Diagram:

Task: build a route-based IPsec VPN tunnel between an ESR and a Cisco ASA so that the local subnets 192.0.2.128/25 and 198.51.100.128/25 can reach each other over static routing. Firewall configuration is not covered.

IKE parameters:
  - IKE version: v2;
  - encryption algorithm: aes256;
  - authentication algorithm: sha2-512;
  - Diffie-Hellman group: 21.

IPsec parameters:
  - encryption algorithm: aes256;
  - authentication algorithm: sha2-512;
  - PFS Diffie-Hellman group: 21.


ESR configuration example:

ESR# show running-config 
hostname ESR

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 192.0.2.129/25
exit

tunnel vti 1
  ip firewall disable
  local address 203.0.113.2
  remote address 203.0.113.6
  ip address 192.0.2.1/30
  enable
exit

security ike proposal IKE_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 21
exit

security ike policy IKE_policy
  lifetime seconds 86400
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_proposal
exit

security ike gateway IKE_gateway
  version v2-only
  ike-policy IKE_policy
  mode route-based
  mobike disable
  bind-interface vti 1
exit

security ipsec proposal IPsec_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
  pfs dh-group 21
exit

security ipsec policy IPsec_policy
  proposal IPsec_proposal
exit

security ipsec vpn IPsec_vpn
  ike establish-tunnel route
  ike gateway IKE_gateway
  ike ipsec-policy IPsec_policy
  enable
exit

ip route 198.51.100.128/25 tunnel vti 1
ip route 203.0.113.4/30 203.0.113.1

Cisco ASA configuration example:

ciscoasa# show running-config
!
interface GigabitEthernet0/1
 nameif UNTRUSTED
 security-level 0
 ip address 203.0.113.6 255.255.255.252
!
interface GigabitEthernet0/2
 nameif TRUSTED
 security-level 100
 ip address 198.51.100.129 255.255.255.128
!
interface Tunnel1
 nameif VTI
 ip address 192.0.2.2 255.255.255.252
 tunnel source interface UNTRUSTED
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPsec_profile
route UNTRUSTED 203.0.113.0 255.255.255.252 203.0.113.5 1
route VTI 192.0.2.128 255.255.255.128 192.0.2.1 1
!
crypto ipsec ikev2 ipsec-proposal IPsec_proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
crypto ipsec profile IPsec_profile
 set ikev2 ipsec-proposal IPsec_proposal
 set pfs group21
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
!
crypto ikev2 enable UNTRUSTED
!
management-access TRUSTED
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
...
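The two devices spell the same algorithms differently (aes256 vs aes-256, sha2-512 vs sha512/sha-512, dh-group 21 vs group 21/group21), and a mismatch in any IKE or IPsec proposal parameter is the usual reason the IKEv2 negotiation never reaches Established. The script below, added here as an example and not Eltex or Cisco tooling, pulls the proposal blocks out of the two configurations shown on this page, normalises the vendor spellings to one canonical form and reports every parameter on which the sides disagree. The normalisation table and the checker are my own assumptions; the ASA `prf sha512` line has no counterpart in the ESR output on this page, so it is deliberately not compared.

```python
"""Cross-check IKE/IPsec proposals of an Eltex ESR against a Cisco ASA.

Added example: the two configuration fragments are copied from the page,
the normalisation and comparison logic is an assumption of this example.
"""
import re

ESR_CONFIG = """\
security ike proposal IKE_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 21
exit
security ipsec proposal IPsec_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
  pfs dh-group 21
exit
"""

ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal IPsec_proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec profile IPsec_profile
 set ikev2 ipsec-proposal IPsec_proposal
 set pfs group21
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
"""


def canon(tok):
    """Map vendor spellings onto one token: aes-256 -> aes256,
    sha2-512 / sha-512 / sha512 -> sha512, 21 / group21 -> dh21."""
    t = tok.lower().replace("-", "")
    if t.startswith("group"):          # ASA: set pfs group21
        t = t[5:]
    if t.isdigit():                    # bare DH group number
        return "dh" + t
    if t.startswith("sha2"):           # ESR: sha2-512 -> sha512
        t = "sha" + t[4:]
    return t


def parse_esr(text):
    """Return {'ike': {enc, integ, dh}, 'ipsec': {...}} from ESR proposal blocks."""
    out, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"security (ike|ipsec) proposal", s)
        if m:
            cur = out.setdefault(m.group(1), {})
        elif s == "exit":
            cur = None
        elif cur is not None:
            if s.startswith("encryption algorithm "):
                cur["enc"] = canon(s.split()[-1])
            elif s.startswith("authentication algorithm "):
                cur["integ"] = canon(s.split()[-1])
            elif s.startswith("dh-group ") or s.startswith("pfs dh-group "):
                cur["dh"] = canon(s.split()[-1])
    return out


def parse_asa(text):
    """Same shape as parse_esr, from the ASA ikev2 policy / ipsec-proposal / profile."""
    out, cur = {"ike": {}, "ipsec": {}}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("crypto ikev2 policy"):
            cur = out["ike"]
        elif s.startswith(("crypto ipsec ikev2 ipsec-proposal", "crypto ipsec profile")):
            cur = out["ipsec"]
        elif s.startswith("crypto "):
            cur = None
        elif cur is not None:
            if s.startswith(("encryption ", "protocol esp encryption ")):
                cur["enc"] = canon(s.split()[-1])
            elif s.startswith(("integrity ", "protocol esp integrity ")):
                cur["integ"] = canon(s.split()[-1])
            elif s.startswith(("group ", "set pfs ")):
                cur["dh"] = canon(s.split()[-1])
    return out


def compare(esr, asa):
    """List of 'phase/parameter: ESR=x ASA=y' mismatches; empty means the proposals agree."""
    problems = []
    for phase in ("ike", "ipsec"):
        for key in ("enc", "integ", "dh"):
            a = esr.get(phase, {}).get(key)
            b = asa.get(phase, {}).get(key)
            if a != b:
                problems.append(f"{phase}/{key}: ESR={a} ASA={b}")
    return problems


def check_page_configs():
    """Compare the two configurations shown on this page."""
    return compare(parse_esr(ESR_CONFIG), parse_asa(ASA_CONFIG))


if __name__ == "__main__":
    print(check_page_configs() or "proposals match on both sides")
```

Run it before bringing the tunnel up, or after any change to either side; a non-empty list names the exact phase and parameter to fix, which is faster than reading IKE debug output on both boxes.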


Operational information on the IPsec tunnel from the ESR side:

ESR# show security ipsec vpn status IPsec_vpn 
Currently active IKE SA:
    Name:                            IPsec_vpn
    State:                           Established
    Version:                         v2-only
    Unique ID:                       4
    Local host:                      203.0.113.2
    Remote host:                     203.0.113.6
    Role:                            Responder
    Initiator spi:                   0x6a98389950285a85
    Responder spi:                   0x2bd00d2deb6b35ff
    Encryption algorithm:            aes256
    Authentication algorithm:        sha2-512
    Diffie-Hellman group:            21
    Established (d,h:m:s):           00,01:12:08 ago
    Rekey time (d,h:m:s):            00,00:00:00
    Reauthentication time (d,h:m:s): 00,22:37:40
    Child IPsec SAs:
        Name:                            IPsec_vpn-37
        State:                           Installed
        Protocol:                        esp
        Mode:                            Tunnel
        Encryption algorithm:            aes256
        Authentication algorithm:        sha2-512
        Rekey time (d,h:m:s):            00,00:19:41
        Life time (d,h:m:s):             00,00:31:26
        Established (d,h:m:s):           00,00:28:34 ago
        Traffic statistics: 
            Input bytes:                 124740
            Output bytes:                124740
            Input packets:               1485
            Output packets:              1485
        -------------------------------------------------------------

ESR#  ping 198.51.100.129 source ip 192.0.2.129
PING 198.51.100.129 (198.51.100.129) from 192.0.2.129 : 56 bytes of data.
!!!!!
--- 198.51.100.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 1.820/2.171/2.424/0.226 ms
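The status output above is what an operator checks by eye; the parser below, added here as an example and not part of the ESR software, turns the same text into a health check that can run from a monitoring job. It reads the IKE SA and child SA fields by their indentation, verifies that the IKE SA is Established with the version, algorithms and DH group the task specifies, that at least one child SA is Installed with matching ESP algorithms, and that the child SA is carrying traffic in both directions. The sample text is an abridged copy of the page's output; the field-by-indent parsing and the choice of checks are my own assumptions.

```python
"""Health-check for ESR 'show security ipsec vpn status' output.

Added example, not Eltex tooling. SAMPLE is an abridged copy of the
output shown on the page; EXPECTED is what the task statement demands.
"""

SAMPLE = """\
Currently active IKE SA:
    Name:                            IPsec_vpn
    State:                           Established
    Version:                         v2-only
    Local host:                      203.0.113.2
    Remote host:                     203.0.113.6
    Encryption algorithm:            aes256
    Authentication algorithm:        sha2-512
    Diffie-Hellman group:            21
    Child IPsec SAs:
        Name:                            IPsec_vpn-37
        State:                           Installed
        Protocol:                        esp
        Encryption algorithm:            aes256
        Authentication algorithm:        sha2-512
        Traffic statistics:
            Input bytes:                 124740
            Output bytes:                124740
"""

EXPECTED = {
    "Version": "v2-only",
    "Encryption algorithm": "aes256",
    "Authentication algorithm": "sha2-512",
    "Diffie-Hellman group": "21",
}


def parse_status(text):
    """Return (ike_fields, [child_sa_fields, ...]) keyed by the field labels.

    Indent 4 = IKE SA, indent 8 = a child SA (a new 'Name' starts a new one),
    indent 12 = the child's traffic counters.
    """
    ike, children = {}, []
    for line in text.splitlines():
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if indent == 4:
            ike[key] = val
        elif indent == 8:
            if key == "Name":
                children.append({})
            if children:
                children[-1][key] = val
        elif indent == 12 and children:
            children[-1][key] = val
    return ike, children


def findings(text, expected=EXPECTED):
    """List of problems with the tunnel; an empty list means it is up as specified."""
    ike, children = parse_status(text)
    out = []
    if ike.get("State") != "Established":
        out.append(f"IKE SA state is {ike.get('State')!r}, not Established")
    for key, want in expected.items():
        if ike.get(key) != want:
            out.append(f"IKE {key}: got {ike.get(key)!r}, want {want!r}")
    installed = [c for c in children if c.get("State") == "Installed"]
    if not installed:
        out.append("no child IPsec SA in Installed state")
    for c in installed:
        for key in ("Encryption algorithm", "Authentication algorithm"):
            if c.get(key) != expected[key]:
                out.append(f"child {c.get('Name')} {key}: {c.get(key)!r}")
        # A child SA that only sends or only receives usually means a routing
        # or selector problem on one side, even though the SA itself is up.
        if int(c.get("Input bytes", "0")) == 0 or int(c.get("Output bytes", "0")) == 0:
            out.append(f"child {c.get('Name')} carries no traffic in one direction")
    return out


if __name__ == "__main__":
    print(findings(SAMPLE) or "tunnel healthy")
```

Feed it the live command output instead of SAMPLE; the checks are deliberately stricter than "State: Established", because an SA can be up while negotiated with weaker parameters than intended or while traffic flows in only one direction.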

Operational information on the IPsec tunnel from the Cisco ASA side:

ciscoasa# show crypto ikev2 sa

IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
226340325  203.0.113.6/500                                       203.0.113.2/500                                         READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4382 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x513a073a/0xce79370a 

ciscoasa# show crypto ipsec sa
interface: vti
    Crypto map tag: __vti-crypto-map-Tunnel1-0-1, seq num: 65280, local addr:  203.0.113.6

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.2


      #pkts encaps: 4066, #pkts encrypt: 4066, #pkts digest: 4066
      #pkts decaps: 4096, #pkts decrypt: 4096, #pkts verify: 4096
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4066, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:  203.0.113.6/500, remote crypto endpt.: 203.0.113.2/500
      path mtu 1500, ipsec overhead 94(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CE79370A
      current inbound spi : 513A073A
              
    inbound esp sas:
      spi: 0x513A073A (1362757434)
         SA State: active
         transform: esp-aes-256 esp-sha-512-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 103, crypto-map: __vti-crypto-map-Tunnel1-0-1
         sa timing: remaining key lifetime (kB/sec): (3916678/27023)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCE79370A (3464050442)
         SA State: active
         transform: esp-aes-256 esp-sha-512-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 103, crypto-map: __vti-crypto-map-Tunnel1-0-1
         sa timing: remaining key lifetime (kB/sec): (4331398/27023)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

ciscoasa# ping 192.0.2.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms