Diagram:
Task
Configure DMVPN with certificate-based authentication of the IPsec connection according to the diagram. The firewall is disabled.
Algorithms used for the IKE SA:
1) IKE version: 1
2) Authentication algorithm: sha2-256
3) Encryption algorithm: aes256cbc
4) DH group 19
Algorithms used for the IPsec SA:
1) Authentication algorithm: sha2-256
2) Encryption algorithm: aes256cbc
3) PFS DH group 19
4) Protocol: ESP
1. Loading the certificates onto the ESR routers
To configure certificate-based IPsec authentication, the certificates must first be loaded onto the ESR. Example of loading the certificates for SPOKE-1 from a TFTP server (TFTP carries the private key in cleartext, so do the transfer over an isolated management network and remove the key from the TFTP server afterwards):
SPOKE-1# copy tftp://198.51.100.1:/cert_for_dmvpn/dmvpn_ca.crt crypto:cert/dmvpn_ca.crt
|******************************************| 100% (2390B) Crypto file loaded successfully!
SPOKE-1# copy tftp://198.51.100.1:/cert_for_dmvpn/spoke1.crt crypto:cert/spoke1.crt
|******************************************| 100% (2057B) Crypto file loaded successfully!
SPOKE-1# copy tftp://198.51.100.1:/cert_for_dmvpn/spoke1.key crypto:private-key/spoke1.key
|******************************************| 100% (1704B) Crypto file loaded successfully!
Check that the certificates were loaded:
SPOKE-1# dir crypto:cert/
Name Type Size Last modified
---------------------------------------------------------- ---------- -------- -- -------------------------
dmvpn_ca.crt File 2.33 KB Thu Aug 6 13:32:09 2020
spoke1.crt File 2.01 KB Thu Aug 6 13:32:20 2020
SPOKE-1# dir crypto:private-key/
Name Type Size Last modified
---------------------------------------------------------- ---------- -------- -- -------------------------
spoke1.key File 1.66 KB Thu Aug 6 13:32:22 2020
Certificates for HUB and SPOKE-2 are loaded in the same way.
An example of certificate generation is given in the article https://docs.eltex-co.ru/x/IoDwFQ
2. Setting the correct time on the ESR router
When certificates are used, the ESR router must have the correct time, because a certificate is only valid within the validity period (notBefore/notAfter) it was issued with; with a wrong clock the peer's certificate looks not yet valid or already expired and IKE authentication fails.
The router's current time can be checked with the command:
SPOKE-1# show date
"Wednesday 09:51:20 UTC August 07 2024"
To correct the time on the ESR router you can:
1) Synchronize the ESR router with an external NTP server. NTP configuration is described in detail in the Operation Manual. Minimal configuration example:
SPOKE-1# configure
SPOKE-1(config)# ntp server 198.51.100.2
SPOKE-1(config-ntp-server)# exit
SPOKE-1(config)# ntp enable
2) Set the time manually in the CLI with the command:
SPOKE-1# set date 10:04:00 7 august 2024
2024-08-07T10:03:21+00:00 %TIME-I-INFO: System time was changed by user admin
Wed Aug 7 10:04:00 UTC 2024
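An added example (not part of the article or of the ESR software) that makes the clock requirement concrete: it reads the notBefore/notAfter window directly from an X.509 certificate with a minimal DER walker, parses the `show date` line as the ESR prints it, and reports whether the certificate would be accepted at that time. The sample certificate is constructed inside the block (a skeletal, unsigned structure whose only realistic field is the validity period) so the script runs offline; point cert_validity at a real spoke1.crt for the real check.

```python
"""Clock-versus-certificate check before uploading spoke1.crt: decode the
certificate's validity window and compare it with the router's `show date`.
Added example, not Eltex code.  Standard library only: a minimal DER walker
reads notBefore/notAfter straight from the X.509 structure, and the ESR
`show date` line is parsed exactly as the CLI prints it.
"""
import base64
import re
from datetime import datetime, timezone


def _tlv(buf, pos=0):
    """Decode one DER TLV at `pos`: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield the TLVs contained in a SEQUENCE/SET value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY < 50 means 20YY, otherwise 19YY
        yy = int(text[:2])
        text = f"{yy + (2000 if yy < 50 else 1900)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(cert):
    """Return (notBefore, notAfter) of an X.509 certificate given as PEM or DER bytes."""
    if b"-----BEGIN CERTIFICATE-----" in cert:
        body = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S).group(1)
        cert = base64.b64decode(b"".join(body.split()))
    _, certificate, _ = _tlv(cert)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _tlv(certificate)           # TBSCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    validity = fields[3][1]                 # serialNumber, signature, issuer, validity, ...
    (tag_nb, nb), (tag_na, na) = list(_children(validity))[:2]
    return _time(tag_nb, nb), _time(tag_na, na)


def parse_show_date(line):
    """Parse the ESR `show date` output, e.g. "Wednesday 09:51:20 UTC August 07 2024"."""
    clean = line.strip().strip('"')
    return datetime.strptime(clean, "%A %H:%M:%S %Z %B %d %Y").replace(tzinfo=timezone.utc)


def clock_check(show_date_line, cert, warn_days=30):
    """Verdict the IKE peer will reach for this certificate at the router's current time."""
    now = parse_show_date(show_date_line)
    not_before, not_after = cert_validity(cert)
    if now < not_before:
        status = "not_yet_valid"            # typical after a clock reset: the cert looks like it is from the future
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    days_left = (not_after - now).days
    return {"status": status, "not_before": not_before, "not_after": not_after,
            "days_left": days_left, "renew_soon": 0 <= days_left < warn_days}


def _der(tag, payload):
    """Encode one DER TLV; used only to build the constructed sample certificate below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed sample: a skeletal, unsigned certificate.  Only the Validity field is
# realistic (6 Aug 2020 13:00 UTC to 6 Aug 2025 13:00 UTC); a real spoke1.crt walks the same way.
SAMPLE_CERT = _der(0x30,
    _der(0x30,                                                  # tbsCertificate
         _der(0xA0, _der(0x02, b"\x02"))                        # [0] version v3
         + _der(0x02, b"\x01")                                  # serialNumber
         + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
         + _der(0x30, b"")                                      # issuer (empty Name placeholder)
         + _der(0x30, _der(0x17, b"200806130000Z") + _der(0x17, b"250806130000Z"))  # validity
         + _der(0x30, b"")                                      # subject placeholder
         + _der(0x30, b""))                                     # subjectPublicKeyInfo placeholder
    + _der(0x30, b"")                                           # signatureAlgorithm placeholder
    + _der(0x03, b"\x00"))                                      # signatureValue placeholder


def to_pem(der):
    """Wrap DER bytes in a PEM envelope (exercises the PEM path of cert_validity)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for line in ('"Wednesday 09:51:20 UTC August 07 2024"', '"Thursday 00:00:00 UTC January 01 1970"'):
        print(line, "->", clock_check(line, to_pem(SAMPLE_CERT))["status"])
```

The second line in the usage loop is the typical symptom of a router whose clock was never set: the certificate is reported as not yet valid, and IKE authentication fails until NTP or set date fixes the time.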
3. Router configurations
Step-by-step DMVPN configuration is given in the Operation Manual (section "Configuring DMVPN"). This article gives example DMVPN configurations with certificate-based authentication of the IPsec connection.
1) Certificate-based authentication of the IPsec connection is configured under security ike policy <NAME>:
ESR# configure
ESR(config)# security ike policy ike_policy
ESR(config-ike-policy)# crypto ?
ca Configure Certification authority certificate
crl Configure certificate revocation list
local-crt Configure local certificate
local-crt-key Configure local certificate key
remote-crt Configure remote certificate
2) In security ike gateway <NAME>, remote id any must be set so that IPsec connections from peers presenting different certificates (each SPOKE has its own) authenticate successfully:
ESR# configure
ESR(config)# security ike gateway ike_gateway
ESR(config-ike-gw)# remote id any
With remote id any the gateway does not pin the peer's IKE identity, so the only thing that authenticates a peer is a certificate that chains to the CA set by crypto ca. Keep that CA dedicated to this DMVPN, and when a SPOKE key is compromised publish the revocation through the crl option listed above; otherwise the holder of any certificate issued by that CA can bring up a tunnel to the HUB.
HUB configuration example:
HUB# show running-config
hostname HUB
interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.2/30
exit
tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip address 192.0.2.1/24
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike policy ike_policy
crypto ca dmvpn_ca.crt
crypto local-crt hub.crt
crypto local-crt-key hub.key
authentication method public-key
proposal ike_proposal
exit
security ike gateway ike_gateway
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote id any
remote address any
remote network any protocol gre
mode policy-based
mobike disable
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.1
SPOKE-1 configuration example:
SPOKE-1# show running-config
hostname SPOKE-1
interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.6/30
exit
tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address 192.0.2.2/24
ip tcp adjust-mss 1340
ip nhrp holding-time 360
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp nhs 192.0.2.1/24
ip nhrp ipsec ipsec_static static
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike policy ike_policy
crypto ca dmvpn_ca.crt
crypto local-crt spoke1.crt
crypto local-crt-key spoke1.key
authentication method public-key
proposal ike_proposal
exit
security ike gateway ike_gateway_to_hub
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote id any
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
mobike disable
exit
security ike gateway ike_gateway_to_spokes
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote id any
remote address any
remote network any protocol gre
mode policy-based
mobike disable
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_static
type transport
ike establish-tunnel route
ike gateway ike_gateway_to_hub
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway_to_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.5
SPOKE-2 configuration example:
SPOKE-2# show running-config
hostname SPOKE-2
interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.10/30
exit
tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.10
ip address 192.0.2.3/24
ip tcp adjust-mss 1340
ip nhrp holding-time 360
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp nhs 192.0.2.1/24
ip nhrp ipsec ipsec_static static
ip nhrp ipsec ipsec_dynamic dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-256
encryption algorithm aes256
dh-group 19
exit
security ike policy ike_policy
crypto ca dmvpn_ca.crt
crypto local-crt spoke2.crt
crypto local-crt-key spoke2.key
authentication method public-key
proposal ike_proposal
exit
security ike gateway ike_gateway_to_hub
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote id any
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
mobike disable
exit
security ike gateway ike_gateway_to_spokes
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote id any
remote address any
remote network any protocol gre
mode policy-based
mobike disable
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_static
type transport
ike establish-tunnel route
ike gateway ike_gateway_to_hub
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_dynamic
type transport
ike establish-tunnel route
ike gateway ike_gateway_to_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.9
4. Operational information
After the routers are configured, the HUB has an IPsec tunnel to each SPOKE, and both SPOKEs are registered with it:
HUB# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_dynamic 203.0.113.2 203.0.113.6 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established
ipsec_dynamic 203.0.113.2 203.0.113.10 0x27d8fc668ec48e0c 0xa20820c65062d027 Established
HUB# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.2 203.0.113.6 gre 1 00:04:35 0,00:21:35 dynamic LC
192.0.2.3 203.0.113.10 gre 1 00:05:18 0,00:20:51 dynamic LC
SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static 203.0.113.6 203.0.113.2 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
SPOKE-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static 203.0.113.10 203.0.113.2 0x27d8fc668ec48e0c 0xa20820c65062d027 Established
SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
To build a dynamic tunnel between the SPOKEs, traffic has to be sent from one SPOKE to the other. For example, ping SPOKE-2 from SPOKE-1: this triggers NHRP resolution (DMVPN phase 2), SPOKE-1 learns the NBMA address of SPOKE-2 from the HUB, and a direct ipsec_dynamic tunnel between the two SPOKEs is established:
SPOKE-1# ping 192.0.2.3
PING 192.0.2.3 (192.0.2.3) 56 bytes of data.
!!!!
--- 192.0.2.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.240/1.884/3.625/1.008 ms
SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static 203.0.113.6 203.0.113.2 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established
ipsec_dynamic 203.0.113.6 203.0.113.10 0xe843aadb9e1b7620 0x6006d4df45af828d Established
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
192.0.2.3 203.0.113.10 gre 1 00:05:38 0,00:00:21 cached ULC
SPOKE-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static 203.0.113.10 203.0.113.2 0x27d8fc668ec48e0c 0xa20820c65062d027 Established
ipsec_dynamic 203.0.113.10 203.0.113.6 0xe843aadb9e1b7620 0x6006d4df45af828d Established
SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RLC
192.0.2.2 203.0.113.6 gre 1 00:04:14 0,00:01:45 cached ULC
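A scripted version of the checks in this section, added as an example and not part of the article or of the Eltex software: it parses the two ESR tables (the sample outputs embedded in the block are the ones printed above) and reports every expected peer that lacks an Established SA or the expected NHRP entry. It also flags a known tunnel address that registers from an NBMA address other than the expected one, a condition the HUB's remote address any cannot reject by itself. The expected-peer dictionaries are assumptions for this article's topology.

```python
"""Health check for the DMVPN state shown in this section: parse the ESR
`show security ipsec vpn status` and `show ip nhrp peers` tables and verify
that every expected peer has an Established SA and the expected NHRP entry.
Added example, not Eltex code; the sample outputs are copied from the article.
"""
import re

IPSEC_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<local>[\d.]+)\s+(?P<remote>[\d.]+)\s+"
    r"(?P<ispi>0x[0-9a-f]+)\s+(?P<rspi>0x[0-9a-f]+)\s+(?P<state>\S+)$")
NHRP_ROW = re.compile(
    r"^(?P<tunnel_addr>[\d.]+)\s+(?P<nbma>[\d.]+)\s+(?P<tunnel>gre \d+)\s+"
    r"(?P<expire>\S+)\s+(?P<created>\S+)\s+(?P<type>\S+)\s+(?P<flags>[A-Z]+)$")


def parse_table(text, row_re):
    """One dict per data row; header, separator and flag-legend lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = row_re.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def check_peers(ipsec_text, nhrp_text, expected):
    """expected maps tunnel IP -> (NBMA IP, NHRP entry type); returns a list of problems.

    An empty list means the router is in the state the article expects.  The NBMA
    address of each NHRP entry is compared with the expected one: the HUB accepts
    registrations from `remote address any`, so a known tunnel IP appearing from an
    unknown NBMA address is worth an alert even though the SA itself authenticated.
    """
    established = {r["remote"] for r in parse_table(ipsec_text, IPSEC_ROW)
                   if r["state"] == "Established"}
    peers = {r["tunnel_addr"]: r for r in parse_table(nhrp_text, NHRP_ROW)}
    problems = []
    for tunnel_ip, (nbma, nhrp_type) in expected.items():
        if nbma not in established:
            problems.append(f"no Established IPsec SA with {nbma}")
        peer = peers.get(tunnel_ip)
        if peer is None:
            problems.append(f"{tunnel_ip}: no NHRP entry")
            continue
        if peer["nbma"] != nbma:
            problems.append(f"{tunnel_ip}: NHRP entry from unexpected NBMA {peer['nbma']} (expected {nbma})")
        if peer["type"] != nhrp_type:
            problems.append(f"{tunnel_ip}: NHRP entry type {peer['type']}, expected {nhrp_type}")
        if "L" not in peer["flags"]:                 # L = lower-up per the flag legend
            problems.append(f"{tunnel_ip}: NHRP entry not lower-up (flags {peer['flags']})")
    return problems


# Sample outputs copied from the article: HUB after configuration, SPOKE-1 before and after the ping.
HUB_IPSEC = """\
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_dynamic 203.0.113.2 203.0.113.6 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established
ipsec_dynamic 203.0.113.2 203.0.113.10 0x27d8fc668ec48e0c 0xa20820c65062d027 Established
"""
HUB_NHRP = """\
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.2 203.0.113.6 gre 1 00:04:35 0,00:21:35 dynamic LC
192.0.2.3 203.0.113.10 gre 1 00:05:18 0,00:20:51 dynamic LC
"""
SPOKE1_IPSEC_BEFORE = "ipsec_static 203.0.113.6 203.0.113.2 0xa0d605df30d4262d 0x0953f87dc3bf28c9 Established\n"
SPOKE1_NHRP_BEFORE = "192.0.2.1 203.0.113.2 gre 1 -- -- static RLC\n"
SPOKE1_IPSEC_AFTER = SPOKE1_IPSEC_BEFORE + \
    "ipsec_dynamic 203.0.113.6 203.0.113.10 0xe843aadb9e1b7620 0x6006d4df45af828d Established\n"
SPOKE1_NHRP_AFTER = SPOKE1_NHRP_BEFORE + "192.0.2.3 203.0.113.10 gre 1 00:05:38 0,00:00:21 cached ULC\n"

# Assumed expectations for this topology (tunnel IP -> (NBMA IP, NHRP type)).
HUB_EXPECTED = {"192.0.2.2": ("203.0.113.6", "dynamic"), "192.0.2.3": ("203.0.113.10", "dynamic")}
SPOKE1_EXPECTED = {"192.0.2.1": ("203.0.113.2", "static"), "192.0.2.3": ("203.0.113.10", "cached")}

if __name__ == "__main__":
    print("HUB:", check_peers(HUB_IPSEC, HUB_NHRP, HUB_EXPECTED) or "ok")
    print("SPOKE-1 before ping:", check_peers(SPOKE1_IPSEC_BEFORE, SPOKE1_NHRP_BEFORE, SPOKE1_EXPECTED))
    print("SPOKE-1 after ping:", check_peers(SPOKE1_IPSEC_AFTER, SPOKE1_NHRP_AFTER, SPOKE1_EXPECTED) or "ok")
```

Before the ping, SPOKE-1 reports the missing ipsec_dynamic SA and the missing NHRP entry for 192.0.2.3; after the ping both checks pass, matching the outputs above.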