Topology (reconstructed from the configurations below; the original diagram is not included):
- ESR: gigabitethernet 1/0/1 = 203.0.113.2/30 (WAN, default route via 203.0.113.1); gigabitethernet 1/0/2 = 192.0.2.129/25 (LAN 192.0.2.128/25)
- Huawei: GigabitEthernet0/0/1 = 203.0.113.6/30 (WAN, default route via 203.0.113.5, IPsec policy applied here); GigabitEthernet0/0/2 = 198.51.100.129/25 (LAN 198.51.100.128/25)
Task: Configure a policy-based IPsec tunnel between an ESR and a Huawei router so that the subnets behind them, 192.0.2.128/25 (ESR) and 198.51.100.128/25 (Huawei), can reach each other. The tunnel is policy-based (mode policy-based on the ESR, an ACL-driven ISAKMP policy on the Huawei): the traffic selectors are the two subnets, and no tunnel interface or dynamic routing protocol is involved.
IKE SA parameters (as configured below and confirmed by the status output in section 2):
1) IKE version: 2 (ESR: version v2-only; Huawei: undo version 1)
2) Authentication (integrity/PRF) algorithm: sha2-512 (Huawei additionally sets integrity-algorithm hmac-sha2-512 and prf hmac-sha2-512)
3) Encryption algorithm: aes256 (AES-256-CBC)
4) DH group: 14
5) Peer authentication: pre-shared key
IPsec SA parameters:
1) Authentication algorithm: sha2-512
2) Encryption algorithm: aes256 (AES-256-CBC)
3) PFS DH group: 14
4) Protocol: ESP, tunnel mode
1. Device configurations
Configuration on the ESR side:
ESR# show running-config
hostname ESR
!
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 192.0.2.129/25
exit
!
security ike proposal ike_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 14
exit
security ike policy ike_policy
  pre-shared-key ascii-text encrypted ACB5107EA7005AFF33
  proposal ike_proposal
exit
security ike gateway ike_gateway
  version v2-only
  ike-policy ike_policy
  local address 203.0.113.2
  local network 192.0.2.128/25
  remote address 203.0.113.6
  remote network 198.51.100.128/25
  mode policy-based
exit
security ipsec proposal ipsec_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
  pfs dh-group 14
exit
security ipsec policy ipsec_policy
  proposal ipsec_proposal
exit
security ipsec vpn ipsec_vpn
  ike establish-tunnel route
  ike gateway ike_gateway
  ike ipsec-policy ipsec_policy
  enable
exit
!
ip route 0.0.0.0/0 203.0.113.1
Note on the ESR side: both interfaces carry ip firewall disable, as in the vendor's examples. In production the WAN interface should keep the firewall enabled and permit only IKE (UDP 500 and 4500) and ESP from the peer address 203.0.113.6.
Configuration on the Huawei side:
[Huawei]display current-configuration
...
#
 ipsec authentication sha2 compatible enable
#
...
#
acl number 3111
 rule 0 permit ip source 198.51.100.128 0.0.0.127 destination 192.0.2.128 0.0.0.127
#
ipsec proposal ipsec_proposal
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-512
 authentication-method pre-share
 integrity-algorithm hmac-sha2-512
 prf hmac-sha2-512
#
ike peer PEER
 undo version 1
 pre-shared-key simple Password.
 ike-proposal 1
 local-address 203.0.113.6
 remote-address 203.0.113.2
 rsa encryption-padding oaep
 rsa signature-padding pss
 ikev2 authentication sign-hash sha2-256
#
ipsec policy IPsec 1 isakmp
 security acl 3111
 pfs dh-group14
 ike-peer PEER
 proposal ipsec_proposal
#
...
#
interface GigabitEthernet0/0/1
 ip address 203.0.113.6 255.255.255.252
 ipsec policy IPsec
#
interface GigabitEthernet0/0/2
 ip address 198.51.100.129 255.255.255.128
#
...
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.5
ip route-static 198.51.100.128 255.255.255.128 203.0.113.2
#
...
Notes on the Huawei side:
- ipsec authentication sha2 compatible enable controls the ICV (truncation) length the Huawei uses with SHA-2. The SA output in section 2 shows ESP-AUTH-SHA2-512-256, the 256-bit ICV of RFC 4868, which is what the ESR uses. The ICV length is not negotiated by IKE, so when two implementations disagree on it the SAs come up on both sides and every ESP packet is then dropped on the integrity check.
- pre-shared-key simple Password. stores the key in clear text in the configuration; use pre-shared-key cipher so that it is stored encrypted, as the ESR does with its encrypted keyword.
- ip route-static 198.51.100.128 255.255.255.128 203.0.113.2 points the router's own directly connected LAN prefix at the ESR; the connected route takes precedence, so this line has no effect. Traffic to the remote subnet 192.0.2.128/25 follows the default route out GigabitEthernet0/0/1, where ipsec policy IPsec matches it against ACL 3111 and encrypts it.
2. Operational status of the IPsec tunnel and IP connectivity check between the local subnets
Operational command output from the ESR:
ESR# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
  Name:                            ipsec_vpn
  State:                           Established
  Version:                         v2-only
  Unique ID:                       1
  Local host:                      203.0.113.2
  Remote host:                     203.0.113.6
  Role:                            Responder
  Initiator spi:                   0xad69d4039ffd151d
  Responder spi:                   0xaaa25c6b9d1ce8de
  Encryption algorithm:            aes256
  Authentication algorithm:        sha2-512
  Diffie-Hellman group:            14
  Established (d,h:m:s):           00,00:02:35 ago
  Rekey time (d,h:m:s):            00,00:00:00
  Reauthentication time (d,h:m:s): 00,02:43:49
  Child IPsec SAs:
    Name:                          ipsec_vpn-2
    State:                         Installed
    Inbound spi:                   cc2f13f9
    Outbound spi:                  0015c3b6
    Protocol:                      esp
    Mode:                          Tunnel
    Encryption algorithm:          aes256
    Authentication algorithm:      sha2-512
    Rekey time (d,h:m:s):          00,00:45:22
    Life time (d,h:m:s):           00,00:57:25
    Established (d,h:m:s):         00,00:02:35 ago
    Traffic statistics:
      Input bytes:                 420
      Output bytes:                1260
      Input packets:               5
      Output packets:              15
-------------------------------------------------------------
ESR# show security ipsec vpn authentication ipsec_vpn
Local host       Remote host      Local subnet         Remote subnet        Authentication   State
---------------  ---------------  -------------------  -------------------  ---------------  -----------
203.0.113.2      203.0.113.6      192.0.2.128/25       198.51.100.128/25    Pre-shared key   Established
The child SA is what carries traffic: its inbound SPI cc2f13f9 must appear as the outbound SPI on the Huawei, and its outbound SPI 0015c3b6 as the Huawei inbound SPI (compare with the display ipsec sa output below).
ESR# ping 198.51.100.129 source ip 192.0.2.129
PING 198.51.100.129 (198.51.100.129) from 192.0.2.129 : 56 bytes of data.
!!!!!
--- 198.51.100.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4010ms
rtt min/avg/max/mdev = 1.326/1.524/1.718/0.125 ms
Operational command output from the Huawei:
[Huawei]display ipsec sa

ipsec sa information:

===============================
Interface: GigabitEthernet0/0/1
===============================

  -----------------------------
  IPSec policy name: "IPsec"
  Sequence number  : 1
  Acl group        : 3111/IPv4
  Acl rule         : 0
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 6m 11s
    Tunnel local      : 203.0.113.6/500
    Tunnel remote     : 203.0.113.2/500
    Flow source       : 198.51.100.128/255.255.255.128 0/0-65535
    Flow destination  : 192.0.2.128/255.255.255.128 0/0-65535

    [Outbound ESP SAs]
      SPI: 3425637369 (0xcc2f13f9)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-512-256
      SA remaining soft duration (kilobytes/sec): 1234944/2041
      SA remaining hard duration (kilobytes/sec): 1843200/3229
      Outpacket count          : 10
      Outpacket encap count    : 10
      Outpacket drop count     : 0
      Max sent sequence-number : 10
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 1426358 (0x15c3b6)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-512-256
      SA remaining soft duration (kilobytes/sec): 1363967/2293
      SA remaining hard duration (kilobytes/sec): 1843199/3229
      Inpacket count           : 20
      Inpacket decap count     : 20
      Inpacket drop count      : 0
      Max received sequence-number: 20
      UDP encapsulation used for NAT traversal: N
      Anti-replay              : Enable
      Anti-replay window size  : 1024
The SPIs cross-match the ESR output (Huawei outbound 0xcc2f13f9 = ESR inbound, Huawei inbound 0x15c3b6 = ESR outbound 0015c3b6), both drop counters are zero, and the flow source/destination equal the local/remote networks of the ESR gateway, so the traffic selectors agree.
[Huawei]ping -a 198.51.100.129 192.0.2.129
  PING 192.0.2.129: 56  data bytes, press CTRL_C to break
    Reply from 192.0.2.129: bytes=56 Sequence=1 ttl=64 time=3 ms
    Reply from 192.0.2.129: bytes=56 Sequence=2 ttl=64 time=2 ms
    Reply from 192.0.2.129: bytes=56 Sequence=3 ttl=64 time=2 ms
    Reply from 192.0.2.129: bytes=56 Sequence=4 ttl=64 time=2 ms
    Reply from 192.0.2.129: bytes=56 Sequence=5 ttl=64 time=1 ms

  --- 192.0.2.129 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/3 ms
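As an added check (this script is not part of the original page and is not vendor software), the following Python parses the two status outputs above and verifies what a practitioner looks for when a tunnel reports Established but traffic does not flow: that the SPIs cross-match (the ESR inbound SPI is the Huawei outbound SPI and vice versa), that both sides installed the same ESP algorithms in tunnel mode, that the Huawei ICV length is the RFC 4868 one (the point of the sha2 compatible setting), and that anti-replay is on. The embedded sample text is copied from the outputs above; the regular expressions and field names assume those exact output formats.

```python
import re

# Sample input copied from the ESR and Huawei outputs on this page (trimmed to the fields used).
ESR_STATUS = """\
Currently active IKE SA:
  Name: ipsec_vpn
  State: Established
  Version: v2-only
  Encryption algorithm: aes256
  Authentication algorithm: sha2-512
  Child IPsec SAs:
    Name: ipsec_vpn-2
    State: Installed
    Inbound spi: cc2f13f9
    Outbound spi: 0015c3b6
    Protocol: esp
    Mode: Tunnel
    Encryption algorithm: aes256
    Authentication algorithm: sha2-512
"""

HUAWEI_SA = """\
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Tunnel local      : 203.0.113.6/500
    Tunnel remote     : 203.0.113.2/500
    [Outbound ESP SAs]
      SPI: 3425637369 (0xcc2f13f9)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-512-256
    [Inbound ESP SAs]
      SPI: 1426358 (0x15c3b6)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-512-256
      Anti-replay : Enable
      Anti-replay window size: 1024
"""

# ESP ICV (truncation) lengths in bits defined by RFC 2404 (sha1) and RFC 4868 (sha2-*).
RFC_ICV_BITS = {"sha1": 96, "sha2-256": 128, "sha2-384": 192, "sha2-512": 256}


def _field(block, name):
    """Value of the first 'name : value' line in block (both vendors use that shape)."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(\S+)", block, re.M)
    if not m:
        raise ValueError(f"field {name!r} not found")
    return m.group(1)


def parse_esr_child_sa(text):
    """Child SA parameters from ESR 'show security ipsec vpn status'. SPIs are printed in hex."""
    child = text.split("Child IPsec SAs:", 1)[1]
    return {
        "inbound_spi": int(_field(child, "Inbound spi"), 16),
        "outbound_spi": int(_field(child, "Outbound spi"), 16),
        "protocol": _field(child, "Protocol").lower(),
        "mode": _field(child, "Mode").lower(),
        "enc": _field(child, "Encryption algorithm").lower(),
        "auth": _field(child, "Authentication algorithm").lower(),
    }


def parse_huawei_sa(text):
    """Per-direction SA parameters from Huawei 'display ipsec sa'. SPIs are printed in decimal."""
    sa = {"mode": _field(text, "Encapsulation mode").lower()}
    for direction in ("Outbound", "Inbound"):
        block = text.split(f"[{direction} ESP SAs]", 1)[1]
        proposal = re.search(r"Proposal:\s*(.+)", block).group(1).split()
        enc = next(p for p in proposal if p.startswith("ESP-ENCRYPT-"))
        auth = next(p for p in proposal if p.startswith("ESP-AUTH-"))
        auth_parts = auth[len("ESP-AUTH-"):].split("-")      # e.g. SHA2-512-256 -> SHA2, 512, 256
        sa[direction.lower()] = {
            "spi": int(re.search(r"SPI:\s*(\d+)", block).group(1)),
            "enc": enc[len("ESP-ENCRYPT-"):].replace("-", "").lower(),   # AES-256 -> aes256
            "auth": "-".join(auth_parts[:-1]).lower(),                    # sha2-512
            "icv_bits": int(auth_parts[-1]),                              # 256
        }
    m = re.search(r"Anti-replay\s*:\s*(\S+)", text)
    sa["anti_replay"] = bool(m) and m.group(1).lower() == "enable"
    return sa


def check_sa_pair(esr, huawei):
    """Cross-check the ESR child SA against the Huawei SA pair; returns findings (empty = consistent)."""
    findings = []
    # Each SPI is chosen by the receiving side, so ESR inbound == Huawei outbound and vice versa.
    if esr["inbound_spi"] != huawei["outbound"]["spi"]:
        findings.append(f"SPI mismatch: ESR inbound {esr['inbound_spi']:08x} vs Huawei outbound {huawei['outbound']['spi']:08x}")
    if esr["outbound_spi"] != huawei["inbound"]["spi"]:
        findings.append(f"SPI mismatch: ESR outbound {esr['outbound_spi']:08x} vs Huawei inbound {huawei['inbound']['spi']:08x}")
    if esr["protocol"] != "esp":
        findings.append(f"ESR child SA protocol is {esr['protocol']}, expected esp")
    if esr["mode"] != huawei["mode"]:
        findings.append(f"mode mismatch: ESR {esr['mode']} vs Huawei {huawei['mode']}")
    for direction in ("outbound", "inbound"):
        h = huawei[direction]
        if h["enc"] != esr["enc"]:
            findings.append(f"{direction}: encryption {h['enc']} vs ESR {esr['enc']}")
        if h["auth"] != esr["auth"]:
            findings.append(f"{direction}: integrity {h['auth']} vs ESR {esr['auth']}")
        elif RFC_ICV_BITS.get(h["auth"]) != h["icv_bits"]:
            # IKE does not negotiate the ICV length; a non-standard truncation leaves the SA
            # installed on both sides while every ESP packet fails its integrity check.
            findings.append(f"{direction}: {h['auth']} with {h['icv_bits']}-bit ICV, RFC 4868 expects "
                            f"{RFC_ICV_BITS.get(h['auth'])}; check 'ipsec authentication sha2 compatible enable'")
    if not huawei["anti_replay"]:
        findings.append("Huawei inbound SA: anti-replay disabled")
    return findings


if __name__ == "__main__":
    result = check_sa_pair(parse_esr_child_sa(ESR_STATUS), parse_huawei_sa(HUAWEI_SA))
    print("\n".join(result) if result else "SA pair consistent")
```

Feed it the real outputs of both boxes when debugging: an empty finding list with non-zero drop counters on the Huawei side then points at the ACL or routing, not at the SAs.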
