溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

ASA 與路由器在NAT-T環(huán)境下建立ipsec -v-p-n ( ikev2 )配置及排錯(cuò)過程

發(fā)布時(shí)間:2020-07-23 22:40:37 來源:網(wǎng)絡(luò) 閱讀:2335 作者:龍翔九天dl 欄目:網(wǎng)絡(luò)安全

  1. ASA 與路由器在NAT-T環(huán)境下建立ipsec -v-p-n ( ikev2 )配置及排錯(cuò)過程

    實(shí)驗(yàn)?zāi)康?/strong>:為了驗(yàn)證防火墻在NAT-T的環(huán)境能和對(duì)方出口路由器成功建立IPSec -v-p-n

    并實(shí)現(xiàn)公司兩地內(nèi)網(wǎng)通信

    實(shí)驗(yàn)環(huán)境介紹:ASA在內(nèi)網(wǎng); R1,R2為出口、做NAT并指默認(rèn)路由到Internet

    ipsec 版本:ikev2

  2. 報(bào)錯(cuò)

    雖然照著網(wǎng)上找的一個(gè)ikev2的路由器對(duì)路由器非NAT-T版本配的,但是問題也出現(xiàn)不少

    ——cisco ikev2 profile not found

    ——Exchange type: Informational (5)

    ——Exchange type:  NO PAYLOAD

    ——specify IKE identity to use

    ——rec'd IPSEC packet ha 

    ——IKEv2-PROTO-1: (167): The peer's KE payload contained the wrong DH group

    //如果一邊啟用pfs完美向前保密(ipsec sa階段的時(shí)候再次協(xié)商密鑰),一邊未啟用pfs,就會(huì)報(bào)這個(gè)錯(cuò),但不影響加密通信

  3. 先貼出正確的關(guān)鍵配置


    ASA:

    route outside 0.0.0.0 0.0.0.0 10.249.188.254

    //定義感興趣流

    access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0 

    ipsec部分:

    //定義ipsec第一階段 ikev2協(xié)商策略,主要是為了安全的交換密鑰

    crypto ikev2 policy 10

      encryption 3des

      integrity sha512

      group 2

      prf sha512

      lifetime seconds 86400

    //定義ipsec第二階段轉(zhuǎn)換集加密策略

    crypto ipsec ikev2 ipsec-proposal l2ltrans

       protocol esp encryption 3des

       protocol esp integrity sha-1

    //匹配到感興趣流時(shí),調(diào)用加密圖l2lmap

    crypto map l2lmap 1 match address l2lacl

    crypto map l2lmap 1 set pfs 

    crypto map l2lmap 1 set peer 202.134.122.2 

    crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans

      //ipsec類型為點(diǎn)到點(diǎn)L2L,   ipsec的雙方認(rèn)證密鑰(人為干預(yù)的)

      tunnel-group 202.134.122.2 type ipsec-l2l

      tunnel-group 202.134.122.2 ipsec-attributes

        ikev2 remote-authentication pre-shared-key cisco

        ikev2 local-authentication pre-shared-key cisco

     //在接口下調(diào)用

     crypto ikev2 enable outside

     crypto map l2lmap interface outside


R1

ip route 0.0.0.0 0.0.0.0 202.134.121.2

ip nat inside source list natacl interface Ethernet0/1 overload

//若不寫以下端口映射,在內(nèi)網(wǎng) NAT-T環(huán)境下是可以主動(dòng)與對(duì)方出口路由器建立ipsec ***的,反之不行

ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable

ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable

ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable

ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable

//從此路由出口的流量全部為訪問異地內(nèi)網(wǎng)所需,所以所有流量都加密

ip access-list extended natacl

 permit ip any any


R2

//定義ipsec第一階段 ikev2協(xié)商策略

crypto ikev2 proposal ikev2-proposal 

 encryption 3des

 integrity sha512

 group 2

//定義ikev2的策略

crypto ikev2 policy ikev2-policy 

 proposal ikev2-proposal

//定義加密認(rèn)證參數(shù)(對(duì)方名、對(duì)方公網(wǎng)地址、預(yù)共享密鑰)

crypto ikev2 keyring ikev2-keyring

 peer ASA2

  address 202.134.121.1

  pre-shared-key cisco

//定義ikev2的認(rèn)證框架(遠(yuǎn)端設(shè)備的真實(shí)內(nèi)網(wǎng)地址,本地公網(wǎng)地址,預(yù)共享認(rèn)證方式,認(rèn)證參數(shù))

這個(gè)內(nèi)網(wǎng)地址不正確,就會(huì)停留在ikev2協(xié)商的第一階段SA-INIT,然后IKE-AUTH階段就一直報(bào)錯(cuò),

crypto ikev2 profile IKEV2-profile

 match identity remote address 10.249.190.253 255.255.255.0 

 identity local address 202.134.122.2

 authentication remote pre-share

 authentication local pre-share

 keyring local ikev2-keyring

//定義第二階段轉(zhuǎn)換集參數(shù)

crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac 

   mode tunnel

//定義加密圖

crypto map l2lmap 10 ipsec-isakmp 

 set peer 202.134.121.1

 set transform-set l2ltrans 

 set ikev2-profile IKEV2-profile

 set pfs

 match address l2lacl

//分離出要加密的流量

ip access-list extended l2lacl

 permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255

 permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255

 permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255

 permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255

ip access-list extended natacl

 deny   ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255

 deny   ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255

 deny   ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255

 deny   ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255

 permit ip any any

//接口調(diào)用

ip nat inside source list natacl interface Ethernet0/0 overload

ip route 0.0.0.0 0.0.0.0 202.134.122.1

interface Ethernet0/0

 ip address 202.134.122.2 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

 crypto map l2lmap



報(bào)錯(cuò)內(nèi)容圖片及描述,有空再碼,未完待續(xù)。。。。

向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI