Experiment goal: verify that a firewall behind NAT (NAT-T) can successfully establish an IPsec VPN with the remote site's edge router
and carry traffic between the company's two internal networks.
Lab topology: the ASA sits on the inside network; R1 and R2 are the edge routers, performing NAT and pointing a default route to the Internet.
IPsec version: IKEv2
Errors encountered:
Although I followed an IKEv2 router-to-router (non-NAT-T) example found online, quite a few problems came up:
——cisco ikev2 profile not found
——Exchange type: Informational (5)
——Exchange type: NO PAYLOAD
——specify IKE identity to use
——rec'd IPSEC packet ha
——IKEv2-PROTO-1: (167): The peer's KE payload contained the wrong DH group
// If one side has PFS (Perfect Forward Secrecy: a fresh key exchange during the IPsec SA phase) enabled and the other side does not, this error is logged, but encrypted traffic still works.
The correct key configuration first:
ASA:
route outside 0.0.0.0 0.0.0.0 10.249.188.254
// Define the interesting traffic
access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0
IPsec part:
// Define the IKEv2 phase 1 negotiation policy, mainly for exchanging keys securely
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 2
 prf sha512
 lifetime seconds 86400
// Define the phase 2 encryption policy (IPsec proposal / transform set)
crypto ipsec ikev2 ipsec-proposal l2ltrans
 protocol esp encryption 3des
 protocol esp integrity sha-1
// When interesting traffic matches, crypto map l2lmap is applied
crypto map l2lmap 1 match address l2lacl
crypto map l2lmap 1 set pfs
crypto map l2lmap 1 set peer 202.134.122.2
crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans
// Tunnel type is site-to-site (L2L); the pre-shared keys both IPsec peers authenticate with (set manually)
tunnel-group 202.134.122.2 type ipsec-l2l
tunnel-group 202.134.122.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
// Apply on the interface
crypto ikev2 enable outside
crypto map l2lmap interface outside
R1:
ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload
// Without the following port mappings, the inside device in this NAT-T environment can still initiate the IPsec VPN to the remote edge router, but the reverse direction (remote side initiating) does not work
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable
ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable
// All traffic leaving this router is destined for the remote internal network, so all of it is encrypted
ip access-list extended natacl
 permit ip any any
R2:
// Define the IKEv2 phase 1 proposal
crypto ikev2 proposal ikev2-proposal
 encryption 3des
 integrity sha512
 group 2
// Define the IKEv2 policy
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
// Define the authentication parameters (peer name, peer public address, pre-shared key)
crypto ikev2 keyring ikev2-keyring
 peer ASA2
  address 202.134.121.1
  pre-shared-key cisco
// Define the IKEv2 authentication profile (the remote device's real inside address, the local public address, pre-shared authentication, and the keyring)
If this inside address is wrong, negotiation stalls in the first IKEv2 phase (SA-INIT) and the IKE-AUTH phase keeps reporting errors.
crypto ikev2 profile IKEV2-profile
 match identity remote address 10.249.190.253 255.255.255.0
 identity local address 202.134.122.2
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
// Define the phase 2 transform set
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
 mode tunnel
// Define the crypto map
crypto map l2lmap 10 ipsec-isakmp
 set peer 202.134.121.1
 set transform-set l2ltrans
 set ikev2-profile IKEV2-profile
 set pfs
 match address l2lacl
// Separate out the traffic that is to be encrypted (and exclude it from NAT)
ip access-list extended l2lacl
 permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
ip access-list extended natacl
 deny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip any any
// Interface settings
ip nat inside source list natacl interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.134.122.1
interface Ethernet0/0
 ip address 202.134.122.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 crypto map l2lmap
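Two of the errors listed above ("wrong DH group" and the phase 1 mismatch) come down to the IKEv2 parameters and the PFS setting not agreeing on both peers. The following added example (not part of the original post or any Cisco tool) extracts encryption, integrity and DH group from ASA and IOS config fragments and reports where the two sides cannot agree; the fragments are constructed from the key configuration above.

```python
import re

# Constructed from the ASA policy / crypto map shown above.
ASA_CFG = """
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 2
 prf sha512
crypto map l2lmap 1 set pfs
"""
# Constructed from the R2 proposal / crypto map shown above.
IOS_CFG = """
crypto ikev2 proposal ikev2-proposal
 encryption 3des
 integrity sha512
 group 2
crypto map l2lmap 10 ipsec-isakmp
 set pfs
"""

# Parameters both peers must agree on in IKE_SA_INIT. 3DES and DH group 2 match the
# page's lab; current Cisco guidance prefers AES-GCM and group 14 or higher.
IKE_KEYS = ("encryption", "integrity", "group")

def ikev2_params(cfg: str) -> dict:
    """Collect each IKE_SA_INIT parameter as a set of offered values."""
    params = {}
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in IKE_KEYS:
            params.setdefault(parts[0], set()).update(parts[1:])
    return params

def pfs_enabled(cfg: str) -> bool:
    """True when a crypto map entry requests PFS (an extra DH exchange in the CHILD_SA phase)."""
    return re.search(r"^\s*(crypto map \S+ \d+ )?set pfs", cfg, re.M) is not None

def compare_peers(asa_cfg: str, ios_cfg: str) -> list:
    """Return human-readable findings; an empty list means the two sides can agree."""
    findings = []
    a, b = ikev2_params(asa_cfg), ikev2_params(ios_cfg)
    for key in IKE_KEYS:
        if not a.get(key, set()) & b.get(key, set()):
            findings.append(f"no common {key}: ASA {sorted(a.get(key, []))} vs IOS {sorted(b.get(key, []))}")
    if pfs_enabled(asa_cfg) != pfs_enabled(ios_cfg):
        findings.append("pfs enabled on only one side: expect 'KE payload contained the wrong DH group'")
    return findings

if __name__ == "__main__":
    for finding in compare_peers(ASA_CFG, IOS_CFG) or ["no mismatch found"]:
        print(finding)
```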
Screenshots and descriptions of the errors will be added when I have time; to be continued...