ASA and router establishing an IPsec VPN (IKEv2) in a NAT-T environment: configuration and troubleshooting

  1. ASA and router establishing an IPsec VPN (IKEv2) in a NAT-T environment: configuration and troubleshooting


    Purpose of the lab: verify that a firewall in a NAT-T environment can successfully establish an IPsec VPN with the peer's exit router

    and provide communication between the company's two internal networks

    Lab environment: the ASA sits on the internal network; R1 and R2 are the exit routers, perform NAT, and have a default route pointing to the Internet

    IPsec version: IKEv2

  2. Errors

    Although this was configured following a non-NAT-T router-to-router IKEv2 example found online, quite a few problems still came up

    ——cisco ikev2 profile not found

    ——Exchange type: Informational (5)

    ——Exchange type:  NO PAYLOAD

    ——specify IKE identity to use

    ——rec'd IPSEC packet ha 

    ——IKEv2-PROTO-1: (167): The peer's KE payload contained the wrong DH group

    // This error appears when one side has PFS (perfect forward secrecy: keys are renegotiated in the IPsec SA phase) enabled and the other does not, but it does not affect encrypted communication

  3. The correct key configuration first

    ASA:

    route outside 0.0.0.0 0.0.0.0 10.249.188.254

    // Define the interesting traffic
    access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0

    IPsec part:

    // Define the IPsec phase 1 (IKEv2) negotiation policy, mainly so that keys are exchanged securely
    crypto ikev2 policy 10
      encryption 3des
      integrity sha512
      group 2
      prf sha512
      lifetime seconds 86400

    // Define the IPsec phase 2 transform set (encryption proposal)
    crypto ipsec ikev2 ipsec-proposal l2ltrans
      protocol esp encryption 3des
      protocol esp integrity sha-1

    // When interesting traffic is matched, the crypto map l2lmap is applied
    crypto map l2lmap 1 match address l2lacl
    crypto map l2lmap 1 set pfs
    crypto map l2lmap 1 set peer 202.134.122.2
    crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans

    // IPsec type is point-to-point (L2L); the pre-shared keys both sides authenticate with (set by hand)
    tunnel-group 202.134.122.2 type ipsec-l2l
    tunnel-group 202.134.122.2 ipsec-attributes
      ikev2 remote-authentication pre-shared-key cisco
      ikev2 local-authentication pre-shared-key cisco

    // Apply on the interface
    crypto ikev2 enable outside
    crypto map l2lmap interface outside

R1

ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload

// Without the following port mappings, the ASA on the inside can still actively initiate the IPsec VPN to the remote exit router in this NAT-T environment, but the reverse (the remote side initiating) does not work
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable
ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable

// All traffic leaving this exit router is for reaching the remote internal network, so all of it is encrypted
ip access-list extended natacl
 permit ip any any

R2

// Define the IPsec phase 1 (IKEv2) negotiation proposal
crypto ikev2 proposal ikev2-proposal
 encryption 3des
 integrity sha512
 group 2

// Define the IKEv2 policy
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal

// Define the peer's authentication parameters (peer name, peer public address, pre-shared key)
crypto ikev2 keyring ikev2-keyring
 peer ASA2
  address 202.134.121.1
  pre-shared-key cisco

// Define the IKEv2 authentication framework (the remote device's real internal address, the local public address, pre-shared authentication method, authentication parameters)
If this internal address is wrong, negotiation stays in the first IKEv2 stage, SA-INIT, and the IKE-AUTH stage keeps reporting errors,
crypto ikev2 profile IKEV2-profile
 match identity remote address 10.249.190.253 255.255.255.0
 identity local address 202.134.122.2
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring

// Define the phase 2 transform set parameters
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
 mode tunnel

// Define the crypto map
crypto map l2lmap 10 ipsec-isakmp
 set peer 202.134.121.1
 set transform-set l2ltrans
 set ikev2-profile IKEV2-profile
 set pfs
 match address l2lacl

// Separate out the traffic to be encrypted
ip access-list extended l2lacl
 permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255

ip access-list extended natacl
 deny   ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip any any

// Apply to the interface
ip nat inside source list natacl interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.134.122.1

interface Ethernet0/0
 ip address 202.134.122.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 crypto map l2lmap
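As an added example (not part of the original post or of any Cisco tool), the following Python script runs consistency checks over constructed excerpts of the R1, R2 and ASA configuration above, covering the three points the troubleshooting turned on: R2's match identity remote address must cover the ASA's private (pre-NAT) address, R1 needs static UDP/500 and UDP/4500 mappings for the remote side to be able to initiate, and PFS must be set on both crypto maps or on neither. The function names and the excerpt strings are assumptions made for the example.

```python
import ipaddress
import re

# Constructed excerpts of the R2, R1 and ASA configuration shown above (not full configs).
R2_CONFIG = """\
crypto ikev2 profile IKEV2-profile
 match identity remote address 10.249.190.253 255.255.255.0
 identity local address 202.134.122.2
crypto map l2lmap 10 ipsec-isakmp
 set peer 202.134.121.1
 set pfs
"""
R1_CONFIG = """\
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
"""
ASA_CONFIG = """\
crypto map l2lmap 1 set pfs
crypto map l2lmap 1 set peer 202.134.122.2
"""

def check_identity(r2_cfg, asa_identity):
    """An ASA behind NAT presents its own (pre-NAT) interface address as its IKEv2
    identity, so R2's 'match identity remote address' must cover that private
    address; matching the public address R1 translates to leaves IKE_AUTH failing."""
    m = re.search(r"match identity remote address (\S+) (\S+)", r2_cfg)
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return ipaddress.ip_address(asa_identity) in net

def check_nat_t_mappings(r1_cfg, asa_ip, public_ip):
    """R2 can only initiate toward the ASA if R1 statically maps both UDP/500 (IKE)
    and UDP/4500 (NAT-T) from its public address to the ASA's private address."""
    ports = set()
    pat = r"ip nat inside source static udp (\S+) (\d+) (\S+) (\d+)"
    for m in re.finditer(pat, r1_cfg):
        if m.group(1) == asa_ip and m.group(3) == public_ip and m.group(2) == m.group(4):
            ports.add(int(m.group(2)))
    return {500, 4500} <= ports

def check_pfs(asa_cfg, r2_cfg):
    """PFS enabled on only one crypto map produces the 'wrong DH group' message."""
    return ("set pfs" in asa_cfg) == ("set pfs" in r2_cfg)

def check_peers(asa_cfg, r2_cfg, r2_public, r1_public):
    """Each side's 'set peer' must name the other side's public (post-NAT) address."""
    asa_peer = re.search(r"set peer (\S+)", asa_cfg).group(1)
    r2_peer = re.search(r"set peer (\S+)", r2_cfg).group(1)
    return asa_peer == r2_public and r2_peer == r1_public
```

Each check returns True for the configuration on this page; feeding the public address 202.134.121.1 to check_identity, or dropping the UDP/4500 line from R1_CONFIG, reproduces the two mismatches the post ran into.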

Screenshots and descriptions of the errors will be written up when there is time; to be continued....


Article title: ASA and router establishing an IPsec VPN (IKEv2) in a NAT-T environment: configuration and troubleshooting
Reprint attribution: http://myzitong.com/article/joidde.html