Establishing an IPsec VPN (IKEv2) between an ASA and a router across NAT-T: configuration and troubleshooting
Lab goal: verify that the firewall, in a NAT-T environment, can successfully establish an IPsec VPN with the remote site's edge router, and that the two sites' inside networks can communicate.
Lab environment: the ASA sits on the inside network; R1 and R2 are the edge routers, performing NAT and pointing a default route toward the Internet.
IPsec version: IKEv2
Errors:
Although the configuration followed a router-to-router IKEv2 example found online (a non-NAT-T version), quite a few problems still came up:
——cisco ikev2 profile not found
——Exchange type: Informational (5)
——Exchange type: NO PAYLOAD
——specify IKE identity to use
——rec'd IPSEC packet ha
——IKEv2-PROTO-1: (167): The peer's KE payload contained the wrong DH group
// This error appears when one side has PFS (Perfect Forward Secrecy, i.e. a fresh key negotiation during the IPsec SA phase) enabled and the other side does not; it does not prevent encrypted traffic from flowing.
First, the key parts of the working configuration.
ASA:
route outside 0.0.0.0 0.0.0.0 10.249.188.254
// Define the interesting traffic
access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0
IPsec part:
// Phase 1: the IKEv2 negotiation policy, whose purpose is a secure key exchange
crypto ikev2 policy 10
encryption 3des
integrity sha512
group 2
prf sha512
lifetime seconds 86400
// Phase 2: the IPsec proposal (transform set) used to encrypt the data
crypto ipsec ikev2 ipsec-proposal l2ltrans
protocol esp encryption 3des
protocol esp integrity sha-1
// When traffic matches the interesting-traffic ACL, crypto map l2lmap is applied
crypto map l2lmap 1 match address l2lacl
crypto map l2lmap 1 set pfs
crypto map l2lmap 1 set peer 202.134.122.2
crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans
// Site-to-site (L2L) tunnel type, and the pre-shared key both sides authenticate with (configured by hand)
tunnel-group 202.134.122.2 type ipsec-l2l
tunnel-group 202.134.122.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
// Apply on the interface
crypto ikev2 enable outside
crypto map l2lmap interface outside
R1:
ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload
// Without the static port mappings below, a device on the inside network in a NAT-T environment can still initiate an IPsec VPN to the remote edge router, but the reverse direction does not work
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable
ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable
// All traffic leaving this router is destined for the remote site's inside network, so all of it is encrypted
ip access-list extended natacl
permit ip any any
R2:
// Phase 1: the IKEv2 proposal
crypto ikev2 proposal ikev2-proposal
encryption 3des
integrity sha512
group 2
// Define the IKEv2 policy
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
// Define the authentication parameters (peer name, peer public address, pre-shared key)
crypto ikev2 keyring ikev2-keyring
peer ASA2
address 202.134.121.1
pre-shared-key cisco
// Define the IKEv2 profile (the remote device's real inside address, the local public address, pre-shared authentication on both sides, and the keyring).
// If this inside address is wrong, the negotiation stays in the first IKEv2 phase (SA_INIT) and the IKE_AUTH phase keeps failing.
crypto ikev2 profile IKEV2-profile
match identity remote address 10.249.190.253 255.255.255.0
identity local address 202.134.122.2
authentication remote pre-share
authentication local pre-share
keyring local ikev2-keyring
// Phase 2 transform set
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
mode tunnel
// Define the crypto map
crypto map l2lmap 10 ipsec-isakmp
set peer 202.134.121.1
set transform-set l2ltrans
set ikev2-profile IKEV2-profile
set pfs
match address l2lacl
// Separate out the traffic to be encrypted
ip access-list extended l2lacl
permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
ip access-list extended natacl
deny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
permit ip any any
// Apply on the interface
ip nat inside source list natacl interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.134.122.1
interface Ethernet0/0
ip address 202.134.122.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
crypto map l2lmap
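To make the NAT-T behaviour behind R1's static UDP 500/4500 mappings and the exchange types in the error list above concrete, here is an added Python example (not part of the original post and not Cisco code) that decodes an IKEv2 header as captured on UDP 500 or 4500, including the non-ESP marker NAT-T adds, and reproduces the NAT_DETECTION hash both peers compare to decide whether a NAT sits between them. The SPIs are constructed; the sample addresses reuse the lab's own addressing.

```python
"""Added example: decode IKEv2 headers on UDP 500/4500 and reproduce the
NAT_DETECTION hash IKEv2 uses to find a NAT in the path (RFC 7296, RFC 3948)."""
import hashlib
import ipaddress
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix of IKE packets on UDP 4500


def build_ike_header(spi_i, spi_r, exchange, flags, msg_id, natt=False):
    """Bare 28-byte IKEv2 header (next payload 33 = SA, version 2.0), with the
    non-ESP marker prepended when natt=True. Used here to construct samples."""
    hdr = struct.pack("!QQBBBBII", spi_i, spi_r, 33, 0x20, exchange, flags, msg_id, 28)
    return (NON_ESP_MARKER if natt else b"") + hdr


def parse_ike_header(udp_payload, dst_port):
    """On UDP 4500 a non-zero first word is UDP-encapsulated ESP; a zero word is
    the non-ESP marker ahead of an IKE header. On UDP 500 the header starts at 0."""
    data, encap = udp_payload, "plain"
    if dst_port == 4500:
        if data[:4] != NON_ESP_MARKER:
            return {"kind": "ESP-in-UDP", "esp_spi": struct.unpack("!I", data[:4])[0]}
        data, encap = data[4:], "NAT-T"
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _nxt, ver, xchg, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    if ver >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {ver >> 4})")
    return {"kind": "IKE", "encap": encap, "spi_i": spi_i, "spi_r": spi_r,
            "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
            "initiator": bool(flags & FLAG_INITIATOR),
            "response": bool(flags & FLAG_RESPONSE),
            "message_id": msg_id, "length": length}


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | port): the value carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify payloads."""
    packed = (struct.pack("!QQ", spi_i, spi_r)
              + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return hashlib.sha1(packed).digest()


def nat_in_path(spi_i, spi_r, claimed_ip, claimed_port, seen_ip, seen_port):
    """True when the hash a peer computed over its own address differs from the hash
    of the address/port its packet actually arrived from: a NAT rewrote it, so NAT-T is used."""
    return (nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
            != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port))
```

With the ASA at 10.249.190.253 hashing its own inside address while R2 sees the packet arrive from R1's public address 202.134.121.1, the hashes differ and both peers move the exchange to UDP 4500, which is why R1 needs the static 500 and 4500 mappings for inbound initiation.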
Screenshots and descriptions of the error output will be added when I have time. To be continued...
Article URL: http://scjbc.cn/article/joidde.html