820c65062d027 Established SPOKE-2# show ip nhrp peers Flags: E - unique, R - nhs, U - used, L - lower-up C - connected, G - group, Q - qos, N - nat P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags -------------------- ---------------- --------- --------- -------------- --------------- ---------- 192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
Для построения динамического туннеля между SPOKE необходимо пустить трафик от одного SPOKE к другому SPOKE. Например, пустим ping со стороны SPOKE-1 в сторону SPOKE-2, в результате чего отработает 2-ая фаза NHRP:
SPOKE-1# ping 192.0.2.3PING 192.0.2.3 (192.0.2.3) 56 bytes of data.!!!!--- 192.0.2.3 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 1.240/1.884/3.625/1.008 ms
SPOKE-1# show security ipsec vpn status Name Local host Remote host Initiator spi Responder spi State ------------------------------- --------------- --------------- ------------------ ------------------ ----------- ipsec_static 203.0.113.6 203.0.113.2 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established ipsec_dynamic 203.0.113.6 203.0.113.10 0xe843aadb9e1b7620 0x6006d4df45af828d Established
SPOKE-1# show ip nhrp peers Flags: E - unique, R - nhs, U - used, L - lower-up C - connected, G - group, Q - qos, N - nat P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags -------------------- ---------------- --------- --------- -------------- --------------- ---------- 192.0.2.1 203.0.113.2 gre 1 -- -- static RLC 192.0.2.3 203.0.113.10 gre 1 00:05:38 0,00:00:21 cached ULC
SPOKE-2# show security ipsec vpn status Name Local host Remote host Initiator spi Responder spi State ------------------------------- --------------- --------------- ------------------ ------------------ ----------- ipsec_static 203.0.113.10 203.0.113.2 0x27d8fc668ec48e0c 0xa20820c65062d027 Established ipsec_dynamic 203.0.113.10 203.0.113.6 0xe843aadb9e1b7620 0x6006d4df45af828d Established
SPOKE-2# show ip nhrp peers Flags: E - unique, R - nhs, U - used, L - lower-up C - connected, G - group, Q - qos, N - nat P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags -------------------- ---------------- --------- --------- -------------- --------------- ---------- 192.0.2.1 203.0.113.2 gre 1 -- -- static RLC 192.0.2.2 203.0.113.6 gre 1 00:04:14 0,00:01:45 cached ULC